Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion app/controlplane/cmd/wire_gen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
{
"ActionType": "RoleChanged",
"TargetType": "User",
"TargetID": "1089bb36-e27b-428b-8009-d015c8737c54",
"ActorType": "USER",
"ActorID": "1089bb36-e27b-428b-8009-d015c8737c54",
"ActorEmail": "john@cyberdyne.io",
"OrgID": "1089bb36-e27b-428b-8009-d015c8737c54",
"Description": "john@cyberdyne.io role changed from 'role:org:owner' to 'role:org:member'",
"Info": {
"user_id": "1089bb36-e27b-428b-8009-d015c8737c54",
"email": "john@cyberdyne.io",
"sso_groups": [
"group1",
"group2"
],
"old_role": "role:org:owner",
"new_role": "role:org:member"
},
"Digest": "sha256:80bfd69a13fe4736ad2642ec20eaecc8f002e1774089d75d3c9fcee421af4247"
}
29 changes: 26 additions & 3 deletions app/controlplane/pkg/auditor/events/user.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,10 @@ var (
)

const (
UserType auditor.TargetType = "User"
UserSignedUpActionType string = "SignedUp"
UserLoggedInActionType string = "LoggedIn"
UserType auditor.TargetType = "User"
UserSignedUpActionType string = "SignedUp"
UserLoggedInActionType string = "LoggedIn"
UserRoleChangedActionType string = "RoleChanged"
)

// UserBase is the base struct for policy events
Expand Down Expand Up @@ -96,3 +97,25 @@ func (p *UserLoggedIn) ActionInfo() (json.RawMessage, error) {

return json.Marshal(&p)
}

type UserRoleChanged struct {
*UserBase
OldRole string `json:"old_role,omitempty"`
NewRole string `json:"new_role,omitempty"`
}

func (p *UserRoleChanged) ActionType() string {
return UserRoleChangedActionType
}

func (p *UserRoleChanged) Description() string {
return fmt.Sprintf("%s role changed from '%s' to '%s'", p.Email, p.OldRole, p.NewRole)
}

func (p *UserRoleChanged) ActionInfo() (json.RawMessage, error) {
if p.UserID == nil || p.Email == "" || p.OldRole == "" || p.NewRole == "" {
return nil, errors.New("user id, email, old role and new role are required")
}

return json.Marshal(&p)
}
15 changes: 15 additions & 0 deletions app/controlplane/pkg/auditor/events/user_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ import (

"github.com/chainloop-dev/chainloop/app/controlplane/pkg/auditor"
"github.com/chainloop-dev/chainloop/app/controlplane/pkg/auditor/events"
"github.com/chainloop-dev/chainloop/app/controlplane/pkg/authz"

"github.com/google/uuid"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
Expand Down Expand Up @@ -62,6 +64,19 @@ func TestUserEvents(t *testing.T) {
},
expected: "testdata/users/user_logs_in.json",
},
{
name: "User role changed",
event: &events.UserRoleChanged{
UserBase: &events.UserBase{
UserID: uuidPtr(userUUID),
Email: testEmail,
SSOGroups: []string{"group1", "group2"},
},
OldRole: string(authz.RoleOwner),
NewRole: string(authz.RoleOrgMember),
},
expected: "testdata/users/user_role_changed.json",
},
}

for _, tt := range tests {
Expand Down
41 changes: 35 additions & 6 deletions app/controlplane/pkg/biz/membership.go
Original file line number Diff line number Diff line change
Expand Up @@ -82,14 +82,17 @@ type MembershipsRBAC interface {
}

type MembershipUseCase struct {
repo MembershipRepo
logger *log.Helper
// Repositories
repo MembershipRepo
userRepo UserRepo
// Use Cases
orgUseCase *OrganizationUseCase
logger *log.Helper
auditor *AuditorUseCase
}

func NewMembershipUseCase(repo MembershipRepo, orgUC *OrganizationUseCase, auditor *AuditorUseCase, logger log.Logger) *MembershipUseCase {
return &MembershipUseCase{repo: repo, orgUseCase: orgUC, logger: log.NewHelper(logger), auditor: auditor}
func NewMembershipUseCase(repo MembershipRepo, orgUC *OrganizationUseCase, auditor *AuditorUseCase, userRepo UserRepo, logger log.Logger) *MembershipUseCase {
return &MembershipUseCase{repo: repo, orgUseCase: orgUC, logger: log.NewHelper(logger), userRepo: userRepo, auditor: auditor}
}

// LeaveAndDeleteOrg deletes a membership (and the org i) from the database associated with the current user
Expand Down Expand Up @@ -197,15 +200,41 @@ func (uc *MembershipUseCase) UpdateRole(ctx context.Context, orgID, userID, memb
m, err := uc.repo.FindByIDInOrg(ctx, orgUUID, membershipUUID)
if err != nil {
return nil, fmt.Errorf("failed to find membership: %w", err)
} else if m == nil {
}

if m == nil {
return nil, NewErrNotFound("membership")
}

if m.User.ID == userID {
return nil, NewErrValidationStr("cannot update yourself")
}

return uc.repo.SetRole(ctx, membershipUUID, role)
userUUID, err := uuid.Parse(m.User.ID)
if err != nil {
return nil, NewErrInvalidUUID(err)
}

user, err := uc.userRepo.FindByID(ctx, userUUID)
if err != nil {
return nil, fmt.Errorf("failed to find user: %w", err)
}

updatedMembership, err := uc.repo.SetRole(ctx, membershipUUID, role)
if err != nil {
return nil, fmt.Errorf("failed to update membership role: %w", err)
}

uc.auditor.Dispatch(ctx, &events.UserRoleChanged{
UserBase: &events.UserBase{
UserID: &userUUID,
Email: user.Email,
},
OldRole: string(m.Role),
NewRole: string(role),
}, &m.OrganizationID)

return updatedMembership, nil
}

type membershipCreateOpts struct {
Expand Down
4 changes: 2 additions & 2 deletions app/controlplane/pkg/biz/testhelpers/wire_gen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading