
Function TestScopeAllowList

coderd/rbac/authz_internal_test.go:1175–1298  ·  view source on GitHub ↗
1173}
1174
1175func TestScopeAllowList(t *testing.T) {
1176 t.Parallel()
1177
1178 defOrg := uuid.New()
1179
1180 // Some IDs to use
1181 wid := uuid.New()
1182 gid := uuid.New()
1183
1184 user := Subject{
1185 ID: "me",
1186 Roles: Roles{
1187 must(RoleByName(RoleOwner())),
1188 },
1189 Scope: Scope{
1190 Role: Role{
1191 Identifier: RoleIdentifier{
1192 Name: "AllowList",
1193 OrganizationID: defOrg,
1194 },
1195 DisplayName: "AllowList",
1196 // Allow almost everything
1197 Site: allPermsExcept(ResourceUser),
1198 },
1199 AllowIDList: []AllowListElement{
1200 {Type: ResourceWorkspace.Type, ID: wid.String()},
1201 {Type: ResourceWorkspace.Type, ID: ""}, // Allow to create
1202 {Type: ResourceTemplate.Type, ID: policy.WildcardSymbol},
1203 {Type: ResourceGroup.Type, ID: gid.String()},
1204
1205 // This scope allows all users, but the permissions do not.
1206 {Type: ResourceUser.Type, ID: policy.WildcardSymbol},
1207 },
1208 },
1209 }
1210
1211 testAuthorize(t, "AllowList", user,
1212 // Allowed:
1213 cases(func(c authTestCase) authTestCase {
1214 c.allow = true
1215 return c
1216 },
1217 []authTestCase{
1218 {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID).WithID(wid), actions: []policy.Action{policy.ActionRead}},
1219 // matching on empty id
1220 {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID), actions: []policy.Action{policy.ActionCreate}},
1221
1222 // Template has wildcard ID, so any uuid is allowed, including the empty
1223 {resource: ResourceTemplate.InOrg(defOrg).WithID(uuid.New()), actions: AllActions()},
1224 {resource: ResourceTemplate.InOrg(defOrg).WithID(uuid.New()), actions: AllActions()},
1225 {resource: ResourceTemplate.InOrg(defOrg), actions: AllActions()},
1226
1227 // Group
1228 {resource: ResourceGroup.InOrg(defOrg).WithID(gid), actions: []policy.Action{policy.ActionRead}},
1229 },
1230 ),
1231
1232 // Not allowed:
