Implement schedules conditions

Author: bernardjkim

lib/accessmonitoring/request_mapping.go

@@ -42,6 +42,10 @@ type AccessRequestExpressionEnv struct {
 	// UserTraits includes arbitrary user traits dynamically provided by the
 	// access monitoring rule handler.
 	UserTraits map[string][]string
+
+	// Schedules contains the dictonary of schedules configured within the
+	// access monitoring rule.
+	Schedules ScheduleDict
 }
 
 type accessRequestExpression typical.Expression[AccessRequestExpressionEnv, any]
@@ -127,11 +131,19 @@ func newRequestConditionParser() (*typical.Parser[AccessRequestExpressionEnv, an
 		"user.traits": typical.DynamicMap(func(env AccessRequestExpressionEnv) (expression.Dict, error) {
 			return expression.DictFromStringSliceMap(env.UserTraits), nil
 		}),
+
+		"spec.schedules": typical.DynamicMap(func(env AccessRequestExpressionEnv) (ScheduleDict, error) {
+			return env.Schedules, nil
+		}),
 	}
 
 	defParserSpec := expression.DefaultParserSpec[AccessRequestExpressionEnv]()
 	defParserSpec.Variables = typicalEnvVar
 
+	inScheduleFn := typical.BinaryFunction[AccessRequestExpressionEnv](inSchedule)
+	defParserSpec.Functions["in_schedule"] = inScheduleFn
+	defParserSpec.Methods["in_schedule"] = inScheduleFn
+
 	requestConditionParser, err := typical.NewParser[AccessRequestExpressionEnv, any](defParserSpec)
 	if err != nil {
 		return nil, trace.Wrap(err)

lib/accessmonitoring/request_mapping_test.go

@@ -20,9 +20,11 @@ package accessmonitoring
 
 import (
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
 
+	accessmonitoringrulesv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1"
 	"github.com/gravitational/teleport/api/types"
 )
 
@@ -238,6 +240,69 @@ func TestEvaluateCondition(t *testing.T) {
 			},
 			match: false,
 		},
+		{
+			description: "creation time is in schedule",
+			condition:   `access_request.spec.creation_time.in_schedule(spec.schedules["test"])`,
+			env: AccessRequestExpressionEnv{
+				CreationTime: time.Date(2025, time.August, 11, 14, 30, 0, 0, time.UTC), // Monday 14:30
+				Schedules: ScheduleDict{
+					"test": &accessmonitoringrulesv1.Schedule{
+						Time: &accessmonitoringrulesv1.TimeSchedule{
+							Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+								{
+									Weekday: "Monday",
+									Start:   "14:00",
+									End:     "15:00",
+								},
+							},
+						},
+					},
+				},
+			},
+			match: true,
+		},
+		{
+			description: "shift interval is inclusive",
+			condition:   `access_request.spec.creation_time.in_schedule(spec.schedules["test"])`,
+			env: AccessRequestExpressionEnv{
+				CreationTime: time.Date(2025, time.August, 11, 14, 30, 0, 0, time.UTC), // Monday 14:30
+				Schedules: ScheduleDict{
+					"test": &accessmonitoringrulesv1.Schedule{
+						Time: &accessmonitoringrulesv1.TimeSchedule{
+							Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+								{
+									Weekday: "Monday",
+									Start:   "14:30",
+									End:     "15:00",
+								},
+							},
+						},
+					},
+				},
+			},
+			match: true,
+		},
+		{
+			description: "schedule name not found",
+			condition:   `access_request.spec.creation_time.in_schedule(spec.schedules["not-found"])`,
+			env: AccessRequestExpressionEnv{
+				CreationTime: time.Date(2025, time.August, 11, 14, 30, 0, 0, time.UTC), // Monday 14:30
+				Schedules: ScheduleDict{
+					"test": &accessmonitoringrulesv1.Schedule{
+						Time: &accessmonitoringrulesv1.TimeSchedule{
+							Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+								{
+									Weekday: "Monday",
+									Start:   "14:00",
+									End:     "15:00",
+								},
+							},
+						},
+					},
+				},
+			},
+			match: false,
+		},
 	}
 
 	for _, test := range tests {

lib/accessmonitoring/review/review.go

@@ -241,6 +241,8 @@ func (handler *Handler) getMatchingRule(
 	var reviewRule *accessmonitoringrulesv1.AccessMonitoringRule
 
 	for _, rule := range handler.rules.Get() {
+		env.Schedules = accessmonitoring.ScheduleDict(rule.GetSpec().GetSchedules())
+
 		conditionMatch, err := accessmonitoring.EvaluateCondition(rule.GetSpec().GetCondition(), env)
 		if err != nil {
 			handler.Logger.WarnContext(ctx, "Failed to evaluate access monitoring rule",

lib/accessmonitoring/review/review_test.go

@@ -198,6 +198,113 @@ func TestConflictingRules(t *testing.T) {
 	require.NoError(t, handler.HandleAccessRequest(ctx, event))
 }
 
+func TestScheduleRequest(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
+	t.Cleanup(cancel)
+
+	testReqID := uuid.New().String()
+	testRuleName := "test-rule"
+	withSecretsFalse := false
+	requesterUserName := "requester"
+
+	requester, err := types.NewUser(requesterUserName)
+	require.NoError(t, err)
+
+	testRule := newApprovedRule(
+		testRuleName,
+		`access_request.spec.creation_time.in_schedule(spec.schedules["test-schedule"])`)
+
+	testRule.Spec.Schedules = map[string]*accessmonitoringrulesv1.Schedule{
+		"test-schedule": {
+			Time: &accessmonitoringrulesv1.TimeSchedule{
+				Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+					{
+						Weekday: time.Monday.String(),
+						Start:   "14:00",
+						End:     "15:00",
+					},
+				},
+			},
+		},
+	}
+
+	cache := accessmonitoring.NewCache()
+	cache.Put([]*accessmonitoringrulesv1.AccessMonitoringRule{testRule})
+
+	tests := []struct {
+		description  string
+		setupMock    func(m *mockClient)
+		creationTime time.Time
+		assertErr    require.ErrorAssertionFunc
+	}{
+		{
+			description: "test within schedule",
+			setupMock: func(m *mockClient) {
+				m.On("GetUser", mock.Anything, requesterUserName, withSecretsFalse).
+					Return(requester, nil)
+
+				review, err := newAccessReview(
+					requesterUserName,
+					testRuleName,
+					types.RequestState_APPROVED.String(),
+					time.Time{},
+				)
+				require.NoError(t, err)
+
+				m.On("SubmitAccessReview", mock.Anything, types.AccessReviewSubmission{
+					RequestID: testReqID,
+					Review:    review,
+				}).Return(mock.Anything, nil)
+			},
+			creationTime: time.Date(2025, time.August, 11, 14, 30, 0, 0, time.UTC),
+			assertErr:    require.NoError,
+		},
+		{
+			description: "test outside schedule",
+			setupMock: func(m *mockClient) {
+				m.On("GetUser", mock.Anything, requesterUserName, withSecretsFalse).
+					Return(requester, nil)
+
+				m.AssertNotCalled(t, "SubmitAccessReview")
+			},
+			creationTime: time.Date(2025, time.August, 11, 15, 30, 0, 0, time.UTC),
+			assertErr:    require.NoError,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.description, func(t *testing.T) {
+			t.Parallel()
+
+			client := &mockClient{}
+			if test.setupMock != nil {
+				test.setupMock(client)
+			}
+
+			handler, err := NewHandler(Config{
+				HandlerName: handlerName,
+				Client:      client,
+				Cache:       cache,
+			})
+			require.NoError(t, err)
+
+			req, err := types.NewAccessRequest(
+				testReqID,
+				requesterUserName,
+				"role",
+			)
+			require.NoError(t, err)
+			req.SetCreationTime(test.creationTime)
+
+			test.assertErr(t, handler.HandleAccessRequest(ctx, types.Event{
+				Type:     types.OpPut,
+				Resource: req,
+			}))
+			client.AssertExpectations(t)
+		})
+	}
+}
+
 func TestResourceRequest(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
 	t.Cleanup(cancel)

lib/accessmonitoring/schedule.go

@@ -0,0 +1,81 @@
+/*
+Copyright 2025 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package accessmonitoring
+
+import (
+	"time"
+
+	accessmonitoringrulesv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1"
+
+	"github.com/gravitational/trace"
+)
+
+// ScheduleDict specifies a dictionary of schedules.
+//
+// Implements [typical.Getter]
+type ScheduleDict map[string]*accessmonitoringrulesv1.Schedule
+
+// Get returns the schedule with the specified key name.
+func (d ScheduleDict) Get(key string) (*accessmonitoringrulesv1.Schedule, error) {
+	return d[key], nil
+}
+
+// ClockTime returns a new time value overriding the hour and minute.
+func ClockTime(timestamp time.Time, hourMinute string) (time.Time, error) {
+	const hourMinuteFormat = "15:04" // 24-hour HH:MM format
+
+	parsed, err := time.ParseInLocation(hourMinuteFormat, hourMinute, timestamp.Location())
+	if err != nil {
+		return time.Time{}, trace.Wrap(err)
+	}
+
+	return time.Date(timestamp.Year(), timestamp.Month(), timestamp.Day(),
+		parsed.Hour(), parsed.Minute(), 0, 0, timestamp.Location()), nil
+}
+
+// inSchedule returns true if the timestamp is within the schedule.
+func inSchedule(timestamp time.Time, schedule *accessmonitoringrulesv1.Schedule) (bool, error) {
+	if schedule.GetTime() == nil {
+		return false, nil
+	}
+
+	if len(schedule.GetTime().GetShifts()) == 0 {
+		return false, nil
+	}
+
+	weekday := timestamp.Weekday().String()
+	for _, shift := range schedule.GetTime().GetShifts() {
+		if weekday != shift.Weekday {
+			continue
+		}
+
+		startTime, err := ClockTime(timestamp, shift.Start)
+		if err != nil {
+			return false, trace.Wrap(err, "invalid start time: %q", shift.Start)
+		}
+
+		endTime, err := ClockTime(timestamp, shift.End)
+		if err != nil {
+			return false, trace.Wrap(err, "invalid end time: %q", shift.End)
+		}
+
+		if !timestamp.Before(startTime) && !timestamp.After(endTime) {
+			return true, nil
+		}
+	}
+	return false, nil
+}