@@ -52,7 +52,10 @@ func dbauthzAuthorizationContext(m dsl.Matcher) {
5252func testingWithOwnerUser (m dsl.Matcher ) {
5353 m .Import ("testing" )
5454 m .Import ("github.com/coder/coder/v2/cli/clitest" )
55+ m .Import ("github.com/coder/coder/v2/enterprise/coderd/coderenttest" )
5556
57+ // For both AGPL and enterprise code, we check for SetupConfig being called with a
58+ // client authenticated as the Owner user.
5659 m .Match (`
5760 $_ := coderdtest.CreateFirstUser($t, $client)
5861 $*_
@@ -63,6 +66,40 @@ func testingWithOwnerUser(m dsl.Matcher) {
6366 m .File ().Name .Matches (`_test\.go$` )).
6467 At (m ["SetupConfig" ]).
6568 Report (`The CLI will be operating as the owner user, which has unrestricted permissions. Consider creating a different user.` )
69+
70+ m .Match (`
71+ $client, $_ := coderdenttest.New($t, $*_)
72+ $*_
73+ clitest.$SetupConfig($t, $client, $_)
74+ ` ).Where (m ["t" ].Type .Implements ("testing.TB" ) &&
75+ m ["SetupConfig" ].Text .Matches ("^SetupConfig$" ) &&
76+ m .File ().Name .Matches (`_test\.go$` )).
77+ At (m ["SetupConfig" ]).
78+ Report (`The CLI will be operating as the owner user, which has unrestricted permissions. Consider creating a different user.` )
79+
80+ // For the enterprise code, we check for any method called on the client.
81+ // While we want to be a bit stricter here, some methods are known to require
82+ // the owner user, so we exclude them.
83+ m .Match (`
84+ $client, $_ := coderdenttest.New($t, $*_)
85+ $*_
86+ $_, $_ := $client.$Method($*_)
87+ ` ).Where (m ["t" ].Type .Implements ("testing.TB" ) &&
88+ m .File ().Name .Matches (`_test\.go$` ) &&
89+ ! m ["Method" ].Text .Matches (`^(UpdateAppearance|Licenses|AddLicense|InsertLicense|DeleteLicense|CreateWorkspaceProxy|Replicas|Regions)$` )).
90+ At (m ["Method" ]).
91+ Report (`This client is operating as the owner user, which has unrestricted permissions. Consider creating a different user.` )
92+
93+ // Sadly, we need to match both one- and two-valued assignments separately.
94+ m .Match (`
95+ $client, $_ := coderdenttest.New($t, $*_)
96+ $*_
97+ $_ := $client.$Method($*_)
98+ ` ).Where (m ["t" ].Type .Implements ("testing.TB" ) &&
99+ m .File ().Name .Matches (`_test\.go$` ) &&
100+ ! m ["Method" ].Text .Matches (`^(UpdateAppearance|Licenses|AddLicense|InsertLicense|DeleteLicense|CreateWorkspaceProxy|Replicas|Regions)$` )).
101+ At (m ["Method" ]).
102+ Report (`This client is operating as the owner user, which has unrestricted permissions. Consider creating a different user.` )
66103}
67104
68105// Use xerrors everywhere! It provides additional stacktrace info!
0 commit comments