Merge branch 'cj/howto-add-rbac-frobulation' of github.com:coder/coder into cj/howto-add-rbac-frobulation

dannykopping · dannykopping · commit 216720c836d8 · 2024-09-10T10:42:57.000+02:00
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -1484,10 +1484,7 @@ func (q *querier) GetFileTemplates(ctx context.Context, fileID uuid.UUID) ([]dat
 }
 
 func (q *querier) GetFrobulators(ctx context.Context, arg database.GetFrobulatorsParams) ([]database.Frobulator, error) {
-	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceFrobulator.WithOwner(arg.UserID.String()).InOrg(arg.OrgID)); err != nil {
-		return nil, err
-	}
-	return q.db.GetFrobulators(ctx, arg)
+	return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetFrobulators)(ctx, arg)
 }
 
 func (q *querier) GetGitSSHKey(ctx context.Context, userID uuid.UUID) (database.GitSSHKey, error) {
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
@@ -2791,17 +2791,20 @@ func (s *MethodTestSuite) TestNotifications() {
 
 func (s *MethodTestSuite) TestFrobulators() {
 	s.Run("GetFrobulators", s.Subtest(func(db database.Store, check *expects) {
-		user := dbgen.User(s.T(), db, database.User{})
+		// Pre-requisite: create two users and an organization.
+		u1 := dbgen.User(s.T(), db, database.User{})
+		u2 := dbgen.User(s.T(), db, database.User{})
 		org := dbgen.Organization(s.T(), db, database.Organization{})
+		// Create a few frobulator resources: two owned by u1, one owned by u2.
+		fr1 := dbgen.Frobulator(s.T(), db, database.Frobulator{UserID: u1.ID, OrgID: org.ID})
+		fr2 := dbgen.Frobulator(s.T(), db, database.Frobulator{UserID: u1.ID, OrgID: org.ID})
+		_ = dbgen.Frobulator(s.T(), db, database.Frobulator{UserID: u2.ID, OrgID: org.ID})
+		// Assert that calling GetFrobulators with a given user and org ID records a
+		// read action on each of the resources owned by that user.
 		check.Args(database.GetFrobulatorsParams{
-			UserID: user.ID,
+			UserID: u1.ID,
 			OrgID:  org.ID,
-		}).Asserts(
-			rbac.ResourceFrobulator.
-				WithOwner(user.ID.String()).
-				InOrg(org.ID),
-			policy.ActionRead,
-		)
+		}).Asserts(fr1, policy.ActionRead, fr2, policy.ActionRead)
 	}))
 	s.Run("InsertFrobulator", s.Subtest(func(db database.Store, check *expects) {
 		user := dbgen.User(s.T(), db, database.User{})
diff --git a/coderd/database/dbgen/dbgen.go b/coderd/database/dbgen/dbgen.go
@@ -895,9 +895,10 @@ func CustomRole(t testing.TB, db database.Store, seed database.CustomRole) datab
 
 func Frobulator(t testing.TB, db database.Store, orig database.Frobulator) database.Frobulator {
 	frob, err := db.InsertFrobulator(genCtx, database.InsertFrobulatorParams{
-		UserID:      orig.UserID,
-		OrgID:       orig.OrgID,
-		ModelNumber: orig.ModelNumber,
+		ID:          takeFirst(orig.ID, uuid.New()),
+		UserID:      takeFirst(orig.UserID, uuid.New()),
+		OrgID:       takeFirst(orig.OrgID, uuid.New()),
+		ModelNumber: takeFirst(orig.ModelNumber, testutil.GetRandomName(t)),
 	})
 	require.NoError(t, err, "insert frobulator")
 	return frob
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/frobulators.sql b/coderd/database/queries/frobulators.sql
@@ -5,7 +5,7 @@ WHERE user_id = $1 AND org_id = $2;
 
 -- name: InsertFrobulator :one
 INSERT INTO frobulators (id, user_id, org_id, model_number)
-VALUES (gen_random_uuid(), $1, $2, $3)
+VALUES ($1, $2, $3, $4)
 RETURNING *;
 
 -- name: DeleteFrobulator :exec
diff --git a/coderd/frobulators.go b/coderd/frobulators.go
@@ -71,10 +71,15 @@ func (api *API) createFrobulator(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	frob, err := api.Database.InsertFrobulator(ctx, database.InsertFrobulatorParams{
+		ID:          uuid.New(),
 		UserID:      member.UserID,
 		OrgID:       org.ID,
 		ModelNumber: req.ModelNumber,
 	})
+	if httpapi.Is404Error(err) { // Catches forbidden errors as well
+		httpapi.ResourceNotFound(rw)
+		return
+	}
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
 		return
@@ -113,6 +118,10 @@ func (api *API) deleteFrobulator(rw http.ResponseWriter, r *http.Request) {
 		UserID: member.UserID,
 		OrgID:  org.ID,
 	})
+	if httpapi.Is404Error(err) { // Catches forbidden errors as well
+		httpapi.ResourceNotFound(rw)
+		return
+	}
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
 		return
diff --git a/coderd/frobulators_test.go b/coderd/frobulators_test.go
@@ -119,37 +119,37 @@ func TestFrobulators(t *testing.T) {
 		t.Parallel()
 
 		tests := []struct {
-			name         string
-			member       codersdk.User
-			memberOrg    database.Organization
-			adminOrg     database.Organization
-			role         rbac.RoleIdentifier
-			expectedFrob uuid.UUID
-			expectedErr  string
+			name            string
+			member          codersdk.User
+			memberOrg       database.Organization
+			adminOrg        database.Organization
+			role            rbac.RoleIdentifier
+			expectedFrobIDs []uuid.UUID
+			expectedErr     string
 		}{
 			{
-				name:         "owner, same org",
-				member:       member1,
-				memberOrg:    org1,
-				adminOrg:     org1,
-				role:         rbac.RoleOwner(),
-				expectedFrob: frobulatorID,
+				name:            "owner, same org",
+				member:          member1,
+				memberOrg:       org1,
+				adminOrg:        org1,
+				role:            rbac.RoleOwner(),
+				expectedFrobIDs: []uuid.UUID{frobulatorID},
 			},
 			{
-				name:         "owner, different org",
-				member:       member2,
-				memberOrg:    org2,
-				adminOrg:     org1,
-				role:         rbac.RoleOwner(),
-				expectedFrob: frobulator2ID,
+				name:            "owner, different org",
+				member:          member2,
+				memberOrg:       org2,
+				adminOrg:        org1,
+				role:            rbac.RoleOwner(),
+				expectedFrobIDs: []uuid.UUID{frobulator2ID},
 			},
 			{
-				name:         "org admin, same org",
-				member:       member2,
-				memberOrg:    org2,
-				adminOrg:     org2,
-				role:         rbac.ScopedRoleOrgAdmin(org2.ID),
-				expectedFrob: frobulator2ID,
+				name:            "org admin, same org",
+				member:          member2,
+				memberOrg:       org2,
+				adminOrg:        org2,
+				role:            rbac.ScopedRoleOrgAdmin(org2.ID),
+				expectedFrobIDs: []uuid.UUID{frobulator2ID},
 			},
 			{
 				// Org admins do not have permission outside of their own org.
@@ -162,12 +162,13 @@ func TestFrobulators(t *testing.T) {
 			},
 			{
 				// User admins do not have permissions even inside their own org.
-				name:        "user admin, same org",
-				member:      member2,
-				memberOrg:   org2,
-				adminOrg:    org2,
-				role:        rbac.ScopedRoleOrgUserAdmin(org2.ID),
-				expectedErr: "500: An internal server error occurred",
+				// They will simply not see any frobulators to which they do not have access.
+				name:            "user admin, same org",
+				member:          member2,
+				memberOrg:       org2,
+				adminOrg:        org2,
+				role:            rbac.ScopedRoleOrgUserAdmin(org2.ID),
+				expectedFrobIDs: []uuid.UUID{},
 			},
 		}
 
@@ -187,17 +188,13 @@ func TestFrobulators(t *testing.T) {
 					return
 				}
 
-				// Then: the expected frobulator should be returned
+				// Otherwise: the expected frobulator(s) should be returned
 				require.NoError(t, err)
-				require.Len(t, frobs, 1)
-
-				var found bool
+				actualFrobIDs := make([]uuid.UUID, 0, len(frobs))
 				for _, f := range frobs {
-					if f.ID == tc.expectedFrob {
-						found = true
-					}
+					actualFrobIDs = append(actualFrobIDs, f.ID)
 				}
-				require.True(t, found, "reference frobulator not found")
+				require.ElementsMatch(t, tc.expectedFrobIDs, actualFrobIDs, "expected frobulator IDs not found")
 			})
 		}
 	})

Original file line number	Diff line number	Diff line change
`@@ -1484,10 +1484,7 @@ func (q *querier) GetFileTemplates(ctx context.Context, fileID uuid.UUID) ([]dat`
`1484`	`1484`	`}`
`1485`	`1485`
`1486`	`1486`	`func (q *querier) GetFrobulators(ctx context.Context, arg database.GetFrobulatorsParams) ([]database.Frobulator, error) {`
`1487`		`- if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceFrobulator.WithOwner(arg.UserID.String()).InOrg(arg.OrgID)); err != nil {`
`1488`		`- return nil, err`
`1489`		`- }`
`1490`		`- return q.db.GetFrobulators(ctx, arg)`
	`1487`	`+ return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetFrobulators)(ctx, arg)`
`1491`	`1488`	`}`
`1492`	`1489`
`1493`	`1490`	`func (q *querier) GetGitSSHKey(ctx context.Context, userID uuid.UUID) (database.GitSSHKey, error) {`