Add nested AL tests + change IsAccessListMember behaviour by hugoShaka · Pull Request #60271 · gravitational/teleport

hugoShaka · 2025-10-15T15:27:10Z

This PR upstreams some part of #60034 to reduce the size of the PR.

It contains:

the IsAccessListMember behaviour change to always return an error if the user is not a member (reduced footgun risk)
the IsAccessListOwner behaviour change to always return an error if the user is not an owner (reduced footgun risk)
test coverage for nested access lists and cyclic graphs (cycles are skipped as they don't pass today)

The related e PR is :https://github.com/gravitational/teleport.e/pull/7423

This change slightly affects the semantics of returned errors. This doesn't affect the code in the OSS repo but one function in e had to be adapted. The semantic change will also be required for the visitor PR.

lib/accesslists/hierarchy.go

kopiczko · 2025-10-16T18:28:39Z

lib/accesslists/hierarchy_test.go


 	ownershipType, err := IsAccessListOwner(ctx, stubUserNoRequires, acl4, accessListAndMembersGetter, nil, clock)
 	require.Error(t, err)
-	require.ErrorIs(t, err, trace.AccessDenied("User '%s' does not meet the membership requirements for Access List '%s'", member1, acl1.Spec.Title))


Why not verify those error messages?

Because they will change with the visitor PR (it doesn't traverse the graph the same way and cannot produce the same errors). I want the tests to pass for both implementations, without changes

lib/accesslists/hierarchy_test.go

kopiczko · 2025-10-16T18:42:27Z

lib/accesslists/hierarchy_test.go

+
+		typ, err := IsAccessListMember(ctx, user, firstList, aclGetter, locks, clock)
+		require.NoError(t, err)
+		require.Equal(t, accesslistv1.AccessListUserAssignmentType_ACCESS_LIST_USER_ASSIGNMENT_TYPE_INHERITED, typ)


I think it wouldn't hurt to check IsAccessListMember for all lists in the cycle. Same for the test above.

Co-authored-by: Pawel Kopiczko <pawel.kopiczko@goteleport.com>

hugoShaka · 2025-10-22T19:56:01Z

Waiting https://github.com/gravitational/teleport.e/pull/7423

* Add nested AL tests + change IsAccessListMember signature * address marek's feedback * fixup! address marek's feedback * Apply suggestions from code review Co-authored-by: Pawel Kopiczko <pawel.kopiczko@goteleport.com> * address pawel's feedback --------- Co-authored-by: Pawel Kopiczko <pawel.kopiczko@goteleport.com>

…61623) * Add nested AL tests + change IsAccessListMember signature * address marek's feedback * fixup! address marek's feedback * Apply suggestions from code review * address pawel's feedback --------- Co-authored-by: Pawel Kopiczko <pawel.kopiczko@goteleport.com>

Add nested AL tests + change IsAccessListMember signature

1d42fa0

hugoShaka requested review from kopiczko and smallinsky October 15, 2025 15:27

github-actions bot requested review from Tener and nicholasmarais1158 October 15, 2025 15:27

github-actions bot added the size/md label Oct 15, 2025

hugoShaka added the no-changelog Indicates that a PR does not require a changelog entry label Oct 15, 2025

hugoShaka removed request for Tener and nicholasmarais1158 October 15, 2025 15:42

hugoShaka mentioned this pull request Oct 16, 2025

Allow accesslist cycles pt.1 #60034

Merged

smallinsky approved these changes Oct 16, 2025

View reviewed changes

lib/accesslists/hierarchy.go Outdated Show resolved Hide resolved

address marek's feedback

41f526f

hugoShaka changed the title ~~Add nested AL tests + change IsAccessListMember signature~~ Add nested AL tests + change IsAccessListMember behaviour Oct 16, 2025

hugoShaka requested a review from smallinsky October 16, 2025 15:06

smallinsky approved these changes Oct 16, 2025

View reviewed changes

fixup! address marek's feedback

2916d1e

kopiczko approved these changes Oct 16, 2025

View reviewed changes

hugoShaka and others added 2 commits October 16, 2025 15:08

Apply suggestions from code review

b4a5cfb

Co-authored-by: Pawel Kopiczko <pawel.kopiczko@goteleport.com>

address pawel's feedback

c38c2d1

hugoShaka added this pull request to the merge queue Oct 22, 2025

Merged via the queue into master with commit f483fbe Oct 22, 2025
41 checks passed

hugoShaka deleted the hugo/nested-al-test-coverage branch October 22, 2025 20:42

hugoShaka mentioned this pull request Nov 20, 2025

[v18] Add nested AL tests + change IsAccessListMember behaviour #61623

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add nested AL tests + change IsAccessListMember behaviour#60271

Add nested AL tests + change IsAccessListMember behaviour#60271
hugoShaka merged 5 commits intomasterfrom
hugo/nested-al-test-coverage

hugoShaka commented Oct 15, 2025 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

kopiczko Oct 16, 2025

Uh oh!

hugoShaka Oct 16, 2025 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

kopiczko Oct 16, 2025 •

edited

Loading

Uh oh!

hugoShaka commented Oct 22, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

hugoShaka commented Oct 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

kopiczko Oct 16, 2025

Choose a reason for hiding this comment

Uh oh!

hugoShaka Oct 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

kopiczko Oct 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

hugoShaka commented Oct 22, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

hugoShaka commented Oct 15, 2025 •

edited

Loading

hugoShaka Oct 16, 2025 •

edited

Loading

kopiczko Oct 16, 2025 •

edited

Loading