test(groups): add grants tests for groups API

internal/auth/db_test.go

@@ -1,7 +1,7 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package auth
+package auth_test
 
 import (
 	"context"

internal/auth/ldap/testing.go

@@ -12,15 +12,19 @@ import (
 	"crypto/x509/pkix"
 	"encoding/json"
 	"encoding/pem"
+	"fmt"
 	"math/big"
 	"net"
 	"net/url"
 	"sort"
 	"testing"
 	"time"
 
+	"github.com/hashicorp/boundary/internal/auth"
 	"github.com/hashicorp/boundary/internal/db"
+	"github.com/hashicorp/boundary/internal/kms"
 	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+	"github.com/hashicorp/go-uuid"
 	"github.com/stretchr/testify/require"
 )
 
@@ -175,6 +179,21 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, loginName string, op
 	return a
 }
 
+// TestAuthMethodWithAccountInManagedGroup creates an authMethod, and an account within that authmethod, an
+// LDAP managed group, and add the newly created account as a member of the LDAP managed group.
+func TestAuthMethodWithAccountInManagedGroup(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeId string) (auth.AuthMethod, auth.Account, auth.ManagedGroup) {
+	t.Helper()
+	uuid, err := uuid.GenerateUUID()
+	require.NoError(t, err)
+	ctx := context.Background()
+	databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeId, kms.KeyPurposeDatabase)
+	require.NoError(t, err)
+	am := TestAuthMethod(t, conn, databaseWrapper, scopeId, []string{fmt.Sprintf("ldap://%s", uuid)})
+	managedGroup := TestManagedGroup(t, conn, am, []string{uuid})
+	acct := TestAccount(t, conn, am, "testacct", WithMemberOfGroups(ctx, uuid))
+	return am, acct, managedGroup
+}
+
 // TestManagedGroup creates a test ldap managed group.
 func TestManagedGroup(t testing.TB, conn *db.DB, am *AuthMethod, grpNames []string, opt ...Option) *ManagedGroup {
 	t.Helper()

internal/auth/oidc/testing.go

@@ -24,6 +24,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/boundary/internal/auth"
 	"github.com/hashicorp/boundary/internal/auth/oidc/request"
 	"github.com/hashicorp/boundary/internal/authtoken"
 	"github.com/hashicorp/boundary/internal/db"
@@ -32,6 +33,7 @@ import (
 	"github.com/hashicorp/boundary/internal/kms"
 	"github.com/hashicorp/cap/oidc"
 	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+	"github.com/hashicorp/go-uuid"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/timestamppb"
 )
@@ -192,6 +194,25 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, subject string, opt
 	return a
 }
 
+// TestAuthMethodWithAccountInManagedGroup creates an authMethod, and an account within that authmethod, an
+// OIDC managed group, and add the newly created account as a member of the OIDC managed group.
+func TestAuthMethodWithAccountInManagedGroup(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeId string) (auth.AuthMethod, auth.Account, auth.ManagedGroup) {
+	t.Helper()
+	uuid, err := uuid.GenerateUUID()
+	require.NoError(t, err)
+	databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeId, kms.KeyPurposeDatabase)
+	require.NoError(t, err)
+	testAuthMethod := TestAuthMethod(t, conn, databaseWrapper, scopeId, ActivePublicState,
+		"alice-rp", "fido",
+		WithIssuer(TestConvertToUrls(t, fmt.Sprintf("https://%s.com", uuid))[0]),
+		WithSigningAlgs(Alg(oidc.RS256)),
+		WithApiUrl(TestConvertToUrls(t, fmt.Sprintf("https://%s.com/callback", uuid))[0]))
+	account := TestAccount(t, conn, testAuthMethod, "testacct")
+	managedGroup := TestManagedGroup(t, conn, testAuthMethod, `"/token/sub" matches ".*"`)
+	TestManagedGroupMember(t, conn, managedGroup.PublicId, account.PublicId)
+	return testAuthMethod, account, managedGroup
+}
+
 // TestManagedGroup creates a test oidc managed group.
 func TestManagedGroup(t testing.TB, conn *db.DB, am *AuthMethod, filter string, opt ...Option) *ManagedGroup {
 	t.Helper()

internal/auth/password/testing.go

@@ -8,7 +8,10 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/hashicorp/boundary/globals"
+	"github.com/hashicorp/boundary/internal/auth"
 	"github.com/hashicorp/boundary/internal/db"
+	"github.com/hashicorp/go-uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -71,6 +74,16 @@ func TestMultipleAccounts(t testing.TB, conn *db.DB, authMethodId string, count
 	return auts
 }
 
+// TestAuthMethodWithAccount creates an authMethod and an account within that authmethod
+// returing both the AM and the account
+func TestAuthMethodWithAccount(t *testing.T, conn *db.DB) (auth.AuthMethod, auth.Account) {
+	authMethod := TestAuthMethod(t, conn, globals.GlobalPrefix)
+	loginName, err := uuid.GenerateUUID()
+	require.NoError(t, err)
+	acct := TestAccount(t, conn, authMethod.GetPublicId(), loginName)
+	return authMethod, acct
+}
+
 // TestAccount creates a password account to the provided DB with the provided
 // auth method id and loginName.  The auth method must have been created
 // previously. See password.NewAccount(...) for a list of supported options.

internal/auth/testing.go

@@ -10,9 +10,15 @@ import (
 
 	"github.com/hashicorp/boundary/internal/db"
 	"github.com/hashicorp/boundary/internal/db/timestamp"
+	"github.com/hashicorp/boundary/internal/kms"
 	"github.com/stretchr/testify/require"
 )
 
+type (
+	TestAuthMethodWithAccountFunc           func(t *testing.T, conn *db.DB) (AuthMethod, Account)
+	TestAuthMethodWithAccountInManagedGroup func(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeId string) (AuthMethod, Account, ManagedGroup)
+)
+
 // ManagedGroupMemberAccount represents an entry from
 // auth_managed_group_member_account.  These are used to determine the account
 // ids where are a member of managed groups.  See: oidc and ldap managed groups

internal/authtoken/testing.go

@@ -51,7 +51,7 @@ func TestAuthToken(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, opt
 // TestRoleGrantsForToken contains information used by TestAuthTokenWithRoles to create
 // roles and their associated grants (with grant scopes)
 type TestRoleGrantsForToken struct {
-	RoleScopeID  string
+	RoleScopeId  string
 	GrantStrings []string
 	GrantScopes  []string
 }
@@ -75,7 +75,7 @@ func TestAuthTokenWithRoles(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId str
 	acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName)
 	user := iam.TestUser(t, iamRepo, scopeId, iam.WithAccountIds(acct.GetPublicId()))
 	for _, r := range roles {
-		role := iam.TestRoleWithGrants(t, conn, r.RoleScopeID, r.GrantScopes, r.GrantStrings)
+		role := iam.TestRoleWithGrants(t, conn, r.RoleScopeId, r.GrantScopes, r.GrantStrings)
 		_ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId)
 	}
 	fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId())

internal/daemon/controller/handlers/accounts/grants_test.go

@@ -61,7 +61,7 @@ func TestListPassword_Grants(t *testing.T) {
 			},
 			roleRequest: []authtoken.TestRoleGrantsForToken{
 				{
-					RoleScopeID:  globals.GlobalPrefix,
+					RoleScopeId:  globals.GlobalPrefix,
 					GrantStrings: []string{"ids=*;type=*;actions=list,read"},
 					GrantScopes:  []string{globals.GrantScopeChildren},
 				},
@@ -77,7 +77,7 @@ func TestListPassword_Grants(t *testing.T) {
 			},
 			roleRequest: []authtoken.TestRoleGrantsForToken{
 				{
-					RoleScopeID:  org.GetPublicId(),
+					RoleScopeId:  org.GetPublicId(),
 					GrantStrings: []string{"ids=*;type=*;actions=list,read"},
 					GrantScopes:  []string{globals.GrantScopeChildren},
 				},

internal/daemon/controller/handlers/aliases/grants_test.go

@@ -61,7 +61,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  globals.GlobalPrefix,
+						RoleScopeId:  globals.GlobalPrefix,
 						GrantStrings: []string{"ids=*;type=alias;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis},
 					},
@@ -77,7 +77,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  globals.GlobalPrefix,
+						RoleScopeId:  globals.GlobalPrefix,
 						GrantStrings: []string{"ids=*;type=group;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis},
 					},

internal/daemon/controller/handlers/authmethods/grants_test.go

@@ -100,7 +100,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  globals.GlobalPrefix,
+						RoleScopeId:  globals.GlobalPrefix,
 						GrantStrings: []string{"ids=*;type=auth-method;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 					},
@@ -149,7 +149,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  org1.PublicId,
+						RoleScopeId:  org1.PublicId,
 						GrantStrings: []string{"ids=*;type=auth-method;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 					},
@@ -205,7 +205,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  globals.GlobalPrefix,
+						RoleScopeId:  globals.GlobalPrefix,
 						GrantStrings: []string{"ids=*;type=auth-method;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 					},
@@ -219,7 +219,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  globals.GlobalPrefix,
+						RoleScopeId:  globals.GlobalPrefix,
 						GrantStrings: []string{"ids=*;type=auth-method;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeChildren},
 					},

internal/daemon/controller/handlers/authtokens/grants_test.go

@@ -79,7 +79,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  globals.GlobalPrefix,
+						RoleScopeId:  globals.GlobalPrefix,
 						GrantStrings: []string{"ids=*;type=auth-token;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 					},
@@ -95,7 +95,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  org1.PublicId,
+						RoleScopeId:  org1.PublicId,
 						GrantStrings: []string{"ids=*;type=auth-token;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 					},

internal/daemon/controller/handlers/credentiallibraries/grants_test.go

@@ -58,7 +58,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  globals.GlobalPrefix,
+						RoleScopeId:  globals.GlobalPrefix,
 						GrantStrings: []string{"ids=*;type=credential-library;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
 					},
@@ -73,7 +73,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  org.GetPublicId(),
+						RoleScopeId:  org.GetPublicId(),
 						GrantStrings: []string{"ids=*;type=credential-library;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 					},

internal/daemon/controller/handlers/credentials/grants_test.go

@@ -78,7 +78,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  globals.GlobalPrefix,
+						RoleScopeId:  globals.GlobalPrefix,
 						GrantStrings: []string{"ids=*;type=credential;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
 					},
@@ -93,7 +93,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  org.PublicId,
+						RoleScopeId:  org.PublicId,
 						GrantStrings: []string{"ids=*;type=credential;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 					},
@@ -108,7 +108,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  proj.PublicId,
+						RoleScopeId:  proj.PublicId,
 						GrantStrings: []string{"ids=*;type=credential;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis},
 					},

internal/daemon/controller/handlers/credentialstores/grants_test.go

@@ -87,7 +87,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  globals.GlobalPrefix,
+						RoleScopeId:  globals.GlobalPrefix,
 						GrantStrings: []string{"ids=*;type=credential-store;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
 					},
@@ -103,7 +103,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  org.PublicId,
+						RoleScopeId:  org.PublicId,
 						GrantStrings: []string{"ids=*;type=credential-store;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 					},
@@ -118,7 +118,7 @@ func TestGrants_ReadActions(t *testing.T) {
 				},
 				rolesToCreate: []authtoken.TestRoleGrantsForToken{
 					{
-						RoleScopeID:  proj.PublicId,
+						RoleScopeId:  proj.PublicId,
 						GrantStrings: []string{"ids=*;type=credential-store;actions=list,read"},
 						GrantScopes:  []string{globals.GrantScopeThis},
 					},