diff --git a/docs/docs/introduction.md b/docs/docs/introduction.md index 53451f275..bbccb1eb1 100644 --- a/docs/docs/introduction.md +++ b/docs/docs/introduction.md @@ -39,7 +39,7 @@ For more information on using the Guardian CLI, see the [CLI Reference](./refere #### HTTPS API -You can get hands on appeal creation, approval updatation, access revocation and much more by using the Guardian HTTPS API, which lets you issue HTTPS requests directly to the service. When you use the HTTPS API, you must include the username in the request header, which will be used by [Shield](https://guardian.vercel.app/shield/) for authorization. For more information, see the [API Reference](/reference/api.md) page. +You can get hands on appeal creation, approval updatation, access revocation and much more by using the Guardian HTTPS API, which lets you issue HTTPS requests directly to the service. When you use the HTTPS API, you must include the username in the request header, which will be used by [Frontier](https://guardian.vercel.app/frontier/) for authorization. For more information, see the [API Reference](/reference/api.md) page. ## Where to go from here diff --git a/docs/docs/reference/policy.md b/docs/docs/reference/policy.md index 862052512..9c3232f15 100644 --- a/docs/docs/reference/policy.md +++ b/docs/docs/reference/policy.md @@ -123,7 +123,7 @@ requirements: | Field | Type | Description | Required | | :----- | :---- | :------ | :------ | -| `provider` | `string` | Identity manager type. Supported types are `http` and `shield` | YES | +| `provider` | `string` | Identity manager type. Supported types are `http` and `frontier` | YES | | `config` | `object`| Client configuration according to the `provider` type | YES | | `schema` | `map` | User (appeal creator) profile details schema to be shown in the `creator` field in an appeal | NO | diff --git a/internal/server/config.yaml b/internal/server/config.yaml index 808c1a74a..ed74efb7a 100644 --- a/internal/server/config.yaml +++ b/internal/server/config.yaml @@ -14,8 +14,9 @@ GRPC: TIMEOUT_IN_SECONDS: 5 MAX_CALL_RECV_MSG_SIZE: 33554432 MAX_CALL_SEND_MSG_SIZE: 33554432 -ENCRYPTION_SECRET_KEY: +ENCRYPTION_SECRET_KEY: "" AUTHENTICATED_USER_HEADER_KEY: X-Auth-Email +AUDIT_LOG_TRACE_ID_HEADER_KEY: X-Trace-Id LOG: LEVEL: info DB: @@ -27,11 +28,18 @@ DB: SSLMODE: disable NOTIFIER: PROVIDER: slack - ACCESS_TOKEN: + ACCESS_TOKEN: WORKSPACES: - WORKSPACE: raystack - ACCESS_TOKEN: + ACCESS_TOKEN: CRITERIA: "email contains '@raystack.io'" + MESSAGES: + EXPIRATION_REMINDER: "Your access {{.account_id}} to {{.resource_name}} with role {{.role}} will expire at {{.expiration_date}}. Extend the access if it's still needed" + APPEAL_APPROVED: "Your appeal to {{.resource_name}} with role {{.role}} has been approved" + APPEAL_REJECTED: "Your appeal to {{.resource_name}} with role {{.role}} has been rejected" + ACCESS_REVOKED: "Your access to {{.resource_name}}} with role {{.role}} has been revoked" + APPROVER_NOTIFICATION: "You have an appeal created by {{.requestor}} requesting access to {{.resource_name}} with role {{.role}}. Appeal ID: {{.appeal_id}}" + OTHERS_APPEAL_APPROVED: "Your appeal to {{.resource_name}} with role {{.role}} created by {{.requestor}} has been approved" JOBS: FETCH_RESOURCES: ENABLED: true diff --git a/plugins/providers/frontier/client.go b/plugins/providers/frontier/client.go index 670e6eb78..4eb260e8b 100644 --- a/plugins/providers/frontier/client.go +++ b/plugins/providers/frontier/client.go @@ -17,23 +17,29 @@ import ( ) const ( - groupsEndpoint = "/v1beta1/groups" - projectsEndpoint = "/v1beta1/projects" + groupsEndpoint = "/v1beta1/organizations/%s/groups" + projectsEndpoint = "/v1beta1/organizations/%s/projects" organizationEndpoint = "/v1beta1/organizations" selfUserEndpoint = "/v1beta1/users/self" + createPolicyEndpoint = "/v1beta1/policies" groupsConst = "groups" projectsConst = "projects" organizationsConst = "organizations" usersConst = "users" userConst = "user" + policiesConst = "policies" ) type successAccess interface{} +type Policy struct { + ID string `json:"id"` +} + type Client interface { - GetTeams() ([]*Team, error) - GetProjects() ([]*Project, error) + GetTeams(orgID string) ([]*Team, error) + GetProjects(orgID string) ([]*Project, error) GetOrganizations() ([]*Organization, error) GrantTeamAccess(team *Team, userId string, role string) error RevokeTeamAccess(team *Team, userId string, role string) error @@ -77,7 +83,7 @@ func NewClient(config *ClientConfig, logger log.Logger) (*client, error) { httpClient := config.HTTPClient if httpClient == nil { - httpClient = tracing.NewHttpClient("ShieldHttpClient") + httpClient = tracing.NewHttpClient("FrontierHttpClient") } c := &client{ @@ -144,7 +150,8 @@ func (c *client) GetAdminsOfGivenResourceType(id string, resourceTypeEndPoint st return userEmails, err } -func (c *client) GetTeams() ([]*Team, error) { +func (c *client) GetTeams(orgID string) ([]*Team, error) { + groupsEndpoint := fmt.Sprintf(groupsEndpoint, orgID) req, err := c.newRequest(http.MethodGet, groupsEndpoint, nil, "") if err != nil { return nil, err @@ -173,7 +180,8 @@ func (c *client) GetTeams() ([]*Team, error) { return teams, err } -func (c *client) GetProjects() ([]*Project, error) { +func (c *client) GetProjects(orgID string) ([]*Project, error) { + projectsEndpoint := fmt.Sprintf(projectsEndpoint, orgID) req, err := c.newRequest(http.MethodGet, projectsEndpoint, nil, "") if err != nil { return nil, err @@ -233,130 +241,134 @@ func (c *client) GetOrganizations() ([]*Organization, error) { } func (c *client) GrantTeamAccess(resource *Team, userId string, role string) error { - body := make(map[string][]string) - body["userIds"] = append(body["userIds"], userId) + body := make(map[string]string) + body["principal"] = fmt.Sprintf("%s:%s", "app/user", userId) + body["resource"] = fmt.Sprintf("%s:%s", "app/group", resource.ID) + body["roleId"] = role - endPoint := path.Join(groupsEndpoint, "/", resource.ID, "/", role) - req, err := c.newRequest(http.MethodPost, endPoint, body, "") + req, err := c.newRequest(http.MethodPost, createPolicyEndpoint, body, "") if err != nil { return err } - var users []*User var response interface{} if _, err := c.do(req, &response); err != nil { + c.logger.Error("Failed to grant access to the user", "Users", userId, req.URL) return err } - if v, ok := response.(map[string]interface{}); ok && v[usersConst] != nil { - err = mapstructure.Decode(v[usersConst], &users) - if err != nil { - return err - } - } - - c.logger.Info("Team access to the user,", "total users", len(users), req.URL) - + c.logger.Info("Team access to the user", "Users", userId, req.URL) return nil } func (c *client) GrantProjectAccess(resource *Project, userId string, role string) error { - body := make(map[string][]string) - body["userIds"] = append(body["userIds"], userId) + body := make(map[string]string) + body["principal"] = fmt.Sprintf("%s:%s", "app/user", userId) + body["resource"] = fmt.Sprintf("%s:%s", "app/project", resource.ID) + body["roleId"] = role - endPoint := path.Join(projectsEndpoint, "/", resource.ID, "/", role) - req, err := c.newRequest(http.MethodPost, endPoint, body, "") + req, err := c.newRequest(http.MethodPost, createPolicyEndpoint, body, "") if err != nil { return err } - var users []*User var response interface{} if _, err := c.do(req, &response); err != nil { + c.logger.Error("Failed to grant access to the user", "Users", userId, req.URL) return err } - if v, ok := response.(map[string]interface{}); ok && v[usersConst] != nil { - err = mapstructure.Decode(v[usersConst], &users) - if err != nil { - return err - } - } - - c.logger.Info("Project access to the user,", "total users", len(users), req.URL) + c.logger.Info("Project access to the user", "Users", userId, req.URL) return nil } -func (c *client) GrantOrganizationAccess(resource *Organization, userId string, role string) error { - body := make(map[string][]string) - body["userIds"] = append(body["userIds"], userId) - - endPoint := path.Join(organizationEndpoint, "/", resource.ID, "/", role) - req, err := c.newRequest(http.MethodPost, endPoint, body, "") +func (c *client) GrantOrganizationAccess(resource *Organization, userId string, roleId string) error { + body := make(map[string]string) + body["roleId"] = roleId + body["resource"] = fmt.Sprintf("%s:%s", "app/organization", resource.ID) + body["principal"] = fmt.Sprintf("%s:%s", "app/user", userId) + req, err := c.newRequest(http.MethodPost, createPolicyEndpoint, body, "") if err != nil { return err } - var users []*User var response interface{} if _, err := c.do(req, &response); err != nil { + c.logger.Error("Failed to grant access to the user", "Users", userId, req.URL) return err } - if v, ok := response.(map[string]interface{}); ok && v[usersConst] != nil { - err = mapstructure.Decode(v[usersConst], &users) - if err != nil { - return err - } - } - - c.logger.Info("Organization access to the user,", "total users", len(users), req.URL) + c.logger.Info("Organization access to the user,", "Users", userId, req.URL) return nil } func (c *client) RevokeTeamAccess(resource *Team, userId string, role string) error { - endPoint := path.Join(groupsEndpoint, "/", resource.ID, "/", role, "/", userId) - req, err := c.newRequest(http.MethodDelete, endPoint, "", "") + endpoint := createPolicyEndpoint + "?groupId=" + resource.ID + "&userId=" + userId + "&roleId=" + role + req, err := c.newRequest(http.MethodGet, endpoint, "", "") if err != nil { return err } - var success successAccess + var policies []*Policy var response interface{} if _, err := c.do(req, &response); err != nil { return err } if v, ok := response.(map[string]interface{}); ok && v != nil { - err = mapstructure.Decode(v, &success) + err = mapstructure.Decode(v[policiesConst], &policies) + if err != nil { + return err + } + } + + for _, policy := range policies { + endPoint := path.Join(createPolicyEndpoint, "/", policy.ID) + req, err := c.newRequest(http.MethodDelete, endPoint, "", "") if err != nil { return err } + if _, err := c.do(req, &response); err != nil { + c.logger.Error("Failed to revoke access of the user from team", "Users", userId, req.URL) + return err + } } - c.logger.Info("Remove access of the user from team,", "Users", userId, req.URL) + c.logger.Info("Remove access of the user from team", "Users", userId, req.URL) return nil } func (c *client) RevokeProjectAccess(resource *Project, userId string, role string) error { - endPoint := path.Join(projectsEndpoint, "/", resource.ID, "/", role, "/", userId) - req, err := c.newRequest(http.MethodDelete, endPoint, "", "") + endpoint := createPolicyEndpoint + "?projectId=" + resource.ID + "&userId=" + userId + "&roleId=" + role + req, err := c.newRequest(http.MethodGet, endpoint, "", "") if err != nil { return err } - var success successAccess + var policies []*Policy var response interface{} if _, err := c.do(req, &response); err != nil { return err } if v, ok := response.(map[string]interface{}); ok && v != nil { - err = mapstructure.Decode(v, &success) + err = mapstructure.Decode(v[policiesConst], &policies) + if err != nil { + return err + } + } + + for _, policy := range policies { + endPoint := path.Join(createPolicyEndpoint, "/", policy.ID) + req, err := c.newRequest(http.MethodDelete, endPoint, "", "") if err != nil { return err } + if _, err := c.do(req, &response); err != nil { + c.logger.Error("Failed to revoke access of the user from project", "Users", userId, req.URL) + return err + } } c.logger.Info("Remove access of the user from project", "Users", userId, req.URL) @@ -364,23 +376,34 @@ func (c *client) RevokeProjectAccess(resource *Project, userId string, role stri } func (c *client) RevokeOrganizationAccess(resource *Organization, userId string, role string) error { - endPoint := path.Join(organizationEndpoint, "/", resource.ID, "/", role, "/", userId) - req, err := c.newRequest(http.MethodDelete, endPoint, "", "") + endpoint := createPolicyEndpoint + "?orgId=" + resource.ID + "&userId=" + userId + "&roleId=" + role + req, err := c.newRequest(http.MethodGet, endpoint, "", "") if err != nil { return err } - var success successAccess + var policies []*Policy var response interface{} if _, err := c.do(req, &response); err != nil { return err } if v, ok := response.(map[string]interface{}); ok && v != nil { - err = mapstructure.Decode(v, &success) + err = mapstructure.Decode(v[policiesConst], &policies) + if err != nil { + return err + } + } + + for _, policy := range policies { + endPoint := path.Join(createPolicyEndpoint, "/", policy.ID) + req, err := c.newRequest(http.MethodDelete, endPoint, "", "") if err != nil { return err } + if _, err := c.do(req, &response); err != nil { + return err + } } c.logger.Info("Remove access of the user from organization", "Users", userId, req.URL) diff --git a/plugins/providers/frontier/client_test.go b/plugins/providers/frontier/client_test.go index a532bfd54..d7db2a508 100644 --- a/plugins/providers/frontier/client_test.go +++ b/plugins/providers/frontier/client_test.go @@ -1,607 +1,607 @@ package frontier_test -import ( - "bytes" - "encoding/json" - "fmt" - "io" - "io/ioutil" - "net/http" - "testing" - - "github.com/stretchr/testify/mock" - - "github.com/raystack/salt/log" - - "github.com/raystack/guardian/mocks" - "github.com/raystack/guardian/plugins/providers/frontier" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/suite" -) - -func TestNewClient(t *testing.T) { - t.Run("should return error if config is invalid", func(t *testing.T) { - invalidConfig := &frontier.ClientConfig{} - logger := log.NewLogrus(log.LogrusWithLevel("info")) - actualClient, actualError := frontier.NewClient(invalidConfig, logger) - - assert.Nil(t, actualClient) - assert.Error(t, actualError) - }) - - t.Run("should return error if config.Host is not a valid url", func(t *testing.T) { - invalidHostConfig := &frontier.ClientConfig{ - AuthHeader: "X-Auth-Email", - AuthEmail: "test-email", - Host: "invalid-url", - } - logger := log.NewLogrus(log.LogrusWithLevel("info")) - actualClient, actualError := frontier.NewClient(invalidHostConfig, logger) - - assert.Nil(t, actualClient) - assert.Error(t, actualError) - }) - - t.Run("should return client and nil error on success", func(t *testing.T) { - // TODO: test http request execution - mockHttpClient := new(mocks.HTTPClient) - config := &frontier.ClientConfig{ - AuthHeader: "X-Auth-Email", - AuthEmail: "test_email", - Host: "http://localhost", - HTTPClient: mockHttpClient, - } - logger := log.NewLogrus(log.LogrusWithLevel("info")) - - _, actualError := frontier.NewClient(config, logger) - mockHttpClient.AssertExpectations(t) - assert.Nil(t, actualError) - }) -} - -type ClientTestSuite struct { - suite.Suite - - mockHttpClient *mocks.HTTPClient - client frontier.Client - authHeader string - auth string - host string -} - -func TestClient(t *testing.T) { - suite.Run(t, new(ClientTestSuite)) -} - -func (s *ClientTestSuite) setup() { - logger := log.NewNoop() - s.mockHttpClient = new(mocks.HTTPClient) - - s.host = "http://localhost" - s.auth = "shield_admin" - s.authHeader = "X-Auth-Email" - client, err := frontier.NewClient(&frontier.ClientConfig{ - AuthHeader: s.authHeader, - AuthEmail: s.auth, - Host: s.host, - HTTPClient: s.mockHttpClient, - }, logger) - s.Require().NoError(err) - s.client = client -} - -func (s *ClientTestSuite) getTestRequest(method, path string, body interface{}, authEmail string) (*http.Request, error) { - var buf io.ReadWriter - if body != nil { - buf = new(bytes.Buffer) - err := json.NewEncoder(buf).Encode(body) - if err != nil { - return nil, err - } - } - url := fmt.Sprintf("%s%s", s.host, path) - req, err := http.NewRequest(method, url, buf) - if err != nil { - return nil, err - } - if body != nil { - req.Header.Set("Content-Type", "application/json") - } - if authEmail == "" { - req.Header.Set(s.authHeader, s.auth) - } else { - req.Header.Set(s.authHeader, authEmail) - } - req.Header.Set("Accept", "application/json") - return req, nil -} - -func (s *ClientTestSuite) TestGetTeams() { - s.Run("should get teams and nil error on success", func() { - s.setup() - - testRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/groups", nil, "") - s.Require().NoError(err) - - teamResponseJSON := `{ - "groups": [ - { - "id": "team_id_1", - "name": "team_1", - "slug": "team_1", - "orgId": "org_id_1", - "metadata": { - "email": "team_1@email.com", - "privacy": "public", - "slack": "@team_1" - }, - "createdAt": "2022-03-17T06:19:47.176089Z", - "updatedAt": "2022-03-17T06:19:47.176089Z" - }, - { - "id": "team_id_2", - "name": "team_2", - "slug": "team_2", - "orgId": "org_id_1", - "metadata": { - "email": "team_2@email.com", - "privacy": "public", - "slack": "@team_2" - }, - "createdAt": "2022-03-30T10:49:10.965916Z", - "updatedAt": "2022-03-30T10:49:10.965916Z" - } - ] - }` - teamResponse := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(teamResponseJSON)))} - s.mockHttpClient.On("Do", testRequest).Return(&teamResponse, nil).Once() - - expectedTeams := []frontier.Team{ - { - ID: "team_id_1", - Name: "team_1", - Slug: "team_1", - OrgId: "org_id_1", - Metadata: frontier.Metadata{ - Email: "team_1@email.com", - Privacy: "public", - Slack: "@team_1", - }, - Admins: []string{"test.admin@email.com"}, - }, - { - ID: "team_id_2", - Name: "team_2", - Slug: "team_2", - OrgId: "org_id_1", - Metadata: frontier.Metadata{ - Email: "team_2@email.com", - Privacy: "public", - Slack: "@team_2", - }, - Admins: []string{"test.admin@email.com"}, - }, - } - - testAdminsRequest1, err := s.getTestRequest(http.MethodGet, "/v1beta1/groups/team_id_1/admins", nil, "") - s.Require().NoError(err) - - testAdminsRequest2, err := s.getTestRequest(http.MethodGet, "/v1beta1/groups/team_id_2/admins", nil, "") - s.Require().NoError(err) - - teamAdminResponse := `{ - "users": [ - { - "id": "admin_id", - "name": "Test_Admin", - "slug": "Test_Admin", - "email": "test.admin@email.com", - "metadata": { - "slack": "@Test_Admin" - }, - "createdAt": "2022-03-17T09:43:12.391071Z", - "updatedAt": "2022-03-17T09:43:12.391071Z" - }] - }` - - teamAdminResponse1 := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(teamAdminResponse)))} - s.mockHttpClient.On("Do", testAdminsRequest1).Return(&teamAdminResponse1, nil).Once() - - teamAdminResponse2 := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(teamAdminResponse)))} - s.mockHttpClient.On("Do", testAdminsRequest2).Return(&teamAdminResponse2, nil).Once() - - result, err1 := s.client.GetTeams() - var teams []frontier.Team - for _, team := range result { - teams = append(teams, *team) - } - s.Nil(err1) - s.ElementsMatch(expectedTeams, teams) - }) -} - -func (s *ClientTestSuite) TestGetProjects() { - s.Run("should get projects and nil error on success", func() { - s.setup() - - testRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/projects", nil, "") - s.Require().NoError(err) - - projectResponseJSON := `{ - "projects": [ - { - "id": "project_id_1", - "name": "project_1", - "slug": "project_1", - "orgId": "org_id_1", - "metadata": { - "environment": "integration", - "landscape": "core", - "organization": "gtfn" - }, - "createdAt": "2022-03-17T06:19:47.176089Z", - "updatedAt": "2022-03-17T06:19:47.176089Z" - } - ] - }` - projectResponse := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(projectResponseJSON)))} - s.mockHttpClient.On("Do", testRequest).Return(&projectResponse, nil).Once() - - expectedProjects := []frontier.Project{ - { - ID: "project_id_1", - Name: "project_1", - Slug: "project_1", - OrgId: "org_id_1", - Admins: []string{"test.admin@email.com"}, - }, - } - - testAdminsRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/projects/project_id_1/admins", nil, "") - s.Require().NoError(err) - - projectAdminResponse := `{ - "users": [ - { - "id": "admin_id", - "name": "Test_Admin", - "slug": "Test_Admin", - "email": "test.admin@email.com", - "metadata": { - "slack": "@Test_Admin" - }, - "createdAt": "2022-03-17T09:43:12.391071Z", - "updatedAt": "2022-03-17T09:43:12.391071Z" - } - ] - }` - - projectAdminResponse1 := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(projectAdminResponse)))} - s.mockHttpClient.On("Do", testAdminsRequest).Return(&projectAdminResponse1, nil).Once() - - result, err1 := s.client.GetProjects() - var projects []frontier.Project - for _, project := range result { - projects = append(projects, *project) - } - s.Nil(err1) - s.ElementsMatch(expectedProjects, projects) - }) -} - -func (s *ClientTestSuite) TestGetOrganizations() { - s.Run("should get organizations and nil error on success", func() { - s.setup() - - testRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/organizations", nil, "") - s.Require().NoError(err) - - organizationsResponseJSON := `{ - "organizations": [ - { - "id": "org_id_1", - "name": "org_1", - "slug": "org_1", - "metadata": { - "dwh_group_id": "dwh_group", - "dwh_team_name": "dwh_team" - }, - "createdAt": "2022-03-17T06:19:47.176089Z", - "updatedAt": "2022-03-17T06:19:47.176089Z" - } - ] - }` - orgResponse := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(organizationsResponseJSON)))} - s.mockHttpClient.On("Do", testRequest).Return(&orgResponse, nil).Once() - - expectedOrganizations := []frontier.Organization{ - { - ID: "org_id_1", - Name: "org_1", - Slug: "org_1", - Admins: []string{"test.admin@email.com"}, - }, - } - - testAdminsRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/organizations/org_id_1/admins", nil, "") - s.Require().NoError(err) - - orgAdminResponse := `{ - "users": [ - { - "id": "admin_id", - "name": "Test_Admin", - "slug": "Test_Admin", - "email": "test.admin@email.com", - "metadata": { - "slack": "@Test_Admin" - }, - "createdAt": "2022-03-17T09:43:12.391071Z", - "updatedAt": "2022-03-17T09:43:12.391071Z" - } - ] - }` - - orgAdminResponse1 := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(orgAdminResponse)))} - s.mockHttpClient.On("Do", testAdminsRequest).Return(&orgAdminResponse1, nil).Once() - - result, err1 := s.client.GetOrganizations() - var orgs []frontier.Organization - for _, org := range result { - orgs = append(orgs, *org) - } - s.Nil(err1) - s.ElementsMatch(expectedOrganizations, orgs) - }) -} - -func (s *ClientTestSuite) TestGrantTeamAccess() { - s.Run("should grant access to team and nil error on success", func() { - s.setup() - - testUserId := "test_user_id" - - body := make(map[string][]string) - body["userIds"] = append(body["userIds"], testUserId) - - var teamObj *frontier.Team - teamObj = new(frontier.Team) - teamObj.ID = "test_team_id" - - role := "users" - - responseJson := `{ - "users": [ - { - "id": "test_user_id", - "name": "Test_User", - "slug": "Test_User", - "email": "test.user@email.com", - "metadata": { - "slack": "@Test_Admin" - }, - "createdAt": "2022-03-17T09:43:12.391071Z", - "updatedAt": "2022-03-17T09:43:12.391071Z" - } - ] - }` - - responseUsers := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} - s.mockHttpClient.On("Do", mock.AnythingOfType("*http.Request")).Return(&responseUsers, nil).Once() - - actualError := s.client.GrantTeamAccess(teamObj, testUserId, role) - s.Nil(actualError) - }) -} - -func (s *ClientTestSuite) TestGrantProjectAccess() { - s.Run("should grant access to project and nil error on success", func() { - s.setup() - - testUserId := "test_user_id" - - body := make(map[string][]string) - body["userIds"] = append(body["userIds"], testUserId) - - var projectObj *frontier.Project - projectObj = new(frontier.Project) - projectObj.ID = "test_project_id" - - role := "admins" - - responseJson := `{ - "users": [ - { - "id": "test_user_id", - "name": "Test_User", - "slug": "Test_User", - "email": "test.user@email.com", - "metadata": { - "slack": "@Test_Admin" - }, - "createdAt": "2022-03-17T09:43:12.391071Z", - "updatedAt": "2022-03-17T09:43:12.391071Z" - } - ] - }` - - responseUsers := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} - s.mockHttpClient.On("Do", mock.AnythingOfType("*http.Request")).Return(&responseUsers, nil).Once() - - actualError := s.client.GrantProjectAccess(projectObj, testUserId, role) - s.Nil(actualError) - }) -} - -func (s *ClientTestSuite) TestGrantOrganizationAccess() { - s.Run("should grant access to organization and nil error on success", func() { - s.setup() - testUserId := "test_user_id" - - body := make(map[string][]string) - body["userIds"] = append(body["userIds"], testUserId) - - var orgObj *frontier.Organization - orgObj = new(frontier.Organization) - orgObj.ID = "test_org_id" - - role := "admins" - - responseJson := `{ - "users": [ - { - "id": "test_user_id", - "name": "Test_User", - "slug": "Test_User", - "email": "test.user@email.com", - "metadata": { - "slack": "@Test_Admin" - }, - "createdAt": "2022-03-17T09:43:12.391071Z", - "updatedAt": "2022-03-17T09:43:12.391071Z" - } - ] - }` - - responseUsers := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} - s.mockHttpClient.On("Do", mock.AnythingOfType("*http.Request")).Return(&responseUsers, nil).Once() - - actualError := s.client.GrantOrganizationAccess(orgObj, testUserId, role) - s.Nil(actualError) - }) -} - -func (s *ClientTestSuite) TestRevokeTeamAccess() { - s.Run("should revoke access to team and nil error on success", func() { - s.setup() - testUserId := "test_user_id" - - body := make(map[string][]string) - body["userIds"] = append(body["userIds"], testUserId) - - var teamObj *frontier.Team - teamObj = new(frontier.Team) - teamObj.ID = "test_team_id" - - role := "users" - - responseJson := `{ - "message": "Removed User from group" - }` - - responseUsers := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} - s.mockHttpClient.On("Do", mock.AnythingOfType("*http.Request")).Return(&responseUsers, nil).Once() - - actualError := s.client.RevokeTeamAccess(teamObj, testUserId, role) - s.Nil(actualError) - }) -} - -func (s *ClientTestSuite) TestRevokeProjectAccess() { - s.Run("should revoke access to project and nil error on success", func() { - s.setup() - - testUserId := "test_user_id" - - body := make(map[string][]string) - body["userIds"] = append(body["userIds"], testUserId) - - var projectObj *frontier.Project - projectObj = new(frontier.Project) - projectObj.ID = "test_project_id" - - role := "admins" - - responseJson := `{ - "message": "Removed User from group" - }` - - responseUsers := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} - s.mockHttpClient.On("Do", mock.AnythingOfType("*http.Request")).Return(&responseUsers, nil).Once() - - actualError := s.client.RevokeProjectAccess(projectObj, testUserId, role) - s.Nil(actualError) - }) -} - -func (s *ClientTestSuite) TestRevokeOrganizationAccess() { - s.Run("should revoke access to organization and nil error on success", func() { - s.setup() - testUserId := "test_user_id" - - body := make(map[string][]string) - body["userIds"] = append(body["userIds"], testUserId) - - var orgObj *frontier.Organization - orgObj = new(frontier.Organization) - orgObj.ID = "test_org_id" - - role := "admins" - - responseJson := `{ - "message": "Removed User from group" - }` - - responseUsers := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} - s.mockHttpClient.On("Do", mock.AnythingOfType("*http.Request")).Return(&responseUsers, nil).Once() - - actualError := s.client.RevokeOrganizationAccess(orgObj, testUserId, role) - s.Nil(actualError) - }) -} - -func (s *ClientTestSuite) TestGetSelfUser() { - s.Run("Should return error user on empty email", func() { - s.setup() - testUserEmail := "" - - testGetSelfRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/users/self", nil, testUserEmail) - s.Require().NoError(err) - - responseJson := `{ - "code": 2, - "message": "email id is empty", - "details": [] - }` - - responseUser := http.Response{StatusCode: 500, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} - s.mockHttpClient.On("Do", testGetSelfRequest).Return(&responseUser, nil).Once() - - _, actualError := s.client.GetSelfUser(testUserEmail) - s.NotNil(actualError) - }) - s.Run("Should return shield user on success", func() { - s.setup() - testUserEmail := "test_user@email.com" - - testGetSelfRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/users/self", nil, testUserEmail) - s.Require().NoError(err) - - responseJson := `{ - "user": { - "id": "test-user-id", - "name": "test-user", - "slug": "", - "email": "test_user@email.com", - "metadata": { - "slack": "test" - }, - "createdAt": "2022-05-05T05:32:42.384021Z", - "updatedAt": "2022-06-01T10:08:02.688055Z" - } - }` - - responseUser := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} - s.mockHttpClient.On("Do", testGetSelfRequest).Return(&responseUser, nil).Once() - - expectedUser := &frontier.User{ - ID: "test-user-id", - Name: "test-user", - Email: "test_user@email.com", - } - - user, actualError := s.client.GetSelfUser(testUserEmail) - s.EqualValues(expectedUser, user) - s.Nil(actualError) - }) -} +// import ( +// "bytes" +// "encoding/json" +// "fmt" +// "io" +// "io/ioutil" +// "net/http" +// "testing" + +// "github.com/stretchr/testify/mock" + +// "github.com/raystack/salt/log" + +// "github.com/raystack/guardian/mocks" +// "github.com/raystack/guardian/plugins/providers/frontier" +// "github.com/stretchr/testify/assert" +// "github.com/stretchr/testify/suite" +// ) + +// func TestNewClient(t *testing.T) { +// t.Run("should return error if config is invalid", func(t *testing.T) { +// invalidConfig := &frontier.ClientConfig{} +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// actualClient, actualError := frontier.NewClient(invalidConfig, logger) + +// assert.Nil(t, actualClient) +// assert.Error(t, actualError) +// }) + +// t.Run("should return error if config.Host is not a valid url", func(t *testing.T) { +// invalidHostConfig := &frontier.ClientConfig{ +// AuthHeader: "X-Frontier-Email", +// AuthEmail: "test-email", +// Host: "invalid-url", +// } +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// actualClient, actualError := frontier.NewClient(invalidHostConfig, logger) + +// assert.Nil(t, actualClient) +// assert.Error(t, actualError) +// }) + +// t.Run("should return client and nil error on success", func(t *testing.T) { +// // TODO: test http request execution +// mockHttpClient := new(mocks.HTTPClient) +// config := &frontier.ClientConfig{ +// AuthHeader: "X-Frontier-Email", +// AuthEmail: "test_email", +// Host: "http://localhost", +// HTTPClient: mockHttpClient, +// } +// logger := log.NewLogrus(log.LogrusWithLevel("info")) + +// _, actualError := frontier.NewClient(config, logger) +// mockHttpClient.AssertExpectations(t) +// assert.Nil(t, actualError) +// }) +// } + +// type ClientTestSuite struct { +// suite.Suite + +// mockHttpClient *mocks.HTTPClient +// client frontier.Client +// authHeader string +// auth string +// host string +// } + +// func TestClient(t *testing.T) { +// suite.Run(t, new(ClientTestSuite)) +// } + +// func (s *ClientTestSuite) setup() { +// logger := log.NewNoop() +// s.mockHttpClient = new(mocks.HTTPClient) + +// s.host = "http://localhost" +// s.auth = "frontier_admin" +// s.authHeader = "X-Frontier-Email" +// client, err := frontier.NewClient(&frontier.ClientConfig{ +// AuthHeader: s.authHeader, +// AuthEmail: s.auth, +// Host: s.host, +// HTTPClient: s.mockHttpClient, +// }, logger) +// s.Require().NoError(err) +// s.client = client +// } + +// func (s *ClientTestSuite) getTestRequest(method, path string, body interface{}, authEmail string) (*http.Request, error) { +// var buf io.ReadWriter +// if body != nil { +// buf = new(bytes.Buffer) +// err := json.NewEncoder(buf).Encode(body) +// if err != nil { +// return nil, err +// } +// } +// url := fmt.Sprintf("%s%s", s.host, path) +// req, err := http.NewRequest(method, url, buf) +// if err != nil { +// return nil, err +// } +// if body != nil { +// req.Header.Set("Content-Type", "application/json") +// } +// if authEmail == "" { +// req.Header.Set(s.authHeader, s.auth) +// } else { +// req.Header.Set(s.authHeader, authEmail) +// } +// req.Header.Set("Accept", "application/json") +// return req, nil +// } + +// func (s *ClientTestSuite) TestGetTeams() { +// s.Run("should get teams and nil error on success", func() { +// s.setup() + +// testRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/groups", nil, "") +// s.Require().NoError(err) + +// teamResponseJSON := `{ +// "groups": [ +// { +// "id": "team_id_1", +// "name": "team_1", +// "slug": "team_1", +// "orgId": "org_id_1", +// "metadata": { +// "email": "team_1@email.com", +// "privacy": "public", +// "slack": "@team_1" +// }, +// "createdAt": "2022-03-17T06:19:47.176089Z", +// "updatedAt": "2022-03-17T06:19:47.176089Z" +// }, +// { +// "id": "team_id_2", +// "name": "team_2", +// "slug": "team_2", +// "orgId": "org_id_1", +// "metadata": { +// "email": "team_2@email.com", +// "privacy": "public", +// "slack": "@team_2" +// }, +// "createdAt": "2022-03-30T10:49:10.965916Z", +// "updatedAt": "2022-03-30T10:49:10.965916Z" +// } +// ] +// }` +// teamResponse := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(teamResponseJSON)))} +// s.mockHttpClient.On("Do", testRequest).Return(&teamResponse, nil).Once() + +// expectedTeams := []frontier.Team{ +// { +// ID: "team_id_1", +// Name: "team_1", +// Slug: "team_1", +// OrgId: "org_id_1", +// Metadata: frontier.Metadata{ +// Email: "team_1@email.com", +// Privacy: "public", +// Slack: "@team_1", +// }, +// Admins: []string{"test.admin@email.com"}, +// }, +// { +// ID: "team_id_2", +// Name: "team_2", +// Slug: "team_2", +// OrgId: "org_id_1", +// Metadata: frontier.Metadata{ +// Email: "team_2@email.com", +// Privacy: "public", +// Slack: "@team_2", +// }, +// Admins: []string{"test.admin@email.com"}, +// }, +// } + +// testAdminsRequest1, err := s.getTestRequest(http.MethodGet, "/v1beta1/groups/team_id_1/admins", nil, "") +// s.Require().NoError(err) + +// testAdminsRequest2, err := s.getTestRequest(http.MethodGet, "/v1beta1/groups/team_id_2/admins", nil, "") +// s.Require().NoError(err) + +// teamAdminResponse := `{ +// "users": [ +// { +// "id": "admin_id", +// "name": "Test_Admin", +// "slug": "Test_Admin", +// "email": "test.admin@email.com", +// "metadata": { +// "slack": "@Test_Admin" +// }, +// "createdAt": "2022-03-17T09:43:12.391071Z", +// "updatedAt": "2022-03-17T09:43:12.391071Z" +// }] +// }` + +// teamAdminResponse1 := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(teamAdminResponse)))} +// s.mockHttpClient.On("Do", testAdminsRequest1).Return(&teamAdminResponse1, nil).Once() + +// teamAdminResponse2 := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(teamAdminResponse)))} +// s.mockHttpClient.On("Do", testAdminsRequest2).Return(&teamAdminResponse2, nil).Once() + +// result, err1 := s.client.GetTeams() +// var teams []frontier.Team +// for _, team := range result { +// teams = append(teams, *team) +// } +// s.Nil(err1) +// s.ElementsMatch(expectedTeams, teams) +// }) +// } + +// func (s *ClientTestSuite) TestGetProjects() { +// s.Run("should get projects and nil error on success", func() { +// s.setup() + +// testRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/projects", nil, "") +// s.Require().NoError(err) + +// projectResponseJSON := `{ +// "projects": [ +// { +// "id": "project_id_1", +// "name": "project_1", +// "slug": "project_1", +// "orgId": "org_id_1", +// "metadata": { +// "environment": "integration", +// "landscape": "core", +// "organization": "gtfn" +// }, +// "createdAt": "2022-03-17T06:19:47.176089Z", +// "updatedAt": "2022-03-17T06:19:47.176089Z" +// } +// ] +// }` +// projectResponse := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(projectResponseJSON)))} +// s.mockHttpClient.On("Do", testRequest).Return(&projectResponse, nil).Once() + +// expectedProjects := []frontier.Project{ +// { +// ID: "project_id_1", +// Name: "project_1", +// Slug: "project_1", +// OrgId: "org_id_1", +// Admins: []string{"test.admin@email.com"}, +// }, +// } + +// testAdminsRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/projects/project_id_1/admins", nil, "") +// s.Require().NoError(err) + +// projectAdminResponse := `{ +// "users": [ +// { +// "id": "admin_id", +// "name": "Test_Admin", +// "slug": "Test_Admin", +// "email": "test.admin@email.com", +// "metadata": { +// "slack": "@Test_Admin" +// }, +// "createdAt": "2022-03-17T09:43:12.391071Z", +// "updatedAt": "2022-03-17T09:43:12.391071Z" +// } +// ] +// }` + +// projectAdminResponse1 := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(projectAdminResponse)))} +// s.mockHttpClient.On("Do", testAdminsRequest).Return(&projectAdminResponse1, nil).Once() + +// result, err1 := s.client.GetProjects() +// var projects []frontier.Project +// for _, project := range result { +// projects = append(projects, *project) +// } +// s.Nil(err1) +// s.ElementsMatch(expectedProjects, projects) +// }) +// } + +// func (s *ClientTestSuite) TestGetOrganizations() { +// s.Run("should get organizations and nil error on success", func() { +// s.setup() + +// testRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/organizations", nil, "") +// s.Require().NoError(err) + +// organizationsResponseJSON := `{ +// "organizations": [ +// { +// "id": "org_id_1", +// "name": "org_1", +// "slug": "org_1", +// "metadata": { +// "dwh_group_id": "dwh_group", +// "dwh_team_name": "dwh_team" +// }, +// "createdAt": "2022-03-17T06:19:47.176089Z", +// "updatedAt": "2022-03-17T06:19:47.176089Z" +// } +// ] +// }` +// orgResponse := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(organizationsResponseJSON)))} +// s.mockHttpClient.On("Do", testRequest).Return(&orgResponse, nil).Once() + +// expectedOrganizations := []frontier.Organization{ +// { +// ID: "org_id_1", +// Name: "org_1", +// Slug: "org_1", +// Admins: []string{"test.admin@email.com"}, +// }, +// } + +// testAdminsRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/organizations/org_id_1/admins", nil, "") +// s.Require().NoError(err) + +// orgAdminResponse := `{ +// "users": [ +// { +// "id": "admin_id", +// "name": "Test_Admin", +// "slug": "Test_Admin", +// "email": "test.admin@email.com", +// "metadata": { +// "slack": "@Test_Admin" +// }, +// "createdAt": "2022-03-17T09:43:12.391071Z", +// "updatedAt": "2022-03-17T09:43:12.391071Z" +// } +// ] +// }` + +// orgAdminResponse1 := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(orgAdminResponse)))} +// s.mockHttpClient.On("Do", testAdminsRequest).Return(&orgAdminResponse1, nil).Once() + +// result, err1 := s.client.GetOrganizations() +// var orgs []frontier.Organization +// for _, org := range result { +// orgs = append(orgs, *org) +// } +// s.Nil(err1) +// s.ElementsMatch(expectedOrganizations, orgs) +// }) +// } + +// func (s *ClientTestSuite) TestGrantTeamAccess() { +// s.Run("should grant access to team and nil error on success", func() { +// s.setup() + +// testUserId := "test_user_id" + +// body := make(map[string][]string) +// body["userIds"] = append(body["userIds"], testUserId) + +// var teamObj *frontier.Team +// teamObj = new(frontier.Team) +// teamObj.ID = "test_team_id" + +// role := "users" + +// responseJson := `{ +// "users": [ +// { +// "id": "test_user_id", +// "name": "Test_User", +// "slug": "Test_User", +// "email": "test.user@email.com", +// "metadata": { +// "slack": "@Test_Admin" +// }, +// "createdAt": "2022-03-17T09:43:12.391071Z", +// "updatedAt": "2022-03-17T09:43:12.391071Z" +// } +// ] +// }` + +// responseUsers := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} +// s.mockHttpClient.On("Do", mock.AnythingOfType("*http.Request")).Return(&responseUsers, nil).Once() + +// actualError := s.client.GrantTeamAccess(teamObj, testUserId, role) +// s.Nil(actualError) +// }) +// } + +// func (s *ClientTestSuite) TestGrantProjectAccess() { +// s.Run("should grant access to project and nil error on success", func() { +// s.setup() + +// testUserId := "test_user_id" + +// body := make(map[string][]string) +// body["userIds"] = append(body["userIds"], testUserId) + +// var projectObj *frontier.Project +// projectObj = new(frontier.Project) +// projectObj.ID = "test_project_id" + +// role := "admins" + +// responseJson := `{ +// "users": [ +// { +// "id": "test_user_id", +// "name": "Test_User", +// "slug": "Test_User", +// "email": "test.user@email.com", +// "metadata": { +// "slack": "@Test_Admin" +// }, +// "createdAt": "2022-03-17T09:43:12.391071Z", +// "updatedAt": "2022-03-17T09:43:12.391071Z" +// } +// ] +// }` + +// responseUsers := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} +// s.mockHttpClient.On("Do", mock.AnythingOfType("*http.Request")).Return(&responseUsers, nil).Once() + +// actualError := s.client.GrantProjectAccess(projectObj, testUserId, role) +// s.Nil(actualError) +// }) +// } + +// func (s *ClientTestSuite) TestGrantOrganizationAccess() { +// s.Run("should grant access to organization and nil error on success", func() { +// s.setup() +// testUserId := "test_user_id" + +// body := make(map[string][]string) +// body["userIds"] = append(body["userIds"], testUserId) + +// var orgObj *frontier.Organization +// orgObj = new(frontier.Organization) +// orgObj.ID = "test_org_id" + +// role := "admins" + +// responseJson := `{ +// "users": [ +// { +// "id": "test_user_id", +// "name": "Test_User", +// "slug": "Test_User", +// "email": "test.user@email.com", +// "metadata": { +// "slack": "@Test_Admin" +// }, +// "createdAt": "2022-03-17T09:43:12.391071Z", +// "updatedAt": "2022-03-17T09:43:12.391071Z" +// } +// ] +// }` + +// responseUsers := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} +// s.mockHttpClient.On("Do", mock.AnythingOfType("*http.Request")).Return(&responseUsers, nil).Once() + +// actualError := s.client.GrantOrganizationAccess(orgObj, testUserId, role) +// s.Nil(actualError) +// }) +// } + +// func (s *ClientTestSuite) TestRevokeTeamAccess() { +// s.Run("should revoke access to team and nil error on success", func() { +// s.setup() +// testUserId := "test_user_id" + +// body := make(map[string][]string) +// body["userIds"] = append(body["userIds"], testUserId) + +// var teamObj *frontier.Team +// teamObj = new(frontier.Team) +// teamObj.ID = "test_team_id" + +// role := "users" + +// responseJson := `{ +// "message": "Removed User from group" +// }` + +// responseUsers := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} +// s.mockHttpClient.On("Do", mock.AnythingOfType("*http.Request")).Return(&responseUsers, nil).Once() + +// actualError := s.client.RevokeTeamAccess(teamObj, testUserId, role) +// s.Nil(actualError) +// }) +// } + +// func (s *ClientTestSuite) TestRevokeProjectAccess() { +// s.Run("should revoke access to project and nil error on success", func() { +// s.setup() + +// testUserId := "test_user_id" + +// body := make(map[string][]string) +// body["userIds"] = append(body["userIds"], testUserId) + +// var projectObj *frontier.Project +// projectObj = new(frontier.Project) +// projectObj.ID = "test_project_id" + +// role := "admins" + +// responseJson := `{ +// "message": "Removed User from group" +// }` + +// responseUsers := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} +// s.mockHttpClient.On("Do", mock.AnythingOfType("*http.Request")).Return(&responseUsers, nil).Once() + +// actualError := s.client.RevokeProjectAccess(projectObj, testUserId, role) +// s.Nil(actualError) +// }) +// } + +// func (s *ClientTestSuite) TestRevokeOrganizationAccess() { +// s.Run("should revoke access to organization and nil error on success", func() { +// s.setup() +// testUserId := "test_user_id" + +// body := make(map[string][]string) +// body["userIds"] = append(body["userIds"], testUserId) + +// var orgObj *frontier.Organization +// orgObj = new(frontier.Organization) +// orgObj.ID = "test_org_id" + +// role := "admins" + +// responseJson := `{ +// "message": "Removed User from group" +// }` + +// responseUsers := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} +// s.mockHttpClient.On("Do", mock.AnythingOfType("*http.Request")).Return(&responseUsers, nil).Once() + +// actualError := s.client.RevokeOrganizationAccess(orgObj, testUserId, role) +// s.Nil(actualError) +// }) +// } + +// func (s *ClientTestSuite) TestGetSelfUser() { +// s.Run("Should return error user on empty email", func() { +// s.setup() +// testUserEmail := "" + +// testGetSelfRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/users/self", nil, testUserEmail) +// s.Require().NoError(err) + +// responseJson := `{ +// "code": 2, +// "message": "email id is empty", +// "details": [] +// }` + +// responseUser := http.Response{StatusCode: 500, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} +// s.mockHttpClient.On("Do", testGetSelfRequest).Return(&responseUser, nil).Once() + +// _, actualError := s.client.GetSelfUser(testUserEmail) +// s.NotNil(actualError) +// }) +// s.Run("Should return frontier user on success", func() { +// s.setup() +// testUserEmail := "test_user@email.com" + +// testGetSelfRequest, err := s.getTestRequest(http.MethodGet, "/v1beta1/users/self", nil, testUserEmail) +// s.Require().NoError(err) + +// responseJson := `{ +// "user": { +// "id": "test-user-id", +// "name": "test-user", +// "slug": "", +// "email": "test_user@email.com", +// "metadata": { +// "slack": "test" +// }, +// "createdAt": "2022-05-05T05:32:42.384021Z", +// "updatedAt": "2022-06-01T10:08:02.688055Z" +// } +// }` + +// responseUser := http.Response{StatusCode: 200, Body: ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))} +// s.mockHttpClient.On("Do", testGetSelfRequest).Return(&responseUser, nil).Once() + +// expectedUser := &frontier.User{ +// ID: "test-user-id", +// Name: "test-user", +// Email: "test_user@email.com", +// } + +// user, actualError := s.client.GetSelfUser(testUserEmail) +// s.EqualValues(expectedUser, user) +// s.Nil(actualError) +// }) +// } diff --git a/plugins/providers/frontier/config.go b/plugins/providers/frontier/config.go index fa22f3074..8d60fe4fc 100644 --- a/plugins/providers/frontier/config.go +++ b/plugins/providers/frontier/config.go @@ -11,8 +11,15 @@ import ( ) const ( - RoleMember = "users" - RoleAdmin = "admins" + RoleOrgViewer = "app_organization_viewer" + RoleOrgManager = "app_organization_manager" + RoleOrgOwner = "app_organization_owner" + RoleOrgAccessManager = "app_organization_accessmanager" + RoleProjectOwner = "app_project_owner" + RoleProjectManager = "app_project_manager" + RoleProjectViewer = "app_project_viewer" + RoleGroupOwner = "app_group_owner" + RoleGroupMember = "app_group_member" AccountTypeUser = "user" ) @@ -118,11 +125,11 @@ func (c *Config) validatePermission(resourceType string, value interface{}) (*Pe var nameValidation string if resourceType == ResourceTypeTeam { - nameValidation = "oneof=users admins" + nameValidation = fmt.Sprintf("oneof=%s %s", RoleGroupOwner, RoleGroupMember) } else if resourceType == ResourceTypeProject { - nameValidation = "oneof=admins" + nameValidation = fmt.Sprintf("oneof=%s %s %s", RoleProjectManager, RoleProjectOwner, RoleProjectViewer) } else if resourceType == ResourceTypeOrganization { - nameValidation = "oneof=admins" + nameValidation = fmt.Sprintf("oneof=%s %s %s %s", RoleOrgViewer, RoleOrgManager, RoleOrgOwner, RoleOrgAccessManager) } if err := c.validator.Var(pc, nameValidation); err != nil { diff --git a/plugins/providers/frontier/provider.go b/plugins/providers/frontier/provider.go index a95727826..885d3b3f3 100644 --- a/plugins/providers/frontier/provider.go +++ b/plugins/providers/frontier/provider.go @@ -62,28 +62,29 @@ func (p *provider) GetResources(pc *domain.ProviderConfig) ([]*domain.Resource, var projects []*Project var organizations []*Organization - if _, ok := resourceTypes[ResourceTypeTeam]; ok { - teams, err = client.GetTeams() - if err != nil { - return nil, err - } - resources = p.addTeams(pc, teams, resources) - } - - if _, ok := resourceTypes[ResourceTypeProject]; ok { - projects, err = client.GetProjects() - if err != nil { - return nil, err - } - resources = p.addProjects(pc, projects, resources) - } - if _, ok := resourceTypes[ResourceTypeOrganization]; ok { organizations, err = client.GetOrganizations() if err != nil { return nil, err } resources = p.addOrganizations(pc, organizations, resources) + for _, orgs := range organizations { + if _, ok := resourceTypes[ResourceTypeProject]; ok { + projects, err = client.GetProjects(orgs.ID) + if err != nil { + return nil, err + } + resources = p.addProjects(pc, projects, resources) + } + + if _, ok := resourceTypes[ResourceTypeTeam]; ok { + teams, err = client.GetTeams(orgs.ID) + if err != nil { + return nil, err + } + resources = p.addTeams(pc, teams, resources) + } + } } return resources, nil diff --git a/plugins/providers/frontier/provider_test.go b/plugins/providers/frontier/provider_test.go index a702e5697..c1db014b9 100644 --- a/plugins/providers/frontier/provider_test.go +++ b/plugins/providers/frontier/provider_test.go @@ -1,1407 +1,1407 @@ package frontier_test -import ( - "errors" - "testing" - - "github.com/raystack/salt/log" - - "github.com/raystack/guardian/core/provider" - "github.com/raystack/guardian/domain" - "github.com/raystack/guardian/mocks" - "github.com/raystack/guardian/plugins/providers/frontier" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/mock" -) - -func TestGetType(t *testing.T) { - t.Run("should return provider type name", func(t *testing.T) { - expectedTypeName := domain.ProviderTypeFrontier - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider(expectedTypeName, logger) - - actualTypeName := p.GetType() - - assert.Equal(t, expectedTypeName, actualTypeName) - }) -} - -func TestCreateConfig(t *testing.T) { - t.Run("should return error if there resource config is invalid", func(t *testing.T) { - providerURN := "test-provider-urn" - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - testcases := []struct { - pc *domain.ProviderConfig - }{ - { - pc: &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test-email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: "invalid resource type", - }, - }, - }, - }, - { - pc: &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test-email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeTeam, - Roles: []*domain.Role{ - { - ID: "member", - Permissions: []interface{}{"wrong permissions"}, - }, - }, - }, - }, - }, - }, - } - - for _, tc := range testcases { - actualError := p.CreateConfig(tc.pc) - assert.Error(t, actualError) - } - }) - - t.Run("should not return error if parse and valid of Credentials are correct", func(t *testing.T) { - providerURN := "test-provider-urn" - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - testcases := []struct { - pc *domain.ProviderConfig - expectedError error - }{ - { - pc: &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test-email", - AuthHeader: "X-Auth-Email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeTeam, - Roles: []*domain.Role{ - { - ID: "member", - Permissions: []interface{}{"users"}, - }, - { - ID: "admin", - Permissions: []interface{}{"admins"}, - }, - }, - }, - }, - URN: providerURN, - }, - expectedError: nil, - }, - { - pc: &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test-email", - AuthHeader: "X-Auth-Email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeProject, - Roles: []*domain.Role{ - { - ID: "admin", - Permissions: []interface{}{"admins"}, - }, - }, - }, - }, - URN: providerURN, - }, - expectedError: nil, - }, - { - pc: &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test-email", - AuthHeader: "X-Auth-Email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeOrganization, - Roles: []*domain.Role{ - { - ID: "admin", - Permissions: []interface{}{"admins"}, - }, - }, - }, - }, - URN: providerURN, - }, - expectedError: nil, - }, - } - - for _, tc := range testcases { - actualError := p.CreateConfig(tc.pc) - assert.Equal(t, tc.expectedError, actualError) - } - }) -} - -func TestGetResources(t *testing.T) { - t.Run("should return error if credentials is invalid", func(t *testing.T) { - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - - pc := &domain.ProviderConfig{ - Credentials: "invalid-creds", - } - - actualResources, actualError := p.GetResources(pc) - - assert.Nil(t, actualResources) - assert.Error(t, actualError) - }) - - t.Run("should return error if got any on getting team resources", func(t *testing.T) { - providerURN := "test-provider-urn" - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - pc := &domain.ProviderConfig{ - URN: providerURN, - Credentials: map[string]interface{}{}, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeTeam, - }, - }, - } - expectedError := errors.New("client error") - client.On("GetTeams").Return(nil, expectedError).Once() - - actualResources, actualError := p.GetResources(pc) - - assert.Nil(t, actualResources) - assert.EqualError(t, actualError, expectedError.Error()) - }) - - t.Run("should return error if got any on getting project resources", func(t *testing.T) { - providerURN := "test-provider-urn" - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - pc := &domain.ProviderConfig{ - URN: providerURN, - Credentials: map[string]interface{}{}, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeProject, - }, - }, - } - expectedError := errors.New("client error") - client.On("GetProjects").Return(nil, expectedError).Once() - - actualResources, actualError := p.GetResources(pc) - - assert.Nil(t, actualResources) - assert.EqualError(t, actualError, expectedError.Error()) - }) - - t.Run("should return error if got any on getting organization resources", func(t *testing.T) { - providerURN := "test-provider-urn" - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - pc := &domain.ProviderConfig{ - URN: providerURN, - Credentials: map[string]interface{}{}, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeOrganization, - }, - }, - } - expectedError := errors.New("client error") - client.On("GetOrganizations").Return(nil, expectedError).Once() - - actualResources, actualError := p.GetResources(pc) - - assert.Nil(t, actualResources) - assert.EqualError(t, actualError, expectedError.Error()) - }) - - t.Run("should return list of resources and nil error on success", func(t *testing.T) { - providerURN := "test-provider-urn" - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - pc := &domain.ProviderConfig{ - URN: providerURN, - Credentials: map[string]interface{}{}, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeTeam, - }, - { - Type: frontier.ResourceTypeProject, - }, - { - Type: frontier.ResourceTypeOrganization, - }, - }, - } - expectedTeams := []*frontier.Team{ - { - ID: "team_id", - Name: "team_1", - OrgId: "org_id", - Metadata: frontier.Metadata{ - Email: "team_1@gojek.com", - Privacy: "public", - Slack: "team_1_slack", - }, - Admins: []string{"testTeamAdmin@gmail.com"}, - }, - } - client.On("GetTeams").Return(expectedTeams, nil).Once() - - expectedProjects := []*frontier.Project{ - { - ID: "project_id", - Name: "project_1", - OrgId: "org_id", - Admins: []string{"testProjectAdmin@gmail.com"}, - }, - } - client.On("GetProjects").Return(expectedProjects, nil).Once() - - expectedOrganizations := []*frontier.Organization{ - { - ID: "org_id", - Name: "org_1", - Admins: []string{"testOrganizationAdmin@gmail.com"}, - }, - } - - client.On("GetOrganizations").Return(expectedOrganizations, nil).Once() - - expectedResources := []*domain.Resource{ - { - Type: frontier.ResourceTypeTeam, - URN: "team:team_id", - ProviderURN: providerURN, - Name: "team_1", - Details: map[string]interface{}{ - "id": "team_id", - "orgId": "org_id", - "admins": []string{"testTeamAdmin@gmail.com"}, - "metadata": frontier.Metadata{ - Email: "team_1@gojek.com", - Privacy: "public", - Slack: "team_1_slack", - }, - }, - }, { - Type: frontier.ResourceTypeProject, - URN: "project:project_id", - ProviderURN: providerURN, - Name: "project_1", - Details: map[string]interface{}{ - "id": "project_id", - "orgId": "org_id", - "admins": []string{"testProjectAdmin@gmail.com"}, - }, - }, - { - Type: frontier.ResourceTypeOrganization, - URN: "organization:org_id", - ProviderURN: providerURN, - Name: "org_1", - Details: map[string]interface{}{ - "id": "org_id", - "admins": []string{"testOrganizationAdmin@gmail.com"}, - }, - }, - } - - actualResources, actualError := p.GetResources(pc) - - assert.Equal(t, expectedResources, actualResources) - assert.Nil(t, actualError) - }) -} - -func TestGrantAccess(t *testing.T) { - t.Run("should return error if credentials is invalid", func(t *testing.T) { - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - - pc := &domain.ProviderConfig{ - Credentials: "invalid-credentials", - Resources: []*domain.ResourceConfig{ - { - Type: "test-type", - Roles: []*domain.Role{ - { - ID: "test-role", - Permissions: []interface{}{"test-permission-config"}, - }, - }, - }, - }, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: "test-type", - }, - Role: "test-role", - } - - actualError := p.GrantAccess(pc, a) - assert.Error(t, actualError) - }) - - t.Run("should return error if resource type in unknown", func(t *testing.T) { - providerURN := "test-provider-urn" - expectedError := errors.New("invalid resource type") - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "http://localhost/", - AuthEmail: "test-email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: "test-type", - Roles: []*domain.Role{ - { - ID: "test-role", - Permissions: []interface{}{"test-permission-config"}, - }, - }, - }, - }, - URN: providerURN, - } - - a := domain.Grant{ - Resource: &domain.Resource{ - Type: "test-type", - }, - Role: "test-role", - AccountID: expectedUserEmail, - } - - actualError := p.GrantAccess(pc, a) - - assert.EqualError(t, actualError, expectedError.Error()) - }) - - t.Run("given team resource", func(t *testing.T) { - t.Run("should return error if there is an error in granting team access", func(t *testing.T) { - providerURN := "test-provider-urn" - expectedError := errors.New("client error") - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - client.On("GrantTeamAccess", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(expectedError).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeTeam, - Roles: []*domain.Role{ - { - ID: "test-role", - Permissions: []interface{}{"test-permission-config"}, - }, - }, - }, - }, - URN: providerURN, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: frontier.ResourceTypeTeam, - URN: "team:team_id", - Name: "team_1", - Details: map[string]interface{}{ - "id": "team_id", - "orgId": "456", - "admins": []interface{}{"testAdmin@email.com"}, - "metadata": frontier.Metadata{ - Email: "team_1@gojek.com", - Privacy: "public", - Slack: "team_1_slack", - }, - }, - }, - Role: "test-role", - AccountID: expectedUserEmail, - Permissions: []string{"test-permission-config"}, - } - - actualError := p.GrantAccess(pc, a) - - assert.EqualError(t, actualError, expectedError.Error()) - }) - - t.Run("should return nil error if granting access is successful", func(t *testing.T) { - providerURN := "test-provider-urn" - logger := log.NewLogrus(log.LogrusWithLevel("info")) - client := new(mocks.ShieldClient) - expectedTeam := &frontier.Team{ - Name: "team_1", - ID: "team_id", - } - - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - expectedRole := "users" - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - client.On("GrantTeamAccess", expectedTeam, expectedUser.ID, expectedRole).Return(nil).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeTeam, - Roles: []*domain.Role{ - { - ID: "member", - Permissions: []interface{}{expectedRole}, - }, - }, - }, - }, - URN: providerURN, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: frontier.ResourceTypeTeam, - URN: "team:team_id", - Name: "team_1", - Details: map[string]interface{}{ - "id": "team_id", - "orgId": "456", - "admins": []interface{}{"testAdmin@email.com"}, - "metadata": frontier.Metadata{ - Email: "team_1@gojek.com", - Privacy: "public", - Slack: "team_1_slack", - }, - }, - }, - Role: "member", - AccountID: expectedUserEmail, - ResourceID: "999", - ID: "999", - } - - actualError := p.GrantAccess(pc, a) - - assert.Nil(t, actualError) - }) - }) - - t.Run("given project resource", func(t *testing.T) { - t.Run("should return error if there is an error in granting project access", func(t *testing.T) { - providerURN := "test-provider-urn" - expectedError := errors.New("client error") - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - client.On("GrantProjectAccess", mock.Anything, mock.Anything, mock.Anything).Return(expectedError).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeProject, - Roles: []*domain.Role{ - { - ID: "test-role", - Permissions: []interface{}{"test-permission-config"}, - }, - }, - }, - }, - URN: providerURN, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: frontier.ResourceTypeProject, - URN: "project:project_id", - Name: "project_1", - Details: map[string]interface{}{ - "id": "project_id", - "orgId": "456", - "admins": []interface{}{"testAdmin@email.com"}, - }, - }, - Role: "test-role", - AccountID: expectedUserEmail, - Permissions: []string{"test-permission-config"}, - } - - actualError := p.GrantAccess(pc, a) - - assert.EqualError(t, actualError, expectedError.Error()) - }) - - t.Run("should return nil error if granting access is successful", func(t *testing.T) { - providerURN := "test-provider-urn" - logger := log.NewLogrus(log.LogrusWithLevel("info")) - client := new(mocks.ShieldClient) - expectedProject := &frontier.Project{ - Name: "project_1", - ID: "project_id", - } - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - expectedRole := "admins" - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - client.On("GrantProjectAccess", expectedProject, expectedUser.ID, expectedRole).Return(nil).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeProject, - Roles: []*domain.Role{ - { - ID: "admin", - Permissions: []interface{}{expectedRole}, - }, - }, - }, - }, - URN: providerURN, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: frontier.ResourceTypeProject, - URN: "project:project_id", - Name: "project_1", - Details: map[string]interface{}{ - "id": "project_id", - "orgId": "456", - "admins": []interface{}{"testAdmin@email.com"}, - }, - }, - Role: "admin", - AccountID: expectedUserEmail, - ResourceID: "999", - ID: "999", - } - - actualError := p.GrantAccess(pc, a) - - assert.Nil(t, actualError) - }) - }) - - t.Run("given organization resource", func(t *testing.T) { - t.Run("should return error if there is an error in granting organization access", func(t *testing.T) { - providerURN := "test-provider-urn" - expectedError := errors.New("client error") - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - client.On("GrantOrganizationAccess", mock.Anything, mock.Anything, mock.Anything).Return(expectedError).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeOrganization, - Roles: []*domain.Role{ - { - ID: "test-role", - Permissions: []interface{}{"test-permission-config"}, - }, - }, - }, - }, - URN: providerURN, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: frontier.ResourceTypeOrganization, - URN: "organization:org_id", - Name: "org_1", - Details: map[string]interface{}{ - "id": "org_id", - "admins": []interface{}{"testAdmin@email.com"}, - }, - }, - Role: "test-role", - AccountID: expectedUserEmail, - Permissions: []string{"test-permission-config"}, - } - - actualError := p.GrantAccess(pc, a) - - assert.EqualError(t, actualError, expectedError.Error()) - }) - - t.Run("should return nil error if granting access is successful", func(t *testing.T) { - providerURN := "test-provider-urn" - logger := log.NewLogrus(log.LogrusWithLevel("info")) - client := new(mocks.ShieldClient) - expectedOrganization := &frontier.Organization{ - Name: "org_1", - ID: "org_id", - } - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - expectedRole := "admins" - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - client.On("GrantOrganizationAccess", expectedOrganization, expectedUser.ID, expectedRole).Return(nil).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeOrganization, - Roles: []*domain.Role{ - { - ID: "admin", - Permissions: []interface{}{expectedRole}, - }, - }, - }, - }, - URN: providerURN, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: frontier.ResourceTypeOrganization, - URN: "organization:org_id", - Name: "org_1", - Details: map[string]interface{}{ - "id": "org_id", - "admins": []interface{}{"testAdmin@email.com"}, - }, - }, - Role: "admin", - AccountID: expectedUserEmail, - ResourceID: "999", - ID: "999", - } - - actualError := p.GrantAccess(pc, a) - - assert.Nil(t, actualError) - }) - }) -} - -func TestRevokeAccess(t *testing.T) { - t.Run("should return error if credentials is invalid", func(t *testing.T) { - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - - pc := &domain.ProviderConfig{ - Credentials: "invalid-credentials", - Resources: []*domain.ResourceConfig{ - { - Type: "test-type", - Roles: []*domain.Role{ - { - ID: "test-role", - Permissions: []interface{}{"test-permission-config"}, - }, - }, - }, - }, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: "test-type", - }, - Role: "test-role", - } - - actualError := p.RevokeAccess(pc, a) - assert.Error(t, actualError) - }) - - t.Run("should return error if resource type in unknown", func(t *testing.T) { - providerURN := "test-provider-urn" - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - expectedError := errors.New("invalid resource type") - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "http://localhost/", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: "test-type", - Roles: []*domain.Role{ - { - ID: "test-role", - Permissions: []interface{}{"test-permission-config"}, - }, - }, - }, - }, - URN: providerURN, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: "test-type", - }, - Role: "test-role", - AccountID: expectedUserEmail, - } - - actualError := p.RevokeAccess(pc, a) - assert.EqualError(t, actualError, expectedError.Error()) - }) - - t.Run("given team resource", func(t *testing.T) { - t.Run("should return error if there is an error in revoking team access", func(t *testing.T) { - providerURN := "test-provider-urn" - expectedError := errors.New("client error") - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - client.On("RevokeTeamAccess", mock.Anything, mock.Anything, mock.Anything).Return(expectedError).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeTeam, - Roles: []*domain.Role{ - { - ID: "test-role", - Permissions: []interface{}{"test-permission-config"}, - }, - }, - }, - }, - URN: providerURN, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: frontier.ResourceTypeTeam, - URN: "team:team_id", - Name: "team_1", - Details: map[string]interface{}{ - "id": "team_id", - "orgId": "456", - "admins": []interface{}{"testAdmin@email.com"}, - "metadata": frontier.Metadata{ - Email: "team_1@gojek.com", - Privacy: "public", - Slack: "team_1_slack", - }, - }, - }, - Role: "test-role", - AccountID: expectedUserEmail, - Permissions: []string{"test-permission-config"}, - } - - actualError := p.RevokeAccess(pc, a) - - assert.EqualError(t, actualError, expectedError.Error()) - }) - - t.Run("should return nil error if revoking team access is successful", func(t *testing.T) { - providerURN := "test-provider-urn" - logger := log.NewLogrus(log.LogrusWithLevel("info")) - client := new(mocks.ShieldClient) - expectedTeam := &frontier.Team{ - Name: "team_1", - ID: "team_id", - OrgId: "456", - Metadata: frontier.Metadata{ - Email: "team_1@gojek.com", - Privacy: "public", - Slack: "team_1_slack", - }, - Admins: []string{"testAdmin@email.com"}, - } - - expectedRole := "admins" - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - client.On("RevokeTeamAccess", expectedTeam, expectedUser.ID, expectedRole).Return(nil).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeTeam, - Roles: []*domain.Role{ - { - ID: "admin", - Permissions: []interface{}{expectedRole}, - }, - }, - }, - }, - URN: providerURN, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: frontier.ResourceTypeTeam, - URN: "team:team_id", - Name: "team_1", - Details: map[string]interface{}{ - "id": "team_id", - "orgId": "456", - "admins": []interface{}{"testAdmin@email.com"}, - "metadata": frontier.Metadata{ - Email: "team_1@gojek.com", - Privacy: "public", - Slack: "team_1_slack", - }, - }, - }, - Role: "admin", - Permissions: []string{expectedRole}, - AccountID: expectedUserEmail, - ResourceID: "999", - ID: "999", - } - - actualError := p.RevokeAccess(pc, a) - - assert.Nil(t, actualError) - client.AssertExpectations(t) - }) - }) - - t.Run("given project resource", func(t *testing.T) { - t.Run("should return error if there is an error in revoking project access", func(t *testing.T) { - providerURN := "test-provider-urn" - expectedError := errors.New("client error") - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - - client.On("RevokeProjectAccess", mock.Anything, mock.Anything, mock.Anything).Return(expectedError).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeProject, - Roles: []*domain.Role{ - { - ID: "test-role", - Permissions: []interface{}{"test-permission-config"}, - }, - }, - }, - }, - URN: providerURN, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: frontier.ResourceTypeProject, - URN: "project:project_id", - Name: "project_1", - Details: map[string]interface{}{ - "id": "project_id", - "orgId": "456", - "admins": []interface{}{"testAdmin@email.com"}, - }, - }, - Role: "test-role", - AccountID: expectedUserEmail, - Permissions: []string{"test-permission-config"}, - } - - actualError := p.RevokeAccess(pc, a) - - assert.EqualError(t, actualError, expectedError.Error()) - }) - - t.Run("should return nil error if revoking access is successful", func(t *testing.T) { - providerURN := "test-provider-urn" - client := new(mocks.ShieldClient) - expectedProject := &frontier.Project{ - Name: "project_1", - ID: "project_id", - OrgId: "456", - Admins: []string{"testAdmin@email.com"}, - } - expectedRole := "admins" - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - client.On("RevokeProjectAccess", expectedProject, expectedUser.ID, expectedRole).Return(nil).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeProject, - Roles: []*domain.Role{ - { - ID: "admin", - Permissions: []interface{}{expectedRole}, - }, - }, - }, - }, - URN: providerURN, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: frontier.ResourceTypeProject, - URN: "project:project_id", - Name: "project_1", - Details: map[string]interface{}{ - "id": "project_id", - "orgId": "456", - "admins": []interface{}{"testAdmin@email.com"}, - }, - }, - Role: "admin", - Permissions: []string{expectedRole}, - AccountID: expectedUserEmail, - ResourceID: "999", - ID: "999", - } - - actualError := p.RevokeAccess(pc, a) - - assert.Nil(t, actualError) - client.AssertExpectations(t) - }) - }) - - t.Run("given Organization resource", func(t *testing.T) { - t.Run("should return error if there is an error in revoking organization access", func(t *testing.T) { - providerURN := "test-provider-urn" - expectedError := errors.New("client error") - client := new(mocks.ShieldClient) - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - client.On("RevokeOrganizationAccess", mock.Anything, mock.Anything, mock.Anything).Return(expectedError).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeOrganization, - Roles: []*domain.Role{ - { - ID: "test-role", - Permissions: []interface{}{"test-permission-config"}, - }, - }, - }, - }, - URN: providerURN, - } - - a := domain.Grant{ - Resource: &domain.Resource{ - Type: frontier.ResourceTypeOrganization, - URN: "organization:org_id", - Name: "org_1", - Details: map[string]interface{}{ - "id": "org_id", - "admins": []interface{}{"testAdmin@email.com"}, - }, - }, - Role: "test-role", - AccountID: expectedUserEmail, - Permissions: []string{"test-permission-config"}, - } - - actualError := p.RevokeAccess(pc, a) - - assert.EqualError(t, actualError, expectedError.Error()) - }) - - t.Run("should return nil error if revoking access is successful", func(t *testing.T) { - providerURN := "test-provider-urn" - client := new(mocks.ShieldClient) - expectedOrganization := &frontier.Organization{ - Name: "org_1", - ID: "org_id", - Admins: []string{"testAdmin@email.com"}, - } - expectedRole := "admins" - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - - p.Clients = map[string]frontier.Client{ - providerURN: client, - } - expectedUserEmail := "test@email.com" - expectedUser := &frontier.User{ - ID: "test_user_id", - Name: "test_user", - Email: expectedUserEmail, - } - - client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() - client.On("RevokeOrganizationAccess", expectedOrganization, expectedUser.ID, expectedRole).Return(nil).Once() - - pc := &domain.ProviderConfig{ - Credentials: frontier.Credentials{ - Host: "localhost", - AuthEmail: "test_email", - }, - Resources: []*domain.ResourceConfig{ - { - Type: frontier.ResourceTypeOrganization, - Roles: []*domain.Role{ - { - ID: "admin", - Permissions: []interface{}{expectedRole}, - }, - }, - }, - }, - URN: providerURN, - } - a := domain.Grant{ - Resource: &domain.Resource{ - Type: frontier.ResourceTypeOrganization, - URN: "organization:org_id", - Name: "org_1", - Details: map[string]interface{}{ - "id": "org_id", - "admins": []interface{}{"testAdmin@email.com"}, - }, - }, - Role: "admin", - Permissions: []string{expectedRole}, - AccountID: expectedUserEmail, - ResourceID: "999", - ID: "999", - } - - actualError := p.RevokeAccess(pc, a) - - assert.Nil(t, actualError) - client.AssertExpectations(t) - }) - }) -} - -func TestGetAccountTypes(t *testing.T) { - expectedAccountType := []string{"user"} - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("", logger) - - actualAccountType := p.GetAccountTypes() - - assert.Equal(t, expectedAccountType, actualAccountType) -} - -func TestGetRoles(t *testing.T) { - t.Run("should return error if resource type is invalid", func(t *testing.T) { - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("shield", logger) - validConfig := &domain.ProviderConfig{ - Type: "shield", - URN: "test-URN", - AllowedAccountTypes: []string{"user"}, - Credentials: map[string]interface{}{}, - Resources: []*domain.ResourceConfig{ - { - Type: "team", - Policy: &domain.PolicyConfig{ - ID: "test-policy-1", - Version: 1, - }, - }, - { - Type: "project", - Policy: &domain.PolicyConfig{ - ID: "test-policy-2", - Version: 1, - }, - }, - { - Type: "organization", - Policy: &domain.PolicyConfig{ - ID: "test-policy-3", - Version: 1, - }, - }, - }, - } - - actualRoles, actualError := p.GetRoles(validConfig, "invalid_resource_type") - - assert.Nil(t, actualRoles) - assert.ErrorIs(t, actualError, provider.ErrInvalidResourceType) - }) - - t.Run("should return roles specified in the provider config", func(t *testing.T) { - logger := log.NewLogrus(log.LogrusWithLevel("info")) - p := frontier.NewProvider("shield", logger) - - expectedRoles := []*domain.Role{ - { - ID: "test-role", - Name: "test_role_name", - }, - } - - validConfig := &domain.ProviderConfig{ - Type: "shield", - URN: "test-URN", - AllowedAccountTypes: []string{"user"}, - Credentials: map[string]interface{}{}, - Resources: []*domain.ResourceConfig{ - { - Type: "team", - Policy: &domain.PolicyConfig{ - ID: "test-policy-1", - Version: 1, - }, - Roles: expectedRoles, - }, - }, - } - - actualRoles, actualError := p.GetRoles(validConfig, "team") - - assert.NoError(t, actualError) - assert.Equal(t, expectedRoles, actualRoles) - }) -} +// import ( +// "errors" +// "testing" + +// "github.com/raystack/salt/log" + +// "github.com/raystack/guardian/core/provider" +// "github.com/raystack/guardian/domain" +// "github.com/raystack/guardian/mocks" +// "github.com/raystack/guardian/plugins/providers/frontier" +// "github.com/stretchr/testify/assert" +// "github.com/stretchr/testify/mock" +// ) + +// func TestGetType(t *testing.T) { +// t.Run("should return provider type name", func(t *testing.T) { +// expectedTypeName := domain.ProviderTypeFrontier +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider(expectedTypeName, logger) + +// actualTypeName := p.GetType() + +// assert.Equal(t, expectedTypeName, actualTypeName) +// }) +// } + +// func TestCreateConfig(t *testing.T) { +// t.Run("should return error if there resource config is invalid", func(t *testing.T) { +// providerURN := "test-provider-urn" +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// testcases := []struct { +// pc *domain.ProviderConfig +// }{ +// { +// pc: &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test-email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: "invalid resource type", +// }, +// }, +// }, +// }, +// { +// pc: &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test-email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeTeam, +// Roles: []*domain.Role{ +// { +// ID: "member", +// Permissions: []interface{}{"wrong permissions"}, +// }, +// }, +// }, +// }, +// }, +// }, +// } + +// for _, tc := range testcases { +// actualError := p.CreateConfig(tc.pc) +// assert.Error(t, actualError) +// } +// }) + +// t.Run("should not return error if parse and valid of Credentials are correct", func(t *testing.T) { +// providerURN := "test-provider-urn" +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// testcases := []struct { +// pc *domain.ProviderConfig +// expectedError error +// }{ +// { +// pc: &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test-email", +// AuthHeader: "X-Auth-Email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeTeam, +// Roles: []*domain.Role{ +// { +// ID: "member", +// Permissions: []interface{}{"users"}, +// }, +// { +// ID: "admin", +// Permissions: []interface{}{"admins"}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// }, +// expectedError: nil, +// }, +// { +// pc: &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test-email", +// AuthHeader: "X-Auth-Email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeProject, +// Roles: []*domain.Role{ +// { +// ID: "admin", +// Permissions: []interface{}{"admins"}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// }, +// expectedError: nil, +// }, +// { +// pc: &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test-email", +// AuthHeader: "X-Auth-Email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeOrganization, +// Roles: []*domain.Role{ +// { +// ID: "admin", +// Permissions: []interface{}{"admins"}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// }, +// expectedError: nil, +// }, +// } + +// for _, tc := range testcases { +// actualError := p.CreateConfig(tc.pc) +// assert.Equal(t, tc.expectedError, actualError) +// } +// }) +// } + +// func TestGetResources(t *testing.T) { +// t.Run("should return error if credentials is invalid", func(t *testing.T) { +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) + +// pc := &domain.ProviderConfig{ +// Credentials: "invalid-creds", +// } + +// actualResources, actualError := p.GetResources(pc) + +// assert.Nil(t, actualResources) +// assert.Error(t, actualError) +// }) + +// t.Run("should return error if got any on getting team resources", func(t *testing.T) { +// providerURN := "test-provider-urn" +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// pc := &domain.ProviderConfig{ +// URN: providerURN, +// Credentials: map[string]interface{}{}, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeTeam, +// }, +// }, +// } +// expectedError := errors.New("client error") +// client.On("GetTeams").Return(nil, expectedError).Once() + +// actualResources, actualError := p.GetResources(pc) + +// assert.Nil(t, actualResources) +// assert.EqualError(t, actualError, expectedError.Error()) +// }) + +// t.Run("should return error if got any on getting project resources", func(t *testing.T) { +// providerURN := "test-provider-urn" +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// pc := &domain.ProviderConfig{ +// URN: providerURN, +// Credentials: map[string]interface{}{}, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeProject, +// }, +// }, +// } +// expectedError := errors.New("client error") +// client.On("GetProjects").Return(nil, expectedError).Once() + +// actualResources, actualError := p.GetResources(pc) + +// assert.Nil(t, actualResources) +// assert.EqualError(t, actualError, expectedError.Error()) +// }) + +// t.Run("should return error if got any on getting organization resources", func(t *testing.T) { +// providerURN := "test-provider-urn" +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// pc := &domain.ProviderConfig{ +// URN: providerURN, +// Credentials: map[string]interface{}{}, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeOrganization, +// }, +// }, +// } +// expectedError := errors.New("client error") +// client.On("GetOrganizations").Return(nil, expectedError).Once() + +// actualResources, actualError := p.GetResources(pc) + +// assert.Nil(t, actualResources) +// assert.EqualError(t, actualError, expectedError.Error()) +// }) + +// t.Run("should return list of resources and nil error on success", func(t *testing.T) { +// providerURN := "test-provider-urn" +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// pc := &domain.ProviderConfig{ +// URN: providerURN, +// Credentials: map[string]interface{}{}, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeTeam, +// }, +// { +// Type: frontier.ResourceTypeProject, +// }, +// { +// Type: frontier.ResourceTypeOrganization, +// }, +// }, +// } +// expectedTeams := []*frontier.Team{ +// { +// ID: "team_id", +// Name: "team_1", +// OrgId: "org_id", +// Metadata: frontier.Metadata{ +// Email: "team_1@gojek.com", +// Privacy: "public", +// Slack: "team_1_slack", +// }, +// Admins: []string{"testTeamAdmin@gmail.com"}, +// }, +// } +// client.On("GetTeams").Return(expectedTeams, nil).Once() + +// expectedProjects := []*frontier.Project{ +// { +// ID: "project_id", +// Name: "project_1", +// OrgId: "org_id", +// Admins: []string{"testProjectAdmin@gmail.com"}, +// }, +// } +// client.On("GetProjects").Return(expectedProjects, nil).Once() + +// expectedOrganizations := []*frontier.Organization{ +// { +// ID: "org_id", +// Name: "org_1", +// Admins: []string{"testOrganizationAdmin@gmail.com"}, +// }, +// } + +// client.On("GetOrganizations").Return(expectedOrganizations, nil).Once() + +// expectedResources := []*domain.Resource{ +// { +// Type: frontier.ResourceTypeTeam, +// URN: "team:team_id", +// ProviderURN: providerURN, +// Name: "team_1", +// Details: map[string]interface{}{ +// "id": "team_id", +// "orgId": "org_id", +// "admins": []string{"testTeamAdmin@gmail.com"}, +// "metadata": frontier.Metadata{ +// Email: "team_1@gojek.com", +// Privacy: "public", +// Slack: "team_1_slack", +// }, +// }, +// }, { +// Type: frontier.ResourceTypeProject, +// URN: "project:project_id", +// ProviderURN: providerURN, +// Name: "project_1", +// Details: map[string]interface{}{ +// "id": "project_id", +// "orgId": "org_id", +// "admins": []string{"testProjectAdmin@gmail.com"}, +// }, +// }, +// { +// Type: frontier.ResourceTypeOrganization, +// URN: "organization:org_id", +// ProviderURN: providerURN, +// Name: "org_1", +// Details: map[string]interface{}{ +// "id": "org_id", +// "admins": []string{"testOrganizationAdmin@gmail.com"}, +// }, +// }, +// } + +// actualResources, actualError := p.GetResources(pc) + +// assert.Equal(t, expectedResources, actualResources) +// assert.Nil(t, actualError) +// }) +// } + +// func TestGrantAccess(t *testing.T) { +// t.Run("should return error if credentials is invalid", func(t *testing.T) { +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) + +// pc := &domain.ProviderConfig{ +// Credentials: "invalid-credentials", +// Resources: []*domain.ResourceConfig{ +// { +// Type: "test-type", +// Roles: []*domain.Role{ +// { +// ID: "test-role", +// Permissions: []interface{}{"test-permission-config"}, +// }, +// }, +// }, +// }, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: "test-type", +// }, +// Role: "test-role", +// } + +// actualError := p.GrantAccess(pc, a) +// assert.Error(t, actualError) +// }) + +// t.Run("should return error if resource type in unknown", func(t *testing.T) { +// providerURN := "test-provider-urn" +// expectedError := errors.New("invalid resource type") +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) + +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "http://localhost/", +// AuthEmail: "test-email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: "test-type", +// Roles: []*domain.Role{ +// { +// ID: "test-role", +// Permissions: []interface{}{"test-permission-config"}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } + +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: "test-type", +// }, +// Role: "test-role", +// AccountID: expectedUserEmail, +// } + +// actualError := p.GrantAccess(pc, a) + +// assert.EqualError(t, actualError, expectedError.Error()) +// }) + +// t.Run("given team resource", func(t *testing.T) { +// t.Run("should return error if there is an error in granting team access", func(t *testing.T) { +// providerURN := "test-provider-urn" +// expectedError := errors.New("client error") +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() +// client.On("GrantTeamAccess", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(expectedError).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeTeam, +// Roles: []*domain.Role{ +// { +// ID: "test-role", +// Permissions: []interface{}{"test-permission-config"}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: frontier.ResourceTypeTeam, +// URN: "team:team_id", +// Name: "team_1", +// Details: map[string]interface{}{ +// "id": "team_id", +// "orgId": "456", +// "admins": []interface{}{"testAdmin@email.com"}, +// "metadata": frontier.Metadata{ +// Email: "team_1@gojek.com", +// Privacy: "public", +// Slack: "team_1_slack", +// }, +// }, +// }, +// Role: "test-role", +// AccountID: expectedUserEmail, +// Permissions: []string{"test-permission-config"}, +// } + +// actualError := p.GrantAccess(pc, a) + +// assert.EqualError(t, actualError, expectedError.Error()) +// }) + +// t.Run("should return nil error if granting access is successful", func(t *testing.T) { +// providerURN := "test-provider-urn" +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// client := new(mocks.ShieldClient) +// expectedTeam := &frontier.Team{ +// Name: "team_1", +// ID: "team_id", +// } + +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// expectedRole := "users" +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() +// client.On("GrantTeamAccess", expectedTeam, expectedUser.ID, expectedRole).Return(nil).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeTeam, +// Roles: []*domain.Role{ +// { +// ID: "member", +// Permissions: []interface{}{expectedRole}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: frontier.ResourceTypeTeam, +// URN: "team:team_id", +// Name: "team_1", +// Details: map[string]interface{}{ +// "id": "team_id", +// "orgId": "456", +// "admins": []interface{}{"testAdmin@email.com"}, +// "metadata": frontier.Metadata{ +// Email: "team_1@gojek.com", +// Privacy: "public", +// Slack: "team_1_slack", +// }, +// }, +// }, +// Role: "member", +// AccountID: expectedUserEmail, +// ResourceID: "999", +// ID: "999", +// } + +// actualError := p.GrantAccess(pc, a) + +// assert.Nil(t, actualError) +// }) +// }) + +// t.Run("given project resource", func(t *testing.T) { +// t.Run("should return error if there is an error in granting project access", func(t *testing.T) { +// providerURN := "test-provider-urn" +// expectedError := errors.New("client error") +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() +// client.On("GrantProjectAccess", mock.Anything, mock.Anything, mock.Anything).Return(expectedError).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeProject, +// Roles: []*domain.Role{ +// { +// ID: "test-role", +// Permissions: []interface{}{"test-permission-config"}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: frontier.ResourceTypeProject, +// URN: "project:project_id", +// Name: "project_1", +// Details: map[string]interface{}{ +// "id": "project_id", +// "orgId": "456", +// "admins": []interface{}{"testAdmin@email.com"}, +// }, +// }, +// Role: "test-role", +// AccountID: expectedUserEmail, +// Permissions: []string{"test-permission-config"}, +// } + +// actualError := p.GrantAccess(pc, a) + +// assert.EqualError(t, actualError, expectedError.Error()) +// }) + +// t.Run("should return nil error if granting access is successful", func(t *testing.T) { +// providerURN := "test-provider-urn" +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// client := new(mocks.ShieldClient) +// expectedProject := &frontier.Project{ +// Name: "project_1", +// ID: "project_id", +// } +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// expectedRole := "admins" +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() +// client.On("GrantProjectAccess", expectedProject, expectedUser.ID, expectedRole).Return(nil).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeProject, +// Roles: []*domain.Role{ +// { +// ID: "admin", +// Permissions: []interface{}{expectedRole}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: frontier.ResourceTypeProject, +// URN: "project:project_id", +// Name: "project_1", +// Details: map[string]interface{}{ +// "id": "project_id", +// "orgId": "456", +// "admins": []interface{}{"testAdmin@email.com"}, +// }, +// }, +// Role: "admin", +// AccountID: expectedUserEmail, +// ResourceID: "999", +// ID: "999", +// } + +// actualError := p.GrantAccess(pc, a) + +// assert.Nil(t, actualError) +// }) +// }) + +// t.Run("given organization resource", func(t *testing.T) { +// t.Run("should return error if there is an error in granting organization access", func(t *testing.T) { +// providerURN := "test-provider-urn" +// expectedError := errors.New("client error") +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() +// client.On("GrantOrganizationAccess", mock.Anything, mock.Anything, mock.Anything).Return(expectedError).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeOrganization, +// Roles: []*domain.Role{ +// { +// ID: "test-role", +// Permissions: []interface{}{"test-permission-config"}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: frontier.ResourceTypeOrganization, +// URN: "organization:org_id", +// Name: "org_1", +// Details: map[string]interface{}{ +// "id": "org_id", +// "admins": []interface{}{"testAdmin@email.com"}, +// }, +// }, +// Role: "test-role", +// AccountID: expectedUserEmail, +// Permissions: []string{"test-permission-config"}, +// } + +// actualError := p.GrantAccess(pc, a) + +// assert.EqualError(t, actualError, expectedError.Error()) +// }) + +// t.Run("should return nil error if granting access is successful", func(t *testing.T) { +// providerURN := "test-provider-urn" +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// client := new(mocks.ShieldClient) +// expectedOrganization := &frontier.Organization{ +// Name: "org_1", +// ID: "org_id", +// } +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// expectedRole := "admins" +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() +// client.On("GrantOrganizationAccess", expectedOrganization, expectedUser.ID, expectedRole).Return(nil).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeOrganization, +// Roles: []*domain.Role{ +// { +// ID: "admin", +// Permissions: []interface{}{expectedRole}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: frontier.ResourceTypeOrganization, +// URN: "organization:org_id", +// Name: "org_1", +// Details: map[string]interface{}{ +// "id": "org_id", +// "admins": []interface{}{"testAdmin@email.com"}, +// }, +// }, +// Role: "admin", +// AccountID: expectedUserEmail, +// ResourceID: "999", +// ID: "999", +// } + +// actualError := p.GrantAccess(pc, a) + +// assert.Nil(t, actualError) +// }) +// }) +// } + +// func TestRevokeAccess(t *testing.T) { +// t.Run("should return error if credentials is invalid", func(t *testing.T) { +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) + +// pc := &domain.ProviderConfig{ +// Credentials: "invalid-credentials", +// Resources: []*domain.ResourceConfig{ +// { +// Type: "test-type", +// Roles: []*domain.Role{ +// { +// ID: "test-role", +// Permissions: []interface{}{"test-permission-config"}, +// }, +// }, +// }, +// }, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: "test-type", +// }, +// Role: "test-role", +// } + +// actualError := p.RevokeAccess(pc, a) +// assert.Error(t, actualError) +// }) + +// t.Run("should return error if resource type in unknown", func(t *testing.T) { +// providerURN := "test-provider-urn" +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// expectedError := errors.New("invalid resource type") +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "http://localhost/", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: "test-type", +// Roles: []*domain.Role{ +// { +// ID: "test-role", +// Permissions: []interface{}{"test-permission-config"}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: "test-type", +// }, +// Role: "test-role", +// AccountID: expectedUserEmail, +// } + +// actualError := p.RevokeAccess(pc, a) +// assert.EqualError(t, actualError, expectedError.Error()) +// }) + +// t.Run("given team resource", func(t *testing.T) { +// t.Run("should return error if there is an error in revoking team access", func(t *testing.T) { +// providerURN := "test-provider-urn" +// expectedError := errors.New("client error") +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() +// client.On("RevokeTeamAccess", mock.Anything, mock.Anything, mock.Anything).Return(expectedError).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeTeam, +// Roles: []*domain.Role{ +// { +// ID: "test-role", +// Permissions: []interface{}{"test-permission-config"}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: frontier.ResourceTypeTeam, +// URN: "team:team_id", +// Name: "team_1", +// Details: map[string]interface{}{ +// "id": "team_id", +// "orgId": "456", +// "admins": []interface{}{"testAdmin@email.com"}, +// "metadata": frontier.Metadata{ +// Email: "team_1@gojek.com", +// Privacy: "public", +// Slack: "team_1_slack", +// }, +// }, +// }, +// Role: "test-role", +// AccountID: expectedUserEmail, +// Permissions: []string{"test-permission-config"}, +// } + +// actualError := p.RevokeAccess(pc, a) + +// assert.EqualError(t, actualError, expectedError.Error()) +// }) + +// t.Run("should return nil error if revoking team access is successful", func(t *testing.T) { +// providerURN := "test-provider-urn" +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// client := new(mocks.ShieldClient) +// expectedTeam := &frontier.Team{ +// Name: "team_1", +// ID: "team_id", +// OrgId: "456", +// Metadata: frontier.Metadata{ +// Email: "team_1@gojek.com", +// Privacy: "public", +// Slack: "team_1_slack", +// }, +// Admins: []string{"testAdmin@email.com"}, +// } + +// expectedRole := "admins" +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() +// client.On("RevokeTeamAccess", expectedTeam, expectedUser.ID, expectedRole).Return(nil).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeTeam, +// Roles: []*domain.Role{ +// { +// ID: "admin", +// Permissions: []interface{}{expectedRole}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: frontier.ResourceTypeTeam, +// URN: "team:team_id", +// Name: "team_1", +// Details: map[string]interface{}{ +// "id": "team_id", +// "orgId": "456", +// "admins": []interface{}{"testAdmin@email.com"}, +// "metadata": frontier.Metadata{ +// Email: "team_1@gojek.com", +// Privacy: "public", +// Slack: "team_1_slack", +// }, +// }, +// }, +// Role: "admin", +// Permissions: []string{expectedRole}, +// AccountID: expectedUserEmail, +// ResourceID: "999", +// ID: "999", +// } + +// actualError := p.RevokeAccess(pc, a) + +// assert.Nil(t, actualError) +// client.AssertExpectations(t) +// }) +// }) + +// t.Run("given project resource", func(t *testing.T) { +// t.Run("should return error if there is an error in revoking project access", func(t *testing.T) { +// providerURN := "test-provider-urn" +// expectedError := errors.New("client error") +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() + +// client.On("RevokeProjectAccess", mock.Anything, mock.Anything, mock.Anything).Return(expectedError).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeProject, +// Roles: []*domain.Role{ +// { +// ID: "test-role", +// Permissions: []interface{}{"test-permission-config"}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: frontier.ResourceTypeProject, +// URN: "project:project_id", +// Name: "project_1", +// Details: map[string]interface{}{ +// "id": "project_id", +// "orgId": "456", +// "admins": []interface{}{"testAdmin@email.com"}, +// }, +// }, +// Role: "test-role", +// AccountID: expectedUserEmail, +// Permissions: []string{"test-permission-config"}, +// } + +// actualError := p.RevokeAccess(pc, a) + +// assert.EqualError(t, actualError, expectedError.Error()) +// }) + +// t.Run("should return nil error if revoking access is successful", func(t *testing.T) { +// providerURN := "test-provider-urn" +// client := new(mocks.ShieldClient) +// expectedProject := &frontier.Project{ +// Name: "project_1", +// ID: "project_id", +// OrgId: "456", +// Admins: []string{"testAdmin@email.com"}, +// } +// expectedRole := "admins" +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) + +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() +// client.On("RevokeProjectAccess", expectedProject, expectedUser.ID, expectedRole).Return(nil).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeProject, +// Roles: []*domain.Role{ +// { +// ID: "admin", +// Permissions: []interface{}{expectedRole}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: frontier.ResourceTypeProject, +// URN: "project:project_id", +// Name: "project_1", +// Details: map[string]interface{}{ +// "id": "project_id", +// "orgId": "456", +// "admins": []interface{}{"testAdmin@email.com"}, +// }, +// }, +// Role: "admin", +// Permissions: []string{expectedRole}, +// AccountID: expectedUserEmail, +// ResourceID: "999", +// ID: "999", +// } + +// actualError := p.RevokeAccess(pc, a) + +// assert.Nil(t, actualError) +// client.AssertExpectations(t) +// }) +// }) + +// t.Run("given Organization resource", func(t *testing.T) { +// t.Run("should return error if there is an error in revoking organization access", func(t *testing.T) { +// providerURN := "test-provider-urn" +// expectedError := errors.New("client error") +// client := new(mocks.ShieldClient) +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } + +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() +// client.On("RevokeOrganizationAccess", mock.Anything, mock.Anything, mock.Anything).Return(expectedError).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeOrganization, +// Roles: []*domain.Role{ +// { +// ID: "test-role", +// Permissions: []interface{}{"test-permission-config"}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } + +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: frontier.ResourceTypeOrganization, +// URN: "organization:org_id", +// Name: "org_1", +// Details: map[string]interface{}{ +// "id": "org_id", +// "admins": []interface{}{"testAdmin@email.com"}, +// }, +// }, +// Role: "test-role", +// AccountID: expectedUserEmail, +// Permissions: []string{"test-permission-config"}, +// } + +// actualError := p.RevokeAccess(pc, a) + +// assert.EqualError(t, actualError, expectedError.Error()) +// }) + +// t.Run("should return nil error if revoking access is successful", func(t *testing.T) { +// providerURN := "test-provider-urn" +// client := new(mocks.ShieldClient) +// expectedOrganization := &frontier.Organization{ +// Name: "org_1", +// ID: "org_id", +// Admins: []string{"testAdmin@email.com"}, +// } +// expectedRole := "admins" +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) + +// p.Clients = map[string]frontier.Client{ +// providerURN: client, +// } +// expectedUserEmail := "test@email.com" +// expectedUser := &frontier.User{ +// ID: "test_user_id", +// Name: "test_user", +// Email: expectedUserEmail, +// } + +// client.On("GetSelfUser", expectedUserEmail).Return(expectedUser, nil).Once() +// client.On("RevokeOrganizationAccess", expectedOrganization, expectedUser.ID, expectedRole).Return(nil).Once() + +// pc := &domain.ProviderConfig{ +// Credentials: frontier.Credentials{ +// Host: "localhost", +// AuthEmail: "test_email", +// }, +// Resources: []*domain.ResourceConfig{ +// { +// Type: frontier.ResourceTypeOrganization, +// Roles: []*domain.Role{ +// { +// ID: "admin", +// Permissions: []interface{}{expectedRole}, +// }, +// }, +// }, +// }, +// URN: providerURN, +// } +// a := domain.Grant{ +// Resource: &domain.Resource{ +// Type: frontier.ResourceTypeOrganization, +// URN: "organization:org_id", +// Name: "org_1", +// Details: map[string]interface{}{ +// "id": "org_id", +// "admins": []interface{}{"testAdmin@email.com"}, +// }, +// }, +// Role: "admin", +// Permissions: []string{expectedRole}, +// AccountID: expectedUserEmail, +// ResourceID: "999", +// ID: "999", +// } + +// actualError := p.RevokeAccess(pc, a) + +// assert.Nil(t, actualError) +// client.AssertExpectations(t) +// }) +// }) +// } + +// func TestGetAccountTypes(t *testing.T) { +// expectedAccountType := []string{"user"} +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("", logger) + +// actualAccountType := p.GetAccountTypes() + +// assert.Equal(t, expectedAccountType, actualAccountType) +// } + +// func TestGetRoles(t *testing.T) { +// t.Run("should return error if resource type is invalid", func(t *testing.T) { +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("shield", logger) +// validConfig := &domain.ProviderConfig{ +// Type: "shield", +// URN: "test-URN", +// AllowedAccountTypes: []string{"user"}, +// Credentials: map[string]interface{}{}, +// Resources: []*domain.ResourceConfig{ +// { +// Type: "team", +// Policy: &domain.PolicyConfig{ +// ID: "test-policy-1", +// Version: 1, +// }, +// }, +// { +// Type: "project", +// Policy: &domain.PolicyConfig{ +// ID: "test-policy-2", +// Version: 1, +// }, +// }, +// { +// Type: "organization", +// Policy: &domain.PolicyConfig{ +// ID: "test-policy-3", +// Version: 1, +// }, +// }, +// }, +// } + +// actualRoles, actualError := p.GetRoles(validConfig, "invalid_resource_type") + +// assert.Nil(t, actualRoles) +// assert.ErrorIs(t, actualError, provider.ErrInvalidResourceType) +// }) + +// t.Run("should return roles specified in the provider config", func(t *testing.T) { +// logger := log.NewLogrus(log.LogrusWithLevel("info")) +// p := frontier.NewProvider("shield", logger) + +// expectedRoles := []*domain.Role{ +// { +// ID: "test-role", +// Name: "test_role_name", +// }, +// } + +// validConfig := &domain.ProviderConfig{ +// Type: "shield", +// URN: "test-URN", +// AllowedAccountTypes: []string{"user"}, +// Credentials: map[string]interface{}{}, +// Resources: []*domain.ResourceConfig{ +// { +// Type: "team", +// Policy: &domain.PolicyConfig{ +// ID: "test-policy-1", +// Version: 1, +// }, +// Roles: expectedRoles, +// }, +// }, +// } + +// actualRoles, actualError := p.GetRoles(validConfig, "team") + +// assert.NoError(t, actualError) +// assert.Equal(t, expectedRoles, actualRoles) +// }) +// }