[v16] Implement auto-approvals for datadog (#47602)
* Implement auto-approvals for datadog * Address feedback - Use standard teleport.dev/schedules annotation - Link Datadog API docs * Check annotations before api calls
1 parent
8bf9dbc
commit 4c2ecf7
Showing
21 changed files
with
494 additions
and
19 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -20,7 +20,9 @@ package accessrequest | |
|
||
import ( | ||
"context" | ||
"fmt" | ||
"testing" | ||
"time" | ||
|
||
"github.com/stretchr/testify/mock" | ||
"github.com/stretchr/testify/require" | ||
|
@@ -39,6 +41,22 @@ func (m *mockTeleportClient) GetRole(ctx context.Context, name string) (types.Ro | |
return args.Get(0).(types.Role), args.Error(1) | ||
} | ||
|
||
func (m *mockTeleportClient) SubmitAccessReview(ctx context.Context, review types.AccessReviewSubmission) (types.AccessRequest, error) { | ||
review.Review.Created = time.Time{} | ||
args := m.Called(ctx, review) | ||
return (types.AccessRequest)(nil), args.Error(1) | ||
} | ||
|
||
type mockMessagingBot struct { | ||
mock.Mock | ||
MessagingBot | ||
} | ||
|
||
func (m *mockMessagingBot) FetchOncallUsers(ctx context.Context, req types.AccessRequest) ([]string, error) { | ||
args := m.Called(ctx, req) | ||
return args.Get(0).([]string), args.Error(1) | ||
} | ||
|
||
func TestGetLoginsByRole(t *testing.T) { | ||
teleportClient := &mockTeleportClient{} | ||
teleportClient.On("GetRole", mock.Anything, "admin").Return(&types.RoleV6{ | ||
|
@@ -82,3 +100,72 @@ func TestGetLoginsByRole(t *testing.T) { | |
require.Equal(t, expected, loginsByRole) | ||
teleportClient.AssertNumberOfCalls(t, "GetRole", 3) | ||
} | ||
|
||
func TestTryApproveRequest(t *testing.T) { | ||
teleportClient := &mockTeleportClient{} | ||
bot := &mockMessagingBot{} | ||
app := App{ | ||
apiClient: teleportClient, | ||
bot: bot, | ||
teleportUser: "test-access-plugin", | ||
pluginName: "test", | ||
} | ||
user := "[email protected]" | ||
requestID := "request-0" | ||
|
||
// Example with user on-call | ||
bot.On("FetchOncallUsers", mock.Anything, &types.AccessRequestV3{ | ||
Spec: types.AccessRequestSpecV3{ | ||
User: user, | ||
SystemAnnotations: map[string][]string{ | ||
"example-auto-approvals": {"team-includes-requester"}, | ||
}, | ||
}, | ||
}).Return([]string{user}, (error)(nil)) | ||
|
||
// Example with user not on-call | ||
bot.On("FetchOncallUsers", mock.Anything, &types.AccessRequestV3{ | ||
Spec: types.AccessRequestSpecV3{ | ||
User: user, | ||
SystemAnnotations: map[string][]string{ | ||
"example-auto-approvals": {"team-not-includes-requester"}, | ||
}, | ||
}, | ||
}).Return([]string{"[email protected]"}, (error)(nil)) | ||
|
||
// Successful review | ||
teleportClient.On("SubmitAccessReview", mock.Anything, types.AccessReviewSubmission{ | ||
RequestID: requestID, | ||
Review: types.AccessReview{ | ||
Author: app.teleportUser, | ||
ProposedState: types.RequestState_APPROVED, | ||
Reason: fmt.Sprintf("Access request has been automatically approved by %q plugin because user %q is on-call.", app.pluginName, user), | ||
}, | ||
}).Return((types.AccessRequest)(nil), (error)(nil)) | ||
|
||
ctx := context.Background() | ||
|
||
// Test user is on-call | ||
require.NoError(t, app.tryApproveRequest(ctx, requestID, &types.AccessRequestV3{ | ||
Spec: types.AccessRequestSpecV3{ | ||
User: user, | ||
SystemAnnotations: map[string][]string{ | ||
"example-auto-approvals": {"team-includes-requester"}, | ||
}, | ||
}, | ||
})) | ||
bot.AssertNumberOfCalls(t, "FetchOncallUsers", 1) | ||
teleportClient.AssertNumberOfCalls(t, "SubmitAccessReview", 1) | ||
|
||
// Test user is not on-call | ||
require.NoError(t, app.tryApproveRequest(ctx, requestID, &types.AccessRequestV3{ | ||
Spec: types.AccessRequestSpecV3{ | ||
User: user, | ||
SystemAnnotations: map[string][]string{ | ||
"example-auto-approvals": {"team-not-includes-requester"}, | ||
}, | ||
}, | ||
})) | ||
bot.AssertNumberOfCalls(t, "FetchOncallUsers", 2) | ||
teleportClient.AssertNumberOfCalls(t, "SubmitAccessReview", 1) | ||
} |
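Review bot: TestTryApproveRequest only covers the two outcomes where FetchOncallUsers succeeds, so nothing pins what happens to an access request when the on-call lookup fails or returns no users, which is the path where an auto-approval feature has to fail closed. I would add a case in which the mocked FetchOncallUsers returns an error and assert that the SubmitAccessReview call count is still 1 afterwards; the sketch below discards tryApproveRequest's return value because its behaviour on a lookup error is not visible in this section. The call-count assertions are also cumulative across cases (`bot.AssertNumberOfCalls(t, "FetchOncallUsers", 2)`), so moving each case into its own `t.Run` subtest with fresh mocks would keep a regression in one case from being masked by another.

```go
	// … unchanged: mock setup, on-call case, not-on-call case …
	teleportClient.AssertNumberOfCalls(t, "SubmitAccessReview", 1)

	// A failed on-call lookup must never lead to an approval.
	lookupFails := &types.AccessRequestV3{
		Spec: types.AccessRequestSpecV3{
			User: user,
			SystemAnnotations: map[string][]string{
				"example-auto-approvals": {"team-lookup-fails"}, // constructed sample value
			},
		},
	}
	bot.On("FetchOncallUsers", mock.Anything, lookupFails).
		Return([]string(nil), fmt.Errorf("constructed lookup failure"))

	// Return value intentionally not asserted: only the absence of a review matters here.
	_ = app.tryApproveRequest(ctx, requestID, lookupFails)
	bot.AssertNumberOfCalls(t, "FetchOncallUsers", 3)
	teleportClient.AssertNumberOfCalls(t, "SubmitAccessReview", 1)
```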