From 59ff4e1afd14c5c303f22b2d6a54d4c864f0887a Mon Sep 17 00:00:00 2001
From: Johan Brandhorst-Satzkorn
Date: Thu, 15 Feb 2024 02:09:35 +0000
Subject: [PATCH] backport of commit 37f3ebf38522804ac35347b9c11e3ed1f13e838e
---
 .../handlers/groups/group_service.go | 4 ----
 .../handlers/groups/group_service_test.go | 22 +++++++++++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/internal/daemon/controller/handlers/groups/group_service.go b/internal/daemon/controller/handlers/groups/group_service.go
index 3b9ba62986..2e2dc62c02 100644
--- a/internal/daemon/controller/handlers/groups/group_service.go
+++ b/internal/daemon/controller/handlers/groups/group_service.go
@@ -114,10 +114,6 @@ func (s Service) ListGroups(ctx context.Context, req *pbs.ListGroupsRequest) (*p
 if err != nil {
 return nil, err
 }
- // If no scopes match, return an empty response
- if len(scopeIds) == 0 {
- return &pbs.ListGroupsResponse{}, nil
- }
 pageSize := int(s.maxPageSize)
 // Use the requested page size only if it is smaller than
diff --git a/internal/daemon/controller/handlers/groups/group_service_test.go b/internal/daemon/controller/handlers/groups/group_service_test.go
index 434ebe20ce..0418b7a915 100644
--- a/internal/daemon/controller/handlers/groups/group_service_test.go
+++ b/internal/daemon/controller/handlers/groups/group_service_test.go
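Review bot: With the early return removed, a caller whose `scopeIds` resolves to nothing no longer receives an empty `ListGroupsResponse`, and nothing in this hunk shows what happens to that case instead; the companion test asserts `handlers.ForbiddenError()`, so the rejection presumably comes from code further down in ListGroups, which continues outside the hunk. The old shortcut had the side effect of answering an unauthorized list with a successful empty page, which hides authorization failures from callers and from access logs, so the removal is the right direction, but a one-line comment at the removal point would keep the next reader from reinstating it: `// Do not short-circuit on an empty scopeIds set: a caller with no list grants must be rejected rather than handed an empty page.` Worth confirming that the pagination and list-token code below tolerates an empty `scopeIds` slice rather than issuing a query with an empty scope filter.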
@@ -801,6 +801,28 @@ func TestListPagination(t *testing.T) {
 protocmp.IgnoreFields(&pbs.ListGroupsResponse{}, "list_token"),
 ),
 )
+
+ // Create unauthenticated user
+ unauthAt := authtoken.TestAuthToken(t, conn, kms, oWithGroups.GetPublicId())
+ unauthR := iam.TestRole(t, conn, pWithGroups.GetPublicId())
+ _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+ // Make a request with the unauthenticated user,
+ // ensure the response is 403 forbidden.
+ requestInfo = authpb.RequestInfo{
+ TokenFormat: uint32(auth.AuthTokenTypeBearer),
+ PublicId: unauthAt.GetPublicId(),
+ Token: unauthAt.GetToken(),
+ }
+ requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+ ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+ _, err = a.ListGroups(ctx, &pbs.ListGroupsRequest{
+ ScopeId: "global",
+ Recursive: true,
+ })
+ require.Error(t, err)
+ assert.Equal(t, handlers.ForbiddenError(), err)
 }
 func TestDelete(t *testing.T) {
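Review bot: The two new comments describe the user as "unauthenticated", but the setup mints a valid bearer token with `authtoken.TestAuthToken` and attaches it to the request; what this user lacks is a grant on the listed scope, and the asserted outcome is forbidden, not an authentication failure. Renaming the comments keeps the scenario accurate for whoever reads the test next: `// Create a user with a valid token but no list grants on the scope` and `// ensure the response is Forbidden (403), not an empty page`. The role is created in `pWithGroups` while the token belongs to `oWithGroups`; if that split is deliberate (presumably the role carries no grants either way), a short comment saying so would prevent a future "fix". `requestInfo`, `requestContext`, `ctx`, `err` and `a` are reassigned rather than declared here, so TestListPagination starts outside the hunk.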