These were "pared down" in https://github.com/coder/coder/pull/21359 to avoid using the now DB-backed organization-member role. As a result, they no longer model real-world org-scoped users (who also have organization-member). For example, `org_auditor` is now expected to be forbidden for `assign_o
(t *testing.T)
| 218 | // |
| 219 | // nolint:tparallel,paralleltest // subtests share a map, just run sequentially. |
| 220 | func TestRolePermissions(t *testing.T) { |
| 221 | t.Parallel() |
| 222 | |
| 223 | crud := []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete} |
| 224 | |
| 225 | auth := rbac.NewStrictAuthorizer(prometheus.NewRegistry()) |
| 226 | |
| 227 | // currentUser is anything that references "me", "mine", or "my". |
| 228 | currentUser := uuid.New() |
| 229 | adminID := uuid.New() |
| 230 | templateAdminID := uuid.New() |
| 231 | userAdminID := uuid.New() |
| 232 | auditorID := uuid.New() |
| 233 | orgID := uuid.New() |
| 234 | otherOrg := uuid.New() |
| 235 | workspaceID := uuid.New() |
| 236 | templateID := uuid.New() |
| 237 | fileID := uuid.New() |
| 238 | groupID := uuid.New() |
| 239 | apiKeyID := uuid.New() |
| 240 | |
| 241 | // Subjects to user |
| 242 | memberMe := authSubject{Name: "member_me", Actor: rbac.Subject{ID: currentUser.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember()}, Scope: rbac.ScopeAll}.WithCachedASTValue()} |
| 243 | |
| 244 | owner := authSubject{Name: "owner", Actor: rbac.Subject{ID: adminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.RoleOwner()}, Scope: rbac.ScopeAll}.WithCachedASTValue()} |
| 245 | templateAdmin := authSubject{Name: "template-admin", Actor: rbac.Subject{ID: templateAdminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.RoleTemplateAdmin()}, Scope: rbac.ScopeAll}.WithCachedASTValue()} |
| 246 | userAdmin := authSubject{Name: "user-admin", Actor: rbac.Subject{ID: userAdminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.RoleUserAdmin()}, Scope: rbac.ScopeAll}.WithCachedASTValue()} |
| 247 | auditor := authSubject{Name: "auditor", Actor: rbac.Subject{ID: auditorID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.RoleAuditor()}, Scope: rbac.ScopeAll}.WithCachedASTValue()} |
| 248 | |
| 249 | orgAdmin := authSubject{Name: "org_admin", Actor: rbac.Subject{ID: adminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgAdmin(orgID)}, Scope: rbac.ScopeAll}.WithCachedASTValue()} |
| 250 | orgAuditor := authSubject{Name: "org_auditor", Actor: rbac.Subject{ID: auditorID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgAuditor(orgID)}, Scope: rbac.ScopeAll}.WithCachedASTValue()} |
| 251 | orgUserAdmin := authSubject{Name: "org_user_admin", Actor: rbac.Subject{ID: templateAdminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgUserAdmin(orgID)}, Scope: rbac.ScopeAll}.WithCachedASTValue()} |
| 252 | orgTemplateAdmin := authSubject{Name: "org_template_admin", Actor: rbac.Subject{ID: userAdminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgTemplateAdmin(orgID)}, Scope: rbac.ScopeAll}.WithCachedASTValue()} |
| 253 | orgAdminBanWorkspace := authSubject{Name: "org_admin_workspace_ban", Actor: rbac.Subject{ID: adminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgAdmin(orgID), rbac.ScopedRoleOrgWorkspaceCreationBan(orgID)}, Scope: rbac.ScopeAll}.WithCachedASTValue()} |
| 254 | agentsAccessUser := func() authSubject { |
| 255 | memberRole, err := rbac.RoleByName(rbac.RoleMember()) |
| 256 | require.NoError(t, err) |
| 257 | agentsRole, err := rbac.RoleByName(rbac.ScopedRoleAgentsAccess(orgID)) |
| 258 | require.NoError(t, err) |
| 259 | return authSubject{ |
| 260 | Name: "agents_access", |
| 261 | Actor: rbac.Subject{ |
| 262 | ID: currentUser.String(), |
| 263 | Roles: rbac.Roles{memberRole, agentsRole}, |
| 264 | Scope: rbac.ScopeAll, |
| 265 | }.WithCachedASTValue(), |
| 266 | } |
| 267 | }() |
| 268 | |
| 269 | orgMemberMe := func() authSubject { |
| 270 | memberRole, err := rbac.RoleByName(rbac.RoleMember()) |
| 271 | require.NoError(t, err) |
| 272 | perms := rbac.OrgMemberPermissions(rbac.OrgSettings{ |
| 273 | ShareableWorkspaceOwners: rbac.ShareableWorkspaceOwnersEveryone, |
| 274 | }) |
| 275 | return authSubject{ |
| 276 | Name: "org_member_me", |
| 277 | Actor: rbac.Subject{ |
nothing calls this directly
no test coverage detected