PR comments

Emyrk · Emyrk · commit e10c54598f58 · 2024-08-01T08:24:47.000-05:00
diff --git a/coderd/database/querier_test.go b/coderd/database/querier_test.go
@@ -789,6 +789,9 @@ func TestAuthorizedAuditLogs(t *testing.T) {
 		}))
 	}
 
+	// This map is a simple way to insert a given number of organizations
+	// and audit logs for each organization.
+	// map[orgID][]AuditLogID
 	orgAuditLogs := map[uuid.UUID][]uuid.UUID{
 		uuid.New(): {uuid.New(), uuid.New()},
 		uuid.New(): {uuid.New(), uuid.New()},
@@ -828,46 +831,55 @@ func TestAuthorizedAuditLogs(t *testing.T) {
 	t.Run("NoAccess", func(t *testing.T) {
 		t.Parallel()
 
-		siteAuditorCtx := dbauthz.As(ctx, rbac.Subject{
+		// Given: A user who is a member of 0 organizations
+		memberCtx := dbauthz.As(ctx, rbac.Subject{
 			FriendlyName: "member",
 			ID:           uuid.NewString(),
 			Roles:        rbac.Roles{memberRole},
 			Scope:        rbac.ScopeAll,
 		})
 
-		logs, err := db.GetAuditLogsOffset(siteAuditorCtx, database.GetAuditLogsOffsetParams{})
+		// When: The user queries for audit logs
+		logs, err := db.GetAuditLogsOffset(memberCtx, database.GetAuditLogsOffsetParams{})
 		require.NoError(t, err)
+		// Then: No logs returned
 		require.Len(t, logs, 0, "no logs should be returned")
 	})
 
 	t.Run("SiteWideAuditor", func(t *testing.T) {
 		t.Parallel()
 
+		// Given: A site wide auditor
 		siteAuditorCtx := dbauthz.As(ctx, rbac.Subject{
 			FriendlyName: "owner",
 			ID:           uuid.NewString(),
 			Roles:        rbac.Roles{auditorRole},
 			Scope:        rbac.ScopeAll,
 		})
 
+		// When: the auditor queries for audit logs
 		logs, err := db.GetAuditLogsOffset(siteAuditorCtx, database.GetAuditLogsOffsetParams{})
 		require.NoError(t, err)
+		// Then: All logs are returned
 		require.ElementsMatch(t, auditOnlyIDs(allLogs), auditOnlyIDs(logs))
 	})
 
 	t.Run("SingleOrgAuditor", func(t *testing.T) {
 		t.Parallel()
 
 		orgID := orgIDs[0]
-		siteAuditorCtx := dbauthz.As(ctx, rbac.Subject{
+		// Given: An organization scoped auditor
+		orgAuditCtx := dbauthz.As(ctx, rbac.Subject{
 			FriendlyName: "org-auditor",
 			ID:           uuid.NewString(),
 			Roles:        rbac.Roles{orgAuditorRoles(t, orgID)},
 			Scope:        rbac.ScopeAll,
 		})
 
-		logs, err := db.GetAuditLogsOffset(siteAuditorCtx, database.GetAuditLogsOffsetParams{})
+		// When: The auditor queries for audit logs
+		logs, err := db.GetAuditLogsOffset(orgAuditCtx, database.GetAuditLogsOffsetParams{})
 		require.NoError(t, err)
+		// Then: Only the logs for the organization are returned
 		require.ElementsMatch(t, orgAuditLogs[orgID], auditOnlyIDs(logs))
 	})
 
@@ -876,30 +888,36 @@ func TestAuthorizedAuditLogs(t *testing.T) {
 
 		first := orgIDs[0]
 		second := orgIDs[1]
-		siteAuditorCtx := dbauthz.As(ctx, rbac.Subject{
+		// Given: A user who is an auditor for two organizations
+		multiOrgAuditCtx := dbauthz.As(ctx, rbac.Subject{
 			FriendlyName: "org-auditor",
 			ID:           uuid.NewString(),
 			Roles:        rbac.Roles{orgAuditorRoles(t, first), orgAuditorRoles(t, second)},
 			Scope:        rbac.ScopeAll,
 		})
 
-		logs, err := db.GetAuditLogsOffset(siteAuditorCtx, database.GetAuditLogsOffsetParams{})
+		// When: The user queries for audit logs
+		logs, err := db.GetAuditLogsOffset(multiOrgAuditCtx, database.GetAuditLogsOffsetParams{})
 		require.NoError(t, err)
+		// Then: All logs for both organizations are returned
 		require.ElementsMatch(t, append(orgAuditLogs[first], orgAuditLogs[second]...), auditOnlyIDs(logs))
 	})
 
 	t.Run("ErroneousOrg", func(t *testing.T) {
 		t.Parallel()
 
-		siteAuditorCtx := dbauthz.As(ctx, rbac.Subject{
+		// Given: A user who is an auditor for an organization that has 0 logs
+		userCtx := dbauthz.As(ctx, rbac.Subject{
 			FriendlyName: "org-auditor",
 			ID:           uuid.NewString(),
 			Roles:        rbac.Roles{orgAuditorRoles(t, uuid.New())},
 			Scope:        rbac.ScopeAll,
 		})
 
-		logs, err := db.GetAuditLogsOffset(siteAuditorCtx, database.GetAuditLogsOffsetParams{})
+		// When: The user queries for audit logs
+		logs, err := db.GetAuditLogsOffset(userCtx, database.GetAuditLogsOffsetParams{})
 		require.NoError(t, err)
+		// Then: No logs are returned
 		require.Len(t, logs, 0, "no logs should be returned")
 	})
 }
diff --git a/coderd/rbac/regosql/configs.go b/coderd/rbac/regosql/configs.go
@@ -40,11 +40,10 @@ func AuditLogConverter() *sqltypes.VariableConverter {
 	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
 		resourceIDMatcher(),
 		sqltypes.StringVarMatcher("COALESCE(audit_logs.organization_id :: text, '')", []string{"input", "object", "org_owner"}),
-		// Templates have no user owner, only owner by an organization.
+		// Aduit logs have no user owner, only owner by an organization.
 		sqltypes.AlwaysFalse(userOwnerMatcher()),
 	)
 	matcher.RegisterMatcher(
-		// No ACLs on the user type
 		sqltypes.AlwaysFalse(groupACLMatcher(matcher)),
 		sqltypes.AlwaysFalse(userACLMatcher(matcher)),
 	)

Original file line number	Diff line number	Diff line change
`@@ -40,11 +40,10 @@ func AuditLogConverter() *sqltypes.VariableConverter {`
`40`	`40`	`matcher := sqltypes.NewVariableConverter().RegisterMatcher(`
`41`	`41`	`resourceIDMatcher(),`
`42`	`42`	`sqltypes.StringVarMatcher("COALESCE(audit_logs.organization_id :: text, '')", []string{"input", "object", "org_owner"}),`
`43`		`- // Templates have no user owner, only owner by an organization.`
	`43`	`+ // Aduit logs have no user owner, only owner by an organization.`
`44`	`44`	`sqltypes.AlwaysFalse(userOwnerMatcher()),`
`45`	`45`	`)`
`46`	`46`	`matcher.RegisterMatcher(`
`47`		`- // No ACLs on the user type`
`48`	`47`	`sqltypes.AlwaysFalse(groupACLMatcher(matcher)),`
`49`	`48`	`sqltypes.AlwaysFalse(userACLMatcher(matcher)),`
`50`	`49`	`)`