From 592ce1de5fbac0ec0099fad96513ef86c35862f6 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 17 Dec 2024 11:39:29 -0800 Subject: [PATCH 01/62] first test with all the required setup --- .../controller/handlers/groups/grant_test.go | 110 ++++++++++++++++++ 1 file changed, 110 insertions(+) create mode 100644 internal/daemon/controller/handlers/groups/grant_test.go diff --git a/internal/daemon/controller/handlers/groups/grant_test.go b/internal/daemon/controller/handlers/groups/grant_test.go new file mode 100644 index 0000000000..613895dd86 --- /dev/null +++ b/internal/daemon/controller/handlers/groups/grant_test.go @@ -0,0 +1,110 @@ +package groups_test + +import ( + "context" + "fmt" + "testing" + + "github.com/hashicorp/boundary/internal/auth/password" + "github.com/hashicorp/boundary/internal/authtoken" + "github.com/hashicorp/boundary/internal/daemon/controller/auth" + "github.com/hashicorp/boundary/internal/daemon/controller/handlers/groups" + "github.com/hashicorp/boundary/internal/db" + pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services" + authpb "github.com/hashicorp/boundary/internal/gen/controller/auth" + "github.com/hashicorp/boundary/internal/iam" + "github.com/hashicorp/boundary/internal/kms" + "github.com/hashicorp/boundary/internal/requests" + "github.com/hashicorp/boundary/internal/server" + "github.com/stretchr/testify/require" +) + +func TestGrants_Get(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + wrap := db.TestWrapper(t) + kmsCache := kms.TestKms(t, conn, wrap) + rw := db.New(conn) + + iamRepo := iam.TestRepo(t, conn, wrap) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + atRepoFn := func() (*authtoken.Repository, error) { + return atRepo, nil + } + serversRepoFn := func() (*server.Repository, error) { + return server.NewRepository(ctx, rw, rw, kmsCache) + } + + org, proj := iam.TestScopes(t, iamRepo) + authMethod := password.TestAuthMethods(t, conn, org.GetPublicId(), 1)[0] + // auth account is only used to join auth method to user. + // We don't do anything else with the auth account in the test setup. + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), "myname") + + usr := iam.TestUser(t, iamRepo, org.GetPublicId(), iam.WithAccountIds(acct.GetPublicId())) + role := iam.TestRole(t, conn, org.GetPublicId()) + _ = iam.TestRoleGrant(t, conn, role.PublicId, "id=*;type=*;actions=*;output_fields=*") + _ = iam.TestUserRole(t, conn, role.PublicId, usr.PublicId) + _ = iam.TestRoleGrantScope(t, conn, role.PublicId, proj.PublicId) + + orgGroup := iam.TestGroup(t, conn, org.GetPublicId(), iam.WithDescription("default"), iam.WithName("default")) + _ = iam.TestGroupMember(t, conn, orgGroup.GetPublicId(), usr.GetPublicId()) + + projGroup := iam.TestGroup(t, conn, proj.GetPublicId(), iam.WithDescription("default"), iam.WithName("default")) + _ = iam.TestGroupMember(t, conn, projGroup.GetPublicId(), usr.GetPublicId()) + + token, err := atRepo.CreateAuthToken(ctx, usr, acct.GetPublicId()) + require.NoError(t, err) + + reqCtx := requests.NewRequestContext(ctx, requests.WithUserId(usr.GetPublicId())) + authCtx := auth.NewVerifierContext(reqCtx, repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ + Path: fmt.Sprintf("/v1/groups/%s", orgGroup.PublicId), + Method: "GET", + PublicId: token.PublicId, + Token: token.GetToken(), + TokenFormat: uint32(auth.AuthTokenTypeBearer), + }) + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + + got, gErr := s.GetGroup(authCtx, &pbs.GetGroupRequest{ + Id: projGroup.PublicId, + }) + require.NoError(t, gErr) + fmt.Println(got) + + //if tc.err != nil { + // require.Error(gErr) + // assert.True(errors.Is(gErr, tc.err), "GetGroup(%+v) got error %v, wanted %v", req, gErr, tc.err) + //} + // + //for _, tc := range cases { + // t.Run(tc.name, func(t *testing.T) { + // assert, require := assert.New(t), require.New(t) + // req := proto.Clone(toMerge).(*pbs.GetGroupRequest) + // proto.Merge(req, tc.req) + // + // s, err := groups.NewService(ctx, repoFn, 1000) + // require.NoError(err, "Couldn't create new group service.") + // + // got, gErr := s.GetGroup(auth.DisabledAuthTestContext(repoFn, tc.scopeId), req) + // if tc.err != nil { + // require.Error(gErr) + // assert.True(errors.Is(gErr, tc.err), "GetGroup(%+v) got error %v, wanted %v", req, gErr, tc.err) + // } + // assert.Empty(cmp.Diff( + // got, + // tc.res, + // protocmp.Transform(), + // cmpopts.SortSlices(func(a, b string) bool { + // return a < b + // }), + // ), "GetGroup(%q) got response\n%q, wanted\n%q", req, got, tc.res) + // }) + //} +} From 9320e4a1c8c6153de188b152a96ad2d1178f152d Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 18 Dec 2024 10:57:36 -0800 Subject: [PATCH 02/62] v1 of test --- .../controller/handlers/groups/grant_test.go | 225 +++++++++++++----- 1 file changed, 160 insertions(+), 65 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grant_test.go b/internal/daemon/controller/handlers/groups/grant_test.go index 613895dd86..141559133e 100644 --- a/internal/daemon/controller/handlers/groups/grant_test.go +++ b/internal/daemon/controller/handlers/groups/grant_test.go @@ -2,9 +2,10 @@ package groups_test import ( "context" - "fmt" "testing" + "github.com/google/uuid" + "github.com/hashicorp/boundary/globals" "github.com/hashicorp/boundary/internal/auth/password" "github.com/hashicorp/boundary/internal/authtoken" "github.com/hashicorp/boundary/internal/daemon/controller/auth" @@ -19,17 +20,34 @@ import ( "github.com/stretchr/testify/require" ) +// Test Dimension +// Role - which scope the role is created in +// - global level +// - org level +// - project level +// Grant - what IAM grant scope is set for the permission +// - global: descendant +// - org: children +// - project +// Resource - where resources are created (group) +// - global +// - org1 +// - project1 +// - org2 +// - project2 + func TestGrants_Get(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) kmsCache := kms.TestKms(t, conn, wrap) rw := db.New(conn) - iamRepo := iam.TestRepo(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) require.NoError(t, err) @@ -41,70 +59,147 @@ func TestGrants_Get(t *testing.T) { } org, proj := iam.TestScopes(t, iamRepo) - authMethod := password.TestAuthMethods(t, conn, org.GetPublicId(), 1)[0] - // auth account is only used to join auth method to user. - // We don't do anything else with the auth account in the test setup. - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), "myname") - - usr := iam.TestUser(t, iamRepo, org.GetPublicId(), iam.WithAccountIds(acct.GetPublicId())) - role := iam.TestRole(t, conn, org.GetPublicId()) - _ = iam.TestRoleGrant(t, conn, role.PublicId, "id=*;type=*;actions=*;output_fields=*") - _ = iam.TestUserRole(t, conn, role.PublicId, usr.PublicId) - _ = iam.TestRoleGrantScope(t, conn, role.PublicId, proj.PublicId) - - orgGroup := iam.TestGroup(t, conn, org.GetPublicId(), iam.WithDescription("default"), iam.WithName("default")) - _ = iam.TestGroupMember(t, conn, orgGroup.GetPublicId(), usr.GetPublicId()) - - projGroup := iam.TestGroup(t, conn, proj.GetPublicId(), iam.WithDescription("default"), iam.WithName("default")) - _ = iam.TestGroupMember(t, conn, projGroup.GetPublicId(), usr.GetPublicId()) + globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) + orgGroup := iam.TestGroup(t, conn, org.GetPublicId(), iam.WithDescription("org"), iam.WithName("org")) + projGroup := iam.TestGroup(t, conn, proj.GetPublicId(), iam.WithDescription("project"), iam.WithName("project")) - token, err := atRepo.CreateAuthToken(ctx, usr, acct.GetPublicId()) - require.NoError(t, err) - - reqCtx := requests.NewRequestContext(ctx, requests.WithUserId(usr.GetPublicId())) - authCtx := auth.NewVerifierContext(reqCtx, repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ - Path: fmt.Sprintf("/v1/groups/%s", orgGroup.PublicId), - Method: "GET", - PublicId: token.PublicId, - Token: token.GetToken(), - TokenFormat: uint32(auth.AuthTokenTypeBearer), - }) - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) + authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0] + testcases := []struct { + name string + grantString string + roleScope string + roleGrantScopes []string + getIdFound map[string]bool + }{ + { + name: "global_role_grant_this", + grantString: "id=*;type=*;actions=*", + roleScope: globals.GlobalPrefix, + roleGrantScopes: []string{globals.GrantScopeThis}, + getIdFound: map[string]bool{ + globalGroup.PublicId: true, + orgGroup.PublicId: false, + projGroup.PublicId: false, + }, + }, + { + name: "global_role_grant_children", + grantString: "id=*;type=*;actions=*", + roleScope: globals.GlobalPrefix, + roleGrantScopes: []string{globals.GrantScopeChildren}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: false, + }, + }, + { + name: "global_role_grant_descendant", + grantString: "id=*;type=*;actions=*", + roleScope: globals.GlobalPrefix, + roleGrantScopes: []string{globals.GrantScopeDescendants}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: true, + }, + }, + { + name: "global_role_grant_this_children", + grantString: "id=*;type=*;actions=*", + roleScope: globals.GlobalPrefix, + roleGrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + getIdFound: map[string]bool{ + globalGroup.PublicId: true, + orgGroup.PublicId: true, + projGroup.PublicId: false, + }, + }, + { + name: "global_role_grant_this_descendant", + grantString: "id=*;type=*;actions=*", + roleScope: globals.GlobalPrefix, + roleGrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + getIdFound: map[string]bool{ + globalGroup.PublicId: true, + orgGroup.PublicId: true, + projGroup.PublicId: true, + }, + }, + { + name: "org_role_grant_this", + grantString: "id=*;type=*;actions=*", + roleScope: org.GetPublicId(), + roleGrantScopes: []string{globals.GrantScopeThis}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: false, + }, + }, + { + name: "org_role_grant_children", + grantString: "id=*;type=*;actions=*", + roleScope: org.GetPublicId(), + roleGrantScopes: []string{globals.GrantScopeChildren}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: false, + projGroup.PublicId: true, + }, + }, + { + name: "org_role_grant_this_and_children", + grantString: "id=*;type=*;actions=*", + roleScope: org.GetPublicId(), + roleGrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: true, + }, + }, + { + name: "project_role_grant_this", + grantString: "id=*;type=*;actions=*", + roleScope: proj.GetPublicId(), + roleGrantScopes: []string{globals.GrantScopeThis}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: false, + projGroup.PublicId: true, + }, + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + // this creates everything required to get a token and creates context with auth token + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString()) + user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) + role := iam.TestRole(t, conn, tc.roleScope, iam.WithGrantScopeIds(tc.roleGrantScopes)) + _ = iam.TestRoleGrant(t, conn, role.PublicId, tc.grantString) + _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) + fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), + repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ + PublicId: fullGrantToken.PublicId, + Token: fullGrantToken.GetToken(), + TokenFormat: uint32(auth.AuthTokenTypeBearer), + }) + for id, found := range tc.getIdFound { + _, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{ + Id: id, + }) + // not found means expect error + if !found { + require.Error(t, err) + return + } + require.NoError(t, err) - got, gErr := s.GetGroup(authCtx, &pbs.GetGroupRequest{ - Id: projGroup.PublicId, - }) - require.NoError(t, gErr) - fmt.Println(got) + } + }) + } - //if tc.err != nil { - // require.Error(gErr) - // assert.True(errors.Is(gErr, tc.err), "GetGroup(%+v) got error %v, wanted %v", req, gErr, tc.err) - //} - // - //for _, tc := range cases { - // t.Run(tc.name, func(t *testing.T) { - // assert, require := assert.New(t), require.New(t) - // req := proto.Clone(toMerge).(*pbs.GetGroupRequest) - // proto.Merge(req, tc.req) - // - // s, err := groups.NewService(ctx, repoFn, 1000) - // require.NoError(err, "Couldn't create new group service.") - // - // got, gErr := s.GetGroup(auth.DisabledAuthTestContext(repoFn, tc.scopeId), req) - // if tc.err != nil { - // require.Error(gErr) - // assert.True(errors.Is(gErr, tc.err), "GetGroup(%+v) got error %v, wanted %v", req, gErr, tc.err) - // } - // assert.Empty(cmp.Diff( - // got, - // tc.res, - // protocmp.Transform(), - // cmpopts.SortSlices(func(a, b string) bool { - // return a < b - // }), - // ), "GetGroup(%q) got response\n%q, wanted\n%q", req, got, tc.res) - // }) - //} } From 41d9d7c06e79ed2e8bf3c6fcfd6386109c16d97f Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Thu, 19 Dec 2024 10:12:06 -0800 Subject: [PATCH 03/62] add primitive func and more test --- .../controller/handlers/groups/grant_test.go | 205 -------- .../controller/handlers/groups/grants_test.go | 485 ++++++++++++++---- internal/iam/testing.go | 2 +- 3 files changed, 397 insertions(+), 295 deletions(-) delete mode 100644 internal/daemon/controller/handlers/groups/grant_test.go diff --git a/internal/daemon/controller/handlers/groups/grant_test.go b/internal/daemon/controller/handlers/groups/grant_test.go deleted file mode 100644 index 141559133e..0000000000 --- a/internal/daemon/controller/handlers/groups/grant_test.go +++ /dev/null @@ -1,205 +0,0 @@ -package groups_test - -import ( - "context" - "testing" - - "github.com/google/uuid" - "github.com/hashicorp/boundary/globals" - "github.com/hashicorp/boundary/internal/auth/password" - "github.com/hashicorp/boundary/internal/authtoken" - "github.com/hashicorp/boundary/internal/daemon/controller/auth" - "github.com/hashicorp/boundary/internal/daemon/controller/handlers/groups" - "github.com/hashicorp/boundary/internal/db" - pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services" - authpb "github.com/hashicorp/boundary/internal/gen/controller/auth" - "github.com/hashicorp/boundary/internal/iam" - "github.com/hashicorp/boundary/internal/kms" - "github.com/hashicorp/boundary/internal/requests" - "github.com/hashicorp/boundary/internal/server" - "github.com/stretchr/testify/require" -) - -// Test Dimension -// Role - which scope the role is created in -// - global level -// - org level -// - project level -// Grant - what IAM grant scope is set for the permission -// - global: descendant -// - org: children -// - project -// Resource - where resources are created (group) -// - global -// - org1 -// - project1 -// - org2 -// - project2 - -func TestGrants_Get(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - wrap := db.TestWrapper(t) - kmsCache := kms.TestKms(t, conn, wrap) - rw := db.New(conn) - iamRepo := iam.TestRepo(t, conn, wrap) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) - - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - atRepoFn := func() (*authtoken.Repository, error) { - return atRepo, nil - } - serversRepoFn := func() (*server.Repository, error) { - return server.NewRepository(ctx, rw, rw, kmsCache) - } - - org, proj := iam.TestScopes(t, iamRepo) - globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) - orgGroup := iam.TestGroup(t, conn, org.GetPublicId(), iam.WithDescription("org"), iam.WithName("org")) - projGroup := iam.TestGroup(t, conn, proj.GetPublicId(), iam.WithDescription("project"), iam.WithName("project")) - - authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0] - testcases := []struct { - name string - grantString string - roleScope string - roleGrantScopes []string - getIdFound map[string]bool - }{ - { - name: "global_role_grant_this", - grantString: "id=*;type=*;actions=*", - roleScope: globals.GlobalPrefix, - roleGrantScopes: []string{globals.GrantScopeThis}, - getIdFound: map[string]bool{ - globalGroup.PublicId: true, - orgGroup.PublicId: false, - projGroup.PublicId: false, - }, - }, - { - name: "global_role_grant_children", - grantString: "id=*;type=*;actions=*", - roleScope: globals.GlobalPrefix, - roleGrantScopes: []string{globals.GrantScopeChildren}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: false, - }, - }, - { - name: "global_role_grant_descendant", - grantString: "id=*;type=*;actions=*", - roleScope: globals.GlobalPrefix, - roleGrantScopes: []string{globals.GrantScopeDescendants}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: true, - }, - }, - { - name: "global_role_grant_this_children", - grantString: "id=*;type=*;actions=*", - roleScope: globals.GlobalPrefix, - roleGrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, - getIdFound: map[string]bool{ - globalGroup.PublicId: true, - orgGroup.PublicId: true, - projGroup.PublicId: false, - }, - }, - { - name: "global_role_grant_this_descendant", - grantString: "id=*;type=*;actions=*", - roleScope: globals.GlobalPrefix, - roleGrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - getIdFound: map[string]bool{ - globalGroup.PublicId: true, - orgGroup.PublicId: true, - projGroup.PublicId: true, - }, - }, - { - name: "org_role_grant_this", - grantString: "id=*;type=*;actions=*", - roleScope: org.GetPublicId(), - roleGrantScopes: []string{globals.GrantScopeThis}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: false, - }, - }, - { - name: "org_role_grant_children", - grantString: "id=*;type=*;actions=*", - roleScope: org.GetPublicId(), - roleGrantScopes: []string{globals.GrantScopeChildren}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: false, - projGroup.PublicId: true, - }, - }, - { - name: "org_role_grant_this_and_children", - grantString: "id=*;type=*;actions=*", - roleScope: org.GetPublicId(), - roleGrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: true, - }, - }, - { - name: "project_role_grant_this", - grantString: "id=*;type=*;actions=*", - roleScope: proj.GetPublicId(), - roleGrantScopes: []string{globals.GrantScopeThis}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: false, - projGroup.PublicId: true, - }, - }, - } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - // this creates everything required to get a token and creates context with auth token - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString()) - user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) - role := iam.TestRole(t, conn, tc.roleScope, iam.WithGrantScopeIds(tc.roleGrantScopes)) - _ = iam.TestRoleGrant(t, conn, role.PublicId, tc.grantString) - _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) - fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), - repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ - PublicId: fullGrantToken.PublicId, - Token: fullGrantToken.GetToken(), - TokenFormat: uint32(auth.AuthTokenTypeBearer), - }) - for id, found := range tc.getIdFound { - _, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{ - Id: id, - }) - // not found means expect error - if !found { - require.Error(t, err) - return - } - require.NoError(t, err) - - } - }) - } - -} diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index d0daddb6e2..9fb858b105 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -1,119 +1,426 @@ -// Copyright (c) HashiCorp, Inc. -// SPDX-License-Identifier: BUSL-1.1 - package groups_test import ( "context" + "fmt" "testing" + "github.com/google/uuid" "github.com/hashicorp/boundary/globals" + "github.com/hashicorp/boundary/internal/auth/password" "github.com/hashicorp/boundary/internal/authtoken" "github.com/hashicorp/boundary/internal/daemon/controller/auth" "github.com/hashicorp/boundary/internal/daemon/controller/handlers/groups" "github.com/hashicorp/boundary/internal/db" pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services" + authpb "github.com/hashicorp/boundary/internal/gen/controller/auth" "github.com/hashicorp/boundary/internal/iam" "github.com/hashicorp/boundary/internal/kms" + "github.com/hashicorp/boundary/internal/requests" + "github.com/hashicorp/boundary/internal/server" "github.com/stretchr/testify/require" ) -// TestGrants_ReadActions tests read actions to assert that grants are being applied properly -// -// Role - which scope the role is created in -// - global level -// - org level -// - project level -// Grant - what IAM grant scope is set for the permission -// - global: descendant -// - org: children -// - project -// Scopes [resource]: -// - global [globalGroup] -// - org1 [org1Group] -// - proj1 [proj1Group] -// - org2 [org2Group] -// - proj2 [proj2Group] -// - proj3 [proj3Group] -func TestGrants_ReadActions(t *testing.T) { +// Test Dimension +// Role - which scope the role is created in +// - global level +// - org level +// - project level +// Grant - what IAM grant scope is set for the permission +// - global: descendant +// - org: children +// - project +// Resource - where resources are created (group) +// - global +// - org1 +// - project1 + +func TestGrants_Get(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) + kmsCache := kms.TestKms(t, conn, wrap) + rw := db.New(conn) iamRepo := iam.TestRepo(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } - kmsCache := kms.TestKms(t, conn, wrap) s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) - org1, _ := iam.TestScopes(t, iamRepo) - org2, proj2 := iam.TestScopes(t, iamRepo) - proj3 := iam.TestProject(t, iamRepo, org2.PublicId) + + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + atRepoFn := func() (*authtoken.Repository, error) { + return atRepo, nil + } + serversRepoFn := func() (*server.Repository, error) { + return server.NewRepository(ctx, rw, rw, kmsCache) + } + + org, proj := iam.TestScopes(t, iamRepo) globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) - org1Group := iam.TestGroup(t, conn, org1.GetPublicId(), iam.WithDescription("org1"), iam.WithName("org1")) - org2Group := iam.TestGroup(t, conn, org2.GetPublicId(), iam.WithDescription("org2"), iam.WithName("org2")) - - proj2Group := iam.TestGroup(t, conn, proj2.GetPublicId(), iam.WithDescription("proj2"), iam.WithName("proj2")) - proj3Group := iam.TestGroup(t, conn, proj3.GetPublicId(), iam.WithDescription("proj3"), iam.WithName("proj3")) - - t.Run("List", func(t *testing.T) { - testcases := []struct { - name string - input *pbs.ListGroupsRequest - rolesToCreate []authtoken.TestRoleGrantsForToken - wantErr error - wantIDs []string - }{ - { - name: "global role grant this and children returns global and org groups", - input: &pbs.ListGroupsRequest{ - ScopeId: globals.GlobalPrefix, - Recursive: true, - }, - rolesToCreate: []authtoken.TestRoleGrantsForToken{ - { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"ids=*;type=group;actions=list,read"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, - }, - }, - wantErr: nil, - wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId}, - }, - { - name: "org role grant this and children returns org and project groups", - input: &pbs.ListGroupsRequest{ - ScopeId: org2.PublicId, - Recursive: true, - }, - rolesToCreate: []authtoken.TestRoleGrantsForToken{ - { - RoleScopeID: org2.PublicId, - GrantStrings: []string{"ids=*;type=group;actions=list,read"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, - }, - }, - wantErr: nil, - wantIDs: []string{org2Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, - }, - } - - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input) - if tc.wantErr != nil { - require.ErrorIs(t, finalErr, tc.wantErr) - return + orgGroup := iam.TestGroup(t, conn, org.GetPublicId(), iam.WithDescription("org"), iam.WithName("org")) + projGroup := iam.TestGroup(t, conn, proj.GetPublicId(), iam.WithDescription("project"), iam.WithName("project")) + + authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0] + testcases := []struct { + name string + roleScope string + + grantStrings []string + grantScopes []string + getIdFound map[string]bool + }{ + { + name: "global_role_grant_this", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: globals.GlobalPrefix, + grantScopes: []string{globals.GrantScopeThis}, + getIdFound: map[string]bool{ + globalGroup.PublicId: true, + orgGroup.PublicId: false, + projGroup.PublicId: false, + }, + }, + { + name: "global_role_grant_children", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: globals.GlobalPrefix, + grantScopes: []string{globals.GrantScopeChildren}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: false, + }, + }, + { + name: "global_role_grant_descendant", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: globals.GlobalPrefix, + grantScopes: []string{globals.GrantScopeDescendants}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: true, + }, + }, + { + name: "global_role_grant_this_children", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: globals.GlobalPrefix, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + getIdFound: map[string]bool{ + globalGroup.PublicId: true, + orgGroup.PublicId: true, + projGroup.PublicId: false, + }, + }, + { + name: "global_role_grant_this_descendant", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: globals.GlobalPrefix, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + getIdFound: map[string]bool{ + globalGroup.PublicId: true, + orgGroup.PublicId: true, + projGroup.PublicId: true, + }, + }, + { + name: "org_role_grant_this", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: org.GetPublicId(), + grantScopes: []string{globals.GrantScopeThis}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: false, + }, + }, + { + name: "org_role_grant_children", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: org.GetPublicId(), + grantScopes: []string{globals.GrantScopeChildren}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: false, + projGroup.PublicId: true, + }, + }, + { + name: "org_role_grant_this_and_children", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: org.GetPublicId(), + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: true, + }, + }, + { + name: "project_role_grant_this", + + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis}, + roleScope: proj.GetPublicId(), + + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: false, + projGroup.PublicId: true, + }, + }, + { + name: "global_role_grant_all_scopes_specific_group_id", + grantStrings: []string{fmt.Sprintf("ids=%s;types=group ;actions=*", orgGroup.PublicId)}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + roleScope: globals.GlobalPrefix, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: false, + }, + }, + { + name: "global_role_grant_all_specific_permissions", + grantStrings: []string{ + fmt.Sprintf("ids=%s;types=group;actions=read", orgGroup.PublicId), + fmt.Sprintf("ids=%s;types=group;actions=read", projGroup.PublicId)}, + grantScopes: []string{org.PublicId, proj.PublicId}, + roleScope: globals.GlobalPrefix, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: true, + }, + }, + } + + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + // this creates everything required to get a token and creates context with auth token + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString()) + user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) + role := iam.TestRoleWithGrants(t, conn, tc.roleScope, tc.grantScopes, tc.grantStrings) + _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) + fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), + repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ + PublicId: fullGrantToken.PublicId, + Token: fullGrantToken.GetToken(), + TokenFormat: uint32(auth.AuthTokenTypeBearer), + }) + for id, found := range tc.getIdFound { + _, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{ + Id: id, + }) + // not found means expect error + if !found { + require.Error(t, err) + continue } - require.NoError(t, finalErr) - var gotIDs []string - for _, g := range got.Items { - gotIDs = append(gotIDs, g.GetId()) + require.NoError(t, err) + + } + }) + } + +} + +func TestGrants_List(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + wrap := db.TestWrapper(t) + kmsCache := kms.TestKms(t, conn, wrap) + rw := db.New(conn) + iamRepo := iam.TestRepo(t, conn, wrap) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + atRepoFn := func() (*authtoken.Repository, error) { + return atRepo, nil + } + serversRepoFn := func() (*server.Repository, error) { + return server.NewRepository(ctx, rw, rw, kmsCache) + } + + org, proj := iam.TestScopes(t, iamRepo) + globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) + orgGroup := iam.TestGroup(t, conn, org.GetPublicId(), iam.WithDescription("org"), iam.WithName("org")) + projGroup := iam.TestGroup(t, conn, proj.GetPublicId(), iam.WithDescription("project"), iam.WithName("project")) + + authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0] + testcases := []struct { + name string + roleScope string + + grantStrings []string + grantScopes []string + getIdFound map[string]bool + }{ + { + name: "global_role_grant_this", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: globals.GlobalPrefix, + grantScopes: []string{globals.GrantScopeThis}, + getIdFound: map[string]bool{ + globalGroup.PublicId: true, + orgGroup.PublicId: false, + projGroup.PublicId: false, + }, + }, + { + name: "global_role_grant_children", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: globals.GlobalPrefix, + grantScopes: []string{globals.GrantScopeChildren}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: false, + }, + }, + { + name: "global_role_grant_descendant", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: globals.GlobalPrefix, + grantScopes: []string{globals.GrantScopeDescendants}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: true, + }, + }, + { + name: "global_role_grant_this_children", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: globals.GlobalPrefix, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + getIdFound: map[string]bool{ + globalGroup.PublicId: true, + orgGroup.PublicId: true, + projGroup.PublicId: false, + }, + }, + { + name: "global_role_grant_this_descendant", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: globals.GlobalPrefix, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + getIdFound: map[string]bool{ + globalGroup.PublicId: true, + orgGroup.PublicId: true, + projGroup.PublicId: true, + }, + }, + { + name: "org_role_grant_this", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: org.GetPublicId(), + grantScopes: []string{globals.GrantScopeThis}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: false, + }, + }, + { + name: "org_role_grant_children", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: org.GetPublicId(), + grantScopes: []string{globals.GrantScopeChildren}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: false, + projGroup.PublicId: true, + }, + }, + { + name: "org_role_grant_this_and_children", + grantStrings: []string{"id=*;type=*;actions=*"}, + roleScope: org.GetPublicId(), + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: true, + }, + }, + { + name: "project_role_grant_this", + + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis}, + roleScope: proj.GetPublicId(), + + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: false, + projGroup.PublicId: true, + }, + }, + { + name: "global_role_grant_all_scopes_specific_group_id", + grantStrings: []string{fmt.Sprintf("ids=%s;types=group ;actions=*", orgGroup.PublicId)}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + roleScope: globals.GlobalPrefix, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: false, + }, + }, + { + name: "global_role_grant_all_specific_permissions", + grantStrings: []string{ + fmt.Sprintf("ids=%s;types=group;actions=read", orgGroup.PublicId), + fmt.Sprintf("ids=%s;types=group;actions=read", projGroup.PublicId)}, + grantScopes: []string{org.PublicId, proj.PublicId}, + roleScope: globals.GlobalPrefix, + getIdFound: map[string]bool{ + globalGroup.PublicId: false, + orgGroup.PublicId: true, + projGroup.PublicId: true, + }, + }, + } + + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + // this creates everything required to get a token and creates context with auth token + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString()) + user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) + role := iam.TestRoleWithGrants(t, conn, tc.roleScope, tc.grantScopes, tc.grantStrings) + _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) + fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), + repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ + PublicId: fullGrantToken.PublicId, + Token: fullGrantToken.GetToken(), + TokenFormat: uint32(auth.AuthTokenTypeBearer), + }) + for id, found := range tc.getIdFound { + _, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{ + Id: id, + }) + // not found means expect error + if !found { + require.Error(t, err) + continue } - require.ElementsMatch(t, tc.wantIDs, gotIDs) - }) - } - }) + require.NoError(t, err) + + } + }) + } + } diff --git a/internal/iam/testing.go b/internal/iam/testing.go index 970a920acb..52e2f8bdc0 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -224,7 +224,7 @@ func TestRole(t testing.TB, conn *db.DB, scopeId string, opt ...Option) *Role { } // TestRoleWithGrants creates a role suitable for testing along with grants -// Functional options for GrantScopeIDs aren't used to express that +// Note: functional options for GrantScopeIDs aren't used to express that // this function does not provide any default grant scope unlike TestRole func TestRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs []string, grants []string) *Role { t.Helper() From 50d45b7bb07d679bcdd83cb6d83e267814e5b3e8 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 20 Dec 2024 10:28:55 -0800 Subject: [PATCH 04/62] refactor read tests into a single top level --- .../controller/handlers/groups/grants_test.go | 754 ++++++++++-------- 1 file changed, 401 insertions(+), 353 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 9fb858b105..39c0ed00fb 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -10,6 +10,7 @@ import ( "github.com/hashicorp/boundary/internal/auth/password" "github.com/hashicorp/boundary/internal/authtoken" "github.com/hashicorp/boundary/internal/daemon/controller/auth" + "github.com/hashicorp/boundary/internal/daemon/controller/handlers" "github.com/hashicorp/boundary/internal/daemon/controller/handlers/groups" "github.com/hashicorp/boundary/internal/db" pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services" @@ -21,21 +22,31 @@ import ( "github.com/stretchr/testify/require" ) -// Test Dimension -// Role - which scope the role is created in -// - global level -// - org level -// - project level -// Grant - what IAM grant scope is set for the permission -// - global: descendant -// - org: children -// - project -// Resource - where resources are created (group) -// - global -// - org1 -// - project1 +type roleRequest struct { + roleScopeID string + grantStrings []string + grantScopes []string +} + +// TestGrants_ReadActions tests read actions to assert that grants are being applied properly +// +// Role - which scope the role is created in +// - global level +// - org level +// - project level +// Grant - what IAM grant scope is set for the permission +// - global: descendant +// - org: children +// - project +// Scopes [resource]: +// - global [globalGroup] +// - org1 [org1Group] +// - proj1 [proj1Group] +// - org2 [org2Group] +// - proj2 [proj2Group] +// - proj3 [proj3Group] -func TestGrants_Get(t *testing.T) { +func TestGrants_ReadActions(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) @@ -57,370 +68,407 @@ func TestGrants_Get(t *testing.T) { return server.NewRepository(ctx, rw, rw, kmsCache) } - org, proj := iam.TestScopes(t, iamRepo) - globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) - orgGroup := iam.TestGroup(t, conn, org.GetPublicId(), iam.WithDescription("org"), iam.WithName("org")) - projGroup := iam.TestGroup(t, conn, proj.GetPublicId(), iam.WithDescription("project"), iam.WithName("project")) + org1, proj1 := iam.TestScopes(t, iamRepo) + org2, proj2 := iam.TestScopes(t, iamRepo) + proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) + globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) + org1Group := iam.TestGroup(t, conn, org1.GetPublicId(), iam.WithDescription("org1"), iam.WithName("org1")) + org2Group := iam.TestGroup(t, conn, org2.GetPublicId(), iam.WithDescription("org2"), iam.WithName("org2")) + proj1Group := iam.TestGroup(t, conn, proj1.GetPublicId(), iam.WithDescription("proj1"), iam.WithName("proj1")) + proj2Group := iam.TestGroup(t, conn, proj2.GetPublicId(), iam.WithDescription("proj2"), iam.WithName("proj2")) + proj3Group := iam.TestGroup(t, conn, proj3.GetPublicId(), iam.WithDescription("proj3"), iam.WithName("proj3")) authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0] - testcases := []struct { - name string - roleScope string - grantStrings []string - grantScopes []string - getIdFound map[string]bool - }{ - { - name: "global_role_grant_this", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: globals.GlobalPrefix, - grantScopes: []string{globals.GrantScopeThis}, - getIdFound: map[string]bool{ - globalGroup.PublicId: true, - orgGroup.PublicId: false, - projGroup.PublicId: false, - }, - }, - { - name: "global_role_grant_children", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: globals.GlobalPrefix, - grantScopes: []string{globals.GrantScopeChildren}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: false, - }, - }, - { - name: "global_role_grant_descendant", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: globals.GlobalPrefix, - grantScopes: []string{globals.GrantScopeDescendants}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: true, - }, - }, - { - name: "global_role_grant_this_children", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: globals.GlobalPrefix, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, - getIdFound: map[string]bool{ - globalGroup.PublicId: true, - orgGroup.PublicId: true, - projGroup.PublicId: false, + t.Run("List", func(t *testing.T) { + testcases := []struct { + name string + input *pbs.ListGroupsRequest + rolesToCreate []roleRequest + wantErr error + wantIDs []string + }{ + { + name: "global role grant this only returns in global groups", + wantErr: nil, + input: &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, + }, + wantIDs: []string{globalGroup.PublicId}, + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + }, }, - }, - { - name: "global_role_grant_this_descendant", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: globals.GlobalPrefix, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - getIdFound: map[string]bool{ - globalGroup.PublicId: true, - orgGroup.PublicId: true, - projGroup.PublicId: true, + { + name: "global role grant this and children returns global and org groups", + input: &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, + }, + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + }, + }, + wantErr: nil, + // TODO (Bo 20-dec-2024): expect 3 groups but only getting 1 back + // need to investigate further + //wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId}, + wantIDs: []string{globalGroup.PublicId}, }, - }, - { - name: "org_role_grant_this", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: org.GetPublicId(), - grantScopes: []string{globals.GrantScopeThis}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: false, + { + name: "global role grant this and descendant returns all groups", + input: &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, + }, + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }, + wantErr: nil, + wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId, proj1Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, }, - }, - { - name: "org_role_grant_children", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: org.GetPublicId(), - grantScopes: []string{globals.GrantScopeChildren}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: false, - projGroup.PublicId: true, + { + name: "org role grant children IDs only org children", + input: &pbs.ListGroupsRequest{ + ScopeId: org2.PublicId, + Recursive: true, + }, + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"ids=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeDescendants}, + }, + }, + wantErr: nil, + wantIDs: []string{org2Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, }, - }, - { - name: "org_role_grant_this_and_children", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: org.GetPublicId(), - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: true, + { + name: "org role grant children IDs only org children", + input: &pbs.ListGroupsRequest{ + ScopeId: org2.PublicId, + Recursive: true, + }, + rolesToCreate: []roleRequest{ + { + roleScopeID: org2.PublicId, + grantStrings: []string{"ids=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + }, + wantErr: nil, + wantIDs: []string{org2Group.PublicId}, }, - }, - { - name: "project_role_grant_this", - - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, - roleScope: proj.GetPublicId(), - - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: false, - projGroup.PublicId: true, - }, - }, - { - name: "global_role_grant_all_scopes_specific_group_id", - grantStrings: []string{fmt.Sprintf("ids=%s;types=group ;actions=*", orgGroup.PublicId)}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - roleScope: globals.GlobalPrefix, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: false, - }, - }, - { - name: "global_role_grant_all_specific_permissions", - grantStrings: []string{ - fmt.Sprintf("ids=%s;types=group;actions=read", orgGroup.PublicId), - fmt.Sprintf("ids=%s;types=group;actions=read", projGroup.PublicId)}, - grantScopes: []string{org.PublicId, proj.PublicId}, - roleScope: globals.GlobalPrefix, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: true, + { + name: "no list permission returns error", + input: &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, + }, + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{ + fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), + }, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }, + wantErr: handlers.ForbiddenError(), + wantIDs: nil, }, - }, - } + } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - // this creates everything required to get a token and creates context with auth token - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString()) - user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) - role := iam.TestRoleWithGrants(t, conn, tc.roleScope, tc.grantScopes, tc.grantStrings) - _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) - fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), - repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ - PublicId: fullGrantToken.PublicId, - Token: fullGrantToken.GetToken(), - TokenFormat: uint32(auth.AuthTokenTypeBearer), - }) - for id, found := range tc.getIdFound { - _, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{ - Id: id, - }) - // not found means expect error - if !found { - require.Error(t, err) - continue + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + // this creates everything required to get a token and creates context with auth token + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString()) + user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) + for _, r := range tc.rolesToCreate { + role := iam.TestRoleWithGrants(t, conn, r.roleScopeID, r.grantScopes, r.grantStrings) + _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) } + fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) require.NoError(t, err) + fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), + repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ + PublicId: fullGrantToken.PublicId, + Token: fullGrantToken.GetToken(), + TokenFormat: uint32(auth.AuthTokenTypeBearer), + }) + got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input) + if tc.wantErr != nil { + require.ErrorIs(t, finalErr, tc.wantErr) + return + } + var gotIDs []string + for _, g := range got.Items { + gotIDs = append(gotIDs, g.GetId()) + } + require.NoError(t, finalErr) + require.ElementsMatch(t, tc.wantIDs, gotIDs) + }) + } + }) - } - }) - } - -} - -func TestGrants_List(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - wrap := db.TestWrapper(t) - kmsCache := kms.TestKms(t, conn, wrap) - rw := db.New(conn) - iamRepo := iam.TestRepo(t, conn, wrap) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) - - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - atRepoFn := func() (*authtoken.Repository, error) { - return atRepo, nil - } - serversRepoFn := func() (*server.Repository, error) { - return server.NewRepository(ctx, rw, rw, kmsCache) - } - - org, proj := iam.TestScopes(t, iamRepo) - globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) - orgGroup := iam.TestGroup(t, conn, org.GetPublicId(), iam.WithDescription("org"), iam.WithName("org")) - projGroup := iam.TestGroup(t, conn, proj.GetPublicId(), iam.WithDescription("project"), iam.WithName("project")) - - authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0] - testcases := []struct { - name string - roleScope string - - grantStrings []string - grantScopes []string - getIdFound map[string]bool - }{ - { - name: "global_role_grant_this", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: globals.GlobalPrefix, - grantScopes: []string{globals.GrantScopeThis}, - getIdFound: map[string]bool{ - globalGroup.PublicId: true, - orgGroup.PublicId: false, - projGroup.PublicId: false, + t.Run("List", func(t *testing.T) { + testcases := []struct { + name string + rolesToCreate []roleRequest + wantErr map[string]error + outputFieldAsserter func(t *testing.T) + }{ + { + name: "global_role_grant_this", + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + }, + wantErr: map[string]error{ + globalGroup.PublicId: nil, + org1Group.PublicId: handlers.ForbiddenError(), + proj1Group.PublicId: handlers.ForbiddenError(), + }, }, - }, - { - name: "global_role_grant_children", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: globals.GlobalPrefix, - grantScopes: []string{globals.GrantScopeChildren}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: false, + { + name: "global_role_grant_children", + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeChildren}, + }, + }, + wantErr: map[string]error{ + globalGroup.PublicId: handlers.ForbiddenError(), + org1Group.PublicId: nil, + proj1Group.PublicId: handlers.ForbiddenError(), + }, }, - }, - { - name: "global_role_grant_descendant", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: globals.GlobalPrefix, - grantScopes: []string{globals.GrantScopeDescendants}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: true, + { + name: "global_role_grant_descendant", + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeDescendants}, + }, + }, + wantErr: map[string]error{ + globalGroup.PublicId: handlers.ForbiddenError(), + org1Group.PublicId: nil, + proj1Group.PublicId: nil, + }, }, - }, - { - name: "global_role_grant_this_children", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: globals.GlobalPrefix, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, - getIdFound: map[string]bool{ - globalGroup.PublicId: true, - orgGroup.PublicId: true, - projGroup.PublicId: false, + { + name: "global_role_grant_this_children", + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + }, + }, + wantErr: map[string]error{ + globalGroup.PublicId: nil, + org1Group.PublicId: nil, + proj1Group.PublicId: handlers.ForbiddenError(), + }, }, - }, - { - name: "global_role_grant_this_descendant", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: globals.GlobalPrefix, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - getIdFound: map[string]bool{ - globalGroup.PublicId: true, - orgGroup.PublicId: true, - projGroup.PublicId: true, + { + name: "global_role_grant_this_descendant", + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }, + wantErr: map[string]error{ + globalGroup.PublicId: nil, + org1Group.PublicId: nil, + proj1Group.PublicId: nil, + }, }, - }, - { - name: "org_role_grant_this", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: org.GetPublicId(), - grantScopes: []string{globals.GrantScopeThis}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: false, + { + name: "org_role_grant_this", + rolesToCreate: []roleRequest{ + { + roleScopeID: org1.GetPublicId(), + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + }, + wantErr: map[string]error{ + globalGroup.PublicId: handlers.ForbiddenError(), + org1Group.PublicId: nil, + proj1Group.PublicId: handlers.ForbiddenError(), + }, }, - }, - { - name: "org_role_grant_children", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: org.GetPublicId(), - grantScopes: []string{globals.GrantScopeChildren}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: false, - projGroup.PublicId: true, + { + name: "org_role_grant_children", + rolesToCreate: []roleRequest{ + { + roleScopeID: org1.GetPublicId(), + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeChildren}, + }, + }, + wantErr: map[string]error{ + globalGroup.PublicId: handlers.ForbiddenError(), + org1Group.PublicId: handlers.ForbiddenError(), + proj1Group.PublicId: nil, + }, }, - }, - { - name: "org_role_grant_this_and_children", - grantStrings: []string{"id=*;type=*;actions=*"}, - roleScope: org.GetPublicId(), - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: true, + { + name: "org_role_grant_this_and_children", + rolesToCreate: []roleRequest{ + { + roleScopeID: org1.GetPublicId(), + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + }, + }, + wantErr: map[string]error{ + globalGroup.PublicId: handlers.ForbiddenError(), + org1Group.PublicId: nil, + proj1Group.PublicId: nil, + }, }, - }, - { - name: "project_role_grant_this", - - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, - roleScope: proj.GetPublicId(), - - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: false, - projGroup.PublicId: true, + { + name: "project_role_grant_this", + rolesToCreate: []roleRequest{ + { + roleScopeID: proj1.GetPublicId(), + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + }, + wantErr: map[string]error{ + globalGroup.PublicId: handlers.ForbiddenError(), + org1Group.PublicId: handlers.ForbiddenError(), + proj1Group.PublicId: nil, + }, }, - }, - { - name: "global_role_grant_all_scopes_specific_group_id", - grantStrings: []string{fmt.Sprintf("ids=%s;types=group ;actions=*", orgGroup.PublicId)}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - roleScope: globals.GlobalPrefix, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: false, + { + name: "global_role_grant_all_scopes_specific_group_id", + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{fmt.Sprintf("ids=%s;types=group ;actions=read", org1Group.PublicId)}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }, + wantErr: map[string]error{ + globalGroup.PublicId: handlers.ForbiddenError(), + org1Group.PublicId: nil, + proj1Group.PublicId: handlers.ForbiddenError(), + }, }, - }, - { - name: "global_role_grant_all_specific_permissions", - grantStrings: []string{ - fmt.Sprintf("ids=%s;types=group;actions=read", orgGroup.PublicId), - fmt.Sprintf("ids=%s;types=group;actions=read", projGroup.PublicId)}, - grantScopes: []string{org.PublicId, proj.PublicId}, - roleScope: globals.GlobalPrefix, - getIdFound: map[string]bool{ - globalGroup.PublicId: false, - orgGroup.PublicId: true, - projGroup.PublicId: true, + { + name: "global_role_grant_all_specific_permissions", + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{ + fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), + fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId)}, + grantScopes: []string{org1.PublicId, proj1.PublicId}, + }, + }, + wantErr: map[string]error{ + globalGroup.PublicId: handlers.ForbiddenError(), + org1Group.PublicId: nil, + proj1Group.PublicId: nil, + }, }, - }, - } + { + name: "global_role_grant_all_specific_permissions", + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{ + fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), + fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId)}, + grantScopes: []string{org1.PublicId, proj1.PublicId}, + }, + }, + wantErr: map[string]error{ + globalGroup.PublicId: handlers.ForbiddenError(), + org1Group.PublicId: nil, + proj1Group.PublicId: nil, + }, + }, + { + name: "global_role_grant_all_specific_permissions", + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{ + fmt.Sprintf("ids=%s;types=group;actions=read", globalGroup.PublicId)}, + grantScopes: []string{globals.GrantScopeThis}, + }, + { + roleScopeID: org1.GetPublicId(), + grantStrings: []string{ + fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), + fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId)}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + }, + }, - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - // this creates everything required to get a token and creates context with auth token - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString()) - user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) - role := iam.TestRoleWithGrants(t, conn, tc.roleScope, tc.grantScopes, tc.grantStrings) - _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) - fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), - repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ - PublicId: fullGrantToken.PublicId, - Token: fullGrantToken.GetToken(), - TokenFormat: uint32(auth.AuthTokenTypeBearer), - }) - for id, found := range tc.getIdFound { - _, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{ - Id: id, - }) - // not found means expect error - if !found { - require.Error(t, err) - continue + wantErr: map[string]error{ + globalGroup.PublicId: nil, + org1Group.PublicId: nil, + proj1Group.PublicId: nil, + }, + }, + } + + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + // this creates everything required to get a token and creates context with auth token + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString()) + user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) + for _, r := range tc.rolesToCreate { + role := iam.TestRoleWithGrants(t, conn, r.roleScopeID, r.grantScopes, r.grantStrings) + _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) } + fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) require.NoError(t, err) - - } - }) - } - + fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), + repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ + PublicId: fullGrantToken.PublicId, + Token: fullGrantToken.GetToken(), + TokenFormat: uint32(auth.AuthTokenTypeBearer), + }) + for id, wantErr := range tc.wantErr { + _, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{ + Id: id, + }) + // not found means expect error + if wantErr != nil { + require.ErrorIs(t, err, wantErr) + continue + } + require.NoError(t, err) + } + }) + } + }) } From d7b3b9b24bb49cae8906fd8c01319bb19dd68b41 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 20 Dec 2024 15:08:42 -0800 Subject: [PATCH 05/62] move token generation to a function --- .../controller/handlers/groups/grants_test.go | 93 ++++++++++--------- 1 file changed, 49 insertions(+), 44 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 39c0ed00fb..831bf0b915 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -19,6 +19,7 @@ import ( "github.com/hashicorp/boundary/internal/kms" "github.com/hashicorp/boundary/internal/requests" "github.com/hashicorp/boundary/internal/server" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/stretchr/testify/require" ) @@ -28,6 +29,52 @@ type roleRequest struct { grantScopes []string } +// genAuthTokenCtx creates an auth.VerifierContext which contains a valid auth token +// for a user which is associated with roles in the roles parameter +// this function creates an authMethod, account, user at global scope +func genAuthTokenCtx(t *testing.T, + ctx context.Context, + conn *db.DB, + wrap wrapping.Wrapper, + iamRepo *iam.Repository, + roles []roleRequest, +) context.Context { + t.Helper() + rw := db.New(conn) + kmsCache := kms.TestKms(t, conn, wrap) + + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + iamRepoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + atRepoFn := func() (*authtoken.Repository, error) { + return atRepo, nil + } + + serversRepoFn := func() (*server.Repository, error) { + return server.NewRepository(ctx, rw, rw, kmsCache) + } + authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0] + + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString()) + user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) + for _, r := range roles { + role := iam.TestRoleWithGrants(t, conn, r.roleScopeID, r.grantScopes, r.grantStrings) + _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) + } + fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), + iamRepoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ + PublicId: fullGrantToken.PublicId, + Token: fullGrantToken.GetToken(), + TokenFormat: uint32(auth.AuthTokenTypeBearer), + }) + + return fullGrantAuthCtx +} + // TestGrants_ReadActions tests read actions to assert that grants are being applied properly // // Role - which scope the role is created in @@ -50,24 +97,12 @@ func TestGrants_ReadActions(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) - kmsCache := kms.TestKms(t, conn, wrap) - rw := db.New(conn) iamRepo := iam.TestRepo(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) - - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - atRepoFn := func() (*authtoken.Repository, error) { - return atRepo, nil - } - serversRepoFn := func() (*server.Repository, error) { - return server.NewRepository(ctx, rw, rw, kmsCache) - } - org1, proj1 := iam.TestScopes(t, iamRepo) org2, proj2 := iam.TestScopes(t, iamRepo) proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) @@ -78,7 +113,6 @@ func TestGrants_ReadActions(t *testing.T) { proj1Group := iam.TestGroup(t, conn, proj1.GetPublicId(), iam.WithDescription("proj1"), iam.WithName("proj1")) proj2Group := iam.TestGroup(t, conn, proj2.GetPublicId(), iam.WithDescription("proj2"), iam.WithName("proj2")) proj3Group := iam.TestGroup(t, conn, proj3.GetPublicId(), iam.WithDescription("proj3"), iam.WithName("proj3")) - authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0] t.Run("List", func(t *testing.T) { testcases := []struct { @@ -193,21 +227,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - // this creates everything required to get a token and creates context with auth token - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString()) - user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) - for _, r := range tc.rolesToCreate { - role := iam.TestRoleWithGrants(t, conn, r.roleScopeID, r.grantScopes, r.grantStrings) - _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) - } - fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), - repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ - PublicId: fullGrantToken.PublicId, - Token: fullGrantToken.GetToken(), - TokenFormat: uint32(auth.AuthTokenTypeBearer), - }) + fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate) got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) @@ -431,7 +451,6 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, - wantErr: map[string]error{ globalGroup.PublicId: nil, org1Group.PublicId: nil, @@ -442,21 +461,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - // this creates everything required to get a token and creates context with auth token - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString()) - user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) - for _, r := range tc.rolesToCreate { - role := iam.TestRoleWithGrants(t, conn, r.roleScopeID, r.grantScopes, r.grantStrings) - _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) - } - fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), - repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ - PublicId: fullGrantToken.PublicId, - Token: fullGrantToken.GetToken(), - TokenFormat: uint32(auth.AuthTokenTypeBearer), - }) + fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate) for id, wantErr := range tc.wantErr { _, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{ Id: id, From d02eb95cc285a351a9b226522bd877d1e9fdef25 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 20 Dec 2024 17:45:58 -0800 Subject: [PATCH 06/62] add test for creates --- .../controller/handlers/groups/grants_test.go | 104 ++++++++++++++++++ 1 file changed, 104 insertions(+) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 831bf0b915..81a225db84 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -19,8 +19,10 @@ import ( "github.com/hashicorp/boundary/internal/kms" "github.com/hashicorp/boundary/internal/requests" "github.com/hashicorp/boundary/internal/server" + pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/groups" wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/stretchr/testify/require" + "google.golang.org/protobuf/types/known/wrapperspb" ) type roleRequest struct { @@ -477,3 +479,105 @@ func TestGrants_ReadActions(t *testing.T) { } }) } + +// TestGrants_ReadActions tests write actions to assert that grants are being applied properly +// +// [create, update, delete] +// Role - which scope the role is created in +// - global level +// - org level +// - project level +// Grant - what IAM grant scope is set for the permission +// - global: descendant +// - org: children +// - project +// Scopes [resource]: +// - global [globalGroup] +// - org1 [org1Group] +// - proj1 [proj1Group] +// - org2 [org2Group] +// - proj2 [proj2Group] +// - proj3 [proj3Group] +func TestWriteActions(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + + org1, proj1 := iam.TestScopes(t, iamRepo) + org2, proj2 := iam.TestScopes(t, iamRepo) + proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) + + testcases := []struct { + name string + roles []roleRequest + createdInScopeAndError map[string]error + }{ + { + name: "grant all can create all", + roles: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }, + createdInScopeAndError: map[string]error{ + globals.GlobalPrefix: nil, + org1.PublicId: nil, + org2.PublicId: nil, + proj1.PublicId: nil, + proj2.PublicId: nil, + proj3.PublicId: nil, + }, + }, + { + name: "grant children can only create in orgs", + roles: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeChildren}, + }, + }, + createdInScopeAndError: map[string]error{ + globals.GlobalPrefix: handlers.ForbiddenError(), + org1.PublicId: nil, + org2.PublicId: nil, + proj1.PublicId: handlers.ForbiddenError(), + proj2.PublicId: handlers.ForbiddenError(), + proj3.PublicId: handlers.ForbiddenError(), + }, + }, + } + + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) + + for scp, wantErr := range tc.createdInScopeAndError { + name := uuid.NewString() + got, err := s.CreateGroup(fullGrantAuthCtx, &pbs.CreateGroupRequest{ + Item: &pb.Group{ + ScopeId: scp, + Name: &wrapperspb.StringValue{Value: name}, + Description: &wrapperspb.StringValue{Value: name}, + }, + }) + if wantErr != nil { + require.ErrorIs(t, wantErr, err) + continue + } + require.NoErrorf(t, err, "failed to create group in scope %s", scp) + g, _, err := iamRepo.LookupGroup(ctx, got.Item.Id) + require.NoError(t, err) + require.Equal(t, name, g.Name) + } + }) + } +} From 4850480aef86e10afc81e4ae51cb88ade0052ac9 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Mon, 23 Dec 2024 16:12:23 -0800 Subject: [PATCH 07/62] add delete tests --- .../controller/handlers/groups/grants_test.go | 201 +++++++++++------- 1 file changed, 129 insertions(+), 72 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 81a225db84..159b98f788 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -3,6 +3,7 @@ package groups_test import ( "context" "fmt" + "slices" "testing" "github.com/google/uuid" @@ -480,7 +481,7 @@ func TestGrants_ReadActions(t *testing.T) { }) } -// TestGrants_ReadActions tests write actions to assert that grants are being applied properly +// TestWriteActions tests write actions to assert that grants are being applied properly // // [create, update, delete] // Role - which scope the role is created in @@ -499,85 +500,141 @@ func TestGrants_ReadActions(t *testing.T) { // - proj2 [proj2Group] // - proj3 [proj3Group] func TestWriteActions(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - wrap := db.TestWrapper(t) - iamRepo := iam.TestRepo(t, conn, wrap) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) + t.Run("create", func(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) - org1, proj1 := iam.TestScopes(t, iamRepo) - org2, proj2 := iam.TestScopes(t, iamRepo) - proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) + org1, proj1 := iam.TestScopes(t, iamRepo) + org2, proj2 := iam.TestScopes(t, iamRepo) + proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) - testcases := []struct { - name string - roles []roleRequest - createdInScopeAndError map[string]error - }{ - { - name: "grant all can create all", - roles: []roleRequest{ - { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} + testcases := []struct { + name string + roles []roleRequest + canCreateInScopes []string + }{ + { + name: "grant all can create all", + roles: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, }, + canCreateInScopes: allScopeIDs, }, - createdInScopeAndError: map[string]error{ - globals.GlobalPrefix: nil, - org1.PublicId: nil, - org2.PublicId: nil, - proj1.PublicId: nil, - proj2.PublicId: nil, - proj3.PublicId: nil, - }, - }, - { - name: "grant children can only create in orgs", - roles: []roleRequest{ - { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeChildren}, + { + name: "grant children can only create in orgs", + roles: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeChildren}, + }, }, + canCreateInScopes: []string{org1.PublicId, org2.PublicId}, }, - createdInScopeAndError: map[string]error{ - globals.GlobalPrefix: handlers.ForbiddenError(), - org1.PublicId: nil, - org2.PublicId: nil, - proj1.PublicId: handlers.ForbiddenError(), - proj2.PublicId: handlers.ForbiddenError(), - proj3.PublicId: handlers.ForbiddenError(), - }, - }, - } + } + + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) + + for _, scope := range allScopeIDs { + name := uuid.NewString() + got, err := s.CreateGroup(fullGrantAuthCtx, &pbs.CreateGroupRequest{ + Item: &pb.Group{ + ScopeId: scope, + Name: &wrapperspb.StringValue{Value: name}, + Description: &wrapperspb.StringValue{Value: name}, + }, + }) + if !slices.Contains(tc.canCreateInScopes, scope) { + require.ErrorIs(t, err, handlers.ForbiddenError()) + continue + } + require.NoErrorf(t, err, "failed to create group in scope %s", scope) + g, _, err := iamRepo.LookupGroup(ctx, got.Item.Id) + require.NoError(t, err) + require.Equal(t, name, g.Name) + } + }) + } + }) + t.Run("delete", func(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + + org1, proj1 := iam.TestScopes(t, iamRepo) + org2, proj2 := iam.TestScopes(t, iamRepo) + proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) + allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} - for scp, wantErr := range tc.createdInScopeAndError { - name := uuid.NewString() - got, err := s.CreateGroup(fullGrantAuthCtx, &pbs.CreateGroupRequest{ - Item: &pb.Group{ - ScopeId: scp, - Name: &wrapperspb.StringValue{Value: name}, - Description: &wrapperspb.StringValue{Value: name}, + testcases := []struct { + name string + roles []roleRequest + deleteAllowedAtScopeIDs []string + }{ + { + name: "grant all can delete all", + roles: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }, + deleteAllowedAtScopeIDs: allScopeIDs, + }, + { + name: "grant children can only delete in orgs", + roles: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeChildren}, }, - }) - if wantErr != nil { - require.ErrorIs(t, wantErr, err) - continue + }, + deleteAllowedAtScopeIDs: []string{org1.PublicId, org2.PublicId}, + }, + } + + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + // setup a map to track which scope correlates to a group + scopeIdGroupMap := map[string]*iam.Group{} + for _, scp := range allScopeIDs { + g := iam.TestGroup(t, conn, scp) + scopeIdGroupMap[scp] = g } - require.NoErrorf(t, err, "failed to create group in scope %s", scp) - g, _, err := iamRepo.LookupGroup(ctx, got.Item.Id) - require.NoError(t, err) - require.Equal(t, name, g.Name) - } - }) - } + fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) + for scope, group := range scopeIdGroupMap { + _, err = s.DeleteGroup(fullGrantAuthCtx, &pbs.DeleteGroupRequest{Id: group.PublicId}) + if !slices.Contains(tc.deleteAllowedAtScopeIDs, scope) { + require.ErrorIs(t, err, handlers.ForbiddenError()) + continue + } + require.NoErrorf(t, err, "failed to delete group in scope %s", scope) + } + }) + } + }) + } From 184bd0c509868a41f8a00c07d0806d4da5db0546 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 27 Dec 2024 14:54:52 -0800 Subject: [PATCH 08/62] add update test --- .../controller/handlers/groups/grants_test.go | 115 +++++++++++++++++- 1 file changed, 114 insertions(+), 1 deletion(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 159b98f788..631461057a 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -6,6 +6,8 @@ import ( "slices" "testing" + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" "github.com/google/uuid" "github.com/hashicorp/boundary/globals" "github.com/hashicorp/boundary/internal/auth/password" @@ -23,6 +25,8 @@ import ( pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/groups" wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/stretchr/testify/require" + "google.golang.org/protobuf/testing/protocmp" + "google.golang.org/protobuf/types/known/fieldmaskpb" "google.golang.org/protobuf/types/known/wrapperspb" ) @@ -586,7 +590,6 @@ func TestWriteActions(t *testing.T) { proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} - testcases := []struct { name string roles []roleRequest @@ -637,4 +640,114 @@ func TestWriteActions(t *testing.T) { } }) + t.Run("update", func(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + + //org1, proj1 := iam.TestScopes(t, iamRepo) + //org2, proj2 := iam.TestScopes(t, iamRepo) + //proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) + + testcases := []struct { + name string + roles []roleRequest + setup func(*testing.T) (*pbs.UpdateGroupRequest, *pb.Group) + wantErr error + }{ + { + name: "global_scope_group_good_grant_success", + roles: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + }, + setup: func(t *testing.T) (*pbs.UpdateGroupRequest, *pb.Group) { + g := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithName("name"), iam.WithDescription("description")) + noAuthCtx := auth.DisabledAuthTestContext(repoFn, globals.GlobalPrefix) + gotGroup, err := s.GetGroup(noAuthCtx, &pbs.GetGroupRequest{Id: g.PublicId}) + require.NoError(t, err) + input := &pbs.UpdateGroupRequest{ + Id: g.PublicId, + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: "new-name"}, + Description: &wrapperspb.StringValue{Value: "new-description"}, + Version: 1, + }, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"name", "description"}, + }, + } + want := gotGroup.Item + want.Name = input.Item.Name + want.Description = input.Item.Description + want.Version = 2 + return input, want + }, + wantErr: nil, + }, + { + name: "no grant fails update", + roles: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeChildren}, + }, + }, + setup: func(t *testing.T) (*pbs.UpdateGroupRequest, *pb.Group) { + g := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithName("name"), iam.WithDescription("description")) + input := &pbs.UpdateGroupRequest{ + Id: g.PublicId, + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: "new-name"}, + Description: &wrapperspb.StringValue{Value: "new-description"}, + Version: 1, + }, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"name", "description"}, + }, + } + return input, nil + }, + wantErr: handlers.ForbiddenError(), + }, + } + + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) + input, want := tc.setup(t) + got, err := s.UpdateGroup(fullGrantAuthCtx, input) + if tc.wantErr != nil { + require.Error(t, err) + require.ErrorIs(t, err, tc.wantErr) + return + } + require.NoError(t, err) + + // remove update time from assertion due to its unpredictability + got.Item.UpdatedTime = nil + want.UpdatedTime = nil + + require.Empty(t, cmp.Diff( + got.Item, + want, + protocmp.Transform(), + cmpopts.SortSlices(func(a, b string) bool { + return a < b + }), + )) + }) + } + }) + } From 60cb494d48a99eda179d25ebc70c58189415fa0c Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 27 Dec 2024 15:03:16 -0800 Subject: [PATCH 09/62] only check for version and update_time --- .../controller/handlers/groups/grants_test.go | 42 +++++-------------- 1 file changed, 11 insertions(+), 31 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 631461057a..ca0ac33acf 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -6,8 +6,6 @@ import ( "slices" "testing" - "github.com/google/go-cmp/cmp" - "github.com/google/go-cmp/cmp/cmpopts" "github.com/google/uuid" "github.com/hashicorp/boundary/globals" "github.com/hashicorp/boundary/internal/auth/password" @@ -25,7 +23,6 @@ import ( pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/groups" wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/stretchr/testify/require" - "google.golang.org/protobuf/testing/protocmp" "google.golang.org/protobuf/types/known/fieldmaskpb" "google.golang.org/protobuf/types/known/wrapperspb" ) @@ -658,7 +655,7 @@ func TestWriteActions(t *testing.T) { testcases := []struct { name string roles []roleRequest - setup func(*testing.T) (*pbs.UpdateGroupRequest, *pb.Group) + setup func(t *testing.T) (*iam.Group, *pbs.UpdateGroupRequest) wantErr error }{ { @@ -670,27 +667,21 @@ func TestWriteActions(t *testing.T) { grantScopes: []string{globals.GrantScopeThis}, }, }, - setup: func(t *testing.T) (*pbs.UpdateGroupRequest, *pb.Group) { - g := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithName("name"), iam.WithDescription("description")) - noAuthCtx := auth.DisabledAuthTestContext(repoFn, globals.GlobalPrefix) - gotGroup, err := s.GetGroup(noAuthCtx, &pbs.GetGroupRequest{Id: g.PublicId}) + setup: func(t *testing.T) (*iam.Group, *pbs.UpdateGroupRequest) { + g := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithName(uuid.NewString()), iam.WithDescription(uuid.NewString())) require.NoError(t, err) input := &pbs.UpdateGroupRequest{ Id: g.PublicId, Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: "new-name"}, - Description: &wrapperspb.StringValue{Value: "new-description"}, + Name: &wrapperspb.StringValue{Value: uuid.NewString()}, + Description: &wrapperspb.StringValue{Value: uuid.NewString()}, Version: 1, }, UpdateMask: &fieldmaskpb.FieldMask{ Paths: []string{"name", "description"}, }, } - want := gotGroup.Item - want.Name = input.Item.Name - want.Description = input.Item.Description - want.Version = 2 - return input, want + return g, input }, wantErr: nil, }, @@ -703,7 +694,7 @@ func TestWriteActions(t *testing.T) { grantScopes: []string{globals.GrantScopeChildren}, }, }, - setup: func(t *testing.T) (*pbs.UpdateGroupRequest, *pb.Group) { + setup: func(t *testing.T) (*iam.Group, *pbs.UpdateGroupRequest) { g := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithName("name"), iam.WithDescription("description")) input := &pbs.UpdateGroupRequest{ Id: g.PublicId, @@ -716,7 +707,7 @@ func TestWriteActions(t *testing.T) { Paths: []string{"name", "description"}, }, } - return input, nil + return g, input }, wantErr: handlers.ForbiddenError(), }, @@ -725,7 +716,7 @@ func TestWriteActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) - input, want := tc.setup(t) + originalGroup, input := tc.setup(t) got, err := s.UpdateGroup(fullGrantAuthCtx, input) if tc.wantErr != nil { require.Error(t, err) @@ -733,19 +724,8 @@ func TestWriteActions(t *testing.T) { return } require.NoError(t, err) - - // remove update time from assertion due to its unpredictability - got.Item.UpdatedTime = nil - want.UpdatedTime = nil - - require.Empty(t, cmp.Diff( - got.Item, - want, - protocmp.Transform(), - cmpopts.SortSlices(func(a, b string) bool { - return a < b - }), - )) + require.Equal(t, uint32(2), got.Item.Version) + require.True(t, got.Item.UpdatedTime.AsTime().After(originalGroup.UpdateTime.AsTime())) }) } }) From abc747ee7fea1811def92846871fb1a3038de699 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 27 Dec 2024 15:34:26 -0800 Subject: [PATCH 10/62] move setup resource into testcase to support grants with specific ID --- .../controller/handlers/groups/grants_test.go | 136 ++++++++++-------- 1 file changed, 75 insertions(+), 61 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index ca0ac33acf..b3e4006284 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -638,86 +638,101 @@ func TestWriteActions(t *testing.T) { }) t.Run("update", func(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - wrap := db.TestWrapper(t) - iamRepo := iam.TestRepo(t, conn, wrap) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) - - //org1, proj1 := iam.TestScopes(t, iamRepo) - //org2, proj2 := iam.TestScopes(t, iamRepo) - //proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) - testcases := []struct { - name string - roles []roleRequest - setup func(t *testing.T) (*iam.Group, *pbs.UpdateGroupRequest) - wantErr error + name string + setupScopesResourcesRoles func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) + wantErr error }{ { name: "global_scope_group_good_grant_success", - roles: []roleRequest{ - { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, - }, + setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) { + g := iam.TestGroup(t, conn, globals.GlobalPrefix) + roles := []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + } + return g, roles }, - setup: func(t *testing.T) (*iam.Group, *pbs.UpdateGroupRequest) { - g := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithName(uuid.NewString()), iam.WithDescription(uuid.NewString())) - require.NoError(t, err) - input := &pbs.UpdateGroupRequest{ - Id: g.PublicId, - Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: uuid.NewString()}, - Description: &wrapperspb.StringValue{Value: uuid.NewString()}, - Version: 1, + wantErr: nil, + }, + { + name: "grant specific scope success", + setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) { + _, proj := iam.TestScopes(t, iamRepo) + g := iam.TestGroup(t, conn, proj.PublicId) + roles := []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{proj.PublicId}, }, - UpdateMask: &fieldmaskpb.FieldMask{ - Paths: []string{"name", "description"}, + } + return g, roles + }, + wantErr: nil, + }, + { + name: "grant specific resource and scope success", + setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) { + _, proj := iam.TestScopes(t, iamRepo) + g := iam.TestGroup(t, conn, proj.PublicId) + roles := []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{fmt.Sprintf("id=%s;type=*;actions=*", g.PublicId)}, + grantScopes: []string{proj.PublicId}, }, } - return g, input + return g, roles }, wantErr: nil, }, { name: "no grant fails update", - roles: []roleRequest{ - { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeChildren}, - }, - }, - setup: func(t *testing.T) (*iam.Group, *pbs.UpdateGroupRequest) { - g := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithName("name"), iam.WithDescription("description")) - input := &pbs.UpdateGroupRequest{ - Id: g.PublicId, - Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: "new-name"}, - Description: &wrapperspb.StringValue{Value: "new-description"}, - Version: 1, - }, - UpdateMask: &fieldmaskpb.FieldMask{ - Paths: []string{"name", "description"}, + setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) { + g := iam.TestGroup(t, conn, globals.GlobalPrefix) + roles := []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeChildren}, }, } - return g, input + return g, roles }, wantErr: handlers.ForbiddenError(), }, } - for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) - originalGroup, input := tc.setup(t) - got, err := s.UpdateGroup(fullGrantAuthCtx, input) + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + + original, roles := tc.setupScopesResourcesRoles(t, conn, iamRepo) + fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, roles) + + got, err := s.UpdateGroup(fullGrantAuthCtx, &pbs.UpdateGroupRequest{ + Id: original.PublicId, + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: "new-name"}, + Description: &wrapperspb.StringValue{Value: "new-description"}, + Version: 1, + }, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"name", "description"}, + }, + }) + if tc.wantErr != nil { require.Error(t, err) require.ErrorIs(t, err, tc.wantErr) @@ -725,9 +740,8 @@ func TestWriteActions(t *testing.T) { } require.NoError(t, err) require.Equal(t, uint32(2), got.Item.Version) - require.True(t, got.Item.UpdatedTime.AsTime().After(originalGroup.UpdateTime.AsTime())) + require.True(t, got.Item.UpdatedTime.AsTime().After(original.UpdateTime.AsTime())) }) } }) - } From 3e2a3ef5973588eb03414fd46d707385a03c316e Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Thu, 2 Jan 2025 17:33:02 -0800 Subject: [PATCH 11/62] add member tests --- .../controller/handlers/groups/grants_test.go | 448 +++++++++++++++--- 1 file changed, 385 insertions(+), 63 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index b3e4006284..8126b143df 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -96,7 +96,6 @@ func genAuthTokenCtx(t *testing.T, // - org2 [org2Group] // - proj2 [proj2Group] // - proj3 [proj3Group] - func TestGrants_ReadActions(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") @@ -247,12 +246,11 @@ func TestGrants_ReadActions(t *testing.T) { } }) - t.Run("List", func(t *testing.T) { + t.Run("Get", func(t *testing.T) { testcases := []struct { - name string - rolesToCreate []roleRequest - wantErr map[string]error - outputFieldAsserter func(t *testing.T) + name string + rolesToCreate []roleRequest + inputWantErrMap map[*pbs.GetGroupRequest]error }{ { name: "global_role_grant_this", @@ -263,10 +261,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{globals.GrantScopeThis}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: nil, - org1Group.PublicId: handlers.ForbiddenError(), - proj1Group.PublicId: handlers.ForbiddenError(), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: nil, + &pbs.GetGroupRequest{Id: org1Group.PublicId}: handlers.ForbiddenError(), + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: handlers.ForbiddenError(), }, }, { @@ -278,10 +276,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{globals.GrantScopeChildren}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: handlers.ForbiddenError(), - org1Group.PublicId: nil, - proj1Group.PublicId: handlers.ForbiddenError(), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), + &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: handlers.ForbiddenError(), }, }, { @@ -293,10 +291,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{globals.GrantScopeDescendants}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: handlers.ForbiddenError(), - org1Group.PublicId: nil, - proj1Group.PublicId: nil, + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), + &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, }, }, { @@ -308,10 +306,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: nil, - org1Group.PublicId: nil, - proj1Group.PublicId: handlers.ForbiddenError(), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: nil, + &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: handlers.ForbiddenError(), }, }, { @@ -323,10 +321,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: nil, - org1Group.PublicId: nil, - proj1Group.PublicId: nil, + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: nil, + &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, }, }, { @@ -338,10 +336,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{globals.GrantScopeThis}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: handlers.ForbiddenError(), - org1Group.PublicId: nil, - proj1Group.PublicId: handlers.ForbiddenError(), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), + &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: handlers.ForbiddenError(), }, }, { @@ -353,10 +351,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{globals.GrantScopeChildren}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: handlers.ForbiddenError(), - org1Group.PublicId: handlers.ForbiddenError(), - proj1Group.PublicId: nil, + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), + &pbs.GetGroupRequest{Id: org1Group.PublicId}: handlers.ForbiddenError(), + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, }, }, { @@ -368,10 +366,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: handlers.ForbiddenError(), - org1Group.PublicId: nil, - proj1Group.PublicId: nil, + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), + &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, }, }, { @@ -383,10 +381,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{globals.GrantScopeThis}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: handlers.ForbiddenError(), - org1Group.PublicId: handlers.ForbiddenError(), - proj1Group.PublicId: nil, + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), + &pbs.GetGroupRequest{Id: org1Group.PublicId}: handlers.ForbiddenError(), + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, }, }, { @@ -398,10 +396,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: handlers.ForbiddenError(), - org1Group.PublicId: nil, - proj1Group.PublicId: handlers.ForbiddenError(), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), + &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: handlers.ForbiddenError(), }, }, { @@ -415,10 +413,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{org1.PublicId, proj1.PublicId}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: handlers.ForbiddenError(), - org1Group.PublicId: nil, - proj1Group.PublicId: nil, + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), + &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, }, }, { @@ -432,10 +430,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{org1.PublicId, proj1.PublicId}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: handlers.ForbiddenError(), - org1Group.PublicId: nil, - proj1Group.PublicId: nil, + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), + &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, }, }, { @@ -455,10 +453,10 @@ func TestGrants_ReadActions(t *testing.T) { grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, - wantErr: map[string]error{ - globalGroup.PublicId: nil, - org1Group.PublicId: nil, - proj1Group.PublicId: nil, + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + &pbs.GetGroupRequest{Id: globalGroup.PublicId}: nil, + &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, + &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, }, }, } @@ -466,10 +464,8 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate) - for id, wantErr := range tc.wantErr { - _, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{ - Id: id, - }) + for input, wantErr := range tc.inputWantErrMap { + _, err := s.GetGroup(fullGrantAuthCtx, input) // not found means expect error if wantErr != nil { require.ErrorIs(t, err, wantErr) @@ -732,7 +728,6 @@ func TestWriteActions(t *testing.T) { Paths: []string{"name", "description"}, }, }) - if tc.wantErr != nil { require.Error(t, err) require.ErrorIs(t, err, tc.wantErr) @@ -745,3 +740,330 @@ func TestWriteActions(t *testing.T) { } }) } + +// TestGroupMember tests actions performed on the group-members (child-resources) +func TestGroupMember(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + + org1, proj1 := iam.TestScopes(t, iamRepo) + org2, proj2 := iam.TestScopes(t, iamRepo) + proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) + + globalUsers := []*iam.User{iam.TestUser(t, iamRepo, globals.GlobalPrefix), iam.TestUser(t, iamRepo, globals.GlobalPrefix)} + org1Users := []*iam.User{iam.TestUser(t, iamRepo, org1.PublicId), iam.TestUser(t, iamRepo, org1.PublicId)} + org2Users := []*iam.User{iam.TestUser(t, iamRepo, org2.PublicId), iam.TestUser(t, iamRepo, org2.PublicId)} + + type itemGetter interface { + GetItem() *pb.Group + } + + type testActionResult struct { + action func(context.Context, *iam.Group) (itemGetter, error) + wantErr error + } + + testcases := []struct { + name string + setupGroupAndRole func(t *testing.T) (*iam.Group, []roleRequest) + // collection of actions to be executed in the tests in order + actions []testActionResult + }{ + { + name: "all_actions_valid_grant_success", + setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + group := iam.TestGroup(t, conn, globals.GlobalPrefix) + return group, []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + } + }, + actions: []testActionResult{ + { + action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + out, err := s.AddGroupMembers(authCtx, &pbs.AddGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(org1Users), + }) + return out, err + }, + wantErr: nil, + }, + { + action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + out, err := s.SetGroupMembers(authCtx, &pbs.SetGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(globalUsers), + }) + return out, err + }, + wantErr: nil, + }, + { + action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + out, err := s.RemoveGroupMembers(authCtx, &pbs.RemoveGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(globalUsers), + }) + return out, err + }, + wantErr: nil, + }, + }, + }, + { + name: "add_and_set_allowed_fail_to_remove", + setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + group := iam.TestGroup(t, conn, org1.PublicId) + return group, []roleRequest{ + { + roleScopeID: org1.PublicId, + grantStrings: []string{"id=*;type=*;actions=add-members"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + { + roleScopeID: org1.PublicId, + grantStrings: []string{"id=*;type=*;actions=set-members"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + } + }, + actions: []testActionResult{ + { + action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + out, err := s.AddGroupMembers(authCtx, &pbs.AddGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(org1Users), + }) + return out, err + }, + wantErr: nil, + }, + { + action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + out, err := s.SetGroupMembers(authCtx, &pbs.SetGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(org1Users), + }) + return out, err + }, + wantErr: nil, + }, + { + action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + out, err := s.RemoveGroupMembers(authCtx, &pbs.RemoveGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(org1Users), + }) + return out, err + }, + wantErr: handlers.ForbiddenError(), + }, + }, + }, + { + name: "remove_member_valid_grant_success", + setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + group := iam.TestGroup(t, conn, proj1.PublicId) + iam.TestGroupMember(t, conn, group.PublicId, org1Users[0].PublicId) + iam.TestGroupMember(t, conn, group.PublicId, org1Users[1].PublicId) + return group, []roleRequest{ + { + roleScopeID: proj1.PublicId, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + } + }, + actions: []testActionResult{ + { + action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + out, err := s.RemoveGroupMembers(authCtx, &pbs.RemoveGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(org1Users), + }) + return out, err + }, + wantErr: nil, + }, + }, + }, + { + name: "set_member_valid_specific_grant_success", + setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + group := iam.TestGroup(t, conn, proj1.PublicId) + return group, []roleRequest{ + { + roleScopeID: proj1.PublicId, + grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=set-members", group.PublicId)}, + grantScopes: []string{globals.GrantScopeThis}, + }, + } + }, + actions: []testActionResult{ + { + action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + out, err := s.SetGroupMembers(authCtx, &pbs.SetGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(org1Users), + }) + return out, err + }, + wantErr: nil, + }, + }, + }, + { + name: "add_member_valid_specific_grant_success", + setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + group := iam.TestGroup(t, conn, org2.PublicId) + return group, []roleRequest{ + { + roleScopeID: org2.PublicId, + grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + grantScopes: []string{globals.GrantScopeThis}, + }, + } + }, + actions: []testActionResult{ + { + action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + out, err := s.AddGroupMembers(authCtx, &pbs.AddGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(org2Users), + }) + return out, err + }, + wantErr: nil, + }, + }, + }, + { + name: "remove_member_valid_specific_grant_success", + setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + group := iam.TestGroup(t, conn, proj2.PublicId) + iam.TestGroupMember(t, conn, group.PublicId, org2Users[0].PublicId) + iam.TestGroupMember(t, conn, group.PublicId, org2Users[1].PublicId) + return group, []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, + grantScopes: []string{proj2.PublicId}, + }, + } + }, + actions: []testActionResult{ + { + action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + out, err := s.RemoveGroupMembers(authCtx, &pbs.RemoveGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(org2Users), + }) + return out, err + }, + wantErr: nil, + }, + }, + }, + { + name: "cross_scope_add_member_valid_specific_grant_success", + setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + group := iam.TestGroup(t, conn, proj3.PublicId) + return group, []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + grantScopes: []string{globals.GrantScopeDescendants}, + }, + } + }, + actions: []testActionResult{ + { + action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + users := userIDs(org1Users) + users = append(users, userIDs(org2Users)...) + out, err := s.AddGroupMembers(authCtx, &pbs.AddGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: users, + }) + return out, err + }, + wantErr: nil, + }, + }, + }, + { + name: "add_member_with_valid_grant_string_invalid_scope_forbidden_error", + setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + group := iam.TestGroup(t, conn, org2.PublicId) + return group, []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"id=*;type=*;actions=*"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + } + }, + actions: []testActionResult{ + { + action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + out, err := s.AddGroupMembers(authCtx, &pbs.AddGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(org2Users), + }) + return out, err + }, + wantErr: handlers.ForbiddenError(), + }, + }, + }, + } + + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + group, roleReqs := tc.setupGroupAndRole(t) + fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, roleReqs) + for _, act := range tc.actions { + out, err := act.action(fullGrantAuthCtx, group) + if act.wantErr != nil { + require.Error(t, err) + require.ErrorIs(t, err, act.wantErr) + continue + } + require.NoError(t, err) + // set version for future updates + group.Version = out.GetItem().Version + } + }) + } +} + +func userIDs(users []*iam.User) []string { + result := make([]string, len(users)) + for i, u := range users { + result[i] = u.PublicId + } + return result +} From f44ac44966bd76abb87361378e7b1bc0c3ac5688 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 3 Jan 2025 09:18:12 -0800 Subject: [PATCH 12/62] add group-member test example with multiple actions --- .../controller/handlers/groups/grants_test.go | 88 +++++++++++++++---- 1 file changed, 73 insertions(+), 15 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 8126b143df..151a5505d1 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -236,11 +236,11 @@ func TestGrants_ReadActions(t *testing.T) { require.ErrorIs(t, finalErr, tc.wantErr) return } + require.NoError(t, finalErr) var gotIDs []string for _, g := range got.Items { gotIDs = append(gotIDs, g.GetId()) } - require.NoError(t, finalErr) require.ElementsMatch(t, tc.wantIDs, gotIDs) }) } @@ -761,12 +761,12 @@ func TestGroupMember(t *testing.T) { org1Users := []*iam.User{iam.TestUser(t, iamRepo, org1.PublicId), iam.TestUser(t, iamRepo, org1.PublicId)} org2Users := []*iam.User{iam.TestUser(t, iamRepo, org2.PublicId), iam.TestUser(t, iamRepo, org2.PublicId)} - type itemGetter interface { + type groupGetter interface { GetItem() *pb.Group } type testActionResult struct { - action func(context.Context, *iam.Group) (itemGetter, error) + action func(context.Context, *iam.Group) (groupGetter, error) wantErr error } @@ -790,7 +790,7 @@ func TestGroupMember(t *testing.T) { }, actions: []testActionResult{ { - action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { out, err := s.AddGroupMembers(authCtx, &pbs.AddGroupMembersRequest{ Id: g.PublicId, Version: g.Version, @@ -801,7 +801,7 @@ func TestGroupMember(t *testing.T) { wantErr: nil, }, { - action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { out, err := s.SetGroupMembers(authCtx, &pbs.SetGroupMembersRequest{ Id: g.PublicId, Version: g.Version, @@ -812,7 +812,7 @@ func TestGroupMember(t *testing.T) { wantErr: nil, }, { - action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { out, err := s.RemoveGroupMembers(authCtx, &pbs.RemoveGroupMembersRequest{ Id: g.PublicId, Version: g.Version, @@ -843,7 +843,7 @@ func TestGroupMember(t *testing.T) { }, actions: []testActionResult{ { - action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { out, err := s.AddGroupMembers(authCtx, &pbs.AddGroupMembersRequest{ Id: g.PublicId, Version: g.Version, @@ -854,7 +854,7 @@ func TestGroupMember(t *testing.T) { wantErr: nil, }, { - action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { out, err := s.SetGroupMembers(authCtx, &pbs.SetGroupMembersRequest{ Id: g.PublicId, Version: g.Version, @@ -865,7 +865,7 @@ func TestGroupMember(t *testing.T) { wantErr: nil, }, { - action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { out, err := s.RemoveGroupMembers(authCtx, &pbs.RemoveGroupMembersRequest{ Id: g.PublicId, Version: g.Version, @@ -893,7 +893,7 @@ func TestGroupMember(t *testing.T) { }, actions: []testActionResult{ { - action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { out, err := s.RemoveGroupMembers(authCtx, &pbs.RemoveGroupMembersRequest{ Id: g.PublicId, Version: g.Version, @@ -919,7 +919,7 @@ func TestGroupMember(t *testing.T) { }, actions: []testActionResult{ { - action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { out, err := s.SetGroupMembers(authCtx, &pbs.SetGroupMembersRequest{ Id: g.PublicId, Version: g.Version, @@ -945,7 +945,7 @@ func TestGroupMember(t *testing.T) { }, actions: []testActionResult{ { - action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { out, err := s.AddGroupMembers(authCtx, &pbs.AddGroupMembersRequest{ Id: g.PublicId, Version: g.Version, @@ -973,7 +973,7 @@ func TestGroupMember(t *testing.T) { }, actions: []testActionResult{ { - action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { out, err := s.RemoveGroupMembers(authCtx, &pbs.RemoveGroupMembersRequest{ Id: g.PublicId, Version: g.Version, @@ -999,7 +999,7 @@ func TestGroupMember(t *testing.T) { }, actions: []testActionResult{ { - action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { users := userIDs(org1Users) users = append(users, userIDs(org2Users)...) out, err := s.AddGroupMembers(authCtx, &pbs.AddGroupMembersRequest{ @@ -1027,7 +1027,7 @@ func TestGroupMember(t *testing.T) { }, actions: []testActionResult{ { - action: func(authCtx context.Context, g *iam.Group) (itemGetter, error) { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { out, err := s.AddGroupMembers(authCtx, &pbs.AddGroupMembersRequest{ Id: g.PublicId, Version: g.Version, @@ -1039,6 +1039,64 @@ func TestGroupMember(t *testing.T) { }, }, }, + { + name: "multiple_grants_success", + setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + group := iam.TestGroup(t, conn, proj2.PublicId) + return group, []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + grantScopes: []string{proj2.PublicId}, + }, + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=set-members", group.PublicId)}, + grantScopes: []string{proj2.PublicId}, + }, + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, + grantScopes: []string{proj2.PublicId}, + }, + } + }, + actions: []testActionResult{ + { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { + out, err := s.AddGroupMembers(authCtx, &pbs.AddGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(org2Users), + }) + return out, err + }, + wantErr: nil, + }, + { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { + out, err := s.SetGroupMembers(authCtx, &pbs.SetGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(org2Users), + }) + return out, err + }, + wantErr: nil, + }, + { + action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { + out, err := s.RemoveGroupMembers(authCtx, &pbs.RemoveGroupMembersRequest{ + Id: g.PublicId, + Version: g.Version, + MemberIds: userIDs(org2Users), + }) + return out, err + }, + wantErr: nil, + }, + }, + }, } for _, tc := range testcases { From a3d8e62e6e616d890d0dff49073fa01629130973 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 3 Jan 2025 09:44:34 -0800 Subject: [PATCH 13/62] remove duplicate group membership tests --- .../controller/handlers/groups/grants_test.go | 69 ++----------------- 1 file changed, 7 insertions(+), 62 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 151a5505d1..a95e1d3e4f 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -75,7 +75,6 @@ func genAuthTokenCtx(t *testing.T, Token: fullGrantToken.GetToken(), TokenFormat: uint32(auth.AuthTokenTypeBearer), }) - return fullGrantAuthCtx } @@ -496,7 +495,7 @@ func TestGrants_ReadActions(t *testing.T) { // - org2 [org2Group] // - proj2 [proj2Group] // - proj3 [proj3Group] -func TestWriteActions(t *testing.T) { +func TestWrites(t *testing.T) { t.Run("create", func(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") @@ -753,7 +752,7 @@ func TestGroupMember(t *testing.T) { s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) - org1, proj1 := iam.TestScopes(t, iamRepo) + org1, _ := iam.TestScopes(t, iamRepo) org2, proj2 := iam.TestScopes(t, iamRepo) proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) @@ -777,7 +776,7 @@ func TestGroupMember(t *testing.T) { actions []testActionResult }{ { - name: "all_actions_valid_grant_success", + name: "all actions valid grant success", setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { group := iam.TestGroup(t, conn, globals.GlobalPrefix) return group, []roleRequest{ @@ -825,7 +824,7 @@ func TestGroupMember(t *testing.T) { }, }, { - name: "add_and_set_allowed_fail_to_remove", + name: "only add and set allowed fail to remove", setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { group := iam.TestGroup(t, conn, org1.PublicId) return group, []roleRequest{ @@ -877,60 +876,6 @@ func TestGroupMember(t *testing.T) { }, }, }, - { - name: "remove_member_valid_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { - group := iam.TestGroup(t, conn, proj1.PublicId) - iam.TestGroupMember(t, conn, group.PublicId, org1Users[0].PublicId) - iam.TestGroupMember(t, conn, group.PublicId, org1Users[1].PublicId) - return group, []roleRequest{ - { - roleScopeID: proj1.PublicId, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, - }, - } - }, - actions: []testActionResult{ - { - action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { - out, err := s.RemoveGroupMembers(authCtx, &pbs.RemoveGroupMembersRequest{ - Id: g.PublicId, - Version: g.Version, - MemberIds: userIDs(org1Users), - }) - return out, err - }, - wantErr: nil, - }, - }, - }, - { - name: "set_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { - group := iam.TestGroup(t, conn, proj1.PublicId) - return group, []roleRequest{ - { - roleScopeID: proj1.PublicId, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=set-members", group.PublicId)}, - grantScopes: []string{globals.GrantScopeThis}, - }, - } - }, - actions: []testActionResult{ - { - action: func(authCtx context.Context, g *iam.Group) (groupGetter, error) { - out, err := s.SetGroupMembers(authCtx, &pbs.SetGroupMembersRequest{ - Id: g.PublicId, - Version: g.Version, - MemberIds: userIDs(org1Users), - }) - return out, err - }, - wantErr: nil, - }, - }, - }, { name: "add_member_valid_specific_grant_success", setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { @@ -1045,17 +990,17 @@ func TestGroupMember(t *testing.T) { group := iam.TestGroup(t, conn, proj2.PublicId) return group, []roleRequest{ { - roleScopeID: globals.GlobalPrefix, + roleScopeID: proj2.PublicId, grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, grantScopes: []string{proj2.PublicId}, }, { - roleScopeID: globals.GlobalPrefix, + roleScopeID: proj2.PublicId, grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=set-members", group.PublicId)}, grantScopes: []string{proj2.PublicId}, }, { - roleScopeID: globals.GlobalPrefix, + roleScopeID: proj2.PublicId, grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, grantScopes: []string{proj2.PublicId}, }, From 962f326e4e94b22a7b43b809a2a816e7404a688a Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 3 Jan 2025 09:50:28 -0800 Subject: [PATCH 14/62] ran make gen --- .../controller/handlers/groups/grants_test.go | 95 ++++++++++--------- 1 file changed, 51 insertions(+), 44 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index a95e1d3e4f..ca2b799c00 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -1,3 +1,6 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: BUSL-1.1 + package groups_test import ( @@ -156,7 +159,7 @@ func TestGrants_ReadActions(t *testing.T) { wantErr: nil, // TODO (Bo 20-dec-2024): expect 3 groups but only getting 1 back // need to investigate further - //wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId}, + // wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId}, wantIDs: []string{globalGroup.PublicId}, }, { @@ -261,9 +264,9 @@ func TestGrants_ReadActions(t *testing.T) { }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: nil, - &pbs.GetGroupRequest{Id: org1Group.PublicId}: handlers.ForbiddenError(), - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: globalGroup.PublicId}: nil, + {Id: org1Group.PublicId}: handlers.ForbiddenError(), + {Id: proj1Group.PublicId}: handlers.ForbiddenError(), }, }, { @@ -276,9 +279,9 @@ func TestGrants_ReadActions(t *testing.T) { }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), - &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: handlers.ForbiddenError(), }, }, { @@ -291,9 +294,9 @@ func TestGrants_ReadActions(t *testing.T) { }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), - &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: nil, }, }, { @@ -306,9 +309,9 @@ func TestGrants_ReadActions(t *testing.T) { }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: nil, - &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: globalGroup.PublicId}: nil, + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: handlers.ForbiddenError(), }, }, { @@ -321,9 +324,9 @@ func TestGrants_ReadActions(t *testing.T) { }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: nil, - &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, + {Id: globalGroup.PublicId}: nil, + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: nil, }, }, { @@ -336,9 +339,9 @@ func TestGrants_ReadActions(t *testing.T) { }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), - &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: handlers.ForbiddenError(), }, }, { @@ -351,9 +354,9 @@ func TestGrants_ReadActions(t *testing.T) { }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), - &pbs.GetGroupRequest{Id: org1Group.PublicId}: handlers.ForbiddenError(), - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: handlers.ForbiddenError(), + {Id: proj1Group.PublicId}: nil, }, }, { @@ -366,9 +369,9 @@ func TestGrants_ReadActions(t *testing.T) { }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), - &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: nil, }, }, { @@ -381,9 +384,9 @@ func TestGrants_ReadActions(t *testing.T) { }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), - &pbs.GetGroupRequest{Id: org1Group.PublicId}: handlers.ForbiddenError(), - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: handlers.ForbiddenError(), + {Id: proj1Group.PublicId}: nil, }, }, { @@ -396,9 +399,9 @@ func TestGrants_ReadActions(t *testing.T) { }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), - &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: handlers.ForbiddenError(), }, }, { @@ -408,14 +411,15 @@ func TestGrants_ReadActions(t *testing.T) { roleScopeID: globals.GlobalPrefix, grantStrings: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), - fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId)}, + fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), + }, grantScopes: []string{org1.PublicId, proj1.PublicId}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), - &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: nil, }, }, { @@ -425,14 +429,15 @@ func TestGrants_ReadActions(t *testing.T) { roleScopeID: globals.GlobalPrefix, grantStrings: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), - fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId)}, + fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), + }, grantScopes: []string{org1.PublicId, proj1.PublicId}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: handlers.ForbiddenError(), - &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: nil, }, }, { @@ -441,21 +446,23 @@ func TestGrants_ReadActions(t *testing.T) { { roleScopeID: globals.GlobalPrefix, grantStrings: []string{ - fmt.Sprintf("ids=%s;types=group;actions=read", globalGroup.PublicId)}, + fmt.Sprintf("ids=%s;types=group;actions=read", globalGroup.PublicId), + }, grantScopes: []string{globals.GrantScopeThis}, }, { roleScopeID: org1.GetPublicId(), grantStrings: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), - fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId)}, + fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), + }, grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ - &pbs.GetGroupRequest{Id: globalGroup.PublicId}: nil, - &pbs.GetGroupRequest{Id: org1Group.PublicId}: nil, - &pbs.GetGroupRequest{Id: proj1Group.PublicId}: nil, + {Id: globalGroup.PublicId}: nil, + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: nil, }, }, } From f7d1d20acc50b0708712267bb2e928254f52cb9a Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 3 Jan 2025 16:02:18 -0800 Subject: [PATCH 15/62] fix missing parentID bug --- .../controller/handlers/groups/grants_test.go | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index ca2b799c00..4ee98662a7 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -152,16 +152,13 @@ func TestGrants_ReadActions(t *testing.T) { rolesToCreate: []roleRequest{ { roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, + grantStrings: []string{"ids=*;type=group;actions=list,read"}, grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, wantErr: nil, - // TODO (Bo 20-dec-2024): expect 3 groups but only getting 1 back - // need to investigate further - // wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId}, - wantIDs: []string{globalGroup.PublicId}, - }, + wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId}, + q}, { name: "global role grant this and descendant returns all groups", input: &pbs.ListGroupsRequest{ @@ -668,7 +665,7 @@ func TestWrites(t *testing.T) { roles := []roleRequest{ { roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, + grantStrings: []string{"ids=*;type=*;actions=*"}, grantScopes: []string{proj.PublicId}, }, } @@ -684,7 +681,7 @@ func TestWrites(t *testing.T) { roles := []roleRequest{ { roleScopeID: globals.GlobalPrefix, - grantStrings: []string{fmt.Sprintf("id=%s;type=*;actions=*", g.PublicId)}, + grantStrings: []string{fmt.Sprintf("ids=%s;types=group;actions=*", g.PublicId)}, grantScopes: []string{proj.PublicId}, }, } From 6a34f9f467a5f967a4930851ea29f1d836ecc323 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 3 Jan 2025 16:12:07 -0800 Subject: [PATCH 16/62] fix typo --- internal/daemon/controller/handlers/groups/grants_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 4ee98662a7..74e9ec5198 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -158,7 +158,7 @@ func TestGrants_ReadActions(t *testing.T) { }, wantErr: nil, wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId}, - q}, + }, { name: "global role grant this and descendant returns all groups", input: &pbs.ListGroupsRequest{ From 245872b43412cc4ea198722ef4b3d5c4e5338bc5 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Mon, 6 Jan 2025 15:24:41 -0800 Subject: [PATCH 17/62] fix test names and add test cases --- .../controller/handlers/groups/grants_test.go | 119 ++++++++++++------ 1 file changed, 81 insertions(+), 38 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 74e9ec5198..76ecf8235f 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -36,10 +36,10 @@ type roleRequest struct { grantScopes []string } -// genAuthTokenCtx creates an auth.VerifierContext which contains a valid auth token +// testGenAuthTokenCtx creates an auth.VerifierContext which contains a valid auth token // for a user which is associated with roles in the roles parameter // this function creates an authMethod, account, user at global scope -func genAuthTokenCtx(t *testing.T, +func testGenAuthTokenCtx(t *testing.T, ctx context.Context, conn *db.DB, wrap wrapping.Wrapper, @@ -225,11 +225,48 @@ func TestGrants_ReadActions(t *testing.T) { wantErr: handlers.ForbiddenError(), wantIDs: nil, }, + { + name: "global role scope specific grants only returns granted scopes", + input: &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, + }, + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"ids=*;type=group;actions=read,list"}, + grantScopes: []string{proj1.PublicId, proj2.PublicId, proj3.PublicId}, + }, + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"ids=*;type=group;actions=read,list"}, + grantScopes: []string{globals.GrantScopeThis}, + }, + }, + wantErr: nil, + wantIDs: []string{globalGroup.PublicId, proj1Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, + }, + { + name: "global role not granted group resources returns error", + input: &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, + }, + rolesToCreate: []roleRequest{ + { + roleScopeID: globals.GlobalPrefix, + grantStrings: []string{"ids=*;type=target;actions=read,list"}, + grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }, + wantErr: handlers.ForbiddenError(), + wantIDs: nil, + }, } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate) + fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate) got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) @@ -252,7 +289,7 @@ func TestGrants_ReadActions(t *testing.T) { inputWantErrMap map[*pbs.GetGroupRequest]error }{ { - name: "global_role_grant_this", + name: "global role grant this scope with all permissions", rolesToCreate: []roleRequest{ { roleScopeID: globals.GlobalPrefix, @@ -264,10 +301,12 @@ func TestGrants_ReadActions(t *testing.T) { {Id: globalGroup.PublicId}: nil, {Id: org1Group.PublicId}: handlers.ForbiddenError(), {Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, }, { - name: "global_role_grant_children", + name: "global role grant children scopes with all permissions", rolesToCreate: []roleRequest{ { roleScopeID: globals.GlobalPrefix, @@ -279,10 +318,12 @@ func TestGrants_ReadActions(t *testing.T) { {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: nil, {Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: org2Group.PublicId}: nil, + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, }, { - name: "global_role_grant_descendant", + name: "global role grant descendant scopes with all permissions", rolesToCreate: []roleRequest{ { roleScopeID: globals.GlobalPrefix, @@ -294,10 +335,12 @@ func TestGrants_ReadActions(t *testing.T) { {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: nil, {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: nil, + {Id: proj2Group.PublicId}: nil, }, }, { - name: "global_role_grant_this_children", + name: "global role grant this and children scopes with all permissions", rolesToCreate: []roleRequest{ { roleScopeID: globals.GlobalPrefix, @@ -309,10 +352,12 @@ func TestGrants_ReadActions(t *testing.T) { {Id: globalGroup.PublicId}: nil, {Id: org1Group.PublicId}: nil, {Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: org2Group.PublicId}: nil, + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, }, { - name: "global_role_grant_this_descendant", + name: "global role grant this and descendant scopes with all permissions", rolesToCreate: []roleRequest{ { roleScopeID: globals.GlobalPrefix, @@ -324,10 +369,12 @@ func TestGrants_ReadActions(t *testing.T) { {Id: globalGroup.PublicId}: nil, {Id: org1Group.PublicId}: nil, {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: nil, + {Id: proj2Group.PublicId}: nil, }, }, { - name: "org_role_grant_this", + name: "org1 role grant this scope with all permissions", rolesToCreate: []roleRequest{ { roleScopeID: org1.GetPublicId(), @@ -339,10 +386,12 @@ func TestGrants_ReadActions(t *testing.T) { {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: nil, {Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, }, { - name: "org_role_grant_children", + name: "org1 role grant children scope with all permissions", rolesToCreate: []roleRequest{ { roleScopeID: org1.GetPublicId(), @@ -354,10 +403,12 @@ func TestGrants_ReadActions(t *testing.T) { {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: handlers.ForbiddenError(), {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, }, { - name: "org_role_grant_this_and_children", + name: "org1 role grant this and children scopes with all permissions", rolesToCreate: []roleRequest{ { roleScopeID: org1.GetPublicId(), @@ -369,10 +420,12 @@ func TestGrants_ReadActions(t *testing.T) { {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: nil, {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, }, { - name: "project_role_grant_this", + name: "proj1 role grant this scope with all permissions", rolesToCreate: []roleRequest{ { roleScopeID: proj1.GetPublicId(), @@ -384,10 +437,12 @@ func TestGrants_ReadActions(t *testing.T) { {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: handlers.ForbiddenError(), {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, }, { - name: "global_role_grant_all_scopes_specific_group_id", + name: "global role grant this and descendant scope with read permissions on specific group", rolesToCreate: []roleRequest{ { roleScopeID: globals.GlobalPrefix, @@ -399,28 +454,12 @@ func TestGrants_ReadActions(t *testing.T) { {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: nil, {Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, }, { - name: "global_role_grant_all_specific_permissions", - rolesToCreate: []roleRequest{ - { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{ - fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), - fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), - }, - grantScopes: []string{org1.PublicId, proj1.PublicId}, - }, - }, - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: handlers.ForbiddenError(), - {Id: org1Group.PublicId}: nil, - {Id: proj1Group.PublicId}: nil, - }, - }, - { - name: "global_role_grant_all_specific_permissions", + name: "global role grant this and specific scopes with read permissions on specific group", rolesToCreate: []roleRequest{ { roleScopeID: globals.GlobalPrefix, @@ -435,10 +474,12 @@ func TestGrants_ReadActions(t *testing.T) { {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: nil, {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, }, { - name: "global_role_grant_all_specific_permissions", + name: "union multiple role grant specific resources permissions", rolesToCreate: []roleRequest{ { roleScopeID: globals.GlobalPrefix, @@ -460,13 +501,15 @@ func TestGrants_ReadActions(t *testing.T) { {Id: globalGroup.PublicId}: nil, {Id: org1Group.PublicId}: nil, {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, }, } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate) + fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate) for input, wantErr := range tc.inputWantErrMap { _, err := s.GetGroup(fullGrantAuthCtx, input) // not found means expect error @@ -547,7 +590,7 @@ func TestWrites(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) + fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) for _, scope := range allScopeIDs { name := uuid.NewString() @@ -623,7 +666,7 @@ func TestWrites(t *testing.T) { g := iam.TestGroup(t, conn, scp) scopeIdGroupMap[scp] = g } - fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) + fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) for scope, group := range scopeIdGroupMap { _, err = s.DeleteGroup(fullGrantAuthCtx, &pbs.DeleteGroupRequest{Id: group.PublicId}) if !slices.Contains(tc.deleteAllowedAtScopeIDs, scope) { @@ -718,7 +761,7 @@ func TestWrites(t *testing.T) { require.NoError(t, err) original, roles := tc.setupScopesResourcesRoles(t, conn, iamRepo) - fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, roles) + fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, roles) got, err := s.UpdateGroup(fullGrantAuthCtx, &pbs.UpdateGroupRequest{ Id: original.PublicId, @@ -1051,7 +1094,7 @@ func TestGroupMember(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { group, roleReqs := tc.setupGroupAndRole(t) - fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, roleReqs) + fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, roleReqs) for _, act := range tc.actions { out, err := act.action(fullGrantAuthCtx, group) if act.wantErr != nil { From 8bec6acb77611fce54bd04b7e9a8220fd5620e9b Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Mon, 6 Jan 2025 15:28:07 -0800 Subject: [PATCH 18/62] switch from google/uuid to hashicorp/go-uuid --- .../daemon/controller/handlers/groups/grants_test.go | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 76ecf8235f..33cfa10634 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -9,7 +9,6 @@ import ( "slices" "testing" - "github.com/google/uuid" "github.com/hashicorp/boundary/globals" "github.com/hashicorp/boundary/internal/auth/password" "github.com/hashicorp/boundary/internal/authtoken" @@ -25,6 +24,7 @@ import ( "github.com/hashicorp/boundary/internal/server" pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/groups" wrapping "github.com/hashicorp/go-kms-wrapping/v2" + "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/require" "google.golang.org/protobuf/types/known/fieldmaskpb" "google.golang.org/protobuf/types/known/wrapperspb" @@ -64,7 +64,9 @@ func testGenAuthTokenCtx(t *testing.T, } authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0] - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString()) + loginName, err := uuid.GenerateUUID() + require.NoError(t, err) + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) for _, r := range roles { role := iam.TestRoleWithGrants(t, conn, r.roleScopeID, r.grantScopes, r.grantStrings) @@ -593,7 +595,8 @@ func TestWrites(t *testing.T) { fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) for _, scope := range allScopeIDs { - name := uuid.NewString() + name, err := uuid.GenerateUUID() + require.NoError(t, err) got, err := s.CreateGroup(fullGrantAuthCtx, &pbs.CreateGroupRequest{ Item: &pb.Group{ ScopeId: scope, From f2913a3e7a11fa040aee003ddbdcfec89bd945d1 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Mon, 6 Jan 2025 15:40:47 -0800 Subject: [PATCH 19/62] add comment to groupmember tests --- internal/daemon/controller/handlers/groups/grants_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 33cfa10634..66056bafd4 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -822,7 +822,8 @@ func TestGroupMember(t *testing.T) { testcases := []struct { name string setupGroupAndRole func(t *testing.T) (*iam.Group, []roleRequest) - // collection of actions to be executed in the tests in order + // collection of actions to be executed in the tests in order, *iam.Group returned from each action which + // gets passed to the next action as parameter to preserve information such as `version` increments actions []testActionResult }{ { From 72c16848181234bb737765fd07f27ddbd0242936 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Mon, 6 Jan 2025 16:18:13 -0800 Subject: [PATCH 20/62] small comment change --- internal/iam/testing.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/iam/testing.go b/internal/iam/testing.go index 52e2f8bdc0..970a920acb 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -224,7 +224,7 @@ func TestRole(t testing.TB, conn *db.DB, scopeId string, opt ...Option) *Role { } // TestRoleWithGrants creates a role suitable for testing along with grants -// Note: functional options for GrantScopeIDs aren't used to express that +// Functional options for GrantScopeIDs aren't used to express that // this function does not provide any default grant scope unlike TestRole func TestRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs []string, grants []string) *Role { t.Helper() From 8eae79f43a0b907e2b1e0a2ff6042dfae5d5f360 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 8 Jan 2025 15:47:00 -0800 Subject: [PATCH 21/62] pull shared test utility code from PR #5418 --- .../controller/handlers/groups/grants_test.go | 436 ++++++++---------- 1 file changed, 194 insertions(+), 242 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 66056bafd4..a7e9518c09 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -10,79 +10,21 @@ import ( "testing" "github.com/hashicorp/boundary/globals" - "github.com/hashicorp/boundary/internal/auth/password" "github.com/hashicorp/boundary/internal/authtoken" "github.com/hashicorp/boundary/internal/daemon/controller/auth" "github.com/hashicorp/boundary/internal/daemon/controller/handlers" "github.com/hashicorp/boundary/internal/daemon/controller/handlers/groups" "github.com/hashicorp/boundary/internal/db" pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services" - authpb "github.com/hashicorp/boundary/internal/gen/controller/auth" "github.com/hashicorp/boundary/internal/iam" "github.com/hashicorp/boundary/internal/kms" - "github.com/hashicorp/boundary/internal/requests" - "github.com/hashicorp/boundary/internal/server" pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/groups" - wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/require" "google.golang.org/protobuf/types/known/fieldmaskpb" "google.golang.org/protobuf/types/known/wrapperspb" ) -type roleRequest struct { - roleScopeID string - grantStrings []string - grantScopes []string -} - -// testGenAuthTokenCtx creates an auth.VerifierContext which contains a valid auth token -// for a user which is associated with roles in the roles parameter -// this function creates an authMethod, account, user at global scope -func testGenAuthTokenCtx(t *testing.T, - ctx context.Context, - conn *db.DB, - wrap wrapping.Wrapper, - iamRepo *iam.Repository, - roles []roleRequest, -) context.Context { - t.Helper() - rw := db.New(conn) - kmsCache := kms.TestKms(t, conn, wrap) - - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - iamRepoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } - atRepoFn := func() (*authtoken.Repository, error) { - return atRepo, nil - } - - serversRepoFn := func() (*server.Repository, error) { - return server.NewRepository(ctx, rw, rw, kmsCache) - } - authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0] - - loginName, err := uuid.GenerateUUID() - require.NoError(t, err) - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) - user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId())) - for _, r := range roles { - role := iam.TestRoleWithGrants(t, conn, r.roleScopeID, r.grantScopes, r.grantStrings) - _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) - } - fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())), - iamRepoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{ - PublicId: fullGrantToken.PublicId, - Token: fullGrantToken.GetToken(), - TokenFormat: uint32(auth.AuthTokenTypeBearer), - }) - return fullGrantAuthCtx -} - // TestGrants_ReadActions tests read actions to assert that grants are being applied properly // // Role - which scope the role is created in @@ -105,6 +47,8 @@ func TestGrants_ReadActions(t *testing.T) { conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + repoFn := func() (*iam.Repository, error) { return iamRepo, nil } @@ -123,11 +67,11 @@ func TestGrants_ReadActions(t *testing.T) { t.Run("List", func(t *testing.T) { testcases := []struct { - name string - input *pbs.ListGroupsRequest - rolesToCreate []roleRequest - wantErr error - wantIDs []string + name string + input *pbs.ListGroupsRequest + roleGrantsForToken []authtoken.TestRoleGrantsForToken + wantErr error + wantIDs []string }{ { name: "global role grant this only returns in global groups", @@ -137,11 +81,11 @@ func TestGrants_ReadActions(t *testing.T) { Recursive: true, }, wantIDs: []string{globalGroup.PublicId}, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, }, }, @@ -151,11 +95,11 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"ids=*;type=group;actions=list,read"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"ids=*;type=group;actions=list,read"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, wantErr: nil, @@ -167,11 +111,11 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, wantErr: nil, @@ -183,11 +127,11 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: org2.PublicId, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"ids=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeDescendants}, }, }, wantErr: nil, @@ -199,11 +143,11 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: org2.PublicId, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: org2.PublicId, - grantStrings: []string{"ids=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org2.PublicId, + GrantStrings: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, }, wantErr: nil, @@ -215,13 +159,13 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{ + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, wantErr: handlers.ForbiddenError(), @@ -233,16 +177,16 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"ids=*;type=group;actions=read,list"}, - grantScopes: []string{proj1.PublicId, proj2.PublicId, proj3.PublicId}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"ids=*;type=group;actions=read,list"}, + GrantScopes: []string{proj1.PublicId, proj2.PublicId, proj3.PublicId}, }, { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"ids=*;type=group;actions=read,list"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"ids=*;type=group;actions=read,list"}, + GrantScopes: []string{globals.GrantScopeThis}, }, }, wantErr: nil, @@ -254,11 +198,11 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - rolesToCreate: []roleRequest{ + roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"ids=*;type=target;actions=read,list"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"ids=*;type=target;actions=read,list"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, wantErr: handlers.ForbiddenError(), @@ -268,7 +212,8 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate) + tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.roleGrantsForToken) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) @@ -287,16 +232,16 @@ func TestGrants_ReadActions(t *testing.T) { t.Run("Get", func(t *testing.T) { testcases := []struct { name string - rolesToCreate []roleRequest + rolesToCreate []authtoken.TestRoleGrantsForToken inputWantErrMap map[*pbs.GetGroupRequest]error }{ { name: "global role grant this scope with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -309,11 +254,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant children scopes with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -326,11 +271,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant descendant scopes with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeDescendants}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -343,11 +288,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and children scopes with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -360,11 +305,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and descendant scopes with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -377,11 +322,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant this scope with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: org1.GetPublicId(), - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org1.GetPublicId(), + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -394,11 +339,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant children scope with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: org1.GetPublicId(), - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: org1.GetPublicId(), + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -411,11 +356,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant this and children scopes with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: org1.GetPublicId(), - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + RoleScopeID: org1.GetPublicId(), + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -428,11 +373,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "proj1 role grant this scope with all permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: proj1.GetPublicId(), - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: proj1.GetPublicId(), + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -445,11 +390,11 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and descendant scope with read permissions on specific group", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{fmt.Sprintf("ids=%s;types=group ;actions=read", org1Group.PublicId)}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{fmt.Sprintf("ids=%s;types=group ;actions=read", org1Group.PublicId)}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -462,14 +407,14 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and specific scopes with read permissions on specific group", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{ + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, - grantScopes: []string{org1.PublicId, proj1.PublicId}, + GrantScopes: []string{org1.PublicId, proj1.PublicId}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -482,21 +427,21 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "union multiple role grant specific resources permissions", - rolesToCreate: []roleRequest{ + rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{ + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", globalGroup.PublicId), }, - grantScopes: []string{globals.GrantScopeThis}, + GrantScopes: []string{globals.GrantScopeThis}, }, { - roleScopeID: org1.GetPublicId(), - grantStrings: []string{ + RoleScopeID: org1.GetPublicId(), + GrantStrings: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }, inputWantErrMap: map[*pbs.GetGroupRequest]error{ @@ -511,7 +456,8 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate) + tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for input, wantErr := range tc.inputWantErrMap { _, err := s.GetGroup(fullGrantAuthCtx, input) // not found means expect error @@ -549,6 +495,7 @@ func TestWrites(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) + kmsCache := kms.TestKms(t, conn, wrap) iamRepo := iam.TestRepo(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil @@ -563,27 +510,27 @@ func TestWrites(t *testing.T) { allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} testcases := []struct { name string - roles []roleRequest + roles []authtoken.TestRoleGrantsForToken canCreateInScopes []string }{ { name: "grant all can create all", - roles: []roleRequest{ + roles: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, canCreateInScopes: allScopeIDs, }, { name: "grant children can only create in orgs", - roles: []roleRequest{ + roles: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, }, canCreateInScopes: []string{org1.PublicId, org2.PublicId}, @@ -592,7 +539,8 @@ func TestWrites(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) + tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.roles) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for _, scope := range allScopeIDs { name, err := uuid.GenerateUUID() @@ -621,6 +569,7 @@ func TestWrites(t *testing.T) { conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } @@ -634,27 +583,27 @@ func TestWrites(t *testing.T) { allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} testcases := []struct { name string - roles []roleRequest + roles []authtoken.TestRoleGrantsForToken deleteAllowedAtScopeIDs []string }{ { name: "grant all can delete all", - roles: []roleRequest{ + roles: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }, deleteAllowedAtScopeIDs: allScopeIDs, }, { name: "grant children can only delete in orgs", - roles: []roleRequest{ + roles: []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, }, deleteAllowedAtScopeIDs: []string{org1.PublicId, org2.PublicId}, @@ -669,7 +618,8 @@ func TestWrites(t *testing.T) { g := iam.TestGroup(t, conn, scp) scopeIdGroupMap[scp] = g } - fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.roles) + tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.roles) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for scope, group := range scopeIdGroupMap { _, err = s.DeleteGroup(fullGrantAuthCtx, &pbs.DeleteGroupRequest{Id: group.PublicId}) if !slices.Contains(tc.deleteAllowedAtScopeIDs, scope) { @@ -685,18 +635,18 @@ func TestWrites(t *testing.T) { t.Run("update", func(t *testing.T) { testcases := []struct { name string - setupScopesResourcesRoles func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) + setupScopesResourcesRoles func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) wantErr error }{ { name: "global_scope_group_good_grant_success", - setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) { + setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) - roles := []roleRequest{ + roles := []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, } return g, roles @@ -705,14 +655,14 @@ func TestWrites(t *testing.T) { }, { name: "grant specific scope success", - setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) { + setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) { _, proj := iam.TestScopes(t, iamRepo) g := iam.TestGroup(t, conn, proj.PublicId) - roles := []roleRequest{ + roles := []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"ids=*;type=*;actions=*"}, - grantScopes: []string{proj.PublicId}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{proj.PublicId}, }, } return g, roles @@ -721,14 +671,14 @@ func TestWrites(t *testing.T) { }, { name: "grant specific resource and scope success", - setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) { + setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) { _, proj := iam.TestScopes(t, iamRepo) g := iam.TestGroup(t, conn, proj.PublicId) - roles := []roleRequest{ + roles := []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{fmt.Sprintf("ids=%s;types=group;actions=*", g.PublicId)}, - grantScopes: []string{proj.PublicId}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{fmt.Sprintf("ids=%s;types=group;actions=*", g.PublicId)}, + GrantScopes: []string{proj.PublicId}, }, } return g, roles @@ -737,13 +687,13 @@ func TestWrites(t *testing.T) { }, { name: "no grant fails update", - setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) { + setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) - roles := []roleRequest{ + roles := []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, } return g, roles @@ -757,15 +707,15 @@ func TestWrites(t *testing.T) { conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) - original, roles := tc.setupScopesResourcesRoles(t, conn, iamRepo) - fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, roles) - + tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, roles) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, err := s.UpdateGroup(fullGrantAuthCtx, &pbs.UpdateGroupRequest{ Id: original.PublicId, Item: &pb.Group{ @@ -796,6 +746,7 @@ func TestGroupMember(t *testing.T) { conn, _ := db.TestSetup(t, "postgres") wrap := db.TestWrapper(t) iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } @@ -821,20 +772,20 @@ func TestGroupMember(t *testing.T) { testcases := []struct { name string - setupGroupAndRole func(t *testing.T) (*iam.Group, []roleRequest) + setupGroupAndRole func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) // collection of actions to be executed in the tests in order, *iam.Group returned from each action which // gets passed to the next action as parameter to preserve information such as `version` increments actions []testActionResult }{ { name: "all actions valid grant success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, globals.GlobalPrefix) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, } }, @@ -876,18 +827,18 @@ func TestGroupMember(t *testing.T) { }, { name: "only add and set allowed fail to remove", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, org1.PublicId) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: org1.PublicId, - grantStrings: []string{"id=*;type=*;actions=add-members"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org1.PublicId, + GrantStrings: []string{"id=*;type=*;actions=add-members"}, + GrantScopes: []string{globals.GrantScopeThis}, }, { - roleScopeID: org1.PublicId, - grantStrings: []string{"id=*;type=*;actions=set-members"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org1.PublicId, + GrantStrings: []string{"id=*;type=*;actions=set-members"}, + GrantScopes: []string{globals.GrantScopeThis}, }, } }, @@ -929,13 +880,13 @@ func TestGroupMember(t *testing.T) { }, { name: "add_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, org2.PublicId) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: org2.PublicId, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org2.PublicId, + GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + GrantScopes: []string{globals.GrantScopeThis}, }, } }, @@ -955,15 +906,15 @@ func TestGroupMember(t *testing.T) { }, { name: "remove_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, proj2.PublicId) iam.TestGroupMember(t, conn, group.PublicId, org2Users[0].PublicId) iam.TestGroupMember(t, conn, group.PublicId, org2Users[1].PublicId) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, - grantScopes: []string{proj2.PublicId}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, + GrantScopes: []string{proj2.PublicId}, }, } }, @@ -983,13 +934,13 @@ func TestGroupMember(t *testing.T) { }, { name: "cross_scope_add_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, proj3.PublicId) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, - grantScopes: []string{globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + GrantScopes: []string{globals.GrantScopeDescendants}, }, } }, @@ -1011,13 +962,13 @@ func TestGroupMember(t *testing.T) { }, { name: "add_member_with_valid_grant_string_invalid_scope_forbidden_error", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, org2.PublicId) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: globals.GlobalPrefix, - grantStrings: []string{"id=*;type=*;actions=*"}, - grantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + GrantStrings: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, } }, @@ -1037,23 +988,23 @@ func TestGroupMember(t *testing.T) { }, { name: "multiple_grants_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []roleRequest) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { group := iam.TestGroup(t, conn, proj2.PublicId) - return group, []roleRequest{ + return group, []authtoken.TestRoleGrantsForToken{ { - roleScopeID: proj2.PublicId, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, - grantScopes: []string{proj2.PublicId}, + RoleScopeID: proj2.PublicId, + GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + GrantScopes: []string{proj2.PublicId}, }, { - roleScopeID: proj2.PublicId, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=set-members", group.PublicId)}, - grantScopes: []string{proj2.PublicId}, + RoleScopeID: proj2.PublicId, + GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=set-members", group.PublicId)}, + GrantScopes: []string{proj2.PublicId}, }, { - roleScopeID: proj2.PublicId, - grantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, - grantScopes: []string{proj2.PublicId}, + RoleScopeID: proj2.PublicId, + GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, + GrantScopes: []string{proj2.PublicId}, }, } }, @@ -1098,7 +1049,8 @@ func TestGroupMember(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { group, roleReqs := tc.setupGroupAndRole(t) - fullGrantAuthCtx := testGenAuthTokenCtx(t, ctx, conn, wrap, iamRepo, roleReqs) + tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, roleReqs) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for _, act := range tc.actions { out, err := act.action(fullGrantAuthCtx, group) if act.wantErr != nil { From cef6f7730c1ccd0aa488d44885d281b9a75ad40d Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 29 Jan 2025 14:48:40 -0800 Subject: [PATCH 22/62] refactor role grants out of authtoken package --- internal/authtoken/testing.go | 36 -- internal/daemon/controller/auth/testing.go | 2 +- .../controller/handlers/groups/grants_test.go | 527 ++++++++++-------- internal/iam/testing.go | 138 ++++- 4 files changed, 411 insertions(+), 292 deletions(-) diff --git a/internal/authtoken/testing.go b/internal/authtoken/testing.go index 1748d8bd53..2d89bc24e9 100644 --- a/internal/authtoken/testing.go +++ b/internal/authtoken/testing.go @@ -11,7 +11,6 @@ import ( "github.com/hashicorp/boundary/internal/db" "github.com/hashicorp/boundary/internal/iam" "github.com/hashicorp/boundary/internal/kms" - "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/require" ) @@ -47,38 +46,3 @@ func TestAuthToken(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, opt require.NoError(t, err) return at } - -// TestRoleGrantsForToken contains information used by TestAuthTokenWithRoles to create -// roles and their associated grants (with grant scopes) -type TestRoleGrantsForToken struct { - RoleScopeID string - GrantStrings []string - GrantScopes []string -} - -// TestAuthTokenWithRoles creates auth token associated with roles as requested by the caller along -// with any required resources to achieve said token -func TestAuthTokenWithRoles(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, roles []TestRoleGrantsForToken) *AuthToken { - t.Helper() - ctx := context.Background() - rw := db.New(conn) - atRepo, err := NewRepository(ctx, rw, rw, kms) - require.NoError(t, err) - - iamRepo, err := iam.NewRepository(ctx, rw, rw, kms) - require.NoError(t, err) - - authMethod := password.TestAuthMethods(t, conn, scopeId, 1)[0] - - loginName, err := uuid.GenerateUUID() - require.NoError(t, err) - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) - user := iam.TestUser(t, iamRepo, scopeId, iam.WithAccountIds(acct.GetPublicId())) - for _, r := range roles { - role := iam.TestRoleWithGrants(t, conn, r.RoleScopeID, r.GrantScopes, r.GrantStrings) - _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) - } - fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) - require.NoError(t, err) - return fullGrantToken -} diff --git a/internal/daemon/controller/auth/testing.go b/internal/daemon/controller/auth/testing.go index b100d1e222..ef044fb20a 100644 --- a/internal/daemon/controller/auth/testing.go +++ b/internal/daemon/controller/auth/testing.go @@ -41,7 +41,7 @@ func DisabledAuthTestContext(iamRepoFn common.IamRepoFactory, scopeId string, op // TestAuthContextFromToken creates an auth context with provided token // This is used in conjunction with TestAuthTokenWithRoles which creates a test token -func TestAuthContextFromToken(t *testing.T, conn *db.DB, wrap wrapping.Wrapper, token *authtoken.AuthToken, iamRepo *iam.Repository) context.Context { +func TestAuthContextFromToken(t *testing.T, conn *db.DB, wrap wrapping.Wrapper, iamRepo *iam.Repository, token *authtoken.AuthToken) context.Context { t.Helper() ctx := context.Background() rw := db.New(conn) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index a7e9518c09..682386d921 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -6,6 +6,7 @@ package groups_test import ( "context" "fmt" + "github.com/hashicorp/boundary/internal/auth/password" "slices" "testing" @@ -45,9 +46,12 @@ import ( func TestGrants_ReadActions(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) wrap := db.TestWrapper(t) iamRepo := iam.TestRepo(t, conn, wrap) kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) repoFn := func() (*iam.Repository, error) { return iamRepo, nil @@ -67,11 +71,11 @@ func TestGrants_ReadActions(t *testing.T) { t.Run("List", func(t *testing.T) { testcases := []struct { - name string - input *pbs.ListGroupsRequest - roleGrantsForToken []authtoken.TestRoleGrantsForToken - wantErr error - wantIDs []string + name string + input *pbs.ListGroupsRequest + userFunc func() *iam.User + wantErr error + wantIDs []string }{ { name: "global role grant this only returns in global groups", @@ -80,14 +84,14 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - wantIDs: []string{globalGroup.PublicId}, - roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - }, + }), + wantIDs: []string{globalGroup.PublicId}, }, { name: "global role grant this and children returns global and org groups", @@ -95,13 +99,13 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"ids=*;type=group;actions=list,read"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=list,read"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, - }, + }), wantErr: nil, wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId}, }, @@ -111,13 +115,13 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, - }, + }), wantErr: nil, wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId, proj1Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, }, @@ -127,13 +131,13 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: org2.PublicId, Recursive: true, }, - roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeDescendants}, }, - }, + }), wantErr: nil, wantIDs: []string{org2Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, }, @@ -143,13 +147,13 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: org2.PublicId, Recursive: true, }, - roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org2.PublicId, - GrantStrings: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org2.PublicId, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - }, + }), wantErr: nil, wantIDs: []string{org2Group.PublicId}, }, @@ -159,15 +163,15 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{ + Grants: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, - }, + }), wantErr: handlers.ForbiddenError(), wantIDs: nil, }, @@ -177,18 +181,18 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"ids=*;type=group;actions=read,list"}, - GrantScopes: []string{proj1.PublicId, proj2.PublicId, proj3.PublicId}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=read,list"}, + GrantScopes: []string{proj1.PublicId, proj2.PublicId, proj3.PublicId}, }, { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"ids=*;type=group;actions=read,list"}, - GrantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=read,list"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - }, + }), wantErr: nil, wantIDs: []string{globalGroup.PublicId, proj1Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, }, @@ -198,13 +202,13 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - roleGrantsForToken: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"ids=*;type=target;actions=read,list"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"ids=*;type=target;actions=read,list"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, - }, + }), wantErr: handlers.ForbiddenError(), wantIDs: nil, }, @@ -212,8 +216,16 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.roleGrantsForToken) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + user := tc.userFunc() + authMethod := password.TestAuthMethod(t, conn, globals.GlobalPrefix) + loginName, err := uuid.GenerateUUID() + require.NoError(t, err) + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) + _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) + require.NoError(t, err) + tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + require.NoError(t, err) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) @@ -232,18 +244,35 @@ func TestGrants_ReadActions(t *testing.T) { t.Run("Get", func(t *testing.T) { testcases := []struct { name string - rolesToCreate []authtoken.TestRoleGrantsForToken + userFunc func() *iam.User inputWantErrMap map[*pbs.GetGroupRequest]error }{ { - name: "global role grant this scope with all permissions", - rolesToCreate: []authtoken.TestRoleGrantsForToken{ + name: "global role group grant this scope with all permissions", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: nil, + {Id: org1Group.PublicId}: handlers.ForbiddenError(), + {Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, + }, + { + name: "global role group grant this scope with all permissions", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), inputWantErrMap: map[*pbs.GetGroupRequest]error{ {Id: globalGroup.PublicId}: nil, {Id: org1Group.PublicId}: handlers.ForbiddenError(), @@ -254,13 +283,13 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant children scopes with all permissions", - rolesToCreate: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, - }, + }), inputWantErrMap: map[*pbs.GetGroupRequest]error{ {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: nil, @@ -271,13 +300,13 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant descendant scopes with all permissions", - rolesToCreate: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeDescendants}, }, - }, + }), inputWantErrMap: map[*pbs.GetGroupRequest]error{ {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: nil, @@ -288,13 +317,13 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and children scopes with all permissions", - rolesToCreate: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, - }, + }), inputWantErrMap: map[*pbs.GetGroupRequest]error{ {Id: globalGroup.PublicId}: nil, {Id: org1Group.PublicId}: nil, @@ -305,13 +334,13 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and descendant scopes with all permissions", - rolesToCreate: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, - }, + }), inputWantErrMap: map[*pbs.GetGroupRequest]error{ {Id: globalGroup.PublicId}: nil, {Id: org1Group.PublicId}: nil, @@ -322,13 +351,13 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant this scope with all permissions", - rolesToCreate: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org1.GetPublicId(), - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org1.GetPublicId(), + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - }, + }), inputWantErrMap: map[*pbs.GetGroupRequest]error{ {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: nil, @@ -339,13 +368,13 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant children scope with all permissions", - rolesToCreate: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org1.GetPublicId(), - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: org1.GetPublicId(), + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, - }, + }), inputWantErrMap: map[*pbs.GetGroupRequest]error{ {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: handlers.ForbiddenError(), @@ -356,13 +385,13 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant this and children scopes with all permissions", - rolesToCreate: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org1.GetPublicId(), - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + RoleScopeID: org1.GetPublicId(), + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, - }, + }), inputWantErrMap: map[*pbs.GetGroupRequest]error{ {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: nil, @@ -373,13 +402,13 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "proj1 role grant this scope with all permissions", - rolesToCreate: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: proj1.GetPublicId(), - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: proj1.GetPublicId(), + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - }, + }), inputWantErrMap: map[*pbs.GetGroupRequest]error{ {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: handlers.ForbiddenError(), @@ -390,13 +419,13 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and descendant scope with read permissions on specific group", - rolesToCreate: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{fmt.Sprintf("ids=%s;types=group ;actions=read", org1Group.PublicId)}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{fmt.Sprintf("ids=%s;types=group ;actions=read", org1Group.PublicId)}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, - }, + }), inputWantErrMap: map[*pbs.GetGroupRequest]error{ {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: nil, @@ -407,16 +436,16 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and specific scopes with read permissions on specific group", - rolesToCreate: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{ + Grants: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, GrantScopes: []string{org1.PublicId, proj1.PublicId}, }, - }, + }), inputWantErrMap: map[*pbs.GetGroupRequest]error{ {Id: globalGroup.PublicId}: handlers.ForbiddenError(), {Id: org1Group.PublicId}: nil, @@ -427,23 +456,23 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "union multiple role grant specific resources permissions", - rolesToCreate: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{ + Grants: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", globalGroup.PublicId), }, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: org1.GetPublicId(), - GrantStrings: []string{ + Grants: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, - }, + }), inputWantErrMap: map[*pbs.GetGroupRequest]error{ {Id: globalGroup.PublicId}: nil, {Id: org1Group.PublicId}: nil, @@ -456,8 +485,16 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + user := tc.userFunc() + authMethod := password.TestAuthMethod(t, conn, globals.GlobalPrefix) + loginName, err := uuid.GenerateUUID() + require.NoError(t, err) + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) + _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) + require.NoError(t, err) + tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + require.NoError(t, err) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) for input, wantErr := range tc.inputWantErrMap { _, err := s.GetGroup(fullGrantAuthCtx, input) // not found means expect error @@ -494,9 +531,12 @@ func TestWrites(t *testing.T) { t.Run("create", func(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) wrap := db.TestWrapper(t) kmsCache := kms.TestKms(t, conn, wrap) iamRepo := iam.TestRepo(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } @@ -510,38 +550,45 @@ func TestWrites(t *testing.T) { allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} testcases := []struct { name string - roles []authtoken.TestRoleGrantsForToken + userFunc func() *iam.User canCreateInScopes []string }{ { name: "grant all can create all", - roles: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, - }, + }), canCreateInScopes: allScopeIDs, }, { name: "grant children can only create in orgs", - roles: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, - }, + }), canCreateInScopes: []string{org1.PublicId, org2.PublicId}, }, } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.roles) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - + user := tc.userFunc() + authMethod := password.TestAuthMethod(t, conn, globals.GlobalPrefix) + loginName, err := uuid.GenerateUUID() + require.NoError(t, err) + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) + _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) + require.NoError(t, err) + tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + require.NoError(t, err) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) for _, scope := range allScopeIDs { name, err := uuid.GenerateUUID() require.NoError(t, err) @@ -567,12 +614,16 @@ func TestWrites(t *testing.T) { t.Run("delete", func(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) wrap := db.TestWrapper(t) iamRepo := iam.TestRepo(t, conn, wrap) kmsCache := kms.TestKms(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) @@ -583,29 +634,29 @@ func TestWrites(t *testing.T) { allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} testcases := []struct { name string - roles []authtoken.TestRoleGrantsForToken + userFunc func() *iam.User deleteAllowedAtScopeIDs []string }{ { name: "grant all can delete all", - roles: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, - }, + }), deleteAllowedAtScopeIDs: allScopeIDs, }, { name: "grant children can only delete in orgs", - roles: []authtoken.TestRoleGrantsForToken{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, - }, + }), deleteAllowedAtScopeIDs: []string{org1.PublicId, org2.PublicId}, }, } @@ -618,8 +669,16 @@ func TestWrites(t *testing.T) { g := iam.TestGroup(t, conn, scp) scopeIdGroupMap[scp] = g } - tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.roles) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + user := tc.userFunc() + authMethod := password.TestAuthMethod(t, conn, globals.GlobalPrefix) + loginName, err := uuid.GenerateUUID() + require.NoError(t, err) + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) + _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) + require.NoError(t, err) + tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + require.NoError(t, err) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) for scope, group := range scopeIdGroupMap { _, err = s.DeleteGroup(fullGrantAuthCtx, &pbs.DeleteGroupRequest{Id: group.PublicId}) if !slices.Contains(tc.deleteAllowedAtScopeIDs, scope) { @@ -634,69 +693,65 @@ func TestWrites(t *testing.T) { t.Run("update", func(t *testing.T) { testcases := []struct { - name string - setupScopesResourcesRoles func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) - wantErr error + name string + setupScopesResourcesAndUser func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() *iam.User) + wantErr error }{ { name: "global_scope_group_good_grant_success", - setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) { + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() *iam.User) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) - roles := []authtoken.TestRoleGrantsForToken{ + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - } - return g, roles + }) }, wantErr: nil, }, { name: "grant specific scope success", - setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) { + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() *iam.User) { _, proj := iam.TestScopes(t, iamRepo) g := iam.TestGroup(t, conn, proj.PublicId) - roles := []authtoken.TestRoleGrantsForToken{ + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{proj.PublicId}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{proj.PublicId}, }, - } - return g, roles + }) }, wantErr: nil, }, { name: "grant specific resource and scope success", - setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) { + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() *iam.User) { _, proj := iam.TestScopes(t, iamRepo) g := iam.TestGroup(t, conn, proj.PublicId) - roles := []authtoken.TestRoleGrantsForToken{ + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{fmt.Sprintf("ids=%s;types=group;actions=*", g.PublicId)}, - GrantScopes: []string{proj.PublicId}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=*", g.PublicId)}, + GrantScopes: []string{proj.PublicId}, }, - } - return g, roles + }) }, wantErr: nil, }, { name: "no grant fails update", - setupScopesResourcesRoles: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []authtoken.TestRoleGrantsForToken) { + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() *iam.User) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) - roles := []authtoken.TestRoleGrantsForToken{ + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeChildren}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, - } - return g, roles + }) }, wantErr: handlers.ForbiddenError(), }, @@ -705,17 +760,27 @@ func TestWrites(t *testing.T) { t.Run(tc.name, func(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) wrap := db.TestWrapper(t) iamRepo := iam.TestRepo(t, conn, wrap) kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) - original, roles := tc.setupScopesResourcesRoles(t, conn, iamRepo) - tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, roles) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + original, userFunc := tc.setupScopesResourcesAndUser(t, conn, iamRepo, kmsCache) + user := userFunc() + authMethod := password.TestAuthMethod(t, conn, globals.GlobalPrefix) + loginName, err := uuid.GenerateUUID() + require.NoError(t, err) + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) + _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) + require.NoError(t, err) + tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, err := s.UpdateGroup(fullGrantAuthCtx, &pbs.UpdateGroupRequest{ Id: original.PublicId, Item: &pb.Group{ @@ -744,12 +809,15 @@ func TestWrites(t *testing.T) { func TestGroupMember(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) wrap := db.TestWrapper(t) iamRepo := iam.TestRepo(t, conn, wrap) kmsCache := kms.TestKms(t, conn, wrap) repoFn := func() (*iam.Repository, error) { return iamRepo, nil } + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) @@ -772,22 +840,24 @@ func TestGroupMember(t *testing.T) { testcases := []struct { name string - setupGroupAndRole func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) + userFunc func() *iam.User + setupGroupAndRole func(t *testing.T) (*iam.Group, func() *iam.User) // collection of actions to be executed in the tests in order, *iam.Group returned from each action which // gets passed to the next action as parameter to preserve information such as `version` increments actions []testActionResult }{ { name: "all actions valid grant success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { + + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { group := iam.TestGroup(t, conn, globals.GlobalPrefix) - return group, []authtoken.TestRoleGrantsForToken{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - } + }) }, actions: []testActionResult{ { @@ -827,20 +897,20 @@ func TestGroupMember(t *testing.T) { }, { name: "only add and set allowed fail to remove", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { group := iam.TestGroup(t, conn, org1.PublicId) - return group, []authtoken.TestRoleGrantsForToken{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org1.PublicId, - GrantStrings: []string{"id=*;type=*;actions=add-members"}, - GrantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org1.PublicId, + Grants: []string{"id=*;type=*;actions=add-members"}, + GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: org1.PublicId, - GrantStrings: []string{"id=*;type=*;actions=set-members"}, - GrantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org1.PublicId, + Grants: []string{"id=*;type=*;actions=set-members"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - } + }) }, actions: []testActionResult{ { @@ -880,15 +950,15 @@ func TestGroupMember(t *testing.T) { }, { name: "add_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { group := iam.TestGroup(t, conn, org2.PublicId) - return group, []authtoken.TestRoleGrantsForToken{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org2.PublicId, - GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, - GrantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: org2.PublicId, + Grants: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + GrantScopes: []string{globals.GrantScopeThis}, }, - } + }) }, actions: []testActionResult{ { @@ -906,17 +976,17 @@ func TestGroupMember(t *testing.T) { }, { name: "remove_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { group := iam.TestGroup(t, conn, proj2.PublicId) iam.TestGroupMember(t, conn, group.PublicId, org2Users[0].PublicId) iam.TestGroupMember(t, conn, group.PublicId, org2Users[1].PublicId) - return group, []authtoken.TestRoleGrantsForToken{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, - GrantScopes: []string{proj2.PublicId}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, + GrantScopes: []string{proj2.PublicId}, }, - } + }) }, actions: []testActionResult{ { @@ -934,15 +1004,15 @@ func TestGroupMember(t *testing.T) { }, { name: "cross_scope_add_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { group := iam.TestGroup(t, conn, proj3.PublicId) - return group, []authtoken.TestRoleGrantsForToken{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, - GrantScopes: []string{globals.GrantScopeDescendants}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + GrantScopes: []string{globals.GrantScopeDescendants}, }, - } + }) }, actions: []testActionResult{ { @@ -962,15 +1032,15 @@ func TestGroupMember(t *testing.T) { }, { name: "add_member_with_valid_grant_string_invalid_scope_forbidden_error", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { group := iam.TestGroup(t, conn, org2.PublicId) - return group, []authtoken.TestRoleGrantsForToken{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, - GrantStrings: []string{"id=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - } + }) }, actions: []testActionResult{ { @@ -988,25 +1058,25 @@ func TestGroupMember(t *testing.T) { }, { name: "multiple_grants_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, []authtoken.TestRoleGrantsForToken) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { group := iam.TestGroup(t, conn, proj2.PublicId) - return group, []authtoken.TestRoleGrantsForToken{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ { - RoleScopeID: proj2.PublicId, - GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, - GrantScopes: []string{proj2.PublicId}, + RoleScopeID: proj2.PublicId, + Grants: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + GrantScopes: []string{proj2.PublicId}, }, { - RoleScopeID: proj2.PublicId, - GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=set-members", group.PublicId)}, - GrantScopes: []string{proj2.PublicId}, + RoleScopeID: proj2.PublicId, + Grants: []string{fmt.Sprintf("id=%s;types=group;actions=set-members", group.PublicId)}, + GrantScopes: []string{proj2.PublicId}, }, { - RoleScopeID: proj2.PublicId, - GrantStrings: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, - GrantScopes: []string{proj2.PublicId}, + RoleScopeID: proj2.PublicId, + Grants: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, + GrantScopes: []string{proj2.PublicId}, }, - } + }) }, actions: []testActionResult{ { @@ -1048,9 +1118,16 @@ func TestGroupMember(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - group, roleReqs := tc.setupGroupAndRole(t) - tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, roleReqs) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + group, userFn := tc.setupGroupAndRole(t) + user := userFn() + authMethod := password.TestAuthMethod(t, conn, globals.GlobalPrefix) + loginName, err := uuid.GenerateUUID() + require.NoError(t, err) + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) + _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) + require.NoError(t, err) + tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) for _, act := range tc.actions { out, err := act.action(fullGrantAuthCtx, group) if act.wantErr != nil { diff --git a/internal/iam/testing.go b/internal/iam/testing.go index 970a920acb..2976e9a94b 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -223,36 +223,6 @@ func TestRole(t testing.TB, conn *db.DB, scopeId string, opt ...Option) *Role { return role } -// TestRoleWithGrants creates a role suitable for testing along with grants -// Functional options for GrantScopeIDs aren't used to express that -// this function does not provide any default grant scope unlike TestRole -func TestRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs []string, grants []string) *Role { - t.Helper() - - ctx := context.Background() - require := require.New(t) - rw := db.New(conn) - - role, err := NewRole(ctx, scopeId) - require.NoError(err) - id, err := newRoleId(ctx) - require.NoError(err) - role.PublicId = id - require.NoError(rw.Create(ctx, role)) - require.NotEmpty(role.PublicId) - - for _, gsi := range grantScopeIDs { - gs, err := NewRoleGrantScope(ctx, id, gsi) - require.NoError(err) - require.NoError(rw.Create(ctx, gs)) - role.GrantScopes = append(role.GrantScopes, gs) - } - for _, g := range grants { - _ = TestRoleGrant(t, conn, role.PublicId, g) - } - return role -} - func TestRoleGrant(t testing.TB, conn *db.DB, roleId, grant string, opt ...Option) *RoleGrant { t.Helper() require := require.New(t) @@ -345,6 +315,114 @@ func TestManagedGroupRole(t testing.TB, conn *db.DB, roleId, managedGrpId string return r } +type TestRoleGrantsRequest struct { + RoleScopeID string + GrantScopes []string + Grants []string +} + +type TestGrantAssociationMethod int + +const ( + TestGrantsForUserDirectAssociation TestGrantAssociationMethod = iota + TestGrantsForUserGroupAssociation + TestGrantsForUserManagedGroupAssociation +) + +// TestRoleWithGrants creates a role suitable for testing along with grants +// Functional options for GrantScopes aren't used to express that +// this function does not provide any default grant scope unlike TestRole +func TestRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs []string, grants []string) *Role { + t.Helper() + + ctx := context.Background() + require := require.New(t) + rw := db.New(conn) + + role, err := NewRole(ctx, scopeId) + require.NoError(err) + id, err := newRoleId(ctx) + require.NoError(err) + role.PublicId = id + require.NoError(rw.Create(ctx, role)) + require.NotEmpty(role.PublicId) + + for _, gsi := range grantScopeIDs { + gs, err := NewRoleGrantScope(ctx, id, gsi) + require.NoError(err) + require.NoError(rw.Create(ctx, gs)) + role.GrantScopes = append(role.GrantScopes, gs) + } + for _, g := range grants { + _ = TestRoleGrant(t, conn, role.PublicId, g) + } + return role +} + +// TestUserDirectGrantsFunc returns a function that creates a user which has been given +// the request grants via direct association +func TestUserDirectGrantsFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string, testRoleGrants []TestRoleGrantsRequest) func() *User { + return func() *User { + t.Helper() + ctx := context.Background() + rw := db.New(conn) + repo, err := NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + u, err := NewUser(ctx, scopeID) + require.NoError(t, err) + user, err := repo.CreateUser(ctx, u) + require.NoError(t, err) + for _, trg := range testRoleGrants { + role := TestRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) + _ = TestUserRole(t, conn, role.PublicId, user.PublicId) + } + return user + } +} + +// TestUserGroupGrantsFunc returns a function that creates a user which has been given +// the request grants via direct association. +// Group is created as a part of this method +func TestUserGroupGrantsFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string, testRoleGrants []TestRoleGrantsRequest) func() *User { + return func() *User { + t.Helper() + ctx := context.Background() + rw := db.New(conn) + role, err := NewRole(ctx, scopeID) + require.NoError(t, err) + id, err := newRoleId(ctx) + require.NoError(t, err) + role.PublicId = id + require.NoError(t, rw.Create(ctx, role)) + require.NotEmpty(t, role.PublicId) + repo, err := NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + g, err := NewGroup(ctx, scopeID) + require.NoError(t, err) + group, err := repo.CreateGroup(ctx, g) + require.NoError(t, err) + u, err := NewUser(ctx, scopeID) + require.NoError(t, err) + user, err := repo.CreateUser(ctx, u) + require.NoError(t, err) + for _, trg := range testRoleGrants { + for _, gsi := range trg.GrantScopes { + gs, err := NewRoleGrantScope(ctx, id, gsi) + require.NoError(t, err) + require.NoError(t, rw.Create(ctx, gs)) + role.GrantScopes = append(role.GrantScopes, gs) + } + for _, g := range trg.Grants { + _ = TestRoleGrant(t, conn, role.PublicId, g) + } + _ = TestGroupRole(t, conn, role.PublicId, group.PublicId) + } + _, err = repo.AddGroupMembers(ctx, group.PublicId, group.Version, []string{user.PublicId}) + require.NoError(t, err) + return user + } +} + // testAccount is a temporary test function. TODO - replace with an auth // subsystem testAccount function. If userId is zero value, then an auth // account will be created with a null IamUserId From 1054b0c7bb8b11e2d3fa3d0a7a05e70354780800 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 29 Jan 2025 14:49:52 -0800 Subject: [PATCH 23/62] unexport utility function --- internal/iam/testing.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/iam/testing.go b/internal/iam/testing.go index 2976e9a94b..240fbb0e60 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -329,10 +329,10 @@ const ( TestGrantsForUserManagedGroupAssociation ) -// TestRoleWithGrants creates a role suitable for testing along with grants +// testRoleWithGrants creates a role suitable for testing along with grants // Functional options for GrantScopes aren't used to express that // this function does not provide any default grant scope unlike TestRole -func TestRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs []string, grants []string) *Role { +func testRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs []string, grants []string) *Role { t.Helper() ctx := context.Background() @@ -373,7 +373,7 @@ func TestUserDirectGrantsFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scop user, err := repo.CreateUser(ctx, u) require.NoError(t, err) for _, trg := range testRoleGrants { - role := TestRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) + role := testRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) _ = TestUserRole(t, conn, role.PublicId, user.PublicId) } return user From aaff0ded2b5793ccf399701f57b27f4a6ffd06dc Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 29 Jan 2025 14:51:47 -0800 Subject: [PATCH 24/62] Remove dead code --- internal/iam/testing.go | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/internal/iam/testing.go b/internal/iam/testing.go index 240fbb0e60..cf23370151 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -315,20 +315,6 @@ func TestManagedGroupRole(t testing.TB, conn *db.DB, roleId, managedGrpId string return r } -type TestRoleGrantsRequest struct { - RoleScopeID string - GrantScopes []string - Grants []string -} - -type TestGrantAssociationMethod int - -const ( - TestGrantsForUserDirectAssociation TestGrantAssociationMethod = iota - TestGrantsForUserGroupAssociation - TestGrantsForUserManagedGroupAssociation -) - // testRoleWithGrants creates a role suitable for testing along with grants // Functional options for GrantScopes aren't used to express that // this function does not provide any default grant scope unlike TestRole @@ -359,6 +345,12 @@ func testRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs return role } +type TestRoleGrantsRequest struct { + RoleScopeID string + GrantScopes []string + Grants []string +} + // TestUserDirectGrantsFunc returns a function that creates a user which has been given // the request grants via direct association func TestUserDirectGrantsFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string, testRoleGrants []TestRoleGrantsRequest) func() *User { From ec257f0d093c15d2c2eeb372af351dc6ab1db207 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 29 Jan 2025 15:00:01 -0800 Subject: [PATCH 25/62] lint and make gen --- internal/daemon/controller/handlers/groups/grants_test.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 682386d921..ff2883a75e 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -6,11 +6,11 @@ package groups_test import ( "context" "fmt" - "github.com/hashicorp/boundary/internal/auth/password" "slices" "testing" "github.com/hashicorp/boundary/globals" + "github.com/hashicorp/boundary/internal/auth/password" "github.com/hashicorp/boundary/internal/authtoken" "github.com/hashicorp/boundary/internal/daemon/controller/auth" "github.com/hashicorp/boundary/internal/daemon/controller/handlers" @@ -780,6 +780,7 @@ func TestWrites(t *testing.T) { _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) require.NoError(t, err) tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + require.NoError(t, err) fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, err := s.UpdateGroup(fullGrantAuthCtx, &pbs.UpdateGroupRequest{ Id: original.PublicId, @@ -1127,6 +1128,7 @@ func TestGroupMember(t *testing.T) { _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) require.NoError(t, err) tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + require.NoError(t, err) fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) for _, act := range tc.actions { out, err := act.action(fullGrantAuthCtx, group) From 55c27bc65e5c30c1eeb34942ac7fc6a0caee3360 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 29 Jan 2025 16:09:08 -0800 Subject: [PATCH 26/62] fix role cration logic --- internal/iam/testing.go | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/internal/iam/testing.go b/internal/iam/testing.go index cf23370151..7f4c763917 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -373,7 +373,7 @@ func TestUserDirectGrantsFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scop } // TestUserGroupGrantsFunc returns a function that creates a user which has been given -// the request grants via direct association. +// the request grants by being a part of a group. // Group is created as a part of this method func TestUserGroupGrantsFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string, testRoleGrants []TestRoleGrantsRequest) func() *User { return func() *User { @@ -398,15 +398,7 @@ func TestUserGroupGrantsFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scope user, err := repo.CreateUser(ctx, u) require.NoError(t, err) for _, trg := range testRoleGrants { - for _, gsi := range trg.GrantScopes { - gs, err := NewRoleGrantScope(ctx, id, gsi) - require.NoError(t, err) - require.NoError(t, rw.Create(ctx, gs)) - role.GrantScopes = append(role.GrantScopes, gs) - } - for _, g := range trg.Grants { - _ = TestRoleGrant(t, conn, role.PublicId, g) - } + role := testRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) _ = TestGroupRole(t, conn, role.PublicId, group.PublicId) } _, err = repo.AddGroupMembers(ctx, group.PublicId, group.Version, []string{user.PublicId}) From 564e52306a416dea8bf80c5e494e8d9a240aa102 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 11 Feb 2025 18:21:22 -0800 Subject: [PATCH 27/62] fix password TestAccountFunc implementation --- internal/auth/password/testing.go | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/internal/auth/password/testing.go b/internal/auth/password/testing.go index 0273c28e7a..dbd67ff504 100644 --- a/internal/auth/password/testing.go +++ b/internal/auth/password/testing.go @@ -8,7 +8,9 @@ import ( "fmt" "testing" + "github.com/hashicorp/boundary/globals" "github.com/hashicorp/boundary/internal/db" + "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -71,6 +73,19 @@ func TestMultipleAccounts(t testing.TB, conn *db.DB, authMethodId string, count return auts } +// TestAccountFunc returns a function that creates auth method and an account in that auth method +// which returns the created account ID in a slice +// This is used to normalize account creation across multiple auth method types +func TestAccountFunc(t testing.TB, conn *db.DB) func() string { + return func() string { + authMethod := TestAuthMethod(t, conn, globals.GlobalPrefix) + loginName, err := uuid.GenerateUUID() + require.NoError(t, err) + acct := TestAccount(t, conn, authMethod.GetPublicId(), loginName) + return acct.PublicId + } +} + // TestAccount creates a password account to the provided DB with the provided // auth method id and loginName. The auth method must have been created // previously. See password.NewAccount(...) for a list of supported options. From d83a9fd1d43b017a3e3560d8e48ad10996da0a72 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 11 Feb 2025 18:21:37 -0800 Subject: [PATCH 28/62] implement TestAccountFunc for LDAP --- internal/auth/ldap/testing.go | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/internal/auth/ldap/testing.go b/internal/auth/ldap/testing.go index c33bf5f7d8..cea3dc3e2e 100644 --- a/internal/auth/ldap/testing.go +++ b/internal/auth/ldap/testing.go @@ -20,6 +20,7 @@ import ( "time" "github.com/hashicorp/boundary/internal/db" + "github.com/hashicorp/boundary/internal/kms" wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/stretchr/testify/require" ) @@ -175,6 +176,21 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, loginName string, op return a } +// TestAccountFunc returns a function that creates an LDAP auth method, a managed group, and an account in that method which +// is also a member of the created ManagedGroup. The function returns the public ID of the managed group and the account. +func TestAccountFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) func() (managedGroupID string, accountID string) { + return func() (string, string) { + t.Helper() + ctx := context.Background() + databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeID, kms.KeyPurposeDatabase) + require.NoError(t, err) + am := TestAuthMethod(t, conn, databaseWrapper, scopeID, []string{"ldap://testldap"}) + managedGroup := TestManagedGroup(t, conn, am, []string{"test-group"}) + acct := TestAccount(t, conn, am, "testacct", WithMemberOfGroups(ctx, "test-group")) + return managedGroup.PublicId, acct.PublicId + } +} + // TestManagedGroup creates a test ldap managed group. func TestManagedGroup(t testing.TB, conn *db.DB, am *AuthMethod, grpNames []string, opt ...Option) *ManagedGroup { t.Helper() From 5bd96710119996da848ea5c2cba02885ca6a6602 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 11 Feb 2025 18:21:46 -0800 Subject: [PATCH 29/62] implement TestAccountFunc for OIDC --- internal/auth/oidc/testing.go | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/internal/auth/oidc/testing.go b/internal/auth/oidc/testing.go index 5ec87d0f0f..ce6976fb4a 100644 --- a/internal/auth/oidc/testing.go +++ b/internal/auth/oidc/testing.go @@ -192,6 +192,25 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, subject string, opt return a } +// TestAccountFunc returns a function that creates an OIDC auth method, an account on that auth method, and an OIDC managed group +// which has a filter that matches the account's subject. The function returns the managed group's public ID and the account's public ID. +func TestAccountFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) func() (managedGroupID string, accountID string) { + return func() (string, string) { + t.Helper() + databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeID, kms.KeyPurposeDatabase) + require.NoError(t, err) + testAuthMethod := TestAuthMethod(t, conn, databaseWrapper, scopeID, ActivePublicState, + "alice-rp", "fido", + WithIssuer(TestConvertToUrls(t, "https://alice.com")[0]), + WithSigningAlgs(Alg(oidc.RS256)), + WithApiUrl(TestConvertToUrls(t, "https://alice.com/callback")[0])) + account := TestAccount(t, conn, testAuthMethod, "testacct") + managedGroup := TestManagedGroup(t, conn, testAuthMethod, `"/token/sub" matches ".*"`) + TestManagedGroupMember(t, conn, managedGroup.PublicId, account.PublicId) + return managedGroup.PublicId, account.PublicId + } +} + // TestManagedGroup creates a test oidc managed group. func TestManagedGroup(t testing.TB, conn *db.DB, am *AuthMethod, filter string, opt ...Option) *ManagedGroup { t.Helper() From dde6d2aea2b99b6f21fdc668b2728b66f7e56fa3 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 11 Feb 2025 18:22:07 -0800 Subject: [PATCH 30/62] implement TestUserFunc for managed groups --- internal/iam/testing.go | 83 ++++++++++++++++++++++++++++++++--------- 1 file changed, 65 insertions(+), 18 deletions(-) diff --git a/internal/iam/testing.go b/internal/iam/testing.go index 7f4c763917..b8de2aa4d0 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -351,35 +351,85 @@ type TestRoleGrantsRequest struct { Grants []string } -// TestUserDirectGrantsFunc returns a function that creates a user which has been given -// the request grants via direct association -func TestUserDirectGrantsFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string, testRoleGrants []TestRoleGrantsRequest) func() *User { - return func() *User { +// TestUserManagedGroupGrantsFunc returns a function that creates a user which has been given +// the request grants through managed group. +// Note: This method is not responsible for associating the user to the managed group. That action needs to be done +// by the caller +// This function returns iam.User and the AccountID from the account setup func +func TestUserManagedGroupGrantsFunc( + t *testing.T, + conn *db.DB, + kmsCache *kms.Kms, + scopeID string, + managedGroupAccountSetupFunc func() (string, string), + testRoleGrants []TestRoleGrantsRequest) func() (*User, string) { + return func() (*User, string) { t.Helper() ctx := context.Background() rw := db.New(conn) repo, err := NewRepository(ctx, rw, rw, kmsCache) require.NoError(t, err) - u, err := NewUser(ctx, scopeID) + managedGroupID, accountID := managedGroupAccountSetupFunc() + user := TestUser(t, repo, scopeID, WithAccountIds(accountID)) + for _, trg := range testRoleGrants { + role := testRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) + _ = TestManagedGroupRole(t, conn, role.PublicId, managedGroupID) + } + user, acctIDs, err := repo.LookupUser(ctx, user.PublicId) require.NoError(t, err) - user, err := repo.CreateUser(ctx, u) + require.Len(t, acctIDs, 1) + return user, acctIDs[0] + } +} + +// TestUserDirectGrantsFunc returns a function that creates and returns user which has been given +// the request grants via direct association. +// This function returns iam.User and the AccountID from the account setup func +func TestUserDirectGrantsFunc( + t *testing.T, + conn *db.DB, + kmsCache *kms.Kms, + scopeID string, + accountIDFunc func() string, + testRoleGrants []TestRoleGrantsRequest) func() (*User, string) { + return func() (*User, string) { + t.Helper() + accountID := accountIDFunc() + ctx := context.Background() + rw := db.New(conn) + repo, err := NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + user := TestUser(t, repo, scopeID, WithAccountIds(accountID)) require.NoError(t, err) for _, trg := range testRoleGrants { role := testRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) _ = TestUserRole(t, conn, role.PublicId, user.PublicId) } - return user + user, acctIDs, err := repo.LookupUser(ctx, user.PublicId) + require.NoError(t, err) + require.Len(t, acctIDs, 1) + return user, acctIDs[0] } } // TestUserGroupGrantsFunc returns a function that creates a user which has been given // the request grants by being a part of a group. // Group is created as a part of this method -func TestUserGroupGrantsFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string, testRoleGrants []TestRoleGrantsRequest) func() *User { - return func() *User { +// This function returns iam.User and the AccountID from the account setup func +func TestUserGroupGrantsFunc( + t *testing.T, + conn *db.DB, + kmsCache *kms.Kms, + scopeID string, + accountIDsFunc func() string, + testRoleGrants []TestRoleGrantsRequest) func() (*User, string) { + return func() (*User, string) { t.Helper() + accountID := accountIDsFunc() ctx := context.Background() rw := db.New(conn) + repo, err := NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) role, err := NewRole(ctx, scopeID) require.NoError(t, err) id, err := newRoleId(ctx) @@ -387,23 +437,20 @@ func TestUserGroupGrantsFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scope role.PublicId = id require.NoError(t, rw.Create(ctx, role)) require.NotEmpty(t, role.PublicId) - repo, err := NewRepository(ctx, rw, rw, kmsCache) require.NoError(t, err) - g, err := NewGroup(ctx, scopeID) - require.NoError(t, err) - group, err := repo.CreateGroup(ctx, g) - require.NoError(t, err) - u, err := NewUser(ctx, scopeID) - require.NoError(t, err) - user, err := repo.CreateUser(ctx, u) + group := TestGroup(t, conn, scopeID) require.NoError(t, err) + user := TestUser(t, repo, scopeID, WithAccountIds(accountID)) for _, trg := range testRoleGrants { role := testRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) _ = TestGroupRole(t, conn, role.PublicId, group.PublicId) } _, err = repo.AddGroupMembers(ctx, group.PublicId, group.Version, []string{user.PublicId}) require.NoError(t, err) - return user + user, acctIDs, err := repo.LookupUser(ctx, user.PublicId) + require.NoError(t, err) + require.Len(t, acctIDs, 1) + return user, acctIDs[0] } } From 877c6b9ffeb22603d22c941fb3f0c7a5ffbacb34 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 11 Feb 2025 18:22:17 -0800 Subject: [PATCH 31/62] use managed groups in grants test --- .../controller/handlers/groups/grants_test.go | 186 ++++++++---------- 1 file changed, 84 insertions(+), 102 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index ff2883a75e..e21124cb80 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -10,6 +10,8 @@ import ( "testing" "github.com/hashicorp/boundary/globals" + "github.com/hashicorp/boundary/internal/auth/ldap" + "github.com/hashicorp/boundary/internal/auth/oidc" "github.com/hashicorp/boundary/internal/auth/password" "github.com/hashicorp/boundary/internal/authtoken" "github.com/hashicorp/boundary/internal/daemon/controller/auth" @@ -73,7 +75,7 @@ func TestGrants_ReadActions(t *testing.T) { testcases := []struct { name string input *pbs.ListGroupsRequest - userFunc func() *iam.User + userFunc func() (*iam.User, string) wantErr error wantIDs []string }{ @@ -84,7 +86,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -99,7 +101,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=list,read"}, @@ -109,13 +111,29 @@ func TestGrants_ReadActions(t *testing.T) { wantErr: nil, wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId}, }, + { + name: "global role grant via managed groups this and children returns org and proj groups", + input: &pbs.ListGroupsRequest{ + ScopeId: org1.PublicId, + Recursive: true, + }, + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: org1.PublicId, + Grants: []string{"ids=*;type=group;actions=list,read"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + }, + }), + wantErr: nil, + wantIDs: []string{org1Group.PublicId, proj1Group.PublicId}, + }, { name: "global role grant this and descendant returns all groups", input: &pbs.ListGroupsRequest{ ScopeId: globals.GlobalPrefix, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -131,7 +149,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: org2.PublicId, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -142,12 +160,12 @@ func TestGrants_ReadActions(t *testing.T) { wantIDs: []string{org2Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, }, { - name: "org role grant children IDs only org children", + name: "LDAP org role grant children IDs only org children", input: &pbs.ListGroupsRequest{ ScopeId: org2.PublicId, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: org2.PublicId, Grants: []string{"ids=*;type=*;actions=*"}, @@ -163,7 +181,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{ @@ -181,7 +199,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read,list"}, @@ -202,7 +220,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=target;actions=read,list"}, @@ -216,14 +234,8 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user := tc.userFunc() - authMethod := password.TestAuthMethod(t, conn, globals.GlobalPrefix) - loginName, err := uuid.GenerateUUID() - require.NoError(t, err) - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) - _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) - require.NoError(t, err) - tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + user, accountID := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input) @@ -244,12 +256,12 @@ func TestGrants_ReadActions(t *testing.T) { t.Run("Get", func(t *testing.T) { testcases := []struct { name string - userFunc func() *iam.User + userFunc func() (*iam.User, string) inputWantErrMap map[*pbs.GetGroupRequest]error }{ { name: "global role group grant this scope with all permissions", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -266,7 +278,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role group grant this scope with all permissions", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -283,7 +295,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant children scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -300,7 +312,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant descendant scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -317,7 +329,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and children scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -334,7 +346,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and descendant scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -351,7 +363,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant this scope with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.GetPublicId(), Grants: []string{"id=*;type=*;actions=*"}, @@ -368,7 +380,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant children scope with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.GetPublicId(), Grants: []string{"id=*;type=*;actions=*"}, @@ -385,7 +397,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant this and children scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.GetPublicId(), Grants: []string{"id=*;type=*;actions=*"}, @@ -402,7 +414,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "proj1 role grant this scope with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: proj1.GetPublicId(), Grants: []string{"id=*;type=*;actions=*"}, @@ -419,7 +431,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and descendant scope with read permissions on specific group", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{fmt.Sprintf("ids=%s;types=group ;actions=read", org1Group.PublicId)}, @@ -436,7 +448,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and specific scopes with read permissions on specific group", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{ @@ -456,7 +468,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "union multiple role grant specific resources permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{ @@ -485,14 +497,8 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user := tc.userFunc() - authMethod := password.TestAuthMethod(t, conn, globals.GlobalPrefix) - loginName, err := uuid.GenerateUUID() - require.NoError(t, err) - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) - _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) - require.NoError(t, err) - tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + user, accountID := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) for input, wantErr := range tc.inputWantErrMap { @@ -550,12 +556,12 @@ func TestWrites(t *testing.T) { allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} testcases := []struct { name string - userFunc func() *iam.User + userFunc func() (*iam.User, string) canCreateInScopes []string }{ { name: "grant all can create all", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -566,7 +572,7 @@ func TestWrites(t *testing.T) { }, { name: "grant children can only create in orgs", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -579,14 +585,8 @@ func TestWrites(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user := tc.userFunc() - authMethod := password.TestAuthMethod(t, conn, globals.GlobalPrefix) - loginName, err := uuid.GenerateUUID() - require.NoError(t, err) - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) - _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) - require.NoError(t, err) - tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + user, accountID := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) for _, scope := range allScopeIDs { @@ -634,12 +634,12 @@ func TestWrites(t *testing.T) { allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} testcases := []struct { name string - userFunc func() *iam.User + userFunc func() (*iam.User, string) deleteAllowedAtScopeIDs []string }{ { name: "grant all can delete all", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -650,7 +650,7 @@ func TestWrites(t *testing.T) { }, { name: "grant children can only delete in orgs", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -669,14 +669,8 @@ func TestWrites(t *testing.T) { g := iam.TestGroup(t, conn, scp) scopeIdGroupMap[scp] = g } - user := tc.userFunc() - authMethod := password.TestAuthMethod(t, conn, globals.GlobalPrefix) - loginName, err := uuid.GenerateUUID() - require.NoError(t, err) - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) - _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) - require.NoError(t, err) - tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + user, accountID := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) for scope, group := range scopeIdGroupMap { @@ -694,14 +688,14 @@ func TestWrites(t *testing.T) { t.Run("update", func(t *testing.T) { testcases := []struct { name string - setupScopesResourcesAndUser func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() *iam.User) + setupScopesResourcesAndUser func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) wantErr error }{ { name: "global_scope_group_good_grant_success", - setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() *iam.User) { + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) - return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -713,10 +707,10 @@ func TestWrites(t *testing.T) { }, { name: "grant specific scope success", - setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() *iam.User) { + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) { _, proj := iam.TestScopes(t, iamRepo) g := iam.TestGroup(t, conn, proj.PublicId) - return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -728,10 +722,10 @@ func TestWrites(t *testing.T) { }, { name: "grant specific resource and scope success", - setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() *iam.User) { + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) { _, proj := iam.TestScopes(t, iamRepo) g := iam.TestGroup(t, conn, proj.PublicId) - return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=*", g.PublicId)}, @@ -743,9 +737,9 @@ func TestWrites(t *testing.T) { }, { name: "no grant fails update", - setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() *iam.User) { + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) - return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -772,14 +766,8 @@ func TestWrites(t *testing.T) { s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) original, userFunc := tc.setupScopesResourcesAndUser(t, conn, iamRepo, kmsCache) - user := userFunc() - authMethod := password.TestAuthMethod(t, conn, globals.GlobalPrefix) - loginName, err := uuid.GenerateUUID() - require.NoError(t, err) - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) - _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) - require.NoError(t, err) - tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + user, accountID := userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, err := s.UpdateGroup(fullGrantAuthCtx, &pbs.UpdateGroupRequest{ @@ -842,7 +830,7 @@ func TestGroupMember(t *testing.T) { testcases := []struct { name string userFunc func() *iam.User - setupGroupAndRole func(t *testing.T) (*iam.Group, func() *iam.User) + setupGroupAndRole func(t *testing.T) (*iam.Group, func() (*iam.User, string)) // collection of actions to be executed in the tests in order, *iam.Group returned from each action which // gets passed to the next action as parameter to preserve information such as `version` increments actions []testActionResult @@ -850,9 +838,9 @@ func TestGroupMember(t *testing.T) { { name: "all actions valid grant success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, globals.GlobalPrefix) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -898,9 +886,9 @@ func TestGroupMember(t *testing.T) { }, { name: "only add and set allowed fail to remove", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, org1.PublicId) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.PublicId, Grants: []string{"id=*;type=*;actions=add-members"}, @@ -951,9 +939,9 @@ func TestGroupMember(t *testing.T) { }, { name: "add_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, org2.PublicId) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: org2.PublicId, Grants: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, @@ -977,11 +965,11 @@ func TestGroupMember(t *testing.T) { }, { name: "remove_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, proj2.PublicId) iam.TestGroupMember(t, conn, group.PublicId, org2Users[0].PublicId) iam.TestGroupMember(t, conn, group.PublicId, org2Users[1].PublicId) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, @@ -1005,9 +993,9 @@ func TestGroupMember(t *testing.T) { }, { name: "cross_scope_add_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, proj3.PublicId) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, @@ -1033,9 +1021,9 @@ func TestGroupMember(t *testing.T) { }, { name: "add_member_with_valid_grant_string_invalid_scope_forbidden_error", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, org2.PublicId) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"id=*;type=*;actions=*"}, @@ -1059,9 +1047,9 @@ func TestGroupMember(t *testing.T) { }, { name: "multiple_grants_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() *iam.User) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, proj2.PublicId) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: proj2.PublicId, Grants: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, @@ -1120,14 +1108,8 @@ func TestGroupMember(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { group, userFn := tc.setupGroupAndRole(t) - user := userFn() - authMethod := password.TestAuthMethod(t, conn, globals.GlobalPrefix) - loginName, err := uuid.GenerateUUID() - require.NoError(t, err) - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) - _, err = iamRepo.SetUserAccounts(ctx, user.PublicId, user.Version, []string{acct.PublicId}) - require.NoError(t, err) - tok, err := atRepo.CreateAuthToken(ctx, user, acct.PublicId) + user, accountID := userFn() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) for _, act := range tc.actions { From 75a244c01ad3104bb7b05bb62e51e217b7115aaf Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 11 Feb 2025 18:47:04 -0800 Subject: [PATCH 32/62] undo removal of authtoken.TestAuthTokenWithRoles for future refactor --- internal/authtoken/testing.go | 36 +++++++++++++++++++ .../handlers/accounts/grants_test.go | 3 +- .../handlers/aliases/grants_test.go | 2 +- .../handlers/authmethods/grants_test.go | 4 +-- .../handlers/authtokens/grants_test.go | 2 +- .../credentiallibraries/grants_test.go | 2 +- .../handlers/credentials/grants_test.go | 2 +- .../handlers/credentialstores/grants_test.go | 2 +- .../handlers/host_catalogs/grants_test.go | 2 +- .../handlers/host_sets/grants_test.go | 2 +- .../controller/handlers/hosts/grants_test.go | 2 +- .../handlers/managed_groups/grants_test.go | 2 +- .../controller/handlers/roles/grants_test.go | 2 +- .../controller/handlers/scopes/grants_test.go | 2 +- .../handlers/targets/tcp/grants_test.go | 2 +- .../controller/handlers/users/grants_test.go | 2 +- .../handlers/workers/grants_test.go | 2 +- internal/iam/testing.go | 19 +++++----- 18 files changed, 65 insertions(+), 25 deletions(-) diff --git a/internal/authtoken/testing.go b/internal/authtoken/testing.go index 2d89bc24e9..6b88afc1ff 100644 --- a/internal/authtoken/testing.go +++ b/internal/authtoken/testing.go @@ -11,9 +11,45 @@ import ( "github.com/hashicorp/boundary/internal/db" "github.com/hashicorp/boundary/internal/iam" "github.com/hashicorp/boundary/internal/kms" + "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/require" ) +// TestRoleGrantsForToken contains information used by TestAuthTokenWithRoles to create +// roles and their associated grants (with grant scopes) +type TestRoleGrantsForToken struct { + RoleScopeID string + GrantStrings []string + GrantScopes []string +} + +// TestAuthTokenWithRoles creates auth token associated with roles as requested by the caller along +// with any required resources to achieve said token +func TestAuthTokenWithRoles(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, roles []TestRoleGrantsForToken) *AuthToken { + t.Helper() + ctx := context.Background() + rw := db.New(conn) + atRepo, err := NewRepository(ctx, rw, rw, kms) + require.NoError(t, err) + + iamRepo, err := iam.NewRepository(ctx, rw, rw, kms) + require.NoError(t, err) + + authMethod := password.TestAuthMethods(t, conn, scopeId, 1)[0] + + loginName, err := uuid.GenerateUUID() + require.NoError(t, err) + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) + user := iam.TestUser(t, iamRepo, scopeId, iam.WithAccountIds(acct.GetPublicId())) + for _, r := range roles { + role := iam.TestRoleWithGrants(t, conn, r.RoleScopeID, r.GrantScopes, r.GrantStrings) + _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) + } + fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) + require.NoError(t, err) + return fullGrantToken +} + // TestAuthToken, despite its name, does more than just return an auth token; it // also creates an auth method, an account, and a user and binds them together, // then creates an auth token against it diff --git a/internal/daemon/controller/handlers/accounts/grants_test.go b/internal/daemon/controller/handlers/accounts/grants_test.go index 53fc16ce8a..5b27810913 100644 --- a/internal/daemon/controller/handlers/accounts/grants_test.go +++ b/internal/daemon/controller/handlers/accounts/grants_test.go @@ -92,7 +92,8 @@ func TestListPassword_Grants(t *testing.T) { s, err := accounts.NewService(ctx, pwRepoFn, oidcRepoFn, ldapRepoFn, 1000) require.NoError(t, err, "Couldn't create new user service.") tok := authtoken.TestAuthTokenWithRoles(t, conn, kms, globals.GlobalPrefix, tc.roleRequest) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + got, gErr := s.ListAccounts(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.Error(t, err) diff --git a/internal/daemon/controller/handlers/aliases/grants_test.go b/internal/daemon/controller/handlers/aliases/grants_test.go index 81973163df..8a2f656f18 100644 --- a/internal/daemon/controller/handlers/aliases/grants_test.go +++ b/internal/daemon/controller/handlers/aliases/grants_test.go @@ -89,7 +89,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListAliases(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/authmethods/grants_test.go b/internal/daemon/controller/handlers/authmethods/grants_test.go index 02ebd550cc..5d94ae389b 100644 --- a/internal/daemon/controller/handlers/authmethods/grants_test.go +++ b/internal/daemon/controller/handlers/authmethods/grants_test.go @@ -165,7 +165,7 @@ func TestGrants_ReadActions(t *testing.T) { // auth method created during token generation will not be taken into considerations during this test // adding to the ignoreList so it can be ignored later ignoreList = append(ignoreList, tok.GetAuthMethodId()) - fullGrantAuthCtx := controllerauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := controllerauth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListAuthMethods(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) @@ -249,7 +249,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := controllerauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := controllerauth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) for amId, wantErr := range tc.amIDExpectErrMap { _, err := s.GetAuthMethod(fullGrantAuthCtx, &pbs.GetAuthMethodRequest{ Id: amId, diff --git a/internal/daemon/controller/handlers/authtokens/grants_test.go b/internal/daemon/controller/handlers/authtokens/grants_test.go index 2394c0b39f..20d6e05d12 100644 --- a/internal/daemon/controller/handlers/authtokens/grants_test.go +++ b/internal/daemon/controller/handlers/authtokens/grants_test.go @@ -108,7 +108,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListAuthTokens(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/credentiallibraries/grants_test.go b/internal/daemon/controller/handlers/credentiallibraries/grants_test.go index 7e4a12ff0b..e00fab7f0a 100644 --- a/internal/daemon/controller/handlers/credentiallibraries/grants_test.go +++ b/internal/daemon/controller/handlers/credentiallibraries/grants_test.go @@ -86,7 +86,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListCredentialLibraries(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/credentials/grants_test.go b/internal/daemon/controller/handlers/credentials/grants_test.go index 2799d0d3e8..35c4517c4f 100644 --- a/internal/daemon/controller/handlers/credentials/grants_test.go +++ b/internal/daemon/controller/handlers/credentials/grants_test.go @@ -121,7 +121,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListCredentials(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/credentialstores/grants_test.go b/internal/daemon/controller/handlers/credentialstores/grants_test.go index 5ff3f50525..eb7fa413c6 100644 --- a/internal/daemon/controller/handlers/credentialstores/grants_test.go +++ b/internal/daemon/controller/handlers/credentialstores/grants_test.go @@ -131,7 +131,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListCredentialStores(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/host_catalogs/grants_test.go b/internal/daemon/controller/handlers/host_catalogs/grants_test.go index 9576fd010e..ace52a339c 100644 --- a/internal/daemon/controller/handlers/host_catalogs/grants_test.go +++ b/internal/daemon/controller/handlers/host_catalogs/grants_test.go @@ -133,7 +133,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListHostCatalogs(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/host_sets/grants_test.go b/internal/daemon/controller/handlers/host_sets/grants_test.go index 4fa763221f..d89e53c391 100644 --- a/internal/daemon/controller/handlers/host_sets/grants_test.go +++ b/internal/daemon/controller/handlers/host_sets/grants_test.go @@ -122,7 +122,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListHostSets(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/hosts/grants_test.go b/internal/daemon/controller/handlers/hosts/grants_test.go index 6715878bfb..e53f7c3e1c 100644 --- a/internal/daemon/controller/handlers/hosts/grants_test.go +++ b/internal/daemon/controller/handlers/hosts/grants_test.go @@ -124,7 +124,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListHosts(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/managed_groups/grants_test.go b/internal/daemon/controller/handlers/managed_groups/grants_test.go index f73ba91c9f..75e2d5c93a 100644 --- a/internal/daemon/controller/handlers/managed_groups/grants_test.go +++ b/internal/daemon/controller/handlers/managed_groups/grants_test.go @@ -108,7 +108,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListManagedGroups(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/roles/grants_test.go b/internal/daemon/controller/handlers/roles/grants_test.go index e55c62121f..54fabb17a3 100644 --- a/internal/daemon/controller/handlers/roles/grants_test.go +++ b/internal/daemon/controller/handlers/roles/grants_test.go @@ -147,7 +147,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) // TestAuthTokenWithRoles creates a default role, so we need to add it to the expected list // if the grant scope contains 'this' diff --git a/internal/daemon/controller/handlers/scopes/grants_test.go b/internal/daemon/controller/handlers/scopes/grants_test.go index b3f99944b4..13e17a18d8 100644 --- a/internal/daemon/controller/handlers/scopes/grants_test.go +++ b/internal/daemon/controller/handlers/scopes/grants_test.go @@ -94,7 +94,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListScopes(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/targets/tcp/grants_test.go b/internal/daemon/controller/handlers/targets/tcp/grants_test.go index cb91035926..73b4d94a9f 100644 --- a/internal/daemon/controller/handlers/targets/tcp/grants_test.go +++ b/internal/daemon/controller/handlers/targets/tcp/grants_test.go @@ -89,7 +89,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kms, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrapper, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrapper, iamRepo, tok) got, finalErr := s.ListTargets(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/users/grants_test.go b/internal/daemon/controller/handlers/users/grants_test.go index a4bc80c486..65aff0a52e 100644 --- a/internal/daemon/controller/handlers/users/grants_test.go +++ b/internal/daemon/controller/handlers/users/grants_test.go @@ -291,7 +291,7 @@ func TestGrants_ReadActions(t *testing.T) { // deleting user to keep assertions clean since we're listing users over and over _, _ = iamRepo.DeleteUser(ctx, tok.IamUserId) }) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) got, finalErr := s.ListUsers(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/workers/grants_test.go b/internal/daemon/controller/handlers/workers/grants_test.go index dc1aef0d28..52213de6fa 100644 --- a/internal/daemon/controller/handlers/workers/grants_test.go +++ b/internal/daemon/controller/handlers/workers/grants_test.go @@ -109,7 +109,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kms, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrapper, tok, iamRepo) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrapper, iamRepo, tok) got, finalErr := s.ListWorkers(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/iam/testing.go b/internal/iam/testing.go index b8de2aa4d0..17f6e81743 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -315,10 +315,10 @@ func TestManagedGroupRole(t testing.TB, conn *db.DB, roleId, managedGrpId string return r } -// testRoleWithGrants creates a role suitable for testing along with grants +// TestRoleWithGrants creates a role suitable for testing along with grants // Functional options for GrantScopes aren't used to express that // this function does not provide any default grant scope unlike TestRole -func testRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs []string, grants []string) *Role { +func TestRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs []string, grants []string) *Role { t.Helper() ctx := context.Background() @@ -362,7 +362,8 @@ func TestUserManagedGroupGrantsFunc( kmsCache *kms.Kms, scopeID string, managedGroupAccountSetupFunc func() (string, string), - testRoleGrants []TestRoleGrantsRequest) func() (*User, string) { + testRoleGrants []TestRoleGrantsRequest, +) func() (*User, string) { return func() (*User, string) { t.Helper() ctx := context.Background() @@ -372,7 +373,7 @@ func TestUserManagedGroupGrantsFunc( managedGroupID, accountID := managedGroupAccountSetupFunc() user := TestUser(t, repo, scopeID, WithAccountIds(accountID)) for _, trg := range testRoleGrants { - role := testRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) + role := TestRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) _ = TestManagedGroupRole(t, conn, role.PublicId, managedGroupID) } user, acctIDs, err := repo.LookupUser(ctx, user.PublicId) @@ -391,7 +392,8 @@ func TestUserDirectGrantsFunc( kmsCache *kms.Kms, scopeID string, accountIDFunc func() string, - testRoleGrants []TestRoleGrantsRequest) func() (*User, string) { + testRoleGrants []TestRoleGrantsRequest, +) func() (*User, string) { return func() (*User, string) { t.Helper() accountID := accountIDFunc() @@ -402,7 +404,7 @@ func TestUserDirectGrantsFunc( user := TestUser(t, repo, scopeID, WithAccountIds(accountID)) require.NoError(t, err) for _, trg := range testRoleGrants { - role := testRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) + role := TestRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) _ = TestUserRole(t, conn, role.PublicId, user.PublicId) } user, acctIDs, err := repo.LookupUser(ctx, user.PublicId) @@ -422,7 +424,8 @@ func TestUserGroupGrantsFunc( kmsCache *kms.Kms, scopeID string, accountIDsFunc func() string, - testRoleGrants []TestRoleGrantsRequest) func() (*User, string) { + testRoleGrants []TestRoleGrantsRequest, +) func() (*User, string) { return func() (*User, string) { t.Helper() accountID := accountIDsFunc() @@ -442,7 +445,7 @@ func TestUserGroupGrantsFunc( require.NoError(t, err) user := TestUser(t, repo, scopeID, WithAccountIds(accountID)) for _, trg := range testRoleGrants { - role := testRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) + role := TestRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) _ = TestGroupRole(t, conn, role.PublicId, group.PublicId) } _, err = repo.AddGroupMembers(ctx, group.PublicId, group.Version, []string{user.PublicId}) From 792f7880cc5045a5c00650382ae72499a2ca4eb0 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 11 Feb 2025 18:58:39 -0800 Subject: [PATCH 33/62] switch from list to map based test case for create tests --- .../controller/handlers/groups/grants_test.go | 42 ++++++++++--------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index e21124cb80..f7f126c83b 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -22,7 +22,6 @@ import ( "github.com/hashicorp/boundary/internal/iam" "github.com/hashicorp/boundary/internal/kms" pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/groups" - "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/require" "google.golang.org/protobuf/types/known/fieldmaskpb" "google.golang.org/protobuf/types/known/wrapperspb" @@ -553,11 +552,10 @@ func TestWrites(t *testing.T) { org2, proj2 := iam.TestScopes(t, iamRepo) proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) - allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} testcases := []struct { name string userFunc func() (*iam.User, string) - canCreateInScopes []string + canCreateInScopes map[*pbs.CreateGroupRequest]error }{ { name: "grant all can create all", @@ -568,7 +566,14 @@ func TestWrites(t *testing.T) { GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }), - canCreateInScopes: allScopeIDs, + canCreateInScopes: map[*pbs.CreateGroupRequest]error{ + &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, + &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: org1.PublicId}}: nil, + &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: org2.PublicId}}: nil, + &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, + &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, + &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, + }, }, { name: "grant children can only create in orgs", @@ -579,7 +584,14 @@ func TestWrites(t *testing.T) { GrantScopes: []string{globals.GrantScopeChildren}, }, }), - canCreateInScopes: []string{org1.PublicId, org2.PublicId}, + canCreateInScopes: map[*pbs.CreateGroupRequest]error{ + &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: handlers.ForbiddenError(), + &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: org1.PublicId}}: nil, + &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: org2.PublicId}}: nil, + &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: proj1.PublicId}}: handlers.ForbiddenError(), + &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: proj2.PublicId}}: handlers.ForbiddenError(), + &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: proj3.PublicId}}: handlers.ForbiddenError(), + }, }, } @@ -589,24 +601,14 @@ func TestWrites(t *testing.T) { tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) - for _, scope := range allScopeIDs { - name, err := uuid.GenerateUUID() - require.NoError(t, err) - got, err := s.CreateGroup(fullGrantAuthCtx, &pbs.CreateGroupRequest{ - Item: &pb.Group{ - ScopeId: scope, - Name: &wrapperspb.StringValue{Value: name}, - Description: &wrapperspb.StringValue{Value: name}, - }, - }) - if !slices.Contains(tc.canCreateInScopes, scope) { - require.ErrorIs(t, err, handlers.ForbiddenError()) + + for req, wantErr := range tc.canCreateInScopes { + _, err := s.CreateGroup(fullGrantAuthCtx, req) + if wantErr != nil { + require.ErrorIs(t, err, wantErr) continue } - require.NoErrorf(t, err, "failed to create group in scope %s", scope) - g, _, err := iamRepo.LookupGroup(ctx, got.Item.Id) require.NoError(t, err) - require.Equal(t, name, g.Name) } }) } From 6517fc019518f5e99d484c705c9d930497975001 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 11 Feb 2025 19:00:54 -0800 Subject: [PATCH 34/62] undo merge mistakes --- internal/authtoken/testing.go | 66 +++++++++---------- .../handlers/accounts/grants_test.go | 3 +- .../handlers/aliases/grants_test.go | 2 +- .../handlers/authmethods/grants_test.go | 4 +- .../handlers/authtokens/grants_test.go | 2 +- .../credentiallibraries/grants_test.go | 2 +- .../handlers/credentials/grants_test.go | 2 +- .../handlers/credentialstores/grants_test.go | 2 +- .../handlers/host_catalogs/grants_test.go | 2 +- .../handlers/host_sets/grants_test.go | 2 +- .../controller/handlers/hosts/grants_test.go | 2 +- .../handlers/managed_groups/grants_test.go | 2 +- .../controller/handlers/roles/grants_test.go | 2 +- .../controller/handlers/scopes/grants_test.go | 2 +- .../handlers/targets/tcp/grants_test.go | 2 +- .../controller/handlers/users/grants_test.go | 2 +- .../handlers/workers/grants_test.go | 2 +- 17 files changed, 50 insertions(+), 51 deletions(-) diff --git a/internal/authtoken/testing.go b/internal/authtoken/testing.go index 6b88afc1ff..1748d8bd53 100644 --- a/internal/authtoken/testing.go +++ b/internal/authtoken/testing.go @@ -15,6 +15,39 @@ import ( "github.com/stretchr/testify/require" ) +// TestAuthToken, despite its name, does more than just return an auth token; it +// also creates an auth method, an account, and a user and binds them together, +// then creates an auth token against it +func TestAuthToken(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, opt ...Option) *AuthToken { + t.Helper() + + opts := getOpts(opt...) + passwordOpts := password.GetOpts(opts.withPasswordOptions...) + loginName := passwordOpts.WithLoginName + if loginName == "" { + loginName = "name1" + } + + authMethod := password.TestAuthMethods(t, conn, scopeId, 1)[0] + // auth account is only used to join auth method to user. + // We don't do anything else with the auth account in the test setup. + acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName, opts.withPasswordOptions...) + + ctx := context.Background() + rw := db.New(conn) + iamRepo, err := iam.NewRepository(ctx, rw, rw, kms) + require.NoError(t, err) + + u := iam.TestUser(t, iamRepo, scopeId, append(opts.withIamOptions, iam.WithAccountIds(acct.PublicId))...) + + repo, err := NewRepository(ctx, rw, rw, kms) + require.NoError(t, err) + + at, err := repo.CreateAuthToken(ctx, u, acct.GetPublicId(), opt...) + require.NoError(t, err) + return at +} + // TestRoleGrantsForToken contains information used by TestAuthTokenWithRoles to create // roles and their associated grants (with grant scopes) type TestRoleGrantsForToken struct { @@ -49,36 +82,3 @@ func TestAuthTokenWithRoles(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId str require.NoError(t, err) return fullGrantToken } - -// TestAuthToken, despite its name, does more than just return an auth token; it -// also creates an auth method, an account, and a user and binds them together, -// then creates an auth token against it -func TestAuthToken(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, opt ...Option) *AuthToken { - t.Helper() - - opts := getOpts(opt...) - passwordOpts := password.GetOpts(opts.withPasswordOptions...) - loginName := passwordOpts.WithLoginName - if loginName == "" { - loginName = "name1" - } - - authMethod := password.TestAuthMethods(t, conn, scopeId, 1)[0] - // auth account is only used to join auth method to user. - // We don't do anything else with the auth account in the test setup. - acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName, opts.withPasswordOptions...) - - ctx := context.Background() - rw := db.New(conn) - iamRepo, err := iam.NewRepository(ctx, rw, rw, kms) - require.NoError(t, err) - - u := iam.TestUser(t, iamRepo, scopeId, append(opts.withIamOptions, iam.WithAccountIds(acct.PublicId))...) - - repo, err := NewRepository(ctx, rw, rw, kms) - require.NoError(t, err) - - at, err := repo.CreateAuthToken(ctx, u, acct.GetPublicId(), opt...) - require.NoError(t, err) - return at -} diff --git a/internal/daemon/controller/handlers/accounts/grants_test.go b/internal/daemon/controller/handlers/accounts/grants_test.go index 5b27810913..53fc16ce8a 100644 --- a/internal/daemon/controller/handlers/accounts/grants_test.go +++ b/internal/daemon/controller/handlers/accounts/grants_test.go @@ -92,8 +92,7 @@ func TestListPassword_Grants(t *testing.T) { s, err := accounts.NewService(ctx, pwRepoFn, oidcRepoFn, ldapRepoFn, 1000) require.NoError(t, err, "Couldn't create new user service.") tok := authtoken.TestAuthTokenWithRoles(t, conn, kms, globals.GlobalPrefix, tc.roleRequest) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) - + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, gErr := s.ListAccounts(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.Error(t, err) diff --git a/internal/daemon/controller/handlers/aliases/grants_test.go b/internal/daemon/controller/handlers/aliases/grants_test.go index 8a2f656f18..81973163df 100644 --- a/internal/daemon/controller/handlers/aliases/grants_test.go +++ b/internal/daemon/controller/handlers/aliases/grants_test.go @@ -89,7 +89,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListAliases(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/authmethods/grants_test.go b/internal/daemon/controller/handlers/authmethods/grants_test.go index 5d94ae389b..02ebd550cc 100644 --- a/internal/daemon/controller/handlers/authmethods/grants_test.go +++ b/internal/daemon/controller/handlers/authmethods/grants_test.go @@ -165,7 +165,7 @@ func TestGrants_ReadActions(t *testing.T) { // auth method created during token generation will not be taken into considerations during this test // adding to the ignoreList so it can be ignored later ignoreList = append(ignoreList, tok.GetAuthMethodId()) - fullGrantAuthCtx := controllerauth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := controllerauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListAuthMethods(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) @@ -249,7 +249,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := controllerauth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := controllerauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for amId, wantErr := range tc.amIDExpectErrMap { _, err := s.GetAuthMethod(fullGrantAuthCtx, &pbs.GetAuthMethodRequest{ Id: amId, diff --git a/internal/daemon/controller/handlers/authtokens/grants_test.go b/internal/daemon/controller/handlers/authtokens/grants_test.go index 20d6e05d12..2394c0b39f 100644 --- a/internal/daemon/controller/handlers/authtokens/grants_test.go +++ b/internal/daemon/controller/handlers/authtokens/grants_test.go @@ -108,7 +108,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListAuthTokens(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/credentiallibraries/grants_test.go b/internal/daemon/controller/handlers/credentiallibraries/grants_test.go index e00fab7f0a..7e4a12ff0b 100644 --- a/internal/daemon/controller/handlers/credentiallibraries/grants_test.go +++ b/internal/daemon/controller/handlers/credentiallibraries/grants_test.go @@ -86,7 +86,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListCredentialLibraries(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/credentials/grants_test.go b/internal/daemon/controller/handlers/credentials/grants_test.go index 35c4517c4f..2799d0d3e8 100644 --- a/internal/daemon/controller/handlers/credentials/grants_test.go +++ b/internal/daemon/controller/handlers/credentials/grants_test.go @@ -121,7 +121,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListCredentials(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/credentialstores/grants_test.go b/internal/daemon/controller/handlers/credentialstores/grants_test.go index eb7fa413c6..5ff3f50525 100644 --- a/internal/daemon/controller/handlers/credentialstores/grants_test.go +++ b/internal/daemon/controller/handlers/credentialstores/grants_test.go @@ -131,7 +131,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListCredentialStores(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/host_catalogs/grants_test.go b/internal/daemon/controller/handlers/host_catalogs/grants_test.go index ace52a339c..9576fd010e 100644 --- a/internal/daemon/controller/handlers/host_catalogs/grants_test.go +++ b/internal/daemon/controller/handlers/host_catalogs/grants_test.go @@ -133,7 +133,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListHostCatalogs(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/host_sets/grants_test.go b/internal/daemon/controller/handlers/host_sets/grants_test.go index d89e53c391..4fa763221f 100644 --- a/internal/daemon/controller/handlers/host_sets/grants_test.go +++ b/internal/daemon/controller/handlers/host_sets/grants_test.go @@ -122,7 +122,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListHostSets(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/hosts/grants_test.go b/internal/daemon/controller/handlers/hosts/grants_test.go index e53f7c3e1c..6715878bfb 100644 --- a/internal/daemon/controller/handlers/hosts/grants_test.go +++ b/internal/daemon/controller/handlers/hosts/grants_test.go @@ -124,7 +124,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListHosts(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/managed_groups/grants_test.go b/internal/daemon/controller/handlers/managed_groups/grants_test.go index 75e2d5c93a..f73ba91c9f 100644 --- a/internal/daemon/controller/handlers/managed_groups/grants_test.go +++ b/internal/daemon/controller/handlers/managed_groups/grants_test.go @@ -108,7 +108,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListManagedGroups(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/roles/grants_test.go b/internal/daemon/controller/handlers/roles/grants_test.go index 54fabb17a3..e55c62121f 100644 --- a/internal/daemon/controller/handlers/roles/grants_test.go +++ b/internal/daemon/controller/handlers/roles/grants_test.go @@ -147,7 +147,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) // TestAuthTokenWithRoles creates a default role, so we need to add it to the expected list // if the grant scope contains 'this' diff --git a/internal/daemon/controller/handlers/scopes/grants_test.go b/internal/daemon/controller/handlers/scopes/grants_test.go index 13e17a18d8..b3f99944b4 100644 --- a/internal/daemon/controller/handlers/scopes/grants_test.go +++ b/internal/daemon/controller/handlers/scopes/grants_test.go @@ -94,7 +94,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListScopes(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/targets/tcp/grants_test.go b/internal/daemon/controller/handlers/targets/tcp/grants_test.go index 73b4d94a9f..cb91035926 100644 --- a/internal/daemon/controller/handlers/targets/tcp/grants_test.go +++ b/internal/daemon/controller/handlers/targets/tcp/grants_test.go @@ -89,7 +89,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kms, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrapper, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrapper, tok, iamRepo) got, finalErr := s.ListTargets(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/users/grants_test.go b/internal/daemon/controller/handlers/users/grants_test.go index 65aff0a52e..a4bc80c486 100644 --- a/internal/daemon/controller/handlers/users/grants_test.go +++ b/internal/daemon/controller/handlers/users/grants_test.go @@ -291,7 +291,7 @@ func TestGrants_ReadActions(t *testing.T) { // deleting user to keep assertions clean since we're listing users over and over _, _ = iamRepo.DeleteUser(ctx, tok.IamUserId) }) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListUsers(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) diff --git a/internal/daemon/controller/handlers/workers/grants_test.go b/internal/daemon/controller/handlers/workers/grants_test.go index 52213de6fa..dc1aef0d28 100644 --- a/internal/daemon/controller/handlers/workers/grants_test.go +++ b/internal/daemon/controller/handlers/workers/grants_test.go @@ -109,7 +109,7 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { tok := authtoken.TestAuthTokenWithRoles(t, conn, kms, globals.GlobalPrefix, tc.rolesToCreate) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrapper, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrapper, tok, iamRepo) got, finalErr := s.ListWorkers(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) From 2bd59dee1bbd1de38c2a82d97cab184ea426401c Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 12 Feb 2025 09:48:12 -0800 Subject: [PATCH 35/62] fix merge mistakes --- internal/daemon/controller/auth/testing.go | 2 +- .../daemon/controller/handlers/groups/grants_test.go | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/internal/daemon/controller/auth/testing.go b/internal/daemon/controller/auth/testing.go index ef044fb20a..b100d1e222 100644 --- a/internal/daemon/controller/auth/testing.go +++ b/internal/daemon/controller/auth/testing.go @@ -41,7 +41,7 @@ func DisabledAuthTestContext(iamRepoFn common.IamRepoFactory, scopeId string, op // TestAuthContextFromToken creates an auth context with provided token // This is used in conjunction with TestAuthTokenWithRoles which creates a test token -func TestAuthContextFromToken(t *testing.T, conn *db.DB, wrap wrapping.Wrapper, iamRepo *iam.Repository, token *authtoken.AuthToken) context.Context { +func TestAuthContextFromToken(t *testing.T, conn *db.DB, wrap wrapping.Wrapper, token *authtoken.AuthToken, iamRepo *iam.Repository) context.Context { t.Helper() ctx := context.Background() rw := db.New(conn) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index f7f126c83b..bb7b29938a 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -236,7 +236,7 @@ func TestGrants_ReadActions(t *testing.T) { user, accountID := tc.userFunc() tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) @@ -499,7 +499,7 @@ func TestGrants_ReadActions(t *testing.T) { user, accountID := tc.userFunc() tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for input, wantErr := range tc.inputWantErrMap { _, err := s.GetGroup(fullGrantAuthCtx, input) // not found means expect error @@ -600,7 +600,7 @@ func TestWrites(t *testing.T) { user, accountID := tc.userFunc() tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for req, wantErr := range tc.canCreateInScopes { _, err := s.CreateGroup(fullGrantAuthCtx, req) @@ -674,7 +674,7 @@ func TestWrites(t *testing.T) { user, accountID := tc.userFunc() tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for scope, group := range scopeIdGroupMap { _, err = s.DeleteGroup(fullGrantAuthCtx, &pbs.DeleteGroupRequest{Id: group.PublicId}) if !slices.Contains(tc.deleteAllowedAtScopeIDs, scope) { @@ -771,7 +771,7 @@ func TestWrites(t *testing.T) { user, accountID := userFunc() tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, err := s.UpdateGroup(fullGrantAuthCtx, &pbs.UpdateGroupRequest{ Id: original.PublicId, Item: &pb.Group{ @@ -1113,7 +1113,7 @@ func TestGroupMember(t *testing.T) { user, accountID := userFn() tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, iamRepo, tok) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for _, act := range tc.actions { out, err := act.action(fullGrantAuthCtx, group) if act.wantErr != nil { From 3df265bd5a49c696456cb07f67888093aa347ec2 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 12 Feb 2025 10:02:10 -0800 Subject: [PATCH 36/62] lint --- .../controller/handlers/groups/grants_test.go | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index bb7b29938a..b285d8c59e 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -567,12 +567,12 @@ func TestWrites(t *testing.T) { }, }), canCreateInScopes: map[*pbs.CreateGroupRequest]error{ - &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, - &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: org1.PublicId}}: nil, - &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: org2.PublicId}}: nil, - &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, - &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, - &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, + {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, + {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, }, }, { @@ -585,12 +585,12 @@ func TestWrites(t *testing.T) { }, }), canCreateInScopes: map[*pbs.CreateGroupRequest]error{ - &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: handlers.ForbiddenError(), - &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: org1.PublicId}}: nil, - &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: org2.PublicId}}: nil, - &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: proj1.PublicId}}: handlers.ForbiddenError(), - &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: proj2.PublicId}}: handlers.ForbiddenError(), - &pbs.CreateGroupRequest{Item: &pb.Group{ScopeId: proj3.PublicId}}: handlers.ForbiddenError(), + {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: handlers.ForbiddenError(), + {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj1.PublicId}}: handlers.ForbiddenError(), + {Item: &pb.Group{ScopeId: proj2.PublicId}}: handlers.ForbiddenError(), + {Item: &pb.Group{ScopeId: proj3.PublicId}}: handlers.ForbiddenError(), }, }, } From 7de8fdca64ba1793c637441b157749a8b8c7faa6 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Thu, 13 Feb 2025 10:13:37 -0800 Subject: [PATCH 37/62] add setup examples --- .../controller/handlers/groups/grants_test.go | 56 ++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index b285d8c59e..5a08a1bf85 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -558,7 +558,7 @@ func TestWrites(t *testing.T) { canCreateInScopes map[*pbs.CreateGroupRequest]error }{ { - name: "grant all can create all", + name: "direct grant all can create all", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, @@ -575,6 +575,60 @@ func TestWrites(t *testing.T) { {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, }, }, + { + name: "groups grant all can create all", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }), + canCreateInScopes: map[*pbs.CreateGroupRequest]error{ + {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, + {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, + }, + }, + { + name: "ldap grant all can create all", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }), + canCreateInScopes: map[*pbs.CreateGroupRequest]error{ + {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, + {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, + }, + }, + { + name: "oidc grant all can create all", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }), + canCreateInScopes: map[*pbs.CreateGroupRequest]error{ + {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, + {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, + }, + }, { name: "grant children can only create in orgs", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ From b62ffa2961fed0be5e6a5e4cee43223c414ed0a7 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Thu, 13 Feb 2025 18:50:49 -0800 Subject: [PATCH 38/62] add output fields tests for getgroup --- .../controller/handlers/groups/grants_test.go | 190 +++++++++++++++++- 1 file changed, 187 insertions(+), 3 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 5a08a1bf85..f8d98f512e 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -514,7 +514,7 @@ func TestGrants_ReadActions(t *testing.T) { }) } -// TestWriteActions tests write actions to assert that grants are being applied properly +// TestGrants_WriteActions tests write actions to assert that grants are being applied properly // // [create, update, delete] // Role - which scope the role is created in @@ -532,7 +532,7 @@ func TestGrants_ReadActions(t *testing.T) { // - org2 [org2Group] // - proj2 [proj2Group] // - proj3 [proj3Group] -func TestWrites(t *testing.T) { +func TestGrants_WriteActions(t *testing.T) { t.Run("create", func(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") @@ -851,7 +851,7 @@ func TestWrites(t *testing.T) { } // TestGroupMember tests actions performed on the group-members (child-resources) -func TestGroupMember(t *testing.T) { +func TestGrants_ChildResourcesActions(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") rw := db.New(conn) @@ -1183,6 +1183,190 @@ func TestGroupMember(t *testing.T) { } } +func TestOutputFields(t *testing.T) { + t.Run("GetGroup", func(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) + _ = iam.TestGroupMember(t, conn, globalGroup.PublicId, u.PublicId) + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + + testcases := []struct { + name string + userFunc func() (*iam.User, string) + expectOutfields []string + }{ + { + name: "grants name and description", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=read;output_fields=name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.NameField, globals.DescriptionField}, + }, + { + name: "grants scope and scopeID", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=read;output_fields=scope,scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + }, + { + name: "grants update_time and create_time", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=read;output_fields=updated_time,created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, + }, + { + name: "grants id, authorized_actions, version", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=read;output_fields=id,authorized_actions,version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + }, + { + name: "grants members, member_id", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=read;output_fields=members,member_ids"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.MembersField, globals.MemberIdsField}, + }, + { + name: "composite grants id, authorized_actions, member_ids", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=read;output_fields=id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=read;output_fields=member_ids"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=read;output_fields=authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.MemberIdsField, globals.AuthorizedActionsField}, + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, accountID := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + require.NoError(t, err) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{Id: globalGroup.PublicId}) + require.NoError(t, err) + assertOutputFields(t, out.Item, tc.expectOutfields) + }) + } + + }) +} + +func assertOutputFields(t *testing.T, g *pb.Group, expectFields []string) { + if slices.Contains(expectFields, globals.IdField) { + require.NotEmpty(t, g.Id) + } else { + require.Empty(t, g.Id) + } + + if slices.Contains(expectFields, globals.ScopeIdField) { + require.NotEmpty(t, g.ScopeId) + } else { + require.Empty(t, g.ScopeId) + } + + if slices.Contains(expectFields, globals.DescriptionField) { + require.NotEmpty(t, g.Description) + } else { + require.Empty(t, g.Description) + } + + if slices.Contains(expectFields, globals.NameField) { + require.NotEmpty(t, g.Name) + } else { + require.Empty(t, g.Name) + } + + if slices.Contains(expectFields, globals.CreatedTimeField) { + require.NotEmpty(t, g.CreatedTime) + } else { + require.Empty(t, g.CreatedTime) + } + + if slices.Contains(expectFields, globals.UpdatedTimeField) { + require.NotEmpty(t, g.UpdatedTime) + } else { + require.Empty(t, g.UpdatedTime) + } + + if slices.Contains(expectFields, globals.VersionField) { + require.NotEmpty(t, g.Version) + } else { + require.Empty(t, g.Version) + } + + if slices.Contains(expectFields, globals.ScopeField) { + require.NotEmpty(t, g.Scope) + } else { + require.Empty(t, g.Scope) + } + + if slices.Contains(expectFields, globals.AuthorizedActionsField) { + require.NotEmpty(t, g.AuthorizedActions) + } else { + require.Empty(t, g.AuthorizedActions) + } + + if slices.Contains(expectFields, globals.MemberIdsField) { + require.NotEmpty(t, g.MemberIds) + } else { + require.Empty(t, g.MemberIds) + } + + if slices.Contains(expectFields, globals.MembersField) { + require.NotEmpty(t, g.Members) + } else { + require.Empty(t, g.Members) + } +} + func userIDs(users []*iam.User) []string { result := make([]string, len(users)) for i, u := range users { From 3947e34fd4e54a1dc0abefb5e1a9760d113867b1 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 14 Feb 2025 14:53:33 -0800 Subject: [PATCH 39/62] reimplement with reflect --- .../controller/handlers/groups/grants_test.go | 83 ++++--------------- 1 file changed, 14 insertions(+), 69 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index f8d98f512e..9207cba852 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -1197,8 +1197,8 @@ func TestOutputFields(t *testing.T) { return iamRepo, nil } u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) - globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) - _ = iam.TestGroupMember(t, conn, globalGroup.PublicId, u.PublicId) + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) + _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u.PublicId) s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) @@ -1290,80 +1290,25 @@ func TestOutputFields(t *testing.T) { tok, err := atRepo.CreateAuthToken(ctx, user, accountID) require.NoError(t, err) fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - out, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{Id: globalGroup.PublicId}) + out, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{Id: globalGroupWithMember.PublicId}) require.NoError(t, err) assertOutputFields(t, out.Item, tc.expectOutfields) }) } - }) -} +} func assertOutputFields(t *testing.T, g *pb.Group, expectFields []string) { - if slices.Contains(expectFields, globals.IdField) { - require.NotEmpty(t, g.Id) - } else { - require.Empty(t, g.Id) - } - - if slices.Contains(expectFields, globals.ScopeIdField) { - require.NotEmpty(t, g.ScopeId) - } else { - require.Empty(t, g.ScopeId) - } - - if slices.Contains(expectFields, globals.DescriptionField) { - require.NotEmpty(t, g.Description) - } else { - require.Empty(t, g.Description) - } - - if slices.Contains(expectFields, globals.NameField) { - require.NotEmpty(t, g.Name) - } else { - require.Empty(t, g.Name) - } - - if slices.Contains(expectFields, globals.CreatedTimeField) { - require.NotEmpty(t, g.CreatedTime) - } else { - require.Empty(t, g.CreatedTime) - } - - if slices.Contains(expectFields, globals.UpdatedTimeField) { - require.NotEmpty(t, g.UpdatedTime) - } else { - require.Empty(t, g.UpdatedTime) - } - - if slices.Contains(expectFields, globals.VersionField) { - require.NotEmpty(t, g.Version) - } else { - require.Empty(t, g.Version) - } - - if slices.Contains(expectFields, globals.ScopeField) { - require.NotEmpty(t, g.Scope) - } else { - require.Empty(t, g.Scope) - } - - if slices.Contains(expectFields, globals.AuthorizedActionsField) { - require.NotEmpty(t, g.AuthorizedActions) - } else { - require.Empty(t, g.AuthorizedActions) - } - - if slices.Contains(expectFields, globals.MemberIdsField) { - require.NotEmpty(t, g.MemberIds) - } else { - require.Empty(t, g.MemberIds) - } - - if slices.Contains(expectFields, globals.MembersField) { - require.NotEmpty(t, g.Members) - } else { - require.Empty(t, g.Members) + msg := g.ProtoReflect() + descriptor := msg.Descriptor() + for i := 0; i < descriptor.Fields().Len(); i++ { + fd := descriptor.Fields().Get(i) + fieldName := string(fd.Name()) + if !slices.Contains(expectFields, fieldName) { + require.Falsef(t, msg.Has(fd), "expect field '%s' to be empty but got %+v", fd.Name(), msg.Get(fd).Interface()) + continue + } + require.Truef(t, msg.Has(fd), "expect field '%s' to be empty but got %+v", fd.Name(), msg.Get(fd).Interface()) } } From 9e762278f580b489902cc058d0f9ca2b058a859f Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 14 Feb 2025 15:16:50 -0800 Subject: [PATCH 40/62] add test for CreateGroup --- .../controller/handlers/groups/grants_test.go | 171 ++++++++++++++++++ 1 file changed, 171 insertions(+) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 9207cba852..26213307c3 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -9,6 +9,7 @@ import ( "slices" "testing" + "github.com/google/uuid" "github.com/hashicorp/boundary/globals" "github.com/hashicorp/boundary/internal/auth/ldap" "github.com/hashicorp/boundary/internal/auth/oidc" @@ -1296,8 +1297,178 @@ func TestOutputFields(t *testing.T) { }) } }) + t.Run("CreateGroup", func(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + s, err := groups.NewService(ctx, repoFn, 1000) + testcases := []struct { + name string + userFunc func() (*iam.User, string) + input *pbs.CreateGroupRequest + expectOutfields []string + }{ + { + name: "grants name and description", + input: &pbs.CreateGroupRequest{ + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: uuid.NewString()}, + Description: &wrapperspb.StringValue{Value: uuid.NewString()}, + ScopeId: globals.GlobalPrefix, + }, + }, + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.NameField, globals.DescriptionField}, + }, + { + name: "grants scope and scopeID", + input: &pbs.CreateGroupRequest{ + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: uuid.NewString()}, + Description: &wrapperspb.StringValue{Value: uuid.NewString()}, + ScopeId: globals.GlobalPrefix, + }, + }, + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope,scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + }, + { + name: "grants update_time and create_time", + input: &pbs.CreateGroupRequest{ + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: uuid.NewString()}, + Description: &wrapperspb.StringValue{Value: uuid.NewString()}, + ScopeId: globals.GlobalPrefix, + }, + }, + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=updated_time,created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, + }, + { + name: "grants id, authorized_actions, version", + input: &pbs.CreateGroupRequest{ + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: uuid.NewString()}, + Description: &wrapperspb.StringValue{Value: uuid.NewString()}, + ScopeId: globals.GlobalPrefix, + }, + }, + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + }, + { + name: "composite grants all fields", + input: &pbs.CreateGroupRequest{ + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: uuid.NewString()}, + Description: &wrapperspb.StringValue{Value: uuid.NewString()}, + ScopeId: globals.GlobalPrefix, + }, + }, + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=name"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{ + globals.IdField, + globals.ScopeField, + globals.ScopeIdField, + globals.NameField, + globals.DescriptionField, + globals.CreatedTimeField, + globals.AuthorizedActionsField, + globals.VersionField, + }, + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, accountID := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + require.NoError(t, err) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.CreateGroup(fullGrantAuthCtx, tc.input) + require.NoError(t, err) + assertOutputFields(t, out.Item, tc.expectOutfields) + }) + } + }) } + +// assertOutputFields asserts that the output fields of a group match the expected fields +// fields that is nil or empty in the result will throw an error if they are listed in expectedFields +// e.g. members when group does not contian any members func assertOutputFields(t *testing.T, g *pb.Group, expectFields []string) { msg := g.ProtoReflect() descriptor := msg.Descriptor() From 8f0a4bc7fd7712c74a1e3ab57574035fde092923 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 14 Feb 2025 17:09:41 -0800 Subject: [PATCH 41/62] add all single resource action tests --- .../controller/handlers/groups/grants_test.go | 587 +++++++++++++++++- 1 file changed, 585 insertions(+), 2 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 26213307c3..e4d568e1ba 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -1197,8 +1197,8 @@ func TestOutputFields(t *testing.T) { repoFn := func() (*iam.Repository, error) { return iamRepo, nil } - u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) + u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u.PublicId) s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) @@ -1310,7 +1310,6 @@ func TestOutputFields(t *testing.T) { return iamRepo, nil } s, err := groups.NewService(ctx, repoFn, 1000) - testcases := []struct { name string userFunc func() (*iam.User, string) @@ -1464,6 +1463,590 @@ func TestOutputFields(t *testing.T) { }) } }) + + t.Run("UpdateGroup", func(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + + // this can be used across test cases because we're only testing for output fields, not the update behaviors + inputFunc := func(t *testing.T) *pbs.UpdateGroupRequest { + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) + u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u.PublicId) + return &pbs.UpdateGroupRequest{ + Id: globalGroupWithMember.PublicId, + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: uuid.NewString()}, + Description: &wrapperspb.StringValue{Value: uuid.NewString()}, + Version: globalGroupWithMember.Version, + }, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"name", "description"}, + }, + } + } + + s, err := groups.NewService(ctx, repoFn, 1000) + testcases := []struct { + name string + userFunc func() (*iam.User, string) + expectOutfields []string + }{ + { + name: "grants name and description", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.NameField, globals.DescriptionField}, + }, + { + name: "grants scope and scopeID", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope,scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + }, + { + name: "grants update_time and create_time", + + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=updated_time,created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, + }, + { + name: "grants id, authorized_actions, version", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + }, + { + name: "composite grants all fields", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=name"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{ + globals.IdField, + globals.ScopeField, + globals.ScopeIdField, + globals.NameField, + globals.DescriptionField, + globals.CreatedTimeField, + globals.AuthorizedActionsField, + globals.VersionField, + }, + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, accountID := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + require.NoError(t, err) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.UpdateGroup(fullGrantAuthCtx, inputFunc(t)) + require.NoError(t, err) + assertOutputFields(t, out.Item, tc.expectOutfields) + }) + } + }) + + t.Run("AddGroupMembers", func(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + + // this can be used across test cases because we're only testing for output fields, not the update behaviors + inputFunc := func(t *testing.T) *pbs.AddGroupMembersRequest { + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(uuid.NewString()), iam.WithName(uuid.NewString())) + u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + return &pbs.AddGroupMembersRequest{ + Id: globalGroupWithMember.PublicId, + Version: globalGroupWithMember.Version, + MemberIds: []string{u.PublicId}, + } + } + s, err := groups.NewService(ctx, repoFn, 1000) + testcases := []struct { + name string + userFunc func() (*iam.User, string) + expectOutfields []string + }{ + { + name: "grants name and description", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.NameField, globals.DescriptionField}, + }, + { + name: "grants scope and scopeID", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope,scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + }, + { + name: "grants update_time and create_time", + + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=updated_time,created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, + }, + { + name: "grants id, authorized_actions, version", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + }, + { + name: "composite grants all fields", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=name"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{ + globals.IdField, + globals.ScopeField, + globals.ScopeIdField, + globals.NameField, + globals.DescriptionField, + globals.CreatedTimeField, + globals.AuthorizedActionsField, + globals.VersionField, + }, + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, accountID := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + require.NoError(t, err) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.AddGroupMembers(fullGrantAuthCtx, inputFunc(t)) + require.NoError(t, err) + assertOutputFields(t, out.Item, tc.expectOutfields) + }) + } + }) + + t.Run("SetGroupMembers", func(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + + // this can be used across test cases because we're only testing for output fields, not the update behaviors + inputFunc := func(t *testing.T) *pbs.SetGroupMembersRequest { + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(uuid.NewString()), iam.WithName(uuid.NewString())) + u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + return &pbs.SetGroupMembersRequest{ + Id: globalGroupWithMember.PublicId, + Version: globalGroupWithMember.Version, + MemberIds: []string{u.PublicId}, + } + } + s, err := groups.NewService(ctx, repoFn, 1000) + testcases := []struct { + name string + userFunc func() (*iam.User, string) + expectOutfields []string + }{ + { + name: "grants name and description", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.NameField, globals.DescriptionField}, + }, + { + name: "grants scope and scopeID", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope,scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + }, + { + name: "grants update_time and create_time", + + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=updated_time,created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, + }, + { + name: "grants id, authorized_actions, version", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + }, + { + name: "composite grants all fields", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=name"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{ + globals.IdField, + globals.ScopeField, + globals.ScopeIdField, + globals.NameField, + globals.DescriptionField, + globals.CreatedTimeField, + globals.AuthorizedActionsField, + globals.VersionField, + }, + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, accountID := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + require.NoError(t, err) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.SetGroupMembers(fullGrantAuthCtx, inputFunc(t)) + require.NoError(t, err) + assertOutputFields(t, out.Item, tc.expectOutfields) + }) + } + }) + + t.Run("RemoveGroupMembers", func(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + + // this can be used across test cases because we're only testing for output fields, not the update behaviors + inputFunc := func(t *testing.T) *pbs.RemoveGroupMembersRequest { + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(uuid.NewString()), iam.WithName(uuid.NewString())) + // create 2 users and remove one so the tests can differentiate between the group without members vs. having no access to read members + u1 := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + u2 := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u1.PublicId) + _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u2.PublicId) + return &pbs.RemoveGroupMembersRequest{ + Id: globalGroupWithMember.PublicId, + Version: globalGroupWithMember.Version, + MemberIds: []string{u2.PublicId}, + } + } + s, err := groups.NewService(ctx, repoFn, 1000) + testcases := []struct { + name string + userFunc func() (*iam.User, string) + expectOutfields []string + }{ + { + name: "grants name and description", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.NameField, globals.DescriptionField}, + }, + { + name: "grants scope and scopeID", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope,scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + }, + { + name: "grants update_time and create_time", + + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=updated_time,created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, + }, + { + name: "grants id, authorized_actions, version", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + }, + { + name: "composite grants all fields", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=name"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{ + globals.IdField, + globals.ScopeField, + globals.ScopeIdField, + globals.NameField, + globals.DescriptionField, + globals.CreatedTimeField, + globals.AuthorizedActionsField, + globals.VersionField, + }, + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, accountID := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + require.NoError(t, err) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.RemoveGroupMembers(fullGrantAuthCtx, inputFunc(t)) + require.NoError(t, err) + assertOutputFields(t, out.Item, tc.expectOutfields) + }) + } + }) } // assertOutputFields asserts that the output fields of a group match the expected fields From a5acfec26bcfb67ce86d7f97e066ef157795d00e Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Fri, 14 Feb 2025 18:18:52 -0800 Subject: [PATCH 42/62] add list test --- .../controller/handlers/groups/grants_test.go | 124 ++++++++++++++++++ 1 file changed, 124 insertions(+) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index e4d568e1ba..6b4f6352d1 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -1185,6 +1185,129 @@ func TestGrants_ChildResourcesActions(t *testing.T) { } func TestOutputFields(t *testing.T) { + + t.Run("ListGroups", func(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + + globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) + + org, proj := iam.TestScopes(t, iamRepo) + orgGroup := iam.TestGroup(t, conn, org.PublicId, iam.WithDescription("org"), iam.WithName("org")) + projGroup := iam.TestGroup(t, conn, proj.PublicId, iam.WithDescription("proj"), iam.WithName("proj")) + + globalUser := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + orgUser := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + projectUser := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + + _ = iam.TestGroupMember(t, conn, globalGroup.PublicId, globalUser.PublicId) + _ = iam.TestGroupMember(t, conn, orgGroup.PublicId, orgUser.PublicId) + _ = iam.TestGroupMember(t, conn, projGroup.PublicId, projectUser.PublicId) + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + testcases := []struct { + name string + userFunc func() (*iam.User, string) + // keys are the group IDs | this also means 'id' is required in the outputfields for assertions to work properly + expectOutfields map[string][]string + }{ + { + name: "grants name, version, description", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id,name,description"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }), + expectOutfields: map[string][]string{ + globalGroup.PublicId: {globals.IdField, globals.NameField, globals.DescriptionField}, + orgGroup.PublicId: {globals.IdField, globals.NameField, globals.DescriptionField}, + projGroup.PublicId: {globals.IdField, globals.NameField, globals.DescriptionField}, + }, + }, + { + name: "grants scope, scopeID, authorized_actions", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id,scope,scope_id,authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }), + expectOutfields: map[string][]string{ + globalGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.AuthorizedActionsField}, + orgGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.AuthorizedActionsField}, + projGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.AuthorizedActionsField}, + }}, + { + name: "grants update_time, create_time", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id,updated_time,created_time,members,member_ids"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }), + expectOutfields: map[string][]string{ + globalGroup.PublicId: {globals.IdField, globals.CreatedTimeField, globals.UpdatedTimeField}, + orgGroup.PublicId: {globals.IdField, globals.CreatedTimeField, globals.UpdatedTimeField}, + projGroup.PublicId: {globals.IdField, globals.CreatedTimeField, globals.UpdatedTimeField}, + }, + }, + { + name: "different output_fields for different scope", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id,name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeID: globals.GlobalPrefix, + Grants: []string{"id=*;type=group;actions=*;output_fields=id,scope,scope_id,created_time,updated_time"}, + GrantScopes: []string{globals.GrantScopeChildren}, + }, + { + RoleScopeID: proj.PublicId, + Grants: []string{"id=*;type=group;actions=*;output_fields=id,authorized_actions"}, + GrantScopes: []string{proj.PublicId}, + }, + }), + expectOutfields: map[string][]string{ + globalGroup.PublicId: {globals.IdField, globals.NameField, globals.DescriptionField}, + orgGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.CreatedTimeField, globals.UpdatedTimeField}, + projGroup.PublicId: {globals.IdField, globals.AuthorizedActionsField}, + }, + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, accountID := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + require.NoError(t, err) + fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.ListGroups(fullGrantAuthCtx, &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, + }) + require.NoError(t, err) + for _, item := range out.Items { + assertOutputFields(t, item, tc.expectOutfields[item.Id]) + } + }) + } + }) + t.Run("GetGroup", func(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") @@ -2047,6 +2170,7 @@ func TestOutputFields(t *testing.T) { }) } }) + } // assertOutputFields asserts that the output fields of a group match the expected fields From 76ff88ff15a19f67c225dacd5498ab06b33a6a09 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 19 Feb 2025 13:46:04 -0800 Subject: [PATCH 43/62] rename function argument --- internal/iam/testing.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/iam/testing.go b/internal/iam/testing.go index 17f6e81743..0605a71763 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -423,12 +423,12 @@ func TestUserGroupGrantsFunc( conn *db.DB, kmsCache *kms.Kms, scopeID string, - accountIDsFunc func() string, + accountIDFunc func() string, testRoleGrants []TestRoleGrantsRequest, ) func() (*User, string) { return func() (*User, string) { t.Helper() - accountID := accountIDsFunc() + accountID := accountIDFunc() ctx := context.Background() rw := db.New(conn) repo, err := NewRepository(ctx, rw, rw, kmsCache) From f78f035c3a6ef9df9d849f2acfc5496b309da144 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 19 Feb 2025 14:09:47 -0800 Subject: [PATCH 44/62] move AssertOutputFields to handlers package --- .../controller/handlers/groups/grants_test.go | 31 +++++-------------- .../daemon/controller/handlers/testing.go | 30 ++++++++++++++++++ 2 files changed, 37 insertions(+), 24 deletions(-) create mode 100644 internal/daemon/controller/handlers/testing.go diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 6b4f6352d1..920eecc7a9 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -1302,7 +1302,7 @@ func TestOutputFields(t *testing.T) { }) require.NoError(t, err) for _, item := range out.Items { - assertOutputFields(t, item, tc.expectOutfields[item.Id]) + handlers.AssertOutputFields(t, item, tc.expectOutfields[item.Id]) } }) } @@ -1416,7 +1416,7 @@ func TestOutputFields(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{Id: globalGroupWithMember.PublicId}) require.NoError(t, err) - assertOutputFields(t, out.Item, tc.expectOutfields) + handlers.AssertOutputFields(t, out.Item, tc.expectOutfields) }) } }) @@ -1582,7 +1582,7 @@ func TestOutputFields(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.CreateGroup(fullGrantAuthCtx, tc.input) require.NoError(t, err) - assertOutputFields(t, out.Item, tc.expectOutfields) + handlers.AssertOutputFields(t, out.Item, tc.expectOutfields) }) } }) @@ -1733,7 +1733,7 @@ func TestOutputFields(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.UpdateGroup(fullGrantAuthCtx, inputFunc(t)) require.NoError(t, err) - assertOutputFields(t, out.Item, tc.expectOutfields) + handlers.AssertOutputFields(t, out.Item, tc.expectOutfields) }) } }) @@ -1876,7 +1876,7 @@ func TestOutputFields(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.AddGroupMembers(fullGrantAuthCtx, inputFunc(t)) require.NoError(t, err) - assertOutputFields(t, out.Item, tc.expectOutfields) + handlers.AssertOutputFields(t, out.Item, tc.expectOutfields) }) } }) @@ -2019,7 +2019,7 @@ func TestOutputFields(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.SetGroupMembers(fullGrantAuthCtx, inputFunc(t)) require.NoError(t, err) - assertOutputFields(t, out.Item, tc.expectOutfields) + handlers.AssertOutputFields(t, out.Item, tc.expectOutfields) }) } }) @@ -2166,30 +2166,13 @@ func TestOutputFields(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.RemoveGroupMembers(fullGrantAuthCtx, inputFunc(t)) require.NoError(t, err) - assertOutputFields(t, out.Item, tc.expectOutfields) + handlers.AssertOutputFields(t, out.Item, tc.expectOutfields) }) } }) } -// assertOutputFields asserts that the output fields of a group match the expected fields -// fields that is nil or empty in the result will throw an error if they are listed in expectedFields -// e.g. members when group does not contian any members -func assertOutputFields(t *testing.T, g *pb.Group, expectFields []string) { - msg := g.ProtoReflect() - descriptor := msg.Descriptor() - for i := 0; i < descriptor.Fields().Len(); i++ { - fd := descriptor.Fields().Get(i) - fieldName := string(fd.Name()) - if !slices.Contains(expectFields, fieldName) { - require.Falsef(t, msg.Has(fd), "expect field '%s' to be empty but got %+v", fd.Name(), msg.Get(fd).Interface()) - continue - } - require.Truef(t, msg.Has(fd), "expect field '%s' to be empty but got %+v", fd.Name(), msg.Get(fd).Interface()) - } -} - func userIDs(users []*iam.User) []string { result := make([]string, len(users)) for i, u := range users { diff --git a/internal/daemon/controller/handlers/testing.go b/internal/daemon/controller/handlers/testing.go new file mode 100644 index 0000000000..b7bc5eb3e4 --- /dev/null +++ b/internal/daemon/controller/handlers/testing.go @@ -0,0 +1,30 @@ +package handlers + +import ( + "testing" + + "github.com/stretchr/testify/require" + "golang.org/x/exp/slices" + "google.golang.org/protobuf/reflect/protoreflect" +) + +type protoReflector interface { + ProtoReflect() protoreflect.Message +} + +// assertOutputFields asserts that the output fields of a group match the expected fields +// fields that is nil or empty in the result will throw an error if they are listed in expectedFields +// e.g. members when group does not contian any members +func AssertOutputFields(t *testing.T, p protoReflector, expectFields []string) { + msg := p.ProtoReflect() + descriptor := msg.Descriptor() + for i := 0; i < descriptor.Fields().Len(); i++ { + fd := descriptor.Fields().Get(i) + fieldName := string(fd.Name()) + if !slices.Contains(expectFields, fieldName) { + require.Falsef(t, msg.Has(fd), "expect field '%s' to be empty but got %+v", fd.Name(), msg.Get(fd).Interface()) + continue + } + require.Truef(t, msg.Has(fd), "expect field '%s' to be empty but got %+v", fd.Name(), msg.Get(fd).Interface()) + } +} From 1abdc550860275c583e8dd75c8d5687d299ad84a Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 19 Feb 2025 14:11:31 -0800 Subject: [PATCH 45/62] fix lint --- internal/daemon/controller/handlers/groups/grants_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 920eecc7a9..2956f74aa1 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -1433,6 +1433,7 @@ func TestOutputFields(t *testing.T) { return iamRepo, nil } s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) testcases := []struct { name string userFunc func() (*iam.User, string) @@ -1619,6 +1620,7 @@ func TestOutputFields(t *testing.T) { } s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) testcases := []struct { name string userFunc func() (*iam.User, string) @@ -1762,6 +1764,7 @@ func TestOutputFields(t *testing.T) { } } s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) testcases := []struct { name string userFunc func() (*iam.User, string) From fd05e52537a19ef4a36e78646d738701b5fbefea Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 19 Feb 2025 14:14:09 -0800 Subject: [PATCH 46/62] make gen --- internal/daemon/controller/handlers/groups/grants_test.go | 5 ++--- internal/daemon/controller/handlers/testing.go | 3 +++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 2956f74aa1..3fa7d5b402 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -1185,7 +1185,6 @@ func TestGrants_ChildResourcesActions(t *testing.T) { } func TestOutputFields(t *testing.T) { - t.Run("ListGroups", func(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") @@ -1248,7 +1247,8 @@ func TestOutputFields(t *testing.T) { globalGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.AuthorizedActionsField}, orgGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.AuthorizedActionsField}, projGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.AuthorizedActionsField}, - }}, + }, + }, { name: "grants update_time, create_time", userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ @@ -2173,7 +2173,6 @@ func TestOutputFields(t *testing.T) { }) } }) - } func userIDs(users []*iam.User) []string { diff --git a/internal/daemon/controller/handlers/testing.go b/internal/daemon/controller/handlers/testing.go index b7bc5eb3e4..a76c50693f 100644 --- a/internal/daemon/controller/handlers/testing.go +++ b/internal/daemon/controller/handlers/testing.go @@ -1,3 +1,6 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: BUSL-1.1 + package handlers import ( From e8f907ce0c33135d47d4143016f896c81471ad65 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 19 Feb 2025 14:33:24 -0800 Subject: [PATCH 47/62] use proto.Message instead of custom interface --- internal/daemon/controller/handlers/testing.go | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/internal/daemon/controller/handlers/testing.go b/internal/daemon/controller/handlers/testing.go index a76c50693f..371b4402cf 100644 --- a/internal/daemon/controller/handlers/testing.go +++ b/internal/daemon/controller/handlers/testing.go @@ -8,17 +8,13 @@ import ( "github.com/stretchr/testify/require" "golang.org/x/exp/slices" - "google.golang.org/protobuf/reflect/protoreflect" + "google.golang.org/protobuf/proto" ) -type protoReflector interface { - ProtoReflect() protoreflect.Message -} - // assertOutputFields asserts that the output fields of a group match the expected fields // fields that is nil or empty in the result will throw an error if they are listed in expectedFields // e.g. members when group does not contian any members -func AssertOutputFields(t *testing.T, p protoReflector, expectFields []string) { +func AssertOutputFields(t *testing.T, p proto.Message, expectFields []string) { msg := p.ProtoReflect() descriptor := msg.Descriptor() for i := 0; i < descriptor.Fields().Len(); i++ { From fb922ae2c1aa14b23def21bc04d5d4dedeb94ac9 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 19 Feb 2025 15:24:21 -0800 Subject: [PATCH 48/62] switch to hashicorp/go-uuid --- .../controller/handlers/groups/grants_test.go | 47 ++++++++++++------- 1 file changed, 31 insertions(+), 16 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 3fa7d5b402..46813e3db8 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -9,7 +9,6 @@ import ( "slices" "testing" - "github.com/google/uuid" "github.com/hashicorp/boundary/globals" "github.com/hashicorp/boundary/internal/auth/ldap" "github.com/hashicorp/boundary/internal/auth/oidc" @@ -23,6 +22,7 @@ import ( "github.com/hashicorp/boundary/internal/iam" "github.com/hashicorp/boundary/internal/kms" pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/groups" + "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/require" "google.golang.org/protobuf/types/known/fieldmaskpb" "google.golang.org/protobuf/types/known/wrapperspb" @@ -1432,6 +1432,11 @@ func TestOutputFields(t *testing.T) { repoFn := func() (*iam.Repository, error) { return iamRepo, nil } + genUuid := func() string { + u, _ := uuid.GenerateUUID() + return u + } + s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) testcases := []struct { @@ -1444,8 +1449,8 @@ func TestOutputFields(t *testing.T) { name: "grants name and description", input: &pbs.CreateGroupRequest{ Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: uuid.NewString()}, - Description: &wrapperspb.StringValue{Value: uuid.NewString()}, + Name: &wrapperspb.StringValue{Value: genUuid()}, + Description: &wrapperspb.StringValue{Value: genUuid()}, ScopeId: globals.GlobalPrefix, }, }, @@ -1462,8 +1467,8 @@ func TestOutputFields(t *testing.T) { name: "grants scope and scopeID", input: &pbs.CreateGroupRequest{ Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: uuid.NewString()}, - Description: &wrapperspb.StringValue{Value: uuid.NewString()}, + Name: &wrapperspb.StringValue{Value: genUuid()}, + Description: &wrapperspb.StringValue{Value: genUuid()}, ScopeId: globals.GlobalPrefix, }, }, @@ -1480,8 +1485,8 @@ func TestOutputFields(t *testing.T) { name: "grants update_time and create_time", input: &pbs.CreateGroupRequest{ Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: uuid.NewString()}, - Description: &wrapperspb.StringValue{Value: uuid.NewString()}, + Name: &wrapperspb.StringValue{Value: genUuid()}, + Description: &wrapperspb.StringValue{Value: genUuid()}, ScopeId: globals.GlobalPrefix, }, }, @@ -1498,8 +1503,8 @@ func TestOutputFields(t *testing.T) { name: "grants id, authorized_actions, version", input: &pbs.CreateGroupRequest{ Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: uuid.NewString()}, - Description: &wrapperspb.StringValue{Value: uuid.NewString()}, + Name: &wrapperspb.StringValue{Value: genUuid()}, + Description: &wrapperspb.StringValue{Value: genUuid()}, ScopeId: globals.GlobalPrefix, }, }, @@ -1516,8 +1521,8 @@ func TestOutputFields(t *testing.T) { name: "composite grants all fields", input: &pbs.CreateGroupRequest{ Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: uuid.NewString()}, - Description: &wrapperspb.StringValue{Value: uuid.NewString()}, + Name: &wrapperspb.StringValue{Value: genUuid()}, + Description: &wrapperspb.StringValue{Value: genUuid()}, ScopeId: globals.GlobalPrefix, }, }, @@ -1603,14 +1608,16 @@ func TestOutputFields(t *testing.T) { // this can be used across test cases because we're only testing for output fields, not the update behaviors inputFunc := func(t *testing.T) *pbs.UpdateGroupRequest { + name, _ := uuid.GenerateUUID() + desc, _ := uuid.GenerateUUID() globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u.PublicId) return &pbs.UpdateGroupRequest{ Id: globalGroupWithMember.PublicId, Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: uuid.NewString()}, - Description: &wrapperspb.StringValue{Value: uuid.NewString()}, + Name: &wrapperspb.StringValue{Value: name}, + Description: &wrapperspb.StringValue{Value: desc}, Version: globalGroupWithMember.Version, }, UpdateMask: &fieldmaskpb.FieldMask{ @@ -1755,7 +1762,9 @@ func TestOutputFields(t *testing.T) { // this can be used across test cases because we're only testing for output fields, not the update behaviors inputFunc := func(t *testing.T) *pbs.AddGroupMembersRequest { - globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(uuid.NewString()), iam.WithName(uuid.NewString())) + name, _ := uuid.GenerateUUID() + desc, _ := uuid.GenerateUUID() + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(desc), iam.WithName(name)) u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) return &pbs.AddGroupMembersRequest{ Id: globalGroupWithMember.PublicId, @@ -1899,7 +1908,9 @@ func TestOutputFields(t *testing.T) { // this can be used across test cases because we're only testing for output fields, not the update behaviors inputFunc := func(t *testing.T) *pbs.SetGroupMembersRequest { - globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(uuid.NewString()), iam.WithName(uuid.NewString())) + name, _ := uuid.GenerateUUID() + desc, _ := uuid.GenerateUUID() + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(desc), iam.WithName(name)) u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) return &pbs.SetGroupMembersRequest{ Id: globalGroupWithMember.PublicId, @@ -1908,6 +1919,7 @@ func TestOutputFields(t *testing.T) { } } s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) testcases := []struct { name string userFunc func() (*iam.User, string) @@ -2042,7 +2054,9 @@ func TestOutputFields(t *testing.T) { // this can be used across test cases because we're only testing for output fields, not the update behaviors inputFunc := func(t *testing.T) *pbs.RemoveGroupMembersRequest { - globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(uuid.NewString()), iam.WithName(uuid.NewString())) + name, _ := uuid.GenerateUUID() + desc, _ := uuid.GenerateUUID() + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(desc), iam.WithName(name)) // create 2 users and remove one so the tests can differentiate between the group without members vs. having no access to read members u1 := iam.TestUser(t, iamRepo, globals.GlobalPrefix) u2 := iam.TestUser(t, iamRepo, globals.GlobalPrefix) @@ -2055,6 +2069,7 @@ func TestOutputFields(t *testing.T) { } } s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) testcases := []struct { name string userFunc func() (*iam.User, string) From 666d0446938896834661b64a6e94358cf3cc7dfa Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 19 Feb 2025 17:04:10 -0800 Subject: [PATCH 49/62] fix typo --- internal/daemon/controller/handlers/testing.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/daemon/controller/handlers/testing.go b/internal/daemon/controller/handlers/testing.go index 371b4402cf..94b9e587cb 100644 --- a/internal/daemon/controller/handlers/testing.go +++ b/internal/daemon/controller/handlers/testing.go @@ -11,9 +11,9 @@ import ( "google.golang.org/protobuf/proto" ) -// assertOutputFields asserts that the output fields of a group match the expected fields +// AssertOutputFields asserts that the output fields of a group match the expected fields // fields that is nil or empty in the result will throw an error if they are listed in expectedFields -// e.g. members when group does not contian any members +// e.g. members when group does not contain any members func AssertOutputFields(t *testing.T, p proto.Message, expectFields []string) { msg := p.ProtoReflect() descriptor := msg.Descriptor() From 3024650ab1319f159531e8dbf5849b793b01bed0 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 25 Feb 2025 09:59:16 -0800 Subject: [PATCH 50/62] fix error message --- internal/daemon/controller/handlers/testing.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/daemon/controller/handlers/testing.go b/internal/daemon/controller/handlers/testing.go index 94b9e587cb..5941293052 100644 --- a/internal/daemon/controller/handlers/testing.go +++ b/internal/daemon/controller/handlers/testing.go @@ -24,6 +24,6 @@ func AssertOutputFields(t *testing.T, p proto.Message, expectFields []string) { require.Falsef(t, msg.Has(fd), "expect field '%s' to be empty but got %+v", fd.Name(), msg.Get(fd).Interface()) continue } - require.Truef(t, msg.Has(fd), "expect field '%s' to be empty but got %+v", fd.Name(), msg.Get(fd).Interface()) + require.Truef(t, msg.Has(fd), "expect field '%s' NOT be empty but got %+v", fd.Name(), msg.Get(fd).Interface()) } } From 34437f93eae7fce353f5f929c8998ae9d9ec52f7 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 25 Feb 2025 10:03:12 -0800 Subject: [PATCH 51/62] id= to ids= --- .../controller/handlers/groups/grants_test.go | 210 +++++++++--------- 1 file changed, 105 insertions(+), 105 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 46813e3db8..5b8966f2eb 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -89,7 +89,7 @@ func TestGrants_ReadActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -136,7 +136,7 @@ func TestGrants_ReadActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }), @@ -264,7 +264,7 @@ func TestGrants_ReadActions(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -281,7 +281,7 @@ func TestGrants_ReadActions(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -298,7 +298,7 @@ func TestGrants_ReadActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeChildren}, }, }), @@ -315,7 +315,7 @@ func TestGrants_ReadActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeDescendants}, }, }), @@ -332,7 +332,7 @@ func TestGrants_ReadActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }), @@ -349,7 +349,7 @@ func TestGrants_ReadActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }), @@ -366,7 +366,7 @@ func TestGrants_ReadActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.GetPublicId(), - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -383,7 +383,7 @@ func TestGrants_ReadActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.GetPublicId(), - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeChildren}, }, }), @@ -400,7 +400,7 @@ func TestGrants_ReadActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.GetPublicId(), - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, }), @@ -417,7 +417,7 @@ func TestGrants_ReadActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: proj1.GetPublicId(), - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -563,7 +563,7 @@ func TestGrants_WriteActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }), @@ -581,7 +581,7 @@ func TestGrants_WriteActions(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }), @@ -599,7 +599,7 @@ func TestGrants_WriteActions(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }), @@ -617,7 +617,7 @@ func TestGrants_WriteActions(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }), @@ -635,7 +635,7 @@ func TestGrants_WriteActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeChildren}, }, }), @@ -699,7 +699,7 @@ func TestGrants_WriteActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }), @@ -710,7 +710,7 @@ func TestGrants_WriteActions(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeChildren}, }, }), @@ -755,7 +755,7 @@ func TestGrants_WriteActions(t *testing.T) { return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, }) @@ -799,7 +799,7 @@ func TestGrants_WriteActions(t *testing.T) { return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeChildren}, }, }) @@ -900,7 +900,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, }) @@ -948,12 +948,12 @@ func TestGrants_ChildResourcesActions(t *testing.T) { return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.PublicId, - Grants: []string{"id=*;type=*;actions=add-members"}, + Grants: []string{"ids=*;type=*;actions=add-members"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: org1.PublicId, - Grants: []string{"id=*;type=*;actions=set-members"}, + Grants: []string{"ids=*;type=*;actions=set-members"}, GrantScopes: []string{globals.GrantScopeThis}, }, }) @@ -1001,7 +1001,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: org2.PublicId, - Grants: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=add-members", group.PublicId)}, GrantScopes: []string{globals.GrantScopeThis}, }, }) @@ -1029,7 +1029,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, + Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=remove-members", group.PublicId)}, GrantScopes: []string{proj2.PublicId}, }, }) @@ -1055,7 +1055,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=add-members", group.PublicId)}, GrantScopes: []string{globals.GrantScopeDescendants}, }, }) @@ -1083,7 +1083,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=*;actions=*"}, + Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, }) @@ -1109,17 +1109,17 @@ func TestGrants_ChildResourcesActions(t *testing.T) { return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: proj2.PublicId, - Grants: []string{fmt.Sprintf("id=%s;types=group;actions=add-members", group.PublicId)}, + Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=add-members", group.PublicId)}, GrantScopes: []string{proj2.PublicId}, }, { RoleScopeID: proj2.PublicId, - Grants: []string{fmt.Sprintf("id=%s;types=group;actions=set-members", group.PublicId)}, + Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=set-members", group.PublicId)}, GrantScopes: []string{proj2.PublicId}, }, { RoleScopeID: proj2.PublicId, - Grants: []string{fmt.Sprintf("id=%s;types=group;actions=remove-members", group.PublicId)}, + Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=remove-members", group.PublicId)}, GrantScopes: []string{proj2.PublicId}, }, }) @@ -1224,7 +1224,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id,name,description"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,name,description"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }), @@ -1239,7 +1239,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id,scope,scope_id,authorized_actions"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,scope,scope_id,authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }), @@ -1254,7 +1254,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id,updated_time,created_time,members,member_ids"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,updated_time,created_time,members,member_ids"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }), @@ -1269,17 +1269,17 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id,name,description"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id,scope,scope_id,created_time,updated_time"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,scope,scope_id,created_time,updated_time"}, GrantScopes: []string{globals.GrantScopeChildren}, }, { RoleScopeID: proj.PublicId, - Grants: []string{"id=*;type=group;actions=*;output_fields=id,authorized_actions"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions"}, GrantScopes: []string{proj.PublicId}, }, }), @@ -1336,7 +1336,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=read;output_fields=name,description"}, + Grants: []string{"ids=*;type=group;actions=read;output_fields=name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1347,7 +1347,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=read;output_fields=scope,scope_id"}, + Grants: []string{"ids=*;type=group;actions=read;output_fields=scope,scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1358,7 +1358,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=read;output_fields=updated_time,created_time"}, + Grants: []string{"ids=*;type=group;actions=read;output_fields=updated_time,created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1369,7 +1369,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=read;output_fields=id,authorized_actions,version"}, + Grants: []string{"ids=*;type=group;actions=read;output_fields=id,authorized_actions,version"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1380,7 +1380,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=read;output_fields=members,member_ids"}, + Grants: []string{"ids=*;type=group;actions=read;output_fields=members,member_ids"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1391,17 +1391,17 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=read;output_fields=id"}, + Grants: []string{"ids=*;type=group;actions=read;output_fields=id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=read;output_fields=member_ids"}, + Grants: []string{"ids=*;type=group;actions=read;output_fields=member_ids"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=read;output_fields=authorized_actions"}, + Grants: []string{"ids=*;type=group;actions=read;output_fields=authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1457,7 +1457,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=name,description"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1475,7 +1475,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope,scope_id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1493,7 +1493,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=updated_time,created_time"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1511,7 +1511,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1529,42 +1529,42 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope_id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=name"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=description"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=created_time"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=authorized_actions"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=version"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1638,7 +1638,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=name,description"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1649,7 +1649,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope,scope_id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1661,7 +1661,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=updated_time,created_time"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1672,7 +1672,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1683,42 +1683,42 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope_id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=name"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=description"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=created_time"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=authorized_actions"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=version"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1784,7 +1784,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=name,description"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1795,7 +1795,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope,scope_id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1807,7 +1807,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=updated_time,created_time"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1818,7 +1818,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1829,42 +1829,42 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope_id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=name"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=description"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=created_time"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=authorized_actions"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=version"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1930,7 +1930,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=name,description"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1941,7 +1941,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope,scope_id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1953,7 +1953,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=updated_time,created_time"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1964,7 +1964,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -1975,42 +1975,42 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope_id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=name"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=description"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=created_time"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=authorized_actions"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=version"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -2080,7 +2080,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=name,description"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -2091,7 +2091,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope,scope_id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -2103,7 +2103,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=updated_time,created_time"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -2114,7 +2114,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), @@ -2125,42 +2125,42 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=scope_id"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=name"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=description"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=created_time"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=authorized_actions"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis}, }, { RoleScopeID: globals.GlobalPrefix, - Grants: []string{"id=*;type=group;actions=*;output_fields=version"}, + Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, GrantScopes: []string{globals.GrantScopeThis}, }, }), From a10a4d7095cf06fd5dbaebdabad04242ae56e016 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 25 Feb 2025 19:02:38 -0800 Subject: [PATCH 52/62] make generating test accounts more randomized --- internal/auth/ldap/testing.go | 10 +++++++--- internal/auth/oidc/testing.go | 7 +++++-- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/internal/auth/ldap/testing.go b/internal/auth/ldap/testing.go index cea3dc3e2e..c0900fef74 100644 --- a/internal/auth/ldap/testing.go +++ b/internal/auth/ldap/testing.go @@ -12,6 +12,7 @@ import ( "crypto/x509/pkix" "encoding/json" "encoding/pem" + "fmt" "math/big" "net" "net/url" @@ -22,6 +23,7 @@ import ( "github.com/hashicorp/boundary/internal/db" "github.com/hashicorp/boundary/internal/kms" wrapping "github.com/hashicorp/go-kms-wrapping/v2" + "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/require" ) @@ -181,12 +183,14 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, loginName string, op func TestAccountFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) func() (managedGroupID string, accountID string) { return func() (string, string) { t.Helper() + uuid, err := uuid.GenerateUUID() + require.NoError(t, err) ctx := context.Background() databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeID, kms.KeyPurposeDatabase) require.NoError(t, err) - am := TestAuthMethod(t, conn, databaseWrapper, scopeID, []string{"ldap://testldap"}) - managedGroup := TestManagedGroup(t, conn, am, []string{"test-group"}) - acct := TestAccount(t, conn, am, "testacct", WithMemberOfGroups(ctx, "test-group")) + am := TestAuthMethod(t, conn, databaseWrapper, scopeID, []string{fmt.Sprintf("ldap://%s", uuid)}) + managedGroup := TestManagedGroup(t, conn, am, []string{uuid}) + acct := TestAccount(t, conn, am, "testacct", WithMemberOfGroups(ctx, uuid)) return managedGroup.PublicId, acct.PublicId } } diff --git a/internal/auth/oidc/testing.go b/internal/auth/oidc/testing.go index ce6976fb4a..f7efb758ea 100644 --- a/internal/auth/oidc/testing.go +++ b/internal/auth/oidc/testing.go @@ -32,6 +32,7 @@ import ( "github.com/hashicorp/boundary/internal/kms" "github.com/hashicorp/cap/oidc" wrapping "github.com/hashicorp/go-kms-wrapping/v2" + "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/require" "google.golang.org/protobuf/types/known/timestamppb" ) @@ -197,13 +198,15 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, subject string, opt func TestAccountFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) func() (managedGroupID string, accountID string) { return func() (string, string) { t.Helper() + uuid, err := uuid.GenerateUUID() + require.NoError(t, err) databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeID, kms.KeyPurposeDatabase) require.NoError(t, err) testAuthMethod := TestAuthMethod(t, conn, databaseWrapper, scopeID, ActivePublicState, "alice-rp", "fido", - WithIssuer(TestConvertToUrls(t, "https://alice.com")[0]), + WithIssuer(TestConvertToUrls(t, fmt.Sprintf("https://%s.com", uuid))[0]), WithSigningAlgs(Alg(oidc.RS256)), - WithApiUrl(TestConvertToUrls(t, "https://alice.com/callback")[0])) + WithApiUrl(TestConvertToUrls(t, fmt.Sprintf("https://%s.com/callback", uuid))[0])) account := TestAccount(t, conn, testAuthMethod, "testacct") managedGroup := TestManagedGroup(t, conn, testAuthMethod, `"/token/sub" matches ".*"`) TestManagedGroupMember(t, conn, managedGroup.PublicId, account.PublicId) From 0a8c05412daaf79248e97a0d090b7d68a365c160 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 26 Feb 2025 09:48:14 -0800 Subject: [PATCH 53/62] Trigger CI checks From 377031017569751ed909fe02c05545524f87285b Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 5 Mar 2025 11:32:37 -0800 Subject: [PATCH 54/62] refactor auth/iam grants test setup --- internal/auth/ldap/testing.go | 29 ++-- internal/auth/oidc/testing.go | 37 +++-- internal/auth/password/testing.go | 20 ++- internal/auth/testing.go | 4 + .../controller/handlers/groups/grants_test.go | 150 +++++++++--------- internal/iam/testing.go | 21 +-- 6 files changed, 131 insertions(+), 130 deletions(-) diff --git a/internal/auth/ldap/testing.go b/internal/auth/ldap/testing.go index c0900fef74..207597b69a 100644 --- a/internal/auth/ldap/testing.go +++ b/internal/auth/ldap/testing.go @@ -20,6 +20,7 @@ import ( "testing" "time" + "github.com/hashicorp/boundary/internal/auth" "github.com/hashicorp/boundary/internal/db" "github.com/hashicorp/boundary/internal/kms" wrapping "github.com/hashicorp/go-kms-wrapping/v2" @@ -178,21 +179,19 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, loginName string, op return a } -// TestAccountFunc returns a function that creates an LDAP auth method, a managed group, and an account in that method which -// is also a member of the created ManagedGroup. The function returns the public ID of the managed group and the account. -func TestAccountFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) func() (managedGroupID string, accountID string) { - return func() (string, string) { - t.Helper() - uuid, err := uuid.GenerateUUID() - require.NoError(t, err) - ctx := context.Background() - databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeID, kms.KeyPurposeDatabase) - require.NoError(t, err) - am := TestAuthMethod(t, conn, databaseWrapper, scopeID, []string{fmt.Sprintf("ldap://%s", uuid)}) - managedGroup := TestManagedGroup(t, conn, am, []string{uuid}) - acct := TestAccount(t, conn, am, "testacct", WithMemberOfGroups(ctx, uuid)) - return managedGroup.PublicId, acct.PublicId - } +// TestAuthMethodWithAccountInManagedGroup creates an authMethod, and an account within that authmethod, an +// LDAP managed group, and add the newly created account as a member of the LDAP managed group. +func TestAuthMethodWithAccountInManagedGroup(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) (auth.AuthMethod, auth.Account, auth.ManagedGroup) { + t.Helper() + uuid, err := uuid.GenerateUUID() + require.NoError(t, err) + ctx := context.Background() + databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeID, kms.KeyPurposeDatabase) + require.NoError(t, err) + am := TestAuthMethod(t, conn, databaseWrapper, scopeID, []string{fmt.Sprintf("ldap://%s", uuid)}) + managedGroup := TestManagedGroup(t, conn, am, []string{uuid}) + acct := TestAccount(t, conn, am, "testacct", WithMemberOfGroups(ctx, uuid)) + return am, acct, managedGroup } // TestManagedGroup creates a test ldap managed group. diff --git a/internal/auth/oidc/testing.go b/internal/auth/oidc/testing.go index f7efb758ea..c1263e8ca3 100644 --- a/internal/auth/oidc/testing.go +++ b/internal/auth/oidc/testing.go @@ -24,6 +24,7 @@ import ( "testing" "time" + "github.com/hashicorp/boundary/internal/auth" "github.com/hashicorp/boundary/internal/auth/oidc/request" "github.com/hashicorp/boundary/internal/authtoken" "github.com/hashicorp/boundary/internal/db" @@ -193,25 +194,23 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, subject string, opt return a } -// TestAccountFunc returns a function that creates an OIDC auth method, an account on that auth method, and an OIDC managed group -// which has a filter that matches the account's subject. The function returns the managed group's public ID and the account's public ID. -func TestAccountFunc(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) func() (managedGroupID string, accountID string) { - return func() (string, string) { - t.Helper() - uuid, err := uuid.GenerateUUID() - require.NoError(t, err) - databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeID, kms.KeyPurposeDatabase) - require.NoError(t, err) - testAuthMethod := TestAuthMethod(t, conn, databaseWrapper, scopeID, ActivePublicState, - "alice-rp", "fido", - WithIssuer(TestConvertToUrls(t, fmt.Sprintf("https://%s.com", uuid))[0]), - WithSigningAlgs(Alg(oidc.RS256)), - WithApiUrl(TestConvertToUrls(t, fmt.Sprintf("https://%s.com/callback", uuid))[0])) - account := TestAccount(t, conn, testAuthMethod, "testacct") - managedGroup := TestManagedGroup(t, conn, testAuthMethod, `"/token/sub" matches ".*"`) - TestManagedGroupMember(t, conn, managedGroup.PublicId, account.PublicId) - return managedGroup.PublicId, account.PublicId - } +// TestAuthMethodWithAccountInManagedGroup creates an authMethod, and an account within that authmethod, an +// OIDC managed group, and add the newly created account as a member of the OIDC managed group. +func TestAuthMethodWithAccountInManagedGroup(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) (auth.AuthMethod, auth.Account, auth.ManagedGroup) { + t.Helper() + uuid, err := uuid.GenerateUUID() + require.NoError(t, err) + databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeID, kms.KeyPurposeDatabase) + require.NoError(t, err) + testAuthMethod := TestAuthMethod(t, conn, databaseWrapper, scopeID, ActivePublicState, + "alice-rp", "fido", + WithIssuer(TestConvertToUrls(t, fmt.Sprintf("https://%s.com", uuid))[0]), + WithSigningAlgs(Alg(oidc.RS256)), + WithApiUrl(TestConvertToUrls(t, fmt.Sprintf("https://%s.com/callback", uuid))[0])) + account := TestAccount(t, conn, testAuthMethod, "testacct") + managedGroup := TestManagedGroup(t, conn, testAuthMethod, `"/token/sub" matches ".*"`) + TestManagedGroupMember(t, conn, managedGroup.PublicId, account.PublicId) + return testAuthMethod, account, managedGroup } // TestManagedGroup creates a test oidc managed group. diff --git a/internal/auth/password/testing.go b/internal/auth/password/testing.go index dbd67ff504..275acfe630 100644 --- a/internal/auth/password/testing.go +++ b/internal/auth/password/testing.go @@ -9,6 +9,7 @@ import ( "testing" "github.com/hashicorp/boundary/globals" + "github.com/hashicorp/boundary/internal/auth" "github.com/hashicorp/boundary/internal/db" "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/assert" @@ -73,17 +74,14 @@ func TestMultipleAccounts(t testing.TB, conn *db.DB, authMethodId string, count return auts } -// TestAccountFunc returns a function that creates auth method and an account in that auth method -// which returns the created account ID in a slice -// This is used to normalize account creation across multiple auth method types -func TestAccountFunc(t testing.TB, conn *db.DB) func() string { - return func() string { - authMethod := TestAuthMethod(t, conn, globals.GlobalPrefix) - loginName, err := uuid.GenerateUUID() - require.NoError(t, err) - acct := TestAccount(t, conn, authMethod.GetPublicId(), loginName) - return acct.PublicId - } +// TestAuthMethodWithAccount creates an authMethod and an account within that authmethod +// returing both the AM and the account +func TestAuthMethodWithAccount(t *testing.T, conn *db.DB) (auth.AuthMethod, auth.Account) { + authMethod := TestAuthMethod(t, conn, globals.GlobalPrefix) + loginName, err := uuid.GenerateUUID() + require.NoError(t, err) + acct := TestAccount(t, conn, authMethod.GetPublicId(), loginName) + return authMethod, acct } // TestAccount creates a password account to the provided DB with the provided diff --git a/internal/auth/testing.go b/internal/auth/testing.go index 42297f7415..7f06f54280 100644 --- a/internal/auth/testing.go +++ b/internal/auth/testing.go @@ -10,6 +10,7 @@ import ( "github.com/hashicorp/boundary/internal/db" "github.com/hashicorp/boundary/internal/db/timestamp" + "github.com/hashicorp/boundary/internal/kms" "github.com/stretchr/testify/require" ) @@ -56,3 +57,6 @@ func TestManagedGroupMemberAccounts(t *testing.T, conn *db.DB, managedGroupId st TestSortManagedGroupMemberAccounts(t, mgmAccts) return mgmAccts } + +type TestAuthMethodWithAccountFunc func(t *testing.T, conn *db.DB) (AuthMethod, Account) +type TestAuthMethodWithAccountInManagedGroup func(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) (AuthMethod, Account, ManagedGroup) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 5b8966f2eb..530dbd1d9f 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -86,7 +86,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -101,7 +101,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=list,read"}, @@ -117,7 +117,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: org1.PublicId, Recursive: true, }, - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.PublicId, Grants: []string{"ids=*;type=group;actions=list,read"}, @@ -133,7 +133,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -149,7 +149,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: org2.PublicId, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -165,7 +165,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: org2.PublicId, Recursive: true, }, - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: org2.PublicId, Grants: []string{"ids=*;type=*;actions=*"}, @@ -181,7 +181,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{ @@ -199,7 +199,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read,list"}, @@ -220,7 +220,7 @@ func TestGrants_ReadActions(t *testing.T) { ScopeId: globals.GlobalPrefix, Recursive: true, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=target;actions=read,list"}, @@ -261,7 +261,7 @@ func TestGrants_ReadActions(t *testing.T) { }{ { name: "global role group grant this scope with all permissions", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -278,7 +278,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role group grant this scope with all permissions", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -295,7 +295,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant children scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -312,7 +312,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant descendant scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -329,7 +329,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and children scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -346,7 +346,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and descendant scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -363,7 +363,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant this scope with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.GetPublicId(), Grants: []string{"ids=*;type=*;actions=*"}, @@ -380,7 +380,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant children scope with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.GetPublicId(), Grants: []string{"ids=*;type=*;actions=*"}, @@ -397,7 +397,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "org1 role grant this and children scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.GetPublicId(), Grants: []string{"ids=*;type=*;actions=*"}, @@ -414,7 +414,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "proj1 role grant this scope with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: proj1.GetPublicId(), Grants: []string{"ids=*;type=*;actions=*"}, @@ -431,7 +431,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and descendant scope with read permissions on specific group", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{fmt.Sprintf("ids=%s;types=group ;actions=read", org1Group.PublicId)}, @@ -448,7 +448,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "global role grant this and specific scopes with read permissions on specific group", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{ @@ -468,7 +468,7 @@ func TestGrants_ReadActions(t *testing.T) { }, { name: "union multiple role grant specific resources permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{ @@ -560,7 +560,7 @@ func TestGrants_WriteActions(t *testing.T) { }{ { name: "direct grant all can create all", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -578,7 +578,7 @@ func TestGrants_WriteActions(t *testing.T) { }, { name: "groups grant all can create all", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -596,7 +596,7 @@ func TestGrants_WriteActions(t *testing.T) { }, { name: "ldap grant all can create all", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -614,7 +614,7 @@ func TestGrants_WriteActions(t *testing.T) { }, { name: "oidc grant all can create all", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -632,7 +632,7 @@ func TestGrants_WriteActions(t *testing.T) { }, { name: "grant children can only create in orgs", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -696,7 +696,7 @@ func TestGrants_WriteActions(t *testing.T) { }{ { name: "grant all can delete all", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -707,7 +707,7 @@ func TestGrants_WriteActions(t *testing.T) { }, { name: "grant children can only delete in orgs", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -752,7 +752,7 @@ func TestGrants_WriteActions(t *testing.T) { name: "global_scope_group_good_grant_success", setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) - return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -767,7 +767,7 @@ func TestGrants_WriteActions(t *testing.T) { setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) { _, proj := iam.TestScopes(t, iamRepo) g := iam.TestGroup(t, conn, proj.PublicId) - return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -782,7 +782,7 @@ func TestGrants_WriteActions(t *testing.T) { setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) { _, proj := iam.TestScopes(t, iamRepo) g := iam.TestGroup(t, conn, proj.PublicId) - return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=*", g.PublicId)}, @@ -796,7 +796,7 @@ func TestGrants_WriteActions(t *testing.T) { name: "no grant fails update", setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) - return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -897,7 +897,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, globals.GlobalPrefix) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -945,7 +945,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { name: "only add and set allowed fail to remove", setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, org1.PublicId) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: org1.PublicId, Grants: []string{"ids=*;type=*;actions=add-members"}, @@ -998,7 +998,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { name: "add_member_valid_specific_grant_success", setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, org2.PublicId) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: org2.PublicId, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=add-members", group.PublicId)}, @@ -1026,7 +1026,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { group := iam.TestGroup(t, conn, proj2.PublicId) iam.TestGroupMember(t, conn, group.PublicId, org2Users[0].PublicId) iam.TestGroupMember(t, conn, group.PublicId, org2Users[1].PublicId) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=remove-members", group.PublicId)}, @@ -1052,7 +1052,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { name: "cross_scope_add_member_valid_specific_grant_success", setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, proj3.PublicId) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=add-members", group.PublicId)}, @@ -1080,7 +1080,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { name: "add_member_with_valid_grant_string_invalid_scope_forbidden_error", setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, org2.PublicId) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, @@ -1106,7 +1106,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { name: "multiple_grants_success", setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { group := iam.TestGroup(t, conn, proj2.PublicId) - return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: proj2.PublicId, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=add-members", group.PublicId)}, @@ -1221,7 +1221,7 @@ func TestOutputFields(t *testing.T) { }{ { name: "grants name, version, description", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,name,description"}, @@ -1236,7 +1236,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants scope, scopeID, authorized_actions", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,scope,scope_id,authorized_actions"}, @@ -1251,7 +1251,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants update_time, create_time", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,updated_time,created_time,members,member_ids"}, @@ -1266,7 +1266,7 @@ func TestOutputFields(t *testing.T) { }, { name: "different output_fields for different scope", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,name,description"}, @@ -1333,7 +1333,7 @@ func TestOutputFields(t *testing.T) { }{ { name: "grants name and description", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=name,description"}, @@ -1344,7 +1344,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants scope and scopeID", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=scope,scope_id"}, @@ -1355,7 +1355,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants update_time and create_time", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=updated_time,created_time"}, @@ -1366,7 +1366,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants id, authorized_actions, version", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=id,authorized_actions,version"}, @@ -1377,7 +1377,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants members, member_id", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=members,member_ids"}, @@ -1388,7 +1388,7 @@ func TestOutputFields(t *testing.T) { }, { name: "composite grants id, authorized_actions, member_ids", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=id"}, @@ -1454,7 +1454,7 @@ func TestOutputFields(t *testing.T) { ScopeId: globals.GlobalPrefix, }, }, - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, @@ -1472,7 +1472,7 @@ func TestOutputFields(t *testing.T) { ScopeId: globals.GlobalPrefix, }, }, - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, @@ -1490,7 +1490,7 @@ func TestOutputFields(t *testing.T) { ScopeId: globals.GlobalPrefix, }, }, - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, @@ -1508,7 +1508,7 @@ func TestOutputFields(t *testing.T) { ScopeId: globals.GlobalPrefix, }, }, - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, @@ -1526,7 +1526,7 @@ func TestOutputFields(t *testing.T) { ScopeId: globals.GlobalPrefix, }, }, - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, @@ -1635,7 +1635,7 @@ func TestOutputFields(t *testing.T) { }{ { name: "grants name and description", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, @@ -1646,7 +1646,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants scope and scopeID", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, @@ -1658,7 +1658,7 @@ func TestOutputFields(t *testing.T) { { name: "grants update_time and create_time", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, @@ -1669,7 +1669,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants id, authorized_actions, version", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, @@ -1680,7 +1680,7 @@ func TestOutputFields(t *testing.T) { }, { name: "composite grants all fields", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, @@ -1781,7 +1781,7 @@ func TestOutputFields(t *testing.T) { }{ { name: "grants name and description", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, @@ -1792,7 +1792,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants scope and scopeID", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, @@ -1804,7 +1804,7 @@ func TestOutputFields(t *testing.T) { { name: "grants update_time and create_time", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, @@ -1815,7 +1815,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants id, authorized_actions, version", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, @@ -1826,7 +1826,7 @@ func TestOutputFields(t *testing.T) { }, { name: "composite grants all fields", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, @@ -1927,7 +1927,7 @@ func TestOutputFields(t *testing.T) { }{ { name: "grants name and description", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, @@ -1938,7 +1938,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants scope and scopeID", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, @@ -1950,7 +1950,7 @@ func TestOutputFields(t *testing.T) { { name: "grants update_time and create_time", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, @@ -1961,7 +1961,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants id, authorized_actions, version", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, @@ -1972,7 +1972,7 @@ func TestOutputFields(t *testing.T) { }, { name: "composite grants all fields", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, @@ -2077,7 +2077,7 @@ func TestOutputFields(t *testing.T) { }{ { name: "grants name and description", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, @@ -2088,7 +2088,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants scope and scopeID", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, @@ -2100,7 +2100,7 @@ func TestOutputFields(t *testing.T) { { name: "grants update_time and create_time", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAccountFunc(t, conn, kmsCache, globals.GlobalPrefix), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, @@ -2111,7 +2111,7 @@ func TestOutputFields(t *testing.T) { }, { name: "grants id, authorized_actions, version", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, @@ -2122,7 +2122,7 @@ func TestOutputFields(t *testing.T) { }, { name: "composite grants all fields", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAccountFunc(t, conn), []iam.TestRoleGrantsRequest{ + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeID: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, diff --git a/internal/iam/testing.go b/internal/iam/testing.go index 0605a71763..fb0282aee9 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -9,6 +9,7 @@ import ( "testing" "github.com/hashicorp/boundary/globals" + "github.com/hashicorp/boundary/internal/auth" "github.com/hashicorp/boundary/internal/auth/store" "github.com/hashicorp/boundary/internal/db" dbassert "github.com/hashicorp/boundary/internal/db/assert" @@ -361,7 +362,7 @@ func TestUserManagedGroupGrantsFunc( conn *db.DB, kmsCache *kms.Kms, scopeID string, - managedGroupAccountSetupFunc func() (string, string), + managedGroupAccountSetupFunc auth.TestAuthMethodWithAccountInManagedGroup, testRoleGrants []TestRoleGrantsRequest, ) func() (*User, string) { return func() (*User, string) { @@ -370,11 +371,11 @@ func TestUserManagedGroupGrantsFunc( rw := db.New(conn) repo, err := NewRepository(ctx, rw, rw, kmsCache) require.NoError(t, err) - managedGroupID, accountID := managedGroupAccountSetupFunc() - user := TestUser(t, repo, scopeID, WithAccountIds(accountID)) + _, account, mg := managedGroupAccountSetupFunc(t, conn, kmsCache, scopeID) + user := TestUser(t, repo, scopeID, WithAccountIds(account.GetPublicId())) for _, trg := range testRoleGrants { role := TestRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) - _ = TestManagedGroupRole(t, conn, role.PublicId, managedGroupID) + _ = TestManagedGroupRole(t, conn, role.PublicId, mg.GetPublicId()) } user, acctIDs, err := repo.LookupUser(ctx, user.PublicId) require.NoError(t, err) @@ -391,17 +392,17 @@ func TestUserDirectGrantsFunc( conn *db.DB, kmsCache *kms.Kms, scopeID string, - accountIDFunc func() string, + setupFunc auth.TestAuthMethodWithAccountFunc, testRoleGrants []TestRoleGrantsRequest, ) func() (*User, string) { return func() (*User, string) { t.Helper() - accountID := accountIDFunc() + _, account := setupFunc(t, conn) ctx := context.Background() rw := db.New(conn) repo, err := NewRepository(ctx, rw, rw, kmsCache) require.NoError(t, err) - user := TestUser(t, repo, scopeID, WithAccountIds(accountID)) + user := TestUser(t, repo, scopeID, WithAccountIds(account.GetPublicId())) require.NoError(t, err) for _, trg := range testRoleGrants { role := TestRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) @@ -423,12 +424,12 @@ func TestUserGroupGrantsFunc( conn *db.DB, kmsCache *kms.Kms, scopeID string, - accountIDFunc func() string, + setupFunc auth.TestAuthMethodWithAccountFunc, testRoleGrants []TestRoleGrantsRequest, ) func() (*User, string) { return func() (*User, string) { t.Helper() - accountID := accountIDFunc() + _, account := setupFunc(t, conn) ctx := context.Background() rw := db.New(conn) repo, err := NewRepository(ctx, rw, rw, kmsCache) @@ -443,7 +444,7 @@ func TestUserGroupGrantsFunc( require.NoError(t, err) group := TestGroup(t, conn, scopeID) require.NoError(t, err) - user := TestUser(t, repo, scopeID, WithAccountIds(accountID)) + user := TestUser(t, repo, scopeID, WithAccountIds(account.GetPublicId())) for _, trg := range testRoleGrants { role := TestRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) _ = TestGroupRole(t, conn, role.PublicId, group.PublicId) From bb6e262436522f7f33384b89b0b9b85e47298abc Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 5 Mar 2025 12:12:01 -0800 Subject: [PATCH 55/62] move a test to _test package --- internal/auth/db_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/auth/db_test.go b/internal/auth/db_test.go index 08cec1940c..932dc2cfdc 100644 --- a/internal/auth/db_test.go +++ b/internal/auth/db_test.go @@ -1,7 +1,7 @@ // Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: BUSL-1.1 -package auth +package auth_test import ( "context" From ce78b6835b25299d29a162a67b6fb14bb81f2c14 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 5 Mar 2025 12:17:17 -0800 Subject: [PATCH 56/62] lint --- internal/auth/testing.go | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/internal/auth/testing.go b/internal/auth/testing.go index 7f06f54280..0cb6e30e51 100644 --- a/internal/auth/testing.go +++ b/internal/auth/testing.go @@ -14,6 +14,11 @@ import ( "github.com/stretchr/testify/require" ) +type ( + TestAuthMethodWithAccountFunc func(t *testing.T, conn *db.DB) (AuthMethod, Account) + TestAuthMethodWithAccountInManagedGroup func(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) (AuthMethod, Account, ManagedGroup) +) + // ManagedGroupMemberAccount represents an entry from // auth_managed_group_member_account. These are used to determine the account // ids where are a member of managed groups. See: oidc and ldap managed groups @@ -57,6 +62,3 @@ func TestManagedGroupMemberAccounts(t *testing.T, conn *db.DB, managedGroupId st TestSortManagedGroupMemberAccounts(t, mgmAccts) return mgmAccts } - -type TestAuthMethodWithAccountFunc func(t *testing.T, conn *db.DB) (AuthMethod, Account) -type TestAuthMethodWithAccountInManagedGroup func(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) (AuthMethod, Account, ManagedGroup) From dcb616e6be0ba1e6f2b7c26db3846c8fa51f43c8 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 5 Mar 2025 12:17:44 -0800 Subject: [PATCH 57/62] minor comment fix --- internal/daemon/controller/handlers/groups/grants_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 530dbd1d9f..bb3ab9d789 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -851,7 +851,7 @@ func TestGrants_WriteActions(t *testing.T) { }) } -// TestGroupMember tests actions performed on the group-members (child-resources) +// TestGrants_ChildResourcesActions tests actions performed on the group-members (child-resources) func TestGrants_ChildResourcesActions(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") From f38167d202848b01edf4103394e5c644138f91d5 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 5 Mar 2025 15:26:12 -0800 Subject: [PATCH 58/62] use Id instead of ID --- internal/auth/ldap/testing.go | 6 +- internal/auth/oidc/testing.go | 6 +- internal/auth/testing.go | 2 +- internal/authtoken/testing.go | 4 +- .../handlers/accounts/grants_test.go | 4 +- .../handlers/aliases/grants_test.go | 4 +- .../handlers/authmethods/grants_test.go | 8 +- .../handlers/authtokens/grants_test.go | 4 +- .../credentiallibraries/grants_test.go | 4 +- .../handlers/credentials/grants_test.go | 6 +- .../handlers/credentialstores/grants_test.go | 6 +- .../controller/handlers/groups/grants_test.go | 278 +++++++++--------- .../handlers/host_catalogs/grants_test.go | 6 +- .../handlers/host_sets/grants_test.go | 6 +- .../controller/handlers/hosts/grants_test.go | 6 +- .../handlers/managed_groups/grants_test.go | 4 +- .../controller/handlers/roles/grants_test.go | 4 +- .../controller/handlers/scopes/grants_test.go | 4 +- .../handlers/targets/tcp/grants_test.go | 4 +- .../daemon/controller/handlers/testing.go | 4 +- .../controller/handlers/users/grants_test.go | 22 +- .../handlers/workers/grants_test.go | 4 +- internal/iam/testing.go | 30 +- 23 files changed, 213 insertions(+), 213 deletions(-) diff --git a/internal/auth/ldap/testing.go b/internal/auth/ldap/testing.go index 207597b69a..417bda9c21 100644 --- a/internal/auth/ldap/testing.go +++ b/internal/auth/ldap/testing.go @@ -181,14 +181,14 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, loginName string, op // TestAuthMethodWithAccountInManagedGroup creates an authMethod, and an account within that authmethod, an // LDAP managed group, and add the newly created account as a member of the LDAP managed group. -func TestAuthMethodWithAccountInManagedGroup(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) (auth.AuthMethod, auth.Account, auth.ManagedGroup) { +func TestAuthMethodWithAccountInManagedGroup(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeId string) (auth.AuthMethod, auth.Account, auth.ManagedGroup) { t.Helper() uuid, err := uuid.GenerateUUID() require.NoError(t, err) ctx := context.Background() - databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeID, kms.KeyPurposeDatabase) + databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeId, kms.KeyPurposeDatabase) require.NoError(t, err) - am := TestAuthMethod(t, conn, databaseWrapper, scopeID, []string{fmt.Sprintf("ldap://%s", uuid)}) + am := TestAuthMethod(t, conn, databaseWrapper, scopeId, []string{fmt.Sprintf("ldap://%s", uuid)}) managedGroup := TestManagedGroup(t, conn, am, []string{uuid}) acct := TestAccount(t, conn, am, "testacct", WithMemberOfGroups(ctx, uuid)) return am, acct, managedGroup diff --git a/internal/auth/oidc/testing.go b/internal/auth/oidc/testing.go index c1263e8ca3..3d0876532b 100644 --- a/internal/auth/oidc/testing.go +++ b/internal/auth/oidc/testing.go @@ -196,13 +196,13 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, subject string, opt // TestAuthMethodWithAccountInManagedGroup creates an authMethod, and an account within that authmethod, an // OIDC managed group, and add the newly created account as a member of the OIDC managed group. -func TestAuthMethodWithAccountInManagedGroup(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) (auth.AuthMethod, auth.Account, auth.ManagedGroup) { +func TestAuthMethodWithAccountInManagedGroup(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeId string) (auth.AuthMethod, auth.Account, auth.ManagedGroup) { t.Helper() uuid, err := uuid.GenerateUUID() require.NoError(t, err) - databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeID, kms.KeyPurposeDatabase) + databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeId, kms.KeyPurposeDatabase) require.NoError(t, err) - testAuthMethod := TestAuthMethod(t, conn, databaseWrapper, scopeID, ActivePublicState, + testAuthMethod := TestAuthMethod(t, conn, databaseWrapper, scopeId, ActivePublicState, "alice-rp", "fido", WithIssuer(TestConvertToUrls(t, fmt.Sprintf("https://%s.com", uuid))[0]), WithSigningAlgs(Alg(oidc.RS256)), diff --git a/internal/auth/testing.go b/internal/auth/testing.go index 0cb6e30e51..86e80e5425 100644 --- a/internal/auth/testing.go +++ b/internal/auth/testing.go @@ -16,7 +16,7 @@ import ( type ( TestAuthMethodWithAccountFunc func(t *testing.T, conn *db.DB) (AuthMethod, Account) - TestAuthMethodWithAccountInManagedGroup func(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeID string) (AuthMethod, Account, ManagedGroup) + TestAuthMethodWithAccountInManagedGroup func(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeId string) (AuthMethod, Account, ManagedGroup) ) // ManagedGroupMemberAccount represents an entry from diff --git a/internal/authtoken/testing.go b/internal/authtoken/testing.go index 1748d8bd53..1956033b82 100644 --- a/internal/authtoken/testing.go +++ b/internal/authtoken/testing.go @@ -51,7 +51,7 @@ func TestAuthToken(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, opt // TestRoleGrantsForToken contains information used by TestAuthTokenWithRoles to create // roles and their associated grants (with grant scopes) type TestRoleGrantsForToken struct { - RoleScopeID string + RoleScopeId string GrantStrings []string GrantScopes []string } @@ -75,7 +75,7 @@ func TestAuthTokenWithRoles(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId str acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName) user := iam.TestUser(t, iamRepo, scopeId, iam.WithAccountIds(acct.GetPublicId())) for _, r := range roles { - role := iam.TestRoleWithGrants(t, conn, r.RoleScopeID, r.GrantScopes, r.GrantStrings) + role := iam.TestRoleWithGrants(t, conn, r.RoleScopeId, r.GrantScopes, r.GrantStrings) _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId) } fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId()) diff --git a/internal/daemon/controller/handlers/accounts/grants_test.go b/internal/daemon/controller/handlers/accounts/grants_test.go index 53fc16ce8a..e144c2a38b 100644 --- a/internal/daemon/controller/handlers/accounts/grants_test.go +++ b/internal/daemon/controller/handlers/accounts/grants_test.go @@ -61,7 +61,7 @@ func TestListPassword_Grants(t *testing.T) { }, roleRequest: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=*;actions=list,read"}, GrantScopes: []string{globals.GrantScopeChildren}, }, @@ -77,7 +77,7 @@ func TestListPassword_Grants(t *testing.T) { }, roleRequest: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org.GetPublicId(), + RoleScopeId: org.GetPublicId(), GrantStrings: []string{"ids=*;type=*;actions=list,read"}, GrantScopes: []string{globals.GrantScopeChildren}, }, diff --git a/internal/daemon/controller/handlers/aliases/grants_test.go b/internal/daemon/controller/handlers/aliases/grants_test.go index 81973163df..a0c496a6af 100644 --- a/internal/daemon/controller/handlers/aliases/grants_test.go +++ b/internal/daemon/controller/handlers/aliases/grants_test.go @@ -61,7 +61,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=alias;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -77,7 +77,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=group;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, diff --git a/internal/daemon/controller/handlers/authmethods/grants_test.go b/internal/daemon/controller/handlers/authmethods/grants_test.go index 02ebd550cc..219a858817 100644 --- a/internal/daemon/controller/handlers/authmethods/grants_test.go +++ b/internal/daemon/controller/handlers/authmethods/grants_test.go @@ -100,7 +100,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=auth-method;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -149,7 +149,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org1.PublicId, + RoleScopeId: org1.PublicId, GrantStrings: []string{"ids=*;type=auth-method;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -205,7 +205,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=auth-method;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -219,7 +219,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=auth-method;actions=list,read"}, GrantScopes: []string{globals.GrantScopeChildren}, }, diff --git a/internal/daemon/controller/handlers/authtokens/grants_test.go b/internal/daemon/controller/handlers/authtokens/grants_test.go index 2394c0b39f..8eb9305964 100644 --- a/internal/daemon/controller/handlers/authtokens/grants_test.go +++ b/internal/daemon/controller/handlers/authtokens/grants_test.go @@ -79,7 +79,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=auth-token;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -95,7 +95,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org1.PublicId, + RoleScopeId: org1.PublicId, GrantStrings: []string{"ids=*;type=auth-token;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, diff --git a/internal/daemon/controller/handlers/credentiallibraries/grants_test.go b/internal/daemon/controller/handlers/credentiallibraries/grants_test.go index 7e4a12ff0b..d9ec3e593c 100644 --- a/internal/daemon/controller/handlers/credentiallibraries/grants_test.go +++ b/internal/daemon/controller/handlers/credentiallibraries/grants_test.go @@ -58,7 +58,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=credential-library;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -73,7 +73,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org.GetPublicId(), + RoleScopeId: org.GetPublicId(), GrantStrings: []string{"ids=*;type=credential-library;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, diff --git a/internal/daemon/controller/handlers/credentials/grants_test.go b/internal/daemon/controller/handlers/credentials/grants_test.go index 2799d0d3e8..846f760807 100644 --- a/internal/daemon/controller/handlers/credentials/grants_test.go +++ b/internal/daemon/controller/handlers/credentials/grants_test.go @@ -78,7 +78,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=credential;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -93,7 +93,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org.PublicId, + RoleScopeId: org.PublicId, GrantStrings: []string{"ids=*;type=credential;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -108,7 +108,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: proj.PublicId, + RoleScopeId: proj.PublicId, GrantStrings: []string{"ids=*;type=credential;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, diff --git a/internal/daemon/controller/handlers/credentialstores/grants_test.go b/internal/daemon/controller/handlers/credentialstores/grants_test.go index 5ff3f50525..880dc922da 100644 --- a/internal/daemon/controller/handlers/credentialstores/grants_test.go +++ b/internal/daemon/controller/handlers/credentialstores/grants_test.go @@ -87,7 +87,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=credential-store;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -103,7 +103,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org.PublicId, + RoleScopeId: org.PublicId, GrantStrings: []string{"ids=*;type=credential-store;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -118,7 +118,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: proj.PublicId, + RoleScopeId: proj.PublicId, GrantStrings: []string{"ids=*;type=credential-store;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index bb3ab9d789..d427d94963 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -88,7 +88,7 @@ func TestGrants_ReadActions(t *testing.T) { }, userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -103,7 +103,7 @@ func TestGrants_ReadActions(t *testing.T) { }, userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -119,7 +119,7 @@ func TestGrants_ReadActions(t *testing.T) { }, userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org1.PublicId, + RoleScopeId: org1.PublicId, Grants: []string{"ids=*;type=group;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -135,7 +135,7 @@ func TestGrants_ReadActions(t *testing.T) { }, userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -151,7 +151,7 @@ func TestGrants_ReadActions(t *testing.T) { }, userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeDescendants}, }, @@ -167,7 +167,7 @@ func TestGrants_ReadActions(t *testing.T) { }, userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org2.PublicId, + RoleScopeId: org2.PublicId, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -183,7 +183,7 @@ func TestGrants_ReadActions(t *testing.T) { }, userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, @@ -201,12 +201,12 @@ func TestGrants_ReadActions(t *testing.T) { }, userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read,list"}, GrantScopes: []string{proj1.PublicId, proj2.PublicId, proj3.PublicId}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read,list"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -222,7 +222,7 @@ func TestGrants_ReadActions(t *testing.T) { }, userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=target;actions=read,list"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -263,7 +263,7 @@ func TestGrants_ReadActions(t *testing.T) { name: "global role group grant this scope with all permissions", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -280,7 +280,7 @@ func TestGrants_ReadActions(t *testing.T) { name: "global role group grant this scope with all permissions", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -297,7 +297,7 @@ func TestGrants_ReadActions(t *testing.T) { name: "global role grant children scopes with all permissions", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeChildren}, }, @@ -314,7 +314,7 @@ func TestGrants_ReadActions(t *testing.T) { name: "global role grant descendant scopes with all permissions", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeDescendants}, }, @@ -331,7 +331,7 @@ func TestGrants_ReadActions(t *testing.T) { name: "global role grant this and children scopes with all permissions", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -348,7 +348,7 @@ func TestGrants_ReadActions(t *testing.T) { name: "global role grant this and descendant scopes with all permissions", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -365,7 +365,7 @@ func TestGrants_ReadActions(t *testing.T) { name: "org1 role grant this scope with all permissions", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org1.GetPublicId(), + RoleScopeId: org1.GetPublicId(), Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -382,7 +382,7 @@ func TestGrants_ReadActions(t *testing.T) { name: "org1 role grant children scope with all permissions", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org1.GetPublicId(), + RoleScopeId: org1.GetPublicId(), Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeChildren}, }, @@ -399,7 +399,7 @@ func TestGrants_ReadActions(t *testing.T) { name: "org1 role grant this and children scopes with all permissions", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org1.GetPublicId(), + RoleScopeId: org1.GetPublicId(), Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -416,7 +416,7 @@ func TestGrants_ReadActions(t *testing.T) { name: "proj1 role grant this scope with all permissions", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: proj1.GetPublicId(), + RoleScopeId: proj1.GetPublicId(), Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -433,7 +433,7 @@ func TestGrants_ReadActions(t *testing.T) { name: "global role grant this and descendant scope with read permissions on specific group", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{fmt.Sprintf("ids=%s;types=group ;actions=read", org1Group.PublicId)}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -450,7 +450,7 @@ func TestGrants_ReadActions(t *testing.T) { name: "global role grant this and specific scopes with read permissions on specific group", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), @@ -470,14 +470,14 @@ func TestGrants_ReadActions(t *testing.T) { name: "union multiple role grant specific resources permissions", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", globalGroup.PublicId), }, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: org1.GetPublicId(), + RoleScopeId: org1.GetPublicId(), Grants: []string{ fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), @@ -562,7 +562,7 @@ func TestGrants_WriteActions(t *testing.T) { name: "direct grant all can create all", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -580,7 +580,7 @@ func TestGrants_WriteActions(t *testing.T) { name: "groups grant all can create all", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -598,7 +598,7 @@ func TestGrants_WriteActions(t *testing.T) { name: "ldap grant all can create all", userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -616,7 +616,7 @@ func TestGrants_WriteActions(t *testing.T) { name: "oidc grant all can create all", userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -634,7 +634,7 @@ func TestGrants_WriteActions(t *testing.T) { name: "grant children can only create in orgs", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeChildren}, }, @@ -688,33 +688,33 @@ func TestGrants_WriteActions(t *testing.T) { org2, proj2 := iam.TestScopes(t, iamRepo) proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) - allScopeIDs := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} + allScopeIds := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} testcases := []struct { name string userFunc func() (*iam.User, string) - deleteAllowedAtScopeIDs []string + deleteAllowedAtScopeIds []string }{ { name: "grant all can delete all", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, }), - deleteAllowedAtScopeIDs: allScopeIDs, + deleteAllowedAtScopeIds: allScopeIds, }, { name: "grant children can only delete in orgs", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeChildren}, }, }), - deleteAllowedAtScopeIDs: []string{org1.PublicId, org2.PublicId}, + deleteAllowedAtScopeIds: []string{org1.PublicId, org2.PublicId}, }, } @@ -722,7 +722,7 @@ func TestGrants_WriteActions(t *testing.T) { t.Run(tc.name, func(t *testing.T) { // setup a map to track which scope correlates to a group scopeIdGroupMap := map[string]*iam.Group{} - for _, scp := range allScopeIDs { + for _, scp := range allScopeIds { g := iam.TestGroup(t, conn, scp) scopeIdGroupMap[scp] = g } @@ -732,7 +732,7 @@ func TestGrants_WriteActions(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for scope, group := range scopeIdGroupMap { _, err = s.DeleteGroup(fullGrantAuthCtx, &pbs.DeleteGroupRequest{Id: group.PublicId}) - if !slices.Contains(tc.deleteAllowedAtScopeIDs, scope) { + if !slices.Contains(tc.deleteAllowedAtScopeIds, scope) { require.ErrorIs(t, err, handlers.ForbiddenError()) continue } @@ -754,7 +754,7 @@ func TestGrants_WriteActions(t *testing.T) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -769,7 +769,7 @@ func TestGrants_WriteActions(t *testing.T) { g := iam.TestGroup(t, conn, proj.PublicId) return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{proj.PublicId}, }, @@ -784,7 +784,7 @@ func TestGrants_WriteActions(t *testing.T) { g := iam.TestGroup(t, conn, proj.PublicId) return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=*", g.PublicId)}, GrantScopes: []string{proj.PublicId}, }, @@ -798,7 +798,7 @@ func TestGrants_WriteActions(t *testing.T) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeChildren}, }, @@ -899,7 +899,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { group := iam.TestGroup(t, conn, globals.GlobalPrefix) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -947,12 +947,12 @@ func TestGrants_ChildResourcesActions(t *testing.T) { group := iam.TestGroup(t, conn, org1.PublicId) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org1.PublicId, + RoleScopeId: org1.PublicId, Grants: []string{"ids=*;type=*;actions=add-members"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: org1.PublicId, + RoleScopeId: org1.PublicId, Grants: []string{"ids=*;type=*;actions=set-members"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1000,7 +1000,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { group := iam.TestGroup(t, conn, org2.PublicId) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: org2.PublicId, + RoleScopeId: org2.PublicId, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=add-members", group.PublicId)}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1028,7 +1028,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { iam.TestGroupMember(t, conn, group.PublicId, org2Users[1].PublicId) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=remove-members", group.PublicId)}, GrantScopes: []string{proj2.PublicId}, }, @@ -1054,7 +1054,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { group := iam.TestGroup(t, conn, proj3.PublicId) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=add-members", group.PublicId)}, GrantScopes: []string{globals.GrantScopeDescendants}, }, @@ -1082,7 +1082,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { group := iam.TestGroup(t, conn, org2.PublicId) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1108,17 +1108,17 @@ func TestGrants_ChildResourcesActions(t *testing.T) { group := iam.TestGroup(t, conn, proj2.PublicId) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: proj2.PublicId, + RoleScopeId: proj2.PublicId, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=add-members", group.PublicId)}, GrantScopes: []string{proj2.PublicId}, }, { - RoleScopeID: proj2.PublicId, + RoleScopeId: proj2.PublicId, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=set-members", group.PublicId)}, GrantScopes: []string{proj2.PublicId}, }, { - RoleScopeID: proj2.PublicId, + RoleScopeId: proj2.PublicId, Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=remove-members", group.PublicId)}, GrantScopes: []string{proj2.PublicId}, }, @@ -1223,7 +1223,7 @@ func TestOutputFields(t *testing.T) { name: "grants name, version, description", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,name,description"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -1235,10 +1235,10 @@ func TestOutputFields(t *testing.T) { }, }, { - name: "grants scope, scopeID, authorized_actions", + name: "grants scope, scopeId, authorized_actions", userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,scope,scope_id,authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -1253,7 +1253,7 @@ func TestOutputFields(t *testing.T) { name: "grants update_time, create_time", userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,updated_time,created_time,members,member_ids"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -1268,17 +1268,17 @@ func TestOutputFields(t *testing.T) { name: "different output_fields for different scope", userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,scope,scope_id,created_time,updated_time"}, GrantScopes: []string{globals.GrantScopeChildren}, }, { - RoleScopeID: proj.PublicId, + RoleScopeId: proj.PublicId, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions"}, GrantScopes: []string{proj.PublicId}, }, @@ -1302,7 +1302,7 @@ func TestOutputFields(t *testing.T) { }) require.NoError(t, err) for _, item := range out.Items { - handlers.AssertOutputFields(t, item, tc.expectOutfields[item.Id]) + handlers.TestAssertOutputFields(t, item, tc.expectOutfields[item.Id]) } }) } @@ -1335,7 +1335,7 @@ func TestOutputFields(t *testing.T) { name: "grants name and description", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1343,10 +1343,10 @@ func TestOutputFields(t *testing.T) { expectOutfields: []string{globals.NameField, globals.DescriptionField}, }, { - name: "grants scope and scopeID", + name: "grants scope and scopeId", userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=scope,scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1357,7 +1357,7 @@ func TestOutputFields(t *testing.T) { name: "grants update_time and create_time", userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=updated_time,created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1368,7 +1368,7 @@ func TestOutputFields(t *testing.T) { name: "grants id, authorized_actions, version", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=id,authorized_actions,version"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1379,7 +1379,7 @@ func TestOutputFields(t *testing.T) { name: "grants members, member_id", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=members,member_ids"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1390,17 +1390,17 @@ func TestOutputFields(t *testing.T) { name: "composite grants id, authorized_actions, member_ids", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=member_ids"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=read;output_fields=authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1416,7 +1416,7 @@ func TestOutputFields(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{Id: globalGroupWithMember.PublicId}) require.NoError(t, err) - handlers.AssertOutputFields(t, out.Item, tc.expectOutfields) + handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) }) } }) @@ -1456,7 +1456,7 @@ func TestOutputFields(t *testing.T) { }, userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1464,7 +1464,7 @@ func TestOutputFields(t *testing.T) { expectOutfields: []string{globals.NameField, globals.DescriptionField}, }, { - name: "grants scope and scopeID", + name: "grants scope and scopeId", input: &pbs.CreateGroupRequest{ Item: &pb.Group{ Name: &wrapperspb.StringValue{Value: genUuid()}, @@ -1474,7 +1474,7 @@ func TestOutputFields(t *testing.T) { }, userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1492,7 +1492,7 @@ func TestOutputFields(t *testing.T) { }, userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1510,7 +1510,7 @@ func TestOutputFields(t *testing.T) { }, userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1528,42 +1528,42 @@ func TestOutputFields(t *testing.T) { }, userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1588,7 +1588,7 @@ func TestOutputFields(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.CreateGroup(fullGrantAuthCtx, tc.input) require.NoError(t, err) - handlers.AssertOutputFields(t, out.Item, tc.expectOutfields) + handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) }) } }) @@ -1637,7 +1637,7 @@ func TestOutputFields(t *testing.T) { name: "grants name and description", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1645,10 +1645,10 @@ func TestOutputFields(t *testing.T) { expectOutfields: []string{globals.NameField, globals.DescriptionField}, }, { - name: "grants scope and scopeID", + name: "grants scope and scopeId", userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1660,7 +1660,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1671,7 +1671,7 @@ func TestOutputFields(t *testing.T) { name: "grants id, authorized_actions, version", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1682,42 +1682,42 @@ func TestOutputFields(t *testing.T) { name: "composite grants all fields", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1742,7 +1742,7 @@ func TestOutputFields(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.UpdateGroup(fullGrantAuthCtx, inputFunc(t)) require.NoError(t, err) - handlers.AssertOutputFields(t, out.Item, tc.expectOutfields) + handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) }) } }) @@ -1783,7 +1783,7 @@ func TestOutputFields(t *testing.T) { name: "grants name and description", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1791,10 +1791,10 @@ func TestOutputFields(t *testing.T) { expectOutfields: []string{globals.NameField, globals.DescriptionField}, }, { - name: "grants scope and scopeID", + name: "grants scope and scopeId", userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1806,7 +1806,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1817,7 +1817,7 @@ func TestOutputFields(t *testing.T) { name: "grants id, authorized_actions, version", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1828,42 +1828,42 @@ func TestOutputFields(t *testing.T) { name: "composite grants all fields", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1888,7 +1888,7 @@ func TestOutputFields(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.AddGroupMembers(fullGrantAuthCtx, inputFunc(t)) require.NoError(t, err) - handlers.AssertOutputFields(t, out.Item, tc.expectOutfields) + handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) }) } }) @@ -1929,7 +1929,7 @@ func TestOutputFields(t *testing.T) { name: "grants name and description", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1937,10 +1937,10 @@ func TestOutputFields(t *testing.T) { expectOutfields: []string{globals.NameField, globals.DescriptionField}, }, { - name: "grants scope and scopeID", + name: "grants scope and scopeId", userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1952,7 +1952,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1963,7 +1963,7 @@ func TestOutputFields(t *testing.T) { name: "grants id, authorized_actions, version", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -1974,42 +1974,42 @@ func TestOutputFields(t *testing.T) { name: "composite grants all fields", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -2034,7 +2034,7 @@ func TestOutputFields(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.SetGroupMembers(fullGrantAuthCtx, inputFunc(t)) require.NoError(t, err) - handlers.AssertOutputFields(t, out.Item, tc.expectOutfields) + handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) }) } }) @@ -2079,7 +2079,7 @@ func TestOutputFields(t *testing.T) { name: "grants name and description", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -2087,10 +2087,10 @@ func TestOutputFields(t *testing.T) { expectOutfields: []string{globals.NameField, globals.DescriptionField}, }, { - name: "grants scope and scopeID", + name: "grants scope and scopeId", userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -2102,7 +2102,7 @@ func TestOutputFields(t *testing.T) { userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -2113,7 +2113,7 @@ func TestOutputFields(t *testing.T) { name: "grants id, authorized_actions, version", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -2124,42 +2124,42 @@ func TestOutputFields(t *testing.T) { name: "composite grants all fields", userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -2184,7 +2184,7 @@ func TestOutputFields(t *testing.T) { fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.RemoveGroupMembers(fullGrantAuthCtx, inputFunc(t)) require.NoError(t, err) - handlers.AssertOutputFields(t, out.Item, tc.expectOutfields) + handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) }) } }) diff --git a/internal/daemon/controller/handlers/host_catalogs/grants_test.go b/internal/daemon/controller/handlers/host_catalogs/grants_test.go index 9576fd010e..e8df94081b 100644 --- a/internal/daemon/controller/handlers/host_catalogs/grants_test.go +++ b/internal/daemon/controller/handlers/host_catalogs/grants_test.go @@ -88,7 +88,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=host-catalog;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -104,7 +104,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org.PublicId, + RoleScopeId: org.PublicId, GrantStrings: []string{"ids=*;type=host-catalog;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -120,7 +120,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: proj.PublicId, + RoleScopeId: proj.PublicId, GrantStrings: []string{"ids=*;type=host-catalog;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, diff --git a/internal/daemon/controller/handlers/host_sets/grants_test.go b/internal/daemon/controller/handlers/host_sets/grants_test.go index 4fa763221f..4920ab219c 100644 --- a/internal/daemon/controller/handlers/host_sets/grants_test.go +++ b/internal/daemon/controller/handlers/host_sets/grants_test.go @@ -79,7 +79,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=host-set;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -94,7 +94,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org.PublicId, + RoleScopeId: org.PublicId, GrantStrings: []string{"ids=*;type=host-set;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -109,7 +109,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: proj.PublicId, + RoleScopeId: proj.PublicId, GrantStrings: []string{"ids=*;type=host-set;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, diff --git a/internal/daemon/controller/handlers/hosts/grants_test.go b/internal/daemon/controller/handlers/hosts/grants_test.go index 6715878bfb..c3532ebebb 100644 --- a/internal/daemon/controller/handlers/hosts/grants_test.go +++ b/internal/daemon/controller/handlers/hosts/grants_test.go @@ -81,7 +81,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=host;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -96,7 +96,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org.PublicId, + RoleScopeId: org.PublicId, GrantStrings: []string{"ids=*;type=host;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -111,7 +111,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: proj.PublicId, + RoleScopeId: proj.PublicId, GrantStrings: []string{"ids=*;type=host;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, diff --git a/internal/daemon/controller/handlers/managed_groups/grants_test.go b/internal/daemon/controller/handlers/managed_groups/grants_test.go index f73ba91c9f..1196c5e7c4 100644 --- a/internal/daemon/controller/handlers/managed_groups/grants_test.go +++ b/internal/daemon/controller/handlers/managed_groups/grants_test.go @@ -78,7 +78,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=managed-group;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, @@ -93,7 +93,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org.PublicId, + RoleScopeId: org.PublicId, GrantStrings: []string{"ids=*;type=managed-group;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, diff --git a/internal/daemon/controller/handlers/roles/grants_test.go b/internal/daemon/controller/handlers/roles/grants_test.go index e55c62121f..b7f61ee5a6 100644 --- a/internal/daemon/controller/handlers/roles/grants_test.go +++ b/internal/daemon/controller/handlers/roles/grants_test.go @@ -110,7 +110,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=role;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -130,7 +130,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org2.PublicId, + RoleScopeId: org2.PublicId, GrantStrings: []string{"ids=*;type=role;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, diff --git a/internal/daemon/controller/handlers/scopes/grants_test.go b/internal/daemon/controller/handlers/scopes/grants_test.go index b3f99944b4..15e9ae2ef7 100644 --- a/internal/daemon/controller/handlers/scopes/grants_test.go +++ b/internal/daemon/controller/handlers/scopes/grants_test.go @@ -60,7 +60,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=scope;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -79,7 +79,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org1.PublicId, + RoleScopeId: org1.PublicId, GrantStrings: []string{"ids=*;type=scope;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, diff --git a/internal/daemon/controller/handlers/targets/tcp/grants_test.go b/internal/daemon/controller/handlers/targets/tcp/grants_test.go index cb91035926..509aff1a56 100644 --- a/internal/daemon/controller/handlers/targets/tcp/grants_test.go +++ b/internal/daemon/controller/handlers/targets/tcp/grants_test.go @@ -60,7 +60,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org1.GetPublicId(), + RoleScopeId: org1.GetPublicId(), GrantStrings: []string{"ids=*;type=target;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -76,7 +76,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: proj2.GetPublicId(), + RoleScopeId: proj2.GetPublicId(), GrantStrings: []string{"ids=*;type=target;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, diff --git a/internal/daemon/controller/handlers/testing.go b/internal/daemon/controller/handlers/testing.go index 5941293052..98897952c5 100644 --- a/internal/daemon/controller/handlers/testing.go +++ b/internal/daemon/controller/handlers/testing.go @@ -11,10 +11,10 @@ import ( "google.golang.org/protobuf/proto" ) -// AssertOutputFields asserts that the output fields of a group match the expected fields +// TestAssertOutputFields asserts that the output fields of a group match the expected fields // fields that is nil or empty in the result will throw an error if they are listed in expectedFields // e.g. members when group does not contain any members -func AssertOutputFields(t *testing.T, p proto.Message, expectFields []string) { +func TestAssertOutputFields(t *testing.T, p proto.Message, expectFields []string) { msg := p.ProtoReflect() descriptor := msg.Descriptor() for i := 0; i < descriptor.Fields().Len(); i++ { diff --git a/internal/daemon/controller/handlers/users/grants_test.go b/internal/daemon/controller/handlers/users/grants_test.go index a4bc80c486..7f04b8105a 100644 --- a/internal/daemon/controller/handlers/users/grants_test.go +++ b/internal/daemon/controller/handlers/users/grants_test.go @@ -78,7 +78,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=user;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -104,7 +104,7 @@ func TestGrants_ReadActions(t *testing.T) { includeTestUsers: false, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org2.PublicId, + RoleScopeId: org2.PublicId, GrantStrings: []string{"ids=*;type=user;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, @@ -124,7 +124,7 @@ func TestGrants_ReadActions(t *testing.T) { includeTestUsers: false, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=user;actions=list,read"}, GrantScopes: []string{globals.GrantScopeChildren}, }, @@ -144,7 +144,7 @@ func TestGrants_ReadActions(t *testing.T) { includeTestUsers: false, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=user;actions=list,read"}, GrantScopes: []string{globals.GrantScopeChildren}, }, @@ -165,7 +165,7 @@ func TestGrants_ReadActions(t *testing.T) { includeTestUsers: false, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org1.PublicId, + RoleScopeId: org1.PublicId, GrantStrings: []string{"ids=*;type=user;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -184,12 +184,12 @@ func TestGrants_ReadActions(t *testing.T) { includeTestUsers: false, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org1.PublicId, + RoleScopeId: org1.PublicId, GrantStrings: []string{"ids=*;type=user;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, { - RoleScopeID: org2.PublicId, + RoleScopeId: org2.PublicId, GrantStrings: []string{"ids=*;type=user;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -210,7 +210,7 @@ func TestGrants_ReadActions(t *testing.T) { includeTestUsers: false, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=user;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -227,7 +227,7 @@ func TestGrants_ReadActions(t *testing.T) { includeTestUsers: true, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=user;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -248,7 +248,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=user;actions=list,read"}, GrantScopes: []string{globals.GrantScopeChildren}, }, @@ -264,7 +264,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: org2.PublicId, + RoleScopeId: org2.PublicId, GrantStrings: []string{"ids=*;type=user;actions=list,read"}, GrantScopes: []string{globals.GrantScopeChildren}, }, diff --git a/internal/daemon/controller/handlers/workers/grants_test.go b/internal/daemon/controller/handlers/workers/grants_test.go index dc1aef0d28..6ec676c179 100644 --- a/internal/daemon/controller/handlers/workers/grants_test.go +++ b/internal/daemon/controller/handlers/workers/grants_test.go @@ -81,7 +81,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=worker;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, @@ -97,7 +97,7 @@ func TestGrants_ReadActions(t *testing.T) { }, rolesToCreate: []authtoken.TestRoleGrantsForToken{ { - RoleScopeID: globals.GlobalPrefix, + RoleScopeId: globals.GlobalPrefix, GrantStrings: []string{"ids=*;type=group;actions=list,read"}, GrantScopes: []string{globals.GrantScopeThis}, }, diff --git a/internal/iam/testing.go b/internal/iam/testing.go index fb0282aee9..8abdbf6bfe 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -319,7 +319,7 @@ func TestManagedGroupRole(t testing.TB, conn *db.DB, roleId, managedGrpId string // TestRoleWithGrants creates a role suitable for testing along with grants // Functional options for GrantScopes aren't used to express that // this function does not provide any default grant scope unlike TestRole -func TestRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs []string, grants []string) *Role { +func TestRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIds []string, grants []string) *Role { t.Helper() ctx := context.Background() @@ -334,7 +334,7 @@ func TestRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs require.NoError(rw.Create(ctx, role)) require.NotEmpty(role.PublicId) - for _, gsi := range grantScopeIDs { + for _, gsi := range grantScopeIds { gs, err := NewRoleGrantScope(ctx, id, gsi) require.NoError(err) require.NoError(rw.Create(ctx, gs)) @@ -347,7 +347,7 @@ func TestRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs } type TestRoleGrantsRequest struct { - RoleScopeID string + RoleScopeId string GrantScopes []string Grants []string } @@ -361,7 +361,7 @@ func TestUserManagedGroupGrantsFunc( t *testing.T, conn *db.DB, kmsCache *kms.Kms, - scopeID string, + scopeId string, managedGroupAccountSetupFunc auth.TestAuthMethodWithAccountInManagedGroup, testRoleGrants []TestRoleGrantsRequest, ) func() (*User, string) { @@ -371,10 +371,10 @@ func TestUserManagedGroupGrantsFunc( rw := db.New(conn) repo, err := NewRepository(ctx, rw, rw, kmsCache) require.NoError(t, err) - _, account, mg := managedGroupAccountSetupFunc(t, conn, kmsCache, scopeID) - user := TestUser(t, repo, scopeID, WithAccountIds(account.GetPublicId())) + _, account, mg := managedGroupAccountSetupFunc(t, conn, kmsCache, scopeId) + user := TestUser(t, repo, scopeId, WithAccountIds(account.GetPublicId())) for _, trg := range testRoleGrants { - role := TestRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) + role := TestRoleWithGrants(t, conn, trg.RoleScopeId, trg.GrantScopes, trg.Grants) _ = TestManagedGroupRole(t, conn, role.PublicId, mg.GetPublicId()) } user, acctIDs, err := repo.LookupUser(ctx, user.PublicId) @@ -391,7 +391,7 @@ func TestUserDirectGrantsFunc( t *testing.T, conn *db.DB, kmsCache *kms.Kms, - scopeID string, + scopeId string, setupFunc auth.TestAuthMethodWithAccountFunc, testRoleGrants []TestRoleGrantsRequest, ) func() (*User, string) { @@ -402,10 +402,10 @@ func TestUserDirectGrantsFunc( rw := db.New(conn) repo, err := NewRepository(ctx, rw, rw, kmsCache) require.NoError(t, err) - user := TestUser(t, repo, scopeID, WithAccountIds(account.GetPublicId())) + user := TestUser(t, repo, scopeId, WithAccountIds(account.GetPublicId())) require.NoError(t, err) for _, trg := range testRoleGrants { - role := TestRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) + role := TestRoleWithGrants(t, conn, trg.RoleScopeId, trg.GrantScopes, trg.Grants) _ = TestUserRole(t, conn, role.PublicId, user.PublicId) } user, acctIDs, err := repo.LookupUser(ctx, user.PublicId) @@ -423,7 +423,7 @@ func TestUserGroupGrantsFunc( t *testing.T, conn *db.DB, kmsCache *kms.Kms, - scopeID string, + scopeId string, setupFunc auth.TestAuthMethodWithAccountFunc, testRoleGrants []TestRoleGrantsRequest, ) func() (*User, string) { @@ -434,7 +434,7 @@ func TestUserGroupGrantsFunc( rw := db.New(conn) repo, err := NewRepository(ctx, rw, rw, kmsCache) require.NoError(t, err) - role, err := NewRole(ctx, scopeID) + role, err := NewRole(ctx, scopeId) require.NoError(t, err) id, err := newRoleId(ctx) require.NoError(t, err) @@ -442,11 +442,11 @@ func TestUserGroupGrantsFunc( require.NoError(t, rw.Create(ctx, role)) require.NotEmpty(t, role.PublicId) require.NoError(t, err) - group := TestGroup(t, conn, scopeID) + group := TestGroup(t, conn, scopeId) require.NoError(t, err) - user := TestUser(t, repo, scopeID, WithAccountIds(account.GetPublicId())) + user := TestUser(t, repo, scopeId, WithAccountIds(account.GetPublicId())) for _, trg := range testRoleGrants { - role := TestRoleWithGrants(t, conn, trg.RoleScopeID, trg.GrantScopes, trg.Grants) + role := TestRoleWithGrants(t, conn, trg.RoleScopeId, trg.GrantScopes, trg.Grants) _ = TestGroupRole(t, conn, role.PublicId, group.PublicId) } _, err = repo.AddGroupMembers(ctx, group.PublicId, group.Version, []string{user.PublicId}) From 06ed75e0fb96e249ed2738ceaedb120875242a72 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 5 Mar 2025 16:23:11 -0800 Subject: [PATCH 59/62] make user/account setup in iam returns account instead of just account ID --- .../controller/handlers/groups/grants_test.go | 129 +++++++++--------- internal/iam/testing.go | 16 +-- 2 files changed, 73 insertions(+), 72 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index d427d94963..a42d491ac2 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -10,11 +10,12 @@ import ( "testing" "github.com/hashicorp/boundary/globals" + "github.com/hashicorp/boundary/internal/auth" "github.com/hashicorp/boundary/internal/auth/ldap" "github.com/hashicorp/boundary/internal/auth/oidc" "github.com/hashicorp/boundary/internal/auth/password" "github.com/hashicorp/boundary/internal/authtoken" - "github.com/hashicorp/boundary/internal/daemon/controller/auth" + cauth "github.com/hashicorp/boundary/internal/daemon/controller/auth" "github.com/hashicorp/boundary/internal/daemon/controller/handlers" "github.com/hashicorp/boundary/internal/daemon/controller/handlers/groups" "github.com/hashicorp/boundary/internal/db" @@ -75,7 +76,7 @@ func TestGrants_ReadActions(t *testing.T) { testcases := []struct { name string input *pbs.ListGroupsRequest - userFunc func() (*iam.User, string) + userFunc func() (*iam.User, auth.Account) wantErr error wantIDs []string }{ @@ -234,10 +235,10 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user, accountID := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input) if tc.wantErr != nil { require.ErrorIs(t, finalErr, tc.wantErr) @@ -256,7 +257,7 @@ func TestGrants_ReadActions(t *testing.T) { t.Run("Get", func(t *testing.T) { testcases := []struct { name string - userFunc func() (*iam.User, string) + userFunc func() (*iam.User, auth.Account) inputWantErrMap map[*pbs.GetGroupRequest]error }{ { @@ -497,10 +498,10 @@ func TestGrants_ReadActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user, accountID := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for input, wantErr := range tc.inputWantErrMap { _, err := s.GetGroup(fullGrantAuthCtx, input) // not found means expect error @@ -555,7 +556,7 @@ func TestGrants_WriteActions(t *testing.T) { testcases := []struct { name string - userFunc func() (*iam.User, string) + userFunc func() (*iam.User, auth.Account) canCreateInScopes map[*pbs.CreateGroupRequest]error }{ { @@ -652,10 +653,10 @@ func TestGrants_WriteActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user, accountID := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for req, wantErr := range tc.canCreateInScopes { _, err := s.CreateGroup(fullGrantAuthCtx, req) @@ -691,7 +692,7 @@ func TestGrants_WriteActions(t *testing.T) { allScopeIds := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} testcases := []struct { name string - userFunc func() (*iam.User, string) + userFunc func() (*iam.User, auth.Account) deleteAllowedAtScopeIds []string }{ { @@ -726,10 +727,10 @@ func TestGrants_WriteActions(t *testing.T) { g := iam.TestGroup(t, conn, scp) scopeIdGroupMap[scp] = g } - user, accountID := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for scope, group := range scopeIdGroupMap { _, err = s.DeleteGroup(fullGrantAuthCtx, &pbs.DeleteGroupRequest{Id: group.PublicId}) if !slices.Contains(tc.deleteAllowedAtScopeIds, scope) { @@ -745,12 +746,12 @@ func TestGrants_WriteActions(t *testing.T) { t.Run("update", func(t *testing.T) { testcases := []struct { name string - setupScopesResourcesAndUser func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) + setupScopesResourcesAndUser func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) wantErr error }{ { name: "global_scope_group_good_grant_success", - setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) { + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { @@ -764,7 +765,7 @@ func TestGrants_WriteActions(t *testing.T) { }, { name: "grant specific scope success", - setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) { + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) { _, proj := iam.TestScopes(t, iamRepo) g := iam.TestGroup(t, conn, proj.PublicId) return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ @@ -779,7 +780,7 @@ func TestGrants_WriteActions(t *testing.T) { }, { name: "grant specific resource and scope success", - setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) { + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) { _, proj := iam.TestScopes(t, iamRepo) g := iam.TestGroup(t, conn, proj.PublicId) return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ @@ -794,7 +795,7 @@ func TestGrants_WriteActions(t *testing.T) { }, { name: "no grant fails update", - setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, string)) { + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) { g := iam.TestGroup(t, conn, globals.GlobalPrefix) return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { @@ -823,10 +824,10 @@ func TestGrants_WriteActions(t *testing.T) { s, err := groups.NewService(ctx, repoFn, 1000) require.NoError(t, err) original, userFunc := tc.setupScopesResourcesAndUser(t, conn, iamRepo, kmsCache) - user, accountID := userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) got, err := s.UpdateGroup(fullGrantAuthCtx, &pbs.UpdateGroupRequest{ Id: original.PublicId, Item: &pb.Group{ @@ -887,7 +888,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { testcases := []struct { name string userFunc func() *iam.User - setupGroupAndRole func(t *testing.T) (*iam.Group, func() (*iam.User, string)) + setupGroupAndRole func(t *testing.T) (*iam.Group, func() (*iam.User, auth.Account)) // collection of actions to be executed in the tests in order, *iam.Group returned from each action which // gets passed to the next action as parameter to preserve information such as `version` increments actions []testActionResult @@ -895,7 +896,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { { name: "all actions valid grant success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, auth.Account)) { group := iam.TestGroup(t, conn, globals.GlobalPrefix) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { @@ -943,7 +944,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { }, { name: "only add and set allowed fail to remove", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, auth.Account)) { group := iam.TestGroup(t, conn, org1.PublicId) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { @@ -996,7 +997,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { }, { name: "add_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, auth.Account)) { group := iam.TestGroup(t, conn, org2.PublicId) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { @@ -1022,7 +1023,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { }, { name: "remove_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, auth.Account)) { group := iam.TestGroup(t, conn, proj2.PublicId) iam.TestGroupMember(t, conn, group.PublicId, org2Users[0].PublicId) iam.TestGroupMember(t, conn, group.PublicId, org2Users[1].PublicId) @@ -1050,7 +1051,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { }, { name: "cross_scope_add_member_valid_specific_grant_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, auth.Account)) { group := iam.TestGroup(t, conn, proj3.PublicId) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { @@ -1078,7 +1079,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { }, { name: "add_member_with_valid_grant_string_invalid_scope_forbidden_error", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, auth.Account)) { group := iam.TestGroup(t, conn, org2.PublicId) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { @@ -1104,7 +1105,7 @@ func TestGrants_ChildResourcesActions(t *testing.T) { }, { name: "multiple_grants_success", - setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, string)) { + setupGroupAndRole: func(t *testing.T) (*iam.Group, func() (*iam.User, auth.Account)) { group := iam.TestGroup(t, conn, proj2.PublicId) return group, iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { @@ -1165,10 +1166,10 @@ func TestGrants_ChildResourcesActions(t *testing.T) { for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { group, userFn := tc.setupGroupAndRole(t) - user, accountID := userFn() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := userFn() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) for _, act := range tc.actions { out, err := act.action(fullGrantAuthCtx, group) if act.wantErr != nil { @@ -1215,7 +1216,7 @@ func TestOutputFields(t *testing.T) { require.NoError(t, err) testcases := []struct { name string - userFunc func() (*iam.User, string) + userFunc func() (*iam.User, auth.Account) // keys are the group IDs | this also means 'id' is required in the outputfields for assertions to work properly expectOutfields map[string][]string }{ @@ -1292,10 +1293,10 @@ func TestOutputFields(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user, accountID := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.ListGroups(fullGrantAuthCtx, &pbs.ListGroupsRequest{ ScopeId: globals.GlobalPrefix, Recursive: true, @@ -1328,7 +1329,7 @@ func TestOutputFields(t *testing.T) { testcases := []struct { name string - userFunc func() (*iam.User, string) + userFunc func() (*iam.User, auth.Account) expectOutfields []string }{ { @@ -1410,10 +1411,10 @@ func TestOutputFields(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user, accountID := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{Id: globalGroupWithMember.PublicId}) require.NoError(t, err) handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) @@ -1441,7 +1442,7 @@ func TestOutputFields(t *testing.T) { require.NoError(t, err) testcases := []struct { name string - userFunc func() (*iam.User, string) + userFunc func() (*iam.User, auth.Account) input *pbs.CreateGroupRequest expectOutfields []string }{ @@ -1582,10 +1583,10 @@ func TestOutputFields(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user, accountID := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.CreateGroup(fullGrantAuthCtx, tc.input) require.NoError(t, err) handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) @@ -1630,7 +1631,7 @@ func TestOutputFields(t *testing.T) { require.NoError(t, err) testcases := []struct { name string - userFunc func() (*iam.User, string) + userFunc func() (*iam.User, auth.Account) expectOutfields []string }{ { @@ -1736,10 +1737,10 @@ func TestOutputFields(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user, accountID := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.UpdateGroup(fullGrantAuthCtx, inputFunc(t)) require.NoError(t, err) handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) @@ -1776,7 +1777,7 @@ func TestOutputFields(t *testing.T) { require.NoError(t, err) testcases := []struct { name string - userFunc func() (*iam.User, string) + userFunc func() (*iam.User, auth.Account) expectOutfields []string }{ { @@ -1882,10 +1883,10 @@ func TestOutputFields(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user, accountID := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.AddGroupMembers(fullGrantAuthCtx, inputFunc(t)) require.NoError(t, err) handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) @@ -1922,7 +1923,7 @@ func TestOutputFields(t *testing.T) { require.NoError(t, err) testcases := []struct { name string - userFunc func() (*iam.User, string) + userFunc func() (*iam.User, auth.Account) expectOutfields []string }{ { @@ -2028,10 +2029,10 @@ func TestOutputFields(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user, accountID := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.SetGroupMembers(fullGrantAuthCtx, inputFunc(t)) require.NoError(t, err) handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) @@ -2072,7 +2073,7 @@ func TestOutputFields(t *testing.T) { require.NoError(t, err) testcases := []struct { name string - userFunc func() (*iam.User, string) + userFunc func() (*iam.User, auth.Account) expectOutfields []string }{ { @@ -2178,10 +2179,10 @@ func TestOutputFields(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - user, accountID := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, accountID) + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) require.NoError(t, err) - fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) out, err := s.RemoveGroupMembers(fullGrantAuthCtx, inputFunc(t)) require.NoError(t, err) handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) diff --git a/internal/iam/testing.go b/internal/iam/testing.go index 8abdbf6bfe..1f6c7414d0 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -364,8 +364,8 @@ func TestUserManagedGroupGrantsFunc( scopeId string, managedGroupAccountSetupFunc auth.TestAuthMethodWithAccountInManagedGroup, testRoleGrants []TestRoleGrantsRequest, -) func() (*User, string) { - return func() (*User, string) { +) func() (*User, auth.Account) { + return func() (*User, auth.Account) { t.Helper() ctx := context.Background() rw := db.New(conn) @@ -394,8 +394,8 @@ func TestUserDirectGrantsFunc( scopeId string, setupFunc auth.TestAuthMethodWithAccountFunc, testRoleGrants []TestRoleGrantsRequest, -) func() (*User, string) { - return func() (*User, string) { +) func() (*User, auth.Account) { + return func() (*User, auth.Account) { t.Helper() _, account := setupFunc(t, conn) ctx := context.Background() @@ -411,7 +411,7 @@ func TestUserDirectGrantsFunc( user, acctIDs, err := repo.LookupUser(ctx, user.PublicId) require.NoError(t, err) require.Len(t, acctIDs, 1) - return user, acctIDs[0] + return user, account } } @@ -426,8 +426,8 @@ func TestUserGroupGrantsFunc( scopeId string, setupFunc auth.TestAuthMethodWithAccountFunc, testRoleGrants []TestRoleGrantsRequest, -) func() (*User, string) { - return func() (*User, string) { +) func() (*User, auth.Account) { + return func() (*User, auth.Account) { t.Helper() _, account := setupFunc(t, conn) ctx := context.Background() @@ -454,7 +454,7 @@ func TestUserGroupGrantsFunc( user, acctIDs, err := repo.LookupUser(ctx, user.PublicId) require.NoError(t, err) require.Len(t, acctIDs, 1) - return user, acctIDs[0] + return user, account } } From cfddcdc3fc8a421658af5d967e82d9cfec363062 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Wed, 5 Mar 2025 16:32:49 -0800 Subject: [PATCH 60/62] missed one change --- internal/iam/testing.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/iam/testing.go b/internal/iam/testing.go index 1f6c7414d0..3d8effea70 100644 --- a/internal/iam/testing.go +++ b/internal/iam/testing.go @@ -380,7 +380,7 @@ func TestUserManagedGroupGrantsFunc( user, acctIDs, err := repo.LookupUser(ctx, user.PublicId) require.NoError(t, err) require.Len(t, acctIDs, 1) - return user, acctIDs[0] + return user, account } } From 5b5cd82f5d6b438efcfe867915f7589aa482c973 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 18 Mar 2025 08:53:03 -0700 Subject: [PATCH 61/62] reorganize tests --- .../controller/handlers/groups/grants_test.go | 3315 ++++++++--------- 1 file changed, 1648 insertions(+), 1667 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index a42d491ac2..6cc7560f80 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -29,24 +29,7 @@ import ( "google.golang.org/protobuf/types/known/wrapperspb" ) -// TestGrants_ReadActions tests read actions to assert that grants are being applied properly -// -// Role - which scope the role is created in -// - global level -// - org level -// - project level -// Grant - what IAM grant scope is set for the permission -// - global: descendant -// - org: children -// - project -// Scopes [resource]: -// - global [globalGroup] -// - org1 [org1Group] -// - proj1 [proj1Group] -// - org2 [org2Group] -// - proj2 [proj2Group] -// - proj3 [proj3Group] -func TestGrants_ReadActions(t *testing.T) { +func TestGrants_ListGroups(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") rw := db.New(conn) @@ -71,789 +54,789 @@ func TestGrants_ReadActions(t *testing.T) { proj1Group := iam.TestGroup(t, conn, proj1.GetPublicId(), iam.WithDescription("proj1"), iam.WithName("proj1")) proj2Group := iam.TestGroup(t, conn, proj2.GetPublicId(), iam.WithDescription("proj2"), iam.WithName("proj2")) proj3Group := iam.TestGroup(t, conn, proj3.GetPublicId(), iam.WithDescription("proj3"), iam.WithName("proj3")) - - t.Run("List", func(t *testing.T) { - testcases := []struct { - name string - input *pbs.ListGroupsRequest - userFunc func() (*iam.User, auth.Account) - wantErr error - wantIDs []string - }{ - { - name: "global role grant this only returns in global groups", - wantErr: nil, - input: &pbs.ListGroupsRequest{ - ScopeId: globals.GlobalPrefix, - Recursive: true, - }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - wantIDs: []string{globalGroup.PublicId}, + testcases := []struct { + name string + input *pbs.ListGroupsRequest + userFunc func() (*iam.User, auth.Account) + wantErr error + wantIDs []string + }{ + { + name: "global role grant this only returns in global groups", + wantErr: nil, + input: &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, }, - { - name: "global role grant this and children returns global and org groups", - input: &pbs.ListGroupsRequest{ - ScopeId: globals.GlobalPrefix, - Recursive: true, + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=list,read"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, - }, - }), - wantErr: nil, - wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId}, + }), + wantIDs: []string{globalGroup.PublicId}, + }, + { + name: "global role grant this and children returns global and org groups", + input: &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, }, - { - name: "global role grant via managed groups this and children returns org and proj groups", - input: &pbs.ListGroupsRequest{ - ScopeId: org1.PublicId, - Recursive: true, + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=list,read"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: org1.PublicId, - Grants: []string{"ids=*;type=group;actions=list,read"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, - }, - }), - wantErr: nil, - wantIDs: []string{org1Group.PublicId, proj1Group.PublicId}, + }), + wantErr: nil, + wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId}, + }, + { + name: "global role grant via managed groups this and children returns org and proj groups", + input: &pbs.ListGroupsRequest{ + ScopeId: org1.PublicId, + Recursive: true, }, - { - name: "global role grant this and descendant returns all groups", - input: &pbs.ListGroupsRequest{ - ScopeId: globals.GlobalPrefix, - Recursive: true, + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: org1.PublicId, + Grants: []string{"ids=*;type=group;actions=list,read"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - }, - }), - wantErr: nil, - wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId, proj1Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, + }), + wantErr: nil, + wantIDs: []string{org1Group.PublicId, proj1Group.PublicId}, + }, + { + name: "global role grant this and descendant returns all groups", + input: &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, }, - { - name: "org role grant children IDs only org children", - input: &pbs.ListGroupsRequest{ - ScopeId: org2.PublicId, - Recursive: true, + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeDescendants}, - }, - }), - wantErr: nil, - wantIDs: []string{org2Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, + }), + wantErr: nil, + wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId, proj1Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, + }, + { + name: "org role grant children IDs only org children", + input: &pbs.ListGroupsRequest{ + ScopeId: org2.PublicId, + Recursive: true, }, - { - name: "LDAP org role grant children IDs only org children", - input: &pbs.ListGroupsRequest{ - ScopeId: org2.PublicId, - Recursive: true, + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeDescendants}, }, - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: org2.PublicId, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - wantErr: nil, - wantIDs: []string{org2Group.PublicId}, + }), + wantErr: nil, + wantIDs: []string{org2Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, + }, + { + name: "LDAP org role grant children IDs only org children", + input: &pbs.ListGroupsRequest{ + ScopeId: org2.PublicId, + Recursive: true, }, - { - name: "no list permission returns error", - input: &pbs.ListGroupsRequest{ - ScopeId: globals.GlobalPrefix, - Recursive: true, + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: org2.PublicId, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{ - fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), - }, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - }, - }), - wantErr: handlers.ForbiddenError(), - wantIDs: nil, + }), + wantErr: nil, + wantIDs: []string{org2Group.PublicId}, + }, + { + name: "no list permission returns error", + input: &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, }, - { - name: "global role scope specific grants only returns granted scopes", - input: &pbs.ListGroupsRequest{ - ScopeId: globals.GlobalPrefix, - Recursive: true, - }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=read,list"}, - GrantScopes: []string{proj1.PublicId, proj2.PublicId, proj3.PublicId}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=read,list"}, - GrantScopes: []string{globals.GrantScopeThis}, + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{ + fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, - }), - wantErr: nil, - wantIDs: []string{globalGroup.PublicId, proj1Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }), + wantErr: handlers.ForbiddenError(), + wantIDs: nil, + }, + { + name: "global role scope specific grants only returns granted scopes", + input: &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, }, - { - name: "global role not granted group resources returns error", - input: &pbs.ListGroupsRequest{ - ScopeId: globals.GlobalPrefix, - Recursive: true, + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=read,list"}, + GrantScopes: []string{proj1.PublicId, proj2.PublicId, proj3.PublicId}, }, - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=target;actions=read,list"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - }, - }), - wantErr: handlers.ForbiddenError(), - wantIDs: nil, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=read,list"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + wantErr: nil, + wantIDs: []string{globalGroup.PublicId, proj1Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, + }, + { + name: "global role not granted group resources returns error", + input: &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, }, - } + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=target;actions=read,list"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }), + wantErr: handlers.ForbiddenError(), + wantIDs: nil, + }, + } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - user, account := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input) - if tc.wantErr != nil { - require.ErrorIs(t, finalErr, tc.wantErr) - return - } - require.NoError(t, finalErr) - var gotIDs []string - for _, g := range got.Items { - gotIDs = append(gotIDs, g.GetId()) - } - require.ElementsMatch(t, tc.wantIDs, gotIDs) - }) - } - }) + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input) + if tc.wantErr != nil { + require.ErrorIs(t, finalErr, tc.wantErr) + return + } + require.NoError(t, finalErr) + var gotIDs []string + for _, g := range got.Items { + gotIDs = append(gotIDs, g.GetId()) + } + require.ElementsMatch(t, tc.wantIDs, gotIDs) + }) + } +} - t.Run("Get", func(t *testing.T) { - testcases := []struct { - name string - userFunc func() (*iam.User, auth.Account) - inputWantErrMap map[*pbs.GetGroupRequest]error - }{ - { - name: "global role group grant this scope with all permissions", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: nil, - {Id: org1Group.PublicId}: handlers.ForbiddenError(), - {Id: proj1Group.PublicId}: handlers.ForbiddenError(), - {Id: org2Group.PublicId}: handlers.ForbiddenError(), - {Id: proj2Group.PublicId}: handlers.ForbiddenError(), +func TestGrants_GetGroup(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + org1, proj1 := iam.TestScopes(t, iamRepo) + org2, proj2 := iam.TestScopes(t, iamRepo) + + globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) + org1Group := iam.TestGroup(t, conn, org1.GetPublicId(), iam.WithDescription("org1"), iam.WithName("org1")) + org2Group := iam.TestGroup(t, conn, org2.GetPublicId(), iam.WithDescription("org2"), iam.WithName("org2")) + proj1Group := iam.TestGroup(t, conn, proj1.GetPublicId(), iam.WithDescription("proj1"), iam.WithName("proj1")) + proj2Group := iam.TestGroup(t, conn, proj2.GetPublicId(), iam.WithDescription("proj2"), iam.WithName("proj2")) + + testcases := []struct { + name string + userFunc func() (*iam.User, auth.Account) + inputWantErrMap map[*pbs.GetGroupRequest]error + }{ + { + name: "global role group grant this scope with all permissions", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: nil, + {Id: org1Group.PublicId}: handlers.ForbiddenError(), + {Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, - { - name: "global role group grant this scope with all permissions", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: nil, - {Id: org1Group.PublicId}: handlers.ForbiddenError(), - {Id: proj1Group.PublicId}: handlers.ForbiddenError(), - {Id: org2Group.PublicId}: handlers.ForbiddenError(), - {Id: proj2Group.PublicId}: handlers.ForbiddenError(), + }, + { + name: "global role group grant this scope with all permissions", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: nil, + {Id: org1Group.PublicId}: handlers.ForbiddenError(), + {Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, - { - name: "global role grant children scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeChildren}, - }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: handlers.ForbiddenError(), - {Id: org1Group.PublicId}: nil, - {Id: proj1Group.PublicId}: handlers.ForbiddenError(), - {Id: org2Group.PublicId}: nil, - {Id: proj2Group.PublicId}: handlers.ForbiddenError(), + }, + { + name: "global role grant children scopes with all permissions", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: org2Group.PublicId}: nil, + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, - { - name: "global role grant descendant scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeDescendants}, - }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: handlers.ForbiddenError(), - {Id: org1Group.PublicId}: nil, - {Id: proj1Group.PublicId}: nil, - {Id: org2Group.PublicId}: nil, - {Id: proj2Group.PublicId}: nil, + }, + { + name: "global role grant descendant scopes with all permissions", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeDescendants}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: nil, + {Id: proj2Group.PublicId}: nil, }, - { - name: "global role grant this and children scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, - }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: nil, - {Id: org1Group.PublicId}: nil, - {Id: proj1Group.PublicId}: handlers.ForbiddenError(), - {Id: org2Group.PublicId}: nil, - {Id: proj2Group.PublicId}: handlers.ForbiddenError(), + }, + { + name: "global role grant this and children scopes with all permissions", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: nil, + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: org2Group.PublicId}: nil, + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, - { - name: "global role grant this and descendant scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: nil, - {Id: org1Group.PublicId}: nil, - {Id: proj1Group.PublicId}: nil, - {Id: org2Group.PublicId}: nil, - {Id: proj2Group.PublicId}: nil, + }, + { + name: "global role grant this and descendant scopes with all permissions", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: nil, + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: nil, + {Id: proj2Group.PublicId}: nil, }, - { - name: "org1 role grant this scope with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: org1.GetPublicId(), - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: handlers.ForbiddenError(), - {Id: org1Group.PublicId}: nil, - {Id: proj1Group.PublicId}: handlers.ForbiddenError(), - {Id: org2Group.PublicId}: handlers.ForbiddenError(), - {Id: proj2Group.PublicId}: handlers.ForbiddenError(), + }, + { + name: "org1 role grant this scope with all permissions", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: org1.GetPublicId(), + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, - { - name: "org1 role grant children scope with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: org1.GetPublicId(), - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeChildren}, - }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: handlers.ForbiddenError(), - {Id: org1Group.PublicId}: handlers.ForbiddenError(), - {Id: proj1Group.PublicId}: nil, - {Id: org2Group.PublicId}: handlers.ForbiddenError(), - {Id: proj2Group.PublicId}: handlers.ForbiddenError(), + }, + { + name: "org1 role grant children scope with all permissions", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: org1.GetPublicId(), + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: handlers.ForbiddenError(), + {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, - { - name: "org1 role grant this and children scopes with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: org1.GetPublicId(), - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, - }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: handlers.ForbiddenError(), - {Id: org1Group.PublicId}: nil, - {Id: proj1Group.PublicId}: nil, - {Id: org2Group.PublicId}: handlers.ForbiddenError(), - {Id: proj2Group.PublicId}: handlers.ForbiddenError(), + }, + { + name: "org1 role grant this and children scopes with all permissions", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: org1.GetPublicId(), + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, - { - name: "proj1 role grant this scope with all permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: proj1.GetPublicId(), - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: handlers.ForbiddenError(), - {Id: org1Group.PublicId}: handlers.ForbiddenError(), - {Id: proj1Group.PublicId}: nil, - {Id: org2Group.PublicId}: handlers.ForbiddenError(), - {Id: proj2Group.PublicId}: handlers.ForbiddenError(), + }, + { + name: "proj1 role grant this scope with all permissions", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: proj1.GetPublicId(), + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: handlers.ForbiddenError(), + {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, - { - name: "global role grant this and descendant scope with read permissions on specific group", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{fmt.Sprintf("ids=%s;types=group ;actions=read", org1Group.PublicId)}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: handlers.ForbiddenError(), - {Id: org1Group.PublicId}: nil, - {Id: proj1Group.PublicId}: handlers.ForbiddenError(), - {Id: org2Group.PublicId}: handlers.ForbiddenError(), - {Id: proj2Group.PublicId}: handlers.ForbiddenError(), + }, + { + name: "global role grant this and descendant scope with read permissions on specific group", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{fmt.Sprintf("ids=%s;types=group ;actions=read", org1Group.PublicId)}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: handlers.ForbiddenError(), + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, - { - name: "global role grant this and specific scopes with read permissions on specific group", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{ - fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), - fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), - }, - GrantScopes: []string{org1.PublicId, proj1.PublicId}, + }, + { + name: "global role grant this and specific scopes with read permissions on specific group", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{ + fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), + fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: handlers.ForbiddenError(), - {Id: org1Group.PublicId}: nil, - {Id: proj1Group.PublicId}: nil, - {Id: org2Group.PublicId}: handlers.ForbiddenError(), - {Id: proj2Group.PublicId}: handlers.ForbiddenError(), + GrantScopes: []string{org1.PublicId, proj1.PublicId}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: handlers.ForbiddenError(), + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, - { - name: "union multiple role grant specific resources permissions", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{ - fmt.Sprintf("ids=%s;types=group;actions=read", globalGroup.PublicId), - }, - GrantScopes: []string{globals.GrantScopeThis}, + }, + { + name: "union multiple role grant specific resources permissions", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{ + fmt.Sprintf("ids=%s;types=group;actions=read", globalGroup.PublicId), }, - { - RoleScopeId: org1.GetPublicId(), - Grants: []string{ - fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), - fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), - }, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: org1.GetPublicId(), + Grants: []string{ + fmt.Sprintf("ids=%s;types=group;actions=read", org1Group.PublicId), + fmt.Sprintf("ids=%s;types=group;actions=read", proj1Group.PublicId), }, - }), - inputWantErrMap: map[*pbs.GetGroupRequest]error{ - {Id: globalGroup.PublicId}: nil, - {Id: org1Group.PublicId}: nil, - {Id: proj1Group.PublicId}: nil, - {Id: org2Group.PublicId}: handlers.ForbiddenError(), - {Id: proj2Group.PublicId}: handlers.ForbiddenError(), + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren}, }, + }), + inputWantErrMap: map[*pbs.GetGroupRequest]error{ + {Id: globalGroup.PublicId}: nil, + {Id: org1Group.PublicId}: nil, + {Id: proj1Group.PublicId}: nil, + {Id: org2Group.PublicId}: handlers.ForbiddenError(), + {Id: proj2Group.PublicId}: handlers.ForbiddenError(), }, - } + }, + } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - user, account := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - for input, wantErr := range tc.inputWantErrMap { - _, err := s.GetGroup(fullGrantAuthCtx, input) - // not found means expect error - if wantErr != nil { - require.ErrorIs(t, err, wantErr) - continue - } - require.NoError(t, err) + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + for input, wantErr := range tc.inputWantErrMap { + _, err := s.GetGroup(fullGrantAuthCtx, input) + // not found means expect error + if wantErr != nil { + require.ErrorIs(t, err, wantErr) + continue } - }) - } - }) + require.NoError(t, err) + } + }) + } } -// TestGrants_WriteActions tests write actions to assert that grants are being applied properly -// -// [create, update, delete] -// Role - which scope the role is created in -// - global level -// - org level -// - project level -// Grant - what IAM grant scope is set for the permission -// - global: descendant -// - org: children -// - project -// Scopes [resource]: -// - global [globalGroup] -// - org1 [org1Group] -// - proj1 [proj1Group] -// - org2 [org2Group] -// - proj2 [proj2Group] -// - proj3 [proj3Group] -func TestGrants_WriteActions(t *testing.T) { - t.Run("create", func(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - rw := db.New(conn) - wrap := db.TestWrapper(t) - kmsCache := kms.TestKms(t, conn, wrap) - iamRepo := iam.TestRepo(t, conn, wrap) - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) +func TestGrants_CreateGroup(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + kmsCache := kms.TestKms(t, conn, wrap) + iamRepo := iam.TestRepo(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) - org1, proj1 := iam.TestScopes(t, iamRepo) - org2, proj2 := iam.TestScopes(t, iamRepo) - proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) + org1, proj1 := iam.TestScopes(t, iamRepo) + org2, proj2 := iam.TestScopes(t, iamRepo) + proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) - testcases := []struct { - name string - userFunc func() (*iam.User, auth.Account) - canCreateInScopes map[*pbs.CreateGroupRequest]error - }{ - { - name: "direct grant all can create all", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - }, - }), - canCreateInScopes: map[*pbs.CreateGroupRequest]error{ - {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, - {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, - {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, + testcases := []struct { + name string + userFunc func() (*iam.User, auth.Account) + canCreateInScopes map[*pbs.CreateGroupRequest]error + }{ + { + name: "direct grant all can create all", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, + }), + canCreateInScopes: map[*pbs.CreateGroupRequest]error{ + {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, + {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, }, - { - name: "groups grant all can create all", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - }, - }), - canCreateInScopes: map[*pbs.CreateGroupRequest]error{ - {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, - {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, - {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, + }, + { + name: "groups grant all can create all", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, + }), + canCreateInScopes: map[*pbs.CreateGroupRequest]error{ + {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, + {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, }, - { - name: "ldap grant all can create all", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - }, - }), - canCreateInScopes: map[*pbs.CreateGroupRequest]error{ - {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, - {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, - {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, + }, + { + name: "ldap grant all can create all", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, + }), + canCreateInScopes: map[*pbs.CreateGroupRequest]error{ + {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, + {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, }, - { - name: "oidc grant all can create all", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - }, - }), - canCreateInScopes: map[*pbs.CreateGroupRequest]error{ - {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, - {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, - {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, + }, + { + name: "oidc grant all can create all", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, + }), + canCreateInScopes: map[*pbs.CreateGroupRequest]error{ + {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: nil, + {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj3.PublicId}}: nil, }, - { - name: "grant children can only create in orgs", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeChildren}, - }, - }), - canCreateInScopes: map[*pbs.CreateGroupRequest]error{ - {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: handlers.ForbiddenError(), - {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, - {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, - {Item: &pb.Group{ScopeId: proj1.PublicId}}: handlers.ForbiddenError(), - {Item: &pb.Group{ScopeId: proj2.PublicId}}: handlers.ForbiddenError(), - {Item: &pb.Group{ScopeId: proj3.PublicId}}: handlers.ForbiddenError(), + }, + { + name: "grant children can only create in orgs", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, + }), + canCreateInScopes: map[*pbs.CreateGroupRequest]error{ + {Item: &pb.Group{ScopeId: globals.GlobalPrefix}}: handlers.ForbiddenError(), + {Item: &pb.Group{ScopeId: org1.PublicId}}: nil, + {Item: &pb.Group{ScopeId: org2.PublicId}}: nil, + {Item: &pb.Group{ScopeId: proj1.PublicId}}: handlers.ForbiddenError(), + {Item: &pb.Group{ScopeId: proj2.PublicId}}: handlers.ForbiddenError(), + {Item: &pb.Group{ScopeId: proj3.PublicId}}: handlers.ForbiddenError(), }, - } + }, + } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - user, account := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - for req, wantErr := range tc.canCreateInScopes { - _, err := s.CreateGroup(fullGrantAuthCtx, req) - if wantErr != nil { - require.ErrorIs(t, err, wantErr) - continue - } - require.NoError(t, err) + for req, wantErr := range tc.canCreateInScopes { + _, err := s.CreateGroup(fullGrantAuthCtx, req) + if wantErr != nil { + require.ErrorIs(t, err, wantErr) + continue } - }) - } - }) - t.Run("delete", func(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - rw := db.New(conn) - wrap := db.TestWrapper(t) - iamRepo := iam.TestRepo(t, conn, wrap) - kmsCache := kms.TestKms(t, conn, wrap) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) + require.NoError(t, err) + } + }) + } +} + +func TestGrants_DeleteGroup(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + + org1, proj1 := iam.TestScopes(t, iamRepo) + org2, proj2 := iam.TestScopes(t, iamRepo) + proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) + allScopeIds := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} + testcases := []struct { + name string + userFunc func() (*iam.User, auth.Account) + deleteAllowedAtScopeIds []string + }{ + { + name: "grant all can delete all", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + }, + }), + deleteAllowedAtScopeIds: allScopeIds, + }, + { + name: "grant children can only delete in orgs", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, + }, + }), + deleteAllowedAtScopeIds: []string{org1.PublicId, org2.PublicId}, + }, + } - org1, proj1 := iam.TestScopes(t, iamRepo) - org2, proj2 := iam.TestScopes(t, iamRepo) - proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId()) + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + // setup a map to track which scope correlates to a group + scopeIdGroupMap := map[string]*iam.Group{} + for _, scp := range allScopeIds { + g := iam.TestGroup(t, conn, scp) + scopeIdGroupMap[scp] = g + } + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + for scope, group := range scopeIdGroupMap { + _, err = s.DeleteGroup(fullGrantAuthCtx, &pbs.DeleteGroupRequest{Id: group.PublicId}) + if !slices.Contains(tc.deleteAllowedAtScopeIds, scope) { + require.ErrorIs(t, err, handlers.ForbiddenError()) + continue + } + require.NoErrorf(t, err, "failed to delete group in scope %s", scope) + } + }) + } +} - allScopeIds := []string{globals.GlobalPrefix, org1.PublicId, org2.PublicId, proj1.PublicId, proj2.PublicId, proj3.PublicId} - testcases := []struct { - name string - userFunc func() (*iam.User, auth.Account) - deleteAllowedAtScopeIds []string - }{ - { - name: "grant all can delete all", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ +func TestGrants_UpdateGroup(t *testing.T) { + testcases := []struct { + name string + setupScopesResourcesAndUser func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) + wantErr error + }{ + { + name: "global_scope_group_good_grant_success", + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) { + g := iam.TestGroup(t, conn, globals.GlobalPrefix) + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, + GrantScopes: []string{globals.GrantScopeThis}, }, - }), - deleteAllowedAtScopeIds: allScopeIds, + }) }, - { - name: "grant children can only delete in orgs", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + wantErr: nil, + }, + { + name: "grant specific scope success", + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) { + _, proj := iam.TestScopes(t, iamRepo) + g := iam.TestGroup(t, conn, proj.PublicId) + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ { RoleScopeId: globals.GlobalPrefix, Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeChildren}, + GrantScopes: []string{proj.PublicId}, }, - }), - deleteAllowedAtScopeIds: []string{org1.PublicId, org2.PublicId}, - }, - } - - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - // setup a map to track which scope correlates to a group - scopeIdGroupMap := map[string]*iam.Group{} - for _, scp := range allScopeIds { - g := iam.TestGroup(t, conn, scp) - scopeIdGroupMap[scp] = g - } - user, account := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - for scope, group := range scopeIdGroupMap { - _, err = s.DeleteGroup(fullGrantAuthCtx, &pbs.DeleteGroupRequest{Id: group.PublicId}) - if !slices.Contains(tc.deleteAllowedAtScopeIds, scope) { - require.ErrorIs(t, err, handlers.ForbiddenError()) - continue - } - require.NoErrorf(t, err, "failed to delete group in scope %s", scope) - } - }) - } - }) - - t.Run("update", func(t *testing.T) { - testcases := []struct { - name string - setupScopesResourcesAndUser func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) - wantErr error - }{ - { - name: "global_scope_group_good_grant_success", - setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) { - g := iam.TestGroup(t, conn, globals.GlobalPrefix) - return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }) - }, - wantErr: nil, - }, - { - name: "grant specific scope success", - setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) { - _, proj := iam.TestScopes(t, iamRepo) - g := iam.TestGroup(t, conn, proj.PublicId) - return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{proj.PublicId}, - }, - }) - }, - wantErr: nil, - }, - { - name: "grant specific resource and scope success", - setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) { - _, proj := iam.TestScopes(t, iamRepo) - g := iam.TestGroup(t, conn, proj.PublicId) - return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=*", g.PublicId)}, - GrantScopes: []string{proj.PublicId}, - }, - }) - }, - wantErr: nil, - }, - { - name: "no grant fails update", - setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) { - g := iam.TestGroup(t, conn, globals.GlobalPrefix) - return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=*;actions=*"}, - GrantScopes: []string{globals.GrantScopeChildren}, - }, - }) - }, - wantErr: handlers.ForbiddenError(), + }) }, - } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - rw := db.New(conn) - wrap := db.TestWrapper(t) - iamRepo := iam.TestRepo(t, conn, wrap) - kmsCache := kms.TestKms(t, conn, wrap) - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) - original, userFunc := tc.setupScopesResourcesAndUser(t, conn, iamRepo, kmsCache) - user, account := userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - got, err := s.UpdateGroup(fullGrantAuthCtx, &pbs.UpdateGroupRequest{ - Id: original.PublicId, - Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: "new-name"}, - Description: &wrapperspb.StringValue{Value: "new-description"}, - Version: 1, + wantErr: nil, + }, + { + name: "grant specific resource and scope success", + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) { + _, proj := iam.TestScopes(t, iamRepo) + g := iam.TestGroup(t, conn, proj.PublicId) + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{fmt.Sprintf("ids=%s;types=group;actions=*", g.PublicId)}, + GrantScopes: []string{proj.PublicId}, }, - UpdateMask: &fieldmaskpb.FieldMask{ - Paths: []string{"name", "description"}, + }) + }, + wantErr: nil, + }, + { + name: "no grant fails update", + setupScopesResourcesAndUser: func(t *testing.T, conn *db.DB, iamRepo *iam.Repository, kmsCache *kms.Kms) (*iam.Group, func() (*iam.User, auth.Account)) { + g := iam.TestGroup(t, conn, globals.GlobalPrefix) + return g, iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=*;actions=*"}, + GrantScopes: []string{globals.GrantScopeChildren}, }, }) - if tc.wantErr != nil { - require.Error(t, err) - require.ErrorIs(t, err, tc.wantErr) - return - } - require.NoError(t, err) - require.Equal(t, uint32(2), got.Item.Version) - require.True(t, got.Item.UpdatedTime.AsTime().After(original.UpdateTime.AsTime())) + }, + wantErr: handlers.ForbiddenError(), + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + original, userFunc := tc.setupScopesResourcesAndUser(t, conn, iamRepo, kmsCache) + user, account := userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + got, err := s.UpdateGroup(fullGrantAuthCtx, &pbs.UpdateGroupRequest{ + Id: original.PublicId, + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: "new-name"}, + Description: &wrapperspb.StringValue{Value: "new-description"}, + Version: 1, + }, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"name", "description"}, + }, }) - } - }) + if tc.wantErr != nil { + require.Error(t, err) + require.ErrorIs(t, err, tc.wantErr) + return + } + require.NoError(t, err) + require.Equal(t, uint32(2), got.Item.Version) + require.True(t, got.Item.UpdatedTime.AsTime().After(original.UpdateTime.AsTime())) + }) + } } -// TestGrants_ChildResourcesActions tests actions performed on the group-members (child-resources) -func TestGrants_ChildResourcesActions(t *testing.T) { +func TestGrants_GroupMembership(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") rw := db.New(conn) @@ -1185,1010 +1168,1008 @@ func TestGrants_ChildResourcesActions(t *testing.T) { } } -func TestOutputFields(t *testing.T) { - t.Run("ListGroups", func(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - rw := db.New(conn) - wrap := db.TestWrapper(t) - iamRepo := iam.TestRepo(t, conn, wrap) - kmsCache := kms.TestKms(t, conn, wrap) - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } +func TestOutputFields_ListGroups(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } - globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) + globalGroup := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) - org, proj := iam.TestScopes(t, iamRepo) - orgGroup := iam.TestGroup(t, conn, org.PublicId, iam.WithDescription("org"), iam.WithName("org")) - projGroup := iam.TestGroup(t, conn, proj.PublicId, iam.WithDescription("proj"), iam.WithName("proj")) + org, proj := iam.TestScopes(t, iamRepo) + orgGroup := iam.TestGroup(t, conn, org.PublicId, iam.WithDescription("org"), iam.WithName("org")) + projGroup := iam.TestGroup(t, conn, proj.PublicId, iam.WithDescription("proj"), iam.WithName("proj")) - globalUser := iam.TestUser(t, iamRepo, globals.GlobalPrefix) - orgUser := iam.TestUser(t, iamRepo, globals.GlobalPrefix) - projectUser := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + globalUser := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + orgUser := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + projectUser := iam.TestUser(t, iamRepo, globals.GlobalPrefix) - _ = iam.TestGroupMember(t, conn, globalGroup.PublicId, globalUser.PublicId) - _ = iam.TestGroupMember(t, conn, orgGroup.PublicId, orgUser.PublicId) - _ = iam.TestGroupMember(t, conn, projGroup.PublicId, projectUser.PublicId) - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) - testcases := []struct { - name string - userFunc func() (*iam.User, auth.Account) - // keys are the group IDs | this also means 'id' is required in the outputfields for assertions to work properly - expectOutfields map[string][]string - }{ - { - name: "grants name, version, description", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id,name,description"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - }, - }), - expectOutfields: map[string][]string{ - globalGroup.PublicId: {globals.IdField, globals.NameField, globals.DescriptionField}, - orgGroup.PublicId: {globals.IdField, globals.NameField, globals.DescriptionField}, - projGroup.PublicId: {globals.IdField, globals.NameField, globals.DescriptionField}, + _ = iam.TestGroupMember(t, conn, globalGroup.PublicId, globalUser.PublicId) + _ = iam.TestGroupMember(t, conn, orgGroup.PublicId, orgUser.PublicId) + _ = iam.TestGroupMember(t, conn, projGroup.PublicId, projectUser.PublicId) + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + testcases := []struct { + name string + userFunc func() (*iam.User, auth.Account) + // keys are the group IDs | this also means 'id' is required in the outputfields for assertions to work properly + expectOutfields map[string][]string + }{ + { + name: "grants name, version, description", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,name,description"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, + }), + expectOutfields: map[string][]string{ + globalGroup.PublicId: {globals.IdField, globals.NameField, globals.DescriptionField}, + orgGroup.PublicId: {globals.IdField, globals.NameField, globals.DescriptionField}, + projGroup.PublicId: {globals.IdField, globals.NameField, globals.DescriptionField}, }, - { - name: "grants scope, scopeId, authorized_actions", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id,scope,scope_id,authorized_actions"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - }, - }), - expectOutfields: map[string][]string{ - globalGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.AuthorizedActionsField}, - orgGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.AuthorizedActionsField}, - projGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.AuthorizedActionsField}, + }, + { + name: "grants scope, scopeId, authorized_actions", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,scope,scope_id,authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, + }), + expectOutfields: map[string][]string{ + globalGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.AuthorizedActionsField}, + orgGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.AuthorizedActionsField}, + projGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.AuthorizedActionsField}, }, - { - name: "grants update_time, create_time", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id,updated_time,created_time,members,member_ids"}, - GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, - }, - }), - expectOutfields: map[string][]string{ - globalGroup.PublicId: {globals.IdField, globals.CreatedTimeField, globals.UpdatedTimeField}, - orgGroup.PublicId: {globals.IdField, globals.CreatedTimeField, globals.UpdatedTimeField}, - projGroup.PublicId: {globals.IdField, globals.CreatedTimeField, globals.UpdatedTimeField}, + }, + { + name: "grants update_time, create_time", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,updated_time,created_time,members,member_ids"}, + GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants}, }, + }), + expectOutfields: map[string][]string{ + globalGroup.PublicId: {globals.IdField, globals.CreatedTimeField, globals.UpdatedTimeField}, + orgGroup.PublicId: {globals.IdField, globals.CreatedTimeField, globals.UpdatedTimeField}, + projGroup.PublicId: {globals.IdField, globals.CreatedTimeField, globals.UpdatedTimeField}, }, - { - name: "different output_fields for different scope", - userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id,name,description"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id,scope,scope_id,created_time,updated_time"}, - GrantScopes: []string{globals.GrantScopeChildren}, - }, - { - RoleScopeId: proj.PublicId, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions"}, - GrantScopes: []string{proj.PublicId}, - }, - }), - expectOutfields: map[string][]string{ - globalGroup.PublicId: {globals.IdField, globals.NameField, globals.DescriptionField}, - orgGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.CreatedTimeField, globals.UpdatedTimeField}, - projGroup.PublicId: {globals.IdField, globals.AuthorizedActionsField}, + }, + { + name: "different output_fields for different scope", + userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,scope,scope_id,created_time,updated_time"}, + GrantScopes: []string{globals.GrantScopeChildren}, + }, + { + RoleScopeId: proj.PublicId, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions"}, + GrantScopes: []string{proj.PublicId}, }, + }), + expectOutfields: map[string][]string{ + globalGroup.PublicId: {globals.IdField, globals.NameField, globals.DescriptionField}, + orgGroup.PublicId: {globals.IdField, globals.ScopeField, globals.ScopeIdField, globals.CreatedTimeField, globals.UpdatedTimeField}, + projGroup.PublicId: {globals.IdField, globals.AuthorizedActionsField}, }, - } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - user, account := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - out, err := s.ListGroups(fullGrantAuthCtx, &pbs.ListGroupsRequest{ - ScopeId: globals.GlobalPrefix, - Recursive: true, - }) - require.NoError(t, err) - for _, item := range out.Items { - handlers.TestAssertOutputFields(t, item, tc.expectOutfields[item.Id]) - } + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.ListGroups(fullGrantAuthCtx, &pbs.ListGroupsRequest{ + ScopeId: globals.GlobalPrefix, + Recursive: true, }) - } - }) + require.NoError(t, err) + for _, item := range out.Items { + handlers.TestAssertOutputFields(t, item, tc.expectOutfields[item.Id]) + } + }) + } +} - t.Run("GetGroup", func(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - rw := db.New(conn) - wrap := db.TestWrapper(t) - iamRepo := iam.TestRepo(t, conn, wrap) - kmsCache := kms.TestKms(t, conn, wrap) - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } - globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) - u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) - _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u.PublicId) - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) +func TestOutputFields_GetGroup(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) + u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u.PublicId) + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) - testcases := []struct { - name string - userFunc func() (*iam.User, auth.Account) - expectOutfields []string - }{ - { - name: "grants name and description", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=read;output_fields=name,description"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.NameField, globals.DescriptionField}, - }, - { - name: "grants scope and scopeId", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=read;output_fields=scope,scope_id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, - }, - { - name: "grants update_time and create_time", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=read;output_fields=updated_time,created_time"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, - }, - { - name: "grants id, authorized_actions, version", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=read;output_fields=id,authorized_actions,version"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, - }, - { - name: "grants members, member_id", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=read;output_fields=members,member_ids"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.MembersField, globals.MemberIdsField}, - }, - { - name: "composite grants id, authorized_actions, member_ids", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=read;output_fields=id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=read;output_fields=member_ids"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=read;output_fields=authorized_actions"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.IdField, globals.MemberIdsField, globals.AuthorizedActionsField}, - }, - } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - user, account := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - out, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{Id: globalGroupWithMember.PublicId}) - require.NoError(t, err) - handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) - }) - } - }) - t.Run("CreateGroup", func(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - rw := db.New(conn) - wrap := db.TestWrapper(t) - iamRepo := iam.TestRepo(t, conn, wrap) - kmsCache := kms.TestKms(t, conn, wrap) - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } - genUuid := func() string { - u, _ := uuid.GenerateUUID() - return u - } + testcases := []struct { + name string + userFunc func() (*iam.User, auth.Account) + expectOutfields []string + }{ + { + name: "grants name and description", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=read;output_fields=name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.NameField, globals.DescriptionField}, + }, + { + name: "grants scope and scopeId", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=read;output_fields=scope,scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + }, + { + name: "grants update_time and create_time", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=read;output_fields=updated_time,created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, + }, + { + name: "grants id, authorized_actions, version", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=read;output_fields=id,authorized_actions,version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + }, + { + name: "grants members, member_id", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=read;output_fields=members,member_ids"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.MembersField, globals.MemberIdsField}, + }, + { + name: "composite grants id, authorized_actions, member_ids", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=read;output_fields=id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=read;output_fields=member_ids"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=read;output_fields=authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.MemberIdsField, globals.AuthorizedActionsField}, + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{Id: globalGroupWithMember.PublicId}) + require.NoError(t, err) + handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) + }) + } +} - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) - testcases := []struct { - name string - userFunc func() (*iam.User, auth.Account) - input *pbs.CreateGroupRequest - expectOutfields []string - }{ - { - name: "grants name and description", - input: &pbs.CreateGroupRequest{ - Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: genUuid()}, - Description: &wrapperspb.StringValue{Value: genUuid()}, - ScopeId: globals.GlobalPrefix, - }, +func TestOutputFields_CreateGroup(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + genUuid := func() string { + u, _ := uuid.GenerateUUID() + return u + } + + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + testcases := []struct { + name string + userFunc func() (*iam.User, auth.Account) + input *pbs.CreateGroupRequest + expectOutfields []string + }{ + { + name: "grants name and description", + input: &pbs.CreateGroupRequest{ + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: genUuid()}, + Description: &wrapperspb.StringValue{Value: genUuid()}, + ScopeId: globals.GlobalPrefix, }, - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.NameField, globals.DescriptionField}, }, - { - name: "grants scope and scopeId", - input: &pbs.CreateGroupRequest{ - Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: genUuid()}, - Description: &wrapperspb.StringValue{Value: genUuid()}, - ScopeId: globals.GlobalPrefix, - }, + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, - }, - { - name: "grants update_time and create_time", - input: &pbs.CreateGroupRequest{ - Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: genUuid()}, - Description: &wrapperspb.StringValue{Value: genUuid()}, - ScopeId: globals.GlobalPrefix, - }, + }), + expectOutfields: []string{globals.NameField, globals.DescriptionField}, + }, + { + name: "grants scope and scopeId", + input: &pbs.CreateGroupRequest{ + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: genUuid()}, + Description: &wrapperspb.StringValue{Value: genUuid()}, + ScopeId: globals.GlobalPrefix, }, - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, }, - { - name: "grants id, authorized_actions, version", - input: &pbs.CreateGroupRequest{ - Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: genUuid()}, - Description: &wrapperspb.StringValue{Value: genUuid()}, - ScopeId: globals.GlobalPrefix, - }, + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + }, + { + name: "grants update_time and create_time", + input: &pbs.CreateGroupRequest{ + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: genUuid()}, + Description: &wrapperspb.StringValue{Value: genUuid()}, + ScopeId: globals.GlobalPrefix, }, - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, }, - { - name: "composite grants all fields", - input: &pbs.CreateGroupRequest{ - Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: genUuid()}, - Description: &wrapperspb.StringValue{Value: genUuid()}, - ScopeId: globals.GlobalPrefix, - }, + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{ - globals.IdField, - globals.ScopeField, - globals.ScopeIdField, - globals.NameField, - globals.DescriptionField, - globals.CreatedTimeField, - globals.AuthorizedActionsField, - globals.VersionField, + }), + expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, + }, + { + name: "grants id, authorized_actions, version", + input: &pbs.CreateGroupRequest{ + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: genUuid()}, + Description: &wrapperspb.StringValue{Value: genUuid()}, + ScopeId: globals.GlobalPrefix, }, }, - } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - user, account := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - out, err := s.CreateGroup(fullGrantAuthCtx, tc.input) - require.NoError(t, err) - handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) - }) - } - }) - - t.Run("UpdateGroup", func(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - rw := db.New(conn) - wrap := db.TestWrapper(t) - iamRepo := iam.TestRepo(t, conn, wrap) - kmsCache := kms.TestKms(t, conn, wrap) - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } - - // this can be used across test cases because we're only testing for output fields, not the update behaviors - inputFunc := func(t *testing.T) *pbs.UpdateGroupRequest { - name, _ := uuid.GenerateUUID() - desc, _ := uuid.GenerateUUID() - globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) - u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) - _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u.PublicId) - return &pbs.UpdateGroupRequest{ - Id: globalGroupWithMember.PublicId, - Item: &pb.Group{ - Name: &wrapperspb.StringValue{Value: name}, - Description: &wrapperspb.StringValue{Value: desc}, - Version: globalGroupWithMember.Version, + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + GrantScopes: []string{globals.GrantScopeThis}, }, - UpdateMask: &fieldmaskpb.FieldMask{ - Paths: []string{"name", "description"}, + }), + expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + }, + { + name: "composite grants all fields", + input: &pbs.CreateGroupRequest{ + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: genUuid()}, + Description: &wrapperspb.StringValue{Value: genUuid()}, + ScopeId: globals.GlobalPrefix, }, - } - } - - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) - testcases := []struct { - name string - userFunc func() (*iam.User, auth.Account) - expectOutfields []string - }{ - { - name: "grants name and description", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.NameField, globals.DescriptionField}, }, - { - name: "grants scope and scopeId", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{ + globals.IdField, + globals.ScopeField, + globals.ScopeIdField, + globals.NameField, + globals.DescriptionField, + globals.CreatedTimeField, + globals.AuthorizedActionsField, + globals.VersionField, }, - { - name: "grants update_time and create_time", + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.CreateGroup(fullGrantAuthCtx, tc.input) + require.NoError(t, err) + handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) + }) + } +} +func TestOutputFields_UpdateGroup(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, - }, - { - name: "grants id, authorized_actions, version", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + // this can be used across test cases because we're only testing for output fields, not the update behaviors + inputFunc := func(t *testing.T) *pbs.UpdateGroupRequest { + name, _ := uuid.GenerateUUID() + desc, _ := uuid.GenerateUUID() + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription("global"), iam.WithName("global")) + u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u.PublicId) + return &pbs.UpdateGroupRequest{ + Id: globalGroupWithMember.PublicId, + Item: &pb.Group{ + Name: &wrapperspb.StringValue{Value: name}, + Description: &wrapperspb.StringValue{Value: desc}, + Version: globalGroupWithMember.Version, }, - { - name: "composite grants all fields", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{ - globals.IdField, - globals.ScopeField, - globals.ScopeIdField, - globals.NameField, - globals.DescriptionField, - globals.CreatedTimeField, - globals.AuthorizedActionsField, - globals.VersionField, - }, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"name", "description"}, }, } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - user, account := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - out, err := s.UpdateGroup(fullGrantAuthCtx, inputFunc(t)) - require.NoError(t, err) - handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) - }) - } - }) + } - t.Run("AddGroupMembers", func(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - rw := db.New(conn) - wrap := db.TestWrapper(t) - iamRepo := iam.TestRepo(t, conn, wrap) - kmsCache := kms.TestKms(t, conn, wrap) - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + testcases := []struct { + name string + userFunc func() (*iam.User, auth.Account) + expectOutfields []string + }{ + { + name: "grants name and description", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.NameField, globals.DescriptionField}, + }, + { + name: "grants scope and scopeId", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + }, + { + name: "grants update_time and create_time", - // this can be used across test cases because we're only testing for output fields, not the update behaviors - inputFunc := func(t *testing.T) *pbs.AddGroupMembersRequest { - name, _ := uuid.GenerateUUID() - desc, _ := uuid.GenerateUUID() - globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(desc), iam.WithName(name)) - u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) - return &pbs.AddGroupMembersRequest{ - Id: globalGroupWithMember.PublicId, - Version: globalGroupWithMember.Version, - MemberIds: []string{u.PublicId}, - } - } - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) - testcases := []struct { - name string - userFunc func() (*iam.User, auth.Account) - expectOutfields []string - }{ - { - name: "grants name and description", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.NameField, globals.DescriptionField}, - }, - { - name: "grants scope and scopeId", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, + }, + { + name: "grants id, authorized_actions, version", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + }, + { + name: "composite grants all fields", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{ + globals.IdField, + globals.ScopeField, + globals.ScopeIdField, + globals.NameField, + globals.DescriptionField, + globals.CreatedTimeField, + globals.AuthorizedActionsField, + globals.VersionField, }, - { - name: "grants update_time and create_time", + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.UpdateGroup(fullGrantAuthCtx, inputFunc(t)) + require.NoError(t, err) + handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) + }) + } +} - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, - }, - { - name: "grants id, authorized_actions, version", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, - }, - { - name: "composite grants all fields", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{ - globals.IdField, - globals.ScopeField, - globals.ScopeIdField, - globals.NameField, - globals.DescriptionField, - globals.CreatedTimeField, - globals.AuthorizedActionsField, - globals.VersionField, +func TestOutputFields_AddGroupMembers(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } + + // this can be used across test cases because we're only testing for output fields, not the update behaviors + inputFunc := func(t *testing.T) *pbs.AddGroupMembersRequest { + name, _ := uuid.GenerateUUID() + desc, _ := uuid.GenerateUUID() + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(desc), iam.WithName(name)) + u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + return &pbs.AddGroupMembersRequest{ + Id: globalGroupWithMember.PublicId, + Version: globalGroupWithMember.Version, + MemberIds: []string{u.PublicId}, + } + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + testcases := []struct { + name string + userFunc func() (*iam.User, auth.Account) + expectOutfields []string + }{ + { + name: "grants name and description", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.NameField, globals.DescriptionField}, + }, + { + name: "grants scope and scopeId", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + }, + { + name: "grants update_time and create_time", + + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, + }, + { + name: "grants id, authorized_actions, version", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + }, + { + name: "composite grants all fields", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{ + globals.IdField, + globals.ScopeField, + globals.ScopeIdField, + globals.NameField, + globals.DescriptionField, + globals.CreatedTimeField, + globals.AuthorizedActionsField, + globals.VersionField, }, - } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - user, account := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - out, err := s.AddGroupMembers(fullGrantAuthCtx, inputFunc(t)) - require.NoError(t, err) - handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) - }) - } - }) + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.AddGroupMembers(fullGrantAuthCtx, inputFunc(t)) + require.NoError(t, err) + handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) + }) + } +} - t.Run("SetGroupMembers", func(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - rw := db.New(conn) - wrap := db.TestWrapper(t) - iamRepo := iam.TestRepo(t, conn, wrap) - kmsCache := kms.TestKms(t, conn, wrap) - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } +func TestOutputFields_SetGroupMembers(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } - // this can be used across test cases because we're only testing for output fields, not the update behaviors - inputFunc := func(t *testing.T) *pbs.SetGroupMembersRequest { - name, _ := uuid.GenerateUUID() - desc, _ := uuid.GenerateUUID() - globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(desc), iam.WithName(name)) - u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) - return &pbs.SetGroupMembersRequest{ - Id: globalGroupWithMember.PublicId, - Version: globalGroupWithMember.Version, - MemberIds: []string{u.PublicId}, - } + // this can be used across test cases because we're only testing for output fields, not the update behaviors + inputFunc := func(t *testing.T) *pbs.SetGroupMembersRequest { + name, _ := uuid.GenerateUUID() + desc, _ := uuid.GenerateUUID() + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(desc), iam.WithName(name)) + u := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + return &pbs.SetGroupMembersRequest{ + Id: globalGroupWithMember.PublicId, + Version: globalGroupWithMember.Version, + MemberIds: []string{u.PublicId}, } - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) - testcases := []struct { - name string - userFunc func() (*iam.User, auth.Account) - expectOutfields []string - }{ - { - name: "grants name and description", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.NameField, globals.DescriptionField}, - }, - { - name: "grants scope and scopeId", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, - }, - { - name: "grants update_time and create_time", + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + testcases := []struct { + name string + userFunc func() (*iam.User, auth.Account) + expectOutfields []string + }{ + { + name: "grants name and description", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.NameField, globals.DescriptionField}, + }, + { + name: "grants scope and scopeId", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + }, + { + name: "grants update_time and create_time", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, - }, - { - name: "grants id, authorized_actions, version", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, - }, - { - name: "composite grants all fields", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{ - globals.IdField, - globals.ScopeField, - globals.ScopeIdField, - globals.NameField, - globals.DescriptionField, - globals.CreatedTimeField, - globals.AuthorizedActionsField, - globals.VersionField, + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, }, + }), + expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, + }, + { + name: "grants id, authorized_actions, version", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + }, + { + name: "composite grants all fields", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{ + globals.IdField, + globals.ScopeField, + globals.ScopeIdField, + globals.NameField, + globals.DescriptionField, + globals.CreatedTimeField, + globals.AuthorizedActionsField, + globals.VersionField, }, - } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - user, account := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - out, err := s.SetGroupMembers(fullGrantAuthCtx, inputFunc(t)) - require.NoError(t, err) - handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) - }) - } - }) + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.SetGroupMembers(fullGrantAuthCtx, inputFunc(t)) + require.NoError(t, err) + handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) + }) + } +} - t.Run("RemoveGroupMembers", func(t *testing.T) { - ctx := context.Background() - conn, _ := db.TestSetup(t, "postgres") - rw := db.New(conn) - wrap := db.TestWrapper(t) - iamRepo := iam.TestRepo(t, conn, wrap) - kmsCache := kms.TestKms(t, conn, wrap) - atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) - require.NoError(t, err) - repoFn := func() (*iam.Repository, error) { - return iamRepo, nil - } +func TestOutputFields_RemoveGroupMembers(t *testing.T) { + ctx := context.Background() + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrap := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, wrap) + kmsCache := kms.TestKms(t, conn, wrap) + atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache) + require.NoError(t, err) + repoFn := func() (*iam.Repository, error) { + return iamRepo, nil + } - // this can be used across test cases because we're only testing for output fields, not the update behaviors - inputFunc := func(t *testing.T) *pbs.RemoveGroupMembersRequest { - name, _ := uuid.GenerateUUID() - desc, _ := uuid.GenerateUUID() - globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(desc), iam.WithName(name)) - // create 2 users and remove one so the tests can differentiate between the group without members vs. having no access to read members - u1 := iam.TestUser(t, iamRepo, globals.GlobalPrefix) - u2 := iam.TestUser(t, iamRepo, globals.GlobalPrefix) - _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u1.PublicId) - _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u2.PublicId) - return &pbs.RemoveGroupMembersRequest{ - Id: globalGroupWithMember.PublicId, - Version: globalGroupWithMember.Version, - MemberIds: []string{u2.PublicId}, - } + // this can be used across test cases because we're only testing for output fields, not the update behaviors + inputFunc := func(t *testing.T) *pbs.RemoveGroupMembersRequest { + name, _ := uuid.GenerateUUID() + desc, _ := uuid.GenerateUUID() + globalGroupWithMember := iam.TestGroup(t, conn, globals.GlobalPrefix, iam.WithDescription(desc), iam.WithName(name)) + // create 2 users and remove one so the tests can differentiate between the group without members vs. having no access to read members + u1 := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + u2 := iam.TestUser(t, iamRepo, globals.GlobalPrefix) + _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u1.PublicId) + _ = iam.TestGroupMember(t, conn, globalGroupWithMember.PublicId, u2.PublicId) + return &pbs.RemoveGroupMembersRequest{ + Id: globalGroupWithMember.PublicId, + Version: globalGroupWithMember.Version, + MemberIds: []string{u2.PublicId}, } - s, err := groups.NewService(ctx, repoFn, 1000) - require.NoError(t, err) - testcases := []struct { - name string - userFunc func() (*iam.User, auth.Account) - expectOutfields []string - }{ - { - name: "grants name and description", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.NameField, globals.DescriptionField}, - }, - { - name: "grants scope and scopeId", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, - }, - { - name: "grants update_time and create_time", + } + s, err := groups.NewService(ctx, repoFn, 1000) + require.NoError(t, err) + testcases := []struct { + name string + userFunc func() (*iam.User, auth.Account) + expectOutfields []string + }{ + { + name: "grants name and description", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name,description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.NameField, globals.DescriptionField}, + }, + { + name: "grants scope and scopeId", + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope,scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.ScopeField, globals.ScopeIdField}, + }, + { + name: "grants update_time and create_time", - userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, - }, - { - name: "grants id, authorized_actions, version", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, - }, - { - name: "composite grants all fields", - userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - { - RoleScopeId: globals.GlobalPrefix, - Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, - GrantScopes: []string{globals.GrantScopeThis}, - }, - }), - expectOutfields: []string{ - globals.IdField, - globals.ScopeField, - globals.ScopeIdField, - globals.NameField, - globals.DescriptionField, - globals.CreatedTimeField, - globals.AuthorizedActionsField, - globals.VersionField, + userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=updated_time,created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.UpdatedTimeField, globals.CreatedTimeField}, + }, + { + name: "grants id, authorized_actions, version", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id,authorized_actions,version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{globals.IdField, globals.AuthorizedActionsField, globals.VersionField}, + }, + { + name: "composite grants all fields", + userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{ + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=id"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=scope_id"}, + GrantScopes: []string{globals.GrantScopeThis}, }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=name"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=description"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=created_time"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=authorized_actions"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + { + RoleScopeId: globals.GlobalPrefix, + Grants: []string{"ids=*;type=group;actions=*;output_fields=version"}, + GrantScopes: []string{globals.GrantScopeThis}, + }, + }), + expectOutfields: []string{ + globals.IdField, + globals.ScopeField, + globals.ScopeIdField, + globals.NameField, + globals.DescriptionField, + globals.CreatedTimeField, + globals.AuthorizedActionsField, + globals.VersionField, }, - } - for _, tc := range testcases { - t.Run(tc.name, func(t *testing.T) { - user, account := tc.userFunc() - tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) - require.NoError(t, err) - fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) - out, err := s.RemoveGroupMembers(fullGrantAuthCtx, inputFunc(t)) - require.NoError(t, err) - handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) - }) - } - }) + }, + } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + user, account := tc.userFunc() + tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId()) + require.NoError(t, err) + fullGrantAuthCtx := cauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo) + out, err := s.RemoveGroupMembers(fullGrantAuthCtx, inputFunc(t)) + require.NoError(t, err) + handlers.TestAssertOutputFields(t, out.Item, tc.expectOutfields) + }) + } } func userIDs(users []*iam.User) []string { From ac0f70cd81d7676fa5820c576a0dec6f5b1a2816 Mon Sep 17 00:00:00 2001 From: Sorawis Nilparuk Date: Tue, 18 Mar 2025 09:24:27 -0700 Subject: [PATCH 62/62] make gen --- internal/daemon/controller/handlers/groups/grants_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go index 6cc7560f80..3add57a07e 100644 --- a/internal/daemon/controller/handlers/groups/grants_test.go +++ b/internal/daemon/controller/handlers/groups/grants_test.go @@ -1576,6 +1576,7 @@ func TestOutputFields_CreateGroup(t *testing.T) { }) } } + func TestOutputFields_UpdateGroup(t *testing.T) { ctx := context.Background() conn, _ := db.TestSetup(t, "postgres")