Merge bf07eb9 into 2987f2e

.pre-commit-config.yaml

@@ -0,0 +1,12 @@
+repos:
+    -   repo: git@github.com:Yelp/detect-secrets
+        rev: v0.13.1
+        hooks:
+        -   id: detect-secrets
+            args: ['--baseline', '.secrets.baseline']
+            exclude: Gopkg.lock
+    -   repo: https://github.com/pre-commit/pre-commit-hooks
+        rev: v2.5.0
+        hooks:
+        -   id: no-commit-to-branch
+            args: [--branch, develop, --branch, master, --pattern, release/.*]

.secrets.baseline

@@ -0,0 +1,149 @@
+{
+  "exclude": {
+    "files": null,
+    "lines": null
+  },
+  "generated_at": "2020-10-23T21:00:22Z",
+  "plugins_used": [
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "base64_limit": 4.5,
+      "name": "Base64HighEntropyString"
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "hex_limit": 3,
+      "name": "HexHighEntropyString"
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "keyword_exclude": null,
+      "name": "KeywordDetector"
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "results": {
+    "docs/openapi.yaml": [
+      {
+        "hashed_secret": "f9fdc64928c96c7ad56bf7da557f70345d83a6ed",
+        "is_verified": false,
+        "line_number": 1472,
+        "type": "Base64 High Entropy String"
+      }
+    ],
+    "main.go": [
+      {
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 31,
+        "type": "Basic Auth Credentials"
+      }
+    ],
+    "vendor/github.com/jmoiron/sqlx/go.sum": [
+      {
+        "hashed_secret": "d93770a7d54e264578e829085b6edfb7daf24575",
+        "is_verified": false,
+        "line_number": 1,
+        "type": "Base64 High Entropy String"
+      },
+      {
+        "hashed_secret": "9e9a414d11593ef9a5292a992416e022c8ab2862",
+        "is_verified": false,
+        "line_number": 2,
+        "type": "Base64 High Entropy String"
+      },
+      {
+        "hashed_secret": "d9cbcba80017e84f642d6eee7150e3851cc55fc4",
+        "is_verified": false,
+        "line_number": 3,
+        "type": "Base64 High Entropy String"
+      },
+      {
+        "hashed_secret": "5bd147c32611329506fb4827a21c52738aece5c7",
+        "is_verified": false,
+        "line_number": 4,
+        "type": "Base64 High Entropy String"
+      },
+      {
+        "hashed_secret": "a2709bd13a8ef284332830b8a2c04ccf4d2e96d8",
+        "is_verified": false,
+        "line_number": 5,
+        "type": "Base64 High Entropy String"
+      },
+      {
+        "hashed_secret": "af7c8bf7dbc993e43c6d5514cc0b8e50a1ba28fe",
+        "is_verified": false,
+        "line_number": 6,
+        "type": "Base64 High Entropy String"
+      }
+    ],
+    "vendor/github.com/lib/pq/doc.go": [
+      {
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 27,
+        "type": "Basic Auth Credentials"
+      },
+      {
+        "hashed_secret": "392cbf7a3c6f6543162882e0ba1fbcb48dac5f55",
+        "is_verified": false,
+        "line_number": 76,
+        "type": "Secret Keyword"
+      },
+      {
+        "hashed_secret": "07d50fb612f4149a6fe1ce53c0a3150f2212c0ce",
+        "is_verified": false,
+        "line_number": 80,
+        "type": "Secret Keyword"
+      }
+    ],
+    "vendor/github.com/lib/pq/url.go": [
+      {
+        "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
+        "is_verified": false,
+        "line_number": 21,
+        "type": "Basic Auth Credentials"
+      }
+    ]
+  },
+  "version": "0.13.1",
+  "word_list": {
+    "file": null,
+    "hash": null
+  }
+}

arborist/server_test.go

@@ -598,7 +598,7 @@ func TestServer(t *testing.T) {
 		_ = db.MustExec("DELETE FROM usr")
 	}
 
-	checkAuthSuccess := func(t *testing.T, body []byte) {
+	checkAuthSuccess := func(t *testing.T, body []byte, outcome bool) {
 		w := httptest.NewRecorder()
 		req := newRequest("POST", "/auth/request", bytes.NewBuffer(body))
 		handler.ServeHTTP(w, req)
@@ -613,7 +613,7 @@ func TestServer(t *testing.T) {
 			httpError(t, w, "couldn't read response from auth request")
 		}
 		msg := fmt.Sprintf("got response body: %s", w.Body.String())
-		assert.Equal(t, true, result.Auth, msg)
+		assert.Equal(t, outcome, result.Auth, msg)
 	}
 
 	// testSetup should be used for any setup or teardown that should go in all
@@ -3221,8 +3221,47 @@ func TestServer(t *testing.T) {
 					serviceName,
 					"read",
 				))
-				checkAuthSuccess(t, authRequestBody)
+				checkAuthSuccess(t, authRequestBody, true)
 			})
+			t.Run("CheckingStar", func(t *testing.T) {
+				createRoleBytes(
+					t,
+					[]byte(`{
+						"id": "roleForAnonCheckingStar",
+						"permissions": [
+							{"id": "wanabeserviceStar", "action": {"service": "*", "method": "create"}}
+						]
+					}`),
+				)
+				createPolicyBytes(
+					t,
+					[]byte(fmt.Sprintf(
+						`{
+							"id": "policyForAnonCheckingStar",
+							"resource_paths": ["%s"],
+							"role_ids": ["roleForAnonCheckingStar"]
+						}`,
+						resourcePath,
+					)),
+				)
+				grantGroupPolicy(t, arborist.AnonymousGroup, "policyForAnonCheckingStar")
+				authRequestBody := []byte(fmt.Sprintf(
+					`{
+						"user": {"token": ""},
+						"request": {
+							"resource": "%s",
+							"action": {
+								"service": "%s",
+								"method": "%s"
+							}
+						}
+					}`,
+					resourcePath,
+					serviceName,
+					"write", // Attempt to write when only allowed to create
+				))
+				checkAuthSuccess(t, authRequestBody, false)
+				})
 		})
 
 		deleteEverything()