test: include per-org default roles in rbac user subjects

Emyrk · Emyrk · commit 4347bf446cab · 2026-06-03T21:06:41.000Z
Aligns coderdtest.AuthzUserSubjectWithDB with GetAuthorizationUserRoles so tests built via this helper see the per-org default_org_member_roles union, not just organization-member. Also moves the single-use MemberSubject helper into its sole consumer and unexports it. Refs #25936.
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -908,6 +908,16 @@ func AuthzUserSubjectWithDB(ctx context.Context, t testing.TB, db database.Store
 	require.NoError(t, err)
 	for _, org := range orgs {
 		roles = append(roles, rbac.ScopedRoleOrgMember(org.ID))
+		// The implicit role set (organization-member plus the org's
+		// default_org_member_roles) is unioned at request time by
+		// GetAuthorizationUserRoles. Subjects built directly here bypass
+		// that SQL union, so mirror it explicitly.
+		for _, name := range org.DefaultOrgMemberRoles {
+			roles = append(roles, rbac.RoleIdentifier{
+				Name:           name,
+				OrganizationID: org.ID,
+			})
+		}
 	}
 
 	//nolint:gocritic // We need to expand DB-backed/system roles. The caller
diff --git a/coderd/coderdtest/subjects.go b/coderd/coderdtest/subjects.go
diff --git a/coderd/workspaceconnwatcher/watcher_test.go b/coderd/workspaceconnwatcher/watcher_test.go
@@ -19,6 +19,8 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbmock"
 	"github.com/coder/coder/v2/coderd/database/pubsub"
 	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/rolestore"
 	"github.com/coder/coder/v2/coderd/workspaceconnwatcher"
 	"github.com/coder/coder/v2/coderd/wspubsub"
 	"github.com/coder/coder/v2/codersdk"
@@ -72,7 +74,7 @@ func (h *harness) Dial(ctx context.Context, url string) (*wsjson.Decoder[workspa
 		Handler: http.HandlerFunc(h.watcher.WorkspaceAgentConnectionWatch),
 		CtxMutator: func(ctx context.Context) context.Context {
 			ctx = httpmw.WithWorkspaceParam(ctx, h.workspace)
-			ctx = dbauthz.As(ctx, coderdtest.MemberSubject(userID, orgID))
+			ctx = dbauthz.As(ctx, memberSubject(userID, orgID))
 			return ctx
 		},
 		Logger: h.logger.Named("roundtripper"),
@@ -470,3 +472,29 @@ func TestWatcher_ClosedAfterDial(t *testing.T) {
 	}
 	testutil.TryReceive(ctx, t, closed)
 }
+
+// memberSubject builds an RBAC subject scoped as a basic org member, used to
+// drive the watcher handler through dbauthz checks. Kept local to this test
+// because no other package needs it.
+func memberSubject(userID, orgID uuid.UUID) rbac.Subject {
+	memberRole, err := rbac.RoleByName(rbac.RoleMember())
+	if err != nil {
+		panic(err)
+	}
+	orgMember, err := rolestore.TestingGetSystemRole(
+		rbac.RoleOrgMember(),
+		orgID,
+		rbac.OrgSettings{ShareableWorkspaceOwners: rbac.ShareableWorkspaceOwnersNone},
+	)
+	if err != nil {
+		panic(err)
+	}
+	return rbac.Subject{
+		FriendlyName: "coderdtest-member",
+		Email:        "member@coderd.test",
+		Type:         rbac.SubjectTypeUser,
+		ID:           userID.String(),
+		Roles:        rbac.Roles{memberRole, orgMember},
+		Scope:        rbac.ScopeAll,
+	}.WithCachedASTValue()
+}
diff --git a/testutil/websocket.go b/testutil/websocket.go
@@ -19,7 +19,7 @@ import (
 //			Handler: MyHandler,
 //			CtxMutator: func(ctx context.Context) context.Context {
 //				ctx = httpmw.WithWorkspaceParam(ctx, ws)
-//				ctx = dbauthz.As(ctx, coderdtest.MemberSubject(userID, orgID))
+//				ctx = dbauthz.As(ctx, mySubject(userID, orgID))
 //				return ctx
 //			},
 //	        Logger: logger.Named("roundtripper"),
