From 48a36a3dbc337b916ef158f6629425b7c102c3e5 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-boundary <82989682+hc-github-team-secure-boundary@users.noreply.github.com>
Date: Mon, 7 Jul 2025 14:33:45 -0400
Subject: [PATCH] backport of commit 6b2d5718b2ed9d84adf5e5cdb7308026d961058e (#5902)
Co-authored-by: Sorawis Nilparuk
---
 .../controller/handlers/host_catalogs/grants_test.go | 12 +++++++++++-
 .../handlers/host_catalogs/host_catalog_service.go | 2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/internal/daemon/controller/handlers/host_catalogs/grants_test.go b/internal/daemon/controller/handlers/host_catalogs/grants_test.go
index 610802a460..4753d9e35b 100644
--- a/internal/daemon/controller/handlers/host_catalogs/grants_test.go
+++ b/internal/daemon/controller/handlers/host_catalogs/grants_test.go
@@ -516,7 +516,17 @@ func TestGrants_ReadActions(t *testing.T) {
 user, account := iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, ldap.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{
 {
 RoleScopeId: globals.GlobalPrefix,
- Grants: []string{"ids=*;type=*;actions=*"},
+ Grants: []string{"ids=*;type=host-catalog;actions=*"},
+ GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
+ },
+ {
+ RoleScopeId: globals.GlobalPrefix,
+ Grants: []string{"ids=*;type=host;actions=*"},
+ GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
+ },
+ {
+ RoleScopeId: globals.GlobalPrefix,
+ Grants: []string{"ids=*;type=host-set;actions=*"},
 GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
 },
 })()
diff --git a/internal/daemon/controller/handlers/host_catalogs/host_catalog_service.go b/internal/daemon/controller/handlers/host_catalogs/host_catalog_service.go
index f69048706a..703288e078 100644
--- a/internal/daemon/controller/handlers/host_catalogs/host_catalog_service.go
+++ b/internal/daemon/controller/handlers/host_catalogs/host_catalog_service.go
@@ -701,7 +701,7 @@ func (s Service) authResult(ctx context.Context, id string, a action.Type, isRec
 res := auth.VerifyResults{}
 var parentId string
- opts := []auth.Option{auth.WithAction(a), auth.WithRecursive(isRecursive)}
+ opts := []auth.Option{auth.WithAction(a), auth.WithRecursive(isRecursive), auth.WithFetchAdditionalResourceGrants(additionalResourceGrants...)}
 switch a {
 case action.List, action.Create:
 parentId = id
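Review bot: `auth.WithFetchAdditionalResourceGrants(additionalResourceGrants...)` is added to `opts` before the `switch a`, so every host-catalog action now loads grants for extra resource types, and nothing at the call site says why or what those grants may influence. `additionalResourceGrants` is defined outside this hunk; presumably it names the child types (host, host-set) needed to compute authorized collection actions, and it should be confirmed in the auth package that these grants never count toward the allow/deny decision on the catalog itself. A comment above the line would make that auditable: `// Also load grants for child resource types, used only to compute authorized collection actions; they must not widen access to the catalog itself.` The grants_test.go hunk shows only the positive case with all three types granted, so a case granting `type=host-catalog` alone and asserting that no host or host-set actions come back would pin the boundary. authResult's body starts and ends outside the hunk.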