testingWithOwnerUser is a lint rule that detects potential permission bugs. Calling clitest.SetupConfig with a client authenticated as the Owner user can be a problem, since the CLI will be operating as that user and we may miss permission bugs. nolint:unused,deadcode,varnamelen
(m dsl.Matcher)
| 52 | // |
| 53 | //nolint:unused,deadcode,varnamelen |
| 54 | func testingWithOwnerUser(m dsl.Matcher) { |
| 55 | m.Import("testing") |
| 56 | m.Import("github.com/coder/coder/v2/cli/clitest") |
| 57 | m.Import("github.com/coder/coder/v2/enterprise/coderd/coderenttest") |
| 58 | |
| 59 | // For both AGPL and enterprise code, we check for SetupConfig being called with a |
| 60 | // client authenticated as the Owner user. |
| 61 | m.Match(` |
| 62 | $_ := coderdtest.CreateFirstUser($t, $client) |
| 63 | $*_ |
| 64 | clitest.$SetupConfig($t, $client, $_) |
| 65 | `). |
| 66 | Where(m["t"].Type.Implements("testing.TB") && |
| 67 | m["SetupConfig"].Text.Matches("^SetupConfig$") && |
| 68 | m.File().Name.Matches(`_test\.go$`)). |
| 69 | At(m["SetupConfig"]). |
| 70 | Report(`The CLI will be operating as the owner user, which has unrestricted permissions. Consider creating a different user.`) |
| 71 | |
| 72 | m.Match(` |
| 73 | $client, $_ := coderdenttest.New($t, $*_) |
| 74 | $*_ |
| 75 | clitest.$SetupConfig($t, $client, $_) |
| 76 | `).Where(m["t"].Type.Implements("testing.TB") && |
| 77 | m["SetupConfig"].Text.Matches("^SetupConfig$") && |
| 78 | m.File().Name.Matches(`_test\.go$`)). |
| 79 | At(m["SetupConfig"]). |
| 80 | Report(`The CLI will be operating as the owner user, which has unrestricted permissions. Consider creating a different user.`) |
| 81 | |
| 82 | // For the enterprise code, we check for any method called on the client. |
| 83 | // While we want to be a bit stricter here, some methods are known to require |
| 84 | // the owner user, so we exclude them. |
| 85 | m.Match(` |
| 86 | $client, $_ := coderdenttest.New($t, $*_) |
| 87 | $*_ |
| 88 | $_, $_ := $client.$Method($*_) |
| 89 | `).Where(m["t"].Type.Implements("testing.TB") && |
| 90 | m.File().Name.Matches(`_test\.go$`) && |
| 91 | !m["Method"].Text.Matches(`^(UpdateAppearance|Licenses|AddLicense|InsertLicense|DeleteLicense|CreateWorkspaceProxy|Replicas|Regions)$`)). |
| 92 | At(m["Method"]). |
| 93 | Report(`This client is operating as the owner user, which has unrestricted permissions. Consider creating a different user.`) |
| 94 | |
| 95 | // Sadly, we need to match both one- and two-valued assignments separately. |
| 96 | m.Match(` |
| 97 | $client, $_ := coderdenttest.New($t, $*_) |
| 98 | $*_ |
| 99 | $_ := $client.$Method($*_) |
| 100 | `).Where(m["t"].Type.Implements("testing.TB") && |
| 101 | m.File().Name.Matches(`_test\.go$`) && |
| 102 | !m["Method"].Text.Matches(`^(UpdateAppearance|Licenses|AddLicense|InsertLicense|DeleteLicense|CreateWorkspaceProxy|Replicas|Regions)$`)). |
| 103 | At(m["Method"]). |
| 104 | Report(`This client is operating as the owner user, which has unrestricted permissions. Consider creating a different user.`) |
| 105 | } |
| 106 | |
| 107 | // Use xerrors everywhere! It provides additional stacktrace info! |
| 108 | // |