test: add tests for authorized-action (#893)

internal/tests/cli/boundary/_authorized_actions.bash

@@ -0,0 +1,8 @@
+function has_authorized_action() {
+  # accepts the output of a read on a arbitrary resource that has authorized_actions in its
+  # output and the action to expect in the list as the second argument:
+  #    has_authorized_action $out authorize-session
+  local out=$1
+  local action=$2
+  echo $out | jq -c ".authorized_actions | contains([\"$action\"])"
+}

internal/tests/cli/boundary/_groups.bash

@@ -1,9 +1,11 @@
+load _authorized_actions
+
 function create_group() {
   boundary groups create -scope-id global -name $1 -description 'test group'
 }
 
 function read_group() {
-  boundary groups read -id $1
+  boundary groups read -id $1 -format json
 }
 
 function delete_group() {
@@ -39,3 +41,16 @@ function group_has_member_id() {
   done
   return 1 
 }
+
+function has_default_group_actions() {
+  # tests that the group resource contains default actions
+  local out=$1
+  local actions=('read' 'update' 'delete' 'add-members' 'set-members' 'remove-members')
+
+  for action in ${actions[@]}; do
+    $(has_authorized_action "$out" "$action") || {
+      echo "failed to find $action action in output: $out"
+      return 1
+    } 
+  done
+}

internal/tests/cli/boundary/_host_catalogs.bash

@@ -1,3 +1,5 @@
+load _authorized_actions
+
 function create_host_catalog() {
   local name=$1
   local sid=$2
@@ -9,7 +11,7 @@ function create_host_catalog() {
 }
 
 function read_host_catalog() {
-  boundary host-catalogs read -id $1
+  boundary host-catalogs read -id $1 -format json
 }
 
 function delete_host_catalog() {
@@ -25,3 +27,15 @@ function host_catalog_id() {
   local sid=$2
   strip $(list_host_catalogs $sid | jq -c ".[] | select(.name | contains(\"$id\")) | .[\"id\"]")
 }
+
+function has_default_host_catalog_actions() {
+  local out=$1
+  local actions=('read' 'update' 'delete')
+
+  for action in ${actions[@]}; do
+    $(has_authorized_action "$out" "$action") || {
+      echo "failed to find $action action in output: $out"
+      return 1 
+    } 
+  done
+}

internal/tests/cli/boundary/_host_sets.bash

@@ -1,3 +1,5 @@
+load _authorized_actions
+
 function create_host_set() {
   local hcid=$1
   local name=$2
@@ -47,3 +49,15 @@ function host_set_has_host_id() {
   done
   return 1 
 }
+
+function has_default_host_set_actions() {
+  local out=$1
+  local actions=('read' 'update' 'delete' 'add-hosts' 'set-hosts' 'remove-hosts')
+
+  for action in ${actions[@]}; do
+    $(has_authorized_action "$out" "$action") || {
+      echo "failed to find $action action in output: $out"
+      return 1 
+    } 
+  done
+}

internal/tests/cli/boundary/_hosts.bash

@@ -1,3 +1,5 @@
+load _authorized_actions
+
 function create_host() {
   local name=$1
   local hcid=$2
@@ -10,7 +12,7 @@ function create_host() {
 }
 
 function read_host() {
-  boundary hosts read -id $1
+  boundary hosts read -id $1 -format json
 }
 
 function delete_host() {
@@ -27,3 +29,15 @@ function host_id() {
   
   strip $(list_hosts $hcid | jq -c ".[] | select(.name | contains(\"$name\")) | .[\"id\"]")
 }
+
+function has_default_host_actions() {
+  local out=$1
+  local actions=('read' 'update' 'delete')
+
+  for action in ${actions[@]}; do
+    $(has_authorized_action "$out" "$action") || {
+      echo "failed to find $action action in output: $out"
+      return 1 
+    } 
+  done
+}

internal/tests/cli/boundary/_roles.bash

@@ -1,3 +1,5 @@
+load _authorized_actions
+
 function create_role() {
   local sid=$1
   local name=$2
@@ -89,3 +91,15 @@ function role_has_grant() {
   done
   return 1 
 }
+
+function has_default_role_actions() {
+  local out=$1
+  local actions=('read' 'update' 'delete' 'add-principals' 'set-principals' 'remove-principals' 'add-grants' 'set-grants' 'remove-grants')
+
+  for action in ${actions[@]}; do
+    $(has_authorized_action "$out" "$action") || {
+      echo "failed to find $action action in output: $out"
+      return 1 
+    } 
+  done
+}

internal/tests/cli/boundary/_scopes.bash

@@ -1,3 +1,5 @@
+load _authorized_actions
+
 function create_scope() {
   local parent=$1
   local name=$2
@@ -27,3 +29,15 @@ function scope_id() {
   
   strip $(list_scopes $sid | jq -c ".[] | select(.name | contains(\"$name\")) | .[\"id\"]")
 }
+
+function has_default_scope_actions() {
+  local out=$1
+  local actions=('read' 'update' 'delete')
+
+  for action in ${actions[@]}; do
+    $(has_authorized_action "$out" "$action") || {
+      echo "failed to find $action action in output: $out"
+      return 1 
+    } 
+  done
+}

internal/tests/cli/boundary/_targets.bash

@@ -1,3 +1,5 @@
+load _authorized_actions
+
 export TGT_NAME='test'
 
 function create_tcp_target() {
@@ -12,7 +14,7 @@ function create_tcp_target() {
 }
 
 function read_target() {
-  boundary targets read -id $1
+  boundary targets read -id $1 -format json
 }
 
 function delete_target() {
@@ -52,3 +54,15 @@ function target_has_host_set_id() {
   done
   return 1 
 }
+
+function has_default_target_actions() {
+  local out=$1
+  local actions=('read' 'update' 'delete' 'add-host-sets' 'set-host-sets' 'remove-host-sets' 'authorize-session')
+
+  for action in ${actions[@]}; do
+    $(has_authorized_action "$out" "$action") || {
+      echo "failed to find $action action in output: $out"
+      return 1 
+    } 
+  done
+}

internal/tests/cli/boundary/_users.bash

@@ -1,9 +1,11 @@
+load _authorized_actions
+
 function create_user() {
   boundary users create -scope-id global -name $1 -description 'test user'
 }
 
 function read_user() {
-  boundary users read -id $1
+  boundary users read -id $1 -format json
 }
 
 function delete_user() {
@@ -18,6 +20,19 @@ function assoc_user_acct() {
   boundary users add-accounts -account $1 -id $2
 }
 
+function has_default_user_actions() {
+  # tests that the user resource contains default actions
+  local out=$1
+  local actions=('read' 'update' 'delete' 'add-accounts' 'set-accounts' 'remove-accounts')
+
+  for action in ${actions[@]}; do
+    $(has_authorized_action "$out" "$action") || {
+      echo "failed to find $action action in output: $out"
+      return 1 
+    } 
+  done
+}
+
 function user_id() {
   local user=$1
   strip $(list_users | jq -c ".[] | select(.name | contains(\"$user\")) | .[\"id\"]")

internal/tests/cli/boundary/groups.bats

@@ -32,6 +32,15 @@ export NEW_GROUP='test'
 	[ "$status" -eq 0 ]
 }
 
+@test "boundary/groups: the $NEW_GROUP group contains default authorized-actions" {
+  local gid=$(group_id $NEW_GROUP)
+  local out=$(read_group $gid)
+
+	run has_default_group_actions "$out" 
+  echo "$output"
+	[ "$status" -eq 0 ]
+}
+
 @test "boundary/group/add-members: can associate $NEW_GROUP group with default user" {	
   local gid=$(group_id $NEW_GROUP)
   run assoc_group_acct 'u_1234567890' $gid

internal/tests/cli/boundary/host_catalogs.bats

@@ -12,40 +12,49 @@ export NEW_HOST_CATALOG='test'
   [ "$status" -eq 0 ]
 }
 
-@test "boundary/hosts-catalogs: can create $NEW_HOST_CATALOG host catalog in default project scope" {
+@test "boundary/host-catalogs: can create $NEW_HOST_CATALOG host catalog in default project scope" {
 	run create_host_catalog $NEW_HOST_CATALOG $DEFAULT_P_ID
   echo "$output"
 	[ "$status" -eq 0 ]
 }
 
-@test "boundary/hosts: can not create already created $NEW_HOST_CATALOG host catalog in default project scope" {
+@test "boundary/host-catalogs: can not create already created $NEW_HOST_CATALOG host catalog in default project scope" {
 	run create_host_catalog $NEW_HOST_CATALOG
   echo "$output"
 	[ "$status" -eq 1 ]
 }
 
-@test "boundary/hosts: can read $NEW_HOST_CATALOG host catalog in default project scope" {
+@test "boundary/host-catalogs: can read $NEW_HOST_CATALOG host catalog in default project scope" {
   local hid=$(host_catalog_id $NEW_HOST_CATALOG $DEFAULT_P_ID)
 	run read_host_catalog $hid
   echo "$output"
 	[ "$status" -eq 0 ]
 }
 
-@test "boundary/host: can delete $NEW_HOST_CATALOG host in default project scope" {
+@test "boundary/host-catalogs: the $NEW_HOST_CATALOG host catalog contains default authorized-actions" {
+  local hid=$(host_catalog_id $NEW_HOST_CATALOG $DEFAULT_P_ID)
+  local out=$(read_host_catalog $hid)
+
+	run has_default_host_catalog_actions "$out" 
+  echo "$output"
+	[ "$status" -eq 0 ]
+}
+
+@test "boundary/host-catalogs: can delete $NEW_HOST_CATALOG host in default project scope" {
   local hid=$(host_catalog_id $NEW_HOST_CATALOG $DEFAULT_P_ID)
   run delete_host_catalog $hid 
   echo "$output"
   [ "$status" -eq 0 ]
 }
 
-@test "boundary/host: can not delete already deleted $NEW_HOST_CATALOG host in default project scope" {
+@test "boundary/host-catalogs: can not delete already deleted $NEW_HOST_CATALOG host in default project scope" {
   local hid=$(host_catalog_id $NEW_HOST_CATALOG $DEFAULT_P_ID)
   run delete_host_catalog $hid 
   echo "$output"
   [ "$status" -eq 1 ]
 }
 
-@test "boundary/hosts: can not read deleted $NEW_HOST_CATALOG host in default project scope" {
+@test "boundary/host-catalogs: can not read deleted $NEW_HOST_CATALOG host in default project scope" {
   local hid=$(host_catalog_id $NEW_HOST_CATALOG $DEFAULT_P_ID)
 	run read_host_catalog $hid
   echo "$output"

internal/tests/cli/boundary/host_sets.bats

@@ -31,6 +31,15 @@ export NEW_HOST_SET='test'
 	[ "$status" -eq 0 ]
 }
 
+@test "boundary/host-sets: the $NEW_HOST_SET host set contains default authorized-actions" {
+  local hsid=$(host_set_id $NEW_HOST_SET $DEFAULT_HOST_CATALOG)
+  local out=$(read_host_set $hsid)
+
+	run has_default_host_set_actions "$out" 
+  echo "$output"
+	[ "$status" -eq 0 ]
+}
+
 @test "boundary/host-set/add-host: can associate $NEW_HOST_SET host set with default host" {	
   local hsid=$(host_set_id $NEW_HOST_SET $DEFAULT_HOST_CATALOG)
   run assoc_host_set_host $DEFAULT_HOST $hsid

internal/tests/cli/boundary/hosts.bats

@@ -31,6 +31,15 @@ export NEW_HOST='test'
 	[ "$status" -eq 0 ]
 }
 
+@test "boundary/hosts: the $NEW_HOST host contains default authorized-actions" {
+  local hid=$(host_id $NEW_HOST $DEFAULT_HOST_CATALOG)
+  local out=$(read_host $hid)
+
+	run has_default_host_actions "$out" 
+  echo "$output"
+	[ "$status" -eq 0 ]
+}
+
 @test "boundary/host: can delete $NEW_HOST host" {
   local hid=$(host_id $NEW_HOST $DEFAULT_HOST_CATALOG)
   run delete_host $hid 

internal/tests/cli/boundary/roles.bats

@@ -28,12 +28,20 @@ export NEW_GRANT='id=*;type=*;actions=create,read,update,delete,list'
 
 @test "boundary/roles: can read $NEW_ROLE role" {
   local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
-  echo "rid $rid"
 	run read_role $rid
   echo "$output"
 	[ "$status" -eq 0 ]
 }
 
+@test "boundary/roles: the $NEW_ROLE role contains default authorized-actions" {
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+  local out=$(read_role $rid)
+
+	run has_default_role_actions "$out" 
+  echo "$output"
+	[ "$status" -eq 0 ]
+}
+
 @test "boundary/role/add-principals: can associate $NEW_ROLE role with default principal" {	
   local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
   run assoc_role_principal $DEFAULT_USER $rid

internal/tests/cli/boundary/scopes.bats

@@ -4,8 +4,8 @@ load _auth
 load _scopes
 load _helpers
 
-export NEW_PROJECT='test_project'
 export NEW_ORG='test_org'
+export NEW_PROJECT='test_project'
 
 @test "boundary/login: can login as default user" {
   run login $DEFAULT_LOGIN
@@ -25,6 +25,15 @@ export NEW_ORG='test_org'
 	[ "$status" -eq 0 ]
 }
 
+@test "boundary/scopes: the $NEW_ORG scope contains default org authorized-actions" {
+  local sid=$(scope_id $NEW_ORG $DEFAULT_GLOBAL)
+  local out=$(read_scope $sid)
+
+	run has_default_scope_actions "$out" 
+  echo "$output"
+	[ "$status" -eq 0 ]
+}
+
 @test "boundary/scopes: can create $NEW_PROJECT project level scope" {
   local parent=$(scope_id $NEW_ORG $DEFAULT_GLOBAL)
 	run create_scope $parent $NEW_PROJECT
@@ -40,6 +49,16 @@ export NEW_ORG='test_org'
 	[ "$status" -eq 0 ]
 }
 
+@test "boundary/scopes: the $NEW_PROJECT scope contains default project authorized-actions" {
+  local parent=$(scope_id $NEW_ORG $DEFAULT_GLOBAL)
+  local sid=$(scope_id $NEW_PROJECT $parent)
+  local out=$(read_scope $sid)
+
+	run has_default_scope_actions "$out" 
+  echo "$output"
+	[ "$status" -eq 0 ]
+}
+
 @test "boundary/scopes: can delete $NEW_PROJECT project level scope" {
   local parent=$(scope_id $NEW_ORG $DEFAULT_GLOBAL)
   local sid=$(scope_id $NEW_PROJECT $parent)

internal/tests/cli/boundary/target.bats

@@ -33,6 +33,15 @@ load _helpers
   [ "$status" -eq 0 ]
 }
 
+@test "boundary/target: the $TGT_NAME target contains default authorized-actions" {
+  local id=$(target_id $DEFAULT_P_ID $TGT_NAME)
+  local out=$(read_target $id)
+
+	run has_default_target_actions "$out" 
+  echo "$output"
+	[ "$status" -eq 0 ]
+}
+
 @test "boundary/target: default user can add default host set to created target" {
   local id=$(target_id $DEFAULT_P_ID $TGT_NAME)
   run assoc_host_sets $id $DEFAULT_HOST_SET  

internal/tests/cli/boundary/user.bats

@@ -28,6 +28,15 @@ export NEW_USER='test'
 	[ "$status" -eq 0 ]
 }
 
+@test "boundary/users: the $NEW_USER user contains default authorized-actions" {
+  local uid=$(user_id $NEW_USER)
+  local out=$(read_user $uid)
+
+	run has_default_user_actions "$out" 
+  echo "$output"
+	[ "$status" -eq 0 ]
+}
+
 @test "boundary/account/password: can add $NEW_USER account" {
 	run create_account $NEW_USER
 	[ "$status" -eq 0 ]