diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6ffe090480..96d7fc9ce2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,8 +5,26 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
 ## Next
 
 ### New and Improved
-* Workers: Added the ability to read and reinitialize the Worker certificate authority ([PR1](https://github.com/hashicorp/boundary/pull/2312), [PR2](https://github.com/hashicorp/boundary/pull/2387))
-* Workers: Return the worker Boundary binary version on worker list and read ([PR](https://github.com/hashicorp/boundary/pull/2377))
+
+* Workers: Added the ability to read and reinitialize the Worker certificate
+ authority ([PR1](https://github.com/hashicorp/boundary/pull/2312),
+ [PR2](https://github.com/hashicorp/boundary/pull/2387))
+* Workers: Return the worker Boundary binary version on worker list and read
+ ([PR](https://github.com/hashicorp/boundary/pull/2377))
+
+## 0.10.5 (2022/09/13)
+
+### Bug Fixes
+
+* grants: Properly resolve "only self" for permissions. When generating
+ permissions from grants, if a single grant was limited only to a set of "self"
+ actions and that was the last grant parsed (which would be semi-random
+ depending on a number of factors), the overall set of permissions would be
+ marked as only-self. This would result in the generated permissions being more
+ limiting then they should be based on the grants. This only impacts the
+ sessions list endpoint. It would result in users that have been granted access
+ to list other user's sessions to be unable to see these sessions in the list
+ results ([PR](https://github.com/hashicorp/boundary/pull/2448)).
 
 ## 0.10.4 (2022/09/13)
 
diff --git a/internal/authtoken/testing.go b/internal/authtoken/testing.go
index 86d0d7825e..59b2ed7447 100644
--- a/internal/authtoken/testing.go
+++ b/internal/authtoken/testing.go
@@ -11,6 +11,9 @@ import (
 "github.com/stretchr/testify/require"
 )
 
+// TestAuthToken, despite its name, does more than just return an auth token; it
+// also creates an auth method, an account, and a user and binds them together,
+// then creates an auth token against it
 func TestAuthToken(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, opt ...Option) *AuthToken {
 t.Helper()
 authMethod := password.TestAuthMethods(t, conn, scopeId, 1)[0]
diff --git a/internal/daemon/controller/handlers/sessions/session_service_test.go b/internal/daemon/controller/handlers/sessions/session_service_test.go
index 5034d6b43d..a65234ce31 100644
--- a/internal/daemon/controller/handlers/sessions/session_service_test.go
+++ b/internal/daemon/controller/handlers/sessions/session_service_test.go
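Review bot: The new doc comment on TestAuthToken says the helper creates a user but not that every call creates a fresh, independent one, which is exactly what the session test in this commit relies on when it calls the helper three times and treats each token's IamUserId as a separate principal; the visible body (`password.TestAuthMethods(t, conn, scopeId, 1)[0]`) suggests a new auth method per call, so I would add `// Each call creates a new, independent auth method, account and user in scopeId, so two calls yield two unrelated principals; the returned token's IamUserId identifies that new user.` and end the existing sentence with a period. The `opt ...Option` parameter is not mentioned either; a short clause on what the options influence would help, if it can be stated from the rest of the body. TestAuthToken's body continues past the end of this hunk.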
@@ -185,7 +185,24 @@ func TestList_Self(t *testing.T) {
 
 at := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
 uId := at.GetIamUserId()
- otherAt := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
+
+ otherPrivAuthToken := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
+ unprivAuthToken := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
+
+ // See https://github.com/hashicorp/boundary/pull/2448 -- these roles both
+ // test functionality and serve as a regression test
+
+ // Create a "privileged" role that gives admin on the scope
+ privProjRole := iam.TestRole(t, conn, pWithSessions.GetPublicId())
+ iam.TestRoleGrant(t, conn, privProjRole.GetPublicId(), "id=*;type=*;actions=*")
+ iam.TestUserRole(t, conn, privProjRole.GetPublicId(), otherPrivAuthToken.GetIamUserId())
+
+ // Create an "unprivileged" role that only grants self variants and add the
+ // unprivileged user and other privileged users
+ unPrivProjRole := iam.TestRole(t, conn, pWithSessions.GetPublicId())
+ iam.TestRoleGrant(t, conn, unPrivProjRole.GetPublicId(), "id=*;type=session;actions=read:self,list,cancel:self")
+ iam.TestUserRole(t, conn, unPrivProjRole.GetPublicId(), unprivAuthToken.GetIamUserId())
+ iam.TestUserRole(t, conn, unPrivProjRole.GetPublicId(), otherPrivAuthToken.GetIamUserId())
 
 hc := static.TestCatalogs(t, conn, pWithSessions.GetPublicId(), 1)[0]
 hs := static.TestSets(t, conn, hc.GetPublicId(), 1)[0]
@@ -218,8 +235,13 @@ func TestList_Self(t *testing.T) {
 count: 1,
 },
 {
- name: "Can't List Others Sessions",
- requester: otherAt,
+ name: "Can List Others Sessions when Authorized",
+ requester: otherPrivAuthToken,
+ count: 1,
+ },
+ {
+ name: "Can't List Others Sessions When Not Authorized",
+ requester: unprivAuthToken,
 count: 0,
 },
 }
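Review bot: The regression setup added here depends on grant parsing order, which the 0.10.5 changelog entry in this same commit describes as semi-random, so on unfixed code the `otherPrivAuthToken` user would still see the session whenever the admin grant happens to be parsed last, and the "Can List Others Sessions when Authorized" case would pass without catching the bug. If the resolver's order follows role creation or membership order (I cannot confirm that from the hunk), placing a self-only grant on both sides of the admin grant would make the case order-independent: `selfFirstRole := iam.TestRole(t, conn, pWithSessions.GetPublicId())`, `iam.TestRoleGrant(t, conn, selfFirstRole.GetPublicId(), "id=*;type=session;actions=read:self,list,cancel:self")`, `iam.TestUserRole(t, conn, selfFirstRole.GetPublicId(), otherPrivAuthToken.GetIamUserId())`, created before `privProjRole`. If the order cannot be controlled, a comment next to the PR link stating that assumption would at least record why the privileged user is deliberately also a member of `unPrivProjRole`. TestList_Self begins before this hunk and continues after it.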
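Review bot: The two new cases assert only a count, so `count: 1` for `otherPrivAuthToken` does not show that the listed session belongs to `uId` rather than being one the requester could see for another reason; if the case runner (outside this hunk) inspects the returned sessions, an expected owner or session-id field on the table entry would pin the authorization outcome rather than the result size. The case names are also inconsistently capitalized, `when Authorized` against `When Not Authorized`, so I would use `"Can List Others Sessions When Authorized"`. TestList_Self continues past the end of this hunk.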