chore: refactor, remove organiation_id from org_member roles

Emyrk · Emyrk · commit f7d22ea31062 · 2024-06-04T15:53:11.000-05:00
Organization member's table is already scoped to an organization.
Rolename should avoid having the org_id appended
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -663,6 +663,7 @@ func CreateFirstUser(t testing.TB, client *codersdk.Client) codersdk.CreateFirst
 }
 
 // CreateAnotherUser creates and authenticates a new user.
+// Roles can include org scoped roles with 'roleName:<organization_id>'
 func CreateAnotherUser(t testing.TB, client *codersdk.Client, organizationID uuid.UUID, roles ...string) (*codersdk.Client, codersdk.User) {
 	return createAnotherUserRetry(t, client, organizationID, 5, roles)
 }
@@ -754,6 +755,8 @@ func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationI
 		for _, roleName := range roles {
 			roleName := roleName
 			orgID, ok := rbac.IsOrgRole(roleName)
+			roleName, _, err = rbac.RoleSplit(roleName)
+			require.NoError(t, err, "split org role name")
 			if ok {
 				orgRoles[orgID] = append(orgRoles[orgID], roleName)
 			} else {
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -2847,8 +2847,15 @@ func (q *querier) UpdateMemberRoles(ctx context.Context, arg database.UpdateMemb
 		return database.OrganizationMember{}, err
 	}
 
+	// The 'rbac' package expects role names to be scoped.
+	// Convert the argument roles for validation.
+	scopedGranted := make([]string, 0, len(arg.GrantedRoles))
+	for _, grantedRole := range arg.GrantedRoles {
+		scopedGranted = append(scopedGranted, rbac.RoleName(grantedRole, arg.OrgID.String()))
+	}
+
 	// The org member role is always implied.
-	impliedTypes := append(arg.GrantedRoles, rbac.RoleOrgMember(arg.OrgID))
+	impliedTypes := append(scopedGranted, rbac.RoleOrgMember(arg.OrgID))
 	added, removed := rbac.ChangeRoleSet(member.Roles, impliedTypes)
 	err = q.canAssignRoles(ctx, &arg.OrgID, added, removed)
 	if err != nil {
diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
@@ -1997,7 +1997,9 @@ func (q *FakeQuerier) GetAuthorizationUserRoles(_ context.Context, userID uuid.U
 
 	for _, mem := range q.organizationMembers {
 		if mem.UserID == userID {
-			roles = append(roles, mem.Roles...)
+			for _, orgRole := range mem.Roles {
+				roles = append(roles, orgRole+":"+mem.OrganizationID.String())
+			}
 			roles = append(roles, "organization-member:"+mem.OrganizationID.String())
 		}
 	}
diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
diff --git a/coderd/database/migrations/000215_scoped_org_db_roles.down.sql b/coderd/database/migrations/000215_scoped_org_db_roles.down.sql
@@ -0,0 +1 @@
+ALTER TABLE ONLY organization_members ALTER COLUMN roles SET DEFAULT '{organization-member}';
diff --git a/coderd/database/migrations/000215_scoped_org_db_roles.up.sql b/coderd/database/migrations/000215_scoped_org_db_roles.up.sql
@@ -0,0 +1,7 @@
+-- The default was 'organization-member', but we imply that in the
+-- 'GetAuthorizationUserRoles' query.
+ALTER TABLE ONLY organization_members ALTER COLUMN roles SET DEFAULT '{}';
+
+-- No one should be using organization roles yet. If they are, the names in the
+-- database are now incorrect. Just remove them all.
+UPDATE organization_members SET roles = '{}';
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/users.sql b/coderd/database/queries/users.sql
@@ -227,12 +227,14 @@ SELECT
 		array_append(users.rbac_roles, 'member'),
 		(
 			SELECT
-				array_agg(org_roles)
+				-- The roles are returned as a flat array, org scoped and site side.
+				-- Concatenating the organization id scopes the organization roles.
+				array_agg(org_roles || ':' || organization_members.organization_id::text)
 			FROM
 				organization_members,
-				-- All org_members get the org-member role for their orgs
+				-- All org_members get the organization-member role for their orgs
 				unnest(
-					array_append(roles, 'organization-member:' || organization_members.organization_id::text)
+					array_append(roles, 'organization-member')
 				) AS org_roles
 			WHERE
 				user_id = users.id

Original file line number	Diff line number	Diff line change
`@@ -1997,7 +1997,9 @@ func (q *FakeQuerier) GetAuthorizationUserRoles(_ context.Context, userID uuid.U`
`1997`	`1997`
`1998`	`1998`	`for _, mem := range q.organizationMembers {`
`1999`	`1999`	`if mem.UserID == userID {`
`2000`		`- roles = append(roles, mem.Roles...)`
	`2000`	`+ for _, orgRole := range mem.Roles {`
	`2001`	`+ roles = append(roles, orgRole+":"+mem.OrganizationID.String())`
	`2002`	`+ }`
`2001`	`2003`	`roles = append(roles, "organization-member:"+mem.OrganizationID.String())`
`2002`	`2004`	`}`
`2003`	`2005`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TABLE ONLY organization_members ALTER COLUMN roles SET DEFAULT '{organization-member}';`