Bosorawis domain iam implement role grant scopes all (#5701)

* implement getRoleScopeId

* move query to query.go

* improve notfound err message

* improve other err messages

* use named parameter and move getRoleScopeId implementation

* moved getRoleScopeId test

* rename getRoleScopeId to getRoleScopeType

* fix public_id ambiguous error

* undo unintended change to getUserWithAccount

* fix the correct query

* split iam_role_global_individual_grant_scope to have separate tables for org and project

* small comment change

* small comment change

* WIP: add tests

* remove grant_scope as immutable column

* add trigger to delete individual grant scope when grant_scope changes

* add a test that covers changing grant_scope

* rename function and trigger in iam_role_global

* improve assertion in sqltest for iam_role_global

* update iam_role_org to delete redundant grants scope

* minor comment fix

* no longer handle individual grant scope deletion with triggers and rename some functions

* rename test

* add all subtype definitions

* remove unnecessary baseRole subtype

* add clone, setTableName, and GetScope tests

* add ResourceType and Actions test

* add create and delete tests for globalROle

* finish create and delete tests

* add trigger for deleting base role

* add trigger to sync update_time back to base iam_role table

* add update tests

* fix missing err checks

* fix iam_role delete subtype trigger function name and use new.update_time instead of now()

* add struct documentation to role subtypes

* add version update check

* implement getRoleScopeId

* implement getRoleScopeId

* save

* remove struct embedding from iam.Role

* fix tests to use new iam.Role definition

* repository_role_test.go move to new iam.Role model

* repository_principal_role_test.go use new iam.Role model

* repository_role_grant_test.go use new iam.Role model in test

* add oplog info to sql schema

* internal/iam/testing.go use new role schema in TestRole

* add toRole helper function to all role subtype

* remove tests that are no longer relevant

* internal/iam/repository_scope.go use new iam model

* internal/iam/repository_role_grant.go use new iam model

* internal/iam/repository_principal_role.go use new iam model

* internal/iam/repository_role_test.go add test case for global scoped role

* internal/iam/repository_grant_scope.go use new iam model

* fix query

* make create and lookup role work and add tests

* add role id to getRoleScopeId error message

* make DeleteRole work with new model and add tests

* fix update

* ensure oplog.ReplayableMessage is implemented on all role subtypes

* internal/iam/repository_role_grant.go fix slugging version properly

* internal/iam/repository_role.go minor correction to error message saying org instead of scope

* internal/iam/repository_role_test.go add more update tests

* add immutable_fields tests

* fix rebase

* change error code to RecordNotFound

* refactor to use getScopeType

* fix delete test

* add getRoleScope utility function

* repository_principal_role.go: refactor to remove multiple switch statements

* repository_role_grant.go: refactor to reduce LOC

* repository_role.go small refactor to use alloc func

* repository_grant_scope.go refactor

* review comments

* implement getRoleScopeId

* move query to query.go

* improve notfound err message

* improve other err messages

* use named parameter and move getRoleScopeId implementation

* moved getRoleScopeId test

* rename getRoleScopeId to getRoleScopeType

* fix public_id ambiguous error

* undo unintended change to getUserWithAccount

* fix the correct query

* rename test

* change error code to RecordNotFound

* Update internal/iam/repository_role.go

Co-authored-by: David Kanney <[email protected]>

* switch to slice instead of counter

* fix merge mistakes

* handling special scopes in test function

* fix TestRoleWithGrants

* fix minor typo

* make gen

* fix comment typos

* Bosorawis domain iam role use new model list role (#5676)

* add and use new list roles query

* run make gen

* tweaked returned error

* move ListRoleGrantScopes to repository_grant_scope.go

* rename repository_grant_scope to repository_role_grant_scope

* add proto definition for global role individual grant scope tables

* fix test from removing embeded struct from RoleGrantScope

* add grant_scope to proto definition

* implement GlobalRoleIndividualOrgGrantScope and GlobalRoleIndividualProjectGrantScope

* update comment

* run make gen to update comment

* implement OrgRoleIndividualGrantScope and add tests

* implement part of ListRoleGrantScopes

* Add more test

* add more test cases and remove add-grants test

* unexport listRoleGrantScopes

* use reader from function parameter instead of struct method

* rename test to match actual function

* run make gen

* unexport individual grants structs

* unexport individual grants structs - missed one file

* change TestRole and TestRoleGrantScope function to support new model

* add validation for special scopes

* add role_org_individual_grant_scope.pb.go to protobuild make target

* remove dead code from listRoleGrantScopes

* fix testRoleGrantScopeSpecial not handling org role special scope properly

* change proto grant_this default to true

* make TestRole readback the role to get updated version

* implement toRoleGrantScope function on the subtypes

* implement conversion function

* add tests and AddRoleGrantScope before refactor

* working delete grant scope before refactor

* remove unused functions

* refactor repository_role_grant_scope.go

* add tests for SetRoleGrantScopes

* all tests passing

* refactor repository_role_grant_scope.go again

* run make gen

* no longer embed Resource in roleScopeGranter interface and make interface all internal functions

* add additional test case

* fix minor typo

* add a constraint check for iam_role_org.grant_scope

* refactor and comment repository_role_grant_scope.go and add test cases

* remove unused code

* rename roleScopeGranter to roleGrantScopeUpdater

* interface and function rename

* address PR comments

* remove redundant constraint on iam_role_org

* address pr comments

* grant this scope to role by default when creating a role

* tweak comments and variable names

---------

Co-authored-by: David Kanney <[email protected]>

Author: bosorawis

internal/iam/repository_role.go

@@ -48,7 +48,7 @@ func (r *Repository) CreateRole(ctx context.Context, role *Role, opt ...Option)
 				ScopeId:            role.ScopeId,
 				Name:               role.Name,
 				Description:        role.Description,
-				GrantThisRoleScope: false,
+				GrantThisRoleScope: true,
 				GrantScope:         globals.GrantScopeIndividual,
 			},
 		}
@@ -59,7 +59,7 @@ func (r *Repository) CreateRole(ctx context.Context, role *Role, opt ...Option)
 				ScopeId:            role.ScopeId,
 				Name:               role.Name,
 				Description:        role.Description,
-				GrantThisRoleScope: false,
+				GrantThisRoleScope: true,
 				GrantScope:         globals.GrantScopeIndividual,
 			},
 		}
@@ -70,6 +70,7 @@ func (r *Repository) CreateRole(ctx context.Context, role *Role, opt ...Option)
 				ScopeId:     role.ScopeId,
 				Name:        role.Name,
 				Description: role.Description,
+				// GrantThisRoleScope: true, will be set in https://github.com/hashicorp/boundary/pull/5738 since the field doesn't exist yet
 			},
 		}
 	default:

internal/iam/repository_role_grant_scope.go

@@ -242,10 +242,14 @@ func TestRepository_CreateRole(t *testing.T) {
 			assert.NotNil(grp.CreateTime)
 			assert.NotNil(grp.UpdateTime)
 
-			foundGrp, _, _, _, err := repo.LookupRole(context.Background(), grp.PublicId)
+			foundGrp, _, _, grantScopes, err := repo.LookupRole(context.Background(), grp.PublicId)
 			assert.NoError(err)
 			assert.Equal(foundGrp, grp)
 
+			// by default, all created roles has `this` role grant scope
+			assert.Len(grantScopes, 1)
+			assert.Equal(grantScopes[0].ScopeIdOrSpecial, globals.GrantScopeThis)
+
 			err = db.TestVerifyOplog(t, rw, grp.PublicId, db.WithOperation(oplog.OpType_OP_TYPE_CREATE), db.WithCreateNotBefore(10*time.Second))
 			assert.NoError(err)
 		})

internal/iam/repository_role_grant_scope_test.go

@@ -6,6 +6,7 @@ package iam
 import (
 	"context"
 
+	"github.com/hashicorp/boundary/globals"
 	"github.com/hashicorp/boundary/internal/db"
 	"github.com/hashicorp/boundary/internal/db/timestamp"
 	"github.com/hashicorp/boundary/internal/errors"
@@ -17,12 +18,44 @@ import (
 )
 
 const (
-	defaultRoleTableName        = "iam_role"
 	defaultGlobalRoleTableName  = "iam_role_global"
 	defaultOrgRoleTableName     = "iam_role_org"
 	defaultProjectRoleTableName = "iam_role_project"
 )
 
+// roleGrantScopeUpdater represents an internal scope type specific role structs that
+// support grant scope columns. Currently this only applies to globalRole and orgRole
+// this is used in SetRoleGrantScope, AddRoleGrantScope, DeleteRoleGrantScope
+type roleGrantScopeUpdater interface {
+	// setVersion sets value of `Version` of this role. This is used in
+	// `repository_grant_scope` operations where version column of the associated role
+	// has to increase when grant scopes list is changed (add/remove) which is done in a different table.
+	// This version bump cannot be done by automatically with trigger and is being handled in the application code
+	setVersion(version uint32)
+
+	// setThisGrantScope sets value of `GrantThisRoleScope` of this role which control
+	// whether this role has 'this' scope granted to it
+	setGrantThisRoleScope(grantThis bool)
+
+	// setGrantScope sets value of `GrantScope` column of this role.  The allowed values depends on the scope
+	// that the role is in
+	// 	- global-role: ['descendants', 'children', 'individual']
+	// 	- org-role: ['children', 'individual']
+	//	- project-role: [] (None)
+	// This value controls whether special grant scope is granted to this role
+	setGrantScope(specialGrant string)
+
+	// GrantThisRoleScope return value of `GrantScopeThis` column as *RoleGrantScope.
+	// Prior to the grants refactor, `this` grant scope is granted to a role by
+	// inserting a row to 'role_grant_scope' table, but we've moved on to storing
+	// 'this' grant as a dedicated column in the type-specific role tables
+	grantThisRoleScope() *RoleGrantScope
+
+	// GrantScope returns special grant scopes ['descendants', 'children'] if available.
+	// returns nil, false if special grant scope is 'individual'
+	grantScope() (*RoleGrantScope, bool)
+}
+
 // Roles are granted permissions and assignable to Users and Groups.
 type Role struct {
 	PublicId    string
@@ -86,11 +119,13 @@ func (role *Role) GetVersion() uint32 {
 
 // ensure that Role implements the interfaces of: Resource, Cloneable, and db.VetForWriter.
 var (
+	_ roleGrantScopeUpdater   = (*globalRole)(nil)
 	_ Resource                = (*globalRole)(nil)
 	_ Cloneable               = (*globalRole)(nil)
 	_ db.VetForWriter         = (*globalRole)(nil)
 	_ oplog.ReplayableMessage = (*globalRole)(nil)
 
+	_ roleGrantScopeUpdater   = (*orgRole)(nil)
 	_ Resource                = (*orgRole)(nil)
 	_ Cloneable               = (*orgRole)(nil)
 	_ db.VetForWriter         = (*orgRole)(nil)
@@ -172,6 +207,55 @@ type globalRole struct {
 	tableName   string            `gorm:"-"`
 }
 
+func (g *globalRole) setVersion(version uint32) {
+	if g == nil {
+		return
+	}
+	g.Version = version
+}
+
+func (g *globalRole) setGrantThisRoleScope(grantThis bool) {
+	if g == nil {
+		return
+	}
+	g.GrantThisRoleScope = grantThis
+}
+
+func (g *globalRole) setGrantScope(specialGrant string) {
+	if g == nil {
+		return
+	}
+	g.GrantScope = specialGrant
+}
+
+func (g *globalRole) grantThisRoleScope() *RoleGrantScope {
+	if g == nil {
+		return &RoleGrantScope{}
+	}
+	if !g.GrantThisRoleScope {
+		return &RoleGrantScope{}
+	}
+	return &RoleGrantScope{
+		CreateTime:       g.GrantThisRoleScopeUpdateTime,
+		RoleId:           g.PublicId,
+		ScopeIdOrSpecial: globals.GrantScopeThis,
+	}
+}
+
+func (g *globalRole) grantScope() (*RoleGrantScope, bool) {
+	if g == nil {
+		return nil, false
+	}
+	if g.GrantScope == globals.GrantScopeIndividual {
+		return nil, false
+	}
+	return &RoleGrantScope{
+		CreateTime:       g.GrantScopeUpdateTime,
+		RoleId:           g.PublicId,
+		ScopeIdOrSpecial: g.GrantScope,
+	}, true
+}
+
 func (g *globalRole) TableName() string {
 	if g.tableName != "" {
 		return g.tableName
@@ -254,6 +338,55 @@ type orgRole struct {
 	tableName   string            `gorm:"-"`
 }
 
+func (o *orgRole) setVersion(version uint32) {
+	if o == nil {
+		return
+	}
+	o.Version = version
+}
+
+func (o *orgRole) setGrantThisRoleScope(grantThis bool) {
+	if o == nil {
+		return
+	}
+	o.GrantThisRoleScope = grantThis
+}
+
+func (o *orgRole) setGrantScope(specialGrant string) {
+	if o == nil {
+		return
+	}
+	o.GrantScope = specialGrant
+}
+
+func (o *orgRole) grantThisRoleScope() *RoleGrantScope {
+	if o == nil {
+		return &RoleGrantScope{}
+	}
+	if !o.GrantThisRoleScope {
+		return &RoleGrantScope{}
+	}
+	return &RoleGrantScope{
+		CreateTime:       o.GrantThisRoleScopeUpdateTime,
+		RoleId:           o.PublicId,
+		ScopeIdOrSpecial: globals.GrantScopeThis,
+	}
+}
+
+func (o *orgRole) grantScope() (*RoleGrantScope, bool) {
+	if o == nil {
+		return nil, false
+	}
+	if o.GrantScope == globals.GrantScopeIndividual {
+		return nil, false
+	}
+	return &RoleGrantScope{
+		CreateTime:       o.GrantScopeUpdateTime,
+		RoleId:           o.PublicId,
+		ScopeIdOrSpecial: o.GrantScope,
+	}, true
+}
+
 func (o *orgRole) TableName() string {
 	if o.tableName != "" {
 		return o.tableName

internal/iam/repository_role_test.go

@@ -34,16 +34,24 @@ var (
 	_ Cloneable               = (*globalRoleIndividualOrgGrantScope)(nil)
 	_ db.VetForWriter         = (*globalRoleIndividualOrgGrantScope)(nil)
 	_ oplog.ReplayableMessage = (*globalRoleIndividualOrgGrantScope)(nil)
+	_ roleGrantScoper         = (*globalRoleIndividualOrgGrantScope)(nil)
 
 	_ Cloneable               = (*globalRoleIndividualProjectGrantScope)(nil)
 	_ db.VetForWriter         = (*globalRoleIndividualProjectGrantScope)(nil)
 	_ oplog.ReplayableMessage = (*globalRoleIndividualProjectGrantScope)(nil)
+	_ roleGrantScoper         = (*globalRoleIndividualProjectGrantScope)(nil)
 
 	_ Cloneable               = (*orgRoleIndividualGrantScope)(nil)
 	_ db.VetForWriter         = (*orgRoleIndividualGrantScope)(nil)
 	_ oplog.ReplayableMessage = (*orgRoleIndividualGrantScope)(nil)
+	_ roleGrantScoper         = (*orgRoleIndividualGrantScope)(nil)
 )
 
+// roleGrantScoper is an interface for converting internal grantScopeTypes to exported RoleGrantScope
+type roleGrantScoper interface {
+	roleGrantScope() *RoleGrantScope
+}
+
 // RoleGrantScope defines the grant scopes that are assigned to a role
 type RoleGrantScope struct {
 	CreateTime       *timestamp.Timestamp
@@ -136,6 +144,17 @@ type globalRoleIndividualOrgGrantScope struct {
 	tableName string `gorm:"-"`
 }
 
+func (g *globalRoleIndividualOrgGrantScope) roleGrantScope() *RoleGrantScope {
+	if g == nil {
+		return nil
+	}
+	return &RoleGrantScope{
+		CreateTime:       g.CreateTime,
+		RoleId:           g.RoleId,
+		ScopeIdOrSpecial: g.GetScopeId(),
+	}
+}
+
 func (g *globalRoleIndividualOrgGrantScope) TableName() string {
 	if g.tableName != "" {
 		return g.tableName
@@ -176,6 +195,17 @@ type globalRoleIndividualProjectGrantScope struct {
 	tableName string `gorm:"-"`
 }
 
+func (g *globalRoleIndividualProjectGrantScope) roleGrantScope() *RoleGrantScope {
+	if g == nil {
+		return nil
+	}
+	return &RoleGrantScope{
+		CreateTime:       g.GetCreateTime(),
+		RoleId:           g.GetRoleId(),
+		ScopeIdOrSpecial: g.GetScopeId(),
+	}
+}
+
 func (g *globalRoleIndividualProjectGrantScope) TableName() string {
 	if g.tableName != "" {
 		return g.tableName
@@ -216,6 +246,17 @@ type orgRoleIndividualGrantScope struct {
 	tableName string `gorm:"-"`
 }
 
+func (g *orgRoleIndividualGrantScope) roleGrantScope() *RoleGrantScope {
+	if g == nil {
+		return nil
+	}
+	return &RoleGrantScope{
+		CreateTime:       g.GetCreateTime(),
+		RoleId:           g.GetRoleId(),
+		ScopeIdOrSpecial: g.GetScopeId(),
+	}
+}
+
 func (g *orgRoleIndividualGrantScope) TableName() string {
 	if g.tableName != "" {
 		return g.tableName

internal/iam/role.go

@@ -263,7 +263,29 @@ func TestRole(t testing.TB, conn *db.DB, scopeId string, opt ...Option) *Role {
 	}
 	require.Equal(opts.withDescription, role.Description)
 	require.Equal(opts.withName, role.Name)
-	return role
+
+	var final *Role
+	switch {
+	case strings.HasPrefix(scopeId, globals.GlobalPrefix):
+		g := allocGlobalRole()
+		g.PublicId = id
+		require.NoError(rw.LookupByPublicId(ctx, &g))
+		final = g.toRole()
+	case strings.HasPrefix(scopeId, globals.OrgPrefix):
+		o := allocOrgRole()
+		o.PublicId = id
+		require.NoError(rw.LookupByPublicId(ctx, &o))
+		final = o.toRole()
+	case strings.HasPrefix(scopeId, globals.ProjectPrefix):
+		p := allocProjectRole()
+		p.PublicId = id
+		require.NoError(rw.LookupByPublicId(ctx, &p))
+		final = p.toRole()
+	default:
+		t.Logf("invalid scope id: %s", scopeId)
+		t.FailNow()
+	}
+	return final
 }
 
 // TestRoleWithGrants creates a role suitable for testing along with grants

internal/iam/role_grant_scope.go

@@ -36,7 +36,7 @@ message GlobalRole {
   }];
 
   // control if this role is granted access to its role scope
-  // @inject_tag: `gorm:"default:true"`
+  // @inject_tag: `gorm:"default:false"`
   bool grant_this_role_scope = 5;
 
   // control type of grant scope granted to this role ['descendant', 'children', 'individual']