Access-control: use role UID when adding/removing roles (#32438)

2025-02-25 18:55:37 -06:00 · 2021-03-29 18:36:48 +03:00 · 2021-03-29 18:36:48 +03:00 · 20f6ba5ba4
commit 20f6ba5ba4
parent c4d5a67b38
4 changed files with 56 additions and 56 deletions
--- a/pkg/services/accesscontrol/database/database.go
+++ b/pkg/services/accesscontrol/database/database.go
@ -449,44 +449,46 @@ func (*AccessControlStore) userRolesFilter(orgID, userID int64, roles []string)

 func (ac *AccessControlStore) AddTeamRole(cmd *accesscontrol.AddTeamRoleCommand) error {
 	return ac.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
-		if res, err := sess.Query("SELECT 1 from team_role WHERE org_id=? and team_id=? and role_id=?", cmd.OrgID, cmd.TeamID, cmd.RoleID); err != nil {
+		role, err := getRoleByUID(sess, cmd.RoleUID, cmd.OrgID)
+		if err != nil {
 			return err
-		} else if len(res) == 1 {
-			return accesscontrol.ErrTeamRoleAlreadyAdded
 		}

 		if _, err := teamExists(cmd.OrgID, cmd.TeamID, sess); err != nil {
 			return err
 		}

-		if _, err := roleExists(cmd.OrgID, cmd.RoleID, sess); err != nil {
+		if res, err := sess.Query("SELECT 1 from team_role WHERE org_id=? and team_id=? and role_id=?", cmd.OrgID, cmd.TeamID, role.ID); err != nil {
 			return err
+		} else if len(res) == 1 {
+			return accesscontrol.ErrTeamRoleAlreadyAdded
 		}

 		teamRole := &accesscontrol.TeamRole{
 			OrgID:   cmd.OrgID,
 			TeamID:  cmd.TeamID,
-			RoleID:  cmd.RoleID,
+			RoleID:  role.ID,
 			Created: TimeNow(),
 		}

-		_, err := sess.Insert(teamRole)
+		_, err = sess.Insert(teamRole)
 		return err
 	})
 }

 func (ac *AccessControlStore) RemoveTeamRole(cmd *accesscontrol.RemoveTeamRoleCommand) error {
 	return ac.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
+		role, err := getRoleByUID(sess, cmd.RoleUID, cmd.OrgID)
+		if err != nil {
+			return err
+		}
+
 		if _, err := teamExists(cmd.OrgID, cmd.TeamID, sess); err != nil {
 			return err
 		}

-		if _, err := roleExists(cmd.OrgID, cmd.RoleID, sess); err != nil {
-			return err
-		}
-
 		q := "DELETE FROM team_role WHERE org_id=? and team_id=? and role_id=?"
-		res, err := sess.Exec(q, cmd.OrgID, cmd.TeamID, cmd.RoleID)
+		res, err := sess.Exec(q, cmd.OrgID, cmd.TeamID, role.ID)
 		if err != nil {
 			return err
 		}
@ -501,36 +503,38 @@ func (ac *AccessControlStore) RemoveTeamRole(cmd *accesscontrol.RemoveTeamRoleCo

 func (ac *AccessControlStore) AddUserRole(cmd *accesscontrol.AddUserRoleCommand) error {
 	return ac.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
-		if res, err := sess.Query("SELECT 1 from user_role WHERE org_id=? and user_id=? and role_id=?", cmd.OrgID, cmd.UserID, cmd.RoleID); err != nil {
+		role, err := getRoleByUID(sess, cmd.RoleUID, cmd.OrgID)
+		if err != nil {
+			return err
+		}
+
+		if res, err := sess.Query("SELECT 1 from user_role WHERE org_id=? and user_id=? and role_id=?", cmd.OrgID, cmd.UserID, role.ID); err != nil {
 			return err
 		} else if len(res) == 1 {
 			return accesscontrol.ErrUserRoleAlreadyAdded
 		}

-		if _, err := roleExists(cmd.OrgID, cmd.RoleID, sess); err != nil {
-			return err
-		}
-
 		userRole := &accesscontrol.UserRole{
 			OrgID:   cmd.OrgID,
 			UserID:  cmd.UserID,
-			RoleID:  cmd.RoleID,
+			RoleID:  role.ID,
 			Created: TimeNow(),
 		}

-		_, err := sess.Insert(userRole)
+		_, err = sess.Insert(userRole)
 		return err
 	})
 }

 func (ac *AccessControlStore) RemoveUserRole(cmd *accesscontrol.RemoveUserRoleCommand) error {
 	return ac.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
-		if _, err := roleExists(cmd.OrgID, cmd.RoleID, sess); err != nil {
+		role, err := getRoleByUID(sess, cmd.RoleUID, cmd.OrgID)
+		if err != nil {
 			return err
 		}

 		q := "DELETE FROM user_role WHERE org_id=? and user_id=? and role_id=?"
-		res, err := sess.Exec(q, cmd.OrgID, cmd.UserID, cmd.RoleID)
+		res, err := sess.Exec(q, cmd.OrgID, cmd.UserID, role.ID)
 		if err != nil {
 			return err
 		}
--- a/pkg/services/accesscontrol/models.go
+++ b/pkg/services/accesscontrol/models.go
@ -148,27 +148,27 @@ type DeleteRoleCommand struct {
 }

 type AddTeamRoleCommand struct {
-	OrgID  int64 `json:"org_id"`
-	RoleID int64 `json:"role_id"`
-	TeamID int64 `json:"team_id"`
+	OrgID   int64  `json:"org_id"`
+	RoleUID string `json:"role_uid"`
+	TeamID  int64  `json:"team_id"`
 }

 type RemoveTeamRoleCommand struct {
-	OrgID  int64 `json:"org_id"`
-	RoleID int64 `json:"role_id"`
-	TeamID int64 `json:"team_id"`
+	OrgID   int64  `json:"org_id"`
+	RoleUID string `json:"role_uid"`
+	TeamID  int64  `json:"team_id"`
 }

 type AddUserRoleCommand struct {
-	OrgID  int64 `json:"org_id"`
-	RoleID int64 `json:"role_id"`
-	UserID int64 `json:"user_id"`
+	OrgID   int64  `json:"org_id"`
+	RoleUID string `json:"role_uid"`
+	UserID  int64  `json:"user_id"`
 }

 type RemoveUserRoleCommand struct {
-	OrgID  int64 `json:"org_id"`
-	RoleID int64 `json:"role_id"`
-	UserID int64 `json:"user_id"`
+	OrgID   int64  `json:"org_id"`
+	RoleUID string `json:"role_uid"`
+	UserID  int64  `json:"user_id"`
 }

 type EvaluationResult struct {
--- a/pkg/services/accesscontrol/testing/common.go
+++ b/pkg/services/accesscontrol/testing/common.go
@ -59,13 +59,12 @@ func CreateUserWithRole(t *testing.T, db *sqlstore.SQLStore, ac accesscontrol.St
 			OrgID: 1,
 			Name:  p.Name,
 		}
-		res, err := ac.CreateRole(context.Background(), createRoleCmd)
+		role, err := ac.CreateRole(context.Background(), createRoleCmd)
 		require.NoError(t, err)
-		roleId := res.ID

 		for _, perm := range p.Permissions {
 			permCmd := accesscontrol.CreatePermissionCommand{
-				RoleID:     roleId,
+				RoleID:     role.ID,
 				Permission: perm.Permission,
 				Scope:      perm.Scope,
 			}
@ -75,9 +74,9 @@ func CreateUserWithRole(t *testing.T, db *sqlstore.SQLStore, ac accesscontrol.St
 		}

 		addUserRoleCmd := accesscontrol.AddUserRoleCommand{
-			OrgID:  1,
-			RoleID: roleId,
-			UserID: userId,
+			OrgID:   1,
+			RoleUID: role.UID,
+			UserID:  userId,
 		}
 		err = ac.AddUserRole(&addUserRoleCmd)
 		require.NoError(t, err)
@ -95,13 +94,12 @@ func CreateTeamWithRole(t *testing.T, db *sqlstore.SQLStore, ac accesscontrol.St
 			OrgID: orgID,
 			Name:  p.Name,
 		}
-		res, err := ac.CreateRole(context.Background(), createRoleCmd)
+		role, err := ac.CreateRole(context.Background(), createRoleCmd)
 		require.NoError(t, err)
-		roleId := res.ID

 		for _, perm := range p.Permissions {
 			permCmd := accesscontrol.CreatePermissionCommand{
-				RoleID:     roleId,
+				RoleID:     role.ID,
 				Permission: perm.Permission,
 				Scope:      perm.Scope,
 			}
@ -111,9 +109,9 @@ func CreateTeamWithRole(t *testing.T, db *sqlstore.SQLStore, ac accesscontrol.St
 		}

 		addTeamRoleCmd := accesscontrol.AddTeamRoleCommand{
-			OrgID:  1,
-			RoleID: roleId,
-			TeamID: teamId,
+			OrgID:   1,
+			RoleUID: role.UID,
+			TeamID:  teamId,
 		}
 		err = ac.AddTeamRole(&addTeamRoleCmd)
 		require.NoError(t, err)
--- a/pkg/services/accesscontrol/testing/common_bench.go
+++ b/pkg/services/accesscontrol/testing/common_bench.go
@ -35,15 +35,14 @@ func GenerateRoles(b *testing.B, db *sqlstore.SQLStore, ac accesscontrol.Store,
 		for j := 0; j < rolesPerUser; j++ {
 			roleName := fmt.Sprintf("role_%s_%v", teamName, j)
 			createRoleCmd := accesscontrol.CreateRoleCommand{OrgID: 1, Name: roleName}
-			res, err := ac.CreateRole(context.Background(), createRoleCmd)
+			role, err := ac.CreateRole(context.Background(), createRoleCmd)
 			require.NoError(b, err)
-			roleId := res.ID

 			for k := 0; k < PermissionsPerRole; k++ {
 				permission := fmt.Sprintf("permission_%v", k)
 				scope := fmt.Sprintf("scope_%v", k)
 				permCmd := accesscontrol.CreatePermissionCommand{
-					RoleID:     roleId,
+					RoleID:     role.ID,
 					Permission: permission,
 					Scope:      scope,
 				}
@ -53,9 +52,9 @@ func GenerateRoles(b *testing.B, db *sqlstore.SQLStore, ac accesscontrol.Store,
 			}

 			addTeamRoleCmd := accesscontrol.AddTeamRoleCommand{
-				OrgID:  1,
-				RoleID: roleId,
-				TeamID: teamId,
+				OrgID:   1,
+				RoleUID: role.UID,
+				TeamID:  teamId,
 			}
 			err = ac.AddTeamRole(&addTeamRoleCmd)
 			require.NoError(b, err)
@ -76,15 +75,14 @@ func GenerateRoles(b *testing.B, db *sqlstore.SQLStore, ac accesscontrol.Store,
 			for j := 0; j < rolesPerUser; j++ {
 				roleName := fmt.Sprintf("role_%s_%v", userName, j)
 				createRoleCmd := accesscontrol.CreateRoleCommand{OrgID: 1, Name: roleName}
-				res, err := ac.CreateRole(context.Background(), createRoleCmd)
+				role, err := ac.CreateRole(context.Background(), createRoleCmd)
 				require.NoError(b, err)
-				roleId := res.ID

 				for k := 0; k < PermissionsPerRole; k++ {
 					permission := fmt.Sprintf("permission_%v", k)
 					scope := fmt.Sprintf("scope_%v", k)
 					permCmd := accesscontrol.CreatePermissionCommand{
-						RoleID:     roleId,
+						RoleID:     role.ID,
 						Permission: permission,
 						Scope:      scope,
 					}
@ -94,9 +92,9 @@ func GenerateRoles(b *testing.B, db *sqlstore.SQLStore, ac accesscontrol.Store,
 				}

 				addUserRoleCmd := accesscontrol.AddUserRoleCommand{
-					OrgID:  1,
-					RoleID: roleId,
-					UserID: userId,
+					OrgID:   1,
+					RoleUID: role.UID,
+					UserID:  userId,
 				}
 				err = ac.AddUserRole(&addUserRoleCmd)
 				require.NoError(b, err)