Migrate roles and grants to new table structure #5814
This PR does rely on code from #5733 to "repair" the broken migrations, so it will need to be rebased
This file is a large migration test and adds 30,000 roles to test performance
2 nitpicks and 1 question. Awesome work on all the tests! 🎉 Thank you for adding those
internal/db/schema/migrations/oss/postgres/96/01_iam_role_tables.up.sql
on delete cascade
on update cascade;

commit;
should we also drop the old tables and columns as a part of this cleanup script?
table:
iam_role_grant_scope
columns:
iam_role.version
iam_role.name
iam_role.description
I've got that in this separate PR because it was listed as a separate work item
Database schema diff

Functions

diff --git a/.schema-diff/funcs_0d43b4dc4ae9cd4eae423b9fcc71f04bdb585540/set_resource.sql b/.schema-diff/funcs_309566a0846660ef028ddc8d20e1eb4060e82a63/set_resource.sql
index 31ae58f06..4bd583854 100644
--- a/.schema-diff/funcs_0d43b4dc4ae9cd4eae423b9fcc71f04bdb585540/set_resource.sql
+++ b/.schema-diff/funcs_309566a0846660ef028ddc8d20e1eb4060e82a63/set_resource.sql
@@ -41,7 +41,6 @@ create function public.set_resource() returns trigger
into type_matches
from kv
where k = 'type';
-
-- if there are multiple canonical grant types specified, throw an error.
-- ensure that the canonical_grant type is only referencing a single resource
if type_matches is not null and array_length(type_matches, 1) > 1 then

Tables

diff --git a/.schema-diff/tables_0d43b4dc4ae9cd4eae423b9fcc71f04bdb585540/iam_role_org_individual_grant_scope.sql b/.schema-diff/tables_309566a0846660ef028ddc8d20e1eb4060e82a63/iam_role_org_individual_grant_scope.sql
index f96d2a86d..001154690 100644
--- a/.schema-diff/tables_0d43b4dc4ae9cd4eae423b9fcc71f04bdb585540/iam_role_org_individual_grant_scope.sql
+++ b/.schema-diff/tables_309566a0846660ef028ddc8d20e1eb4060e82a63/iam_role_org_individual_grant_scope.sql
@@ -37,7 +37,7 @@ create table public.iam_role_org_individual_grant_scope (
-- name: table iam_role_org_individual_grant_scope; type: comment; schema: public; owner: -
--
-comment on table public.iam_role_org_individual_grant_scope is 'iam_role_org_individual_grant_scope is the subtype table for the org role with grant_scope as individual.';
+comment on table public.iam_role_org_individual_grant_scope is 'iam_role_org_individual_grant_scope is a list of individually granted project scope to org roles with grant_scope of individual';
--

Views: Unchanged
Triggers: Unchanged

Indexes

diff --git a/.schema-diff/indexes_0d43b4dc4ae9cd4eae423b9fcc71f04bdb585540/iam_role_grant_canonical_grant_ix.sql b/.schema-diff/indexes_0d43b4dc4ae9cd4eae423b9fcc71f04bdb585540/iam_role_grant_canonical_grant_ix.sql
deleted file mode 100644
index 328c6abda..000000000
--- a/.schema-diff/indexes_0d43b4dc4ae9cd4eae423b9fcc71f04bdb585540/iam_role_grant_canonical_grant_ix.sql
+++ /dev/null
@@ -1,31 +0,0 @@
---
--- postgresql database dump
---
-
--- dumped from database version 13.21
--- dumped by pg_dump version 16.9 (ubuntu 16.9-1.pgdg24.04+1)
-
-set statement_timeout = 0;
-set lock_timeout = 0;
-set idle_in_transaction_session_timeout = 0;
-set client_encoding = 'utf8';
-set standard_conforming_strings = on;
-select pg_catalog.set_config('search_path', '', false);
-set check_function_bodies = false;
-set xmloption = content;
-set client_min_messages = warning;
-set row_security = off;
-
-set default_tablespace = '';
-
---
--- name: iam_role_grant_canonical_grant_ix; type: index; schema: public; owner: -
---
-
-create index iam_role_grant_canonical_grant_ix on public.iam_role_grant using btree (canonical_grant);
-
-
---
--- postgresql database dump complete
---
-

Constraints: Unchanged
Foreign Key Constraints: Unchanged
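Review bot: The set_resource() hunk (@@ -41,7 +41,6 @@) is whitespace only, a blank line removed ahead of the comment block, so there is no behaviour change to review there. One small style point in the surrounding context: the two consecutive comment lines ("if there are multiple canonical grant types specified, throw an error" and "ensure that the canonical_grant type is only referencing a single resource") describe the same check and could be folded into one sentence.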
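Review bot: In the iam_role_org_individual_grant_scope hunk the replacement table comment reads "a list of individually granted project scope to org roles with grant_scope of individual" and drops the terminating period the previous comment had; suggest "a list of project scopes individually granted to org roles whose grant_scope is individual." so the comment reads as a sentence.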
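Review bot: The deleted-file hunk drops iam_role_grant_canonical_grant_ix, the btree on public.iam_role_grant (canonical_grant), without a replacement appearing in this diff. Before merging, confirm that no remaining query filters or joins iam_role_grant on canonical_grant without another index covering it, or that such lookups now go through iam_grant, whose canonical_grant the commit log below says is a primary key. If the index is intentionally redundant, a one-line comment in the migration saying why would help the next reader.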
* Refactor migration files to create tables, functions, triggers, and complete the actual data migration in their own files. update migrations and tests clean up removed files rebase onto bosorawis-sql-grants-migration-hook
* Add comments to migration files, clean up some formatting, and add 30k project roles to test migration efficiency update migrations go test file Delete duplicate test file
* Fix formatting in migration files
* Rename hook number to reflect new number of migration files split migrations into hook files, large test file, and more specific test functions
* Include missed oss file
* Apply suggestions from code review Co-authored-by: Sorawis Nilparuk (Bo) <[email protected]>

---------
Co-authored-by: Sorawis Nilparuk (Bo) <[email protected]>
…#5846)

* Create function to define valid set of scopes for each resource (#5558)
  * Create function to define valid set of scopes for each resource
  * chore(iam): Update validScopeTypes() to use scope.AllowedIn()
  * chore(scope): Initialize with iota
  * feat(scope): Return an error instead of scope.Unknown
  * feat(iam): Replace interface method `validScopeTypes` with `getResourceType`. This allows us to call scope.AllowedIn() in one place vs in each implementation of `validScopeTypes`
  * chore(resource): Refactor other package functions into methods on resource.Type
  * fix(scope): Add defensive checks around invalid resource types
  * docs(resource): Add AllowedIn() to the areas to update when adding a new resource type
  * docs(resource): Improve error message when an invalid type is provided
* test(grants): GrantsForUsers tests for Group resource (#5443)
  * test(grants): WIP: First stab at group associations
  * test(grants): Add GrantsForUser test for groups
  * chore(grants): Consolidate repetitive setup logic into functions
  * test(grants): Add GrantsForUser test for managed groups
  * test(grants): Add another user with different grants. Ensure that non-applicable grants should not be returned because they are not applicable to the user
  * chore(grants): cleanup
  * chore(grants): Move common setup steps into a helper function
* feat: Define new grants tables (#5486)

  Create new tables for grants:

  1. `iam_role_global`: Roles that are placed in the global scope will be persisted in the `iam_role_global` table. A global role has a `grant_scope` which must be one of:
     * descendants
     * children
     * individual

     This enforces that a global role's grants either apply to:
     * All orgs and projects.
     * All orgs.
     * An individual set of orgs and/or projects.

     When the `grant_scope` is set to `individual`, entries for the specific set of orgs and/or projects can be added to the `iam_role_global_individual_grant_scope` table. Separately, a global role can be set to also apply its grant to the global scope by setting `grant_this_role_scope` to true.
  2. `iam_role_org`: Roles that are placed in an org scope will be persisted in the `iam_role_org` table. An org role has a `grant_scope` which must be one of:
     * children
     * individual

     This enforces that an org role's grants either apply to:
     * All projects in the org.
     * An individual set of projects in the org.

     When the `grant_scope` is set to `individual`, entries for the specific set of projects can be added to the `iam_role_org_individual_grant_scope` table. **NOTE**: The projects must belong to the org's scope. Separately, an org role can be set to also apply its grant to the org by setting `grant_this_role_scope` to true.
  3. `resource_enm`: Contains all boundary resources. This is used by `iam_grant` to set the resource from a canonical_grant.
  4. `iam_grant`: Stores the canonical grant string and the resource for filtering on specific grants.

  Co-authored-by: Sorawis Nilparuk <[email protected]>
  Co-authored-by: David Kanney <[email protected]>
* add name scope id unique constraints to all iam_role tables (#5623)
* Bosorawis domain iam role subtypes (#5626)
  * add subtype storage definitions
  * make gen
  * add all subtype definitions
  * add const for grant scope individual
  * remove unnecessary baseRole subtype
  * add new proto files to make target protobuild
  * make gen to get protoc-go-inject-tag
  * add clone, setTableName, and GetScope tests
  * add ResourceType and Actions test
  * add create and delete tests for globalRole
  * finish create and delete tests
  * add trigger for deleting base role
  * add trigger to sync update_time back to base iam_role table
  * add update tests
  * fix missing err checks
  * fix iam_role delete subtype trigger function name and use new.update_time instead of now()
  * add struct documentation to role subtypes
  * add version update check
  * add todo comment:
* bosorawis sql split global grants scope table (#5638)
  * split iam_role_global_individual_grant_scope to have separate tables for org and project
  * small comment change
  * small comment change
  * WIP: add tests
  * remove grant_scope as immutable column
  * add trigger to delete individual grant scope when grant_scope changes
  * add a test that covers changing grant_scope
  * rename function and trigger in iam_role_global
  * improve assertion in sqltest for iam_role_global
  * update iam_role_org to delete redundant grants scope
  * minor comment fix
  * no longer handle individual grant scope deletion with triggers and rename some functions
  * add trigger test for grant_scope
  * rename delete_base_iam_role to delete_iam_role_subtype
  * SQL formatting use now() instead of interval
* bosorawis domain iam implement getRoleScopeType (#5629)
  * implement getRoleScopeId
  * move query to query.go
  * improve notfound err message
  * improve other err messages
  * use named parameter and move getRoleScopeId implementation
  * moved getRoleScopeId test
  * rename getRoleScopeId to getRoleScopeType
  * fix public_id ambiguous error
  * undo unintended change to getUserWithAccount
  * fix the correct query
  * rename test
  * change error code to RecordNotFound
  * Update internal/iam/repository_role.go Co-authored-by: David Kanney <[email protected]>
  * switch to slice instead of counter

  ---------
  Co-authored-by: David Kanney <[email protected]>
* domain: iam: upgrade repository code to use new tables (#5643)
  * rename test
  * implement getRoleScopeId
  * implement getRoleScopeId
  * save
  * remove struct embedding from iam.Role
  * fix tests to use new iam.Role definition
  * repository_role_test.go move to new iam.Role model
  * repository_principal_role_test.go use new iam.Role model
  * repository_role_grant_test.go use new iam.Role model in test
  * add oplog info to sql schema
  * internal/iam/testing.go use new role schema in TestRole
  * add toRole helper function to all role subtype
  * remove tests that are no longer relevant
  * internal/iam/repository_scope.go use new iam model
  * internal/iam/repository_role_grant.go use new iam model
  * internal/iam/repository_principal_role.go use new iam model
  * internal/iam/repository_role_test.go add test case for global scoped role
  * internal/iam/repository_grant_scope.go use new iam model
  * fix query
  * make create and lookup role work and add tests
  * add role id to getRoleScopeId error message
  * make DeleteRole work with new model and add tests
  * fix update
  * ensure oplog.ReplayableMessage is implemented on all role subtypes
  * internal/iam/repository_role_grant.go fix slugging version properly
  * internal/iam/repository_role.go minor correction to error message saying org instead of scope
  * internal/iam/repository_role_test.go add more update tests
  * add immutable_fields tests
  * fix rebase
  * change error code to RecordNotFound
  * refactor to use getScopeType
  * fix delete test
  * add getRoleScope utility function
  * repository_principal_role.go: refactor to remove multiple switch statements
  * repository_role_grant.go: refactor to reduce LOC
  * repository_role.go small refactor to use alloc func
  * repository_grant_scope.go refactor
  * review comments
  * fix merge mistakes
  * handling special scopes in test function
  * fix TestRoleWithGrants
  * fix minor typo
  * make gen
  * fix comment typos
  * Bosorawis domain iam role use new model list role (#5676)
    * add and use new list roles query
    * run make gen
    * tweaked returned error
    * replace tabs with spaces in query string
    * missed one tab
    * remove leading spaces

  ---------
  Co-authored-by: David Kanney <[email protected]>
* Domain: iam: Repository: update list-grant-scope and test setup to use new model (#5679)
  * move ListRoleGrantScopes to repository_grant_scope.go
  * rename repository_grant_scope to repository_role_grant_scope
  * add proto definition for global role individual grant scope tables
  * fix test from removing embedded struct from RoleGrantScope
  * add grant_scope to proto definition
  * implement GlobalRoleIndividualOrgGrantScope and GlobalRoleIndividualProjectGrantScope
  * update comment
  * run make gen to update comment
  * implement OrgRoleIndividualGrantScope and add tests
  * implement part of ListRoleGrantScopes
  * Add more test
  * add more test cases and remove add-grants test
  * unexport listRoleGrantScopes
  * use reader from function parameter instead of struct method
  * rename test to match actual function
  * run make gen
  * unexport individual grants structs
  * unexport individual grants structs - missed one file
  * change TestRole and TestRoleGrantScope function to support new model
  * add validation for special scopes
  * add role_org_individual_grant_scope.pb.go to protobuild make target
  * remove dead code from listRoleGrantScopes
  * fix testRoleGrantScopeSpecial not handling org role special scope properly
  * add back query removed by rebase

  ---------
  Co-authored-by: David Kanney <[email protected]>
* feat: grantsForUser for Global Resources (#5612)
  * feat: grantsForUser for Global Resources. add query to fetch grants for a user for resources that are only globally scoped
  * Update query based on change to bifurcate individual table
  * Create subtests for different resources
  * Return grant.grant_scope instead of the request scope
  * Remove 'individual' subquery & unused reqScope parameter
  * Use sql.Named for better readability
  * Fix op function name
  * Remove individual grant scope logic from global resource repo function. No need to handle individual grant scopes since global resources can only be queried via 'this' grant scope at the global scope.
  * Fix row scan order
  * Remove data gen function
  * Adjust query formatting. Remove canonical_grant filter from query. `iam_grant.canonical_grant` is a primary key, so it can't be null anyway -- no need to filter out null canonical grants
  * Use the consts for u_auth and u_anon
  * Specify "empty" instead of "NULL" in struct field comment
  * Build query args with `pq.Array` instead of `fmt.Sprintf`
  * Fix TestGrantsForUserGlobalResources. No longer using a hard-coded value for roleVersion
  * Refactor grantsForUserGlobalResources tests into testcases
  * go mod tidy
  * Update query comment for correctness

  ---------
  Co-authored-by: dkanney <[email protected]>
  Co-authored-by: dkanney <[email protected]>
* Bosorawis domain iam implement role grant scopes all (#5701)
  * change proto grant_this default to true
  * make TestRole readback the role to get updated version
  * implement toRoleGrantScope function on the subtypes
  * implement conversion function
  * add tests and AddRoleGrantScope before refactor
  * working delete grant scope before refactor
  * remove unused functions
  * refactor repository_role_grant_scope.go
  * add tests for SetRoleGrantScopes
  * all tests passing
  * refactor repository_role_grant_scope.go again
  * run make gen
  * no longer embed Resource in roleScopeGranter interface and make interface all internal functions
  * add additional test case
  * fix minor typo
  * add a constraint check for iam_role_org.grant_scope
  * refactor and comment repository_role_grant_scope.go and add test cases
  * remove unused code
  * rename roleScopeGranter to roleGrantScopeUpdater
  * interface and function rename
  * address PR comments
  * remove redundant constraint on iam_role_org
  * address pr comments
  * grant this scope to role by default when creating a role
  * tweak comments and variable names

  ---------
  Co-authored-by: David Kanney <[email protected]>
* feat: add grant_this_role_scope column to iam_role_project (#5738)
  * add grant_this_role_scope and sqltes for iam_project_role
  * update role_project.proto to add grant_this_role_scope field
  * fix missing fields in role_project.proto
  * support GrantThisRoleScope field in iam/testing.go
  * update repository_scope to set GrantThisRoleScope to true
  * add GrantThisRoleScope to project role tests to role_test.go
  * add grant_this_role_scope check to query.go
  * update roleGrantScopeUpdater to split setGrantScope to setHierarchicalGrantScope and removeHierarchicalGrantScope
  * update create_role to set default value for iam_role_project.grant_this_role_scope
  * update set, add, delete, list role grant scopes to support grant_this_role_scope in project_role
  * rename methods
  * run make gen
  * make TestRole not bump version when creating roles with default 'this' grants
  * address pr comments
  * fix variable names
* feat: grantsForUser for Org resources (#5663)
  * Create grantsForUser query for Org resources
  * Finish & format query
  * Change name of field in query. From 'role_type' to 'role_parent_scope_id'
  * Finish grantsForUserOrgResources test
    - Refactor to match the usual testcase pattern
    - Use test functions to create test resources
  * Remove unnecessary check against GrantScopeThis. "this" now has its own field and no longer lives alongside the other grant scopes, so we should not check for it against grantScope
  * Ignore children & descendant grant scopes when querying org resources. The only grant_scope that matters when querying org resources is 'this'
  * Refactor query to simplify repo function. Create separate CTEs for each case: global special (children or descendant), global individual, and org (this). This allows us to query directly into perms.GrantTuple; no additional logic required.
* feat: grantsForUser for Project resources (#5669)
  * Reuse testInput
  * Create grantsForUserProjectResources query
  * Create grantsForUserProjectResources repo func
  * Create tests for grantsForUserProjectResources
  * Split up CTEs by grant scope and simplify repo function
  * Add test cases for missing reqScope id
  * Remove unnecessary join to iam_scope_org table
  * Reuse 'roles_with_grants' CTE across the grantsForUser queriers
* Change reqScope parameter type from `Scope` to `string` (#5748)
  * Change 'reqScope' parameter type to: string
  * Simplify grantsForUserGlobalQuery & repo func
* Test: GrantsForUser for Accounts for various user to role relationships (#5631)
  * test(iam): Refactor GrantsForUser tests into a single test
  * test(iam): Extend TestGrantsForUser to include Account resource. Note: These tests will fail until GrantsForUser is refactored to return only grants whose scopes are applicable to this resource
  * test(iam): Add Target resource to TestGrantsForUser
* feat: grantsForUser for recursive Global or Org resources (#5747)
  * Create query: grantsForUserGlobalAndOrgResourcesQuery
  * Create repo function: grantsForUserGlobalAndOrgResourcesRecursive
  * Create tests for grantsForUserGlobalAndOrgResources
  * Restrict recursive list for Global/Org resources to global scope only. Return error for non-recursive scopes
  * Remove unused option parameter
  * Add additional scope and test cases
    - Test for grants against a resource with no permission granted for it
    - Test for grants against a specific resource id without an explicit type set in the grant string
    - Add a project scope to ensure its grants aren't returned
  * Return error when passed 'Unknown' or 'All' resource type
  * Use constants for 'unknown' & '*' resources
* feat: grantsForUser for recursive Project resources (#5783)
  * Create query: grantsForUserProjectResourcesGlobalScopeQuery
  * Create query: grantsForUserProjectResourcesOrgScopeQuery
  * Create repo function: grantsForUserProjectResourcesRecursiveScopes
  * Add recursive testcases to existing grantsForUserProjectResource test function
  * Address PR feedback
    - Add testcases for Unknown & All resource types
    - Change a grant string to a pinned resource. Its resource type changed from Target type to Unknown type
    - Call through to grantsForUserProjectResources when reqScopeId is a project scope (i.e. a non-recursive scope)
  * Add 'Recursive' to query var naming
* feat: migration hook grants refactor (#5733)
  * scaffolding
  * comments
  * rename migration number
  * implement FindIllegalAssociations for 97006 hook
  * refactor findIllegalAssociation query
  * implement RepairIllegalAssociations and refactor queries
  * make gen
  * fix missing err check
  * pr feedback fix hook fix message wording
  * sql formatting
  * update comment
  * sql formatting
  * Apply suggestions from code review Co-authored-by: David Kanney <[email protected]>
  * change 'illegal' to 'invalid'
  * pr comment feedback
  * small comment update

  ---------
  Co-authored-by: David Kanney <[email protected]>
* feat: grantsForUser for Global/Org/Project resources (#5807)
  * Change naming to be consistent with other grantsForUser functions
  * Create grantsForUser query for global-scoped Global/Org/Proj resources
  * Create grantsForUser repo function for Global/Org/Proj resources
  * Create tests for grantsForUserGlobalOrOrgOrProjectResources
  * Create grantsForUser query for org-scoped Global/Org/Proj resources
  * Add tests for grantsForUser Global/Org/Proj resource query's org & project request_scopes
  * Add clarifying comments and shorter naming convention
  * Add 'children' grant_scoped org roles to result set
* feat: grants: add resource type parameters to GrantsForUser (#5750)
  * add resource.Type to auth.Verify callchain
  * remove WithType option
  * update internal/auth/additional_verification_test.go to no longer use WithType
  * handle explicit resource type in aclAndGrantHashForUser
  * update interceptor_test.go to use resource.Scope for testing auth.Verify
  * use resource.Scope to test Audit events
  * add godoc comment on GrantsForUser
  * add recursive options to iam
  * add recursive options to auth
  * internal/auth/ldap/managed_group_role_grants_test.go fix GrantsForUser signature
  * internal/daemon/controller/handlers/accounts/account_service_test.go fix GrantsForUser signature
  * update GrantsForUser godoc
  * replace GrantsForUser tests with a new version with scoped down grants
  * add mix type assignment to TestGrantsForUser
  * move GrantsForUser test to internal/iam/repository_role_grant_ext_test.go
  * remove unused options
  * rewrite GrantsForUser tests to match the new expectation
  * handle recursive call in s.authResult
  * fix missing import from rebase
  * resolve ListResolvableAlias destination permissions properly
  * use global scope for ListResolvableAlias aclAndGrantHashForUser
  * make auth.WithRecursive take boolean input
  * make iam.WithRecursive option take a boolean input
  * auth/options_test.go add assertion for default option values
  * make gen
  * add back ACL tests to grants for user
* Support previous grants use-cases (#5823)
  * rename parameter to TestManagedGroupMember
  * make replace old GrantsForUser with new queries
  * fix tests and bugs where global grants don't get resolved
  * remove unnecessary grants from grantsForUserProjectResourcesOrgScopeRecursiveQuery
  * return full grants for any recursive call
  * handle
this and role scope ID in test * order list result by create time instead of update time * add missing err check * handle converting role scope ID to this in grant scope API * fix role service tests * correct default scope role name * add special handling in grantsForUser for scope resource * fix tests to match role creation that does not bump version * creating alias in invalid scope now returns permissions denied instead of internal * remove test which looks for account in an authmethod in project scope which is an invalid config * fix TestLdapManagedGroupRoleGrants to use scope appropriate resource for the test * fix TestFetchActionSetForId and split org/proj test cases * Validate reqScopeId for grantsForUserRecursive() * Update tests based on recursive grantsForUser changes * Remove last recursive function in favor of grantsForUserRecursive() * move Scope resource to be AllowedIn all scope types * allow multiple resouce types when calling auth.Verify down to GrantsForUsers * use append instead of ranging over slice * minor fix to tests * Skip default role creation to avoid returning default role in test * Update wantErrMsg to accommodate multiple resource types * Add new entries to TestGrantsForUser test results based on recursive query changes * Update unneccessaryRoles in recursive global/org test case based on changes to recursive query --------- Co-authored-by: dkanney <[email protected]> * Migrate roles and grants to new table structure (#5814) * Refactor migration files to create tables, functions, triggers, and complete the actual data migration in their own files. 
update migrations and tests clean up removed files rebase onto bosorawis-sql-grants-migration-hook * Add comments to migration files, clean up some formatting, and add 30k project roles to test migration efficiency update migrations go test file Delete duplicate test file * Fix formatting in migration files * Rename hook number to reflect new number of migration files split migrations into hook files, large test file, and more specific test functions * Include missed oss file * Apply suggestions from code review Co-authored-by: Sorawis Nilparuk (Bo) <[email protected]> --------- Co-authored-by: Sorawis Nilparuk (Bo) <[email protected]> * Refactor GrantsForUser subqueries to use aggregate functions (#5822) * Use shorter var name * Refactor grantsForUserGlobalResourcesQuery: Use aggregate function array_agg to reduce rows returned from DB Adding mutliple grants to a role exposes the need to aggregate certain fields (canonical_grant). - Before this change, a row is returned for each distinct canonical grant for each role. - After this change, only one row is returned per role. Each row contains an array of all canonical_grants that apply to the role. * Refactor grantsForUserOrgResourcesQuery: Use aggregate function array_agg to reduce rows returned from DB Adding mutliple grants to a role exposes the need to aggregate certain fields (individual_grant_scopes, canonical_grant). - Before this change, a row is returned for each distinct canonical grant for each role. - After this change, only one row is returned per role. Each row contains an array of all canonical_grants (and individual_grant_scopes) that apply to the role. * Refactor grantsForUserProjectResourcesQuery: Use aggregate function array_agg to reduce rows returned from DB Adding mutliple grants to a role exposes the need to aggregate certain fields (individual_grant_scopes, canonical_grant). - Before this change, a row is returned for each distinct canonical grant for each role. 
- After this change, only one row is returned per role. Each row contains an array of all canonical_grants (and individual_grant_scopes) that apply to the role. * Address PR feedback * Finish PR feedback * Remove unnecessary if-check * Match test name to function name * Refactor grantsForUserRecursiveQuery: Use aggregate function array_agg to reduce rows returned from DB * fix broken test (#5842) * update tests to not check a table that will be dropped in the migration (#5847) * Fix global scope's parent scope id (#5844) * Use variable over hard-coded string * 'global' scope should have no parent scope * Clean up migrated tables (#5837) * Refactor migration files to create tables, functions, triggers, and complete the actual data migration in their own files. update migrations and tests clean up removed files rebase onto bosorawis-sql-grants-migration-hook * Add comments to migration files, clean up some formatting, and add 30k project roles to test migration efficiency update migrations go test file Delete duplicate test file * Fix formatting in migration files * Rename hook number to reflect new number of migration files split migrations into hook files, large test file, and more specific test functions * Drop unneeded iam_role_grant_scope table and unneeded name, description, and version columns from iam_role * fix whitespace * fix broken sql from removing iam role grant scope (#5860) * Ensure table drop also cascades changes to cross-table dependencies * fix broken pgtap from removing iam-role-grant-scope table * drop trigger which deletes from iam-role-grant-scope --------- Co-authored-by: Michael Milton <[email protected]> * test(groups): add grants tests for groups API (#5403) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup 
resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * move a test to _test package * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for billing resource (#5559) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to 
support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for billing resource add test coverage for testing grants with billing resource. This tests `monthly-active-users` action with billing. 
billing does not support output_fields so there are no tests for that * add negative test coverage for descendant scope and org scope * move negative tests to the billing resource * revert alias changes * revert alias test name change * resolve rebase conflict --------- Co-authored-by: Sorawis Nilparuk <[email protected]> * Add grants tests for accounts (#5566) * first test with all the required setup * v1 of test * add primitive func and more test * small comment change * refactor role grants out of authtoken package * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * undo merge mistakes * fix merge mistakes * Trigger CI checks * refactor auth/iam grants test setup * Trigger CI checks * add CRUDL tests * add change-password and set-password tests * add UpdateAccount, ChangePassword, SetPassword tests * add ListAccount output_fields test * make gen * fix error message * rebased against llb * make gen * fix post rebase * fix typo * make some tests use type-specific grants * fix rebase issue * add negative test to read * test(credentials): Add grants tests (#5608) * test(credentials): List tests * test(credentials): Get tests * test(credentials): Add "attributes" output_field & one its subtypes to the Read tests * test(credentials): Create tests * test(credentials): Update tests * test(credentials): Delete tests * test(credentials): Add additional test cases for pinned cred store id * feat: add grants tests for alias (#5550) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names 
and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for alias add test coverage for testing grants with alias resource. 
This tests all actions with aliases and different grant scopes * add tests for output fields * add more test cases for actions, id * update output assert to use shared assert function * rebase * use hashicorp/go-uuid instead of google/uuid --------- Co-authored-by: Sorawis Nilparuk <[email protected]> Co-authored-by: Elim Tsiagbey <[email protected]> * test: add grants tests for host_catalogs (#5573) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * 
id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * move a test to _test package * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * Trigger CI checks * test: add grants tests for host_catalogs * add test coverage for output fields and write actions * add missing error check assertions * fixup! address PR comments * fixup! fix lint errors * chore(host_catalogs_test): Remove duplicate import * test(hostcatalogs): Add tests for actions w/o grants * test(hostcatalogs): Use ldap managed group for all test cases * feat: add grants tests for billing resource (#5559) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup 
examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for billing resource add test coverage for testing grants with billing resource. This tests `monthly-active-users` action with billing. billing does not support output_fields so there are no tests for that * add negative test coverage for descendant scope and org scope * move negative tests to the billing resource * revert alias changes * revert alias test name change * resolve rebase conflict --------- Co-authored-by: Sorawis Nilparuk <[email protected]> * Add grants tests for accounts (#5566) * first test with all the required setup * v1 of test * add primitive func and more test * small comment change * refactor role grants out of authtoken package * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * undo merge mistakes * fix merge mistakes * Trigger CI checks * refactor auth/iam grants test setup * Trigger CI checks * add CRUDL tests * add change-password and set-password tests * add UpdateAccount, ChangePassword, SetPassword tests * add ListAccount output_fields test * make gen * fix error message * rebased against llb * make gen * fix post rebase * fix typo * make some tests use type-specific grants * fix rebase issue * add negative test to read * test(credentials): Add grants tests (#5608) * test(credentials): List tests * test(credentials): Get tests * 
test(credentials): Add "attributes" output_field & one its subtypes to the Read tests * test(credentials): Create tests * test(credentials): Update tests * test(credentials): Delete tests * test(credentials): Add additional test cases for pinned cred store id * feat: add grants tests for alias (#5550) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam 
grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for alias add test coverage for testing grants with alias resource. This tests all actions with aliases and different grant scopes * add tests for output fields * add more test cases for actions, id * update output assert to use shared assert function * rebase * use hashicorp/go-uuid instead of google/uuid --------- Co-authored-by: Sorawis Nilparuk <[email protected]> Co-authored-by: Elim Tsiagbey <[email protected]> * test(hostcatalogs): Add an additional project to "create" test cases --------- Co-authored-by: Sorawis Nilparuk <[email protected]> Co-authored-by: dkanney <[email protected]> Co-authored-by: David Kanney <[email protected]> * Add grants tests for authmethods (#5569) * test(authmethods): Simplify read actions test cases * test(authmethods): Create grants tests for write actions * test(authmethods): Create test cases for action: authenticate * test(authmethods): Update tests to use userFunc & other changes from upstream branch * test(authmethods): Add output_fields to ReadActions tests * test(authmethods): Add output_fields to WriteActions tests * chore(authmethods_test): Consolidate common output fields into a single struct * test(authmethods): Add test cases for project roles * test(authmethods): Fix authenticate testcases * test(authmethods): Add tests granting permission to specific ids using multiple roles * test(hostsets): add grants tests (#5591) * test(hostsets): List tests * test(hostsets): Get tests * test(hostsets): Create tests * test(hostsets): Update tests * test(hostsets): Delete tests * test(hostsets}: AddHostSetHosts tests * test(hostsets): RemoveHostSetHosts tests * test(hostsets): SetHostSetHosts tests * test(hostsets): Use unique host-catalog names to avoid duplicate key DB errors * test(hostsets): Add second project 
to enforce exclusivity when Listing host-sets * test: credentials store grants (#5592) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * save * add list tests * add get test * add create 
and delete test
* add delete and update tests
* more tests
* fix collection_authorized_actions grants not resolving
* complete output_fields tests
* fix import groups
* make gen
* fixed broken tests
* fix rebase
* switch all tests to TestUserGroupGrantsFunc
* remove duplicate test
* test: add grants tests for managed groups resource (#5642)
* test: add grants tests for managed groups resource
* PR reviews
* address PR comments
* test: add grants tests for auth tokens resource (#5644)
* test: add grants tests for auth tokens resource
* add authorized actions tests for resources with sub-resources (#5835)
* add authorized actions tests for resources with sub-resources
* make gen
* bosorawis remove TestRoleGrantsForToken (#5840)
* refactor auth method grants tests
* refactor credential libraries grants tests
* refactor hosts grants tests
* refactor roles grants tests
* refactor scopes grants tests
* refactor tcp targets grants tests
* refactor users grants tests
* refactor worker grants tests
* fix authmethod test broken during the refactor
* remove authtoken.TestRoleGrantsForToken
* add pinned ID test
* correct event name
* fix make gen and lint
* Remove old test Role creation code
  Removing leftover logic from old grants data model because it caused Group-association tests to fail
* update go mod
* run make gen and move new migrations to new folder (#5862)
* run make gen and move new migrations to new folder
* make tools and make gen
* update hook number
* update prior migration
* move 97005 to 97001 for consistency
* test: add grants tests for session resource (#5855)
* add grants tests for sessions
* fix missing parentScopeId
* make gen
* Resolve GrantsForUser queries via resolveQuery() (#5836)
* Add validation for nil resource type
* Remove redundant recursive test
* Refactor GrantsForUser() to perform query resolution & data mapping
  - Remove grantsForUser sub-functions
  - Resolve grantsForUser queries via resolveQuery()
  - resolveQuery() and map data to GrantTuples in GrantsForUser()
* remove dead code
---------
Co-authored-by: Sorawis Nilparuk <[email protected]>
* add grants tests for scope resource (#5845) (#5865)
* 'List' tests for scopes
* 'Get' tests for scopes
* 'Create' tests for scopes
* 'List Key Version Destruction Jobs' tests for scopes
* Add output_fields testing to 'Get' test
* Add additional test case for list-key-version-destruction-jobs
* test: add grants tests for roles resource (#5864)
* add grants tests for roles
* make gen
* test: add grants tests for worker resource (#5841)
* add read createControllerLed createWorkerLed tests
  # Conflicts:
  # internal/daemon/controller/handlers/workers/grants_test.go
* minor refactor
* add output fields tests for list
* add tests for addworkertags readcertificateauthority reinitializecertificateauthority
* finish all worker api tests
* fix make gen and lint
* fix unchecked error lint
* add missing output fields assertion
* Bosorawis fix set role grant scope not handle children grant already exist (#5868)
* add new test case where role already has children and attempt to set children and individual project
* handle case where role already has children grant scope attempt to set children and project
* test: add grants tests for target resource (#5861)
* additional tests to target resource
* add test coverage for SetTargetCredentialSources
* make gen
* review suggestions
* test: add grants test for user resource and fix ACL bug (#5869)
* add some list-resolvable-aliases tests
* fix missing fields
* add more test and found edge case with children grants
* more list-resolvable test cases
* fix edge case where resource ids not overlapping between parent and child are not considered
* resolve conflict
* remove name, version, description from expect output_fields
* remove name and description from toProto and add godoc comment
---------
Co-authored-by: David Kanney <[email protected]>
Co-authored-by: Elim Tsiagbey <[email protected]>
Co-authored-by: Sorawis Nilparuk <[email protected]>
Co-authored-by: Elim Tsiagbey <[email protected]>
Co-authored-by: dkanney <[email protected]>
…#5846)
* Create function to define valid set of scopes for each resource (#5558)
* Create function to define valid set of scopes for each resource
* chore(iam): Update validScopeTypes() to use scope.AllowedIn()
* chore(scope): Initialize with iota
* feat(scope): Return an error instead of scope.Unknown
* feat(iam): Replace interface method `validScopeTypes` with `getResourceType`
  This allows us to call scope.AllowedIn() in one place vs in each implementation of `validScopeTypes`
* chore(resource): Refactor other package functions into methods on resource.Type
* fix(scope): Add defensive checks around invalid resource types
* docs(resource): Add AllowedIn() to the areas to update when adding a new resource type
* docs(resource): Improve error message when an invalid type is provided
* test(grants): GrantsForUsers tests for Group resource (#5443)
* test(grants): WIP: First stab at group associations
* test(grants): Add GrantsForUser test for groups
* chore(grants): Consolidate repetitive setup logic into functions
* test(grants): Add GrantsForUser test for managed groups
* test(grants): Add another user with different grants
  Ensure that non-applicable grants should not be returned because they are not applicable to the user
* chore(grants): cleanup
* chore(grants): Move common setup steps into a helper function
* feat: Define new grants tables (#5486)
  Create new tables for grants:
  1. `iam_role_global`: Roles that are placed in the global scope will be persisted in the `iam_role_global` table. A global role has a `grant_scope` which must be one of:
     * descendants
     * children
     * individual
     This enforces that a global role's grants either apply to:
     * All orgs and projects.
     * All orgs.
     * An individual set of orgs and/or projects.
     When the `grant_scope` is set to `individual`, entries for the specific set of orgs and/or projects can be added to the `iam_role_global_individual_grant_scope` table.
     Separately, a global role can be set to also apply its grant to the global scope by setting `grant_this_role_scope` to true.
  2. `iam_role_org`: Roles that are placed in an org scope will be persisted in the `iam_role_org` table. An org role has a `grant_scope` which must be one of:
     * children
     * individual
     This enforces that an org role's grants either apply to:
     * All projects in the org.
     * An individual set of projects in the org.
     When the `grant_scope` is set to `individual`, entries for the specific set of projects can be added to the `iam_role_org_individual_grant_scope` table.
     **NOTE**: The projects must belong to the org's scope
     Separately, an org role can be set to also apply its grant to the org by setting `grant_this_role_scope` to true.
  3. `resource_enm`: Contains all boundary resources. This is used by `iam_grant` to set the resource from a canonical_grant.
  4. `iam_grant`: Stores the canonical grant string and the resource for filtering on specific grants.
  Co-authored-by: Sorawis Nilparuk <[email protected]>
  Co-authored-by: David Kanney <[email protected]>
* add name scope id unique constraints to all iam_role tables (#5623)
* Bosorawis domain iam role subtypes (#5626)
* add subtype storage definitions
* make gen
* add all subtype definitions
* add const for grant scope individual
* remove unnecessary baseRole subtype
* add new proto files to make target protobuild
* make gen to get protoc-go-inject-tag
* add clone, setTableName, and GetScope tests
* add ResourceType and Actions test
* add create and delete tests for globalROle
* finish create and delete tests
* add trigger for deleting base role
* add trigger to sync update_time back to base iam_role table
* add update tests
* fix missing err checks
* fix iam_role delete subtype trigger function name and use new.update_time instead of now()
* add struct documentation to role subtypes
* add version update check
* add todo comment:
* bosorawis sql split global grants scope table (#5638)
* split
iam_role_global_individual_grant_scope to have separate tables for org and project
* small comment change
* small comment change
* WIP: add tests
* remove grant_scope as immutable column
* add trigger to delete individual grant scope when grant_scope changes
* add a test that covers changing grant_scope
* rename function and trigger in iam_role_global
* improve assertion in sqltest for iam_role_global
* update iam_role_org to delete redundant grants scope
* minor comment fix
* no longer handle individual grant scope deletion with triggers and rename some functions
* add trigger test for grant_scope
* rename delete_base_iam_role to delete_iam_role_subtype
* SQL formatting use now() instead of interval
* bosorawis domain iam implement getRoleScopeType (#5629)
* implement getRoleScopeId
* move query to query.go
* improve notfound err message
* improve other err messages
* use named parameter and move getRoleScopeId implementation
* moved getRoleScopeId test
* rename getRoleScopeId to getRoleScopeType
* fix public_id ambiguous error
* undo unintended change to getUserWithAccount
* fix the correct query
* rename test
* change error code to RecordNotFound
* Update internal/iam/repository_role.go
  Co-authored-by: David Kanney <[email protected]>
* switch to slice instead of counter
---------
Co-authored-by: David Kanney <[email protected]>
* domain: iam: upgrade repository code to use new tables (#5643)
* implement getRoleScopeId
* move query to query.go
* improve notfound err message
* improve other err messages
* use named parameter and move getRoleScopeId implementation
* moved getRoleScopeId test
* rename getRoleScopeId to getRoleScopeType
* fix public_id ambiguous error
* undo unintended change to getUserWithAccount
* fix the correct query
* split iam_role_global_individual_grant_scope to have separate tables for org and project
* small comment change
* small comment change
* WIP: add tests
* remove grant_scope as immutable column
* add trigger to delete individual grant scope when grant_scope changes
* add a test that covers changing grant_scope
* rename function and trigger in iam_role_global
* improve assertion in sqltest for iam_role_global
* update iam_role_org to delete redundant grants scope
* minor comment fix
* no longer handle individual grant scope deletion with triggers and rename some functions
* rename test
* add all subtype definitions
* remove unnecessary baseRole subtype
* add clone, setTableName, and GetScope tests
* add ResourceType and Actions test
* add create and delete tests for globalROle
* finish create and delete tests
* add trigger for deleting base role
* add trigger to sync update_time back to base iam_role table
* add update tests
* fix missing err checks
* fix iam_role delete subtype trigger function name and use new.update_time instead of now()
* add struct documentation to role subtypes
* add version update check
* implement getRoleScopeId
* implement getRoleScopeId
* save
* remove struct embedding from iam.Role
* fix tests to use new iam.Role definition
* repository_role_test.go move to new iam.Role model
* repository_principal_role_test.go use new iam.Role model
* repository_role_grant_test.go use new iam.Role model in test
* add oplog info to sql schema
* internal/iam/testing.go use new role schema in TestRole
* add toRole helper function to all role subtype
* remove tests that are no longer relevant
* internal/iam/repository_scope.go use new iam model
* internal/iam/repository_role_grant.go use new iam model
* internal/iam/repository_principal_role.go use new iam model
* internal/iam/repository_role_test.go add test case for global scoped role
* internal/iam/repository_grant_scope.go use new iam model
* fix query
* make create and lookup role work and add tests
* add role id to getRoleScopeId error message
* make DeleteRole work with new model and add tests
* fix update
* ensure oplog.ReplayableMessage is implemented on all role subtypes
* internal/iam/repository_role_grant.go fix slugging version properly
* internal/iam/repository_role.go minor correction to error message saying org instead of scope
* internal/iam/repository_role_test.go add more update tests
* add immutable_fields tests
* fix rebase
* change error code to RecordNotFound
* refactor to use getScopeType
* fix delete test
* add getRoleScope utility function
* repository_principal_role.go: refactor to remove multiple switch statements
* repository_role_grant.go: refactor to reduce LOC
* repository_role.go small refactor to use alloc func
* repository_grant_scope.go refactor
* review comments
* implement getRoleScopeId
* move query to query.go
* improve notfound err message
* improve other err messages
* use named parameter and move getRoleScopeId implementation
* moved getRoleScopeId test
* rename getRoleScopeId to getRoleScopeType
* fix public_id ambiguous error
* undo unintended change to getUserWithAccount
* fix the correct query
* rename test
* change error code to RecordNotFound
* Update internal/iam/repository_role.go
  Co-authored-by: David Kanney <[email protected]>
* switch to slice instead of counter
* fix merge mistakes
* handling special scopes in test function
* fix TestRoleWithGrants
* fix minor typo
* make gen
* fix comment typos
* Bosorawis domain iam role use new model list role (#5676)
* add and use new list roles query
* run make gen
* tweaked returned error
* replace tabs with spaces in query string
* missed one tab
* remove leading spaces
---------
Co-authored-by: David Kanney <[email protected]>
* Domain: iam: Repository: update list-grant-scope and test setup to use new model (#5679)
* implement getRoleScopeId
* move query to query.go
* improve notfound err message
* improve other err messages
* use named parameter and move getRoleScopeId implementation
* moved getRoleScopeId test
* rename getRoleScopeId to getRoleScopeType
* fix public_id ambiguous error
* undo unintended change to getUserWithAccount
* fix the correct query
* split iam_role_global_individual_grant_scope to have separate tables for org and project
* small comment change
* small comment change
* WIP: add tests
* remove grant_scope as immutable column
* add trigger to delete individual grant scope when grant_scope changes
* add a test that covers changing grant_scope
* rename function and trigger in iam_role_global
* improve assertion in sqltest for iam_role_global
* update iam_role_org to delete redundant grants scope
* minor comment fix
* no longer handle individual grant scope deletion with triggers and rename some functions
* rename test
* add all subtype definitions
* remove unnecessary baseRole subtype
* add clone, setTableName, and GetScope tests
* add ResourceType and Actions test
* add create and delete tests for globalROle
* finish create and delete tests
* add trigger for deleting base role
* add trigger to sync update_time back to base iam_role table
* add update tests
* fix missing err checks
* fix iam_role delete subtype trigger function name and use new.update_time instead of now()
* add struct documentation to role subtypes
* add version update check
* implement getRoleScopeId
* implement getRoleScopeId
* save
* remove struct embedding from iam.Role
* fix tests to use new iam.Role definition
* repository_role_test.go move to new iam.Role model
* repository_principal_role_test.go use new iam.Role model
* repository_role_grant_test.go use new iam.Role model in test
* add oplog info to sql schema
* internal/iam/testing.go use new role schema in TestRole
* add toRole helper function to all role subtype
* remove tests that are no longer relevant
* internal/iam/repository_scope.go use new iam model
* internal/iam/repository_role_grant.go use new iam model
* internal/iam/repository_principal_role.go use new iam model
* internal/iam/repository_role_test.go add test case for global scoped role
* internal/iam/repository_grant_scope.go use new iam model
* fix query
* make create and lookup role work and add tests
* add role id to getRoleScopeId error message
* make DeleteRole work with new model and add tests
* fix update
* ensure oplog.ReplayableMessage is implemented on all role subtypes
* internal/iam/repository_role_grant.go fix slugging version properly
* internal/iam/repository_role.go minor correction to error message saying org instead of scope
* internal/iam/repository_role_test.go add more update tests
* add immutable_fields tests
* fix rebase
* change error code to RecordNotFound
* refactor to use getScopeType
* fix delete test
* add getRoleScope utility function
* repository_principal_role.go: refactor to remove multiple switch statements
* repository_role_grant.go: refactor to reduce LOC
* repository_role.go small refactor to use alloc func
* repository_grant_scope.go refactor
* review comments
* implement getRoleScopeId
* move query to query.go
* improve notfound err message
* improve other err messages
* use named parameter and move getRoleScopeId implementation
* moved getRoleScopeId test
* rename getRoleScopeId to getRoleScopeType
* fix public_id ambiguous error
* undo unintended change to getUserWithAccount
* fix the correct query
* rename test
* change error code to RecordNotFound
* Update internal/iam/repository_role.go
  Co-authored-by: David Kanney <[email protected]>
* switch to slice instead of counter
* fix merge mistakes
* handling special scopes in test function
* fix TestRoleWithGrants
* fix minor typo
* make gen
* fix comment typos
* Bosorawis domain iam role use new model list role (#5676)
* add and use new list roles query
* run make gen
* tweaked returned error
* replace tabs with spaces in query string
* missed one tab
* remove leading spaces
* move ListRoleGrantScopes to repository_grant_scope.go
* rename repository_grant_scope to repository_role_grant_scope
* add proto definition for global role individual grant scope tables
* fix test from removing embedded struct from RoleGrantScope
* add grant_scope to proto definition
* implement GlobalRoleIndividualOrgGrantScope and GlobalRoleIndividualProjectGrantScope
* update comment
* run make gen to update comment
* implement OrgRoleIndividualGrantScope and add tests
* implement part of ListRoleGrantScopes
* Add more test
* add more test cases and remove add-grants test
* unexport listRoleGrantScopes
* use reader from function parameter instead of struct method
* rename test to match actual function
* run make gen
* unexport individual grants structs
* unexport individual grants structs - missed one file
* change TestRole and TestRoleGrantScope function to support new model
* add validation for special scopes
* add role_org_individual_grant_scope.pb.go to protobuild make target
* remove dead code from listRoleGrantScopes
* fix testRoleGrantScopeSpecial not handling org role special scope properly
* add back query removed by rebase
---------
Co-authored-by: David Kanney <[email protected]>
* feat: grantsForUser for Global Resources (#5612)
* feat: grantsForUser for Global Resources
  add query to fetch grants for a user for resources that are only globally scoped
* Update query based on change to bifurcate individual table
* Create subtests for different resources
* Return grant.grant_scope instead of the request scope
* Remove 'individual' subquery & unused reqScope parameter
* Use sql.Named for better readability
* Fix op function name
* Remove individual grant scope logic from global resource repo function
  No need to handle individual grant scopes since global resources can only be queried via 'this' grant scope at the global scope.
* Fix row scan order
* Remove data gen function
* Adjust query formatting
  Remove canonical_grant filter from query. `iam_grant.canonical_grant` is a primary key, so it can't be null anyway -- no need to filter out null canonical grants
* Use the consts for u_auth and u_anon
* Specify "empty" instead of "NULL" in struct field comment
* Build query args with `pq.Array` instead of `fmt.Sprintf`
* Fix TestGrantsForUserGlobalResources
  No longer using a hard-coded value for roleVersion
* Refactor grantsForUserGlobalResources tests into testcases
* go mod tidy
* Update query comment for correctness
---------
Co-authored-by: dkanney <[email protected]>
Co-authored-by: dkanney <[email protected]>
* Bosorawis domain iam implement role grant scopes all (#5701)
* implement getRoleScopeId
* move query to query.go
* improve notfound err message
* improve other err messages
* use named parameter and move getRoleScopeId implementation
* moved getRoleScopeId test
* rename getRoleScopeId to getRoleScopeType
* fix public_id ambiguous error
* undo unintended change to getUserWithAccount
* fix the correct query
* split iam_role_global_individual_grant_scope to have separate tables for org and project
* small comment change
* small comment change
* WIP: add tests
* remove grant_scope as immutable column
* add trigger to delete individual grant scope when grant_scope changes
* add a test that covers changing grant_scope
* rename function and trigger in iam_role_global
* improve assertion in sqltest for iam_role_global
* update iam_role_org to delete redundant grants scope
* minor comment fix
* no longer handle individual grant scope deletion with triggers and rename some functions
* rename test
* add all subtype definitions
* remove unnecessary baseRole subtype
* add clone, setTableName, and GetScope tests
* add ResourceType and Actions test
* add create and delete tests for globalROle
* finish create and delete tests
* add trigger for deleting base role
* add trigger to sync update_time back to base iam_role table
* add update tests
* fix missing err checks
* fix iam_role delete subtype trigger function name and use new.update_time instead of now()
* add struct documentation to role subtypes
* add version update check
* implement getRoleScopeId
* implement getRoleScopeId
* save
* remove struct embedding from iam.Role
* fix tests to use new iam.Role definition
* repository_role_test.go move to new iam.Role model
* repository_principal_role_test.go use new iam.Role model
* repository_role_grant_test.go use new iam.Role model in test
* add oplog info to sql schema
* internal/iam/testing.go use new role schema in TestRole
* add toRole helper function to all role subtype
* remove tests that are no longer relevant
* internal/iam/repository_scope.go use new iam model
* internal/iam/repository_role_grant.go use new iam model
* internal/iam/repository_principal_role.go use new iam model
* internal/iam/repository_role_test.go add test case for global scoped role
* internal/iam/repository_grant_scope.go use new iam model
* fix query
* make create and lookup role work and add tests
* add role id to getRoleScopeId error message
* make DeleteRole work with new model and add tests
* fix update
* ensure oplog.ReplayableMessage is implemented on all role subtypes
* internal/iam/repository_role_grant.go fix slugging version properly
* internal/iam/repository_role.go minor correction to error message saying org instead of scope
* internal/iam/repository_role_test.go add more update tests
* add immutable_fields tests
* fix rebase
* change error code to RecordNotFound
* refactor to use getScopeType
* fix delete test
* add getRoleScope utility function
* repository_principal_role.go: refactor to remove multiple switch statements
* repository_role_grant.go: refactor to reduce LOC
* repository_role.go small refactor to use alloc func
* repository_grant_scope.go refactor
* review comments
* implement getRoleScopeId
* move query to query.go
* improve notfound err message
* improve other err messages
* use named parameter and move getRoleScopeId implementation
* moved getRoleScopeId test
* rename getRoleScopeId to getRoleScopeType
* fix public_id ambiguous error
* undo unintended change to getUserWithAccount
* fix the correct query
* rename test
* change error code to RecordNotFound
* Update internal/iam/repository_role.go
  Co-authored-by: David Kanney <[email protected]>
* switch to slice instead of counter
* fix merge mistakes
* handling special scopes in test function
* fix TestRoleWithGrants
* fix minor typo
* make gen
* fix comment typos
* Bosorawis domain iam role use new model list role (#5676)
* add and use new list roles query
* run make gen
* tweaked returned error
* move ListRoleGrantScopes to repository_grant_scope.go
* rename repository_grant_scope to repository_role_grant_scope
* add proto definition for global role individual grant scope tables
* fix test from removing embedded struct from RoleGrantScope
* add grant_scope to proto definition
* implement GlobalRoleIndividualOrgGrantScope and GlobalRoleIndividualProjectGrantScope
* update comment
* run make gen to update comment
* implement OrgRoleIndividualGrantScope and add tests
* implement part of ListRoleGrantScopes
* Add more test
* add more test cases and remove add-grants test
* unexport listRoleGrantScopes
* use reader from function parameter instead of struct method
* rename test to match actual function
* run make gen
* unexport individual grants structs
* unexport individual grants structs - missed one file
* change TestRole and TestRoleGrantScope function to support new model
* add validation for special scopes
* add role_org_individual_grant_scope.pb.go to protobuild make target
* remove dead code from listRoleGrantScopes
* fix testRoleGrantScopeSpecial not handling org role special scope properly
* change proto grant_this default to true
* make TestRole readback the role to get updated version
* implement toRoleGrantScope function on the subtypes
* implement conversion function
* add tests and AddRoleGrantScope before refactor
* working delete grant scope before refactor
* remove unused functions
* refactor repository_role_grant_scope.go
* add tests for SetRoleGrantScopes
* all tests passing
* refactor repository_role_grant_scope.go again
* run make gen
* no longer embed Resource in roleScopeGranter interface and make interface all internal functions
* add additional test case
* fix minor typo
* add a constraint check for iam_role_org.grant_scope
* refactor and comment repository_role_grant_scope.go and add test cases
* remove unused code
* rename roleScopeGranter to roleGrantScopeUpdater
* interface and function rename
* address PR comments
* remove redundant constraint on iam_role_org
* address pr comments
* grant this scope to role by default when creating a role
* tweak comments and variable names
---------
Co-authored-by: David Kanney <[email protected]>
* feat: add grant_this_role_scope column to iam_role_project (#5738)
* add grant_this_role_scope and sqltest for iam_project_role
* update role_project.proto to add grant_this_role_scope field
* fix missing fields in role_project.proto
* support GrantThisRoleScope field in iam/testing.go
* update repository_scope to set GrantThisRoleScope to true
* add GrantThisRoleScope to project role tests to role_test.go
* add grant_this_role_scope check to query.go
* update roleGrantScopeUpdater to split setGrantScope to setHierarchicalGrantScope and removeHierarchicalGrantScope
* update create_role to set default value for iam_role_project.grant_this_role_scope
* update set, add, delete, list role grant scopes to support grant_this_role_scope in project_role
* rename methods
* run make gen
* make TestRole not bump version when creating roles with default 'this' grants
* address pr comments
* fix variable names
* feat: grantsForUser for Org resources (#5663)
* Create grantsForUser query for Org resources
* Finish & format query
* Change name of field in query
  From 'role_type' to 'role_parent_scope_id'
* Finish grantsForUserOrgResources test
  - Refactor to match the usual testcase pattern
  - Use test functions to create test resources
* Remove unnecessary check against GrantScopeThis
  "this" now has its own field and no longer lives alongside the other grant scopes, so we should not check for it against grantScope
* Ignore children & descendant grant scopes when querying org resources
  The only grant_scope that matters when querying org resources is 'this'
* Refactor query to simplify repo function
  Create separate CTEs for each case: global special (children or descendant), global individual, and org (this). This allows us to query directly into perms.GrantTuple; no additional logic required.
* feat: grantsForUser for Project resources (#5669)
* Reuse testInput
* Create grantsForUserProjectResources query
* Create grantsForUserProjectResources repo func
* Create tests for grantsForUserProjectResources
* Split up CTEs by grant scope and simplify repo function
* Add test cases for missing reqScope id
* Remove unnecessary join to iam_scope_org table
* Reuse 'roles_with_grants' CTE across the grantsForUser queries
* Change reqScope parameter type from `Scope` to `string` (#5748)
* Change 'reqScope' parameter type to: string
* Simplify grantsForUserGlobalQuery & repo func
* Test: GrantsForUser for Accounts for various user to role relationships (#5631)
* test(iam): Refactor GrantsForUser tests into a single test
* test(iam): Extend TestGrantsForUser to include Account resource
  Note: These tests will fail until GrantsForUser is refactored to return only grants whose scopes are applicable to this resource
* test(iam): test(iam): Add Target resource to TestGrantsForUser
* feat: grantsForUser for recursive Global or Org resources (#5747)
* Create query: grantsForUserGlobalAndOrgResourcesQuery
* Create repo function: grantsForUserGlobalAndOrgResourcesRecursive
* Create tests for grantsForUserGlobalAndOrgResources
* Restrict recursive list for Global/Org resources to global scope only
  Return error for non-recursive scopes
* Remove unused option parameter
* Add additional scope and test cases
  - Test for grants against a resource with no permission granted for it
  - Test for grants against a specific resource id without an explicit type set in the grant string
  - Add a project scope to ensure its grants aren't returned
* Return error when passed 'Unknown' or 'All' resource type
* Use constants for 'unknown' & '*' resources
* feat: grantsForUser for recursive Project resources (#5783)
* Create query: grantsForUserProjectResourcesGlobalScopeQuery
* Create query: grantsForUserProjectResourcesOrgScopeQuery
* Create repo function: grantsForUserProjectResourcesRecursiveScopes
* Add recursive testcases to existing grantsForUserProjectResource test function
* Address PR feedback
  - Add testcases for Unknown & All resource types
  - Change a grant string to a pinned resource. Its resource type changed from Target type to Unknown type
  - Call through to grantsForUserProjectResources when reqScopeId is a project scope (i.e. a non-recursive scope)
* Add 'Recursive' to query var naming
* feat: migration hook grants refactor (#5733)
* scaffolding
* comments
* rename migration number
* implement FindIllegalAssociations for 97006 hook
* refactor findIllegalAssociation query
* implement RepairIllegalAssociations and refactor queries
* make gen
* fix missing err check
* pr feedback fix hook fix message wording
* sql formatting
* update comment
* sql formatting
* Apply suggestions from code review
  Co-authored-by: David Kanney <[email protected]>
* change 'illegal' to 'invalid'
* pr comment feedback
* small comment update
---------
Co-authored-by: David Kanney <[email protected]>
* feat: grantsForUser for Global/Org/Project resources (#5807)
* Change naming to be consistent with other grantsForUser functions
* Create grantsForUser query for global-scoped Global/Org/Proj resources
* Create grantsForUser repo function for Global/Org/Proj resources
* Create tests for grantsForUserGlobalOrOrgOrProjectResources
* Create grantsForUser query for org-scoped Global/Org/Proj resources
* Add tests for grantsForUser Global/Org/Proj resource query's org & project request_scopes
* Add clarifying comments and shorter naming convention
* Add 'children' grant_scoped org roles to result set
* feat: grants: add resource type parameters to GrantsForUser (#5750)
* add resource.Type to auth.Verify callchain
* remove WithType option
* update internal/auth/additional_verification_test.go to no longer use WithType
* handle explicit resource type in aclAndGrantHashForUser
* update interceptor_test.go to use resource.Scope for testing auth.Verify
* use resource.Scope to test Audit events
* add godoc comment on GrantsForUser
* add recursive options to iam
* add recursive options to auth
* internal/auth/ldap/managed_group_role_grants_test.go fix GrantsForUser signature
* internal/daemon/controller/handlers/accounts/account_service_test.go fix GrantsForUser signature
* update GrantsForUser godoc
* replace GrantsForUser tests with a new version with scoped down grants
* add mix type assignment to TestGrantsForUser
* move GrantsForUser test to internal/iam/repository_role_grant_ext_test.go
* remove unused options
* rewrite GrantsForUser tests to match the new expectation
* handle recursive call in s.authResult
* fix missing import from rebase
* resolve ListResolvableAlias destination permissions properly
* use global scope for ListResolvableAlias aclAndGrantHashForUser
* make auth.WithRecursive take boolean input
* make iam.WithRecursive option takes a boolean input
* auth/options_test.go add assertion for default option values
* make gen
* add back ACL tests to grants for user
* Support previous grants use-cases (#5823)
* rename parameter to TestManagedGroupMember
* make replace old GrantsForUser with new queries
* fix tests and bugs where global grants don't get resolved
* remove unnecessary grants from grantsForUserProjectResourcesOrgScopeRecursiveQuery
* return full grants for any recursive call
* handle this and role scope ID in test
* order list result by create time instead of update time
* add missing err check
* handle converting role scope ID to this in grant scope API
* fix role service tests
* correct default scope role name
* add special handling in grantsForUser for scope resource
* fix tests to match role creation that does not bump version
* creating alias in invalid scope now returns permissions denied instead of internal
* remove test which looks for account in an authmethod in project scope which is an invalid config
* fix TestLdapManagedGroupRoleGrants to use scope appropriate resource for the test
* fix TestFetchActionSetForId and split org/proj test cases
* Validate reqScopeId for grantsForUserRecursive()
* Update tests based on recursive grantsForUser changes
* Remove last recursive function in favor of grantsForUserRecursive()
* move Scope resource to be AllowedIn all scope types
* allow multiple resource types when calling auth.Verify down to GrantsForUsers
* use append instead of ranging over slice
* minor fix to tests
* Skip default role creation to avoid returning default role in test
* Update wantErrMsg to accommodate multiple resource types
* Add new entries to TestGrantsForUser test results based on recursive query changes
* Update unneccessaryRoles in recursive global/org test case based on changes to recursive query
---------
Co-authored-by: dkanney <[email protected]>
* Migrate roles and grants to new table structure (#5814)
* Refactor migration files to create tables, functions, triggers, and complete the actual data migration in their own files.
  update migrations and tests
  clean up removed files
  rebase onto bosorawis-sql-grants-migration-hook
* Add comments to migration files, clean up some formatting, and add 30k project roles to test migration efficiency
  update migrations go test file
  Delete duplicate test file
* Fix formatting in migration files
* Rename hook number to reflect new number of migration files
  split migrations into hook files, large test file, and more specific test functions
* Include missed oss file
* Apply suggestions from code review
  Co-authored-by: Sorawis Nilparuk (Bo) <[email protected]>
---------
Co-authored-by: Sorawis Nilparuk (Bo) <[email protected]>
* Refactor GrantsForUser subqueries to use aggregate functions (#5822)
* Use shorter var name
* Refactor grantsForUserGlobalResourcesQuery: Use aggregate function array_agg to reduce rows returned from DB
  Adding multiple grants to a role exposes the need to aggregate certain fields (canonical_grant).
  - Before this change, a row is returned for each distinct canonical grant for each role.
  - After this change, only one row is returned per role. Each row contains an array of all canonical_grants that apply to the role.
* Refactor grantsForUserOrgResourcesQuery: Use aggregate function array_agg to reduce rows returned from DB
  Adding multiple grants to a role exposes the need to aggregate certain fields (individual_grant_scopes, canonical_grant).
  - Before this change, a row is returned for each distinct canonical grant for each role.
  - After this change, only one row is returned per role. Each row contains an array of all canonical_grants (and individual_grant_scopes) that apply to the role.
* Refactor grantsForUserProjectResourcesQuery: Use aggregate function array_agg to reduce rows returned from DB
  Adding multiple grants to a role exposes the need to aggregate certain fields (individual_grant_scopes, canonical_grant).
  - Before this change, a row is returned for each distinct canonical grant for each role.
  - After this change, only one row is returned per role. Each row contains an array of all canonical_grants (and individual_grant_scopes) that apply to the role.
* Address PR feedback
* Finish PR feedback
* Remove unnecessary if-check
* Match test name to function name
* Refactor grantsForUserRecursiveQuery: Use aggregate function array_agg to reduce rows returned from DB
* fix broken test (#5842)
* update tests to not check a table that will be dropped in the migration (#5847)
* Fix global scope's parent scope id (#5844)
* Use variable over hard-coded string
* 'global' scope should have no parent scope
* Clean up migrated tables (#5837)
* Refactor migration files to create tables, functions, triggers, and complete the actual data migration in their own files.
  update migrations and tests
  clean up removed files
  rebase onto bosorawis-sql-grants-migration-hook
* Add comments to migration files, clean up some formatting, and add 30k project roles to test migration efficiency
  update migrations go test file
  Delete duplicate test file
* Fix formatting in migration files
* Rename hook number to reflect new number of migration files
  split migrations into hook files, large test file, and more specific test functions
* Drop unneeded iam_role_grant_scope table and unneeded name, description, and version columns from iam_role
* fix whitespace
* fix broken sql from removing iam role grant scope (#5860)
* Ensure table drop also cascades changes to cross-table dependencies
* fix broken pgtap from removing iam-role-grant-scope table
* drop trigger which deletes from iam-role-grant-scope
---------
Co-authored-by: Michael Milton <[email protected]>
* test(groups): add grants tests for groups API (#5403)
* first test with all the required setup
* v1 of test
* add primitive func and more test
* refactor read tests into a single top level
* move token generation to a function
* add test for creates
* add delete tests
* add update test
* only check for version and update_time
* move setup
resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * move a test to _test package * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for billing resource (#5559) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to 
support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for billing resource add test coverage for testing grants with billing resource. This tests `monthly-active-users` action with billing. 
billing does not support output_fields so there are no tests for that * add negative test coverage for descendant scope and org scope * move negative tests to the billing resource * revert alias changes * revert alias test name change * resolve rebase conflict --------- Co-authored-by: Sorawis Nilparuk <[email protected]> * Add grants tests for accounts (#5566) * first test with all the required setup * v1 of test * add primitive func and more test * small comment change * refactor role grants out of authtoken package * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * undo merge mistakes * fix merge mistakes * Trigger CI checks * refactor auth/iam grants test setup * Trigger CI checks * add CRUDL tests * add change-password and set-password tests * add UpdateAccount, ChangePassword, SetPassword tests * add ListAccount output_fields test * make gen * fix error message * rebased against llb * make gen * fix post rebase * fix typo * make some tests use type-specific grants * fix rebase issue * add negative test to read * test(credentials): Add grants tests (#5608) * test(credentials): List tests * test(credentials): Get tests * test(credentials): Add "attributes" output_field & one its subtypes to the Read tests * test(credentials): Create tests * test(credentials): Update tests * test(credentials): Delete tests * test(credentials): Add additional test cases for pinned cred store id * feat: add grants tests for alias (#5550) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names 
and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for alias add test coverage for testing grants with alias resource. 
This tests all actions with aliases and different grant scopes * add tests for output fields * add more test cases for actions, id * update output assert to use shared assert function * rebase * use hashicorp/go-uuid instead of google/uuid --------- Co-authored-by: Sorawis Nilparuk <[email protected]> Co-authored-by: Elim Tsiagbey <[email protected]> * test: add grants tests for host_catalogs (#5573) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * 
id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * move a test to _test package * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * Trigger CI checks * test: add grants tests for host_catalogs * add test coverage for output fields and write actions * add missing error check assertions * fixup! address PR comments * fixup! fix lint errors * chore(host_catalogs_test): Remove duplicate import * test(hostcatalogs): Add tests for actions w/o grants * test(hostcatalogs): Use ldap managed group for all test cases * feat: add grants tests for billing resource (#5559) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup 
examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for billing resource add test coverage for testing grants with billing resource. This tests `monthly-active-users` action with billing. billing does not support output_fields so there are no tests for that * add negative test coverage for descendant scope and org scope * move negative tests to the billing resource * revert alias changes * revert alias test name change * resolve rebase conflict --------- Co-authored-by: Sorawis Nilparuk <[email protected]> * Add grants tests for accounts (#5566) * first test with all the required setup * v1 of test * add primitive func and more test * small comment change * refactor role grants out of authtoken package * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * undo merge mistakes * fix merge mistakes * Trigger CI checks * refactor auth/iam grants test setup * Trigger CI checks * add CRUDL tests * add change-password and set-password tests * add UpdateAccount, ChangePassword, SetPassword tests * add ListAccount output_fields test * make gen * fix error message * rebased against llb * make gen * fix post rebase * fix typo * make some tests use type-specific grants * fix rebase issue * add negative test to read * test(credentials): Add grants tests (#5608) * test(credentials): List tests * test(credentials): Get tests * 
test(credentials): Add "attributes" output_field & one its subtypes to the Read tests * test(credentials): Create tests * test(credentials): Update tests * test(credentials): Delete tests * test(credentials): Add additional test cases for pinned cred store id * feat: add grants tests for alias (#5550) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam 
grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for alias add test coverage for testing grants with alias resource. This tests all actions with aliases and different grant scopes * add tests for output fields * add more test cases for actions, id * update output assert to use shared assert function * rebase * use hashicorp/go-uuid instead of google/uuid --------- Co-authored-by: Sorawis Nilparuk <[email protected]> Co-authored-by: Elim Tsiagbey <[email protected]> * test(hostcatalogs): Add an additional project to "create" test cases --------- Co-authored-by: Sorawis Nilparuk <[email protected]> Co-authored-by: dkanney <[email protected]> Co-authored-by: David Kanney <[email protected]> * Add grants tests for authmethods (#5569) * test(authmethods): Simplify read actions test cases * test(authmethods): Create grants tests for write actions * test(authmethods): Create test cases for action: authenticate * test(authmethods): Update tests to use userFunc & other changes from upstream branch * test(authmethods): Add output_fields to ReadActions tests * test(authmethods): Add output_fields to WriteActions tests * chore(authmethods_test): Consolidate common output fields into a single struct * test(authmethods): Add test cases for project roles * test(authmethods): Fix authenticate testcases * test(authmethods): Add tests granting permission to specific ids using multiple roles * test(hostsets): add grants tests (#5591) * test(hostsets): List tests * test(hostsets): Get tests * test(hostsets): Create tests * test(hostsets): Update tests * test(hostsets): Delete tests * test(hostsets}: AddHostSetHosts tests * test(hostsets): RemoveHostSetHosts tests * test(hostsets): SetHostSetHosts tests * test(hostsets): Use unique host-catalog names to avoid duplicate key DB errors * test(hostsets): Add second project 
to enforce exclusivity when Listing host-sets * test: credentials store grants (#5592) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * save * add list tests * add get test * add create 
and delete test * add delete and update tests * more tests * fix collection_authorized_actions grants not resolving * complete output_fields tests * fix import groups * make gen * fixed broken tests * fix rebase * switch all tests to TestUserGroupGrantsFunc * remove duplicate test * test: add grants tests for managed groups resource (#5642) * test: add grants tests for managed groups resource * PR reviews * address PR comments * test: add grants tests for auth tokens resource (#5644) * test: add grants tests for auth tokens resource * add authorized actions tests for resources with sub-resources (#5835) * add authorized actions tests for resources with sub-resources * make gen * bosorawis remove TestRoleGrantsForToken (#5840) * refactor auth method grants tests * refactor credential libraries grants tests * refactor hosts grants tests * refactor roles grants tests * refactor scopes grants tests * refactor tcp targets grants tests * refactor users grants tests * refactor worker grants tests * fix authmethod test broken during the refactor * remove authtoken.TestRoleGrantsForToken * add pinned ID test * correct event name * fix make gen and lint * Remove old test Role creation code Removing leftover logic from old grants data model because it caused Group-association tests to fail * update go mod * run make gen and move new migrations to new folder (#5862) * run make gen and move new migrations to new folder * make tools and make gen * update hook number * update prior migration * move 97005 to 97001 for consistency * test: add grants tests for session resource (#5855) * add grants tests for sessions * fix missing parentScopeId * make gen * Resolve GrantsForUser queries via resolveQuery() (#5836) * Add validation for nil resource type * Remove redundant recursive test * Refactor GrantsForUser() to perform query resolution & data mapping - Remove grantsForUser sub-functions - Resolve grantsForUser queries via resolveQuery() - resolveQuery() and map data to GrantTuples 
in GrantsForUser() * remove dead code --------- Co-authored-by: Sorawis Nilparuk <[email protected]> * add grants tests for scope resource (#5845) (#5865) * 'List' tests for scopes * 'Get' tests for scopes * 'Create' tests for scopes * 'List Key Version Destruction Jobs' tests for scopes * Add output_fields testing to 'Get' test * Add additional test case for list-key-version-destruction-jobs * test: add grants tests for roles resource (#5864) * add grants tests for roles * make gen * test: add grants tests for worker resource (#5841) * add read createControllerLed createWorkerLed tests # Conflicts: # internal/daemon/controller/handlers/workers/grants_test.go * minor refactor * add output fields tests for list * add tests for addworkertags readcertificateauthority reinitializecertificateauthority * finish all worker api tests * fix make gen and lint * fix unchecked error lint * add missing output fields assertion * Bosorawis fix set role grant scope not handle children grant already exist (#5868) * add new test case where role already has children and attempt to set children and individual project * handle case where role already has children grant scope attempt to set children and project * test: add grants tests for target resource (#5861) * additional tests to target resource * add test coverage for SetTargetCredentialSources * make gen * review suggestions * test: add grants test for user resource and fix ACL bug (#5869) * add some list-resolvable-aliases tests * fix missing fields * add more test and found edge case with children grants * more list-resolvable test cases * fix edge case where resource ids not overlapping between parent and child are not considered * resolve conflict * remove name, version, description from expect output_fields * remove name and description from toProto and add godoc comment --------- Co-authored-by: David Kanney <[email protected]> Co-authored-by: Elim Tsiagbey <[email protected]> Co-authored-by: Sorawis Nilparuk <[email 
protected]> Co-authored-by: Elim Tsiagbey <[email protected]> Co-authored-by: dkanney <[email protected]>
This PR migrates the previous `iam_role_grant_scopes` table to new tables `iam_role_global`, `iam_role_org`, `iam_role_project`, `iam_role_global_individual_org_grant_scope`, `iam_role_global_individual_project_grant_scope`, and `iam_role_org_individual_grant_scope`, making db access and returns more performant.
A new table `iam_grant` exists, migrated from `iam_role_grant` for all distinct canonical_grants.
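The two migration steps the description above names (deduplicating canonical grants into `iam_grant`, and routing each role into a per-scope-type table) together with the one-row-per-role `array_agg` lookup that the GrantsForUser commits in the squashed history describe, written out as an added PostgreSQL example. This is not Boundary's migration code. The names `iam_grant`, `iam_role_grant`, `iam_role`, `canonical_grant`, `iam_role_global`, `iam_role_org` and `iam_role_project` come from the PR; the columns `role_id`, `public_id`, `scope_id` and `iam_scope.type`, the scope type values `'global'`, `'org'` and `'project'`, the single-column layout of the new tables and the constraint names are assumptions made for the example, and the individual-grant-scope tables are left out.

```sql
-- Added example, not Boundary's migration code. Assumed (not from the PR):
-- role_id / public_id / scope_id / iam_scope.type, the scope type values
-- 'global', 'org', 'project', and the one-column layout of the new tables.
begin;

-- 1. iam_grant: exactly one row per distinct canonical grant, built from
--    iam_role_grant. ON CONFLICT makes the step safe to re-run.
create table if not exists iam_grant (
  canonical_grant text primary key
    constraint canonical_grant_must_not_be_empty
      check (length(trim(canonical_grant)) > 0)
);

insert into iam_grant (canonical_grant)
select distinct canonical_grant
  from iam_role_grant
 on conflict (canonical_grant) do nothing;

-- Abort (and roll back the whole transaction) if any role grant has no
-- iam_grant row; a silently dropped grant is a silent permission change.
do $$
declare
  missing bigint;
begin
  select count(*) into missing
    from iam_role_grant rg
    left join iam_grant g on g.canonical_grant = rg.canonical_grant
   where g.canonical_grant is null;
  if missing > 0 then
    raise exception 'iam_grant migration left % role grants unresolved', missing;
  end if;
end $$;

-- Only now add the FK, so every future role grant must reference an iam_grant row.
alter table iam_role_grant
  add constraint iam_role_grant_canonical_grant_fkey
  foreign key (canonical_grant) references iam_grant (canonical_grant);

-- 2. Route each role into the table for its scope type. A role belongs to
--    exactly one of the three, so the row counts must add up to the role count.
create table if not exists iam_role_global  (public_id text primary key references iam_role (public_id) on delete cascade);
create table if not exists iam_role_org     (public_id text primary key references iam_role (public_id) on delete cascade);
create table if not exists iam_role_project (public_id text primary key references iam_role (public_id) on delete cascade);

insert into iam_role_global (public_id)
select r.public_id from iam_role r join iam_scope s on s.public_id = r.scope_id
 where s.type = 'global'
 on conflict do nothing;

insert into iam_role_org (public_id)
select r.public_id from iam_role r join iam_scope s on s.public_id = r.scope_id
 where s.type = 'org'
 on conflict do nothing;

insert into iam_role_project (public_id)
select r.public_id from iam_role r join iam_scope s on s.public_id = r.scope_id
 where s.type = 'project'
 on conflict do nothing;

do $$
declare
  total bigint;
  split bigint;
begin
  select count(*) into total from iam_role;
  select (select count(*) from iam_role_global)
       + (select count(*) from iam_role_org)
       + (select count(*) from iam_role_project) into split;
  if total <> split then
    raise exception 'role split mismatch: % roles, % rows across scope tables', total, split;
  end if;
end $$;

-- 3. Post-migration lookup shape from the GrantsForUser refactor: one row per
--    role carrying an array of its grants, instead of one row per grant.
select rg.role_id,
       array_agg(rg.canonical_grant order by rg.canonical_grant) as canonical_grants
  from iam_role_grant rg
 group by rg.role_id;

commit;
```

Running the whole thing inside one transaction is the point of the two `do` blocks: a count mismatch raises, the transaction rolls back, and the old tables are untouched, which is the failure mode you want from a migration that rewrites authorization data. The final `select` is the shape to compare against the pre-migration query when checking that no role lost a grant.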