refactor: consolidate template and workspace acl validation #19192

Merged
merged 16 commits into from
Aug 7, 2025
more testing
aslilac committed Aug 6, 2025
commit 5e3f8589fb7e372c72cbf1b0cae547db66db1db7
84 changes: 84 additions & 0 deletions coderd/rbac/acl/updatevalidator_test.go
@@ -0,0 +1,84 @@
package acl_test

import (
"testing"

"github.com/coder/coder/v2/coderd"
"github.com/coder/coder/v2/coderd/database"
"github.com/coder/coder/v2/coderd/database/dbgen"
"github.com/coder/coder/v2/coderd/database/dbtestutil"
"github.com/coder/coder/v2/coderd/rbac/acl"
"github.com/coder/coder/v2/codersdk"
"github.com/coder/coder/v2/testutil"
"github.com/google/uuid"
"github.com/stretchr/testify/require"
)

func TestOK(t *testing.T) {

Check failure on line 17 in coderd/rbac/acl/updatevalidator_test.go

GitHub Actions / lint

Function TestOK missing the call to method parallel (paralleltest)
db, _ := dbtestutil.NewDB(t, dbtestutil.WithTimezone("UTC"))

Check failure on line 18 in coderd/rbac/acl/updatevalidator_test.go

GitHub Actions / lint

ruleguard: Setting database timezone to UTC may mask timezone-related bugs. (gocritic)
o := dbgen.Organization(t, db, database.Organization{})
g := dbgen.Group(t, db, database.Group{OrganizationID: o.ID})
u := dbgen.User(t, db, database.User{})
ctx := testutil.Context(t, testutil.WaitShort)

update := codersdk.UpdateWorkspaceACL{
UserRoles: map[string]codersdk.WorkspaceRole{
u.ID.String(): codersdk.WorkspaceRoleAdmin,
// An unknown ID is allowed if and only if the specified role is either
// codersdk.WorkspaceRoleDeleted or codersdk.TemplateRoleDeleted.
uuid.NewString(): codersdk.WorkspaceRoleDeleted,
},
GroupRoles: map[string]codersdk.WorkspaceRole{
g.ID.String(): codersdk.WorkspaceRoleAdmin,
// An unknown ID is allowed if and only if the specified role is either
// codersdk.WorkspaceRoleDeleted or codersdk.TemplateRoleDeleted.
uuid.NewString(): codersdk.WorkspaceRoleDeleted,
},
}
errors := acl.Validate(ctx, db, coderd.WorkspaceACLUpdateValidator(update))
require.Empty(t, errors)
}

func TestDeniesUnknownIDs(t *testing.T) {

Check failure on line 42 in coderd/rbac/acl/updatevalidator_test.go

GitHub Actions / lint

Function TestDeniesUnknownIDs missing the call to method parallel (paralleltest)
db, _ := dbtestutil.NewDB(t, dbtestutil.WithTimezone("UTC"))

Check failure on line 43 in coderd/rbac/acl/updatevalidator_test.go

GitHub Actions / lint

ruleguard: Setting database timezone to UTC may mask timezone-related bugs. (gocritic)
ctx := testutil.Context(t, testutil.WaitShort)

update := codersdk.UpdateWorkspaceACL{
UserRoles: map[string]codersdk.WorkspaceRole{
uuid.NewString(): codersdk.WorkspaceRoleAdmin,
},
GroupRoles: map[string]codersdk.WorkspaceRole{
uuid.NewString(): codersdk.WorkspaceRoleAdmin,
},
}
errors := acl.Validate(ctx, db, coderd.WorkspaceACLUpdateValidator(update))
require.Len(t, errors, 2)
require.Equal(t, errors[0].Field, "group_roles")
require.ErrorContains(t, errors[0], "does not exist")
require.Equal(t, errors[1].Field, "user_roles")
require.ErrorContains(t, errors[1], "does not exist")
}

func TestDeniesUnknownRolesAndInvalidIDs(t *testing.T) {

Check failure on line 62 in coderd/rbac/acl/updatevalidator_test.go

GitHub Actions / lint

Function TestDeniesUnknownRolesAndInvalidIDs missing the call to method parallel (paralleltest)
db, _ := dbtestutil.NewDB(t, dbtestutil.WithTimezone("UTC"))

Check failure on line 63 in coderd/rbac/acl/updatevalidator_test.go

GitHub Actions / lint

ruleguard: Setting database timezone to UTC may mask timezone-related bugs. (gocritic)
ctx := testutil.Context(t, testutil.WaitShort)

update := codersdk.UpdateWorkspaceACL{
UserRoles: map[string]codersdk.WorkspaceRole{
"Quifrey": "level 5",
},
GroupRoles: map[string]codersdk.WorkspaceRole{
"apprentices": "level 2",
},
}
errors := acl.Validate(ctx, db, coderd.WorkspaceACLUpdateValidator(update))
require.Len(t, errors, 4)
require.Equal(t, errors[0].Field, "group_roles")
require.ErrorContains(t, errors[0], "role \"level 2\" is not a valid workspace role")
require.Equal(t, errors[1].Field, "group_roles")
require.ErrorContains(t, errors[1], "not a valid UUID")
require.Equal(t, errors[2].Field, "user_roles")
require.ErrorContains(t, errors[2], "role \"level 5\" is not a valid workspace role")
require.Equal(t, errors[3].Field, "user_roles")
require.ErrorContains(t, errors[3], "not a valid UUID")
}
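Review bot: TestDeniesUnknownRolesAndInvalidIDs puts a malformed ID and an invalid role in the same map entry, so the two checks are never exercised independently, and nothing in this file pins what the validator does with a malformed (non-UUID) key paired with `codersdk.WorkspaceRoleDeleted`. The comment in TestOK says unknown IDs are accepted only for the deleted role, so that exemption is the boundary that most needs a negative test: add an entry such as `"not-a-uuid": codersdk.WorkspaceRoleDeleted` (constructed value) and a case with an existing user ID and an invalid role, asserting the expected result for each. Only `coderd.WorkspaceACLUpdateValidator` is exercised here; if the template-side validator from this refactor is not covered elsewhere, it should get the same cases. Separately, the `require.Equal` calls pass the actual value first; testify expects `require.Equal(t, "group_roles", errors[0].Field)` so that failure output labels expected and actual correctly.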