test: Roles, sets, permissions, iterators

Emyrk · Emyrk · commit bbd1c4c05703 · 2022-04-01T14:20:06.000-05:00
diff --git a/coderd/authz/authztest/iterator_test.go b/coderd/authz/authztest/iterator_test.go
@@ -11,30 +11,41 @@ import (
 )
 
 func TestUnion(t *testing.T) {
-	for i := 0; i < 10; i++ {
+	for i := 0; i < 100; i++ {
 		allPerms := make(authztest.Set, 0)
 		// 2 - 4 sets
-		sets := make([]authztest.Set, 2+must(crand.Intn(2)))
+		sets := make([]authztest.Set, 1+must(crand.Intn(2)))
 		for j := range sets {
-			sets[j] = make(authztest.Set, 1+must(crand.Intn(4)))
+			sets[j] = RandomSet(1 + must(crand.Intn(4)))
 			allPerms = append(allPerms, sets[j]...)
 		}
 
-		u := authztest.Union(sets...)
-		require.Equal(t, len(allPerms), u.Size(), "union set total")
-		require.Equal(t, 1, u.ReturnSize(), "union ret size is 1")
+		ui := authztest.Union(sets...).Iterator()
+		require.Equal(t, len(allPerms), ui.Size(), "union set total")
+		require.Equal(t, 1, ui.ReturnSize(), "union ret size is 1")
 		for c := 0; ; c++ {
-			require.Equal(t, allPerms[c], u.Permission(), "permission order")
-			require.Equal(t, 1, len(u.Permissions()), "permissions size")
-			require.Equal(t, allPerms[c], u.Permissions()[0], "permission order")
-			if !u.Next() {
+			require.Equal(t, 1, len(ui.Permissions()), "permissions size")
+			require.Equal(t, allPerms[c], ui.Permissions()[0], "permission order")
+			if !ui.Next() {
 				break
 			}
 		}
 
-		u.Reset()
-		require.True(t, u.Next(), "reset should make next true again")
+		ui.Reset()
+		// If the size is 1, next will always return false
+		if ui.Size() > 1 {
+			require.True(t, ui.Next(), "reset should make next true again")
+		}
+	}
+}
+
+func RandomSet(size int) authztest.Set {
+	set := make(authztest.Set, 0, size)
+	for i := 0; i < size; i++ {
+		p := RandomPermission()
+		set = append(set, &p)
 	}
+	return set
 }
 
 func RandomPermission() authz.Permission {
diff --git a/coderd/authz/authztest/permissions_test.go b/coderd/authz/authztest/permissions_test.go
@@ -0,0 +1,15 @@
+package authztest_test
+
+import (
+	"testing"
+
+	"github.com/coder/coder/coderd/authz/authztest"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_AllPermissions(t *testing.T) {
+	// If this changes, then we might have to fix some other tests. This constant
+	// is the basis for understanding the permutation counts.
+	const totalUniquePermissions int = 270
+	require.Equal(t, len(authztest.AllPermissions()), totalUniquePermissions, "expected set size")
+}
diff --git a/coderd/authz/authztest/role.go b/coderd/authz/authztest/role.go
@@ -65,6 +65,7 @@ func (r *Role) Each(ea func(set Set)) {
 }
 
 // Next will grab the next cross-product permutation of all permissions of r.
+// When Next() returns false, the role would be Reset()
 func (r *Role) Next() bool {
 	for i := range r.PermissionSets {
 		if r.PermissionSets[i].Next() {
diff --git a/coderd/authz/authztest/role_test.go b/coderd/authz/authztest/role_test.go
@@ -0,0 +1,59 @@
+package authztest_test
+
+import (
+	"testing"
+
+	"github.com/coder/coder/coderd/authz/authztest"
+	crand "github.com/coder/coder/cryptorand"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_NewRole(t *testing.T) {
+	for i := 0; i < 50; i++ {
+		sets := make([]authztest.Iterable, 1+(i%4))
+		var total int = 1
+		for j := range sets {
+			size := 1 + must(crand.Intn(3))
+			if i < 5 {
+				// Enforce 1 size sets for some cases
+				size = 1
+			}
+			sets[j] = RandomSet(size)
+			total *= size
+		}
+
+		crossProduct := authztest.NewRole(sets...)
+		t.Run("CrossProduct", func(t *testing.T) {
+			require.Equal(t, total, crossProduct.Size(), "correct N")
+			require.Equal(t, len(sets), crossProduct.ReturnSize(), "return size")
+			var c int
+			crossProduct.Each(func(set authztest.Set) {
+				require.Equal(t, crossProduct.ReturnSize(), len(set), "each set is correct size")
+				c++
+			})
+			require.Equal(t, total, c, "each run N times")
+
+			if crossProduct.Size() > 1 {
+				crossProduct.Reset()
+				require.Truef(t, crossProduct.Next(), "reset should always make this true")
+			}
+		})
+
+		t.Run("NestedRoles", func(t *testing.T) {
+			merged := authztest.NewRole(sets[0])
+			for i := 1; i < len(sets); i++ {
+				merged = authztest.NewRole(sets[i], merged)
+			}
+
+			crossProduct.Reset()
+			for {
+				require.Equal(t, crossProduct.Permissions(), merged.Permissions(), "same next")
+				mn, cn := merged.Next(), crossProduct.Next()
+				require.Equal(t, cn, mn, "next should be same")
+				if !cn {
+					break
+				}
+			}
+		})
+	}
+}
diff --git a/coderd/authz/authztest/set.go b/coderd/authz/authztest/set.go
@@ -10,6 +10,8 @@ type Set []*authz.Permission
 
 var _ Iterable = (Set)(nil)
 
+// Permissions is a helper function to get the Permissions as non-pointers.
+// <nil> permissions are omitted
 func (s Set) Permissions() []authz.Permission {
 	perms := make([]authz.Permission, 0, len(s))
 	for i := range s {
diff --git a/coderd/authz/authztest/set_test.go b/coderd/authz/authztest/set_test.go
@@ -0,0 +1,64 @@
+package authztest_test
+
+import (
+	"github.com/coder/coder/coderd/authz"
+	"github.com/coder/coder/coderd/authz/authztest"
+	"testing"
+
+	crand "github.com/coder/coder/cryptorand"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_Set(t *testing.T) {
+	t.Run("Simple", func(t *testing.T) {
+		for i := 0; i < 10; i++ {
+			set := RandomSet(i)
+			require.Equal(t, i, len(set), "set size")
+			require.Equal(t, i, len(set.Permissions()), "set size")
+			perms := set.Permissions()
+			for i, p := range set {
+				require.Equal(t, *p, perms[i])
+			}
+		}
+	})
+
+	t.Run("NilPerms", func(t *testing.T) {
+		for i := 0; i < 100; i++ {
+			set := RandomSet(i)
+			// Set some nils
+			nilCount := 0
+			for i := 0; i < len(set); i++ {
+				if must(crand.Bool()) {
+					set[i] = nil
+					nilCount++
+				}
+			}
+			require.Equal(t, i-nilCount, len(set.Permissions()))
+		}
+	})
+
+	t.Run("String", func(t *testing.T) {
+		set := authztest.Set{
+			&authz.Permission{
+				Sign:         true,
+				Level:        authz.LevelOrg,
+				LevelID:      "1234",
+				ResourceType: authz.ResourceWorkspace,
+				ResourceID:   "1234",
+				Action:       authz.ActionRead,
+			},
+			&authz.Permission{
+				Sign:         false,
+				Level:        authz.LevelSite,
+				LevelID:      "",
+				ResourceType: authz.ResourceWorkspace,
+				ResourceID:   "*",
+				Action:       authz.ActionRead,
+			},
+		}
+
+		require.Equal(t,
+			"+org:1234.workspace.1234.read, -site.workspace.*.read",
+			set.String(), "exp string")
+	})
+}

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,7 @@ func (r *Role) Each(ea func(set Set)) {`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`// Next will grab the next cross-product permutation of all permissions of r.`
	`68`	`+// When Next() returns false, the role would be Reset()`
`68`	`69`	`func (r *Role) Next() bool {`
`69`	`70`	`for i := range r.PermissionSets {`
`70`	`71`	`if r.PermissionSets[i].Next() {`