Commit df343de

Browse files
committed
add pinned ID test
1 parent e8032e0 commit df343de

File tree

1 file changed

+92
-74
lines changed

1 file changed

+92
-74
lines changed

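--- a/internal/daemon/controller/handlers/authmethods/grants_test.go
+++ b/internal/daemon/controller/handlers/authmethods/grants_test.go
@@ -768,6 +768,8 @@ func TestGrants_Create(t *testing.T) {
 }
 }
 
+type directGrantUserAccountSetup func() (*iam.User, auth.Account)
+
 func TestGrants_Update(t *testing.T) {
 ctx := context.Background()
 conn, _ := db.TestSetup(t, "postgres")
@@ -812,18 +814,29 @@ func TestGrants_Update(t *testing.T) {
 
 testcases := []struct {
 name string
-userFunc func() (*iam.User, auth.Account)
+setupFunc func(t *testing.T) (directGrantUserAccountSetup, map[string]expectedOutput)
 canUpdateAuthMethod func(t *testing.T) map[string]expectedOutput
 }{
 {
 name: "global role grant this and children can update global auth method",
-userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
-{
-RoleScopeId: globals.GlobalPrefix,
-Grants: []string{"ids=*;type=auth-method;actions=update;output_fields=id,scope_id,name,description,type,version"},
-GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
-},
-}),
+setupFunc: func(t *testing.T) (directGrantUserAccountSetup, map[string]expectedOutput) {
+globalAmId := password.TestAuthMethod(t, conn, globals.GlobalPrefix).PublicId
+org1AmId := password.TestAuthMethod(t, conn, org1.PublicId).PublicId
+org2AmId := password.TestAuthMethod(t, conn, org2.PublicId).PublicId
+wantOutput := map[string]expectedOutput{
+globalAmId: {wantOutfields: []string{globals.IdField, globals.ScopeIdField, globals.NameField, globals.DescriptionField, globals.TypeField, globals.VersionField}},
+org1AmId: {wantOutfields: []string{globals.IdField, globals.ScopeIdField, globals.NameField, globals.DescriptionField, globals.TypeField, globals.VersionField}},
+org2AmId: {wantOutfields: []string{globals.IdField, globals.ScopeIdField, globals.NameField, globals.DescriptionField, globals.TypeField, globals.VersionField}},
+}
+userAccountFunc := iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
+{
+RoleScopeId: globals.GlobalPrefix,
+Grants: []string{"ids=*;type=auth-method;actions=update;output_fields=id,scope_id,name,description,type,version"},
+GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
+},
+})
+return userAccountFunc, wantOutput
+},
 canUpdateAuthMethod: func(t *testing.T) map[string]expectedOutput {
 globalAmId := password.TestAuthMethod(t, conn, globals.GlobalPrefix).PublicId
 org1AmId := password.TestAuthMethod(t, conn, org1.PublicId).PublicId
@@ -837,141 +850,146 @@ func TestGrants_Update(t *testing.T) {
 },
 {
 name: "global role grant this & org role grant this can update their respective auth methods",
-userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
-{
-RoleScopeId: globals.GlobalPrefix,
-Grants: []string{"ids=*;type=auth-method;actions=update;output_fields=id,name,description,version"},
-GrantScopes: []string{globals.GrantScopeThis},
-},
-{
-RoleScopeId: org1.PublicId,
-Grants: []string{"ids=*;type=auth-method;actions=update;output_fields=id,scope_id,type,version"},
-GrantScopes: []string{globals.GrantScopeThis},
-},
-}),
-canUpdateAuthMethod: func(t *testing.T) map[string]expectedOutput {
+setupFunc: func(t *testing.T) (directGrantUserAccountSetup, map[string]expectedOutput) {
 globalAmId := password.TestAuthMethod(t, conn, globals.GlobalPrefix).PublicId
 org1AmId := password.TestAuthMethod(t, conn, org1.PublicId).PublicId
 org2AmId := password.TestAuthMethod(t, conn, org2.PublicId).PublicId
-return map[string]expectedOutput{
+wantOutput := map[string]expectedOutput{
 globalAmId: {wantOutfields: []string{globals.IdField, globals.NameField, globals.DescriptionField, globals.VersionField}},
 org1AmId: {wantOutfields: []string{globals.IdField, globals.ScopeIdField, globals.TypeField, globals.VersionField}},
 org2AmId: {wantErr: handlers.ForbiddenError()},
 }
+userAccountFunc := iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
+{
+RoleScopeId: globals.GlobalPrefix,
+Grants: []string{"ids=*;type=auth-method;actions=update;output_fields=id,name,description,version"},
+GrantScopes: []string{globals.GrantScopeThis},
+},
+{
+RoleScopeId: org1.PublicId,
+Grants: []string{"ids=*;type=auth-method;actions=update;output_fields=id,scope_id,type,version"},
+GrantScopes: []string{globals.GrantScopeThis},
+},
+})
+return userAccountFunc, wantOutput
 },
 },
 {
 name: "org role can't update global auth methods",
-userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
-{
-RoleScopeId: org1.PublicId,
-Grants: []string{"ids=*;type=auth-method;actions=update;output_fields=id,version,created_time,updated_time"},
-GrantScopes: []string{globals.GrantScopeThis},
-},
-}),
-canUpdateAuthMethod: func(t *testing.T) map[string]expectedOutput {
+setupFunc: func(t *testing.T) (directGrantUserAccountSetup, map[string]expectedOutput) {
 globalAmId := password.TestAuthMethod(t, conn, globals.GlobalPrefix).PublicId
 org1AmId := password.TestAuthMethod(t, conn, org1.PublicId).PublicId
 org2AmId := password.TestAuthMethod(t, conn, org2.PublicId).PublicId
-return map[string]expectedOutput{
+wantOutput := map[string]expectedOutput{
 globalAmId: {wantErr: handlers.ForbiddenError()},
 org1AmId: {wantOutfields: []string{globals.IdField, globals.VersionField, globals.CreatedTimeField, globals.UpdatedTimeField}},
 org2AmId: {wantErr: handlers.ForbiddenError()},
 }
+userAccountFunc := iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
+{
+RoleScopeId: org1.PublicId,
+Grants: []string{"ids=*;type=auth-method;actions=update;output_fields=id,version,created_time,updated_time"},
+GrantScopes: []string{globals.GrantScopeThis},
+},
+})
+return userAccountFunc, wantOutput
 },
 },
 {
 name: "global role grant children of global auth method's id can only update children auth methods",
-userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
-{
-RoleScopeId: globals.GlobalPrefix,
-Grants: []string{"ids=*;type=auth-method;actions=update;output_fields=id"},
-GrantScopes: []string{globals.GrantScopeChildren},
-},
-}),
-canUpdateAuthMethod: func(t *testing.T) map[string]expectedOutput {
+setupFunc: func(t *testing.T) (directGrantUserAccountSetup, map[string]expectedOutput) {
 globalAmId := password.TestAuthMethod(t, conn, globals.GlobalPrefix).PublicId
 org1AmId := password.TestAuthMethod(t, conn, org1.PublicId).PublicId
 org2AmId := password.TestAuthMethod(t, conn, org2.PublicId).PublicId
-return map[string]expectedOutput{
+wantOutput := map[string]expectedOutput{
 globalAmId: {wantErr: handlers.ForbiddenError()},
 org1AmId: {wantOutfields: []string{globals.IdField}},
-org2AmId: {wantOutfields: []string{globals.IdField}},
+org2AmId: {wantErr: handlers.ForbiddenError()},
 }
+userAccountFunc := iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
+{
+RoleScopeId: globals.GlobalPrefix,
+Grants: []string{
+fmt.Sprintf("ids=%s;type=auth-method;actions=update;output_fields=id", org1AmId),
+},
+GrantScopes: []string{globals.GrantScopeChildren},
+},
+})
+return userAccountFunc, wantOutput
 },
 },
 {
 name: "incorrect grants returns 403 error",
-userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
-{
-RoleScopeId: globals.GlobalPrefix,
-Grants: []string{"ids=*;type=auth-method;actions=list,read,create"},
-GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
-},
-{
-RoleScopeId: org1.PublicId,
-Grants: []string{"ids=*;type=auth-method;actions=list,read,create"},
-GrantScopes: []string{globals.GrantScopeThis},
-},
-}),
-canUpdateAuthMethod: func(t *testing.T) map[string]expectedOutput {
+setupFunc: func(t *testing.T) (directGrantUserAccountSetup, map[string]expectedOutput) {
 globalAmId := password.TestAuthMethod(t, conn, globals.GlobalPrefix).PublicId
 org1AmId := password.TestAuthMethod(t, conn, org1.PublicId).PublicId
 org2AmId := password.TestAuthMethod(t, conn, org2.PublicId).PublicId
-
-return map[string]expectedOutput{
+wantOutput := map[string]expectedOutput{
 globalAmId: {wantErr: handlers.ForbiddenError()},
 org1AmId: {wantErr: handlers.ForbiddenError()},
 org2AmId: {wantErr: handlers.ForbiddenError()},
 }
+userAccountFunc := iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
+{
+RoleScopeId: globals.GlobalPrefix,
+Grants: []string{"ids=*;type=auth-method;actions=list,read,create"},
+GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
+},
+{
+RoleScopeId: org1.PublicId,
+Grants: []string{"ids=*;type=auth-method;actions=list,read,create"},
+GrantScopes: []string{globals.GrantScopeThis},
+},
+})
+return userAccountFunc, wantOutput
 },
 },
 {
-name: "no grants returns 403 error",
-userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{}),
-canUpdateAuthMethod: func(t *testing.T) map[string]expectedOutput {
+name: "no grants returns 403 error",
+setupFunc: func(t *testing.T) (directGrantUserAccountSetup, map[string]expectedOutput) {
 globalAmId := password.TestAuthMethod(t, conn, globals.GlobalPrefix).PublicId
 org1AmId := password.TestAuthMethod(t, conn, org1.PublicId).PublicId
 org2AmId := password.TestAuthMethod(t, conn, org2.PublicId).PublicId
-
-return map[string]expectedOutput{
+wantOutput := map[string]expectedOutput{
 globalAmId: {wantErr: handlers.ForbiddenError()},
 org1AmId: {wantErr: handlers.ForbiddenError()},
 org2AmId: {wantErr: handlers.ForbiddenError()},
 }
+userAccountFunc := iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{})
+return userAccountFunc, wantOutput
 },
 },
 {
 name: "project role can't update auth methods in any scope (403)",
-userFunc: iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
-{
-RoleScopeId: p1.GetPublicId(),
-Grants: []string{"ids=*;type=*;actions=*"},
-GrantScopes: []string{globals.GrantScopeThis},
-},
-}),
-canUpdateAuthMethod: func(t *testing.T) map[string]expectedOutput {
+setupFunc: func(t *testing.T) (directGrantUserAccountSetup, map[string]expectedOutput) {
 globalAmId := password.TestAuthMethod(t, conn, globals.GlobalPrefix).PublicId
 org1AmId := password.TestAuthMethod(t, conn, org1.PublicId).PublicId
 org2AmId := password.TestAuthMethod(t, conn, org2.PublicId).PublicId
-
-return map[string]expectedOutput{
+wantOutput := map[string]expectedOutput{
 globalAmId: {wantErr: handlers.ForbiddenError()},
 org1AmId: {wantErr: handlers.ForbiddenError()},
 org2AmId: {wantErr: handlers.ForbiddenError()},
 }
+userAccountFunc := iam.TestUserDirectGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
+{
+RoleScopeId: p1.GetPublicId(),
+Grants: []string{"ids=*;type=*;actions=*"},
+GrantScopes: []string{globals.GrantScopeThis},
+},
+})
+return userAccountFunc, wantOutput
 },
 },
 }
 
 for i, tc := range testcases {
 t.Run(tc.name, func(t *testing.T) {
-user, account := tc.userFunc()
+userAccountFunc, canUpdateAuthMethos := tc.setupFunc(t)
+user, account := userAccountFunc()
 tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId())
 require.NoError(t, err)
 fullGrantAuthCtx := controllerauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo)
-
-for amId, expectedOutput := range tc.canUpdateAuthMethod(t) {
+for amId, expectedOutput := range canUpdateAuthMethos {
 resp, err := s.UpdateAuthMethod(fullGrantAuthCtx, &pbs.UpdateAuthMethodRequest{
 Id: amId,
 UpdateMask: &field_mask.FieldMask{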
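Review bot: The first test case still sets `canUpdateAuthMethod` (new line 840, right after its new `setupFunc`), but the run loop at the bottom of the last hunk now ranges only over the map returned by `tc.setupFunc(t)`, so that closure is never invoked — the three extra auth methods it creates and the expectation map it returns are silently ignored, and an authorization test whose expectations are dropped without failing is exactly the kind of gap that lets a grant-scope regression through. Since every other case now returns its expectations from `setupFunc`, the `canUpdateAuthMethod` field should be removed from the testcases struct (new line 818) together with the first case's closure (its body continues in the gap between the second and third hunks). While there, the result name is misspelled: `userAccountFunc, canUpdateAuthMethods := tc.setupFunc(t)` and `for amId, expectedOutput := range canUpdateAuthMethods {`. The reworked pinned-id case keeps its old name "global role grant children of global auth method's id can only update children auth methods", which no longer describes a grant pinned to org1's auth method id with org2 now expected to be forbidden; a name such as `"global role grant children pinned to an org auth method id can only update that auth method"` states what is actually asserted. TestGrants_Update continues past the end of the last hunk.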
