fix: check user user is active in aibridge auth (#26173) (#26264) · coder/coder@943b04f

name: "deleted user",

expectedErr: aibridgedserver.ErrDeletedUser,

mocksFn: func(db *dbmock.MockStore, apiKey database.APIKey, user database.User) {

user.Deleted = true

db.EXPECT().GetAPIKeyByID(gomock.Any(), apiKey.ID).Times(1).Return(apiKey, nil)

db.EXPECT().GetUserByID(gomock.Any(), user.ID).Times(1).Return(database.User{ID: user.ID, Deleted: true}, nil)

db.EXPECT().GetUserByID(gomock.Any(), user.ID).Times(1).Return(user, nil)

},

},

{

name: "suspended user",

expectedErr: aibridgedserver.ErrInactiveUser,

mocksFn: func(db *dbmock.MockStore, apiKey database.APIKey, user database.User) {

user.Status = database.UserStatusSuspended

db.EXPECT().GetAPIKeyByID(gomock.Any(), apiKey.ID).Times(1).Return(apiKey, nil)

db.EXPECT().GetUserByID(gomock.Any(), user.ID).Times(1).Return(user, nil)

},

},

{

name: "dormant user",

expectedErr: aibridgedserver.ErrInactiveUser,

mocksFn: func(db *dbmock.MockStore, apiKey database.APIKey, user database.User) {

user.Status = database.UserStatusDormant

db.EXPECT().GetAPIKeyByID(gomock.Any(), apiKey.ID).Times(1).Return(apiKey, nil)

db.EXPECT().GetUserByID(gomock.Any(), user.ID).Times(1).Return(user, nil)

},

},

{

name: "system user",

expectedErr: aibridgedserver.ErrSystemUser,

mocksFn: func(db *dbmock.MockStore, apiKey database.APIKey, user database.User) {

user.IsSystem = true

db.EXPECT().GetAPIKeyByID(gomock.Any(), apiKey.ID).Times(1).Return(apiKey, nil)

db.EXPECT().GetUserByID(gomock.Any(), user.ID).Times(1).Return(database.User{ID: user.ID, IsSystem: true}, nil)

db.EXPECT().GetUserByID(gomock.Any(), user.ID).Times(1).Return(user, nil)

},

},

{

// When IsAuthorizedRequest carries KeyId instead of Key, the server skips

// the secret check and validates only that the key exists, is unexpired, and

// belongs to a non-deleted non-system user. This is the path used by

// belongs to an active, non-deleted, non-system user. This is the path used by

// in-process delegated callers (e.g., chatd) that hold only the key ID.

func TestAuthorization_Delegated(t *testing.T) {

t.Parallel()

name: "deleted user",

expectedErr: aibridgedserver.ErrDeletedUser,

mocksFn: func(db *dbmock.MockStore, apiKey database.APIKey, user database.User) {

user.Deleted = true

db.EXPECT().GetAPIKeyByID(gomock.Any(), apiKey.ID).Times(1).Return(apiKey, nil)

db.EXPECT().GetUserByID(gomock.Any(), user.ID).Times(1).Return(database.User{ID: user.ID, Deleted: true}, nil)

db.EXPECT().GetUserByID(gomock.Any(), user.ID).Times(1).Return(user, nil)

},

},

{

// The delegated path must reject inactive users; transport

// trust does not override account suspension.

name: "suspended user",

expectedErr: aibridgedserver.ErrInactiveUser,

mocksFn: func(db *dbmock.MockStore, apiKey database.APIKey, user database.User) {

user.Status = database.UserStatusSuspended

db.EXPECT().GetAPIKeyByID(gomock.Any(), apiKey.ID).Times(1).Return(apiKey, nil)

db.EXPECT().GetUserByID(gomock.Any(), user.ID).Times(1).Return(user, nil)

},

},

{

// Dormant users are inactive unless they are explicitly

// reactivated through the HTTP middleware path.

name: "dormant user",

expectedErr: aibridgedserver.ErrInactiveUser,

mocksFn: func(db *dbmock.MockStore, apiKey database.APIKey, user database.User) {

user.Status = database.UserStatusDormant

db.EXPECT().GetAPIKeyByID(gomock.Any(), apiKey.ID).Times(1).Return(apiKey, nil)

db.EXPECT().GetUserByID(gomock.Any(), user.ID).Times(1).Return(user, nil)

},

},

{

name: "system user",

expectedErr: aibridgedserver.ErrSystemUser,

mocksFn: func(db *dbmock.MockStore, apiKey database.APIKey, user database.User) {

user.IsSystem = true

db.EXPECT().GetAPIKeyByID(gomock.Any(), apiKey.ID).Times(1).Return(apiKey, nil)

db.EXPECT().GetUserByID(gomock.Any(), user.ID).Times(1).Return(database.User{ID: user.ID, IsSystem: true}, nil)

db.EXPECT().GetUserByID(gomock.Any(), user.ID).Times(1).Return(user, nil)

},

},

}