test: Check that we can retrieve entities with their correct 'access_…

…entitlements' fields

Signed-off-by: Gabriel Mougard <[email protected]>

test/suites/auth.sh

@@ -169,7 +169,6 @@ fine_grained: true"
 
   [ "$(LXD_CONF="${LXD_CONF2}" lxc auth identity info tls:)" = "${expectedTLSInfo}" ]
 
-
   # Identity permissions.
   ! lxc auth group permission add test-group identity [email protected] can_view || false # Missing authentication method
   lxc auth group permission add test-group identity oidc/[email protected] can_view # Valid
@@ -289,6 +288,37 @@ fine_grained: true"
   [ "$(LXD_CONF="${LXD_CONF6}" CERTNAME=unrestricted my_curl -X GET "https://${LXD_ADDR}/1.0/auth/identities/current" | jq -r .metadata.fine_grained)" = "false" ]
   lxc config trust remove "${lxdconf6_fingerprint_short}"
 
+  lxc auth identity group add oidc/[email protected] test-group
+  # Create a new test project, add some entitlements on it and check that these are reflected in the 'access_entitlements' field returned from the API.
+  lxc project create test-project
+  lxc auth group permission add test-group project test-project can_view
+  lxc auth group permission add test-group project test-project can_edit
+  lxc auth group permission add test-group project test-project can_delete
+
+  # Check the created project entitlements given a list of candidate entitlements (some are wrong: `can_create_instances` and `can_create_networks`. These should not be returned).
+  [ "$(lxc_remote query "oidc:/1.0/projects/test-project?recursion=1&with-access-entitlements=can_view,can_edit,can_delete,can_create_instances,can_create_networks" | jq -c '.access_entitlements')" = '["can_view","can_edit","can_delete"]' ]
+  lxc project delete test-project
+
+  # Repeat the same test for other entity types.
+  # Instance
+  ensure_import_testimage
+  lxc init testimage test-foo
+  lxc auth group permission add test-group instance test-foo can_view project=default
+  lxc auth group permission add test-group instance test-foo can_edit project=default
+  lxc auth group permission add test-group instance test-foo can_delete project=default
+  [ "$(lxc_remote query "oidc:/1.0/instances/test-foo?project=default&recursion=1&with-access-entitlements=can_view,can_edit,can_delete,can_exec" | jq -c '.access_entitlements')" = '["can_view","can_edit","can_delete"]' ]
+  lxc delete test-foo -f
+
+  # Storage volume
+  # Storage volume entitlements test
+  pool_name="$(lxc storage list -f csv | cut -d, -f1)"
+  lxc storage volume create "${pool_name}" test-volume
+  lxc auth group permission add test-group storage_volume test-volume can_view project=default pool="${pool_name}" type=custom
+  lxc auth group permission add test-group storage_volume test-volume can_edit project=default pool="${pool_name}" type=custom
+  lxc auth group permission add test-group storage_volume test-volume can_delete project=default pool="${pool_name}" type=custom
+  [ "$(lxc_remote query "oidc:/1.0/storage-pools/${pool_name}/volumes/custom/test-volume?project=default&recursion=1&with-access-entitlements=can_view,can_edit,can_delete,can_manage_backups,can_manage_snapshots" | jq -c '.access_entitlements')" = '["can_view","can_edit","can_delete"]' ]
+  lxc storage volume delete "${pool_name}" test-volume
+
   # Cleanup
   lxc auth group delete test-group
   lxc auth identity-provider-group delete test-idp-group
@@ -305,7 +335,6 @@ fine_grained: true"
   lxc config unset oidc.client.id
 }
 
-
 storage_pool_used_by() {
   remote="${1}"