feat: add template RBAC/groups (#4235)

2025-07-06 15:41:45 +00:00 · 2022-10-10 15:37:06 -05:00
parent 2687e3db49
commit 3120c94c22
122 changed files with 8088 additions and 1062 deletions
--- a/enterprise/coderd/coderdenttest/coderdenttest.go
+++ b/enterprise/coderd/coderdenttest/coderdenttest.go
@ -62,6 +62,7 @@ func NewWithAPI(t *testing.T, options *Options) (*codersdk.Client, io.Closer, *c
 	}
 	srv, cancelFunc, oop := coderdtest.NewOptions(t, options.Options)
 	coderAPI, err := coderd.New(context.Background(), &coderd.Options{
+		RBACEnabled:                true,
 		AuditLogging:               options.AuditLogging,
 		BrowserOnly:                options.BrowserOnly,
 		SCIMAPIKey:                 options.SCIMAPIKey,
@ -76,6 +77,7 @@ func NewWithAPI(t *testing.T, options *Options) (*codersdk.Client, io.Closer, *c
 	if options.IncludeProvisionerDaemon {
 		provisionerCloser = coderdtest.NewProvisionerDaemon(t, coderAPI.AGPL)
 	}
+
 	t.Cleanup(func() {
 		cancelFunc()
 		_ = provisionerCloser.Close()
@ -96,6 +98,7 @@ type LicenseOptions struct {
 	BrowserOnly    bool
 	SCIM           bool
 	WorkspaceQuota bool
+	RBACEnabled    bool
 }

 // AddLicense generates a new license with the options provided and inserts it.
@ -132,6 +135,11 @@ func GenerateLicense(t *testing.T, options LicenseOptions) string {
 		workspaceQuota = 1
 	}

+	rbac := int64(0)
+	if options.RBACEnabled {
+		rbac = 1
+	}
+
 	c := &license.Claims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:    "test@testing.test",
@ -151,6 +159,7 @@ func GenerateLicense(t *testing.T, options LicenseOptions) string {
 			BrowserOnly:    browserOnly,
 			SCIM:           scim,
 			WorkspaceQuota: workspaceQuota,
+			RBAC:           rbac,
 		},
 	}
 	tok := jwt.NewWithClaims(jwt.SigningMethodEdDSA, c)
--- a/enterprise/coderd/coderdenttest/coderdenttest_test.go
+++ b/enterprise/coderd/coderdenttest/coderdenttest_test.go
@ -6,9 +6,13 @@ import (
 	"net/http"
 	"testing"

+	"github.com/stretchr/testify/require"
+
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/coderd/rbac"
+	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/enterprise/coderd/coderdenttest"
+	"github.com/coder/coder/testutil"
 )

 func TestNew(t *testing.T) {
@ -26,10 +30,20 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			IncludeProvisionerDaemon: true,
 		},
 	})
+	ctx, _ := testutil.Context(t)
 	admin := coderdtest.CreateFirstUser(t, client)
-	license := coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{})
-	a := coderdtest.NewAuthTester(context.Background(), t, client, api.AGPL, admin)
+	license := coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
+		RBACEnabled: true,
+	})
+	group, err := client.CreateGroup(ctx, admin.OrganizationID, codersdk.CreateGroupRequest{
+		Name: "testgroup",
+	})
+	require.NoError(t, err)
+
+	groupObj := rbac.ResourceGroup.InOrg(admin.OrganizationID)
+	a := coderdtest.NewAuthTester(ctx, t, client, api.AGPL, admin)
 	a.URLParams["licenses/{id}"] = fmt.Sprintf("licenses/%d", license.ID)
+	a.URLParams["groups/{group}"] = fmt.Sprintf("groups/%s", group.ID.String())

 	skipRoutes, assertRoute := coderdtest.AGPLRoutes(a)
 	assertRoute["GET:/api/v2/entitlements"] = coderdtest.RouteCheck{
@ -48,6 +62,31 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		AssertAction: rbac.ActionDelete,
 		AssertObject: rbac.ResourceLicense,
 	}
+	assertRoute["GET:/api/v2/templates/{template}/acl"] = coderdtest.RouteCheck{
+		AssertAction: rbac.ActionRead,
+		AssertObject: rbac.ResourceTemplate,
+	}
+	assertRoute["PATCH:/api/v2/templates/{template}/acl"] = coderdtest.RouteCheck{
+		AssertAction: rbac.ActionCreate,
+		AssertObject: rbac.ResourceTemplate,
+	}
+	assertRoute["GET:/api/v2/organizations/{organization}/groups"] = coderdtest.RouteCheck{
+		StatusCode:   http.StatusOK,
+		AssertAction: rbac.ActionRead,
+		AssertObject: groupObj,
+	}
+	assertRoute["PATCH:/api/v2/groups/{group}"] = coderdtest.RouteCheck{
+		AssertAction: rbac.ActionRead,
+		AssertObject: groupObj,
+	}
+	assertRoute["PATCH:/api/v2/groups/{group}"] = coderdtest.RouteCheck{
+		AssertAction: rbac.ActionUpdate,
+		AssertObject: groupObj,
+	}
+	assertRoute["DELETE:/api/v2/groups/{group}"] = coderdtest.RouteCheck{
+		AssertAction: rbac.ActionDelete,
+		AssertObject: groupObj,
+	}

 	a.Test(context.Background(), assertRoute, skipRoutes)
 }