whitney-coder
diff --git a/‎coderd/authz/authz.go
Lines changed: 6 additions & 0 deletions b/‎coderd/authz/authz.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/authz/authz_test.go
Lines changed: 150 additions & 0 deletions b/‎coderd/authz/authz_test.go
Lines changed: 150 additions & 0 deletions
diff --git a/‎coderd/authz/authztest/group.go
Lines changed: 10 additions & 10 deletions b/‎coderd/authz/authztest/group.go
Lines changed: 10 additions & 10 deletions
diff --git a/‎coderd/authz/authztest/group_test.go
Lines changed: 10 additions & 10 deletions b/‎coderd/authz/authztest/group_test.go
Lines changed: 10 additions & 10 deletions
diff --git a/‎coderd/authz/authztest/iterator.go
Lines changed: 35 additions & 8 deletions b/‎coderd/authz/authztest/iterator.go
Lines changed: 35 additions & 8 deletions
diff --git a/‎coderd/authz/authztest/level.go
Lines changed: 20 additions & 20 deletions b/‎coderd/authz/authztest/level.go
Lines changed: 20 additions & 20 deletions
@@ -0,0 +1,6 @@
+package authz
+
+// TODO: Implement Authorize
+func Authorize(subj interface{}, obj Object, action interface{}) error {
+	return nil
+}
@@ -0,0 +1,150 @@
+package authz_test
+
+import (
+	"fmt"
+	"github.com/coder/coder/coderd/authz/authztest"
+	"math/bits"
+	"testing"
+)
+
+var nilSet = authztest.Set{nil}
+
+func Test_ExhaustiveAuthorize(t *testing.T) {
+	all := authztest.GroupedPermissions(authztest.AllPermissions())
+	variants := permissionVariants(all)
+	for name, v := range variants {
+		fmt.Printf("%s: %d\n", name, v.Size())
+	}
+}
+
+func permissionVariants(all authztest.SetGroup) map[string]*authztest.Role {
+	// an is any noise above the impactful set
+	an := abstain
+	// ln is any noise below the impactful set
+	ln := positive | negative | abstain
+
+	// Cases are X+/- where X indicates the level where the impactful set is.
+	// The impactful set determines the result.
+	return map[string]*authztest.Role{
+		// Wild
+		"W+": authztest.NewRole(
+			pos(all.Wildcard()),
+			noise(ln, all.Site(), all.Org(), all.User()),
+		),
+		"W-": authztest.NewRole(
+			neg(all.Wildcard()),
+			noise(ln, all.Site(), all.Org(), all.User()),
+		),
+		// Site
+		"S+": authztest.NewRole(
+			noise(an, all.Wildcard()),
+			pos(all.Site()),
+			noise(ln, all.Org(), all.User()),
+		),
+		"S-": authztest.NewRole(
+			noise(an, all.Wildcard()),
+			neg(all.Site()),
+			noise(ln, all.Org(), all.User()),
+		),
+		// TODO: Figure out cross org noise between org:* and org:mem
+		// Org:*
+		"O+": authztest.NewRole(
+			noise(an, all.Wildcard(), all.Site()),
+			pos(all.Org()),
+			noise(ln, all.User()),
+		),
+		"O-": authztest.NewRole(
+			noise(an, all.Wildcard(), all.Site()),
+			neg(all.Org()),
+			noise(ln, all.User()),
+		),
+		// Org:Mem
+		"M+": authztest.NewRole(
+			noise(an, all.Wildcard(), all.Site()),
+			pos(all.OrgMem()),
+			noise(ln, all.User()),
+		),
+		"M-": authztest.NewRole(
+			noise(an, all.Wildcard(), all.Site()),
+			neg(all.OrgMem()),
+			noise(ln, all.User()),
+		),
+		// User
+		"U+": authztest.NewRole(
+			noise(an, all.Wildcard(), all.Site(), all.Org()),
+			pos(all.User()),
+		),
+		"U-": authztest.NewRole(
+			noise(an, all.Wildcard(), all.Site(), all.Org()),
+			neg(all.User()),
+		),
+	}
+}
+
+func l() {
+	//authztest.Levels
+	//noise(an, all.Wildcard()),
+	//	neg(all.Site()),
+	//	noise(ln, all.Org(), all.User()),
+}
+
+// pos returns the positive impactful variant for a given level. It does not
+// include noise at any other level but the one given.
+func pos(lvl authztest.LevelGroup) *authztest.Role {
+	return authztest.NewRole(
+		lvl.Positive(),
+		authztest.Union(lvl.Abstain()[:1], nilSet),
+	)
+}
+
+func neg(lvl authztest.LevelGroup) *authztest.Role {
+	return authztest.NewRole(
+		lvl.Negative(),
+		authztest.Union(lvl.Positive()[:1], nilSet),
+		authztest.Union(lvl.Abstain()[:1], nilSet),
+	)
+}
+
+type noiseBits uint8
+
+const (
+	none noiseBits = 1 << iota
+	positive
+	negative
+	abstain
+)
+
+func flagMatch(flag, in noiseBits) bool {
+	return flag&in != 0
+}
+
+// noise returns the noise permission permutations for a given level. You can
+// use this helper function when this level is not impactful.
+// The returned role is the permutations including at least one example of
+// positive, negative, and neutral permissions. It also includes the set of
+// no additional permissions.
+func noise(f noiseBits, lvls ...authztest.LevelGroup) *authztest.Role {
+	rs := make([]authztest.Iterable, 0, len(lvls))
+	for _, lvl := range lvls {
+		sets := make([]authztest.Iterable, 0, bits.OnesCount8(uint8(f)))
+
+		if flagMatch(positive, f) {
+			sets = append(sets, authztest.Union(lvl.Positive()[:1], nilSet))
+		}
+		if flagMatch(negative, f) {
+			sets = append(sets, authztest.Union(lvl.Negative()[:1], nilSet))
+		}
+		if flagMatch(abstain, f) {
+			sets = append(sets, authztest.Union(lvl.Abstain()[:1], nilSet))
+		}
+
+		rs = append(rs, authztest.NewRole(
+			sets...,
+		))
+	}
+
+	if len(rs) == 1 {
+		return rs[0].(*authztest.Role)
+	}
+	return authztest.NewRole(rs...)
+}
@@ -18,17 +18,17 @@ var nilSet = Set{nil}
 // *.*.*.*
 //var PermissionSetWPlus = NewRole(
 //	all.Wildcard().Positive(),
-//	union(all.Wildcard().Abstain(), nilSet),
+//	Union(all.Wildcard().Abstain(), nilSet),
 //
-//	union(all.Site().Positive(), nilSet),
-//	union(all.Site().Negative(), nilSet),
-//	union(all.Site().Abstain(), nilSet),
+//	Union(all.Site().Positive(), nilSet),
+//	Union(all.Site().Negative(), nilSet),
+//	Union(all.Site().Abstain(), nilSet),
 //
-//	union(all.AllOrgs().Positive(), nilSet),
-//	union(all.AllOrgs().Negative(), nilSet),
-//	union(all.AllOrgs().Abstain(), nilSet),
+//	Union(all.AllOrgs().Positive(), nilSet),
+//	Union(all.AllOrgs().Negative(), nilSet),
+//	Union(all.AllOrgs().Abstain(), nilSet),
 //
-//	union(all.User().Positive(), nilSet),
-//	union(all.User().Negative(), nilSet),
-//	union(all.User().Abstain(), nilSet),
+//	Union(all.User().Positive(), nilSet),
+//	Union(all.User().Negative(), nilSet),
+//	Union(all.User().Abstain(), nilSet),
 //)
@@ -9,19 +9,19 @@ func Test_PermissionSetWPlusSearchSpace(t *testing.T) {
 	all := GroupedPermissions(AllPermissions())
 	wplus := NewRole(
 		all.Wildcard().Positive(),
-		union(all.Wildcard().Abstain()[:1], nilSet),
+		Union(all.Wildcard().Abstain()[:1], nilSet),
 
-		union(all.Site().Positive()[:1], nilSet),
-		union(all.Site().Negative()[:1], nilSet),
-		union(all.Site().Abstain()[:1], nilSet),
+		Union(all.Site().Positive()[:1], nilSet),
+		Union(all.Site().Negative()[:1], nilSet),
+		Union(all.Site().Abstain()[:1], nilSet),
 
-		union(all.AllOrgs().Positive()[:1], nilSet),
-		union(all.AllOrgs().Negative()[:1], nilSet),
-		union(all.AllOrgs().Abstain()[:1], nilSet),
+		Union(all.AllOrgs().Positive()[:1], nilSet),
+		Union(all.AllOrgs().Negative()[:1], nilSet),
+		Union(all.AllOrgs().Abstain()[:1], nilSet),
 
-		union(all.User().Positive()[:1], nilSet),
-		union(all.User().Negative()[:1], nilSet),
-		union(all.User().Abstain()[:1], nilSet),
+		Union(all.User().Positive()[:1], nilSet),
+		Union(all.User().Negative()[:1], nilSet),
+		Union(all.User().Abstain()[:1], nilSet),
 	)
 	fmt.Println(wplus.N)
 	fmt.Println(len(AllPermissions()))
 
@@ -4,12 +4,12 @@ import (
 	. "github.com/coder/coder/coderd/authz"
 )
 
-type iterable interface {
-	Iterator() iterator
+type Iterable interface {
+	Iterator() Iterator
 }
 
-type iterator interface {
-	iterable
+type Iterator interface {
+	Iterable
 
 	Next() bool
 	Permissions() Set
@@ -32,7 +32,7 @@ type unionIterator struct {
 	N int
 }
 
-func union(sets ...Set) *unionIterator {
+func Union(sets ...Set) *unionIterator {
 	var n int
 	for _, s := range sets {
 		n += len(s)
@@ -76,18 +76,45 @@ func (si *unionIterator) Size() int {
 	return si.N
 }
 
-func (si *unionIterator) Iterator() iterator {
+func (si *unionIterator) Iterator() Iterator {
 	return si
 }
 
+type productI struct {
+	ReturnSize     int
+	N              int
+	PermissionSets []Iterator
+
+	buffer Set
+}
+
+func ProductI(sets ...Iterable) *productI {
+	setInterfaces := make([]Iterator, 0, len(sets))
+	var retSize int
+	var size int = 1
+	for _, s := range sets {
+		v := s.Iterator()
+		setInterfaces = append(setInterfaces, v)
+		retSize += v.ReturnSize()
+		// size is the cross product of all Iterator sets
+		size *= v.Size()
+	}
+	return &productI{
+		ReturnSize:     retSize,
+		N:              size,
+		PermissionSets: setInterfaces,
+		buffer:         make([]*Permission, retSize),
+	}
+}
+
 type productIterator struct {
 	i, j   int
 	a      Set
 	b      Set
 	buffer Set
 }
 
-func product(a, b Set) *productIterator {
+func Product(a, b Set) *productIterator {
 	i := &productIterator{
 		i: 0,
 		j: 0,
@@ -128,6 +155,6 @@ func (s *productIterator) Size() int {
 	return len(s.a) * len(s.b)
 }
 
-func (s *productIterator) Iterator() iterator {
+func (s *productIterator) Iterator() Iterator {
 	return s
 }
@@ -5,13 +5,13 @@ import "github.com/coder/coder/coderd/authz"
 type level string
 
 const (
-	levelWild   level = "level-wild"
-	levelSite   level = "level-site"
-	levelOrg    level = "level-org"
-	levelOrgMem level = "level-org:mem"
-	// levelOrgAll is a helper to get both org levels above
-	levelOrgAll level = "level-org:*"
-	levelUser   level = "level-user"
+	LevelWildKey   level = "level-wild"
+	LevelSiteKey   level = "level-site"
+	LevelOrgKey    level = "level-org"
+	LevelOrgMemKey level = "level-org:mem"
+	// LevelOrgAllKey is a helper to get both org levels above
+	LevelOrgAllKey level = "level-org:*"
+	LevelUserKey   level = "level-user"
 )
 
 // LevelGroup is all permissions for a given level
@@ -43,7 +43,7 @@ func (lg LevelGroup) Abstain() Set {
 
 func GroupedPermissions(perms Set) SetGroup {
 	groups := make(SetGroup)
-	allLevelKeys := []level{levelWild, levelSite, levelOrg, levelOrgMem, levelOrgAll, levelUser}
+	allLevelKeys := []level{LevelWildKey, LevelSiteKey, LevelOrgKey, LevelOrgMemKey, LevelOrgAllKey, LevelUserKey}
 
 	for _, l := range allLevelKeys {
 		groups[l] = make(LevelGroup)
@@ -53,18 +53,18 @@ func GroupedPermissions(perms Set) SetGroup {
 		m := Impact(p)
 		switch {
 		case p.Level == authz.LevelSite:
-			groups[levelSite][m] = append(groups[levelSite][m], p)
+			groups[LevelSiteKey][m] = append(groups[LevelSiteKey][m], p)
 		case p.Level == authz.LevelOrg:
-			groups[levelOrgAll][m] = append(groups[levelOrgAll][m], p)
+			groups[LevelOrgAllKey][m] = append(groups[LevelOrgAllKey][m], p)
 			if p.LevelID == "" || p.LevelID == "*" {
-				groups[levelOrg][m] = append(groups[levelOrg][m], p)
+				groups[LevelOrgKey][m] = append(groups[LevelOrgKey][m], p)
 			} else {
-				groups[levelOrgMem][m] = append(groups[levelOrgMem][m], p)
+				groups[LevelOrgMemKey][m] = append(groups[LevelOrgMemKey][m], p)
 			}
 		case p.Level == authz.LevelUser:
-			groups[levelUser][m] = append(groups[levelUser][m], p)
+			groups[LevelUserKey][m] = append(groups[LevelUserKey][m], p)
 		case p.Level == authz.LevelWildcard:
-			groups[levelWild][m] = append(groups[levelWild][m], p)
+			groups[LevelWildKey][m] = append(groups[LevelWildKey][m], p)
 		}
 	}
 
@@ -74,25 +74,25 @@ func GroupedPermissions(perms Set) SetGroup {
 type SetGroup map[level]LevelGroup
 
 func (s SetGroup) Wildcard() LevelGroup {
-	return s[levelWild]
+	return s[LevelWildKey]
 }
 
 func (s SetGroup) Site() LevelGroup {
-	return s[levelSite]
+	return s[LevelSiteKey]
 }
 
 func (s SetGroup) Org() LevelGroup {
-	return s[levelOrg]
+	return s[LevelOrgKey]
 }
 
 func (s SetGroup) AllOrgs() LevelGroup {
-	return s[levelOrgAll]
+	return s[LevelOrgAllKey]
 }
 
 func (s SetGroup) OrgMem() LevelGroup {
-	return s[levelOrgMem]
+	return s[LevelOrgMemKey]
 }
 
 func (s SetGroup) User() LevelGroup {
-	return s[levelUser]
+	return s[LevelUserKey]
 }