chore: add unit test to verify OIDCClaims query

Emyrk · Emyrk · commit 0b70d363be2a · 2024-11-14T13:23:37.000-06:00
diff --git a/coderd/database/modelqueries.go b/coderd/database/modelqueries.go
@@ -531,6 +531,6 @@ func insertAuthorizedFilter(query string, replaceWith string) (string, error) {
 
 // UpdateUserLinkRawJSON is a custom query for unit testing. Do not ever expose this
 func (q *sqlQuerier) UpdateUserLinkRawJSON(ctx context.Context, userID uuid.UUID, data json.RawMessage) error {
-	_, err := q.sdb.Exec("INSERT INTO user_links (user_id, claims) VALUES ($1, $2)", userID, data)
+	_, err := q.sdb.ExecContext(ctx, "UPDATE user_links SET claims = $2 WHERE user_id = $1", userID, data)
 	return err
 }
diff --git a/coderd/database/oidcclaims_test.go b/coderd/database/oidcclaims_test.go
@@ -10,8 +10,9 @@ import (
 
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbfake"
+	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/coderd/database/dbtestutil"
-	"github.com/coder/coder/v2/coderd/database/dbtime"
+	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/testutil"
 )
 
@@ -35,29 +36,41 @@ func TestOIDCClaims(t *testing.T) {
 	alice := g.withLink(database.LoginTypeOIDC, toJSON(extraKeys{
 		UserLinkClaims: database.UserLinkClaims{
 			IDTokenClaims: map[string]interface{}{
-				"sub": "alice",
-			},
-			UserInfoClaims: map[string]interface{}{
-				"sub": "alice",
+				"sub":      "alice",
+				"alice-id": "from-bob",
 			},
+			UserInfoClaims: nil,
 		},
 		// Always should be a no-op
 		Foo: "bar",
 	}))
 	bob := g.withLink(database.LoginTypeOIDC, toJSON(database.UserLinkClaims{
 		IDTokenClaims: map[string]interface{}{
-			"sub": "bob",
+			"sub":    "bob",
+			"bob-id": "from-bob",
+			"array": []string{
+				"a", "b", "c",
+			},
+			"map": map[string]interface{}{
+				"key": "value",
+				"foo": "bar",
+			},
+			"nil": nil,
 		},
 		UserInfoClaims: map[string]interface{}{
-			"sub": "bob",
+			"sub":      "bob",
+			"bob-info": []string{},
+			"number":   42,
 		},
 	}))
 	charlie := g.withLink(database.LoginTypeOIDC, toJSON(database.UserLinkClaims{
 		IDTokenClaims: map[string]interface{}{
-			"sub": "charlie",
+			"sub":        "charlie",
+			"charlie-id": "charlie",
 		},
 		UserInfoClaims: map[string]interface{}{
-			"sub": "charlie",
+			"sub":          "charlie",
+			"charlie-info": "charlie",
 		},
 	}))
 
@@ -87,17 +100,23 @@ func TestOIDCClaims(t *testing.T) {
 	orgA := dbfake.Organization(t, db).Members(
 		append(problematics,
 			alice,
-			bob)...,
+			bob,
+		)...,
 	).Do()
 	orgB := dbfake.Organization(t, db).Members(
 		append(problematics,
+			bob,
 			charlie,
 		)...,
 	).Do()
 
 	// Verify the OIDC claim fields
-	requireClaims(t, db, orgA.Org.ID, []string{"sub"})
-	requireClaims(t, db, orgB.Org.ID, []string{"sub"})
+	always := []string{"array", "map", "nil", "number"}
+	expectA := append([]string{"sub", "alice-id", "bob-id", "bob-info"}, always...)
+	expectB := append([]string{"sub", "bob-id", "bob-info", "charlie-id", "charlie-info"}, always...)
+	requireClaims(t, db, orgA.Org.ID, expectA)
+	requireClaims(t, db, orgB.Org.ID, expectB)
+	requireClaims(t, db, uuid.Nil, slice.Unique(append(expectA, expectB...)))
 }
 
 func requireClaims(t *testing.T, db database.Store, orgID uuid.UUID, want []string) {
@@ -129,34 +148,23 @@ func (g userGenerator) user(lt database.LoginType, createLink bool, rawJSON json
 
 	t.Helper()
 
-	u, err := db.InsertUser(context.Background(), database.InsertUserParams{
-		ID:        uuid.New(),
-		Email:     testutil.GetRandomName(t),
-		Username:  testutil.GetRandomName(t),
-		Name:      testutil.GetRandomName(t),
-		CreatedAt: dbtime.Now(),
-		UpdatedAt: dbtime.Now(),
-		RBACRoles: []string{},
+	u := dbgen.User(t, db, database.User{
 		LoginType: lt,
-		Status:    string(database.UserStatusActive),
 	})
-	require.NoError(t, err)
 
 	if !createLink {
 		return u
 	}
 
-	link, err := db.InsertUserLink(context.Background(), database.InsertUserLinkParams{
+	link := dbgen.UserLink(t, db, database.UserLink{
 		UserID:    u.ID,
 		LoginType: lt,
-		Claims:    database.UserLinkClaims{},
 	})
-	require.NoError(t, err)
 
 	if sql, ok := db.(rawUpdater); ok {
 		// The only way to put arbitrary json into the db for testing edge cases.
 		// Making this a public API would be a mistake.
-		err = sql.UpdateUserLinkRawJSON(context.Background(), u.ID, rawJSON)
+		err := sql.UpdateUserLinkRawJSON(context.Background(), u.ID, rawJSON)
 		require.NoError(t, err)
 	} else {
 		// no need to test the json key logic in dbmem. Everything is type safe.

Original file line number	Diff line number	Diff line change
`@@ -531,6 +531,6 @@ func insertAuthorizedFilter(query string, replaceWith string) (string, error) {`
`531`	`531`
`532`	`532`	`// UpdateUserLinkRawJSON is a custom query for unit testing. Do not ever expose this`
`533`	`533`	`func (q *sqlQuerier) UpdateUserLinkRawJSON(ctx context.Context, userID uuid.UUID, data json.RawMessage) error {`
`534`		`- _, err := q.sdb.Exec("INSERT INTO user_links (user_id, claims) VALUES ($1, $2)", userID, data)`
	`534`	`+ _, err := q.sdb.ExecContext(ctx, "UPDATE user_links SET claims = $2 WHERE user_id = $1", userID, data)`
`535`	`535`	`return err`
`536`	`536`	`}`