diff --git a/testing/internal/e2e/boundary/account.go b/testing/internal/e2e/boundary/account.go new file mode 100644 index 0000000000..47a034e36f --- /dev/null +++ b/testing/internal/e2e/boundary/account.go @@ -0,0 +1,75 @@ +package boundary + +import ( + "context" + "encoding/json" + "os" + "testing" + + "github.com/hashicorp/boundary/api" + "github.com/hashicorp/boundary/api/accounts" + "github.com/hashicorp/boundary/testing/internal/e2e" + "github.com/hashicorp/go-secure-stdlib/base62" + "github.com/stretchr/testify/require" +) + +// CreateNewAccountApi creates a new account using the go api. +// Returns the id of the new account as well as the password that was generated +func CreateNewAccountApi(t testing.TB, ctx context.Context, client *api.Client, loginName string) (accountId string, password string) { + c, err := loadConfig() + require.NoError(t, err) + + aClient := accounts.NewClient(client) + password, err = base62.Random(16) + require.NoError(t, err) + newAccountResult, err := aClient.Create(ctx, c.AuthMethodId, + accounts.WithPasswordAccountLoginName(loginName), + accounts.WithPasswordAccountPassword(password), + ) + require.NoError(t, err) + + accountId = newAccountResult.Item.Id + t.Logf("Create Account: %s", accountId) + t.Cleanup(func() { + _, err := aClient.Delete(ctx, accountId) + require.NoError(t, err) + }) + + return +} + +// CreateNewAccountCli creates a new account using the cli. +// Returns the id of the new account as well as the password that was generated +func CreateNewAccountCli(t testing.TB, loginName string) (string, string) { + c, err := loadConfig() + require.NoError(t, err) + + ctx := context.Background() + password, err := base62.Random(16) + require.NoError(t, err) + os.Setenv("E2E_TEST_ACCOUNT_PASSWORD", password) + output := e2e.RunCommand(ctx, "boundary", "accounts", "create", "password", + "-auth-method-id", c.AuthMethodId, + "-login-name", loginName, + "-password", "env://E2E_TEST_ACCOUNT_PASSWORD", + "-name", "e2e Account "+loginName, + "-description", "e2e Account", + "-format", "json", + ) + require.NoError(t, output.Err, string(output.Stderr)) + + var newAccountResult accounts.AccountCreateResult + err = json.Unmarshal(output.Stdout, &newAccountResult) + require.NoError(t, err) + + newAccountId := newAccountResult.Item.Id + t.Cleanup(func() { + AuthenticateAdminCli(t) + output := e2e.RunCommand(ctx, "boundary", "accounts", "delete", "-id", newAccountId) + require.NoError(t, output.Err, string(output.Stderr)) + }) + + t.Logf("Created Account: %s", newAccountId) + + return newAccountId, password +} diff --git a/testing/internal/e2e/boundary/scope.go b/testing/internal/e2e/boundary/scope.go index ec21884090..ce5bde565b 100644 --- a/testing/internal/e2e/boundary/scope.go +++ b/testing/internal/e2e/boundary/scope.go @@ -58,6 +58,7 @@ func CreateNewOrgCli(t testing.TB) string { newOrgId := newOrgResult.Item.Id t.Cleanup(func() { + AuthenticateAdminCli(t) output := e2e.RunCommand(ctx, "boundary", "scopes", "delete", "-id", newOrgId) require.NoError(t, output.Err, string(output.Stderr)) }) diff --git a/testing/internal/e2e/boundary/user.go b/testing/internal/e2e/boundary/user.go new file mode 100644 index 0000000000..7d26d28329 --- /dev/null +++ b/testing/internal/e2e/boundary/user.go @@ -0,0 +1,64 @@ +package boundary + +import ( + "context" + "encoding/json" + "testing" + + "github.com/hashicorp/boundary/api" + "github.com/hashicorp/boundary/api/users" + "github.com/hashicorp/boundary/testing/internal/e2e" + "github.com/stretchr/testify/require" +) + +// CreateNewUserCli creates a new user using the go api. +// Returns the id of the new user +func CreateNewUserApi(t testing.TB, ctx context.Context, client *api.Client, scopeId string) string { + uClient := users.NewClient(client) + newUserResult, err := uClient.Create(ctx, scopeId) + require.NoError(t, err) + newUserId := newUserResult.Item.Id + t.Logf("Created User: %s", newUserId) + t.Cleanup(func() { + _, err := uClient.Delete(ctx, newUserId) + require.NoError(t, err) + }) + + return newUserId +} + +// CreateNewUserCli creates a new user using the cli. +// Returns the id of the new user +func CreateNewUserCli(t testing.TB, scopeId string) string { + ctx := context.Background() + output := e2e.RunCommand(ctx, "boundary", "users", "create", + "-scope-id", scopeId, + "-name", "e2e User", + "-description", "e2e User", + "-format", "json", + ) + require.NoError(t, output.Err, string(output.Stderr)) + + var newUserResult users.UserCreateResult + err := json.Unmarshal(output.Stdout, &newUserResult) + require.NoError(t, err) + + newUserId := newUserResult.Item.Id + t.Cleanup(func() { + AuthenticateAdminCli(t) + output := e2e.RunCommand(ctx, "boundary", "users", "delete", "-id", newUserId) + require.NoError(t, output.Err, string(output.Stderr)) + }) + t.Logf("Created User: %s", newUserId) + + return newUserId +} + +// SetAccountToUserCli sets an account to a the specified user using the cli. +func SetAccountToUserCli(t testing.TB, userId string, accountId string) { + output := e2e.RunCommand(context.Background(), "boundary", "users", "set-accounts", + "-id", userId, + "-account", accountId, + ) + require.NoError(t, output.Err, string(output.Stderr)) +} diff --git a/testing/internal/e2e/host/static/session_cancel_user_test.go b/testing/internal/e2e/host/static/session_cancel_user_test.go new file mode 100644 index 0000000000..6935374846 --- /dev/null +++ b/testing/internal/e2e/host/static/session_cancel_user_test.go @@ -0,0 +1,217 @@ +package static_test + +import ( + "context" + "encoding/json" + "errors" + "testing" + "time" + + "github.com/cenkalti/backoff/v4" + "github.com/hashicorp/boundary/api/roles" + "github.com/hashicorp/boundary/api/sessions" + "github.com/hashicorp/boundary/api/users" + "github.com/hashicorp/boundary/testing/internal/e2e" + "github.com/hashicorp/boundary/testing/internal/e2e/boundary" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +// TestSessionCancelUserCli uses the cli to create a new user and sets up the right permissions for +// the user to connect to the created target. The test also confirms that an admin can cancel the +// user's session. +func TestSessionCancelUserCli(t *testing.T) { + e2e.MaybeSkipTest(t) + c, err := loadConfig() + require.NoError(t, err) + + boundary.AuthenticateAdminCli(t) + newOrgId := boundary.CreateNewOrgCli(t) + newProjectId := boundary.CreateNewProjectCli(t, newOrgId) + newHostCatalogId := boundary.CreateNewHostCatalogCli(t, newProjectId) + newHostSetId := boundary.CreateNewHostSetCli(t, newHostCatalogId) + newHostId := boundary.CreateNewHostCli(t, newHostCatalogId, c.TargetIp) + boundary.AddHostToHostSetCli(t, newHostSetId, newHostId) + newTargetId := boundary.CreateNewTargetCli(t, newProjectId, c.TargetPort) + boundary.AddHostSourceToTargetCli(t, newTargetId, newHostSetId) + acctName := "e2e-account" + newAccountId, acctPassword := boundary.CreateNewAccountCli(t, acctName) + newUserId := boundary.CreateNewUserCli(t, "global") + boundary.SetAccountToUserCli(t, newUserId, newAccountId) + + // Try to connect to the target as a user without permissions + ctx := context.Background() + boundary.AuthenticateCli(t, acctName, acctPassword) + output := e2e.RunCommand(ctx, "boundary", "connect", + "-target-id", newTargetId, + "-format", "json", + "-exec", "/usr/bin/ssh", "--", + "-l", c.TargetSshUser, + "-i", c.TargetSshKeyPath, + "-o", "UserKnownHostsFile=/dev/null", + "-o", "StrictHostKeyChecking=no", + "-o", "IdentitiesOnly=yes", // forces the use of the provided key + "-p", "{{boundary.port}}", // this is provided by boundary + "{{boundary.ip}}", + "hostname -i", + ) + require.Error(t, output.Err, string(output.Stdout), string(output.Stderr)) + var response e2e.CliError + err = json.Unmarshal(output.Stderr, &response) + require.NoError(t, err) + require.Equal(t, 403, response.Status) + t.Log("Successfully received an error when connecting to target as a user without permissions") + + // Create a role + boundary.AuthenticateAdminCli(t) + output = e2e.RunCommand(ctx, "boundary", "roles", "create", + "-scope-id", newProjectId, + "-name", "e2e Role", + "-format", "json", + ) + require.NoError(t, output.Err, string(output.Stderr)) + var newRoleResult roles.RoleCreateResult + err = json.Unmarshal(output.Stdout, &newRoleResult) + require.NoError(t, err) + newRoleId := newRoleResult.Item.Id + t.Logf("Created Role: %s", newRoleId) + + // Add grant to role + output = e2e.RunCommand(ctx, "boundary", "roles", "add-grants", + "-id", newRoleId, + "-grant", "id=*;type=target;actions=authorize-session", + ) + require.NoError(t, output.Err, string(output.Stderr)) + + // Add user to role + output = e2e.RunCommand(ctx, "boundary", "roles", "add-principals", + "-id", newRoleId, + "-principal", newUserId, + ) + require.NoError(t, output.Err, string(output.Stderr)) + + // Connect to target to create a session + ctxCancel, cancel := context.WithCancel(context.Background()) + errChan := make(chan *e2e.CommandResult) + go func() { + boundary.AuthenticateCli(t, acctName, acctPassword) + t.Log("Starting session as user...") + errChan <- e2e.RunCommand(ctxCancel, "boundary", "connect", + "-target-id", newTargetId, + "-exec", "/usr/bin/ssh", "--", + "-l", c.TargetSshUser, + "-i", c.TargetSshKeyPath, + "-o", "UserKnownHostsFile=/dev/null", + "-o", "StrictHostKeyChecking=no", + "-o", "IdentitiesOnly=yes", // forces the use of the provided key + "-p", "{{boundary.port}}", // this is provided by boundary + "{{boundary.ip}}", + "hostname -i; sleep 60", + ) + }() + t.Cleanup(cancel) + + // Get list of sessions + var session *sessions.Session + err = backoff.RetryNotify( + func() error { + output := e2e.RunCommand(ctx, "boundary", "sessions", "list", "-scope-id", newProjectId, "-format", "json") + if output.Err != nil { + return backoff.Permanent(errors.New(string(output.Stderr))) + } + + var sessionListResult sessions.SessionListResult + err = json.Unmarshal(output.Stdout, &sessionListResult) + if err != nil { + return backoff.Permanent(err) + } + + sessionCount := len(sessionListResult.Items) + if sessionCount == 0 { + return errors.New("No items are appearing in the session list") + } + + t.Logf("Found %d session(s)", sessionCount) + if sessionCount != 1 { + return backoff.Permanent(errors.New("Only one session was expected to be found")) + } + + session = sessionListResult.Items[0] + return nil + }, + backoff.WithMaxRetries(backoff.NewConstantBackOff(3*time.Second), 5), + func(err error, td time.Duration) { + t.Logf("%s. Retrying...", err.Error()) + }, + ) + require.NoError(t, err) + assert.Equal(t, newTargetId, session.TargetId) + assert.Equal(t, newHostId, session.HostId) + require.Equal(t, "active", session.Status) + + // Cancel session + output = e2e.RunCommand(ctx, "boundary", "sessions", "cancel", "-id", session.Id) + require.NoError(t, output.Err, string(output.Stderr)) + + output = e2e.RunCommand(ctx, "boundary", "sessions", "read", "-id", session.Id, "-format", "json") + require.NoError(t, output.Err, string(output.Stderr)) + var newSessionReadResult sessions.SessionReadResult + err = json.Unmarshal(output.Stdout, &newSessionReadResult) + require.NoError(t, err) + require.Condition(t, func() bool { + return newSessionReadResult.Item.Status == "canceling" || newSessionReadResult.Item.Status == "terminated" + }) + + // Check output from session + select { + case output := <-errChan: + // `boundary connect` returns a 255 when cancelled + require.Equal(t, output.ExitCode, 255, string(output.Stdout), string(output.Stderr)) + case <-time.After(time.Second * 5): + t.Fatal("Timed out waiting for session command to exit") + } + + t.Log("Successfully cancelled session") +} + +// TestCreateUserApi uses the go api to create a new user and add some grants to the user +func TestCreateUserApi(t *testing.T) { + e2e.MaybeSkipTest(t) + c, err := loadConfig() + require.NoError(t, err) + + client, err := boundary.NewApiClient() + require.NoError(t, err) + ctx := context.Background() + + newOrgId := boundary.CreateNewOrgApi(t, ctx, client) + newProjectId := boundary.CreateNewProjectApi(t, ctx, client, newOrgId) + newHostCatalogId := boundary.CreateNewHostCatalogApi(t, ctx, client, newProjectId) + newHostSetId := boundary.CreateNewHostSetApi(t, ctx, client, newHostCatalogId) + newHostId := boundary.CreateNewHostApi(t, ctx, client, newHostCatalogId, c.TargetIp) + boundary.AddHostToHostSetApi(t, ctx, client, newHostSetId, newHostId) + newTargetId := boundary.CreateNewTargetApi(t, ctx, client, newProjectId, c.TargetPort) + boundary.AddHostSourceToTargetApi(t, ctx, client, newTargetId, newHostSetId) + + acctName := "e2e-account" + newAcctId, _ := boundary.CreateNewAccountApi(t, ctx, client, acctName) + newUserId := boundary.CreateNewUserApi(t, ctx, client, "global") + uClient := users.NewClient(client) + uClient.SetAccounts(ctx, newUserId, 0, []string{newAcctId}) + + rClient := roles.NewClient(client) + newRoleResult, err := rClient.Create(ctx, newProjectId) + require.NoError(t, err) + newRoleId := newRoleResult.Item.Id + t.Logf("Create Role: %s", newRoleId) + + _, err = rClient.AddGrants(ctx, newRoleId, 0, []string{"id=*;type=target;actions=authorize-session"}, + roles.WithAutomaticVersioning(true), + ) + require.NoError(t, err) + + _, err = rClient.AddPrincipals(ctx, newRoleId, 0, []string{newUserId}, + roles.WithAutomaticVersioning(true), + ) + require.NoError(t, err) +}