chore: implement custom role assignment for organization admins (#13570)

* chore: static role assignment mapping Until a dynamic approach is created in the database, only org-admins can assign custom organization roles.
2025-07-13 21:36:50 +00:00 · 2024-06-13 10:59:06 -10:00
parent 3d30c8dc68
commit d04959cea8
12 changed files with 147 additions and 38 deletions
--- a/coderd/database/dbauthz/customroles_test.go
+++ b/coderd/database/dbauthz/customroles_test.go
@ -157,7 +157,7 @@ func TestUpsertCustomRoles(t *testing.T) {
 			org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 				codersdk.ResourceWorkspace: {codersdk.ActionRead},
 			}),
-			errorContains: "not allowed to grant this permission",
+			errorContains: "forbidden",
 		},
 		{
 			name: "user-escalation",
--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@ -239,10 +239,10 @@ var (
 					rbac.ResourceApiKey.Type:             rbac.ResourceApiKey.AvailableActions(),
 					rbac.ResourceGroup.Type:              {policy.ActionCreate, policy.ActionUpdate},
 					rbac.ResourceAssignRole.Type:         rbac.ResourceAssignRole.AvailableActions(),
+					rbac.ResourceAssignOrgRole.Type:      rbac.ResourceAssignOrgRole.AvailableActions(),
 					rbac.ResourceSystem.Type:             {policy.WildcardSymbol},
 					rbac.ResourceOrganization.Type:       {policy.ActionCreate, policy.ActionRead},
 					rbac.ResourceOrganizationMember.Type: {policy.ActionCreate},
-					rbac.ResourceAssignOrgRole.Type:      {policy.ActionRead, policy.ActionCreate, policy.ActionDelete},
 					rbac.ResourceProvisionerDaemon.Type:  {policy.ActionCreate, policy.ActionUpdate},
 					rbac.ResourceUser.Type:               rbac.ResourceUser.AvailableActions(),
 					rbac.ResourceWorkspaceDormant.Type:   {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStop},
@ -622,7 +622,7 @@ func (q *querier) canAssignRoles(ctx context.Context, orgID *uuid.UUID, added, r
 	roleAssign := rbac.ResourceAssignRole
 	shouldBeOrgRoles := false
 	if orgID != nil {
-		roleAssign = roleAssign.InOrg(*orgID)
+		roleAssign = rbac.ResourceAssignOrgRole.InOrg(*orgID)
 		shouldBeOrgRoles = true
 	}

@ -697,8 +697,14 @@ func (q *querier) canAssignRoles(ctx context.Context, orgID *uuid.UUID, added, r

 	for _, roleName := range grantedRoles {
 		if _, isCustom := customRolesMap[roleName]; isCustom {
-			// For now, use a constant name so our static assign map still works.
-			roleName = rbac.CustomSiteRole()
+			// To support a dynamic mapping of what roles can assign what, we need
+			// to store this in the database. For now, just use a static role so
+			// owners and org admins can assign roles.
+			if roleName.IsOrgRole() {
+				roleName = rbac.CustomOrganizationRole(roleName.OrganizationID)
+			} else {
+				roleName = rbac.CustomSiteRole()
+			}
 		}

 		if !rbac.CanAssignRole(actor.Roles, roleName) {
@ -3476,9 +3482,15 @@ func (q *querier) UpsertCustomRole(ctx context.Context, arg database.UpsertCusto
 		return database.CustomRole{}, NoActorError
 	}

-	// TODO: If this is an org role, check the org assign role type.
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceAssignRole); err != nil {
-		return database.CustomRole{}, err
+	// Org and site role upsert share the same query. So switch the assertion based on the org uuid.
+	if arg.OrganizationID.UUID != uuid.Nil {
+		if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceAssignOrgRole.InOrg(arg.OrganizationID.UUID)); err != nil {
+			return database.CustomRole{}, err
+		}
+	} else {
+		if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceAssignRole); err != nil {
+			return database.CustomRole{}, err
+		}
 	}

 	if arg.OrganizationID.UUID == uuid.Nil && len(arg.OrgPermissions) > 0 {
--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@ -625,7 +625,7 @@ func (s *MethodTestSuite) TestOrganization() {
 			UserID:         u.ID,
 			Roles:          []string{codersdk.RoleOrganizationAdmin},
 		}).Asserts(
-			rbac.ResourceAssignRole.InOrg(o.ID), policy.ActionAssign,
+			rbac.ResourceAssignOrgRole.InOrg(o.ID), policy.ActionAssign,
 			rbac.ResourceOrganizationMember.InOrg(o.ID).WithID(u.ID), policy.ActionCreate)
 	}))
 	s.Run("UpdateOrganization", s.Subtest(func(db database.Store, check *expects) {
@ -681,8 +681,8 @@ func (s *MethodTestSuite) TestOrganization() {
 			WithCancelled(sql.ErrNoRows.Error()).
 			Asserts(
 				mem, policy.ActionRead,
-				rbac.ResourceAssignRole.InOrg(o.ID), policy.ActionAssign, // org-mem
-				rbac.ResourceAssignRole.InOrg(o.ID), policy.ActionDelete, // org-admin
+				rbac.ResourceAssignOrgRole.InOrg(o.ID), policy.ActionAssign, // org-mem
+				rbac.ResourceAssignOrgRole.InOrg(o.ID), policy.ActionDelete, // org-admin
 			).Returns(out)
 	}))
 }
@ -1257,7 +1257,7 @@ func (s *MethodTestSuite) TestUser() {
 			}), convertSDKPerm),
 		}).Asserts(
 			// First check
-			rbac.ResourceAssignRole, policy.ActionCreate,
+			rbac.ResourceAssignOrgRole.InOrg(orgID), policy.ActionCreate,
 			// Escalation checks
 			rbac.ResourceTemplate.InOrg(orgID), policy.ActionCreate,
 			rbac.ResourceTemplate.InOrg(orgID), policy.ActionRead,
--- a/coderd/members.go
+++ b/coderd/members.go
@ -87,6 +87,10 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 		UserID:       member.UserID,
 		OrgID:        organization.ID,
 	})
+	if httpapi.Is404Error(err) {
+		httpapi.Forbidden(rw)
+		return
+	}
 	if err != nil {
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 			Message: err.Error(),
--- a/coderd/rbac/object_gen.go
+++ b/coderd/rbac/object_gen.go
@ -28,6 +28,7 @@ var (
 	// ResourceAssignOrgRole
 	// Valid Actions
 	//  - "ActionAssign" :: ability to assign org scoped roles
+	//  - "ActionCreate" :: ability to create/delete/edit custom roles within an organization
 	//  - "ActionDelete" :: ability to delete org scoped roles
 	//  - "ActionRead" :: view what roles are assignable
 	ResourceAssignOrgRole = Object{
--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@ -218,6 +218,7 @@ var RBACPermissions = map[string]PermissionDefinition{
 			ActionAssign: actDef("ability to assign org scoped roles"),
 			ActionRead:   actDef("view what roles are assignable"),
 			ActionDelete: actDef("ability to delete org scoped roles"),
+			ActionCreate: actDef("ability to create/delete/edit custom roles within an organization"),
 		},
 	},
 	"oauth2_app": {
--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@ -24,7 +24,8 @@ const (
 	// customSiteRole is a placeholder for all custom site roles.
 	// This is used for what roles can assign other roles.
 	// TODO: Make this more dynamic to allow other roles to grant.
-	customSiteRole string = "custom-site-role"
+	customSiteRole         string = "custom-site-role"
+	customOrganizationRole string = "custom-organization-role"

 	orgAdmin  string = "organization-admin"
 	orgMember string = "organization-member"
@ -125,8 +126,11 @@ func (r *RoleIdentifier) UnmarshalJSON(data []byte) error {
 // Once we have a database implementation, the "default" roles can be defined on the
 // site and orgs, and these functions can be removed.

-func RoleOwner() RoleIdentifier         { return RoleIdentifier{Name: owner} }
-func CustomSiteRole() RoleIdentifier    { return RoleIdentifier{Name: customSiteRole} }
+func RoleOwner() RoleIdentifier      { return RoleIdentifier{Name: owner} }
+func CustomSiteRole() RoleIdentifier { return RoleIdentifier{Name: customSiteRole} }
+func CustomOrganizationRole(orgID uuid.UUID) RoleIdentifier {
+	return RoleIdentifier{Name: customOrganizationRole, OrganizationID: orgID}
+}
 func RoleTemplateAdmin() RoleIdentifier { return RoleIdentifier{Name: templateAdmin} }
 func RoleUserAdmin() RoleIdentifier     { return RoleIdentifier{Name: userAdmin} }
 func RoleMember() RoleIdentifier        { return RoleIdentifier{Name: member} }
@ -314,6 +318,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		DisplayName: "User Admin",
 		Site: Permissions(map[string][]policy.Action{
 			ResourceAssignRole.Type: {policy.ActionAssign, policy.ActionDelete, policy.ActionRead},
+			// Need organization assign as well to create users. At present, creating a user
+			// will always assign them to some organization.
+			ResourceAssignOrgRole.Type: {policy.ActionAssign, policy.ActionDelete, policy.ActionRead},
 			ResourceUser.Type: {
 				policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete,
 				policy.ActionUpdatePersonal, policy.ActionReadPersonal,
@ -361,7 +368,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				Site:        []Permission{},
 				Org: map[string][]Permission{
 					// Org admins should not have workspace exec perms.
-					organizationID.String(): append(allPermsExcept(ResourceWorkspace, ResourceWorkspaceDormant), Permissions(map[string][]policy.Action{
+					organizationID.String(): append(allPermsExcept(ResourceWorkspace, ResourceWorkspaceDormant, ResourceAssignRole), Permissions(map[string][]policy.Action{
 						ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop},
 						ResourceWorkspace.Type:        slice.Omit(ResourceWorkspace.AvailableActions(), policy.ActionApplicationConnect, policy.ActionSSH),
 					})...),
@ -409,32 +416,35 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 //	map[actor_role][assign_role]<can_assign>
 var assignRoles = map[string]map[string]bool{
 	"system": {
-		owner:          true,
-		auditor:        true,
-		member:         true,
-		orgAdmin:       true,
-		orgMember:      true,
-		templateAdmin:  true,
-		userAdmin:      true,
-		customSiteRole: true,
+		owner:                  true,
+		auditor:                true,
+		member:                 true,
+		orgAdmin:               true,
+		orgMember:              true,
+		templateAdmin:          true,
+		userAdmin:              true,
+		customSiteRole:         true,
+		customOrganizationRole: true,
 	},
 	owner: {
-		owner:          true,
-		auditor:        true,
-		member:         true,
-		orgAdmin:       true,
-		orgMember:      true,
-		templateAdmin:  true,
-		userAdmin:      true,
-		customSiteRole: true,
+		owner:                  true,
+		auditor:                true,
+		member:                 true,
+		orgAdmin:               true,
+		orgMember:              true,
+		templateAdmin:          true,
+		userAdmin:              true,
+		customSiteRole:         true,
+		customOrganizationRole: true,
 	},
 	userAdmin: {
 		member:    true,
 		orgMember: true,
 	},
 	orgAdmin: {
-		orgAdmin:  true,
-		orgMember: true,
+		orgAdmin:               true,
+		orgMember:              true,
+		customOrganizationRole: true,
 	},
 }

@ -596,6 +606,13 @@ func RoleByName(name RoleIdentifier) (Role, error) {
 		return Role{}, xerrors.Errorf("expect a org id for role %q", name.String())
 	}

+	// This can happen if a custom role shares the same name as a built-in role.
+	// You could make an org role called "owner", and we should not return the
+	// owner role itself.
+	if name.OrganizationID != role.Identifier.OrganizationID {
+		return Role{}, xerrors.Errorf("role %q not found", name.String())
+	}
+
 	return role, nil
 }

--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@ -279,6 +279,15 @@ func TestRolePermissions(t *testing.T) {
 			Name:     "OrgRoleAssignment",
 			Actions:  []policy.Action{policy.ActionAssign, policy.ActionDelete},
 			Resource: rbac.ResourceAssignOrgRole.InOrg(orgID),
+			AuthorizeMap: map[bool][]authSubject{
+				true:  {owner, orgAdmin, userAdmin},
+				false: {orgMemberMe, otherOrgAdmin, otherOrgMember, memberMe, templateAdmin},
+			},
+		},
+		{
+			Name:     "CreateOrgRoleAssignment",
+			Actions:  []policy.Action{policy.ActionCreate},
+			Resource: rbac.ResourceAssignOrgRole.InOrg(orgID),
 			AuthorizeMap: map[bool][]authSubject{
 				true:  {owner, orgAdmin},
 				false: {orgMemberMe, otherOrgAdmin, otherOrgMember, memberMe, templateAdmin, userAdmin},
@ -289,8 +298,8 @@ func TestRolePermissions(t *testing.T) {
 			Actions:  []policy.Action{policy.ActionRead},
 			Resource: rbac.ResourceAssignOrgRole.InOrg(orgID),
 			AuthorizeMap: map[bool][]authSubject{
-				true:  {owner, orgAdmin, orgMemberMe},
-				false: {otherOrgAdmin, otherOrgMember, memberMe, templateAdmin, userAdmin},
+				true:  {owner, orgAdmin, orgMemberMe, userAdmin, userAdmin},
+				false: {otherOrgAdmin, otherOrgMember, memberMe, templateAdmin},
 			},
 		},
 		{
--- a/coderd/roles.go
+++ b/coderd/roles.go
@ -144,9 +144,14 @@ func assignableRoles(actorRoles rbac.ExpandableRoles, roles []rbac.Role, customR
 	}

 	for _, role := range customRoles {
+		canAssign := rbac.CanAssignRole(actorRoles, rbac.CustomSiteRole())
+		if role.RoleIdentifier().IsOrgRole() {
+			canAssign = rbac.CanAssignRole(actorRoles, rbac.CustomOrganizationRole(role.OrganizationID.UUID))
+		}
+
 		assignable = append(assignable, codersdk.AssignableRoles{
 			Role:       db2sdk.Role(role),
-			Assignable: rbac.CanAssignRole(actorRoles, role.RoleIdentifier()),
+			Assignable: canAssign,
 			BuiltIn:    false,
 		})
 	}