checkpoint: clean up example_test

johnstcn · johnstcn · commit 0876d122b161 · 2022-04-07T15:06:09.000Z
diff --git a/coderd/authz/authz.go b/coderd/authz/authz.go
@@ -9,10 +9,14 @@ import (
 var ErrUnauthorized = errors.New("unauthorized")
 
 // TODO: Implement Authorize
-func Authorize(subj Subject, res Resource, action rbac.Operation) error {
+func Authorize(subj Subject, res Object, action rbac.Operation) error {
 	// TODO: Expand subject roles into their permissions as appropriate. Apply scopes.
 
-	if SiteEnforcer.RolesHavePermission(subj.Roles(), res.ResourceType(), action) {
+	if res.ObjectType == "" {
+		return ErrUnauthorized
+	}
+
+	if SiteEnforcer.RolesHavePermission(subj.Roles(), res.ObjectType, action) {
 		return nil
 	}
 
diff --git a/coderd/authz/authz_test.go b/coderd/authz/authz_test.go
@@ -0,0 +1,79 @@
+package authz_test
+
+import (
+	"testing"
+
+	"github.com/coder/coder/coderd/authz/rbac"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/authz"
+)
+
+func TestAuthorize(t *testing.T) {
+	t.Parallel()
+
+	// testCases := []struct {
+	// 	Subject       authz.Subject
+	// 	Resource      authz.Object
+	// 	Action        rbac.Operation
+	// 	ExpectedError string
+	// }{
+	// 	{
+	// 		Subject: &authz.SubjectTODO{
+	// 			UserID: "user",
+	// 			Site:   []rbac.Role{authz.SiteMember},
+	// 			Org: map[string]rbac.Roles{
+	// 				"default": {authz.OrganizationAdmin},
+	// 			},
+	// 		},
+	// 		Resource: &authz.Object{},
+	// 	},
+	// }
+
+	// user will become an authn object, and can even be a database.User if it
+	// fulfills the interface. Until then, use a placeholder.
+	user := authz.SubjectTODO{
+		UserID: "alice",
+		// No site perms
+		Site: []rbac.Role{authz.SiteMember},
+		Org: map[string]rbac.Roles{
+			// Admin of org "default".
+			"default": {authz.OrganizationAdmin},
+		},
+	}
+
+	// TODO: Uncomment all assertions when implementation is done.
+
+	//nolint:paralleltest
+	t.Run("ReadAllWorkspaces", func(t *testing.T) {
+		// To read all workspaces on the site
+		err := authz.Authorize(user, authz.Object{}, authz.ReadAll)
+		var _ = err
+		require.Error(t, err, "this user cannot read all workspaces")
+	})
+
+	// nolint:paralleltest
+	// t.Run("ReadOrgWorkspaces", func(t *testing.T) {
+	// To read all workspaces on the org 'default'
+	// err := authz.Authorize(user, authz.ResourceWorkspace.Org("default"), authz.ActionRead)
+	// require.NoError(t, err, "this user can read all org workspaces in 'default'")
+	// })
+	//
+	// nolint:paralleltest
+	// t.Run("ReadMyWorkspace", func(t *testing.T) {
+	// Note 'database.Workspace' could fulfill the object interface and be passed in directly
+	// err := authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID), authz.ActionRead)
+	// require.NoError(t, err, "this user can their workspace")
+	//
+	// err = authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID).AsID("1234"), authz.ActionRead)
+	// require.NoError(t, err, "this user can read workspace '1234'")
+	// })
+	//
+	// nolint:paralleltest
+	// t.Run("CreateNewSiteUser", func(t *testing.T) {
+	// err := authz.Authorize(user, authz.ResourceUser, authz.ActionCreate)
+	// var _ = err
+	// require.Error(t, err, "this user cannot create new users")
+	// })
+}
diff --git a/coderd/authz/example_test.go b/coderd/authz/example_test.go
@@ -27,44 +27,9 @@ func TestExample(t *testing.T) {
 		},
 	}
 
-	// TODO: Uncomment all assertions when implementation is done.
-
-	//nolint:paralleltest
-	t.Run("ReadAllWorkspaces", func(t *testing.T) {
-		// To read all workspaces on the site
-		err := authz.Authorize(user, authz.Object{}, authz.ReadAll)
-		var _ = err
-		require.Error(t, err, "this user cannot read all workspaces")
-	})
-
-	// nolint:paralleltest
-	// t.Run("ReadOrgWorkspaces", func(t *testing.T) {
-	// To read all workspaces on the org 'default'
-	// err := authz.Authorize(user, authz.ResourceWorkspace.Org("default"), authz.ActionRead)
-	// require.NoError(t, err, "this user can read all org workspaces in 'default'")
-	// })
-	//
-	// nolint:paralleltest
-	// t.Run("ReadMyWorkspace", func(t *testing.T) {
-	// Note 'database.Workspace' could fulfill the object interface and be passed in directly
-	// err := authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID), authz.ActionRead)
-	// require.NoError(t, err, "this user can their workspace")
-	//
-	// err = authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID).AsID("1234"), authz.ActionRead)
-	// require.NoError(t, err, "this user can read workspace '1234'")
-	// })
-	//
-	// nolint:paralleltest
-	// t.Run("CreateNewSiteUser", func(t *testing.T) {
-	// err := authz.Authorize(user, authz.ResourceUser, authz.ActionCreate)
-	// var _ = err
-	// require.Error(t, err, "this user cannot create new users")
-	// })
-}
-
-func must[r any](v r, err error) r {
-	if err != nil {
-		panic(err)
-	}
-	return v
+	// To read all workspaces on the site
+	err := authz.Authorize(user, authz.Object{
+		ObjectType: authz.Workspaces,
+	}, authz.ReadAll)
+	require.EqualError(t, err, authz.ErrUnauthorized.Error(), "this user cannot read all workspaces")
 }
diff --git a/coderd/authz/object.go b/coderd/authz/object.go
@@ -2,72 +2,77 @@ package authz
 
 import "github.com/coder/coder/coderd/authz/rbac"
 
-type Resource interface {
-	ID() string
-	ResourceType() rbac.Resource
-}
-
-type UserResource interface {
-	Resource
-	OwnerID() string
-}
-
-type OrgResource interface {
-	Resource
-	OrgOwnerID() string
-}
-
-var _ Resource = (*Object)(nil)
-var _ UserResource = (*Object)(nil)
-var _ OrgResource = (*Object)(nil)
+// type Resource interface {
+// ID() string
+// ResourceType() rbac.Resource
+// }
+//
+// type UserResource interface {
+// Resource
+// OwnerID() string
+// }
+//
+// type OrgResource interface {
+// Resource
+// OrgOwnerID() string
+// }
+//
+// var _ Resource = (*Object)(nil)
+// var _ UserResource = (*Object)(nil)
+// var _ OrgResource = (*Object)(nil)
 
 // Object is used to create objects for authz checks when you have none in
 // hand to run the check on.
 // An example is if you want to list all workspaces, you can create a Object
 // that represents the set of workspaces you are trying to get access too.
 // Do not export this type, as it can be created from a resource type constant.
 type Object struct {
-	id       string
-	owner    string
-	orgOwner string
+	// ID       string
+	ID string
+	// Owner    string
+	Owner string
+	// OrgOwner string
+	OrgOwner string
 
-	// objectType is "workspace", "project", "devurl", etc
-	objectType rbac.Resource
+	// ObjectType is "workspace", "project", "devurl", etc
+	// ObjectType rbac.Resource
+	ObjectType rbac.Resource
 	// TODO: SharedUsers?
 }
 
-func (z Object) ID() string {
-	return z.id
-}
-
-func (z Object) ResourceType() rbac.Resource {
-	return z.objectType
-}
-
-func (z Object) OwnerID() string {
-	return z.owner
-}
-
-func (z Object) OrgOwnerID() string {
-	return z.orgOwner
-}
-
+// func (z Object) ID() string {
+// return z.id
+// }
+//
+// func (z Object) ResourceType() rbac.Resource {
+// return z.objectType
+// }
+//
+// func (z Object) OwnerID() string {
+// return z.owner
+// }
+//
+// func (z Object) OrgOwnerID() string {
+// return z.orgOwner
+// }
+//
 // Org adds an org OwnerID to the resource
-//nolint:revive
-func (z Object) Org(orgID string) Object {
-	z.orgOwner = orgID
-	return z
-}
-
+// nolint:revive
+// func (z Object) Org(orgID string) Object {
+// z.orgOwner = orgID
+// return z
+// }
+//
 // Owner adds an OwnerID to the resource
-//nolint:revive
-func (z Object) Owner(id string) Object {
-	z.owner = id
-	return z
-}
-
-//nolint:revive
-func (z Object) AsID(id string) Object {
-	z.id = id
-	return z
-}
+// nolint:revive
+// func (z Object) Owner(id string) Object {
+// z.owner = id
+// return z
+// }
+//
+// nolint:revive
+// func (z Object) AsID(id string) Object {
+// z.id = id
+// return z
+// }
+//
