feat: Add user roles, but do not yet enforce them (#1200)

* chore: Rework roles to be expandable by name alone
This commit is contained in:
Steven Masley
2022-04-29 09:04:19 -05:00
committed by GitHub
parent ba4c3ce3b9
commit 35211e2190
26 changed files with 1150 additions and 232 deletions


@ -4,6 +4,8 @@ import (
"context"
"testing"
"github.com/google/uuid"
"github.com/stretchr/testify/require"
"github.com/coder/coder/coderd/rbac"
@ -16,14 +18,15 @@ func TestExample(t *testing.T) {
ctx := context.Background()
authorizer, err := rbac.NewAuthorizer()
require.NoError(t, err)
defaultOrg := uuid.New()
// user will become an authn object, and can even be a database.User if it
// fulfills the interface. Until then, use a placeholder.
user := subject{
UserID: "alice",
Roles: []rbac.Role{
rbac.RoleOrgAdmin("default"),
rbac.RoleMember,
must(rbac.RoleByName(rbac.RoleMember())),
must(rbac.RoleByName(rbac.RoleOrgAdmin(defaultOrg))),
},
}
@ -38,17 +41,24 @@ func TestExample(t *testing.T) {
//nolint:paralleltest
t.Run("ReadOrgWorkspaces", func(t *testing.T) {
// To read all workspaces on the org 'default'
err := authorizer.Authorize(ctx, user.UserID, user.Roles, rbac.ActionRead, rbac.ResourceWorkspace.InOrg("default"))
err := authorizer.Authorize(ctx, user.UserID, user.Roles, rbac.ActionRead, rbac.ResourceWorkspace.InOrg(defaultOrg))
require.NoError(t, err, "this user can read all org workspaces in 'default'")
})
//nolint:paralleltest
t.Run("ReadMyWorkspace", func(t *testing.T) {
// Note 'database.Workspace' could fulfill the object interface and be passed in directly
err := authorizer.Authorize(ctx, user.UserID, user.Roles, rbac.ActionRead, rbac.ResourceWorkspace.InOrg("default").WithOwner(user.UserID))
err := authorizer.Authorize(ctx, user.UserID, user.Roles, rbac.ActionRead, rbac.ResourceWorkspace.InOrg(defaultOrg).WithOwner(user.UserID))
require.NoError(t, err, "this user can their workspace")
err = authorizer.Authorize(ctx, user.UserID, user.Roles, rbac.ActionRead, rbac.ResourceWorkspace.InOrg("default").WithOwner(user.UserID).WithID("1234"))
err = authorizer.Authorize(ctx, user.UserID, user.Roles, rbac.ActionRead, rbac.ResourceWorkspace.InOrg(defaultOrg).WithOwner(user.UserID).WithID("1234"))
require.NoError(t, err, "this user can read workspace '1234'")
})
}
func must[T any](value T, err error) T {
if err != nil {
panic(err)
}
return value
}
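Review bot: The new assertions in TestExample only cover grants — each Authorize call from `err := authorizer.Authorize(ctx, user.UserID, user.Roles, rbac.ActionRead, rbac.ResourceWorkspace.InOrg(defaultOrg))` onward expects NoError, so switching from the literal "default" to an org uuid never checks that `rbac.RoleOrgAdmin(defaultOrg)` is actually scoped to that org. One denial case closes the gap, e.g. `err = authorizer.Authorize(ctx, user.UserID, user.Roles, rbac.ActionRead, rbac.ResourceWorkspace.InOrg(uuid.New()))` followed by `require.Error(t, err, "org admin of defaultOrg must not read another org's workspaces")`. The `must` helper panics when RoleByName fails instead of failing the test; giving it a `t testing.TB` parameter and using `t.Helper(); require.NoError(t, err)` would report a bad role name as an ordinary test failure with the test's name attached. The pre-existing message in `require.NoError(t, err, "this user can their workspace")` is missing the word "read". TestExample's body begins before this hunk.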