diff --git a/internal/iam/repository_principal_role.go b/internal/iam/repository_principal_role.go
index 0701b1a574..6e84dcc9a1 100644
--- a/internal/iam/repository_principal_role.go
+++ b/internal/iam/repository_principal_role.go
@@ -110,8 +110,7 @@ func (r *Repository) AddPrincipalRoles(ctx context.Context, roleId string, roleV
 return principalRoles, nil
 }
 
-// tests: no change, just delete, just add
-
+// SetPrincipalRoles will set the role's principals
 func (r *Repository) SetPrincipalRoles(ctx context.Context, roleId string, roleVersion int, userIds, groupIds []string, opt ...Option) ([]PrincipalRole, int, error) {
 if roleId == "" {
 return nil, db.NoRowsAffected, fmt.Errorf("set principal roles: missing role id: %w", db.ErrInvalidParameter)
@@ -119,16 +118,17 @@ func (r *Repository) SetPrincipalRoles(ctx context.Context, roleId string, roleV
 if len(userIds) == 0 && len(groupIds) == 0 {
 return nil, db.NoRowsAffected, fmt.Errorf("set principal roles: missing either user or groups to delete %w", db.ErrInvalidParameter)
 }
-toSet, err := r.principalsToSet(ctx, roleId, userIds, groupIds)
-if err != nil {
-return nil, db.NoRowsAffected, fmt.Errorf("set principal roles: unable to determine set: %w", err)
-}
 role := allocRole()
 role.PublicId = roleId
 scope, err := role.GetScope(ctx, r.reader)
 if err != nil {
 return nil, db.NoRowsAffected, fmt.Errorf("set principal roles: unable to get role %s scope: %w", roleId, err)
 }
+toSet, err := r.principalsToSet(ctx, &role, userIds, groupIds)
+if err != nil {
+return nil, db.NoRowsAffected, fmt.Errorf("set principal roles: unable to determine set: %w", err)
+}
+// handle no change to existing principal roles
 if len(toSet.addUserRoles) == 0 && len(toSet.addGroupRoles) == 0 && len(toSet.deleteUserRoles) == 0 && len(toSet.deleteGroupRoles) == 0 {
 results := make([]PrincipalRole, 0, len(userIds)+len(groupIds))
@@ -282,10 +282,13 @@ type principalSet struct {
 deleteGroupRoles []interface{}
 }
 
-func (r *Repository) principalsToSet(ctx context.Context, roleId string, userIds, groupIds []string) (*principalSet, error) {
-existing, err := r.ListPrincipalRoles(ctx, roleId)
+func (r *Repository) principalsToSet(ctx context.Context, role *Role, userIds, groupIds []string) (*principalSet, error) {
+if role == nil {
+return nil, fmt.Errorf("missing role %w", db.ErrNilParameter)
+}
+existing, err := r.ListPrincipalRoles(ctx, role.PublicId)
 if err != nil {
-return nil, fmt.Errorf("unable to list existing principal role %s: %w", roleId, err)
+return nil, fmt.Errorf("unable to list existing principal role %s: %w", role.PublicId, err)
 }
 existingUsers := map[string]PrincipalRole{}
 existingGroups := map[string]PrincipalRole{}
@@ -303,8 +306,8 @@ func (r *Repository) principalsToSet(ctx context.Context, roleId string, userIds
 userIdsMap := map[string]struct{}{}
 for _, id := range userIds {
 userIdsMap[id] = struct{}{}
-if p, ok := existingUsers[id]; !ok {
-usrRole, err := NewUserRole(p.GetScopeId(), p.GetRoleId(), id)
+if _, ok := existingUsers[id]; !ok {
+usrRole, err := NewUserRole(role.ScopeId, role.PublicId, id)
 if err != nil {
 return nil, fmt.Errorf("unable to create in memory user role for add: %w", err)
 }
@@ -315,8 +318,8 @@ func (r *Repository) principalsToSet(ctx context.Context, roleId string, userIds
 groupIdsMap := map[string]struct{}{}
 for _, id := range groupIds {
 groupIdsMap[id] = struct{}{}
-if p, ok := existingGroups[id]; !ok {
-grpRole, err := NewGroupRole(p.GetScopeId(), p.GetRoleId(), id)
+if _, ok := existingGroups[id]; !ok {
+grpRole, err := NewGroupRole(role.ScopeId, role.PublicId, id)
 if err != nil {
 return nil, fmt.Errorf("unable to create in memory group role for add: %w", err)
 }
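Review bot: The new nil guard at the top of principalsToSet does not cover the two fields the function now reads from `role`: `role.PublicId` feeds ListPrincipalRoles, and `role.ScopeId` is written into every user/group role created in the add loops further down, yet the only caller visible in this diff (SetPrincipalRoles) assigns just `role.PublicId` and relies on `role.GetScope` to fill in `role.ScopeId` as a side effect, which nothing in the hunk shows. If `ScopeId` stays empty the add path either creates principal roles bound to an empty scope or is rejected inside NewUserRole/NewGroupRole (I can't tell from here), so I would make the precondition explicit right after the nil check: `if role.PublicId == "" || role.ScopeId == "" { return nil, fmt.Errorf("missing role public id or scope id %w", db.ErrInvalidParameter) }`. As a style point, the added `"missing role %w"` drops the `: ` separator that every other message in this function places before `%w`; `"missing role: %w"` keeps the wrapped chain readable. principalsToSet continues past the end of this hunk.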
@@ -335,7 +338,7 @@ func (r *Repository) principalsToSet(ctx context.Context, roleId string, userIds
 }
 var deleteGrpRoles []interface{}
 for _, p := range existingGroups {
-if _, ok := userIdsMap[p.GetPrincipalId()]; !ok {
+if _, ok := groupIdsMap[p.GetPrincipalId()]; !ok {
 grpRole, err := NewGroupRole(p.GetScopeId(), p.GetRoleId(), p.GetPrincipalId())
 if err != nil {
 return nil, fmt.Errorf("unable to create in memory group role for delete: %w", err)
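Review bot: The corrected lookup into `groupIdsMap` is a slip the existing tests evidently did not catch — the `// tests: no change, just delete, just add` comment removed in the first hunk and the absence of any test change in this chunk suggest the group side of the set path had no coverage — so a regression test should land with this fix rather than later. The case that distinguishes old from new code: call SetPrincipalRoles on a role that already has group principals, pass those same group ids again, and assert nothing is deleted (under the old line every existing group was scheduled for deletion unless its id happened to appear among the user ids). A second case mixing users and groups would pin each map to its own principal type. The loop this line belongs to continues outside the hunk.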