Merge pull request GoogleCloudPlatform#2826 from maqiuyujoyce/202408-pam-mockgcp

Support mockgcp test for PrivilegedAccessManagerEntitlement

Author: google-oss-prow[bot]

config/tests/samples/create/harness.go

@@ -736,7 +736,7 @@ func MaybeSkip(t *testing.T, name string, resources []*unstructured.Unstructured
 
 			case schema.GroupKind{Group: "privateca.cnrm.cloud.google.com", Kind: "PrivateCACAPool"}:
 
-			case schema.GroupKind{Group: "privilegedaccessmanager.cnrm.google.com", Kind: "PrivilegedAccessManagerEntitlement"}:
+			case schema.GroupKind{Group: "privilegedaccessmanager.cnrm.cloud.google.com", Kind: "PrivilegedAccessManagerEntitlement"}:
 
 			case schema.GroupKind{Group: "pubsub.cnrm.cloud.google.com", Kind: "PubSubSchema"}:
 			case schema.GroupKind{Group: "pubsub.cnrm.cloud.google.com", Kind: "PubSubSubscription"}:

mockgcp/mockprivilegedaccessmanager/entitlement.go

@@ -16,11 +16,16 @@ package mockprivilegedaccessmanager
 
 import (
 	"context"
+	"crypto/md5"
+	"encoding/base64"
+	"fmt"
+	"time"
 
 	"google.golang.org/genproto/googleapis/longrunning"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/types/known/timestamppb"
 
 	pb "github.com/GoogleCloudPlatform/k8s-config-connector/mockgcp/generated/mockgcp/cloud/privilegedaccessmanager/v1"
 )
@@ -40,6 +45,9 @@ func (s *PrivilegedAccessManager) GetEntitlement(ctx context.Context, req *pb.Ge
 
 	obj := &pb.Entitlement{}
 	if err := s.storage.Get(ctx, fqn, obj); err != nil {
+		if status.Code(err) == codes.NotFound {
+			return nil, status.Errorf(codes.NotFound, "Resource '%s' was not found", fqn)
+		}
 		return nil, err
 	}
 
@@ -53,16 +61,25 @@ func (s *PrivilegedAccessManager) CreateEntitlement(ctx context.Context, req *pb
 		return nil, err
 	}
 
+	now := timestamppb.New(time.Now())
 	fqn := name.String()
 
 	obj := proto.Clone(req.Entitlement).(*pb.Entitlement)
 	obj.Name = fqn
-
+	obj.CreateTime = now
+	obj.UpdateTime = now
+	obj.Etag = computeEtag(obj)
+	obj.State = pb.Entitlement_AVAILABLE
 	if err := s.storage.Create(ctx, fqn, obj); err != nil {
 		return nil, err
 	}
 
-	return s.operations.NewLRO(ctx)
+	metadata := constructOperationMetadata(fqn, "create")
+	return s.operations.StartLRO(ctx, name.parent(), metadata, func() (proto.Message, error) {
+		result := proto.Clone(obj).(*pb.Entitlement)
+		metadata.EndTime = now
+		return result, nil
+	})
 }
 
 func (s *PrivilegedAccessManager) UpdateEntitlement(ctx context.Context, req *pb.UpdateEntitlementRequest) (*longrunning.Operation, error) {
@@ -82,7 +99,6 @@ func (s *PrivilegedAccessManager) UpdateEntitlement(ctx context.Context, req *pb
 	// Required. A list of fields to be updated in this request.
 	paths := req.GetUpdateMask().GetPaths()
 
-	// TODO: Some sort of helper for fieldmask?
 	for _, path := range paths {
 		switch path {
 		case "eligibleUsers":
@@ -106,7 +122,13 @@ func (s *PrivilegedAccessManager) UpdateEntitlement(ctx context.Context, req *pb
 		return nil, err
 	}
 
-	return s.operations.NewLRO(ctx)
+	metadata := constructOperationMetadata(fqn, "update")
+	return s.operations.StartLRO(ctx, name.parent(), metadata, func() (proto.Message, error) {
+		result := proto.Clone(obj).(*pb.Entitlement)
+		now := timestamppb.New(time.Now())
+		metadata.EndTime = now
+		return result, nil
+	})
 }
 
 func (s *PrivilegedAccessManager) DeleteEntitlement(ctx context.Context, req *pb.DeleteEntitlementRequest) (*longrunning.Operation, error) {
@@ -121,6 +143,33 @@ func (s *PrivilegedAccessManager) DeleteEntitlement(ctx context.Context, req *pb
 	if err := s.storage.Delete(ctx, fqn, oldObj); err != nil {
 		return nil, err
 	}
+	metadata := constructOperationMetadata(fqn, "delete")
+	return s.operations.StartLRO(ctx, name.parent(), metadata, func() (proto.Message, error) {
+		result := proto.Clone(oldObj).(*pb.Entitlement)
+		result.State = pb.Entitlement_DELETED
+		result.Name = "projects/${projectNumber}/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId}"
+		now := timestamppb.New(time.Now())
+		metadata.EndTime = now
+		return result, nil
+	})
+}
+
+func computeEtag(obj proto.Message) string {
+	b, err := proto.Marshal(obj)
+	if err != nil {
+		panic(fmt.Sprintf("converting to proto: %v", err))
+	}
+	hash := md5.Sum(b)
+	return base64.URLEncoding.EncodeToString(hash[:])
+}
 
-	return s.operations.NewLRO(ctx)
+func constructOperationMetadata(target, verb string) *pb.OperationMetadata {
+	now := timestamppb.New(time.Now())
+	return &pb.OperationMetadata{
+		Target:                target,
+		CreateTime:            now,
+		ApiVersion:            "v1",
+		RequestedCancellation: false,
+		Verb:                  verb,
+	}
 }

mockgcp/mockprivilegedaccessmanager/names.go

@@ -15,43 +15,44 @@
 package mockprivilegedaccessmanager
 
 import (
+	"fmt"
 	"strings"
 
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
-
-	"github.com/GoogleCloudPlatform/k8s-config-connector/mockgcp/common/projects"
 )
 
 type entitlementName struct {
-	Project       *projects.ProjectData
+	Container     string
 	Location      string
 	EntitlementID string
 }
 
 func (n *entitlementName) String() string {
-	return "projects/" + n.Project.ID + "/locations/" + n.Location + "/entitlements/" + n.EntitlementID
+	return n.parent() + "/entitlements/" + n.EntitlementID
+}
+
+func (n *entitlementName) parent() string {
+	return n.Container + "/locations/" + n.Location
 }
 
 // parseEntitlementName parses a string into a entitlementName.
-// The expected form is projects/<projectID>/locations/<region>/entitlements/<entitlementID>
+// The expected form is projects/<projectID>/locations/<region>/entitlements/<entitlementID>,
+// or folders/<folderID>/locations/<region>/entitlements/<entitlementID>, or
+// organizations/<organizationID>/locations/<region>/entitlements/<entitlementID>.
 func (s *MockService) parseEntitlementName(name string) (*entitlementName, error) {
 	tokens := strings.Split(name, "/")
 
-	if len(tokens) == 6 && tokens[0] == "projects" && tokens[2] == "locations" && tokens[4] == "entitlements" {
-		project, err := s.Projects.GetProjectByID(tokens[1])
-		if err != nil {
-			return nil, err
-		}
+	if len(tokens) == 6 &&
+		(tokens[0] == "projects" || tokens[0] == "folders" || tokens[0] == "organizations") &&
+		tokens[2] == "locations" && tokens[4] == "entitlements" {
 
-		name := &entitlementName{
-			Project:       project,
+		return &entitlementName{
+			Container:     fmt.Sprintf("%s/%s", tokens[0], tokens[1]),
 			Location:      tokens[3],
 			EntitlementID: tokens[5],
-		}
-
-		return name, nil
-	} else {
-		return nil, status.Errorf(codes.InvalidArgument, "name %q is not valid", name)
+		}, nil
 	}
+
+	return nil, status.Errorf(codes.InvalidArgument, "name %q is not valid", name)
 }

mockgcp/mockprivilegedaccessmanager/service.go

@@ -18,10 +18,10 @@ import (
 	"context"
 	"net/http"
 
-	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	"google.golang.org/grpc"
 
 	"github.com/GoogleCloudPlatform/k8s-config-connector/mockgcp/common"
+	"github.com/GoogleCloudPlatform/k8s-config-connector/mockgcp/common/httpmux"
 	"github.com/GoogleCloudPlatform/k8s-config-connector/mockgcp/common/operations"
 	pb "github.com/GoogleCloudPlatform/k8s-config-connector/mockgcp/generated/mockgcp/cloud/privilegedaccessmanager/v1"
 	"github.com/GoogleCloudPlatform/k8s-config-connector/mockgcp/pkg/storage"
@@ -49,19 +49,28 @@ func New(env *common.MockEnvironment, storage storage.Storage) *MockService {
 }
 
 func (s *MockService) ExpectedHosts() []string {
-	return []string{"privilegedaccessmanger.googleapis.com"}
+	return []string{"privilegedaccessmanager.googleapis.com"}
 }
 
 func (s *MockService) Register(grpcServer *grpc.Server) {
 	pb.RegisterPrivilegedAccessManagerServer(grpcServer, s.v1)
 }
 
 func (s *MockService) NewHTTPMux(ctx context.Context, conn *grpc.ClientConn) (http.Handler, error) {
-	mux := runtime.NewServeMux()
 
-	if err := pb.RegisterPrivilegedAccessManagerHandler(ctx, mux, conn); err != nil {
+	mux, err := httpmux.NewServeMux(ctx, conn, httpmux.Options{},
+		pb.RegisterPrivilegedAccessManagerHandler,
+		s.operations.RegisterOperationsPath("/v1/{prefix=**}/operations/{name}"),
+	)
+	if err != nil {
 		return nil, err
 	}
 
+	mux.RewriteError = func(ctx context.Context, error *httpmux.ErrorResponse) {
+		if error.Code == 404 {
+			error.Errors = nil
+		}
+	}
+
 	return mux, nil
 }

tests/e2e/unified_test.go

@@ -652,6 +652,30 @@ func runScenario(ctx context.Context, t *testing.T, testPause bool, fixture reso
 						}
 					})
 
+					// Specific to PAM
+					// Boolean fields in LRO are omitted when false so we need
+					// to add them back.
+					jsonMutators = append(jsonMutators, func(obj map[string]any) {
+						if _, found, _ := unstructured.NestedMap(obj, "metadata"); found {
+							if val, found, err := unstructured.NestedString(obj, "metadata", "@type"); err == nil && found && val == "type.googleapis.com/google.cloud.privilegedaccessmanager.v1.OperationMetadata" {
+								if _, found, err := unstructured.NestedString(obj, "done"); err == nil && !found {
+									// Explicitly set `done` to `false`.
+									if err := unstructured.SetNestedField(obj, false, "done"); err != nil {
+										t.Fatal(err)
+									}
+								}
+
+								if _, found, err := unstructured.NestedString(obj, "metadata", "requestedCancellation"); err == nil && !found {
+									// Explicitly set `metadata.requestedCancellation` to `false`.
+									if err := unstructured.SetNestedField(obj, false, "metadata", "requestedCancellation"); err != nil {
+										t.Fatal(err)
+									}
+								}
+							}
+
+						}
+					})
+
 					// Specific to pubsub
 					addReplacement("revisionCreateTime", "2024-04-01T12:34:56.123456Z")
 					addReplacement("revisionId", "revision-id-placeholder")