From b3399c6fe8bfb3bd0301811a5224c94fcfcf1456 Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Thu, 15 Feb 2024 02:08:48 +0000 Subject: [PATCH] backport of commit c9c086dd6d8f2af994c9e6ad570b1cdc5bba5a82 --- .../handlers/accounts/account_service_test.go | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/internal/daemon/controller/handlers/accounts/account_service_test.go b/internal/daemon/controller/handlers/accounts/account_service_test.go index 363a666565..d9d811037f 100644 --- a/internal/daemon/controller/handlers/accounts/account_service_test.go +++ b/internal/daemon/controller/handlers/accounts/account_service_test.go @@ -1238,6 +1238,27 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListAccountsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId()) + unauthR := iam.TestRole(t, conn, pwt.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response is 403 forbidden. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(requestauth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = requestauth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo) + + _, err = s.ListAccounts(ctx, &pbs.ListAccountsRequest{ + AuthMethodId: authMethod.GetPublicId(), + }) + require.Error(t, err) + assert.Equal(t, handlers.ForbiddenError(), err) }) t.Run("oidc", func(t *testing.T) { 
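Review bot: The comments `// Create unauthenticated user` and `// Make a request with the unauthenticated user` describe the wrong failure mode: the request carries a valid bearer token minted by `authtoken.TestAuthToken`, so it is authenticated, and the user is merely unauthorized (a role with no grants), which is exactly why the assertion expects `handlers.ForbiddenError()` (403) rather than an unauthenticated (401) error. Suggest `// Create an authenticated user whose only role carries no grants` and `// Make a request as this user and ensure it is rejected with 403 Forbidden (valid token, no permission)` so a future reader does not "fix" the expected error to 401. The `_ = iam.TestUserRole(...)` discard would also benefit from a short note, e.g. `// role membership only; no grants are added on purpose`, since the otherwise-unused role is the point of the setup. The enclosing `TestListPagination` and the `t.Run` subtest this hunk sits in both start outside the hunk.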
@@ -1555,6 +1576,27 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListAccountsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId()) + unauthR := iam.TestRole(t, conn, pwt.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response is 403 forbidden. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(requestauth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = requestauth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo) + + _, err = s.ListAccounts(ctx, &pbs.ListAccountsRequest{ + AuthMethodId: authMethod.GetPublicId(), + }) + require.Error(t, err) + assert.Equal(t, handlers.ForbiddenError(), err) }) t.Run("ldap", func(t *testing.T) { 
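Review bot: The block overwrites the shared `requestInfo`, `requestContext` and `ctx` (assigned with `=`, not `:=`) with the no-grant user's identity and never restores them, so any assertion a later contributor appends to this subtest after the 403 check will silently run as the unprivileged user and fail for the wrong reason. Either keep these in locals (`unauthCtx := requestauth.NewVerifierContext(...)` and pass `unauthCtx` to `s.ListAccounts`) or add a comment stating that this must remain the last step of the subtest. The role from `iam.TestRole(t, conn, pwt.GetPublicId())` is created in a scope different from the token's org `o`; whether that scope choice is deliberate is not visible here and deserves a one-line comment. The enclosing subtest body starts outside the hunk.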
@@ -1869,6 +1911,27 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListAccountsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kmsCache, o.GetPublicId()) + unauthR := iam.TestRole(t, conn, pwt.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response is 403 forbidden. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(requestauth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = requestauth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kmsCache, &requestInfo) + + _, err = s.ListAccounts(ctx, &pbs.ListAccountsRequest{ + AuthMethodId: authMethod.GetPublicId(), + }) + require.Error(t, err) + assert.Equal(t, handlers.ForbiddenError(), err) }) }
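Review bot: This is the third verbatim copy of the same 21-line setup-and-assert sequence (also in the password and oidc subtests of this patch), which invites the three copies to drift apart when the token or verifier wiring changes; a small `t.Helper()` function such as `requireListAccountsForbidden(t, conn, kmsCache, o, pwt, authMethod, ...)` that builds the no-grant user, constructs the verifier context and performs the `s.ListAccounts` call would keep the three subtests in one place. That helper should take its own context rather than reassigning the subtest's shared `ctx`, so the calling subtest's identity is left intact. The `assert.Equal(t, handlers.ForbiddenError(), err)` comparison is exact and presumably relies on `ForbiddenError()` returning a stable value; if that helper ever wraps, `assert.ErrorIs`/`errors.Is` would be the safer check — confirm against the handler package. The enclosing subtest body starts outside the hunk.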