(t *testing.T)
| 8489 | } |
| 8490 | |
| 8491 | func TestUserSecretsAuthorization(t *testing.T) { |
| 8492 | t.Parallel() |
| 8493 | |
| 8494 | // Use raw database and wrap with dbauthz for authorization testing |
| 8495 | db, _ := dbtestutil.NewDB(t) |
| 8496 | authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry()) |
| 8497 | authDB := dbauthz.New(db, authorizer, slogtest.Make(t, &slogtest.Options{}), coderdtest.AccessControlStorePointer()) |
| 8498 | |
| 8499 | // Create test users |
| 8500 | user1 := dbgen.User(t, db, database.User{}) |
| 8501 | user2 := dbgen.User(t, db, database.User{}) |
| 8502 | owner := dbgen.User(t, db, database.User{}) |
| 8503 | orgAdmin := dbgen.User(t, db, database.User{}) |
| 8504 | |
| 8505 | // Create organization for org-scoped roles |
| 8506 | org := dbgen.Organization(t, db, database.Organization{}) |
| 8507 | |
| 8508 | // Create secrets for users |
| 8509 | _ = dbgen.UserSecret(t, db, database.UserSecret{ |
| 8510 | UserID: user1.ID, |
| 8511 | Name: "user1-secret", |
| 8512 | Description: "User 1's secret", |
| 8513 | Value: "user1-value", |
| 8514 | }) |
| 8515 | |
| 8516 | _ = dbgen.UserSecret(t, db, database.UserSecret{ |
| 8517 | UserID: user2.ID, |
| 8518 | Name: "user2-secret", |
| 8519 | Description: "User 2's secret", |
| 8520 | Value: "user2-value", |
| 8521 | }) |
| 8522 | |
| 8523 | testCases := []struct { |
| 8524 | name string |
| 8525 | subject rbac.Subject |
| 8526 | lookupUserID uuid.UUID |
| 8527 | lookupName string |
| 8528 | expectedAccess bool |
| 8529 | }{ |
| 8530 | { |
| 8531 | name: "UserCanAccessOwnSecrets", |
| 8532 | subject: rbac.Subject{ |
| 8533 | ID: user1.ID.String(), |
| 8534 | Roles: rbac.RoleIdentifiers{rbac.RoleMember()}, |
| 8535 | Scope: rbac.ScopeAll, |
| 8536 | }, |
| 8537 | lookupUserID: user1.ID, |
| 8538 | lookupName: "user1-secret", |
| 8539 | expectedAccess: true, |
| 8540 | }, |
| 8541 | { |
| 8542 | name: "UserCannotAccessOtherUserSecrets", |
| 8543 | subject: rbac.Subject{ |
| 8544 | ID: user1.ID.String(), |
| 8545 | Roles: rbac.RoleIdentifiers{rbac.RoleMember()}, |
| 8546 | Scope: rbac.ScopeAll, |
| 8547 | }, |
| 8548 | lookupUserID: user2.ID, |
nothing calls this directly
no test coverage detected