From e8ec30c318c83448f5d8bca3636adfa442b71522 Mon Sep 17 00:00:00 2001
From: Johan Brandhorst-Satzkorn
Date: Thu, 15 Feb 2024 02:10:02 +0000
Subject: [PATCH] backport of commit 1010cf2b311bd8d68521cb457a0a49a4160d0658

---
 .../handlers/hosts/host_service_test.go | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/internal/daemon/controller/handlers/hosts/host_service_test.go b/internal/daemon/controller/handlers/hosts/host_service_test.go
index 13f09d2020..02b89efd2d 100644
--- a/internal/daemon/controller/handlers/hosts/host_service_test.go
+++ b/internal/daemon/controller/handlers/hosts/host_service_test.go
@@ -867,6 +867,27 @@ func TestListPagination(t *testing.T) {
 protocmp.IgnoreFields(&pbs.ListHostsResponse{}, "list_token"),
 ),
 )
+
+ // Create unauthenticated user
+ unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId())
+ unauthR := iam.TestRole(t, conn, proj.GetPublicId())
+ _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+ // Make a request with the unauthenticated user,
+ // ensure the response contains the pagination parameters.
+ requestInfo := authpb.RequestInfo{
+ TokenFormat: uint32(auth.AuthTokenTypeBearer),
+ PublicId: unauthAt.GetPublicId(),
+ Token: unauthAt.GetToken(),
+ }
+ requestContext := context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+ ctx := auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+ _, err = s.ListHosts(ctx, &pbs.ListHostsRequest{
+ HostCatalogId: shc.GetPublicId(),
+ })
+ require.Error(t, err)
+ assert.ErrorIs(t, handlers.ForbiddenError(), err)
 })

 t.Run("plugin-hosts", func(t *testing.T) {
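Review bot: The final assertion `assert.ErrorIs(t, handlers.ForbiddenError(), err)` passes its arguments in the reverse of testify's `ErrorIs(t, err, target)` order, so it asks whether a freshly built forbidden error matches the returned one rather than whether the returned error is, or wraps, a forbidden error. Whether the reversed form still holds depends on how the handlers error type implements `Is`, which is not visible in this patch; for an access-control regression test the line should read `assert.ErrorIs(t, err, handlers.ForbiddenError())`. The same line closes the plugin-hosts hunk at -1044. The enclosing `t.Run` closure begins above this hunk.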
@@ -1044,6 +1065,26 @@ func TestListPagination(t *testing.T) {
 protocmp.IgnoreFields(&pbs.ListHostsResponse{}, "list_token"),
 ),
 )
+ // Create unauthenticated user
+ unauthAt := authtoken.TestAuthToken(t, conn, kms, org.GetPublicId())
+ unauthR := iam.TestRole(t, conn, proj.GetPublicId())
+ _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId())
+
+ // Make a request with the unauthenticated user,
+ // ensure the response contains the pagination parameters.
+ requestInfo := authpb.RequestInfo{
+ TokenFormat: uint32(auth.AuthTokenTypeBearer),
+ PublicId: unauthAt.GetPublicId(),
+ Token: unauthAt.GetToken(),
+ }
+ requestContext := context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{})
+ ctx := auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo)
+
+ _, err = s.ListHosts(ctx, &pbs.ListHostsRequest{
+ HostCatalogId: phc.GetPublicId(),
+ })
+ require.Error(t, err)
+ assert.ErrorIs(t, handlers.ForbiddenError(), err)
 })
 }
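Review bot: The comments `// Create unauthenticated user` and `// ensure the response contains the pagination parameters.` do not match the added lines: the caller presents a valid token from `authtoken.TestAuthToken`, is attached to a role on which no grants are visible, and the assertions expect a forbidden error. That is an authenticated but unauthorized caller, and the distinction matters when the test is read as evidence of access control on `ListHosts`. Suggest `// Create an authenticated user whose role carries no grants` and `// ensure ListHosts is rejected as forbidden.`, with `unauthAt`/`unauthR` renamed to match (for example `noGrantsAt`/`noGrantsR`). The same wording appears in the static-hosts hunk at -867.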