Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit5ce4225

Browse files
committed
update roles_test to include all actions and resources
1 parent4d16bfc commit5ce4225

File tree

2 files changed

+212
-25
lines changed

2 files changed

+212
-25
lines changed

‎coderd/rbac/roles.go

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -159,7 +159,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
159159
// All users can see the provisioner daemons.
160160
ResourceProvisionerDaemon.Type: {policy.ActionRead},
161161
// All users can see OAuth2 provider applications.
162-
ResourceOauth2App.Type: {policy.ActionRead},
162+
ResourceOauth2App.Type: {policy.ActionRead},
163+
ResourceWorkspaceProxy.Type: {policy.ActionRead},
163164
}),
164165
Org:map[string][]Permission{},
165166
User:append(allPermsExcept(ResourceWorkspaceDormant,ResourceUser,ResourceOrganizationMember),

‎coderd/rbac/roles_test.go

Lines changed: 210 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -36,8 +36,8 @@ func TestOwnerExec(t *testing.T) {
3636

3737
auth:=rbac.NewCachingAuthorizer(prometheus.NewRegistry())
3838
// Exec a random workspace
39-
err:=auth.Authorize(context.Background(),owner,policy.ActionCreate,
40-
rbac.ResourceWorkspaceExecution.WithID(uuid.New()).InOrg(uuid.New()).WithOwner(uuid.NewString()))
39+
err:=auth.Authorize(context.Background(),owner,policy.ActionSSH,
40+
rbac.ResourceWorkspace.WithID(uuid.New()).InOrg(uuid.New()).WithOwner(uuid.NewString()))
4141
require.ErrorAsf(t,err,&rbac.UnauthorizedError{},"expected unauthorized error")
4242
})
4343

@@ -50,8 +50,8 @@ func TestOwnerExec(t *testing.T) {
5050
auth:=rbac.NewCachingAuthorizer(prometheus.NewRegistry())
5151

5252
// Exec a random workspace
53-
err:=auth.Authorize(context.Background(),owner,policy.ActionCreate,
54-
rbac.ResourceWorkspaceExecution.WithID(uuid.New()).InOrg(uuid.New()).WithOwner(uuid.NewString()))
53+
err:=auth.Authorize(context.Background(),owner,policy.ActionSSH,
54+
rbac.ResourceWorkspace.WithID(uuid.New()).InOrg(uuid.New()).WithOwner(uuid.NewString()))
5555
require.NoError(t,err,"expected owner can")
5656
})
5757
}
@@ -60,6 +60,8 @@ func TestOwnerExec(t *testing.T) {
6060
funcTestRolePermissions(t*testing.T) {
6161
t.Parallel()
6262

63+
crud:= []policy.Action{policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete}
64+
6365
auth:=rbac.NewCachingAuthorizer(prometheus.NewRegistry())
6466

6567
// currentUser is anything that references "me", "mine", or "my".
@@ -145,8 +147,8 @@ func TestRolePermissions(t *testing.T) {
145147
{
146148
Name:"MyWorkspaceInOrgExecution",
147149
// When creating the WithID won't be set, but it does not change the result.
148-
Actions: []policy.Action{policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
149-
Resource:rbac.ResourceWorkspaceExecution.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),
150+
Actions: []policy.Action{policy.ActionSSH},
151+
Resource:rbac.ResourceWorkspace.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),
150152
AuthorizeMap:map[bool][]authSubject{
151153
true: {owner,orgMemberMe},
152154
false: {orgAdmin,memberMe,otherOrgAdmin,otherOrgMember,templateAdmin,userAdmin},
@@ -155,16 +157,16 @@ func TestRolePermissions(t *testing.T) {
155157
{
156158
Name:"MyWorkspaceInOrgAppConnect",
157159
// When creating the WithID won't be set, but it does not change the result.
158-
Actions: []policy.Action{policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
159-
Resource:rbac.ResourceWorkspaceApplicationConnect.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),
160+
Actions: []policy.Action{policy.ActionApplicationConnect},
161+
Resource:rbac.ResourceWorkspace.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),
160162
AuthorizeMap:map[bool][]authSubject{
161-
true: {owner,orgAdmin,orgMemberMe},
162-
false: {memberMe,otherOrgAdmin,otherOrgMember,templateAdmin,userAdmin},
163+
true: {owner,orgMemberMe},
164+
false: {memberMe,otherOrgAdmin,otherOrgMember,templateAdmin,userAdmin,orgAdmin},
163165
},
164166
},
165167
{
166168
Name:"Templates",
167-
Actions: []policy.Action{policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete},
169+
Actions: []policy.Action{policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete,policy.ActionViewInsights},
168170
Resource:rbac.ResourceTemplate.WithID(templateID).InOrg(orgID),
169171
AuthorizeMap:map[bool][]authSubject{
170172
true: {owner,orgAdmin,templateAdmin},
@@ -191,7 +193,7 @@ func TestRolePermissions(t *testing.T) {
191193
},
192194
{
193195
Name:"MyFile",
194-
Actions: []policy.Action{policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
196+
Actions: []policy.Action{policy.ActionCreate,policy.ActionRead},
195197
Resource:rbac.ResourceFile.WithID(fileID).WithOwner(currentUser.String()),
196198
AuthorizeMap:map[bool][]authSubject{
197199
true: {owner,memberMe,orgMemberMe,templateAdmin},
@@ -227,8 +229,8 @@ func TestRolePermissions(t *testing.T) {
227229
},
228230
{
229231
Name:"RoleAssignment",
230-
Actions: []policy.Action{policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete},
231-
Resource:rbac.ResourceRoleAssignment,
232+
Actions: []policy.Action{policy.ActionAssign,policy.ActionDelete},
233+
Resource:rbac.ResourceAssignRole,
232234
AuthorizeMap:map[bool][]authSubject{
233235
true: {owner,userAdmin},
234236
false: {orgAdmin,orgMemberMe,otherOrgAdmin,otherOrgMember,memberMe,templateAdmin},
@@ -237,16 +239,16 @@ func TestRolePermissions(t *testing.T) {
237239
{
238240
Name:"ReadRoleAssignment",
239241
Actions: []policy.Action{policy.ActionRead},
240-
Resource:rbac.ResourceRoleAssignment,
242+
Resource:rbac.ResourceAssignRole,
241243
AuthorizeMap:map[bool][]authSubject{
242244
true: {owner,orgAdmin,orgMemberMe,otherOrgAdmin,otherOrgMember,memberMe,templateAdmin,userAdmin},
243245
false: {},
244246
},
245247
},
246248
{
247249
Name:"OrgRoleAssignment",
248-
Actions: []policy.Action{policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete},
249-
Resource:rbac.ResourceOrgRoleAssignment.InOrg(orgID),
250+
Actions: []policy.Action{policy.ActionAssign,policy.ActionDelete},
251+
Resource:rbac.ResourceAssignOrgRole.InOrg(orgID),
250252
AuthorizeMap:map[bool][]authSubject{
251253
true: {owner,orgAdmin},
252254
false: {orgMemberMe,otherOrgAdmin,otherOrgMember,memberMe,templateAdmin,userAdmin},
@@ -255,7 +257,7 @@ func TestRolePermissions(t *testing.T) {
255257
{
256258
Name:"ReadOrgRoleAssignment",
257259
Actions: []policy.Action{policy.ActionRead},
258-
Resource:rbac.ResourceOrgRoleAssignment.InOrg(orgID),
260+
Resource:rbac.ResourceAssignOrgRole.InOrg(orgID),
259261
AuthorizeMap:map[bool][]authSubject{
260262
true: {owner,orgAdmin,orgMemberMe},
261263
false: {otherOrgAdmin,otherOrgMember,memberMe,templateAdmin,userAdmin},
@@ -264,16 +266,16 @@ func TestRolePermissions(t *testing.T) {
264266
{
265267
Name:"APIKey",
266268
Actions: []policy.Action{policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
267-
Resource:rbac.ResourceAPIKey.WithID(apiKeyID).WithOwner(currentUser.String()),
269+
Resource:rbac.ResourceApiKey.WithID(apiKeyID).WithOwner(currentUser.String()),
268270
AuthorizeMap:map[bool][]authSubject{
269271
true: {owner,orgMemberMe,memberMe},
270272
false: {orgAdmin,otherOrgAdmin,otherOrgMember,templateAdmin,userAdmin},
271273
},
272274
},
273275
{
274276
Name:"UserData",
275-
Actions: []policy.Action{policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
276-
Resource:rbac.ResourceUserData.WithID(currentUser).WithOwner(currentUser.String()),
277+
Actions: []policy.Action{policy.ActionReadPersonal,policy.ActionUpdatePersonal},
278+
Resource:rbac.ResourceUserObject(currentUser),
277279
AuthorizeMap:map[bool][]authSubject{
278280
true: {owner,orgMemberMe,memberMe,userAdmin},
279281
false: {orgAdmin,otherOrgAdmin,otherOrgMember,templateAdmin},
@@ -312,6 +314,15 @@ func TestRolePermissions(t *testing.T) {
312314
},
313315
{
314316
Name:"Groups",
317+
Actions: []policy.Action{policy.ActionCreate,policy.ActionDelete,policy.ActionUpdate},
318+
Resource:rbac.ResourceGroup.WithID(groupID).InOrg(orgID),
319+
AuthorizeMap:map[bool][]authSubject{
320+
true: {owner,orgAdmin,userAdmin},
321+
false: {memberMe,otherOrgAdmin,orgMemberMe,otherOrgMember,templateAdmin},
322+
},
323+
},
324+
{
325+
Name:"GroupsRead",
315326
Actions: []policy.Action{policy.ActionRead},
316327
Resource:rbac.ResourceGroup.WithID(groupID).InOrg(orgID),
317328
AuthorizeMap:map[bool][]authSubject{
@@ -330,19 +341,183 @@ func TestRolePermissions(t *testing.T) {
330341
},
331342
{
332343
Name:"WorkspaceBuild",
333-
Actions:rbac.AllActions(),
334-
Resource:rbac.ResourceWorkspaceBuild.WithID(uuid.New()).InOrg(orgID).WithOwner(memberMe.Actor.ID),
344+
Actions:[]policy.Action{policy.ActionWorkspaceBuild},
345+
Resource:rbac.ResourceWorkspace.WithID(uuid.New()).InOrg(orgID).WithOwner(memberMe.Actor.ID),
335346
AuthorizeMap:map[bool][]authSubject{
336347
true: {owner,orgAdmin,orgMemberMe},
337348
false: {userAdmin,otherOrgAdmin,otherOrgMember,templateAdmin,memberMe},
338349
},
339350
},
351+
// Some admin style resources
352+
{
353+
Name:"Licences",
354+
Actions: []policy.Action{policy.ActionCreate,policy.ActionRead,policy.ActionDelete},
355+
Resource:rbac.ResourceLicense,
356+
AuthorizeMap:map[bool][]authSubject{
357+
true: {owner},
358+
false: {orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
359+
},
360+
},
361+
{
362+
Name:"DeploymentStats",
363+
Actions: []policy.Action{policy.ActionRead},
364+
Resource:rbac.ResourceDeploymentStats,
365+
AuthorizeMap:map[bool][]authSubject{
366+
true: {owner},
367+
false: {orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
368+
},
369+
},
370+
{
371+
Name:"DeploymentConfig",
372+
Actions: []policy.Action{policy.ActionRead},
373+
Resource:rbac.ResourceDeploymentConfig,
374+
AuthorizeMap:map[bool][]authSubject{
375+
true: {owner},
376+
false: {orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
377+
},
378+
},
379+
{
380+
Name:"DebugInfo",
381+
Actions: []policy.Action{policy.ActionUse},
382+
Resource:rbac.ResourceDebugInfo,
383+
AuthorizeMap:map[bool][]authSubject{
384+
true: {owner},
385+
false: {orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
386+
},
387+
},
388+
{
389+
Name:"Replicas",
390+
Actions: []policy.Action{policy.ActionRead},
391+
Resource:rbac.ResourceReplicas,
392+
AuthorizeMap:map[bool][]authSubject{
393+
true: {owner},
394+
false: {orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
395+
},
396+
},
397+
{
398+
Name:"TailnetCoordinator",
399+
Actions:crud,
400+
Resource:rbac.ResourceTailnetCoordinator,
401+
AuthorizeMap:map[bool][]authSubject{
402+
true: {owner},
403+
false: {orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
404+
},
405+
},
406+
{
407+
Name:"AuditLogs",
408+
Actions: []policy.Action{policy.ActionRead},
409+
Resource:rbac.ResourceAuditLog,
410+
AuthorizeMap:map[bool][]authSubject{
411+
true: {owner},
412+
false: {orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
413+
},
414+
},
415+
{
416+
Name:"ProvisionerDaemons",
417+
Actions: []policy.Action{policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete},
418+
Resource:rbac.ResourceProvisionerDaemon.InOrg(orgID),
419+
AuthorizeMap:map[bool][]authSubject{
420+
true: {owner,templateAdmin,orgAdmin},
421+
false: {otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,userAdmin},
422+
},
423+
},
424+
{
425+
Name:"ProvisionerDaemonsRead",
426+
Actions: []policy.Action{policy.ActionRead},
427+
Resource:rbac.ResourceProvisionerDaemon.InOrg(orgID),
428+
AuthorizeMap:map[bool][]authSubject{
429+
// This should be fixed when multi-org goes live
430+
true: {owner,templateAdmin,orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,userAdmin},
431+
false: {},
432+
},
433+
},
434+
{
435+
Name:"UserProvisionerDaemons",
436+
Actions: []policy.Action{policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete},
437+
Resource:rbac.ResourceProvisionerDaemon.WithOwner(currentUser.String()).InOrg(orgID),
438+
AuthorizeMap:map[bool][]authSubject{
439+
true: {owner,templateAdmin,orgMemberMe,orgAdmin},
440+
false: {memberMe,otherOrgAdmin,otherOrgMember,userAdmin},
441+
},
442+
},
443+
{
444+
Name:"System",
445+
Actions:crud,
446+
Resource:rbac.ResourceSystem,
447+
AuthorizeMap:map[bool][]authSubject{
448+
true: {owner},
449+
false: {orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
450+
},
451+
},
452+
{
453+
Name:"Oauth2App",
454+
Actions: []policy.Action{policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete},
455+
Resource:rbac.ResourceOauth2App,
456+
AuthorizeMap:map[bool][]authSubject{
457+
true: {owner},
458+
false: {orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
459+
},
460+
},
461+
{
462+
Name:"Oauth2AppRead",
463+
Actions: []policy.Action{policy.ActionRead},
464+
Resource:rbac.ResourceOauth2App,
465+
AuthorizeMap:map[bool][]authSubject{
466+
true: {owner,orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
467+
false: {},
468+
},
469+
},
470+
{
471+
Name:"Oauth2AppSecret",
472+
Actions:crud,
473+
Resource:rbac.ResourceOauth2AppSecret,
474+
AuthorizeMap:map[bool][]authSubject{
475+
true: {owner},
476+
false: {orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
477+
},
478+
},
479+
{
480+
Name:"Oauth2Token",
481+
Actions:crud,
482+
Resource:rbac.ResourceOauth2AppCodeToken,
483+
AuthorizeMap:map[bool][]authSubject{
484+
true: {owner},
485+
false: {orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
486+
},
487+
},
488+
{
489+
Name:"WorkspaceProxy",
490+
Actions: []policy.Action{policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete},
491+
Resource:rbac.ResourceWorkspaceProxy,
492+
AuthorizeMap:map[bool][]authSubject{
493+
true: {owner},
494+
false: {orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
495+
},
496+
},
497+
{
498+
Name:"WorkspaceProxyRead",
499+
Actions: []policy.Action{policy.ActionRead},
500+
Resource:rbac.ResourceWorkspaceProxy,
501+
AuthorizeMap:map[bool][]authSubject{
502+
true: {owner,orgAdmin,otherOrgAdmin,otherOrgMember,memberMe,orgMemberMe,templateAdmin,userAdmin},
503+
false: {},
504+
},
505+
},
506+
}
507+
508+
// We expect every permission to be tested above.
509+
remainingPermissions:=make(map[string]map[policy.Action]bool)
510+
forrtype,perms:=rangepolicy.RBACPermissions {
511+
remainingPermissions[rtype]=make(map[policy.Action]bool)
512+
foraction:=rangeperms.Actions {
513+
remainingPermissions[rtype][action]=true
514+
}
340515
}
341516

342517
for_,c:=rangetestCases {
343518
c:=c
519+
// nolint:tparallel -- These share the same remainingPermissions map
344520
t.Run(c.Name,func(t*testing.T) {
345-
t.Parallel()
346521
remainingSubjs:=make(map[string]struct{})
347522
for_,subj:=rangerequiredSubjects {
348523
remainingSubjs[subj.Name]=struct{}{}
@@ -359,6 +534,8 @@ func TestRolePermissions(t *testing.T) {
359534
ifactor.Scope==nil {
360535
actor.Scope=rbac.ScopeAll
361536
}
537+
538+
delete(remainingPermissions[c.Resource.Type],action)
362539
err:=auth.Authorize(context.Background(),actor,action,c.Resource)
363540
ifresult {
364541
assert.NoError(t,err,fmt.Sprintf("Should pass: %s",msg))
@@ -371,6 +548,15 @@ func TestRolePermissions(t *testing.T) {
371548
require.Empty(t,remainingSubjs,"test should cover all subjects")
372549
})
373550
}
551+
552+
forrtype,v:=rangeremainingPermissions {
553+
// nolint:tparallel -- Making a subtest for easier diagnosing failures.
554+
t.Run(fmt.Sprintf("%s-AllActions",rtype),func(t*testing.T) {
555+
iflen(v)>0 {
556+
assert.Equal(t,map[policy.Action]bool{},v,"remaining permissions should be empty for type %q",rtype)
557+
}
558+
})
559+
}
374560
}
375561

376562
funcTestIsOrgRole(t*testing.T) {

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp