checkpoint: get test compiling but failing

johnstcn · johnstcn · commit b44fc99ed70f · 2022-04-07T14:46:50.000Z
diff --git a/coderd/authz/action.go b/coderd/authz/action.go
diff --git a/coderd/authz/authz.go b/coderd/authz/authz.go
@@ -1,13 +1,10 @@
 package authz
 
+import "github.com/coder/coder/coderd/authz/rbac"
+
 // TODO: Implement Authorize
-func Authorize(subj Subject, obj Resource, action Action) error {
+func Authorize(subj Subject, obj Resource, action rbac.Operation) error {
 	// TODO: Expand subject roles into their permissions as appropriate. Apply scopes.
 
-	return AuthorizePermissions(subj.ID(), []Permission{}, obj, action)
-}
-
-// AuthorizePermissions runs the authorize function with the raw permissions in a single list.
-func AuthorizePermissions(_ string, _ []Permission, _ Resource, _ Action) error {
 	return nil
 }
diff --git a/coderd/authz/domain.go b/coderd/authz/domain.go
diff --git a/coderd/authz/enforcers_test.go b/coderd/authz/enforcers_test.go
@@ -3,8 +3,9 @@ package authz
 import (
 	"testing"
 
-	"github.com/coder/coder/coderd/authz/rbac"
 	"github.com/stretchr/testify/assert"
+
+	"github.com/coder/coder/coderd/authz/rbac"
 )
 
 func TestResolveSiteEnforcer(t *testing.T) {
diff --git a/coderd/authz/example_test.go b/coderd/authz/example_test.go
@@ -1,9 +1,10 @@
 package authz_test
 
 import (
-	"github.com/coder/coder/coderd/authz/rbac"
 	"testing"
 
+	"github.com/coder/coder/coderd/authz/rbac"
+
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/coderd/authz"
@@ -19,14 +20,10 @@ func TestExample(t *testing.T) {
 	user := authz.SubjectTODO{
 		UserID: "alice",
 		// No site perms
-		Site: []rbac.Role{},
-		Org: map[string][]rbac.Role{
+		Site: []rbac.Role{authz.SiteMember},
+		Org: map[string]rbac.Roles{
 			// Admin of org "default".
-			"default": {{Permissions: must(authz.ParsePermissions("+org.*.*.*"))}},
-		},
-		User: []rbac.Role{
-			// Site user role
-			{Permissions: must(authz.ParsePermissions("+user.*.*.*"))},
+			"default": {authz.OrganizationAdmin},
 		},
 	}
 
@@ -35,34 +32,34 @@ func TestExample(t *testing.T) {
 	//nolint:paralleltest
 	t.Run("ReadAllWorkspaces", func(t *testing.T) {
 		// To read all workspaces on the site
-		err := authz.Authorize(user, rbac.ResourceWorkspace, authz.ActionRead)
+		err := authz.Authorize(user, authz.Object{}, authz.ReadAll)
 		var _ = err
-		// require.Error(t, err, "this user cannot read all workspaces")
-	})
-
-	//nolint:paralleltest
-	t.Run("ReadOrgWorkspaces", func(t *testing.T) {
-		// To read all workspaces on the org 'default'
-		err := authz.Authorize(user, authz.ResourceWorkspace.Org("default"), authz.ActionRead)
-		require.NoError(t, err, "this user can read all org workspaces in 'default'")
+		require.Error(t, err, "this user cannot read all workspaces")
 	})
 
-	//nolint:paralleltest
-	t.Run("ReadMyWorkspace", func(t *testing.T) {
-		// Note 'database.Workspace' could fulfill the object interface and be passed in directly
-		err := authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID), authz.ActionRead)
-		require.NoError(t, err, "this user can their workspace")
-
-		err = authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID).AsID("1234"), authz.ActionRead)
-		require.NoError(t, err, "this user can read workspace '1234'")
-	})
-
-	//nolint:paralleltest
-	t.Run("CreateNewSiteUser", func(t *testing.T) {
-		err := authz.Authorize(user, authz.ResourceUser, authz.ActionCreate)
-		var _ = err
-		// require.Error(t, err, "this user cannot create new users")
-	})
+	// nolint:paralleltest
+	// t.Run("ReadOrgWorkspaces", func(t *testing.T) {
+	// To read all workspaces on the org 'default'
+	// err := authz.Authorize(user, authz.ResourceWorkspace.Org("default"), authz.ActionRead)
+	// require.NoError(t, err, "this user can read all org workspaces in 'default'")
+	// })
+	//
+	// nolint:paralleltest
+	// t.Run("ReadMyWorkspace", func(t *testing.T) {
+	// Note 'database.Workspace' could fulfill the object interface and be passed in directly
+	// err := authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID), authz.ActionRead)
+	// require.NoError(t, err, "this user can their workspace")
+	//
+	// err = authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID).AsID("1234"), authz.ActionRead)
+	// require.NoError(t, err, "this user can read workspace '1234'")
+	// })
+	//
+	// nolint:paralleltest
+	// t.Run("CreateNewSiteUser", func(t *testing.T) {
+	// err := authz.Authorize(user, authz.ResourceUser, authz.ActionCreate)
+	// var _ = err
+	// require.Error(t, err, "this user cannot create new users")
+	// })
 }
 
 func must[r any](v r, err error) r {
diff --git a/coderd/authz/http.go b/coderd/authz/http.go
@@ -1,14 +1,13 @@
 package authz
 
-import "net/http"
-
-func H(obj Resource, act Action, handlerFunc http.HandlerFunc) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		// auth
-		err := Authorize(nil, obj, act)
-		if err != nil {
-			//unauth
-		}
-		handlerFunc.ServeHTTP(w, r)
-	}
-}
+//
+// func H(obj Resource, act Action, handlerFunc http.HandlerFunc) http.HandlerFunc {
+// return func(w http.ResponseWriter, r *http.Request) {
+// auth
+// err := Authorize(nil, obj, act)
+// if err != nil {
+// unauth
+// }
+// handlerFunc.ServeHTTP(w, r)
+// }
+// }
diff --git a/coderd/authz/object.go b/coderd/authz/object.go
@@ -1,8 +1,10 @@
 package authz
 
+import "github.com/coder/coder/coderd/authz/rbac"
+
 type Resource interface {
 	ID() string
-	ResourceType() ResourceType
+	ResourceType() rbac.Resource
 }
 
 type UserResource interface {
@@ -15,57 +17,57 @@ type OrgResource interface {
 	OrgOwnerID() string
 }
 
-var _ Resource = (*zObject)(nil)
-var _ UserResource = (*zObject)(nil)
-var _ OrgResource = (*zObject)(nil)
+var _ Resource = (*Object)(nil)
+var _ UserResource = (*Object)(nil)
+var _ OrgResource = (*Object)(nil)
 
-// zObject is used to create objects for authz checks when you have none in
+// Object is used to create objects for authz checks when you have none in
 // hand to run the check on.
-// An example is if you want to list all workspaces, you can create a zObject
+// An example is if you want to list all workspaces, you can create a Object
 // that represents the set of workspaces you are trying to get access too.
 // Do not export this type, as it can be created from a resource type constant.
-type zObject struct {
+type Object struct {
 	id       string
 	owner    string
 	orgOwner string
 
 	// objectType is "workspace", "project", "devurl", etc
-	objectType ResourceType
+	objectType rbac.Resource
 	// TODO: SharedUsers?
 }
 
-func (z zObject) ID() string {
+func (z Object) ID() string {
 	return z.id
 }
 
-func (z zObject) ResourceType() ResourceType {
+func (z Object) ResourceType() rbac.Resource {
 	return z.objectType
 }
 
-func (z zObject) OwnerID() string {
+func (z Object) OwnerID() string {
 	return z.owner
 }
 
-func (z zObject) OrgOwnerID() string {
+func (z Object) OrgOwnerID() string {
 	return z.orgOwner
 }
 
 // Org adds an org OwnerID to the resource
 //nolint:revive
-func (z zObject) Org(orgID string) zObject {
+func (z Object) Org(orgID string) Object {
 	z.orgOwner = orgID
 	return z
 }
 
 // Owner adds an OwnerID to the resource
 //nolint:revive
-func (z zObject) Owner(id string) zObject {
+func (z Object) Owner(id string) Object {
 	z.owner = id
 	return z
 }
 
 //nolint:revive
-func (z zObject) AsID(id string) zObject {
+func (z Object) AsID(id string) Object {
 	z.id = id
 	return z
 }
diff --git a/coderd/authz/subject.go b/coderd/authz/subject.go
@@ -2,6 +2,7 @@ package authz
 
 import (
 	"context"
+
 	"github.com/coder/coder/coderd/authz/rbac"
 )
 
@@ -41,7 +42,7 @@ func (s SubjectTODO) Roles() (rbac.Roles, error) {
 	return s.Site, nil
 }
 
-func (s SubjectTODO) OwnerRoles(_ context.Context, orgID string) (rbac.Roles, error) {
+func (s SubjectTODO) OrgRoles(_ context.Context, orgID string) (rbac.Roles, error) {
 	v, ok := s.Org[orgID]
 	if !ok {
 		// Members not in an org return the negative perm

Original file line number	Diff line number	Diff line change
`@@ -3,8 +3,9 @@ package authz`
`3`	`3`	`import (`
`4`	`4`	`"testing"`
`5`	`5`
`6`		`- "github.com/coder/coder/coderd/authz/rbac"`
`7`	`6`	`"github.com/stretchr/testify/assert"`
	`7`	`+`
	`8`	`+ "github.com/coder/coder/coderd/authz/rbac"`
`8`	`9`	`)`
`9`	`10`
`10`	`11`	`func TestResolveSiteEnforcer(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ package authz`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
	`5`	`+`
`5`	`6`	`"github.com/coder/coder/coderd/authz/rbac"`
`6`	`7`	`)`
`7`	`8`
`@@ -41,7 +42,7 @@ func (s SubjectTODO) Roles() (rbac.Roles, error) {`
`41`	`42`	`return s.Site, nil`
`42`	`43`	`}`
`43`	`44`
`44`		`-func (s SubjectTODO) OwnerRoles(_ context.Context, orgID string) (rbac.Roles, error) {`
	`45`	`+func (s SubjectTODO) OrgRoles(_ context.Context, orgID string) (rbac.Roles, error) {`
`45`	`46`	`v, ok := s.Org[orgID]`
`46`	`47`	`if !ok {`
`47`	`48`	`// Members not in an org return the negative perm`