test(groups): add grants tests for groups API #5403

Open
wants to merge 60 commits into
base: llb-normalized-grants-tests-only
60 commits
592ce1d
first test with all the required setup
bosorawis Dec 17, 2024
9320e4a
v1 of test
bosorawis Dec 18, 2024
41d9d7c
add primitive func and more test
bosorawis Dec 19, 2024
50d45b7
refactor read tests into a single top level
bosorawis Dec 20, 2024
d7b3b9b
move token generation to a function
bosorawis Dec 20, 2024
d02eb95
add test for creates
bosorawis Dec 21, 2024
4850480
add delete tests
bosorawis Dec 24, 2024
184bd0c
add update test
bosorawis Dec 27, 2024
60cb494
only check for version and update_time
bosorawis Dec 27, 2024
abc747e
move setup resource into testcase to support grants with specific ID
bosorawis Dec 27, 2024
3e2a3ef
add member tests
bosorawis Jan 3, 2025
f44ac44
add group-member test example with multiple actions
bosorawis Jan 3, 2025
a3d8e62
remove duplicate group membership tests
bosorawis Jan 3, 2025
962f326
ran make gen
bosorawis Jan 3, 2025
f7d1d20
fix missing parentID bug
bosorawis Jan 4, 2025
6a34f9f
fix typo
bosorawis Jan 4, 2025
245872b
fix test names and add test cases
bosorawis Jan 6, 2025
8bec6ac
switch from google/uuid to hashicorp/go-uuid
bosorawis Jan 6, 2025
f2913a3
add comment to groupmember tests
bosorawis Jan 6, 2025
72c1684
small comment change
bosorawis Jan 7, 2025
8eae79f
pull shared test utility code from PR #5418
bosorawis Jan 8, 2025
cef6f77
refactor role grants out of authtoken package
bosorawis Jan 29, 2025
1054b0c
unexport utility function
bosorawis Jan 29, 2025
aaff0de
Remove dead code
bosorawis Jan 29, 2025
ec257f0
lint and make gen
bosorawis Jan 29, 2025
55c27bc
fix role creation logic
bosorawis Jan 30, 2025
564e523
fix password TestAccountFunc implementation
bosorawis Feb 12, 2025
d83a9fd
implement TestAccountFunc for LDAP
bosorawis Feb 12, 2025
5bd9671
implement TestAccountFunc for OIDC
bosorawis Feb 12, 2025
dde6d2a
implement TestUserFunc for managed groups
bosorawis Feb 12, 2025
877c6b9
use managed groups in grants test
bosorawis Feb 12, 2025
75a244c
undo removal of authtoken.TestAuthTokenWithRoles for future refactor
bosorawis Feb 12, 2025
792f788
switch from list to map based test case for create tests
bosorawis Feb 12, 2025
6517fc0
undo merge mistakes
bosorawis Feb 12, 2025
2bd59de
fix merge mistakes
bosorawis Feb 12, 2025
3df265b
lint
bosorawis Feb 12, 2025
7de8fdc
add setup examples
bosorawis Feb 13, 2025
b62ffa2
add output fields tests for getgroup
bosorawis Feb 14, 2025
3947e34
reimplement with reflect
bosorawis Feb 14, 2025
9e76227
add test for CreateGroup
bosorawis Feb 14, 2025
8f0a4bc
add all single resource action tests
bosorawis Feb 15, 2025
a5acfec
add list test
bosorawis Feb 15, 2025
76ff88f
rename function argument
bosorawis Feb 19, 2025
f78f035
move AssertOutputFields to handlers package
bosorawis Feb 19, 2025
1abdc55
fix lint
bosorawis Feb 19, 2025
fd05e52
make gen
bosorawis Feb 19, 2025
e8f907c
use proto.Message instead of custom interface
bosorawis Feb 19, 2025
fb922ae
switch to hashicorp/go-uuid
bosorawis Feb 19, 2025
666d044
fix typo
bosorawis Feb 20, 2025
3024650
fix error message
bosorawis Feb 25, 2025
34437f9
id= to ids=
bosorawis Feb 25, 2025
a10a4d7
make generating test accounts more randomized
bosorawis Feb 26, 2025
0a8c054
Trigger CI checks
bosorawis Feb 26, 2025
3770310
refactor auth/iam grants test setup
bosorawis Mar 5, 2025
bb6e262
move a test to _test package
bosorawis Mar 5, 2025
ce78b68
lint
bosorawis Mar 5, 2025
dcb616e
minor comment fix
bosorawis Mar 5, 2025
f38167d
use Id instead of ID
bosorawis Mar 5, 2025
06ed75e
make user/account setup in iam returns account instead of just accoun…
bosorawis Mar 6, 2025
cfddcdc
missed one change
bosorawis Mar 6, 2025
2 changes: 1 addition & 1 deletion internal/auth/db_test.go
@@ -1,7 +1,7 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package auth
package auth_test
Collaborator Author


Had to move this to a test package to avoid circular import between iam and auth (iam now imports auth)


import (
"context"
19 changes: 19 additions & 0 deletions internal/auth/ldap/testing.go
Expand Up @@ -12,15 +12,19 @@ import (
"crypto/x509/pkix"
"encoding/json"
"encoding/pem"
"fmt"
"math/big"
"net"
"net/url"
"sort"
"testing"
"time"

"github.com/hashicorp/boundary/internal/auth"
"github.com/hashicorp/boundary/internal/db"
"github.com/hashicorp/boundary/internal/kms"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/go-uuid"
"github.com/stretchr/testify/require"
)

Expand Down Expand Up @@ -175,6 +179,21 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, loginName string, op
return a
}

// TestAuthMethodWithAccountInManagedGroup creates an authMethod, and an account within that authmethod, an
// LDAP managed group, and add the newly created account as a member of the LDAP managed group.
func TestAuthMethodWithAccountInManagedGroup(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeId string) (auth.AuthMethod, auth.Account, auth.ManagedGroup) {
t.Helper()
uuid, err := uuid.GenerateUUID()
require.NoError(t, err)
ctx := context.Background()
databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeId, kms.KeyPurposeDatabase)
require.NoError(t, err)
am := TestAuthMethod(t, conn, databaseWrapper, scopeId, []string{fmt.Sprintf("ldap://%s", uuid)})
managedGroup := TestManagedGroup(t, conn, am, []string{uuid})
acct := TestAccount(t, conn, am, "testacct", WithMemberOfGroups(ctx, uuid))
return am, acct, managedGroup
}

// TestManagedGroup creates a test ldap managed group.
func TestManagedGroup(t testing.TB, conn *db.DB, am *AuthMethod, grpNames []string, opt ...Option) *ManagedGroup {
t.Helper()
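Review bot: `uuid, err := uuid.GenerateUUID()` shadows the imported `uuid` package with a local variable for the rest of `TestAuthMethodWithAccountInManagedGroup`, which compiles but is confusing and breaks the first time someone adds a second `uuid.GenerateUUID()` call further down; rename the local (for example `id`) and use it in the `ldap://%s` URL, the `TestManagedGroup` name list and `WithMemberOfGroups`. Two smaller points in the same hunk: `ctx` is declared but `kmsCache.GetWrapper` is called with a fresh `context.Background()` instead of `ctx`, and the doc comment should read "and adds the newly created account" to match the other verbs in the sentence.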
21 changes: 21 additions & 0 deletions internal/auth/oidc/testing.go
Expand Up @@ -24,6 +24,7 @@ import (
"testing"
"time"

"github.com/hashicorp/boundary/internal/auth"
"github.com/hashicorp/boundary/internal/auth/oidc/request"
"github.com/hashicorp/boundary/internal/authtoken"
"github.com/hashicorp/boundary/internal/db"
Expand All @@ -32,6 +33,7 @@ import (
"github.com/hashicorp/boundary/internal/kms"
"github.com/hashicorp/cap/oidc"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/go-uuid"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/types/known/timestamppb"
)
Expand Down Expand Up @@ -192,6 +194,25 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, subject string, opt
return a
}

// TestAuthMethodWithAccountInManagedGroup creates an authMethod, and an account within that authmethod, an
// OIDC managed group, and add the newly created account as a member of the OIDC managed group.
func TestAuthMethodWithAccountInManagedGroup(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeId string) (auth.AuthMethod, auth.Account, auth.ManagedGroup) {
t.Helper()
uuid, err := uuid.GenerateUUID()
require.NoError(t, err)
databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeId, kms.KeyPurposeDatabase)
require.NoError(t, err)
testAuthMethod := TestAuthMethod(t, conn, databaseWrapper, scopeId, ActivePublicState,
"alice-rp", "fido",
WithIssuer(TestConvertToUrls(t, fmt.Sprintf("https://%s.com", uuid))[0]),
WithSigningAlgs(Alg(oidc.RS256)),
WithApiUrl(TestConvertToUrls(t, fmt.Sprintf("https://%s.com/callback", uuid))[0]))
account := TestAccount(t, conn, testAuthMethod, "testacct")
managedGroup := TestManagedGroup(t, conn, testAuthMethod, `"/token/sub" matches ".*"`)
TestManagedGroupMember(t, conn, managedGroup.PublicId, account.PublicId)
return testAuthMethod, account, managedGroup
}

// TestManagedGroup creates a test oidc managed group.
func TestManagedGroup(t testing.TB, conn *db.DB, am *AuthMethod, filter string, opt ...Option) *ManagedGroup {
t.Helper()
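Review bot: the same `uuid, err := uuid.GenerateUUID()` shadowing as in the LDAP helper appears here, and it is harder to spot because the shadowed name is then interpolated into the issuer and API URLs; rename the local so the package stays reachable. The managed group filter `"/token/sub" matches ".*"` accepts every subject, which is fine for a fixture but deserves a comment so nobody later reuses this helper expecting a second account from the same auth method to be excluded. The doc comment should also say "and adds the newly created account", mirroring the fix needed in `ldap/testing.go`.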
13 changes: 13 additions & 0 deletions internal/auth/password/testing.go
Expand Up @@ -8,7 +8,10 @@ import (
"fmt"
"testing"

"github.com/hashicorp/boundary/globals"
"github.com/hashicorp/boundary/internal/auth"
"github.com/hashicorp/boundary/internal/db"
"github.com/hashicorp/go-uuid"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
Expand Down Expand Up @@ -71,6 +74,16 @@ func TestMultipleAccounts(t testing.TB, conn *db.DB, authMethodId string, count
return auts
}

// TestAuthMethodWithAccount creates an authMethod and an account within that authmethod
// returing both the AM and the account
func TestAuthMethodWithAccount(t *testing.T, conn *db.DB) (auth.AuthMethod, auth.Account) {
authMethod := TestAuthMethod(t, conn, globals.GlobalPrefix)
loginName, err := uuid.GenerateUUID()
require.NoError(t, err)
acct := TestAccount(t, conn, authMethod.GetPublicId(), loginName)
return authMethod, acct
}

// TestAccount creates a password account to the provided DB with the provided
// auth method id and loginName. The auth method must have been created
// previously. See password.NewAccount(...) for a list of supported options.
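Review bot: `TestAuthMethodWithAccount` is missing `t.Helper()`, unlike the LDAP and OIDC variants and the existing helpers in this file, so a failed `require.NoError` or an assertion inside `TestAuthMethod`/`TestAccount` will be reported at this helper's line instead of at the calling test; add `t.Helper()` as the first statement. Also "returing" in the doc comment should be "returning", and the comment would be clearer if it stated that the auth method is created in the global scope (`globals.GlobalPrefix`) with a random UUID as the login name, since neither choice is obvious from the function name.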
6 changes: 6 additions & 0 deletions internal/auth/testing.go
Expand Up @@ -10,9 +10,15 @@ import (

"github.com/hashicorp/boundary/internal/db"
"github.com/hashicorp/boundary/internal/db/timestamp"
"github.com/hashicorp/boundary/internal/kms"
"github.com/stretchr/testify/require"
)

type (
TestAuthMethodWithAccountFunc func(t *testing.T, conn *db.DB) (AuthMethod, Account)
TestAuthMethodWithAccountInManagedGroup func(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeId string) (AuthMethod, Account, ManagedGroup)
)

// ManagedGroupMemberAccount represents an entry from
// auth_managed_group_member_account. These are used to determine the account
// ids where are a member of managed groups. See: oidc and ldap managed groups
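Review bot: the two new func types are named inconsistently: `TestAuthMethodWithAccountFunc` carries a `Func` suffix while `TestAuthMethodWithAccountInManagedGroup` does not, and the latter shares its exact name with the concrete helpers in the `ldap` and `oidc` packages, so `auth.TestAuthMethodWithAccountInManagedGroup` reads like a function when it is a type. Suggest `TestAuthMethodWithAccountInManagedGroupFunc` for symmetry, plus a doc comment on each exported type naming the helpers that satisfy it (`password.TestAuthMethodWithAccount`, `ldap.TestAuthMethodWithAccountInManagedGroup`, `oidc.TestAuthMethodWithAccountInManagedGroup`).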
4 changes: 2 additions & 2 deletions internal/authtoken/testing.go
Expand Up @@ -51,7 +51,7 @@ func TestAuthToken(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, opt
// TestRoleGrantsForToken contains information used by TestAuthTokenWithRoles to create
// roles and their associated grants (with grant scopes)
type TestRoleGrantsForToken struct {
RoleScopeID string
RoleScopeId string
GrantStrings []string
GrantScopes []string
}
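Review bot: renaming the exported field `RoleScopeID` to `RoleScopeId` is a compile-breaking change for every test that builds `TestRoleGrantsForToken` literals; the handler `grants_test.go` files updated in this PR are visible below, but any in-flight branch using the old name will fail on rebase, so call the rename out in the PR description. The new spelling matches the `scopeId`/`PublicId` casing used elsewhere in this file, so the direction of the rename is right.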
Expand All @@ -75,7 +75,7 @@ func TestAuthTokenWithRoles(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId str
acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName)
user := iam.TestUser(t, iamRepo, scopeId, iam.WithAccountIds(acct.GetPublicId()))
for _, r := range roles {
role := iam.TestRoleWithGrants(t, conn, r.RoleScopeID, r.GrantScopes, r.GrantStrings)
role := iam.TestRoleWithGrants(t, conn, r.RoleScopeId, r.GrantScopes, r.GrantStrings)
_ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId)
}
fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId())
4 changes: 2 additions & 2 deletions internal/daemon/controller/handlers/accounts/grants_test.go
Expand Up @@ -61,7 +61,7 @@ func TestListPassword_Grants(t *testing.T) {
},
roleRequest: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
RoleScopeId: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=*;actions=list,read"},
GrantScopes: []string{globals.GrantScopeChildren},
},
Expand All @@ -77,7 +77,7 @@ func TestListPassword_Grants(t *testing.T) {
},
roleRequest: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: org.GetPublicId(),
RoleScopeId: org.GetPublicId(),
GrantStrings: []string{"ids=*;type=*;actions=list,read"},
GrantScopes: []string{globals.GrantScopeChildren},
},
4 changes: 2 additions & 2 deletions internal/daemon/controller/handlers/aliases/grants_test.go
Expand Up @@ -61,7 +61,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
RoleScopeId: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=alias;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis},
},
Expand All @@ -77,7 +77,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
RoleScopeId: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=group;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis},
},
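Review bot: the second case in the aliases `TestGrants_ReadActions` creates a role with `ids=*;type=group;actions=list,read`, while the first case uses `type=alias`. If the intent is to verify that a grant for a different resource type does not authorize alias list/read, the case should say so in its name or a comment and assert the denial explicitly; if it is a copy-paste leftover from the groups tests this PR adds, it should be `type=alias`.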
Expand Up @@ -100,7 +100,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
RoleScopeId: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=auth-method;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
},
Expand Down Expand Up @@ -149,7 +149,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: org1.PublicId,
RoleScopeId: org1.PublicId,
GrantStrings: []string{"ids=*;type=auth-method;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
},
Expand Down Expand Up @@ -205,7 +205,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
RoleScopeId: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=auth-method;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
},
Expand All @@ -219,7 +219,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
RoleScopeId: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=auth-method;actions=list,read"},
GrantScopes: []string{globals.GrantScopeChildren},
},
Expand Up @@ -79,7 +79,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
RoleScopeId: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=auth-token;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
},
Expand All @@ -95,7 +95,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: org1.PublicId,
RoleScopeId: org1.PublicId,
GrantStrings: []string{"ids=*;type=auth-token;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
},
Expand Up @@ -58,7 +58,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
RoleScopeId: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=credential-library;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
},
Expand All @@ -73,7 +73,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: org.GetPublicId(),
RoleScopeId: org.GetPublicId(),
GrantStrings: []string{"ids=*;type=credential-library;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
},
Expand Up @@ -78,7 +78,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
RoleScopeId: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=credential;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
},
Expand All @@ -93,7 +93,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: org.PublicId,
RoleScopeId: org.PublicId,
GrantStrings: []string{"ids=*;type=credential;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
},
Expand All @@ -108,7 +108,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: proj.PublicId,
RoleScopeId: proj.PublicId,
GrantStrings: []string{"ids=*;type=credential;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis},
},
Expand Up @@ -87,7 +87,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
RoleScopeId: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=credential-store;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
},
Expand All @@ -103,7 +103,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: org.PublicId,
RoleScopeId: org.PublicId,
GrantStrings: []string{"ids=*;type=credential-store;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
},
Expand All @@ -118,7 +118,7 @@ func TestGrants_ReadActions(t *testing.T) {
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: proj.PublicId,
RoleScopeId: proj.PublicId,
GrantStrings: []string{"ids=*;type=credential-store;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis},
},