Bug: fix groups in children scopes being filtered out by grants #5418

Merged
Merged
Changes from 1 commit
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
89225b8
add utility functions for grants tests
bosorawis Jan 8, 2025
927b634
use passed in scopeID to create user
bosorawis Jan 8, 2025
aeaf22a
add test for groups list
bosorawis Jan 8, 2025
17c6edf
groups: set ParentScopeId before FetchActionSetForId
bosorawis Jan 8, 2025
d2897b2
add comment to TestRoleGrantsForToken
bosorawis Jan 8, 2025
1d40da5
lint and ran make gen
bosorawis Jan 8, 2025
9168d10
fix import groups
bosorawis Jan 9, 2025
fd75702
add an additional test case
bosorawis Jan 9, 2025
255c49a
remove print
bosorawis Jan 10, 2025
8ebe8ee
changelog
bosorawis Jan 10, 2025
d7ce6f3
fix(alias): set parent scope id for alias resource (#5434)
elimt Jan 21, 2025
b4060fb
fix(worker): set parent scope id for worker resource (#5435)
elimt Jan 21, 2025
dd0c054
fix(user): children scopes being filtered out by grants for user (#5436)
elimt Jan 21, 2025
fafb367
fix(scope): set parent scope id for worker resource (#5439)
elimt Jan 21, 2025
2cea6ea
fix(target): set parent scope id for target resource (#5447)
elimt Jan 21, 2025
3968bf9
fix(roles): set parent scope id for roles resource (#5452)
elimt Jan 22, 2025
4e48003
test(managed-group): add grants test coverage (#5453)
elimt Jan 22, 2025
204d328
fix(host): set parent scope id for host resource (#5455)
elimt Jan 22, 2025
aa3bb04
fix(host-set): set parent scope id for host-set resource (#5456)
elimt Jan 22, 2025
5e74c69
fix(host-catalog): set parent scope id for host-catalog resource (#5457)
elimt Jan 22, 2025
65e9452
fix(credential-store): set parent scope id for credential-store resou…
elimt Jan 22, 2025
64bd692
fix(authmethods): set parent scope ID for auth methods resource (#5448)
bosorawis Jan 22, 2025
537ed18
fix(credential): set parent scope id for credential resource (#5459)
elimt Jan 22, 2025
8b75c1e
fix(accounts): bug grants filter children accounts (#5431)
bosorawis Jan 22, 2025
aa7f13d
fix(authtokens): set parent scope ID for auth token resource (#5451)
bosorawis Jan 22, 2025
aeaae55
fix(credential-libraries): set parent scope ID (#5463)
bosorawis Jan 22, 2025
72892f2
fix(common) set parent ID before fetching action setsparent ID before…
bosorawis Jan 23, 2025
09d75dc
Update CHANGELOG.md
bosorawis Jan 24, 2025
fix(alias): set parent scope id for alias resource (#5434)
set the `ParentScopeId` before fetching authorized actions for alias
elimt authored and bosorawis committed Jan 23, 2025
commit d7ce6f37c5b012a337f591c38b5947d046bec7ff
@@ -648,6 +648,7 @@ func newOutputOpts(ctx context.Context, item *target.Alias, scopeInfoMap map[str
}
res.Id = item.GetPublicId()
res.ScopeId = item.GetScopeId()
res.ParentScopeId = scopeInfoMap[item.GetScopeId()].GetParentScopeId()
authorizedActions := authResults.FetchActionSetForId(ctx, item.GetPublicId(), IdActions, auth.WithResource(&res))
if len(authorizedActions) == 0 {
return nil, false
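Review bot: The added `res.ParentScopeId` assignment silently yields an empty parent when `item.GetScopeId()` has no entry in `scopeInfoMap`: a `Get`-prefixed getter on a missing (nil) map value is presumably nil-safe, so nothing fails and a grant scoped to `children` of the real parent is then evaluated against "" and the item is dropped from the result with no signal. That is fail-closed, which is the right direction for an authorization filter, but it deserves a comment so the next reader does not mistake the omission for a bug: `// ParentScopeId lets "children" grants on the parent scope resolve for this item; a missing scopeInfoMap entry leaves it empty and the item is filtered out.` `newOutputOpts` begins and ends outside the hunk, so whether the caller guarantees the map covers every item's scope cannot be checked here.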
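--- /dev/null
+++ b/internal/daemon/controller/handlers/aliases/grants_test.go
@@ -0,0 +1,107 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package aliases_test
+
+import (
+"context"
+"testing"
+
+"github.com/hashicorp/boundary/globals"
+"github.com/hashicorp/boundary/internal/alias/target"
+"github.com/hashicorp/boundary/internal/authtoken"
+"github.com/hashicorp/boundary/internal/daemon/controller/auth"
+"github.com/hashicorp/boundary/internal/daemon/controller/handlers"
+"github.com/hashicorp/boundary/internal/daemon/controller/handlers/aliases"
+"github.com/hashicorp/boundary/internal/db"
+pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services"
+"github.com/hashicorp/boundary/internal/iam"
+"github.com/hashicorp/boundary/internal/kms"
+"github.com/stretchr/testify/require"
+"google.golang.org/grpc/codes"
+)
+
+// TestGrants_ReadActions tests read actions to assert that grants are being applied properly
+//
+// Role - which scope the role is created in
+// - global level
+// Scopes [resource]:
+// - globalAlias1 [globalAlias]
+// - globalAlias2 [globalAlias]
+func TestGrants_ReadActions(t *testing.T) {
+ctx := context.Background()
+conn, _ := db.TestSetup(t, "postgres")
+rw := db.New(conn)
+wrap := db.TestWrapper(t)
+kmsCache := kms.TestKms(t, conn, wrap)
+iamRepo := iam.TestRepo(t, conn, wrap)
+iamRepoFn := func() (*iam.Repository, error) {
+return iamRepo, nil
+}
+repoFn := func() (*target.Repository, error) {
+return target.NewRepository(ctx, rw, rw, kmsCache)
+}
+s, err := aliases.NewService(ctx, repoFn, iamRepoFn, 1000)
+require.NoError(t, err)
+globalAlias1 := target.TestAlias(t, rw, "test.alias.one", target.WithDescription("alias_1"), target.WithName("alias_one"))
+globalAlias2 := target.TestAlias(t, rw, "test.alias.two", target.WithDescription("alias_2"), target.WithName("alias_two"))
+t.Run("List", func(t *testing.T) {
+testcases := []struct {
+name string
+input *pbs.ListAliasesRequest
+rolesToCreate []authtoken.TestRoleGrantsForToken
+wantErr error
+wantIDs []string
+}{
+{
+name: "global role grant this returns all created aliases",
+input: &pbs.ListAliasesRequest{
+ScopeId: globals.GlobalPrefix,
+Recursive: true,
+},
+rolesToCreate: []authtoken.TestRoleGrantsForToken{
+{
+RoleScopeID: globals.GlobalPrefix,
+GrantStrings: []string{"ids=*;type=alias;actions=list,read"},
+GrantScopes: []string{globals.GrantScopeThis},
+},
+},
+wantErr: nil,
+wantIDs: []string{globalAlias1.PublicId, globalAlias2.PublicId},
+},
+{
+name: "global role grant this with a non-applicable type throws an error",
+input: &pbs.ListAliasesRequest{
+ScopeId: globals.GlobalPrefix,
+Recursive: true,
+},
+rolesToCreate: []authtoken.TestRoleGrantsForToken{
+{
+RoleScopeID: globals.GlobalPrefix,
+GrantStrings: []string{"ids=*;type=group;actions=list,read"},
+GrantScopes: []string{globals.GrantScopeThis},
+},
+},
+wantErr: handlers.ApiErrorWithCode(codes.PermissionDenied),
+},
+}
+
+for _, tc := range testcases {
+t.Run(tc.name, func(t *testing.T) {
+tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate)
+fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo)
+got, finalErr := s.ListAliases(fullGrantAuthCtx, tc.input)
+if tc.wantErr != nil {
+require.ErrorIs(t, finalErr, tc.wantErr)
+return
+}
+require.NoError(t, finalErr)
+var gotIDs []string
+for _, g := range got.Items {
+gotIDs = append(gotIDs, g.GetId())
+}
+require.ElementsMatch(t, tc.wantIDs, gotIDs)
+})
+}
+})
+}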
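Review bot: The grant strings include `read` but the test only ever calls `s.ListAliases`, so the single-item Get path (which presumably builds its response through the same `newOutputOpts` that now sets `ParentScopeId`) has no coverage here despite the function being named `TestGrants_ReadActions`; a Get subtest reusing `rolesToCreate` and asserting `require.Equal(t, globalAlias1.PublicId, got.GetItem().GetId())` would close that gap. Both aliases are created via `target.TestAlias` with no explicit scope and both roles use `GrantScopeThis` at global, so nothing exercises a `children` or `descendants` grant, which is the scenario the PR title describes; if aliases are global-only that is a reasonable limit, but the header comment should state it instead of listing `Scopes [resource]:` entries that are really aliases. Suggest replacing that block with `// Resources (all created in the global scope): globalAlias1, globalAlias2` and adding `// Aliases are global-only here, so no children/descendants grant case applies` if that is indeed the case.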