MCPcopy Index your code
hub / github.com/coder/coder / testAuthorize

Function testAuthorize

coderd/rbac/authz_internal_test.go:1317–1399  ·  view source on GitHub ↗
(t *testing.T, name string, subject Subject, sets ...[]authTestCase)

Source from the content-addressed store, hash-verified

1315}
1316
1317func testAuthorize(t *testing.T, name string, subject Subject, sets ...[]authTestCase) {
1318 t.Helper()
1319 authorizer := NewAuthorizer(prometheus.NewRegistry())
1320 for i, cases := range sets {
1321 for j, c := range cases {
1322 caseName := fmt.Sprintf("%s/Set%d/Case%d", name, i, j)
1323 t.Run(caseName, func(t *testing.T) {
1324 t.Parallel()
1325 for _, a := range c.actions {
1326 ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
1327 t.Cleanup(cancel)
1328
1329 authError := authorizer.Authorize(ctx, subject, a, c.resource)
1330
1331 d, _ := json.Marshal(map[string]interface{}{
1332 // This is not perfect marshal, but it is good enough for debugging this test.
1333 "subject": authSubject{
1334 ID: subject.ID,
1335 Roles: must(subject.Roles.Expand()),
1336 Groups: subject.Groups,
1337 Scope: must(subject.Scope.Expand()),
1338 },
1339 "object": c.resource,
1340 "action": a,
1341 })
1342
1343 // Logging only
1344 t.Logf("input: %s", string(d))
1345 if authError != nil {
1346 var uerr *UnauthorizedError
1347 if xerrors.As(authError, &uerr) {
1348 t.Logf("internal error: %+v", uerr.Internal().Error())
1349 t.Logf("output: %+v", uerr.Output())
1350 }
1351 }
1352
1353 if c.allow {
1354 assert.NoError(t, authError, "expected no error for testcase action %s", a)
1355 } else {
1356 assert.Error(t, authError, "expected unauthorized")
1357 }
1358
1359 prepared, err := authorizer.Prepare(ctx, subject, a, c.resource.Type)
1360 require.NoError(t, err, "make prepared authorizer")
1361
1362 // For unit testing logging and assertions, we want the PartialAuthorizer
1363 // struct.
1364 partialAuthz, ok := prepared.(*PartialAuthorizer)
1365 require.True(t, ok, "prepared authorizer is partial")
1366
1367 // Ensure the partial can compile to a SQL clause.
1368 // This does not guarantee that the clause is valid SQL.
1369 _, err = Compile(ConfigWithACL(), partialAuthz)
1370 require.NoError(t, err, "compile prepared authorizer")
1371
1372 // Also check the rego policy can form a valid partial query result.
1373 // This ensures we can convert the queries into SQL WHERE clauses in the future.
1374 // If this function returns 'Support' sections, then we cannot convert the query into SQL.

Callers 4

TestAuthorizeDomainFunction · 0.85
TestAuthorizeLevelsFunction · 0.85
TestAuthorizeScopeFunction · 0.85
TestScopeAllowListFunction · 0.85

Calls 15

AuthorizeMethod · 0.95
InternalMethod · 0.95
OutputMethod · 0.95
PrepareMethod · 0.95
NewAuthorizerFunction · 0.85
CompileFunction · 0.85
ConfigWithACLFunction · 0.85
AsMethod · 0.80
mustFunction · 0.70
HelperMethod · 0.65
RunMethod · 0.65
CleanupMethod · 0.65

Tested by

no test coverage detected