Add session endpoint test for #2448 (#2450)

CHANGELOG.md

@@ -5,8 +5,26 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
 ## Next
 
 ### New and Improved
-* Workers: Added the ability to read and reinitialize the Worker certificate authority ([PR1](https://github.com/hashicorp/boundary/pull/2312), [PR2](https://github.com/hashicorp/boundary/pull/2387))
-* Workers: Return the worker Boundary binary version on worker list and read ([PR](https://github.com/hashicorp/boundary/pull/2377))
+
+* Workers: Added the ability to read and reinitialize the Worker certificate
+  authority ([PR1](https://github.com/hashicorp/boundary/pull/2312),
+  [PR2](https://github.com/hashicorp/boundary/pull/2387))
+* Workers: Return the worker Boundary binary version on worker list and read
+  ([PR](https://github.com/hashicorp/boundary/pull/2377))
+
+## 0.10.5 (2022/09/13)
+
+### Bug Fixes
+
+* grants: Properly resolve "only self" for permissions. When generating
+  permissions from grants, if a single grant was limited only to a set of "self"
+  actions and that was the last grant parsed (which would be semi-random
+  depending on a number of factors), the overall set of permissions would be
+  marked as only-self. This would result in the generated permissions being more
+  limiting then they should be based on the grants. This only impacts the
+  sessions list endpoint. It would result in users that have been granted access
+  to list other user's sessions to be unable to see these sessions in the list
+  results ([PR](https://github.com/hashicorp/boundary/pull/2448)).
 
 ## 0.10.4 (2022/09/13)
 

internal/authtoken/testing.go

@@ -11,6 +11,9 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+// TestAuthToken, despite its name, does more than just return an auth token; it
+// also creates an auth method, an account, and a user and binds them together,
+// then creates an auth token against it
 func TestAuthToken(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, opt ...Option) *AuthToken {
 	t.Helper()
 	authMethod := password.TestAuthMethods(t, conn, scopeId, 1)[0]

internal/daemon/controller/handlers/sessions/session_service_test.go

@@ -185,7 +185,24 @@ func TestList_Self(t *testing.T) {
 
 	at := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
 	uId := at.GetIamUserId()
-	otherAt := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
+
+	otherPrivAuthToken := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
+	unprivAuthToken := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
+
+	// See https://github.com/hashicorp/boundary/pull/2448 -- these roles both
+	// test functionality and serve as a regression test
+
+	// Create a "privileged" role that gives admin on the scope
+	privProjRole := iam.TestRole(t, conn, pWithSessions.GetPublicId())
+	iam.TestRoleGrant(t, conn, privProjRole.GetPublicId(), "id=*;type=*;actions=*")
+	iam.TestUserRole(t, conn, privProjRole.GetPublicId(), otherPrivAuthToken.GetIamUserId())
+
+	// Create an "unprivileged" role that only grants self variants and add the
+	// unprivileged user and other privileged users
+	unPrivProjRole := iam.TestRole(t, conn, pWithSessions.GetPublicId())
+	iam.TestRoleGrant(t, conn, unPrivProjRole.GetPublicId(), "id=*;type=session;actions=read:self,list,cancel:self")
+	iam.TestUserRole(t, conn, unPrivProjRole.GetPublicId(), unprivAuthToken.GetIamUserId())
+	iam.TestUserRole(t, conn, unPrivProjRole.GetPublicId(), otherPrivAuthToken.GetIamUserId())
 
 	hc := static.TestCatalogs(t, conn, pWithSessions.GetPublicId(), 1)[0]
 	hs := static.TestSets(t, conn, hc.GetPublicId(), 1)[0]
@@ -218,8 +235,13 @@ func TestList_Self(t *testing.T) {
 			count:     1,
 		},
 		{
-			name:      "Can't List Others Sessions",
-			requester: otherAt,
+			name:      "Can List Others Sessions when Authorized",
+			requester: otherPrivAuthToken,
+			count:     1,
+		},
+		{
+			name:      "Can't List Others Sessions When Not Authorized",
+			requester: unprivAuthToken,
 			count:     0,
 		},
 	}