From f2ffe03b33ddeb549dd2a48ea781ea112ad132b3 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 18 May 2022 15:04:17 -0500 Subject: [PATCH 1/4] fix: User's should be able to read what roles available --- coderd/rbac/builtin.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/coderd/rbac/builtin.go b/coderd/rbac/builtin.go index 71b0f059f628d..d39d1b56fca49 100644 --- a/coderd/rbac/builtin.go +++ b/coderd/rbac/builtin.go @@ -66,7 +66,8 @@ var ( DisplayName: "Member", Site: permissions(map[Object][]Action{ // All users can read all other users and know they exist. - ResourceUser: {ActionRead}, + ResourceUser: {ActionRead}, + ResourceRoleAssignment: {ActionRead}, }), User: permissions(map[Object][]Action{ ResourceWildcard: {WildcardSymbol}, From 9dde096e81f071571ec0e53fdbd0d91a07b8cee6 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 18 May 2022 15:23:23 -0500 Subject: [PATCH 2/4] fix: Role comparison does not matter on slice order --- coderd/rbac/builtin_internal_test.go | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/coderd/rbac/builtin_internal_test.go b/coderd/rbac/builtin_internal_test.go index a5374dcc37547..3ffe8879a2548 100644 --- a/coderd/rbac/builtin_internal_test.go +++ b/coderd/rbac/builtin_internal_test.go @@ -34,7 +34,7 @@ func TestRoleByName(t *testing.T) { t.Run(c.Role.Name, func(t *testing.T) { role, err := RoleByName(c.Role.Name) require.NoError(t, err, "role exists") - require.Equal(t, c.Role, role) + equalRoles(t, c.Role, role) }) } }) @@ -53,3 +53,18 @@ func TestRoleByName(t *testing.T) { require.Error(t, err, "expect orgID") }) } + +// SameAs compares 2 roles for equality. +func equalRoles(t *testing.T, a, b Role) { + require.Equal(t, a.Name, b.Name, "role names") + require.Equal(t, a.DisplayName, b.DisplayName, "role display names") + require.ElementsMatch(t, a.Site, b.Site, "site permissions") + require.ElementsMatch(t, a.User, b.User, "user permissions") + require.Equal(t, len(a.Org), len(b.Org), "same number of org roles") + + for ak, av := range a.Org { + bv, ok := b.Org[ak] + require.True(t, ok, "org permissions missing: %s", ak) + require.ElementsMatchf(t, av, bv, "org %s permissions", ak) + } +} From 7b0f43bd12a4a86d75c5c8de0c609bbe454a2f7a Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 18 May 2022 15:28:20 -0500 Subject: [PATCH 3/4] Update test with new perms --- coderd/roles_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/coderd/roles_test.go b/coderd/roles_test.go index 0350bcf835377..ae771fddb50e6 100644 --- a/coderd/roles_test.go +++ b/coderd/roles_test.go @@ -128,14 +128,14 @@ func TestListRoles(t *testing.T) { x, err := member.ListSiteRoles(ctx) return x, err }, - AuthorizedError: unauth, + ExpectedRoles: convertRoles(rbac.SiteRoles()), }, { Name: "OrgMemberListOrg", APICall: func() ([]codersdk.Role, error) { return member.ListOrganizationRoles(ctx, admin.OrganizationID) }, - AuthorizedError: unauth, + ExpectedRoles: convertRoles(rbac.OrganizationRoles(admin.OrganizationID)), }, { Name: "NonOrgMemberListOrg", @@ -150,7 +150,7 @@ func TestListRoles(t *testing.T) { APICall: func() ([]codersdk.Role, error) { return orgAdmin.ListSiteRoles(ctx) }, - AuthorizedError: unauth, + ExpectedRoles: convertRoles(rbac.SiteRoles()), }, { Name: "OrgAdminListOrg", From 235a6755b41919d225afba06da5fe868bfc20b29 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 18 May 2022 15:35:45 -0500 Subject: [PATCH 4/4] remove unused const --- coderd/roles_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/coderd/roles_test.go b/coderd/roles_test.go index ae771fddb50e6..22397b7b34c1f 100644 --- a/coderd/roles_test.go +++ b/coderd/roles_test.go @@ -112,7 +112,6 @@ func TestListRoles(t *testing.T) { }) require.NoError(t, err, "create org") - const unauth = "forbidden" const notMember = "not a member of the organization" testCases := []struct {