(t *testing.T)
| 264 | } |
| 265 | |
| 266 | func TestSystemRoles(t *testing.T) { |
| 267 | t.Parallel() |
| 268 | |
| 269 | orgID := uuid.New() |
| 270 | |
| 271 | canManageOrgRoles := rbac.Role{ |
| 272 | Identifier: rbac.RoleIdentifier{Name: "can-manage-org-roles"}, |
| 273 | DisplayName: "", |
| 274 | Site: rbac.Permissions(map[string][]policy.Action{ |
| 275 | rbac.ResourceAssignOrgRole.Type: {policy.ActionRead, policy.ActionCreate, policy.ActionUpdate}, |
| 276 | }), |
| 277 | } |
| 278 | |
| 279 | canCreateSystem := rbac.Role{ |
| 280 | Identifier: rbac.RoleIdentifier{Name: "can-create-system"}, |
| 281 | DisplayName: "", |
| 282 | Site: rbac.Permissions(map[string][]policy.Action{ |
| 283 | rbac.ResourceSystem.Type: {policy.ActionCreate}, |
| 284 | }), |
| 285 | } |
| 286 | |
| 287 | canUpdateSystem := rbac.Role{ |
| 288 | Identifier: rbac.RoleIdentifier{Name: "can-update-system"}, |
| 289 | DisplayName: "", |
| 290 | Site: rbac.Permissions(map[string][]policy.Action{ |
| 291 | rbac.ResourceSystem.Type: {policy.ActionUpdate}, |
| 292 | }), |
| 293 | } |
| 294 | |
| 295 | userID := uuid.New() |
| 296 | subjectNoSystemPerms := rbac.Subject{ |
| 297 | FriendlyName: "Test user", |
| 298 | ID: userID.String(), |
| 299 | Roles: rbac.Roles([]rbac.Role{canManageOrgRoles}), |
| 300 | Groups: nil, |
| 301 | Scope: rbac.ScopeAll, |
| 302 | } |
| 303 | subjectWithSystemCreatePerms := subjectNoSystemPerms |
| 304 | subjectWithSystemCreatePerms.Roles = rbac.Roles([]rbac.Role{canManageOrgRoles, canCreateSystem}) |
| 305 | subjectWithSystemUpdatePerms := subjectNoSystemPerms |
| 306 | subjectWithSystemUpdatePerms.Roles = rbac.Roles([]rbac.Role{canManageOrgRoles, canUpdateSystem}) |
| 307 | |
| 308 | db, _ := dbtestutil.NewDB(t) |
| 309 | rec := &coderdtest.RecordingAuthorizer{ |
| 310 | Wrapped: rbac.NewAuthorizer(prometheus.NewRegistry()), |
| 311 | } |
| 312 | az := dbauthz.New(db, rec, slog.Make(), coderdtest.AccessControlStorePointer()) |
| 313 | |
| 314 | t.Run("insert-requires-system-create", func(t *testing.T) { |
| 315 | t.Parallel() |
| 316 | |
| 317 | insertParamsTemplate := database.InsertCustomRoleParams{ |
| 318 | Name: "", |
| 319 | OrganizationID: uuid.NullUUID{ |
| 320 | UUID: orgID, |
| 321 | Valid: true, |
| 322 | }, |
| 323 | SitePermissions: database.CustomRolePermissions{}, |
nothing calls this directly
no test coverage detected