boundary

Commit Graph

Author	SHA1	Message	Date
Jim	8d6dee09a9	refact: Add db.DB wrapper and refact all test fixtures to use it. (#1535 ) * refact: Changes required for gorm v2 * refact: Add db.DB wrapper and refact all test fixtures to use it Stop leaking the gorm abstraction within our unit tests. * refact: Migrate direct calls to pq to pgx driver The refactor will remove the remaining direct dependencies on the pq driver which has been deprecated in favor of the pgx driver. It includes the addition of common.SqlOpen which is a wrapper around sql.Open, which is needed to deal with the driver name changing from "postgres" to "pgx" but in our code base the dialect and driver are synonyms.	5 years ago
Jim	136ac00b49	refact: Changes required for gorm v2 (#1528 )	5 years ago
Jeff Mitchell	7fc712de44	Bump protoc	5 years ago
Jeff Mitchell	2649d1b966	Move protooptions to sdk/pbs (#1486 ) This prevents a reverse dependency from sdk on the main module.	5 years ago
Todd Knight	39cc245966	Make gen after make tools. Includes make fmt of existing non generated files. (#1438 )	5 years ago
s-christoff	6b78108ecf	Update primary error functions to take a context, deprecate old functions (#1358 ) * add new error funcs which take a ctx and deprecate existing funcs * use context where available when writing error events * remove circular internal/errors pkg dep * suppress some chatty errors using errors.WithoutEvent() * convert auth oidc funcs to take context where needed to write events Co-authored-by: Jim <jlambert@hashicorp.com>	5 years ago
Jeff Mitchell	ce52acb968	Update strutil import	5 years ago
Jeff Mitchell	2cbcf9a563	Update usage of shared-secure-libs (#1393 )	5 years ago
Jeff Mitchell	4d27b58d2d	Add managed groups test (#1289 )	5 years ago
Jeff Mitchell	b513f21153	Add test for GrantsForUser (#1287 ) * Start of test * Add a test for existing GrantsForUser functionality. The test has randomization built in to allocate users across groups and both users and groups across roles. It tracks which users and groups have been assigned to which roles, then ensures that GrantsForUser returns the correct set of roles for a given user. This required modifying the CTE in GrantsForUser to return role_id as well. This doesn't test managed groups yet, that will come in a follow-on PR.	5 years ago
Jeff Mitchell	9ecc384007	Add managed group support to role principals (#1270 )	5 years ago
Michael Gaffney	094bdcdd2b	protobuf: remove unused imports (#1267 ) This removes unused imports in the protobuf files which are reported as warnings by the protoc compiler.	5 years ago
Jeff Mitchell	e6af51943d	Add read:self and delete:self to auth tokens and add logout command (#1162 )	5 years ago
Michael Gaffney	3fe94335d4	Run make fmt	5 years ago
Jeff Mitchell	727d1c7085	Add "no-op" action and use it as default for scope permissions (#1138 ) Because of listing visibility, if no actions are assigned to a user for an individual resource, it's excluded from the list. This is fine and good. However, when we made a change in 0.2.0 to restrict the information returned from listing for the anonymous user for scopes and auth methods, it exposed the fact that because of the way this visibility works we had to add `read` to scopes by default -- thereby rather defeating the purpose of restricting what goes back to `u_anon` requests. The purpose of "no-op" is to never be used for real actions within the API, but as something that can be granted to specifically enable visibility for the targeted user. This makes the controls over list visibility much more granular.	5 years ago
Jim	3ee651deab	fix primary account data returned for users when a passwd auth method is the primary auth method (#1154 )	5 years ago
Jim	75108cbc8b	Ongoing OIDC: return the primary account info along with the user. (#1145 )	5 years ago
Jim	358f5a61fb	bump protoc to v3.15.8 (#1147 )	5 years ago
Jeff Mitchell	be10cc4b42	Update grpc/proto deps (#1136 ) * Update grpc/proto deps * Make gen	5 years ago
Jeff Mitchell	c57841fa2e	Update wording for user not found to indicate the auth method isn't primary for the scope	5 years ago
Jim	dd0f34bc35	Add new OIDC auth method. (#1090 ) Co-authored-by: Todd Knight <T.Alan.Knight@gmail.com> Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com>	5 years ago
Michael Gaffney	aafbada3ae	Remove calls to `t.Helper()` from test methods (not helpers) (#1063 )	5 years ago
Louis Ruch	93bad3cb83	400 if account already assocaited (#1048 )	5 years ago
Jeff Mitchell	3c430678ae	Fix test scope errors (#1029 ) When using a disabled verifier context we were faking scope information. Due to other recent changes, this was now causing test errors. This adjusts that flow to actually query the DB, fixing tests and making them more like real code.	5 years ago
Jeff Mitchell	aa570f4e48	Honor child scope list permissions when recursing (#1016 ) Current behavior is that you need list grant on the parent scope when recursively listing, and this is sufficient. This is good for administrative workflows but can be unintuitive for resources that only exist at a project level. This change allows permissions on the child scope to also be taken into account, so that you can start a recursive list from a parent scope without direct list support on that scope but still get back child scopes for which list access is granted. This also fixes a bug where visibility of a scope for recursive listing would be based on whether the user had list resources for roles within that scope instead of for the resource type in question.	5 years ago
Jeff Mitchell	fcbf372881	Bump proto/grpc deps (#1017 ) * Bump proto/grpc deps * Back out buf change * Run make gen	5 years ago
Jeff Mitchell	22462cdd84	Add read:self and cancel:self to sessions; add dev unpriv user (#923 ) * Sessions support for read:self and cancel:self permissions. This is automatic with fallback; no API change is needed. * Strips out values from listing if only self actions are allowed on the resource and the user ID is different. This prevents a default ACL of id=;type=session;actions=read:self,cancel:self from causing all values to be visible when listing. Adds an unprivileged user to development/testing instances. This user has only default permissions plus the ability to authorize sessions in the default target.	5 years ago
Louis Ruch	ff1293b983	Don't leak user ids in error messages (#916 )	5 years ago
Jeff Mitchell	cb3980cb8c	Remove list:self from main (#915 ) * Remove list:self from main As per futher discussions, we won't be supporting this, in favor of simply read:self and cancel:self (since listing now already filters out items on which you have no permissions). This doesn't remove list:self entirely from the code base as much of that will simply be converted to read:self and cancel:self -- that will be in a later PR. However, with this removed if we want to release we won't expose an API publicly that isn't going to stick around.	5 years ago
Louis Ruch	628a02ad15	Scope role grants (#913 ) * Add scope read grant to default roles * Update CHANGELOG.md Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	5 years ago
Jeff Mitchell	1afa3a4b6c	Disallow an invalid grant format (#914 )	5 years ago
Louis Ruch	178d4efa64	ICU-745/Refactor internal/session to new domain errors (#877 ) * Refactor internal/sessions to use domain errors	5 years ago
Todd Knight	02cd972043	Create Sessions List Self Action (#888 )	5 years ago
Jeff Mitchell	6cd97a4a6e	Add support for recursive listing (#885 )	5 years ago
Jeff Mitchell	6b58a3317d	Add recursive listing to roles (#881 ) This also lays the framework for adding recursive listing to the rest of the resources.	5 years ago
Jeff Mitchell	ee33a18caa	Add scope repo function to recursively list (#879 ) A simple function that returns an appropriate set of scopes based on the incoming scope ID. Includes a test.	5 years ago
Louis Ruch	8151b30ce9	ICU-743/Domain errors internal/kms refactor (#848 ) * Domain errors internal/kms refactor * Update changelog * Update internal/host error op * Incorrect error returned in read_writer	5 years ago
Jeff Mitchell	84c617dc49	Run make gen after the gofumpt update	5 years ago
Michael Gaffney	94cb79bbdd	See how Boundary would look with gofumpt applied (#853 ) * See how Boundary would look with https://github.com/mvdan/gofumpt applied Results of running `gofumpt -w -s .` * Update tools file and Makefile for gofumpt Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	5 years ago
Louis Ruch	70a5899e99	ICU-739/iam domain error refactor (#841 ) * Refactor iam errors * Update db and host doTx error ops * Changelog	5 years ago
Louis Ruch	bfbb179741	ICU-738/Refactor internal/db to domain errors (#815 ) * Refactor internal/db to domain errors	5 years ago
Jeff Mitchell	11b821a200	Bump deps (#818 )	5 years ago
Jim	af6ef1b687	Refactor existing sentinel errors (#774 )	6 years ago
Jeff Mitchell	13631064fc	Don't create a default role when the scope being created is a project (#658 ) * Don't create a default role when the scope being created is a project * Fix up some more tests	6 years ago
Jeff Mitchell	fa700dc002	Add account ID templating (#518 ) * Remove default role and create via the same mechanism as other initial resources	6 years ago
Jeff Mitchell	6ddfe407a3	Update allowed formats of ACL strings (#508 )	6 years ago
Jim	1e71c55920	deprecate access to underlying *sql.DB via internal/db.DB() (#506 )	6 years ago
Jeff Mitchell	cefea936c3	Update ACLs to allow type=*. (#504 )	6 years ago
Jeff Mitchell	a38f40606e	Create default roles in scopes to allow authentication and listing scopes/auth methods (#502 )	6 years ago
Todd Knight	0eb35f49d5	Correcting a bunch of incorrect documentation for the different API services and resources. (#494 )	6 years ago

1 2 3

144 Commits (1cf94d0e3edd25f412ffdb618b0e2116a7c343ea)