fix site <-> user perms bug

Emyrk · Emyrk · commit 70bcd3dbdf64 · 2024-05-16T17:41:59.000-05:00
diff --git a/coderd/database/db2sdk/db2sdk.go b/coderd/database/db2sdk/db2sdk.go
@@ -532,7 +532,7 @@ func Role(role rbac.Role) codersdk.Role {
 		DisplayName:             role.DisplayName,
 		SitePermissions:         List(role.Site, Permission),
 		OrganizationPermissions: Map(role.Org, ListLazy(Permission)),
-		UserPermissions:         List(role.Site, Permission),
+		UserPermissions:         List(role.User, Permission),
 	}
 }
 
diff --git a/enterprise/cli/roleedit.go b/enterprise/cli/roleedit.go
@@ -19,9 +19,9 @@ import (
 func (r *RootCmd) editRole() *serpent.Command {
 	formatter := cliui.NewOutputFormatter(
 		cliui.ChangeFormatterData(
-			cliui.TableFormat([]codersdk.Role{}, []string{"name", "display_name", "site_permissions", "org_permissions", "user_permissions"}),
+			cliui.TableFormat([]roleTableView{}, []string{"name", "display_name", "site_permissions", "org_permissions", "user_permissions"}),
 			func(data any) (any, error) {
-				return []codersdk.Role{data.(codersdk.Role)}, nil
+				return []roleTableView{roleToTableView(data.(codersdk.Role))}, nil
 			},
 		),
 		cliui.JSONFormat(),
@@ -51,108 +51,126 @@ func (r *RootCmd) editRole() *serpent.Command {
 			},
 		},
 		Middleware: serpent.Chain(
-			serpent.RequireNArgs(1),
+			serpent.RequireRangeArgs(0, 1),
 			r.InitClient(client),
 		),
 		Handler: func(inv *serpent.Invocation) error {
 			ctx := inv.Context()
-			roles, err := client.ListSiteRoles(ctx)
-			if err != nil {
-				return xerrors.Errorf("listing roles: %w", err)
-			}
-
-			// Make sure the role actually exists first
-			var originalRole codersdk.AssignableRoles
-			for _, r := range roles {
-				if strings.EqualFold(inv.Args[0], r.Name) {
-					originalRole = r
-					break
-				}
-			}
-
-			if originalRole.Name == "" {
-				_, err = cliui.Prompt(inv, cliui.PromptOptions{
-					Text:      "No role exists with that name, do you want to create one?",
-					Default:   "yes",
-					IsConfirm: true,
-				})
-				if err != nil {
-					return xerrors.Errorf("abort: %w", err)
-				}
 
-				originalRole.Role = codersdk.Role{
-					Name: inv.Args[0],
-				}
-			}
-
-			var customRole *codersdk.Role
-			// Either interactive, or take input mode.
+			var customRole codersdk.Role
 			fi, _ := os.Stdin.Stat()
 			if (fi.Mode() & os.ModeCharDevice) == 0 {
+				// JSON Upload mode
 				bytes, err := io.ReadAll(os.Stdin)
 				if err != nil {
 					return xerrors.Errorf("reading stdin: %w", err)
 				}
 
-				err = json.Unmarshal(bytes, customRole)
+				err = json.Unmarshal(bytes, &customRole)
 				if err != nil {
 					return xerrors.Errorf("parsing stdin json: %w", err)
 				}
-			} else {
-				// Interactive mode
-				if len(originalRole.OrganizationPermissions) > 0 {
-					return xerrors.Errorf("unable to edit role in interactive mode, it contains organization permissions")
-				}
 
-				if len(originalRole.UserPermissions) > 0 {
-					return xerrors.Errorf("unable to edit role in interactive mode, it contains user permissions")
+				if customRole.Name == "" {
+					arr := make([]json.RawMessage, 0)
+					err = json.Unmarshal(bytes, &arr)
+					if err == nil && len(arr) > 0 {
+						return xerrors.Errorf("the input appears to be an array, only 1 role can be sent at a time")
+					}
+					return xerrors.Errorf("json input does not appear to be a valid role")
 				}
-
-				customRole, err = interactiveEdit(inv, &originalRole.Role)
+			} else {
+				interactiveRole, err := interactiveEdit(inv, client)
 				if err != nil {
 					return xerrors.Errorf("editing role: %w", err)
 				}
-			}
 
-			totalOrg := 0
-			for _, o := range customRole.OrganizationPermissions {
-				totalOrg += len(o)
-			}
-			preview := fmt.Sprintf("perms: %d site, %d over %d orgs, %d user",
-				len(customRole.SitePermissions), totalOrg, len(customRole.OrganizationPermissions), len(customRole.UserPermissions))
-			_, err = cliui.Prompt(inv, cliui.PromptOptions{
-				Text:      "Are you sure you wish to update the role? " + preview,
-				Default:   "yes",
-				IsConfirm: true,
-			})
-			if err != nil {
-				return xerrors.Errorf("abort: %w", err)
+				customRole = *interactiveRole
+
+				// Only the interactive can answer prompts.
+				totalOrg := 0
+				for _, o := range customRole.OrganizationPermissions {
+					totalOrg += len(o)
+				}
+				preview := fmt.Sprintf("perms: %d site, %d over %d orgs, %d user",
+					len(customRole.SitePermissions), totalOrg, len(customRole.OrganizationPermissions), len(customRole.UserPermissions))
+				_, err = cliui.Prompt(inv, cliui.PromptOptions{
+					Text:      "Are you sure you wish to update the role? " + preview,
+					Default:   "yes",
+					IsConfirm: true,
+				})
+				if err != nil {
+					return xerrors.Errorf("abort: %w", err)
+				}
 			}
 
+			var err error
 			var updated codersdk.Role
 			if dryRun {
 				// Do not actually post
-				updated = *customRole
+				updated = customRole
 			} else {
-				updated, err = client.PatchRole(ctx, *customRole)
+				updated, err = client.PatchRole(ctx, customRole)
 				if err != nil {
 					return fmt.Errorf("patch role: %w", err)
 				}
 			}
 
-			_, err = formatter.Format(ctx, updated)
+			output, err := formatter.Format(ctx, updated)
 			if err != nil {
 				return xerrors.Errorf("formatting: %w", err)
 			}
-			return nil
+
+			_, err = fmt.Fprintln(inv.Stdout, output)
+			return err
 		},
 	}
 
 	formatter.AttachOptions(&cmd.Options)
 	return cmd
 }
 
-func interactiveEdit(inv *serpent.Invocation, role *codersdk.Role) (*codersdk.Role, error) {
+func interactiveEdit(inv *serpent.Invocation, client *codersdk.Client) (*codersdk.Role, error) {
+	ctx := inv.Context()
+	roles, err := client.ListSiteRoles(ctx)
+	if err != nil {
+		return nil, xerrors.Errorf("listing roles: %w", err)
+	}
+
+	// Make sure the role actually exists first
+	var originalRole codersdk.AssignableRoles
+	for _, r := range roles {
+		if strings.EqualFold(inv.Args[0], r.Name) {
+			originalRole = r
+			break
+		}
+	}
+
+	if originalRole.Name == "" {
+		_, err = cliui.Prompt(inv, cliui.PromptOptions{
+			Text:      "No role exists with that name, do you want to create one?",
+			Default:   "yes",
+			IsConfirm: true,
+		})
+		if err != nil {
+			return nil, xerrors.Errorf("abort: %w", err)
+		}
+
+		originalRole.Role = codersdk.Role{
+			Name: inv.Args[0],
+		}
+	}
+
+	// Some checks since interactive mode is limited in what it currently sees
+	if len(originalRole.OrganizationPermissions) > 0 {
+		return nil, xerrors.Errorf("unable to edit role in interactive mode, it contains organization permissions")
+	}
+
+	if len(originalRole.UserPermissions) > 0 {
+		return nil, xerrors.Errorf("unable to edit role in interactive mode, it contains user permissions")
+	}
+
+	role := &originalRole.Role
 	allowedResources := []codersdk.RBACResource{
 		codersdk.ResourceTemplate,
 		codersdk.ResourceWorkspace,
diff --git a/enterprise/cli/rolescmd.go b/enterprise/cli/rolescmd.go
@@ -44,13 +44,9 @@ func (r *RootCmd) showRole() *serpent.Command {
 				rows := make([]assignableRolesTableRow, 0, len(input))
 				for _, role := range input {
 					rows = append(rows, assignableRolesTableRow{
-						Name:                    role.Name,
-						DisplayName:             role.DisplayName,
-						SitePermissions:         fmt.Sprintf("%d permissions", len(role.SitePermissions)),
-						OrganizationPermissions: fmt.Sprintf("%d organizations", len(role.OrganizationPermissions)),
-						UserPermissions:         fmt.Sprintf("%d permissions", len(role.UserPermissions)),
-						Assignable:              role.Assignable,
-						BuiltIn:                 role.BuiltIn,
+						roleTableView: roleToTableView(role.Role),
+						Assignable:    role.Assignable,
+						BuiltIn:       role.BuiltIn,
 					})
 				}
 				return rows, nil
@@ -100,13 +96,27 @@ func (r *RootCmd) showRole() *serpent.Command {
 	return cmd
 }
 
-type assignableRolesTableRow struct {
+func roleToTableView(role codersdk.Role) roleTableView {
+	return roleTableView{
+		Name:                    role.Name,
+		DisplayName:             role.DisplayName,
+		SitePermissions:         fmt.Sprintf("%d permissions", len(role.SitePermissions)),
+		OrganizationPermissions: fmt.Sprintf("%d organizations", len(role.OrganizationPermissions)),
+		UserPermissions:         fmt.Sprintf("%d permissions", len(role.UserPermissions)),
+	}
+}
+
+type roleTableView struct {
 	Name            string `table:"name,default_sort"`
 	DisplayName     string `table:"display_name"`
 	SitePermissions string ` table:"site_permissions"`
 	// map[<org_id>] -> Permissions
 	OrganizationPermissions string `table:"org_permissions"`
 	UserPermissions         string `table:"user_permissions"`
-	Assignable              bool   `table:"assignable"`
-	BuiltIn                 bool   `table:"built_in"`
+}
+
+type assignableRolesTableRow struct {
+	roleTableView `table:"r,recursive_inline"`
+	Assignable    bool `table:"assignable"`
+	BuiltIn       bool `table:"built_in"`
 }
diff --git a/enterprise/cmd/coder/role.json b/enterprise/cmd/coder/role.json
@@ -0,0 +1,2 @@
+  {
+  }
diff --git a/enterprise/coderd/roles_test.go b/enterprise/coderd/roles_test.go
@@ -67,9 +67,18 @@ func TestCustomRole(t *testing.T) {
 		allRoles, err := tmplAdmin.ListSiteRoles(ctx)
 		require.NoError(t, err)
 
+		var foundRole codersdk.AssignableRoles
 		require.True(t, slices.ContainsFunc(allRoles, func(selected codersdk.AssignableRoles) bool {
-			return selected.Name == role.Name
+			if selected.Name == role.Name {
+				foundRole = selected
+				return true
+			}
+			return false
 		}), "role missing from site role list")
+
+		require.Len(t, foundRole.SitePermissions, 7)
+		require.Len(t, foundRole.OrganizationPermissions, 0)
+		require.Len(t, foundRole.UserPermissions, 0)
 	})
 
 	// Revoked licenses cannot modify/create custom roles, but they can

Original file line number	Diff line number	Diff line change
`@@ -532,7 +532,7 @@ func Role(role rbac.Role) codersdk.Role {`
`532`	`532`	`DisplayName: role.DisplayName,`
`533`	`533`	`SitePermissions: List(role.Site, Permission),`
`534`	`534`	`OrganizationPermissions: Map(role.Org, ListLazy(Permission)),`
`535`		`- UserPermissions: List(role.Site, Permission),`
	`535`	`+ UserPermissions: List(role.User, Permission),`
`536`	`536`	`}`
`537`	`537`	`}`
`538`	`538`