test: ParsePermissions from strings

Emyrk · Emyrk · commit 2804b920e82f · 2022-04-04T18:02:54.000-05:00
Add some examples
diff --git a/coderd/authz/action.go b/coderd/authz/action.go
@@ -5,7 +5,7 @@ type Action string
 
 const (
 	ActionRead   = "read"
-	ActionWrite  = "write"
+	ActionCreate = "create"
 	ActionModify = "modify"
 	ActionDelete = "delete"
 )
diff --git a/coderd/authz/authztest/iterator_test.go b/coderd/authz/authztest/iterator_test.go
@@ -53,7 +53,7 @@ func RandomSet(size int) authztest.Set {
 func RandomPermission() authz.Permission {
 	actions := []authz.Action{
 		authz.ActionRead,
-		authz.ActionWrite,
+		authz.ActionCreate,
 		authz.ActionModify,
 		authz.ActionDelete,
 	}
diff --git a/coderd/authz/example_test.go b/coderd/authz/example_test.go
@@ -0,0 +1,67 @@
+package authz_test
+
+import (
+	"testing"
+
+	"github.com/coder/coder/coderd/authz"
+	"github.com/stretchr/testify/require"
+)
+
+// Test_Example gives some examples on how to use the authz library.
+// This serves to test syntax more than functionality.
+func Test_Example(t *testing.T) {
+	t.Parallel()
+
+	// user will become an authn object, and can even be a database.User if it
+	// fulfills the interface. Until then, use a placeholder.
+	user := authz.SubjectTODO{
+		UserID: "alice",
+		// No site perms
+		Site: []authz.Role{},
+		Org: map[string][]authz.Role{
+			// Admin of org "default".
+			"default": {{Permissions: must(authz.ParsePermissions("+org.*.*.*"))}},
+		},
+		User: []authz.Role{
+			// Site user role
+			{Permissions: must(authz.ParsePermissions("+user.*.*.*"))},
+		},
+	}
+
+	// TODO: Uncomment all assertions when implementation is done.
+
+	t.Run("ReadAllWorkspaces", func(t *testing.T) {
+		// To read all workspaces on the site
+		err := authz.Authorize(user, authz.ResourceWorkspace, authz.ActionRead)
+		var _ = err
+		//require.Error(t, err, "this user cannot read all workspaces")
+	})
+
+	t.Run("ReadOrgWorkspaces", func(t *testing.T) {
+		// To read all workspaces on the org 'default'
+		err := authz.Authorize(user, authz.ResourceWorkspace.Org("default"), authz.ActionRead)
+		require.NoError(t, err, "this user can read all org workspaces in 'default'")
+	})
+
+	t.Run("ReadMyWorkspace", func(t *testing.T) {
+		// Note 'database.Workspace' could fulfill the object interface and be passed in directly
+		err := authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID), authz.ActionRead)
+		require.NoError(t, err, "this user can their workspace")
+
+		err = authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID).AsID("1234"), authz.ActionRead)
+		require.NoError(t, err, "this user can read workspace '1234'")
+	})
+
+	t.Run("CreateNewSiteUser", func(t *testing.T) {
+		err := authz.Authorize(user, authz.ResourceUser, authz.ActionCreate)
+		var _ = err
+		//require.Error(t, err, "this user cannot create new users")
+	})
+}
+
+func must[r any](v r, err error) r {
+	if err != nil {
+		panic(err)
+	}
+	return v
+}
diff --git a/coderd/authz/permission.go b/coderd/authz/permission.go
@@ -1,6 +1,9 @@
 package authz
 
-import "strings"
+import (
+	"golang.org/x/xerrors"
+	"strings"
+)
 
 type permLevel string
 
@@ -51,3 +54,67 @@ func (p Permission) String() string {
 	s.WriteString(string(p.Action))
 	return s.String()
 }
+
+func ParsePermissions(perms string) ([]Permission, error) {
+	permList := strings.Split(perms, ",")
+	parsed := make([]Permission, 0, len(permList))
+	for _, permStr := range permList {
+		p, err := ParsePermission(strings.TrimSpace(permStr))
+		if err != nil {
+			return nil, xerrors.Errorf("perm '%s': %w", permStr, err)
+		}
+		parsed = append(parsed, p)
+	}
+	return parsed, nil
+}
+
+func ParsePermission(perm string) (Permission, error) {
+	parts := strings.Split(perm, ".")
+	if len(parts) != 4 {
+		return Permission{}, xerrors.Errorf("permission expects 4 parts, got %d", len(parts))
+	}
+
+	level, resType, resID, act := parts[0], parts[1], parts[2], parts[3]
+
+	if len(level) < 2 {
+		return Permission{}, xerrors.Errorf("permission level is too short: '%s'", parts[0])
+	}
+	sign := level[0]
+	levelParts := strings.Split(level[1:], ":")
+	if len(levelParts) > 2 {
+		return Permission{}, xerrors.Errorf("unsupported level format")
+	}
+
+	var permission Permission
+
+	switch sign {
+	case '+':
+		permission.Sign = true
+	case '-':
+	default:
+		return Permission{}, xerrors.Errorf("sign must be +/-")
+	}
+
+	switch permLevel(strings.ToLower(levelParts[0])) {
+	case LevelWildcard:
+		permission.Level = LevelWildcard
+	case LevelSite:
+		permission.Level = LevelSite
+	case LevelOrg:
+		permission.Level = LevelOrg
+	case LevelUser:
+		permission.Level = LevelUser
+	default:
+		return Permission{}, xerrors.Errorf("'%s' is an unsupported level", levelParts[0])
+	}
+
+	if len(levelParts) > 1 {
+		permission.LevelID = levelParts[1]
+	}
+
+	// might want to check if these are valid resource types and actions.
+	permission.ResourceType = ResourceType(resType)
+	permission.ResourceID = resID
+	permission.Action = Action(act)
+	return permission, nil
+}
diff --git a/coderd/authz/permission_test.go b/coderd/authz/permission_test.go
@@ -35,9 +35,9 @@ func Test_PermissionString(t *testing.T) {
 				LevelID:      "",
 				ResourceType: authz.ResourceDevURL,
 				ResourceID:   "1234",
-				Action:       authz.ActionWrite,
+				Action:       authz.ActionCreate,
 			},
-			Expected: "-user.devurl.1234.write",
+			Expected: "-user.devurl.1234.create",
 		},
 		{
 			Name: "OrgID",
@@ -56,7 +56,85 @@ func Test_PermissionString(t *testing.T) {
 	for _, c := range testCases {
 		t.Run(c.Name, func(t *testing.T) {
 			require.Equal(t, c.Expected, c.Permission.String())
+			perm, err := authz.ParsePermission(c.Expected)
+			require.NoError(t, err, "parse perm string")
+			require.Equal(t, c.Permission, perm, "expected perm")
+
+			perms, err := authz.ParsePermissions(c.Expected)
+			require.NoError(t, err, "parse perms string")
+			require.Equal(t, c.Permission, perms[0], "expected perm")
+			require.Len(t, perms, 1, "expect 1 perm")
 		})
 	}
+}
+
+func Test_ParsePermissions(t *testing.T) {
+	t.Parallel()
 
+	testCases := []struct {
+		Name        string
+		Str         string
+		Permissions []authz.Permission
+		ErrStr      string
+	}{
+		{
+			Name:   "NoSign",
+			Str:    "site.*.*.*",
+			ErrStr: "sign must be +/-",
+		},
+		{
+			Name:   "BadLevel",
+			Str:    "+unknown.*.*.*",
+			ErrStr: "unsupported level",
+		},
+		{
+			Name:   "NotEnoughParts",
+			Str:    "+*.*.*",
+			ErrStr: "permission expects 4 parts",
+		},
+		{
+			Name:   "ShortLevel",
+			Str:    "*.*.*.*",
+			ErrStr: "permission level is too short",
+		},
+		{
+			Name:   "BadLevelID",
+			Str:    "org:1234:extra.*.*.*",
+			ErrStr: "unsupported level format",
+		},
+		{
+			Name: "GoodSet",
+			Str:  "+org:1234.workspace.5678.read, -site.*.*.create",
+			Permissions: []authz.Permission{
+				{
+					Sign:         true,
+					Level:        "org",
+					LevelID:      "1234",
+					ResourceType: authz.ResourceWorkspace,
+					ResourceID:   "5678",
+					Action:       authz.ActionRead,
+				},
+				{
+					Sign:         false,
+					Level:        "site",
+					LevelID:      "",
+					ResourceType: "*",
+					ResourceID:   "*",
+					Action:       authz.ActionCreate,
+				},
+			},
+		},
+	}
+	for _, c := range testCases {
+		t.Run(c.Name, func(t *testing.T) {
+			perms, err := authz.ParsePermissions(c.Str)
+			if c.ErrStr != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), c.ErrStr, "exp error")
+			} else {
+				require.NoError(t, err, "parse error")
+				require.Equal(t, c.Permissions, perms, "exp perms")
+			}
+		})
+	}
 }
diff --git a/coderd/authz/resources.go b/coderd/authz/resources.go
@@ -7,6 +7,7 @@ const (
 	ResourceWorkspace ResourceType = "workspace"
 	ResourceProject   ResourceType = "project"
 	ResourceDevURL    ResourceType = "devurl"
+	ResourceUser      ResourceType = "user"
 )
 
 func (t ResourceType) ID() string {
diff --git a/coderd/authz/role.go b/coderd/authz/role.go
@@ -1,6 +1,5 @@
 package authz
 
 type Role struct {
-	Level       permLevel
 	Permissions []Permission
 }
diff --git a/coderd/authz/subject.go b/coderd/authz/subject.go
@@ -26,9 +26,9 @@ type Subject interface {
 type SubjectTODO struct {
 	UserID string `json:"user_id"`
 
-	Site []Role `json:"site_roles"`
-	Org  []Role `json:"org_roles"`
-	User []Role `json:"user_roles"`
+	Site []Role            `json:"site_roles"`
+	Org  map[string][]Role `json:"org_roles"`
+	User []Role            `json:"user_roles"`
 }
 
 func (s SubjectTODO) ID() string {
@@ -39,8 +39,25 @@ func (s SubjectTODO) SiteRoles() ([]Role, error) {
 	return s.Site, nil
 }
 
-func (s SubjectTODO) OrgRoles() ([]Role, error) {
-	return s.Org, nil
+func (s SubjectTODO) OrgRoles(_ context.Context, orgID string) ([]Role, error) {
+	v, ok := s.Org[orgID]
+	if !ok {
+		// Members not in an org return the negative perm
+		return []Role{{
+			Permissions: []Permission{
+				{
+					Sign:         false,
+					Level:        "*",
+					LevelID:      "",
+					ResourceType: "*",
+					ResourceID:   "*",
+					Action:       "*",
+				},
+			},
+		}}, nil
+	}
+
+	return v, nil
 }
 
 func (s SubjectTODO) UserRoles() ([]Role, error) {

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ type Action string`
`5`	`5`
`6`	`6`	`const (`
`7`	`7`	`ActionRead = "read"`
`8`		`- ActionWrite = "write"`
	`8`	`+ ActionCreate = "create"`
`9`	`9`	`ActionModify = "modify"`
`10`	`10`	`ActionDelete = "delete"`
`11`	`11`	`)`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ func RandomSet(size int) authztest.Set {`
`53`	`53`	`func RandomPermission() authz.Permission {`
`54`	`54`	`actions := []authz.Action{`
`55`	`55`	`authz.ActionRead,`
`56`		`- authz.ActionWrite,`
	`56`	`+ authz.ActionCreate,`
`57`	`57`	`authz.ActionModify,`
`58`	`58`	`authz.ActionDelete,`
`59`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ const (`
`7`	`7`	`ResourceWorkspace ResourceType = "workspace"`
`8`	`8`	`ResourceProject ResourceType = "project"`
`9`	`9`	`ResourceDevURL ResourceType = "devurl"`
	`10`	`+ ResourceUser ResourceType = "user"`
`10`	`11`	`)`
`11`	`12`
`12`	`13`	`func (t ResourceType) ID() string {`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,5 @@`
`1`	`1`	`package authz`
`2`	`2`
`3`	`3`	`type Role struct {`
`4`		`- Level permLevel`
`5`	`4`	`Permissions []Permission`
`6`	`5`	`}`