
Commit 5928c37

committed
Add unit tests for InTx and Ping
1 parent 6fed479 commit 5928c37


2 files changed

+48
-6
lines changed

2 files changed

+48
-6
lines changed

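--- a/coderd/authzquery/authz_test.go
+++ b/coderd/authzquery/authz_test.go
@@ -6,18 +6,17 @@ import (
 "reflect"
 "testing"
 
+"github.com/google/uuid"
 "github.com/stretchr/testify/require"
-
-"cdr.dev/slog/sloggers/slogtest"
-
 "golang.org/x/xerrors"
 
-"github.com/google/uuid"
-
 "cdr.dev/slog"
+"cdr.dev/slog/sloggers/slogtest"
 "github.com/coder/coder/coderd/authzquery"
 "github.com/coder/coder/coderd/coderdtest"
+"github.com/coder/coder/coderd/database"
 "github.com/coder/coder/coderd/database/dbfake"
+"github.com/coder/coder/coderd/database/dbgen"
 "github.com/coder/coder/coderd/rbac"
 )
 
@@ -36,6 +35,15 @@ func TestNotAuthorizedError(t *testing.T) {
 require.ErrorAs(t, err, &authErr, "must be a NotAuthorizedError")
 require.ErrorIs(t, authErr.Err, testErr, "internal error must match")
 })
+
+t.Run("MissingActor", func(t *testing.T) {
+q := authzquery.NewAuthzQuerier(dbfake.New(), &coderdtest.RecordingAuthorizer{
+Wrapped: &coderdtest.FakeAuthorizer{AlwaysReturn: nil},
+}, slog.Make())
+// This should fail because the actor is missing.
+_, err := q.GetWorkspaceByID(context.Background(), uuid.New())
+require.ErrorIs(t, err, authzquery.NoActorError, "must be a NoActorError")
+})
 }
 
 // TestAuthzQueryRecursive is a simple test to search for infinite recursion
@@ -72,6 +80,40 @@ func TestAuthzQueryRecursive(t *testing.T) {
 }
 }
 
+func TestPing(t *testing.T) {
+t.Parallel()
+
+q := authzquery.NewAuthzQuerier(dbfake.New(), &coderdtest.RecordingAuthorizer{}, slog.Make())
+_, err := q.Ping(context.Background())
+require.NoError(t, err, "must not error")
+}
+
+// TestInTX is not perfect, just checks that it properly checks auth.
+func TestInTX(t *testing.T) {
+t.Parallel()
+
+db := dbfake.New()
+q := authzquery.NewAuthzQuerier(db, &coderdtest.RecordingAuthorizer{
+Wrapped: &coderdtest.FakeAuthorizer{AlwaysReturn: xerrors.New("custom error")},
+}, slog.Make())
+actor := rbac.Subject{
+ID: uuid.NewString(),
+Roles: rbac.RoleNames{rbac.RoleOwner()},
+Groups: []string{},
+Scope: rbac.ScopeAll,
+}
+
+w := dbgen.Workspace(t, db, database.Workspace{})
+ctx := authzquery.WithAuthorizeContext(context.Background(), actor)
+err := q.InTx(func(tx database.Store) error {
+// The inner tx should use the parent's authz
+_, err := tx.GetWorkspaceByID(ctx, w.ID)
+return err
+}, nil)
+require.Error(t, err, "must error")
+require.ErrorAs(t, err, &authzquery.NotAuthorizedError{}, "must be an authorized error")
+}
+
 func must[T any](value T, err error) T {
 if err != nil {
 panic(err)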
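Review bot: TestInTX builds its `RecordingAuthorizer` inline and never inspects it, so the test shows only that a denial came back from inside the transaction, not which subject, action and object were checked. Keeping a reference to the recorder and asserting on what it recorded for `w` would pin that the wrapped `tx` authorizes the workspace read with the parent's actor. A companion case with `AlwaysReturn: nil` that expects `GetWorkspaceByID` to succeed inside `InTx` would show that the failure comes from the authorizer rather than from the transaction wrapper itself. The assertion message `"must be an authorized error"` reads inverted; `"must be a NotAuthorizedError"` would match the wording used in TestNotAuthorizedError.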

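--- a/coderd/authzquery/authzquerier.go
+++ b/coderd/authzquery/authzquerier.go
@@ -47,7 +47,7 @@ func (q *AuthzQuerier) InTx(function func(querier database.Store) error, txOpts
 // TODO: @emyrk verify this works.
 return q.db.InTx(func(tx database.Store) error {
 // Wrap the transaction store in an AuthzQuerier.
-wrapped := NewAuthzQuerier(tx, q.auth, slog.Make())
+wrapped := NewAuthzQuerier(tx, q.auth, q.log)
 return function(wrapped)
 }, txOpts)
 }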
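Review bot: The `// TODO: @emyrk verify this works.` comment above `q.db.InTx` stays in place although this commit adds TestInTX for the denial path, so a reader cannot tell what is still unverified. Either drop it or narrow it to the open question, and say in the comment why the store is re-wrapped, for example `// Re-wrap tx so queries made inside the callback are authorized by q.auth and logged to q.log.` InTx's signature and opening lines are outside the hunk, so whether `txOpts` or the caller's context need similar notes cannot be judged from here.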
