Allow scoped tokens to read session status

This commit is contained in:
Joe Julian
2026-04-11 16:51:24 -07:00
parent e16067b345
commit 12796ef639
2 changed files with 8 additions and 5 deletions
+1 -1
@@ -109,7 +109,7 @@ func (s *Server) SetSessionState(model vault.Model, locked, dirty bool) {
}
func (s *Server) GetSessionStatus(ctx context.Context, _ *keepassgov1.GetSessionStatusRequest) (*keepassgov1.GetSessionStatusResponse, error) {
if _, err := s.authorizeVaultRequest(ctx, apitokens.OperationManageVault); err != nil {
if _, err := s.authenticateRequest(ctx); err != nil {
return nil, err
}
s.mu.RLock()
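Review bot: The new check on the `authenticateRequest` line discards its result with `_` and drops the `apitokens.OperationManageVault` gate, so any token that authenticates — whatever its scopes — can now read session status; nothing at the call site records that this widening is intentional. A maintainer reading `GetSessionStatus` later will see an authorization check that looks weaker than its siblings and may either re-tighten it or copy the pattern to an endpoint that should stay scoped. Add a comment above the check stating the contract, e.g. `// Session status is intentionally readable by any authenticated token; it carries no vault contents, so no vault-management scope is required.` — the second clause should be confirmed against the fields GetSessionStatusResponse actually exposes, since only `Locked` is visible from the test. If the discarded principal is useful for audit logging elsewhere in this handler, that is a second reason not to throw it away. The body of `GetSessionStatus` continues past the end of this hunk.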
+7 -4
@@ -100,7 +100,7 @@ func TestVaultServiceRejectsUnauthorizedEntryAccess(t *testing.T) {
}
}
func TestVaultServiceRejectsUnauthorizedVaultManagement(t *testing.T) {
func TestVaultServiceAllowsSessionStatusWithoutManageVault(t *testing.T) {
t.Parallel()
client, _, cleanup := newTestClientForModel(t, vault.Model{
@@ -112,9 +112,12 @@ func TestVaultServiceRejectsUnauthorizedVaultManagement(t *testing.T) {
})
defer cleanup()
_, err := client.GetSessionStatus(tokenContext(defaultTestTokenSecret), &keepassgov1.GetSessionStatusRequest{})
if status.Code(err) != codes.PermissionDenied {
t.Fatalf("GetSessionStatus() code = %v, want %v", status.Code(err), codes.PermissionDenied)
resp, err := client.GetSessionStatus(tokenContext(defaultTestTokenSecret), &keepassgov1.GetSessionStatusRequest{})
if err != nil {
t.Fatalf("GetSessionStatus() error = %v", err)
}
if resp.GetLocked() {
t.Fatal("GetSessionStatus().Locked = true, want false")
}
}
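Review bot: The rewritten test pins only the positive case — a scoped token gets a response with `Locked == false` — but the commit loosened the handler from an authorization check to a bare authentication check, and nothing here pins that authentication is still required. A regression that made `GetSessionStatus` skip the check entirely would pass this test unchanged. Add a negative call in the same test without a token context, e.g. `if _, err := client.GetSessionStatus(context.Background(), &keepassgov1.GetSessionStatusRequest{}); err == nil {` / `t.Fatal("GetSessionStatus() without token: want error, got nil")` / `}`, asserting the specific code `authenticateRequest` returns if it is known (presumably `codes.Unauthenticated`; `context` may need importing in this test file). Separately, the deleted `TestVaultServiceRejectsUnauthorizedVaultManagement` body was the only `codes.PermissionDenied` assertion visible in this file section; if no other test still exercises a `OperationManageVault`-gated RPC with a scoped token, that denial path is now untested.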