test with unprivileged user

Author: david-crespo

nexus/tests/integration_tests/metrics.rs

@@ -9,16 +9,19 @@ use crate::integration_tests::instances::{
 };
 use chrono::Utc;
 use dropshot::test_util::ClientTestContext;
-use dropshot::ResultsPage;
+use dropshot::{HttpErrorResponseBody, ResultsPage};
 use http::{Method, StatusCode};
+use nexus_auth::authn::USER_TEST_UNPRIVILEGED;
+use nexus_db_queries::db::identity::Asset;
 use nexus_test_utils::background::activate_background_task;
 use nexus_test_utils::http_testing::{AuthnMode, NexusRequest, RequestBuilder};
 use nexus_test_utils::resource_helpers::{
     create_default_ip_pool, create_disk, create_instance, create_project,
-    object_create_error, objects_list_page_authz, DiskTest,
+    grant_iam, object_create_error, objects_list_page_authz, DiskTest,
 };
 use nexus_test_utils::ControlPlaneTestContext;
 use nexus_test_utils_macros::nexus_test;
+use nexus_types::external_api::shared::ProjectRole;
 use nexus_types::external_api::views::OxqlQueryResult;
 use nexus_types::silo::DEFAULT_SILO_ID;
 use omicron_test_utils::dev::poll::{wait_for_condition, CondCheckError};
@@ -637,8 +640,44 @@ async fn test_project_timeseries_query(
         object_create_error(client, url, &body, StatusCode::NOT_FOUND).await;
     assert_eq!(result.message, "not found: project with name \"nonexistent\"");
 
-    // try a project in your silo that you can't read
-    // try a project in another silo
+    // unprivileged user gets 404 on project that exists, but which they can't read
+    let url = "/v1/timeseries/query/project/project1";
+    let body = nexus_types::external_api::params::TimeseriesQuery {
+        query: q1.to_string(),
+    };
+
+    let request = RequestBuilder::new(client, Method::POST, url)
+        .body(Some(&body))
+        .expect_status(Some(StatusCode::NOT_FOUND));
+    let result = NexusRequest::new(request)
+        .authn_as(AuthnMode::UnprivilegedUser)
+        .execute()
+        .await
+        .unwrap()
+        .parsed_body::<HttpErrorResponseBody>()
+        .unwrap();
+    assert_eq!(result.message, "not found: project with name \"project1\"");
+
+    // now grant the user access to that project only
+    grant_iam(
+        client,
+        "/v1/projects/project1",
+        ProjectRole::Viewer,
+        USER_TEST_UNPRIVILEGED.id(),
+        AuthnMode::PrivilegedUser,
+    )
+    .await;
+
+    // now they can access the timeseries. how cool is that
+    let request = RequestBuilder::new(client, Method::POST, url)
+        .body(Some(&body))
+        .expect_status(Some(StatusCode::OK));
+    let result = NexusRequest::new(request)
+        .authn_as(AuthnMode::UnprivilegedUser)
+        .execute_and_parse_unwrap::<OxqlQueryResult>()
+        .await;
+    assert_eq!(result.tables.len(), 1);
+    assert_eq!(result.tables[0].timeseries().len(), 1);
 }
 
 #[nexus_test]