Merge pull request #4419 from hashicorp/backport/jbrandhorst-always-set-pagination-fields/grossly-pretty-monkfish

This pull request was automerged via backport-assistant

internal/daemon/controller/handlers/accounts/account_service_test.go

@@ -1238,6 +1238,27 @@ func TestListPagination(t *testing.T) {
 				protocmp.IgnoreFields(&pbs.ListAccountsResponse{}, "list_token"),
 			),
 		)
+
+		// Create unauthenticated user
+		unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId())
+		unauthR := iam.TestRole(t, conn, pwt.GetPublicId())
+		_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+		// Make a request with the unauthenticated user,
+		// ensure the response is 403 forbidden.
+		requestInfo = authpb.RequestInfo{
+			TokenFormat: uint32(requestauth.AuthTokenTypeBearer),
+			PublicId:    unauthAt.GetPublicId(),
+			Token:       unauthAt.GetToken(),
+		}
+		requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+		ctx = requestauth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo)
+
+		_, err = s.ListAccounts(ctx, &pbs.ListAccountsRequest{
+			AuthMethodId: authMethod.GetPublicId(),
+		})
+		require.Error(t, err)
+		assert.Equal(t, handlers.ForbiddenError(), err)
 	})
 
 	t.Run("oidc", func(t *testing.T) {
@@ -1555,6 +1576,27 @@ func TestListPagination(t *testing.T) {
 				protocmp.IgnoreFields(&pbs.ListAccountsResponse{}, "list_token"),
 			),
 		)
+
+		// Create unauthenticated user
+		unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId())
+		unauthR := iam.TestRole(t, conn, pwt.GetPublicId())
+		_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+		// Make a request with the unauthenticated user,
+		// ensure the response is 403 forbidden.
+		requestInfo = authpb.RequestInfo{
+			TokenFormat: uint32(requestauth.AuthTokenTypeBearer),
+			PublicId:    unauthAt.GetPublicId(),
+			Token:       unauthAt.GetToken(),
+		}
+		requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+		ctx = requestauth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo)
+
+		_, err = s.ListAccounts(ctx, &pbs.ListAccountsRequest{
+			AuthMethodId: authMethod.GetPublicId(),
+		})
+		require.Error(t, err)
+		assert.Equal(t, handlers.ForbiddenError(), err)
 	})
 
 	t.Run("ldap", func(t *testing.T) {
@@ -1869,6 +1911,27 @@ func TestListPagination(t *testing.T) {
 				protocmp.IgnoreFields(&pbs.ListAccountsResponse{}, "list_token"),
 			),
 		)
+
+		// Create unauthenticated user
+		unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId())
+		unauthR := iam.TestRole(t, conn, pwt.GetPublicId())
+		_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+		// Make a request with the unauthenticated user,
+		// ensure the response is 403 forbidden.
+		requestInfo = authpb.RequestInfo{
+			TokenFormat: uint32(requestauth.AuthTokenTypeBearer),
+			PublicId:    unauthAt.GetPublicId(),
+			Token:       unauthAt.GetToken(),
+		}
+		requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+		ctx = requestauth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo)
+
+		_, err = s.ListAccounts(ctx, &pbs.ListAccountsRequest{
+			AuthMethodId: authMethod.GetPublicId(),
+		})
+		require.Error(t, err)
+		assert.Equal(t, handlers.ForbiddenError(), err)
 	})
 }
 

internal/daemon/controller/handlers/authmethods/authmethod_service.go

@@ -189,10 +189,6 @@ func (s Service) ListAuthMethods(ctx context.Context, req *pbs.ListAuthMethodsRe
 	if err != nil {
 		return nil, err
 	}
-	// If no scopes match, return an empty response
-	if len(scopeIds) == 0 {
-		return &pbs.ListAuthMethodsResponse{}, nil
-	}
 
 	var filterItemFn func(ctx context.Context, item auth.AuthMethod) (bool, error)
 	switch {

internal/daemon/controller/handlers/authmethods/authmethod_service_test.go

@@ -1645,7 +1645,7 @@ func TestListPagination(t *testing.T) {
 	require.NoError(t, err)
 
 	orgNoAms, _ := iam.TestScopes(t, iamRepo)
-	org, proj := iam.TestScopes(t, iamRepo)
+	org, proj := iam.TestScopes(t, iamRepo, iam.WithSkipDefaultRoleCreation(true))
 	databaseWrapper, err := kmsCache.GetWrapper(context.Background(), org.GetPublicId(), kms.KeyPurposeDatabase)
 	require.NoError(t, err)
 
@@ -2020,4 +2020,29 @@ func TestListPagination(t *testing.T) {
 			cmpOptions...,
 		),
 	)
+
+	// Create unauthenticated user
+	unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, org.GetPublicId())
+	unauthR := iam.TestRole(t, conn, proj.GetPublicId())
+	_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+	// Make a request with the unauthenticated user,
+	// ensure the response contains the pagination parameters.
+	requestInfo = authpb.RequestInfo{
+		TokenFormat: uint32(requestauth.AuthTokenTypeBearer),
+		PublicId:    unauthAt.GetPublicId(),
+		Token:       unauthAt.GetToken(),
+	}
+	requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+	ctx = requestauth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo)
+
+	got, err = s.ListAuthMethods(ctx, &pbs.ListAuthMethodsRequest{
+		ScopeId:   "global",
+		Recursive: true,
+	})
+	require.NoError(t, err)
+	assert.Empty(t, got.Items)
+	assert.Equal(t, "created_time", got.SortBy)
+	assert.Equal(t, "desc", got.SortDir)
+	assert.Equal(t, "complete", got.ResponseType)
 }

internal/daemon/controller/handlers/authtokens/authtoken_service.go

@@ -103,10 +103,6 @@ func (s Service) ListAuthTokens(ctx context.Context, req *pbs.ListAuthTokensRequ
 	if err != nil {
 		return nil, errors.Wrap(ctx, err, op)
 	}
-	// If no scopes match, return an empty response
-	if len(scopeIds) == 0 {
-		return &pbs.ListAuthTokensResponse{}, nil
-	}
 
 	pageSize := int(s.maxPageSize)
 	// Use the requested page size only if it is smaller than

internal/daemon/controller/handlers/authtokens/authtoken_service_test.go

@@ -790,6 +790,31 @@ func TestListPagination(t *testing.T) {
 			protocmp.IgnoreFields(&pbs.ListAuthTokensResponse{}, "list_token"),
 		),
 	)
+
+	// Create unauthenticated user
+	unauthAt := authtoken.TestAuthToken(t, conn, kms, orgWithTokens.GetPublicId())
+	unauthR := iam.TestRole(t, conn, pwt.GetPublicId())
+	_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+	// Make a request with the unauthenticated user,
+	// ensure the response contains the pagination parameters.
+	requestInfo = authpb.RequestInfo{
+		TokenFormat: uint32(auth.AuthTokenTypeBearer),
+		PublicId:    unauthAt.GetPublicId(),
+		Token:       unauthAt.GetToken(),
+	}
+	requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+	ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+	got, err = a.ListAuthTokens(ctx, &pbs.ListAuthTokensRequest{
+		ScopeId:   "global",
+		Recursive: true,
+	})
+	require.NoError(t, err)
+	assert.Len(t, got.Items, 1) // There will always be at least one token, the token used to authenticate
+	assert.Equal(t, "created_time", got.SortBy)
+	assert.Equal(t, "desc", got.SortDir)
+	assert.Equal(t, "complete", got.ResponseType)
 }
 
 func TestDeleteSelf(t *testing.T) {

internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service_test.go

@@ -3041,4 +3041,25 @@ func TestListPagination(t *testing.T) {
 			protocmp.Transform(),
 		),
 	)
+
+	// Create unauthenticated user
+	unauthAt := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
+	unauthR := iam.TestRole(t, conn, prj.GetPublicId())
+	_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+	// Make a request with the unauthenticated user,
+	// ensure the response is 403 forbidden.
+	requestInfo = authpb.RequestInfo{
+		TokenFormat: uint32(auth.AuthTokenTypeBearer),
+		PublicId:    unauthAt.GetPublicId(),
+		Token:       unauthAt.GetToken(),
+	}
+	requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+	ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+	_, err = s.ListCredentialLibraries(ctx, &pbs.ListCredentialLibrariesRequest{
+		CredentialStoreId: credStore.PublicId,
+	})
+	require.Error(err)
+	assert.Equal(handlers.ForbiddenError(), err)
 }

internal/daemon/controller/handlers/credentials/credential_service_test.go

@@ -1830,4 +1830,25 @@ func TestListPagination(t *testing.T) {
 			protocmp.IgnoreFields(&pbs.ListCredentialsResponse{}, "list_token"),
 		),
 	)
+
+	// Create unauthenticated user
+	unauthAt := authtoken.TestAuthToken(t, conn, kmsRepo, o.GetPublicId())
+	unauthR := iam.TestRole(t, conn, prj.GetPublicId())
+	_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+	// Make a request with the unauthenticated user,
+	// ensure the response is 403 forbidden.
+	requestInfo = authpb.RequestInfo{
+		TokenFormat: uint32(auth.AuthTokenTypeBearer),
+		PublicId:    unauthAt.GetPublicId(),
+		Token:       unauthAt.GetToken(),
+	}
+	requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+	ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsRepo, &requestInfo)
+
+	_, err = s.ListCredentials(ctx, &pbs.ListCredentialsRequest{
+		CredentialStoreId: credStore.PublicId,
+	})
+	require.Error(err)
+	assert.Equal(handlers.ForbiddenError(), err)
 }

internal/daemon/controller/handlers/credentialstores/credentialstore_service_test.go

@@ -2008,4 +2008,26 @@ func TestListPagination(t *testing.T) {
 			protocmp.IgnoreFields(&pbs.ListCredentialStoresResponse{}, "list_token"),
 		),
 	)
+
+	// Create unauthenticated user
+	unauthAt := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
+	unauthR := iam.TestRole(t, conn, prj.GetPublicId())
+	_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+	// Make a request with the unauthenticated user,
+	// ensure the response is 403 forbidden.
+	requestInfo = authpb.RequestInfo{
+		TokenFormat: uint32(auth.AuthTokenTypeBearer),
+		PublicId:    unauthAt.GetPublicId(),
+		Token:       unauthAt.GetToken(),
+	}
+	requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+	ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+	_, err = s.ListCredentialStores(ctx, &pbs.ListCredentialStoresRequest{
+		ScopeId:   "global",
+		Recursive: true,
+	})
+	require.Error(err)
+	assert.ErrorIs(handlers.ForbiddenError(), err)
 }

internal/daemon/controller/handlers/groups/group_service.go

@@ -114,10 +114,6 @@ func (s Service) ListGroups(ctx context.Context, req *pbs.ListGroupsRequest) (*p
 	if err != nil {
 		return nil, err
 	}
-	// If no scopes match, return an empty response
-	if len(scopeIds) == 0 {
-		return &pbs.ListGroupsResponse{}, nil
-	}
 
 	pageSize := int(s.maxPageSize)
 	// Use the requested page size only if it is smaller than

internal/daemon/controller/handlers/groups/group_service_test.go

@@ -801,6 +801,28 @@ func TestListPagination(t *testing.T) {
 			protocmp.IgnoreFields(&pbs.ListGroupsResponse{}, "list_token"),
 		),
 	)
+
+	// Create unauthenticated user
+	unauthAt := authtoken.TestAuthToken(t, conn, kms, oWithGroups.GetPublicId())
+	unauthR := iam.TestRole(t, conn, pWithGroups.GetPublicId())
+	_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+	// Make a request with the unauthenticated user,
+	// ensure the response is 403 forbidden.
+	requestInfo = authpb.RequestInfo{
+		TokenFormat: uint32(auth.AuthTokenTypeBearer),
+		PublicId:    unauthAt.GetPublicId(),
+		Token:       unauthAt.GetToken(),
+	}
+	requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+	ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+	_, err = a.ListGroups(ctx, &pbs.ListGroupsRequest{
+		ScopeId:   "global",
+		Recursive: true,
+	})
+	require.Error(t, err)
+	assert.Equal(t, handlers.ForbiddenError(), err)
 }
 
 func TestDelete(t *testing.T) {

internal/daemon/controller/handlers/host_catalogs/host_catalog_service.go

@@ -174,10 +174,6 @@ func (s Service) ListHostCatalogs(ctx context.Context, req *pbs.ListHostCatalogs
 	if err != nil {
 		return nil, errors.Wrap(ctx, err, op)
 	}
-	// If no scopes match, return an empty response
-	if len(scopeIds) == 0 {
-		return &pbs.ListHostCatalogsResponse{}, nil
-	}
 	pageSize := int(s.maxPageSize)
 	// Use the requested page size only if it is smaller than
 	// the configured max.

internal/daemon/controller/handlers/host_catalogs/host_catalog_service_test.go

@@ -886,6 +886,28 @@ func TestListPagination(t *testing.T) {
 			protocmp.IgnoreFields(&pbs.ListHostCatalogsResponse{}, "list_token"),
 		),
 	)
+
+	// Create unauthenticated user
+	unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId())
+	unauthR := iam.TestRole(t, conn, proj.GetPublicId())
+	_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+	// Make a request with the unauthenticated user,
+	// ensure the response contains the pagination parameters.
+	requestInfo = authpb.RequestInfo{
+		TokenFormat: uint32(auth.AuthTokenTypeBearer),
+		PublicId:    unauthAt.GetPublicId(),
+		Token:       unauthAt.GetToken(),
+	}
+	requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+	ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+	_, err = s.ListHostCatalogs(ctx, &pbs.ListHostCatalogsRequest{
+		ScopeId:   "global",
+		Recursive: true,
+	})
+	require.Error(t, err)
+	assert.ErrorIs(t, handlers.ForbiddenError(), err)
 }
 
 func TestDelete_Static(t *testing.T) {

internal/daemon/controller/handlers/host_sets/host_set_service_test.go

@@ -856,6 +856,27 @@ func TestListPagination(t *testing.T) {
 				protocmp.IgnoreFields(&pbs.ListHostSetsResponse{}, "list_token"),
 			),
 		)
+
+		// Create unauthenticated user
+		unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId())
+		unauthR := iam.TestRole(t, conn, proj.GetPublicId())
+		_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+		// Make a request with the unauthenticated user,
+		// ensure the response contains the pagination parameters.
+		requestInfo := authpb.RequestInfo{
+			TokenFormat: uint32(auth.AuthTokenTypeBearer),
+			PublicId:    unauthAt.GetPublicId(),
+			Token:       unauthAt.GetToken(),
+		}
+		requestContext := context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+		ctx := auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+		_, err = s.ListHostSets(ctx, &pbs.ListHostSetsRequest{
+			HostCatalogId: shc.GetPublicId(),
+		})
+		require.Error(t, err)
+		assert.ErrorIs(t, handlers.ForbiddenError(), err)
 	})
 
 	t.Run("plugin-host-sets", func(t *testing.T) {
@@ -1086,6 +1107,27 @@ func TestListPagination(t *testing.T) {
 				protocmp.IgnoreFields(&pbs.ListHostSetsResponse{}, "list_token"),
 			),
 		)
+
+		// Create unauthenticated user
+		unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId())
+		unauthR := iam.TestRole(t, conn, proj.GetPublicId())
+		_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+		// Make a request with the unauthenticated user,
+		// ensure the response contains the pagination parameters.
+		requestInfo := authpb.RequestInfo{
+			TokenFormat: uint32(auth.AuthTokenTypeBearer),
+			PublicId:    unauthAt.GetPublicId(),
+			Token:       unauthAt.GetToken(),
+		}
+		requestContext := context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+		ctx := auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+		_, err = s.ListHostSets(ctx, &pbs.ListHostSetsRequest{
+			HostCatalogId: phc.GetPublicId(),
+		})
+		require.Error(t, err)
+		assert.ErrorIs(t, handlers.ForbiddenError(), err)
 	})
 }
 

internal/daemon/controller/handlers/hosts/host_service_test.go

@@ -867,6 +867,27 @@ func TestListPagination(t *testing.T) {
 				protocmp.IgnoreFields(&pbs.ListHostsResponse{}, "list_token"),
 			),
 		)
+
+		// Create unauthenticated user
+		unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId())
+		unauthR := iam.TestRole(t, conn, proj.GetPublicId())
+		_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+		// Make a request with the unauthenticated user,
+		// ensure the response contains the pagination parameters.
+		requestInfo := authpb.RequestInfo{
+			TokenFormat: uint32(auth.AuthTokenTypeBearer),
+			PublicId:    unauthAt.GetPublicId(),
+			Token:       unauthAt.GetToken(),
+		}
+		requestContext := context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+		ctx := auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+		_, err = s.ListHosts(ctx, &pbs.ListHostsRequest{
+			HostCatalogId: shc.GetPublicId(),
+		})
+		require.Error(t, err)
+		assert.ErrorIs(t, handlers.ForbiddenError(), err)
 	})
 
 	t.Run("plugin-hosts", func(t *testing.T) {
@@ -1044,6 +1065,26 @@ func TestListPagination(t *testing.T) {
 				protocmp.IgnoreFields(&pbs.ListHostsResponse{}, "list_token"),
 			),
 		)
+		// Create unauthenticated user
+		unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId())
+		unauthR := iam.TestRole(t, conn, proj.GetPublicId())
+		_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+		// Make a request with the unauthenticated user,
+		// ensure the response contains the pagination parameters.
+		requestInfo := authpb.RequestInfo{
+			TokenFormat: uint32(auth.AuthTokenTypeBearer),
+			PublicId:    unauthAt.GetPublicId(),
+			Token:       unauthAt.GetToken(),
+		}
+		requestContext := context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+		ctx := auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+		_, err = s.ListHosts(ctx, &pbs.ListHostsRequest{
+			HostCatalogId: phc.GetPublicId(),
+		})
+		require.Error(t, err)
+		assert.ErrorIs(t, handlers.ForbiddenError(), err)
 	})
 }
 

internal/daemon/controller/handlers/managed_groups/managed_group_service_test.go

@@ -997,6 +997,27 @@ func TestListPagination(t *testing.T) {
 				protocmp.IgnoreFields(&pbs.ListManagedGroupsResponse{}, "list_token"),
 			),
 		)
+
+		// Create unauthenticated user
+		unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId())
+		unauthR := iam.TestRole(t, conn, pwt.GetPublicId())
+		_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+		// Make a request with the unauthenticated user,
+		// ensure the response contains the pagination parameters.
+		requestInfo = authpb.RequestInfo{
+			TokenFormat: uint32(auth.AuthTokenTypeBearer),
+			PublicId:    unauthAt.GetPublicId(),
+			Token:       unauthAt.GetToken(),
+		}
+		requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+		ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo)
+
+		_, err = s.ListManagedGroups(ctx, &pbs.ListManagedGroupsRequest{
+			AuthMethodId: authMethod.GetPublicId(),
+		})
+		require.Error(t, err)
+		assert.ErrorIs(t, handlers.ForbiddenError(), err)
 	})
 
 	t.Run("ldap", func(t *testing.T) {
@@ -1296,6 +1317,27 @@ func TestListPagination(t *testing.T) {
 				protocmp.IgnoreFields(&pbs.ListManagedGroupsResponse{}, "list_token"),
 			),
 		)
+
+		// Create unauthenticated user
+		unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId())
+		unauthR := iam.TestRole(t, conn, pwt.GetPublicId())
+		_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+		// Make a request with the unauthenticated user,
+		// ensure the response contains the pagination parameters.
+		requestInfo = authpb.RequestInfo{
+			TokenFormat: uint32(auth.AuthTokenTypeBearer),
+			PublicId:    unauthAt.GetPublicId(),
+			Token:       unauthAt.GetToken(),
+		}
+		requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+		ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo)
+
+		_, err = s.ListManagedGroups(ctx, &pbs.ListManagedGroupsRequest{
+			AuthMethodId: authMethod.GetPublicId(),
+		})
+		require.Error(t, err)
+		assert.ErrorIs(t, handlers.ForbiddenError(), err)
 	})
 }
 

internal/daemon/controller/handlers/roles/role_service.go

@@ -123,10 +123,6 @@ func (s Service) ListRoles(ctx context.Context, req *pbs.ListRolesRequest) (*pbs
 	if err != nil {
 		return nil, err
 	}
-	// If no scopes match, return an empty response
-	if len(scopeIds) == 0 {
-		return &pbs.ListRolesResponse{}, nil
-	}
 
 	pageSize := int(s.maxPageSize)
 	// Use the requested page size only if it is smaller than

internal/daemon/controller/handlers/roles/role_service_test.go

@@ -760,6 +760,28 @@ func TestListPagination(t *testing.T) {
 			protocmp.IgnoreFields(&pbs.ListRolesResponse{}, "list_token"),
 		),
 	)
+
+	// Create unauthenticated user
+	unauthAt := authtoken.TestAuthToken(t, conn, kms, oWithRoles.GetPublicId())
+	unauthR := iam.TestRole(t, conn, pWithRoles.GetPublicId())
+	_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+	// Make a request with the unauthenticated user,
+	// ensure the response contains the pagination parameters.
+	requestInfo = authpb.RequestInfo{
+		TokenFormat: uint32(auth.AuthTokenTypeBearer),
+		PublicId:    unauthAt.GetPublicId(),
+		Token:       unauthAt.GetToken(),
+	}
+	requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+	ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+	_, err = a.ListRoles(ctx, &pbs.ListRolesRequest{
+		ScopeId:   "global",
+		Recursive: true,
+	})
+	require.Error(t, err)
+	assert.ErrorIs(t, handlers.ForbiddenError(), err)
 }
 
 func TestDelete(t *testing.T) {

internal/daemon/controller/handlers/scopes/scope_service.go

@@ -185,10 +185,6 @@ func (s *Service) ListScopes(ctx context.Context, req *pbs.ListScopesRequest) (*
 	if err != nil {
 		return nil, err
 	}
-	// If no scopes match, return an empty response
-	if len(scopeIds) == 0 {
-		return &pbs.ListScopesResponse{}, nil
-	}
 
 	pageSize := int(s.maxPageSize)
 	// Use the requested page size only if it is smaller than

internal/daemon/controller/handlers/scopes/scope_service_test.go

@@ -690,7 +690,7 @@ func TestListPagination(t *testing.T) {
 		return server.NewRepository(ctx, rw, rw, kms)
 	}
 
-	oWithProjects, p2 := iam.TestScopes(t, repo)
+	oWithProjects, p2 := iam.TestScopes(t, repo, iam.WithSkipDefaultRoleCreation(true))
 	_, err = repo.DeleteScope(context.Background(), p2.GetPublicId())
 	require.NoError(t, err)
 
@@ -974,6 +974,28 @@ func TestListPagination(t *testing.T) {
 			protocmp.IgnoreFields(&pbs.ListScopesResponse{}, "list_token"),
 		),
 	)
+
+	// Create unauthenticated user
+	unauthAt := authtoken.TestAuthToken(t, conn, kms, oWithProjects.GetPublicId())
+	unauthR := iam.TestRole(t, conn, p.GetPublicId())
+	_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+	// Make a request with the unauthenticated user,
+	// ensure the response contains the pagination parameters.
+	requestInfo = authpb.RequestInfo{
+		TokenFormat: uint32(auth.AuthTokenTypeBearer),
+		PublicId:    unauthAt.GetPublicId(),
+		Token:       unauthAt.GetToken(),
+	}
+	requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+	ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+	_, err = s.ListScopes(ctx, &pbs.ListScopesRequest{
+		ScopeId:   "global",
+		Recursive: true,
+	})
+	require.Error(t, err)
+	assert.ErrorIs(t, handlers.ForbiddenError(), err)
 }
 
 func TestDelete(t *testing.T) {

internal/daemon/controller/handlers/sessions/session_service_test.go

@@ -746,10 +746,13 @@ func TestListPagination(t *testing.T) {
 		return server.NewRepository(ctx, rw, rw, kms)
 	}
 
-	o, pWithSessions := iam.TestScopes(t, iamRepo)
+	o, pWithSessions := iam.TestScopes(t, iamRepo, iam.WithSkipDefaultRoleCreation(true))
 
 	at := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
 	uId := at.GetIamUserId()
+	pr := iam.TestRole(t, conn, pWithSessions.GetPublicId())
+	_ = iam.TestUserRole(t, conn, pr.GetPublicId(), at.GetIamUserId())
+	_ = iam.TestRoleGrant(t, conn, pr.GetPublicId(), "ids=*;type=session;actions=read:self,list,cancel:self")
 
 	hc := static.TestCatalogs(t, conn, pWithSessions.GetPublicId(), 1)[0]
 	hs := static.TestSets(t, conn, hc.GetPublicId(), 1)[0]
@@ -1063,6 +1066,28 @@ func TestListPagination(t *testing.T) {
 			protocmp.IgnoreFields(&pbs.ListSessionsResponse{}, "list_token"),
 		),
 	)
+
+	// Create unauthenticated user
+	unauthAt := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
+	unauthR := iam.TestRole(t, conn, pWithSessions.GetPublicId())
+	_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+	// Make a request with the unauthenticated user,
+	// ensure the response contains the pagination parameters.
+	requestInfo = authpb.RequestInfo{
+		TokenFormat: uint32(auth.AuthTokenTypeBearer),
+		PublicId:    unauthAt.GetPublicId(),
+		Token:       unauthAt.GetToken(),
+	}
+	requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+	ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+	_, err = s.ListSessions(ctx, &pbs.ListSessionsRequest{
+		ScopeId:   "global",
+		Recursive: true,
+	})
+	require.Error(t, err)
+	assert.ErrorIs(t, handlers.ForbiddenError(), err)
 }
 
 func convertStates(in []*session.State) (string, []*pb.SessionState) {

internal/daemon/controller/handlers/targets/target_service.go

@@ -234,7 +234,11 @@ func (s Service) ListTargets(ctx context.Context, req *pbs.ListTargetsRequest) (
 	// Get all user permissions for the requested scope(s).
 	userPerms := authResults.ACL().ListPermissions(authzScopes, resource.Target, IdActions, authResults.UserId)
 	if len(userPerms) == 0 {
-		return &pbs.ListTargetsResponse{}, nil
+		return &pbs.ListTargetsResponse{
+			ResponseType: "complete",
+			SortBy:       "created_time",
+			SortDir:      "desc",
+		}, nil
 	}
 
 	pageSize := int(s.maxPageSize)

internal/daemon/controller/handlers/targets/tcp/target_service_test.go

@@ -783,6 +783,31 @@ func TestListPagination(t *testing.T) {
 			protocmp.IgnoreFields(&pbs.ListTargetsResponse{}, "list_token"),
 		),
 	)
+
+	// Create unauthenticated user
+	unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId())
+	unauthR := iam.TestRole(t, conn, proj.GetPublicId())
+	_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+	// Make a request with the unauthenticated user,
+	// ensure the response contains the pagination parameters.
+	requestInfo = authpb.RequestInfo{
+		TokenFormat: uint32(auth.AuthTokenTypeBearer),
+		PublicId:    unauthAt.GetPublicId(),
+		Token:       unauthAt.GetToken(),
+	}
+	requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+	ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+	got, err = s.ListTargets(ctx, &pbs.ListTargetsRequest{
+		ScopeId:   "global",
+		Recursive: true,
+	})
+	require.NoError(t, err)
+	assert.Empty(t, got.Items)
+	assert.Equal(t, "created_time", got.SortBy)
+	assert.Equal(t, "desc", got.SortDir)
+	assert.Equal(t, "complete", got.ResponseType)
 }
 
 func TestDelete(t *testing.T) {

internal/daemon/controller/handlers/users/user_service.go

@@ -113,10 +113,6 @@ func (s Service) ListUsers(ctx context.Context, req *pbs.ListUsersRequest) (*pbs
 	if err != nil {
 		return nil, err
 	}
-	// If no scopes match, return an empty response
-	if len(scopeIds) == 0 {
-		return &pbs.ListUsersResponse{}, nil
-	}
 
 	pageSize := int(s.maxPageSize)
 	// Use the requested page size only if it is smaller than

internal/daemon/controller/handlers/users/user_service_test.go

@@ -419,7 +419,7 @@ func TestListPagination(t *testing.T) {
 	require.NoError(t, err)
 
 	oNoUsers, _ := iam.TestScopes(t, iamRepo)
-	oWithUsers, _ := iam.TestScopes(t, iamRepo)
+	oWithUsers, p := iam.TestScopes(t, iamRepo)
 
 	var allUsers []*pb.User
 	// Get the 3 system users (u_recovery, u_anon, u_auth)
@@ -727,6 +727,28 @@ func TestListPagination(t *testing.T) {
 			protocmp.IgnoreFields(&pbs.ListUsersResponse{}, "list_token"),
 		),
 	)
+
+	// Create unauthenticated user
+	unauthAt := authtoken.TestAuthToken(t, conn, kms, oWithUsers.GetPublicId())
+	unauthR := iam.TestRole(t, conn, p.GetPublicId())
+	_ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+	// Make a request with the unauthenticated user,
+	// ensure the response contains the pagination parameters.
+	requestInfo = authpb.RequestInfo{
+		TokenFormat: uint32(auth.AuthTokenTypeBearer),
+		PublicId:    unauthAt.GetPublicId(),
+		Token:       unauthAt.GetToken(),
+	}
+	requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+	ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+	_, err = a.ListUsers(ctx, &pbs.ListUsersRequest{
+		ScopeId:   "global",
+		Recursive: true,
+	})
+	require.Error(t, err)
+	assert.ErrorIs(t, handlers.ForbiddenError(), err)
 }
 
 func TestDelete(t *testing.T) {