tests: add roles CLI tests (#644)

internal/tests/cli/boundary/_helpers.bash

@@ -1,14 +1,21 @@
-export BOUNDARY_ADDR='http://127.0.0.1:9200'
+export BOUNDARY_ADDR="${BOUNDARY_ADDR:-http://127.0.0.1:9200}"
 export DEFAULT_PASSWORD='password'
-export DEFAULT_USER='admin'
+export DEFAULT_LOGIN='admin'
 export DEFAULT_AMPW='ampw_1234567890'
 export DEFAULT_P_ID='p_1234567890'
 export DEFAULT_O_ID='o_1234567890'
+export DEFAULT_GLOBAL='global'
 export DEFAULT_TARGET='ttcp_1234567890'
 export DEFAULT_HOST_SET='hsst_1234567890'
 export DEFAULT_HOST_CATALOG='hcst_1234567890'
 export DEFAULT_HOST='hst_1234567890'
+export DEFAULT_USER='u_1234567890'
 
 function strip() {
   echo "$1" | tr -d '"'
 }
+
+function strip_all() {
+  echo "$1" | tr -d '"' | tr -d '\'\'
+}
+

internal/tests/cli/boundary/_roles.bash

@@ -0,0 +1,91 @@
+function create_role() {
+  local sid=$1
+  local name=$2
+  local gsid=$3
+  
+  boundary roles create \
+    -scope-id $sid \
+    -name $name \
+    -description 'test role' \
+    -grant-scope-id $gsid
+}
+
+function read_role() {
+  boundary roles read -id $1 -format json
+}
+
+function delete_role() {
+  boundary roles delete -id $1
+}
+
+function list_roles() {
+  boundary roles list -scope-id $1 -format json
+}
+
+function assoc_role_grant() {
+  local grant=$1
+  local id=$2
+  
+  boundary roles add-grants -grant $grant -id $id
+}
+
+function assoc_role_principal() {
+  local principal=$1
+  local id=$2
+  
+  boundary roles add-principals -principal $principal -id $id 
+}
+
+function remove_role_grant() {
+  local grant=$1
+  local id=$2
+  
+  boundary roles remove-grants -grant $grant -id $id
+}
+
+function remove_role_principal() {
+  local principal=$1
+  local id=$2
+  
+  boundary roles remove-principals -principal $principal -id $id
+}
+
+function role_id() {
+  local name=$1
+  local sid=$2
+  strip $(list_roles $sid | jq -c ".[] | select(.name | contains(\"$name\")) | .[\"id\"]")
+}
+
+function role_principal_ids() {
+  local rid=$1
+  strip $(read_role $rid | jq '.["principals"][]["id"]') 
+}
+
+function role_has_principal_id() {
+  local rid=$1
+  local pid=$2
+  local ids=$(role_principal_ids $rid)
+  for id in $ids; do
+    if [ $(strip "$id") == "$pid" ]; then
+      return 0 
+    fi
+  done
+  return 1 
+}
+
+function role_grants() {
+  local rid=$1
+  read_role $rid | jq -rc '.grant_strings | @sh'
+}
+
+function role_has_grant() {
+  local rid=$1
+  local g=$2
+  local hasgrants=$(role_grants $rid)
+  for grant in $hasgrants; do
+    if [ $(strip_all "$grant") == "$g" ]; then
+      return 0 
+    fi
+  done
+  return 1 
+}

internal/tests/cli/boundary/groups.bats

@@ -8,7 +8,7 @@ load _helpers
 export NEW_GROUP='test'
 
 @test "boundary/login: can login as default user" {
-  run login $DEFAULT_USER
+  run login $DEFAULT_LOGIN
   echo "$output"
   [ "$status" -eq 0 ]
 }

internal/tests/cli/boundary/host_catalogs.bats

@@ -7,7 +7,7 @@ load _helpers
 export NEW_HOST_CATALOG='test'
 
 @test "boundary/login: can login as default user" {
-  run login $DEFAULT_USER
+  run login $DEFAULT_LOGIN
   echo "$output"
   [ "$status" -eq 0 ]
 }

internal/tests/cli/boundary/host_sets.bats

@@ -7,7 +7,7 @@ load _helpers
 export NEW_HOST_SET='test'
 
 @test "boundary/login: can login as default user" {
-  run login $DEFAULT_USER
+  run login $DEFAULT_LOGIN
   echo "$output"
   [ "$status" -eq 0 ]
 }

internal/tests/cli/boundary/hosts.bats

@@ -7,7 +7,7 @@ load _helpers
 export NEW_HOST='test'
 
 @test "boundary/login: can login as default user" {
-  run login $DEFAULT_USER
+  run login $DEFAULT_LOGIN
   echo "$output"
   [ "$status" -eq 0 ]
 }

internal/tests/cli/boundary/roles.bats

@@ -0,0 +1,114 @@
+#!/usr/bin/env bats
+
+load _accounts
+load _auth
+load _roles
+load _helpers
+
+export NEW_ROLE='test'
+export NEW_GRANT='id=*;type=*;actions=create,read,update,delete,list'
+
+@test "boundary/login: can login as default principal" {
+  run login $DEFAULT_LOGIN
+  echo "$output"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/roles: can add $NEW_ROLE role to global scope granting rights in default org scope" {
+	run create_role 'global' $NEW_ROLE $DEFAULT_O_ID   
+  echo "$output"
+	[ "$status" -eq 0 ]
+}
+
+@test "boundary/roles: can not add already created $NEW_ROLE role" {
+	run create_role 'global' $NEW_ROLE $DEFAULT_O_ID   
+  echo "$output"
+	[ "$status" -eq 1 ]
+}
+
+@test "boundary/roles: can read $NEW_ROLE role" {
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+  echo "rid $rid"
+	run read_role $rid
+  echo "$output"
+	[ "$status" -eq 0 ]
+}
+
+@test "boundary/role/add-principals: can associate $NEW_ROLE role with default principal" {	
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+  run assoc_role_principal $DEFAULT_USER $rid
+  echo "$output"
+  [ "$status" -eq 0 ]
+}
+
+
+
+@test "boundary/role/add-principals: $NEW_ROLE role contains default principal" {	
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+  run role_has_principal_id $rid $DEFAULT_USER
+  echo "$output"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/role/remove-principals: can remove default principal from $NEW_ROLE role" {	
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+  run remove_role_principal $DEFAULT_USER $rid
+  echo "$output"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/role/remove-principals: $NEW_ROLE role no longer contains default principal" {	
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+  run role_has_principal_id $rid $DEFAULT_USER
+  echo "$output"
+  [ "$status" -eq 1 ]
+}
+
+@test "boundary/role/add-grants: can associate $NEW_ROLE role with $NEW_GRANT grant" {	
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+  run assoc_role_grant $NEW_GRANT $rid
+  echo "$output"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/role/add-grantss: $NEW_ROLE role contains $NEW_GRANT grant" {	
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+  run role_has_grant $rid $NEW_GRANT
+  echo "$output"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/role/remove-grants: can remove $NEW_GRANT grant from $NEW_ROLE role" {	
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+  run remove_role_grant $NEW_GRANT $rid
+  echo "$output"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/role/remove-grants: $NEW_ROLE role no longer contains $NEW_GRANT grant" {	
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+  run role_has_grant $rid $NEW_GRANT
+  echo "$output"
+  [ "$status" -eq 1 ]
+}
+
+@test "boundary/role: can delete $NEW_ROLE role" {
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+  run delete_role $rid 
+  echo "$output"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/role: can not delete already deleted $NEW_ROLE role" {
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+  run delete_role $rid 
+  echo "$output"
+  [ "$status" -eq 1 ]
+}
+
+@test "boundary/roles: can not read deleted $NEW_ROLE role" {
+  local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+	run read_role $rid
+  echo "$output"
+	[ "$status" -eq 1 ]
+}

internal/tests/cli/boundary/target.bats

@@ -7,7 +7,7 @@ load _helpers
 
 
 @test "boundary/login: can login as default user" {
-  run login $DEFAULT_USER
+  run login $DEFAULT_LOGIN
   [ "$status" -eq 0 ]
 }
 

internal/tests/cli/boundary/user.bats

@@ -8,7 +8,7 @@ load _helpers
 export NEW_USER='test'
 
 @test "boundary/login: can login as default user" {
-  run login $DEFAULT_USER
+  run login $DEFAULT_LOGIN
   [ "$status" -eq 0 ]
 }
 
@@ -57,14 +57,14 @@ export NEW_USER='test'
 }
 
 @test "boundary/user: can delete $NEW_USER user" {
-  login $DEFAULT_USER
+  login $DEFAULT_LOGIN
   local uid=$(user_id $NEW_USER)
   run delete_user $uid 
   [ "$status" -eq 0 ]
 }
 
 @test "boundary/user: can not delete already deleted $NEW_USER user" {
-  login $DEFAULT_USER
+  login $DEFAULT_LOGIN
   local uid=$(user_id $NEW_USER)
   run delete_user $uid 
   [ "$status" -eq 1 ]