
Commit e05b286

committed
add dbauthz test
1 parent 45225e4 commit e05b286


2 files changed

+67
-36
lines changed


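--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -1476,6 +1476,7 @@ func (s *MethodTestSuite) TestWorkspace() {
 _ = dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{ID: build.JobID, Type: database.ProvisionerJobTypeWorkspaceBuild})
 res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: build.JobID})
 _ = dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
+// No asserts here because SQLFilter.
 check.Args(ws.OwnerID).Asserts()
 }))
 s.Run("GetAuthorizedWorkspacesAndAgentsByOwnerID", s.Subtest(func(db database.Store, check *expects) {
@@ -1484,6 +1485,7 @@ func (s *MethodTestSuite) TestWorkspace() {
 _ = dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{ID: build.JobID, Type: database.ProvisionerJobTypeWorkspaceBuild})
 res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: build.JobID})
 _ = dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
+// No asserts here because SQLFilter.
 check.Args(ws.OwnerID, emptyPreparedAuthorized{}).Asserts()
 }))
 s.Run("GetLatestWorkspaceBuildByWorkspaceID", s.Subtest(func(db database.Store, check *expects) {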
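Review bot: The added comment `// No asserts here because SQLFilter.` (both subtests) explains why `Asserts()` is empty but not where the authorization behaviour is verified instead, which is the first thing a reader auditing authz coverage will look for. Since these are the only lines documenting an intentionally unchecked RBAC expectation, I would spell it out, for example `// No asserts here: authorization is applied by the SQL filter, which is exercised in TestGetAuthorizedWorkspacesAndAgentsByOwnerID (querier_test.go).` The enclosing TestWorkspace function starts and ends outside these hunks, so I am assuming the other SQL-filtered methods in the suite follow the same convention.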

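--- a/coderd/database/querier_test.go
+++ b/coderd/database/querier_test.go
@@ -625,6 +625,7 @@ func TestGetAuthorizedWorkspacesAndAgentsByOwnerID(t *testing.T) {
 err := migrations.Up(sqlDB)
 require.NoError(t, err)
 db := database.New(sqlDB)
+authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 
 org := dbgen.Organization(t, db, database.Organization{})
 owner := dbgen.User(t, db, database.User{
@@ -669,44 +670,72 @@ func TestGetAuthorizedWorkspacesAndAgentsByOwnerID(t *testing.T) {
 CreateAgent: false,
 })
 
-authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
-userSubject, _, err := httpmw.UserRBACSubject(ctx, db, user.ID, rbac.ExpandableScope(rbac.ScopeAll))
-require.NoError(t, err)
-preparedUser, err := authorizer.Prepare(ctx, userSubject, policy.ActionRead, rbac.ResourceWorkspace.Type)
-require.NoError(t, err)
-userCtx := dbauthz.As(ctx, userSubject)
-userRows, err := db.GetAuthorizedWorkspacesAndAgentsByOwnerID(userCtx, owner.ID, preparedUser)
-require.NoError(t, err)
-require.Len(t, userRows, 0)
-
-ownerSubject, _, err := httpmw.UserRBACSubject(ctx, db, owner.ID, rbac.ExpandableScope(rbac.ScopeAll))
-require.NoError(t, err)
-preparedOwner, err := authorizer.Prepare(ctx, ownerSubject, policy.ActionRead, rbac.ResourceWorkspace.Type)
-require.NoError(t, err)
-ownerCtx := dbauthz.As(ctx, ownerSubject)
-ownerRows, err := db.GetAuthorizedWorkspacesAndAgentsByOwnerID(ownerCtx, owner.ID, preparedOwner)
-require.NoError(t, err)
-require.Len(t, ownerRows, 4)
-for _, row := range ownerRows {
-switch row.ID {
-case pendingID:
-require.Len(t, row.Agents, 1)
-require.Equal(t, database.ProvisionerJobStatusPending, row.JobStatus)
-case failedID:
-require.Len(t, row.Agents, 1)
-require.Equal(t, database.ProvisionerJobStatusFailed, row.JobStatus)
-case succeededID:
-require.Len(t, row.Agents, 2)
-require.Equal(t, database.ProvisionerJobStatusSucceeded, row.JobStatus)
-require.Equal(t, database.WorkspaceTransitionStart, row.Transition)
-case deletedID:
-require.Len(t, row.Agents, 0)
-require.Equal(t, database.ProvisionerJobStatusSucceeded, row.JobStatus)
-require.Equal(t, database.WorkspaceTransitionDelete, row.Transition)
-default:
-t.Fatalf("unexpected workspace ID: %s", row.ID)
+ownerCheckFn := func(ownerRows []database.GetWorkspacesAndAgentsByOwnerIDRow) {
+require.Len(t, ownerRows, 4)
+for _, row := range ownerRows {
+switch row.ID {
+case pendingID:
+require.Len(t, row.Agents, 1)
+require.Equal(t, database.ProvisionerJobStatusPending, row.JobStatus)
+case failedID:
+require.Len(t, row.Agents, 1)
+require.Equal(t, database.ProvisionerJobStatusFailed, row.JobStatus)
+case succeededID:
+require.Len(t, row.Agents, 2)
+require.Equal(t, database.ProvisionerJobStatusSucceeded, row.JobStatus)
+require.Equal(t, database.WorkspaceTransitionStart, row.Transition)
+case deletedID:
+require.Len(t, row.Agents, 0)
+require.Equal(t, database.ProvisionerJobStatusSucceeded, row.JobStatus)
+require.Equal(t, database.WorkspaceTransitionDelete, row.Transition)
+default:
+t.Fatalf("unexpected workspace ID: %s", row.ID)
+}
 }
 }
+t.Run("sqlQuerier", func(t *testing.T) {
+t.Parallel()
+
+userSubject, _, err := httpmw.UserRBACSubject(ctx, db, user.ID, rbac.ExpandableScope(rbac.ScopeAll))
+require.NoError(t, err)
+preparedUser, err := authorizer.Prepare(ctx, userSubject, policy.ActionRead, rbac.ResourceWorkspace.Type)
+require.NoError(t, err)
+userCtx := dbauthz.As(ctx, userSubject)
+userRows, err := db.GetAuthorizedWorkspacesAndAgentsByOwnerID(userCtx, owner.ID, preparedUser)
+require.NoError(t, err)
+require.Len(t, userRows, 0)
+
+ownerSubject, _, err := httpmw.UserRBACSubject(ctx, db, owner.ID, rbac.ExpandableScope(rbac.ScopeAll))
+require.NoError(t, err)
+preparedOwner, err := authorizer.Prepare(ctx, ownerSubject, policy.ActionRead, rbac.ResourceWorkspace.Type)
+require.NoError(t, err)
+ownerCtx := dbauthz.As(ctx, ownerSubject)
+ownerRows, err := db.GetAuthorizedWorkspacesAndAgentsByOwnerID(ownerCtx, owner.ID, preparedOwner)
+require.NoError(t, err)
+ownerCheckFn(ownerRows)
+})
+
+t.Run("dbauthz", func(t *testing.T) {
+t.Parallel()
+
+authzdb := dbauthz.New(db, authorizer, slogtest.Make(t, &slogtest.Options{}), coderdtest.AccessControlStorePointer())
+
+userSubject, _, err := httpmw.UserRBACSubject(ctx, authzdb, user.ID, rbac.ExpandableScope(rbac.ScopeAll))
+require.NoError(t, err)
+userCtx := dbauthz.As(ctx, userSubject)
+
+ownerSubject, _, err := httpmw.UserRBACSubject(ctx, authzdb, owner.ID, rbac.ExpandableScope(rbac.ScopeAll))
+require.NoError(t, err)
+ownerCtx := dbauthz.As(ctx, ownerSubject)
+
+userRows, err := authzdb.GetWorkspacesAndAgentsByOwnerID(userCtx, owner.ID)
+require.NoError(t, err)
+require.Len(t, userRows, 0)
+
+ownerRows, err := authzdb.GetWorkspacesAndAgentsByOwnerID(ownerCtx, owner.ID)
+require.NoError(t, err)
+ownerCheckFn(ownerRows)
+})
 }
 
 func TestInsertWorkspaceAgentLogs(t *testing.T) {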
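Review bot: `ownerCheckFn` closes over the parent test's `t`, yet it is called from inside the two `t.Parallel()` subtests, so a failed `require.Len(t, ...)` or the `t.Fatalf` in the `default:` branch calls FailNow on the parent from a subtest goroutine. The testing package requires FailNow to be called from the goroutine running that test, so a regression in the authorization filter could be reported against the wrong test or as a "subtest may have called FailNow on a parent test" panic rather than a clean assertion failure. Pass the subtest's `t` explicitly: `ownerCheckFn := func(t *testing.T, ownerRows []database.GetWorkspacesAndAgentsByOwnerIDRow) {` and call it as `ownerCheckFn(t, ownerRows)` in both subtests. Separately, because parallel subtests only run after the parent function body returns, the setup of `ctx` and `sqlDB` (outside this hunk) should release them via `t.Cleanup` rather than `defer`; I cannot see that from here.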
