

fix(common) set parent ID before fetching action sets (#5467)

* fix(common) set parent ID before fetching action sets

* make gen

* additional test

* rename test

* more tests

* remove duplicate test

* make gen
bosorawis authored Jan 23, 2025
1 parent fe07774 commit bf4a4c3
Showing 2 changed files with 188 additions and 9 deletions.
1 change: 1 addition & 0 deletions internal/daemon/controller/common/scopeids/scope_ids.go
@@ -150,6 +150,7 @@ func GetListingResourceInformation(
for _, scp := range scps {
scpId := scp.GetPublicId()
res.ScopeId = scpId
res.ParentScopeId = scp.GetParentId()
aSet := input.AuthResults.FetchActionSetForType(ctx,
// This is overridden by WithResource
resource.Unknown,
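Review bot: The added `res.ParentScopeId = scp.GetParentId()` carries no comment explaining why it must precede `FetchActionSetForType`, even though the ordering is the whole fix: the action-set lookup presumably resolves grants held on the parent scope with the "children" grant scope from this field, so moving the assignment later would silently reintroduce the authorization gap the new tests exercise. A one-line comment such as `// ParentScopeId must be populated before the action set is fetched; "children" grants on the parent scope are resolved from it.` would protect the invariant. It is also worth confirming that every field of `res` that the action-set lookup reads is reassigned on each iteration, since a conditionally set field would carry over from the previous scope, but that depends on code outside the hunk. GetListingResourceInformation begins before this hunk.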
196 changes: 187 additions & 9 deletions internal/daemon/controller/handlers/users/grants_test.go
Expand Up @@ -11,6 +11,7 @@ import (
talias "github.com/hashicorp/boundary/internal/alias/target"
"github.com/hashicorp/boundary/internal/authtoken"
"github.com/hashicorp/boundary/internal/daemon/controller/auth"
"github.com/hashicorp/boundary/internal/daemon/controller/handlers"
"github.com/hashicorp/boundary/internal/daemon/controller/handlers/users"
"github.com/hashicorp/boundary/internal/db"
pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services"
@@ -59,14 +60,18 @@ func TestGrants_ReadActions(t *testing.T) {

t.Run("List", func(t *testing.T) {
testcases := []struct {
name string
input *pbs.ListUsersRequest
rolesToCreate []authtoken.TestRoleGrantsForToken
wantErr error
wantIDs []string
name string
input *pbs.ListUsersRequest
// set this flag when the listing user has permission to list global
// AND the test attempts to list users at global scope
// users which gets created as a part of token generation
includeTestUsers bool
rolesToCreate []authtoken.TestRoleGrantsForToken
wantErr error
wantIDs []string
}{
{
name: "global role grant this and children returns global and org users",
name: "global role grant this and children recursive list at global returns global and org users",
input: &pbs.ListUsersRequest{
ScopeId: globals.GlobalPrefix,
Recursive: true,
@@ -78,7 +83,8 @@ func TestGrants_ReadActions(t *testing.T) {
GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
},
},
wantErr: nil,
includeTestUsers: true,
wantErr: nil,
wantIDs: []string{
globals.AnyAuthenticatedUserId,
globals.AnonymousUserId,
@@ -90,11 +96,12 @@ func TestGrants_ReadActions(t *testing.T) {
},
},
{
name: "org role grant this and children returns org user",
name: "org role grant this and children recursive list at org returns org user",
input: &pbs.ListUsersRequest{
ScopeId: org2.PublicId,
Recursive: true,
},
includeTestUsers: false,
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: org2.PublicId,
@@ -108,11 +115,182 @@ func TestGrants_ReadActions(t *testing.T) {
org2User2.PublicId,
},
},
{
name: "global role grant children recursive list at org returns org user",
input: &pbs.ListUsersRequest{
ScopeId: org2.PublicId,
Recursive: true,
},
includeTestUsers: false,
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=user;actions=list,read"},
GrantScopes: []string{globals.GrantScopeChildren},
},
},
wantErr: nil,
wantIDs: []string{
org2User1.PublicId,
org2User2.PublicId,
},
},
{
name: "global role grant children recursive list at global returns all org users",
input: &pbs.ListUsersRequest{
ScopeId: globals.GlobalPrefix,
Recursive: true,
},
includeTestUsers: false,
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=user;actions=list,read"},
GrantScopes: []string{globals.GrantScopeChildren},
},
},
wantErr: nil,
wantIDs: []string{
org1User1.PublicId,
org2User1.PublicId,
org2User2.PublicId,
},
},
{
name: "org1 role grant this recursive list at global returns org1 users",
input: &pbs.ListUsersRequest{
ScopeId: globals.GlobalPrefix,
Recursive: true,
},
includeTestUsers: false,
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: org1.PublicId,
GrantStrings: []string{"ids=*;type=user;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis},
},
},
wantErr: nil,
wantIDs: []string{
org1User1.PublicId,
},
},
{
name: "individual org grant this recursive list at global returns org user",
input: &pbs.ListUsersRequest{
ScopeId: globals.GlobalPrefix,
Recursive: true,
},
includeTestUsers: false,
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: org1.PublicId,
GrantStrings: []string{"ids=*;type=user;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis},
},
{
RoleScopeID: org2.PublicId,
GrantStrings: []string{"ids=*;type=user;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis},
},
},
wantErr: nil,
wantIDs: []string{
org1User1.PublicId,
org2User1.PublicId,
org2User2.PublicId,
},
},
{
name: "global role grant this recursive list at org returns no user",
input: &pbs.ListUsersRequest{
ScopeId: org2.PublicId,
Recursive: true,
},
includeTestUsers: false,
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=user;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis},
},
},
wantErr: nil,
wantIDs: []string{},
},
{
name: "global role grant this recursive list at global returns only global user",
input: &pbs.ListUsersRequest{
ScopeId: globals.GlobalPrefix,
Recursive: true,
},
includeTestUsers: true,
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=user;actions=list,read"},
GrantScopes: []string{globals.GrantScopeThis},
},
},
wantErr: nil,
wantIDs: []string{
globals.AnyAuthenticatedUserId,
globals.AnonymousUserId,
globals.RecoveryUserId,
globalUser.PublicId,
},
},
{
name: "global role grant children non-recursive list at global returns forbidden error",
input: &pbs.ListUsersRequest{
ScopeId: globals.GlobalPrefix,
Recursive: false,
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: globals.GlobalPrefix,
GrantStrings: []string{"ids=*;type=user;actions=list,read"},
GrantScopes: []string{globals.GrantScopeChildren},
},
},
wantErr: handlers.ForbiddenError(),
wantIDs: nil,
},
{
name: "org role grant children non-recursive list at global returns forbidden error",
input: &pbs.ListUsersRequest{
ScopeId: globals.GlobalPrefix,
Recursive: false,
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{
{
RoleScopeID: org2.PublicId,
GrantStrings: []string{"ids=*;type=user;actions=list,read"},
GrantScopes: []string{globals.GrantScopeChildren},
},
},
wantErr: handlers.ForbiddenError(),
wantIDs: nil,
},
{
name: "no grant recursive list returns forbidden error",
input: &pbs.ListUsersRequest{
ScopeId: globals.GlobalPrefix,
Recursive: true,
},
rolesToCreate: []authtoken.TestRoleGrantsForToken{},
wantErr: handlers.ForbiddenError(),
wantIDs: nil,
},
}

for _, tc := range testcases {
t.Run(tc.name, func(t *testing.T) {
tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate)
t.Cleanup(func() {
// deleting user to keep assertions clean since we're listing users over and over
_, _ = iamRepo.DeleteUser(ctx, tok.IamUserId)
})
fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo)
got, finalErr := s.ListUsers(fullGrantAuthCtx, tc.input)
if tc.wantErr != nil {
@@ -121,7 +299,7 @@ func TestGrants_ReadActions(t *testing.T) {
}
require.NoError(t, finalErr)
var gotIDs []string
if tc.input.ScopeId == globals.GlobalPrefix {
if tc.includeTestUsers {
tc.wantIDs = append(tc.wantIDs, tok.IamUserId)
}
for _, g := range got.Items {
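Review bot: The new table has no negative cross-scope case for the parent-ID change: an org1 role with `GrantScopeThis` recursively listing at org2 should yield no org2 users (or a forbidden error), and without such a case a regression that resolves the parent scope too broadly would pass every test here, since the existing negative cases only use global roles or no grants. A case such as `name: "org1 role grant this recursive list at org2 returns no user"` with `ScopeId: org2.PublicId` and `wantIDs: []string{}` would close that gap. The comment on the `includeTestUsers` field is hard to parse; `// includeTestUsers is set when the caller may list at global scope, so the user created with the test token is expected in the result` states the same intent more directly. The `t.Cleanup` at the top of the loop body discards `DeleteUser`'s error with `_, _ =`; a leftover user would surface as a confusing extra ID in a later case, so reporting it with `t.Errorf` would make the cause visible. The enclosing test function and the assertion loop continue outside the hunk.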
