mirror of
https://github.com/coder/coder.git
synced 2026-06-03 13:08:25 +00:00
ケイラ
92 lines
3.0 KiB
Go
92 lines
3.0 KiB
Go
package acl_test
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/google/uuid"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/coder/coder/v2/coderd"
|
|
"github.com/coder/coder/v2/coderd/database"
|
|
"github.com/coder/coder/v2/coderd/database/dbgen"
|
|
"github.com/coder/coder/v2/coderd/database/dbtestutil"
|
|
"github.com/coder/coder/v2/coderd/rbac/acl"
|
|
"github.com/coder/coder/v2/codersdk"
|
|
"github.com/coder/coder/v2/testutil"
|
|
)
|
|
|
|
func TestOK(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
db, _ := dbtestutil.NewDB(t)
|
|
o := dbgen.Organization(t, db, database.Organization{})
|
|
g := dbgen.Group(t, db, database.Group{OrganizationID: o.ID})
|
|
u := dbgen.User(t, db, database.User{})
|
|
ctx := testutil.Context(t, testutil.WaitShort)
|
|
|
|
update := codersdk.UpdateWorkspaceACL{
|
|
UserRoles: map[string]codersdk.WorkspaceRole{
|
|
u.ID.String(): codersdk.WorkspaceRoleAdmin,
|
|
// An unknown ID is allowed if and only if the specified role is either
|
|
// codersdk.WorkspaceRoleDeleted or codersdk.TemplateRoleDeleted.
|
|
uuid.NewString(): codersdk.WorkspaceRoleDeleted,
|
|
},
|
|
GroupRoles: map[string]codersdk.WorkspaceRole{
|
|
g.ID.String(): codersdk.WorkspaceRoleAdmin,
|
|
// An unknown ID is allowed if and only if the specified role is either
|
|
// codersdk.WorkspaceRoleDeleted or codersdk.TemplateRoleDeleted.
|
|
uuid.NewString(): codersdk.WorkspaceRoleDeleted,
|
|
},
|
|
}
|
|
errors := acl.Validate(ctx, db, coderd.WorkspaceACLUpdateValidator(update))
|
|
require.Empty(t, errors)
|
|
}
|
|
|
|
func TestDeniesUnknownIDs(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
db, _ := dbtestutil.NewDB(t)
|
|
ctx := testutil.Context(t, testutil.WaitShort)
|
|
|
|
update := codersdk.UpdateWorkspaceACL{
|
|
UserRoles: map[string]codersdk.WorkspaceRole{
|
|
uuid.NewString(): codersdk.WorkspaceRoleAdmin,
|
|
},
|
|
GroupRoles: map[string]codersdk.WorkspaceRole{
|
|
uuid.NewString(): codersdk.WorkspaceRoleAdmin,
|
|
},
|
|
}
|
|
errors := acl.Validate(ctx, db, coderd.WorkspaceACLUpdateValidator(update))
|
|
require.Len(t, errors, 2)
|
|
require.Equal(t, errors[0].Field, "group_roles")
|
|
require.ErrorContains(t, errors[0], "does not exist")
|
|
require.Equal(t, errors[1].Field, "user_roles")
|
|
require.ErrorContains(t, errors[1], "does not exist")
|
|
}
|
|
|
|
func TestDeniesUnknownRolesAndInvalidIDs(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
db, _ := dbtestutil.NewDB(t)
|
|
ctx := testutil.Context(t, testutil.WaitShort)
|
|
|
|
update := codersdk.UpdateWorkspaceACL{
|
|
UserRoles: map[string]codersdk.WorkspaceRole{
|
|
"Quifrey": "level 5",
|
|
},
|
|
GroupRoles: map[string]codersdk.WorkspaceRole{
|
|
"apprentices": "level 2",
|
|
},
|
|
}
|
|
errors := acl.Validate(ctx, db, coderd.WorkspaceACLUpdateValidator(update))
|
|
require.Len(t, errors, 4)
|
|
require.Equal(t, errors[0].Field, "group_roles")
|
|
require.ErrorContains(t, errors[0], "role \"level 2\" is not a valid workspace role")
|
|
require.Equal(t, errors[1].Field, "group_roles")
|
|
require.ErrorContains(t, errors[1], "not a valid UUID")
|
|
require.Equal(t, errors[2].Field, "user_roles")
|
|
require.ErrorContains(t, errors[2], "role \"level 5\" is not a valid workspace role")
|
|
require.Equal(t, errors[3].Field, "user_roles")
|
|
require.ErrorContains(t, errors[3], "not a valid UUID")
|
|
}
|