test(e2e): Add multi-scope grants test (#4446)

testing/internal/e2e/boundary/role.go

@@ -6,11 +6,13 @@ package boundary
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"testing"
 
 	"github.com/hashicorp/boundary/api"
 	"github.com/hashicorp/boundary/api/roles"
 	"github.com/hashicorp/boundary/testing/internal/e2e"
+	"github.com/hashicorp/go-secure-stdlib/base62"
 	"github.com/stretchr/testify/require"
 )
 
@@ -26,26 +28,57 @@ func CreateNewRoleApi(t testing.TB, ctx context.Context, client *api.Client, sco
 	return newRoleId
 }
 
-// CreateNewRoleCli creates a new role using the cli.
-// Returns the id of the new role.
-func CreateNewRoleCli(t testing.TB, ctx context.Context, scopeId string) string {
+// CreateRoleCli creates a new role using the Boundary CLI.
+// Returns the id of the new role or error
+func CreateRoleCli(t testing.TB, ctx context.Context, scopeId string) (string, error) {
+	name, err := base62.Random(16)
+	if err != nil {
+		return "", fmt.Errorf("error generating role name: %w", err)
+	}
 	output := e2e.RunCommand(ctx, "boundary",
 		e2e.WithArgs(
 			"roles", "create",
 			"-scope-id", scopeId,
-			"-name", "e2e Role",
+			"-name", fmt.Sprintf("e2e Role %s", name),
 			"-description", "e2e",
 			"-format", "json",
 		),
 	)
-	require.NoError(t, output.Err, string(output.Stderr))
+	if output.Err != nil {
+		return "", fmt.Errorf("error creating role: %w: %s", output.Err, string(output.Stderr))
+	}
+
 	var newRoleResult roles.RoleCreateResult
-	err := json.Unmarshal(output.Stdout, &newRoleResult)
-	require.NoError(t, err)
+	if err := json.Unmarshal(output.Stdout, &newRoleResult); err != nil {
+		return "", fmt.Errorf("error unmarshalling role creation result: %w", err)
+	}
 
 	newRoleId := newRoleResult.Item.Id
-	t.Logf("Created Role: %s", newRoleId)
-	return newRoleId
+	t.Logf("Created Role: %s in scope %s", newRoleId, scopeId)
+	return newRoleId, nil
+}
+
+// ListRolesCli lists roles from the specified scope using the Boundary CLI.
+// Returns a slice of roles or error
+func ListRolesCli(t testing.TB, ctx context.Context, scopeId string) ([]*roles.Role, error) {
+	output := e2e.RunCommand(ctx, "boundary",
+		e2e.WithArgs(
+			"roles", "list",
+			"-scope-id", scopeId,
+			"-format", "json",
+		),
+	)
+	if output.Err != nil {
+		return nil, fmt.Errorf("error listing roles in %s scope: %w: %s", scopeId, output.Err, output.Stderr)
+	}
+
+	var roleListResult roles.RoleListResult
+	if err := json.Unmarshal(output.Stdout, &roleListResult); err != nil {
+		return nil, fmt.Errorf("error unmarshalling role list result: %w", err)
+	}
+
+	t.Logf("Listed Roles in scope %s", scopeId)
+	return roleListResult.Items, nil
 }
 
 // AddGrantToRoleCli adds a grant/permission to a role using the cli
@@ -70,4 +103,59 @@ func AddPrincipalToRoleCli(t testing.TB, ctx context.Context, roleId string, pri
 		),
 	)
 	require.NoError(t, output.Err, string(output.Stderr))
+	t.Logf("Principal %s added to role: %s", principal, roleId)
+}
+
+// SetGrantScopesToRoleCli uses Boundary CLI to override grant scopes for the role with the provided ones.
+// Option WithGrantScopeId can be used multiple times to provide grant scope IDs.
+func SetGrantScopesToRoleCli(t testing.TB, ctx context.Context, roleId string, opt ...RoleOption) error {
+	opts := getRoleOpts(opt...)
+	var args []string
+
+	if len(opts.scopeIds) == 0 {
+		return fmt.Errorf("at least one grant scope id must be provided")
+	}
+	for _, id := range opts.scopeIds {
+		args = append(args, "-grant-scope-id", id)
+	}
+
+	output := e2e.RunCommand(ctx, "boundary",
+		e2e.WithArgs(
+			"roles", "set-grant-scopes",
+			"-id", roleId,
+		),
+		e2e.WithArgs(args...),
+	)
+	if output.Err != nil {
+		return fmt.Errorf("error setting grant scopes to role: %w: %s", output.Err, string(output.Stderr))
+	}
+
+	t.Logf("Grant scopes are set to role %s: %v", roleId, opts.scopeIds)
+	return nil
+}
+
+// getRoleOpts iterates the inbound RoleOptions and returns a struct.
+func getRoleOpts(opt ...RoleOption) roleOptions {
+	opts := roleOptions{
+		scopeIds: make([]string, 0),
+	}
+	for _, o := range opt {
+		o(&opts)
+	}
+	return opts
+}
+
+// RoleOption represents how Options are passed as arguments.
+type RoleOption func(*roleOptions)
+
+// roleOptions is a struct representing available options for roles.
+type roleOptions struct {
+	scopeIds []string
+}
+
+// WithGrantScopeId provides an option to set the grant scope to a role.
+func WithGrantScopeId(scopeId string) RoleOption {
+	return func(o *roleOptions) {
+		o.scopeIds = append(o.scopeIds, scopeId)
+	}
 }

testing/internal/e2e/tests/base/role_multi_scope_grants_test.go

@@ -0,0 +1,142 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package base_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/hashicorp/boundary/testing/internal/e2e"
+	"github.com/hashicorp/boundary/testing/internal/e2e/boundary"
+	"github.com/stretchr/testify/require"
+)
+
+// TestCliApplyGrantsForMultipleScopes verifies if roles' grants can be applied for children and descendant scopes
+func TestCliApplyGrantsForMultipleScopes(t *testing.T) {
+	e2e.MaybeSkipTest(t)
+	bc, err := boundary.LoadConfig()
+	require.NoError(t, err)
+
+	ctx := context.Background()
+	boundary.AuthenticateAdminCli(t, ctx)
+
+	// Create Org and Project
+	orgId := boundary.CreateNewOrgCli(t, ctx)
+	t.Cleanup(func() {
+		ctx := context.Background()
+		boundary.AuthenticateAdminCli(t, ctx)
+		output := e2e.RunCommand(ctx, "boundary", e2e.WithArgs("scopes", "delete", "-id", orgId))
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+	projectId := boundary.CreateNewProjectCli(t, ctx, orgId)
+
+	// Create Account
+	acctName := "e2e-account"
+	accountId, acctPassword := boundary.CreateNewAccountCli(t, ctx, bc.AuthMethodId, acctName)
+	t.Cleanup(func() {
+		boundary.AuthenticateAdminCli(t, ctx)
+		output := e2e.RunCommand(ctx, "boundary",
+			e2e.WithArgs("accounts", "delete", "-id", accountId),
+		)
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+
+	// Create User and set Account to it
+	userId := boundary.CreateNewUserCli(t, ctx, "global")
+	t.Cleanup(func() {
+		boundary.AuthenticateAdminCli(t, ctx)
+		output := e2e.RunCommand(ctx, "boundary",
+			e2e.WithArgs("users", "delete", "-id", userId),
+		)
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+	boundary.SetAccountToUserCli(t, ctx, userId, accountId)
+
+	// Authenticate test user and try to:
+	// - list Roles in global scope: expect error
+	// - list Roles in org scope: expect error
+	// - list Roles in proj scope: expect error
+	boundary.AuthenticateCli(t, ctx, bc.AuthMethodId, acctName, acctPassword)
+
+	_, err = boundary.CreateRoleCli(t, ctx, "global")
+	require.Error(t, err)
+
+	_, err = boundary.CreateRoleCli(t, ctx, orgId)
+	require.Error(t, err)
+
+	_, err = boundary.CreateRoleCli(t, ctx, projectId)
+	require.Error(t, err)
+
+	// Create Role, and add grants and principal to it
+	boundary.AuthenticateAdminCli(t, ctx)
+	roleId, err := boundary.CreateRoleCli(t, ctx, "global")
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		boundary.AuthenticateAdminCli(t, ctx)
+		output := e2e.RunCommand(ctx, "boundary",
+			e2e.WithArgs("roles", "delete", "-id", roleId),
+		)
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+	boundary.AddGrantToRoleCli(t, ctx, roleId, "ids=*;type=role;actions=list")
+	boundary.AddPrincipalToRoleCli(t, ctx, roleId, userId)
+
+	// Authenticate User and try to:
+	// - list Roles in global scope: expect success
+	// - list Roles in org scope: expect error
+	// - list Roles in proj scope: expect error
+	boundary.AuthenticateCli(t, ctx, bc.AuthMethodId, acctName, acctPassword)
+	_, err = boundary.ListRolesCli(t, ctx, "global")
+	require.NoError(t, err)
+
+	_, err = boundary.ListRolesCli(t, ctx, orgId)
+	require.Error(t, err)
+
+	_, err = boundary.ListRolesCli(t, ctx, projectId)
+	require.Error(t, err)
+
+	// Set Grant Scopes to Role: this, children
+	boundary.AuthenticateAdminCli(t, ctx)
+	err = boundary.SetGrantScopesToRoleCli(t, ctx, roleId,
+		boundary.WithGrantScopeId("this"),
+		boundary.WithGrantScopeId("children"),
+	)
+	require.NoError(t, err)
+
+	// Authenticate User and try to:
+	// - list Roles in global scope: expect success
+	// - list Roles in org scope: expect success
+	// - list Roles in proj scope: expect error
+	boundary.AuthenticateCli(t, ctx, bc.AuthMethodId, acctName, acctPassword)
+	_, err = boundary.ListRolesCli(t, ctx, "global")
+	require.NoError(t, err)
+
+	_, err = boundary.ListRolesCli(t, ctx, orgId)
+	require.NoError(t, err)
+
+	_, err = boundary.ListRolesCli(t, ctx, projectId)
+	require.Error(t, err)
+
+	// Set Grant Scopes to Role: this, descendants
+	boundary.AuthenticateAdminCli(t, ctx)
+	err = boundary.SetGrantScopesToRoleCli(t, ctx, roleId,
+		boundary.WithGrantScopeId("this"),
+		boundary.WithGrantScopeId("descendants"),
+	)
+	require.NoError(t, err)
+
+	// Authenticate User and try to:
+	// - list Roles in global scope: expect success
+	// - list Roles in org scope: expect success
+	// - list Roles in proj scope: expect success
+	boundary.AuthenticateCli(t, ctx, bc.AuthMethodId, acctName, acctPassword)
+	_, err = boundary.ListRolesCli(t, ctx, "global")
+	require.NoError(t, err)
+
+	_, err = boundary.ListRolesCli(t, ctx, orgId)
+	require.NoError(t, err)
+
+	_, err = boundary.ListRolesCli(t, ctx, projectId)
+	require.NoError(t, err)
+}

testing/internal/e2e/tests/base/session_cancel_group_test.go

@@ -98,7 +98,8 @@ func TestCliSessionCancelGroup(t *testing.T) {
 	boundary.AddUserToGroup(t, ctx, newUserId, newGroupId)
 
 	// Create a role for a group
-	newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId)
+	newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId)
+	require.NoError(t, err)
 	boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session")
 	boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newGroupId)
 

testing/internal/e2e/tests/base/session_cancel_user_test.go

@@ -93,7 +93,8 @@ func TestCliSessionCancelUser(t *testing.T) {
 
 	// Create a role for user
 	boundary.AuthenticateAdminCli(t, ctx)
-	newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId)
+	newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId)
+	require.NoError(t, err)
 	boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session")
 	boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId)
 

testing/internal/e2e/tests/base/session_end_delete_host_set_test.go

@@ -58,7 +58,8 @@ func TestCliSessionEndWhenHostSetIsDeleted(t *testing.T) {
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
 	boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId)
-	newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId)
+	newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId)
+	require.NoError(t, err)
 	boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session")
 	boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId)
 

testing/internal/e2e/tests/base/session_end_delete_host_test.go

@@ -58,7 +58,8 @@ func TestCliSessionEndWhenHostIsDeleted(t *testing.T) {
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
 	boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId)
-	newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId)
+	newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId)
+	require.NoError(t, err)
 	boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session")
 	boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId)
 

testing/internal/e2e/tests/base/session_end_delete_project_test.go

@@ -54,7 +54,8 @@ func TestCliSessionEndWhenProjectIsDeleted(t *testing.T) {
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
 	boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId)
-	newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId)
+	newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId)
+	require.NoError(t, err)
 	boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session")
 	boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId)
 

testing/internal/e2e/tests/base/session_end_delete_target_test.go

@@ -58,7 +58,8 @@ func TestCliSessionEndWhenTargetIsDeleted(t *testing.T) {
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
 	boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId)
-	newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId)
+	newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId)
+	require.NoError(t, err)
 	boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session")
 	boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId)
 

testing/internal/e2e/tests/base/session_end_delete_user_test.go

@@ -63,7 +63,8 @@ func TestCliSessionEndWhenUserIsDeleted(t *testing.T) {
 		}
 	})
 	boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId)
-	newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId)
+	newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId)
+	require.NoError(t, err)
 	boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session")
 	boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId)
 

testing/internal/e2e/tests/base_plus/ldap_test.go

@@ -155,7 +155,8 @@ func TestCliLdap(t *testing.T) {
 	require.Contains(t, managedGroupReadResult.Item.MemberIds, newAccountId)
 
 	// Add managed group as a principal to a role with permissions to read auth methods
-	newRoleId := boundary.CreateNewRoleCli(t, ctx, newOrgId)
+	newRoleId, err := boundary.CreateRoleCli(t, ctx, newOrgId)
+	require.NoError(t, err)
 	boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, managedGroupId)
 	boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=auth-method;actions=read")
 

testing/internal/e2e/tests/base_plus/rate_limit_test.go

@@ -171,7 +171,8 @@ func TestHttpRateLimit(t *testing.T) {
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
 	boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId)
-	newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId)
+	newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId)
+	require.NoError(t, err)
 	boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=*;actions=*")
 	boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId)
 
@@ -306,7 +307,8 @@ func TestCliRateLimit(t *testing.T) {
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
 	boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId)
-	newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId)
+	newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId)
+	require.NoError(t, err)
 	boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=*;actions=*")
 	boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId)
 

testing/internal/e2e/tests/database/migration_test.go

@@ -241,7 +241,8 @@ func populateBoundaryDatabase(t testing.TB, ctx context.Context, c *config, te T
 	boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId)
 	newGroupId := boundary.CreateNewGroupCli(t, ctx, "global")
 	boundary.AddUserToGroup(t, ctx, newUserId, newGroupId)
-	newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId)
+	newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId)
+	require.NoError(t, err)
 	boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session")
 	boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newGroupId)
 
@@ -277,7 +278,7 @@ func populateBoundaryDatabase(t testing.TB, ctx context.Context, c *config, te T
 	)
 	require.NoError(t, output.Err, string(output.Stderr))
 	var tokenCreateResult vault.CreateTokenResponse
-	err := json.Unmarshal(output.Stdout, &tokenCreateResult)
+	err = json.Unmarshal(output.Stdout, &tokenCreateResult)
 	require.NoError(t, err)
 	credStoreToken := tokenCreateResult.Auth.Client_Token
 	t.Log("Created Vault Cred Store Token")