fix: correct permissions for projects on v2 api (#9973)

# Which Problems Are Solved Permission checks in project v2beta API did not cover projects and granted projects correctly. # How the Problems Are Solved Add permission checks v1 correctly to the list queries, add correct permission checks v2 for projects. # Additional Changes Correct Pre-Checks for project grants that the right resource owner is used. # Additional Context Permission checks v2 for project grants is still outstanding under #9972.
2025-08-12 10:49:25 +00:00 · 2025-06-04 13:46:10 +02:00
parent 6aeaa89c25
commit 85e3b7449c
15 changed files with 950 additions and 102 deletions
--- a/internal/api/grpc/project/v2beta/integration/project_grant_test.go
+++ b/internal/api/grpc/project/v2beta/integration/project_grant_test.go
@@ -169,6 +169,12 @@ func TestServer_CreateProjectGrant_Permission(t *testing.T) {
 	iamOwnerCtx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
 	orgResp := instance.CreateOrganization(iamOwnerCtx, gofakeit.AppName(), gofakeit.Email())

+	userResp := instance.CreateMachineUser(iamOwnerCtx)
+	patResp := instance.CreatePersonalAccessToken(iamOwnerCtx, userResp.GetUserId())
+	projectResp := createProject(iamOwnerCtx, instance, t, instance.DefaultOrg.GetId(), false, false)
+	instance.CreateProjectMembership(t, iamOwnerCtx, projectResp.GetId(), userResp.GetUserId())
+	projectOwnerCtx := integration.WithAuthorizationToken(CTX, patResp.Token)
+
 	type want struct {
 		creationDate bool
 	}
@@ -206,6 +212,33 @@ func TestServer_CreateProjectGrant_Permission(t *testing.T) {
 			req:     &project.CreateProjectGrantRequest{},
 			wantErr: true,
 		},
+		{
+			name: "project owner, other project",
+			ctx:  projectOwnerCtx,
+			prepare: func(request *project.CreateProjectGrantRequest) {
+				projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
+				grantedOrgResp := instance.CreateOrganization(iamOwnerCtx, gofakeit.AppName(), gofakeit.Email())
+
+				request.ProjectId = projectResp.GetId()
+				request.GrantedOrganizationId = grantedOrgResp.GetOrganizationId()
+			},
+			req:     &project.CreateProjectGrantRequest{},
+			wantErr: true,
+		},
+		{
+			name: "project owner, ok",
+			ctx:  projectOwnerCtx,
+			prepare: func(request *project.CreateProjectGrantRequest) {
+				request.ProjectId = projectResp.GetId()
+
+				grantedOrg := instance.CreateOrganization(iamOwnerCtx, gofakeit.AppName(), gofakeit.Email())
+				request.GrantedOrganizationId = grantedOrg.GetOrganizationId()
+			},
+			req: &project.CreateProjectGrantRequest{},
+			want: want{
+				creationDate: true,
+			},
+		},
 		{
 			name: "organization owner, other org",
 			ctx:  instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),
@@ -405,6 +438,13 @@ func TestServer_UpdateProjectGrant_Permission(t *testing.T) {
 	iamOwnerCtx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
 	orgResp := instance.CreateOrganization(iamOwnerCtx, gofakeit.AppName(), gofakeit.Email())

+	userResp := instance.CreateMachineUser(iamOwnerCtx)
+	patResp := instance.CreatePersonalAccessToken(iamOwnerCtx, userResp.GetUserId())
+	projectID := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), gofakeit.AppName(), false, false).GetId()
+	instance.CreateProjectGrant(iamOwnerCtx, t, projectID, orgResp.GetOrganizationId())
+	instance.CreateProjectGrantMembership(t, iamOwnerCtx, projectID, orgResp.GetOrganizationId(), userResp.GetUserId())
+	projectGrantOwnerCtx := integration.WithAuthorizationToken(CTX, patResp.Token)
+
 	type args struct {
 		ctx context.Context
 		req *project.UpdateProjectGrantRequest
@@ -458,6 +498,25 @@ func TestServer_UpdateProjectGrant_Permission(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "project grant owner, no permission",
+			prepare: func(request *project.UpdateProjectGrantRequest) {
+				roles := []string{gofakeit.Animal(), gofakeit.Animal(), gofakeit.Animal()}
+				request.ProjectId = projectID
+				request.GrantedOrganizationId = orgResp.GetOrganizationId()
+
+				for _, role := range roles {
+					instance.AddProjectRole(iamOwnerCtx, t, projectID, role, role, "")
+				}
+
+				request.RoleKeys = roles
+			},
+			args: args{
+				ctx: projectGrantOwnerCtx,
+				req: &project.UpdateProjectGrantRequest{},
+			},
+			wantErr: true,
+		},
 		{
 			name: "organization owner, other org",
 			prepare: func(request *project.UpdateProjectGrantRequest) {
@@ -598,7 +657,7 @@ func TestServer_DeleteProjectGrant(t *testing.T) {
 				ProjectId:             "notexisting",
 				GrantedOrganizationId: "notexisting",
 			},
-			wantErr: true,
+			wantDeletionDate: false,
 		},
 		{
 			name: "delete",
@@ -650,8 +709,8 @@ func TestServer_DeleteProjectGrant(t *testing.T) {
 				instance.DeleteProjectGrant(iamOwnerCtx, t, projectResp.GetId(), grantedOrg.GetOrganizationId())
 				return creationDate, time.Now().UTC()
 			},
-			req:     &project.DeleteProjectGrantRequest{},
-			wantErr: true,
+			req:              &project.DeleteProjectGrantRequest{},
+			wantDeletionDate: true,
 		},
 	}
 	for _, tt := range tests {