@@ -17,6 +17,8 @@ import (
1717 "github.com/coder/coder/coderd/coderdtest"
1818 "github.com/coder/coder/coderd/rbac"
1919 "github.com/coder/coder/codersdk"
20+ "github.com/coder/coder/provisioner/echo"
21+ "github.com/coder/coder/provisionersdk/proto"
2022)
2123
2224func TestMain (m * testing.M ) {
@@ -47,13 +49,32 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
4749 require .NoError (t , err , "fetch org" )
4850
4951 // Setup some data in the database.
50- version := coderdtest .CreateTemplateVersion (t , client , admin .OrganizationID , nil )
52+ version := coderdtest .CreateTemplateVersion (t , client , admin .OrganizationID , & echo.Responses {
53+ Parse : echo .ParseComplete ,
54+ Provision : []* proto.Provision_Response {{
55+ Type : & proto.Provision_Response_Complete {
56+ Complete : & proto.Provision_Complete {
57+ // Return a workspace resource
58+ Resources : []* proto.Resource {{
59+ Name : "some" ,
60+ Type : "example" ,
61+ Agents : []* proto.Agent {{
62+ Id : "something" ,
63+ Auth : & proto.Agent_Token {},
64+ }},
65+ }},
66+ },
67+ },
68+ }},
69+ })
5170 coderdtest .AwaitTemplateVersionJob (t , client , version .ID )
5271 template := coderdtest .CreateTemplate (t , client , admin .OrganizationID , version .ID )
5372 workspace := coderdtest .CreateWorkspace (t , client , admin .OrganizationID , template .ID )
5473 coderdtest .AwaitWorkspaceBuildJob (t , client , workspace .LatestBuild .ID )
5574 file , err := client .Upload (ctx , codersdk .ContentTypeTar , make ([]byte , 1024 ))
5675 require .NoError (t , err , "upload file" )
76+ workspaceResources , err := client .WorkspaceResourcesByBuild (ctx , workspace .LatestBuild .ID )
77+ require .NoError (t , err , "workspace resources" )
5778
5879 // Always fail auth from this point forward
5980 authorizer .AlwaysReturn = rbac .ForbiddenWithInternal (xerrors .New ("fake implementation" ), nil , nil )
@@ -78,6 +99,9 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
7899 "POST:/api/v2/users/logout" : {NoAuthorize : true },
79100 "GET:/api/v2/users/authmethods" : {NoAuthorize : true },
80101
102+ // Has it's own auth
103+ "GET:/api/v2/users/oauth2/github/callback" : {NoAuthorize : true },
104+
81105 // All workspaceagents endpoints do not use rbac
82106 "POST:/api/v2/workspaceagents/aws-instance-identity" : {NoAuthorize : true },
83107 "POST:/api/v2/workspaceagents/azure-instance-identity" : {NoAuthorize : true },
@@ -94,11 +118,6 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
94118 "GET:/api/v2/workspaceagents/{workspaceagent}/turn" : {NoAuthorize : true },
95119
96120 // TODO: @emyrk these need to be fixed by adding authorize calls
97- "GET:/api/v2/workspaceresources/{workspaceresource}" : {NoAuthorize : true },
98-
99- "GET:/api/v2/users/oauth2/github/callback" : {NoAuthorize : true },
100-
101- "PUT:/api/v2/organizations/{organization}/members/{user}/roles" : {NoAuthorize : true },
102121 "GET:/api/v2/organizations/{organization}/provisionerdaemons" : {NoAuthorize : true },
103122 "GET:/api/v2/organizations/{organization}/templates/{templatename}" : {NoAuthorize : true },
104123 "POST:/api/v2/organizations/{organization}/templateversions" : {NoAuthorize : true },
@@ -108,17 +127,6 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
108127 "GET:/api/v2/parameters/{scope}/{id}" : {NoAuthorize : true },
109128 "DELETE:/api/v2/parameters/{scope}/{id}/{name}" : {NoAuthorize : true },
110129
111- "GET:/api/v2/templates/{template}/versions" : {NoAuthorize : true },
112- "PATCH:/api/v2/templates/{template}/versions" : {NoAuthorize : true },
113- "GET:/api/v2/templates/{template}/versions/{templateversionname}" : {NoAuthorize : true },
114-
115- "GET:/api/v2/templateversions/{templateversion}" : {NoAuthorize : true },
116- "PATCH:/api/v2/templateversions/{templateversion}/cancel" : {NoAuthorize : true },
117- "GET:/api/v2/templateversions/{templateversion}/logs" : {NoAuthorize : true },
118- "GET:/api/v2/templateversions/{templateversion}/parameters" : {NoAuthorize : true },
119- "GET:/api/v2/templateversions/{templateversion}/resources" : {NoAuthorize : true },
120- "GET:/api/v2/templateversions/{templateversion}/schema" : {NoAuthorize : true },
121-
122130 "POST:/api/v2/users/{user}/organizations" : {NoAuthorize : true },
123131
124132 "GET:/api/v2/workspaces/{workspace}/watch" : {NoAuthorize : true },
@@ -164,6 +172,10 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
164172 AssertAction : rbac .ActionUpdate ,
165173 AssertObject : workspaceRBACObj ,
166174 },
175+ "GET:/api/v2/workspaceresources/{workspaceresource}" : {
176+ AssertAction : rbac .ActionRead ,
177+ AssertObject : workspaceRBACObj ,
178+ },
167179 "PATCH:/api/v2/workspacebuilds/{workspacebuild}/cancel" : {
168180 AssertAction : rbac .ActionUpdate ,
169181 AssertObject : workspaceRBACObj ,
@@ -199,12 +211,51 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
199211 AssertObject : rbac .ResourceTemplate .InOrg (template .OrganizationID ).WithID (template .ID .String ()),
200212 },
201213 "POST:/api/v2/files" : {AssertAction : rbac .ActionCreate , AssertObject : rbac .ResourceFile },
202- "GET:/api/v2/files/{fileHash}" : {AssertAction : rbac .ActionRead ,
203- AssertObject : rbac .ResourceFile .WithOwner (admin .UserID .String ()).WithID (file .Hash )},
214+ "GET:/api/v2/files/{fileHash}" : {
215+ AssertAction : rbac .ActionRead ,
216+ AssertObject : rbac .ResourceFile .WithOwner (admin .UserID .String ()).WithID (file .Hash ),
217+ },
218+ "GET:/api/v2/templates/{template}/versions" : {
219+ AssertAction : rbac .ActionRead ,
220+ AssertObject : rbac .ResourceTemplate .InOrg (template .OrganizationID ).WithID (template .ID .String ()),
221+ },
222+ "PATCH:/api/v2/templates/{template}/versions" : {
223+ AssertAction : rbac .ActionUpdate ,
224+ AssertObject : rbac .ResourceTemplate .InOrg (template .OrganizationID ).WithID (template .ID .String ()),
225+ },
226+ "GET:/api/v2/templates/{template}/versions/{templateversionname}" : {
227+ AssertAction : rbac .ActionRead ,
228+ AssertObject : rbac .ResourceTemplate .InOrg (template .OrganizationID ).WithID (template .ID .String ()),
229+ },
230+ "GET:/api/v2/templateversions/{templateversion}" : {
231+ AssertAction : rbac .ActionRead ,
232+ AssertObject : rbac .ResourceTemplate .InOrg (template .OrganizationID ).WithID (template .ID .String ()),
233+ },
234+ "PATCH:/api/v2/templateversions/{templateversion}/cancel" : {
235+ AssertAction : rbac .ActionUpdate ,
236+ AssertObject : rbac .ResourceTemplate .InOrg (template .OrganizationID ).WithID (template .ID .String ()),
237+ },
238+ "GET:/api/v2/templateversions/{templateversion}/logs" : {
239+ AssertAction : rbac .ActionRead ,
240+ AssertObject : rbac .ResourceTemplate .InOrg (template .OrganizationID ).WithID (template .ID .String ()),
241+ },
242+ "GET:/api/v2/templateversions/{templateversion}/parameters" : {
243+ AssertAction : rbac .ActionRead ,
244+ AssertObject : rbac .ResourceTemplate .InOrg (template .OrganizationID ).WithID (template .ID .String ()),
245+ },
246+ "GET:/api/v2/templateversions/{templateversion}/resources" : {
247+ AssertAction : rbac .ActionRead ,
248+ AssertObject : rbac .ResourceTemplate .InOrg (template .OrganizationID ).WithID (template .ID .String ()),
249+ },
250+ "GET:/api/v2/templateversions/{templateversion}/schema" : {
251+ AssertAction : rbac .ActionRead ,
252+ AssertObject : rbac .ResourceTemplate .InOrg (template .OrganizationID ).WithID (template .ID .String ()),
253+ },
204254
205255 // These endpoints need payloads to get to the auth part. Payloads will be required
206- "PUT:/api/v2/users/{user}/roles" : {StatusCode : http .StatusBadRequest , NoAuthorize : true },
207- "POST:/api/v2/workspaces/{workspace}/builds" : {StatusCode : http .StatusBadRequest , NoAuthorize : true },
256+ "PUT:/api/v2/users/{user}/roles" : {StatusCode : http .StatusBadRequest , NoAuthorize : true },
257+ "PUT:/api/v2/organizations/{organization}/members/{user}/roles" : {NoAuthorize : true },
258+ "POST:/api/v2/workspaces/{workspace}/builds" : {StatusCode : http .StatusBadRequest , NoAuthorize : true },
208259 }
209260
210261 for k , v := range assertRoute {
@@ -240,6 +291,8 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
240291 route = strings .ReplaceAll (route , "{workspacebuildname}" , workspace .LatestBuild .Name )
241292 route = strings .ReplaceAll (route , "{template}" , template .ID .String ())
242293 route = strings .ReplaceAll (route , "{hash}" , file .Hash )
294+ route = strings .ReplaceAll (route , "{workspaceresource}" , workspaceResources [0 ].ID .String ())
295+ route = strings .ReplaceAll (route , "{templateversion}" , version .ID .String ())
243296
244297 resp , err := client .Request (context .Background (), method , route , nil )
245298 require .NoError (t , err , "do req" )
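Review bot: The entry `"PUT:/api/v2/organizations/{organization}/members/{user}/roles": {NoAuthorize: true}` (new line 257) still leaves the organization role-assignment route with no asserted RBAC check, and moving it out of the `TODO: @emyrk` list into the "need payloads" group removes the only marker that it is unverified. Unlike its two neighbours it carries no `StatusCode: http.StatusBadRequest`, so it is not visible from this diff which status the loop expects for it. Since this route changes who holds which role, I would either send a minimal valid body and assert the action and object the handler authorizes on (the handler is not shown here), or keep a marker on the entry such as `// TODO: not asserted yet; needs a request body to reach Authorize`. Separately, `workspaceResources[0]` (new line 294) is indexed without a length check; adding `require.NotEmpty(t, workspaceResources, "workspace resources")` after the fetch at new line 77 would fail the test cleanly instead of panicking. The body of TestAuthorizeAllEndpoints extends beyond the hunks shown.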