hashicorp · jefferai · Mar 24, 2021 · Mar 18, 2021 · Mar 19, 2021 · Mar 22, 2021
@@ -63,10 +63,11 @@ type RequestInfo struct {
 }
 
 type VerifyResults struct {
-	UserId      string
-	AuthTokenId string
-	Error       error
-	Scope       *scopes.ScopeInfo
+	UserId        string
+	AuthTokenId   string
+	Error         error
+	Scope         *scopes.ScopeInfo
+	Authenticated bool
 
 	// RoundTripValue can be set to allow the function performing authentication
 	// (often accompanied by lookup(s)) to return a result of that lookup to the
@@ -175,7 +176,8 @@ func Verify(ctx context.Context, opt ...Option) (ret VerifyResults) {
 	}
 
 	ret.AuthTokenId = v.requestInfo.PublicId
-	if !authResults.Allowed {
+	ret.Authenticated = authResults.Authenticated
+	if !authResults.Authorized {
 		if v.requestInfo.DisableAuthzFailures {
 			ret.Error = nil
 			// TODO: Decide whether to remove this
@@ -407,7 +409,8 @@ func (v verifier) performAuthCheck() (aclResults perms.ACLResults, userId string
 
 	// At this point we don't need to look up grants since it's automatically allowed
 	if v.requestInfo.TokenFormat == AuthTokenTypeRecoveryKms {
-		aclResults.Allowed = true
+		aclResults.Authenticated = true
+		aclResults.Authorized = true
 		retErr = nil
 		return
 	}
@@ -442,6 +445,11 @@ func (v verifier) performAuthCheck() (aclResults perms.ACLResults, userId string
 
 	retAcl = perms.NewACL(parsedGrants...)
 	aclResults = retAcl.Allowed(*v.res, v.act)
+	// We don't set authenticated above because setting this but not authorized
+	// is used for further permissions checks, such as during recursive listing.
+	// So we want to make sure any code relying on that has the full set of
+	// grants successfully loaded.
+	aclResults.Authenticated = true
 	retErr = nil
 	return
 }
@@ -469,9 +477,11 @@ func (r *VerifyResults) fetchActions(ctx context.Context, id string, typ resourc
 
 	opts := getOpts(opt...)
 	res := opts.withResource
+	// If not passed in, use what's already been populated through verification
 	if res == nil {
 		res = r.v.res
 	}
+	// If this is being called directly we may not have a resource yet
 	if res == nil {
 		res = new(perms.Resource)
 	}
@@ -484,7 +494,7 @@ func (r *VerifyResults) fetchActions(ctx context.Context, id string, typ resourc
 
 	ret := make(action.ActionSet, 0, len(availableActions))
 	for _, act := range availableActions {
-		if r.v.acl.Allowed(*res, act).Allowed {
+		if r.v.acl.Allowed(*res, act).Authorized {
 			ret = append(ret, act)
 		}
 	}

@@ -19,7 +19,6 @@ type options struct {
 	withPublicId                string
 	withName                    string
 	withDescription             string
-	withGroupGrants             bool
 	withLimit                   int
 	withAutoVivify              bool
 	withGrantScopeId            string
@@ -36,21 +35,13 @@ func getDefaultOptions() options {
 		withPublicId:        "",
 		withName:            "",
 		withDescription:     "",
-		withGroupGrants:     false,
 		withLimit:           0,
 		withAutoVivify:      false,
 		withGrantScopeId:    "",
 		withSkipVetForWrite: false,
 	}
 }
 
-// WithGroupGrants provides and option to include group grants
-func WithGroupGrants(enable bool) Option {
-	return func(o *options) {
-		o.withGroupGrants = enable
-	}
-}
-
 // WithPublicId provides an optional public id
 func WithPublicId(id string) Option {
 	return func(o *options) {

@@ -30,7 +30,8 @@ type ACL struct {
 // pass more detailed information along in the future if we want. It was useful
 // in Vault, may be useful here.
 type ACLResults struct {
-	Allowed bool
+	Authenticated bool
+	Authorized    bool
 
 	// This is included but unexported for testing/debugging
 	scopeMap map[string][]Grant
@@ -102,7 +103,7 @@ func (a ACL) Allowed(r Resource, aType action.Type) (results ACLResults) {
 			aType != action.List &&
 			aType != action.Create:
 
-			results.Allowed = true
+			results.Authorized = true
 			return
 
 		// type=<resource.type>;actions=<action> when action is list(:self) or
@@ -116,7 +117,7 @@ func (a ACL) Allowed(r Resource, aType action.Type) (results ACLResults) {
 			(aType == action.List ||
 				aType == action.Create):
 
-			results.Allowed = true
+			results.Authorized = true
 			return
 
 		// id=*;type=<resource.type>;actions=<action> where type cannot be
@@ -126,7 +127,7 @@ func (a ACL) Allowed(r Resource, aType action.Type) (results ACLResults) {
 			(grant.typ == r.Type ||
 				grant.typ == resource.All):
 
-			results.Allowed = true
+			results.Authorized = true
 			return
 
 		// id=<pin>;type=<resource.type>;actions=<action> where type can be a
@@ -137,7 +138,7 @@ func (a ACL) Allowed(r Resource, aType action.Type) (results ACLResults) {
 			(grant.typ == r.Type || grant.typ == resource.All) &&
 			!topLevelType(r.Type):
 
-			results.Allowed = true
+			results.Authorized = true
 			return
 		}
 	}