WIP: chore(grants): Combine common logic into setup function

hashicorp · Feb 13, 2025 · 4c919f4 · 4c919f4
1 parent 892fb32
commit 4c919f4
Showing 1 changed file with 57 additions and 43 deletions.
diff --git a/internal/iam/repository_role_grant_ext_test.go b/internal/iam/repository_role_grant_ext_test.go
@@ -405,125 +405,132 @@ func TestGrantsForUser_DirectAssociation(t *testing.T) {
 	user := iam.TestUser(t, repo, "global")
 	user2 := iam.TestUser(t, repo, "global")
 
+	testUserRoleFunc := func(roleId, userId string) {
+		iam.TestUserRole(t, conn, roleId, userId)
+	}
+
 	// Create a series of scopes with roles in each. We'll create two of each
 	// kind to ensure we're not just picking up the first role in each.
 
 	// The first org/project set contains direct grants, but without
 	// inheritance. We create two roles in each project.
+
+	// Org1, Project1a, Project1b
 	directGrantOrg1, directGrantProj1a, directGrantProj1b := iam.SetupDirectGrantScopes(t, conn, repo)
 
 	// user
 	directGrantOrg1Role := iam.TestRole(t, conn, directGrantOrg1.PublicId)
-	iam.TestUserRole(t, conn, directGrantOrg1Role.PublicId, user.PublicId)
 	directGrantOrg1RoleGrant1 := "ids=*;type=group;actions=*"
-	iam.TestRoleGrant(t, conn, directGrantOrg1Role.PublicId, directGrantOrg1RoleGrant1)
 	directGrantOrg1RoleGrant2 := "ids=*;type=group;actions=create,list"
-	iam.TestRoleGrant(t, conn, directGrantOrg1Role.PublicId, directGrantOrg1RoleGrant2)
+	setup(t, conn, directGrantOrg1Role.PublicId, user.PublicId, testUserRoleFunc,
+		directGrantOrg1RoleGrant1, directGrantOrg1RoleGrant2,
+	)
+
 	// user2
 	directGrantOrg1Role2 := iam.TestRole(t, conn, directGrantOrg1.PublicId)
-	iam.TestUserRole(t, conn, directGrantOrg1Role2.PublicId, user2.PublicId)
 	directGrantOrg1RoleGrant3 := "ids=*;type=group;actions=update"
-	iam.TestRoleGrant(t, conn, directGrantOrg1Role2.PublicId, directGrantOrg1RoleGrant3)
+	setup(t, conn, directGrantOrg1Role2.PublicId, user2.PublicId, testUserRoleFunc, directGrantOrg1RoleGrant3)
 
 	// user
 	directGrantProj1aRole := iam.TestRole(t, conn, directGrantProj1a.PublicId)
-	iam.TestUserRole(t, conn, directGrantProj1aRole.PublicId, user.PublicId)
 	directGrantProj1aRoleGrant := "ids=*;type=group;actions=add-members,read"
-	iam.TestRoleGrant(t, conn, directGrantProj1aRole.PublicId, directGrantProj1aRoleGrant)
+	setup(t, conn, directGrantProj1aRole.PublicId, user.PublicId, testUserRoleFunc, directGrantProj1aRoleGrant)
+
 	directGrantProj1bRole := iam.TestRole(t, conn, directGrantProj1b.PublicId)
-	iam.TestUserRole(t, conn, directGrantProj1bRole.PublicId, user.PublicId)
 	directGrantProj1bRoleGrant := "ids=*;type=group;actions=list,read"
-	iam.TestRoleGrant(t, conn, directGrantProj1bRole.PublicId, directGrantProj1bRoleGrant)
+	setup(t, conn, directGrantProj1bRole.PublicId, user.PublicId, testUserRoleFunc, directGrantProj1bRoleGrant)
+
 	// user2
 	directGrantProj1aRole2 := iam.TestRole(t, conn, directGrantProj1a.PublicId)
-	iam.TestUserRole(t, conn, directGrantProj1aRole2.PublicId, user2.PublicId)
 	directGrantProj1aRoleGrant2 := "ids=*;type=group;actions=set-members"
-	iam.TestRoleGrant(t, conn, directGrantProj1aRole2.PublicId, directGrantProj1aRoleGrant2)
+	setup(t, conn, directGrantProj1aRole2.PublicId, user2.PublicId, testUserRoleFunc, directGrantProj1aRoleGrant2)
+
 	directGrantProj1bRole2 := iam.TestRole(t, conn, directGrantProj1b.PublicId)
-	iam.TestUserRole(t, conn, directGrantProj1bRole2.PublicId, user2.PublicId)
 	directGrantProj1bRoleGrant2 := "ids=*;type=group;actions=delete"
-	iam.TestRoleGrant(t, conn, directGrantProj1bRole2.PublicId, directGrantProj1bRoleGrant2)
+	setup(t, conn, directGrantProj1bRole2.PublicId, user2.PublicId, testUserRoleFunc, directGrantProj1bRoleGrant2)
 
+	// Org2, Project2a, Project2b
 	directGrantOrg2, directGrantProj2a, directGrantProj2b := iam.SetupDirectGrantScopes(t, conn, repo)
+
 	// user
 	directGrantOrg2Role := iam.TestRole(t, conn, directGrantOrg2.PublicId,
 		iam.WithGrantScopeIds([]string{
 			globals.GrantScopeThis,
 			directGrantProj2a.PublicId,
 		}))
-	iam.TestUserRole(t, conn, directGrantOrg2Role.PublicId, user.PublicId)
 	directGrantOrg2RoleGrant1 := "ids=*;type=group;actions=*"
-	iam.TestRoleGrant(t, conn, directGrantOrg2Role.PublicId, directGrantOrg2RoleGrant1)
 	directGrantOrg2RoleGrant2 := "ids=*;type=group;actions=list,read"
-	iam.TestRoleGrant(t, conn, directGrantOrg2Role.PublicId, directGrantOrg2RoleGrant2)
+	setup(t, conn, directGrantOrg2Role.PublicId, user.PublicId, testUserRoleFunc,
+		directGrantOrg2RoleGrant1, directGrantOrg2RoleGrant2,
+	)
 
 	directGrantProj2aRole := iam.TestRole(t, conn, directGrantProj2a.PublicId)
-	iam.TestUserRole(t, conn, directGrantProj2aRole.PublicId, user.PublicId)
 	directGrantProj2aRoleGrant := "ids=hcst_abcd1234,hcst_1234abcd;actions=*"
-	iam.TestRoleGrant(t, conn, directGrantProj2aRole.PublicId, directGrantProj2aRoleGrant)
+	setup(t, conn, directGrantProj2aRole.PublicId, user.PublicId, testUserRoleFunc, directGrantProj2aRoleGrant)
+
 	directGrantProj2bRole := iam.TestRole(t, conn, directGrantProj2b.PublicId)
-	iam.TestUserRole(t, conn, directGrantProj2bRole.PublicId, user.PublicId)
 	directGrantProj2bRoleGrant := "ids=cs_abcd1234;actions=read,update"
-	iam.TestRoleGrant(t, conn, directGrantProj2bRole.PublicId, directGrantProj2bRoleGrant)
+	setup(t, conn, directGrantProj2bRole.PublicId, user.PublicId, testUserRoleFunc, directGrantProj2bRoleGrant)
 
 	// user2
 	directGrantOrg2Role2 := iam.TestRole(t, conn, directGrantOrg2.PublicId,
 		iam.WithGrantScopeIds([]string{
 			globals.GrantScopeThis,
 			directGrantProj2a.PublicId,
 		}))
-	iam.TestUserRole(t, conn, directGrantOrg2Role2.PublicId, user2.PublicId)
 	directGrantOrg2RoleGrant3 := "ids=*;type=group;actions=add-members"
-	iam.TestRoleGrant(t, conn, directGrantOrg2Role2.PublicId, directGrantOrg2RoleGrant3)
+	setup(t, conn, directGrantOrg2Role2.PublicId, user2.PublicId, testUserRoleFunc, directGrantOrg2RoleGrant3)
 
 	directGrantProj2aRole2 := iam.TestRole(t, conn, directGrantProj2a.PublicId)
-	iam.TestUserRole(t, conn, directGrantProj2aRole2.PublicId, user2.PublicId)
 	directGrantProj2aRoleGrant2 := "ids=hcst_abcd1234,hcst_1234abcd;actions=*"
-	iam.TestRoleGrant(t, conn, directGrantProj2aRole2.PublicId, directGrantProj2aRoleGrant2)
+	setup(t, conn, directGrantProj2aRole2.PublicId, user2.PublicId, testUserRoleFunc, directGrantProj2aRoleGrant2)
+
 	directGrantProj2bRole2 := iam.TestRole(t, conn, directGrantProj2b.PublicId)
-	iam.TestUserRole(t, conn, directGrantProj2bRole2.PublicId, user2.PublicId)
 	directGrantProj2bRoleGrant2 := "ids=cs_abcd1234;actions=read,update"
-	iam.TestRoleGrant(t, conn, directGrantProj2bRole2.PublicId, directGrantProj2bRoleGrant2)
+	setup(t, conn, directGrantProj2bRole2.PublicId, user2.PublicId, testUserRoleFunc, directGrantProj2bRoleGrant2)
 
 	// For the second set we create a couple of orgs/projects and then use globals.GrantScopeChildren
+	//
+	// child org 1
 	childGrantOrg1, _ := iam.SetupChildGrantScopes(t, conn, repo)
 
 	// user
 	childGrantOrg1Role := iam.TestRole(t, conn, childGrantOrg1.PublicId,
 		iam.WithGrantScopeIds([]string{
 			globals.GrantScopeChildren,
 		}))
-	iam.TestUserRole(t, conn, childGrantOrg1Role.PublicId, user.PublicId)
 	childGrantOrg1RoleGrant := "ids=*;type=group;actions=add-members,remove-members"
-	iam.TestRoleGrant(t, conn, childGrantOrg1Role.PublicId, childGrantOrg1RoleGrant)
+	setup(t, conn, childGrantOrg1Role.PublicId, user.PublicId, testUserRoleFunc, childGrantOrg1RoleGrant)
+
 	// user2
 	childGrantOrg1Role2 := iam.TestRole(t, conn, childGrantOrg1.PublicId,
 		iam.WithGrantScopeIds([]string{
 			globals.GrantScopeChildren,
 		}))
-	iam.TestUserRole(t, conn, childGrantOrg1Role2.PublicId, user2.PublicId)
 	childGrantOrg1RoleGrant2 := "ids=*;type=group;actions=read"
-	iam.TestRoleGrant(t, conn, childGrantOrg1Role2.PublicId, childGrantOrg1RoleGrant2)
+	setup(t, conn, childGrantOrg1Role2.PublicId, user2.PublicId, testUserRoleFunc, childGrantOrg1RoleGrant2)
 
+	// child org 2
 	childGrantOrg2, _ := iam.SetupChildGrantScopes(t, conn, repo)
+
 	// user
 	childGrantOrg2Role := iam.TestRole(t, conn, childGrantOrg2.PublicId,
 		iam.WithGrantScopeIds([]string{
 			globals.GrantScopeChildren,
 		}))
-	iam.TestUserRole(t, conn, childGrantOrg2Role.PublicId, user.PublicId)
 	childGrantOrg2RoleGrant1 := "ids=*;type=group;actions=set-members"
-	iam.TestRoleGrant(t, conn, childGrantOrg2Role.PublicId, childGrantOrg2RoleGrant1)
 	childGrantOrg2RoleGrant2 := "ids=*;type=group;actions=delete"
-	iam.TestRoleGrant(t, conn, childGrantOrg2Role.PublicId, childGrantOrg2RoleGrant2)
+	setup(t, conn, childGrantOrg2Role.PublicId, user.PublicId, testUserRoleFunc,
+		childGrantOrg2RoleGrant1, childGrantOrg2RoleGrant2,
+	)
+
 	// user2
 	childGrantOrg2Role2 := iam.TestRole(t, conn, childGrantOrg2.PublicId,
 		iam.WithGrantScopeIds([]string{
 			globals.GrantScopeChildren,
 		}))
-	iam.TestUserRole(t, conn, childGrantOrg2Role2.PublicId, user2.PublicId)
 	childGrantOrg2RoleGrant3 := "ids=*;type=group;actions=set-members"
-	iam.TestRoleGrant(t, conn, childGrantOrg2Role2.PublicId, childGrantOrg2RoleGrant3)
+	setup(t, conn, childGrantOrg2Role2.PublicId, user2.PublicId, testUserRoleFunc, childGrantOrg2RoleGrant3)
 
 	// Finally, let's create some roles at global scope with children and descendants grants
 
@@ -532,33 +539,32 @@ func TestGrantsForUser_DirectAssociation(t *testing.T) {
 		iam.WithGrantScopeIds([]string{
 			globals.GrantScopeChildren,
 		}))
-	iam.TestUserRole(t, conn, childGrantGlobalRole.PublicId, user.PublicId)
 	childGrantGlobalRoleGrant := "ids=*;type=group;actions=*"
-	iam.TestRoleGrant(t, conn, childGrantGlobalRole.PublicId, childGrantGlobalRoleGrant)
+	setup(t, conn, childGrantGlobalRole.PublicId, user.PublicId, testUserRoleFunc, childGrantGlobalRoleGrant)
+
 	// user2
 	childGrantGlobalRole2 := iam.TestRole(t, conn, scope.Global.String(),
 		iam.WithGrantScopeIds([]string{
 			globals.GrantScopeChildren,
 		}))
-	iam.TestUserRole(t, conn, childGrantGlobalRole2.PublicId, user2.PublicId)
 	childGrantGlobalRoleGrant2 := "ids=*;type=group;actions=list"
-	iam.TestRoleGrant(t, conn, childGrantGlobalRole2.PublicId, childGrantGlobalRoleGrant2)
+	setup(t, conn, childGrantGlobalRole2.PublicId, user2.PublicId, testUserRoleFunc, childGrantGlobalRoleGrant2)
+
 	// user
 	descendantGrantGlobalRole := iam.TestRole(t, conn, scope.Global.String(),
 		iam.WithGrantScopeIds([]string{
 			globals.GrantScopeDescendants,
 		}))
-	iam.TestUserRole(t, conn, descendantGrantGlobalRole.PublicId, user.PublicId)
 	descendantGrantGlobalRoleGrant := "ids=*;type=group;actions=*"
-	iam.TestRoleGrant(t, conn, descendantGrantGlobalRole.PublicId, descendantGrantGlobalRoleGrant)
+	setup(t, conn, descendantGrantGlobalRole.PublicId, user.PublicId, testUserRoleFunc, descendantGrantGlobalRoleGrant)
+
 	// user2
 	descendantGrantGlobalRole2 := iam.TestRole(t, conn, scope.Global.String(),
 		iam.WithGrantScopeIds([]string{
 			globals.GrantScopeDescendants,
 		}))
-	iam.TestUserRole(t, conn, descendantGrantGlobalRole2.PublicId, user2.PublicId)
 	descendantGrantGlobalRoleGrant2 := "ids=*;type=group;actions=add-members"
-	iam.TestRoleGrant(t, conn, descendantGrantGlobalRole2.PublicId, descendantGrantGlobalRoleGrant2)
+	setup(t, conn, descendantGrantGlobalRole2.PublicId, user2.PublicId, testUserRoleFunc, descendantGrantGlobalRoleGrant2)
 
 	t.Run("db-grants", func(t *testing.T) {
 		// Here we should see exactly what the DB has returned, before we do some
@@ -2393,3 +2399,11 @@ func TestGrantsForUser_ManagedGroup(t *testing.T) {
 		})
 	})
 }
+
+func setup(t *testing.T, conn *db.DB, roleId, userId string, roleAssociationFunc func(roleId string, userId string), grants ...string) {
+	t.Helper()
+	for _, grant := range grants {
+		iam.TestRoleGrant(t, conn, roleId, grant)
+	}
+	roleAssociationFunc(roleId, userId)
+}