hashicorp · bosorawis · Jun 17, 2025 · Jun 12, 2025 · Jun 12, 2025 · Jun 12, 2025
@@ -24,8 +24,8 @@ import (
 	"github.com/hashicorp/boundary/internal/db"
 	"github.com/hashicorp/boundary/internal/kms"
 	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
-	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
+	"github.com/hashicorp/go-uuid"
 	"github.com/stretchr/testify/require"
 )
 

@@ -11,7 +11,6 @@ import (
 	"github.com/hashicorp/boundary/internal/db"
 	"github.com/hashicorp/boundary/internal/iam"
 	"github.com/hashicorp/boundary/internal/kms"
-	"github.com/hashicorp/go-uuid"
 	"github.com/stretchr/testify/require"
 )
 
@@ -47,38 +46,3 @@ func TestAuthToken(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, opt
 	require.NoError(t, err)
 	return at
 }
-
-// TestRoleGrantsForToken contains information used by TestAuthTokenWithRoles to create
-// roles and their associated grants (with grant scopes)
-type TestRoleGrantsForToken struct {
-	RoleScopeId  string
-	GrantStrings []string
-	GrantScopes  []string
-}
-
-// TestAuthTokenWithRoles creates auth token associated with roles as requested by the caller along
-// with any required resources to achieve said token
-func TestAuthTokenWithRoles(t testing.TB, conn *db.DB, kms *kms.Kms, scopeId string, roles []TestRoleGrantsForToken) *AuthToken {
-	t.Helper()
-	ctx := context.Background()
-	rw := db.New(conn)
-	atRepo, err := NewRepository(ctx, rw, rw, kms)
-	require.NoError(t, err)
-
-	iamRepo, err := iam.NewRepository(ctx, rw, rw, kms)
-	require.NoError(t, err)
-
-	authMethod := password.TestAuthMethods(t, conn, scopeId, 1)[0]
-
-	loginName, err := uuid.GenerateUUID()
-	require.NoError(t, err)
-	acct := password.TestAccount(t, conn, authMethod.GetPublicId(), loginName)
-	user := iam.TestUser(t, iamRepo, scopeId, iam.WithAccountIds(acct.GetPublicId()))
-	for _, r := range roles {
-		role := iam.TestRoleWithGrants(t, conn, r.RoleScopeId, r.GrantScopes, r.GrantStrings)
-		_ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId)
-	}
-	fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId())
-	require.NoError(t, err)
-	return fullGrantToken
-}
@@ -8,9 +8,11 @@ import (
 	"testing"
 
 	"github.com/hashicorp/boundary/globals"
+	"github.com/hashicorp/boundary/internal/auth"
+	"github.com/hashicorp/boundary/internal/auth/oidc"
 	"github.com/hashicorp/boundary/internal/authtoken"
 	"github.com/hashicorp/boundary/internal/credential/vault"
-	"github.com/hashicorp/boundary/internal/daemon/controller/auth"
+	controllerauth "github.com/hashicorp/boundary/internal/daemon/controller/auth"
 	"github.com/hashicorp/boundary/internal/daemon/controller/handlers/credentiallibraries"
 	"github.com/hashicorp/boundary/internal/db"
 	pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services"
@@ -31,6 +33,8 @@ func TestGrants_ReadActions(t *testing.T) {
 	}
 	kmsCache := kms.TestKms(t, conn, wrap)
 	sche := scheduler.TestScheduler(t, conn, wrap)
+	atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache)
+	require.NoError(t, err)
 
 	vaultRepoFn := func() (*vault.Repository, error) {
 		return vault.NewRepository(ctx, rw, rw, kmsCache, sche)
@@ -45,24 +49,24 @@ func TestGrants_ReadActions(t *testing.T) {
 
 	t.Run("List", func(t *testing.T) {
 		testcases := []struct {
-			name          string
-			input         *pbs.ListCredentialLibrariesRequest
-			rolesToCreate []authtoken.TestRoleGrantsForToken
-			wantErr       error
-			wantIDs       []string
+			name     string
+			input    *pbs.ListCredentialLibrariesRequest
+			userFunc func() (*iam.User, auth.Account)
+			wantErr  error
+			wantIDs  []string
 		}{
 			{
 				name: "global role grant descendant returns all credentials library",
 				input: &pbs.ListCredentialLibrariesRequest{
 					CredentialStoreId: proj1CredStore[0].GetPublicId(),
 				},
-				rolesToCreate: []authtoken.TestRoleGrantsForToken{
+				userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{
 					{
-						RoleScopeId:  globals.GlobalPrefix,
-						GrantStrings: []string{"ids=*;type=credential-library;actions=list,read"},
-						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
+						RoleScopeId: globals.GlobalPrefix,
+						Grants:      []string{"ids=*;type=credential-library;actions=list,read"},
+						GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
 					},
-				},
+				}),
 				wantErr: nil,
 				wantIDs: []string{proj1Libs[0].GetPublicId(), proj1Libs[1].GetPublicId(), proj1Libs[2].GetPublicId()},
 			},
@@ -71,22 +75,24 @@ func TestGrants_ReadActions(t *testing.T) {
 				input: &pbs.ListCredentialLibrariesRequest{
 					CredentialStoreId: proj1CredStore[0].GetPublicId(),
 				},
-				rolesToCreate: []authtoken.TestRoleGrantsForToken{
+				userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{
 					{
-						RoleScopeId:  org.GetPublicId(),
-						GrantStrings: []string{"ids=*;type=credential-library;actions=list,read"},
-						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
+						RoleScopeId: org.GetPublicId(),
+						Grants:      []string{"ids=*;type=credential-library;actions=list,read"},
+						GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 					},
-				},
+				}),
 				wantErr: nil,
 				wantIDs: []string{proj1Libs[0].GetPublicId(), proj1Libs[1].GetPublicId(), proj1Libs[2].GetPublicId()},
 			},
 		}
 
 		for _, tc := range testcases {
 			t.Run(tc.name, func(t *testing.T) {
-				tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate)
-				fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo)
+				user, account := tc.userFunc()
+				tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId())
+				require.NoError(t, err)
+				fullGrantAuthCtx := controllerauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo)
 				got, finalErr := s.ListCredentialLibraries(fullGrantAuthCtx, tc.input)
 				if tc.wantErr != nil {
 					require.ErrorIs(t, finalErr, tc.wantErr)

@@ -8,8 +8,10 @@ import (
 	"testing"
 
 	"github.com/hashicorp/boundary/globals"
+	"github.com/hashicorp/boundary/internal/auth"
+	"github.com/hashicorp/boundary/internal/auth/password"
 	"github.com/hashicorp/boundary/internal/authtoken"
-	"github.com/hashicorp/boundary/internal/daemon/controller/auth"
+	controllerauth "github.com/hashicorp/boundary/internal/daemon/controller/auth"
 	"github.com/hashicorp/boundary/internal/daemon/controller/handlers/hosts"
 	"github.com/hashicorp/boundary/internal/db"
 	pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services"
@@ -52,6 +54,8 @@ func TestGrants_ReadActions(t *testing.T) {
 	}
 	s, err := hosts.NewService(ctx, repoFn, pluginRepoFn, 1000)
 	require.NoError(t, err)
+	atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache)
+	require.NoError(t, err)
 
 	org, proj := iam.TestScopes(t, iamRepo)
 
@@ -68,24 +72,24 @@ func TestGrants_ReadActions(t *testing.T) {
 
 	t.Run("List", func(t *testing.T) {
 		testcases := []struct {
-			name          string
-			input         *pbs.ListHostsRequest
-			rolesToCreate []authtoken.TestRoleGrantsForToken
-			wantErr       error
-			wantIDs       []string
+			name     string
+			input    *pbs.ListHostsRequest
+			userFunc func() (*iam.User, auth.Account)
+			wantErr  error
+			wantIDs  []string
 		}{
 			{
 				name: "global role grant this returns all created hosts",
 				input: &pbs.ListHostsRequest{
 					HostCatalogId: hc.GetPublicId(),
 				},
-				rolesToCreate: []authtoken.TestRoleGrantsForToken{
+				userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
 					{
-						RoleScopeId:  globals.GlobalPrefix,
-						GrantStrings: []string{"ids=*;type=host;actions=list,read"},
-						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
+						RoleScopeId: globals.GlobalPrefix,
+						Grants:      []string{"ids=*;type=host;actions=list,read"},
+						GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeDescendants},
 					},
-				},
+				}),
 				wantErr: nil,
 				wantIDs: wantHs,
 			},
@@ -94,13 +98,13 @@ func TestGrants_ReadActions(t *testing.T) {
 				input: &pbs.ListHostsRequest{
 					HostCatalogId: hc.GetPublicId(),
 				},
-				rolesToCreate: []authtoken.TestRoleGrantsForToken{
+				userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
 					{
-						RoleScopeId:  org.PublicId,
-						GrantStrings: []string{"ids=*;type=host;actions=list,read"},
-						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
+						RoleScopeId: org.PublicId,
+						Grants:      []string{"ids=*;type=host;actions=list,read"},
+						GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 					},
-				},
+				}),
 				wantErr: nil,
 				wantIDs: wantHs,
 			},
@@ -109,22 +113,24 @@ func TestGrants_ReadActions(t *testing.T) {
 				input: &pbs.ListHostsRequest{
 					HostCatalogId: hc.GetPublicId(),
 				},
-				rolesToCreate: []authtoken.TestRoleGrantsForToken{
+				userFunc: iam.TestUserGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, password.TestAuthMethodWithAccount, []iam.TestRoleGrantsRequest{
 					{
-						RoleScopeId:  proj.PublicId,
-						GrantStrings: []string{"ids=*;type=host;actions=list,read"},
-						GrantScopes:  []string{globals.GrantScopeThis},
+						RoleScopeId: proj.PublicId,
+						Grants:      []string{"ids=*;type=host;actions=list,read"},
+						GrantScopes: []string{globals.GrantScopeThis},
 					},
-				},
+				}),
 				wantErr: nil,
 				wantIDs: wantHs,
 			},
 		}
 
 		for _, tc := range testcases {
 			t.Run(tc.name, func(t *testing.T) {
-				tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate)
-				fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo)
+				user, account := tc.userFunc()
+				tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId())
+				require.NoError(t, err)
+				fullGrantAuthCtx := controllerauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo)
 				got, finalErr := s.ListHosts(fullGrantAuthCtx, tc.input)
 				if tc.wantErr != nil {
 					require.ErrorIs(t, finalErr, tc.wantErr)

@@ -8,8 +8,10 @@ import (
 	"testing"
 
 	"github.com/hashicorp/boundary/globals"
+	"github.com/hashicorp/boundary/internal/auth"
+	"github.com/hashicorp/boundary/internal/auth/oidc"
 	"github.com/hashicorp/boundary/internal/authtoken"
-	"github.com/hashicorp/boundary/internal/daemon/controller/auth"
+	controllerauth "github.com/hashicorp/boundary/internal/daemon/controller/auth"
 	"github.com/hashicorp/boundary/internal/daemon/controller/handlers/roles"
 	"github.com/hashicorp/boundary/internal/db"
 	pbs "github.com/hashicorp/boundary/internal/gen/controller/api/services"
@@ -46,21 +48,24 @@ func TestGrants_ReadActions(t *testing.T) {
 	kmsCache := kms.TestKms(t, conn, wrap)
 	s, err := roles.NewService(ctx, repoFn, 1000)
 	require.NoError(t, err)
+	rw := db.New(conn)
+	atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache)
+	require.NoError(t, err)
 
 	org1, _ := iam.TestScopes(t, iamRepo)
 	org2, proj2 := iam.TestScopes(t, iamRepo)
 	proj3 := iam.TestProject(t, iamRepo, org2.PublicId)
 
 	var defaultOrg1Roles []string
-	org1Roles, err := s.ListRoles(auth.DisabledAuthTestContext(repoFn, org1.GetPublicId()), &pbs.ListRolesRequest{
+	org1Roles, err := s.ListRoles(controllerauth.DisabledAuthTestContext(repoFn, org1.GetPublicId()), &pbs.ListRolesRequest{
 		ScopeId: org1.GetPublicId(),
 	})
 	require.NoError(t, err)
 	for _, r := range org1Roles.Items {
 		defaultOrg1Roles = append(defaultOrg1Roles, r.GetId())
 	}
 
-	org2Roles, err := s.ListRoles(auth.DisabledAuthTestContext(repoFn, org2.GetPublicId()), &pbs.ListRolesRequest{
+	org2Roles, err := s.ListRoles(controllerauth.DisabledAuthTestContext(repoFn, org2.GetPublicId()), &pbs.ListRolesRequest{
 		ScopeId: org2.GetPublicId(),
 	})
 	require.NoError(t, err)
@@ -69,7 +74,7 @@ func TestGrants_ReadActions(t *testing.T) {
 		defaultOrg2Roles = append(defaultOrg2Roles, r.GetId())
 	}
 
-	proj2Roles, err := s.ListRoles(auth.DisabledAuthTestContext(repoFn, proj2.GetPublicId()), &pbs.ListRolesRequest{
+	proj2Roles, err := s.ListRoles(controllerauth.DisabledAuthTestContext(repoFn, proj2.GetPublicId()), &pbs.ListRolesRequest{
 		ScopeId: proj2.GetPublicId(),
 	})
 	require.NoError(t, err)
@@ -78,7 +83,7 @@ func TestGrants_ReadActions(t *testing.T) {
 		defaultProj2Roles = append(defaultProj2Roles, r.GetId())
 	}
 
-	proj3Roles, err := s.ListRoles(auth.DisabledAuthTestContext(repoFn, proj3.GetPublicId()), &pbs.ListRolesRequest{
+	proj3Roles, err := s.ListRoles(controllerauth.DisabledAuthTestContext(repoFn, proj3.GetPublicId()), &pbs.ListRolesRequest{
 		ScopeId: proj3.GetPublicId(),
 	})
 	require.NoError(t, err)
@@ -97,7 +102,7 @@ func TestGrants_ReadActions(t *testing.T) {
 		testcases := []struct {
 			name                string
 			input               *pbs.ListRolesRequest
-			rolesToCreate       []authtoken.TestRoleGrantsForToken
+			userFunc            func() (*iam.User, auth.Account)
 			wantErr             error
 			addRolesAtThisScope bool
 			wantIDs             []string
@@ -108,13 +113,13 @@ func TestGrants_ReadActions(t *testing.T) {
 					ScopeId:   globals.GlobalPrefix,
 					Recursive: true,
 				},
-				rolesToCreate: []authtoken.TestRoleGrantsForToken{
+				userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{
 					{
-						RoleScopeId:  globals.GlobalPrefix,
-						GrantStrings: []string{"ids=*;type=role;actions=list,read"},
-						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
+						RoleScopeId: globals.GlobalPrefix,
+						Grants:      []string{"ids=*;type=role;actions=list,read"},
+						GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 					},
-				},
+				}),
 				addRolesAtThisScope: true,
 				wantErr:             nil,
 				wantIDs: append(append([]string{
@@ -128,13 +133,13 @@ func TestGrants_ReadActions(t *testing.T) {
 					ScopeId:   org2.PublicId,
 					Recursive: true,
 				},
-				rolesToCreate: []authtoken.TestRoleGrantsForToken{
+				userFunc: iam.TestUserManagedGroupGrantsFunc(t, conn, kmsCache, globals.GlobalPrefix, oidc.TestAuthMethodWithAccountInManagedGroup, []iam.TestRoleGrantsRequest{
 					{
-						RoleScopeId:  org2.PublicId,
-						GrantStrings: []string{"ids=*;type=role;actions=list,read"},
-						GrantScopes:  []string{globals.GrantScopeThis, globals.GrantScopeChildren},
+						RoleScopeId: org2.PublicId,
+						Grants:      []string{"ids=*;type=role;actions=list,read"},
+						GrantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 					},
-				},
+				}),
 				addRolesAtThisScope: true,
 				wantErr:             nil,
 				wantIDs: append(append([]string{
@@ -146,15 +151,17 @@ func TestGrants_ReadActions(t *testing.T) {
 
 		for _, tc := range testcases {
 			t.Run(tc.name, func(t *testing.T) {
-				tok := authtoken.TestAuthTokenWithRoles(t, conn, kmsCache, globals.GlobalPrefix, tc.rolesToCreate)
-				fullGrantAuthCtx := auth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo)
+				user, account := tc.userFunc()
+				tok, err := atRepo.CreateAuthToken(ctx, user, account.GetPublicId())
+				require.NoError(t, err)
+				fullGrantAuthCtx := controllerauth.TestAuthContextFromToken(t, conn, wrap, tok, iamRepo)
 
 				// TestAuthTokenWithRoles creates a default role, so we need to add it to the expected list
 				// if the grant scope contains 'this'
 				// This will add the default roles to the expected list of roles
 				if tc.addRolesAtThisScope {
 					var rolesAtThisScope []string
-					rolesAtThisScopeList, err := s.ListRoles(auth.DisabledAuthTestContext(repoFn, tc.input.ScopeId), &pbs.ListRolesRequest{
+					rolesAtThisScopeList, err := s.ListRoles(controllerauth.DisabledAuthTestContext(repoFn, tc.input.ScopeId), &pbs.ListRolesRequest{
 						ScopeId: tc.input.ScopeId,
 					})
 					require.NoError(t, err)