feat: introduce grant entity

Makefile

@@ -2,7 +2,7 @@ NAME="github.com/odpf/guardian"
 LAST_COMMIT := $(shell git rev-parse --short HEAD)
 LAST_TAG := "$(shell git rev-list --tags --max-count=1)"
 APP_VERSION := "$(shell git describe --tags ${LAST_TAG})-next"
-PROTON_COMMIT := "60db5133e25d38a650d1e4960416320e2dbfe83a"
+PROTON_COMMIT := "868c736571827d3d1af1b401f490b4349b59c9e1"
 
 .PHONY: all build test clean dist vet proto install
 

api/handler/v1beta1/access.go

@@ -0,0 +1,113 @@
+package v1beta1
+
+import (
+	"context"
+	"errors"
+
+	guardianv1beta1 "github.com/odpf/guardian/api/proto/odpf/guardian/v1beta1"
+	"github.com/odpf/guardian/core/access"
+	"github.com/odpf/guardian/domain"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+func (s *GRPCServer) ListAccesses(ctx context.Context, req *guardianv1beta1.ListAccessesRequest) (*guardianv1beta1.ListAccessesResponse, error) {
+	filter := domain.ListAccessesFilter{
+		Statuses:     req.GetStatuses(),
+		AccountIDs:   req.GetAccountIds(),
+		AccountTypes: req.GetAccountTypes(),
+		ResourceIDs:  req.GetResourceIds(),
+	}
+	accesses, err := s.accessService.List(ctx, filter)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list access: %v", err)
+	}
+
+	var accessProtos []*guardianv1beta1.Access
+	for _, a := range accesses {
+		accessProto, err := s.adapter.ToAccessProto(a)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to parse access %q: %v", a.ID, err)
+		}
+		accessProtos = append(accessProtos, accessProto)
+	}
+
+	return &guardianv1beta1.ListAccessesResponse{
+		Accesses: accessProtos,
+	}, nil
+}
+
+func (s *GRPCServer) GetAccess(ctx context.Context, req *guardianv1beta1.GetAccessRequest) (*guardianv1beta1.GetAccessResponse, error) {
+	a, err := s.accessService.GetByID(ctx, req.GetId())
+	if err != nil {
+		if errors.Is(err, access.ErrAccessNotFound) {
+			return nil, status.Errorf(codes.NotFound, "access %q not found: %v", req.GetId(), err)
+		}
+		return nil, status.Errorf(codes.Internal, "failed to get access details: %v", err)
+	}
+
+	accessProto, err := s.adapter.ToAccessProto(*a)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to parse access: %v", err)
+	}
+
+	return &guardianv1beta1.GetAccessResponse{
+		Access: accessProto,
+	}, nil
+}
+
+func (s *GRPCServer) RevokeAccess(ctx context.Context, req *guardianv1beta1.RevokeAccessRequest) (*guardianv1beta1.RevokeAccessResponse, error) {
+	actor, err := s.getUser(ctx)
+	if err != nil {
+		return nil, status.Error(codes.Unauthenticated, "failed to get metadata: actor")
+	}
+
+	a, err := s.accessService.Revoke(ctx, req.GetId(), actor, req.GetReason())
+	if err != nil {
+		if errors.Is(err, access.ErrAccessNotFound) {
+			return nil, status.Error(codes.NotFound, "access not found")
+		}
+		return nil, status.Errorf(codes.Internal, "failed to revoke access: %v", err)
+	}
+
+	accessProto, err := s.adapter.ToAccessProto(*a)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to parse access: %v", err)
+	}
+
+	return &guardianv1beta1.RevokeAccessResponse{
+		Access: accessProto,
+	}, nil
+}
+
+func (s *GRPCServer) RevokeAccesses(ctx context.Context, req *guardianv1beta1.RevokeAccessesRequest) (*guardianv1beta1.RevokeAccessesResponse, error) {
+	actor, err := s.getUser(ctx)
+	if err != nil {
+		return nil, status.Error(codes.Unauthenticated, "failed to get metadata: actor")
+	}
+
+	filter := domain.RevokeAccessesFilter{
+		AccountIDs:    req.GetAccountIds(),
+		ProviderTypes: req.GetProviderTypes(),
+		ProviderURNs:  req.GetProviderUrns(),
+		ResourceTypes: req.GetResourceTypes(),
+		ResourceURNs:  req.GetResourceUrns(),
+	}
+	accesses, err := s.accessService.BulkRevoke(ctx, filter, actor, req.GetReason())
+	if err != nil {
+		return nil, status.Error(codes.Internal, "failed to revoke accesses in bulk")
+	}
+
+	var accessesProto []*guardianv1beta1.Access
+	for _, a := range accesses {
+		accessProto, err := s.adapter.ToAccessProto(*a)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to parse access: %v", err)
+		}
+		accessesProto = append(accessesProto, accessProto)
+	}
+
+	return &guardianv1beta1.RevokeAccessesResponse{
+		Accesses: accessesProto,
+	}, nil
+}

api/handler/v1beta1/access_test.go

@@ -0,0 +1,253 @@
+package v1beta1_test
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	guardianv1beta1 "github.com/odpf/guardian/api/proto/odpf/guardian/v1beta1"
+	"github.com/odpf/guardian/core/access"
+	"github.com/odpf/guardian/domain"
+	"github.com/stretchr/testify/mock"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+)
+
+func (s *GrpcHandlersSuite) TestListAccesses() {
+	s.Run("should return list of access on success", func() {
+		s.setup()
+		timeNow := time.Now()
+
+		dummyAccesses := []domain.Access{
+			{
+				ID:             "test-id",
+				Status:         "test-status",
+				AccountID:      "test-account-id",
+				AccountType:    "test-account-type",
+				ResourceID:     "test-resource-id",
+				Permissions:    []string{"test-permission"},
+				ExpirationDate: &timeNow,
+				AppealID:       "test-appeal-id",
+				RevokedBy:      "test-revoked-by",
+				RevokedAt:      &timeNow,
+				RevokeReason:   "test-revoke-reason",
+				CreatedAt:      timeNow,
+				UpdatedAt:      timeNow,
+				Resource: &domain.Resource{
+					ID: "test-resource-id",
+				},
+				Appeal: &domain.Appeal{
+					ID: "test-appeal-id",
+				},
+			},
+		}
+		expectedResponse := &guardianv1beta1.ListAccessesResponse{
+			Accesses: []*guardianv1beta1.Access{
+				{
+					Id:             "test-id",
+					Status:         "test-status",
+					AccountId:      "test-account-id",
+					AccountType:    "test-account-type",
+					ResourceId:     "test-resource-id",
+					Permissions:    []string{"test-permission"},
+					ExpirationDate: timestamppb.New(timeNow),
+					AppealId:       "test-appeal-id",
+					RevokedBy:      "test-revoked-by",
+					RevokedAt:      timestamppb.New(timeNow),
+					RevokeReason:   "test-revoke-reason",
+					CreatedAt:      timestamppb.New(timeNow),
+					UpdatedAt:      timestamppb.New(timeNow),
+					Resource: &guardianv1beta1.Resource{
+						Id: "test-resource-id",
+					},
+					Appeal: &guardianv1beta1.Appeal{
+						Id: "test-appeal-id",
+					},
+				},
+			},
+		}
+		expectedFilter := domain.ListAccessesFilter{
+			Statuses:     []string{"test-status"},
+			AccountIDs:   []string{"test-account-id"},
+			AccountTypes: []string{"test-account-type"},
+			ResourceIDs:  []string{"test-resource-id"},
+		}
+		s.accessService.EXPECT().
+			List(mock.AnythingOfType("*context.emptyCtx"), expectedFilter).
+			Return(dummyAccesses, nil).Once()
+
+		req := &guardianv1beta1.ListAccessesRequest{
+			Statuses:     expectedFilter.Statuses,
+			AccountIds:   expectedFilter.AccountIDs,
+			AccountTypes: expectedFilter.AccountTypes,
+			ResourceIds:  expectedFilter.ResourceIDs,
+		}
+		res, err := s.grpcServer.ListAccesses(context.Background(), req)
+
+		s.NoError(err)
+		s.Equal(expectedResponse, res)
+		s.accessService.AssertExpectations(s.T())
+	})
+
+	s.Run("should return error if service returns an error", func() {
+		s.setup()
+
+		expectedError := errors.New("unexpected error")
+		s.accessService.EXPECT().
+			List(mock.AnythingOfType("*context.emptyCtx"), mock.AnythingOfType("domain.ListAccessesFilter")).
+			Return(nil, expectedError).Once()
+
+		req := &guardianv1beta1.ListAccessesRequest{}
+		res, err := s.grpcServer.ListAccesses(context.Background(), req)
+
+		s.Equal(codes.Internal, status.Code(err))
+		s.Nil(res)
+		s.accessService.AssertExpectations(s.T())
+	})
+
+	s.Run("should return error if there is an error when parsing the access", func() {
+		s.setup()
+
+		expectedAccesses := []domain.Access{
+			{
+				Resource: &domain.Resource{
+					Details: map[string]interface{}{
+						"foo": make(chan int), // invalid value
+					},
+				},
+			},
+		}
+		s.accessService.EXPECT().
+			List(mock.AnythingOfType("*context.emptyCtx"), mock.AnythingOfType("domain.ListAccessesFilter")).
+			Return(expectedAccesses, nil).Once()
+
+		req := &guardianv1beta1.ListAccessesRequest{}
+		res, err := s.grpcServer.ListAccesses(context.Background(), req)
+
+		s.Equal(codes.Internal, status.Code(err))
+		s.Nil(res)
+		s.accessService.AssertExpectations(s.T())
+	})
+}
+
+func (s *GrpcHandlersSuite) TestGetAccess() {
+	s.Run("should return access details on succes", func() {
+		s.setup()
+		timeNow := time.Now()
+
+		accessID := "test-id"
+		dummyAccess := &domain.Access{
+			ID:             accessID,
+			Status:         "test-status",
+			AccountID:      "test-account-id",
+			AccountType:    "test-account-type",
+			ResourceID:     "test-resource-id",
+			Permissions:    []string{"test-permission"},
+			ExpirationDate: &timeNow,
+			AppealID:       "test-appeal-id",
+			RevokedBy:      "test-revoked-by",
+			RevokedAt:      &timeNow,
+			RevokeReason:   "test-revoke-reason",
+			CreatedAt:      timeNow,
+			UpdatedAt:      timeNow,
+			Resource: &domain.Resource{
+				ID: "test-resource-id",
+			},
+			Appeal: &domain.Appeal{
+				ID: "test-appeal-id",
+			},
+		}
+		expectedResponse := &guardianv1beta1.GetAccessResponse{
+			Access: &guardianv1beta1.Access{
+				Id:             accessID,
+				Status:         "test-status",
+				AccountId:      "test-account-id",
+				AccountType:    "test-account-type",
+				ResourceId:     "test-resource-id",
+				Permissions:    []string{"test-permission"},
+				ExpirationDate: timestamppb.New(timeNow),
+				AppealId:       "test-appeal-id",
+				RevokedBy:      "test-revoked-by",
+				RevokedAt:      timestamppb.New(timeNow),
+				RevokeReason:   "test-revoke-reason",
+				CreatedAt:      timestamppb.New(timeNow),
+				UpdatedAt:      timestamppb.New(timeNow),
+				Resource: &guardianv1beta1.Resource{
+					Id: "test-resource-id",
+				},
+				Appeal: &guardianv1beta1.Appeal{
+					Id: "test-appeal-id",
+				},
+			},
+		}
+		s.accessService.EXPECT().
+			GetByID(mock.AnythingOfType("*context.emptyCtx"), accessID).
+			Return(dummyAccess, nil).Once()
+
+		req := &guardianv1beta1.GetAccessRequest{Id: accessID}
+		res, err := s.grpcServer.GetAccess(context.Background(), req)
+
+		s.NoError(err)
+		s.Equal(expectedResponse, res)
+		s.accessService.AssertExpectations(s.T())
+	})
+
+	s.Run("should return error if access service returns an error", func() {
+		testCases := []struct {
+			name          string
+			expectedError error
+			expectedCode  codes.Code
+		}{
+			{
+				"should return not found error if record not found",
+				access.ErrAccessNotFound,
+				codes.NotFound,
+			},
+			{
+				"should return internal error if there's an unexpected error",
+				errors.New("unexpected error"),
+				codes.Internal,
+			},
+		}
+
+		for _, tc := range testCases {
+			s.Run(tc.name, func() {
+				s.setup()
+
+				s.accessService.EXPECT().
+					GetByID(mock.AnythingOfType("*context.emptyCtx"), mock.AnythingOfType("string")).
+					Return(nil, tc.expectedError).Once()
+
+				req := &guardianv1beta1.GetAccessRequest{Id: "test-id"}
+				res, err := s.grpcServer.GetAccess(context.Background(), req)
+
+				s.Equal(tc.expectedCode, status.Code(err))
+				s.Nil(res)
+				s.accessService.AssertExpectations(s.T())
+			})
+		}
+	})
+
+	s.Run("should return error if there is an error when parsing the access", func() {
+		s.setup()
+
+		expectedAccess := &domain.Access{
+			Resource: &domain.Resource{
+				Details: map[string]interface{}{
+					"foo": make(chan int), // invalid value
+				},
+			},
+		}
+		s.accessService.EXPECT().
+			GetByID(mock.AnythingOfType("*context.emptyCtx"), mock.AnythingOfType("string")).
+			Return(expectedAccess, nil).Once()
+
+		req := &guardianv1beta1.GetAccessRequest{Id: "test-id"}
+		res, err := s.grpcServer.GetAccess(context.Background(), req)
+
+		s.Equal(codes.Internal, status.Code(err))
+		s.Nil(res)
+		s.accessService.AssertExpectations(s.T())
+	})
+}