
Function TestAuthorizeScope

coderd/rbac/authz_internal_test.go:847–1173  ·  view source on GitHub ↗
(t *testing.T)


845}
846
847func TestAuthorizeScope(t *testing.T) {
848 t.Parallel()
849
850 defOrg := uuid.New()
851 unusedID := uuid.New()
852 user := Subject{
853 ID: "me",
854 Roles: Roles{must(RoleByName(RoleOwner()))},
855 Scope: must(ExpandScope(ScopeApplicationConnect)),
856 }
857
858 testAuthorize(t, "Admin_ScopeApplicationConnect", user,
859 cases(func(c authTestCase) authTestCase {
860 c.actions = []policy.Action{policy.ActionRead, policy.ActionUpdate, policy.ActionDelete}
861 return c
862 }, []authTestCase{
863 {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID), allow: false},
864 {resource: ResourceWorkspace.InOrg(defOrg), allow: false},
865 {resource: ResourceWorkspace.WithOwner(user.ID), allow: false},
866 {resource: ResourceWorkspace.All(), allow: false},
867 {resource: ResourceWorkspace.InOrg(unusedID).WithOwner(user.ID), allow: false},
868 {resource: ResourceWorkspace.InOrg(unusedID), allow: false},
869 {resource: ResourceWorkspace.InOrg(defOrg).WithOwner("not-me"), allow: false},
870 {resource: ResourceWorkspace.WithOwner("not-me"), allow: false},
871 {resource: ResourceWorkspace.InOrg(unusedID).WithOwner("not-me"), allow: false},
872 {resource: ResourceWorkspace.InOrg(unusedID), allow: false},
873 {resource: ResourceWorkspace.WithOwner("not-me"), allow: false},
874 }),
875 // Allowed by scope:
876 []authTestCase{
877 {resource: ResourceWorkspace.InOrg(defOrg).WithOwner("not-me"), actions: []policy.Action{policy.ActionApplicationConnect}, allow: true},
878 {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID), actions: []policy.Action{policy.ActionApplicationConnect}, allow: true},
879 {resource: ResourceWorkspace.InOrg(unusedID).WithOwner("not-me"), actions: []policy.Action{policy.ActionApplicationConnect}, allow: true},
880 },
881 )
882
883 user = Subject{
884 ID: "me",
885 Roles: Roles{
886 must(RoleByName(RoleMember())),
887 orgMemberRole(defOrg),
888 },
889 Scope: must(ExpandScope(ScopeApplicationConnect)),
890 }
891
892 testAuthorize(t, "User_ScopeApplicationConnect", user,
893 cases(func(c authTestCase) authTestCase {
894 c.actions = []policy.Action{policy.ActionRead, policy.ActionUpdate, policy.ActionDelete}
895 c.allow = false
896 return c
897 }, []authTestCase{
898 {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID)},
899 {resource: ResourceWorkspace.InOrg(defOrg)},
900 {resource: ResourceWorkspace.WithOwner(user.ID)},
901 {resource: ResourceWorkspace.All()},
902 {resource: ResourceWorkspace.InOrg(unusedID).WithOwner(user.ID)},
903 {resource: ResourceWorkspace.InOrg(unusedID)},
904 {resource: ResourceWorkspace.InOrg(defOrg).WithOwner("not-me")},
