Allow asserting many rbac checks in recording authorizer

Emyrk · Emyrk · commit 5accbfe9cc7e · 2023-01-26T14:59:08.000-06:00
diff --git a/coderd/authzquery/workspace_test.go b/coderd/authzquery/workspace_test.go
@@ -5,6 +5,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/moby/moby/pkg/namesgenerator"
+
 	"github.com/coder/coder/coderd/rbac"
 
 	"github.com/google/uuid"
@@ -24,34 +26,61 @@ func TestWorkspace(t *testing.T) {
 		// TODO: Recorder should record all authz calls
 		rec   = &coderdtest.RecordingAuthorizer{}
 		q     = authzquery.NewAuthzQuerier(db, rec)
-		ctx   = context.Background()
-		actor = authzquery.WithAuthorizeContext(ctx,
-			uuid.New(),
-			rbac.RoleNames{rbac.RoleOwner()},
-			[]string{},
-			rbac.ScopeAll,
-		)
+		actor = rbac.Subject{
+			ID:     uuid.New().String(),
+			Roles:  rbac.RoleNames{rbac.RoleOwner()},
+			Groups: []string{},
+			Scope:  rbac.ScopeAll,
+		}
+		ctx = authzquery.WithAuthorizeContext(context.Background(), actor)
 	)
 
-	// Seed db
-	workspace, err := db.InsertWorkspace(ctx, database.InsertWorkspaceParams{
+	workspace := insertRandomWorkspace(t, db)
+
+	// Test recorder
+	_, err := q.GetWorkspaceByID(ctx, workspace.ID)
+	require.NoError(t, err)
+
+	_, err = q.UpdateWorkspace(ctx, database.UpdateWorkspaceParams{
+		ID:   workspace.ID,
+		Name: "new-name",
+	})
+	require.NoError(t, err)
+
+	rec.AssertActor(t, actor,
+		rec.Pair(rbac.ActionRead, workspace),
+		rec.Pair(rbac.ActionUpdate, workspace),
+	)
+	require.NoError(t, rec.AllAsserted())
+}
+
+func insertRandomWorkspace(t *testing.T, db database.Store, opts ...func(w *database.Workspace)) database.Workspace {
+	workspace := &database.Workspace{
 		ID:             uuid.New(),
-		CreatedAt:      time.Time{},
-		UpdatedAt:      time.Time{},
+		CreatedAt:      time.Now().Add(time.Hour * -1),
+		UpdatedAt:      time.Now(),
 		OwnerID:        uuid.New(),
 		OrganizationID: uuid.New(),
 		TemplateID:     uuid.New(),
-		Name:           "fake-workspace",
-	})
-	require.NoError(t, err)
+		Deleted:        false,
+		Name:           namesgenerator.GetRandomName(1),
+		LastUsedAt:     time.Now(),
+	}
+	for _, opt := range opts {
+		opt(workspace)
+	}
 
-	// Test
-	// NoAuth
-	_, err = q.GetWorkspaceByID(ctx, workspace.ID)
-	require.Error(t, err, "no actor in context")
-
-	// Test recorder
-	_, err = q.GetWorkspaceByID(actor, workspace.ID)
-	require.NoError(t, err)
-	require.Equal(t, rec.Called.Object, workspace.RBACObject())
+	newWorkspace, err := db.InsertWorkspace(context.Background(), database.InsertWorkspaceParams{
+		ID:                workspace.ID,
+		CreatedAt:         workspace.CreatedAt,
+		UpdatedAt:         workspace.UpdatedAt,
+		OwnerID:           workspace.OwnerID,
+		OrganizationID:    workspace.OrganizationID,
+		TemplateID:        workspace.TemplateID,
+		Name:              workspace.Name,
+		AutostartSchedule: workspace.AutostartSchedule,
+		Ttl:               workspace.Ttl,
+	})
+	require.NoError(t, err, "insert workspace")
+	return newWorkspace
 }
diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go
@@ -508,18 +508,19 @@ func (a *AuthTester) Test(ctx context.Context, assertRoute map[string]RouteCheck
 							assert.Equal(t, http.StatusForbidden, resp.StatusCode, "expect unauthorized")
 						}
 					}
-					if a.authorizer.Called != nil {
+					if a.authorizer.LastCall() != nil {
+						last := a.authorizer.LastCall()
 						if routeAssertions.AssertAction != "" {
-							assert.Equal(t, routeAssertions.AssertAction, a.authorizer.Called.Action, "resource action")
+							assert.Equal(t, routeAssertions.AssertAction, last.Action, "resource action")
 						}
 						if routeAssertions.AssertObject.Type != "" {
-							assert.Equal(t, routeAssertions.AssertObject.Type, a.authorizer.Called.Object.Type, "resource type")
+							assert.Equal(t, routeAssertions.AssertObject.Type, last.Object.Type, "resource type")
 						}
 						if routeAssertions.AssertObject.Owner != "" {
-							assert.Equal(t, routeAssertions.AssertObject.Owner, a.authorizer.Called.Object.Owner, "resource owner")
+							assert.Equal(t, routeAssertions.AssertObject.Owner, last.Object.Owner, "resource owner")
 						}
 						if routeAssertions.AssertObject.OrgID != "" {
-							assert.Equal(t, routeAssertions.AssertObject.OrgID, a.authorizer.Called.Object.OrgID, "resource org")
+							assert.Equal(t, routeAssertions.AssertObject.OrgID, last.Object.OrgID, "resource org")
 						}
 					}
 				} else {
@@ -533,30 +534,81 @@ func (a *AuthTester) Test(ctx context.Context, assertRoute map[string]RouteCheck
 }
 
 type authCall struct {
-	Subject rbac.Subject
-	Action  rbac.Action
-	Object  rbac.Object
+	Actor  rbac.Subject
+	Action rbac.Action
+	Object rbac.Object
+
+	asserted bool
 }
 
 type RecordingAuthorizer struct {
-	Called       *authCall
+	Called       []authCall
 	AlwaysReturn error
 }
 
 var _ rbac.Authorizer = (*RecordingAuthorizer)(nil)
 
+type ActionObjectPair struct {
+	Action rbac.Action
+	Object rbac.Object
+}
+
+// Pair is on the RecordingAuthorizer to be easy to find and keep the pkg
+// interface smaller.
+func (r *RecordingAuthorizer) Pair(action rbac.Action, object rbac.Objecter) ActionObjectPair {
+	return ActionObjectPair{
+		Action: action,
+		Object: object.RBACObject(),
+	}
+}
+
+func (r *RecordingAuthorizer) AllAsserted() error {
+	missed := 0
+	for _, c := range r.Called {
+		if !c.asserted {
+			missed++
+		}
+	}
+
+	if missed > 0 {
+		return xerrors.Errorf("missed %d calls", missed)
+	}
+	return nil
+}
+
+// AssertActor asserts in order.
+func (r *RecordingAuthorizer) AssertActor(t *testing.T, actor rbac.Subject, did ...ActionObjectPair) {
+	ptr := 0
+	for i, call := range r.Called {
+		if ptr == len(did) {
+			// Finished all assertions
+			return
+		}
+		if call.Actor.ID == actor.ID {
+			//action, object := did[ptr], on[ptr]
+			action, object := did[ptr].Action, did[ptr].Object
+			assert.Equalf(t, action, call.Action, "assert action %d", ptr)
+			assert.Equalf(t, object, call.Object, "assert object %d", ptr)
+			r.Called[i].asserted = true
+			ptr++
+		}
+	}
+
+	assert.Equalf(t, len(did), ptr, "assert actor: didn't find all actions, %d missing actions", len(did)-ptr)
+}
+
 // AuthorizeSQL does not record the call. This matches the postgres behavior
 // of not calling Authorize()
 func (r *RecordingAuthorizer) AuthorizeSQL(_ context.Context, _ rbac.Subject, _ rbac.Action, _ rbac.Object) error {
 	return r.AlwaysReturn
 }
 
 func (r *RecordingAuthorizer) Authorize(_ context.Context, subject rbac.Subject, action rbac.Action, object rbac.Object) error {
-	r.Called = &authCall{
-		Subject: subject,
-		Action:  action,
-		Object:  object,
-	}
+	r.Called = append(r.Called, authCall{
+		Actor:  subject,
+		Action: action,
+		Object: object,
+	})
 	return r.AlwaysReturn
 }
 
@@ -601,3 +653,12 @@ func (f fakePreparedAuthorizer) RegoString() string {
 	}
 	panic("not implemented")
 }
+
+// LastCall is implemented to support legacy tests.
+// Deprecated
+func (r *RecordingAuthorizer) LastCall() *authCall {
+	if len(r.Called) == 0 {
+		return nil
+	}
+	return &r.Called[len(r.Called)-1]
+}
