From 56ca6f041951c31ddc777cb8278d7de326251294 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 8 Jan 2025 15:47:00 -0800 Subject: [PATCH] pull shared test utility code from PR #5418 --- internal/authtoken/testing.go | 36 ++ internal/daemon/controller/auth/testing.go | 36 ++ .../controller/handlers/groups/grants_test.go | 436 ++++++++---------- 3 files changed, 266 insertions(+), 242 deletions(-) diff --git a/internal/authtoken/testing.go b/internal/authtoken/testing.go index 2d89bc24e9..1748d8bd53 100644 --- a/internal/authtoken/testing.go +++ b/internal/authtoken/testing.go @@ -11,6 +11,7 @@ import ( "github.com/hashicorp/boundary/internal/db" "github.com/hashicorp/boundary/internal/iam" "github.com/hashicorp/boundary/internal/kms" + "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/require" ) @@ -46,3 +47,38 @@ func TestAuthToken(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, opt require.NoError(t, err) return at } + +// TestRoleGrantsForToken contains information used by TestAuthTokenWithRoles to create +// roles and their associated grants (with grant scopes) +type TestRoleGrantsForToken struct { + RoleScopeID string + GrantStrings []string + GrantScopes []string +} + +// TestAuthTokenWithRoles creates auth token associated with roles as requested by the caller along +// with any required resources to achieve said token +func TestAuthTokenWithRoles(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, roles []TestRoleGrantsForToken) *AuthToken { + t.Helper() + ctx := context.Background() + rw := db.New(conn) + atRepo, err := NewRepository(ctx, rw, rw, kms) + require.NoError(t, err) + + iamRepo, err := iam.NewRepository(ctx, rw, rw, kms) + require.NoError(t, err) + + authMethod := password.TestAuthMethods(t, conn, scopeId, 1)[0] + + loginName, err := uuid.GenerateUUID() + require.NoError(t, err) + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) + user := iam.TestUser(t, iamRepo, scopeId, iam.WithAccountIds(acct.GetPublicId())) + for _, r := range roles { + role := iam.TestRoleWithGrants(t, conn, r.RoleScopeID, r.GrantScopes, r.GrantStrings) + _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) + } + fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) + require.NoError(t, err) + return fullGrantToken +} diff --git a/internal/daemon/controller/auth/testing.go b/internal/daemon/controller/auth/testing.go index 0a9c52a75f..28a36e4bff 100644 --- a/internal/daemon/controller/auth/testing.go +++ b/internal/daemon/controller/auth/testing.go @@ -5,11 +5,20 @@ package auth import ( "context" + "testing" + + "github.com/hashicorp/boundary/internal/db" + "github.com/hashicorp/boundary/internal/iam" + "github.com/hashicorp/boundary/internal/kms" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" + "github.com/stretchr/testify/require" "github.com/hashicorp/boundary/globals" + "github.com/hashicorp/boundary/internal/authtoken" "github.com/hashicorp/boundary/internal/daemon/controller/common" authpb "github.com/hashicorp/boundary/internal/gen/controller/auth" "github.com/hashicorp/boundary/internal/requests" + "github.com/hashicorp/boundary/internal/server" ) // DisabledAuthTestContext is meant for testing, and uses a context that has @@ -30,3 +39,30 @@ func DisabledAuthTestContext(iamRepoFn common.IamRepoFactory, scopeId string, op requestContext := context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) return NewVerifierContext(requestContext, iamRepoFn, nil, nil, opts.withKms, &reqInfo) } + +// TestAuthContextFromToken creates an auth context with provided token +// This is used in conjunction with TestAuthTokenWithRoles which creates a test token +func TestAuthContextFromToken(t *testing.T, conn *db.DB, wrap wrapping.Wrapper, token *authtoken.AuthToken, iamRepo *iam.Repository) context.Context { + t.Helper() + ctx := context.Background() + rw := db.New(conn) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + serversRepoFn := func() (*server.Repository, error) { + return server.NewRepository(ctx, rw, rw, kmsCache) + } + iamRepoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + atRepoFn := func() (*authtoken.Repository, error) { + return atRepo, nil + } + fullGrantAuthCtx := NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(token.GetIamUserId())), + iamRepoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ + PublicId: token.PublicId, + Token: token.GetToken(), + TokenFormat: uint32(AuthTokenTypeBearer), + }) + return fullGrantAuthCtx +} diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 66056bafd4..a7e9518c09 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -10,79 +10,21 @@ import ( "testing" "github.com/hashicorp/boundary/globals" - "github.com/hashicorp/boundary/internal/auth/password" "github.com/hashicorp/boundary/internal/authtoken" "github.com/hashicorp/boundary/internal/daemon/controller/auth" "github.com/hashicorp/boundary/internal/daemon/controller/handlers" "github.com/hashicorp/boundary/internal/daemon/controller/handlers/groups" "github.com/hashicorp/boundary/internal/db" pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services" - authpb "github.com/hashicorp/boundary/internal/gen/controller/auth" "github.com/hashicorp/boundary/internal/iam" "github.com/hashicorp/boundary/internal/kms" - "github.com/hashicorp/boundary/internal/requests" - "github.com/hashicorp/boundary/internal/server" pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/groups" - wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/require" "google.golang.org/protobuf/types/known/fieldmaskpb" "google.golang.org/protobuf/types/known/wrapperspb" ) -type roleRequest struct { - roleScopeID string - grantStrings []string - grantScopes []string -} - -// testGenAuthTokenCtx creates an auth.VerifierContext which contains a valid auth token -// for a user which is associated with roles in the roles parameter -// this function creates an authMethod, account, user at global scope -func testGenAuthTokenCtx(t *testing.T, - ctx context.Context, - conn *db.DB, - wrap wrapping.Wrapper, - iamRepo *iam.Repository, - roles []roleRequest, -) context.Context { - t.Helper() - rw := db.New(conn) - kmsCache := kms.TestKms(t, conn, wrap) - - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - iamRepoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } - atRepoFn := func() (*authtoken.Repository, error) { - return atRepo, nil - } - - serversRepoFn := func() (*server.Repository, error) { - return server.NewRepository(ctx, rw, rw, kmsCache) - } - authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0] - - loginName, err := uuid.GenerateUUID() - require.NoError(t, err) - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) - user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) - for _, r := range roles { - role := iam.TestRoleWithGrants(t, conn, r.roleScopeID, r.grantScopes, r.grantStrings) - _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) - } - fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), - iamRepoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ - PublicId: fullGrantToken.PublicId, - Token: fullGrantToken.GetToken(), - TokenFormat: uint32(auth.AuthTokenTypeBearer), - }) - return fullGrantAuthCtx -} - // TestGrants_ReadActions tests read actions to assert that grants are being applied properly // // Role - which scope the role is created in @@ -105,6 +47,8 @@ func TestGrants_ReadActions(t *testing.T) { conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + repoFn := func() (*iam.Repository, error) { return iamRepo, nil } @@ -123,11 +67,11 @@ func TestGrants_ReadActions(t *testing.T) { t.Run("List", func(t *testing.T) { testcases := []struct { - name string - input *pbs.ListGroupsRequest - rolesToCreate []roleRequest - wantErr error - wantIDs []string + name string + input *pbs.ListGroupsRequest + roleGrantsForToken []authtoken.TestRoleGrantsForToken + wantErr error + wantIDs []string }{ { name: "global role grant this only returns in global groups", @@ -137,11 +81,11 @@ func TestGrants_ReadActions(t *testing.T) { Recursive: true, }, wantIDs: []string{globalGroup.PublicId}, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, }, }, @@ -151,11 +95,11 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"ids=*;type=group;actions=list,read"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"ids=*;type=group;actions=list,read"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, wantErr: nil, @@ -167,11 +111,11 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, wantErr: nil, @@ -183,11 +127,11 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: org2.PublicId, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"ids=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeDescendants}, }, }, wantErr: nil, @@ -199,11 +143,11 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: org2.PublicId, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: org2.PublicId, - grantStrings: []string{"ids=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org2.PublicId, + GrantStrings: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, }, wantErr: nil, @@ -215,13 +159,13 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{ + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, wantErr: handlers.ForbiddenError(), @@ -233,16 +177,16 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"ids=*;type=group;actions=read,list"}, - grantScopes: []string{proj1.PublicId, proj2.PublicId, proj3.PublicId}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"ids=*;type=group;actions=read,list"}, + GrantScopes: []string{proj1.PublicId, proj2.PublicId, proj3.PublicId}, }, { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"ids=*;type=group;actions=read,list"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"ids=*;type=group;actions=read,list"}, + GrantScopes: []string{globals.GrantScopeThis}, }, }, wantErr: nil, @@ -254,11 +198,11 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"ids=*;type=target;actions=read,list"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"ids=*;type=target;actions=read,list"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, wantErr: handlers.ForbiddenError(), @@ -268,7 +212,8 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate) + tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.roleGrantsForToken) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) @@ -287,16 +232,16 @@ func TestGrants_ReadActions(t *testing.T) { t.Run("Get", func(t *testing.T) { testcases := []struct { name string - rolesToCreate []roleRequest + rolesToCreate []authtoken.TestRoleGrantsForToken inputWantErrMap map[*pbs.GetGroupRequest]error }{ { name: "global role grant this scope with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -309,11 +254,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant children scopes with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -326,11 +271,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant descendant scopes with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeDescendants}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -343,11 +288,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and children scopes with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -360,11 +305,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and descendant scopes with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -377,11 +322,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant this scope with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: org1.GetPublicId(), - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org1.GetPublicId(), + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -394,11 +339,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant children scope with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: org1.GetPublicId(), - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: org1.GetPublicId(), + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -411,11 +356,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant this and children scopes with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: org1.GetPublicId(), - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + RoleScopeID: org1.GetPublicId(), + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -428,11 +373,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "proj1 role grant this scope with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: proj1.GetPublicId(), - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: proj1.GetPublicId(), + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -445,11 +390,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and descendant scope with read permissions on specific group", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{fmt.Sprintf("ids=%s;types=group ;actions=read", org1Group.PublicId)}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{fmt.Sprintf("ids=%s;types=group ;actions=read", org1Group.PublicId)}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -462,14 +407,14 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and specific scopes with read permissions on specific group", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{ + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, - grantScopes: []string{org1.PublicId, proj1.PublicId}, + GrantScopes: []string{org1.PublicId, proj1.PublicId}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -482,21 +427,21 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "union multiple role grant specific resources permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{ + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", globalGroup.PublicId), }, - grantScopes: []string{globals.GrantScopeThis}, + GrantScopes: []string{globals.GrantScopeThis}, }, { - roleScopeID: org1.GetPublicId(), - grantStrings: []string{ + RoleScopeID: org1.GetPublicId(), + GrantStrings: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -511,7 +456,8 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate) + tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for input, wantErr := range tc.inputWantErrMap { _, err := s.GetGroup(fullGrantAuthCtx, input) // not found means expect error @@ -549,6 +495,7 @@ func TestWrites(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) + kmsCache := kms.TestKms(t, conn, wrap) iamRepo := iam.TestRepo(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil @@ -563,27 +510,27 @@ func TestWrites(t *testing.T) { allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} testcases := []struct { name string - roles []roleRequest + roles []authtoken.TestRoleGrantsForToken canCreateInScopes []string }{ { name: "grant all can create all", - roles: []roleRequest{ + roles: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, canCreateInScopes: allScopeIDs, }, { name: "grant children can only create in orgs", - roles: []roleRequest{ + roles: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, }, canCreateInScopes: []string{org1.PublicId, org2.PublicId}, @@ -592,7 +539,8 @@ func TestWrites(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) + tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.roles) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for _, scope := range allScopeIDs { name, err := uuid.GenerateUUID() @@ -621,6 +569,7 @@ func TestWrites(t *testing.T) { conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } @@ -634,27 +583,27 @@ func TestWrites(t *testing.T) { allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} testcases := []struct { name string - roles []roleRequest + roles []authtoken.TestRoleGrantsForToken deleteAllowedAtScopeIDs []string }{ { name: "grant all can delete all", - roles: []roleRequest{ + roles: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, deleteAllowedAtScopeIDs: allScopeIDs, }, { name: "grant children can only delete in orgs", - roles: []roleRequest{ + roles: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, }, deleteAllowedAtScopeIDs: []string{org1.PublicId, org2.PublicId}, @@ -669,7 +618,8 @@ func TestWrites(t *testing.T) { g := iam.TestGroup(t, conn, scp) scopeIdGroupMap[scp] = g } - fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) + tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.roles) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for scope, group := range scopeIdGroupMap { _, err = s.DeleteGroup(fullGrantAuthCtx, &pbs.DeleteGroupRequest{Id: group.PublicId}) if !slices.Contains(tc.deleteAllowedAtScopeIDs, scope) { @@ -685,18 +635,18 @@ func TestWrites(t *testing.T) { t.Run("update", func(t *testing.T) { testcases := []struct { name string - setupScopesResourcesRoles func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) + setupScopesResourcesRoles func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) wantErr error }{ { name: "global_scope_group_good_grant_success", - setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) { + setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) - roles := []roleRequest{ + roles := []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, } return g, roles @@ -705,14 +655,14 @@ func TestWrites(t *testing.T) { }, { name: "grant specific scope success", - setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) { + setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) { _, proj := iam.TestScopes(t, iamRepo) g := iam.TestGroup(t, conn, proj.PublicId) - roles := []roleRequest{ + roles := []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"ids=*;type=*;actions=*"}, - grantScopes: []string{proj.PublicId}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{proj.PublicId}, }, } return g, roles @@ -721,14 +671,14 @@ func TestWrites(t *testing.T) { }, { name: "grant specific resource and scope success", - setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) { + setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) { _, proj := iam.TestScopes(t, iamRepo) g := iam.TestGroup(t, conn, proj.PublicId) - roles := []roleRequest{ + roles := []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{fmt.Sprintf("ids=%s;types=group;actions=*", g.PublicId)}, - grantScopes: []string{proj.PublicId}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{fmt.Sprintf("ids=%s;types=group;actions=*", g.PublicId)}, + GrantScopes: []string{proj.PublicId}, }, } return g, roles @@ -737,13 +687,13 @@ func TestWrites(t *testing.T) { }, { name: "no grant fails update", - setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) { + setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) - roles := []roleRequest{ + roles := []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, } return g, roles @@ -757,15 +707,15 @@ func TestWrites(t *testing.T) { conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) - original, roles := tc.setupScopesResourcesRoles(t, conn, iamRepo) - fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, roles) - + tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, roles) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, err := s.UpdateGroup(fullGrantAuthCtx, &pbs.UpdateGroupRequest{ Id: original.PublicId, Item: &pb.Group{ @@ -796,6 +746,7 @@ func TestGroupMember(t *testing.T) { conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } @@ -821,20 +772,20 @@ func TestGroupMember(t *testing.T) { testcases := []struct { name string - setupGroupAndRole func(t *testing.T) (*iam.Group, []roleRequest) + setupGroupAndRole func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) // collection of actions to be executed in the tests in order, *iam.Group returned from each action which // gets passed to the next action as parameter to preserve information such as `version` increments actions []testActionResult }{ { name: "all actions valid grant success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, globals.GlobalPrefix) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, } }, @@ -876,18 +827,18 @@ func TestGroupMember(t *testing.T) { }, { name: "only add and set allowed fail to remove", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, org1.PublicId) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: org1.PublicId, - grantStrings: []string{"id=*;type=*;actions=add-members"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org1.PublicId, + GrantStrings: []string{"id=*;type=*;actions=add-members"}, + GrantScopes: []string{globals.GrantScopeThis}, }, { - roleScopeID: org1.PublicId, - grantStrings: []string{"id=*;type=*;actions=set-members"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org1.PublicId, + GrantStrings: []string{"id=*;type=*;actions=set-members"}, + GrantScopes: []string{globals.GrantScopeThis}, }, } }, @@ -929,13 +880,13 @@ func TestGroupMember(t *testing.T) { }, { name: "add_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, org2.PublicId) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: org2.PublicId, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org2.PublicId, + GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + GrantScopes: []string{globals.GrantScopeThis}, }, } }, @@ -955,15 +906,15 @@ func TestGroupMember(t *testing.T) { }, { name: "remove_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, proj2.PublicId) iam.TestGroupMember(t, conn, group.PublicId, org2Users[0].PublicId) iam.TestGroupMember(t, conn, group.PublicId, org2Users[1].PublicId) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, - grantScopes: []string{proj2.PublicId}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, + GrantScopes: []string{proj2.PublicId}, }, } }, @@ -983,13 +934,13 @@ func TestGroupMember(t *testing.T) { }, { name: "cross_scope_add_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, proj3.PublicId) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, - grantScopes: []string{globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + GrantScopes: []string{globals.GrantScopeDescendants}, }, } }, @@ -1011,13 +962,13 @@ func TestGroupMember(t *testing.T) { }, { name: "add_member_with_valid_grant_string_invalid_scope_forbidden_error", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, org2.PublicId) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, } }, @@ -1037,23 +988,23 @@ func TestGroupMember(t *testing.T) { }, { name: "multiple_grants_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, proj2.PublicId) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: proj2.PublicId, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, - grantScopes: []string{proj2.PublicId}, + RoleScopeID: proj2.PublicId, + GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + GrantScopes: []string{proj2.PublicId}, }, { - roleScopeID: proj2.PublicId, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=set-members", group.PublicId)}, - grantScopes: []string{proj2.PublicId}, + RoleScopeID: proj2.PublicId, + GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=set-members", group.PublicId)}, + GrantScopes: []string{proj2.PublicId}, }, { - roleScopeID: proj2.PublicId, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, - grantScopes: []string{proj2.PublicId}, + RoleScopeID: proj2.PublicId, + GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, + GrantScopes: []string{proj2.PublicId}, }, } }, @@ -1098,7 +1049,8 @@ func TestGroupMember(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { group, roleReqs := tc.setupGroupAndRole(t) - fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, roleReqs) + tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, roleReqs) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for _, act := range tc.actions { out, err := act.action(fullGrantAuthCtx, group) if act.wantErr != nil {