
Commit d88c836

committed
Compiling
1 parent 1bc2cdf commit d88c836


6 files changed

+45
-35
lines changed


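--- a/coderd/coderdtest/authorize.go
+++ b/coderd/coderdtest/authorize.go
@@ -60,10 +60,13 @@ func AssertRBAC(t *testing.T, api *coderd.API, client *codersdk.Client) RBACAsse
 roles, err := api.Database.GetAuthorizationUserRoles(ctx, key.UserID)
 require.NoError(t, err, "fetch user roles")
 
+roleNames, err := roles.RoleNames()
+require.NoError(t, err)
+
 return RBACAsserter{
 Subject: rbac.Subject{
 ID: key.UserID.String(),
-Roles: rbac.RoleNames(roles.Roles),
+Roles: rbac.RoleNames(roleNames),
 Groups: roles.Groups,
 Scope: rbac.ScopeName(key.Scope),
 },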
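Review bot: The added `require.NoError(t, err)` after `roles.RoleNames()` carries no message, unlike the `"fetch user roles"` check two lines above it, so a failure here would not say which step broke. This helper builds the `rbac.Subject` that the RBAC assertions run against, so I would write `require.NoError(t, err, "convert user roles to role names")`. AssertRBAC continues past the end of the hunk.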

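--- a/coderd/coderdtest/coderdtest.go
+++ b/coderd/coderdtest/coderdtest.go
@@ -55,6 +55,7 @@ import (
 "github.com/coder/coder/v2/coderd/autobuild"
 "github.com/coder/coder/v2/coderd/awsidentity"
 "github.com/coder/coder/v2/coderd/database"
+"github.com/coder/coder/v2/coderd/database/db2sdk"
 "github.com/coder/coder/v2/coderd/database/dbauthz"
 "github.com/coder/coder/v2/coderd/database/dbrollup"
 "github.com/coder/coder/v2/coderd/database/dbtestutil"
@@ -677,7 +678,11 @@ func AuthzUserSubject(user codersdk.User, orgID uuid.UUID) rbac.Subject {
 // Member role is always implied
 roles = append(roles, rbac.RoleMember())
 for _, r := range user.Roles {
-roles = append(roles, r.Name)
+orgID, _ := uuid.Parse(r.OrganizationID) // defaults to nil
+roles = append(roles, rbac.RoleName{
+Name: r.Name,
+OrganizationID: orgID,
+})
 }
 // We assume only 1 org exists
 roles = append(roles, rbac.ScopedRoleOrgMember(orgID))
@@ -748,36 +753,37 @@ func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationI
 
 if len(roles) > 0 {
 // Find the roles for the org vs the site wide roles
-orgRoles := make(map[string][]string)
-var siteRoles []string
+orgRoles := make(map[uuid.UUID][]rbac.RoleName)
+var siteRoles []rbac.RoleName
 
 for _, roleName := range roles {
-roleName := roleName
-orgID, ok := rbac.IsOrgRole(roleName)
-roleName, _, err = rbac.RoleSplit(roleName)
-require.NoError(t, err, "split org role name")
+ok := roleName.IsOrgRole()
 if ok {
-roleName, _, err = rbac.RoleSplit(roleName)
-require.NoError(t, err, "split rolename")
-orgRoles[orgID] = append(orgRoles[orgID], roleName)
+orgRoles[roleName.OrganizationID] = append(orgRoles[roleName.OrganizationID], roleName)
 } else {
 siteRoles = append(siteRoles, roleName)
 }
 }
 // Update the roles
 for _, r := range user.Roles {
-siteRoles = append(siteRoles, r.Name)
+orgID, _ := uuid.Parse(r.OrganizationID)
+siteRoles = append(siteRoles, rbac.RoleName{
+Name: r.Name,
+OrganizationID: orgID,
+})
+}
+
+onlyName := func(role rbac.RoleName) string {
+return role.Name
 }
 
-user, err = client.UpdateUserRoles(context.Background(), user.ID.String(), codersdk.UpdateRoles{Roles: siteRoles})
+user, err = client.UpdateUserRoles(context.Background(), user.ID.String(), codersdk.UpdateRoles{Roles: db2sdk.List(siteRoles, onlyName)})
 require.NoError(t, err, "update site roles")
 
 // Update org roles
 for orgID, roles := range orgRoles {
-organizationID, err := uuid.Parse(orgID)
-require.NoError(t, err, fmt.Sprintf("parse org id %q", orgID))
-_, err = client.UpdateOrganizationMemberRoles(context.Background(), organizationID, user.ID.String(),
-codersdk.UpdateRoles{Roles: roles})
+_, err = client.UpdateOrganizationMemberRoles(context.Background(), orgID, user.ID.String(),
+codersdk.UpdateRoles{Roles: db2sdk.List(roles, onlyName)})
 require.NoError(t, err, "update org membership roles")
 }
 }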
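Review bot: In AuthzUserSubject the added `orgID, _ := uuid.Parse(r.OrganizationID)` shadows the function's `orgID` parameter inside the loop and discards the parse error, so a non-empty but malformed organization ID silently becomes `uuid.Nil` and the role lands on the test subject as site-wide. Because this helper builds the `rbac.Subject` that authorization tests compare against, I would rename the local and state the intent, e.g. `roleOrgID, _ := uuid.Parse(r.OrganizationID) // empty string (site-wide role) yields uuid.Nil`. The same pattern appears in createAnotherUserRetry, where `t` is in scope, so a non-empty value that fails to parse can be rejected with `if r.OrganizationID != "" { require.NoError(t, err, "parse role organization id") }`. In that function the existing `user.Roles` are still appended to `siteRoles` and reduced by `onlyName`, so if they can include org-scoped roles those would be sent to `UpdateUserRoles` by bare name; a comment saying they are assumed site-wide would help. Both function bodies extend beyond the hunks shown.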

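--- a/enterprise/coderd/coderd_test.go
+++ b/enterprise/coderd/coderd_test.go
@@ -497,7 +497,7 @@ func testDBAuthzRole(ctx context.Context) context.Context {
 ID: uuid.Nil.String(),
 Roles: rbac.Roles([]rbac.Role{
 {
-Name: "testing",
+Name: rbac.RoleName{Name: "testing"},
 DisplayName: "Unit Tests",
 Site: rbac.Permissions(map[string][]policy.Action{
 rbac.ResourceWildcard.Type: {policy.WildcardSymbol},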

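--- a/enterprise/coderd/insights_test.go
+++ b/enterprise/coderd/insights_test.go
@@ -78,15 +78,15 @@ func TestTemplateInsightsWithRole(t *testing.T) {
 
 type test struct {
 interval codersdk.InsightsReportInterval
-role string
+role rbac.RoleName
 allowed bool
 }
 
 tests := []test{
 {codersdk.InsightsReportIntervalDay, rbac.RoleTemplateAdmin(), true},
 {"", rbac.RoleTemplateAdmin(), true},
-{codersdk.InsightsReportIntervalDay, "auditor", true},
-{"", "auditor", true},
+{codersdk.InsightsReportIntervalDay, rbac.RoleAuditor(), true},
+{"", rbac.RoleAuditor(), true},
 {codersdk.InsightsReportIntervalDay, rbac.RoleUserAdmin(), false},
 {"", rbac.RoleUserAdmin(), false},
 {codersdk.InsightsReportIntervalDay, rbac.RoleMember(), false},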

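--- a/enterprise/coderd/roles_test.go
+++ b/enterprise/coderd/roles_test.go
@@ -9,6 +9,7 @@ import (
 "github.com/stretchr/testify/require"
 
 "github.com/coder/coder/v2/coderd/coderdtest"
+"github.com/coder/coder/v2/coderd/rbac"
 "github.com/coder/coder/v2/codersdk"
 "github.com/coder/coder/v2/enterprise/coderd/coderdenttest"
 "github.com/coder/coder/v2/enterprise/coderd/license"
@@ -57,7 +58,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 require.NoError(t, err, "upsert role")
 
 // Assign the custom template admin role
-tmplAdmin, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, role.FullName())
+tmplAdmin, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.RoleName{Name: role.Name, OrganizationID: first.OrganizationID})
 
 // Assert the role exists
 // TODO: At present user roles are not returned by the user endpoints.
@@ -124,7 +125,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 require.ErrorContains(t, err, "roles are not enabled")
 
 // Assign the custom template admin role
-tmplAdmin, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, role.FullName())
+tmplAdmin, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.RoleName{Name: role.Name, OrganizationID: first.OrganizationID})
 
 // Try to create a template version, eg using the custom role
 coderdtest.CreateTemplateVersion(t, tmplAdmin, first.OrganizationID, nil)
@@ -152,7 +153,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 require.NoError(t, err, "upsert role")
 
 // Assign the custom template admin role
-tmplAdmin, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, role.FullName())
+tmplAdmin, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.RoleName{Name: role.Name, OrganizationID: first.OrganizationID})
 
 // Try to create a template version, eg using the custom role
 coderdtest.CreateTemplateVersion(t, tmplAdmin, first.OrganizationID, nil)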
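Review bot: The literal `rbac.RoleName{Name: role.Name, OrganizationID: first.OrganizationID}` now appears in all three hunks of TestCustomOrganizationRole where `role.FullName()` used to be, and nothing at the call sites says why the organization comes from `first` rather than from the upserted role. The old call took the scope from the role the API returned, so the tests presumably no longer exercise that value (the role's type is not visible here). I would add a comment at each site such as `// org-scoped role: pair the custom role's name with the org it was upserted into`. The subtests continue outside the hunks.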

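--- a/enterprise/coderd/userauth_test.go
+++ b/enterprise/coderd/userauth_test.go
@@ -66,7 +66,7 @@ func TestUserOIDC(t *testing.T) {
 cfg.AllowSignups = true
 cfg.UserRoleField = "roles"
 cfg.UserRoleMapping = map[string][]string{
-oidcRoleName: {rbac.RoleTemplateAdmin()},
+oidcRoleName: {rbac.RoleTemplateAdmin().String()},
 }
 },
 })
@@ -79,7 +79,7 @@ func TestUserOIDC(t *testing.T) {
 "roles": oidcRoleName,
 })
 require.Equal(t, http.StatusOK, resp.StatusCode)
-runner.AssertRoles(t, "alice", []string{rbac.RoleTemplateAdmin()})
+runner.AssertRoles(t, "alice", []string{rbac.RoleTemplateAdmin().String()})
 })
 
 // A user has some roles, then on an oauth refresh will lose said
@@ -92,23 +92,23 @@ func TestUserOIDC(t *testing.T) {
 
 const oidcRoleName = "TemplateAuthor"
 runner := setupOIDCTest(t, oidcTestConfig{
-Userinfo: jwt.MapClaims{oidcRoleName: []string{rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin()}},
+Userinfo: jwt.MapClaims{oidcRoleName: []string{rbac.RoleTemplateAdmin().String(), rbac.RoleUserAdmin().String()}},
 Config: func(cfg *coderd.OIDCConfig) {
 cfg.AllowSignups = true
 cfg.UserRoleField = "roles"
 cfg.UserRoleMapping = map[string][]string{
-oidcRoleName: {rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin()},
+oidcRoleName: {rbac.RoleTemplateAdmin().String(), rbac.RoleUserAdmin().String()},
 }
 },
 })
 
 // User starts with the owner role
 client, resp := runner.Login(t, jwt.MapClaims{
 "email": "alice@coder.com",
-"roles": []string{"random", oidcRoleName, rbac.RoleOwner()},
+"roles": []string{"random", oidcRoleName, rbac.RoleOwner().String()},
 })
 require.Equal(t, http.StatusOK, resp.StatusCode)
-runner.AssertRoles(t, "alice", []string{rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin(), rbac.RoleOwner()})
+runner.AssertRoles(t, "alice", []string{rbac.RoleTemplateAdmin().String(), rbac.RoleUserAdmin().String(), rbac.RoleOwner().String()})
 
 // Now refresh the oauth, and check the roles are removed.
 // Force a refresh, and assert nothing has changes
@@ -126,23 +126,23 @@ func TestUserOIDC(t *testing.T) {
 
 const oidcRoleName = "TemplateAuthor"
 runner := setupOIDCTest(t, oidcTestConfig{
-Userinfo: jwt.MapClaims{oidcRoleName: []string{rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin()}},
+Userinfo: jwt.MapClaims{oidcRoleName: []string{rbac.RoleTemplateAdmin().String(), rbac.RoleUserAdmin().String()}},
 Config: func(cfg *coderd.OIDCConfig) {
 cfg.AllowSignups = true
 cfg.UserRoleField = "roles"
 cfg.UserRoleMapping = map[string][]string{
-oidcRoleName: {rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin()},
+oidcRoleName: {rbac.RoleTemplateAdmin().String(), rbac.RoleUserAdmin().String()},
 }
 },
 })
 
 // User starts with the owner role
 _, resp := runner.Login(t, jwt.MapClaims{
 "email": "alice@coder.com",
-"roles": []string{"random", oidcRoleName, rbac.RoleOwner()},
+"roles": []string{"random", oidcRoleName, rbac.RoleOwner().String()},
 })
 require.Equal(t, http.StatusOK, resp.StatusCode)
-runner.AssertRoles(t, "alice", []string{rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin(), rbac.RoleOwner()})
+runner.AssertRoles(t, "alice", []string{rbac.RoleTemplateAdmin().String(), rbac.RoleUserAdmin().String(), rbac.RoleOwner().String()})
 
 // Now login with oauth again, and check the roles are removed.
 _, resp = runner.Login(t, jwt.MapClaims{
@@ -175,7 +175,7 @@ func TestUserOIDC(t *testing.T) {
 ctx := testutil.Context(t, testutil.WaitShort)
 _, err := runner.AdminClient.UpdateUserRoles(ctx, "alice", codersdk.UpdateRoles{
 Roles: []string{
-rbac.RoleTemplateAdmin(),
+rbac.RoleTemplateAdmin().String(),
 },
 })
 require.Error(t, err)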
