WithID unit tests and model method support

Emyrk · Emyrk · commit b9fed910857b · 2023-01-18T11:57:08.000-06:00
- Add ID to compileSQL matchers
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -19,7 +19,8 @@ func (s APIKeyScope) ToRBAC() rbac.Scope {
 
 func (t Template) RBACObject() rbac.Object {
 	obj := rbac.ResourceTemplate
-	return obj.InOrg(t.OrganizationID).
+	return obj.WithID(t.ID).
+		InOrg(t.OrganizationID).
 		WithACLUserList(t.UserACL).
 		WithGroupACL(t.GroupACL)
 }
@@ -30,42 +31,57 @@ func (TemplateVersion) RBACObject(template Template) rbac.Object {
 }
 
 func (g Group) RBACObject() rbac.Object {
-	return rbac.ResourceGroup.InOrg(g.OrganizationID)
+	return rbac.ResourceGroup.WithID(g.ID).
+		InOrg(g.OrganizationID)
 }
 
 func (w Workspace) RBACObject() rbac.Object {
-	return rbac.ResourceWorkspace.InOrg(w.OrganizationID).WithOwner(w.OwnerID.String())
+	return rbac.ResourceWorkspace.WithID(w.ID).
+		InOrg(w.OrganizationID).
+		WithOwner(w.OwnerID.String())
 }
 
 func (w Workspace) ExecutionRBAC() rbac.Object {
-	return rbac.ResourceWorkspaceExecution.InOrg(w.OrganizationID).WithOwner(w.OwnerID.String())
+	return rbac.ResourceWorkspaceExecution.
+		WithID(w.ID).
+		InOrg(w.OrganizationID).
+		WithOwner(w.OwnerID.String())
 }
 
 func (w Workspace) ApplicationConnectRBAC() rbac.Object {
-	return rbac.ResourceWorkspaceApplicationConnect.InOrg(w.OrganizationID).WithOwner(w.OwnerID.String())
+	return rbac.ResourceWorkspaceApplicationConnect.
+		WithID(w.ID).
+		InOrg(w.OrganizationID).
+		WithOwner(w.OwnerID.String())
 }
 
 func (m OrganizationMember) RBACObject() rbac.Object {
-	return rbac.ResourceOrganizationMember.InOrg(m.OrganizationID)
+	return rbac.ResourceOrganizationMember.
+		WithID(m.UserID).
+		InOrg(m.OrganizationID)
 }
 
 func (o Organization) RBACObject() rbac.Object {
-	return rbac.ResourceOrganization.InOrg(o.ID)
+	return rbac.ResourceOrganization.
+		WithID(o.ID).
+		InOrg(o.ID)
 }
 
-func (ProvisionerDaemon) RBACObject() rbac.Object {
-	return rbac.ResourceProvisionerDaemon
+func (p ProvisionerDaemon) RBACObject() rbac.Object {
+	return rbac.ResourceProvisionerDaemon.WithID(p.ID)
 }
 
 func (f File) RBACObject() rbac.Object {
-	return rbac.ResourceFile.WithOwner(f.CreatedBy.String())
+	return rbac.ResourceFile.
+		WithID(f.ID).
+		WithOwner(f.CreatedBy.String())
 }
 
 // RBACObject returns the RBAC object for the site wide user resource.
 // If you are trying to get the RBAC object for the UserData, use
 // rbac.ResourceUserData
-func (User) RBACObject() rbac.Object {
-	return rbac.ResourceUser
+func (u User) RBACObject() rbac.Object {
+	return rbac.ResourceUser.WithID(u.ID)
 }
 
 func (License) RBACObject() rbac.Object {
diff --git a/coderd/rbac/authz_internal_test.go b/coderd/rbac/authz_internal_test.go
@@ -788,6 +788,76 @@ func TestAuthorizeScope(t *testing.T) {
 			{resource: ResourceWorkspaceApplicationConnect.InOrg(unusedID).WithOwner("not-me"), actions: []Action{ActionCreate}, allow: false},
 		},
 	)
+
+	workspaceID := uuid.New()
+	user = subject{
+		UserID: "me",
+		Roles: []Role{
+			must(RoleByName(RoleMember())),
+			must(RoleByName(RoleOrgMember(defOrg))),
+		},
+		Scope: ScopeRole{
+			Role: Role{
+				Name:        "workspace_agent",
+				DisplayName: "Workspace Agent",
+				Site: permissions(map[string][]Action{
+					// Only read access for workspaces.
+					ResourceWorkspace.Type: {ActionRead},
+				}),
+				Org:  map[string][]Permission{},
+				User: []Permission{},
+			},
+			AllowIDList: []string{workspaceID.String()},
+		},
+	}
+
+	testAuthorize(t, "User_WorkspaceAgent", user,
+		// Test all cases with the workspace id
+		cases(func(c authTestCase) authTestCase {
+			c.actions = []Action{ActionCreate, ActionUpdate, ActionDelete}
+			c.allow = false
+			c.resource.WithID(workspaceID)
+			return c
+		}, []authTestCase{
+			{resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.UserID)},
+			{resource: ResourceWorkspace.InOrg(defOrg)},
+			{resource: ResourceWorkspace.WithOwner(user.UserID)},
+			{resource: ResourceWorkspace.All()},
+			{resource: ResourceWorkspace.InOrg(unusedID).WithOwner(user.UserID)},
+			{resource: ResourceWorkspace.InOrg(unusedID)},
+			{resource: ResourceWorkspace.InOrg(defOrg).WithOwner("not-me")},
+			{resource: ResourceWorkspace.WithOwner("not-me")},
+			{resource: ResourceWorkspace.InOrg(unusedID).WithOwner("not-me")},
+			{resource: ResourceWorkspace.InOrg(unusedID)},
+			{resource: ResourceWorkspace.WithOwner("not-me")},
+		}),
+		// Test cases with random ids. These should always fail from the scope.
+		cases(func(c authTestCase) authTestCase {
+			c.actions = []Action{ActionRead, ActionCreate, ActionUpdate, ActionDelete}
+			c.allow = false
+			c.resource.WithID(uuid.New())
+			return c
+		}, []authTestCase{
+			{resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.UserID)},
+			{resource: ResourceWorkspace.InOrg(defOrg)},
+			{resource: ResourceWorkspace.WithOwner(user.UserID)},
+			{resource: ResourceWorkspace.All()},
+			{resource: ResourceWorkspace.InOrg(unusedID).WithOwner(user.UserID)},
+			{resource: ResourceWorkspace.InOrg(unusedID)},
+			{resource: ResourceWorkspace.InOrg(defOrg).WithOwner("not-me")},
+			{resource: ResourceWorkspace.WithOwner("not-me")},
+			{resource: ResourceWorkspace.InOrg(unusedID).WithOwner("not-me")},
+			{resource: ResourceWorkspace.InOrg(unusedID)},
+			{resource: ResourceWorkspace.WithOwner("not-me")},
+		}),
+		// Allowed by scope:
+		[]authTestCase{
+			{resource: ResourceWorkspace.WithID(workspaceID).InOrg(defOrg).WithOwner(user.UserID), actions: []Action{ActionRead}, allow: true},
+			// The scope will return true, but the user perms return false for resources not owned by the user.
+			{resource: ResourceWorkspace.WithID(workspaceID).InOrg(defOrg).WithOwner("not-me"), actions: []Action{ActionRead}, allow: false},
+			{resource: ResourceWorkspace.WithID(workspaceID).InOrg(unusedID).WithOwner("not-me"), actions: []Action{ActionRead}, allow: false},
+		},
+	)
 }
 
 // cases applies a given function to all test cases. This makes generalities easier to create.
diff --git a/coderd/rbac/regosql/configs.go b/coderd/rbac/regosql/configs.go
@@ -2,6 +2,10 @@ package regosql
 
 import "github.com/coder/coder/coderd/rbac/regosql/sqltypes"
 
+func resourceIDMatcher() sqltypes.VariableMatcher {
+	return sqltypes.StringVarMatcher("id :: text", []string{"input", "object", "id"})
+}
+
 func organizationOwnerMatcher() sqltypes.VariableMatcher {
 	return sqltypes.StringVarMatcher("organization_id :: text", []string{"input", "object", "org_owner"})
 }
@@ -20,6 +24,7 @@ func userACLMatcher(m sqltypes.VariableMatcher) sqltypes.VariableMatcher {
 
 func TemplateConverter() *sqltypes.VariableConverter {
 	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
+		resourceIDMatcher(),
 		organizationOwnerMatcher(),
 		// Templates have no user owner, only owner by an organization.
 		sqltypes.AlwaysFalse(userOwnerMatcher()),
@@ -35,6 +40,7 @@ func TemplateConverter() *sqltypes.VariableConverter {
 // group or user ACL columns.
 func NoACLConverter() *sqltypes.VariableConverter {
 	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
+		resourceIDMatcher(),
 		organizationOwnerMatcher(),
 		userOwnerMatcher(),
 	)
@@ -48,6 +54,7 @@ func NoACLConverter() *sqltypes.VariableConverter {
 
 func DefaultVariableConverter() *sqltypes.VariableConverter {
 	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
+		resourceIDMatcher(),
 		organizationOwnerMatcher(),
 		userOwnerMatcher(),
 	)
