rubygems · colby-swandale · Jul 17, 2024 · Sep 6, 2024 · Aug 2, 2024 · Aug 6, 2024
diff --git a/app/avo/resources/ownership_resource.rb b/app/avo/resources/ownership_resource.rb
@@ -26,4 +26,5 @@ class ConfirmedFilter < ScopeBooleanFilter; end
 
   field :authorizer, as: :belongs_to
   field :confirmed_at, as: :date_time
+  field :role, as: :select, enum: Ownership.roles
 end
diff --git a/app/controllers/api/v1/owners_controller.rb b/app/controllers/api/v1/owners_controller.rb
@@ -15,7 +15,8 @@ def show
   def create
     authorize @rubygem, :add_owner?
     owner = User.find_by_name!(email_param)
-    ownership = @rubygem.ownerships.new(user: owner, authorizer: @api_key.user)
+    ownership = @rubygem.ownerships.new(user: owner, authorizer: @api_key.user, **ownership_params)
+
     if ownership.save
       OwnersMailer.ownership_confirmation(ownership).deliver_later
       render plain: response_with_mfa_warning("#{owner.display_handle} was added as an unconfirmed owner. " \
@@ -26,10 +27,28 @@ def create
     end
   end
 
+  def update
+    owner = User.find_by_name(email_param)
+    ownership = @rubygem.ownerships.find_by(user: owner) if owner
+    if ownership
+      authorize(ownership)
+    else
+      authorize(@rubygem, :update_owner?) # don't leak presence of an email unless authorized
+      return render_not_found
+    end
+
+    if ownership.update(ownership_params)
+      render plain: response_with_mfa_warning("Owner updated successfully.")
+    else
+      render plain: response_with_mfa_warning(ownership.errors.full_messages.to_sentence), status: :unprocessable_entity
+    end
+  end
+
   def destroy
     authorize @rubygem, :remove_owner?
     owner = User.find_by_name!(email_param)
     ownership = @rubygem.ownerships_including_unconfirmed.find_by!(user: owner)
+
     if ownership.safe_destroy
       OwnersMailer.owner_removed(ownership.user_id, @api_key.user.id, ownership.rubygem_id).deliver_later
       render plain: response_with_mfa_warning("Owner removed successfully.")
@@ -60,4 +79,8 @@ def render_not_found
   def email_param
     params.permit(:email).require(:email)
   end
+
+  def ownership_params
+    params.permit(:role)
+  end
 end
diff --git a/app/controllers/owners_controller.rb b/app/controllers/owners_controller.rb
@@ -2,8 +2,13 @@ class OwnersController < ApplicationController
   include SessionVerifiable
 
   before_action :find_rubygem, except: :confirm
-  verify_session_before only: %i[index create destroy]
-  before_action :verify_mfa_requirement, only: %i[create destroy]
+  verify_session_before only: %i[index edit update create destroy]
+  before_action :verify_mfa_requirement, only: %i[create edit update destroy]
+  before_action :find_ownership, only: %i[edit update destroy]
+
+  rescue_from(Pundit::NotAuthorizedError) do |e|
+    redirect_to rubygem_path(@rubygem.slug), alert: e.policy.error
+  end
 
   def confirm
     ownership = Ownership.find_by!(token: token_params)
@@ -32,10 +37,14 @@ def index
     @ownerships = @rubygem.ownerships_including_unconfirmed.includes(:user, :authorizer)
   end
 
+  def edit
+  end
+
   def create
     authorize @rubygem, :add_owner?
     owner = User.find_by_name(handle_params)
-    ownership = @rubygem.ownerships.new(user: owner, authorizer: current_user)
+
+    ownership = @rubygem.ownerships.new(user: owner, authorizer: current_user, role: params[:role])
     if ownership.save
       OwnersMailer.ownership_confirmation(ownership).deliver_later
       redirect_to rubygem_owners_path(@rubygem.slug), notice: t(".success_notice", handle: owner.name)
@@ -44,9 +53,19 @@ def create
     end
   end
 
+  # This action is used to update a user's owenrship role. This endpoint currently asssumes
+  # the role is the only thing that can be updated. If more fields are added to the ownership
+  # this action will need to be tweaked a bit
+  def update
+    if @ownership.update(update_params)
+      OwnersMailer.with(ownership: @ownership, authorizer: current_user).owner_updated.deliver_later
+      redirect_to rubygem_owners_path(@ownership.rubygem.slug), notice: t(".success_notice", handle: @ownership.user.name)
+    else
+      index_with_error @ownership.errors.full_messages.to_sentence, :unprocessable_entity
+    end
+  end
+
   def destroy
-    authorize @rubygem, :remove_owner?
-    @ownership = @rubygem.ownerships_including_unconfirmed.find_by_owner_handle!(handle_params)
     if @ownership.safe_destroy
       OwnersMailer.owner_removed(@ownership.user_id, current_user.id, @ownership.rubygem_id).deliver_later
       redirect_to rubygem_owners_path(@ownership.rubygem.slug), notice: t(".removed_notice", owner_name: @ownership.owner_name)
@@ -61,6 +80,15 @@ def verify_session_redirect_path
     rubygem_owners_url(params[:rubygem_id])
   end
 
+  def find_ownership
+    @ownership = @rubygem.ownerships_including_unconfirmed.find_by_owner_handle(handle_params)
+    return authorize(@ownership) if @ownership
+
+    predicate = params[:action] == "destroy" ? :remove_owner? : :update_owner?
+    authorize(@rubygem, predicate)
+    render_not_found
+  end
+
   def token_params
     params.permit(:token).require(:token)
   end
@@ -69,6 +97,10 @@ def handle_params
     params.permit(:handle).require(:handle)
   end
 
+  def update_params
+    params.permit(:role)
+  end
+
   def notify_owner_added(ownership)
     ownership.rubygem.ownership_notifiable_owners.each do |notified_user|
       OwnersMailer.owner_added(

diff --git a/app/mailers/owners_mailer.rb b/app/mailers/owners_mailer.rb
@@ -13,6 +13,17 @@ def ownership_confirmation(ownership)
       end
   end
 
+  def owner_updated
+    @ownership = params[:ownership]
+    @user = @ownership.user
+    @rubygem = @ownership.rubygem
+
+    mail(
+      to: @user.email,
+      subject: t("mailer.owner_updated.subject", gem: @rubygem.name, host: Gemcutter::HOST_DISPLAY)
+    )
+  end
+
   def owner_removed(user_id, remover_id, gem_id)
     @user = User.find(user_id)
     @remover = User.find(remover_id)

diff --git a/app/models/api_key.rb b/app/models/api_key.rb
@@ -1,9 +1,9 @@
 class ApiKey < ApplicationRecord
   class ScopeError < RuntimeError; end
 
-  API_SCOPES = %i[show_dashboard index_rubygems push_rubygem yank_rubygem add_owner remove_owner access_webhooks
+  API_SCOPES = %i[show_dashboard index_rubygems push_rubygem yank_rubygem add_owner update_owner remove_owner access_webhooks
                   configure_trusted_publishers].freeze
-  APPLICABLE_GEM_API_SCOPES = %i[push_rubygem yank_rubygem add_owner remove_owner configure_trusted_publishers].freeze
+  APPLICABLE_GEM_API_SCOPES = %i[push_rubygem yank_rubygem add_owner update_owner remove_owner configure_trusted_publishers].freeze
   EXCLUSIVE_SCOPES = %i[show_dashboard].freeze
 
   self.ignored_columns += API_SCOPES

diff --git a/app/models/events/rubygem_event.rb b/app/models/events/rubygem_event.rb
@@ -59,6 +59,17 @@ class Events::RubygemEvent < ApplicationRecord
     attribute :owner_gid, :global_id
   end
 
+  OWNER_ROLE_UPDATED = define_event "rubygem:owner:updated" do
+    attribute :owner, :string
+    attribute :updated_by, :string
+
+    attribute :actor_gid, :global_id
+    attribute :owner_gid, :global_id
+
+    attribute :previous_role, :string
+    attribute :current_role, :string
+  end
+
   OWNER_REMOVED = define_event "rubygem:owner:removed" do
     attribute :owner, :string
     attribute :removed_by, :string

diff --git a/app/models/membership.rb b/app/models/membership.rb
@@ -5,6 +5,8 @@ class Membership < ApplicationRecord
   scope :unconfirmed, -> { where(confirmed_at: nil) }
   scope :confirmed, -> { where.not(confirmed_at: nil) }
 
+  enum :role, { owner: Access::OWNER, maintainer: Access::MAINTAINER, admin: Access::ADMIN }, validate: true, default: :maintainer
+
   def confirmed?
     !confirmed_at.nil?
   end

diff --git a/app/models/ownership.rb b/app/models/ownership.rb
@@ -13,11 +13,17 @@ class Ownership < ApplicationRecord
 
   after_create :record_create_event
   after_update :record_confirmation_event, if: :saved_change_to_confirmed_at?
+  after_update :record_role_updated_event, if: :saved_change_to_role?
+  after_update :notify_user_role_of_role_change, if: :saved_change_to_role?
   after_destroy :record_destroy_event
 
   scope :confirmed, -> { where.not(confirmed_at: nil) }
   scope :unconfirmed, -> { where(confirmed_at: nil) }
 
+  enum :role, { owner: Access::OWNER, maintainer: Access::MAINTAINER }, validate: true, default: :owner
+
+  scope :user_with_minimum_role, ->(user, role) { where(user: user, role: Access.with_minimum_role(role)) }
+
   def self.by_indexed_gem_name
     select("ownerships.*, rubygems.name")
       .left_joins(rubygem: :versions)
@@ -26,8 +32,8 @@ def self.by_indexed_gem_name
       .order("rubygems.name ASC")
   end
 
-  def self.find_by_owner_handle!(handle)
-    joins(:user).find_by(users: { handle: handle }) || joins(:user).find_by!(users: { id: handle })
+  def self.find_by_owner_handle(handle)
+    joins(:user).find_by(users: { handle: handle }) || joins(:user).find_by(users: { id: handle })
   end
 
   def self.create_confirmed(rubygem, user, approver)
@@ -107,11 +113,25 @@ def record_confirmation_event
       actor_gid: Current.user&.to_gid)
   end
 
+  def record_role_updated_event
+    rubygem.record_event!(Events::RubygemEvent::OWNER_ROLE_UPDATED,
+      owner: user.display_handle,
+      updated_by: Current.user&.display_handle,
+      owner_gid: user.to_gid,
+      actor_gid: Current.user&.to_gid,
+      previous_role: role_previously_was,
+      current_role: role)
+  end
+
   def record_destroy_event
     rubygem.record_event!(Events::RubygemEvent::OWNER_REMOVED,
       owner: user.display_handle,
       removed_by: Current.user&.display_handle,
       owner_gid: user.to_gid,
       actor_gid: Current.user&.to_gid)
   end
+
+  def notify_user_role_of_role_change
+    OwnersMailer.with(ownership: self).owner_updated.deliver_later
+  end
 end
diff --git a/app/models/rubygem.rb b/app/models/rubygem.rb
@@ -188,6 +188,13 @@ def owned_by?(user)
     ownerships.exists?(user_id: user.id)
   end
 
+  def owned_by_with_role?(user, minimum_required_role)
+    return false if user.blank?
+    ownerships.user_with_minimum_role(user, minimum_required_role).exists?
+  rescue KeyError
+    false
+  end
+
   def unconfirmed_ownerships
     ownerships_including_unconfirmed.unconfirmed
   end

diff --git a/app/policies/api/application_policy.rb b/app/policies/api/application_policy.rb
@@ -42,10 +42,19 @@ def deny(error)
     false
   end
 
+  def api_policy!(record)
+    Pundit.policy!(api_key, [:api, record])
+  end
+
   def user_policy!(record)
     Pundit.policy!(api_key.user, record)
   end
 
+  def api_authorized?(record, action)
+    policy = api_policy!(record)
+    policy.send(action) || deny(policy.error)
+  end
+
   def user_authorized?(record, action)
     policy = user_policy!(record)
     policy.send(action) || deny(policy.error)

diff --git a/app/policies/api/ownership_policy.rb b/app/policies/api/ownership_policy.rb
@@ -0,0 +1,11 @@
+class Api::OwnershipPolicy < Api::ApplicationPolicy
+  class Scope < Api::ApplicationPolicy::Scope
+  end
+
+  delegate :rubygem, to: :record
+
+  def update?
+    api_authorized?(rubygem, :update_owner?) &&
+      user_authorized?(record, :update?)
+  end
+end
diff --git a/app/policies/api/rubygem_policy.rb b/app/policies/api/rubygem_policy.rb
@@ -26,6 +26,13 @@ def add_owner?
       user_authorized?(rubygem, :add_owner?)
   end
 
+  def update_owner?
+    user_api_key? &&
+      mfa_requirement_satisfied?(rubygem) &&
+      api_key_scope?(:update_owner, rubygem) &&
+      user_authorized?(rubygem, :update_owner?)
+  end
+
   def remove_owner?
     user_api_key? &&
       mfa_requirement_satisfied?(rubygem) &&

diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
@@ -80,6 +80,10 @@ def rubygem_owned_by?(user)
     rubygem.owned_by?(user) || deny(t(:forbidden))
   end
 
+  def rubygem_owned_by_with_role?(user, minimum_required_role:)
+    rubygem.owned_by_with_role?(user, minimum_required_role) || deny(t(:forbidden))
+  end
+
   def policy!(user, record) = Pundit.policy!(user, record)
   def user_policy!(record) = policy!(user, record)
 

diff --git a/app/policies/oidc/rubygem_trusted_publisher_policy.rb b/app/policies/oidc/rubygem_trusted_publisher_policy.rb
@@ -5,14 +5,14 @@ class Scope < ApplicationPolicy::Scope
   delegate :rubygem, to: :record
 
   def show?
-    rubygem_owned_by?(user)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner)
   end
 
   def create?
-    rubygem_owned_by?(user)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner)
   end
 
   def destroy?
-    rubygem_owned_by?(user)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner)
   end
 end
diff --git a/app/policies/organization_policy.rb b/app/policies/organization_policy.rb
@@ -0,0 +1,54 @@
+class OrganizationPolicy < ApplicationPolicy
+  class Scope < ApplicationPolicy::Scope
+  end
+
+  def show?
+    true
+  end
+
+  def update?
+    organization_member_with_role?(user, minimum_required_role: Access::OWNER)
+  end
+
+  def create?
+    true
+  end
+
+  def add_gem?
+    organization_member_with_role?(user, minimum_required_role: Access::OWNER)
+  end
+
+  def remove_gem?
+    organization_member_with_role?(user, minimum_required_role: Access::OWNER)
+  end
+
+  def add_membership?
+    organization_member_with_role?(user, minimum_required_role: Access::OWNER)
+  end
+
+  def update_membership?
+    organization_member_with_role?(user, minimum_required_role: Access::OWNER)
+  end
+
+  def remove_membership?
+    organization_member_with_role?(user, minimum_required_role: Access::OWNER)
+  end
+
+  def show_membership?
+    organization_member_with_role?(user, minimum_required_role: Access::MAINTAINER)
+  end
+
+  def list_memberships?
+    organization_member_with_role?(user, minimum_required_role: Access::MAINTAINER)
+  end
+
+  def destroy?
+    false # For now organizations cannot be deleted
+  end
+
+  private
+
+  def organization_member_with_role?(user, minimum_required_role:)
+    record.memberships.exists?(["user_id = ? AND role >= ?", user.id, minimum_required_role])
+  end
+end