@@ -32,6 +32,44 @@ type RBACAsserter struct {
3232 Recorder * RecordingAuthorizer
3333}
3434
35+ // AssertRBAC returns an RBACAsserter for the given user. This asserter will
36+ // allow asserting that the correct RBAC checks are performed for the given user.
37+ // All checks that are not run against this user will be ignored.
38+ func AssertRBAC (t * testing.T , api * coderd.API , client * codersdk.Client ) RBACAsserter {
39+ if client .SessionToken () == "" {
40+ t .Fatal ("client must be logged in" )
41+ }
42+ recorder , ok := api .Authorizer .(* RecordingAuthorizer )
43+ if ! ok {
44+ t .Fatal ("expected RecordingAuthorizer" )
45+ }
46+
47+ // We use the database directly to not cause additional auth checks on behalf
48+ // of the user. This does add authz checks on behalf of the system user, but
49+ // it is hard to avoid that.
50+ ctx := dbauthz .AsSystemRestricted (context .Background ())
51+ token := client .SessionToken ()
52+ parts := strings .Split (token , "-" )
53+ key , err := api .Database .GetAPIKeyByID (ctx , parts [0 ])
54+ require .NoError (t , err , "fetch client api key" )
55+
56+ roles , err := api .Database .GetAuthorizationUserRoles (ctx , key .UserID )
57+ require .NoError (t , err , "fetch user roles" )
58+
59+ return RBACAsserter {
60+ Subject : rbac.Subject {
61+ ID : key .UserID .String (),
62+ Roles : rbac .RoleNames (roles .Roles ),
63+ Groups : roles .Groups ,
64+ Scope : rbac .ScopeName (key .Scope ),
65+ },
66+ Recorder : recorder ,
67+ }
68+ }
69+
70+ // AllCalls is for debugging. If you are not sure where calls are coming from,
71+ // call this and use a debugger or print them. They have small callstacks
72+ // on them to help locate the 'Authorize' call.
3573func (a RBACAsserter ) AllCalls () []AuthCall {
3674 return a .Recorder .AllCalls (& a .Subject )
3775}
@@ -85,48 +123,18 @@ func (a RBACAsserter) convertObjects(t *testing.T, objs ...interface{}) []rbac.O
85123}
86124
87125// Reset will clear all previously recorded authz calls.
126+ // This is helpful when wanting to ignore checks run in test setup.
88127func (a RBACAsserter ) Reset () RBACAsserter {
89128 a .Recorder .Reset ()
90129 return a
91130}
92131
93- func AssertRBAC (t * testing.T , api * coderd.API , client * codersdk.Client ) RBACAsserter {
94- if client .SessionToken () == "" {
95- t .Fatal ("client must be logged in" )
96- }
97- recorder , ok := api .Authorizer .(* RecordingAuthorizer )
98- if ! ok {
99- t .Fatal ("expected RecordingAuthorizer" )
100- }
101-
102- // We use the database directly to not cause additional auth checks on behalf
103- // of the user. This does add authz checks on behalf of the system user, but
104- // it is hard to avoid that.
105- ctx := dbauthz .AsSystemRestricted (context .Background ())
106- token := client .SessionToken ()
107- parts := strings .Split (token , "-" )
108- key , err := api .Database .GetAPIKeyByID (ctx , parts [0 ])
109- require .NoError (t , err , "fetch client api key" )
110-
111- roles , err := api .Database .GetAuthorizationUserRoles (ctx , key .UserID )
112- require .NoError (t , err , "fetch user roles" )
113-
114- return RBACAsserter {
115- Subject : rbac.Subject {
116- ID : key .UserID .String (),
117- Roles : rbac .RoleNames (roles .Roles ),
118- Groups : roles .Groups ,
119- Scope : rbac .ScopeName (key .Scope ),
120- },
121- Recorder : recorder ,
122- }
123- }
124-
125132type AuthCall struct {
126133 rbac.AuthCall
127134
128135 asserted bool
129- callers []string
136+ // callers is a small stack trace for debugging.
137+ callers []string
130138}
131139
132140var _ rbac.Authorizer = (* RecordingAuthorizer )(nil )
0 commit comments