
Commit 02d0476

committed
test with unprivileged user
1 parent d05fe87 commit 02d0476


1 file changed

+45
-4
lines changed


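--- a/nexus/tests/integration_tests/metrics.rs
+++ b/nexus/tests/integration_tests/metrics.rs
@@ -9,16 +9,20 @@ use crate::integration_tests::instances::{
 };
 use chrono::Utc;
 use dropshot::test_util::ClientTestContext;
-use dropshot::ResultsPage;
+use dropshot::{HttpErrorResponseBody, ResultsPage};
 use http::{Method, StatusCode};
+use nexus_auth::authn::USER_TEST_UNPRIVILEGED;
+use nexus_db_queries::db::fixed_data::silo::DEFAULT_SILO;
+use nexus_db_queries::db::identity::{Asset, Resource};
 use nexus_test_utils::background::activate_background_task;
 use nexus_test_utils::http_testing::{AuthnMode, NexusRequest, RequestBuilder};
 use nexus_test_utils::resource_helpers::{
 create_default_ip_pool, create_disk, create_instance, create_project,
-object_create_error, objects_list_page_authz, DiskTest,
+grant_iam, object_create_error, objects_list_page_authz, DiskTest,
 };
 use nexus_test_utils::ControlPlaneTestContext;
 use nexus_test_utils_macros::nexus_test;
+use nexus_types::external_api::shared::ProjectRole;
 use nexus_types::external_api::views::OxqlQueryResult;
 use nexus_types::silo::DEFAULT_SILO_ID;
 use omicron_test_utils::dev::poll::{wait_for_condition, CondCheckError};
@@ -637,8 +641,45 @@ async fn test_project_timeseries_query(
 object_create_error(client, url, &body, StatusCode::NOT_FOUND).await;
 assert_eq!(result.message, "not found: project with name \"nonexistent\"");
 
-// try a project in your silo that you can't read
-// try a project in another silo
+// unprivileged user gets 404 on project that exists, but which they can't read
+let url = "/v1/timeseries/query/project/project1";
+let body = nexus_types::external_api::params::TimeseriesQuery {
+query: q1.to_string(),
+};
+let result = NexusRequest::new(
+RequestBuilder::new(client, Method::POST, url)
+.body(Some(&body))
+.expect_status(Some(StatusCode::NOT_FOUND)),
+)
+.authn_as(AuthnMode::UnprivilegedUser)
+.execute()
+.await
+.unwrap()
+.parsed_body::<HttpErrorResponseBody>()
+.unwrap();
+assert_eq!(result.message, "not found: project with name \"project1\"");
+
+// now grant the user access to that project only
+grant_iam(
+client,
+"/v1/projects/project1",
+ProjectRole::Viewer,
+USER_TEST_UNPRIVILEGED.id(),
+AuthnMode::PrivilegedUser,
+)
+.await;
+
+let result = NexusRequest::new(
+RequestBuilder::new(client, Method::POST, url)
+.body(Some(&body))
+.expect_status(Some(StatusCode::OK)),
+)
+.authn_as(AuthnMode::UnprivilegedUser)
+.execute()
+.await
+.unwrap()
+.parsed_body::<OxqlQueryResult>()
+.unwrap();
 }
 
 #[nexus_test]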
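Review bot: The second `result` (new lines 672-682) is bound but never read before the function closes, so the positive case only proves that a Viewer grant yields a 200 with a body that parses as `OxqlQueryResult`, not that the data returned is limited to project1; assert on the parsed result, or drop the binding if the status check is all that is intended. The commit also deletes the `// try a project in another silo` placeholder without adding that case, so the cross-silo boundary is still untested here; I would keep it as `// TODO: try a project in another silo` until a test exists. The comment "now grant the user access to that project only" would be better backed by a follow-up request, as the same unprivileged user, against a project the grant does not cover, still expecting `StatusCode::NOT_FOUND`. `DEFAULT_SILO` and `Resource` are imported in the first hunk but are not used in the lines visible here, so it is worth confirming they are needed. The body of test_project_timeseries_query begins outside the hunk.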
