@@ -2,6 +2,7 @@ package coderd_test
22
33import (
44"context"
5+ "database/sql"
56"fmt"
67"net/http"
78"slices"
@@ -13,8 +14,10 @@ import (
1314
1415"github.com/coder/coder/v2/coderd"
1516"github.com/coder/coder/v2/coderd/coderdtest/oidctest"
17+ "github.com/coder/coder/v2/coderd/database/migrations"
1618"github.com/coder/coder/v2/coderd/notifications"
1719"github.com/coder/coder/v2/coderd/notifications/notificationstest"
20+ "github.com/coder/coder/v2/coderd/prebuilds"
1821"github.com/coder/coder/v2/coderd/rbac/policy"
1922
2023"github.com/golang-jwt/jwt/v4"
@@ -2415,3 +2418,92 @@ func BenchmarkUsersMe(b *testing.B) {
24152418require .NoError (b ,err )
24162419}
24172420}
2421+
2422+ func TestSystemUserBehaviour (t * testing.T ) {
2423+ // Setup.
2424+ t .Parallel ()
2425+
2426+ ctx := testutil .Context (t ,testutil .WaitLong )
2427+
2428+ sqlDB := testSQLDB (t )
2429+ err := migrations .Up (sqlDB )// coderd/database/migrations/00030*_system_user.up.sql will create a system user.
2430+ require .NoError (t ,err ,"migrations" )
2431+
2432+ db := database .New (sqlDB )
2433+
2434+ // =================================================================================================================
2435+
2436+ // When: retrieving users with the include_system flag enabled.
2437+ other := dbgen .User (t ,db , database.User {})
2438+ users ,err := db .GetUsers (ctx , database.GetUsersParams {
2439+ IncludeSystem :true ,
2440+ })
2441+
2442+ // Then: system users are returned, alongside other users.
2443+ require .NoError (t ,err )
2444+ require .Len (t ,users ,2 )
2445+
2446+ var systemUser ,regularUser database.GetUsersRow
2447+ for _ ,u := range users {
2448+ if u .IsSystem .Bool {
2449+ systemUser = u
2450+ }else {
2451+ regularUser = u
2452+ }
2453+ }
2454+ require .NotNil (t ,systemUser )
2455+ require .NotNil (t ,regularUser )
2456+
2457+ require .True (t ,systemUser .IsSystem .Bool )
2458+ require .Equal (t ,systemUser .ID ,prebuilds .OwnerID )
2459+ require .False (t ,regularUser .IsSystem .Bool )
2460+ require .Equal (t ,regularUser .ID ,other .ID )
2461+
2462+ // =================================================================================================================
2463+
2464+ // When: retrieving users with the include_system flag disabled.
2465+ users ,err = db .GetUsers (ctx , database.GetUsersParams {
2466+ IncludeSystem :false ,
2467+ })
2468+
2469+ // Then: only regular users are returned.
2470+ require .NoError (t ,err )
2471+ require .Len (t ,users ,1 )
2472+ require .False (t ,users [0 ].IsSystem .Bool )
2473+
2474+ // =================================================================================================================
2475+
2476+ // When: attempting to update a system user's name.
2477+ _ ,err = db .UpdateUserProfile (ctx , database.UpdateUserProfileParams {
2478+ ID :systemUser .ID ,
2479+ Name :"not prebuilds" ,
2480+ })
2481+ // Then: the attempt is rejected by a postgres trigger.
2482+ require .ErrorContains (t ,err ,"Cannot modify or delete system users" )
2483+
2484+ // When: attempting to delete a system user.
2485+ err = db .UpdateUserDeletedByID (ctx ,systemUser .ID )
2486+ // Then: the attempt is rejected by a postgres trigger.
2487+ require .ErrorContains (t ,err ,"Cannot modify or delete system users" )
2488+
2489+ // When: attempting to update a user's roles.
2490+ _ ,err = db .UpdateUserRoles (ctx , database.UpdateUserRolesParams {
2491+ ID :systemUser .ID ,
2492+ GrantedRoles : []string {rbac .RoleAuditor ().String ()},
2493+ })
2494+ // Then: the attempt is rejected by a postgres trigger.
2495+ require .ErrorContains (t ,err ,"Cannot modify or delete system users" )
2496+ }
2497+
2498+ func testSQLDB (t testing.TB )* sql.DB {
2499+ t .Helper ()
2500+
2501+ connection ,err := dbtestutil .Open (t )
2502+ require .NoError (t ,err )
2503+
2504+ db ,err := sql .Open ("postgres" ,connection )
2505+ require .NoError (t ,err )
2506+ t .Cleanup (func () {_ = db .Close () })
2507+
2508+ return db
2509+ }