Add unit test to test manual role assign

Emyrk · Emyrk · commit 89b1b69e1920 · 2023-07-19T16:18:19.000-04:00
diff --git a/enterprise/coderd/userauth_test.go b/enterprise/coderd/userauth_test.go
@@ -25,7 +25,7 @@ import (
 // nolint:bodyclose
 func TestUserOIDC(t *testing.T) {
 	t.Parallel()
-	t.Run("Roles", func(t *testing.T) {
+	t.Run("RoleSync", func(t *testing.T) {
 		t.Parallel()
 
 		t.Run("NewUserAndRemoveRoles", func(t *testing.T) {
@@ -78,6 +78,44 @@ func TestUserOIDC(t *testing.T) {
 
 			require.Len(t, user.Roles, 0)
 		})
+		t.Run("BlockAssignRoles", func(t *testing.T) {
+			t.Parallel()
+
+			ctx := testutil.Context(t, testutil.WaitMedium)
+			conf := coderdtest.NewOIDCConfig(t, "")
+
+			config := conf.OIDCConfig(t, jwt.MapClaims{})
+			config.AllowSignups = true
+			config.UserRoleField = "roles"
+
+			client, _ := coderdenttest.New(t, &coderdenttest.Options{
+				Options: &coderdtest.Options{
+					OIDCConfig: config,
+				},
+				LicenseOptions: &coderdenttest.LicenseOptions{
+					Features: license.Features{codersdk.FeatureTemplateRBAC: 1},
+				},
+			})
+
+			admin, err := client.User(ctx, "me")
+			require.NoError(t, err)
+			require.Len(t, admin.OrganizationIDs, 1)
+
+			resp := oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
+				"email": "alice@coder.com",
+				"roles": []string{},
+			}))
+			require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+			// Try to manually update user roles, even though controlled by oidc
+			// role sync.
+			_, err = client.UpdateUserRoles(ctx, "alice", codersdk.UpdateRoles{
+				Roles: []string{
+					rbac.RoleTemplateAdmin(),
+				},
+			})
+			require.Error(t, err)
+			require.ErrorContains(t, err, "Cannot modify roles for OIDC users when role sync is enabled.")
+		})
 	})
 
 	t.Run("Groups", func(t *testing.T) {
