AssertRBAC returns an RBACAsserter for the given user. This asserter will allow asserting that the correct RBAC checks are performed for the given user. All checks that are not run against this user will be ignored.
(t *testing.T, api *coderd.API, client *codersdk.Client)
| 39 | // allow asserting that the correct RBAC checks are performed for the given user. |
| 40 | // All checks that are not run against this user will be ignored. |
| 41 | func AssertRBAC(t *testing.T, api *coderd.API, client *codersdk.Client) RBACAsserter { |
| 42 | if client.SessionToken() == "" { |
| 43 | t.Fatal("client must be logged in") |
| 44 | } |
| 45 | recorder, ok := api.Authorizer.(*RecordingAuthorizer) |
| 46 | if !ok { |
| 47 | t.Fatal("expected RecordingAuthorizer") |
| 48 | } |
| 49 | |
| 50 | // We use the database directly to not cause additional auth checks on behalf |
| 51 | // of the user. This does add authz checks on behalf of the system user, but |
| 52 | // it is hard to avoid that. |
| 53 | // nolint:gocritic |
| 54 | ctx := dbauthz.AsSystemRestricted(context.Background()) |
| 55 | token := client.SessionToken() |
| 56 | parts := strings.Split(token, "-") |
| 57 | key, err := api.Database.GetAPIKeyByID(ctx, parts[0]) |
| 58 | require.NoError(t, err, "fetch client api key") |
| 59 | |
| 60 | roles, err := api.Database.GetAuthorizationUserRoles(ctx, key.UserID) |
| 61 | require.NoError(t, err, "fetch user roles") |
| 62 | |
| 63 | roleNames, err := roles.RoleNames() |
| 64 | require.NoError(t, err) |
| 65 | |
| 66 | return RBACAsserter{ |
| 67 | Subject: rbac.Subject{ |
| 68 | ID: key.UserID.String(), |
| 69 | Roles: rbac.RoleIdentifiers(roleNames), |
| 70 | Groups: roles.Groups, |
| 71 | Scope: key.ScopeSet(), |
| 72 | }, |
| 73 | Recorder: recorder, |
| 74 | } |
| 75 | } |
| 76 | |
| 77 | // AllCalls is for debugging. If you are not sure where calls are coming from, |
| 78 | // call this and use a debugger or print them. They have small callstacks |