Bug: fix groups in children scopes being filtered out by grants #5418

89225b8
add utility functions for grants tests
bosorawis Jan 8, 2025
927b634
use passed in scopeID to create user
bosorawis Jan 8, 2025
aeaf22a
add test for groups list
bosorawis Jan 8, 2025
17c6edf
groups: set ParentScopeId before FetchActionSetForId
bosorawis Jan 8, 2025
d2897b2
add comment to TestRoleGrantsForToken
bosorawis Jan 8, 2025
1d40da5
lint and ran make gen
bosorawis Jan 8, 2025
9168d10
fix import groups
bosorawis Jan 9, 2025
fd75702
add an additional test case
bosorawis Jan 9, 2025
255c49a
remove print
bosorawis Jan 10, 2025
8ebe8ee
changelog
bosorawis Jan 10, 2025
d7ce6f3
fix(alias): set parent scope id for alias resource (#5434)
elimt Jan 21, 2025
b4060fb
fix(worker): set parent scope id for worker resource (#5435)
elimt Jan 21, 2025
dd0c054
fix(user): children scopes being filtered out by grants for user (#5436)
elimt Jan 21, 2025
fafb367
fix(scope): set parent scope id for worker resource (#5439)
elimt Jan 21, 2025
2cea6ea
fix(target): set parent scope id for target resource (#5447)
elimt Jan 21, 2025
3968bf9
fix(roles): set parent scope id for roles resource (#5452)
elimt Jan 22, 2025
4e48003
test(managed-group): add grants test coverage (#5453)
elimt Jan 22, 2025
204d328
fix(host): set parent scope id for host resource (#5455)
elimt Jan 22, 2025
aa3bb04
fix(host-set): set parent scope id for host-set resource (#5456)
elimt Jan 22, 2025
5e74c69
fix(host-catalog): set parent scope id for host-catalog resource (#5457)
elimt Jan 22, 2025
65e9452
fix(credential-store): set parent scope id for credential-store resou…
elimt Jan 22, 2025
64bd692
fix(authmethods): set parent scope ID for auth methods resource (#5448)
bosorawis Jan 22, 2025
537ed18
fix(credential): set parent scope id for credential resource (#5459)
elimt Jan 22, 2025
8b75c1e
fix(accounts): bug grants filter children accounts (#5431)
bosorawis Jan 22, 2025
aa7f13d
fix(authtokens): set parent scope ID for auth token resource (#5451)
bosorawis Jan 22, 2025
aeaae55
fix(credential-libraries): set parent scope ID (#5463)
bosorawis Jan 22, 2025
72892f2
fix(common) set parent ID before fetching action setsparent ID before…
bosorawis Jan 23, 2025
09d75dc
Update CHANGELOG.md
bosorawis Jan 24, 2025
fix(authtokens): set parent scope ID for auth token resource (#5451)
* fix authtokens not passing children scope ID

* make gen
bosorawis committed Jan 23, 2025
commit aa7f13d4aaa5bab5eece4cb16b96eece6b6a3d05
@@ -457,6 +457,8 @@ func newOutputOpts(ctx context.Context, item *authtoken.AuthToken, scopeInfoMap
}
res.Id = item.GetPublicId()
res.ScopeId = item.GetScopeId()
res.ParentScopeId = scopeInfoMap[item.GetScopeId()].GetParentScopeId()

authorizedActions := authResults.FetchActionSetForId(ctx, item.GetPublicId(), IdActions, auth.WithResource(&res))
if len(authorizedActions) == 0 {
return nil, false
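--- a/internal/daemon/controller/handlers/authtokens/grants_test.go
+++ b/internal/daemon/controller/handlers/authtokens/grants_test.go
@@ -0,0 +1,130 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package authtokens_test
+
+import (
+"context"
+"fmt"
+"testing"
+
+"github.com/hashicorp/boundary/globals"
+"github.com/hashicorp/boundary/internal/authtoken"
+"github.com/hashicorp/boundary/internal/daemon/controller/auth"
+at "github.com/hashicorp/boundary/internal/daemon/controller/handlers/authtokens"
+"github.com/hashicorp/boundary/internal/db"
+pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services"
+"github.com/hashicorp/boundary/internal/iam"
+"github.com/hashicorp/boundary/internal/kms"
+"github.com/stretchr/testify/require"
+)
+
+// TestGrants_ReadActions tests read actions to assert that grants are being applied properly
+//
+// Role - which scope the role is created in
+// - global level
+// - org level
+// - project level
+// Grant - what IAM grant scope is set for the permission
+// - global: descendant
+// - org: children
+// - project
+// Scopes [resource]:
+// - global [globalGroup]
+// - org1 [org1Group]
+// - proj1 [proj1Group]
+// - org2 [org2Group]
+// - proj2 [proj2Group]
+// - proj3 [proj3Group]
+func TestGrants_ReadActions(t *testing.T) {
+ctx := context.Background()
+conn, _ := db.TestSetup(t, "postgres")
+rw := db.New(conn)
+wrap := db.TestWrapper(t)
+iamRepo := iam.TestRepo(t, conn, wrap)
+
+iamRepoFn := func() (*iam.Repository, error) {
+return iamRepo, nil
+}
+kmsCache := kms.TestKms(t, conn, wrap)
+
+atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache)
+require.NoError(t, err)
+atRepoFn := func() (*authtoken.Repository, error) { return atRepo, nil }
+
+s, err := at.NewService(ctx, atRepoFn, iamRepoFn, 1000)
+
+require.NoError(t, err)
+
+org1, _ := iam.TestScopes(t, iamRepo)
+org2, _ := iam.TestScopes(t, iamRepo)
+
+globalAT := authtoken.TestAuthToken(t, conn, kmsCache, globals.GlobalPrefix)
+org1AT := authtoken.TestAuthToken(t, conn, kmsCache, org1.GetPublicId())
+org2AT := authtoken.TestAuthToken(t, conn, kmsCache, org2.GetPublicId())
+
+t.Run("List", func(t *testing.T) {
+testcases := []struct {
+name string
+input *pbs.ListAuthTokensRequest
+rolesToCreate []authtoken.TestRoleGrantsForToken
+wantErr error
+wantIDs []string
+}{
+{
+name: "global role grant this and children returns global and org groups",
+input: &pbs.ListAuthTokensRequest{
+ScopeId: globals.GlobalPrefix,
+Recursive: true,
+},
+rolesToCreate: []authtoken.TestRoleGrantsForToken{
+{
+RoleScopeID: globals.GlobalPrefix,
+GrantStrings: []string{"ids=*;type=auth-token;actions=list,read"},
+GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
+},
+},
+wantErr: nil,
+wantIDs: []string{globalAT.PublicId, org1AT.PublicId, org2AT.PublicId},
+},
+{
+name: "org role grant this and children returns org groups",
+input: &pbs.ListAuthTokensRequest{
+ScopeId: org1.PublicId,
+Recursive: true,
+},
+rolesToCreate: []authtoken.TestRoleGrantsForToken{
+{
+RoleScopeID: org1.PublicId,
+GrantStrings: []string{"ids=*;type=auth-token;actions=list,read"},
+GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
+},
+},
+wantErr: nil,
+wantIDs: []string{org1AT.PublicId},
+},
+}
+
+for _, tc := range testcases {
+t.Run(tc.name, func(t *testing.T) {
+tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate)
+fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo)
+got, finalErr := s.ListAuthTokens(fullGrantAuthCtx, tc.input)
+if tc.wantErr != nil {
+require.ErrorIs(t, finalErr, tc.wantErr)
+return
+}
+require.NoError(t, finalErr)
+var gotIDs []string
+for _, g := range got.Items {
+fmt.Println("ID:", g.GetId(), "Scope:", g.GetScopeId())
+gotIDs = append(gotIDs, g.GetId())
+}
+
+for _, id := range tc.wantIDs {
+require.Contains(t, gotIDs, id)
+}
+})
+}
+})
+}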
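Review bot: The assertions at the end of the subtest only check that each wanted ID is present, so an over-permissive listing — for example the org1-scoped role case also returning `org2AT` or `globalAT` — would still pass, which is exactly the regression a grants test for scope filtering should catch. Add a negative expectation per case (a `wantAbsentIDs []string` field, set to `{globalAT.PublicId, org2AT.PublicId}` for the org1 case) and assert it with `require.NotContains`; an exact `require.ElementsMatch` is presumably not usable here because the requesting token created by `TestAuthTokenWithRoles` in the global scope is likely itself listed in the global case — confirm before tightening further. The `fmt.Println("ID:", ...)` line inside the loop over `got.Items` is leftover debug output and should be removed together with the now-unused `fmt` import. The case names and the doc comment still refer to "groups" although the resource under test is auth tokens.
```go
testcases := []struct {
	name          string
	input         *pbs.ListAuthTokensRequest
	rolesToCreate []authtoken.TestRoleGrantsForToken
	wantErr       error
	wantIDs       []string
	wantAbsentIDs []string // must not be listed; proves the grant scope filter is applied
}{
	{
		name: "global role grant this and children returns global and org auth tokens",
		// … unchanged: input, rolesToCreate, wantErr …
		wantIDs: []string{globalAT.PublicId, org1AT.PublicId, org2AT.PublicId},
	},
	{
		name: "org role grant this and children returns org auth tokens",
		// … unchanged: input, rolesToCreate, wantErr …
		wantIDs:       []string{org1AT.PublicId},
		wantAbsentIDs: []string{globalAT.PublicId, org2AT.PublicId},
	},
}
// … unchanged: subtest setup and ListAuthTokens call …
var gotIDs []string
for _, g := range got.Items {
	gotIDs = append(gotIDs, g.GetId())
}
for _, id := range tc.wantIDs {
	require.Contains(t, gotIDs, id)
}
for _, id := range tc.wantAbsentIDs {
	require.NotContains(t, gotIDs, id)
}
```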