Skip to content

Team Viewer Role & RBAC Improvements #308

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
frodesundby merged 19 commits into from
Jan 21, 2026
Merged

Team Viewer Role & RBAC Improvements #308

frodesundby merged 19 commits into from
Jan 21, 2026

Conversation

@frodesundby
Copy link
Contributor

@frodesundby frodesundby commented Jan 16, 2026
edited
Loading

Key Changes

🔑 Secret Metadata Without Elevation

  • Adds Secret.keys field to expose key names without requiring elevation
  • Secret values still require elevation to view
  • Implements caching for key names to improve performance
  • New integration test for cross-team secret access control

🔄 Secret Client Refactoring

  • Removes custom ServiceAccountClientCreator abstraction
  • Write operations: Use SystemAuthenticatedClient (service account)
  • Read operations: Use ImpersonatedClient (user elevation)
  • Consistent with application/job workload patterns

🧹 Cleanup

  • Removes obsolete euthanasia labels
  • Cleanes up commented code
  • Updates kill-after label to Unix timestamp

@frodesundby frodesundby requested a review from a team as a code owner January 16, 2026 14:39
@jhrv jhrv changed the title Envmapping Team Viewer Role & RBAC Improvements Jan 19, 2026
thokra-nav
thokra-nav reviewed Jan 19, 2026
View reviewed changes
thokra-nav
thokra-nav reviewed Jan 19, 2026
View reviewed changes
thokra-nav
thokra-nav reviewed Jan 19, 2026
View reviewed changes
thokra-nav
thokra-nav approved these changes Jan 21, 2026
View reviewed changes
Copy link
Contributor

@thokra-nav thokra-nav left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approver for å gjøre graphql review grønn, men se over kommentarene

internal/team/queries/team_members.sql
Comment on lines 105 to 119
-- name: UserIsMember :one
-- name: ViewerIsMember :one
SELECT
EXISTS (
SELECT
id
FROM
user_roles
WHERE
user_id = @user_id
AND target_team_slug = @team_slug::slug
AND role_name IN ('Team member', 'Team owner')
)
;

-- name: UserIsOwner :one
Copy link
Contributor

@thokra-nav thokra-nav Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Synes vi kan fortsette å kalle disse UserIs..

internal/team/queries.go Outdated
Comment on lines 455 to 463
func ViewerIsOwner(ctx context.Context, teamSlug slug.Slug, userID uuid.UUID) (bool, error) {
return db(ctx).ViewerIsOwner(ctx, teamsql.ViewerIsOwnerParams{
UserID: userID,
TeamSlug: teamSlug,
})
}

func UserIsMember(ctx context.Context, teamSlug slug.Slug, userID uuid.UUID) (bool, error) {
return db(ctx).UserIsMember(ctx, teamsql.UserIsMemberParams{
func ViewerIsMember(ctx context.Context, teamSlug slug.Slug, userID uuid.UUID) (bool, error) {
return db(ctx).ViewerIsMember(ctx, teamsql.ViewerIsMemberParams{
Copy link
Contributor

@thokra-nav thokra-nav Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Her også, bedre å beholde UserIs... navnene

frodesundby and others added 19 commits January 21, 2026 14:28
@frodesundby @jhrv
feat: Add Secret.keys field to expose secret key names without elevation
c13d8e8 
Co-authored-by: Johnny Horvi <johnny@horvi.no>
@frodesundby @jhrv
Cache secret key names and avoid storing secret values in memory
3e47166 
Co-authored-by: Johnny Horvi <johnny@horvi.no>
@frodesundby
go.sum
b9f765f
@jhrv @frodesundby
Use Unix timestamp for euthanaisa kill-after label
e81329a 
Changed from RFC3339 annotation to Unix timestamp label for
consistency with naiserator webhook and euthanaisa.
@frodesundby
go.sum
8bddd43
@jhrv @frodesundby
Remove unused euthanaisa enabled label
dd6c702
@frodesundby
Remove obsolete commented code from secret resolvers
84d8d5c
@jhrv @frodesundby
viewer
77d3e3e
@jhrv @frodesundby
member -> editor
902220a
@jhrv @frodesundby
roles
c109e4b
@jhrv @frodesundby
fix test
0f0a81d
@jhrv @frodesundby
fmt
f3439fa
@jhrv @frodesundby
fix integration test
3902909
@jhrv @frodesundby
revert
37e758a
@frodesundby
Rename team role "editor" to "member" everywhere
215816d
@frodesundby
Remove obsolete viewer role test from elevation integration tests
4e67910
@frodesundby
Remove service account client logic from secret loader
d1fc1e0 
Refactor secret loader to use impersonated clients for all
operations. Remove ServiceAccountClientCreator and related methods.
Update secret queries to use watcher.ImpersonatedClient and
watcher.Delete.
@frodesundby
Use SystemAuthenticatedClient instead of ImpersonatedClient
6dcaeba
@jhrv @frodesundby
Revert rename from viewer to user
4e3e41d
@frodesundby frodesundby merged commit 38994be into main Jan 21, 2026
10 checks passed
@frodesundby frodesundby deleted the envmapping branch January 21, 2026 13:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhrv jhrv jhrv left review comments

@thokra-nav thokra-nav thokra-nav approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@frodesundby @jhrv @thokra-nav