MCPcopy Index your code
hub / github.com/coder/coder / TestAuthorizeDomain

Function TestAuthorizeDomain

coderd/rbac/authz_internal_test.go:281–715  ·  view source on GitHub ↗

TestAuthorizeDomain test the very basic roles that are commonly used.

(t *testing.T)

Source from the content-addressed store, hash-verified

279
280// TestAuthorizeDomain test the very basic roles that are commonly used.
281func TestAuthorizeDomain(t *testing.T) {
282 t.Parallel()
283 defOrg := uuid.New()
284 unusedID := uuid.New()
285 allUsersGroup := "Everyone"
286
287 // orphanedUser has no organization
288 orphanedUser := Subject{
289 ID: "me",
290 Scope: must(ExpandScope(ScopeAll)),
291 Groups: []string{},
292 Roles: Roles{
293 must(RoleByName(RoleMember())),
294 },
295 }
296 testAuthorize(t, "OrphanedUser", orphanedUser, []authTestCase{
297 {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(orphanedUser.ID), actions: ResourceWorkspace.AvailableActions(), allow: false},
298
299 // Orphaned user cannot create workspaces in any organization
300 {resource: ResourceWorkspace.AnyOrganization().WithOwner(orphanedUser.ID), actions: []policy.Action{policy.ActionCreate}, allow: false},
301 })
302
303 user := Subject{
304 ID: "me",
305 Scope: must(ExpandScope(ScopeAll)),
306 Groups: []string{allUsersGroup},
307 Roles: Roles{
308 must(RoleByName(RoleMember())),
309 orgMemberRole(defOrg),
310 },
311 }
312
313 testAuthorize(t, "UserACLList", user, []authTestCase{
314 {
315 resource: ResourceWorkspace.WithOwner(unusedID.String()).InOrg(unusedID).WithACLUserList(map[string][]policy.Action{
316 user.ID: ResourceWorkspace.AvailableActions(),
317 }),
318 actions: ResourceWorkspace.AvailableActions(),
319 allow: true,
320 },
321 {
322 resource: ResourceWorkspace.WithOwner(unusedID.String()).InOrg(unusedID).WithACLUserList(map[string][]policy.Action{
323 user.ID: {policy.WildcardSymbol},
324 }),
325 actions: ResourceWorkspace.AvailableActions(),
326 allow: true,
327 },
328 {
329 resource: ResourceWorkspace.WithOwner(unusedID.String()).InOrg(unusedID).WithACLUserList(map[string][]policy.Action{
330 user.ID: {policy.ActionRead, policy.ActionUpdate},
331 }),
332 actions: []policy.Action{policy.ActionCreate, policy.ActionDelete},
333 allow: false,
334 },
335 {
336 // By default users cannot update templates
337 resource: ResourceTemplate.InOrg(defOrg).WithACLUserList(map[string][]policy.Action{
338 user.ID: {policy.ActionUpdate},

Callers

nothing calls this directly

Calls 15

OmitFunction · 0.92
ExpandScopeFunction · 0.85
RoleByNameFunction · 0.85
RoleMemberFunction · 0.85
testAuthorizeFunction · 0.85
orgMemberRoleFunction · 0.85
ScopedRoleOrgAdminFunction · 0.85
RoleOwnerFunction · 0.85
casesFunction · 0.85
WithOwnerMethod · 0.80
InOrgMethod · 0.80
AvailableActionsMethod · 0.80

Tested by

no test coverage detected