test: Unit test permission string

Emyrk · Emyrk · commit c4ee59062c16 · 2022-04-04T09:46:51.000-05:00
- Add some docs
diff --git a/coderd/authz/authz_test.go b/coderd/authz/authz_test.go
@@ -1,11 +1,12 @@
 package authz_test
 
 import (
-	"github.com/coder/coder/coderd/authz"
-	"github.com/coder/coder/coderd/authz/authztest"
 	"math/bits"
 	"strings"
 	"testing"
+
+	"github.com/coder/coder/coderd/authz"
+	"github.com/coder/coder/coderd/authz/authztest"
 )
 
 var nilSet = authztest.Set{nil}
diff --git a/coderd/authz/authztest/README.md b/coderd/authz/authztest/README.md
@@ -0,0 +1,23 @@
+# Authztest
+
+An authz permission is a combination of `level`, `resource_type`, `resource_id`, and action`. For testing purposes, we can assume only 1 action and resource exists. This package can generate all possible permissions from this.
+
+A `Set` is a slice of permissions. The search space of all possible sets is too large, so instead this package allows generating more meaningful sets for testing. This is equivalent to pruning in AI problems: a technique to reduce the size of the search space by removing parts that do not have significance.
+
+This is the final pruned search space used in authz. Each set is represented by a ✅, ❌, or ⛶. The leftmost set in a row that is not '⛶' is the impactful set. The impactful set determines the access result. All other sets are non-impactful, and should include the `<nil>` permission. The resulting search space for a row is the cross product between all sets in said row. 
+
+| Row | *    | Site | Org  | Org:mem | User | Access |
+|-----|------|------|------|---------|------|--------|
+| W+  | ✅⛶   | ✅❌⛶  | ✅❌⛶  | ✅❌⛶     | ✅❌⛶  | ✅      |
+| W-  | ❌+✅⛶ | ✅❌⛶  | ✅❌⛶  | ✅❌⛶     | ✅❌⛶  | ❌      |
+| S+  | ⛶    | ✅⛶   | ✅❌⛶  | ❌✅⛶     | ❌✅⛶  | ✅      |
+| S-  | ⛶    | ❌+✅⛶ | ✅❌⛶  | ❌✅⛶     | ❌✅⛶  | ❌      |
+| O+  | ⛶    | ⛶    | ✅⛶   | ❌✅⛶     | ❌✅⛶  | ✅      |
+| O-  | ⛶    | ⛶    | ❌+✅⛶ | ❌✅⛶     | ❌✅⛶  | ❌      |
+| M+  | ⛶    | ⛶    | ⛶    | ✅⛶      | ❌✅⛶  | ✅      |
+| M-  | ⛶    | ⛶    | ⛶    | ❌+✅⛶    | ❌✅⛶  | ❌      |
+| U+  | ⛶    | ⛶    | ⛶    | ⛶       | ✅⛶   | ✅      |
+| U-  | ⛶    | ⛶    | ⛶    | ⛶       | ❌+✅⛶ | ❌      |
+| A+  | ⛶    | ⛶    | ⛶    | ⛶       | ✅+⛶  | ✅      |
+| A-  | ⛶    | ⛶    | ⛶    | ⛶       | ⛶    | ❌      |
+
diff --git a/coderd/authz/authztest/doc.go b/coderd/authz/authztest/doc.go
@@ -0,0 +1,2 @@
+// Package authztest is a helper package for generating permissions to test the authz library.
+package authztest
diff --git a/coderd/authz/authztest/iterator.go b/coderd/authz/authztest/iterator.go
@@ -18,7 +18,7 @@ type Iterator interface {
 	Size() int
 }
 
-// unionIterator is very primitive, just used to hold a place in a set.
+// unionIterator is used to merge sets, or a union in set theory.
 type unionIterator struct {
 	// setIdx determines which set the offset is for
 	setIdx int
diff --git a/coderd/authz/authztest/role.go b/coderd/authz/authztest/role.go
@@ -4,14 +4,15 @@ import (
 	"github.com/coder/coder/coderd/authz"
 )
 
-// Role can print all possible permutations of the given iterators.
+// Role can print all possible permutations of the given iterators. It represents
+// the cross product between all sets given.
 type Role struct {
 	// returnSize is how many permissions are the returned set for the role
 	returnSize int
 	// N is the total number of permutations of sets this role will produce.
 	N              int
 	PermissionSets []Iterator
-	// This is kinda werird, but the first scan should not move anything.
+	// This is kinda weird, but the first scan should not move anything.
 	first bool
 
 	buffer []*authz.Permission
diff --git a/coderd/authz/authztest/set_test.go b/coderd/authz/authztest/set_test.go
@@ -1,10 +1,10 @@
 package authztest_test
 
 import (
-	"github.com/coder/coder/coderd/authz"
-	"github.com/coder/coder/coderd/authz/authztest"
 	"testing"
 
+	"github.com/coder/coder/coderd/authz"
+	"github.com/coder/coder/coderd/authz/authztest"
 	crand "github.com/coder/coder/cryptorand"
 	"github.com/stretchr/testify/require"
 )
diff --git a/coderd/authz/object.go b/coderd/authz/object.go
@@ -23,6 +23,7 @@ var _ OrgResource = (*zObject)(nil)
 // hand to run the check on.
 // An example is if you want to list all workspaces, you can create a zObject
 // that represents the set of workspaces you are trying to get access too.
+// Do not export this type, as it can be created from a resource type constant.
 type zObject struct {
 	ObjectID   string `json:"object_id"`
 	OwnedBy    string `json:"owner_id"`
diff --git a/coderd/authz/permission_test.go b/coderd/authz/permission_test.go
@@ -1,12 +1,65 @@
 package authz_test
 
 import (
+	"github.com/stretchr/testify/require"
 	"testing"
 
 	"github.com/coder/coder/coderd/authz"
 	crand "github.com/coder/coder/cryptorand"
 )
 
+func Test_PermissionString(t *testing.T) {
+	testCases := []struct {
+		Name       string
+		Permission authz.Permission
+		Expected   string
+	}{
+		{
+			Name: "BasicPositive",
+			Permission: authz.Permission{
+				Sign:         true,
+				Level:        authz.LevelSite,
+				LevelID:      "",
+				ResourceType: authz.ResourceWorkspace,
+				ResourceID:   "*",
+				Action:       authz.ActionRead,
+			},
+			Expected: "+site.workspace.*.read",
+		},
+		{
+			Name: "BasicNegative",
+			Permission: authz.Permission{
+				Sign:         false,
+				Level:        authz.LevelUser,
+				LevelID:      "",
+				ResourceType: authz.ResourceDevURL,
+				ResourceID:   "1234",
+				Action:       authz.ActionWrite,
+			},
+			Expected: "-user.devurl.1234.write",
+		},
+		{
+			Name: "OrgID",
+			Permission: authz.Permission{
+				Sign:         false,
+				Level:        authz.LevelOrg,
+				LevelID:      "default",
+				ResourceType: authz.ResourceProject,
+				ResourceID:   "456",
+				Action:       authz.ActionModify,
+			},
+			Expected: "-org:default.project.456.modify",
+		},
+	}
+
+	for _, c := range testCases {
+		t.Run(c.Name, func(t *testing.T) {
+			require.Equal(t, c.Expected, c.Permission.String())
+		})
+	}
+
+}
+
 func BenchmarkPermissionString(b *testing.B) {
 	total := 10000
 	if b.N < total {
diff --git a/coderd/authz/subject.go b/coderd/authz/subject.go
@@ -22,6 +22,7 @@ type Subject interface {
 
 // SubjectTODO is a placeholder until we get an actual actor struct in place.
 // This will come with the Authn epic.
+// TODO: @emyrk delete this data structure when authn exists
 type SubjectTODO struct {
 	UserID string `json:"user_id"`
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+// Package authztest is a helper package for generating permissions to test the authz library.`
	`2`	`+package authztest`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ type Iterator interface {`
`18`	`18`	`Size() int`
`19`	`19`	`}`
`20`	`20`
`21`		`-// unionIterator is very primitive, just used to hold a place in a set.`
	`21`	`+// unionIterator is used to merge sets, or a union in set theory.`
`22`	`22`	`type unionIterator struct {`
`23`	`23`	`// setIdx determines which set the offset is for`
`24`	`24`	`setIdx int`