Add tests

GoogleCloudPlatform · Feb 14, 2024 · 5599bbd · 5599bbd
1 parent 05040f0
commit 5599bbd
Show file tree

Hide file tree

Showing 6 changed files with 129 additions and 75 deletions.
diff --git a/sources/src/main/java/com/google/solutions/jitaccess/core/catalog/EntitlementSet.java b/sources/src/main/java/com/google/solutions/jitaccess/core/catalog/EntitlementSet.java
@@ -54,9 +54,9 @@ public record EntitlementSet<TId extends EntitlementId>(
   }
 
   /**
-   * @return consolidated set of entitlements including available and active ones.
+   * @return current set of entitlements, including available and active ones.
    */
-  public SortedSet<Entitlement<TId>> allEntitlements() { // TODO: expired?
+  public SortedSet<Entitlement<TId>> currentEntitlements() {
     //
     // Return a set containing:
     //
@@ -65,6 +65,8 @@ public SortedSet<Entitlement<TId>> allEntitlements() { // TODO: expired?
     //
     // where (1) and (2) don't overlap.
     //
+    // Expired entitlements are ignored.
+    //
     var availableAndInactive = this.availableEntitlements
       .stream()
       .filter(ent -> !this.activeEntitlementIds.contains(ent.id()))

diff --git a/...in/java/com/google/solutions/jitaccess/core/catalog/project/AssetInventoryRepository.java b/...in/java/com/google/solutions/jitaccess/core/catalog/project/AssetInventoryRepository.java
@@ -236,12 +236,12 @@ public EntitlementSet<ProjectRoleBinding> findEntitlements(
     }
 
     var allExpired = new HashSet<ProjectRoleBinding>();
-    if (statusesToInclude.contains(Entitlement.Status.EXPIRED)) { //TODO: test
+    if (statusesToInclude.contains(Entitlement.Status.EXPIRED)) {
       //
       // Find temporary bindings that reflect activations and
       // re no longer valid.
       //
-      allActive.addAll(allBindings.stream()
+      allExpired.addAll(allBindings.stream()
         // Only temporary access bindings.
         .filter(binding -> JitConstraints.isActivated(binding.getCondition()))
 

diff --git a/sources/src/main/java/com/google/solutions/jitaccess/web/rest/ApiResource.java b/sources/src/main/java/com/google/solutions/jitaccess/web/rest/ApiResource.java
@@ -211,7 +211,7 @@ public ProjectRolesResponse listRoles(
         projectId);
 
       return new ProjectRolesResponse(
-        entitlements.allEntitlements()
+        entitlements.currentEntitlements()
           .stream()
           .map(ent -> new ProjectRole(ent.id().roleBinding(), ent.activationType(), ent.status()))
           .collect(Collectors.toList()),

diff --git a/sources/src/test/java/com/google/solutions/jitaccess/core/catalog/TestEntitlementSet.java b/sources/src/test/java/com/google/solutions/jitaccess/core/catalog/TestEntitlementSet.java
@@ -73,7 +73,7 @@ public void whenActiveIsEmpty_ThenAllEntitlementsReturnsConsolidatedSet() {
 
     assertEquals(Set.of(available1, available2), set.availableEntitlements());
     assertEquals(Set.of(), set.activeEntitlementIds());
-    assertIterableEquals(List.of(available1, available2), set.allEntitlements());
+    assertIterableEquals(List.of(available1, available2), set.currentEntitlements());
   }
 
   @Test
@@ -104,7 +104,7 @@ public void whenOneEntitlementActive_ThenAllEntitlementsReturnsConsolidatedSet()
         "available-1",
         ActivationType.JIT,
         Entitlement.Status.ACTIVE)),
-      set.allEntitlements());
+      set.currentEntitlements());
   }
 
   @Test
@@ -139,7 +139,7 @@ public void whenAllEntitlementsActive_ThenAllEntitlementsReturnsConsolidatedSet(
           "available-2",
           ActivationType.JIT,
           Entitlement.Status.ACTIVE)),
-      set.allEntitlements());
+      set.currentEntitlements());
   }
 
   @Test
@@ -170,6 +170,6 @@ public void whenUnavailableEntitlementsIsActive_ThenAllEntitlementsReturnsConsol
           "unavailable-1",
           ActivationType.NONE,
           Entitlement.Status.ACTIVE)),
-      set.allEntitlements());
+      set.currentEntitlements());
   }
 }
diff --git a/...ava/com/google/solutions/jitaccess/core/catalog/project/TestAssetInventoryRepository.java b/...ava/com/google/solutions/jitaccess/core/catalog/project/TestAssetInventoryRepository.java
@@ -37,6 +37,7 @@
 import org.mockito.Mockito;
 
 import java.io.IOException;
+import java.time.Duration;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.EnumSet;
@@ -317,8 +318,8 @@ public void whenEffectiveIamPoliciesContainEligibleBindings_ThenFindEntitlements
 
       assertIterableEquals(
         List.of("roles/for-user"),
-        entitlements.allEntitlements().stream().map(e -> e.id().roleBinding().role()).collect(Collectors.toList()));
-      var jitEntitlement = entitlements.allEntitlements().first();
+        entitlements.currentEntitlements().stream().map(e -> e.id().roleBinding().role()).collect(Collectors.toList()));
+      var jitEntitlement = entitlements.currentEntitlements().first();
       assertEquals(ActivationType.JIT, jitEntitlement.activationType());
       assertEquals(Entitlement.Status.AVAILABLE, jitEntitlement.status());
     }
@@ -335,8 +336,8 @@ public void whenEffectiveIamPoliciesContainEligibleBindings_ThenFindEntitlements
 
       assertIterableEquals(
         List.of("roles/for-user"),
-        entitlements.allEntitlements().stream().map(e -> e.id().roleBinding().role()).collect(Collectors.toList()));
-      var jitEntitlement = entitlements.allEntitlements().first();
+        entitlements.currentEntitlements().stream().map(e -> e.id().roleBinding().role()).collect(Collectors.toList()));
+      var jitEntitlement = entitlements.currentEntitlements().first();
       assertEquals(ActivationType.MPA, jitEntitlement.activationType());
       assertEquals(Entitlement.Status.AVAILABLE, jitEntitlement.status());
     }
@@ -353,8 +354,8 @@ public void whenEffectiveIamPoliciesContainEligibleBindings_ThenFindEntitlements
 
       assertIterableEquals(
         List.of("roles/for-user"),
-        entitlements.allEntitlements().stream().map(e -> e.id().roleBinding().role()).collect(Collectors.toList()));
-      var jitEntitlement = entitlements.allEntitlements().first();
+        entitlements.currentEntitlements().stream().map(e -> e.id().roleBinding().role()).collect(Collectors.toList()));
+      var jitEntitlement = entitlements.currentEntitlements().first();
       assertEquals(ActivationType.JIT, jitEntitlement.activationType());
       assertEquals(Entitlement.Status.AVAILABLE, jitEntitlement.status());
     }
@@ -366,13 +367,21 @@ public void whenEffectiveIamPoliciesContainsExpiredActivation_ThenFindEntitlemen
       .setRole("roles/for-user")
       .setCondition(new Expr().setExpression(JIT_CONDITION))
       .setMembers(List.of("user:" + SAMPLE_USER.email, "user:other@example.com"));
-    var expiredActivationForUser = new Binding()
+    var expiredActivationForUser1 = new Binding()
       .setRole("roles/for-user")
       .setCondition(new Expr()
         .setTitle(JitConstraints.ACTIVATION_CONDITION_TITLE)
         .setExpression(new TemporaryIamCondition(
           Instant.now().minus(2, ChronoUnit.HOURS),
-          Instant.now().minus(1, ChronoUnit.HOURS)).toString()))
+          Duration.ofHours(1)).toString()))
+      .setMembers(List.of("user:" + SAMPLE_USER.email));
+    var expiredActivationForUser2 = new Binding()
+      .setRole("roles/for-user")
+      .setCondition(new Expr()
+        .setTitle(JitConstraints.ACTIVATION_CONDITION_TITLE)
+        .setExpression(new TemporaryIamCondition(
+          Instant.now().minus(2, ChronoUnit.DAYS),
+          Duration.ofHours(1)).toString()))
       .setMembers(List.of("user:" + SAMPLE_USER.email));
 
     var caiClient = Mockito.mock(AssetInventoryClient.class);
@@ -384,22 +393,58 @@ public void whenEffectiveIamPoliciesContainsExpiredActivation_ThenFindEntitlemen
         new PolicyInfo()
           .setAttachedResource(SAMPLE_PROJECT.path())
           .setPolicy(new Policy()
-            .setBindings(List.of(jitBindingForUser, expiredActivationForUser)))));
+            .setBindings(List.of(
+              jitBindingForUser,
+              expiredActivationForUser1,
+              expiredActivationForUser2)))));
 
     var repository = new AssetInventoryRepository(
       new SynchronousExecutor(),
       Mockito.mock(DirectoryGroupsClient.class),
       caiClient,
       new AssetInventoryRepository.Options("organization/0"));
 
-    var entitlements = repository.findEntitlements(
-      SAMPLE_USER,
-      SAMPLE_PROJECT,
-      EnumSet.of(ActivationType.JIT, ActivationType.MPA),
-      EnumSet.of(Entitlement.Status.AVAILABLE, Entitlement.Status.ACTIVE));
-    var entitlement = entitlements.allEntitlements().first();
-    assertEquals(ActivationType.JIT, entitlement.activationType());
-    assertEquals(Entitlement.Status.AVAILABLE, entitlement.status());
+    //
+    // AVAILABLE + ACTIVE.
+    //
+    {
+      var entitlements = repository.findEntitlements(
+        SAMPLE_USER,
+        SAMPLE_PROJECT,
+        EnumSet.of(ActivationType.JIT, ActivationType.MPA),
+        EnumSet.of(Entitlement.Status.AVAILABLE, Entitlement.Status.ACTIVE));
+
+      assertEquals(1, entitlements.currentEntitlements().size());
+      assertEquals(0, entitlements.activeEntitlementIds().size());
+      assertEquals(0, entitlements.expiredEntitlementIds().size());
+
+      var entitlement = entitlements.currentEntitlements().first();
+      assertEquals(ActivationType.JIT, entitlement.activationType());
+      assertEquals(Entitlement.Status.AVAILABLE, entitlement.status());
+    }
+
+    //
+    // AVAILABLE + ACTIVE + EXPIRED.
+    //
+    {
+      var entitlements = repository.findEntitlements(
+        SAMPLE_USER,
+        SAMPLE_PROJECT,
+        EnumSet.of(ActivationType.JIT, ActivationType.MPA),
+        EnumSet.of(Entitlement.Status.AVAILABLE, Entitlement.Status.ACTIVE, Entitlement.Status.EXPIRED));
+
+      assertEquals(1, entitlements.currentEntitlements().size());
+      assertEquals(0, entitlements.activeEntitlementIds().size());
+      assertEquals(1, entitlements.expiredEntitlementIds().size());
+
+      var entitlement = entitlements.currentEntitlements().first();
+      assertEquals(ActivationType.JIT, entitlement.activationType());
+      assertEquals(Entitlement.Status.AVAILABLE, entitlement.status());
+
+      assertEquals(
+        "roles/for-user",
+        entitlements.expiredEntitlementIds().stream().findFirst().get().roleBinding().role());
+    }
   }
 
   @Test
@@ -434,14 +479,21 @@ public void whenEffectiveIamPoliciesContainsActivation_ThenFindEntitlementsRetur
       caiClient,
       new AssetInventoryRepository.Options("organization/0"));
 
-    var entitlements = repository.findEntitlements(
-      SAMPLE_USER,
-      SAMPLE_PROJECT,
-      EnumSet.of(ActivationType.JIT, ActivationType.MPA),
-      EnumSet.of(Entitlement.Status.AVAILABLE, Entitlement.Status.ACTIVE));
-    var entitlement = entitlements.allEntitlements().first();
-    assertEquals(ActivationType.JIT, entitlement.activationType());
-    assertEquals(Entitlement.Status.ACTIVE, entitlement.status());
+    {
+      var entitlements = repository.findEntitlements(
+        SAMPLE_USER,
+        SAMPLE_PROJECT,
+        EnumSet.of(ActivationType.JIT, ActivationType.MPA),
+        EnumSet.of(Entitlement.Status.AVAILABLE, Entitlement.Status.ACTIVE, Entitlement.Status.EXPIRED));
+
+      assertEquals(1, entitlements.currentEntitlements().size());
+      assertEquals(1, entitlements.activeEntitlementIds().size());
+      assertEquals(0, entitlements.expiredEntitlementIds().size());
+
+      var entitlement = entitlements.currentEntitlements().first();
+      assertEquals(ActivationType.JIT, entitlement.activationType());
+      assertEquals(Entitlement.Status.ACTIVE, entitlement.status());
+    }
   }
 
   //---------------------------------------------------------------------------