From 41d3dffa9bb1f57ebb31f5f10352144fd9694d97 Mon Sep 17 00:00:00 2001 From: Stan Ryzhov <60649800+stasryzhov@users.noreply.github.com> Date: Fri, 1 Mar 2024 12:53:42 -0500 Subject: [PATCH] test(e2e): Add multi-scope grants test (#4446) --- testing/internal/e2e/boundary/role.go | 106 +++++++++++-- .../base/role_multi_scope_grants_test.go | 142 ++++++++++++++++++ .../tests/base/session_cancel_group_test.go | 3 +- .../tests/base/session_cancel_user_test.go | 3 +- .../base/session_end_delete_host_set_test.go | 3 +- .../base/session_end_delete_host_test.go | 3 +- .../base/session_end_delete_project_test.go | 3 +- .../base/session_end_delete_target_test.go | 3 +- .../base/session_end_delete_user_test.go | 3 +- .../internal/e2e/tests/base_plus/ldap_test.go | 3 +- .../e2e/tests/base_plus/rate_limit_test.go | 6 +- .../e2e/tests/database/migration_test.go | 5 +- 12 files changed, 262 insertions(+), 21 deletions(-) create mode 100644 testing/internal/e2e/tests/base/role_multi_scope_grants_test.go diff --git a/testing/internal/e2e/boundary/role.go b/testing/internal/e2e/boundary/role.go index cb6f9193a8..2b79da873e 100644 --- a/testing/internal/e2e/boundary/role.go +++ b/testing/internal/e2e/boundary/role.go @@ -6,11 +6,13 @@ package boundary import ( "context" "encoding/json" + "fmt" "testing" "github.com/hashicorp/boundary/api" "github.com/hashicorp/boundary/api/roles" "github.com/hashicorp/boundary/testing/internal/e2e" + "github.com/hashicorp/go-secure-stdlib/base62" "github.com/stretchr/testify/require" ) @@ -26,26 +28,57 @@ func CreateNewRoleApi(t testing.TB, ctx context.Context, client *api.Client, sco return newRoleId } -// CreateNewRoleCli creates a new role using the cli. -// Returns the id of the new role. -func CreateNewRoleCli(t testing.TB, ctx context.Context, scopeId string) string { +// CreateRoleCli creates a new role using the Boundary CLI. +// Returns the id of the new role or error +func CreateRoleCli(t testing.TB, ctx context.Context, scopeId string) (string, error) { + name, err := base62.Random(16) + if err != nil { + return "", fmt.Errorf("error generating role name: %w", err) + } output := e2e.RunCommand(ctx, "boundary", e2e.WithArgs( "roles", "create", "-scope-id", scopeId, - "-name", "e2e Role", + "-name", fmt.Sprintf("e2e Role %s", name), "-description", "e2e", "-format", "json", ), ) - require.NoError(t, output.Err, string(output.Stderr)) + if output.Err != nil { + return "", fmt.Errorf("error creating role: %w: %s", output.Err, string(output.Stderr)) + } + var newRoleResult roles.RoleCreateResult - err := json.Unmarshal(output.Stdout, &newRoleResult) - require.NoError(t, err) + if err := json.Unmarshal(output.Stdout, &newRoleResult); err != nil { + return "", fmt.Errorf("error unmarshalling role creation result: %w", err) + } newRoleId := newRoleResult.Item.Id - t.Logf("Created Role: %s", newRoleId) - return newRoleId + t.Logf("Created Role: %s in scope %s", newRoleId, scopeId) + return newRoleId, nil +} + +// ListRolesCli lists roles from the specified scope using the Boundary CLI. +// Returns a slice of roles or error +func ListRolesCli(t testing.TB, ctx context.Context, scopeId string) ([]*roles.Role, error) { + output := e2e.RunCommand(ctx, "boundary", + e2e.WithArgs( + "roles", "list", + "-scope-id", scopeId, + "-format", "json", + ), + ) + if output.Err != nil { + return nil, fmt.Errorf("error listing roles in %s scope: %w: %s", scopeId, output.Err, output.Stderr) + } + + var roleListResult roles.RoleListResult + if err := json.Unmarshal(output.Stdout, &roleListResult); err != nil { + return nil, fmt.Errorf("error unmarshalling role list result: %w", err) + } + + t.Logf("Listed Roles in scope %s", scopeId) + return roleListResult.Items, nil } // AddGrantToRoleCli adds a grant/permission to a role using the cli @@ -70,4 +103,59 @@ func AddPrincipalToRoleCli(t testing.TB, ctx context.Context, roleId string, pri ), ) require.NoError(t, output.Err, string(output.Stderr)) + t.Logf("Principal %s added to role: %s", principal, roleId) +} + +// SetGrantScopesToRoleCli uses Boundary CLI to override grant scopes for the role with the provided ones. +// Option WithGrantScopeId can be used multiple times to provide grant scope IDs. +func SetGrantScopesToRoleCli(t testing.TB, ctx context.Context, roleId string, opt ...RoleOption) error { + opts := getRoleOpts(opt...) + var args []string + + if len(opts.scopeIds) == 0 { + return fmt.Errorf("at least one grant scope id must be provided") + } + for _, id := range opts.scopeIds { + args = append(args, "-grant-scope-id", id) + } + + output := e2e.RunCommand(ctx, "boundary", + e2e.WithArgs( + "roles", "set-grant-scopes", + "-id", roleId, + ), + e2e.WithArgs(args...), + ) + if output.Err != nil { + return fmt.Errorf("error setting grant scopes to role: %w: %s", output.Err, string(output.Stderr)) + } + + t.Logf("Grant scopes are set to role %s: %v", roleId, opts.scopeIds) + return nil +} + +// getRoleOpts iterates the inbound RoleOptions and returns a struct. +func getRoleOpts(opt ...RoleOption) roleOptions { + opts := roleOptions{ + scopeIds: make([]string, 0), + } + for _, o := range opt { + o(&opts) + } + return opts +} + +// RoleOption represents how Options are passed as arguments. +type RoleOption func(*roleOptions) + +// roleOptions is a struct representing available options for roles. +type roleOptions struct { + scopeIds []string +} + +// WithGrantScopeId provides an option to set the grant scope to a role. +func WithGrantScopeId(scopeId string) RoleOption { + return func(o *roleOptions) { + o.scopeIds = append(o.scopeIds, scopeId) + } } diff --git a/testing/internal/e2e/tests/base/role_multi_scope_grants_test.go b/testing/internal/e2e/tests/base/role_multi_scope_grants_test.go new file mode 100644 index 0000000000..0b2b5de41a --- /dev/null +++ b/testing/internal/e2e/tests/base/role_multi_scope_grants_test.go @@ -0,0 +1,142 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: BUSL-1.1 + +package base_test + +import ( + "context" + "testing" + + "github.com/hashicorp/boundary/testing/internal/e2e" + "github.com/hashicorp/boundary/testing/internal/e2e/boundary" + "github.com/stretchr/testify/require" +) + +// TestCliApplyGrantsForMultipleScopes verifies if roles' grants can be applied for children and descendant scopes +func TestCliApplyGrantsForMultipleScopes(t *testing.T) { + e2e.MaybeSkipTest(t) + bc, err := boundary.LoadConfig() + require.NoError(t, err) + + ctx := context.Background() + boundary.AuthenticateAdminCli(t, ctx) + + // Create Org and Project + orgId := boundary.CreateNewOrgCli(t, ctx) + t.Cleanup(func() { + ctx := context.Background() + boundary.AuthenticateAdminCli(t, ctx) + output := e2e.RunCommand(ctx, "boundary", e2e.WithArgs("scopes", "delete", "-id", orgId)) + require.NoError(t, output.Err, string(output.Stderr)) + }) + projectId := boundary.CreateNewProjectCli(t, ctx, orgId) + + // Create Account + acctName := "e2e-account" + accountId, acctPassword := boundary.CreateNewAccountCli(t, ctx, bc.AuthMethodId, acctName) + t.Cleanup(func() { + boundary.AuthenticateAdminCli(t, ctx) + output := e2e.RunCommand(ctx, "boundary", + e2e.WithArgs("accounts", "delete", "-id", accountId), + ) + require.NoError(t, output.Err, string(output.Stderr)) + }) + + // Create User and set Account to it + userId := boundary.CreateNewUserCli(t, ctx, "global") + t.Cleanup(func() { + boundary.AuthenticateAdminCli(t, ctx) + output := e2e.RunCommand(ctx, "boundary", + e2e.WithArgs("users", "delete", "-id", userId), + ) + require.NoError(t, output.Err, string(output.Stderr)) + }) + boundary.SetAccountToUserCli(t, ctx, userId, accountId) + + // Authenticate test user and try to: + // - list Roles in global scope: expect error + // - list Roles in org scope: expect error + // - list Roles in proj scope: expect error + boundary.AuthenticateCli(t, ctx, bc.AuthMethodId, acctName, acctPassword) + + _, err = boundary.CreateRoleCli(t, ctx, "global") + require.Error(t, err) + + _, err = boundary.CreateRoleCli(t, ctx, orgId) + require.Error(t, err) + + _, err = boundary.CreateRoleCli(t, ctx, projectId) + require.Error(t, err) + + // Create Role, and add grants and principal to it + boundary.AuthenticateAdminCli(t, ctx) + roleId, err := boundary.CreateRoleCli(t, ctx, "global") + require.NoError(t, err) + t.Cleanup(func() { + boundary.AuthenticateAdminCli(t, ctx) + output := e2e.RunCommand(ctx, "boundary", + e2e.WithArgs("roles", "delete", "-id", roleId), + ) + require.NoError(t, output.Err, string(output.Stderr)) + }) + boundary.AddGrantToRoleCli(t, ctx, roleId, "ids=*;type=role;actions=list") + boundary.AddPrincipalToRoleCli(t, ctx, roleId, userId) + + // Authenticate User and try to: + // - list Roles in global scope: expect success + // - list Roles in org scope: expect error + // - list Roles in proj scope: expect error + boundary.AuthenticateCli(t, ctx, bc.AuthMethodId, acctName, acctPassword) + _, err = boundary.ListRolesCli(t, ctx, "global") + require.NoError(t, err) + + _, err = boundary.ListRolesCli(t, ctx, orgId) + require.Error(t, err) + + _, err = boundary.ListRolesCli(t, ctx, projectId) + require.Error(t, err) + + // Set Grant Scopes to Role: this, children + boundary.AuthenticateAdminCli(t, ctx) + err = boundary.SetGrantScopesToRoleCli(t, ctx, roleId, + boundary.WithGrantScopeId("this"), + boundary.WithGrantScopeId("children"), + ) + require.NoError(t, err) + + // Authenticate User and try to: + // - list Roles in global scope: expect success + // - list Roles in org scope: expect success + // - list Roles in proj scope: expect error + boundary.AuthenticateCli(t, ctx, bc.AuthMethodId, acctName, acctPassword) + _, err = boundary.ListRolesCli(t, ctx, "global") + require.NoError(t, err) + + _, err = boundary.ListRolesCli(t, ctx, orgId) + require.NoError(t, err) + + _, err = boundary.ListRolesCli(t, ctx, projectId) + require.Error(t, err) + + // Set Grant Scopes to Role: this, descendants + boundary.AuthenticateAdminCli(t, ctx) + err = boundary.SetGrantScopesToRoleCli(t, ctx, roleId, + boundary.WithGrantScopeId("this"), + boundary.WithGrantScopeId("descendants"), + ) + require.NoError(t, err) + + // Authenticate User and try to: + // - list Roles in global scope: expect success + // - list Roles in org scope: expect success + // - list Roles in proj scope: expect success + boundary.AuthenticateCli(t, ctx, bc.AuthMethodId, acctName, acctPassword) + _, err = boundary.ListRolesCli(t, ctx, "global") + require.NoError(t, err) + + _, err = boundary.ListRolesCli(t, ctx, orgId) + require.NoError(t, err) + + _, err = boundary.ListRolesCli(t, ctx, projectId) + require.NoError(t, err) +} diff --git a/testing/internal/e2e/tests/base/session_cancel_group_test.go b/testing/internal/e2e/tests/base/session_cancel_group_test.go index 666e1916f0..63eaa4a01a 100644 --- a/testing/internal/e2e/tests/base/session_cancel_group_test.go +++ b/testing/internal/e2e/tests/base/session_cancel_group_test.go @@ -98,7 +98,8 @@ func TestCliSessionCancelGroup(t *testing.T) { boundary.AddUserToGroup(t, ctx, newUserId, newGroupId) // Create a role for a group - newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId) + newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId) + require.NoError(t, err) boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session") boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newGroupId) diff --git a/testing/internal/e2e/tests/base/session_cancel_user_test.go b/testing/internal/e2e/tests/base/session_cancel_user_test.go index 6406e989a9..6faf4be221 100644 --- a/testing/internal/e2e/tests/base/session_cancel_user_test.go +++ b/testing/internal/e2e/tests/base/session_cancel_user_test.go @@ -93,7 +93,8 @@ func TestCliSessionCancelUser(t *testing.T) { // Create a role for user boundary.AuthenticateAdminCli(t, ctx) - newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId) + newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId) + require.NoError(t, err) boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session") boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId) diff --git a/testing/internal/e2e/tests/base/session_end_delete_host_set_test.go b/testing/internal/e2e/tests/base/session_end_delete_host_set_test.go index 97c9130a5f..444cb5255b 100644 --- a/testing/internal/e2e/tests/base/session_end_delete_host_set_test.go +++ b/testing/internal/e2e/tests/base/session_end_delete_host_set_test.go @@ -58,7 +58,8 @@ func TestCliSessionEndWhenHostSetIsDeleted(t *testing.T) { require.NoError(t, output.Err, string(output.Stderr)) }) boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId) - newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId) + newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId) + require.NoError(t, err) boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session") boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId) diff --git a/testing/internal/e2e/tests/base/session_end_delete_host_test.go b/testing/internal/e2e/tests/base/session_end_delete_host_test.go index 7c7d96cfb6..0963794497 100644 --- a/testing/internal/e2e/tests/base/session_end_delete_host_test.go +++ b/testing/internal/e2e/tests/base/session_end_delete_host_test.go @@ -58,7 +58,8 @@ func TestCliSessionEndWhenHostIsDeleted(t *testing.T) { require.NoError(t, output.Err, string(output.Stderr)) }) boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId) - newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId) + newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId) + require.NoError(t, err) boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session") boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId) diff --git a/testing/internal/e2e/tests/base/session_end_delete_project_test.go b/testing/internal/e2e/tests/base/session_end_delete_project_test.go index a00caee840..0150e023fe 100644 --- a/testing/internal/e2e/tests/base/session_end_delete_project_test.go +++ b/testing/internal/e2e/tests/base/session_end_delete_project_test.go @@ -54,7 +54,8 @@ func TestCliSessionEndWhenProjectIsDeleted(t *testing.T) { require.NoError(t, output.Err, string(output.Stderr)) }) boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId) - newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId) + newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId) + require.NoError(t, err) boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session") boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId) diff --git a/testing/internal/e2e/tests/base/session_end_delete_target_test.go b/testing/internal/e2e/tests/base/session_end_delete_target_test.go index 954ce74f04..79ac503f6b 100644 --- a/testing/internal/e2e/tests/base/session_end_delete_target_test.go +++ b/testing/internal/e2e/tests/base/session_end_delete_target_test.go @@ -58,7 +58,8 @@ func TestCliSessionEndWhenTargetIsDeleted(t *testing.T) { require.NoError(t, output.Err, string(output.Stderr)) }) boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId) - newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId) + newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId) + require.NoError(t, err) boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session") boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId) diff --git a/testing/internal/e2e/tests/base/session_end_delete_user_test.go b/testing/internal/e2e/tests/base/session_end_delete_user_test.go index 3337cf9b96..4aef7837bb 100644 --- a/testing/internal/e2e/tests/base/session_end_delete_user_test.go +++ b/testing/internal/e2e/tests/base/session_end_delete_user_test.go @@ -63,7 +63,8 @@ func TestCliSessionEndWhenUserIsDeleted(t *testing.T) { } }) boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId) - newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId) + newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId) + require.NoError(t, err) boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session") boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId) diff --git a/testing/internal/e2e/tests/base_plus/ldap_test.go b/testing/internal/e2e/tests/base_plus/ldap_test.go index ff36ab193d..d55f7af9b0 100644 --- a/testing/internal/e2e/tests/base_plus/ldap_test.go +++ b/testing/internal/e2e/tests/base_plus/ldap_test.go @@ -155,7 +155,8 @@ func TestCliLdap(t *testing.T) { require.Contains(t, managedGroupReadResult.Item.MemberIds, newAccountId) // Add managed group as a principal to a role with permissions to read auth methods - newRoleId := boundary.CreateNewRoleCli(t, ctx, newOrgId) + newRoleId, err := boundary.CreateRoleCli(t, ctx, newOrgId) + require.NoError(t, err) boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, managedGroupId) boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=auth-method;actions=read") diff --git a/testing/internal/e2e/tests/base_plus/rate_limit_test.go b/testing/internal/e2e/tests/base_plus/rate_limit_test.go index 7720c86450..b4efd0ef17 100644 --- a/testing/internal/e2e/tests/base_plus/rate_limit_test.go +++ b/testing/internal/e2e/tests/base_plus/rate_limit_test.go @@ -171,7 +171,8 @@ func TestHttpRateLimit(t *testing.T) { require.NoError(t, output.Err, string(output.Stderr)) }) boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId) - newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId) + newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId) + require.NoError(t, err) boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=*;actions=*") boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId) @@ -306,7 +307,8 @@ func TestCliRateLimit(t *testing.T) { require.NoError(t, output.Err, string(output.Stderr)) }) boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId) - newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId) + newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId) + require.NoError(t, err) boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=*;actions=*") boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newUserId) diff --git a/testing/internal/e2e/tests/database/migration_test.go b/testing/internal/e2e/tests/database/migration_test.go index f9c1d74b19..e92cbbc473 100644 --- a/testing/internal/e2e/tests/database/migration_test.go +++ b/testing/internal/e2e/tests/database/migration_test.go @@ -241,7 +241,8 @@ func populateBoundaryDatabase(t testing.TB, ctx context.Context, c *config, te T boundary.SetAccountToUserCli(t, ctx, newUserId, newAccountId) newGroupId := boundary.CreateNewGroupCli(t, ctx, "global") boundary.AddUserToGroup(t, ctx, newUserId, newGroupId) - newRoleId := boundary.CreateNewRoleCli(t, ctx, newProjectId) + newRoleId, err := boundary.CreateRoleCli(t, ctx, newProjectId) + require.NoError(t, err) boundary.AddGrantToRoleCli(t, ctx, newRoleId, "ids=*;type=target;actions=authorize-session") boundary.AddPrincipalToRoleCli(t, ctx, newRoleId, newGroupId) @@ -277,7 +278,7 @@ func populateBoundaryDatabase(t testing.TB, ctx context.Context, c *config, te T ) require.NoError(t, output.Err, string(output.Stderr)) var tokenCreateResult vault.CreateTokenResponse - err := json.Unmarshal(output.Stdout, &tokenCreateResult) + err = json.Unmarshal(output.Stdout, &tokenCreateResult) require.NoError(t, err) credStoreToken := tokenCreateResult.Auth.Client_Token t.Log("Created Vault Cred Store Token")