Bosorawis domain iam implement role grant scopes all #5701
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…for org and project
…name some functions
Base automatically changed from
bosorawis-domain-iam-implement-role-grant-scopes-list-and-test
to
llb-normalized-grants
April 30, 2025 18:03
…ent-role-grant-scopes-all
…ent-role-grant-scopes-all
…face all internal functions
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
dkanney
reviewed
May 2, 2025
internal/iam/role.go
Outdated
Comment on lines
48
to
56
| // thisGrantScope return value of `GrantScopeThis` column as *RoleGrantScope. | ||
| // Prior to the grants refactor, `this` grant scope is granted to a role by | ||
| // inserting a row to 'role_grant_scope' table, but we've moved on to storing | ||
| // 'this' grant as a dedicated column in the type-specific role tables | ||
| thisGrantScope() *RoleGrantScope | ||
|
|
||
| // specialGrantScope returns special grant scopes ['descendants', 'children'] if available. | ||
| // returns nil, false if special grant scope is 'individual' | ||
| specialGrantScope() (*RoleGrantScope, bool) |
There was a problem hiding this comment.
Since we're going with a setter/getter style here, I think it could be clearer if we prepend get to these last two methods, so we end up having:
// roleGrantScopeUpdater represents an internal scope type specific role structs that
// support grant scope columns. Currently this only applies to globalRole and orgRole
// this is used in SetRoleGrantScope, AddRoleGrantScope, DeleteRoleGrantScope
type roleGrantScopeUpdater interface {
// setVersion sets value of `Version` of this role. This is used in
// `repository_grant_scope` operations where version column of the associated role
// has to increase when grant scopes list is changed (add/remove) which is done in a different table.
// This version bump cannot be done by automatically with trigger and is being handled in the application code
setVersion(version uint32)
// setThisGrantScope sets value of `GrantThisRoleScope` of this role which control
// whether this role has 'this' scope granted to it
setThisGrantScope(grantThis bool)
// getThisGrantScope return value of `GrantScopeThis` column as *RoleGrantScope.
// Prior to the grants refactor, `this` grant scope is granted to a role by
// inserting a row to 'role_grant_scope' table, but we've moved on to storing
// 'this' grant as a dedicated column in the type-specific role tables
getThisGrantScope() *RoleGrantScope
// setSpecialGrantScope sets value of `GrantScope` column of this role. The allowed values depends on the scope
// that the role is in
// - global-role: ['descendants', 'children', 'individual']
// - org-role: ['children', 'individual']
// - project-role: [] (None)
// This value controls whether special grant scope is granted to this role
setSpecialGrantScope(specialGrant string)
// getSpecialGrantScope returns special grant scopes ['descendants', 'children'] if available.
// returns nil, false if special grant scope is 'individual'
getSpecialGrantScope() (*RoleGrantScope, bool)
}There was a problem hiding this comment.
I feel bad to "actually..." this discussion, but this is against the recommendation in Effective Go: https://go.dev/doc/effective_go#Getters. Personally I prefer not to have the "Get" prefix either 😅.
internal/iam/role_grant_scope.go
Outdated
Comment on lines
51
to
52
| type toRoleGrantScope interface { | ||
| roleGrantScope() *RoleGrantScope |
There was a problem hiding this comment.
I feel like this interface name and its method should be swapped. If an object can be a roleGrantScope, I'd expect it to implement a method called toRoleGrantScope() that converts it to a RoleGrantScope.
There was a problem hiding this comment.
renaming interface to roleGrantScoper which has a function calledroleGrantScope
| roleGrantScopes := []*RoleGrantScope{} | ||
| if err := r.reader.SearchWhere(ctx, &roleGrantScopes, "role_id = ?", []any{roleId}); err != nil { | ||
| // Find existing grant scopes to find duplicate grants | ||
| roleGrantScopes, err := listRoleGrantScopes(ctx, r.reader, []string{roleId}) |
There was a problem hiding this comment.
Nit: maybe call this
Suggested change
| roleGrantScopes, err := listRoleGrantScopes(ctx, r.reader, []string{roleId}) | |
| originalGrantScopes, err := listRoleGrantScopes(ctx, r.reader, []string{roleId}) |
To be consistent with the map name below
Comment on lines
67
to
68
| // allocation type specific role and manually bump version to ensure that version gets updated | ||
| // even when only individual grant scopes which are stored in separate tables are modified |
There was a problem hiding this comment.
This sentence reads like it accidentally a word to me. Is this right?
Suggested change
| // allocation type specific role and manually bump version to ensure that version gets updated | |
| // even when only individual grant scopes which are stored in separate tables are modified | |
| // Allocate a subtype-specific role and manually bump version to ensure that version gets updated | |
| // even when only individual grant scopes, which are stored in separate tables, are modified. |
Comment on lines
82
to
85
| // finalSpecialGrantScope is used to pass into individualGlobalRoleGrantScope | ||
| // this only matters if the role is a global role and the grantScopes contains individual project scope | ||
| // because there are 2 possible values ['individual', 'children']. | ||
| // If there's no scope being added, we have to use the existing iam_role_<type>.grant_scope column |
There was a problem hiding this comment.
Nit:
Suggested change
| // finalSpecialGrantScope is used to pass into individualGlobalRoleGrantScope | |
| // this only matters if the role is a global role and the grantScopes contains individual project scope | |
| // because there are 2 possible values ['individual', 'children']. | |
| // If there's no scope being added, we have to use the existing iam_role_<type>.grant_scope column | |
| // finalSpecialGrantScope is used to pass into individualGlobalRoleGrantScope. | |
| // This only matters if the role is a global role and the grantScopes contains an individual project | |
| // scope, because there are 2 possible values: ['individual', 'children']. | |
| // If there's no scope being added, we have to use the existing iam_role_<type>.grant_scope column |
I don't think the grammar needs to be perfect in comments, but this was a bit confusing to read because of the lack of a full stop.
internal/iam/role.go
Outdated
Comment on lines
48
to
56
| // thisGrantScope return value of `GrantScopeThis` column as *RoleGrantScope. | ||
| // Prior to the grants refactor, `this` grant scope is granted to a role by | ||
| // inserting a row to 'role_grant_scope' table, but we've moved on to storing | ||
| // 'this' grant as a dedicated column in the type-specific role tables | ||
| thisGrantScope() *RoleGrantScope | ||
|
|
||
| // specialGrantScope returns special grant scopes ['descendants', 'children'] if available. | ||
| // returns nil, false if special grant scope is 'individual' | ||
| specialGrantScope() (*RoleGrantScope, bool) |
There was a problem hiding this comment.
I feel bad to "actually..." this discussion, but this is against the recommendation in Effective Go: https://go.dev/doc/effective_go#Getters. Personally I prefer not to have the "Get" prefix either 😅.
|
Database schema diff between To understand how these diffs are generated and some limitations see the FunctionsUnchanged Tablesdiff --git a/.schema-diff/tables_8336e489933de2090fecf4b084d799b1a404652a/iam_role_org.sql b/.schema-diff/tables_22a692c4005b5d62b3a756c23a552038641f9ad4/iam_role_org.sql
index 83a60b4a7..5dd37af9e 100644
--- a/.schema-diff/tables_8336e489933de2090fecf4b084d799b1a404652a/iam_role_org.sql
+++ b/.schema-diff/tables_22a692c4005b5d62b3a756c23a552038641f9ad4/iam_role_org.sql
@@ -35,7 +35,8 @@ create table public.iam_role_org (
grant_this_role_scope_update_time public.wt_timestamp,
grant_scope_update_time public.wt_timestamp,
create_time public.wt_timestamp,
- update_time public.wt_timestamp
+ update_time public.wt_timestamp,
+ constraint iam_role_org_grant_scope_valid_chk check ((grant_scope = any (array['children'::text, 'individual'::text])))
);
ViewsUnchanged TriggersUnchanged IndexesUnchanged ConstraintsUnchanged Foreign Key ConstraintsUnchanged |
| @@ -670,7 +670,7 @@ func Test_SetRoleGrantScope(t *testing.T) { | |||
| expectRoleVersionChange: 0, | |||
| scopes: []string{globals.GrantScopeChildren, globals.GrantScopeDescendants}, | |||
| wantErr: true, | |||
| wantErrMsg: "iam.(Repository).SetRoleGrantScopes: only one of ['children', 'descendants'] can be specified: parameter violation: error #100", | |||
There was a problem hiding this comment.
This error might've been clearer before. I personally think I prefer ' to ` 😅 . I won't insist on it though.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Change implementation of following methods to use new grants data model