Merge branch 'main' into add-logs

Author: nobe4

.github/workflows/acceptance.yml

@@ -60,7 +60,7 @@ jobs:
         ruby: [ '3.1.2', '3.2.2', '3.3.0', '3.3.1' ]
 
     steps:
-      - uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # pin@v1.175.1
+      - uses: ruby/setup-ruby@32110d4e311bd8996b2a82bf2a43b714ccc91777 # pin@v1.221.0
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby }}

.github/workflows/build.yml

@@ -25,7 +25,7 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
 
-      - uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # pin@v1.175.1
+      - uses: ruby/setup-ruby@32110d4e311bd8996b2a82bf2a43b714ccc91777 # pin@v1.221.0
         with:
           bundler-cache: true
 

.github/workflows/codeql-analysis.yml

@@ -21,7 +21,7 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
 
-      - uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # pin@v1.175.1
+      - uses: ruby/setup-ruby@32110d4e311bd8996b2a82bf2a43b714ccc91777 # pin@v1.221.0
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true

.github/workflows/lint.yml

@@ -21,10 +21,12 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
-      - uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # pin@v1.175.1
+      - uses: ruby/setup-ruby@32110d4e311bd8996b2a82bf2a43b714ccc91777 # pin@v1.221.0
         with:
-          bundler-cache: true
+          bundler-cache: false
 
       - name: bootstrap
         run: script/bootstrap

.github/workflows/release.yml

@@ -21,7 +21,7 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
 
-      - uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # pin@v1.175.1
+      - uses: ruby/setup-ruby@32110d4e311bd8996b2a82bf2a43b714ccc91777 # pin@v1.221.0
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true

.github/workflows/test.yml

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    entitlements-app (1.1.0)
+    entitlements-app (1.2.0)
       concurrent-ruby (~> 1.3, >= 1.3.1)
       faraday (~> 2.0)
       logger (~> 1.6)
@@ -33,6 +33,7 @@ GEM
     crack (1.0.0)
       bigdecimal
       rexml
+    date (3.4.1)
     debug (1.8.0)
       irb (>= 1.5.0)
       reline (>= 0.3.1)
@@ -67,19 +68,20 @@ GEM
     parser (3.3.1.0)
       ast (~> 2.4.1)
       racc
-    psych (5.1.2)
+    psych (5.2.3)
+      date
       stringio
     public_suffix (5.0.5)
     racc (1.8.0)
-    rack (3.0.11)
+    rack (3.0.16)
     rainbow (3.1.1)
     rake (13.2.1)
     rdoc (6.7.0)
       psych (>= 4.0.0)
     regexp_parser (2.9.2)
     reline (0.5.8)
       io-console (~> 0.5)
-    rexml (3.3.9)
+    rexml (3.4.2)
     rspec (3.8.0)
       rspec-core (~> 3.8.0)
       rspec-expectations (~> 3.8.0)
@@ -131,11 +133,11 @@ GEM
       simplecov (< 1.0)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
-    stringio (3.1.0)
+    stringio (3.1.4)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.5.0)
-    uri (0.13.0)
+    uri (0.13.2)
     vcr (6.2.0)
     webmock (3.23.1)
       addressable (>= 2.8.0)

Gemfile.lock

@@ -34,6 +34,28 @@ def description
             parsed_data.fetch("description", "")
           end
 
+          # Standard interface: Get the schema version of this group.
+          #
+          # Takes no arguments.
+          # Examples: "entitlements/v1", "entitlements/v1.2.3", "entitlements/1.2.3"
+          # Format: namespace/major.minor.patch
+          #
+          # Returns a String with the schema version (k8s-style), or "entitlements/v1" if undefined.
+          Contract C::None => String
+          def schema_version
+            schema_version = parsed_data.fetch("schema_version", "entitlements/v1").to_s
+
+            namespace, version = schema_version.split("/")
+
+            unless namespace.match?(/\A[a-zA-Z0-9]+\z/) && version.match?(/\A(v?\d+(\.\d+){0,2})\z/)
+              raise "Invalid schema version format: #{schema_version} - Expected format is '<namespace>/<version>' " \
+                    "- Examples: entitlements/v1, entitlements/v1.2.3, entitlements/1.2.3"
+            end
+
+            # rebuild the schema version string to ensure it's in the correct format and return it
+            return "#{namespace}/#{version}"
+          end
+
           # Files can support modifiers that act independently of rules.
           # This returns the modifiers from the file as a hash.
           #

lib/entitlements/data/groups/calculated/yaml.rb

@@ -2,6 +2,6 @@
 
 module Entitlements
   module Version
-    VERSION = "1.1.0"
+    VERSION = "1.2.0"
   end
 end

lib/version.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 require_relative "../../../../spec_helper"
 
+# NOTE: The test suite mocks all dates with allow(Time).to receive(:now).and_return(Time.utc(2018, 4, 1, 12, 0, 0))
+
 describe Entitlements::Data::Groups::Calculated::YAML do
   let(:people_obj) { Entitlements::Data::People::YAML.new(filename: fixture("people.yaml")) }
   let(:cache) { { people_obj: people_obj } }
@@ -35,6 +37,57 @@
     end
   end
 
+  describe "#schema_version" do
+    it "returns the version string when one is set" do
+      filename = fixture("ldap-config/filters/no-filters-with-schema-version.yaml")
+      subject = described_class.new(filename: filename)
+      expect(subject.schema_version).to eq("entitlements/1.2.3")
+    end
+
+    it "returns the version string when one is set without the patch" do
+      filename = fixture("ldap-config/filters/no-filters-with-schema-version-no-patch.yaml")
+      subject = described_class.new(filename: filename)
+      expect(subject.schema_version).to eq("entitlements/1.2")
+    end
+
+    it "returns the version string when one is set with just the major version" do
+      filename = fixture("ldap-config/filters/no-filters-with-schema-version-major.yaml")
+      subject = described_class.new(filename: filename)
+      expect(subject.schema_version).to eq("entitlements/1")
+    end
+
+    it "returns the version string when one is set with just the major version (with v prefix)" do
+      filename = fixture("ldap-config/filters/no-filters-with-schema-version-major-with-v.yaml")
+      subject = described_class.new(filename: filename)
+      expect(subject.schema_version).to eq("entitlements/v1")
+    end
+
+
+    it "returns the version string when one is set (with v prefix)" do
+      filename = fixture("ldap-config/filters/no-filters-with-schema-version-with-v.yaml")
+      subject = described_class.new(filename: filename)
+      expect(subject.schema_version).to eq("entitlements/v1.2.3")
+    end
+
+    it "returns the default version when schema_version is undefined" do
+      filename = fixture("ldap-config/filters/no-filters-description.yaml")
+      subject = described_class.new(filename: filename)
+      expect(subject.schema_version).to eq("entitlements/v1")
+    end
+
+    it "throws an error when an invalid schema_version string is provided" do
+      filename = fixture("ldap-config/filters/no-filters-with-bad-schema-version.yaml")
+      subject = described_class.new(filename: filename)
+      expect { subject.schema_version }.to raise_error(RuntimeError, /Invalid schema version format/)
+    end
+
+    it "throws an error when the version string is missing the namespace" do
+      filename = fixture("ldap-config/filters/no-filters-with-missing-version-namespace.yaml")
+      subject = described_class.new(filename: filename)
+      expect { subject.schema_version }.to raise_error(RuntimeError, /Invalid schema version format/)
+    end
+  end
+
   describe "#initialize_filters" do
     it "returns the default filter hash when no filters are defined" do
       filename = fixture("ldap-config/filters/no-filters.yaml")
@@ -232,7 +285,12 @@
       context "complex structure" do
         let(:filename) { fixture("ldap-config/yaml/expiration-complex.yaml") }
 
-        it "constructs the correct rule set" do
+        it "constructs the correct rule set with complex nested expiration" do
+          # Expected results based on expiration-complex.yaml:
+          # - username: peterbald (no expiration) -> kept
+          # - and: group foo/bar (Sept 2018, not expired) and foo/baz (March 2018, expired) -> only foo/bar kept
+          # - or: all usernames expired (March 2018) -> empty array
+          # - or: cheetoh (March 2018, expired) and nebelung (Sept 2018, not expired) -> only nebelung kept
           answer = {
             "or"=>[
               {"username"=>"peterbald"},
@@ -245,6 +303,104 @@
           expect(result).to eq(answer)
         end
       end
+
+      context "individual username expiration" do
+        let(:filename) { fixture("ldap-config/yaml/expiration-individual-usernames.yaml") }
+
+        it "filters out expired usernames while keeping non-expired ones" do
+          answer = {
+            "or" => [
+              { "username" => "alice" },
+              { "username" => "charlie" },
+              { "username" => "diana" }
+            ]
+          }
+          result = subject.send(:rules)
+          expect(result).to eq(answer)
+        end
+      end
+
+      context "group expiration" do
+        let(:filename) { fixture("ldap-config/yaml/expiration-groups.yaml") }
+
+        it "filters out expired groups while keeping non-expired ones" do
+          answer = {
+            "or" => [
+              { "group" => "team/active" },
+              { "group" => "team/future" },
+              { "username" => "standalone" }
+            ]
+          }
+          result = subject.send(:rules)
+          expect(result).to eq(answer)
+        end
+      end
+
+      context "mixed expiration with nested structures" do
+        let(:filename) { fixture("ldap-config/yaml/expiration-mixed-nested.yaml") }
+
+        it "correctly handles expiration in nested and/or structures" do
+          answer = {
+            "or" => [
+              { "username" => "always-active" },
+              { "and" => [
+                  { "group" => "team/core" }
+                ]
+              },
+              { "or" => [
+                  { "username" => "still-active" }
+                ]
+              }
+            ]
+          }
+          result = subject.send(:rules)
+          expect(result).to eq(answer)
+        end
+      end
+
+      context "all individual entries expired" do
+        let(:filename) { fixture("ldap-config/yaml/expiration-all-individual-expired.yaml") }
+
+        it "returns empty arrays for containers with all expired entries" do
+          answer = {
+            "or" => []
+          }
+          result = subject.send(:rules)
+          expect(result).to eq(answer)
+        end
+      end
+
+      context "expired entries but expirations are disabled" do
+        let(:filename) { fixture("ldap-config/yaml/expiration-ignore-test.yaml") }
+
+        it "ignores all expiration dates when ignore_expirations is true" do
+          begin
+            Entitlements.config["ignore_expirations"] = true
+
+            answer = {
+              "or" => [
+                { "username" => "active-user" },
+                { "username" => "expired-user" },
+                { "group" => "expired-group" }
+              ]
+            }
+            result = subject.send(:rules)
+            expect(result).to eq(answer)
+          ensure
+            Entitlements.config.delete("ignore_expirations")
+          end
+        end
+      end
+
+      context "invalid expiration date" do
+        let(:filename) { fixture("ldap-config/yaml/expiration-invalid-date.yaml") }
+
+        it "raises an error for invalid expiration date format" do
+          expect do
+            subject.send(:rules)
+          end.to raise_error(ArgumentError, /Invalid expiration date "not-a-date"/)
+        end
+      end
     end
   end
 end