From 17049bad35bb6f51d721c86f194beb109b987485 Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Tue, 6 Feb 2024 23:23:38 +0000 Subject: [PATCH 01/16] backport of commit 231097a3cf68fdcbeba2bd9afde086dc194bfe0f --- .../handlers/targets/target_service.go | 6 ++++- .../targets/tcp/target_service_test.go | 25 +++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/internal/daemon/controller/handlers/targets/target_service.go b/internal/daemon/controller/handlers/targets/target_service.go index 0be8a53849..04f54f4ebc 100644 --- a/internal/daemon/controller/handlers/targets/target_service.go +++ b/internal/daemon/controller/handlers/targets/target_service.go @@ -234,7 +234,11 @@ func (s Service) ListTargets(ctx context.Context, req *pbs.ListTargetsRequest) ( // Get all user permissions for the requested scope(s). userPerms := authResults.ACL().ListPermissions(authzScopes, resource.Target, IdActions, authResults.UserId) if len(userPerms) == 0 { - return &pbs.ListTargetsResponse{}, nil + return &pbs.ListTargetsResponse{ + ResponseType: "complete", + SortBy: "created_time", + SortDir: "desc", + }, nil } pageSize := int(s.maxPageSize) diff --git a/internal/daemon/controller/handlers/targets/tcp/target_service_test.go b/internal/daemon/controller/handlers/targets/tcp/target_service_test.go index 135ae89f2c..badf0fd342 100644 --- a/internal/daemon/controller/handlers/targets/tcp/target_service_test.go +++ b/internal/daemon/controller/handlers/targets/tcp/target_service_test.go 
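Review bot: The no-permission early return in ListTargets now hardcodes the literals "complete", "created_time" and "desc", which the regular list path further down (outside this hunk) presumably also emits, so the two responses can silently drift apart the next time one of them changes. Defining them once, e.g. `const (listResponseComplete = "complete"; defaultSortBy = "created_time"; defaultSortDir = "desc")`, and using the constants in both places keeps the empty response for a caller without list grants shaped exactly like the populated one. Whether the later path really uses the same values cannot be confirmed from here, since the rest of ListTargets lies outside the hunk.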
@@ -783,6 +783,31 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListTargetsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId()) + unauthR := iam.TestRole(t, conn, proj.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response contains the pagination parameters. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo) + + got, err = s.ListTargets(ctx, &pbs.ListTargetsRequest{ + ScopeId: "global", + Recursive: true, + }) + require.NoError(t, err) + assert.Empty(t, got.Items) + assert.Equal(t, "created_time", got.SortBy) + assert.Equal(t, "desc", got.SortDir) + assert.Equal(t, "complete", got.ResponseType) } func TestDelete(t *testing.T) { From f81d8ff9dff7365277f6fc489b0c44b59b98e9ba Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Wed, 7 Feb 2024 01:27:23 +0000 Subject: [PATCH 02/16] backport of commit 6b3af3a391b2daf16a530c27579b8fa363a3785b --- .../authmethods/authmethod_service.go | 4 --- .../authmethods/authmethod_service_test.go | 27 ++++++++++++++++++- 2 files changed, 26 insertions(+), 5 deletions(-) diff --git a/internal/daemon/controller/handlers/authmethods/authmethod_service.go b/internal/daemon/controller/handlers/authmethods/authmethod_service.go index b6f5a72f68..a552cce655 100644 --- a/internal/daemon/controller/handlers/authmethods/authmethod_service.go +++ b/internal/daemon/controller/handlers/authmethods/authmethod_service.go 
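Review bot: The comment `// Create unauthenticated user` misdescribes the fixture: `authtoken.TestAuthToken` issues a valid token and the request goes through `auth.NewVerifierContext`, so the caller is authenticated but holds a role with no grants, i.e. unauthorized rather than unauthenticated. Suggest `// Create a user with a valid token but no grants`, and `noGrantsAt`/`noGrantsR` instead of `unauthAt`/`unauthR` if a rename is cheap. The same wording is copied into the authmethods, accounts, authtokens, credentiallibraries, credentials, credentialstores, groups, host_catalogs, host_sets, hosts, managed_groups and roles test hunks of this series. TestListPagination begins and ends outside this hunk.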
@@ -189,10 +189,6 @@ func (s Service) ListAuthMethods(ctx context.Context, req *pbs.ListAuthMethodsRe if err != nil { return nil, err } - // If no scopes match, return an empty response - if len(scopeIds) == 0 { - return &pbs.ListAuthMethodsResponse{}, nil - } var filterItemFn func(ctx context.Context, item auth.AuthMethod) (bool, error) switch { diff --git a/internal/daemon/controller/handlers/authmethods/authmethod_service_test.go b/internal/daemon/controller/handlers/authmethods/authmethod_service_test.go index 436e610d5f..4ad29d71f6 100644 --- a/internal/daemon/controller/handlers/authmethods/authmethod_service_test.go +++ b/internal/daemon/controller/handlers/authmethods/authmethod_service_test.go @@ -1645,7 +1645,7 @@ func TestListPagination(t *testing.T) { require.NoError(t, err) orgNoAms, _ := iam.TestScopes(t, iamRepo) - org, proj := iam.TestScopes(t, iamRepo) + org, proj := iam.TestScopes(t, iamRepo, iam.WithSkipDefaultRoleCreation(true)) databaseWrapper, err := kmsCache.GetWrapper(context.Background(), org.GetPublicId(), kms.KeyPurposeDatabase) require.NoError(t, err) 
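Review bot: Removing the `len(scopeIds) == 0` early return means ListAuthMethods now continues into the list/pagination path with an empty scope set, and nothing in this hunk shows that the repository call downstream tolerates an empty slice; a query built from `scopeIds` could either error or, worse, treat an empty filter as "no scope restriction". The new test in authmethod_service_test.go asserts NoError and empty Items for a no-grant user, which exercises the happy case, but a one-line comment at the removal site, `// An empty scopeIds is handled by the list path and yields a complete, empty page`, would record the invariant the removal relies on. The same early return is dropped in ListAuthTokens, ListGroups, ListHostCatalogs, ListRoles and ListScopes in later patches of this series. The rest of ListAuthMethods is outside the hunk.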
@@ -2020,4 +2020,29 @@ func TestListPagination(t *testing.T) { cmpOptions..., ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, org.GetPublicId()) + unauthR := iam.TestRole(t, conn, proj.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response contains the pagination parameters. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(requestauth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = requestauth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo) + + got, err = s.ListAuthMethods(ctx, &pbs.ListAuthMethodsRequest{ + ScopeId: "global", + Recursive: true, + }) + require.NoError(t, err) + assert.Empty(t, got.Items) + assert.Equal(t, "created_time", got.SortBy) + assert.Equal(t, "desc", got.SortDir) + assert.Equal(t, "complete", got.ResponseType) } From b3399c6fe8bfb3bd0301811a5224c94fcfcf1456 Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Thu, 15 Feb 2024 02:08:48 +0000 Subject: [PATCH 03/16] backport of commit c9c086dd6d8f2af994c9e6ad570b1cdc5bba5a82 --- .../handlers/accounts/account_service_test.go | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/internal/daemon/controller/handlers/accounts/account_service_test.go b/internal/daemon/controller/handlers/accounts/account_service_test.go index 363a666565..d9d811037f 100644 --- a/internal/daemon/controller/handlers/accounts/account_service_test.go +++ b/internal/daemon/controller/handlers/accounts/account_service_test.go 
@@ -1238,6 +1238,27 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListAccountsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId()) + unauthR := iam.TestRole(t, conn, pwt.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response is 403 forbidden. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(requestauth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = requestauth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo) + + _, err = s.ListAccounts(ctx, &pbs.ListAccountsRequest{ + AuthMethodId: authMethod.GetPublicId(), + }) + require.Error(t, err) + assert.Equal(t, handlers.ForbiddenError(), err) }) t.Run("oidc", func(t *testing.T) { 
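Review bot: The twenty-line fixture (token, role, RequestInfo, verifier context, ListAccounts call, Forbidden assertion) is pasted verbatim into the password, oidc and ldap subtests of this file (this hunk and the two that follow it) and in near-identical form into the other handler tests of the series. A small test helper taking `t`, `conn`, `kmsCache`, the org and project ids and the three repo functions, and returning the verifier `context.Context` for a no-grant user, would leave each subtest with only the request and the assertion, and make a future change to how such a user is built a one-place edit. The enclosing subtests begin outside the hunk.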
@@ -1555,6 +1576,27 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListAccountsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId()) + unauthR := iam.TestRole(t, conn, pwt.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response is 403 forbidden. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(requestauth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = requestauth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo) + + _, err = s.ListAccounts(ctx, &pbs.ListAccountsRequest{ + AuthMethodId: authMethod.GetPublicId(), + }) + require.Error(t, err) + assert.Equal(t, handlers.ForbiddenError(), err) }) t.Run("ldap", func(t *testing.T) { 
@@ -1869,6 +1911,27 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListAccountsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId()) + unauthR := iam.TestRole(t, conn, pwt.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response is 403 forbidden. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(requestauth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = requestauth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo) + + _, err = s.ListAccounts(ctx, &pbs.ListAccountsRequest{ + AuthMethodId: authMethod.GetPublicId(), + }) + require.Error(t, err) + assert.Equal(t, handlers.ForbiddenError(), err) }) } From e3b2d35bdd182bc6d101f223d8478430823c13d3 Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Thu, 15 Feb 2024 02:08:58 +0000 Subject: [PATCH 04/16] backport of commit fd959d15a6898bfb708f75f4df03ce6c675a28b3 --- .../handlers/authtokens/authtoken_service.go | 4 --- .../authtokens/authtoken_service_test.go | 25 +++++++++++++++++++ 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/internal/daemon/controller/handlers/authtokens/authtoken_service.go b/internal/daemon/controller/handlers/authtokens/authtoken_service.go index 12489b539c..8c66454e6b 100644 --- a/internal/daemon/controller/handlers/authtokens/authtoken_service.go +++ b/internal/daemon/controller/handlers/authtokens/authtoken_service.go 
@@ -103,10 +103,6 @@ func (s Service) ListAuthTokens(ctx context.Context, req *pbs.ListAuthTokensRequ if err != nil { return nil, errors.Wrap(ctx, err, op) } - // If no scopes match, return an empty response - if len(scopeIds) == 0 { - return &pbs.ListAuthTokensResponse{}, nil - } pageSize := int(s.maxPageSize) // Use the requested page size only if it is smaller than diff --git a/internal/daemon/controller/handlers/authtokens/authtoken_service_test.go b/internal/daemon/controller/handlers/authtokens/authtoken_service_test.go index 61937220ed..3ee1892dcc 100644 --- a/internal/daemon/controller/handlers/authtokens/authtoken_service_test.go +++ b/internal/daemon/controller/handlers/authtokens/authtoken_service_test.go 
@@ -790,6 +790,31 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListAuthTokensResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kms, orgWithTokens.GetPublicId()) + unauthR := iam.TestRole(t, conn, pwt.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response contains the pagination parameters. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo) + + got, err = a.ListAuthTokens(ctx, &pbs.ListAuthTokensRequest{ + ScopeId: "global", + Recursive: true, + }) + require.NoError(t, err) + assert.Len(t, got.Items, 1) // There will always be at least one token, the token used to authenticate + assert.Equal(t, "created_time", got.SortBy) + assert.Equal(t, "desc", got.SortDir) + assert.Equal(t, "complete", got.ResponseType) } func TestDeleteSelf(t *testing.T) { From c303c62464970216e7b0111db174efa1edb39d55 Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Thu, 15 Feb 2024 02:09:08 +0000 Subject: [PATCH 05/16] backport of commit 7e0207fb110f7c81ca5ef21e60dccadede6e5185 --- .../credentiallibrary_service_test.go | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service_test.go b/internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service_test.go index 4a4847eb4a..139df50914 100644 --- a/internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service_test.go 
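Review bot: The trailing comment on `assert.Len(t, got.Items, 1)` says "at least one token" while the assertion pins exactly one; presumably TestListPagination seeds further tokens in orgWithTokens earlier (outside the hunk), in which case exactly one is the stronger and more useful claim, namely that a no-grant user sees only its own token. Reword the comment to `// Only the token used to authenticate is visible to a user without list grants`; if a lower bound is really intended, `assert.GreaterOrEqual(t, len(got.Items), 1)` would match the current comment instead.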
+++ b/internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service_test.go @@ -3041,4 +3041,25 @@ func TestListPagination(t *testing.T) { protocmp.Transform(), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId()) + unauthR := iam.TestRole(t, conn, prj.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response is 403 forbidden. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo) + + _, err = s.ListCredentialLibraries(ctx, &pbs.ListCredentialLibrariesRequest{ + CredentialStoreId: credStore.PublicId, + }) + require.Error(err) + assert.Equal(handlers.ForbiddenError(), err) } From 6aaaa08a9bfd2bb08641ea3a650a7d97be7b9d66 Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Thu, 15 Feb 2024 02:09:17 +0000 Subject: [PATCH 06/16] backport of commit 87816167bc4f89e83fd0a427a25fcddd9ffc0509 --- .../credentials/credential_service_test.go | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/internal/daemon/controller/handlers/credentials/credential_service_test.go b/internal/daemon/controller/handlers/credentials/credential_service_test.go index bbccea572e..7f553dfd7c 100644 --- a/internal/daemon/controller/handlers/credentials/credential_service_test.go +++ b/internal/daemon/controller/handlers/credentials/credential_service_test.go 
@@ -1830,4 +1830,25 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListCredentialsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kmsRepo, o.GetPublicId()) + unauthR := iam.TestRole(t, conn, prj.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response is 403 forbidden. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsRepo, &requestInfo) + + _, err = s.ListCredentials(ctx, &pbs.ListCredentialsRequest{ + CredentialStoreId: credStore.PublicId, + }) + require.Error(err) + assert.Equal(handlers.ForbiddenError(), err) } From a16b08b8450a8c1d765b5b2629be2f1218c06878 Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Thu, 15 Feb 2024 02:09:27 +0000 Subject: [PATCH 07/16] backport of commit 003bb12ef7b68f091eef86da993612d87d39d34e --- .../credentialstore_service_test.go | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/internal/daemon/controller/handlers/credentialstores/credentialstore_service_test.go b/internal/daemon/controller/handlers/credentialstores/credentialstore_service_test.go index ce2dfc8544..0c84b5b153 100644 --- a/internal/daemon/controller/handlers/credentialstores/credentialstore_service_test.go +++ b/internal/daemon/controller/handlers/credentialstores/credentialstore_service_test.go 
@@ -2008,4 +2008,26 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListCredentialStoresResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId()) + unauthR := iam.TestRole(t, conn, prj.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response is 403 forbidden. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo) + + _, err = s.ListCredentialStores(ctx, &pbs.ListCredentialStoresRequest{ + ScopeId: "global", + Recursive: true, + }) + require.Error(err) + assert.ErrorIs(handlers.ForbiddenError(), err) } From 59ff4e1afd14c5c303f22b2d6a54d4c864f0887a Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Thu, 15 Feb 2024 02:09:35 +0000 Subject: [PATCH 08/16] backport of commit 37f3ebf38522804ac35347b9c11e3ed1f13e838e --- .../handlers/groups/group_service.go | 4 ---- .../handlers/groups/group_service_test.go | 22 +++++++++++++++++++ 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/internal/daemon/controller/handlers/groups/group_service.go b/internal/daemon/controller/handlers/groups/group_service.go index 3b9ba62986..2e2dc62c02 100644 --- a/internal/daemon/controller/handlers/groups/group_service.go +++ b/internal/daemon/controller/handlers/groups/group_service.go 
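Review bot: `assert.ErrorIs(handlers.ForbiddenError(), err)` has its arguments reversed: testify's signature is `ErrorIs(err, target)`, so this line checks whether `err` appears in the chain of a fresh `ForbiddenError()` rather than the other way round. It passes today only while the handler returns the forbidden error unwrapped and the two values compare equal, and it would go silently wrong the moment the error is wrapped. Use `assert.ErrorIs(err, handlers.ForbiddenError())`. The same reversal appears in the host_catalogs, host_sets (both subtests), hosts (both), managed_groups (both) and roles test hunks in the `assert.ErrorIs(t, handlers.ForbiddenError(), err)` form, whose fix is `assert.ErrorIs(t, err, handlers.ForbiddenError())`.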
@@ -114,10 +114,6 @@ func (s Service) ListGroups(ctx context.Context, req *pbs.ListGroupsRequest) (*p if err != nil { return nil, err } - // If no scopes match, return an empty response - if len(scopeIds) == 0 { - return &pbs.ListGroupsResponse{}, nil - } pageSize := int(s.maxPageSize) // Use the requested page size only if it is smaller than diff --git a/internal/daemon/controller/handlers/groups/group_service_test.go b/internal/daemon/controller/handlers/groups/group_service_test.go index 434ebe20ce..0418b7a915 100644 --- a/internal/daemon/controller/handlers/groups/group_service_test.go +++ b/internal/daemon/controller/handlers/groups/group_service_test.go @@ -801,6 +801,28 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListGroupsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kms, oWithGroups.GetPublicId()) + unauthR := iam.TestRole(t, conn, pWithGroups.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response is 403 forbidden. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo) + + _, err = a.ListGroups(ctx, &pbs.ListGroupsRequest{ + ScopeId: "global", + Recursive: true, + }) + require.Error(t, err) + assert.Equal(t, handlers.ForbiddenError(), err) } func TestDelete(t *testing.T) { From 855d634be6574860fdbddf92e1611282392acab4 Mon Sep 17 00:00:00 2001 
From: Johan Brandhorst-Satzkorn Date: Thu, 15 Feb 2024 02:09:45 +0000 Subject: [PATCH 09/16] backport of commit 5d42c35e846aab085ced6907e58990104832602d --- .../host_catalogs/host_catalog_service.go | 4 ---- .../host_catalog_service_test.go | 22 +++++++++++++++++++ 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/internal/daemon/controller/handlers/host_catalogs/host_catalog_service.go b/internal/daemon/controller/handlers/host_catalogs/host_catalog_service.go index 93af971732..1e96304983 100644 --- a/internal/daemon/controller/handlers/host_catalogs/host_catalog_service.go +++ b/internal/daemon/controller/handlers/host_catalogs/host_catalog_service.go @@ -174,10 +174,6 @@ func (s Service) ListHostCatalogs(ctx context.Context, req *pbs.ListHostCatalogs if err != nil { return nil, errors.Wrap(ctx, err, op) } - // If no scopes match, return an empty response - if len(scopeIds) == 0 { - return &pbs.ListHostCatalogsResponse{}, nil - } pageSize := int(s.maxPageSize) // Use the requested page size only if it is smaller than // the configured max. diff --git a/internal/daemon/controller/handlers/host_catalogs/host_catalog_service_test.go b/internal/daemon/controller/handlers/host_catalogs/host_catalog_service_test.go index 92e9d69997..a7a6fcd629 100644 --- a/internal/daemon/controller/handlers/host_catalogs/host_catalog_service_test.go +++ b/internal/daemon/controller/handlers/host_catalogs/host_catalog_service_test.go 
@@ -886,6 +886,28 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListHostCatalogsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId()) + unauthR := iam.TestRole(t, conn, proj.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response contains the pagination parameters. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo) + + _, err = s.ListHostCatalogs(ctx, &pbs.ListHostCatalogsRequest{ + ScopeId: "global", + Recursive: true, + }) + require.Error(t, err) + assert.ErrorIs(t, handlers.ForbiddenError(), err) } func TestDelete_Static(t *testing.T) { From 3095e1047533e0f68843f235956876bc5933d754 Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Thu, 15 Feb 2024 02:09:54 +0000 Subject: [PATCH 10/16] backport of commit 882144d0b6daddd295a796cb744d027eb41437a4 --- .../host_sets/host_set_service_test.go | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/internal/daemon/controller/handlers/host_sets/host_set_service_test.go b/internal/daemon/controller/handlers/host_sets/host_set_service_test.go index c4e99b8cc2..8a9ae59c17 100644 --- a/internal/daemon/controller/handlers/host_sets/host_set_service_test.go +++ b/internal/daemon/controller/handlers/host_sets/host_set_service_test.go 
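Review bot: The comment `// ensure the response contains the pagination parameters` no longer matches the code under it, which asserts that ListHostCatalogs fails with ForbiddenError and never inspects a response; it looks copied from the targets/authmethods variant of this block. Change it to `// ensure the request is rejected with 403 Forbidden`. The same stale comment appears in the host_sets, hosts, managed_groups and roles test hunks (in both subtests where there are two). TestListPagination begins and ends outside this hunk.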
@@ -856,6 +856,27 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListHostSetsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId()) + unauthR := iam.TestRole(t, conn, proj.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response contains the pagination parameters. + requestInfo := authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext := context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx := auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo) + + _, err = s.ListHostSets(ctx, &pbs.ListHostSetsRequest{ + HostCatalogId: shc.GetPublicId(), + }) + require.Error(t, err) + assert.ErrorIs(t, handlers.ForbiddenError(), err) }) t.Run("plugin-host-sets", func(t *testing.T) { 
@@ -1086,6 +1107,27 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListHostSetsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId()) + unauthR := iam.TestRole(t, conn, proj.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response contains the pagination parameters. + requestInfo := authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext := context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx := auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo) + + _, err = s.ListHostSets(ctx, &pbs.ListHostSetsRequest{ + HostCatalogId: phc.GetPublicId(), + }) + require.Error(t, err) + assert.ErrorIs(t, handlers.ForbiddenError(), err) }) } From e8ec30c318c83448f5d8bca3636adfa442b71522 Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Thu, 15 Feb 2024 02:10:02 +0000 Subject: [PATCH 11/16] backport of commit 1010cf2b311bd8d68521cb457a0a49a4160d0658 --- .../handlers/hosts/host_service_test.go | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/internal/daemon/controller/handlers/hosts/host_service_test.go b/internal/daemon/controller/handlers/hosts/host_service_test.go index 13f09d2020..02b89efd2d 100644 --- a/internal/daemon/controller/handlers/hosts/host_service_test.go +++ b/internal/daemon/controller/handlers/hosts/host_service_test.go 
@@ -867,6 +867,27 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListHostsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId()) + unauthR := iam.TestRole(t, conn, proj.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response contains the pagination parameters. + requestInfo := authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext := context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx := auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo) + + _, err = s.ListHosts(ctx, &pbs.ListHostsRequest{ + HostCatalogId: shc.GetPublicId(), + }) + require.Error(t, err) + assert.ErrorIs(t, handlers.ForbiddenError(), err) }) t.Run("plugin-hosts", func(t *testing.T) { 
@@ -1044,6 +1065,26 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListHostsResponse{}, "list_token"), ), ) + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId()) + unauthR := iam.TestRole(t, conn, proj.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response contains the pagination parameters. + requestInfo := authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext := context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx := auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo) + + _, err = s.ListHosts(ctx, &pbs.ListHostsRequest{ + HostCatalogId: phc.GetPublicId(), + }) + require.Error(t, err) + assert.ErrorIs(t, handlers.ForbiddenError(), err) }) } From a37307938c4afc9b8a3edecd0d2ab0c8ed2b29c9 Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Thu, 15 Feb 2024 02:10:10 +0000 Subject: [PATCH 12/16] backport of commit 1bbe510384749bbcfec60ae5f2d95a96fe2732aa --- .../managed_group_service_test.go | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/internal/daemon/controller/handlers/managed_groups/managed_group_service_test.go b/internal/daemon/controller/handlers/managed_groups/managed_group_service_test.go index 3ac8ebc972..c94058e1b2 100644 --- a/internal/daemon/controller/handlers/managed_groups/managed_group_service_test.go +++ b/internal/daemon/controller/handlers/managed_groups/managed_group_service_test.go 
@@ -997,6 +997,27 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListManagedGroupsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId()) + unauthR := iam.TestRole(t, conn, pwt.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response contains the pagination parameters. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo) + + _, err = s.ListManagedGroups(ctx, &pbs.ListManagedGroupsRequest{ + AuthMethodId: authMethod.GetPublicId(), + }) + require.Error(t, err) + assert.ErrorIs(t, handlers.ForbiddenError(), err) }) t.Run("ldap", func(t *testing.T) { 
@@ -1296,6 +1317,27 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListManagedGroupsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId()) + unauthR := iam.TestRole(t, conn, pwt.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response contains the pagination parameters. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo) + + _, err = s.ListManagedGroups(ctx, &pbs.ListManagedGroupsRequest{ + AuthMethodId: authMethod.GetPublicId(), + }) + require.Error(t, err) + assert.ErrorIs(t, handlers.ForbiddenError(), err) }) } From 2f623e4c62acee44b409ef9918170737692f7c7e Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Thu, 15 Feb 2024 02:10:15 +0000 Subject: [PATCH 13/16] backport of commit 0c9b963963149ff211a5ac58a8da69de1d46044b --- .../controller/handlers/roles/role_service.go | 4 ---- .../handlers/roles/role_service_test.go | 22 +++++++++++++++++++ 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/internal/daemon/controller/handlers/roles/role_service.go b/internal/daemon/controller/handlers/roles/role_service.go index 7801fef913..d9fff5a05f 100644 --- a/internal/daemon/controller/handlers/roles/role_service.go +++ b/internal/daemon/controller/handlers/roles/role_service.go 
@@ -123,10 +123,6 @@ func (s Service) ListRoles(ctx context.Context, req *pbs.ListRolesRequest) (*pbs
 if err != nil {
 return nil, err
 }
- // If no scopes match, return an empty response
- if len(scopeIds) == 0 {
- return &pbs.ListRolesResponse{}, nil
- }
 pageSize := int(s.maxPageSize)
 // Use the requested page size only if it is smaller than
diff --git a/internal/daemon/controller/handlers/roles/role_service_test.go b/internal/daemon/controller/handlers/roles/role_service_test.go
index c7162e8cfc..1db2cc2f05 100644
--- a/internal/daemon/controller/handlers/roles/role_service_test.go
+++ b/internal/daemon/controller/handlers/roles/role_service_test.go
@@ -760,6 +760,28 @@ func TestListPagination(t *testing.T) {
 protocmp.IgnoreFields(&pbs.ListRolesResponse{}, "list_token"),
 ),
 )
+
+ // Create unauthenticated user
+ unauthAt := authtoken.TestAuthToken(t, conn, kms, oWithRoles.GetPublicId())
+ unauthR := iam.TestRole(t, conn, pWithRoles.GetPublicId())
+ _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+ // Make a request with the unauthenticated user,
+ // ensure the response contains the pagination parameters.
+ requestInfo = authpb.RequestInfo{
+ TokenFormat: uint32(auth.AuthTokenTypeBearer),
+ PublicId: unauthAt.GetPublicId(),
+ Token: unauthAt.GetToken(),
+ }
+ requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+ ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+ _, err = a.ListRoles(ctx, &pbs.ListRolesRequest{
+ ScopeId: "global",
+ Recursive: true,
+ })
+ require.Error(t, err)
+ assert.ErrorIs(t, handlers.ForbiddenError(), err)
 }
 func TestDelete(t *testing.T) {
From 32bc0f7fc1d72b0704708861bd2d5247d5bb5b6b Mon Sep 17 00:00:00 2001
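Review bot: The new test pins a client-visible behavior change that neither the hunk nor the commit subject explains: with the `len(scopeIds) == 0` early return removed from ListRoles in the first hunk on this line, a caller whose grants match no scope now receives a forbidden error instead of an empty successful response. Where that error is produced is not visible here — presumably the scope-resolution step above the removed lines already returns `handlers.ForbiddenError()` when nothing is authorized, which would make the removed guard unreachable — so a one-line comment in the test would help readers: `// With no list grants on any scope the request is rejected; the handler no longer returns an empty list.` The scopes and users service hunks later in the series make the same removal and deserve the same note and a changelog entry, since clients that treated the empty response as success will now see an error. This patch adds no `iam.WithSkipDefaultRoleCreation(true)` for the roles test (and the users test hunk creates `oWithUsers` without it), unlike the scopes and sessions tests, so the forbidden assertion relies on the default roles not granting list on these resources; if that is intended it should be stated in a comment. TestListPagination starts outside this hunk.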
From: Johan Brandhorst-Satzkorn
Date: Thu, 15 Feb 2024 02:10:21 +0000
Subject: [PATCH 14/16] backport of commit c7fa171248747253880e3e5482b163184b3eacbf
---
 .../handlers/scopes/scope_service.go | 4 ----
 .../handlers/scopes/scope_service_test.go | 24 ++++++++++++++++++-
 2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/internal/daemon/controller/handlers/scopes/scope_service.go b/internal/daemon/controller/handlers/scopes/scope_service.go
index a55a7e2d55..267b0d589a 100644
--- a/internal/daemon/controller/handlers/scopes/scope_service.go
+++ b/internal/daemon/controller/handlers/scopes/scope_service.go
@@ -185,10 +185,6 @@ func (s *Service) ListScopes(ctx context.Context, req *pbs.ListScopesRequest) (*
 if err != nil {
 return nil, err
 }
- // If no scopes match, return an empty response
- if len(scopeIds) == 0 {
- return &pbs.ListScopesResponse{}, nil
- }
 pageSize := int(s.maxPageSize)
 // Use the requested page size only if it is smaller than
diff --git a/internal/daemon/controller/handlers/scopes/scope_service_test.go b/internal/daemon/controller/handlers/scopes/scope_service_test.go
index f9cef47341..d1af66e44e 100644
--- a/internal/daemon/controller/handlers/scopes/scope_service_test.go
+++ b/internal/daemon/controller/handlers/scopes/scope_service_test.go
@@ -690,7 +690,7 @@ func TestListPagination(t *testing.T) {
 return server.NewRepository(ctx, rw, rw, kms)
 }
- oWithProjects, p2 := iam.TestScopes(t, repo)
+ oWithProjects, p2 := iam.TestScopes(t, repo, iam.WithSkipDefaultRoleCreation(true))
 _, err = repo.DeleteScope(context.Background(), p2.GetPublicId())
 require.NoError(t, err)
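Review bot: The reason for adding `iam.WithSkipDefaultRoleCreation(true)` to the `iam.TestScopes` call in the last hunk on this line is not stated and cannot be read off the surrounding lines; presumably the default roles created with a new scope would otherwise grant list permission to every authenticated user and mask the forbidden-error check added further down this file. A one-line comment would make the dependency explicit: `// Skip default roles so the user without grants created below has no implicit list permission.` If that is the intent, any subtest in this function that previously relied on the default roles for the primary test user now needs explicit grants, which is worth checking since the rest of TestListPagination is outside the hunk. The sessions test in the next patch makes the same change and re-grants `read:self,list,cancel:self` to its primary user explicitly; the same comment fits there.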
@@ -974,6 +974,28 @@ func TestListPagination(t *testing.T) {
 protocmp.IgnoreFields(&pbs.ListScopesResponse{}, "list_token"),
 ),
 )
+
+ // Create unauthenticated user
+ unauthAt := authtoken.TestAuthToken(t, conn, kms, oWithProjects.GetPublicId())
+ unauthR := iam.TestRole(t, conn, p.GetPublicId())
+ _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+ // Make a request with the unauthenticated user,
+ // ensure the response contains the pagination parameters.
+ requestInfo = authpb.RequestInfo{
+ TokenFormat: uint32(auth.AuthTokenTypeBearer),
+ PublicId: unauthAt.GetPublicId(),
+ Token: unauthAt.GetToken(),
+ }
+ requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+ ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+ _, err = s.ListScopes(ctx, &pbs.ListScopesRequest{
+ ScopeId: "global",
+ Recursive: true,
+ })
+ require.Error(t, err)
+ assert.ErrorIs(t, handlers.ForbiddenError(), err)
 }
 func TestDelete(t *testing.T) {
From 63273c04cd7cc6f21907c463b8bf5102fa1e8243 Mon Sep 17 00:00:00 2001
From: Johan Brandhorst-Satzkorn
Date: Thu, 15 Feb 2024 02:10:27 +0000
Subject: [PATCH 15/16] backport of commit 1f4659a56000aeb7a6c7a9f163406343d3be7959
---
 .../handlers/sessions/session_service_test.go | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/internal/daemon/controller/handlers/sessions/session_service_test.go b/internal/daemon/controller/handlers/sessions/session_service_test.go
index 48cf5ce090..e41ef33ee7 100644
--- a/internal/daemon/controller/handlers/sessions/session_service_test.go
+++ b/internal/daemon/controller/handlers/sessions/session_service_test.go
@@ -746,10 +746,13 @@ func TestListPagination(t *testing.T) {
 return server.NewRepository(ctx, rw, rw, kms)
 }
- o, pWithSessions := iam.TestScopes(t, iamRepo)
+ o, pWithSessions := iam.TestScopes(t, iamRepo, iam.WithSkipDefaultRoleCreation(true))
 at := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
 uId := at.GetIamUserId()
+ pr := iam.TestRole(t, conn, pWithSessions.GetPublicId())
+ _ = iam.TestUserRole(t, conn, pr.GetPublicId(), at.GetIamUserId())
+ _ = iam.TestRoleGrant(t, conn, pr.GetPublicId(), "ids=*;type=session;actions=read:self,list,cancel:self")
 hc := static.TestCatalogs(t, conn, pWithSessions.GetPublicId(), 1)[0]
 hs := static.TestSets(t, conn, hc.GetPublicId(), 1)[0]
@@ -1063,6 +1066,28 @@ func TestListPagination(t *testing.T) {
 protocmp.IgnoreFields(&pbs.ListSessionsResponse{}, "list_token"),
 ),
 )
+
+ // Create unauthenticated user
+ unauthAt := authtoken.TestAuthToken(t, conn, kms, o.GetPublicId())
+ unauthR := iam.TestRole(t, conn, pWithSessions.GetPublicId())
+ _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+ // Make a request with the unauthenticated user,
+ // ensure the response contains the pagination parameters.
+ requestInfo = authpb.RequestInfo{
+ TokenFormat: uint32(auth.AuthTokenTypeBearer),
+ PublicId: unauthAt.GetPublicId(),
+ Token: unauthAt.GetToken(),
+ }
+ requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+ ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+ _, err = s.ListSessions(ctx, &pbs.ListSessionsRequest{
+ ScopeId: "global",
+ Recursive: true,
+ })
+ require.Error(t, err)
+ assert.ErrorIs(t, handlers.ForbiddenError(), err)
 }
 func convertStates(in []*session.State) (string, []*pb.SessionState) {
From 6d764c4401f15f53c4c353969d2367b0a5748560 Mon Sep 17 00:00:00 2001
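Review bot: The new `iam.TestUserRole` call re-derives `at.GetIamUserId()` although `uId` holds exactly that value on the preceding context line; `_ = iam.TestUserRole(t, conn, pr.GetPublicId(), uId)` keeps the two in step if the fixture changes. The grant `ids=*;type=session;actions=read:self,list,cancel:self` appears deliberately narrowed to what the session listing exercises, which is the right shape, but a comment saying why it is needed at all would help: `// Default roles are skipped above; grant the primary user only what the pagination assertions need.` TestListPagination starts outside both hunks on this line.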
From: Johan Brandhorst-Satzkorn
Date: Thu, 15 Feb 2024 02:10:33 +0000
Subject: [PATCH 16/16] backport of commit 4c92f873328d81244ebd86fc4e03947bcb62feaa
---
 .../controller/handlers/users/user_service.go | 4 ----
 .../handlers/users/user_service_test.go | 24 ++++++++++++++++++-
 2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/internal/daemon/controller/handlers/users/user_service.go b/internal/daemon/controller/handlers/users/user_service.go
index fc1ec3b211..477c232540 100644
--- a/internal/daemon/controller/handlers/users/user_service.go
+++ b/internal/daemon/controller/handlers/users/user_service.go
@@ -113,10 +113,6 @@ func (s Service) ListUsers(ctx context.Context, req *pbs.ListUsersRequest) (*pbs
 if err != nil {
 return nil, err
 }
- // If no scopes match, return an empty response
- if len(scopeIds) == 0 {
- return &pbs.ListUsersResponse{}, nil
- }
 pageSize := int(s.maxPageSize)
 // Use the requested page size only if it is smaller than
diff --git a/internal/daemon/controller/handlers/users/user_service_test.go b/internal/daemon/controller/handlers/users/user_service_test.go
index c12941f5b0..eaa61f2cfb 100644
--- a/internal/daemon/controller/handlers/users/user_service_test.go
+++ b/internal/daemon/controller/handlers/users/user_service_test.go
@@ -419,7 +419,7 @@ func TestListPagination(t *testing.T) {
 require.NoError(t, err)
 oNoUsers, _ := iam.TestScopes(t, iamRepo)
- oWithUsers, _ := iam.TestScopes(t, iamRepo)
+ oWithUsers, p := iam.TestScopes(t, iamRepo)
 var allUsers []*pb.User
 // Get the 3 system users (u_recovery, u_anon, u_auth)
@@ -727,6 +727,28 @@ func TestListPagination(t *testing.T) {
 protocmp.IgnoreFields(&pbs.ListUsersResponse{}, "list_token"),
 ),
 )
+
+ // Create unauthenticated user
+ unauthAt := authtoken.TestAuthToken(t, conn, kms, oWithUsers.GetPublicId())
+ unauthR := iam.TestRole(t, conn, p.GetPublicId())
+ _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+ // Make a request with the unauthenticated user,
+ // ensure the response contains the pagination parameters.
+ requestInfo = authpb.RequestInfo{
+ TokenFormat: uint32(auth.AuthTokenTypeBearer),
+ PublicId: unauthAt.GetPublicId(),
+ Token: unauthAt.GetToken(),
+ }
+ requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+ ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+ _, err = a.ListUsers(ctx, &pbs.ListUsersRequest{
+ ScopeId: "global",
+ Recursive: true,
+ })
+ require.Error(t, err)
+ assert.ErrorIs(t, handlers.ForbiddenError(), err)
 }
 func TestDelete(t *testing.T) {