DELETE license API endpoint #3697
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Spike Curtis <spike@coder.com>
Signed-off-by: Spike Curtis <spike@coder.com>
Emyrk
approved these changes
Aug 25, 2022
Comment on lines
+121
to
+141
| urlParameters := map[string]string{ | ||
| "{organization}": admin.OrganizationID.String(), | ||
| "{user}": admin.UserID.String(), | ||
| "{organizationname}": organization.Name, | ||
| "{workspace}": workspace.ID.String(), | ||
| "{workspacebuild}": workspace.LatestBuild.ID.String(), | ||
| "{workspacename}": workspace.Name, | ||
| "{workspacebuildname}": workspace.LatestBuild.Name, | ||
| "{workspaceagent}": workspaceResources[0].Agents[0].ID.String(), | ||
| "{buildnumber}": strconv.FormatInt(int64(workspace.LatestBuild.BuildNumber), 10), | ||
| "{template}": template.ID.String(), | ||
| "{hash}": file.Hash, | ||
| "{workspaceresource}": workspaceResources[0].ID.String(), | ||
| "{workspaceapp}": workspaceResources[0].Agents[0].Apps[0].Name, | ||
| "{templateversion}": version.ID.String(), | ||
| "{jobID}": templateVersionDryRun.ID.String(), | ||
| "{templatename}": template.Name, | ||
| // Only checking template scoped params here | ||
| "parameters/{scope}/{id}": fmt.Sprintf("parameters/%s/%s", | ||
| string(templateParam.Scope), templateParam.ScopeID.String()), | ||
| } |
| @@ -422,32 +445,18 @@ func (a *AuthTester) Test(ctx context.Context, assertRoute map[string]RouteCheck | |||
| } | |||
| a.t.Run(name, func(t *testing.T) { | |||
| a.authorizer.reset() | |||
| routeAssertions, ok := assertRoute[strings.TrimRight(name, "/")] | |||
| routeKey := strings.TrimRight(name, "/") | |||
| routeAssertions, ok := assertRoute[routeKey] | |||
| if !ok { | |||
| // By default, all omitted routes check for just "authorize" called | |||
There was a problem hiding this comment.
I think we need to drop this comment then? This was initially done because I was lazy, but I totally see how it allowed some routes to drift 🤦♂️
There was a problem hiding this comment.
I still think it's fine for routes in the walk not to be in assertRoute and us just check that auth is called.
The issue is that there were entries in the assertRoute that were not present in the walk. Those entries asserted particular RBAC actions and objects, but because the routes were misspelled, the assertions were never checked.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
First PR for #3281
Follow on PR will include the CLI command.
@Emyrk In addition to the DELETE API, I've added a new check to the TestAuthorizeAllEndpoints test, which asserts that each route assertion actually gets checked during the API walk. As it turns out, some of them were not getting hit, and we were silently thinking that certain RBAC assertions were being checked when they were not. Most were simple errors in the parameter names in the paths (this could be due to drift in the API definition). But, there were some where the RBAC check is actually different, so I would like you to take a look at the updates to the assertions.