NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.4k

Commit86ba866

committed

add unit test to enforce unauthorized

1 parent3e1087e commit86ba866Copy full SHA for 86ba866

File tree

3 files changed

+68

-11

lines changed

codersdk
- idpsync.go
enterprise/coderd
- idpsync.go
- idpsync_test.go

3 files changed

+68

-11

lines changed

`‎codersdk/idpsync.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -47,8 +47,8 @@ func (c *Client) GroupIDPSyncSettings(ctx context.Context, orgID string) (GroupS`
`47`	`47`	`returnresp,json.NewDecoder(res.Body).Decode(&resp)`
`48`	`48`	`}`
`49`	`49`
`50`		`-func (c*Client)PostGroupIDPSyncSettings(ctx context.Context,orgIDstring,reqGroupSyncSettings) (GroupSyncSettings,error) {`
`51`		`-res,err:=c.Request(ctx,http.MethodPost,fmt.Sprintf("/api/v2/organizations/%s/settings/idpsync/groups",orgID),req)`
	`50`	`+func (c*Client)PatchGroupIDPSyncSettings(ctx context.Context,orgIDstring,reqGroupSyncSettings) (GroupSyncSettings,error) {`
	`51`	`+res,err:=c.Request(ctx,http.MethodPatch,fmt.Sprintf("/api/v2/organizations/%s/settings/idpsync/groups",orgID),req)`
`52`	`52`	`iferr!=nil {`
`53`	`53`	`returnGroupSyncSettings{},xerrors.Errorf("make request: %w",err)`
`54`	`54`	`}`

`‎enterprise/coderd/idpsync.go‎`

Lines changed: 21 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,9 +3,12 @@ package coderd`
`3`	`3`	`import (`
`4`	`4`	`"net/http"`
`5`	`5`
	`6`	`+"github.com/coder/coder/v2/coderd/database/dbauthz"`
`6`	`7`	`"github.com/coder/coder/v2/coderd/httpapi"`
`7`	`8`	`"github.com/coder/coder/v2/coderd/httpmw"`
`8`	`9`	`"github.com/coder/coder/v2/coderd/idpsync"`
	`10`	`+"github.com/coder/coder/v2/coderd/rbac"`
	`11`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
`9`	`12`	`)`
`10`	`13`
`11`	`14`	`// @Summary Get group IdP Sync settings by organization`
`@@ -20,9 +23,17 @@ func (api API) groupIDPSyncSettings(rw http.ResponseWriter, r http.Request) {`
`20`	`23`	`ctx:=r.Context()`
`21`	`24`	`org:=httpmw.OrganizationParam(r)`
`22`	`25`
	`26`	`+if!api.Authorize(r,policy.ActionRead,rbac.ResourceIdpsyncSettings.InOrg(org.ID)) {`
	`27`	`+httpapi.Forbidden(rw)`
	`28`	`+return`
	`29`	`+}`
	`30`	`+`
`23`	`31`	`rlv:=api.Options.RuntimeConfig.OrganizationResolver(api.Database,org.ID)`
`24`	`32`	`runtimeConfigEntry:=api.IDPSync.GroupSyncSettings()`
`25`		`-settings,err:=runtimeConfigEntry.Resolve(ctx,rlv)`
	`33`	`+`
	`34`	`+//nolint:gocritic // Requires system context to read runtime config`
	`35`	`+sysCtx:=dbauthz.AsSystemRestricted(ctx)`
	`36`	`+settings,err:=runtimeConfigEntry.Resolve(sysCtx,rlv)`
`26`	`37`	`iferr!=nil {`
`27`	`38`	`httpapi.InternalServerError(rw,err)`
`28`	`39`	`return`
`@@ -43,6 +54,11 @@ func (api API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r http.Reques`
`43`	`54`	`ctx:=r.Context()`
`44`	`55`	`org:=httpmw.OrganizationParam(r)`
`45`	`56`
	`57`	`+if!api.Authorize(r,policy.ActionUpdate,rbac.ResourceIdpsyncSettings.InOrg(org.ID)) {`
	`58`	`+httpapi.Forbidden(rw)`
	`59`	`+return`
	`60`	`+}`
	`61`	`+`
`46`	`62`	`varreq idpsync.GroupSyncSettings`
`47`	`63`	`if!httpapi.Read(ctx,rw,r,&req) {`
`48`	`64`	`return`
`@@ -51,13 +67,15 @@ func (api API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r http.Reques`
`51`	`67`	`rlv:=api.Options.RuntimeConfig.OrganizationResolver(api.Database,org.ID)`
`52`	`68`	`runtimeConfigEntry:=api.IDPSync.GroupSyncSettings()`
`53`	`69`
`54`		`-err:=runtimeConfigEntry.SetRuntimeValue(ctx,rlv,&req)`
	`70`	`+//nolint:gocritic // Requires system context to update runtime config`
	`71`	`+sysCtx:=dbauthz.AsSystemRestricted(ctx)`
	`72`	`+err:=runtimeConfigEntry.SetRuntimeValue(sysCtx,rlv,&req)`
`55`	`73`	`iferr!=nil {`
`56`	`74`	`httpapi.InternalServerError(rw,err)`
`57`	`75`	`return`
`58`	`76`	`}`
`59`	`77`
`60`		`-settings,err:=runtimeConfigEntry.Resolve(ctx,rlv)`
	`78`	`+settings,err:=runtimeConfigEntry.Resolve(sysCtx,rlv)`
`61`	`79`	`iferr!=nil {`
`62`	`80`	`httpapi.InternalServerError(rw,err)`
`63`	`81`	`return`

`‎enterprise/coderd/idpsync_test.go‎`

Lines changed: 45 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,15 @@`
`1`	`1`	`package coderd_test`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+"net/http"`
`4`	`5`	`"testing"`
`5`	`6`
`6`	`7`	`"github.com/stretchr/testify/require"`
`7`	`8`
`8`	`9`	`"github.com/coder/coder/v2/coderd/coderdtest"`
`9`	`10`	`"github.com/coder/coder/v2/coderd/database/dbauthz"`
`10`	`11`	`"github.com/coder/coder/v2/coderd/idpsync"`
	`12`	`+"github.com/coder/coder/v2/coderd/rbac"`
`11`	`13`	`"github.com/coder/coder/v2/coderd/runtimeconfig"`
`12`	`14`	`"github.com/coder/coder/v2/codersdk"`
`13`	`15`	`"github.com/coder/coder/v2/enterprise/coderd/coderdenttest"`
`@@ -63,7 +65,7 @@ func TestPostGroupSyncConfig(t *testing.T) {`
`63`	`65`	`string(codersdk.ExperimentMultiOrganization),`
`64`	`66`	`}`
`65`	`67`
`66`		`-client,db,user:=coderdenttest.NewWithDatabase(t,&coderdenttest.Options{`
	`68`	`+owner,user:=coderdenttest.New(t,&coderdenttest.Options{`
`67`	`69`	`Options:&coderdtest.Options{`
`68`	`70`	`DeploymentValues:dv,`
`69`	`71`	`},`
`@@ -75,17 +77,54 @@ func TestPostGroupSyncConfig(t *testing.T) {`
`75`	`77`	`},`
`76`	`78`	`})`
`77`	`79`
	`80`	`+orgAdmin,_:=coderdtest.CreateAnotherUser(t,owner,user.OrganizationID,rbac.ScopedRoleOrgAdmin(user.OrganizationID))`
	`81`	`+`
	`82`	`+// Test as org admin`
`78`	`83`	`ctx:=testutil.Context(t,testutil.WaitShort)`
`79`		`-settings,err:=client.PostGroupIDPSyncSettings(ctx,user.OrganizationID.String(), codersdk.GroupSyncSettings{`
	`84`	`+settings,err:=orgAdmin.PatchGroupIDPSyncSettings(ctx,user.OrganizationID.String(), codersdk.GroupSyncSettings{`
`80`	`85`	`Field:"august",`
`81`	`86`	`})`
`82`	`87`	`require.NoError(t,err)`
`83`	`88`	`require.Equal(t,"august",settings.Field)`
`84`	`89`
`85`		`-dbresv:=runtimeconfig.OrganizationResolver(user.OrganizationID,runtimeconfig.NewStoreResolver(db))`
`86`		`-entry:= runtimeconfig.MustNew[*idpsync.GroupSyncSettings]("group-sync-settings")`
`87`		`-dbSettings,err:=entry.Resolve(ctx,dbresv)`
	`90`	`+fetchedSettings,err:=orgAdmin.GroupIDPSyncSettings(ctx,user.OrganizationID.String())`
`88`	`91`	`require.NoError(t,err)`
`89`		`-require.Equal(t,"august",dbSettings.Field)`
	`92`	`+require.Equal(t,"august",fetchedSettings.Field)`
	`93`	`+})`
	`94`	`+`
	`95`	`+t.Run("NotAuthorized",func(t*testing.T) {`
	`96`	`+t.Parallel()`
	`97`	`+`
	`98`	`+dv:=coderdtest.DeploymentValues(t)`
	`99`	`+dv.Experiments= []string{`
	`100`	`+string(codersdk.ExperimentCustomRoles),`
	`101`	`+string(codersdk.ExperimentMultiOrganization),`
	`102`	`+}`
	`103`	`+`
	`104`	`+owner,user:=coderdenttest.New(t,&coderdenttest.Options{`
	`105`	`+Options:&coderdtest.Options{`
	`106`	`+DeploymentValues:dv,`
	`107`	`+},`
	`108`	`+LicenseOptions:&coderdenttest.LicenseOptions{`
	`109`	`+Features: license.Features{`
	`110`	`+codersdk.FeatureCustomRoles:1,`
	`111`	`+codersdk.FeatureMultipleOrganizations:1,`
	`112`	`+},`
	`113`	`+},`
	`114`	`+})`
	`115`	`+`
	`116`	`+member,_:=coderdtest.CreateAnotherUser(t,owner,user.OrganizationID)`
	`117`	`+`
	`118`	`+ctx:=testutil.Context(t,testutil.WaitShort)`
	`119`	`+_,err:=member.PatchGroupIDPSyncSettings(ctx,user.OrganizationID.String(), codersdk.GroupSyncSettings{`
	`120`	`+Field:"august",`
	`121`	`+})`
	`122`	`+varapiError*codersdk.Error`
	`123`	`+require.ErrorAs(t,err,&apiError)`
	`124`	`+require.Equal(t,http.StatusForbidden,apiError.StatusCode())`
	`125`	`+`
	`126`	`+_,err=member.GroupIDPSyncSettings(ctx,user.OrganizationID.String())`
	`127`	`+require.ErrorAs(t,err,&apiError)`
	`128`	`+require.Equal(t,http.StatusForbidden,apiError.StatusCode())`
`90`	`129`	`})`
`91`	`130`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit86ba866

File tree

3 files changed

3 files changed

`‎codersdk/idpsync.go‎`

`‎enterprise/coderd/idpsync.go‎`

`‎enterprise/coderd/idpsync_test.go‎`

0 commit comments