TestUserSecretLimits exercises the per-user count and byte caps enforced by enforce_user_secrets_per_user_limits across both POST (creating a new secret) and PATCH (updating an existing one). Each subtest spins up its own server so it can burn the budget without affecting other tests. Each subtest
(t *testing.T)
| 479 | // - A different user's budget is independent; the trigger groups |
| 480 | // by user_id. |
| 481 | func TestUserSecretLimits(t *testing.T) { |
| 482 | t.Parallel() |
| 483 | |
| 484 | t.Run("CountLimit", func(t *testing.T) { |
| 485 | t.Parallel() |
| 486 | ctx := testutil.Context(t, testutil.WaitLong) |
| 487 | |
| 488 | client := coderdtest.New(t, nil) |
| 489 | owner := coderdtest.CreateFirstUser(t, client) |
| 490 | otherClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) |
| 491 | |
| 492 | // Fill the count budget exactly to the cap. |
| 493 | var firstSecret codersdk.UserSecret |
| 494 | for i := 0; i < codersdk.MaxUserSecretsPerUserCount; i++ { |
| 495 | s, err := client.CreateUserSecret(ctx, codersdk.Me, codersdk.CreateUserSecretRequest{ |
| 496 | Name: fmt.Sprintf("count-limit-%03d", i), |
| 497 | Value: "x", |
| 498 | }) |
| 499 | require.NoError(t, err) |
| 500 | if i == 0 { |
| 501 | firstSecret = s |
| 502 | } |
| 503 | } |
| 504 | |
| 505 | // POST: the 51st secret is rejected. |
| 506 | _, err := client.CreateUserSecret(ctx, codersdk.Me, codersdk.CreateUserSecretRequest{ |
| 507 | Name: "one-too-many", |
| 508 | Value: "x", |
| 509 | }) |
| 510 | requireSecretAPIError(t, err, http.StatusBadRequest, "at most") |
| 511 | |
| 512 | // PATCH at the cap: changing the description must succeed. |
| 513 | // Without the FILTER clause the trigger would re-count |
| 514 | // firstSecret and reject this UPDATE. |
| 515 | newDescription := "renamed" |
| 516 | _, err = client.UpdateUserSecret(ctx, codersdk.Me, firstSecret.Name, codersdk.UpdateUserSecretRequest{ |
| 517 | Description: &newDescription, |
| 518 | }) |
| 519 | require.NoError(t, err) |
| 520 | |
| 521 | // Other-user isolation: the second user's budget is independent. |
| 522 | _, err = otherClient.CreateUserSecret(ctx, codersdk.Me, codersdk.CreateUserSecretRequest{ |
| 523 | Name: "other-user-secret", |
| 524 | Value: "x", |
| 525 | }) |
| 526 | require.NoError(t, err) |
| 527 | }) |
| 528 | |
| 529 | t.Run("TotalBytesLimit", func(t *testing.T) { |
| 530 | t.Parallel() |
| 531 | ctx := testutil.Context(t, testutil.WaitLong) |
| 532 | |
| 533 | client := coderdtest.New(t, nil) |
| 534 | owner := coderdtest.CreateFirstUser(t, client) |
| 535 | otherClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) |
| 536 | |
| 537 | // Pre-fill the total-bytes budget exactly to the cap using |
| 538 | // max-sized file-only secrets (which don't count against env |
nothing calls this directly
no test coverage detected