@@ -9,16 +9,20 @@ use crate::integration_tests::instances::{
9
9
} ;
10
10
use chrono:: Utc ;
11
11
use dropshot:: test_util:: ClientTestContext ;
12
- use dropshot:: ResultsPage ;
12
+ use dropshot:: { HttpErrorResponseBody , ResultsPage } ;
13
13
use http:: { Method , StatusCode } ;
14
+ use nexus_auth:: authn:: USER_TEST_UNPRIVILEGED ;
15
+ use nexus_db_queries:: db:: fixed_data:: silo:: DEFAULT_SILO ;
16
+ use nexus_db_queries:: db:: identity:: { Asset , Resource } ;
14
17
use nexus_test_utils:: background:: activate_background_task;
15
18
use nexus_test_utils:: http_testing:: { AuthnMode , NexusRequest , RequestBuilder } ;
16
19
use nexus_test_utils:: resource_helpers:: {
17
20
create_default_ip_pool, create_disk, create_instance, create_project,
18
- object_create_error, objects_list_page_authz, DiskTest ,
21
+ grant_iam , object_create_error, objects_list_page_authz, DiskTest ,
19
22
} ;
20
23
use nexus_test_utils:: ControlPlaneTestContext ;
21
24
use nexus_test_utils_macros:: nexus_test;
25
+ use nexus_types:: external_api:: shared:: ProjectRole ;
22
26
use nexus_types:: external_api:: views:: OxqlQueryResult ;
23
27
use nexus_types:: silo:: DEFAULT_SILO_ID ;
24
28
use omicron_test_utils:: dev:: poll:: { wait_for_condition, CondCheckError } ;
@@ -637,8 +641,45 @@ async fn test_project_timeseries_query(
637
641
object_create_error ( client, url, & body, StatusCode :: NOT_FOUND ) . await ;
638
642
assert_eq ! ( result. message, "not found: project with name \" nonexistent\" " ) ;
639
643
640
- // try a project in your silo that you can't read
641
- // try a project in another silo
644
+ // unprivileged user gets 404 on project that exists, but which they can't read
645
+ let url = "/v1/timeseries/query/project/project1" ;
646
+ let body = nexus_types:: external_api:: params:: TimeseriesQuery {
647
+ query : q1. to_string ( ) ,
648
+ } ;
649
+ let result = NexusRequest :: new (
650
+ RequestBuilder :: new ( client, Method :: POST , url)
651
+ . body ( Some ( & body) )
652
+ . expect_status ( Some ( StatusCode :: NOT_FOUND ) ) ,
653
+ )
654
+ . authn_as ( AuthnMode :: UnprivilegedUser )
655
+ . execute ( )
656
+ . await
657
+ . unwrap ( )
658
+ . parsed_body :: < HttpErrorResponseBody > ( )
659
+ . unwrap ( ) ;
660
+ assert_eq ! ( result. message, "not found: project with name \" project1\" " ) ;
661
+
662
+ // now grant the user access to that project only
663
+ grant_iam (
664
+ client,
665
+ "/v1/projects/project1" ,
666
+ ProjectRole :: Viewer ,
667
+ USER_TEST_UNPRIVILEGED . id ( ) ,
668
+ AuthnMode :: PrivilegedUser ,
669
+ )
670
+ . await ;
671
+
672
+ let result = NexusRequest :: new (
673
+ RequestBuilder :: new ( client, Method :: POST , url)
674
+ . body ( Some ( & body) )
675
+ . expect_status ( Some ( StatusCode :: OK ) ) ,
676
+ )
677
+ . authn_as ( AuthnMode :: UnprivilegedUser )
678
+ . execute ( )
679
+ . await
680
+ . unwrap ( )
681
+ . parsed_body :: < OxqlQueryResult > ( )
682
+ . unwrap ( ) ;
642
683
}
643
684
644
685
#[ nexus_test]
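Review bot: The two TODO comments this hunk deletes ("a project in your silo that you can't read" and "a project in another silo") are only half replaced: the in-silo unreadable case is now exercised, but nothing covers a cross-silo project, and after `grant_iam` there is no negative check that the Viewer grant on `project1` is actually scoped — the comment says "access to that project only", yet no request against another project is made as the unprivileged user afterwards. I'd either keep a `// TODO: try a project in another silo` marker or add a follow-up `NexusRequest` as `AuthnMode::UnprivilegedUser` against a second project that still expects `StatusCode::NOT_FOUND`, which is the assertion that proves a grant on one project does not leak read access to siblings. The 404 rather than 403 for the unreadable-but-existing project is the right choice (no existence disclosure) and is asserted on the message, so that part is solid. Separately, the final `let result = …parsed_body::<OxqlQueryResult>()` is never used — either assert on its contents or bind it as `_` so the success path checks more than the status code. The enclosing `test_project_timeseries_query` starts outside the hunk, so I cannot tell from here whether a second project is already set up to use for the negative check.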