@@ -1138,7 +1138,8 @@ func TestGrants_Authentication(t *testing.T) {
11381138 iamRepo := iam .TestRepo (t , conn , wrap )
11391139 atRepo , err := authtoken .NewRepository (ctx , rw , rw , kmsCache )
11401140 require .NoError (t , err )
1141-
1141+ pwRepo , err := password .NewRepository (ctx , rw , rw , kmsCache )
1142+ require .NoError (t , err )
11421143 iamRepoFn := func () (* iam.Repository , error ) {
11431144 return iamRepo , nil
11441145 }
@@ -1149,7 +1150,7 @@ func TestGrants_Authentication(t *testing.T) {
11491150 return ldap .NewRepository (ctx , rw , rw , kmsCache )
11501151 }
11511152 pwRepoFn := func () (* password.Repository , error ) {
1152- return password . NewRepository ( ctx , rw , rw , kmsCache )
1153+ return pwRepo , nil
11531154 }
11541155 atRepoFn := func () (* authtoken.Repository , error ) {
11551156 return atRepo , nil
@@ -1170,9 +1171,6 @@ func TestGrants_Authentication(t *testing.T) {
11701171 require .NoError (t , err )
11711172 org1 , p1 := iam .TestScopes (t , iamRepo )
11721173
1173- pwRepo , err := pwRepoFn ()
1174- require .NoError (t , err )
1175-
11761174 // We need a sys eventer in order to authenticate
11771175 eventConfig := event .TestEventerConfig (t , "TestGrants_WriteActions" , event .TestWithObservationSink (t ))
11781176 testLock := & sync.Mutex {}
@@ -1189,18 +1187,17 @@ func TestGrants_Authentication(t *testing.T) {
11891187 })
11901188
11911189 testcases := []struct {
1192- name string
1193- scopeId string
1194- input * pbs.AuthenticateRequest
1195- userFunc func () (* iam.User , auth.Account )
1196- rolesToCreate []authtoken.TestRoleGrantsForToken
1197- wantErr error
1190+ name string
1191+ scopeId string
1192+ input * pbs.AuthenticateRequest
1193+ userFunc func () (* iam.User , auth.Account )
1194+ wantErr error
11981195 }{
11991196 {
12001197 name : "global role grant this and children can authenticate against a global auth method" ,
12011198 scopeId : globals .GlobalPrefix ,
12021199 input : & pbs.AuthenticateRequest {
1203- TokenType : "token" ,
1200+ Type : "token" ,
12041201 Attrs : & pbs.AuthenticateRequest_PasswordLoginAttributes {
12051202 PasswordLoginAttributes : & pbs.PasswordLoginAttributes {
12061203 LoginName : testLoginName ,
@@ -1215,50 +1212,49 @@ func TestGrants_Authentication(t *testing.T) {
12151212 GrantScopes : []string {globals .GrantScopeThis , globals .GrantScopeChildren },
12161213 },
12171214 }),
1218- rolesToCreate : []authtoken.TestRoleGrantsForToken {{
1219- RoleScopeId : globals .GlobalPrefix ,
1220- GrantStrings : []string {"ids=*;type=auth-method;actions=authenticate" },
1221- GrantScopes : []string {globals .GrantScopeThis , globals .GrantScopeChildren },
1222- }},
12231215 },
12241216 {
12251217 name : "org role can't authenticate against a global auth method" ,
12261218 scopeId : globals .GlobalPrefix ,
12271219 input : & pbs.AuthenticateRequest {
1228- TokenType : "token" ,
1220+ Type : "token" ,
12291221 Attrs : & pbs.AuthenticateRequest_PasswordLoginAttributes {
12301222 PasswordLoginAttributes : & pbs.PasswordLoginAttributes {
12311223 LoginName : testLoginName ,
12321224 Password : testPassword ,
12331225 },
12341226 },
12351227 },
1236- rolesToCreate : []authtoken.TestRoleGrantsForToken {{
1237- RoleScopeId : org1 .PublicId ,
1238- GrantStrings : []string {"ids=*;type=auth-method;actions=authenticate" },
1239- GrantScopes : []string {globals .GrantScopeThis },
1240- }},
1228+ userFunc : iam .TestUserDirectGrantsFunc (t , conn , kmsCache , globals .GlobalPrefix , password .TestAuthMethodWithAccount , []iam.TestRoleGrantsRequest {
1229+ {
1230+ RoleScopeId : org1 .PublicId ,
1231+ Grants : []string {"ids=*;type=auth-method;actions=authenticate" },
1232+ GrantScopes : []string {globals .GrantScopeThis },
1233+ },
1234+ }),
12411235 wantErr : handlers .ForbiddenError (),
12421236 },
12431237 {
12441238 name : "no grants returns 403 error for a global auth method" ,
12451239 scopeId : globals .GlobalPrefix ,
12461240 input : & pbs.AuthenticateRequest {
1247- TokenType : "token" ,
1241+ Type : "token" ,
12481242 Attrs : & pbs.AuthenticateRequest_PasswordLoginAttributes {
12491243 PasswordLoginAttributes : & pbs.PasswordLoginAttributes {
12501244 LoginName : testLoginName ,
12511245 Password : testPassword ,
12521246 },
12531247 },
12541248 },
1255- wantErr : handlers .ForbiddenError (),
1249+ userFunc : iam .TestUserDirectGrantsFunc (t , conn , kmsCache , globals .GlobalPrefix , password .TestAuthMethodWithAccount , []iam.TestRoleGrantsRequest {}),
1250+ wantErr : handlers .ForbiddenError (),
12561251 },
12571252 {
1258- name : "org auth methods, by default, grant anyone permission to authenticate (and list) auth methods" ,
1259- scopeId : org1 .PublicId ,
1253+ name : "org auth methods, by default, grant anyone permission to authenticate (and list) auth methods" ,
1254+ scopeId : org1 .PublicId ,
1255+ userFunc : iam .TestUserDirectGrantsFunc (t , conn , kmsCache , globals .GlobalPrefix , password .TestAuthMethodWithAccount , []iam.TestRoleGrantsRequest {}),
12601256 input : & pbs.AuthenticateRequest {
1261- TokenType : "token" ,
1257+ Type : "token" ,
12621258 Attrs : & pbs.AuthenticateRequest_PasswordLoginAttributes {
12631259 PasswordLoginAttributes : & pbs.PasswordLoginAttributes {
12641260 LoginName : testLoginName ,
@@ -1271,90 +1267,83 @@ func TestGrants_Authentication(t *testing.T) {
12711267 name : "project role can authenticate against org auth methods because by default, org auth methods grant anyone permission to authenticate (and list) auth methods" ,
12721268 scopeId : org1 .PublicId ,
12731269 input : & pbs.AuthenticateRequest {
1274- TokenType : "token" ,
1270+ Type : "token" ,
12751271 Attrs : & pbs.AuthenticateRequest_PasswordLoginAttributes {
12761272 PasswordLoginAttributes : & pbs.PasswordLoginAttributes {
12771273 LoginName : testLoginName ,
12781274 Password : testPassword ,
12791275 },
12801276 },
12811277 },
1282- rolesToCreate : []authtoken.TestRoleGrantsForToken {{
1283- RoleScopeId : p1 .PublicId ,
1284- GrantStrings : []string {"ids=*;type=auth-method;actions=authenticate" },
1285- GrantScopes : []string {globals .GrantScopeThis },
1286- }},
1278+ userFunc : iam .TestUserDirectGrantsFunc (t , conn , kmsCache , globals .GlobalPrefix , password .TestAuthMethodWithAccount , []iam.TestRoleGrantsRequest {
1279+ {
1280+ RoleScopeId : p1 .PublicId ,
1281+ Grants : []string {"ids=*;type=auth-method;actions=authenticate" },
1282+ GrantScopes : []string {globals .GrantScopeThis },
1283+ },
1284+ }),
12871285 },
12881286 {
12891287 name : "granting authenticate again at the org scope allows authentication" ,
12901288 scopeId : org1 .PublicId ,
12911289 input : & pbs.AuthenticateRequest {
1292- TokenType : "token" ,
1290+ Type : "token" ,
12931291 Attrs : & pbs.AuthenticateRequest_PasswordLoginAttributes {
12941292 PasswordLoginAttributes : & pbs.PasswordLoginAttributes {
12951293 LoginName : testLoginName ,
12961294 Password : testPassword ,
12971295 },
12981296 },
12991297 },
1300- rolesToCreate : []authtoken.TestRoleGrantsForToken {{
1301- RoleScopeId : org1 .PublicId ,
1302- GrantStrings : []string {"ids=*;type=auth-method;actions=authenticate" },
1303- GrantScopes : []string {globals .GrantScopeThis },
1304- }},
1298+ userFunc : iam .TestUserDirectGrantsFunc (t , conn , kmsCache , globals .GlobalPrefix , password .TestAuthMethodWithAccount , []iam.TestRoleGrantsRequest {
1299+ {
1300+ RoleScopeId : org1 .PublicId ,
1301+ Grants : []string {"ids=*;type=auth-method;actions=authenticate" },
1302+ GrantScopes : []string {globals .GrantScopeThis },
1303+ },
1304+ }),
13051305 },
13061306 {
13071307 name : "project role can't authenticate against global auth methods" ,
13081308 scopeId : globals .GlobalPrefix ,
13091309 input : & pbs.AuthenticateRequest {
1310- TokenType : "token" ,
1310+ Type : "token" ,
13111311 Attrs : & pbs.AuthenticateRequest_PasswordLoginAttributes {
13121312 PasswordLoginAttributes : & pbs.PasswordLoginAttributes {
13131313 LoginName : testLoginName ,
13141314 Password : testPassword ,
13151315 },
13161316 },
13171317 },
1318- rolesToCreate : []authtoken.TestRoleGrantsForToken {{
1319- RoleScopeId : p1 .PublicId ,
1320- GrantStrings : []string {"ids=*;type=auth-method;actions=authenticate" },
1321- GrantScopes : []string {globals .GrantScopeThis },
1322- }},
1318+ userFunc : iam .TestUserDirectGrantsFunc (t , conn , kmsCache , globals .GlobalPrefix , password .TestAuthMethodWithAccount , []iam.TestRoleGrantsRequest {
1319+ {
1320+ RoleScopeId : p1 .PublicId ,
1321+ Grants : []string {"ids=*;type=auth-method;actions=authenticate" },
1322+ GrantScopes : []string {globals .GrantScopeThis },
1323+ },
1324+ }),
13231325 wantErr : handlers .ForbiddenError (),
13241326 },
13251327 }
13261328
13271329 for _ , tc := range testcases {
13281330 t .Run (tc .name , func (t * testing.T ) {
1329- // Create auth method
1330- if tc .scopeId == globals .GlobalPrefix {
1331- tc .input .AuthMethodId = password .TestAuthMethod (t , conn , globals .GlobalPrefix ).PublicId
1332- } else {
1333- tc .input .AuthMethodId = password .TestAuthMethod (t , conn , org1 .PublicId ).PublicId
1334- }
1335-
1336- // Create account for the auth method
1337- account , err := password .NewAccount (ctx , tc .input .AuthMethodId , password .WithLoginName (testLoginName ))
1331+ // set up an identity that we'll use to call authenticate request on. We'll use this credentials
1332+ // and auth method to make authenticate request on
1333+ tc .input .AuthMethodId = password .TestAuthMethod (t , conn , tc .scopeId ).PublicId
1334+ newAcct , err := password .NewAccount (ctx , tc .input .AuthMethodId , password .WithLoginName (testLoginName ))
13381335 require .NoError (t , err )
1339- account , err = pwRepo .CreateAccount (context .Background (), tc .scopeId , account , password .WithPassword (testPassword ))
1336+ acctToLogin , err : =pwRepo .CreateAccount (context .Background (), tc .scopeId , newAcct , password .WithPassword (testPassword ))
13401337 require .NoError (t , err )
1341- require . NotNil (t , account )
1338+ user := iam . TestUser (t , iamRepo , tc . scopeId , iam . WithAccountIds ( acctToLogin . PublicId ) )
13421339
1343- // Create user linked to the account
1344- user := iam .TestUser (t , iamRepo , tc .scopeId , iam .WithAccountIds (account .PublicId ))
1345-
1346- // Create the desired role/grants for the user
1347- for _ , roleToCreate := range tc .rolesToCreate {
1348- role := iam .TestRoleWithGrants (t , conn , roleToCreate .RoleScopeId , roleToCreate .GrantScopes , roleToCreate .GrantStrings )
1349- iam .TestUserRole (t , conn , role .PublicId , user .PublicId )
1350- }
1351-
1352- // Create auth token for the user
1353- tok , err := atRepo .CreateAuthToken (ctx , user , account .PublicId )
1340+ // set up an identity that we'll use to call authenticate request
1341+ // Authentication API will rely on this user's grants to authorize the request
1342+ user , acctLoggingIn := tc .userFunc ()
1343+ tok , err := atRepo .CreateAuthToken (ctx , user , acctLoggingIn .GetPublicId ())
13541344 require .NoError (t , err )
1355- ctx := controllerauth .TestAuthContextFromToken (t , conn , wrap , tok , iamRepo )
1356-
1357- _ , err = s .Authenticate (ctx , tc .input )
1345+ fullGrantAuthCtx := controllerauth .TestAuthContextFromToken (t , conn , wrap , tok , iamRepo )
1346+ _ , err = s .Authenticate (fullGrantAuthCtx , tc .input )
13581347 if tc .wantErr != nil {
13591348 require .ErrorIs (t , err , tc .wantErr )
13601349 return
0 commit comments