test: Unit test to assert role capabilities #1781
Conversation
This unit test allows for asserting which roles can perform actions on various objects. This is much easier than making unit tests to hit the api.
Emyrk
changed the title
coderd/rbac/builtin_test.go
Outdated
| Name: "AUser", | ||
| Actions: []rbac.Action{rbac.ActionCreate, rbac.ActionUpdate, rbac.ActionDelete}, | ||
| Resource: rbac.ResourceUser, | ||
| Assertions: map[bool][]authSubject{ | ||
| true: {admin}, | ||
| false: {member, orgMember, orgAdmin, otherOrgMember, otherOrgAdmin}, | ||
| }, |
There was a problem hiding this comment.
suggestion: Could we rename these fields for clarity? When I initially read the test I got a bit confused, as it appears to me that this test was asserting that any random user resource should have the admin role. Now after reading it, it appears that the Resource in question is the object, and the subjects are all of those identified in assertions.
There was a problem hiding this comment.
Correct. I can rename. I changed this struct up a few times, probably why it ended as it did.
coderd/rbac/builtin_test.go
Outdated
| Resource rbac.Object | ||
| Actions []rbac.Action | ||
| // Assertions must cover all subjects in 'requiredSubjects' | ||
| Assertions map[bool][]authSubject |
There was a problem hiding this comment.
nit: map[authSubject]bool? Kind of easier to reason about. Optional though, this is really a nit pick.
There was a problem hiding this comment.
I felt it was easier to just list out subjects in a 1 line list.
| }, | ||
| }, | ||
| { | ||
| Name: "APIKey", |
There was a problem hiding this comment.
We should probably clarify that the APIKey is owned by the user referred to by orgMember
There was a problem hiding this comment.
It is. I changed member and orgMember to memberMe and orgMemberMe respectively.
- Add comments, rename fields
* test: Unit test to assert role permissions This unit test allows for asserting which roles can perform actions on various objects. This is much easier than making unit tests to hit the api.
This unit test allows for asserting which roles can perform
actions on various objects. This is much easier than making
unit tests to hit the api.