Re-enable test
Emyrk committed Sep 22, 2022
commit 67e029fe2a731fad2509a172fd6f17fcd8100e60
43 changes: 21 additions & 22 deletions coderd/rbac/authz_internal_test.go
Expand Up @@ -348,15 +348,15 @@ func TestAuthorizeDomain(t *testing.T) {
},
}

testAuthorize(t, "WorkspaceToken", user,
testAuthorize(t, "ApplicationToken", user,
// Create (connect) Actions
cases(func(c authTestCase) authTestCase {
c.actions = []Action{ActionCreate}
return c
}, []authTestCase{
// Org + me
{resource: ResourceWorkspaceApplicationConnect.InOrg(defOrg).WithOwner(user.UserID), allow: true},
{resource: ResourceWorkspaceApplicationConnect.InOrg(defOrg), allow: true},
{resource: ResourceWorkspaceApplicationConnect.InOrg(defOrg), allow: false},

{resource: ResourceWorkspaceApplicationConnect.WithOwner(user.UserID), allow: true},

Expand Down Expand Up @@ -664,17 +664,17 @@ func TestAuthorizeScope(t *testing.T) {
var _ = unusedID

testAuthorize(t, "Admin_ScopeApplicationConnect", user, []authTestCase{
//{resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.UserID), actions: allActions(), allow: false},
//{resource: ResourceWorkspace.InOrg(defOrg), actions: allActions(), allow: false},
//{resource: ResourceWorkspace.WithOwner(user.UserID), actions: allActions(), allow: false},
//{resource: ResourceWorkspace.All(), actions: allActions(), allow: false},
//{resource: ResourceWorkspace.InOrg(unusedID).WithOwner(user.UserID), actions: allActions(), allow: false},
//{resource: ResourceWorkspace.InOrg(unusedID), actions: allActions(), allow: false},
//{resource: ResourceWorkspace.InOrg(defOrg).WithOwner("not-me"), actions: allActions(), allow: false},
//{resource: ResourceWorkspace.WithOwner("not-me"), actions: allActions(), allow: false},
//{resource: ResourceWorkspace.InOrg(unusedID).WithOwner("not-me"), actions: allActions(), allow: false},
//{resource: ResourceWorkspace.InOrg(unusedID), actions: allActions(), allow: false},
//{resource: ResourceWorkspace.WithOwner("not-me"), actions: allActions(), allow: false},
{resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.UserID), actions: allActions(), allow: false},
{resource: ResourceWorkspace.InOrg(defOrg), actions: allActions(), allow: false},
{resource: ResourceWorkspace.WithOwner(user.UserID), actions: allActions(), allow: false},
{resource: ResourceWorkspace.All(), actions: allActions(), allow: false},
{resource: ResourceWorkspace.InOrg(unusedID).WithOwner(user.UserID), actions: allActions(), allow: false},
{resource: ResourceWorkspace.InOrg(unusedID), actions: allActions(), allow: false},
{resource: ResourceWorkspace.InOrg(defOrg).WithOwner("not-me"), actions: allActions(), allow: false},
{resource: ResourceWorkspace.WithOwner("not-me"), actions: allActions(), allow: false},
{resource: ResourceWorkspace.InOrg(unusedID).WithOwner("not-me"), actions: allActions(), allow: false},
{resource: ResourceWorkspace.InOrg(unusedID), actions: allActions(), allow: false},
{resource: ResourceWorkspace.WithOwner("not-me"), actions: allActions(), allow: false},

// Allowed by scope:
{resource: ResourceWorkspaceApplicationConnect.InOrg(defOrg).WithOwner("not-me"), actions: []Action{ActionCreate}, allow: true},
Expand Down Expand Up @@ -747,16 +747,15 @@ func testAuthorize(t *testing.T, name string, subject subject, sets ...[]authTes
// Also check the rego policy can form a valid partial query result.
// This ensures we can convert the queries into SQL WHERE clauses in the future.
// If this function returns 'Support' sections, then we cannot convert the query into SQL.
if len(partialAuthz.partialQueries.Support) > 0 {
d, _ := json.Marshal(partialAuthz.input)
t.Logf("input: %s", string(d))
for _, q := range partialAuthz.partialQueries.Queries {
t.Logf("query: %+v", q.String())
}
for _, s := range partialAuthz.partialQueries.Support {
t.Logf("support: %+v", s.String())
}
d, _ := json.Marshal(partialAuthz.input)
t.Logf("input: %s", string(d))
for _, q := range partialAuthz.partialQueries.Queries {
t.Logf("query: %+v", q.String())
}
for _, s := range partialAuthz.partialQueries.Support {
t.Logf("support: %+v", s.String())
}

require.Equal(t, 0, len(partialAuthz.partialQueries.Support), "expected 0 support rules in scope authorizer")

partialErr := partialAuthz.Authorize(ctx, c.resource)
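Review bot: In the TestAuthorizeDomain hunk the expected decision for `ResourceWorkspaceApplicationConnect.InOrg(defOrg)` with `ActionCreate` is flipped (the page prints an `allow: true` row followed by an `allow: false` row, which read as old and new), yet neither the commit message nor the test says why an authorization outcome changed. The row also still sits under `// Org + me` although it carries no owner. I would give it its own comment, for example `// Org only, no owner: connect must be denied`, so that a later edit to the policy or to this table cannot silently flip it back. The body of TestAuthorizeDomain starts and ends outside the hunk, so whether the roles on `user` justify the denial cannot be checked from here.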