Commit70651c6

committed
update tests and policy
1 parentff6552e commit70651c6

2 files changed

+22
-5
lines changed


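--- a/coderd/rbac/authz_internal_test.go
+++ b/coderd/rbac/authz_internal_test.go
@@ -389,7 +389,9 @@ func TestAuthorizeDomain(t *testing.T) {
 {resource:ResourceWorkspace.AnyOrganization().WithOwner(user.ID),actions:ResourceWorkspace.AvailableActions(),allow:true},
 {resource:ResourceTemplate.AnyOrganization(),actions: []policy.Action{policy.ActionCreate},allow:false},
 
-{resource:ResourceWorkspace.WithOwner(user.ID),actions:ResourceWorkspace.AvailableActions(),allow:true},
+// ResourceWorkspace WITHOUT an organization. Should never happen in prod. The default member role omits these
+// permissions.
+{resource:ResourceWorkspace.WithOwner(user.ID),actions:ResourceWorkspace.AvailableActions(),allow:false},
 
 {resource:ResourceWorkspace.All(),actions:ResourceWorkspace.AvailableActions(),allow:false},
 
@@ -455,6 +457,7 @@ func TestAuthorizeDomain(t *testing.T) {
 Scope:must(ExpandScope(ScopeAll)),
 Roles:Roles{
 must(RoleByName(ScopedRoleOrgAdmin(defOrg))),
+must(RoleByName(ScopedRoleOrgMember(defOrg))),
 must(RoleByName(RoleMember())),
 },
 }
@@ -469,7 +472,8 @@ func TestAuthorizeDomain(t *testing.T) {
 {resource:ResourceWorkspace.InOrg(defOrg),actions:workspaceExceptConnect,allow:true},
 {resource:ResourceWorkspace.InOrg(defOrg),actions:workspaceConnect,allow:false},
 
-{resource:ResourceWorkspace.WithOwner(user.ID),actions:ResourceWorkspace.AvailableActions(),allow:true},
+// Workspace is not in any organization, will never happen in prod.
+{resource:ResourceWorkspace.WithOwner(user.ID),actions:ResourceWorkspace.AvailableActions(),allow:false},
 
 {resource:ResourceWorkspace.All(),actions:ResourceWorkspace.AvailableActions(),allow:false},
 
@@ -546,7 +550,8 @@ func TestAuthorizeDomain(t *testing.T) {
 {resource:ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID),allow:true},
 {resource:ResourceWorkspace.InOrg(defOrg),allow:false},
 
-{resource:ResourceWorkspace.WithOwner(user.ID),allow:true},
+// Workspace with no ownership will never happen in prod.
+{resource:ResourceWorkspace.WithOwner(user.ID),allow:false},
 
 {resource:ResourceWorkspace.All(),allow:false},
 
@@ -640,6 +645,13 @@ func TestAuthorizeDomain(t *testing.T) {
 Action:policy.ActionRead,
 }},
 },
+OrgMember:map[string][]Permission{
+defOrg.String(): {{
+Negate:false,
+ResourceType:"*",
+Action:policy.ActionRead,
+}},
+},
 User: []Permission{
 {
 Negate:false,
@@ -1145,10 +1157,14 @@ func TestAuthorizeScope(t *testing.T) {
 ResourceWorkspace.Type: {policy.ActionRead},
 }),
 },
+OrgMember:map[string][]Permission{
+defOrg.String():Permissions(map[string][]policy.Action{
+ResourceWorkspace.Type: {policy.ActionRead},
+}),
+},
 User:Permissions(map[string][]policy.Action{
 ResourceUser.Type: {policy.ActionRead},
 }),
-OrgMember:nil,
 },
 AllowIDList: []AllowListElement{AllowListAll()},
 },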
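Review bot: The comment added at new line 553, `// Workspace with no ownership will never happen in prod.`, misdescribes the case beneath it: `ResourceWorkspace.WithOwner(user.ID)` does have an owner, what it lacks is an organization, which is exactly what the sibling comments at new lines 392-393 and 475 say. Suggest `// Workspace with an owner but no organization will never happen in prod.` so the three flipped `allow:false` cases read consistently and a reader does not look for a missing-owner path in the policy. The same three hunks assert the new deny for an org-less owned workspace under the member, org-member and org-admin subjects, which is the right shape for a fail-closed change; keeping their comments identical makes that intent easier to audit. TestAuthorizeDomain and TestAuthorizeScope both start and end outside these hunks.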

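--- a/coderd/rbac/policy.rego
+++ b/coderd/rbac/policy.rego
@@ -233,7 +233,8 @@ scope_user := user_allow([input.subject.scope])
 user_allow(roles):= num if{
 input.object.owner!=""
 # if there is an org, use org_member permissions instead
-input.object.org_owner!=""
+input.object.org_owner==""
+input.object.any_org==false
 input.subject.id= input.object.owner
 
 allow:= {is_allowed|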
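Review bot: The two conditions added at new lines 236-237 make `user_allow` depend on `input.object.org_owner` and `input.object.any_org` both being present: in Rego a comparison against a missing field is undefined rather than false, so if the Go side ever omits either field for an org-less object, user-level permissions silently stop applying instead of matching. That is fail-closed, which is the safe direction for an authorization rule, but it is a contract with the object serializer that nothing in the hunk states. Suggest adding `# both fields must always be present in input.object; a missing field makes this rule undefined (deny)` under the existing comment at 235, and keeping a test that exercises an org-less object with both fields explicitly set so a serializer change cannot flip the outcome unnoticed. The body of `user_allow` is cut off by the hunk, so the closing of the rule and the `num` it evaluates to are not visible here.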
