TestInsertCustomRoles verifies creating custom roles cannot escalate permissions.
(t *testing.T)
| 21 | |
| 22 | // TestInsertCustomRoles verifies creating custom roles cannot escalate permissions. |
| 23 | func TestInsertCustomRoles(t *testing.T) { |
| 24 | t.Parallel() |
| 25 | |
| 26 | userID := uuid.New() |
| 27 | subjectFromRoles := func(roles rbac.ExpandableRoles) rbac.Subject { |
| 28 | return rbac.Subject{ |
| 29 | FriendlyName: "Test user", |
| 30 | ID: userID.String(), |
| 31 | Roles: roles, |
| 32 | Groups: nil, |
| 33 | Scope: rbac.ScopeAll, |
| 34 | } |
| 35 | } |
| 36 | |
| 37 | canCreateCustomRole := rbac.Role{ |
| 38 | Identifier: rbac.RoleIdentifier{Name: "can-assign"}, |
| 39 | DisplayName: "", |
| 40 | Site: rbac.Permissions(map[string][]policy.Action{ |
| 41 | rbac.ResourceAssignRole.Type: {policy.ActionRead}, |
| 42 | rbac.ResourceAssignOrgRole.Type: {policy.ActionRead, policy.ActionCreate}, |
| 43 | }), |
| 44 | } |
| 45 | |
| 46 | merge := func(u ...interface{}) rbac.Roles { |
| 47 | all := make([]rbac.Role, 0) |
| 48 | for _, v := range u { |
| 49 | switch t := v.(type) { |
| 50 | case rbac.Role: |
| 51 | all = append(all, t) |
| 52 | case rbac.ExpandableRoles: |
| 53 | all = append(all, must(t.Expand())...) |
| 54 | case rbac.RoleIdentifier: |
| 55 | all = append(all, must(rbac.RoleByName(t))) |
| 56 | default: |
| 57 | panic("unknown type") |
| 58 | } |
| 59 | } |
| 60 | |
| 61 | return all |
| 62 | } |
| 63 | |
| 64 | orgID := uuid.New() |
| 65 | |
| 66 | testCases := []struct { |
| 67 | name string |
| 68 | |
| 69 | subject rbac.ExpandableRoles |
| 70 | |
| 71 | // Perms to create on new custom role |
| 72 | organizationID uuid.UUID |
| 73 | site []codersdk.Permission |
| 74 | org []codersdk.Permission |
| 75 | user []codersdk.Permission |
| 76 | member []codersdk.Permission |
| 77 | errorContains string |
| 78 | }{ |
| 79 | { |
| 80 | // No roles, so no assign role |
nothing calls this directly
no test coverage detected