feat: reset the role when updating user

flanksource · Sep 4, 2024 · 977fcb6 · 977fcb6
1 parent 3516189
commit 977fcb6
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 15 deletions.
diff --git a/echo/users.go → echo/people.go b/echo/users.go → echo/people.go
@@ -2,29 +2,31 @@ package echo
 
 import (
 	"errors"
+	"fmt"
 	"net/http"
 
 	"github.com/flanksource/duty/api"
 	"github.com/flanksource/duty/context"
 	"github.com/flanksource/duty/types"
 	"github.com/flanksource/incident-commander/auth"
+	"github.com/flanksource/incident-commander/rbac"
 	"github.com/flanksource/incident-commander/vars"
 	echov4 "github.com/labstack/echo/v4"
 	"github.com/ory/client-go"
 	"github.com/samber/lo"
 )
 
-type UpdateUserRequest struct {
-	ID string `json:"id" form:"id"`
+type UpdatePersonRequest struct {
+	ID string `form:"id"`
 
-	FirstName *string `json:"firstName" form:"firstName"`
-	LastName  *string `json:"lastName" form:"lastName"`
-	Email     *string `json:"email" form:"email"`
-	Role      *string `json:"role" form:"role"`
-	Active    *bool   `json:"active" form:"active"`
+	FirstName *string `form:"firstName"`
+	LastName  *string `form:"lastName"`
+	Email     *string `form:"email"`
+	Role      *string `form:"role"`
+	Active    *bool   `form:"active"`
 }
 
-func (t *UpdateUserRequest) ToUpdateIdentityBody(traits map[string]any) client.UpdateIdentityBody {
+func (t *UpdatePersonRequest) ToUpdateIdentityBody(traits map[string]any) client.UpdateIdentityBody {
 	out := client.UpdateIdentityBody{
 		Traits: traits,
 	}
@@ -67,10 +69,10 @@ func (t *PersonController) UpdatePerson(c echov4.Context) error {
 	ctx := c.Request().Context().(context.Context)
 
 	if vars.AuthMode != auth.Kratos {
-		return api.Errorf(api.EINVALID, "updating users is only supported when using Kratos auth mode")
+		return api.Errorf(api.EINVALID, "updating person is only supported when using Kratos auth mode")
 	}
 
-	var req UpdateUserRequest
+	var req UpdatePersonRequest
 	if err := c.Bind(&req); err != nil {
 		return api.Errorf(api.EINVALID, "invalid request body: %v", err)
 	}
@@ -94,5 +96,15 @@ func (t *PersonController) UpdatePerson(c echov4.Context) error {
 		return err
 	}
 
+	if req.Role != nil {
+		if err := rbac.DeleteAllRolesForUser(req.ID); err != nil {
+			return api.WriteError(c, fmt.Errorf("failed to delete existing roles: %w", err))
+		}
+
+		if err := rbac.AddRoleForUser(req.ID, *req.Role); err != nil {
+			return api.WriteError(c, fmt.Errorf("failed to add the new role: %w", err))
+		}
+	}
+
 	return c.JSON(http.StatusOK, identity.Traits)
 }
diff --git a/go.mod b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/containrrr/shoutrrr v0.8.0
 	github.com/fergusstrange/embedded-postgres v1.25.0 // indirect
 	github.com/flanksource/commons v1.29.4
-	github.com/flanksource/duty v1.0.616
+	github.com/flanksource/duty v1.0.619
 	github.com/flanksource/gomplate/v3 v3.24.27
 	github.com/flanksource/kopper v1.0.9
 	github.com/gomarkdown/markdown v0.0.0-20240419095408-642f0ee99ae2
@@ -358,6 +358,6 @@ require (
 
 // replace github.com/flanksource/commons => /Users/moshe/go/src/github.com/flanksource/commons
 
-replace github.com/flanksource/duty => ../duty
+// replace github.com/flanksource/duty => ../dut9
 
 // replace github.com/flanksource/gomplate/v3 => /Users/moshe/go/src/github.com/flanksource/gomplate
diff --git a/go.sum b/go.sum
@@ -875,8 +875,8 @@ github.com/flanksource/artifacts v1.0.14 h1:Vv70bccsae0MwGaf/uSPp34J5V1/PyKfct9z
 github.com/flanksource/artifacts v1.0.14/go.mod h1:qHVCnQu5k50aWNJ5UhpcAKEl7pAzqUrFFKGSm147G70=
 github.com/flanksource/commons v1.29.4 h1:lA+iylPS85LXsKK7lp4wcNx9A3QU2d1BwUfUWIS1t7c=
 github.com/flanksource/commons v1.29.4/go.mod h1:bdTkBoakpFszgjQ16qJ6/qEF9n2s/sc0d2ujYYdFvGs=
-github.com/flanksource/duty v1.0.616 h1:lGKN3ms0oat2P8Aj9/RDzjswkbZvF54SnjNS2YpV0F0=
-github.com/flanksource/duty v1.0.616/go.mod h1:wdoe4wjzj9sqb5D10BEGfWmFSVr/q81Mb6PcXiL8elo=
+github.com/flanksource/duty v1.0.619 h1:va2q9tdNh76AgL4eLNzervrPEIyN4FIY+jpeYpuaeSg=
+github.com/flanksource/duty v1.0.619/go.mod h1:fEsbkDxWoAcjXBDVD9unI8ekrPN/IG1v2Q2+dvoLLvs=
 github.com/flanksource/gomplate/v3 v3.20.4/go.mod h1:27BNWhzzSjDed1z8YShO6W+z6G9oZXuxfNFGd/iGSdc=
 github.com/flanksource/gomplate/v3 v3.24.27 h1:5vw7k0fUj4/b67wDyscJmC4jNCboDbjdl7ebwUF6mtc=
 github.com/flanksource/gomplate/v3 v3.24.27/go.mod h1:x5LuJX08JyvjzrydbG1Hvd+DKopirJsSHNShXynyE0o=

diff --git a/rbac/init.go b/rbac/init.go
@@ -104,10 +104,15 @@ func Stop() {
 		enforcer.StopAutoLoadPolicy()
 	}
 }
+
 func DeleteRoleForUser(user string, role string) error {
 	_, err := enforcer.DeleteRoleForUser(user, role)
 	return err
+}
 
+func DeleteAllRolesForUser(user string) error {
+	_, err := enforcer.DeleteRolesForUser(user)
+	return err
 }
 
 func AddRoleForUser(user string, role ...string) error {

diff --git a/rbac/policies.yaml b/rbac/policies.yaml
@@ -10,7 +10,7 @@
     - everyone
 - principal: viewer
   acl:
-    - objects: database.public,canaries,catalog,playbooks,topology
+    - objects: database.public,canaries,catalog,playbooks,topology,people
       actions: read
 - principal: commander
   acl: