(t *testing.T)
| 6897 | } |
| 6898 | |
| 6899 | func TestAsChatd(t *testing.T) { |
| 6900 | t.Parallel() |
| 6901 | |
| 6902 | ctx := dbauthz.AsChatd(context.Background()) |
| 6903 | actor, ok := dbauthz.ActorFromContext(ctx) |
| 6904 | require.True(t, ok, "actor must be present") |
| 6905 | |
| 6906 | auth := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry()) |
| 6907 | |
| 6908 | t.Run("AllowedActions", func(t *testing.T) { |
| 6909 | t.Parallel() |
| 6910 | |
| 6911 | // Chat CRUD. |
| 6912 | for _, action := range []policy.Action{ |
| 6913 | policy.ActionCreate, policy.ActionRead, |
| 6914 | policy.ActionUpdate, policy.ActionDelete, |
| 6915 | } { |
| 6916 | err := auth.Authorize(ctx, actor, action, rbac.ResourceChat) |
| 6917 | require.NoError(t, err, "chat %s should be allowed", action) |
| 6918 | } |
| 6919 | |
| 6920 | // Workspace read + update (update needed for ActivityBumpWorkspace). |
| 6921 | for _, action := range []policy.Action{ |
| 6922 | policy.ActionRead, policy.ActionUpdate, |
| 6923 | } { |
| 6924 | err := auth.Authorize(ctx, actor, action, rbac.ResourceWorkspace) |
| 6925 | require.NoError(t, err, "workspace %s should be allowed", action) |
| 6926 | } |
| 6927 | |
| 6928 | // DeploymentConfig reads are allowed, but writes are not. |
| 6929 | err := auth.Authorize(ctx, actor, policy.ActionRead, rbac.ResourceDeploymentConfig) |
| 6930 | require.NoError(t, err, "deployment config read should be allowed") |
| 6931 | err = auth.Authorize(ctx, actor, policy.ActionUpdate, rbac.ResourceDeploymentConfig) |
| 6932 | require.Error(t, err, "deployment config update should not be allowed") |
| 6933 | |
| 6934 | // User read_personal (needed for GetUserChatCustomPrompt). |
| 6935 | err = auth.Authorize(ctx, actor, policy.ActionReadPersonal, rbac.ResourceUser) |
| 6936 | require.NoError(t, err, "user read_personal should be allowed") |
| 6937 | }) |
| 6938 | |
| 6939 | t.Run("DeniedActions", func(t *testing.T) { |
| 6940 | t.Parallel() |
| 6941 | |
| 6942 | // Cannot delete workspaces. |
| 6943 | err := auth.Authorize(ctx, actor, policy.ActionDelete, rbac.ResourceWorkspace) |
| 6944 | require.Error(t, err, "workspace delete should be denied") |
| 6945 | |
| 6946 | // Cannot access users. |
| 6947 | err = auth.Authorize(ctx, actor, policy.ActionRead, rbac.ResourceUser) |
| 6948 | require.Error(t, err, "user read should be denied") |
| 6949 | |
| 6950 | // Cannot access API keys. |
| 6951 | err = auth.Authorize(ctx, actor, policy.ActionRead, rbac.ResourceApiKey) |
| 6952 | require.Error(t, err, "api key read should be denied") |
| 6953 | |
| 6954 | // Cannot access provisioner daemons. |
| 6955 | err = auth.Authorize(ctx, actor, policy.ActionRead, rbac.ResourceProvisionerDaemon) |
| 6956 | require.Error(t, err, "provisioner daemon read should be denied") |
nothing calls this directly
no test coverage detected