Add organization parameter query

kylecarbs · kylecarbs · commit 2d90bfffc43a · 2022-01-23T16:33:28.000Z
diff --git a/httpmw/organizationparam.go b/httpmw/organizationparam.go
@@ -0,0 +1,86 @@
+package httpmw
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/go-chi/chi"
+
+	"github.com/coder/coder/database"
+	"github.com/coder/coder/httpapi"
+)
+
+type organizationParamContextKey struct{}
+type organizationMemberParamContextKey struct{}
+
+// OrganizationParam returns the organization from the ExtractOrganizationParam handler.
+func OrganizationParam(r *http.Request) database.Organization {
+	organization, ok := r.Context().Value(organizationParamContextKey{}).(database.Organization)
+	if !ok {
+		panic("developer error: organization param middleware not provided")
+	}
+	return organization
+}
+
+// OrganizationMemberParam returns the organization membership that allowed the query
+// from the ExtractOrganizationParam handler.
+func OrganizationMemberParam(r *http.Request) database.OrganizationMember {
+	organizationMember, ok := r.Context().Value(organizationMemberParamContextKey{}).(database.OrganizationMember)
+	if !ok {
+		panic("developer error: organization param middleware not provided")
+	}
+	return organizationMember
+}
+
+// ExtractOrganizationParam grabs an organization and user membership from the "organization" URL parameter.
+// This middleware requires the API key middleware for authentication.
+func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			apiKey := APIKey(r)
+			organizationName := chi.URLParam(r, "organization")
+			if organizationName == "" {
+				httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+					Message: "organization name must be provided",
+				})
+				return
+			}
+			organization, err := db.GetOrganizationByName(r.Context(), organizationName)
+			if errors.Is(err, sql.ErrNoRows) {
+				httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
+					Message: fmt.Sprintf("organization %q does not exist", organizationName),
+				})
+				return
+			}
+			if err != nil {
+				httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+					Message: fmt.Sprintf("get organization: %s", err.Error()),
+				})
+				return
+			}
+			organizationMember, err := db.GetOrganizationMemberByUserID(r.Context(), database.GetOrganizationMemberByUserIDParams{
+				OrganizationID: organization.ID,
+				UserID:         apiKey.UserID,
+			})
+			if errors.Is(err, sql.ErrNoRows) {
+				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+					Message: "not a member of the organization",
+				})
+				return
+			}
+			if err != nil {
+				httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+					Message: fmt.Sprintf("get organization member: %s", err.Error()),
+				})
+				return
+			}
+
+			ctx := context.WithValue(r.Context(), organizationParamContextKey{}, organization)
+			ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, organizationMember)
+			next.ServeHTTP(rw, r.WithContext(ctx))
+		})
+	}
+}
diff --git a/httpmw/organizationparam_test.go b/httpmw/organizationparam_test.go
@@ -0,0 +1,147 @@
+package httpmw_test
+
+import (
+	"context"
+	"crypto/sha256"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/go-chi/chi"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cryptorand"
+	"github.com/coder/coder/database"
+	"github.com/coder/coder/database/databasefake"
+	"github.com/coder/coder/httpmw"
+)
+
+func TestOrganizationParam(t *testing.T) {
+	t.Parallel()
+
+	setupAuthentication := func(db database.Store, r *http.Request) database.User {
+		var (
+			id, secret = randomAPIKeyParts()
+			hashed     = sha256.Sum256([]byte(secret))
+		)
+		r.AddCookie(&http.Cookie{
+			Name:  httpmw.AuthCookie,
+			Value: fmt.Sprintf("%s-%s", id, secret),
+		})
+		userID, err := cryptorand.String(16)
+		require.NoError(t, err)
+		username, err := cryptorand.String(8)
+		require.NoError(t, err)
+		user, err := db.InsertUser(r.Context(), database.InsertUserParams{
+			ID:             userID,
+			Email:          "testaccount@coder.com",
+			Name:           "example",
+			LoginType:      database.LoginTypeBuiltIn,
+			HashedPassword: hashed[:],
+			Username:       username,
+			CreatedAt:      database.Now(),
+			UpdatedAt:      database.Now(),
+		})
+		require.NoError(t, err)
+		_, err = db.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{
+			ID:           id,
+			UserID:       user.ID,
+			HashedSecret: hashed[:],
+			LastUsed:     database.Now(),
+			ExpiresAt:    database.Now().Add(time.Minute),
+		})
+		require.NoError(t, err)
+		return user
+	}
+
+	t.Run("None", func(t *testing.T) {
+		var (
+			db = databasefake.New()
+			r  = httptest.NewRequest("GET", "/", nil)
+			rw = httptest.NewRecorder()
+			_  = setupAuthentication(db, r)
+		)
+		httpmw.ExtractAPIKey(db, nil)(httpmw.ExtractOrganizationParam(db)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		}))).ServeHTTP(rw, r)
+		res := rw.Result()
+		defer res.Body.Close()
+		require.Equal(t, http.StatusBadRequest, res.StatusCode)
+	})
+
+	t.Run("NotFound", func(t *testing.T) {
+		var (
+			db = databasefake.New()
+			r  = httptest.NewRequest("GET", "/", nil)
+			rw = httptest.NewRecorder()
+			_  = setupAuthentication(db, r)
+		)
+		routeContext := chi.NewRouteContext()
+		routeContext.URLParams.Add("organization", "example")
+		r = r.WithContext(context.WithValue(r.Context(), chi.RouteCtxKey, routeContext))
+		httpmw.ExtractAPIKey(db, nil)(httpmw.ExtractOrganizationParam(db)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		}))).ServeHTTP(rw, r)
+		res := rw.Result()
+		defer res.Body.Close()
+		require.Equal(t, http.StatusNotFound, res.StatusCode)
+	})
+
+	t.Run("NotInOrganization", func(t *testing.T) {
+		var (
+			db = databasefake.New()
+			r  = httptest.NewRequest("GET", "/", nil)
+			rw = httptest.NewRecorder()
+			_  = setupAuthentication(db, r)
+		)
+		organization, err := db.InsertOrganization(r.Context(), database.InsertOrganizationParams{
+			ID:        uuid.NewString(),
+			Name:      "test",
+			CreatedAt: database.Now(),
+			UpdatedAt: database.Now(),
+		})
+		require.NoError(t, err)
+		routeContext := chi.NewRouteContext()
+		routeContext.URLParams.Add("organization", organization.Name)
+		r = r.WithContext(context.WithValue(r.Context(), chi.RouteCtxKey, routeContext))
+		httpmw.ExtractAPIKey(db, nil)(httpmw.ExtractOrganizationParam(db)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		}))).ServeHTTP(rw, r)
+		res := rw.Result()
+		defer res.Body.Close()
+		require.Equal(t, http.StatusUnauthorized, res.StatusCode)
+	})
+
+	t.Run("Success", func(t *testing.T) {
+		var (
+			db   = databasefake.New()
+			r    = httptest.NewRequest("GET", "/", nil)
+			rw   = httptest.NewRecorder()
+			user = setupAuthentication(db, r)
+		)
+		organization, err := db.InsertOrganization(r.Context(), database.InsertOrganizationParams{
+			ID:        uuid.NewString(),
+			Name:      "test",
+			CreatedAt: database.Now(),
+			UpdatedAt: database.Now(),
+		})
+		require.NoError(t, err)
+		_, err = db.InsertOrganizationMember(r.Context(), database.InsertOrganizationMemberParams{
+			OrganizationID: organization.ID,
+			UserID:         user.ID,
+			CreatedAt:      database.Now(),
+			UpdatedAt:      database.Now(),
+		})
+		require.NoError(t, err)
+		routeContext := chi.NewRouteContext()
+		routeContext.URLParams.Add("organization", organization.Name)
+		r = r.WithContext(context.WithValue(r.Context(), chi.RouteCtxKey, routeContext))
+		httpmw.ExtractAPIKey(db, nil)(httpmw.ExtractOrganizationParam(db)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			_ = httpmw.OrganizationParam(r)
+			_ = httpmw.OrganizationMemberParam(r)
+		}))).ServeHTTP(rw, r)
+		res := rw.Result()
+		defer res.Body.Close()
+		require.Equal(t, http.StatusUnauthorized, res.StatusCode)
+	})
+}
