8000 Merge branch 'main' into templates-redirect · coder/coder@f8b48f9 · GitHub


Commit f8b48f9

Merge branch 'main' into templates-redirect
2 parents ff0101b + 59a80d7 commit f8b48f9

36 files changed

+1779
-138
lines changed

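--- a/cli/configssh_internal_test.go
+++ b/cli/configssh_internal_test.go
@@ -138,6 +138,7 @@ func Test_sshConfigSplitOnCoderSection(t *testing.T) {
 
 // This test tries to mimic the behavior of OpenSSH
 // when executing e.g. a ProxyCommand.
+// nolint:tparallel
 func Test_sshConfigExecEscape(t *testing.T) {
 t.Parallel()
 
@@ -154,11 +155,10 @@ func Test_sshConfigExecEscape(t *testing.T) {
 {"tabs", "path with \ttabs", false},
 {"newline fails", "path with \nnewline", true},
 }
+// nolint:paralleltest // Fixes a flake
 for _, tt := range tests {
 tt := tt
 t.Run(tt.name, func(t *testing.T) {
-t.Parallel()
-
 if runtime.GOOS == "windows" {
 t.Skip("Windows doesn't typically execute via /bin/sh or cmd.exe, so this test is not applicable.")
 }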
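Review bot: The `// nolint:paralleltest // Fixes a flake` directive above the subtest loop records that something flaked but not what, so nobody can tell later whether the serial subtests are still required. I would name the cause in the directive, e.g. `// nolint:paralleltest // Subtests run serially: <cause of the flake>`, and give the new `// nolint:tparallel` on Test_sshConfigExecEscape the same kind of reason, since it currently has none. Test_sshConfigExecEscape continues past the end of the second hunk.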
Lines changed: 168 additions & 0 deletions
@@ -0,0 +1,168 @@
1+
package dbauthz_test
2+
3+
import (
4+
"context"
5+
"testing"
6+
7+
"github.com/google/uuid"
8+
"github.com/prometheus/client_golang/prometheus"
9+
"github.com/stretchr/testify/require"
10+
11+
"cdr.dev/slog/sloggers/slogtest"
12+
"github.com/coder/coder/v2/coderd/coderdtest"
13+
"github.com/coder/coder/v2/coderd/database"
14+
"github.com/coder/coder/v2/coderd/database/dbauthz"
15+
"github.com/coder/coder/v2/coderd/database/dbgen"
16+
"github.com/coder/coder/v2/coderd/database/dbmem"
17+
"github.com/coder/coder/v2/coderd/database/dbtestutil"
18+
"github.com/coder/coder/v2/coderd/rbac"
19+
)
20+
21+
// nolint:tparallel
22+
func TestGroupsAuth(t *testing.T) {
23+
t.Parallel()
24+
25+
if dbtestutil.WillUsePostgres() {
26+
t.Skip("this test would take too long to run on postgres")
27+
}
28+
29+
authz := rbac.NewAuthorizer(prometheus.NewRegistry())
30+
31+
db := dbauthz.New(dbmem.New(), authz, slogtest.Make(t, &slogtest.Options{
32+
IgnoreErrors: true,
33+
}), coderdtest.AccessControlStorePointer())
34+
35+
ownerCtx := dbauthz.As(context.Background(), rbac.Subject{
36+
ID: "owner",
37+
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.RoleOwner()}.Expand())),
38+
Groups: []string{},
39+
Scope: rbac.ExpandableScope(rbac.ScopeAll),
40+
})
41+
42+
org := dbgen.Organization(t, db, database.Organization{})
43+
group := dbgen.Group(t, db, database.Group{
44+
OrganizationID: org.ID,
45+
})
46+
47+
var users []database.User
48+
for i := 0; i < 5; i++ {
49+
user := dbgen.User(t, db, database.User{})
50+
users = append(users, user)
51+
err := db.InsertGroupMember(ownerCtx, database.InsertGroupMemberParams{
52+
UserID: user.ID,
53+
GroupID: group.ID,
54+
})
55+
require.NoError(t, err)
56+
}
57+
58+
totalMembers := len(users)
59+
testCases := []struct {
60+
Name string
61+
Subject rbac.Subject
62+
ReadGroup bool
63+
ReadMembers bool
64+
MembersExpected int
65+
}{
66+
{
67+
Name: "Owner",
68+
Subject: rbac.Subject{
69+
ID: "owner",
70+
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.RoleOwner()}.Expand())),
71+
Groups: []string{},
72+
Scope: rbac.ExpandableScope(rbac.ScopeAll),
73+
},
74+
ReadGroup: true,
75+
ReadMembers: true,
76+
MembersExpected: totalMembers,
77+
},
78+
{
79+
Name: "UserAdmin",
80+
Subject: rbac.Subject{
81+
ID: "useradmin",
82+
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.RoleUserAdmin()}.Expand())),
83+
Groups: []string{},
84+
Scope: rbac.ExpandableScope(rbac.ScopeAll),
85+
},
86+
ReadGroup: true,
87+
ReadMembers: true,
88+
MembersExpected: totalMembers,
89+
},
90+
{
91+
Name: "OrgAdmin",
92+
Subject: rbac.Subject{
93+
ID: "orgadmin",
94+
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgAdmin(org.ID)}.Expand())),
95+
Groups: []string{},
96+
Scope: rbac.ExpandableScope(rbac.ScopeAll),
97+
},
98+
ReadGroup: true,
99+
ReadMembers: true,
100+
MembersExpected: totalMembers,
101+
},
102+
{
103+
Name: "OrgUserAdmin",
104+
Subject: rbac.Subject{
105+
ID: "orgUserAdmin",
106+
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgUserAdmin(org.ID)}.Expand())),
107+
Groups: []string{},
108+
Scope: rbac.ExpandableScope(rbac.ScopeAll),
109+
},
110+
ReadGroup: true,
111+
ReadMembers: true,
112+
MembersExpected: totalMembers,
113+
},
114+
{
115+
Name: "GroupMember",
116+
Subject: rbac.Subject{
117+
ID: users[0].ID.String(),
118+
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgMember(org.ID)}.Expand())),
119+
Groups: []string{
120+
group.Name,
121+
},
122+
Scope: rbac.ExpandableScope(rbac.ScopeAll),
123+
},
124+
// TODO: currently group members cannot see their own groups.
125+
// If this is fixed, these booleans should be flipped to true.
126+
ReadGroup: false,
127+
ReadMembers: false,
128+
// TODO: If fixed, they should only be able to see themselves
129+
// MembersExpected: 1,
130+
},
131+
{
132+
// Org admin in the incorrect organization
133+
Name: "DifferentOrgAdmin",
134+
Subject: rbac.Subject{
135+
ID: "orgadmin",
136+
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgUserAdmin(uuid.New())}.Expand())),
137+
Groups: []string{},
138+
Scope: rbac.ExpandableScope(rbac.ScopeAll),
139+
},
140+
ReadGroup: false,
141+
ReadMembers: false,
142+
},
143+
}
144+
145+
for _, tc := range testCases {
146+
tc := tc
147+
t.Run(tc.Name, func(t *testing.T) {
148+
t.Parallel()
149+
150+
actorCtx := dbauthz.As(context.Background(), tc.Subject)
151+
_, err := db.GetGroupByID(actorCtx, group.ID)
152+
if tc.ReadGroup {
153+
require.NoError(t, err, "group read")
154+
} else {
155+
require.Error(t, err, "group read")
156+
}
157+
158+
members, err := db.GetGroupMembersByGroupID(actorCtx, group.ID)
159+
if tc.ReadMembers {
160+
require.NoError(t, err, "member read")
161+
require.Len(t, members, tc.MembersExpected, "member count found does not match")
162+
} else {
163+
require.Error(t, err, "member read")
164+
require.True(t, dbauthz.IsNotAuthorizedError(err), "not authorized error")
165+
}
166+
})
167+
}
168+
}
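Review bot: The denied branch of the group read, `require.Error(t, err, "group read")`, accepts any error, so the GroupMember and DifferentOrgAdmin cases would still pass if GetGroupByID failed for a reason unrelated to authorization. The member-read branch already pins the error type, and the group-read branch should do the same by adding `require.True(t, dbauthz.IsNotAuthorizedError(err), "not authorized error")` after it, assuming dbauthz reports a denied fetch with that error type. Separately, the DifferentOrgAdmin case is commented as an org admin in the wrong organization but builds its subject from `rbac.ScopedRoleOrgUserAdmin(uuid.New())`; either rename it or add a sibling case using `rbac.ScopedRoleOrgAdmin(uuid.New())` so both cross-organization roles are covered.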

coderd/database/queries.sql.go

Lines changed: 1 addition & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

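--- a/coderd/database/queries/notifications.sql
+++ b/coderd/database/queries/notifications.sql
@@ -170,4 +170,5 @@ WHERE id = @id::uuid;
 -- name: GetNotificationTemplatesByKind :many
 SELECT *
 FROM notification_templates
-WHERE kind = @kind::notification_template_kind;
+WHERE kind = @kind::notification_template_kind
+ORDER BY name ASC;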

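--- a/flake.nix
+++ b/flake.nix
@@ -117,7 +117,7 @@
 name = "coder-${osArch}";
 # Updated with ./scripts/update-flake.sh`.
 # This should be updated whenever go.mod changes!
-vendorHash = "sha256-QMCiFn/QQNJr/vfqwBq4KUMFbCC0ZQdvKaWf25za5xk=";
+vendorHash = "sha256-AZ0qzh7H+UwnZNyg2iaNMSUWlGgomI/mo70T+FdF7ws=";
 proxyVendor = true;
 src = ./.;
 nativeBuildInputs = with pkgs; [ getopt openssl zstd ];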

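--- a/go.mod
+++ b/go.mod
@@ -78,7 +78,7 @@ require (
 github.com/briandowns/spinner v1.18.1
 github.com/cakturk/go-netstat v0.0.0-20200220111822-e5b49efee7a5
 github.com/cenkalti/backoff/v4 v4.3.0
-github.com/charmbracelet/glamour v0.7.0
+github.com/charmbracelet/glamour v0.8.0
 github.com/chromedp/cdproto v0.0.0-20240801214329-3f85d328b335
 github.com/chromedp/chromedp v0.10.0
 github.com/cli/safeexec v1.0.1
@@ -136,9 +136,9 @@ require (
 github.com/mitchellh/go-wordwrap v1.0.1
 github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c
 github.com/moby/moby v27.1.1+incompatible
-github.com/muesli/termenv v0.15.2
+github.com/muesli/termenv v0.15.3-0.20240618155329-98d742f6907a
 github.com/open-policy-agent/opa v0.67.0
-github.com/ory/dockertest/v3 v3.10.0
+github.com/ory/dockertest/v3 v3.11.0
 github.com/pion/udp v0.1.4
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e
@@ -211,6 +211,7 @@ require (
 github.com/DataDog/go-libddwaf/v3 v3.2.1 // indirect
 github.com/alecthomas/chroma/v2 v2.14.0 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+github.com/charmbracelet/x/ansi v0.1.4 // indirect
 github.com/distribution/reference v0.6.0 // indirect
 github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
@@ -267,16 +268,16 @@ require (
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 // In later at least v0.7.1, lipgloss changes its terminal detection
 // which breaks most of our CLI golden files tests.
-github.com/charmbracelet/lipgloss v0.8.0 // indirect
+github.com/charmbracelet/lipgloss v0.12.1 // indirect
 github.com/chromedp/sysutil v1.0.0 // indirect
 github.com/clbanning/mxj/v2 v2.7.0 // indirect
 github.com/cloudflare/circl v1.3.7 // indirect
-github.com/containerd/continuity v0.4.2 // indirect
+github.com/containerd/continuity v0.4.3 // indirect
 github.com/coreos/go-iptables v0.6.0 // indirect
 github.com/dlclark/regexp2 v1.11.0 // indirect
 github.com/docker/cli v27.1.1+incompatible // indirect
 github.com/docker/docker v27.1.1+incompatible // indirect
-github.com/docker/go-connections v0.4.0 // indirect
+github.com/docker/go-connections v0.5.0 // indirect
 github.com/docker/go-units v0.5.0 // indirect
 github.com/dustin/go-humanize v1.0.1 // indirect
 github.com/ebitengine/purego v0.6.0-alpha.5 // indirect
@@ -312,7 +313,7 @@ require (
 github.com/google/s2a-go v0.1.8 // indirect
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
-github.com/gorilla/css v1.0.0 // indirect
+github.com/gorilla/css v1.0.1 // indirect
 github.com/gorilla/mux v1.8.1 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -345,7 +346,7 @@ require (
 github.com/mdlayher/sdnotify v1.0.0 // indirect
 github.com/mdlayher/socket v0.5.0 // indirect
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
-github.com/microcosm-cc/bluemonday v1.0.25 // indirect
+github.com/microcosm-cc/bluemonday v1.0.27 // indirect
 github.com/miekg/dns v1.1.57 // indirect
 github.com/mitchellh/copystructure v1.2.0 // indirect
 github.com/mitchellh/go-ps v1.0.0 // indirect
@@ -355,10 +356,9 @@ require (
 github.com/muesli/reflow v0.3.0 // indirect
 github.com/niklasfasching/go-org v1.7.0 // indirect
 github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d // indirect
-github.com/olekukonko/tablewriter v0.0.5 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.0 // indirect
-github.com/opencontainers/runc v1.1.12 // indirect
+github.com/opencontainers/runc v1.1.13 // indirect
 github.com/outcaste-io/ristretto v0.2.3 // indirect
 github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 github.com/philhofer/fwd v1.1.2 // indirect
@@ -369,7 +369,7 @@ require (
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 github.com/riandyrn/otelchi v0.5.1 // indirect
 github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 // indirect
-github.com/rivo/uniseg v0.4.4 // indirect
+github.com/rivo/uniseg v0.4.7 // indirect
 github.com/satori/go.uuid v1.2.1-0.20181028125025-b2ce2384e17b // indirect
 github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect
 github.com/sirupsen/logrus v1.9.3 // indirect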
