- Notifications
You must be signed in to change notification settings - Fork1.1k
test: add unit test to verify group permission behavior#14223
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Changes fromall commits
File filter
Filter by extension
Conversations
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||
|---|---|---|---|---|
| @@ -0,0 +1,168 @@ | ||||
| package dbauthz_test | ||||
| import ( | ||||
| "context" | ||||
| "testing" | ||||
| "github.com/google/uuid" | ||||
| "github.com/prometheus/client_golang/prometheus" | ||||
| "github.com/stretchr/testify/require" | ||||
| "cdr.dev/slog/sloggers/slogtest" | ||||
| "github.com/coder/coder/v2/coderd/coderdtest" | ||||
| "github.com/coder/coder/v2/coderd/database" | ||||
| "github.com/coder/coder/v2/coderd/database/dbauthz" | ||||
| "github.com/coder/coder/v2/coderd/database/dbgen" | ||||
| "github.com/coder/coder/v2/coderd/database/dbmem" | ||||
| "github.com/coder/coder/v2/coderd/database/dbtestutil" | ||||
| "github.com/coder/coder/v2/coderd/rbac" | ||||
| ) | ||||
| // nolint:tparallel | ||||
| func TestGroupsAuth(t *testing.T) { | ||||
| t.Parallel() | ||||
| if dbtestutil.WillUsePostgres() { | ||||
| t.Skip("this test would take too long to run on postgres") | ||||
| } | ||||
| authz := rbac.NewAuthorizer(prometheus.NewRegistry()) | ||||
| db := dbauthz.New(dbmem.New(), authz, slogtest.Make(t, &slogtest.Options{ | ||||
| IgnoreErrors: true, | ||||
| }), coderdtest.AccessControlStorePointer()) | ||||
| ownerCtx := dbauthz.As(context.Background(), rbac.Subject{ | ||||
| ID: "owner", | ||||
| Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.RoleOwner()}.Expand())), | ||||
| Groups: []string{}, | ||||
| Scope: rbac.ExpandableScope(rbac.ScopeAll), | ||||
| }) | ||||
Comment on lines +35 to +40 Member There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. nit: it's unfortunate to need to copy this role instead of referencing the OG owner MemberAuthor There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Yea, I needed the original owner role for setup. Given the pattern of the tabled tests, it felt weird to not fully define the role in the table again | ||||
| org := dbgen.Organization(t, db, database.Organization{}) | ||||
Member There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. should we test multi-org here? MemberAuthor There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more.
I threw in a different org admin. We don't actually need another org in the db for the authz test. | ||||
| group := dbgen.Group(t, db, database.Group{ | ||||
| OrganizationID: org.ID, | ||||
| }) | ||||
| var users []database.User | ||||
| for i := 0; i < 5; i++ { | ||||
| user := dbgen.User(t, db, database.User{}) | ||||
| users = append(users, user) | ||||
| err := db.InsertGroupMember(ownerCtx, database.InsertGroupMemberParams{ | ||||
| UserID: user.ID, | ||||
| GroupID: group.ID, | ||||
| }) | ||||
| require.NoError(t, err) | ||||
| } | ||||
| totalMembers := len(users) | ||||
| testCases := []struct { | ||||
| Name string | ||||
| Subject rbac.Subject | ||||
| ReadGroup bool | ||||
| ReadMembers bool | ||||
| MembersExpected int | ||||
| }{ | ||||
| { | ||||
| Name: "Owner", | ||||
| Subject: rbac.Subject{ | ||||
| ID: "owner", | ||||
| Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.RoleOwner()}.Expand())), | ||||
| Groups: []string{}, | ||||
| Scope: rbac.ExpandableScope(rbac.ScopeAll), | ||||
| }, | ||||
| ReadGroup: true, | ||||
| ReadMembers: true, | ||||
| MembersExpected: totalMembers, | ||||
| }, | ||||
| { | ||||
| Name: "UserAdmin", | ||||
| Subject: rbac.Subject{ | ||||
| ID: "useradmin", | ||||
| Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.RoleUserAdmin()}.Expand())), | ||||
| Groups: []string{}, | ||||
| Scope: rbac.ExpandableScope(rbac.ScopeAll), | ||||
| }, | ||||
| ReadGroup: true, | ||||
| ReadMembers: true, | ||||
| MembersExpected: totalMembers, | ||||
| }, | ||||
| { | ||||
| Name: "OrgAdmin", | ||||
| Subject: rbac.Subject{ | ||||
| ID: "orgadmin", | ||||
| Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgAdmin(org.ID)}.Expand())), | ||||
| Groups: []string{}, | ||||
| Scope: rbac.ExpandableScope(rbac.ScopeAll), | ||||
| }, | ||||
| ReadGroup: true, | ||||
| ReadMembers: true, | ||||
| MembersExpected: totalMembers, | ||||
| }, | ||||
| { | ||||
| Name: "OrgUserAdmin", | ||||
| Subject: rbac.Subject{ | ||||
| ID: "orgUserAdmin", | ||||
| Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgUserAdmin(org.ID)}.Expand())), | ||||
| Groups: []string{}, | ||||
| Scope: rbac.ExpandableScope(rbac.ScopeAll), | ||||
| }, | ||||
| ReadGroup: true, | ||||
| ReadMembers: true, | ||||
| MembersExpected: totalMembers, | ||||
| }, | ||||
| { | ||||
| Name: "GroupMember", | ||||
| Subject: rbac.Subject{ | ||||
| ID: users[0].ID.String(), | ||||
| Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgMember(org.ID)}.Expand())), | ||||
| Groups: []string{ | ||||
| group.Name, | ||||
| }, | ||||
| Scope: rbac.ExpandableScope(rbac.ScopeAll), | ||||
| }, | ||||
| // TODO: currently group members cannot see their own groups. | ||||
| //If this is fixed, these booleans should be flipped to true. | ||||
| ReadGroup: false, | ||||
| ReadMembers: false, | ||||
| // TODO: If fixed, they should only be able to see themselves | ||||
| // MembersExpected: 1, | ||||
| }, | ||||
| { | ||||
| // Org admin in the incorrect organization | ||||
| Name: "DifferentOrgAdmin", | ||||
| Subject: rbac.Subject{ | ||||
| ID: "orgadmin", | ||||
| Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgUserAdmin(uuid.New())}.Expand())), | ||||
| Groups: []string{}, | ||||
| Scope: rbac.ExpandableScope(rbac.ScopeAll), | ||||
| }, | ||||
| ReadGroup: false, | ||||
| ReadMembers: false, | ||||
| }, | ||||
| } | ||||
| for _, tc := range testCases { | ||||
| tc := tc | ||||
| t.Run(tc.Name, func(t *testing.T) { | ||||
Member There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. fun idea: you could actually just generate the name here from MemberAuthor There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Unfortunately if I do that, the Goland table test runner no longer works. It looks like I can use | ||||
| t.Parallel() | ||||
| actorCtx := dbauthz.As(context.Background(), tc.Subject) | ||||
| _, err := db.GetGroupByID(actorCtx, group.ID) | ||||
| if tc.ReadGroup { | ||||
| require.NoError(t, err, "group read") | ||||
| } else { | ||||
| require.Error(t, err, "group read") | ||||
| } | ||||
| members, err := db.GetGroupMembersByGroupID(actorCtx, group.ID) | ||||
| if tc.ReadMembers { | ||||
| require.NoError(t, err, "member read") | ||||
| require.Len(t, members, tc.MembersExpected, "member count found does not match") | ||||
| } else { | ||||
| require.Error(t, err, "member read") | ||||
Emyrk marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||||
| require.True(t, dbauthz.IsNotAuthorizedError(err), "not authorized error") | ||||
| } | ||||
| }) | ||||
| } | ||||
| } | ||||