| 169 | |
// TestOwnerExec checks that the NoOwnerWorkspaceExec role option decides
// whether a subject holding the member and owner roles is authorized for
// policy.ActionSSH on a workspace with a randomly generated ID, organization
// and owner.
//
// Both subtests call rbac.ReloadBuiltinRoles, which presumably replaces the
// package-wide built-in role definitions (confirm against the rbac package).
// They are therefore kept serial, and each one reloads the defaults on cleanup
// so that neither the restricted nor the permissive role set leaks into tests
// that run afterwards.
//
//nolint:tparallel,paralleltest
func TestOwnerExec(t *testing.T) {
	owner := rbac.Subject{
		ID:    uuid.NewString(),
		Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.RoleOwner()},
		Scope: rbac.ScopeAll,
	}

	// authorizeSSH reloads the built-in roles with the given option, builds a
	// fresh authorizer (a new registry each time, so no metrics or cached
	// decisions are shared between subtests) and asks whether owner may SSH
	// into a random workspace.
	authorizeSSH := func(t *testing.T, noOwnerExec bool) error {
		rbac.ReloadBuiltinRoles(&rbac.RoleOptions{
			NoOwnerWorkspaceExec: noOwnerExec,
		})
		t.Cleanup(func() { rbac.ReloadBuiltinRoles(nil) })

		authz := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
		workspace := rbac.ResourceWorkspace.
			WithID(uuid.New()).
			InOrg(uuid.New()).
			WithOwner(uuid.NewString())
		return authz.Authorize(context.Background(), owner, policy.ActionSSH, workspace)
	}

	t.Run("NoExec", func(t *testing.T) {
		denied := authorizeSSH(t, true)
		// Require the typed authorization error, not just any error, so an
		// unrelated failure cannot pass for a denial.
		require.ErrorAsf(t, denied, &rbac.UnauthorizedError{}, "expected unauthorized error")
	})

	t.Run("Exec", func(t *testing.T) {
		allowed := authorizeSSH(t, false)
		require.NoError(t, allowed, "expected owner can")
	})
}
| 205 | |
| 206 | // These were "pared down" in https://github.com/coder/coder/pull/21359 to avoid |
| 207 | // using the now DB-backed organization-member role. As a result, they no longer |