Fix authorize calls for group endpoints

Emyrk · Emyrk · commit ea84bc6625fd · 2022-09-23T11:54:23.000-04:00
diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go
@@ -27,6 +27,7 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 	workspaceRBACObj := rbac.ResourceWorkspace.InOrg(a.Organization.ID).WithOwner(a.Workspace.OwnerID.String())
 	workspaceExecObj := rbac.ResourceWorkspaceExecution.InOrg(a.Organization.ID).WithOwner(a.Workspace.OwnerID.String())
 	applicationConnectObj := rbac.ResourceWorkspaceApplicationConnect.InOrg(a.Organization.ID).WithOwner(a.Workspace.OwnerID.String())
+	groupObj := rbac.ResourceGroup.InOrg(a.Organization.ID)
 
 	// skipRoutes allows skipping routes from being checked.
 	skipRoutes := map[string]string{
@@ -243,16 +244,29 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 		"GET:/api/v2/users":                      {StatusCode: http.StatusOK, AssertObject: rbac.ResourceUser},
 		"GET:/api/v2/applications/auth-redirect": {AssertAction: rbac.ActionCreate, AssertObject: rbac.ResourceAPIKey},
 
+		"DELETE:/api/v2/groups/{group}": {
+			AssertAction: rbac.ActionDelete,
+			AssertObject: groupObj,
+		},
+		"PATCH:/api/v2/groups/{group}": {
+			AssertAction: rbac.ActionUpdate,
+			AssertObject: groupObj,
+		},
+		"GET:/api/v2/groups/{group}": {
+			AssertAction: rbac.ActionRead,
+			AssertObject: groupObj,
+		},
+		"GET:/api/v2/organizations/{organization}/groups/": {
+			StatusCode:   http.StatusOK,
+			AssertAction: rbac.ActionRead,
+			AssertObject: groupObj,
+		},
+
 		// These endpoints need payloads to get to the auth part. Payloads will be required
 		"PUT:/api/v2/users/{user}/roles":                                {StatusCode: http.StatusBadRequest, NoAuthorize: true},
 		"PUT:/api/v2/organizations/{organization}/members/{user}/roles": {NoAuthorize: true},
 		"POST:/api/v2/workspaces/{workspace}/builds":                    {StatusCode: http.StatusBadRequest, NoAuthorize: true},
 		"POST:/api/v2/organizations/{organization}/templateversions":    {StatusCode: http.StatusBadRequest, NoAuthorize: true},
-
-		// TODO: @emyrk @jonayers Fix this unit test by using a valid group
-		"DELETE:/api/v2/groups/{group}": {StatusCode: http.StatusBadRequest, NoAuthorize: true},
-		"PATCH:/api/v2/groups/{group}":  {StatusCode: http.StatusBadRequest, NoAuthorize: true},
-		"GET:/api/v2/groups/{group}":    {StatusCode: http.StatusBadRequest, NoAuthorize: true},
 	}
 
 	// Routes like proxy routes support all HTTP methods. A helper func to expand
@@ -360,6 +374,10 @@ func NewAuthTester(ctx context.Context, t *testing.T, client *codersdk.Client, a
 		ParameterValues: []codersdk.CreateParameterRequest{},
 	})
 	require.NoError(t, err, "template version dry-run")
+	group, err := client.CreateGroup(ctx, admin.OrganizationID, codersdk.CreateGroupRequest{
+		Name: "testgroup",
+	})
+	require.NoError(t, err, "create group")
 
 	templateParam, err := client.CreateParameter(ctx, codersdk.ParameterTemplate, template.ID, codersdk.CreateParameterRequest{
 		Name:              "test-param",
@@ -385,6 +403,7 @@ func NewAuthTester(ctx context.Context, t *testing.T, client *codersdk.Client, a
 		"{jobID}":               templateVersionDryRun.ID.String(),
 		"{templatename}":        template.Name,
 		"{workspace_and_agent}": workspace.Name + "." + workspaceResources[0].Agents[0].Name,
+		"{group}":               group.ID.String(),
 		// Only checking template scoped params here
 		"parameters/{scope}/{id}": fmt.Sprintf("parameters/%s/%s",
 			string(templateParam.Scope), templateParam.ScopeID.String()),
diff --git a/coderd/groups.go b/coderd/groups.go
@@ -56,7 +56,7 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
 		group = httpmw.GroupParam(r)
 	)
 
-	if !api.Authorize(r, rbac.ActionUpdate, rbac.ResourceGroup) {
+	if !api.Authorize(r, rbac.ActionUpdate, group) {
 		http.NotFound(rw, r)
 		return
 	}
@@ -162,7 +162,7 @@ func (api *API) deleteGroup(rw http.ResponseWriter, r *http.Request) {
 		group = httpmw.GroupParam(r)
 	)
 
-	if !api.Authorize(r, rbac.ActionDelete, rbac.ResourceGroup) {
+	if !api.Authorize(r, rbac.ActionDelete, group) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
@@ -184,7 +184,7 @@ func (api *API) group(rw http.ResponseWriter, r *http.Request) {
 		group = httpmw.GroupParam(r)
 	)
 
-	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceGroup) {
+	if !api.Authorize(r, rbac.ActionRead, group) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
@@ -204,27 +204,21 @@ func (api *API) groups(rw http.ResponseWriter, r *http.Request) {
 		org = httpmw.OrganizationParam(r)
 	)
 
-	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceGroup) {
-		httpapi.ResourceNotFound(rw)
-		return
-	}
-
 	groups, err := api.Database.GetGroupsByOrganizationID(ctx, org.ID)
 	if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
 		httpapi.InternalServerError(rw, err)
 		return
 	}
 
-	// Filter templates based on rbac permissions
-	// TODO: authorize filters.
-	// groups, err = AuthorizeFilter(api.HTTPAuth, r, rbac.ActionRead, groups)
-	// if err != nil {
-	// 	httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
-	// 		Message: "Internal error fetching templates.",
-	// 		Detail:  err.Error(),
-	// 	})
-	// 	return
-	// }
+	// Filter groups based on rbac permissions
+	groups, err = AuthorizeFilter(api.HTTPAuth, r, rbac.ActionRead, groups)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching groups.",
+			Detail:  err.Error(),
+		})
+		return
+	}
 
 	resp := make([]codersdk.Group, 0, len(groups))
 	for _, group := range groups {
