diff --git a/internal/daemon/controller/handlers/aliases/alias_service.go b/internal/daemon/controller/handlers/aliases/alias_service.go
index f05374546e..be67c21e45 100644
--- a/internal/daemon/controller/handlers/aliases/alias_service.go
+++ b/internal/daemon/controller/handlers/aliases/alias_service.go
@@ -588,8 +588,13 @@ func validateCreateRequest(req *pbs.CreateAliasRequest) error {
 if !strings.EqualFold(req.GetItem().GetType(), aliasTypeTarget) {
 badFields[globals.TypeField] = "This field is required. Current supported values are 'target'."
 }
- if req.GetItem().GetTargetAliasAttributes().GetAuthorizeSessionArguments().GetHostId() != "" && req.GetItem().GetDestinationId().GetValue() == "" {
- badFields[globals.DestinationIdField] = "This field is required when 'attributes.authorize_sesion_arguments.host_id' is specified."
+ if req.GetItem().GetTargetAliasAttributes().GetAuthorizeSessionArguments().GetHostId() != "" {
+ if req.GetItem().GetDestinationId().GetValue() == "" {
+ badFields[globals.DestinationIdField] = "This field is required when 'attributes.authorize_sesion_arguments.host_id' is specified."
+ }
+ if !handlers.ValidId(handlers.Id(req.GetItem().GetTargetAliasAttributes().GetAuthorizeSessionArguments().GetHostId()), globals.StaticHostPrefix, globals.PluginHostPrefix) {
+ badFields["host_id"] = "Incorrectly formatted identifier."
+ }
 }
 return badFields
 })
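Review bot: The `handlers.ValidId` call added to validateCreateRequest checks only that host_id carries the static or plugin host prefix in a well-formed shape; nothing in this hunk ties the id to a host that exists or that is reachable through the destination target. If that binding is enforced later, presumably when a session is authorized through the alias, record it above the check with a comment such as `// Format check only: host existence and target membership are not verified here.` so the stored value is not treated as already vetted. The error is also keyed by the bare string `"host_id"`, while the neighbouring message names the field as `attributes.authorize_sesion_arguments.host_id` (with a `sesion` typo that the tests pin). A constant for the full path would keep key and message in step; validateUpdateRequest repeats the same bare key. The function body starts before this hunk.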
@@ -601,6 +606,10 @@ func validateUpdateRequest(req *pbs.UpdateAliasRequest) error {
 if handlers.MaskContains(req.GetUpdateMask().GetPaths(), "value") && req.GetItem().GetValue() == "" {
 badFields["value"] = "This field is required."
 }
+ if req.GetItem().GetTargetAliasAttributes().GetAuthorizeSessionArguments().GetHostId() != "" &&
+ !handlers.ValidId(handlers.Id(req.GetItem().GetTargetAliasAttributes().GetAuthorizeSessionArguments().GetHostId()), globals.StaticHostPrefix, globals.PluginHostPrefix) {
+ badFields["host_id"] = "Incorrectly formatted identifier."
+ }
 return badFields
 }, globals.TargetAliasPrefix)
 }
diff --git a/internal/daemon/controller/handlers/aliases/alias_service_test.go b/internal/daemon/controller/handlers/aliases/alias_service_test.go
index 4409402fc2..045ac8e18b 100644
--- a/internal/daemon/controller/handlers/aliases/alias_service_test.go
+++ b/internal/daemon/controller/handlers/aliases/alias_service_test.go
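Review bot: The host_id check added to validateUpdateRequest is not gated on the update mask, unlike the `value` check directly above it, which goes through `handlers.MaskContains`. A request that carries a malformed host_id outside the mask is therefore rejected even though the field would presumably not be written. That is the stricter choice, but it should be stated, e.g. `// Validated regardless of the update mask so a malformed id is never accepted silently.` The four-getter chain is also evaluated twice in one condition; binding it once, `hostId := req.GetItem().GetTargetAliasAttributes().GetAuthorizeSessionArguments().GetHostId()`, would make the condition readable. The function body starts outside this hunk.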
@@ -777,6 +777,76 @@ func TestCreate(t *testing.T) {
 },
 },
 },
+ {
+ name: "Alias to existing target with static host id",
+ req: &pbs.CreateAliasRequest{Item: &pb.Alias{
+ Type: "target",
+ ScopeId: scope.Global.String(),
+ Value: "target-assigned.valid.alias.two",
+ Attrs: &pb.Alias_TargetAliasAttributes{
+ TargetAliasAttributes: &pb.TargetAliasAttributes{
+ AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+ HostId: "hst_1234567890",
+ },
+ },
+ },
+ DestinationId: wrapperspb.String(tar.GetPublicId()),
+ }},
+ res: &pbs.CreateAliasResponse{
+ Uri: fmt.Sprintf("aliases/%s_", globals.TargetAliasPrefix),
+ Item: &pb.Alias{
+ Type: "target",
+ ScopeId: scope.Global.String(),
+ Scope: globalScopeInfo,
+ Value: "target-assigned.valid.alias.two",
+ Attrs: &pb.Alias_TargetAliasAttributes{
+ TargetAliasAttributes: &pb.TargetAliasAttributes{
+ AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+ HostId: "hst_1234567890",
+ },
+ },
+ },
+ DestinationId: wrapperspb.String(tar.GetPublicId()),
+ Version: 1,
+ AuthorizedActions: testAuthorizedActions,
+ },
+ },
+ },
+ {
+ name: "Alias to existing target with dynamic host id",
+ req: &pbs.CreateAliasRequest{Item: &pb.Alias{
+ Type: "target",
+ ScopeId: scope.Global.String(),
+ Value: "target-assigned.valid.alias.three",
+ Attrs: &pb.Alias_TargetAliasAttributes{
+ TargetAliasAttributes: &pb.TargetAliasAttributes{
+ AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+ HostId: "hplg_1234567890",
+ },
+ },
+ },
+ DestinationId: wrapperspb.String(tar.GetPublicId()),
+ }},
+ res: &pbs.CreateAliasResponse{
+ Uri: fmt.Sprintf("aliases/%s_", globals.TargetAliasPrefix),
+ Item: &pb.Alias{
+ Type: "target",
+ ScopeId: scope.Global.String(),
+ Scope: globalScopeInfo,
+ Value: "target-assigned.valid.alias.three",
+ Attrs: &pb.Alias_TargetAliasAttributes{
+ TargetAliasAttributes: &pb.TargetAliasAttributes{
+ AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+ HostId: "hplg_1234567890",
+ },
+ },
+ },
+ DestinationId: wrapperspb.String(tar.GetPublicId()),
+ Version: 1,
+ AuthorizedActions: testAuthorizedActions,
+ },
+ },
+ },
 {
 name: "Omitting the alias type",
 req: &pbs.CreateAliasRequest{Item: &pb.Alias{
@@ -802,6 +872,23 @@ func TestCreate(t *testing.T) {
 }},
 errContains: `This field is required when 'attributes.authorize_sesion_arguments.host_id' is specified.`,
 },
+ {
+ name: "improperly formatted host id",
+ req: &pbs.CreateAliasRequest{Item: &pb.Alias{
+ Type: "target",
+ ScopeId: scope.Global.String(),
+ Value: "bad-host-id.alias",
+ DestinationId: wrapperspb.String(tar.GetPublicId()),
+ Attrs: &pb.Alias_TargetAliasAttributes{
+ TargetAliasAttributes: &pb.TargetAliasAttributes{
+ AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+ HostId: "badid_1234567890",
+ },
+ },
+ },
+ }},
+ errContains: `Incorrectly formatted identifier.`,
+ },
 {
 name: "Alias to non existing target",
 req: &pbs.CreateAliasRequest{Item: &pb.Alias{
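Review bot: The rejection case `improperly formatted host id` covers only an unknown prefix (`badid_1234567890`), so it would keep passing if the validator looked at the prefix alone. Add a case with a valid prefix and a malformed remainder, and one with the id of a neighbouring resource type such as a host set or host catalog, since those are the values a caller is most likely to submit by mistake. The two success cases in the preceding hunk use ids (`hst_1234567890`, `hplg_1234567890`) that do not appear to be created by the test, which pins the behaviour that an alias may name a host that does not exist. A one-line comment on those cases, `// host id is format-checked only; the host need not exist`, would mark that as deliberate.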
@@ -1235,6 +1322,107 @@ func TestUpdate(t *testing.T) {
 res: nil,
 err: handlers.ApiErrorWithCode(codes.InvalidArgument),
 },
+ {
+ name: "Cant use invalid host id",
+ req: &pbs.UpdateAliasRequest{
+ Id: og.GetPublicId(),
+ UpdateMask: &field_mask.FieldMask{
+ Paths: []string{"host_id"},
+ },
+ Item: &pb.Alias{
+ Description: wrapperspb.String("new desc"),
+ Attrs: &pb.Alias_TargetAliasAttributes{
+ &pb.TargetAliasAttributes{
+ AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+ HostId: "badid_1234567890",
+ },
+ },
+ },
+ },
+ },
+ res: nil,
+ err: handlers.ApiErrorWithCode(codes.InvalidArgument),
+ },
+ {
+ name: "Update with static host id",
+ req: &pbs.UpdateAliasRequest{
+ Id: og.GetPublicId(),
+ UpdateMask: &field_mask.FieldMask{
+ Paths: []string{"attributes.authorize_session_arguments.host_id"},
+ },
+ Item: &pb.Alias{
+ Description: wrapperspb.String("new desc"),
+ Attrs: &pb.Alias_TargetAliasAttributes{
+ &pb.TargetAliasAttributes{
+ AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+ HostId: "hst_1234567890",
+ },
+ },
+ },
+ },
+ },
+ res: &pbs.UpdateAliasResponse{
+ Item: &pb.Alias{
+ Type: "target",
+ Id: og.GetPublicId(),
+ Name: wrapperspb.String("default"),
+ ScopeId: og.GetScopeId(),
+ Scope: globalScopeInfo,
+ Value: "default",
+ DestinationId: wrapperspb.String(tar.GetPublicId()),
+ Description: wrapperspb.String("default"),
+ CreatedTime: og.GetCreateTime().GetTimestamp(),
+ AuthorizedActions: testAuthorizedActions,
+ Attrs: &pb.Alias_TargetAliasAttributes{
+ &pb.TargetAliasAttributes{
+ AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+ HostId: "hst_1234567890",
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "Update with dynamic host id",
+ req: &pbs.UpdateAliasRequest{
+ Id: og.GetPublicId(),
+ UpdateMask: &field_mask.FieldMask{
+ Paths: []string{"attributes.authorize_session_arguments.host_id"},
+ },
+ Item: &pb.Alias{
+ Description: wrapperspb.String("new desc"),
+ Attrs: &pb.Alias_TargetAliasAttributes{
+ &pb.TargetAliasAttributes{
+ AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+ HostId: "hplg_1234567890",
+ },
+ },
+ },
+ },
+ },
+ res: &pbs.UpdateAliasResponse{
+ Item: &pb.Alias{
+ Type: "target",
+ Id: og.GetPublicId(),
+ Name: wrapperspb.String("default"),
+ ScopeId: og.GetScopeId(),
+ Scope: globalScopeInfo,
+ Value: "default",
+ DestinationId: wrapperspb.String(tar.GetPublicId()),
+ Description: wrapperspb.String("default"),
+ CreatedTime: og.GetCreateTime().GetTimestamp(),
+ AuthorizedActions: testAuthorizedActions,
+ Attrs: &pb.Alias_TargetAliasAttributes{
+ &pb.TargetAliasAttributes{
+ AuthorizeSessionArguments: &pb.AuthorizeSessionArguments{
+ HostId: "hplg_1234567890",
+ },
+ },
+ },
+ },
+ },
+ },
 {
 name: "Cant specify Created Time",
 req: &pbs.UpdateAliasRequest{
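Review bot: The case `Cant use invalid host id` sets the update mask to `"host_id"`, whereas the two success cases use `"attributes.authorize_session_arguments.host_id"`, and it asserts only `codes.InvalidArgument`. If the short path is not a recognised mask path, the request may be rejected for that reason, and the test would pass without the new format check ever deciding the outcome. Use the full path, `Paths: []string{"attributes.authorize_session_arguments.host_id"},`, so the only invalid input is the id itself. The `pb.Alias_TargetAliasAttributes` literals in this hunk are also unkeyed, unlike the keyed `TargetAliasAttributes:` form used in TestCreate; `go vet`'s composites check typically flags unkeyed fields on struct types from another package.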