
Commit 10c41f0

committed
test: credentials store grants (#5592)
* first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role creation logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * save * add list tests * add get test * add create and delete test * add delete and update tests * more tests * fix 
collection_authorized_actions grants not resolving * complete output_fields tests * fix import groups * make gen * fixed broken tests * fix rebase * switch all tests to TestUserGroupGrantsFunc * remove duplicate test
1 parent d4fecb5 commit 10c41f0


2 files changed

+1717
-95
lines changed


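--- a/internal/daemon/controller/handlers/credentialstores/credentialstore_service.go
+++ b/internal/daemon/controller/handlers/credentialstores/credentialstore_service.go
@@ -324,7 +324,7 @@ func (s Service) GetCredentialStore(ctx context.Context, req *pbs.GetCredentialS
 outputOpts = append(outputOpts, handlers.WithAuthorizedActions(authResults.FetchActionSetForId(ctx, cs.GetPublicId(), IdActions).Strings()))
 }
 if outputFields.Has(globals.AuthorizedCollectionActionsField) {
-collectionActions, err := calculateAuthorizedCollectionActions(ctx, authResults, cs.GetPublicId())
+collectionActions, err := calculateAuthorizedCollectionActions(ctx, authResults, authResults.Scope, cs.GetPublicId())
 if err != nil {
 return nil, err
 }
@@ -369,7 +369,7 @@ func (s Service) CreateCredentialStore(ctx context.Context, req *pbs.CreateCrede
 outputOpts = append(outputOpts, handlers.WithAuthorizedActions(authResults.FetchActionSetForId(ctx, cs.GetPublicId(), IdActions).Strings()))
 }
 if outputFields.Has(globals.AuthorizedCollectionActionsField) {
-collectionActions, err := calculateAuthorizedCollectionActions(ctx, authResults, cs.GetPublicId())
+collectionActions, err := calculateAuthorizedCollectionActions(ctx, authResults, authResults.Scope, cs.GetPublicId())
 if err != nil {
 return nil, err
 }
@@ -417,7 +417,7 @@ func (s Service) UpdateCredentialStore(ctx context.Context, req *pbs.UpdateCrede
 outputOpts = append(outputOpts, handlers.WithAuthorizedActions(authResults.FetchActionSetForId(ctx, cs.GetPublicId(), IdActions).Strings()))
 }
 if outputFields.Has(globals.AuthorizedCollectionActionsField) {
-collectionActions, err := calculateAuthorizedCollectionActions(ctx, authResults, cs.GetPublicId())
+collectionActions, err := calculateAuthorizedCollectionActions(ctx, authResults, authResults.Scope, cs.GetPublicId())
 if err != nil {
 return nil, err
 }
@@ -697,7 +697,7 @@ func newOutputOpts(
 outputOpts = append(outputOpts, handlers.WithAuthorizedActions(authorizedActions))
 }
 if outputFields.Has(globals.AuthorizedCollectionActionsField) {
-collectionActions, err := calculateAuthorizedCollectionActions(ctx, authResults, item.GetPublicId())
+collectionActions, err := calculateAuthorizedCollectionActions(ctx, authResults, authzScopes[item.GetProjectId()], item.GetPublicId())
 if err != nil {
 return nil, false, err
 }
@@ -1000,15 +1000,15 @@ func validateListRequest(ctx context.Context, req *pbs.ListCredentialStoresReque
 return nil
 }
 
-func calculateAuthorizedCollectionActions(ctx context.Context, authResults auth.VerifyResults, id string) (map[string]*structpb.ListValue, error) {
+func calculateAuthorizedCollectionActions(ctx context.Context, authResults auth.VerifyResults, itemScopeInfo *scopes.ScopeInfo, itemId string) (map[string]*structpb.ListValue, error) {
 var collectionActions map[string]*structpb.ListValue
 var err error
-switch globals.ResourceInfoFromPrefix(id).Subtype {
+switch globals.ResourceInfoFromPrefix(itemId).Subtype {
 case vault.Subtype:
-collectionActions, err = auth.CalculateAuthorizedCollectionActions(ctx, authResults, vaultCollectionTypeMap, authResults.Scope, id)
+collectionActions, err = auth.CalculateAuthorizedCollectionActions(ctx, authResults, vaultCollectionTypeMap, itemScopeInfo, itemId)
 
 case static.Subtype:
-collectionActions, err = auth.CalculateAuthorizedCollectionActions(ctx, authResults, staticCollectionTypeMap, authResults.Scope, id)
+collectionActions, err = auth.CalculateAuthorizedCollectionActions(ctx, authResults, staticCollectionTypeMap, itemScopeInfo, itemId)
 }
 if err != nil {
 return nil, err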
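Review bot: In the `newOutputOpts` hunk (new line 700) the scope handed down is `authzScopes[item.GetProjectId()]`, and the lookup result is used without checking that the key is present. `authzScopes` is declared outside the hunk; if it is a map of `*scopes.ScopeInfo`, an item whose project is missing from it would pass a nil scope into `auth.CalculateAuthorizedCollectionActions`, which may panic or evaluate grants against no scope at all. I would use the two-value form, `scopeInfo, ok := authzScopes[item.GetProjectId()]`, return an error when `ok` is false, and pass `scopeInfo` on, so the authorized collection actions are never derived from an unknown scope. The body of `newOutputOpts` begins and ends outside the hunk, so an earlier guard may already cover this.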
