Merge pull request GoogleCloudPlatform#2872 from maqiuyujoyce/202410-pam-full

Support full test cases for PrivilegedAccessManagerEntitlement

Author: google-oss-prow[bot]

mockgcp/mockprivilegedaccessmanager/entitlement.go

@@ -16,9 +16,6 @@ package mockprivilegedaccessmanager
 
 import (
 	"context"
-	"crypto/md5"
-	"encoding/base64"
-	"fmt"
 	"time"
 
 	"google.golang.org/genproto/googleapis/longrunning"
@@ -27,6 +24,7 @@ import (
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
+	"github.com/GoogleCloudPlatform/k8s-config-connector/mockgcp/common/fields"
 	pb "github.com/GoogleCloudPlatform/k8s-config-connector/mockgcp/generated/mockgcp/cloud/privilegedaccessmanager/v1"
 )
 
@@ -68,7 +66,7 @@ func (s *PrivilegedAccessManager) CreateEntitlement(ctx context.Context, req *pb
 	obj.Name = fqn
 	obj.CreateTime = now
 	obj.UpdateTime = now
-	obj.Etag = computeEtag(obj)
+	obj.Etag = fields.ComputeWeakEtag(obj)
 	obj.State = pb.Entitlement_AVAILABLE
 	if err := s.storage.Create(ctx, fqn, obj); err != nil {
 		return nil, err
@@ -147,22 +145,12 @@ func (s *PrivilegedAccessManager) DeleteEntitlement(ctx context.Context, req *pb
 	return s.operations.StartLRO(ctx, name.parent(), metadata, func() (proto.Message, error) {
 		result := proto.Clone(oldObj).(*pb.Entitlement)
 		result.State = pb.Entitlement_DELETED
-		result.Name = "projects/${projectNumber}/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId}"
 		now := timestamppb.New(time.Now())
 		metadata.EndTime = now
 		return result, nil
 	})
 }
 
-func computeEtag(obj proto.Message) string {
-	b, err := proto.Marshal(obj)
-	if err != nil {
-		panic(fmt.Sprintf("converting to proto: %v", err))
-	}
-	hash := md5.Sum(b)
-	return base64.URLEncoding.EncodeToString(hash[:])
-}
-
 func constructOperationMetadata(target, verb string) *pb.OperationMetadata {
 	now := timestamppb.New(time.Now())
 	return &pb.OperationMetadata{

pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/_generated_object_privilegedaccessmanagerentitlement.golden.yaml pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementbasicproject/_generated_object_privilegedaccessmanagerentitlementbasicproject.golden.yaml

@@ -603,7 +603,7 @@ X-Xss-Protection: 0
     ],
     "etag": "abcdef0123A=",
     "maxRequestDuration": "3600s",
-    "name": "projects/${projectNumber}/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId}",
+    "name": "projects/${projectId}/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId}",
     "privilegedAccess": {
       "gcpIamAccess": {
         "resource": "//cloudresourcemanager.googleapis.com/projects/${projectId}",

pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/_http.log pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementbasicproject/_http.log

@@ -0,0 +1,56 @@
+apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1alpha1
+kind: PrivilegedAccessManagerEntitlement
+metadata:
+  finalizers:
+  - cnrm.cloud.google.com/finalizer
+  - cnrm.cloud.google.com/deletion-defender
+  generation: 2
+  labels:
+    cnrm-test: "true"
+  name: privilegedaccessmanagerentitlement-${uniqueId}
+  namespace: ${uniqueId}
+spec:
+  additionalNotificationTargets:
+    adminEmailRecipients:
+    - gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com
+    - gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com
+    requesterEmailRecipients:
+    - gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com
+  approvalWorkflow:
+    manualApprovals:
+      requireApproverJustification: true
+      step:
+      - approvalsNeeded: 1
+        approverEmailRecipients:
+        - gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com
+        approvers:
+        - principals:
+          - group:[email protected]
+  eligibleUsers:
+  - principals:
+    - serviceAccount:gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com
+  folderRef:
+    external: folders/123451001
+  location: global
+  maxRequestDuration: 1h0m0s
+  privilegedAccess:
+    gcpIAMAccess:
+      roleBindings:
+      - conditionExpression: request.time > timestamp("2020-10-31T12:00:00.000Z")
+        role: roles/storage.objectViewer
+  requesterJustificationConfig:
+    notMandatory: {}
+status:
+  conditions:
+  - lastTransitionTime: "1970-01-01T00:00:00Z"
+    message: The resource is up to date
+    reason: UpToDate
+    status: "True"
+    type: Ready
+  externalRef: //privilegedaccessmanager.googleapis.com/folders/123451001/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId}
+  observedGeneration: 2
+  observedState:
+    createTime: "1970-01-01T00:00:00Z"
+    etag: abcdef123456
+    state: AVAILABLE
+    updateTime: "1970-01-01T00:00:00Z"