Add AllowStrayAsViewer option

pkg/app/ops/handler/handler.go

@@ -164,9 +164,10 @@ func (h *Handler) handleAddProject(w http.ResponseWriter, r *http.Request) {
 	}
 
 	var (
-		id            = r.FormValue("ID")
-		description   = r.FormValue("Description")
-		sharedSSOName = r.FormValue("SharedSSO")
+		id                  = r.FormValue("ID")
+		description         = r.FormValue("Description")
+		sharedSSOName       = r.FormValue("SharedSSO")
+		viewerRoleAsDefault = r.FormValue("ViewerRoleAsDefault") == "true"
 	)
 	if id == "" {
 		http.Error(w, "invalid id", http.StatusBadRequest)
@@ -191,6 +192,9 @@ func (h *Handler) handleAddProject(w http.ResponseWriter, r *http.Request) {
 			Id:            id,
 			Desc:          description,
 			SharedSsoName: sharedSSOName,
+			Rbac: &model.ProjectRBACConfig{
+				ViewerRoleAsDefault: viewerRoleAsDefault,
+			},
 		}
 		username = model.GenerateRandomString(10)
 		password = model.GenerateRandomString(30)

pkg/app/ops/handler/templates/AddProject

@@ -22,6 +22,8 @@ label {
     <input type="text" name="Description"><br><br>
     <label>Shared SSO</label>
     <input type="text" name="SharedSSO"><br><br>
+    <input type="checkbox" id="auto-assign" name="ViewerRoleAsDefault">
+    <label for="auto-assign">Auto assign viewer role</label><br><br>
     <input type="submit">
 </form>
 

pkg/app/web/src/__fixtures__/dummy-project.ts

@@ -23,6 +23,7 @@ export const dummyProject: Project.AsObject = {
     admin: "admin-team",
     editor: "editor-team",
     viewer: "viewer-team",
+    viewerRoleAsDefault: false,
   },
   staticAdmin: {
     username: "static-admin-user",
@@ -43,6 +44,7 @@ export function createProjectFromObject(o: Project.AsObject): Project {
     rbac.setAdmin(o.rbac.admin);
     rbac.setEditor(o.rbac.editor);
     rbac.setViewer(o.rbac.viewer);
+    rbac.setViewerRoleAsDefault(o.rbac.viewerRoleAsDefault);
     project.setRbac(rbac);
   }
   if (o.staticAdmin) {

pkg/model/project.proto

@@ -94,4 +94,6 @@ message ProjectRBACConfig {
     string admin = 1 [(validate.rules).string.min_len = 1];
     string editor = 2;
     string viewer = 3;
+
+    bool viewer_role_as_default = 10;
 }

pkg/oauth/github/github.go

@@ -35,6 +35,8 @@ type OAuthClient struct {
 	adminTeam  string
 	editorTeam string
 	viewerTeam string
+
+	viewerRoleAsDefault bool
 }
 
 // NewOAuthClient creates a new oauth client for GitHub.
@@ -44,10 +46,11 @@ func NewOAuthClient(ctx context.Context,
 	projectID, code string,
 ) (*OAuthClient, error) {
 	c := &OAuthClient{
-		projectID:  projectID,
-		adminTeam:  rbac.Admin,
-		editorTeam: rbac.Editor,
-		viewerTeam: rbac.Viewer,
+		projectID:           projectID,
+		adminTeam:           rbac.Admin,
+		editorTeam:          rbac.Editor,
+		viewerTeam:          rbac.Viewer,
+		viewerRoleAsDefault: rbac.ViewerRoleAsDefault,
 	}
 	cfg := oauth2.Config{
 		ClientID:     sso.ClientId,
@@ -151,6 +154,14 @@ func (c *OAuthClient) decideRole(user string, teams []*github.Team) (role model.
 		return
 	}
 
+	// In case the current user does not belong to any registered
+	// teams, if ViewerRoleAsDefault option is set, assign Viewer role
+	// as user's role.
+	if c.viewerRoleAsDefault {
+		role = model.Role_VIEWER
+		return
+	}
+
 	err = fmt.Errorf("user (%s) not found in any of the %d project teams", user, len(teams))
 	return
 }

pkg/oauth/github/github_test.go

@@ -29,13 +29,19 @@ func TestDecideRole(t *testing.T) {
 	cases := []struct {
 		name     string
 		username string
+		oc       *OAuthClient
 		teams    []*github.Team
 		role     model.Role_ProjectRole
 		wantErr  bool
 	}{
 		{
 			name:     "nothing",
 			username: "foo",
+			oc: &OAuthClient{
+				adminTeam:  "org/team-admin",
+				editorTeam: "org/team-editor",
+				viewerTeam: "org/team-viewer",
+			},
 			teams: []*github.Team{
 				{
 					Organization: &github.Organization{Login: stringPointer("org")},
@@ -44,9 +50,32 @@ func TestDecideRole(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name:     "viewer as default",
+			username: "foo",
+			oc: &OAuthClient{
+				adminTeam:           "org/team-admin",
+				editorTeam:          "org/team-editor",
+				viewerTeam:          "org/team-viewer",
+				viewerRoleAsDefault: true,
+			},
+			teams: []*github.Team{
+				{
+					Organization: &github.Organization{Login: stringPointer("org")},
+					Slug:         stringPointer("team1"),
+				},
+			},
+			role:    model.Role_VIEWER,
+			wantErr: false,
+		},
 		{
 			name:     "admin",
 			username: "foo",
+			oc: &OAuthClient{
+				adminTeam:  "org/team-admin",
+				editorTeam: "org/team-editor",
+				viewerTeam: "org/team-viewer",
+			},
 			teams: []*github.Team{
 				{
 					Organization: &github.Organization{Login: stringPointer("org")},
@@ -66,6 +95,11 @@ func TestDecideRole(t *testing.T) {
 		{
 			name:     "editor",
 			username: "foo",
+			oc: &OAuthClient{
+				adminTeam:  "org/team-admin",
+				editorTeam: "org/team-editor",
+				viewerTeam: "org/team-viewer",
+			},
 			teams: []*github.Team{
 				{
 					Organization: &github.Organization{Login: stringPointer("org")},
@@ -85,6 +119,11 @@ func TestDecideRole(t *testing.T) {
 		{
 			name:     "viewer",
 			username: "foo",
+			oc: &OAuthClient{
+				adminTeam:  "org/team-admin",
+				editorTeam: "org/team-editor",
+				viewerTeam: "org/team-viewer",
+			},
 			teams: []*github.Team{
 				{
 					Organization: &github.Organization{Login: stringPointer("org")},
@@ -103,14 +142,9 @@ func TestDecideRole(t *testing.T) {
 		},
 	}
 
-	oc := &OAuthClient{
-		adminTeam:  "org/team-admin",
-		editorTeam: "org/team-editor",
-		viewerTeam: "org/team-viewer",
-	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			role, err := oc.decideRole(tc.username, tc.teams)
+			role, err := tc.oc.decideRole(tc.username, tc.teams)
 			assert.Equal(t, tc.wantErr, err != nil)
 			if err == nil {
 				assert.Equal(t, tc.role, role)