Bosorawis domain iam implement role grant scopes all #5701
Conversation
…for org and project
…name some functions
…ent-role-grant-scopes-all
…face all internal functions
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
internal/iam/role.go
Outdated
| // thisGrantScope return value of `GrantScopeThis` column as *RoleGrantScope. | ||
| // Prior to the grants refactor, `this` grant scope is granted to a role by | ||
| // inserting a row to 'role_grant_scope' table, but we've moved on to storing | ||
| // 'this' grant as a dedicated column in the type-specific role tables | ||
| thisGrantScope() *RoleGrantScope | ||
|
|
||
| // specialGrantScope returns special grant scopes ['descendants', 'children'] if available. | ||
| // returns nil, false if special grant scope is 'individual' | ||
| specialGrantScope() (*RoleGrantScope, bool) |
There was a problem hiding this comment.
Since we're going with a setter/getter style here, I think it could be clearer if we prepend get to these last two methods, so we end up having:
// roleGrantScopeUpdater represents an internal scope type specific role structs that
// support grant scope columns. Currently this only applies to globalRole and orgRole
// this is used in SetRoleGrantScope, AddRoleGrantScope, DeleteRoleGrantScope
type roleGrantScopeUpdater interface {
// setVersion sets value of `Version` of this role. This is used in
// `repository_grant_scope` operations where version column of the associated role
// has to increase when grant scopes list is changed (add/remove) which is done in a different table.
// This version bump cannot be done by automatically with trigger and is being handled in the application code
setVersion(version uint32)
// setThisGrantScope sets value of `GrantThisRoleScope` of this role which control
// whether this role has 'this' scope granted to it
setThisGrantScope(grantThis bool)
// getThisGrantScope return value of `GrantScopeThis` column as *RoleGrantScope.
// Prior to the grants refactor, `this` grant scope is granted to a role by
// inserting a row to 'role_grant_scope' table, but we've moved on to storing
// 'this' grant as a dedicated column in the type-specific role tables
getThisGrantScope() *RoleGrantScope
// setSpecialGrantScope sets value of `GrantScope` column of this role. The allowed values depends on the scope
// that the role is in
// - global-role: ['descendants', 'children', 'individual']
// - org-role: ['children', 'individual']
// - project-role: [] (None)
// This value controls whether special grant scope is granted to this role
setSpecialGrantScope(specialGrant string)
// getSpecialGrantScope returns special grant scopes ['descendants', 'children'] if available.
// returns nil, false if special grant scope is 'individual'
getSpecialGrantScope() (*RoleGrantScope, bool)
}There was a problem hiding this comment.
I feel bad to "actually..." this discussion, but this is against the recommendation in Effective Go: https://go.dev/doc/effective_go#Getters. Personally I prefer not to have the "Get" prefix either 😅.
internal/iam/role_grant_scope.go
Outdated
| type toRoleGrantScope interface { | ||
| roleGrantScope() *RoleGrantScope |
There was a problem hiding this comment.
I feel like this interface name and its method should be swapped. If an object can be a roleGrantScope, I'd expect it to implement a method called toRoleGrantScope() that converts it to a RoleGrantScope.
There was a problem hiding this comment.
renaming interface to roleGrantScoper which has a function calledroleGrantScope
| roleGrantScopes := []*RoleGrantScope{} | ||
| if err := r.reader.SearchWhere(ctx, &roleGrantScopes, "role_id = ?", []any{roleId}); err != nil { | ||
| // Find existing grant scopes to find duplicate grants | ||
| roleGrantScopes, err := listRoleGrantScopes(ctx, r.reader, []string{roleId}) |
There was a problem hiding this comment.
Nit: maybe call this
| roleGrantScopes, err := listRoleGrantScopes(ctx, r.reader, []string{roleId}) | |
| originalGrantScopes, err := listRoleGrantScopes(ctx, r.reader, []string{roleId}) |
To be consistent with the map name below
| // allocation type specific role and manually bump version to ensure that version gets updated | ||
| // even when only individual grant scopes which are stored in separate tables are modified |
There was a problem hiding this comment.
This sentence reads like it accidentally a word to me. Is this right?
| // allocation type specific role and manually bump version to ensure that version gets updated | |
| // even when only individual grant scopes which are stored in separate tables are modified | |
| // Allocate a subtype-specific role and manually bump version to ensure that version gets updated | |
| // even when only individual grant scopes, which are stored in separate tables, are modified. |
| // finalSpecialGrantScope is used to pass into individualGlobalRoleGrantScope | ||
| // this only matters if the role is a global role and the grantScopes contains individual project scope | ||
| // because there are 2 possible values ['individual', 'children']. | ||
| // If there's no scope being added, we have to use the existing iam_role_<type>.grant_scope column |
There was a problem hiding this comment.
Nit:
| // finalSpecialGrantScope is used to pass into individualGlobalRoleGrantScope | |
| // this only matters if the role is a global role and the grantScopes contains individual project scope | |
| // because there are 2 possible values ['individual', 'children']. | |
| // If there's no scope being added, we have to use the existing iam_role_<type>.grant_scope column | |
| // finalSpecialGrantScope is used to pass into individualGlobalRoleGrantScope. | |
| // This only matters if the role is a global role and the grantScopes contains an individual project | |
| // scope, because there are 2 possible values: ['individual', 'children']. | |
| // If there's no scope being added, we have to use the existing iam_role_<type>.grant_scope column |
I don't think the grammar needs to be perfect in comments, but this was a bit confusing to read because of the lack of a full stop.
internal/iam/role.go
Outdated
| // thisGrantScope return value of `GrantScopeThis` column as *RoleGrantScope. | ||
| // Prior to the grants refactor, `this` grant scope is granted to a role by | ||
| // inserting a row to 'role_grant_scope' table, but we've moved on to storing | ||
| // 'this' grant as a dedicated column in the type-specific role tables | ||
| thisGrantScope() *RoleGrantScope | ||
|
|
||
| // specialGrantScope returns special grant scopes ['descendants', 'children'] if available. | ||
| // returns nil, false if special grant scope is 'individual' | ||
| specialGrantScope() (*RoleGrantScope, bool) |
There was a problem hiding this comment.
I feel bad to "actually..." this discussion, but this is against the recommendation in Effective Go: https://go.dev/doc/effective_go#Getters. Personally I prefer not to have the "Get" prefix either 😅.
|
Database schema diff between To understand how these diffs are generated and some limitations see the FunctionsUnchanged Tablesdiff --git a/.schema-diff/tables_8336e489933de2090fecf4b084d799b1a404652a/iam_role_org.sql b/.schema-diff/tables_22a692c4005b5d62b3a756c23a552038641f9ad4/iam_role_org.sql
index 83a60b4a7..5dd37af9e 100644
--- a/.schema-diff/tables_8336e489933de2090fecf4b084d799b1a404652a/iam_role_org.sql
+++ b/.schema-diff/tables_22a692c4005b5d62b3a756c23a552038641f9ad4/iam_role_org.sql
@@ -35,7 +35,8 @@ create table public.iam_role_org (
grant_this_role_scope_update_time public.wt_timestamp,
grant_scope_update_time public.wt_timestamp,
create_time public.wt_timestamp,
- update_time public.wt_timestamp
+ update_time public.wt_timestamp,
+ constraint iam_role_org_grant_scope_valid_chk check ((grant_scope = any (array['children'::text, 'individual'::text])))
);
ViewsUnchanged TriggersUnchanged IndexesUnchanged ConstraintsUnchanged Foreign Key ConstraintsUnchanged |
| @@ -670,7 +670,7 @@ func Test_SetRoleGrantScope(t *testing.T) { | |||
| expectRoleVersionChange: 0, | |||
| scopes: []string{globals.GrantScopeChildren, globals.GrantScopeDescendants}, | |||
| wantErr: true, | |||
| wantErrMsg: "iam.(Repository).SetRoleGrantScopes: only one of ['children', 'descendants'] can be specified: parameter violation: error #100", | |||
There was a problem hiding this comment.
This error might've been clearer before. I personally think I prefer ' to ` 😅 . I won't insist on it though.
| unique(name, scope_id), | ||
| constraint iam_role_org_grant_scope_valid_chk | ||
| check (grant_scope in ('children', 'individual')) |
There was a problem hiding this comment.
I think this constraint accomplishes the same thing as the above constraint, iam_role_org_grant_scope_enm_fkey
Also, I think this constraint is now causing the insert_invalid_grant_scope sqltest to fail
Change implementation of following methods to use new grants data model