fix(aliases): check target alias host id on create and update (#4435)

* fix(aliases): check target alias host id on create and update
2 years ago · 48d958e395
parent 0429ac678f
commit 48d958e395
2 changed files with 199 additions and 2 deletions
--- a/internal/daemon/controller/handlers/aliases/alias_service.go
+++ b/internal/daemon/controller/handlers/aliases/alias_service.go
@ -588,8 +588,13 @@ func validateCreateRequest(req *pbs.CreateAliasRequest) error {
 		if !strings.EqualFold(req.GetItem().GetType(), aliasTypeTarget) {
 			badFields[globals.TypeField] = "This field is required. Current supported values are 'target'."
 		}
-		if req.GetItem().GetTargetAliasAttributes().GetAuthorizeSessionArguments().GetHostId() != "" && req.GetItem().GetDestinationId().GetValue() == "" {
-			badFields[globals.DestinationIdField] = "This field is required when 'attributes.authorize_sesion_arguments.host_id' is specified."
+		if req.GetItem().GetTargetAliasAttributes().GetAuthorizeSessionArguments().GetHostId() != "" {
+			if req.GetItem().GetDestinationId().GetValue() == "" {
+				badFields[globals.DestinationIdField] = "This field is required when 'attributes.authorize_sesion_arguments.host_id' is specified."
+			}
+			if !handlers.ValidId(handlers.Id(req.GetItem().GetTargetAliasAttributes().GetAuthorizeSessionArguments().GetHostId()), globals.StaticHostPrefix, globals.PluginHostPrefix) {
+				badFields["host_id"] = "Incorrectly formatted identifier."
+			}
 		}
 		return badFields
 	})
@ -601,6 +606,10 @@ func validateUpdateRequest(req *pbs.UpdateAliasRequest) error {
 		if handlers.MaskContains(req.GetUpdateMask().GetPaths(), "value") && req.GetItem().GetValue() == "" {
 			badFields["value"] = "This field is required."
 		}
+		if req.GetItem().GetTargetAliasAttributes().GetAuthorizeSessionArguments().GetHostId() != "" &&
+			!handlers.ValidId(handlers.Id(req.GetItem().GetTargetAliasAttributes().GetAuthorizeSessionArguments().GetHostId()), globals.StaticHostPrefix, globals.PluginHostPrefix) {
+			badFields["host_id"] = "Incorrectly formatted identifier."
+		}
 		return badFields
 	}, globals.TargetAliasPrefix)
 }
--- a/internal/daemon/controller/handlers/aliases/alias_service_test.go
+++ b/internal/daemon/controller/handlers/aliases/alias_service_test.go
@ -777,6 +777,76 @@ func TestCreate(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Alias to existing target with static host id",
+			req: &pbs.CreateAliasRequest{Item: &pb.Alias{
+				Type:    "target",
+				ScopeId: scope.Global.String(),
+				Value:   "target-assigned.valid.alias.two",
+				Attrs: &pb.Alias_TargetAliasAttributes{
+					TargetAliasAttributes: &pb.TargetAliasAttributes{
+						AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+							HostId: "hst_1234567890",
+						},
+					},
+				},
+				DestinationId: wrapperspb.String(tar.GetPublicId()),
+			}},
+			res: &pbs.CreateAliasResponse{
+				Uri: fmt.Sprintf("aliases/%s_", globals.TargetAliasPrefix),
+				Item: &pb.Alias{
+					Type:    "target",
+					ScopeId: scope.Global.String(),
+					Scope:   globalScopeInfo,
+					Value:   "target-assigned.valid.alias.two",
+					Attrs: &pb.Alias_TargetAliasAttributes{
+						TargetAliasAttributes: &pb.TargetAliasAttributes{
+							AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+								HostId: "hst_1234567890",
+							},
+						},
+					},
+					DestinationId:     wrapperspb.String(tar.GetPublicId()),
+					Version:           1,
+					AuthorizedActions: testAuthorizedActions,
+				},
+			},
+		},
+		{
+			name: "Alias to existing target with dynamic host id",
+			req: &pbs.CreateAliasRequest{Item: &pb.Alias{
+				Type:    "target",
+				ScopeId: scope.Global.String(),
+				Value:   "target-assigned.valid.alias.three",
+				Attrs: &pb.Alias_TargetAliasAttributes{
+					TargetAliasAttributes: &pb.TargetAliasAttributes{
+						AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+							HostId: "hplg_1234567890",
+						},
+					},
+				},
+				DestinationId: wrapperspb.String(tar.GetPublicId()),
+			}},
+			res: &pbs.CreateAliasResponse{
+				Uri: fmt.Sprintf("aliases/%s_", globals.TargetAliasPrefix),
+				Item: &pb.Alias{
+					Type:    "target",
+					ScopeId: scope.Global.String(),
+					Scope:   globalScopeInfo,
+					Value:   "target-assigned.valid.alias.three",
+					Attrs: &pb.Alias_TargetAliasAttributes{
+						TargetAliasAttributes: &pb.TargetAliasAttributes{
+							AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+								HostId: "hplg_1234567890",
+							},
+						},
+					},
+					DestinationId:     wrapperspb.String(tar.GetPublicId()),
+					Version:           1,
+					AuthorizedActions: testAuthorizedActions,
+				},
+			},
+		},
 		{
 			name: "Omitting the alias type",
 			req: &pbs.CreateAliasRequest{Item: &pb.Alias{
@ -802,6 +872,23 @@ func TestCreate(t *testing.T) {
 			}},
 			errContains: `This field is required when 'attributes.authorize_sesion_arguments.host_id' is specified.`,
 		},
+		{
+			name: "improperly formatted host id",
+			req: &pbs.CreateAliasRequest{Item: &pb.Alias{
+				Type:          "target",
+				ScopeId:       scope.Global.String(),
+				Value:         "bad-host-id.alias",
+				DestinationId: wrapperspb.String(tar.GetPublicId()),
+				Attrs: &pb.Alias_TargetAliasAttributes{
+					TargetAliasAttributes: &pb.TargetAliasAttributes{
+						AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+							HostId: "badid_1234567890",
+						},
+					},
+				},
+			}},
+			errContains: `Incorrectly formatted identifier.`,
+		},
 		{
 			name: "Alias to non existing target",
 			req: &pbs.CreateAliasRequest{Item: &pb.Alias{
@ -1235,6 +1322,107 @@ func TestUpdate(t *testing.T) {
 			res: nil,
 			err: handlers.ApiErrorWithCode(codes.InvalidArgument),
 		},
+		{
+			name: "Cant use invalid host id",
+			req: &pbs.UpdateAliasRequest{
+				Id: og.GetPublicId(),
+				UpdateMask: &field_mask.FieldMask{
+					Paths: []string{"host_id"},
+				},
+				Item: &pb.Alias{
+					Description: wrapperspb.String("new desc"),
+					Attrs: &pb.Alias_TargetAliasAttributes{
+						&pb.TargetAliasAttributes{
+							AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+								HostId: "badid_1234567890",
+							},
+						},
+					},
+				},
+			},
+			res: nil,
+			err: handlers.ApiErrorWithCode(codes.InvalidArgument),
+		},
+		{
+			name: "Update with static host id",
+			req: &pbs.UpdateAliasRequest{
+				Id: og.GetPublicId(),
+				UpdateMask: &field_mask.FieldMask{
+					Paths: []string{"attributes.authorize_session_arguments.host_id"},
+				},
+				Item: &pb.Alias{
+					Description: wrapperspb.String("new desc"),
+					Attrs: &pb.Alias_TargetAliasAttributes{
+						&pb.TargetAliasAttributes{
+							AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+								HostId: "hst_1234567890",
+							},
+						},
+					},
+				},
+			},
+			res: &pbs.UpdateAliasResponse{
+				Item: &pb.Alias{
+					Type:              "target",
+					Id:                og.GetPublicId(),
+					Name:              wrapperspb.String("default"),
+					ScopeId:           og.GetScopeId(),
+					Scope:             globalScopeInfo,
+					Value:             "default",
+					DestinationId:     wrapperspb.String(tar.GetPublicId()),
+					Description:       wrapperspb.String("default"),
+					CreatedTime:       og.GetCreateTime().GetTimestamp(),
+					AuthorizedActions: testAuthorizedActions,
+					Attrs: &pb.Alias_TargetAliasAttributes{
+						&pb.TargetAliasAttributes{
+							AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+								HostId: "hst_1234567890",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "Update with dynamic host id",
+			req: &pbs.UpdateAliasRequest{
+				Id: og.GetPublicId(),
+				UpdateMask: &field_mask.FieldMask{
+					Paths: []string{"attributes.authorize_session_arguments.host_id"},
+				},
+				Item: &pb.Alias{
+					Description: wrapperspb.String("new desc"),
+					Attrs: &pb.Alias_TargetAliasAttributes{
+						&pb.TargetAliasAttributes{
+							AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+								HostId: "hplg_1234567890",
+							},
+						},
+					},
+				},
+			},
+			res: &pbs.UpdateAliasResponse{
+				Item: &pb.Alias{
+					Type:              "target",
+					Id:                og.GetPublicId(),
+					Name:              wrapperspb.String("default"),
+					ScopeId:           og.GetScopeId(),
+					Scope:             globalScopeInfo,
+					Value:             "default",
+					DestinationId:     wrapperspb.String(tar.GetPublicId()),
+					Description:       wrapperspb.String("default"),
+					CreatedTime:       og.GetCreateTime().GetTimestamp(),
+					AuthorizedActions: testAuthorizedActions,
+					Attrs: &pb.Alias_TargetAliasAttributes{
+						&pb.TargetAliasAttributes{
+							AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+								HostId: "hplg_1234567890",
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "Cant specify Created Time",
 			req: &pbs.UpdateAliasRequest{