Skip to content

test: add unit test to verify group permission behavior #14223

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Aug 12, 2024
Merged

test: add unit test to verify group permission behavior #14223

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a42e77c
test: add unit test to verify group permission behavior
Emyrk Aug 9, 2024
0b9711e
fmt
Emyrk Aug 9, 2024
e14728e
Update coderd/database/dbauthz/groupsauth_test.go
Emyrk Aug 12, 2024
80bbcac
pre suggestions
Emyrk Aug 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
168 changes: 168 additions & 0 deletions coderd/database/dbauthz/groupsauth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,168 @@
package dbauthz_test

import (
"context"
"testing"

"github.com/google/uuid"
"github.com/prometheus/client_golang/prometheus"
"github.com/stretchr/testify/require"

"cdr.dev/slog/sloggers/slogtest"
"github.com/coder/coder/v2/coderd/coderdtest"
"github.com/coder/coder/v2/coderd/database"
"github.com/coder/coder/v2/coderd/database/dbauthz"
"github.com/coder/coder/v2/coderd/database/dbgen"
"github.com/coder/coder/v2/coderd/database/dbmem"
"github.com/coder/coder/v2/coderd/database/dbtestutil"
"github.com/coder/coder/v2/coderd/rbac"
)

// nolint:tparallel
func TestGroupsAuth(t *testing.T) {
t.Parallel()

if dbtestutil.WillUsePostgres() {
t.Skip("this test would take too long to run on postgres")
}

authz := rbac.NewAuthorizer(prometheus.NewRegistry())

db := dbauthz.New(dbmem.New(), authz, slogtest.Make(t, &slogtest.Options{
IgnoreErrors: true,
}), coderdtest.AccessControlStorePointer())

ownerCtx := dbauthz.As(context.Background(), rbac.Subject{
ID: "owner",
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.RoleOwner()}.Expand())),
Groups: []string{},
Scope: rbac.ExpandableScope(rbac.ScopeAll),
})
Comment on lines +35 to +40
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: it's unfortunate to need to copy this role instead of referencing the OG owner

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, I needed the original owner role for setup. Given the pattern of the tabled tests, it felt weird to not fully define the role in the table again


org := dbgen.Organization(t, db, database.Organization{})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we test multi-org here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

coder/coderd/database/dbauthz/groupsauth_test.go

Line 136 in 80bbcac

Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgUserAdmin(uuid.New())}.Expand())),

I threw in a different org admin. We don't actually need another org in the db for the authz test.

group := dbgen.Group(t, db, database.Group{
OrganizationID: org.ID,
})

var users []database.User
for i := 0; i < 5; i++ {
user := dbgen.User(t, db, database.User{})
users = append(users, user)
err := db.InsertGroupMember(ownerCtx, database.InsertGroupMemberParams{
UserID: user.ID,
GroupID: group.ID,
})
require.NoError(t, err)
}

totalMembers := len(users)
testCases := []struct {
Name string
Subject rbac.Subject
ReadGroup bool
ReadMembers bool
MembersExpected int
}{
{
Name: "Owner",
Subject: rbac.Subject{
ID: "owner",
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.RoleOwner()}.Expand())),
Groups: []string{},
Scope: rbac.ExpandableScope(rbac.ScopeAll),
},
ReadGroup: true,
ReadMembers: true,
MembersExpected: totalMembers,
},
{
Name: "UserAdmin",
Subject: rbac.Subject{
ID: "useradmin",
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.RoleUserAdmin()}.Expand())),
Groups: []string{},
Scope: rbac.ExpandableScope(rbac.ScopeAll),
},
ReadGroup: true,
ReadMembers: true,
MembersExpected: totalMembers,
},
{
Name: "OrgAdmin",
Subject: rbac.Subject{
ID: "orgadmin",
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgAdmin(org.ID)}.Expand())),
Groups: []string{},
Scope: rbac.ExpandableScope(rbac.ScopeAll),
},
ReadGroup: true,
ReadMembers: true,
MembersExpected: totalMembers,
},
{
Name: "OrgUserAdmin",
Subject: rbac.Subject{
ID: "orgUserAdmin",
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgUserAdmin(org.ID)}.Expand())),
Groups: []string{},
Scope: rbac.ExpandableScope(rbac.ScopeAll),
},
ReadGroup: true,
ReadMembers: true,
MembersExpected: totalMembers,
},
{
Name: "GroupMember",
Subject: rbac.Subject{
ID: users[0].ID.String(),
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgMember(org.ID)}.Expand())),
Groups: []string{
group.Name,
},
Scope: rbac.ExpandableScope(rbac.ScopeAll),
},
// TODO: currently group members cannot see their own groups.
// If this is fixed, these booleans should be flipped to true.
ReadGroup: false,
ReadMembers: false,
// TODO: If fixed, they should only be able to see themselves
// MembersExpected: 1,
},
{
// Org admin in the incorrect organization
Name: "DifferentOrgAdmin",
Subject: rbac.Subject{
ID: "orgadmin",
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgUserAdmin(uuid.New())}.Expand())),
Groups: []string{},
Scope: rbac.ExpandableScope(rbac.ScopeAll),
},
ReadGroup: false,
ReadMembers: false,
},
}

for _, tc := range testCases {
tc := tc
t.Run(tc.Name, func(t *testing.T) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fun idea: you could actually just generate the name here from ${tc.Subject.ID}_ReadGroup${tc.ReadGroup}_ReadMembers${tc.ReadMembers}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately if I do that, the Goland table test runner no longer works.

It looks like I can use %s format directives, but %t breaks it. And the goland feature allows me to select just 1 to run 🤷‍♂️

t.Parallel()

actorCtx := dbauthz.As(context.Background(), tc.Subject)
_, err := db.GetGroupByID(actorCtx, group.ID)
if tc.ReadGroup {
require.NoError(t, err, "group read")
} else {
require.Error(t, err, "group read")
}

members, err := db.GetGroupMembersByGroupID(actorCtx, group.ID)
if tc.ReadMembers {
require.NoError(t, err, "member read")
require.Len(t, members, tc.MembersExpected, "member count found does not match")
} else {
require.Error(t, err, "member read")
require.True(t, dbauthz.IsNotAuthorizedError(err), "not authorized error")
}
})
}
}
Loading
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy