319014043 Split unit tests, integration tests (#290)

* Rename integration tests to match failsafe conventions
* Run integration tests with failsafe
* Change GitHub Actions config so that it runs unit tests, but skips integration tests

.github/actions/build/action.yml

@@ -21,5 +21,6 @@ runs:
       shell: bash
 
     - name: Build
-      run: mvn -P release -B package -Dmaven.test.skip=true --file ${{ inputs.source-dir }}/pom.xml
+      # Run unit tests, but skip integration tests.
+      run: mvn -P release -B test -DskipITs=true --file ${{ inputs.source-dir }}/pom.xml
       shell: bash

.github/workflows/ci.yml

@@ -35,10 +35,3 @@ jobs:
 
     - name: Build
       uses: ./.github/actions/build
-
-    - name: 'Upload artifact'
-      uses: actions/upload-artifact@v4
-      with:
-        name: jit-access.jar
-        path: sources/target/*.jar
-        retention-days: 14

sources/pom.xml

@@ -140,10 +140,32 @@
         </executions>
       </plugin>
       <plugin>
+        <!--
+          Run unit tests. These tests don't access the network.
+        -->
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-surefire-plugin</artifactId>
         <version>${surefire-plugin.version}</version>
       </plugin>
+      <plugin>
+        <!--
+          Run integration tests. These tests access Google Cloud resources and need a
+          test.properties configuration file. They do not use Quarkus, so we run them
+          in the "test" phase.
+        -->
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-failsafe-plugin</artifactId>
+        <version>${surefire-plugin.version}</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>integration-test</goal>
+              <goal>verify</goal>
+            </goals>
+            <phase>test</phase>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
 
     <resources>

sources/src/test/java/com/google/solutions/jitaccess/core/catalog/TestTokenSigner.java → sources/src/test/java/com/google/solutions/jitaccess/core/catalog/ITestTokenSigner.java

@@ -26,15 +26,15 @@
 import com.google.solutions.jitaccess.core.UserEmail;
 import com.google.solutions.jitaccess.core.clients.HttpTransport;
 import com.google.solutions.jitaccess.core.clients.IamCredentialsClient;
-import com.google.solutions.jitaccess.core.clients.IntegrationTestEnvironment;
+import com.google.solutions.jitaccess.core.clients.ITestEnvironment;
 import org.junit.jupiter.api.Test;
 
 import java.time.Duration;
 import java.time.Instant;
 
 import static org.junit.jupiter.api.Assertions.*;
 
-public class TestTokenSigner {
+public class ITestTokenSigner {
   private static final UserEmail SAMPLE_USER_1 = new UserEmail("user-1@example.com");
   private static final UserEmail SAMPLE_USER_2 = new UserEmail("user-2@example.com");
   private static final UserEmail SAMPLE_USER_3 = new UserEmail("user-3@example.com");
@@ -53,9 +53,9 @@ public JsonWebToken.Payload convert(JsonWebToken.Payload object) {
   @Test
   public void signAddsObligatoryClaims() throws Exception {
     var credentialsAdapter = new IamCredentialsClient(
-      IntegrationTestEnvironment.APPLICATION_CREDENTIALS,
+      ITestEnvironment.APPLICATION_CREDENTIALS,
       HttpTransport.Options.DEFAULT);
-    var serviceAccount = IntegrationTestEnvironment.NO_ACCESS_USER;
+    var serviceAccount = ITestEnvironment.NO_ACCESS_USER;
 
     var tokenSignerOptions = new TokenSigner.Options(serviceAccount, Duration.ofMinutes(5));
     var tokenSigner = new TokenSigner(
@@ -98,9 +98,9 @@ public void signAddsObligatoryClaims() throws Exception {
   @Test
   public void whenJwtMissesAudienceClaim_ThenVerifyThrowsException() throws Exception {
     var credentialsAdapter = new IamCredentialsClient(
-      IntegrationTestEnvironment.APPLICATION_CREDENTIALS,
+      ITestEnvironment.APPLICATION_CREDENTIALS,
       HttpTransport.Options.DEFAULT);
-    var serviceAccount = IntegrationTestEnvironment.NO_ACCESS_USER;
+    var serviceAccount = ITestEnvironment.NO_ACCESS_USER;
 
     var tokenSigner = new TokenSigner(
       credentialsAdapter,
@@ -120,9 +120,9 @@ public void whenJwtMissesAudienceClaim_ThenVerifyThrowsException() throws Except
   @Test
   public void whenJwtMissesIssuerClaim_ThenVerifyThrowsException() throws Exception {
     var credentialsAdapter = new IamCredentialsClient(
-      IntegrationTestEnvironment.APPLICATION_CREDENTIALS,
+      ITestEnvironment.APPLICATION_CREDENTIALS,
       HttpTransport.Options.DEFAULT);
-    var serviceAccount = IntegrationTestEnvironment.NO_ACCESS_USER;
+    var serviceAccount = ITestEnvironment.NO_ACCESS_USER;
 
     var tokenSigner = new TokenSigner(
       credentialsAdapter,
@@ -143,9 +143,9 @@ public void whenJwtMissesIssuerClaim_ThenVerifyThrowsException() throws Exceptio
   @Test
   public void whenJwtSignedByWrongServiceAccount_ThenVerifyThrowsException() throws Exception {
     var credentialsAdapter = new IamCredentialsClient(
-      IntegrationTestEnvironment.APPLICATION_CREDENTIALS,
+      ITestEnvironment.APPLICATION_CREDENTIALS,
       HttpTransport.Options.DEFAULT);
-    var serviceAccount = IntegrationTestEnvironment.TEMPORARY_ACCESS_USER;
+    var serviceAccount = ITestEnvironment.TEMPORARY_ACCESS_USER;
 
     var tokenSigner = new TokenSigner(
       credentialsAdapter,
@@ -155,7 +155,7 @@ public void whenJwtSignedByWrongServiceAccount_ThenVerifyThrowsException() throw
       .setAudience(serviceAccount.email)
       .setIssuer(serviceAccount.email);
 
-    var jwt = credentialsAdapter.signJwt(IntegrationTestEnvironment.NO_ACCESS_USER, payload);
+    var jwt = credentialsAdapter.signJwt(ITestEnvironment.NO_ACCESS_USER, payload);
 
     assertThrows(
       TokenVerifier.VerificationException.class,
@@ -167,9 +167,9 @@ public void whenJwtSignedByWrongServiceAccount_ThenVerifyThrowsException() throw
   @Test
   public void whenJwtValid_ThenVerifySucceeds() throws Exception {
     var credentialsAdapter = new IamCredentialsClient(
-      IntegrationTestEnvironment.APPLICATION_CREDENTIALS,
+      ITestEnvironment.APPLICATION_CREDENTIALS,
       HttpTransport.Options.DEFAULT);
-    var serviceAccount = IntegrationTestEnvironment.NO_ACCESS_USER;
+    var serviceAccount = ITestEnvironment.NO_ACCESS_USER;
 
     var tokenSigner = new TokenSigner(
       credentialsAdapter,

sources/src/test/java/com/google/solutions/jitaccess/core/clients/TestAssetInventoryClient.java → sources/src/test/java/com/google/solutions/jitaccess/core/clients/ITestAssetInventoryClient.java

@@ -29,7 +29,7 @@
 
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
-public class TestAssetInventoryClient {
+public class ITestAssetInventoryClient {
   private static final ProjectId SAMPLE_PROJECT = new ProjectId("project-1");
 
   // -------------------------------------------------------------------------
@@ -39,7 +39,7 @@ public class TestAssetInventoryClient {
   @Test
   public void whenUnauthenticated_ThenGetEffectiveIamPoliciesThrowsException() {
     var adapter = new PolicyAnalyzerClient(
-      IntegrationTestEnvironment.INVALID_CREDENTIAL,
+      ITestEnvironment.INVALID_CREDENTIAL,
       HttpTransport.Options.DEFAULT);
 
     assertThrows(
@@ -52,7 +52,7 @@ public void whenUnauthenticated_ThenGetEffectiveIamPoliciesThrowsException() {
   @Test
   public void whenCallerLacksPermission_ThenGetEffectiveIamPoliciesThrowsException() {
     var adapter = new PolicyAnalyzerClient(
-      IntegrationTestEnvironment.NO_ACCESS_CREDENTIALS,
+      ITestEnvironment.NO_ACCESS_CREDENTIALS,
       HttpTransport.Options.DEFAULT);
 
     assertThrows(
@@ -65,13 +65,13 @@ public void whenCallerLacksPermission_ThenGetEffectiveIamPoliciesThrowsException
   @Test
   public void whenProjectDoesNotExist_ThenGetEffectiveIamPoliciesThrowsException() {
     var adapter = new PolicyAnalyzerClient(
-      IntegrationTestEnvironment.APPLICATION_CREDENTIALS,
+      ITestEnvironment.APPLICATION_CREDENTIALS,
       HttpTransport.Options.DEFAULT);
 
     assertThrows(
       ResourceNotFoundException.class,
       () -> adapter.getEffectiveIamPolicies(
-        "projects/" + IntegrationTestEnvironment.PROJECT_ID,
+        "projects/" + ITestEnvironment.PROJECT_ID,
         new ProjectId("0")));
   }
 }