Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TF-5568 add support for project custom permissions #745

Merged
merged 4 commits into from
Aug 1, 2023
Merged

TF-5568 add support for project custom permissions #745

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4b3e1c7
TF-5568 Add support for team project customizable permissions.
rberecka Jul 24, 2023
a86268b
Update team_project_access.go
rberecka Jul 31, 2023
5ab54ff
Update CHANGELOG.md
rberecka Aug 1, 2023
d29dd12
Update team_project_access.go
rberecka Aug 1, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@
## Enhancements
* Added BETA support for including `projects` relationship and `projects-count` attribute to policy_set on create by @hs26gill [#737](https://github.com/hashicorp/go-tfe/pull/737)
* Added BETA method `AddProjects` and `RemoveProjects` for attaching/detaching policy set to projects by @Netra2104 [#735](https://github.com/hashicorp/go-tfe/pull/735)
* Added BETA support for adding and updating custom permissions to `TeamProjectAccesses`. A `TeamProjectAccessType` of `"custom"` can set various permissions applied at
rberecka marked this conversation as resolved.
Show resolved Hide resolved
the project level to the project itself (`TeamProjectAccessProjectPermissionsOptions`) and all of the workspaces in a project (`TeamProjectAccessWorkspacePermissionsOptions`) by @rberecka [#745](https://github.com/hashicorp/go-tfe/pull/745)

# v1.30.0

Expand Down
107 changes: 103 additions & 4 deletions team_project_access.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ const (
TeamProjectAccessMaintain TeamProjectAccessType = "maintain"
TeamProjectAccessWrite TeamProjectAccessType = "write"
TeamProjectAccessRead TeamProjectAccessType = "read"
TeamProjectAccessCustom TeamProjectAccessType = "custom"
)

// TeamProjectAccessList represents a list of team project accesses
Expand All @@ -57,14 +58,106 @@ type TeamProjectAccessList struct {

// TeamProjectAccess represents a project access for a team
type TeamProjectAccess struct {
ID string `jsonapi:"primary,team-projects"`
Access TeamProjectAccessType `jsonapi:"attr,access"`
ID string `jsonapi:"primary,team-projects"`
Access TeamProjectAccessType `jsonapi:"attr,access"`
ProjectAccess *TeamProjectAccessProjectPermissions `jsonapi:"attr,project-access"`
WorkspaceAccess *TeamProjectAccessWorkspacePermissions `jsonapi:"attr,workspace-access"`

// Relations
Team *Team `jsonapi:"relation,team"`
Project *Project `jsonapi:"relation,project"`
}

// ProjectPermissions represents the team's permissions on its project
rberecka marked this conversation as resolved.
Show resolved Hide resolved
type TeamProjectAccessProjectPermissions struct {
ProjectSettingsPermission ProjectSettingsPermissionType `jsonapi:"attr,settings"`
ProjectTeamsPermission ProjectTeamsPermissionType `jsonapi:"attr,teams"`
}

rberecka marked this conversation as resolved.
Show resolved Hide resolved
// Workspacepermissions represents the team's permission on all workspaces in its project
rberecka marked this conversation as resolved.
Show resolved Hide resolved
type TeamProjectAccessWorkspacePermissions struct {
WorkspaceRunsPermission WorkspaceRunsPermissionType `jsonapi:"attr,runs"`
WorkspaceSentinelMocksPermission WorkspaceSentinelMocksPermissionType `jsonapi:"attr,sentinel-mocks"`
WorkspaceStateVersionsPermission WorkspaceStateVersionsPermissionType `jsonapi:"attr,state-versions"`
WorkspaceVariablesPermission WorkspaceVariablesPermissionType `jsonapi:"attr,variables"`
WorkspaceCreatePermission bool `jsonapi:"attr,create"`
WorkspaceLockingPermission bool `jsonapi:"attr,locking"`
WorkspaceMovePermission bool `jsonapi:"attr,move"`
WorkspaceDeletePermission bool `jsonapi:"attr,delete"`
WorkspaceRunTasksPermission bool `jsonapi:"attr,run-tasks"`
}

// ProjectSettingsPermissionType represents the permissiontype to a project's settings
type ProjectSettingsPermissionType string

const (
ProjectSettingsPermissionRead ProjectSettingsPermissionType = "read"
ProjectSettingsPermissionUpdate ProjectSettingsPermissionType = "update"
ProjectSettingsPermissionDelete ProjectSettingsPermissionType = "delete"
)
rberecka marked this conversation as resolved.
Show resolved Hide resolved

// ProjectTeamsPermissionType represents the permissiontype to a project's teams
type ProjectTeamsPermissionType string

const (
ProjectTeamsPermissionNone ProjectTeamsPermissionType = "none"
ProjectTeamsPermissionRead ProjectTeamsPermissionType = "read"
ProjectTeamsPermissionManage ProjectTeamsPermissionType = "manage"
)

// WorkspaceRunsPermissionType represents the permissiontype to project workspaces' runs
type WorkspaceRunsPermissionType string

const (
WorkspaceRunsPermissionRead WorkspaceRunsPermissionType = "read"
WorkspaceRunsPermissionPlan WorkspaceRunsPermissionType = "plan"
WorkspaceRunsPermissionApply WorkspaceRunsPermissionType = "apply"
)

// WorkspaceSentinelMocksPermissionType represents the permissiontype to project workspaces' sentinel-mocks
type WorkspaceSentinelMocksPermissionType string

const (
WorkspaceSentinelMocksPermissionNone WorkspaceSentinelMocksPermissionType = "none"
WorkspaceSentinelMocksPermissionRead WorkspaceSentinelMocksPermissionType = "read"
)

// WorkspaceStateVersionsPermissionType represents the permissiontype to project workspaces' state-versions
type WorkspaceStateVersionsPermissionType string

const (
WorkspaceStateVersionsPermissionNone WorkspaceStateVersionsPermissionType = "none"
WorkspaceStateVersionsPermissionReadOutputs WorkspaceStateVersionsPermissionType = "read-outputs"
WorkspaceStateVersionsPermissionRead WorkspaceStateVersionsPermissionType = "read"
WorkspaceStateVersionsPermissionWrite WorkspaceStateVersionsPermissionType = "write"
)

// WorkspaceVariablesPermissionType represents the permissiontype to project workspaces' variables
type WorkspaceVariablesPermissionType string

const (
WorkspaceVariablesPermissionNone WorkspaceVariablesPermissionType = "none"
WorkspaceVariablesPermissionRead WorkspaceVariablesPermissionType = "read"
WorkspaceVariablesPermissionWrite WorkspaceVariablesPermissionType = "write"
)

type TeamProjectAccessProjectPermissionsOptions struct {
Settings *ProjectSettingsPermissionType `json:"settings,omitempty"`
Teams *ProjectTeamsPermissionType `json:"teams,omitempty"`
}

type TeamProjectAccessWorkspacePermissionsOptions struct {
Runs *WorkspaceRunsPermissionType `json:"runs,omitempty"`
SentinelMocks *WorkspaceSentinelMocksPermissionType `json:"sentinel-mocks,omitempty"`
StateVersions *WorkspaceStateVersionsPermissionType `json:"state-versions,omitempty"`
Variables *WorkspaceVariablesPermissionType `json:"variables,omitempty"`
Create *bool `json:"create,omitempty"`
Locking *bool `json:"locking,omitempty"`
Move *bool `json:"move,omitempty"`
Delete *bool `json:"delete,omitempty"`
RunTasks *bool `json:"run-tasks,omitempty"`
}

// TeamProjectAccessListOptions represents the options for listing team project accesses
type TeamProjectAccessListOptions struct {
ListOptions
Expand All @@ -80,6 +173,9 @@ type TeamProjectAccessAddOptions struct {
Type string `jsonapi:"primary,team-projects"`
// The type of access to grant.
Access TeamProjectAccessType `jsonapi:"attr,access"`
// The levels that project and workspace permissions grant
ProjectAccess *TeamProjectAccessProjectPermissionsOptions `jsonapi:"attr,project-access,omitempty"`
WorkspaceAccess *TeamProjectAccessWorkspacePermissionsOptions `jsonapi:"attr,workspace-access,omitempty"`

// The team to add to the project
Team *Team `jsonapi:"relation,team"`
Expand All @@ -95,7 +191,9 @@ type TeamProjectAccessUpdateOptions struct {
// https://jsonapi.org/format/#crud-creating
Type string `jsonapi:"primary,team-projects"`
// The type of access to grant.
Access *TeamProjectAccessType `jsonapi:"attr,access,omitempty"`
Access *TeamProjectAccessType `jsonapi:"attr,access,omitempty"`
ProjectAccess *TeamProjectAccessProjectPermissionsOptions `jsonapi:"attr,project-access,omitempty"`
WorkspaceAccess *TeamProjectAccessWorkspacePermissionsOptions `jsonapi:"attr,workspace-access,omitempty"`
}

// List all team accesses for a given project.
Expand Down Expand Up @@ -229,7 +327,8 @@ func validateTeamProjectAccessType(t TeamProjectAccessType) error {
case TeamProjectAccessAdmin,
TeamProjectAccessMaintain,
TeamProjectAccessWrite,
TeamProjectAccessRead:
TeamProjectAccessRead,
TeamProjectAccessCustom:
// do nothing
default:
return ErrInvalidTeamProjectAccessType
Expand Down
208 changes: 207 additions & 1 deletion team_project_access_integration_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,10 @@ package tfe

import (
"context"
"github.com/stretchr/testify/assert"
"testing"

"github.com/stretchr/testify/assert"

"github.com/stretchr/testify/require"
)

Expand Down Expand Up @@ -164,6 +165,102 @@ func TestTeamProjectAccessesAdd(t *testing.T) {
}
})

t.Run("with valid options for all custom TeamProject permissions", func(t *testing.T) {
rberecka marked this conversation as resolved.
Show resolved Hide resolved
skipUnlessBeta(t)
options := TeamProjectAccessAddOptions{
Access: *ProjectAccess(TeamProjectAccessCustom),
Team: tmTest,
Project: pTest,
ProjectAccess: &TeamProjectAccessProjectPermissionsOptions{
Settings: ProjectSettingsPermission(ProjectSettingsPermissionUpdate),
Teams: ProjectTeamsPermission(ProjectTeamsPermissionManage),
},
WorkspaceAccess: &TeamProjectAccessWorkspacePermissionsOptions{
Runs: WorkspaceRunsPermission(WorkspaceRunsPermissionApply),
SentinelMocks: WorkspaceSentinelMocksPermission(WorkspaceSentinelMocksPermissionRead),
StateVersions: WorkspaceStateVersionsPermission(WorkspaceStateVersionsPermissionWrite),
Variables: WorkspaceVariablesPermission(WorkspaceVariablesPermissionWrite),
Create: Bool(true),
Locking: Bool(true),
Move: Bool(true),
Delete: Bool(false),
RunTasks: Bool(false),
},
}

tpa, err := client.TeamProjectAccess.Add(ctx, options)
defer func() {
err := client.TeamProjectAccess.Remove(ctx, tpa.ID)
if err != nil {
t.Logf("error removing team access (%s): %s", tpa.ID, err)
}
}()

require.NoError(t, err)

// Get a refreshed view from the API.
refreshed, err := client.TeamProjectAccess.Read(ctx, tpa.ID)
require.NoError(t, err)

for _, item := range []*TeamProjectAccess{
tpa,
refreshed,
} {
assert.NotEmpty(t, item.ID)
assert.Equal(t, options.Access, item.Access)
assert.Equal(t, *options.ProjectAccess.Settings, item.ProjectAccess.ProjectSettingsPermission)
assert.Equal(t, *options.ProjectAccess.Teams, item.ProjectAccess.ProjectTeamsPermission)
assert.Equal(t, *options.WorkspaceAccess.Runs, item.WorkspaceAccess.WorkspaceRunsPermission)
assert.Equal(t, *options.WorkspaceAccess.SentinelMocks, item.WorkspaceAccess.WorkspaceSentinelMocksPermission)
assert.Equal(t, *options.WorkspaceAccess.StateVersions, item.WorkspaceAccess.WorkspaceStateVersionsPermission)
assert.Equal(t, *options.WorkspaceAccess.Variables, item.WorkspaceAccess.WorkspaceVariablesPermission)
assert.Equal(t, item.WorkspaceAccess.WorkspaceCreatePermission, true)
assert.Equal(t, item.WorkspaceAccess.WorkspaceLockingPermission, true)
assert.Equal(t, item.WorkspaceAccess.WorkspaceMovePermission, true)
assert.Equal(t, item.WorkspaceAccess.WorkspaceDeletePermission, false)
assert.Equal(t, item.WorkspaceAccess.WorkspaceRunTasksPermission, false)
rberecka marked this conversation as resolved.
Show resolved Hide resolved
}
})

t.Run("with valid options for some custom TeamProject permissions", func(t *testing.T) {
skipUnlessBeta(t)
options := TeamProjectAccessAddOptions{
Access: *ProjectAccess(TeamProjectAccessCustom),
Team: tmTest,
Project: pTest,
ProjectAccess: &TeamProjectAccessProjectPermissionsOptions{
Settings: ProjectSettingsPermission(ProjectSettingsPermissionUpdate),
},
WorkspaceAccess: &TeamProjectAccessWorkspacePermissionsOptions{
Runs: WorkspaceRunsPermission(WorkspaceRunsPermissionApply),
},
}

tpa, err := client.TeamProjectAccess.Add(ctx, options)
t.Cleanup(func() {
err := client.TeamProjectAccess.Remove(ctx, tpa.ID)
if err != nil {
t.Logf("error removing team access (%s): %s", tpa.ID, err)
}
})

require.NoError(t, err)

// Get a refreshed view from the API.
refreshed, err := client.TeamProjectAccess.Read(ctx, tpa.ID)
require.NoError(t, err)

for _, item := range []*TeamProjectAccess{
tpa,
refreshed,
} {
assert.NotEmpty(t, item.ID)
assert.Equal(t, options.Access, item.Access)
assert.Equal(t, *options.ProjectAccess.Settings, item.ProjectAccess.ProjectSettingsPermission)
assert.Equal(t, *options.WorkspaceAccess.Runs, item.WorkspaceAccess.WorkspaceRunsPermission)
}
})

t.Run("when the team already has access to the project", func(t *testing.T) {
_, tpaTestCleanup := createTeamProjectAccess(t, client, tmTest, pTest, nil)
defer tpaTestCleanup()
Expand Down Expand Up @@ -205,6 +302,20 @@ func TestTeamProjectAccessesAdd(t *testing.T) {
assert.Equal(t, err, ErrRequiredProject)
})

t.Run("when invalid custom project permission is provided in options", func(t *testing.T) {
skipUnlessBeta(t)
tpa, err := client.TeamProjectAccess.Add(ctx, TeamProjectAccessAddOptions{
Access: *ProjectAccess(TeamProjectAccessCustom),
Team: tmTest,
Project: pTest,
ProjectAccess: &TeamProjectAccessProjectPermissionsOptions{
Teams: ProjectTeamsPermission(badIdentifier),
},
})
assert.Nil(t, tpa)
assert.Error(t, err)
})

t.Run("when invalid access is provided in options", func(t *testing.T) {
tpa, err := client.TeamProjectAccess.Add(ctx, TeamProjectAccessAddOptions{
Access: badIdentifier,
Expand Down Expand Up @@ -242,6 +353,101 @@ func TestTeamProjectAccessesUpdate(t *testing.T) {

assert.Equal(t, tpa.Access, TeamProjectAccessRead)
})

t.Run("with valid custom permissions attributes for all permissions", func(t *testing.T) {
skipUnlessBeta(t)
options := TeamProjectAccessUpdateOptions{
Access: ProjectAccess(TeamProjectAccessCustom),
ProjectAccess: &TeamProjectAccessProjectPermissionsOptions{
Settings: ProjectSettingsPermission(ProjectSettingsPermissionUpdate),
Teams: ProjectTeamsPermission(ProjectTeamsPermissionManage),
},
WorkspaceAccess: &TeamProjectAccessWorkspacePermissionsOptions{
Runs: WorkspaceRunsPermission(WorkspaceRunsPermissionPlan),
SentinelMocks: WorkspaceSentinelMocksPermission(WorkspaceSentinelMocksPermissionNone),
StateVersions: WorkspaceStateVersionsPermission(WorkspaceStateVersionsPermissionReadOutputs),
Variables: WorkspaceVariablesPermission(WorkspaceVariablesPermissionRead),
Create: Bool(false),
Locking: Bool(false),
Move: Bool(false),
Delete: Bool(true),
RunTasks: Bool(true),
},
}

tpa, err := client.TeamProjectAccess.Update(ctx, tpaTest.ID, options)
require.NoError(t, err)
require.NotNil(t, options.ProjectAccess)
require.NotNil(t, options.WorkspaceAccess)
assert.Equal(t, tpa.Access, TeamProjectAccessCustom)
assert.Equal(t, *options.ProjectAccess.Teams, tpa.ProjectAccess.ProjectTeamsPermission)
assert.Equal(t, *options.ProjectAccess.Settings, tpa.ProjectAccess.ProjectSettingsPermission)
assert.Equal(t, *options.WorkspaceAccess.Runs, tpa.WorkspaceAccess.WorkspaceRunsPermission)
assert.Equal(t, *options.WorkspaceAccess.SentinelMocks, tpa.WorkspaceAccess.WorkspaceSentinelMocksPermission)
assert.Equal(t, *options.WorkspaceAccess.StateVersions, tpa.WorkspaceAccess.WorkspaceStateVersionsPermission)
assert.Equal(t, *options.WorkspaceAccess.Variables, tpa.WorkspaceAccess.WorkspaceVariablesPermission)
assert.Equal(t, false, tpa.WorkspaceAccess.WorkspaceCreatePermission)
assert.Equal(t, false, tpa.WorkspaceAccess.WorkspaceLockingPermission)
assert.Equal(t, false, tpa.WorkspaceAccess.WorkspaceMovePermission)
assert.Equal(t, true, tpa.WorkspaceAccess.WorkspaceDeletePermission)
assert.Equal(t, true, tpa.WorkspaceAccess.WorkspaceRunTasksPermission)
})

t.Run("with valid custom permissions attributes for some permissions", func(t *testing.T) {
skipUnlessBeta(t)
// create tpaCustomTest to verify unupdated attributes stay the same for custom permissions
rberecka marked this conversation as resolved.
Show resolved Hide resolved
// because going from admin to read to custom changes the values of all custom permissions
tm2Test, tm2TestCleanup := createTeam(t, client, orgTest)
defer tm2TestCleanup()

TpaOptions := TeamProjectAccessAddOptions{
Access: *ProjectAccess(TeamProjectAccessCustom),
Team: tm2Test,
Project: pTest,
}

tpaCustomTest, err := client.TeamProjectAccess.Add(ctx, TpaOptions)
rberecka marked this conversation as resolved.
Show resolved Hide resolved
require.NoError(t, err)

options := TeamProjectAccessUpdateOptions{
Access: ProjectAccess(TeamProjectAccessCustom),
ProjectAccess: &TeamProjectAccessProjectPermissionsOptions{
Teams: ProjectTeamsPermission(ProjectTeamsPermissionManage),
},
WorkspaceAccess: &TeamProjectAccessWorkspacePermissionsOptions{
Create: Bool(false),
},
}

tpa, err := client.TeamProjectAccess.Update(ctx, tpaCustomTest.ID, options)
require.NoError(t, err)
require.NotNil(t, options.ProjectAccess)
require.NotNil(t, options.WorkspaceAccess)
assert.Equal(t, *options.ProjectAccess.Teams, tpa.ProjectAccess.ProjectTeamsPermission)
assert.Equal(t, false, tpa.WorkspaceAccess.WorkspaceCreatePermission)
// assert that other attributes remain the same
assert.Equal(t, tpaCustomTest.ProjectAccess.ProjectSettingsPermission, tpa.ProjectAccess.ProjectSettingsPermission)
assert.Equal(t, tpaCustomTest.WorkspaceAccess.WorkspaceLockingPermission, tpa.WorkspaceAccess.WorkspaceLockingPermission)
assert.Equal(t, tpaCustomTest.WorkspaceAccess.WorkspaceMovePermission, tpa.WorkspaceAccess.WorkspaceMovePermission)
assert.Equal(t, tpaCustomTest.WorkspaceAccess.WorkspaceDeletePermission, tpa.WorkspaceAccess.WorkspaceDeletePermission)
assert.Equal(t, tpaCustomTest.WorkspaceAccess.WorkspaceRunsPermission, tpa.WorkspaceAccess.WorkspaceRunsPermission)
assert.Equal(t, tpaCustomTest.WorkspaceAccess.WorkspaceSentinelMocksPermission, tpa.WorkspaceAccess.WorkspaceSentinelMocksPermission)
assert.Equal(t, tpaCustomTest.WorkspaceAccess.WorkspaceStateVersionsPermission, tpa.WorkspaceAccess.WorkspaceStateVersionsPermission)
})
rberecka marked this conversation as resolved.
Show resolved Hide resolved
t.Run("with invalid custom permissions attributes", func(t *testing.T) {
skipUnlessBeta(t)
options := TeamProjectAccessUpdateOptions{
Access: ProjectAccess(TeamProjectAccessCustom),
ProjectAccess: &TeamProjectAccessProjectPermissionsOptions{
Teams: ProjectTeamsPermission(badIdentifier),
},
}

tpa, err := client.TeamProjectAccess.Update(ctx, tpaTest.ID, options)

assert.Nil(t, tpa)
assert.Error(t, err)
})
}

func TestTeamProjectAccessesRemove(t *testing.T) {
Expand Down
Loading
Loading