AuthzUserSubjectWithDB is like AuthzUserSubject but adds db-backed roles (like organization-member).
(ctx context.Context, t testing.TB, db database.Store, user codersdk.User)
| 874 | // AuthzUserSubjectWithDB is like AuthzUserSubject but adds db-backed roles |
| 875 | // (like organization-member). |
| 876 | func AuthzUserSubjectWithDB(ctx context.Context, t testing.TB, db database.Store, user codersdk.User) rbac.Subject { |
| 877 | t.Helper() |
| 878 | |
| 879 | roles := make(rbac.RoleIdentifiers, 0, len(user.Roles)+2) |
| 880 | // Member role is always implied |
| 881 | roles = append(roles, rbac.RoleMember()) |
| 882 | for _, r := range user.Roles { |
| 883 | parsedOrgID, _ := uuid.Parse(r.OrganizationID) // defaults to nil |
| 884 | roles = append(roles, rbac.RoleIdentifier{ |
| 885 | Name: r.Name, |
| 886 | OrganizationID: parsedOrgID, |
| 887 | }) |
| 888 | } |
| 889 | |
| 890 | //nolint:gocritic // We’re constructing the subject. The incoming ctx |
| 891 | // typically has no dbauthz actor yet, and using AuthzUserSubject(user) |
| 892 | // here would be circular (it lacks DB-backed org-member roles needed for |
| 893 | // organization:read). Use system-restricted ctx for the membership lookup. |
| 894 | orgs, err := db.GetOrganizationsByUserID(dbauthz.AsSystemRestricted(ctx), database.GetOrganizationsByUserIDParams{ |
| 895 | UserID: user.ID, |
| 896 | Deleted: sql.NullBool{ |
| 897 | Valid: true, |
| 898 | Bool: false, |
| 899 | }, |
| 900 | }) |
| 901 | require.NoError(t, err) |
| 902 | for _, org := range orgs { |
| 903 | roles = append(roles, rbac.ScopedRoleOrgMember(org.ID)) |
| 904 | } |
| 905 | |
| 906 | //nolint:gocritic // We need to expand DB-backed/system roles. The caller |
| 907 | // ctx may not have permission to read system roles, so use system-restricted |
| 908 | // context for the internal role lookup. |
| 909 | rbacRoles, err := rolestore.Expand(dbauthz.AsSystemRestricted(ctx), db, roles) |
| 910 | require.NoError(t, err) |
| 911 | |
| 912 | return rbac.Subject{ |
| 913 | ID: user.ID.String(), |
| 914 | Roles: rbacRoles, |
| 915 | Groups: []string{}, |
| 916 | Scope: rbac.ScopeAll, |
| 917 | }.WithCachedASTValue() |
| 918 | } |
| 919 | |
| 920 | func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationIDs []uuid.UUID, retries int, roles []rbac.RoleIdentifier, mutators ...func(r *codersdk.CreateUserRequestWithOrgs)) (*codersdk.Client, codersdk.User) { |
| 921 | req := codersdk.CreateUserRequestWithOrgs{ |