mirror of https://github.com/coder/coder.git
142 lines
3.8 KiB
Go
142 lines
3.8 KiB
Go
package coderd_test
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/google/uuid"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/coder/coder/v2/coderd/coderdtest"
|
|
"github.com/coder/coder/v2/coderd/rbac"
|
|
"github.com/coder/coder/v2/codersdk"
|
|
"github.com/coder/coder/v2/testutil"
|
|
)
|
|
|
|
func TestCheckPermissions(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
t.Cleanup(cancel)
|
|
|
|
adminClient := coderdtest.New(t, &coderdtest.Options{
|
|
IncludeProvisionerDaemon: true,
|
|
})
|
|
// Create adminClient, member, and org adminClient
|
|
adminUser := coderdtest.CreateFirstUser(t, adminClient)
|
|
memberClient, _ := coderdtest.CreateAnotherUser(t, adminClient, adminUser.OrganizationID)
|
|
memberUser, err := memberClient.User(ctx, codersdk.Me)
|
|
require.NoError(t, err)
|
|
orgAdminClient, _ := coderdtest.CreateAnotherUser(t, adminClient, adminUser.OrganizationID, rbac.RoleOrgAdmin(adminUser.OrganizationID))
|
|
orgAdminUser, err := orgAdminClient.User(ctx, codersdk.Me)
|
|
require.NoError(t, err)
|
|
|
|
version := coderdtest.CreateTemplateVersion(t, adminClient, adminUser.OrganizationID, nil)
|
|
coderdtest.AwaitTemplateVersionJobCompleted(t, adminClient, version.ID)
|
|
template := coderdtest.CreateTemplate(t, adminClient, adminUser.OrganizationID, version.ID)
|
|
|
|
// With admin, member, and org admin
|
|
const (
|
|
readAllUsers = "read-all-users"
|
|
readOrgWorkspaces = "read-org-workspaces"
|
|
readMyself = "read-myself"
|
|
readOwnWorkspaces = "read-own-workspaces"
|
|
updateSpecificTemplate = "update-specific-template"
|
|
)
|
|
params := map[string]codersdk.AuthorizationCheck{
|
|
readAllUsers: {
|
|
Object: codersdk.AuthorizationObject{
|
|
ResourceType: codersdk.ResourceUser,
|
|
},
|
|
Action: "read",
|
|
},
|
|
readMyself: {
|
|
Object: codersdk.AuthorizationObject{
|
|
ResourceType: codersdk.ResourceUser,
|
|
OwnerID: "me",
|
|
},
|
|
Action: "read",
|
|
},
|
|
readOwnWorkspaces: {
|
|
Object: codersdk.AuthorizationObject{
|
|
ResourceType: codersdk.ResourceWorkspace,
|
|
OwnerID: "me",
|
|
},
|
|
Action: "read",
|
|
},
|
|
readOrgWorkspaces: {
|
|
Object: codersdk.AuthorizationObject{
|
|
ResourceType: codersdk.ResourceWorkspace,
|
|
OrganizationID: adminUser.OrganizationID.String(),
|
|
},
|
|
Action: "read",
|
|
},
|
|
updateSpecificTemplate: {
|
|
Object: codersdk.AuthorizationObject{
|
|
ResourceType: codersdk.ResourceTemplate,
|
|
ResourceID: template.ID.String(),
|
|
},
|
|
Action: "update",
|
|
},
|
|
}
|
|
|
|
testCases := []struct {
|
|
Name string
|
|
Client *codersdk.Client
|
|
UserID uuid.UUID
|
|
Check codersdk.AuthorizationResponse
|
|
}{
|
|
{
|
|
Name: "Admin",
|
|
Client: adminClient,
|
|
UserID: adminUser.UserID,
|
|
Check: map[string]bool{
|
|
readAllUsers: true,
|
|
readMyself: true,
|
|
readOwnWorkspaces: true,
|
|
readOrgWorkspaces: true,
|
|
updateSpecificTemplate: true,
|
|
},
|
|
},
|
|
{
|
|
Name: "OrgAdmin",
|
|
Client: orgAdminClient,
|
|
UserID: orgAdminUser.ID,
|
|
Check: map[string]bool{
|
|
readAllUsers: false,
|
|
readMyself: true,
|
|
readOwnWorkspaces: true,
|
|
readOrgWorkspaces: true,
|
|
updateSpecificTemplate: true,
|
|
},
|
|
},
|
|
{
|
|
Name: "Member",
|
|
Client: memberClient,
|
|
UserID: memberUser.ID,
|
|
Check: map[string]bool{
|
|
readAllUsers: false,
|
|
readMyself: true,
|
|
readOwnWorkspaces: true,
|
|
readOrgWorkspaces: false,
|
|
updateSpecificTemplate: false,
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, c := range testCases {
|
|
c := c
|
|
|
|
t.Run("CheckAuthorization/"+c.Name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
t.Cleanup(cancel)
|
|
|
|
resp, err := c.Client.AuthCheck(ctx, codersdk.AuthorizationRequest{Checks: params})
|
|
require.NoError(t, err, "check perms")
|
|
require.Equal(t, c.Check, resp)
|
|
})
|
|
}
|
|
}
|