Push some new test and recoding logic

Emyrk · Emyrk · commit ff735100a0be · 2023-01-26T16:44:19.000-06:00
diff --git a/coderd/authzquery/authz_test.go b/coderd/authzquery/authz_test.go
@@ -4,6 +4,14 @@ import (
 	"context"
 	"reflect"
 	"testing"
+	"time"
+
+	"github.com/moby/moby/pkg/namesgenerator"
+
+	"github.com/coder/coder/testutil"
+
+	"github.com/coder/coder/coderd/database"
+	"github.com/stretchr/testify/require"
 
 	"github.com/google/uuid"
 
@@ -41,3 +49,128 @@ func TestAuthzQueryRecursive(t *testing.T) {
 		reflect.ValueOf(q).Method(i).Call(ins)
 	}
 }
+
+type authorizeTest struct {
+	Data func(t *testing.T, tc *authorizeTest) map[string]interface{}
+	// Test is all the calls to the AuthzStore
+	Test func(ctx context.Context, t *testing.T, tc *authorizeTest, q authzquery.AuthzStore)
+	// Assert is the objects and the expected RBAC calls.
+	// If 2 reads are expected on the same object, pass in 2 rbac.Reads.
+	Asserts map[string][]rbac.Action
+
+	names map[string]uuid.UUID
+}
+
+func (tc *authorizeTest) Lookup(name string) uuid.UUID {
+	if tc.names == nil {
+		tc.names = make(map[string]uuid.UUID)
+	}
+	if id, ok := tc.names[name]; ok {
+		return id
+	}
+	id := uuid.New()
+	tc.names[name] = id
+	return id
+}
+
+func testAuthorizeFunction(t *testing.T, testCase *authorizeTest) {
+	t.Helper()
+
+	// The actor does not really matter since all authz calls will succeed.
+	actor := rbac.Subject{
+		ID:     uuid.New().String(),
+		Roles:  rbac.RoleNames{},
+		Groups: []string{},
+		Scope:  rbac.ScopeAll,
+	}
+
+	// Always use a fake database.
+	db := databasefake.New()
+
+	// Record all authorization calls. This will allow all authorization calls
+	// to succeed.
+	rec := &coderdtest.RecordingAuthorizer{}
+	q := authzquery.NewAuthzQuerier(db, rec)
+
+	// Setup Context
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+	ctx = authzquery.WithAuthorizeContext(ctx, actor)
+	t.Cleanup(cancel)
+
+	// Seed all data into the database that is required for the test.
+	data := setupTestData(t, testCase, db, ctx)
+
+	// Run the test.
+	testCase.Test(ctx, t, testCase, q)
+
+	// Asset RBAC calls.
+	pairs := make([]coderdtest.ActionObjectPair, 0)
+	for objectName, asserts := range testCase.Asserts {
+		object := data[objectName]
+		for _, assert := range asserts {
+			pairs = append(pairs, rec.Pair(assert, object))
+		}
+	}
+	rec.UnorderedAssertActor(t, actor, pairs...)
+	require.NoError(t, rec.AllAsserted(), "all authz checks asserted")
+}
+
+func setupTestData(t *testing.T, testCase *authorizeTest, db database.Store, ctx context.Context) map[string]rbac.Objecter {
+	rbacObjects := make(map[string]rbac.Objecter)
+	// Setup the test data.
+	orgID := uuid.New()
+	data := testCase.Data(t, testCase)
+	for name, v := range data {
+		switch orig := v.(type) {
+		case database.Template:
+			template, err := db.InsertTemplate(ctx, database.InsertTemplateParams{
+				ID:                           testCase.Lookup(name),
+				CreatedAt:                    time.Now(),
+				UpdatedAt:                    time.Now(),
+				OrganizationID:               takeFirst(orig.OrganizationID, orgID),
+				Name:                         takeFirst(orig.Name, namesgenerator.GetRandomName(1)),
+				Provisioner:                  takeFirst(orig.Provisioner, database.ProvisionerTypeEcho),
+				ActiveVersionID:              takeFirst(orig.ActiveVersionID, uuid.New()),
+				Description:                  takeFirst(orig.Description, namesgenerator.GetRandomName(1)),
+				DefaultTTL:                   takeFirst(orig.DefaultTTL, 3600),
+				CreatedBy:                    takeFirst(orig.CreatedBy, uuid.New()),
+				Icon:                         takeFirst(orig.Icon, namesgenerator.GetRandomName(1)),
+				UserACL:                      orig.UserACL,
+				GroupACL:                     orig.GroupACL,
+				DisplayName:                  takeFirst(orig.DisplayName, namesgenerator.GetRandomName(1)),
+				AllowUserCancelWorkspaceJobs: takeFirst(orig.AllowUserCancelWorkspaceJobs, true),
+			})
+			require.NoError(t, err, "insert template")
+
+			// Reinsert the template.
+			data[name] = template
+			rbacObjects[name] = template
+		case database.Workspace:
+			workspace, err := db.InsertWorkspace(ctx, database.InsertWorkspaceParams{
+				ID:                testCase.Lookup(name),
+				CreatedAt:         time.Now(),
+				UpdatedAt:         time.Now(),
+				OrganizationID:    takeFirst(orig.OrganizationID, orgID),
+				TemplateID:        takeFirst(orig.TemplateID, uuid.New()),
+				Name:              takeFirst(orig.Name, namesgenerator.GetRandomName(1)),
+				AutostartSchedule: orig.AutostartSchedule,
+				Ttl:               orig.Ttl,
+			})
+			require.NoError(t, err, "insert workspace")
+
+			// Reinsert the workspace.
+			data[name] = workspace
+			rbacObjects[name] = workspace
+		}
+	}
+	return rbacObjects
+}
+
+// takeFirst will take the first non empty value.
+func takeFirst[Value comparable](def Value, next Value) Value {
+	var empty Value
+	if def == empty {
+		return next
+	}
+	return def
+}
diff --git a/coderd/authzquery/authzquerier.go b/coderd/authzquery/authzquerier.go
@@ -23,6 +23,9 @@ var _ database.Store = (*AuthzQuerier)(nil)
 type AuthzQuerier struct {
 	database   database.Store
 	authorizer rbac.Authorizer
+
+	// constantActor makes all actors on context ignored.
+	constantActor *rbac.Subject
 }
 
 func NewAuthzQuerier(db database.Store, authorizer rbac.Authorizer) *AuthzQuerier {
@@ -50,6 +53,10 @@ func (q *AuthzQuerier) InTx(function func(querier database.Store) error, txOpts
 	}, txOpts)
 }
 
+func (q *AuthzQuerier) As(subject rbac.Subject) database.Store {
+	return NewAuthzQuerier(q.database, q.authorizer, subject)
+}
+
 // authorizeContext is a helper function to authorize an action on an object.
 func (q *AuthzQuerier) authorizeContext(ctx context.Context, action rbac.Action, object rbac.Objecter) error {
 	act, ok := actorFromContext(ctx)
diff --git a/coderd/authzquery/workspace_test.go b/coderd/authzquery/workspace_test.go
@@ -19,6 +19,56 @@ import (
 	"github.com/coder/coder/coderd/database/databasefake"
 )
 
+func TestWorkspaceFunctions(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		Name   string
+		Config *authorizeTest
+	}{
+		{
+			Name: "GetByID",
+			Config: &authorizeTest{
+				Data: func(t *testing.T, tc *authorizeTest) map[string]interface{} {
+					return map[string]interface{}{
+						"u-one": database.User{},
+						"w-one": database.Workspace{
+							Name:       "peter-pan",
+							OwnerID:    tc.Lookup("u-one"),
+							TemplateID: tc.Lookup("t-one"),
+						},
+						"t-one": database.Template{},
+					}
+				},
+				Test: func(ctx context.Context, t *testing.T, tc *authorizeTest, q authzquery.AuthzStore) {
+					wrk, err := q.GetWorkspaceByID(ctx, tc.Lookup("w-one"))
+					require.NoError(t, err)
+
+					wrk, err = q.GetWorkspaceByID(ctx, tc.Lookup("w-one"))
+					require.NoError(t, err)
+
+					_, err = q.GetTemplateByID(ctx, wrk.TemplateID)
+					require.NoError(t, err)
+				},
+				Asserts: map[string][]rbac.Action{
+					"w-one": {rbac.ActionRead, rbac.ActionRead},
+					"t-one": {rbac.ActionRead},
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.Name, func(t *testing.T) {
+			t.Parallel()
+
+			testAuthorizeFunction(t, tc.Config)
+		})
+	}
+
+}
+
 func TestWorkspace(t *testing.T) {
 	// GetWorkspaceByID
 	var (
diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go
@@ -576,7 +576,35 @@ func (r *RecordingAuthorizer) AllAsserted() error {
 	return nil
 }
 
-// AssertActor asserts in order.
+// UnorderedAssertActor is the same as AssertActor, except it doesn't care about
+// order. It will assert the first call that matches the actor and pair.
+// It will not assert the same call twice, so if there is a duplicate assertion,
+// the pair will need to be passed in twice.
+func (r *RecordingAuthorizer) UnorderedAssertActor(t *testing.T, actor rbac.Subject, dids ...ActionObjectPair) {
+	for _, did := range dids {
+		found := false
+	InnerCalledLoop:
+		for i, c := range r.Called {
+			if c.asserted {
+				// Do not assert an already asserted call.
+				continue
+			}
+
+			if c.Action == did.Action &&
+				c.Object.Equal(did.Object) &&
+				c.Actor.Equal(actor) {
+
+				r.Called[i].asserted = true
+				found = true
+				break InnerCalledLoop
+			}
+		}
+		require.Truef(t, found, "did not find call for %s %s", did.Action, did.Object.Type)
+	}
+}
+
+// AssertActor asserts in order. If the order of authz calls does not match,
+// this will fail.
 func (r *RecordingAuthorizer) AssertActor(t *testing.T, actor rbac.Subject, did ...ActionObjectPair) {
 	ptr := 0
 	for i, call := range r.Called {
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -6,6 +6,8 @@ import (
 	"sync"
 	"time"
 
+	"github.com/coder/coder/coderd/util/slice"
+
 	"github.com/open-policy-agent/opa/rego"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
@@ -26,6 +28,25 @@ type Subject struct {
 	Scope  ExpandableScope
 }
 
+func (s Subject) Equal(b Subject) bool {
+	if s.ID != b.ID {
+		return false
+	}
+
+	if !slice.SameElements(s.Groups, b.Groups) {
+		return false
+	}
+
+	if !slice.SameElements(s.SafeRoleNames(), b.SafeRoleNames()) {
+		return false
+	}
+
+	if s.SafeScopeName() != b.SafeScopeName() {
+		return false
+	}
+	return true
+}
+
 // SafeScopeName prevent nil pointer dereference.
 func (s Subject) SafeScopeName() string {
 	if s.Scope == nil {
diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -176,6 +176,23 @@ type Object struct {
 	ACLGroupList map[string][]Action ` json:"acl_group_list"`
 }
 
+func (z Object) Equal(b Object) bool {
+	if z.ID != b.ID {
+		return false
+	}
+	if z.Owner != b.Owner {
+		return false
+	}
+	if z.OrgID != b.OrgID {
+		return false
+	}
+	if z.Type != b.Type {
+		return false
+	}
+	// TODO: Handle ACLS
+	return true
+}
+
 func (z Object) RBACObject() Object {
 	return z
 }
diff --git a/coderd/util/slice/slice.go b/coderd/util/slice/slice.go
@@ -1,5 +1,20 @@
 package slice
 
+// SameElements returns true if the 2 lists have the same elements in any
+// order.
+func SameElements[T comparable](a []T, b []T) bool {
+	if len(a) != len(b) {
+		return false
+	}
+
+	for _, element := range a {
+		if !Contains(b, element) {
+			return false
+		}
+	}
+	return true
+}
+
 func ContainsCompare[T any](haystack []T, needle T, equal func(a, b T) bool) bool {
 	for _, hay := range haystack {
 		if equal(needle, hay) {
