test(e2e): Add test that creates a user with the right permissions to start a session

testing/internal/e2e/boundary/account.go

@@ -0,0 +1,75 @@
+package boundary
+
+import (
+	"context"
+	"encoding/json"
+	"os"
+	"testing"
+
+	"github.com/hashicorp/boundary/api"
+	"github.com/hashicorp/boundary/api/accounts"
+	"github.com/hashicorp/boundary/testing/internal/e2e"
+	"github.com/hashicorp/go-secure-stdlib/base62"
+	"github.com/stretchr/testify/require"
+)
+
+// CreateNewAccountApi creates a new account using the go api.
+// Returns the id of the new account as well as the password that was generated
+func CreateNewAccountApi(t testing.TB, ctx context.Context, client *api.Client, loginName string) (accountId string, password string) {
+	c, err := loadConfig()
+	require.NoError(t, err)
+
+	aClient := accounts.NewClient(client)
+	password, err = base62.Random(16)
+	require.NoError(t, err)
+	newAccountResult, err := aClient.Create(ctx, c.AuthMethodId,
+		accounts.WithPasswordAccountLoginName(loginName),
+		accounts.WithPasswordAccountPassword(password),
+	)
+	require.NoError(t, err)
+
+	accountId = newAccountResult.Item.Id
+	t.Logf("Create Account: %s", accountId)
+	t.Cleanup(func() {
+		_, err := aClient.Delete(ctx, accountId)
+		require.NoError(t, err)
+	})
+
+	return
+}
+
+// CreateNewAccountCli creates a new account using the cli.
+// Returns the id of the new account as well as the password that was generated
+func CreateNewAccountCli(t testing.TB, loginName string) (string, string) {
+	c, err := loadConfig()
+	require.NoError(t, err)
+
+	ctx := context.Background()
+	password, err := base62.Random(16)
+	require.NoError(t, err)
+	os.Setenv("E2E_TEST_ACCOUNT_PASSWORD", password)
+	output := e2e.RunCommand(ctx, "boundary", "accounts", "create", "password",
+		"-auth-method-id", c.AuthMethodId,
+		"-login-name", loginName,
+		"-password", "env://E2E_TEST_ACCOUNT_PASSWORD",
+		"-name", "e2e Account "+loginName,
+		"-description", "e2e Account",
+		"-format", "json",
+	)
+	require.NoError(t, output.Err, string(output.Stderr))
+
+	var newAccountResult accounts.AccountCreateResult
+	err = json.Unmarshal(output.Stdout, &newAccountResult)
+	require.NoError(t, err)
+
+	newAccountId := newAccountResult.Item.Id
+	t.Cleanup(func() {
+		AuthenticateAdminCli(t)
+		output := e2e.RunCommand(ctx, "boundary", "accounts", "delete", "-id", newAccountId)
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+
+	t.Logf("Created Account: %s", newAccountId)
+
+	return newAccountId, password
+}

testing/internal/e2e/boundary/scope.go

@@ -58,6 +58,7 @@ func CreateNewOrgCli(t testing.TB) string {
 
 	newOrgId := newOrgResult.Item.Id
 	t.Cleanup(func() {
+		AuthenticateAdminCli(t)
 		output := e2e.RunCommand(ctx, "boundary", "scopes", "delete", "-id", newOrgId)
 		require.NoError(t, output.Err, string(output.Stderr))
 	})

testing/internal/e2e/boundary/user.go

@@ -0,0 +1,64 @@
+package boundary
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/hashicorp/boundary/api"
+	"github.com/hashicorp/boundary/api/users"
+	"github.com/hashicorp/boundary/testing/internal/e2e"
+	"github.com/stretchr/testify/require"
+)
+
+// CreateNewUserCli creates a new user using the go api.
+// Returns the id of the new user
+func CreateNewUserApi(t testing.TB, ctx context.Context, client *api.Client, scopeId string) string {
+	uClient := users.NewClient(client)
+	newUserResult, err := uClient.Create(ctx, scopeId)
+	require.NoError(t, err)
+	newUserId := newUserResult.Item.Id
+	t.Logf("Created User: %s", newUserId)
+	t.Cleanup(func() {
+		_, err := uClient.Delete(ctx, newUserId)
+		require.NoError(t, err)
+	})
+
+	return newUserId
+}
+
+// CreateNewUserCli creates a new user using the cli.
+// Returns the id of the new user
+func CreateNewUserCli(t testing.TB, scopeId string) string {
+	ctx := context.Background()
+	output := e2e.RunCommand(ctx, "boundary", "users", "create",
+		"-scope-id", scopeId,
+		"-name", "e2e User",
+		"-description", "e2e User",
+		"-format", "json",
+	)
+	require.NoError(t, output.Err, string(output.Stderr))
+
+	var newUserResult users.UserCreateResult
+	err := json.Unmarshal(output.Stdout, &newUserResult)
+	require.NoError(t, err)
+
+	newUserId := newUserResult.Item.Id
+	t.Cleanup(func() {
+		AuthenticateAdminCli(t)
+		output := e2e.RunCommand(ctx, "boundary", "users", "delete", "-id", newUserId)
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+	t.Logf("Created User: %s", newUserId)
+
+	return newUserId
+}
+
+// SetAccountToUserCli sets an account to a the specified user using the cli.
+func SetAccountToUserCli(t testing.TB, userId string, accountId string) {
+	output := e2e.RunCommand(context.Background(), "boundary", "users", "set-accounts",
+		"-id", userId,
+		"-account", accountId,
+	)
+	require.NoError(t, output.Err, string(output.Stderr))
+}

testing/internal/e2e/host/static/session_cancel_user_test.go

@@ -0,0 +1,217 @@
+package static_test
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	"github.com/hashicorp/boundary/api/roles"
+	"github.com/hashicorp/boundary/api/sessions"
+	"github.com/hashicorp/boundary/api/users"
+	"github.com/hashicorp/boundary/testing/internal/e2e"
+	"github.com/hashicorp/boundary/testing/internal/e2e/boundary"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestSessionCancelUserCli uses the cli to create a new user and sets up the right permissions for
+// the user to connect to the created target. The test also confirms that an admin can cancel the
+// user's session.
+func TestSessionCancelUserCli(t *testing.T) {
+	e2e.MaybeSkipTest(t)
+	c, err := loadConfig()
+	require.NoError(t, err)
+
+	boundary.AuthenticateAdminCli(t)
+	newOrgId := boundary.CreateNewOrgCli(t)
+	newProjectId := boundary.CreateNewProjectCli(t, newOrgId)
+	newHostCatalogId := boundary.CreateNewHostCatalogCli(t, newProjectId)
+	newHostSetId := boundary.CreateNewHostSetCli(t, newHostCatalogId)
+	newHostId := boundary.CreateNewHostCli(t, newHostCatalogId, c.TargetIp)
+	boundary.AddHostToHostSetCli(t, newHostSetId, newHostId)
+	newTargetId := boundary.CreateNewTargetCli(t, newProjectId, c.TargetPort)
+	boundary.AddHostSourceToTargetCli(t, newTargetId, newHostSetId)
+	acctName := "e2e-account"
+	newAccountId, acctPassword := boundary.CreateNewAccountCli(t, acctName)
+	newUserId := boundary.CreateNewUserCli(t, "global")
+	boundary.SetAccountToUserCli(t, newUserId, newAccountId)
+
+	// Try to connect to the target as a user without permissions
+	ctx := context.Background()
+	boundary.AuthenticateCli(t, acctName, acctPassword)
+	output := e2e.RunCommand(ctx, "boundary", "connect",
+		"-target-id", newTargetId,
+		"-format", "json",
+		"-exec", "/usr/bin/ssh", "--",
+		"-l", c.TargetSshUser,
+		"-i", c.TargetSshKeyPath,
+		"-o", "UserKnownHostsFile=/dev/null",
+		"-o", "StrictHostKeyChecking=no",
+		"-o", "IdentitiesOnly=yes", // forces the use of the provided key
+		"-p", "{{boundary.port}}", // this is provided by boundary
+		"{{boundary.ip}}",
+		"hostname -i",
+	)
+	require.Error(t, output.Err, string(output.Stdout), string(output.Stderr))
+	var response e2e.CliError
+	err = json.Unmarshal(output.Stderr, &response)
+	require.NoError(t, err)
+	require.Equal(t, 403, response.Status)
+	t.Log("Successfully received an error when connecting to target as a user without permissions")
+
+	// Create a role
+	boundary.AuthenticateAdminCli(t)
+	output = e2e.RunCommand(ctx, "boundary", "roles", "create",
+		"-scope-id", newProjectId,
+		"-name", "e2e Role",
+		"-format", "json",
+	)
+	require.NoError(t, output.Err, string(output.Stderr))
+	var newRoleResult roles.RoleCreateResult
+	err = json.Unmarshal(output.Stdout, &newRoleResult)
+	require.NoError(t, err)
+	newRoleId := newRoleResult.Item.Id
+	t.Logf("Created Role: %s", newRoleId)
+
+	// Add grant to role
+	output = e2e.RunCommand(ctx, "boundary", "roles", "add-grants",
+		"-id", newRoleId,
+		"-grant", "id=*;type=target;actions=authorize-session",
+	)
+	require.NoError(t, output.Err, string(output.Stderr))
+
+	// Add user to role
+	output = e2e.RunCommand(ctx, "boundary", "roles", "add-principals",
+		"-id", newRoleId,
+		"-principal", newUserId,
+	)
+	require.NoError(t, output.Err, string(output.Stderr))
+
+	// Connect to target to create a session
+	ctxCancel, cancel := context.WithCancel(context.Background())
+	errChan := make(chan *e2e.CommandResult)
+	go func() {
+		boundary.AuthenticateCli(t, acctName, acctPassword)
+		t.Log("Starting session as user...")
+		errChan <- e2e.RunCommand(ctxCancel, "boundary", "connect",
+			"-target-id", newTargetId,
+			"-exec", "/usr/bin/ssh", "--",
+			"-l", c.TargetSshUser,
+			"-i", c.TargetSshKeyPath,
+			"-o", "UserKnownHostsFile=/dev/null",
+			"-o", "StrictHostKeyChecking=no",
+			"-o", "IdentitiesOnly=yes", // forces the use of the provided key
+			"-p", "{{boundary.port}}", // this is provided by boundary
+			"{{boundary.ip}}",
+			"hostname -i; sleep 60",
+		)
+	}()
+	t.Cleanup(cancel)
+
+	// Get list of sessions
+	var session *sessions.Session
+	err = backoff.RetryNotify(
+		func() error {
+			output := e2e.RunCommand(ctx, "boundary", "sessions", "list", "-scope-id", newProjectId, "-format", "json")
+			if output.Err != nil {
+				return backoff.Permanent(errors.New(string(output.Stderr)))
+			}
+
+			var sessionListResult sessions.SessionListResult
+			err = json.Unmarshal(output.Stdout, &sessionListResult)
+			if err != nil {
+				return backoff.Permanent(err)
+			}
+
+			sessionCount := len(sessionListResult.Items)
+			if sessionCount == 0 {
+				return errors.New("No items are appearing in the session list")
+			}
+
+			t.Logf("Found %d session(s)", sessionCount)
+			if sessionCount != 1 {
+				return backoff.Permanent(errors.New("Only one session was expected to be found"))
+			}
+
+			session = sessionListResult.Items[0]
+			return nil
+		},
+		backoff.WithMaxRetries(backoff.NewConstantBackOff(3*time.Second), 5),
+		func(err error, td time.Duration) {
+			t.Logf("%s. Retrying...", err.Error())
+		},
+	)
+	require.NoError(t, err)
+	assert.Equal(t, newTargetId, session.TargetId)
+	assert.Equal(t, newHostId, session.HostId)
+	require.Equal(t, "active", session.Status)
+
+	// Cancel session
+	output = e2e.RunCommand(ctx, "boundary", "sessions", "cancel", "-id", session.Id)
+	require.NoError(t, output.Err, string(output.Stderr))
+
+	output = e2e.RunCommand(ctx, "boundary", "sessions", "read", "-id", session.Id, "-format", "json")
+	require.NoError(t, output.Err, string(output.Stderr))
+	var newSessionReadResult sessions.SessionReadResult
+	err = json.Unmarshal(output.Stdout, &newSessionReadResult)
+	require.NoError(t, err)
+	require.Condition(t, func() bool {
+		return newSessionReadResult.Item.Status == "canceling" || newSessionReadResult.Item.Status == "terminated"
+	})
+
+	// Check output from session
+	select {
+	case output := <-errChan:
+		// `boundary connect` returns a 255 when cancelled
+		require.Equal(t, output.ExitCode, 255, string(output.Stdout), string(output.Stderr))
+	case <-time.After(time.Second * 5):
+		t.Fatal("Timed out waiting for session command to exit")
+	}
+
+	t.Log("Successfully cancelled session")
+}
+
+// TestCreateUserApi uses the go api to create a new user and add some grants to the user
+func TestCreateUserApi(t *testing.T) {
+	e2e.MaybeSkipTest(t)
+	c, err := loadConfig()
+	require.NoError(t, err)
+
+	client, err := boundary.NewApiClient()
+	require.NoError(t, err)
+	ctx := context.Background()
+
+	newOrgId := boundary.CreateNewOrgApi(t, ctx, client)
+	newProjectId := boundary.CreateNewProjectApi(t, ctx, client, newOrgId)
+	newHostCatalogId := boundary.CreateNewHostCatalogApi(t, ctx, client, newProjectId)
+	newHostSetId := boundary.CreateNewHostSetApi(t, ctx, client, newHostCatalogId)
+	newHostId := boundary.CreateNewHostApi(t, ctx, client, newHostCatalogId, c.TargetIp)
+	boundary.AddHostToHostSetApi(t, ctx, client, newHostSetId, newHostId)
+	newTargetId := boundary.CreateNewTargetApi(t, ctx, client, newProjectId, c.TargetPort)
+	boundary.AddHostSourceToTargetApi(t, ctx, client, newTargetId, newHostSetId)
+
+	acctName := "e2e-account"
+	newAcctId, _ := boundary.CreateNewAccountApi(t, ctx, client, acctName)
+	newUserId := boundary.CreateNewUserApi(t, ctx, client, "global")
+	uClient := users.NewClient(client)
+	uClient.SetAccounts(ctx, newUserId, 0, []string{newAcctId})
+
+	rClient := roles.NewClient(client)
+	newRoleResult, err := rClient.Create(ctx, newProjectId)
+	require.NoError(t, err)
+	newRoleId := newRoleResult.Item.Id
+	t.Logf("Create Role: %s", newRoleId)
+
+	_, err = rClient.AddGrants(ctx, newRoleId, 0, []string{"id=*;type=target;actions=authorize-session"},
+		roles.WithAutomaticVersioning(true),
+	)
+	require.NoError(t, err)
+
+	_, err = rClient.AddPrincipals(ctx, newRoleId, 0, []string{newUserId},
+		roles.WithAutomaticVersioning(true),
+	)
+	require.NoError(t, err)
+}