test: increase test coverage for core package (#352)

* test(resource): add test cases for resource service

* test(grant): add unit test for revoke

* test(grant): add unit test for bulk revoke

* test(policy): increase test coverage

* test(provider): increase test coverage on provider pkg

* chore: implement expecter in mock crypto

Author: rahmatrhd

core/grant/service_test.go

@@ -3,6 +3,7 @@ package grant_test
 import (
 	"context"
 	"errors"
+	"fmt"
 	"testing"
 	"time"
 
@@ -23,6 +24,8 @@ type ServiceTestSuite struct {
 	mockRepository      *mocks.Repository
 	mockProviderService *mocks.ProviderService
 	mockResourceService *mocks.ResourceService
+	mockAuditLogger     *mocks.AuditLogger
+	mockNotifier        *mocks.Notifier
 	service             *grant.Service
 }
 
@@ -34,12 +37,16 @@ func (s *ServiceTestSuite) setup() {
 	s.mockRepository = new(mocks.Repository)
 	s.mockProviderService = new(mocks.ProviderService)
 	s.mockResourceService = new(mocks.ResourceService)
+	s.mockAuditLogger = new(mocks.AuditLogger)
+	s.mockNotifier = new(mocks.Notifier)
 	s.service = grant.NewService(grant.ServiceDeps{
 		Repository:      s.mockRepository,
 		Logger:          log.NewNoop(),
 		Validator:       validator.New(),
 		ProviderService: s.mockProviderService,
 		ResourceService: s.mockResourceService,
+		Notifier:        s.mockNotifier,
+		AuditLogger:     s.mockAuditLogger,
 	})
 }
 
@@ -122,6 +129,190 @@ func (s *ServiceTestSuite) TestGetByID() {
 	})
 }
 
+func (s *ServiceTestSuite) TestRevoke() {
+	id := uuid.New().String()
+	actor := "[email protected]"
+	reason := "test reason"
+	expectedGrantDetails := &domain.Grant{
+		ID:          id,
+		AccountID:   "test-account-id",
+		AccountType: "user",
+		Resource: &domain.Resource{
+			ID: "test-resource-id",
+		},
+	}
+
+	s.Run("should revoke grant on success", func() {
+		s.setup()
+
+		s.mockRepository.EXPECT().
+			GetByID(mock.AnythingOfType("*context.emptyCtx"), id).
+			Return(expectedGrantDetails, nil).Once()
+		s.mockRepository.EXPECT().
+			Update(mock.AnythingOfType("*context.emptyCtx"), mock.AnythingOfType("*domain.Grant")).
+			Run(func(_a0 context.Context, _a1 *domain.Grant) {
+				s.Equal(id, _a1.ID)
+				s.Equal(actor, _a1.RevokedBy)
+				s.Equal(reason, _a1.RevokeReason)
+				s.NotNil(_a1.RevokedAt)
+			}).
+			Return(nil).Once()
+		s.mockProviderService.EXPECT().
+			RevokeAccess(mock.AnythingOfType("*context.emptyCtx"), mock.AnythingOfType("domain.Grant")).
+			Run(func(_a0 context.Context, _a1 domain.Grant) {
+				s.Equal(id, _a1.ID)
+				s.Equal(expectedGrantDetails.AccountID, _a1.AccountID)
+				s.Equal(expectedGrantDetails.AccountType, _a1.AccountType)
+				s.Equal(expectedGrantDetails.Resource.ID, _a1.Resource.ID)
+			}).
+			Return(nil).Once()
+
+		s.mockNotifier.EXPECT().
+			Notify([]domain.Notification{{
+				User: expectedGrantDetails.CreatedBy,
+				Message: domain.NotificationMessage{
+					Type: domain.NotificationTypeAccessRevoked,
+					Variables: map[string]interface{}{
+						"resource_name": fmt.Sprintf("%s (%s: %s)", expectedGrantDetails.Resource.Name, expectedGrantDetails.Resource.ProviderType, expectedGrantDetails.Resource.URN),
+						"role":          expectedGrantDetails.Role,
+						"account_type":  expectedGrantDetails.AccountType,
+						"account_id":    expectedGrantDetails.AccountID,
+						"requestor":     expectedGrantDetails.Owner,
+					},
+				},
+			}}).
+			Return(nil).Once()
+		s.mockAuditLogger.EXPECT().
+			Log(mock.AnythingOfType("*context.emptyCtx"), grant.AuditKeyRevoke, map[string]interface{}{
+				"grant_id": id,
+				"reason":   reason,
+			}).
+			Return(nil).Once()
+
+		expectedGrant, err := s.service.Revoke(context.Background(), id, actor, reason)
+
+		s.NoError(err)
+		s.Equal(id, expectedGrant.ID)
+		s.Equal(actor, expectedGrant.RevokedBy)
+		s.Equal(reason, expectedGrant.RevokeReason)
+		s.NotNil(expectedGrant.RevokedAt)
+		s.Less(*expectedGrant.RevokedAt, time.Now())
+		s.mockRepository.AssertExpectations(s.T())
+	})
+
+	s.Run("should skip revoke in provider and notifications as configured", func() {
+		s.setup()
+
+		s.mockRepository.EXPECT().
+			GetByID(mock.AnythingOfType("*context.emptyCtx"), id).
+			Return(expectedGrantDetails, nil).Once()
+		s.mockRepository.EXPECT().
+			Update(mock.AnythingOfType("*context.emptyCtx"), mock.AnythingOfType("*domain.Grant")).
+			Run(func(_a0 context.Context, _a1 *domain.Grant) {
+				s.Equal(id, _a1.ID)
+				s.Equal(actor, _a1.RevokedBy)
+				s.Equal(reason, _a1.RevokeReason)
+				s.NotNil(_a1.RevokedAt)
+			}).
+			Return(nil).Once()
+
+		s.mockAuditLogger.EXPECT().
+			Log(mock.AnythingOfType("*context.emptyCtx"), grant.AuditKeyRevoke, map[string]interface{}{
+				"grant_id": id,
+				"reason":   reason,
+			}).
+			Return(nil).Once()
+
+		expectedGrant, err := s.service.Revoke(context.Background(), id, actor, reason, grant.SkipRevokeAccessInProvider(), grant.SkipNotifications())
+
+		s.NoError(err)
+		s.Equal(id, expectedGrant.ID)
+		s.Equal(actor, expectedGrant.RevokedBy)
+		s.Equal(reason, expectedGrant.RevokeReason)
+		s.NotNil(expectedGrant.RevokedAt)
+		s.Less(*expectedGrant.RevokedAt, time.Now())
+		s.mockRepository.AssertExpectations(s.T())
+	})
+}
+
+func (s *ServiceTestSuite) TestBulkRevoke() {
+	actor := "[email protected]"
+	reason := "test reason"
+	filter := domain.RevokeGrantsFilter{
+		AccountIDs: []string{"test-account-id"},
+	}
+	expectedGrants := []domain.Grant{
+		{
+			ID:          "id1",
+			AccountID:   "test-account-id",
+			AccountType: "user",
+			Resource: &domain.Resource{
+				ID: "test-resource-id",
+			},
+		},
+		{
+			ID:          "id2",
+			AccountID:   "test-account-id",
+			AccountType: "user",
+			Resource: &domain.Resource{
+				ID: "test-resource-id",
+			},
+		},
+	}
+
+	s.Run("should return revoked grants on success", func() {
+		s.setup()
+
+		expectedListGrantsFilter := domain.ListGrantsFilter{
+			Statuses:      []string{string(domain.GrantStatusActive)},
+			AccountIDs:    filter.AccountIDs,
+			ProviderTypes: filter.ProviderTypes,
+			ProviderURNs:  filter.ProviderURNs,
+			ResourceTypes: filter.ResourceTypes,
+			ResourceURNs:  filter.ResourceURNs,
+		}
+
+		s.mockRepository.EXPECT().
+			List(mock.AnythingOfType("*context.emptyCtx"), expectedListGrantsFilter).
+			Return(expectedGrants, nil).Once()
+		for _, g := range expectedGrants {
+			grant := g
+			s.mockProviderService.EXPECT().
+				RevokeAccess(mock.AnythingOfType("*context.emptyCtx"), mock.AnythingOfType("domain.Grant")).
+				Run(func(_a0 context.Context, _a1 domain.Grant) {
+					s.Equal(grant.ID, _a1.ID)
+					s.Equal(grant.AccountID, _a1.AccountID)
+					s.Equal(grant.AccountType, _a1.AccountType)
+					s.Equal(grant.Resource.ID, _a1.Resource.ID)
+				}).
+				Return(nil).Once()
+
+			s.mockRepository.EXPECT().
+				Update(mock.AnythingOfType("*context.emptyCtx"), mock.AnythingOfType("*domain.Grant")).
+				Run(func(_a0 context.Context, _a1 *domain.Grant) {
+					s.Equal(grant.ID, _a1.ID)
+					s.Equal(actor, _a1.RevokedBy)
+					s.Equal(reason, _a1.RevokeReason)
+					s.NotNil(_a1.RevokedAt)
+				}).
+				Return(nil).Once()
+		}
+
+		revokedGrants, actualError := s.service.BulkRevoke(context.Background(), filter, actor, reason)
+
+		s.NoError(actualError)
+		for i, g := range revokedGrants {
+			revokedGrant := g
+			expectedGrant := expectedGrants[i]
+			s.Equal(expectedGrant.ID, revokedGrant.ID)
+			s.Equal(actor, revokedGrant.RevokedBy)
+			s.Equal(reason, revokedGrant.RevokeReason)
+			s.NotNil(revokedGrant.RevokedAt)
+			s.Less(*revokedGrant.RevokedAt, time.Now())
+		}
+	})
+}
+
 func (s *ServiceTestSuite) TestPrepare() {
 	s.Run("should return error if appeal is invalid", func() {
 		testCases := []struct {
@@ -339,7 +530,7 @@ func (s *ServiceTestSuite) TestImportFromProvider() {
 						{
 							AccountID:   "test-account-id-2",
 							AccountType: "serviceAccount",
-							Permission:  "test-permission",
+							Permission:  "test-permission-2",
 						},
 					},
 				},
@@ -362,8 +553,8 @@ func (s *ServiceTestSuite) TestImportFromProvider() {
 						ResourceID:       "test-resource-id",
 						AccountID:        "test-account-id-2",
 						AccountType:      "serviceAccount",
-						Role:             "test-role-id",
-						Permissions:      []string{"test-permission"},
+						Role:             "test-permission-2",
+						Permissions:      []string{"test-permission-2"},
 						IsPermanent:      true,
 						Status:           domain.GrantStatusActive,
 						StatusInProvider: domain.GrantStatusActive,

core/policy/service_test.go

@@ -24,6 +24,7 @@ type ServiceTestSuite struct {
 	mockResourceService  *policymocks.ResourceService
 	mockProviderService  *policymocks.ProviderService
 	mockAuditLogger      *policymocks.AuditLogger
+	mockCrypto           *mocks.Crypto
 	service              *policy.Service
 }
 
@@ -33,9 +34,9 @@ func (s *ServiceTestSuite) SetupTest() {
 	s.mockProviderService = new(policymocks.ProviderService)
 	s.mockAuditLogger = new(policymocks.AuditLogger)
 
-	mockCrypto := new(mocks.Crypto)
+	s.mockCrypto = new(mocks.Crypto)
 	v := validator.New()
-	iamManager := identities.NewManager(mockCrypto, v)
+	iamManager := identities.NewManager(s.mockCrypto, v)
 
 	s.service = policy.NewService(policy.ServiceDeps{
 		Repository:      s.mockPolicyRepository,
@@ -325,11 +326,24 @@ func (s *ServiceTestSuite) TestCreate() {
 			AllowPermanentAccess:         false,
 			AllowActiveAccessExtensionIn: "24h",
 		},
+		IAM: &domain.IAMConfig{
+			Provider: "http",
+			Config: map[string]interface{}{
+				"url": "http://test-localhost:8080",
+				"auth": map[string]interface{}{
+					"type":     "basic",
+					"username": "test-user",
+					"password": "test-password",
+				},
+			},
+		},
 	}
 
 	s.Run("should return error if got error from the policy repository", func() {
 		expectedError := errors.New("error from repository")
 		s.mockPolicyRepository.EXPECT().Create(mock.AnythingOfType("*context.emptyCtx"), mock.Anything).Return(expectedError).Once()
+		s.mockCrypto.EXPECT().Encrypt("test-password").Return("test-password", nil).Once()
+		s.mockCrypto.EXPECT().Decrypt("test-password").Return("test-password", nil).Once()
 
 		actualError := s.service.Create(context.Background(), validPolicy)
 
@@ -344,6 +358,8 @@ func (s *ServiceTestSuite) TestCreate() {
 
 		expectedVersion := uint(1)
 		s.mockPolicyRepository.EXPECT().Create(mock.AnythingOfType("*context.emptyCtx"), p).Return(nil).Once()
+		s.mockCrypto.EXPECT().Encrypt("test-password").Return("test-password", nil).Once()
+		s.mockCrypto.EXPECT().Decrypt("test-password").Return("test-password", nil).Once()
 		s.mockAuditLogger.EXPECT().Log(mock.Anything, policy.AuditKeyPolicyCreate, mock.Anything).Return(nil).Once()
 
 		actualError := s.service.Create(context.Background(), p)
@@ -357,6 +373,8 @@ func (s *ServiceTestSuite) TestCreate() {
 	s.Run("should pass the model from the param", func() {
 		s.mockPolicyRepository.EXPECT().Create(mock.AnythingOfType("*context.emptyCtx"), validPolicy).Return(nil).Once()
 		s.mockAuditLogger.EXPECT().Log(mock.Anything, policy.AuditKeyPolicyCreate, mock.Anything).Return(nil).Once()
+		s.mockCrypto.EXPECT().Encrypt("test-password").Return("test-password", nil).Once()
+		s.mockCrypto.EXPECT().Decrypt("test-password").Return("test-password", nil).Once()
 
 		actualError := s.service.Create(context.Background(), validPolicy)
 
@@ -628,8 +646,23 @@ func (s *ServiceTestSuite) TestFind() {
 	})
 
 	s.Run("should return list of records on success", func() {
-		expectedResult := []*domain.Policy{}
+		expectedResult := []*domain.Policy{
+			{
+				IAM: &domain.IAMConfig{
+					Provider: "http",
+					Config: map[string]interface{}{
+						"url": "http://test-localhost:8080",
+						"auth": map[string]interface{}{
+							"type":     "basic",
+							"username": "test-user",
+							"password": "test-password",
+						},
+					},
+				},
+			},
+		}
 		s.mockPolicyRepository.EXPECT().Find(mock.AnythingOfType("*context.emptyCtx")).Return(expectedResult, nil).Once()
+		s.mockCrypto.EXPECT().Decrypt("test-password").Return("test-password", nil).Once()
 
 		actualResult, actualError := s.service.Find(context.Background())
 
@@ -651,8 +684,21 @@ func (s *ServiceTestSuite) TestGetOne() {
 	})
 
 	s.Run("should return list of records on success", func() {
-		expectedResult := &domain.Policy{}
+		expectedResult := &domain.Policy{
+			IAM: &domain.IAMConfig{
+				Provider: "http",
+				Config: map[string]interface{}{
+					"url": "http://test-localhost:8080",
+					"auth": map[string]interface{}{
+						"type":     "basic",
+						"username": "test-user",
+						"password": "test-password",
+					},
+				},
+			},
+		}
 		s.mockPolicyRepository.EXPECT().GetOne(mock.AnythingOfType("*context.emptyCtx"), mock.Anything, mock.Anything).Return(expectedResult, nil).Once()
+		s.mockCrypto.EXPECT().Decrypt("test-password").Return("test-password", nil).Once()
 
 		actualResult, actualError := s.service.GetOne(context.Background(), "", 0)
 
@@ -685,6 +731,17 @@ func (s *ServiceTestSuite) TestUpdate() {
 					},
 				},
 			},
+			IAM: &domain.IAMConfig{
+				Provider: "http",
+				Config: map[string]interface{}{
+					"url": "http://test-localhost:8080",
+					"auth": map[string]interface{}{
+						"type":     "basic",
+						"username": "test-user",
+						"password": "test-password",
+					},
+				},
+			},
 		}
 
 		expectedLatestPolicy := &domain.Policy{
@@ -694,6 +751,8 @@ func (s *ServiceTestSuite) TestUpdate() {
 		expectedNewVersion := uint(6)
 		s.mockPolicyRepository.EXPECT().GetOne(mock.AnythingOfType("*context.emptyCtx"), p.ID, uint(0)).Return(expectedLatestPolicy, nil).Once()
 		s.mockPolicyRepository.EXPECT().Create(mock.AnythingOfType("*context.emptyCtx"), p).Return(nil)
+		s.mockCrypto.EXPECT().Encrypt("test-password").Return("test-password", nil).Once()
+		s.mockCrypto.EXPECT().Decrypt("test-password").Return("test-password", nil).Once()
 		s.mockAuditLogger.EXPECT().Log(mock.Anything, policy.AuditKeyPolicyUpdate, mock.Anything).Return(nil).Once()
 
 		s.service.Update(context.Background(), p)