Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ensure role exists before we try to remove the role assignment #3949

Merged
merged 2 commits into from
Jul 22, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 24 additions & 16 deletions internal/roles/service.go
Original file line number Diff line number Diff line change
Expand Up @@ -169,26 +169,34 @@ func (_ *roleService) RemoveRoleAssignment(ctx context.Context, qtx db.Querier,
return nil, status.Errorf(codes.Internal, "error getting user: %v", err)
}

// Validate in case there's only one admin for the project and the user is trying to remove themselves
if roleToRemove == authz.RoleAdmin {
// Get all role assignments for the project
as, err := authzClient.AssignmentsToProject(ctx, targetProject)
if err != nil {
return nil, status.Errorf(codes.Internal, "error getting role assignments: %v", err)
}
// Count the number of admin roles
adminRolesCnt := 0
for _, existing := range as {
if existing.Role == authz.RoleAdmin.String() {
adminRolesCnt++
}
// Get all role assignments for the project
as, err := authzClient.AssignmentsToProject(ctx, targetProject)
if err != nil {
return nil, status.Errorf(codes.Internal, "error getting role assignments: %v", err)
}

// Check if there is such role assignment for the user or the user is the last admin
found := false
adminRolesCnt := 0
for _, a := range as {
if a.Subject == identity.String() && a.Role == roleToRemove.String() {
found = true
}
// If there's only one admin role, return an error
if adminRolesCnt <= 1 {
return nil, util.UserVisibleError(codes.FailedPrecondition, "cannot remove the last admin from the project")
if a.Role == authz.RoleAdmin.String() {
adminRolesCnt++
}
}

// If there's no role assignment for the user, return an error
if !found {
return nil, util.UserVisibleError(codes.NotFound, "role assignment for this user does not exist")
rdimitrov marked this conversation as resolved.
Show resolved Hide resolved
}

// If there's only one admin role, return an error
if roleToRemove == authz.RoleAdmin && adminRolesCnt <= 1 {
return nil, util.UserVisibleError(codes.FailedPrecondition, "cannot remove the last admin from the project")
}

// Delete the role assignment
if err := authzClient.Delete(ctx, identity.String(), roleToRemove, targetProject); err != nil {
return nil, status.Errorf(codes.Internal, "error writing role assignment: %v", err)
Expand Down
14 changes: 14 additions & 0 deletions internal/roles/service_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,7 @@ func TestRemoveRole(t *testing.T) {
dBSetup dbf.DBMockBuilder
role authz.Role
expectedError string
noAssignment bool
}{
{
name: "error when user doesn't exist",
Expand All @@ -214,6 +215,15 @@ func TestRemoveRole(t *testing.T) {
withGetUser(validUser, nil),
),
},
{
name: "error when role assignment doesn't exist",
role: authz.RoleEditor,
dBSetup: dbf.NewDBMock(
withGetUser(validUser, nil),
),
noAssignment: true,
expectedError: "role assignment for this user does not exist",
},
}

for _, scenario := range scenarios {
Expand Down Expand Up @@ -245,6 +255,10 @@ func TestRemoveRole(t *testing.T) {
},
}

if scenario.noAssignment {
authzClient.Assignments[project] = []*minderv1.RoleAssignment{}
}

service := NewRoleService()
_, err := service.RemoveRoleAssignment(ctx, store, authzClient, idClient, project, subject, scenario.role)

Expand Down