test(grants): GrantsForUsers tests for Group resource #5443
Conversation
dkanney
force-pushed
the
dkanney-test-grants-for-user-group-associations
branch
3 times, most recently
from
6bdc21d to
34114df
Compare
| repo := iam.TestRepo(t, conn, wrap) | ||
| kmsCache := kms.TestKms(t, conn, wrap) | ||
|
|
||
| grant := "ids=*;type=*;actions=*" |
There was a problem hiding this comment.
For the grant, if we're testing against the groups resource, we should set set the grant to look like ids=*;type=group;actions=*.
There was a problem hiding this comment.
I also think we should have multiple grants and multiple roles so we can have multiple grantTuples and assert it's what we expect
There was a problem hiding this comment.
Updated these tests to only test against the Groups resource
| res: perms.Resource{ | ||
| ScopeId: directGrantProj1a.PublicId, | ||
| Id: "cs_abcd1234", | ||
| Type: resource.Credential, |
There was a problem hiding this comment.
Do we hae dedicated tests for Groups resource
There was a problem hiding this comment.
We also have tests against the Groups resource here: Test_MarshalingAndCloning
dkanney
force-pushed
the
dkanney-test-grants-for-user-group-associations
branch
from
34114df to
79b9462
Compare
dkanney
force-pushed
the
dkanney-test-grants-for-user-group-associations
branch
3 times, most recently
from
e7cb846 to
0b6ee1a
Compare
dkanney
changed the title
| directGrantOrg1, directGrantProj1a, directGrantProj1b := iam.SetupDirectGrantScopes(t, conn, repo) | ||
| directGrantOrg1Role := iam.TestRole(t, conn, directGrantOrg1.PublicId) | ||
| iam.TestUserRole(t, conn, directGrantOrg1Role.PublicId, user.PublicId) | ||
| directGrantOrg1RoleGrant1 := "ids=*;type=group;actions=*" |
There was a problem hiding this comment.
does this direct association only test group resource? The title of the test just says TestGrantsForUser_DirectAssociation and the grantString is has type set to "ids=*;type=group;actions=*". When we want to test other resource, are you going to use the same test which builds a grantString for each resource or will they be separated?
There was a problem hiding this comment.
Yes - only the group resource for now. This function should probably be renamed to something Group-specific if we don't plan on adding subtests for the other differently scoped resources (e.g. Auth Methods, Targets).
I figured we could create a separate function for each differently scoped resource since the scope combinations and actions will be different. For instance - Auth Methods apply to global and org scopes only, so we don't need to setup any project scopes like we do here.
| RoleScopeId: directGrantOrg1.PublicId, | ||
| RoleParentScopeId: scope.Global.String(), | ||
| GrantScopeIds: globals.GrantScopeThis, | ||
| Grants: strings.Join([]string{directGrantOrg1RoleGrant1, directGrantOrg1RoleGrant2}, "^"), |
There was a problem hiding this comment.
It looks like ^ is used as a delimiter to split grant strings/grant scope ids.
The grantsForUser query pulls in multiple grant strings/grant scope ids, aggregating them into a single string using ^ as a delimiter. In the code, we use strings.Split(..., "^") to split grant strings/grant scope ids into atomic pieces.
| iam.WithGrantScopeIds([]string{ | ||
| globals.GrantScopeChildren, | ||
| })) | ||
| iam.TestUserRole(t, conn, childGrantGlobalRole.PublicId, globals.AnyAuthenticatedUserId) |
There was a problem hiding this comment.
Why not set the userId here instead of assigning the role to u_auth?
There was a problem hiding this comment.
Oof, I didn't notice I was assigning u_auth to the role here instead of the test user I created.
Pushed a change to use user.PublicId instead of u_auth
| Grants: childGrantGlobalRoleGrant, | ||
| }, | ||
| } | ||
| for i, tuple := range expMultiGrantTuples { |
There was a problem hiding this comment.
Do we assign any roles to a different user to user it does not get returned?
There was a problem hiding this comment.
I realized that did not make sense. I mean do we assign roles to a different user to ensure the only the grants for that 1 particular user gets returned?
In other words, how do we ensure do we have other non-applicable grants that are created but should not be returned because they are not applicable to the user
There was a problem hiding this comment.
That's a good test case - I'll add another user with different grants to each test
dkanney
force-pushed
the
dkanney-test-grants-for-user-group-associations
branch
from
0b6ee1a to
884f33a
Compare
Goal: Write direct & indirect tests for the GrantsForUser function against the Group resource
I created one test for each case: one direct test, one group test, and one managed group test (performed via OIDC). All tests contain grants against the Group resource (and its associated actions)