Bug: fix groups in children scopes being filtered out by grants #5418

89225b8
add utility functions for grants tests
bosorawis Jan 8, 2025
927b634
use passed in scopeID to create user
bosorawis Jan 8, 2025
aeaf22a
add test for groups list
bosorawis Jan 8, 2025
17c6edf
groups: set ParentScopeId before FetchActionSetForId
bosorawis Jan 8, 2025
d2897b2
add comment to TestRoleGrantsForToken
bosorawis Jan 8, 2025
1d40da5
lint and ran make gen
bosorawis Jan 8, 2025
9168d10
fix import groups
bosorawis Jan 9, 2025
fd75702
add an additional test case
bosorawis Jan 9, 2025
255c49a
remove print
bosorawis Jan 10, 2025
8ebe8ee
changelog
bosorawis Jan 10, 2025
d7ce6f3
fix(alias): set parent scope id for alias resource (#5434)
elimt Jan 21, 2025
b4060fb
fix(worker): set parent scope id for worker resource (#5435)
elimt Jan 21, 2025
dd0c054
fix(user): children scopes being filtered out by grants for user (#5436)
elimt Jan 21, 2025
fafb367
fix(scope): set parent scope id for worker resource (#5439)
elimt Jan 21, 2025
2cea6ea
fix(target): set parent scope id for target resource (#5447)
elimt Jan 21, 2025
3968bf9
fix(roles): set parent scope id for roles resource (#5452)
elimt Jan 22, 2025
4e48003
test(managed-group): add grants test coverage (#5453)
elimt Jan 22, 2025
204d328
fix(host): set parent scope id for host resource (#5455)
elimt Jan 22, 2025
aa3bb04
fix(host-set): set parent scope id for host-set resource (#5456)
elimt Jan 22, 2025
5e74c69
fix(host-catalog): set parent scope id for host-catalog resource (#5457)
elimt Jan 22, 2025
65e9452
fix(credential-store): set parent scope id for credential-store resou…
elimt Jan 22, 2025
64bd692
fix(authmethods): set parent scope ID for auth methods resource (#5448)
bosorawis Jan 22, 2025
537ed18
fix(credential): set parent scope id for credential resource (#5459)
elimt Jan 22, 2025
8b75c1e
fix(accounts): bug grants filter children accounts (#5431)
bosorawis Jan 22, 2025
aa7f13d
fix(authtokens): set parent scope ID for auth token resource (#5451)
bosorawis Jan 22, 2025
aeaae55
fix(credential-libraries): set parent scope ID (#5463)
bosorawis Jan 22, 2025
72892f2
fix(common) set parent ID before fetching action setsparent ID before…
bosorawis Jan 23, 2025
09d75dc
Update CHANGELOG.md
bosorawis Jan 24, 2025
fix(host-catalog): set parent scope id for host-catalog resource (#5457)
set the ParentScopeId before fetching authorized actions for host-catalog resource
elimt authored and bosorawis committed Jan 23, 2025
commit 5e74c6957c3488665f2e3bdc74169f805e44528d
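--- a/internal/daemon/controller/handlers/host_catalogs/grants_test.go
+++ b/internal/daemon/controller/handlers/host_catalogs/grants_test.go
@@ -0,0 +1,151 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package host_catalogs_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/hashicorp/boundary/globals"
+	"github.com/hashicorp/boundary/internal/authtoken"
+	"github.com/hashicorp/boundary/internal/daemon/controller/auth"
+	"github.com/hashicorp/boundary/internal/daemon/controller/handlers/host_catalogs"
+	"github.com/hashicorp/boundary/internal/db"
+	pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services"
+	"github.com/hashicorp/boundary/internal/host"
+	hostplugin "github.com/hashicorp/boundary/internal/host/plugin"
+	"github.com/hashicorp/boundary/internal/host/static"
+	"github.com/hashicorp/boundary/internal/iam"
+	"github.com/hashicorp/boundary/internal/kms"
+	"github.com/hashicorp/boundary/internal/plugin"
+	"github.com/hashicorp/boundary/internal/scheduler"
+	plgpb "github.com/hashicorp/boundary/sdk/pbs/plugin"
+	"github.com/stretchr/testify/require"
+)
+
+// TestGrants_ReadActions tests read actions to assert that grants are being applied properly
+//
+// Role - which scope the role is created in
+// - global level
+// - org level
+// - proj level
+// Grant - what IAM grant scope is set for the permission
+// - global: descendant
+// - org: children
+// - project: this
+// Scopes [resource]:
+// - global
+// - org1
+// - proj1
+func TestGrants_ReadActions(t *testing.T) {
+	ctx := context.Background()
+	conn, _ := db.TestSetup(t, "postgres")
+	wrap := db.TestWrapper(t)
+	rw := db.New(conn)
+	iamRepo := iam.TestRepo(t, conn, wrap)
+	kmsCache := kms.TestKms(t, conn, wrap)
+	sche := scheduler.TestScheduler(t, conn, wrap)
+	staticRepoFn := func() (*static.Repository, error) {
+		return static.NewRepository(ctx, rw, rw, kmsCache)
+	}
+	pluginHostRepoFn := func() (*hostplugin.Repository, error) {
+		return hostplugin.NewRepository(ctx, rw, rw, kmsCache, sche, map[string]plgpb.HostPluginServiceClient{})
+	}
+	pluginRepoFn := func() (*plugin.Repository, error) {
+		return plugin.NewRepository(ctx, rw, rw, kmsCache)
+	}
+	iamRepoFn := func() (*iam.Repository, error) {
+		return iam.TestRepo(t, conn, wrap), nil
+	}
+	catalogServiceFn := func() (*host.CatalogRepository, error) {
+		return host.NewCatalogRepository(ctx, rw, rw)
+	}
+	s, err := host_catalogs.NewService(ctx, staticRepoFn, pluginHostRepoFn, pluginRepoFn, iamRepoFn, catalogServiceFn, 1000)
+	require.NoError(t, err)
+
+	org, proj := iam.TestScopes(t, iamRepo)
+
+	hcs := static.TestCatalogs(t, conn, proj.GetPublicId(), 5)
+	var wantHcs []string
+	for _, h := range hcs {
+		wantHcs = append(wantHcs, h.GetPublicId())
+	}
+
+	t.Run("List", func(t *testing.T) {
+		testcases := []struct {
+			name          string
+			input         *pbs.ListHostCatalogsRequest
+			rolesToCreate []authtoken.TestRoleGrantsForToken
+			wantErr       error
+			wantIDs       []string
+		}{
+			{
+				name: "global role grant this returns all created host catalogs",
+				input: &pbs.ListHostCatalogsRequest{
+					ScopeId:   proj.GetPublicId(),
+					Recursive: true,
+				},
+				rolesToCreate: []authtoken.TestRoleGrantsForToken{
+					{
+						RoleScopeID:  globals.GlobalPrefix,
+						GrantStrings: []string{"ids=*;type=host-catalog;actions=list,read"},
+						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
+					},
+				},
+				wantErr: nil,
+				wantIDs: wantHcs,
+			},
+			{
+				name: "org role grant this returns all created host catalogs",
+				input: &pbs.ListHostCatalogsRequest{
+					ScopeId:   proj.GetPublicId(),
+					Recursive: true,
+				},
+				rolesToCreate: []authtoken.TestRoleGrantsForToken{
+					{
+						RoleScopeID:  org.PublicId,
+						GrantStrings: []string{"ids=*;type=host-catalog;actions=list,read"},
+						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
+					},
+				},
+				wantErr: nil,
+				wantIDs: wantHcs,
+			},
+			{
+				name: "project role grant this returns all created host catalogs",
+				input: &pbs.ListHostCatalogsRequest{
+					ScopeId:   proj.GetPublicId(),
+					Recursive: true,
+				},
+				rolesToCreate: []authtoken.TestRoleGrantsForToken{
+					{
+						RoleScopeID:  proj.PublicId,
+						GrantStrings: []string{"ids=*;type=host-catalog;actions=list,read"},
+						GrantScopes:  []string{globals.GrantScopeThis},
+					},
+				},
+				wantErr: nil,
+				wantIDs: wantHcs,
+			},
+		}
+
+		for _, tc := range testcases {
+			t.Run(tc.name, func(t *testing.T) {
+				tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate)
+				fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo)
+				got, finalErr := s.ListHostCatalogs(fullGrantAuthCtx, tc.input)
+				if tc.wantErr != nil {
+					require.ErrorIs(t, finalErr, tc.wantErr)
+					return
+				}
+				require.NoError(t, finalErr)
+				var gotIDs []string
+				for _, g := range got.Items {
+					gotIDs = append(gotIDs, g.GetId())
+				}
+				require.ElementsMatch(t, tc.wantIDs, gotIDs)
+			})
+		}
+	})
+}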
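Review bot: Every case in the List table expects the full set of five catalogs, so nothing here shows a grant that must NOT reach the project, and the `wantErr` branch inside the loop is dead because no case sets it. The defect this series fixes is that a `children` grant on an org role lost project resources while ParentScopeId was unset; the adjacent boundary — an org-scoped role carrying only `GrantScopeThis` — must still return nothing, and a case pinning that would catch a regression that over-grants rather than under-grants (if the handler surfaces a permission error instead of an empty page for a recursive list with no matching scopes, set `wantErr` to it rather than `wantIDs: nil`). The test name and doc comment promise read actions but only ListHostCatalogs is exercised; either add a Get case or narrow the comment to `// TestGrants_ReadActions tests list actions to assert that grants are being applied properly`. A negative case would look like the following, appended to the table.
```go
{
	name: "org role grant this only does not return project host catalogs",
	input: &pbs.ListHostCatalogsRequest{
		ScopeId:   proj.GetPublicId(),
		Recursive: true,
	},
	rolesToCreate: []authtoken.TestRoleGrantsForToken{
		{
			RoleScopeID:  org.PublicId,
			GrantStrings: []string{"ids=*;type=host-catalog;actions=list,read"},
			GrantScopes:  []string{globals.GrantScopeThis},
		},
	},
	wantErr: nil,
	wantIDs: nil,
},
```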
Expand Up @@ -775,9 +775,10 @@ func newOutputOpts(
pluginMap map[string]*plugin.Plugin,
) ([]handlers.Option, bool, error) {
res := perms.Resource{
Type: resource.HostCatalog,
Id: item.GetPublicId(),
ScopeId: item.GetProjectId(),
Type: resource.HostCatalog,
Id: item.GetPublicId(),
ScopeId: item.GetProjectId(),
ParentScopeId: scopeInfoMap[item.GetProjectId()].GetParentScopeId(),
}
authorizedActions := authResults.FetchActionSetForId(ctx, item.GetPublicId(), IdActions, auth.WithResource(&res)).Strings()
if len(authorizedActions) == 0 {
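Review bot: The new `ParentScopeId: scopeInfoMap[item.GetProjectId()].GetParentScopeId()` line indexes the map without checking that the catalog's project is present; on a missing key the zero value comes back and, if the element type is a proto pointer with nil-safe getters, ParentScopeId silently becomes `""`, so a `children` grant from the org fails closed with no signal (and with a non-nil-safe element type it would panic instead). That is a denial rather than an over-grant, but it is exactly the symptom this series is fixing and would be indistinguishable from it in the field. Prefer an explicit lookup: `scopeInfo, ok := scopeInfoMap[item.GetProjectId()]` / `if !ok { return nil, false, <error in the style newOutputOpts already uses> }` / `ParentScopeId: scopeInfo.GetParentScopeId(),`. newOutputOpts' signature begins above the hunk and its body continues below it, so the error form and the meaning of the bool result are not visible here.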