From 01a68729f84a1849beb2a8c1ffcea7fa34395949 Mon Sep 17 00:00:00 2001 From: Gabriel Mougard Date: Thu, 9 Jan 2025 12:51:40 +0100 Subject: [PATCH] test: Check that we can retrieve entities with their correct 'access_entitlements' fields Signed-off-by: Gabriel Mougard --- test/suites/auth.sh | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/test/suites/auth.sh b/test/suites/auth.sh index 0e37e655c94f..0ca16cd0121e 100644 --- a/test/suites/auth.sh +++ b/test/suites/auth.sh @@ -169,7 +169,6 @@ fine_grained: true" [ "$(LXD_CONF="${LXD_CONF2}" lxc auth identity info tls:)" = "${expectedTLSInfo}" ] - # Identity permissions. ! lxc auth group permission add test-group identity test-user@example.com can_view || false # Missing authentication method lxc auth group permission add test-group identity oidc/test-user@example.com can_view # Valid 
@@ -289,6 +288,37 @@ fine_grained: true"
 [ "$(LXD_CONF="${LXD_CONF6}" CERTNAME=unrestricted my_curl -X GET "https://${LXD_ADDR}/1.0/auth/identities/current" | jq -r .metadata.fine_grained)" = "false" ]
 lxc config trust remove "${lxdconf6_fingerprint_short}"
+ lxc auth identity group add oidc/test-user@example.com test-group
+ # Create a new test project, add some entitlements on it and check that these are reflected in the 'access_entitlements' field returned from the API.
+ lxc project create test-project
+ lxc auth group permission add test-group project test-project can_view
+ lxc auth group permission add test-group project test-project can_edit
+ lxc auth group permission add test-group project test-project can_delete
+
+ # Check the created project entitlements given a list of candidate entitlements (some are wrong: `can_create_instances` and `can_create_networks`. These should not be returned).
+ [ "$(lxc_remote query "oidc:/1.0/projects/test-project?recursion=1&with-access-entitlements=can_view,can_edit,can_delete,can_create_instances,can_create_networks" | jq -c '.access_entitlements')" = '["can_view","can_edit","can_delete"]' ]
+ lxc project delete test-project
+
+ # Repeat the same test for other entity types.
+ # Instance
+ ensure_import_testimage
+ lxc init testimage test-foo
+ lxc auth group permission add test-group instance test-foo can_view project=default
+ lxc auth group permission add test-group instance test-foo can_edit project=default
+ lxc auth group permission add test-group instance test-foo can_delete project=default
+ [ "$(lxc_remote query "oidc:/1.0/instances/test-foo?project=default&recursion=1&with-access-entitlements=can_view,can_edit,can_delete,can_exec" | jq -c '.access_entitlements')" = '["can_view","can_edit","can_delete"]' ]
+ lxc delete test-foo -f
+
+ # Storage volume
+ # Storage volume entitlements test
+ pool_name="$(lxc storage list -f csv | cut -d, -f1)"
+ lxc storage volume create "${pool_name}" test-volume
+ lxc auth group permission add test-group storage_volume test-volume can_view project=default pool="${pool_name}" type=custom
+ lxc auth group permission add test-group storage_volume test-volume can_edit project=default pool="${pool_name}" type=custom
+ lxc auth group permission add test-group storage_volume test-volume can_delete project=default pool="${pool_name}" type=custom
+ [ "$(lxc_remote query "oidc:/1.0/storage-pools/${pool_name}/volumes/custom/test-volume?project=default&recursion=1&with-access-entitlements=can_view,can_edit,can_delete,can_manage_backups,can_manage_snapshots" | jq -c '.access_entitlements')" = '["can_view","can_edit","can_delete"]' ]
+ lxc storage volume delete "${pool_name}" test-volume
+
 # Cleanup
 lxc auth group delete test-group
 lxc auth identity-provider-group delete test-idp-group
@@ -305,7 +335,6 @@ fine_grained: true"
 lxc config unset oidc.client.id
 }
-
 storage_pool_used_by() {
 remote="${1}"
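Review bot: `pool_name="$(lxc storage list -f csv | cut -d, -f1)"` in the storage-volume section yields a newline-joined list whenever more than one pool exists at this point of the suite, so `lxc storage volume create "${pool_name}" test-volume` and the three permission lines after it would receive a multi-line name; pinning one entry, `pool_name="$(lxc storage list -f csv | cut -d, -f1 | head -n1)"`, keeps the section independent of how many pools earlier tests have created. The three `access_entitlements` assertions also assume the server returns granted entitlements in request order; if that ordering is not part of the API contract, comparing `jq -c '.access_entitlements | sort'` against the sorted literal avoids a flaky check. The comment above the project query calls `can_create_instances` and `can_create_networks` "wrong", which reads as if they were invalid names, whereas the check verifies that requested-but-ungranted entitlements are filtered out rather than echoed back; `# can_create_instances and can_create_networks are valid but not granted here, so they must not appear in the response` states what is actually asserted. The two consecutive `# Storage volume` comments can be merged into one, and the enclosing test function starts before this hunk.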