Allow scoped tokens to read session status
@@ -109,7 +109,7 @@ func (s *Server) SetSessionState(model vault.Model, locked, dirty bool) {
}
func (s *Server) GetSessionStatus(ctx context.Context, _ *keepassgov1.GetSessionStatusRequest) (*keepassgov1.GetSessionStatusResponse, error) {
if _, err := s.authorizeVaultRequest(ctx, apitokens.OperationManageVault); err != nil {
if _, err := s.authenticateRequest(ctx); err != nil {
return nil, err
}
s.mu.RLock()
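Review bot: The replacement guard on the `authenticateRequest` line removes the scope check entirely, so the vault's locked/dirty state becomes readable by any token that authenticates rather than only those holding OperationManageVault, and nothing in the hunk records that this relaxation is deliberate. A comment above the call would keep a later reader from re-tightening it or, worse, copying the pattern onto handlers that return entry contents: `// Session status (locked/dirty) is readable by any authenticated token; no scope is required here.` That authenticateRequest only validates the token and performs no scope check is inferred from its name and from the title, so it is worth confirming against its definition. The body of GetSessionStatus continues past `s.mu.RLock()` outside the hunk.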
@@ -100,7 +100,7 @@ func TestVaultServiceRejectsUnauthorizedEntryAccess(t *testing.T) {
}
}
func TestVaultServiceRejectsUnauthorizedVaultManagement(t *testing.T) {
func TestVaultServiceAllowsSessionStatusWithoutManageVault(t *testing.T) {
t.Parallel()
client, _, cleanup := newTestClientForModel(t, vault.Model{
@@ -112,9 +112,12 @@ func TestVaultServiceRejectsUnauthorizedVaultManagement(t *testing.T) {
})
defer cleanup()
_, err := client.GetSessionStatus(tokenContext(defaultTestTokenSecret), &keepassgov1.GetSessionStatusRequest{})
if status.Code(err) != codes.PermissionDenied {
t.Fatalf("GetSessionStatus() code = %v, want %v", status.Code(err), codes.PermissionDenied)
resp, err := client.GetSessionStatus(tokenContext(defaultTestTokenSecret), &keepassgov1.GetSessionStatusRequest{})
if err != nil {
t.Fatalf("GetSessionStatus() error = %v", err)
}
if resp.GetLocked() {
t.Fatal("GetSessionStatus().Locked = true, want false")
}
}
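Review bot: The rewritten test only exercises the newly permitted path; the one check this change actually weakens, that a request carrying no token is still rejected by GetSessionStatus, is no longer covered anywhere in this hunk now that the PermissionDenied assertion is gone. Adding a negative case after the locked check would pin the boundary the commit intends to keep, along the lines of `if _, err := client.GetSessionStatus(<context with no token>, &keepassgov1.GetSessionStatusRequest{}); status.Code(err) != codes.Unauthenticated {` followed by a `t.Fatalf` naming the got/want codes; the expected code is inferred from the handler's use of authenticateRequest and should be checked against what it returns. The test's name asserts the token lacks manage-vault scope, but the `vault.Model{` literal that sets that up starts on the hunk's last context line and continues outside it, so that premise cannot be confirmed here. The first hunk of this section only renames the test function and needs no separate note.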