auth: Add more tests for entity enrichment with entitlements #14973
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
from
adf22a4 to
62c1c61
Compare
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
3 times, most recently
from
351ce70 to
42954b9
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
3 times, most recently
from
57bb795 to
25c7335
Compare
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
2 times, most recently
from
8026848 to
dfc1e69
Compare
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
from
dfc1e69 to
ed4ab9e
Compare
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
7 times, most recently
from
12eaf11 to
077ebe8
Compare
github-actions
bot
added
Documentation
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
5 times, most recently
from
3a2a3f1 to
0c270f7
Compare
tomponline
reviewed
Feb 18, 2025
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
from
f3f4a03 to
812d005
Compare
…uld not be enriched with entitlements Signed-off-by: Gabriel Mougard <[email protected]>
…p>, volume<snapshot|backup> entities Signed-off-by: Gabriel Mougard <[email protected]>
…lice of pointers Signed-off-by: Gabriel Mougard <[email protected]>
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
from
812d005 to
af7d62a
Compare
markylaing
reviewed
Feb 20, 2025
test/suites/auth.sh
Outdated
| echo "Second check failed (or pool not found)!" >&2 | ||
| false | ||
| fi | ||
|
|
There was a problem hiding this comment.
Storage pools aren't project specific. This should work without the project=default key value pair when adding the permissions, and without the project query parameter.
Also, why did you list all storage pools, rather than just querying for the one that permissions have been granted against?
There was a problem hiding this comment.
Ok, removing this query param. As for the tests, I need to test both endpoints to see if entitlements are attached in both cases: the storage-pools/{name} one and the storage-pools/
markylaing
reviewed
Feb 20, 2025
markylaing
reviewed
Feb 20, 2025
markylaing
reviewed
Feb 20, 2025
markylaing
requested changes
Feb 20, 2025
There was a problem hiding this comment.
I like the pattern you've created in the tests by listing all and using jq to make assertions. For me it's quite clear what's going on, but more comments on the test wouldn't hurt.
Additionally, the with-access-entitlements tests are getting quite long. Could you please move them into another bash function and call that?
|
@markylaing thanks for the review! |
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
from
af7d62a to
000f97a
Compare
…ceOnly.` Signed-off-by: Gabriel Mougard <[email protected]>
Signed-off-by: Gabriel Mougard <[email protected]>
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
from
000f97a to
7fa1d7e
Compare
markylaing
requested changes
Feb 24, 2025
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
from
4f90416 to
e851b13
Compare
Signed-off-by: Gabriel Mougard <[email protected]>
gabrielmougard
force-pushed
the
fix/continue-entitlement-tests
branch
from
e851b13 to
b0a63b9
Compare
|
@markylaing @gabrielmougard is this ready for final review now? |
|
yes (I addressed @markylaing latest comment regarding moving the tests in their own function) |
markylaing
reviewed
Feb 24, 2025
| lxc auth group permission add test-group server admin | ||
| lxc auth group permission add test-group server viewer | ||
| lxc auth group permission add test-group server project_manager | ||
| [ "$(lxc_remote query "oidc:/1.0?with-access-entitlements=admin,viewer,project_manager" | jq -r '.access_entitlements | sort | @csv')" = '"admin","project_manager","viewer"' ] | ||
| } |
There was a problem hiding this comment.
Missing newline at the end of the file.
markylaing
reviewed
Feb 24, 2025
Comment on lines
290
to
+292
| lxc auth identity group add oidc/[email protected] test-group | ||
| # Create a new test project, add some entitlements on it and check that these are reflected in the 'access_entitlements' field returned from the API. | ||
| lxc project create test-project | ||
| lxc auth group permission add test-group project test-project can_view | ||
| lxc auth group permission add test-group project test-project can_edit | ||
| lxc auth group permission add test-group project test-project can_delete | ||
|
|
||
| # Check the created project entitlements given a list of candidate entitlements (some are wrong: `can_create_instances` and `can_create_networks`. These should not be returned). | ||
| [ "$(lxc_remote query "oidc:/1.0/projects/test-project?recursion=1&with-access-entitlements=can_view,can_edit,can_delete,can_create_instances,can_create_networks" | jq -r '.access_entitlements | sort | @csv')" = '"can_delete","can_edit","can_view"' ] | ||
| lxc project delete test-project | ||
|
|
||
| # Repeat the same test for other entity types. | ||
| # Instance | ||
| ensure_import_testimage | ||
| lxc init testimage test-foo | ||
| lxc auth group permission add test-group instance test-foo can_view project=default | ||
| lxc auth group permission add test-group instance test-foo can_edit project=default | ||
| lxc auth group permission add test-group instance test-foo can_delete project=default | ||
| [ "$(lxc_remote query "oidc:/1.0/instances/test-foo?project=default&recursion=1&with-access-entitlements=can_view,can_edit,can_delete,can_exec" | jq -r '.access_entitlements | sort | @csv')" = '"can_delete","can_edit","can_view"' ] | ||
| lxc delete test-foo -f | ||
|
|
||
| # Storage volume | ||
| # Storage volume entitlements test | ||
| pool_name="$(lxc storage list -f csv | cut -d, -f1)" | ||
| lxc storage volume create "${pool_name}" test-volume | ||
| lxc auth group permission add test-group storage_volume test-volume can_view project=default pool="${pool_name}" type=custom | ||
| lxc auth group permission add test-group storage_volume test-volume can_edit project=default pool="${pool_name}" type=custom | ||
| lxc auth group permission add test-group storage_volume test-volume can_delete project=default pool="${pool_name}" type=custom | ||
| [ "$(lxc_remote query "oidc:/1.0/storage-pools/${pool_name}/volumes/custom/test-volume?project=default&recursion=1&with-access-entitlements=can_view,can_edit,can_delete,can_manage_backups,can_manage_snapshots" | jq -r '.access_entitlements | sort | @csv')" = '"can_delete","can_edit","can_view"' ] | ||
| lxc storage volume delete "${pool_name}" test-volume | ||
| entities_enrichment_with_entitlements |
There was a problem hiding this comment.
You can move this to just below line 220 and then you won't need to re-add the OIDC user to the test group on line 290.
markylaing
approved these changes
Feb 24, 2025
tomponline
added a commit
that referenced
this pull request
Feb 26, 2025
Permissions for auth groups and certificates were not being deleted properly by the triggers. This caused dangling permissions to be logged when new tests were added by @gabrielmougard in #14973. More details on the trigger changes can be found in the commit messages. I've also added a regex to `deps/panic-checker` to check for this log line and fail any future tests if it is found again. I've run the tests with this addition to the test suite before and after adding the fix to ensure it works and catches the log message. Note that these dangling permissions are *not* a security issue because they reference entities by their ID. If they are dangling, it means they are no longer referencing anything and therefore not granting access. They also can never reference another new entity, since all of our database IDs are set to auto-increment.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds tests for the enrichment of the remaining LXD entities that are eligible. This also remove support for entitlement enrichment for instance<snapshot|backup> and volume<snapshot|backup>. These are managed by the parent instance/volume
can_mange_<snapshots|backups>