Jobs, orgs, and extra methods implemented

Emyrk · Emyrk · commit 338e3001036f · 2023-02-02T17:51:07.000-06:00
diff --git a/coderd/authzquery/job.go b/coderd/authzquery/job.go
@@ -106,6 +106,21 @@ func (q *AuthzQuerier) GetProvisionerJobByID(ctx context.Context, id uuid.UUID)
 	return job, nil
 }
 
+func (q *AuthzQuerier) GetProvisionerJobsByIDs(ctx context.Context, ids []uuid.UUID) ([]database.ProvisionerJob, error) {
+	// TODO: This is missing authorization and is incorrect. This call is used by telemetry, and by 1 http route.
+	// That http handler should find a better way to fetch these jobs with easier rbac authz.
+	return q.database.GetProvisionerJobsByIDs(ctx, ids)
+}
+
+func (q *AuthzQuerier) GetProvisionerLogsByIDBetween(ctx context.Context, arg database.GetProvisionerLogsByIDBetweenParams) ([]database.ProvisionerJobLog, error) {
+	// Authorized read on job lets the actor also read the logs.
+	_, err := q.GetProvisionerJobByID(ctx, arg.JobID)
+	if err != nil {
+		return nil, err
+	}
+	return q.database.GetProvisionerLogsByIDBetween(ctx, arg)
+}
+
 func authorizedTemplateVersionFromJob(ctx context.Context, q *AuthzQuerier, job database.ProvisionerJob) (database.TemplateVersion, error) {
 	switch job.Type {
 	case database.ProvisionerJobTypeTemplateVersionDryRun:
diff --git a/coderd/authzquery/job_test.go b/coderd/authzquery/job_test.go
@@ -91,4 +91,23 @@ func (suite *MethodTestSuite) TestProvsionerJob() {
 				asserts(v.RBACObject(tpl), []rbac.Action{rbac.ActionRead, rbac.ActionUpdate}))
 		})
 	})
+	suite.Run("GetProvisionerJobsByIDs", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			a := dbgen.ProvisionerJob(t, db, database.ProvisionerJob{})
+			b := dbgen.ProvisionerJob(t, db, database.ProvisionerJob{})
+			return methodCase(inputs([]uuid.UUID{a.ID, b.ID}), asserts())
+		})
+	})
+	suite.Run("GetProvisionerLogsByIDBetween", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			w := dbgen.Workspace(t, db, database.Workspace{})
+			j := dbgen.ProvisionerJob(t, db, database.ProvisionerJob{
+				Type: database.ProvisionerJobTypeWorkspaceBuild,
+			})
+			_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{JobID: j.ID, WorkspaceID: w.ID})
+			return methodCase(inputs(database.GetProvisionerLogsByIDBetweenParams{
+				JobID: j.ID,
+			}), asserts(w, rbac.ActionRead))
+		})
+	})
 }
diff --git a/coderd/authzquery/methods.go b/coderd/authzquery/methods.go
@@ -5,8 +5,6 @@ package authzquery
 import (
 	"context"
 
-	"github.com/google/uuid"
-
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/rbac"
 )
@@ -18,21 +16,6 @@ func (q *AuthzQuerier) GetProvisionerDaemons(ctx context.Context) ([]database.Pr
 	return authorizedFetchSet(q.authorizer, fetch)(ctx, nil)
 }
 
-func (q *AuthzQuerier) GetProvisionerJobsByIDs(ctx context.Context, ids []uuid.UUID) ([]database.ProvisionerJob, error) {
-	// TODO: This is missing authorization and is incorrect. This call is used by telemetry, and by 1 http route.
-	// That http handler should find a better way to fetch these jobs with easier rbac authz.
-	return q.database.GetProvisionerJobsByIDs(ctx, ids)
-}
-
-func (q *AuthzQuerier) GetProvisionerLogsByIDBetween(ctx context.Context, arg database.GetProvisionerLogsByIDBetweenParams) ([]database.ProvisionerJobLog, error) {
-	// Authorized read on job lets the actor also read the logs.
-	_, err := q.GetProvisionerJobByID(ctx, arg.JobID)
-	if err != nil {
-		return nil, err
-	}
-	return q.database.GetProvisionerLogsByIDBetween(ctx, arg)
-}
-
 func (q *AuthzQuerier) GetDeploymentDAUs(ctx context.Context) ([]database.GetDeploymentDAUsRow, error) {
 	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.All()); err != nil {
 		return nil, err
diff --git a/coderd/authzquery/methods_test.go b/coderd/authzquery/methods_test.go
@@ -100,7 +100,7 @@ func (s *MethodTestSuite) RunMethodTest(testCaseF func(t *testing.T, db database
 	az := authzquery.NewAuthzQuerier(db, rec, slog.Make())
 	actor := rbac.Subject{
 		ID:     uuid.NewString(),
-		Roles:  rbac.RoleNames{},
+		Roles:  rbac.RoleNames{rbac.RoleOwner()},
 		Groups: []string{},
 		Scope:  rbac.ScopeAll,
 	}
@@ -255,3 +255,20 @@ func asserts(inputs ...any) []AssertRBAC {
 	}
 	return out
 }
+
+func (suite *MethodTestSuite) TestExtraMethods() {
+	suite.Run("GetProvisionerDaemons", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			d, err := db.InsertProvisionerDaemon(context.Background(), database.InsertProvisionerDaemonParams{
+				ID: uuid.New(),
+			})
+			require.NoError(t, err, "insert provisioner daemon")
+			return methodCase(inputs(), asserts(d, rbac.ActionRead))
+		})
+	})
+	suite.Run("GetDeploymentDAUs", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			return methodCase(inputs(), asserts(rbac.ResourceUser.All(), rbac.ActionRead))
+		})
+	})
+}
diff --git a/coderd/authzquery/organization_test.go b/coderd/authzquery/organization_test.go
@@ -0,0 +1,127 @@
+package authzquery_test
+
+import (
+	"testing"
+
+	"github.com/google/uuid"
+
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/dbgen"
+	"github.com/coder/coder/coderd/rbac"
+)
+
+func (suite *MethodTestSuite) TestOrganization() {
+	suite.Run("GetGroupsByOrganizationID", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			o := dbgen.Organization(t, db, database.Organization{})
+			a := dbgen.Group(t, db, database.Group{OrganizationID: o.ID})
+			b := dbgen.Group(t, db, database.Group{OrganizationID: o.ID})
+			return methodCase(inputs(o.ID), asserts(a, rbac.ActionRead, b, rbac.ActionRead))
+		})
+	})
+	suite.Run("GetOrganizationByID", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			o := dbgen.Organization(t, db, database.Organization{})
+			return methodCase(inputs(o.ID), asserts(o, rbac.ActionRead))
+		})
+	})
+	suite.Run("GetOrganizationByName", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			o := dbgen.Organization(t, db, database.Organization{})
+			return methodCase(inputs(o.Name), asserts(o, rbac.ActionRead))
+		})
+	})
+	suite.Run("GetOrganizationIDsByMemberIDs", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			o := dbgen.Organization(t, db, database.Organization{})
+			u := dbgen.User(t, db, database.User{})
+			var _ = o.ID
+			// TODO: Implement this and do rbac check
+			//mem := dbgen.OrganizationMember(t, db, database.OrganizationMember{OrganizationID: o.ID, UserID: u.ID})
+			return methodCase(inputs([]uuid.UUID{u.ID}), asserts())
+		})
+	})
+	suite.Run("GetOrganizationMemberByUserID", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			o := dbgen.Organization(t, db, database.Organization{})
+			u := dbgen.User(t, db, database.User{})
+			// TODO: Implement this and do rbac check
+			//mem := dbgen.OrganizationMember(t, db, database.OrganizationMember{OrganizationID: o.ID, UserID: u.ID})
+			return methodCase(inputs(database.GetOrganizationMemberByUserIDParams{
+				OrganizationID: o.ID,
+				UserID:         u.ID,
+			}), asserts())
+		})
+	})
+	suite.Run("GetOrganizationMembershipsByUserID", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			o := dbgen.Organization(t, db, database.Organization{})
+			u := dbgen.User(t, db, database.User{})
+			var _ = o.ID
+			// TODO: Implement this and do rbac check
+			//mem := dbgen.OrganizationMember(t, db, database.OrganizationMember{OrganizationID: o.ID, UserID: u.ID})
+			return methodCase(inputs(u.ID), asserts())
+		})
+	})
+	suite.Run("GetOrganizations", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			a := dbgen.Organization(t, db, database.Organization{})
+			b := dbgen.Organization(t, db, database.Organization{})
+			return methodCase(inputs(), asserts(a, rbac.ActionRead, b, rbac.ActionRead))
+		})
+	})
+	suite.Run("GetOrganizationsByUserID", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			o := dbgen.Organization(t, db, database.Organization{})
+			u := dbgen.User(t, db, database.User{})
+			var _ = o.ID
+			// TODO: Implement this and do rbac check
+			//mem := dbgen.OrganizationMember(t, db, database.OrganizationMember{OrganizationID: o.ID, UserID: u.ID})
+			return methodCase(inputs(u.ID), asserts(u, rbac.ActionRead))
+		})
+	})
+	suite.Run("InsertOrganization", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			return methodCase(inputs(database.InsertOrganizationParams{
+				ID:   uuid.New(),
+				Name: "random",
+			}), asserts(rbac.ResourceOrganization, rbac.ActionCreate))
+		})
+	})
+	suite.Run("InsertOrganizationMember", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			o := dbgen.Organization(t, db, database.Organization{})
+			u := dbgen.User(t, db, database.User{})
+
+			return methodCase(inputs(database.InsertOrganizationMemberParams{
+				OrganizationID: o.ID,
+				UserID:         u.ID,
+				Roles:          []string{rbac.RoleOrgAdmin(o.ID)},
+			}), asserts(
+				rbac.ResourceRoleAssignment.InOrg(o.ID), rbac.ActionCreate,
+				rbac.ResourceOrganizationMember.InOrg(o.ID).WithID(u.ID), rbac.ActionCreate),
+			)
+		})
+	})
+	suite.Run("UpdateMemberRoles", func() {
+		suite.RunMethodTest(func(t *testing.T, db database.Store) MethodCase {
+			o := dbgen.Organization(t, db, database.Organization{})
+			u := dbgen.User(t, db, database.User{})
+			// TODO: Implement this and do rbac check
+			//mem := dbgen.OrganizationMember(t, db, database.OrganizationMember{
+			//	OrganizationID: o.ID,
+			//	UserID:         u.ID,
+			//	Roles:          []string{rbac.RoleOrgAdmin(o.ID)},
+			//})
+
+			return methodCase(inputs(database.UpdateMemberRolesParams{
+				GrantedRoles: []string{},
+				UserID:       u.ID,
+				OrgID:        o.ID,
+			}), asserts(
+				rbac.ResourceRoleAssignment.InOrg(o.ID), rbac.ActionDelete,
+				rbac.ResourceOrganizationMember.InOrg(o.ID).WithID(u.ID), rbac.ActionCreate,
+			))
+		})
+	})
+}
