Add options to create default and admin roles

Makefile

@@ -161,6 +161,12 @@ protobuild:
 	@protoc-go-inject-tag -input=./internal/oplog/oplog_test/oplog_test.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/group_member.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/role.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_global_individual_org_grant_scope.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_global_individual_project_grant_scope.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_org_individual_grant_scope.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_global.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_org.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_project.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/principal_role.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/role_grant.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/role_grant_scope.pb.go

globals/globals.go

@@ -18,6 +18,7 @@ const (
 	GrantScopeThis        = "this"
 	GrantScopeChildren    = "children"
 	GrantScopeDescendants = "descendants"
+	GrantScopeIndividual  = "individual"
 
 	// CorrelationIdKey defines the http header and grpc metadata key used for specifying a
 	// correlation id. When getting the correlationId (from the http header or grpc metadata)

go.mod

@@ -66,6 +66,7 @@ require (
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/kr/pretty v0.3.1
 	github.com/kr/text v0.2.0
+	github.com/lib/pq v1.10.9
 	github.com/mattn/go-colorable v0.1.14
 	github.com/miekg/dns v1.1.66
 	github.com/mikesmitty/edkey v0.0.0-20170222072505-3356ea4e686a
@@ -172,7 +173,6 @@ require (
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
-	github.com/lib/pq v1.10.9 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v1.14.22 // indirect
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect

internal/api/genapi/input.go

@@ -228,6 +228,18 @@ var inputStructs = []*structInfo{
 				FieldType: "bool",
 				Query:     true,
 			},
+			{
+				Name:      "CreateAdminRole",
+				ProtoName: "create_admin_role",
+				FieldType: "bool",
+				Query:     true,
+			},
+			{
+				Name:      "CreateDefaultRole",
+				ProtoName: "create_default_role",
+				FieldType: "bool",
+				Query:     true,
+			},
 		},
 		versionEnabled:      true,
 		createResponseTypes: []string{CreateResponseType, ReadResponseType, UpdateResponseType, DeleteResponseType, ListResponseType},

internal/auth/additional_verification_test.go

@@ -29,7 +29,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestFetchActionSetForId(t *testing.T) {
+func TestFetchActionSetForId_orgRole(t *testing.T) {
 	tc := controller.NewTestController(t, nil)
 	defer tc.Shutdown()
 
@@ -73,7 +73,116 @@ func TestFetchActionSetForId(t *testing.T) {
 	iam.TestUserRole(t, conn, orgRole.PublicId, token.UserId)
 	iam.TestRoleGrant(t, conn, orgRole.PublicId, "ids=ttcp_foo;actions=read,update")
 	iam.TestRoleGrant(t, conn, orgRole.PublicId, "ids=ttcp_bar;actions=read,update,delete,authorize-session")
-	iam.TestRoleGrant(t, conn, orgRole.PublicId, "ids=*;type=role;actions=add-grants,remove-grants")
+	iam.TestRoleGrant(t, conn, orgRole.PublicId, "ids=*;type=policy;actions=add-grants,remove-grants")
+
+	cases := []struct {
+		name         string
+		id           string
+		avail        action.ActionSet
+		allowed      action.ActionSet
+		typeOverride resource.Type
+	}{
+		{
+			name: "base",
+		},
+		{
+			name:  "no match",
+			id:    "zip",
+			avail: action.NewActionSet(action.Read, action.Update),
+		},
+		{
+			name:    "disjoint match",
+			id:      "ttcp_bar",
+			avail:   action.NewActionSet(action.Delete, action.AddGrants, action.Read, action.RemoveHostSets),
+			allowed: action.NewActionSet(action.Delete, action.Read),
+		},
+		{
+			name:         "different type",
+			id:           "anything",
+			typeOverride: resource.Scope,
+		},
+		{
+			name:         "type match",
+			id:           "anything",
+			typeOverride: resource.Policy,
+			avail:        action.NewActionSet(action.Read, action.AddGrants),
+			allowed:      action.NewActionSet(action.AddGrants),
+		},
+	}
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			req := require.New(t)
+			ctx := auth.NewVerifierContext(
+				context.Background(),
+				iamRepoFn,
+				authTokenRepoFn,
+				serversRepoFn,
+				tc.Kms(),
+				&authpb.RequestInfo{
+					PublicId:       token.Id,
+					EncryptedToken: strings.Split(token.Token, "_")[2],
+					TokenFormat:    uint32(auth.AuthTokenTypeBearer),
+				})
+			typ := resource.Role
+			if tt.typeOverride != resource.Unknown {
+				typ = tt.typeOverride
+			}
+			res := auth.Verify(ctx, typ, []auth.Option{
+				auth.WithId("ttcp_foo"),
+				auth.WithAction(action.Read),
+				auth.WithScopeId(org.PublicId),
+			}...)
+			req.NoError(res.Error)
+			assert.Equal(t, tt.allowed, res.FetchActionSetForId(ctx, tt.id, tt.avail))
+		})
+	}
+}
+
+func TestFetchActionSetForId_projRole(t *testing.T) {
+	tc := controller.NewTestController(t, nil)
+	defer tc.Shutdown()
+
+	conn := tc.DbConn()
+	client := tc.Client()
+	token := tc.Token()
+	client.SetToken(token.Token)
+	_, proj := iam.TestScopes(t, tc.IamRepo(), iam.WithUserId(token.UserId), iam.WithSkipAdminRoleCreation(true), iam.WithSkipDefaultRoleCreation(true))
+
+	iamRepoFn := func() (*iam.Repository, error) {
+		return tc.IamRepo(), nil
+	}
+	serversRepoFn := func() (*server.Repository, error) {
+		return tc.ServersRepo(), nil
+	}
+	authTokenRepoFn := func() (*authtoken.Repository, error) {
+		return tc.AuthTokenRepo(), nil
+	}
+
+	// Delete the global default role so it doesn't interfere with the
+	// permissions we're testing here
+	rolesClient := roles.NewClient(tc.Client())
+	rolesResp, err := rolesClient.List(tc.Context(), scope.Global.String())
+	require.NoError(t, err)
+	require.NotNil(t, rolesResp)
+	assert.Len(t, rolesResp.GetItems(), 3)
+	var adminRoleId string
+	for _, item := range rolesResp.GetItems() {
+		if strings.Contains(item.Name, "Authenticated User") ||
+			strings.Contains(item.Name, "Login") {
+			_, err := rolesClient.Delete(tc.Context(), item.Id)
+			require.NoError(t, err)
+		} else {
+			adminRoleId = item.Id
+		}
+	}
+	_, err = rolesClient.Delete(tc.Context(), adminRoleId)
+	require.NoError(t, err)
+
+	projRole := iam.TestRole(t, conn, proj.GetPublicId())
+	iam.TestUserRole(t, conn, projRole.PublicId, token.UserId)
+	iam.TestRoleGrant(t, conn, projRole.PublicId, "ids=ttcp_foo;actions=read,update")
+	iam.TestRoleGrant(t, conn, projRole.PublicId, "ids=ttcp_bar;actions=read,update,delete,authorize-session")
+	iam.TestRoleGrant(t, conn, projRole.PublicId, "ids=*;type=role;actions=add-grants,remove-grants")
 
 	cases := []struct {
 		name         string
@@ -127,11 +236,10 @@ func TestFetchActionSetForId(t *testing.T) {
 			if tt.typeOverride != resource.Unknown {
 				typ = tt.typeOverride
 			}
-			res := auth.Verify(ctx, []auth.Option{
+			res := auth.Verify(ctx, typ, []auth.Option{
 				auth.WithId("ttcp_foo"),
 				auth.WithAction(action.Read),
-				auth.WithScopeId(org.PublicId),
-				auth.WithType(typ),
+				auth.WithScopeId(proj.PublicId),
 			}...)
 			req.NoError(res.Error)
 			assert.Equal(t, tt.allowed, res.FetchActionSetForId(ctx, tt.id, tt.avail))

internal/auth/db_test.go

@@ -1,7 +1,7 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-package auth
+package auth_test
 
 import (
 	"context"

internal/auth/ldap/managed_group_role_grants_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/boundary/internal/db"
 	"github.com/hashicorp/boundary/internal/iam"
 	"github.com/hashicorp/boundary/internal/kms"
+	"github.com/hashicorp/boundary/internal/types/resource"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -73,7 +74,8 @@ func TestLdapManagedGroupRoleGrants(t *testing.T) {
 
 	// okay, let's try the CTE and make sure the user has the grants given via
 	// the ldap managed group
-	tuples, err := iamRepo.GrantsForUser(testCtx, testUser.PublicId)
+	// resource type does not matter here since testGrants has type=*
+	tuples, err := iamRepo.GrantsForUser(testCtx, testUser.PublicId, []resource.Type{resource.Scope}, testScopeId)
 	require.NoError(t, err)
 	// De-dupe role IDs
 	roleIds := make(map[string]bool, len(tuples))
@@ -86,7 +88,7 @@ func TestLdapManagedGroupRoleGrants(t *testing.T) {
 
 	// make sure a user without the appropriate managed group doesn't have grants
 	testUserWithoutManagedGroupRole := iam.TestUser(t, iamRepo, testScopeId)
-	tuples, err = iamRepo.GrantsForUser(testCtx, testUserWithoutManagedGroupRole.PublicId)
+	tuples, err = iamRepo.GrantsForUser(testCtx, testUserWithoutManagedGroupRole.PublicId, []resource.Type{resource.Scope}, testScopeId)
 	require.NoError(t, err)
 	assert.Equal(t, 0, len(tuples))
 
@@ -111,7 +113,7 @@ func TestLdapManagedGroupRoleGrants(t *testing.T) {
 	_ = iam.TestRoleGrant(t, testConn, testRole2.GetPublicId(), testGrant)
 	iam.TestManagedGroupRole(t, testConn, testRole2.GetPublicId(), testOidcManagedGrp.GetPublicId())
 
-	tuples, err = iamRepo.GrantsForUser(testCtx, testUser.GetPublicId())
+	tuples, err = iamRepo.GrantsForUser(testCtx, testUser.GetPublicId(), []resource.Type{resource.SessionRecording}, testScopeId)
 	require.NoError(t, err)
 	assert.Equal(t, 2, len(tuples))
 	t.Log("tuples:", tuples)

internal/auth/ldap/testing.go

@@ -12,16 +12,20 @@ import (
 	"crypto/x509/pkix"
 	"encoding/json"
 	"encoding/pem"
+	"fmt"
 	"math/big"
 	"net"
 	"net/url"
 	"sort"
 	"testing"
 	"time"
 
+	"github.com/hashicorp/boundary/internal/auth"
 	"github.com/hashicorp/boundary/internal/db"
+	"github.com/hashicorp/boundary/internal/kms"
 	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
+	"github.com/hashicorp/go-uuid"
 	"github.com/stretchr/testify/require"
 )
 
@@ -176,6 +180,21 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, loginName string, op
 	return a
 }
 
+// TestAuthMethodWithAccountInManagedGroup creates an authMethod, and an account within that authmethod, an
+// LDAP managed group, and add the newly created account as a member of the LDAP managed group.
+func TestAuthMethodWithAccountInManagedGroup(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeId string) (auth.AuthMethod, auth.Account, auth.ManagedGroup) {
+	t.Helper()
+	uuid, err := uuid.GenerateUUID()
+	require.NoError(t, err)
+	ctx := context.Background()
+	databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeId, kms.KeyPurposeDatabase)
+	require.NoError(t, err)
+	am := TestAuthMethod(t, conn, databaseWrapper, scopeId, []string{fmt.Sprintf("ldap://%s", uuid)})
+	managedGroup := TestManagedGroup(t, conn, am, []string{uuid})
+	acct := TestAccount(t, conn, am, "testacct", WithMemberOfGroups(ctx, uuid))
+	return am, acct, managedGroup
+}
+
 // TestManagedGroup creates a test ldap managed group.
 func TestManagedGroup(t testing.TB, conn *db.DB, am *AuthMethod, grpNames []string, opt ...Option) *ManagedGroup {
 	t.Helper()

internal/auth/oidc/testing.go

@@ -24,6 +24,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/boundary/internal/auth"
 	"github.com/hashicorp/boundary/internal/auth/oidc/request"
 	"github.com/hashicorp/boundary/internal/authtoken"
 	"github.com/hashicorp/boundary/internal/db"
@@ -32,6 +33,7 @@ import (
 	"github.com/hashicorp/boundary/internal/kms"
 	"github.com/hashicorp/cap/oidc"
 	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+	"github.com/hashicorp/go-uuid"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/timestamppb"
 )
@@ -192,6 +194,25 @@ func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, subject string, opt
 	return a
 }
 
+// TestAuthMethodWithAccountInManagedGroup creates an authMethod, and an account within that authmethod, an
+// OIDC managed group, and add the newly created account as a member of the OIDC managed group.
+func TestAuthMethodWithAccountInManagedGroup(t *testing.T, conn *db.DB, kmsCache *kms.Kms, scopeId string) (auth.AuthMethod, auth.Account, auth.ManagedGroup) {
+	t.Helper()
+	uuid, err := uuid.GenerateUUID()
+	require.NoError(t, err)
+	databaseWrapper, err := kmsCache.GetWrapper(context.Background(), scopeId, kms.KeyPurposeDatabase)
+	require.NoError(t, err)
+	testAuthMethod := TestAuthMethod(t, conn, databaseWrapper, scopeId, ActivePublicState,
+		"alice-rp", "fido",
+		WithIssuer(TestConvertToUrls(t, fmt.Sprintf("https://%s.com", uuid))[0]),
+		WithSigningAlgs(Alg(oidc.RS256)),
+		WithApiUrl(TestConvertToUrls(t, fmt.Sprintf("https://%s.com/callback", uuid))[0]))
+	account := TestAccount(t, conn, testAuthMethod, "testacct")
+	managedGroup := TestManagedGroup(t, conn, testAuthMethod, `"/token/sub" matches ".*"`)
+	TestManagedGroupMember(t, conn, managedGroup.PublicId, account.PublicId)
+	return testAuthMethod, account, managedGroup
+}
+
 // TestManagedGroup creates a test oidc managed group.
 func TestManagedGroup(t testing.TB, conn *db.DB, am *AuthMethod, filter string, opt ...Option) *ManagedGroup {
 	t.Helper()
@@ -211,13 +232,13 @@ func TestManagedGroup(t testing.TB, conn *db.DB, am *AuthMethod, filter string,
 }
 
 // TestManagedGroupMember adds given account IDs to a managed group
-func TestManagedGroupMember(t testing.TB, conn *db.DB, managedGroupId, memberId string, opt ...Option) *ManagedGroupMemberAccount {
+func TestManagedGroupMember(t testing.TB, conn *db.DB, managedGroupId, accountId string, opt ...Option) *ManagedGroupMemberAccount {
 	t.Helper()
 	require := require.New(t)
 	rw := db.New(conn)
 	ctx := context.Background()
 
-	mg, err := NewManagedGroupMemberAccount(ctx, managedGroupId, memberId, opt...)
+	mg, err := NewManagedGroupMemberAccount(ctx, managedGroupId, accountId, opt...)
 	require.NoError(err)
 
 	require.NoError(rw.Create(ctx, mg))