First full draft of the authz authorize test

Emyrk · Emyrk · commit 7e6cc664696c · 2022-03-31T14:01:05.000-05:00
diff --git a/coderd/authz/action.go b/coderd/authz/action.go
@@ -0,0 +1,10 @@
+package authz
+
+type Action string
+
+const (
+	ReadAction   = "read"
+	WriteAction  = "write"
+	ModifyAction = "modify"
+	DeleteAction = "delete"
+)
diff --git a/coderd/authz/authz.go b/coderd/authz/authz.go
@@ -1,6 +1,12 @@
 package authz
 
 // TODO: Implement Authorize
-func Authorize(subj interface{}, obj Object, action interface{}) error {
+func Authorize(subj Subject, obj Object, action Action) error {
+	// TODO: Expand subject roles into their permissions as appropriate. Apply scopes.
+	return AuthorizePermissions(subj.ID(), []Permission{}, obj, action)
+}
+
+// AuthorizePermissions runs the authorize function with the raw permissions in a single list.
+func AuthorizePermissions(subjID string, permissions []Permission, object Object, action Action) error {
 	return nil
 }
diff --git a/coderd/authz/authz_test.go b/coderd/authz/authz_test.go
@@ -2,26 +2,120 @@ package authz_test
 
 import (
 	"fmt"
+	"github.com/coder/coder/coderd/authz"
 	"github.com/coder/coder/coderd/authz/authztest"
 	"math/bits"
+	"strings"
 	"testing"
 )
 
 var nilSet = authztest.Set{nil}
 
 func Test_ExhaustiveAuthorize(t *testing.T) {
 	all := authztest.GroupedPermissions(authztest.AllPermissions())
-	variants := permissionVariants(all)
-	for name, v := range variants {
+	roleVariants := permissionVariants(all)
+
+	testCases := []struct {
+		Name string
+		Objs []authz.Object
+		// Action is constant
+		// Subject comes from roleVariants
+		Result func(pv string) bool
+	}{
+		{
+			Name: "User:Org",
+			Objs: authztest.Objects(
+				[]string{authztest.PermMe, authztest.PermOrgID},
+			),
+			Result: func(pv string) bool {
+				return strings.Contains(pv, "+")
+			},
+		},
+		{
+			// All U+/- tests should fail
+			Name: "NotUser:Org",
+			Objs: authztest.Objects(
+				[]string{"other", authztest.PermOrgID},
+				[]string{"", authztest.PermOrgID},
+			),
+			Result: func(pv string) bool {
+				if strings.Contains(pv, "U") {
+					return false
+				}
+				return strings.Contains(pv, "+")
+			},
+		},
+		{
+			// All O+/- and U+/- tests should fail
+			Name: "NotUser:NotOrg",
+			Objs: authztest.Objects(
+				[]string{authztest.PermMe, "non-mem"},
+				[]string{"other", "non-mem"},
+				[]string{"other", ""},
+				[]string{"", "non-mem"},
+				[]string{"", ""},
+			),
+			Result: func(pv string) bool {
+				if strings.Contains(pv, "U") {
+					return false
+				}
+				if strings.Contains(pv, "O") {
+					return false
+				}
+				return strings.Contains(pv, "+")
+			},
+		},
+		// TODO: @emyrk for this one, we should probably pass a custom roles variant
+		//{
+		//	// O+, O- no longer pass judgement. Defer to user level judgement (only somewhat tricky case)
+		//	Name: "User:NotOrg",
+		//	Objs: authztest.Objects(
+		//		[]string{authztest.PermMe, ""},
+		//	),
+		//	Result: func(pv string) bool {
+		//		return strings.Contains(pv, "+")
+		//	},
+		//},
+	}
+
+	var pvars int
+	for name, v := range roleVariants {
 		fmt.Printf("%s: %d\n", name, v.Size())
+		pvars += v.Size()
+	}
+	var total int = 0
+	for _, c := range testCases {
+		total += len(c.Objs) * pvars
+	}
+	fmt.Printf("pvars=%d, total=%d\n", pvars, total)
+
+	var tot int
+	for _, c := range testCases {
+		t.Run(c.Name, func(t *testing.T) {
+			for _, o := range c.Objs {
+				for _, v := range roleVariants {
+					v.Each(func(set authztest.Set) {
+						// TODO: Authz.Permissions does allocations at the moment. We should fix that.
+						err := authz.AuthorizePermissions(
+							authztest.PermMe,
+							set.Permissions(),
+							o,
+							authztest.PermAction)
+						var _ = err
+						tot++
+					})
+					v.Reset()
+				}
+			}
+		})
 	}
 }
 
 func permissionVariants(all authztest.SetGroup) map[string]*authztest.Role {
 	// an is any noise above the impactful set
-	an := abstain
+	an := noiseAbstain
 	// ln is any noise below the impactful set
-	ln := positive | negative | abstain
+	ln := noisePositive | noiseNegative | noiseAbstain
 
 	// Cases are X+/- where X indicates the level where the impactful set is.
 	// The impactful set determines the result.
@@ -46,26 +140,25 @@ func permissionVariants(all authztest.SetGroup) map[string]*authztest.Role {
 			neg(all.Site()),
 			noise(ln, all.Org(), all.User()),
 		),
-		// TODO: Figure out cross org noise between org:* and org:mem
-		// Org:*
+		// Org:* -- Added org:mem noise
 		"O+": authztest.NewRole(
-			noise(an, all.Wildcard(), all.Site()),
+			noise(an, all.Wildcard(), all.Site(), all.OrgMem()),
 			pos(all.Org()),
 			noise(ln, all.User()),
 		),
 		"O-": authztest.NewRole(
-			noise(an, all.Wildcard(), all.Site()),
+			noise(an, all.Wildcard(), all.Site(), all.OrgMem()),
 			neg(all.Org()),
 			noise(ln, all.User()),
 		),
-		// Org:Mem
+		// Org:Mem -- Added org:* noise
 		"M+": authztest.NewRole(
-			noise(an, all.Wildcard(), all.Site()),
+			noise(an, all.Wildcard(), all.Site(), all.Org()),
 			pos(all.OrgMem()),
 			noise(ln, all.User()),
 		),
 		"M-": authztest.NewRole(
-			noise(an, all.Wildcard(), all.Site()),
+			noise(an, all.Wildcard(), all.Site(), all.Org()),
 			neg(all.OrgMem()),
 			noise(ln, all.User()),
 		),
@@ -78,16 +171,10 @@ func permissionVariants(all authztest.SetGroup) map[string]*authztest.Role {
 			noise(an, all.Wildcard(), all.Site(), all.Org()),
 			neg(all.User()),
 		),
+		// TODO: @Emyrk the abstain sets
 	}
 }
 
-func l() {
-	//authztest.Levels
-	//noise(an, all.Wildcard()),
-	//	neg(all.Site()),
-	//	noise(ln, all.Org(), all.User()),
-}
-
 // pos returns the positive impactful variant for a given level. It does not
 // include noise at any other level but the one given.
 func pos(lvl authztest.LevelGroup) *authztest.Role {
@@ -108,10 +195,10 @@ func neg(lvl authztest.LevelGroup) *authztest.Role {
 type noiseBits uint8
 
 const (
-	none noiseBits = 1 << iota
-	positive
-	negative
-	abstain
+	_ noiseBits = 1 << iota
+	noisePositive
+	noiseNegative
+	noiseAbstain
 )
 
 func flagMatch(flag, in noiseBits) bool {
@@ -128,13 +215,13 @@ func noise(f noiseBits, lvls ...authztest.LevelGroup) *authztest.Role {
 	for _, lvl := range lvls {
 		sets := make([]authztest.Iterable, 0, bits.OnesCount8(uint8(f)))
 
-		if flagMatch(positive, f) {
+		if flagMatch(noisePositive, f) {
 			sets = append(sets, authztest.Union(lvl.Positive()[:1], nilSet))
 		}
-		if flagMatch(negative, f) {
+		if flagMatch(noiseNegative, f) {
 			sets = append(sets, authztest.Union(lvl.Negative()[:1], nilSet))
 		}
-		if flagMatch(abstain, f) {
+		if flagMatch(noiseAbstain, f) {
 			sets = append(sets, authztest.Union(lvl.Abstain()[:1], nilSet))
 		}
 
diff --git a/coderd/authz/authztest/iterator.go b/coderd/authz/authztest/iterator.go
@@ -1,7 +1,7 @@
 package authztest
 
 import (
-	. "github.com/coder/coder/coderd/authz"
+	"github.com/coder/coder/coderd/authz"
 )
 
 type Iterable interface {
@@ -59,7 +59,7 @@ func (si *unionIterator) Permissions() Set {
 	return si.buffer
 }
 
-func (si unionIterator) Permission() *Permission {
+func (si unionIterator) Permission() *authz.Permission {
 	return si.sets[si.setIdx][si.offset]
 }
 
@@ -103,7 +103,7 @@ func ProductI(sets ...Iterable) *productI {
 		ReturnSize:     retSize,
 		N:              size,
 		PermissionSets: setInterfaces,
-		buffer:         make([]*Permission, retSize),
+		buffer:         make([]*authz.Permission, retSize),
 	}
 }
 
diff --git a/coderd/authz/authztest/object.go b/coderd/authz/authztest/object.go
@@ -0,0 +1,16 @@
+package authztest
+
+import "github.com/coder/coder/coderd/authz"
+
+func Objects(pairs ...[]string) []authz.Object {
+	objs := make([]authz.Object, 0, len(pairs))
+	for _, p := range pairs {
+		objs = append(objs, authz.Object{
+			ObjectID:   PermObjectID,
+			OwnerID:    p[0],
+			OrgOwnerID: p[1],
+			ObjectType: PermObjectType,
+		})
+	}
+	return objs
+}
diff --git a/coderd/authz/authztest/permissions.go b/coderd/authz/authztest/permissions.go
@@ -1,40 +1,45 @@
 package authztest
 
 import (
-	. "github.com/coder/coder/coderd/authz"
+	"github.com/coder/coder/coderd/authz"
 )
 
 const (
-	otherOption = "other"
+	otherOption    = "other"
+	PermObjectType = "resource"
+	PermAction     = "read"
+	PermOrgID      = "mem"
+	PermObjectID   = "rid"
+	PermMe         = "me"
 )
 
 var (
-	levelIDs      = []string{"", "mem"}
-	resourceTypes = []string{"resource", "*", otherOption}
-	resourceIDs   = []string{"rid", "*", otherOption}
-	actions       = []string{"action", "*", otherOption}
+	levelIDs      = []string{"", PermOrgID}
+	resourceTypes = []string{PermObjectType, "*", otherOption}
+	resourceIDs   = []string{PermObjectID, "*", otherOption}
+	actions       = []string{PermAction, "*", otherOption}
 )
 
 // AllPermissions returns all the possible permissions ever.
 func AllPermissions() Set {
 	permissionTypes := []bool{true, false}
-	all := make(Set, 0, len(permissionTypes)*len(PermissionLevels)*len(levelIDs)*len(resourceTypes)*len(resourceIDs)*len(actions))
+	all := make(Set, 0, len(permissionTypes)*len(authz.PermissionLevels)*len(levelIDs)*len(resourceTypes)*len(resourceIDs)*len(actions))
 	for _, s := range permissionTypes {
-		for _, l := range PermissionLevels {
+		for _, l := range authz.PermissionLevels {
 			for _, t := range resourceTypes {
 				for _, i := range resourceIDs {
 					for _, a := range actions {
-						if l == LevelOrg {
-							all = append(all, &Permission{
+						if l == authz.LevelOrg {
+							all = append(all, &authz.Permission{
 								Sign:         s,
 								Level:        l,
-								LevelID:      "mem",
+								LevelID:      PermOrgID,
 								ResourceType: t,
 								ResourceID:   i,
 								Action:       a,
 							})
 						}
-						all = append(all, &Permission{
+						all = append(all, &authz.Permission{
 							Sign:         s,
 							Level:        l,
 							LevelID:      "",
@@ -51,7 +56,7 @@ func AllPermissions() Set {
 }
 
 // Impact returns the impact (positive, negative, abstain) of p
-func Impact(p *Permission) PermissionSet {
+func Impact(p *authz.Permission) PermissionSet {
 	if p.ResourceType == otherOption ||
 		p.ResourceID == otherOption ||
 		p.Action == otherOption {
diff --git a/coderd/authz/authztest/role.go b/coderd/authz/authztest/role.go
@@ -1,11 +1,9 @@
 package authztest
 
 import (
-	. "github.com/coder/coder/coderd/authz"
+	"github.com/coder/coder/coderd/authz"
 )
 
-var _ Permission
-
 // Role can print all possible permutations of the given iterators.
 type Role struct {
 	// returnSize is how many permissions are the returned set for the role
@@ -16,7 +14,7 @@ type Role struct {
 	// This is kinda werird, but the first scan should not move anything.
 	first bool
 
-	buffer []*Permission
+	buffer []*authz.Permission
 }
 
 func NewRole(sets ...Iterable) *Role {
@@ -34,7 +32,7 @@ func NewRole(sets ...Iterable) *Role {
 		returnSize:     retSize,
 		N:              size,
 		PermissionSets: setInterfaces,
-		buffer:         make([]*Permission, retSize),
+		buffer:         make([]*authz.Permission, retSize),
 	}
 }
 
@@ -60,17 +58,14 @@ func (r *Role) Permissions() Set {
 }
 
 func (r *Role) Each(ea func(set Set)) {
+	ea(r.Permissions())
 	for r.Next() {
 		ea(r.Permissions())
 	}
 }
 
 // Next will grab the next cross-product permutation of all permissions of r.
 func (r *Role) Next() bool {
-	if !r.first {
-		r.first = true
-		return true
-	}
 	for i := range r.PermissionSets {
 		if r.PermissionSets[i].Next() {
 			break
diff --git a/coderd/authz/authztest/set.go b/coderd/authz/authztest/set.go
diff --git a/coderd/authz/role.go b/coderd/authz/role.go
diff --git a/coderd/authz/subject.go b/coderd/authz/subject.go

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`package authztest`
`2`	`2`
`3`	`3`	`import (`
`4`		`- . "github.com/coder/coder/coderd/authz"`
	`4`	`+ "github.com/coder/coder/coderd/authz"`
`5`	`5`	`)`
`6`	`6`
`7`	`7`	`type Iterable interface {`
`@@ -59,7 +59,7 @@ func (si *unionIterator) Permissions() Set {`
`59`	`59`	`return si.buffer`
`60`	`60`	`}`
`61`	`61`
`62`		`-func (si unionIterator) Permission() *Permission {`
	`62`	`+func (si unionIterator) Permission() *authz.Permission {`
`63`	`63`	`return si.sets[si.setIdx][si.offset]`
`64`	`64`	`}`
`65`	`65`
`@@ -103,7 +103,7 @@ func ProductI(sets ...Iterable) *productI {`
`103`	`103`	`ReturnSize: retSize,`
`104`	`104`	`N: size,`
`105`	`105`	`PermissionSets: setInterfaces,`
`106`		`- buffer: make([]*Permission, retSize),`
	`106`	`+ buffer: make([]*authz.Permission, retSize),`
`107`	`107`	`}`
`108`	`108`	`}`
`109`	`109`