MCPcopy Index your code
hub / github.com/coder/coder / TestRolePermissions

Function TestRolePermissions

coderd/rbac/roles_test.go:220–1334  ·  view source on GitHub ↗

These were "pared down" in https://github.com/coder/coder/pull/21359 to avoid using the now DB-backed organization-member role. As a result, they no longer model real-world org-scoped users (who also have organization-member). For example, `org_auditor` is now expected to be forbidden for `assign_o

(t *testing.T)

Source from the content-addressed store, hash-verified

218//
219// nolint:tparallel,paralleltest // subtests share a map, just run sequentially.
220func TestRolePermissions(t *testing.T) {
221 t.Parallel()
222
223 crud := []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete}
224
225 auth := rbac.NewStrictAuthorizer(prometheus.NewRegistry())
226
227 // currentUser is anything that references "me", "mine", or "my".
228 currentUser := uuid.New()
229 adminID := uuid.New()
230 templateAdminID := uuid.New()
231 userAdminID := uuid.New()
232 auditorID := uuid.New()
233 orgID := uuid.New()
234 otherOrg := uuid.New()
235 workspaceID := uuid.New()
236 templateID := uuid.New()
237 fileID := uuid.New()
238 groupID := uuid.New()
239 apiKeyID := uuid.New()
240
241 // Subjects to user
242 memberMe := authSubject{Name: "member_me", Actor: rbac.Subject{ID: currentUser.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember()}, Scope: rbac.ScopeAll}.WithCachedASTValue()}
243
244 owner := authSubject{Name: "owner", Actor: rbac.Subject{ID: adminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.RoleOwner()}, Scope: rbac.ScopeAll}.WithCachedASTValue()}
245 templateAdmin := authSubject{Name: "template-admin", Actor: rbac.Subject{ID: templateAdminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.RoleTemplateAdmin()}, Scope: rbac.ScopeAll}.WithCachedASTValue()}
246 userAdmin := authSubject{Name: "user-admin", Actor: rbac.Subject{ID: userAdminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.RoleUserAdmin()}, Scope: rbac.ScopeAll}.WithCachedASTValue()}
247 auditor := authSubject{Name: "auditor", Actor: rbac.Subject{ID: auditorID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.RoleAuditor()}, Scope: rbac.ScopeAll}.WithCachedASTValue()}
248
249 orgAdmin := authSubject{Name: "org_admin", Actor: rbac.Subject{ID: adminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgAdmin(orgID)}, Scope: rbac.ScopeAll}.WithCachedASTValue()}
250 orgAuditor := authSubject{Name: "org_auditor", Actor: rbac.Subject{ID: auditorID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgAuditor(orgID)}, Scope: rbac.ScopeAll}.WithCachedASTValue()}
251 orgUserAdmin := authSubject{Name: "org_user_admin", Actor: rbac.Subject{ID: templateAdminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgUserAdmin(orgID)}, Scope: rbac.ScopeAll}.WithCachedASTValue()}
252 orgTemplateAdmin := authSubject{Name: "org_template_admin", Actor: rbac.Subject{ID: userAdminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgTemplateAdmin(orgID)}, Scope: rbac.ScopeAll}.WithCachedASTValue()}
253 orgAdminBanWorkspace := authSubject{Name: "org_admin_workspace_ban", Actor: rbac.Subject{ID: adminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgAdmin(orgID), rbac.ScopedRoleOrgWorkspaceCreationBan(orgID)}, Scope: rbac.ScopeAll}.WithCachedASTValue()}
254 agentsAccessUser := func() authSubject {
255 memberRole, err := rbac.RoleByName(rbac.RoleMember())
256 require.NoError(t, err)
257 agentsRole, err := rbac.RoleByName(rbac.ScopedRoleAgentsAccess(orgID))
258 require.NoError(t, err)
259 return authSubject{
260 Name: "agents_access",
261 Actor: rbac.Subject{
262 ID: currentUser.String(),
263 Roles: rbac.Roles{memberRole, agentsRole},
264 Scope: rbac.ScopeAll,
265 }.WithCachedASTValue(),
266 }
267 }()
268
269 orgMemberMe := func() authSubject {
270 memberRole, err := rbac.RoleByName(rbac.RoleMember())
271 require.NoError(t, err)
272 perms := rbac.OrgMemberPermissions(rbac.OrgSettings{
273 ShareableWorkspaceOwners: rbac.ShareableWorkspaceOwnersEveryone,
274 })
275 return authSubject{
276 Name: "org_member_me",
277 Actor: rbac.Subject{

Callers

nothing calls this directly

Calls 15

NewStrictAuthorizerFunction · 0.92
RoleMemberFunction · 0.92
RoleOwnerFunction · 0.92
RoleTemplateAdminFunction · 0.92
RoleUserAdminFunction · 0.92
RoleAuditorFunction · 0.92
ScopedRoleOrgAdminFunction · 0.92
ScopedRoleOrgAuditorFunction · 0.92
ScopedRoleOrgUserAdminFunction · 0.92
RoleByNameFunction · 0.92

Tested by

no test coverage detected