TestCompositeWorkspaceScopes verifies that the composite coder:workspaces.* scopes grant the permissions needed for workspace lifecycle operations when used on scoped API tokens.
(t *testing.T)
| 18 | // coder:workspaces.* scopes grant the permissions needed for |
| 19 | // workspace lifecycle operations when used on scoped API tokens. |
| 20 | func TestCompositeWorkspaceScopes(t *testing.T) { |
| 21 | t.Parallel() |
| 22 | |
| 23 | // setup creates a server with a provisioner daemon, an |
| 24 | // admin user, a template, and a workspace. It returns the admin |
| 25 | // client and the workspace so sub-tests can create scoped tokens |
| 26 | // and act on them. |
| 27 | type setupResult struct { |
| 28 | adminClient *codersdk.Client |
| 29 | workspace codersdk.Workspace |
| 30 | } |
| 31 | setup := func(t *testing.T) setupResult { |
| 32 | t.Helper() |
| 33 | client := coderdtest.New(t, &coderdtest.Options{ |
| 34 | IncludeProvisionerDaemon: true, |
| 35 | }) |
| 36 | firstUser := coderdtest.CreateFirstUser(t, client) |
| 37 | version := coderdtest.CreateTemplateVersion(t, client, firstUser.OrganizationID, &echo.Responses{ |
| 38 | Parse: echo.ParseComplete, |
| 39 | ProvisionPlan: echo.PlanComplete, |
| 40 | ProvisionApply: echo.ApplyComplete, |
| 41 | ProvisionGraph: echo.GraphComplete, |
| 42 | }) |
| 43 | template := coderdtest.CreateTemplate(t, client, firstUser.OrganizationID, version.ID) |
| 44 | coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID) |
| 45 | workspace := coderdtest.CreateWorkspace(t, client, template.ID) |
| 46 | coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID) |
| 47 | |
| 48 | return setupResult{ |
| 49 | adminClient: client, |
| 50 | workspace: workspace, |
| 51 | } |
| 52 | } |
| 53 | |
| 54 | // scopedClient creates an API token restricted to the given scopes |
| 55 | // and returns a new client authenticated with that token. |
| 56 | scopedClient := func(t *testing.T, adminClient *codersdk.Client, scopes []codersdk.APIKeyScope) *codersdk.Client { |
| 57 | t.Helper() |
| 58 | ctx, cancel := context.WithTimeout(t.Context(), testutil.WaitShort) |
| 59 | defer cancel() |
| 60 | |
| 61 | resp, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{ |
| 62 | Scopes: scopes, |
| 63 | }) |
| 64 | require.NoError(t, err, "creating scoped token") |
| 65 | |
| 66 | scoped := codersdk.New( |
| 67 | adminClient.URL, |
| 68 | codersdk.WithSessionToken(resp.Key), |
| 69 | codersdk.WithHTTPClient(coderdtest.NewIsolatedHTTPClient(adminClient.URL)), |
| 70 | ) |
| 71 | t.Cleanup(func() { scoped.HTTPClient.CloseIdleConnections() }) |
| 72 | return scoped |
| 73 | } |
| 74 | |
| 75 | // coder:workspaces.create — token should be able to create a |
| 76 | // workspace via POST /users/{user}/workspaces. |
| 77 | t.Run("WorkspacesCreate", func(t *testing.T) { |