Make role grants add users to projects

This adds the necessary code to ensure that a user belongs to a project
once it gets a role in it.

database/query/user_projects.sql

@@ -4,7 +4,10 @@ INSERT INTO user_projects (
   project_id
     ) VALUES (
         $1, $2
-) RETURNING *;
+) ON CONFLICT DO NOTHING RETURNING *;
+
+-- name: RemoveUserProject :one
+DELETE FROM user_projects WHERE user_id = $1 AND project_id = $2 RETURNING *;
 
 -- name: GetUserProjects :many
 SELECT * FROM projects INNER JOIN user_projects ON projects.id = user_projects.project_id WHERE user_projects.user_id = $1;

internal/authz/authz.go

@@ -353,20 +353,48 @@ func (a *ClientWrapper) AssignmentsToProject(ctx context.Context, project uuid.U
 			return nil, fmt.Errorf("unable to read authorization tuples: %w", err)
 		}
 
-		for _, t := range resp.GetTuples() {
-			k := t.GetKey()
-			r, err := ParseRole(k.GetRelation())
-			if err != nil {
-				a.l.Err(err).Msg("Found invalid role in authz store")
-				continue
-			}
-			assignments = append(assignments, &minderv1.RoleAssignment{
-				Subject: getUserFromTuple(k.GetUser()),
-				Role:    r.String(),
-				Project: &prjStr,
-			})
+		assignments = append(assignments, getRoleAssignmentsFromReadResones(resp, &prjStr)...)
+
+		if resp.GetContinuationToken() == "" {
+			break
+		}
+
+		contTok = &resp.ContinuationToken
+	}
+
+	return assignments, nil
+}
+
+// AssignmentsToProjectForUser lists the current role assignments that are scoped to a project
+// for a given user
+func (a *ClientWrapper) AssignmentsToProjectForUser(
+	ctx context.Context,
+	project uuid.UUID,
+	sub string,
+) ([]*minderv1.RoleAssignment, error) {
+	o := getProjectForTuple(project)
+	u := getUserForTuple(sub)
+	prjStr := project.String()
+
+	var pagesize int32 = 50
+	var contTok *string = nil
+
+	assignments := []*minderv1.RoleAssignment{}
+
+	for {
+		resp, err := a.cli.Read(ctx).Options(fgaclient.ClientReadOptions{
+			PageSize:          &pagesize,
+			ContinuationToken: contTok,
+		}).Body(fgaclient.ClientReadRequest{
+			User:   &u,
+			Object: &o,
+		}).Execute()
+		if err != nil {
+			return nil, fmt.Errorf("unable to read authorization tuples: %w", err)
 		}
 
+		assignments = append(assignments, getRoleAssignmentsFromReadResones(resp, &prjStr)...)
+
 		if resp.GetContinuationToken() == "" {
 			break
 		}
@@ -388,3 +416,22 @@ func getProjectForTuple(project uuid.UUID) string {
 func getUserFromTuple(user string) string {
 	return strings.TrimPrefix(user, "user:")
 }
+
+func getRoleAssignmentsFromReadResones(resp *fgaclient.ClientReadResponse, proj *string) []*minderv1.RoleAssignment {
+	assignments := []*minderv1.RoleAssignment{}
+
+	for _, t := range resp.GetTuples() {
+		k := t.GetKey()
+		r, err := ParseRole(k.GetRelation())
+		if err != nil {
+			continue
+		}
+		assignments = append(assignments, &minderv1.RoleAssignment{
+			Subject: getUserFromTuple(k.GetUser()),
+			Role:    r.String(),
+			Project: proj,
+		})
+	}
+
+	return assignments
+}

internal/authz/interface.go

@@ -98,6 +98,10 @@ type Client interface {
 	// AssignmentsToProject outputs the existing role assignments for a given project.
 	AssignmentsToProject(ctx context.Context, project uuid.UUID) ([]*minderv1.RoleAssignment, error)
 
+	// AssingmentsToProjectForUser outputs the existing role assignments for a given project and user.
+	//nolint:lll
+	AssignmentsToProjectForUser(ctx context.Context, project uuid.UUID, user string) ([]*minderv1.RoleAssignment, error)
+
 	// PrepareForRun allows for any preflight configurations to be done before
 	// the server is started.
 	PrepareForRun(ctx context.Context) error

internal/authz/mock/noop_authz.go

@@ -64,6 +64,12 @@ func (_ *NoopClient) AssignmentsToProject(_ context.Context, _ uuid.UUID) ([]*mi
 	return nil, nil
 }
 
+// AssignmentsToProjectForUser implements authz.Client
+func (_ *NoopClient) AssignmentsToProjectForUser(
+	_ context.Context, _ uuid.UUID, _ string) ([]*minderv1.RoleAssignment, error) {
+	return nil, nil
+}
+
 // PrepareForRun implements authz.Client
 func (_ *NoopClient) PrepareForRun(_ context.Context) error {
 	return nil

internal/authz/mock/simple_authz.go

@@ -67,6 +67,12 @@ func (_ *SimpleClient) AssignmentsToProject(_ context.Context, _ uuid.UUID) ([]*
 	return nil, nil
 }
 
+// AssignmentsToProjectForUser implements authz.Client
+func (_ *SimpleClient) AssignmentsToProjectForUser(
+	_ context.Context, _ uuid.UUID, _ string) ([]*minderv1.RoleAssignment, error) {
+	return nil, nil
+}
+
 // PrepareForRun implements authz.Client
 func (_ *SimpleClient) PrepareForRun(_ context.Context) error {
 	return nil

internal/controlplane/handlers_authz.go

@@ -221,7 +221,8 @@ func (s *Server) AssignRole(ctx context.Context, req *minder.AssignRoleRequest)
 	}
 
 	// Verify if user exists
-	if _, err := s.store.GetUserBySubject(ctx, sub); err != nil {
+	usr, err := s.store.GetUserBySubject(ctx, sub)
+	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil, util.UserVisibleError(codes.NotFound, "User not found")
 		}
@@ -236,6 +237,15 @@ func (s *Server) AssignRole(ctx context.Context, req *minder.AssignRoleRequest)
 		return nil, status.Errorf(codes.Internal, "error writing role assignment: %v", err)
 	}
 
+	// Add user to project
+	_, err = s.store.AddUserProject(ctx, db.AddUserProjectParams{
+		UserID:    usr.ID,
+		ProjectID: projectID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "error adding user to project: %v", err)
+	}
+
 	respProj := projectID.String()
 	return &minder.AssignRoleResponse{
 		RoleAssignment: &minder.RoleAssignment{
@@ -264,7 +274,8 @@ func (s *Server) RemoveRole(ctx context.Context, req *minder.RemoveRoleRequest)
 	}
 
 	// Verify if user exists
-	if _, err := s.store.GetUserBySubject(ctx, sub); err != nil {
+	usr, err := s.store.GetUserBySubject(ctx, sub)
+	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil, util.UserVisibleError(codes.NotFound, "User not found")
 		}
@@ -279,6 +290,23 @@ func (s *Server) RemoveRole(ctx context.Context, req *minder.RemoveRoleRequest)
 		return nil, status.Errorf(codes.Internal, "error writing role assignment: %v", err)
 	}
 
+	// Verify if user still has roles on project
+	assignments, err := s.authzClient.AssignmentsToProjectForUser(ctx, projectID, sub)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "error getting role assignments: %v", err)
+	}
+
+	if len(assignments) == 0 {
+		// Remove user from project
+		_, err := s.store.RemoveUserProject(ctx, db.RemoveUserProjectParams{
+			UserID:    usr.ID,
+			ProjectID: projectID,
+		})
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "error removing user from project: %v", err)
+		}
+	}
+
 	respProj := projectID.String()
 	return &minder.RemoveRoleResponse{
 		RoleAssignment: &minder.RoleAssignment{