Fix user tests.
Joerger committed Dec 12, 2023
1 parent 054daf2 commit b4f6d7d
Showing 2 changed files with 8 additions and 7 deletions.
8 changes: 4 additions & 4 deletions lib/auth/users/usersv1/service_test.go
@@ -73,7 +73,8 @@ func (a fakeAuthorizer) Authorize(ctx context.Context) (*authz.Context, error) {
},
},
},
Identity: identity,
Identity: identity,
AdminActionAuthorized: true,
}, nil
}

@@ -102,8 +103,8 @@ func (a fakeAuthorizer) Authorize(ctx context.Context) (*authz.Context, error) {
Username: "alice",
},
},
AdminActionAuthorized: true,
}, nil

}

type fakeChecker struct {
@@ -866,7 +867,6 @@ func TestRBAC(t *testing.T) {

for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {

env, err := newTestEnv(withAuthorizer(&fakeAuthorizer{authzContext: &authz.Context{
User: llama,
Checker: test.checker,
@@ -876,6 +876,7 @@ func TestRBAC(t *testing.T) {
Groups: []string{"dev"},
},
},
AdminActionAuthorized: true,
}}))
require.NoError(t, err, "creating test service")

@@ -888,5 +889,4 @@ func TestRBAC(t *testing.T) {
require.ElementsMatch(t, test.expectChecks, test.checker.checks)
})
}

}
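Review bot: With `AdminActionAuthorized: true` hard-coded in both `fakeAuthorizer.Authorize` returns and in the `TestRBAC` context, nothing in the visible hunks exercises the unauthorized path. If the service under test gates its calls on `authz.AuthorizeAdminAction` (inferred from the commit, not visible here), add a case that leaves the field false and asserts the call fails with `mfa.ErrAdminActionMFARequired`, so a handler that drops the check is caught. A short comment on the fake, e.g. `// Admin-action MFA is treated as already verified in these tests.`, would also make the shortcut explicit. The functions touched start and end outside the hunks.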
7 changes: 4 additions & 3 deletions lib/authz/permissions.go
@@ -193,7 +193,7 @@ type Context struct {
// AdminActionVerified is whether this auth request is verified for admin actions. This
// either means that the request was MFA verified through the context or Hardware Key support,
// or the identity does not require admin MFA (built in roles, bot impersonated user, etc).
adminActionAuthorized bool
AdminActionAuthorized bool
}

// GetUserMetadata returns information about the authenticated identity
@@ -384,7 +384,7 @@ func (a *authorizer) checkAdminActionVerification(ctx context.Context, authConte
return trace.Wrap(err)
}

authContext.adminActionAuthorized = true
authContext.AdminActionAuthorized = true
return nil
}

@@ -1101,6 +1101,7 @@ func ContextForBuiltinRole(r BuiltinRole, recConfig types.SessionRecordingConfig
Identity: r,
UnmappedIdentity: r,
disableDeviceRoleMode: true, // Builtin roles skip device trust.
AdminActionAuthorized: true, // builtin roles skip mfa for admin actions.
}, nil
}

@@ -1324,7 +1325,7 @@ func AuthorizeContextWithVerbs(ctx context.Context, log logrus.FieldLogger, auth

// AuthorizeAdminAction will ensure that the user is authorized to perform admin actions.
func AuthorizeAdminAction(ctx context.Context, authCtx *Context) error {
if !authCtx.adminActionAuthorized {
if !authCtx.AdminActionAuthorized {
return trace.Wrap(&mfa.ErrAdminActionMFARequired)
}
return nil
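Review bot: Exporting `AdminActionAuthorized` on `Context` turns the admin-action MFA result into a field that any package holding a `*authz.Context` can set, and `AuthorizeAdminAction` trusts it with no further check. Before this change only code inside `authz` (here `checkAdminActionVerification`) could write it; the export appears to exist so the usersv1 test fakes can build an authorized context. If the field stays exported, its doc comment should name the intended writers and start with the field name (it still reads `AdminActionVerified`), for example `// AdminActionAuthorized is set only by the authorizer and by test fakes; all other code must treat it as read-only.` An alternative is to keep the field unexported and give tests a narrowly named constructor or option, so a search for writers of this flag stays meaningful. The struct and functions shown start and end outside the hunks.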