From 136e923583ecec118bc1fc55314e191caac7cbc1 Mon Sep 17 00:00:00 2001
From: Jim
Date: Fri, 10 Jul 2020 10:22:38 -0400
Subject: [PATCH] make iam_role scope_id immutable (#179)
---
 internal/db/migrations/postgres.gen.go | 5 +++++
 internal/db/migrations/postgres/06_iam.up.sql | 5 +++++
 internal/iam/role_test.go | 15 ++++++++++++++-
 3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/internal/db/migrations/postgres.gen.go b/internal/db/migrations/postgres.gen.go
index 32c07e7ef3..a0cdc713a9 100644
--- a/internal/db/migrations/postgres.gen.go
+++ b/internal/db/migrations/postgres.gen.go
@@ -736,6 +736,11 @@ create table iam_role ( unique(scope_id, public_id) ); +create trigger immutable_scope_id +before +update on iam_role + for each row execute procedure iam_immutable_scope_id_func(); + create trigger update_version_column after update on iam_role
diff --git a/internal/db/migrations/postgres/06_iam.up.sql b/internal/db/migrations/postgres/06_iam.up.sql
index 51acfeb94e..757f062c60 100644
--- a/internal/db/migrations/postgres/06_iam.up.sql
+++ b/internal/db/migrations/postgres/06_iam.up.sql
@@ -288,6 +288,11 @@ create table iam_role (
 unique(scope_id, public_id)
 );
+create trigger immutable_scope_id
+before
+update on iam_role
+ for each row execute procedure iam_immutable_scope_id_func();
+
 create trigger update_version_column
 after
 update on iam_role
diff --git a/internal/iam/role_test.go b/internal/iam/role_test.go
index 1b8e07ffd6..945d3a985a 100644
--- a/internal/iam/role_test.go
+++ b/internal/iam/role_test.go
@@ -213,6 +213,7 @@ func Test_RoleUpdate(t *testing.T) {
 fieldMaskPaths []string
 nullPaths []string
 ScopeId string
+ opts []db.Option
 }
 tests := []struct {
 name string
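Review bot: The `immutable_scope_id` trigger in `06_iam.up.sql` is added by editing an existing numbered migration, so a database that has already applied migration 06 would presumably never receive it and would keep accepting `scope_id` changes on `iam_role` at the SQL level. If any such databases exist, the `create trigger` statement belongs in a new migration file; if migrations are still being rewritten in place before a first release, the commit message should say so. `iam_immutable_scope_id_func()` is defined outside this hunk, so a short comment above the trigger would help the next reader, for example `-- scope_id is immutable once a role exists; iam_immutable_scope_id_func() rejects updates that change it`.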
@@ -307,6 +308,18 @@ func Test_RoleUpdate(t *testing.T) {
 wantErr: false,
 wantRowsUpdate: 1,
 },
+ {
+ name: "attempt scope id update",
+ args: args{
+ name: "valid" + id,
+ fieldMaskPaths: []string{"ScopeId"},
+ ScopeId: proj.PublicId,
+ opts: []db.Option{db.WithSkipVetForWrite(true)},
+ },
+ wantErr: true,
+ wantErrMsg: "update: failed pq: scope_id cannot be set to " + proj.PublicId,
+ wantRowsUpdate: 0,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
@@ -326,7 +339,7 @@ func Test_RoleUpdate(t *testing.T) {
 updateRole.Name = tt.args.name
 updateRole.Description = tt.args.description
- updatedRows, err := rw.Update(context.Background(), &updateRole, tt.args.fieldMaskPaths, tt.args.nullPaths)
+ updatedRows, err := rw.Update(context.Background(), &updateRole, tt.args.fieldMaskPaths, tt.args.nullPaths, tt.args.opts...)
 if tt.wantErr {
 require.Error(err)
 assert.Equal(0, updatedRows)
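Review bot: The new "attempt scope id update" case pins the rejection to the literal text `update: failed pq: scope_id cannot be set to ...`, which ties the test to the trigger function's message wording and the driver's error format rather than to the guarantee itself. Asserting the error and then re-reading the role to confirm its scope id is unchanged would test the invariant directly; the rest of the loop body is outside this hunk, so it may already do part of this. `db.WithSkipVetForWrite(true)` appears to be there so the update reaches Postgres instead of being stopped in application code, and a comment such as `// skip vetting so the database trigger, not VetForWrite, is what rejects the change` would make that intent explicit. A sibling case without the option would show whether the application layer also refuses the change.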