fix(project_roles): fixed bad permission check in command layer for project roles add/update/delete (#10531)
# Which Problems Are Solved
Project Admins would get permission errors when trying to add project
roles
# How the Problems Are Solved
Fixed the wrong parameters that were being passed into the permission check
- Closes https://github.com/zitadel/zitadel/issues/10505
(cherry picked from commit 24a7d3ceb1)
@@ -12,6 +12,7 @@ import (
|
|||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
|
|
||||||
"github.com/zitadel/zitadel/internal/integration"
|
"github.com/zitadel/zitadel/internal/integration"
|
||||||
|
"github.com/zitadel/zitadel/pkg/grpc/management"
|
||||||
project "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"
|
project "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -29,7 +30,7 @@ func TestServer_AddProjectRole(t *testing.T) {
|
|||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
prepare func(request *project.AddProjectRoleRequest)
|
prepare func(t *testing.T, request *project.AddProjectRoleRequest)
|
||||||
req *project.AddProjectRoleRequest
|
req *project.AddProjectRoleRequest
|
||||||
want
|
want
|
||||||
wantErr bool
|
wantErr bool
|
||||||
@@ -37,7 +38,7 @@ func TestServer_AddProjectRole(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "empty key",
|
name: "empty key",
|
||||||
ctx: iamOwnerCtx,
|
ctx: iamOwnerCtx,
|
||||||
prepare: func(request *project.AddProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
request.ProjectId = projectResp.GetId()
|
request.ProjectId = projectResp.GetId()
|
||||||
},
|
},
|
||||||
@@ -50,7 +51,7 @@ func TestServer_AddProjectRole(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "empty displayname",
|
name: "empty displayname",
|
||||||
ctx: iamOwnerCtx,
|
ctx: iamOwnerCtx,
|
||||||
prepare: func(request *project.AddProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
request.ProjectId = projectResp.GetId()
|
request.ProjectId = projectResp.GetId()
|
||||||
},
|
},
|
||||||
@@ -63,7 +64,7 @@ func TestServer_AddProjectRole(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "already existing, error",
|
name: "already existing, error",
|
||||||
ctx: iamOwnerCtx,
|
ctx: iamOwnerCtx,
|
||||||
prepare: func(request *project.AddProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
|
||||||
request.ProjectId = alreadyExistingProject.GetId()
|
request.ProjectId = alreadyExistingProject.GetId()
|
||||||
},
|
},
|
||||||
req: &project.AddProjectRoleRequest{
|
req: &project.AddProjectRoleRequest{
|
||||||
@@ -75,7 +76,7 @@ func TestServer_AddProjectRole(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "empty, ok",
|
name: "empty, ok",
|
||||||
ctx: iamOwnerCtx,
|
ctx: iamOwnerCtx,
|
||||||
prepare: func(request *project.AddProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
request.ProjectId = projectResp.GetId()
|
request.ProjectId = projectResp.GetId()
|
||||||
},
|
},
|
||||||
@@ -91,7 +92,7 @@ func TestServer_AddProjectRole(t *testing.T) {
|
|||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
if tt.prepare != nil {
|
if tt.prepare != nil {
|
||||||
tt.prepare(tt.req)
|
tt.prepare(t, tt.req)
|
||||||
}
|
}
|
||||||
|
|
||||||
creationDate := time.Now().UTC()
|
creationDate := time.Now().UTC()
|
||||||
@@ -118,18 +119,20 @@ func TestServer_AddProjectRole_Permission(t *testing.T) {
|
|||||||
type want struct {
|
type want struct {
|
||||||
creationDate bool
|
creationDate bool
|
||||||
}
|
}
|
||||||
tests := []struct {
|
|
||||||
|
type test struct {
|
||||||
name string
|
name string
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
prepare func(request *project.AddProjectRoleRequest)
|
prepare func(t *testing.T, request *project.AddProjectRoleRequest)
|
||||||
req *project.AddProjectRoleRequest
|
req *project.AddProjectRoleRequest
|
||||||
want
|
want
|
||||||
wantErr bool
|
wantErr bool
|
||||||
}{
|
}
|
||||||
|
tests := []*test{
|
||||||
{
|
{
|
||||||
name: "unauthenticated",
|
name: "unauthenticated",
|
||||||
ctx: CTX,
|
ctx: CTX,
|
||||||
prepare: func(request *project.AddProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
request.ProjectId = projectResp.GetId()
|
request.ProjectId = projectResp.GetId()
|
||||||
},
|
},
|
||||||
@@ -142,7 +145,7 @@ func TestServer_AddProjectRole_Permission(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "no permission",
|
name: "no permission",
|
||||||
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeNoPermission),
|
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeNoPermission),
|
||||||
prepare: func(request *project.AddProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
request.ProjectId = projectResp.GetId()
|
request.ProjectId = projectResp.GetId()
|
||||||
},
|
},
|
||||||
@@ -155,7 +158,7 @@ func TestServer_AddProjectRole_Permission(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "organization owner, other org",
|
name: "organization owner, other org",
|
||||||
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
|
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
|
||||||
prepare: func(request *project.AddProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
request.ProjectId = projectResp.GetId()
|
request.ProjectId = projectResp.GetId()
|
||||||
},
|
},
|
||||||
@@ -168,7 +171,7 @@ func TestServer_AddProjectRole_Permission(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "organization owner, ok",
|
name: "organization owner, ok",
|
||||||
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
|
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
|
||||||
prepare: func(request *project.AddProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), integration.ProjectName(), false, false)
|
||||||
request.ProjectId = projectResp.GetId()
|
request.ProjectId = projectResp.GetId()
|
||||||
},
|
},
|
||||||
@@ -183,7 +186,7 @@ func TestServer_AddProjectRole_Permission(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "instance owner, ok",
|
name: "instance owner, ok",
|
||||||
ctx: iamOwnerCtx,
|
ctx: iamOwnerCtx,
|
||||||
prepare: func(request *project.AddProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
request.ProjectId = projectResp.GetId()
|
request.ProjectId = projectResp.GetId()
|
||||||
},
|
},
|
||||||
@@ -195,11 +198,47 @@ func TestServer_AddProjectRole_Permission(t *testing.T) {
|
|||||||
creationDate: true,
|
creationDate: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
func() *test {
|
||||||
|
out := test{
|
||||||
|
name: "add project role as a added project admin, ok",
|
||||||
|
req: &project.AddProjectRoleRequest{
|
||||||
|
RoleKey: integration.RoleKey(),
|
||||||
|
DisplayName: integration.RoleDisplayName(),
|
||||||
|
},
|
||||||
|
want: want{
|
||||||
|
creationDate: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
out.prepare = func(t *testing.T, request *project.AddProjectRoleRequest) {
|
||||||
|
// create project
|
||||||
|
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.Id, integration.ProjectName(), false, false)
|
||||||
|
// create user
|
||||||
|
userID := instance.CreateHumanUser(iamOwnerCtx).GetUserId()
|
||||||
|
loginCTX := instance.WithAuthorization(iamOwnerCtx, integration.UserTypeLogin)
|
||||||
|
instance.RegisterUserPasskey(iamOwnerCtx, userID)
|
||||||
|
_, token, _, _ := instance.CreateVerifiedWebAuthNSession(t, loginCTX, userID)
|
||||||
|
// assign user as project admin
|
||||||
|
_, err := instance.Client.Mgmt.AddProjectMember(iamOwnerCtx, &management.AddProjectMemberRequest{
|
||||||
|
ProjectId: projectResp.GetId(),
|
||||||
|
UserId: userID,
|
||||||
|
Roles: []string{"PROJECT_OWNER_GLOBAL"},
|
||||||
|
})
|
||||||
|
assert.NoError(t, err)
|
||||||
|
|
||||||
|
// set context
|
||||||
|
out.ctx = integration.WithAuthorizationToken(context.Background(), token)
|
||||||
|
|
||||||
|
request.ProjectId = projectResp.GetId()
|
||||||
|
}
|
||||||
|
|
||||||
|
return &out
|
||||||
|
}(),
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
if tt.prepare != nil {
|
if tt.prepare != nil {
|
||||||
tt.prepare(tt.req)
|
tt.prepare(t, tt.req)
|
||||||
}
|
}
|
||||||
|
|
||||||
creationDate := time.Now().UTC()
|
creationDate := time.Now().UTC()
|
||||||
@@ -241,14 +280,14 @@ func TestServer_UpdateProjectRole(t *testing.T) {
|
|||||||
}
|
}
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
prepare func(request *project.UpdateProjectRoleRequest)
|
prepare func(t *testing.T, request *project.UpdateProjectRoleRequest)
|
||||||
args args
|
args args
|
||||||
want want
|
want want
|
||||||
wantErr bool
|
wantErr bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "missing permission",
|
name: "missing permission",
|
||||||
prepare: func(request *project.UpdateProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
||||||
@@ -265,7 +304,7 @@ func TestServer_UpdateProjectRole(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "not existing",
|
name: "not existing",
|
||||||
prepare: func(request *project.UpdateProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
|
||||||
request.RoleKey = "notexisting"
|
request.RoleKey = "notexisting"
|
||||||
return
|
return
|
||||||
},
|
},
|
||||||
@@ -279,7 +318,7 @@ func TestServer_UpdateProjectRole(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "no change, ok",
|
name: "no change, ok",
|
||||||
prepare: func(request *project.UpdateProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
||||||
@@ -298,7 +337,7 @@ func TestServer_UpdateProjectRole(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "change display name, ok",
|
name: "change display name, ok",
|
||||||
prepare: func(request *project.UpdateProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
||||||
@@ -318,7 +357,7 @@ func TestServer_UpdateProjectRole(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "change full, ok",
|
name: "change full, ok",
|
||||||
prepare: func(request *project.UpdateProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
||||||
@@ -341,7 +380,7 @@ func TestServer_UpdateProjectRole(t *testing.T) {
|
|||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
creationDate := time.Now().UTC()
|
creationDate := time.Now().UTC()
|
||||||
tt.prepare(tt.args.req)
|
tt.prepare(t, tt.args.req)
|
||||||
|
|
||||||
got, err := instance.Client.Projectv2Beta.UpdateProjectRole(tt.args.ctx, tt.args.req)
|
got, err := instance.Client.Projectv2Beta.UpdateProjectRole(tt.args.ctx, tt.args.req)
|
||||||
if tt.wantErr {
|
if tt.wantErr {
|
||||||
@@ -370,16 +409,17 @@ func TestServer_UpdateProjectRole_Permission(t *testing.T) {
|
|||||||
change bool
|
change bool
|
||||||
changeDate bool
|
changeDate bool
|
||||||
}
|
}
|
||||||
tests := []struct {
|
type test struct {
|
||||||
name string
|
name string
|
||||||
prepare func(request *project.UpdateProjectRoleRequest)
|
prepare func(t *testing.T, request *project.UpdateProjectRoleRequest)
|
||||||
args args
|
args args
|
||||||
want want
|
want want
|
||||||
wantErr bool
|
wantErr bool
|
||||||
}{
|
}
|
||||||
|
tests := []*test{
|
||||||
{
|
{
|
||||||
name: "unauthenicated",
|
name: "unauthenicated",
|
||||||
prepare: func(request *project.UpdateProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
||||||
@@ -396,7 +436,7 @@ func TestServer_UpdateProjectRole_Permission(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "no permission",
|
name: "no permission",
|
||||||
prepare: func(request *project.UpdateProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
||||||
@@ -413,7 +453,7 @@ func TestServer_UpdateProjectRole_Permission(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "organization owner, other org",
|
name: "organization owner, other org",
|
||||||
prepare: func(request *project.UpdateProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
||||||
@@ -430,7 +470,7 @@ func TestServer_UpdateProjectRole_Permission(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "organization owner, ok",
|
name: "organization owner, ok",
|
||||||
prepare: func(request *project.UpdateProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
||||||
@@ -450,7 +490,7 @@ func TestServer_UpdateProjectRole_Permission(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "instance owner, ok",
|
name: "instance owner, ok",
|
||||||
prepare: func(request *project.UpdateProjectRoleRequest) {
|
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
||||||
@@ -468,11 +508,53 @@ func TestServer_UpdateProjectRole_Permission(t *testing.T) {
|
|||||||
changeDate: true,
|
changeDate: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
func() *test {
|
||||||
|
out := test{
|
||||||
|
name: "change project role as a added project admin, ok",
|
||||||
|
args: args{
|
||||||
|
req: &project.UpdateProjectRoleRequest{
|
||||||
|
DisplayName: gu.Ptr(integration.RoleKey()),
|
||||||
|
Group: gu.Ptr(integration.RoleKey()),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
want: want{
|
||||||
|
change: true,
|
||||||
|
changeDate: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
out.prepare = func(t *testing.T, request *project.UpdateProjectRoleRequest) {
|
||||||
|
// create project
|
||||||
|
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.Id, integration.ProjectName(), false, false)
|
||||||
|
// create user
|
||||||
|
userID := instance.CreateHumanUser(iamOwnerCtx).GetUserId()
|
||||||
|
loginCTX := instance.WithAuthorization(iamOwnerCtx, integration.UserTypeLogin)
|
||||||
|
instance.RegisterUserPasskey(iamOwnerCtx, userID)
|
||||||
|
_, token, _, _ := instance.CreateVerifiedWebAuthNSession(t, loginCTX, userID)
|
||||||
|
// assign user as project admin
|
||||||
|
_, err := instance.Client.Mgmt.AddProjectMember(iamOwnerCtx, &management.AddProjectMemberRequest{
|
||||||
|
ProjectId: projectResp.GetId(),
|
||||||
|
UserId: userID,
|
||||||
|
Roles: []string{"PROJECT_OWNER_GLOBAL"},
|
||||||
|
})
|
||||||
|
assert.NoError(t, err)
|
||||||
|
|
||||||
|
// set context
|
||||||
|
out.args.ctx = integration.WithAuthorizationToken(context.Background(), token)
|
||||||
|
|
||||||
|
roleName := integration.RoleKey()
|
||||||
|
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
|
||||||
|
request.ProjectId = projectResp.GetId()
|
||||||
|
request.RoleKey = roleName
|
||||||
|
}
|
||||||
|
|
||||||
|
return &out
|
||||||
|
}(),
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
creationDate := time.Now().UTC()
|
creationDate := time.Now().UTC()
|
||||||
tt.prepare(tt.args.req)
|
tt.prepare(t, tt.args.req)
|
||||||
|
|
||||||
got, err := instance.Client.Projectv2Beta.UpdateProjectRole(tt.args.ctx, tt.args.req)
|
got, err := instance.Client.Projectv2Beta.UpdateProjectRole(tt.args.ctx, tt.args.req)
|
||||||
if tt.wantErr {
|
if tt.wantErr {
|
||||||
@@ -508,7 +590,7 @@ func TestServer_DeleteProjectRole(t *testing.T) {
|
|||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
prepare func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time)
|
prepare func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time)
|
||||||
req *project.RemoveProjectRoleRequest
|
req *project.RemoveProjectRoleRequest
|
||||||
wantDeletionDate bool
|
wantDeletionDate bool
|
||||||
wantErr bool
|
wantErr bool
|
||||||
@@ -534,7 +616,7 @@ func TestServer_DeleteProjectRole(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "delete",
|
name: "delete",
|
||||||
ctx: iamOwnerCtx,
|
ctx: iamOwnerCtx,
|
||||||
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
||||||
creationDate := time.Now().UTC()
|
creationDate := time.Now().UTC()
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
@@ -549,7 +631,7 @@ func TestServer_DeleteProjectRole(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "delete, already removed",
|
name: "delete, already removed",
|
||||||
ctx: iamOwnerCtx,
|
ctx: iamOwnerCtx,
|
||||||
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
||||||
creationDate := time.Now().UTC()
|
creationDate := time.Now().UTC()
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
@@ -567,7 +649,7 @@ func TestServer_DeleteProjectRole(t *testing.T) {
|
|||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
var creationDate, deletionDate time.Time
|
var creationDate, deletionDate time.Time
|
||||||
if tt.prepare != nil {
|
if tt.prepare != nil {
|
||||||
creationDate, deletionDate = tt.prepare(tt.req)
|
creationDate, deletionDate = tt.prepare(t, tt.req)
|
||||||
}
|
}
|
||||||
got, err := instance.Client.Projectv2Beta.RemoveProjectRole(tt.ctx, tt.req)
|
got, err := instance.Client.Projectv2Beta.RemoveProjectRole(tt.ctx, tt.req)
|
||||||
if tt.wantErr {
|
if tt.wantErr {
|
||||||
@@ -584,18 +666,19 @@ func TestServer_DeleteProjectRole_Permission(t *testing.T) {
|
|||||||
iamOwnerCtx := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
|
iamOwnerCtx := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
|
||||||
orgResp := instance.CreateOrganization(iamOwnerCtx, integration.OrganizationName(), gofakeit.Email())
|
orgResp := instance.CreateOrganization(iamOwnerCtx, integration.OrganizationName(), gofakeit.Email())
|
||||||
|
|
||||||
tests := []struct {
|
type test struct {
|
||||||
name string
|
name string
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
prepare func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time)
|
prepare func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time)
|
||||||
req *project.RemoveProjectRoleRequest
|
req *project.RemoveProjectRoleRequest
|
||||||
wantDeletionDate bool
|
wantDeletionDate bool
|
||||||
wantErr bool
|
wantErr bool
|
||||||
}{
|
}
|
||||||
|
tests := []*test{
|
||||||
{
|
{
|
||||||
name: "unauthenticated",
|
name: "unauthenticated",
|
||||||
ctx: CTX,
|
ctx: CTX,
|
||||||
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
||||||
creationDate := time.Now().UTC()
|
creationDate := time.Now().UTC()
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
@@ -610,7 +693,7 @@ func TestServer_DeleteProjectRole_Permission(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "no permission",
|
name: "no permission",
|
||||||
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeNoPermission),
|
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeNoPermission),
|
||||||
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
||||||
creationDate := time.Now().UTC()
|
creationDate := time.Now().UTC()
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
@@ -625,7 +708,7 @@ func TestServer_DeleteProjectRole_Permission(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "organization owner, other org",
|
name: "organization owner, other org",
|
||||||
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
|
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
|
||||||
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
||||||
creationDate := time.Now().UTC()
|
creationDate := time.Now().UTC()
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
@@ -640,7 +723,7 @@ func TestServer_DeleteProjectRole_Permission(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "organization owner, ok",
|
name: "organization owner, ok",
|
||||||
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
|
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
|
||||||
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
||||||
creationDate := time.Now().UTC()
|
creationDate := time.Now().UTC()
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
@@ -655,7 +738,7 @@ func TestServer_DeleteProjectRole_Permission(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "instance owner, ok",
|
name: "instance owner, ok",
|
||||||
ctx: iamOwnerCtx,
|
ctx: iamOwnerCtx,
|
||||||
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
||||||
creationDate := time.Now().UTC()
|
creationDate := time.Now().UTC()
|
||||||
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
|
||||||
roleName := integration.RoleKey()
|
roleName := integration.RoleKey()
|
||||||
@@ -667,12 +750,48 @@ func TestServer_DeleteProjectRole_Permission(t *testing.T) {
|
|||||||
req: &project.RemoveProjectRoleRequest{},
|
req: &project.RemoveProjectRoleRequest{},
|
||||||
wantDeletionDate: true,
|
wantDeletionDate: true,
|
||||||
},
|
},
|
||||||
|
func() *test {
|
||||||
|
out := test{
|
||||||
|
name: "delete project role as a added project admin, ok",
|
||||||
|
req: &project.RemoveProjectRoleRequest{},
|
||||||
|
wantDeletionDate: true,
|
||||||
|
}
|
||||||
|
|
||||||
|
out.prepare = func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
|
||||||
|
// create project
|
||||||
|
creationDate := time.Now().UTC()
|
||||||
|
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.Id, integration.ProjectName(), false, false)
|
||||||
|
// create user
userID := instance.CreateHumanUser(iamOwnerCtx).GetUserId()
loginCTX := instance.WithAuthorization(iamOwnerCtx, integration.UserTypeLogin)
instance.RegisterUserPasskey(iamOwnerCtx, userID)
_, token, _, _ := instance.CreateVerifiedWebAuthNSession(t, loginCTX, userID)
// assign user as project admin
_, err := instance.Client.Mgmt.AddProjectMember(iamOwnerCtx, &management.AddProjectMemberRequest{
ProjectId: projectResp.GetId(),
UserId: userID,
Roles: []string{"PROJECT_OWNER_GLOBAL"},
})
assert.NoError(t, err)
// set context
out.ctx = integration.WithAuthorizationToken(context.Background(), token)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
}
return &out
}(),
}
}
for _, tt := range tests {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
var creationDate, deletionDate time.Time
var creationDate, deletionDate time.Time
if tt.prepare != nil {
if tt.prepare != nil {
creationDate, deletionDate = tt.prepare(tt.req)
creationDate, deletionDate = tt.prepare(t, tt.req)
}
}
got, err := instance.Client.Projectv2Beta.RemoveProjectRole(tt.ctx, tt.req)
got, err := instance.Client.Projectv2Beta.RemoveProjectRole(tt.ctx, tt.req)
if tt.wantErr {
if tt.wantErr {
@@ -36,7 +36,7 @@ func (c *Commands) AddProjectRole(ctx context.Context, projectRole *AddProjectRo
if projectRole.ResourceOwner == "" {
if projectRole.ResourceOwner == "" {
projectRole.ResourceOwner = projectResourceOwner
projectRole.ResourceOwner = projectResourceOwner
}
}
if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.Key); err != nil {
if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.AggregateID); err != nil {
return nil, err
return nil, err
}
}
@@ -61,8 +61,8 @@ func (c *Commands) AddProjectRole(ctx context.Context, projectRole *AddProjectRo
return writeModelToObjectDetails(&roleWriteModel.WriteModel), nil
return writeModelToObjectDetails(&roleWriteModel.WriteModel), nil
}
}
func (c *Commands) checkPermissionWriteProjectRole(ctx context.Context, resourceOwner, roleKey string) error {
func (c *Commands) checkPermissionWriteProjectRole(ctx context.Context, orgID, projectID string) error {
return c.checkPermission(ctx, domain.PermissionProjectRoleWrite, resourceOwner, roleKey)
return c.checkPermission(ctx, domain.PermissionProjectRoleWrite, orgID, projectID)
}
}
func (c *Commands) BulkAddProjectRole(ctx context.Context, projectID, resourceOwner string, projectRoles []*AddProjectRole) (details *domain.ObjectDetails, err error) {
func (c *Commands) BulkAddProjectRole(ctx context.Context, projectID, resourceOwner string, projectRoles []*AddProjectRole) (details *domain.ObjectDetails, err error) {
@@ -74,7 +74,7 @@ func (c *Commands) BulkAddProjectRole(ctx context.Context, projectID, resourceOw
if projectRole.ResourceOwner == "" {
if projectRole.ResourceOwner == "" {
projectRole.ResourceOwner = projectResourceOwner
projectRole.ResourceOwner = projectResourceOwner
}
}
if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.Key); err != nil {
if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectID); err != nil {
return nil, err
return nil, err
}
}
if projectRole.ResourceOwner != projectResourceOwner {
if projectRole.ResourceOwner != projectResourceOwner {
@@ -135,7 +135,7 @@ func (c *Commands) ChangeProjectRole(ctx context.Context, projectRole *ChangePro
if projectRole.ResourceOwner == "" {
if projectRole.ResourceOwner == "" {
projectRole.ResourceOwner = projectResourceOwner
projectRole.ResourceOwner = projectResourceOwner
}
}
if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.Key); err != nil {
if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.AggregateID); err != nil {
return nil, err
return nil, err
}
}
@@ -175,7 +175,7 @@ func (c *Commands) RemoveProjectRole(ctx context.Context, projectID, key, resour
if !existingRole.State.Exists() {
if !existingRole.State.Exists() {
return writeModelToObjectDetails(&existingRole.WriteModel), nil
return writeModelToObjectDetails(&existingRole.WriteModel), nil
}
}
if err := c.checkPermissionDeleteProjectRole(ctx, existingRole.ResourceOwner, existingRole.Key); err != nil {
if err := c.checkPermissionDeleteProjectRole(ctx, existingRole.ResourceOwner, projectID); err != nil {
return nil, err
return nil, err
}
}
projectAgg := ProjectAggregateFromWriteModelWithCTX(ctx, &existingRole.WriteModel)
projectAgg := ProjectAggregateFromWriteModelWithCTX(ctx, &existingRole.WriteModel)
@@ -204,8 +204,8 @@ func (c *Commands) RemoveProjectRole(ctx context.Context, projectID, key, resour
return c.pushAppendAndReduceDetails(ctx, existingRole, events...)
return c.pushAppendAndReduceDetails(ctx, existingRole, events...)
}
}
func (c *Commands) checkPermissionDeleteProjectRole(ctx context.Context, resourceOwner, roleKey string) error {
func (c *Commands) checkPermissionDeleteProjectRole(ctx context.Context, orgID, projectID string) error {
return c.checkPermission(ctx, domain.PermissionProjectRoleDelete, resourceOwner, roleKey)
return c.checkPermission(ctx, domain.PermissionProjectRoleDelete, orgID, projectID)
}
}
func (c *Commands) getProjectRoleWriteModelByID(ctx context.Context, key, projectID, resourceOwner string) (*ProjectRoleWriteModel, error) {
func (c *Commands) getProjectRoleWriteModelByID(ctx context.Context, key, projectID, resourceOwner string) (*ProjectRoleWriteModel, error) {
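Review bot: The permission check in AddProjectRole and ChangeProjectRole is still scoped by `projectRole.ResourceOwner`, a caller-supplied value that is only replaced by the resolved `projectResourceOwner` when it is empty, so the organisation the check runs against can be chosen by the caller while `projectRole.AggregateID` names the project; BulkAddProjectRole shows the mismatch being rejected only after the check (`if projectRole.ResourceOwner != projectResourceOwner`), and whether AddProjectRole and ChangeProjectRole carry the same guard is outside these hunks. The safer form scopes the check to the owner resolved from the project itself, `if err := c.checkPermissionWriteProjectRole(ctx, projectResourceOwner, projectRole.AggregateID); err != nil {`, with the resource-owner mismatch rejected before any permission lookup is made. BulkAddProjectRole also passes its `projectID` parameter where the other two pass `projectRole.AggregateID`; if a bulk entry can carry its own AggregateID, the two should be required to agree before the check runs. The renamed helpers would benefit from a doc comment fixing the new contract, e.g. `// checkPermissionWriteProjectRole checks PermissionProjectRoleWrite for the project identified by projectID within organisation orgID; the role key is not part of the permission scope.` with the analogous comment on checkPermissionDeleteProjectRole.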