

Fix broken auth Access Request creation tests (#49481)
This was exposed while working on the Access Request "reason required" PR:
#49124
kopiczko authored Nov 27, 2024
1 parent 0586dbd commit dcd48d1
Showing 1 changed file with 41 additions and 13 deletions.
54 changes: 41 additions & 13 deletions lib/auth/auth_with_roles_test.go
Expand Up @@ -8052,7 +8052,7 @@ func TestCreateAccessRequest(t *testing.T) {
clock := srv.Clock()
alice, bob, admin := createSessionTestUsers(t, srv.Auth())

searchRole, err := types.NewRole("requestRole", types.RoleSpecV6{
searchRole, err := types.NewRole("searchRole", types.RoleSpecV6{
Allow: types.RoleConditions{
Request: &types.AccessRequestConditions{
Roles: []string{"requestRole"},
Expand All @@ -8062,11 +8062,32 @@ func TestCreateAccessRequest(t *testing.T) {
})
require.NoError(t, err)

requestRole, err := types.NewRole("requestRole", types.RoleSpecV6{})
requestRole, err := types.NewRole("requestRole", types.RoleSpecV6{
Allow: types.RoleConditions{
GroupLabels: types.Labels{
types.Wildcard: []string{types.Wildcard},
},
NodeLabels: types.Labels{
types.Wildcard: []string{types.Wildcard},
},
},
})
require.NoError(t, err)

srv.Auth().CreateRole(ctx, searchRole)
srv.Auth().CreateRole(ctx, requestRole)
nodeAllowedByRequestRole, err := types.NewServerWithLabels(
"test-node",
types.KindNode,
types.ServerSpecV2{},
map[string]string{"any-key": "any-val"},
)
require.NoError(t, err)

_, err = srv.Auth().UpsertNode(ctx, nodeAllowedByRequestRole)
require.NoError(t, err)
_, err = srv.Auth().CreateRole(ctx, requestRole)
require.NoError(t, err)
_, err = srv.Auth().CreateRole(ctx, searchRole)
require.NoError(t, err)

user, err := srv.Auth().GetUser(ctx, alice, true)
require.NoError(t, err)
Expand Down Expand Up @@ -8109,33 +8130,36 @@ func TestCreateAccessRequest(t *testing.T) {
user: alice,
accessRequest: mustAccessRequest(t, alice, types.RequestState_PENDING, clock.Now(), clock.Now().Add(time.Hour),
[]string{requestRole.GetName()}, []types.ResourceID{
mustResourceID(srv.ClusterName(), types.KindRole, requestRole.GetName()),
mustResourceID(srv.ClusterName(), nodeAllowedByRequestRole.GetKind(), nodeAllowedByRequestRole.GetName()),
}),
errAssertionFunc: require.NoError,
expected: mustAccessRequest(t, alice, types.RequestState_PENDING, clock.Now(), clock.Now().Add(time.Hour),
[]string{requestRole.GetName()}, []types.ResourceID{
mustResourceID(srv.ClusterName(), types.KindRole, requestRole.GetName()),
mustResourceID(srv.ClusterName(), nodeAllowedByRequestRole.GetKind(), nodeAllowedByRequestRole.GetName()),
}),
},
{
name: "admin creates a request for alice",
user: admin,
accessRequest: mustAccessRequest(t, alice, types.RequestState_PENDING, clock.Now(), clock.Now().Add(time.Hour),
[]string{requestRole.GetName()}, []types.ResourceID{
mustResourceID(srv.ClusterName(), types.KindRole, requestRole.GetName()),
mustResourceID(srv.ClusterName(), types.KindUserGroup, userGroup1.GetName()),
}),
errAssertionFunc: require.NoError,
expected: mustAccessRequest(t, alice, types.RequestState_PENDING, clock.Now(), clock.Now().Add(time.Hour),
[]string{requestRole.GetName()}, []types.ResourceID{
mustResourceID(srv.ClusterName(), types.KindRole, requestRole.GetName()),
mustResourceID(srv.ClusterName(), types.KindUserGroup, userGroup1.GetName()),
mustResourceID(srv.ClusterName(), types.KindApp, userGroup1.GetApplications()[0]),
mustResourceID(srv.ClusterName(), types.KindApp, userGroup1.GetApplications()[1]),
mustResourceID(srv.ClusterName(), types.KindApp, userGroup1.GetApplications()[2]),
}),
},
{
name: "bob fails to create a request for alice",
user: bob,
accessRequest: mustAccessRequest(t, alice, types.RequestState_PENDING, clock.Now(), clock.Now().Add(time.Hour),
[]string{requestRole.GetName()}, []types.ResourceID{
mustResourceID(srv.ClusterName(), types.KindRole, requestRole.GetName()),
mustResourceID(srv.ClusterName(), types.KindUserGroup, userGroup1.GetName()),
}),
errAssertionFunc: require.Error,
},
Expand All @@ -8144,7 +8168,7 @@ func TestCreateAccessRequest(t *testing.T) {
user: alice,
accessRequest: mustAccessRequest(t, alice, types.RequestState_PENDING, clock.Now(), clock.Now().Add(time.Hour),
[]string{requestRole.GetName()}, []types.ResourceID{
mustResourceID(srv.ClusterName(), types.KindRole, requestRole.GetName()),
mustResourceID(srv.ClusterName(), nodeAllowedByRequestRole.GetKind(), nodeAllowedByRequestRole.GetName()),
mustResourceID(srv.ClusterName(), types.KindUserGroup, userGroup1.GetName()),
mustResourceID(srv.ClusterName(), types.KindApp, "app1"),
mustResourceID(srv.ClusterName(), types.KindUserGroup, userGroup2.GetName()),
Expand All @@ -8153,7 +8177,7 @@ func TestCreateAccessRequest(t *testing.T) {
errAssertionFunc: require.NoError,
expected: mustAccessRequest(t, alice, types.RequestState_PENDING, clock.Now(), clock.Now().Add(time.Hour),
[]string{requestRole.GetName()}, []types.ResourceID{
mustResourceID(srv.ClusterName(), types.KindRole, requestRole.GetName()),
mustResourceID(srv.ClusterName(), nodeAllowedByRequestRole.GetKind(), nodeAllowedByRequestRole.GetName()),
mustResourceID(srv.ClusterName(), types.KindUserGroup, userGroup1.GetName()),
mustResourceID(srv.ClusterName(), types.KindApp, "app1"),
mustResourceID(srv.ClusterName(), types.KindUserGroup, userGroup2.GetName()),
Expand Down Expand Up @@ -8388,9 +8412,13 @@ func TestAccessRequestNonGreedyAnnotations(t *testing.T) {
require.NoError(t, err)
paymentsServer.SetStaticLabels(map[string]string{"service": "payments"})

idServer, err := types.NewServer("server-identity", types.KindNode, types.ServerSpecV2{})
idServer, err := types.NewServerWithLabels(
"server-identity",
types.KindNode,
types.ServerSpecV2{},
map[string]string{"service": "identity"},
)
require.NoError(t, err)
idServer.SetStaticLabels(map[string]string{"service": "payments"})

ctx := context.Background()
srv := newTestTLSServer(t)
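Review bot: In the second hunk (@@ -8062,11 +8062,32 @@), requestRole is given wildcard NodeLabels and GroupLabels and every node-resource entry in the table expects success, so the test no longer exercises the rejection of a resource the requested role cannot reach; if no such entry exists elsewhere in TestCreateAccessRequest (the function starts and ends outside these hunks), a case requesting a node whose labels requestRole does not match, with `errAssertionFunc: require.Error`, would cover that path. The reason for the wildcard labels is also left unstated, and the `{"any-key": "any-val"}` labels on nodeAllowedByRequestRole only matter because of that wildcard. A comment above the role such as `// requestRole must be able to reach the node and user-group resources requested in the table below (wildcard labels); see the "alice creates a request" cases.` would make the setup self-explaining; whether an unreachable resource is rejected by CreateAccessRequest is inferred from the test's shape, not visible in the hunk.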
