⚪ test db stuff - use this to test DynamoDB stuff locally during development insertion and querying
⚪ test db stuff - use this to test DynamoDB stuff locally during development create database table
⚪ test db stuff - use this to test DynamoDB stuff locally during development destroy table

✅ duration when given a short-term permission if a time is explicitly asked for grants the requested time if it is within the limit
✅ duration when given a short-term permission if a time is explicitly asked for grants the max time if user requests a time longer than this
✅ duration when given a short-term permission if a time is explicitly asked for grants at least the minimum duration
✅ duration when given a short-term permission if no time is requested issues default short time
✅ duration when given a short-term permission if no time is requested issues default short time even near 19:00 with a timezone present
✅ duration when given a long-term permission if a time is explicitly asked for grants the requested time if it is provided and less than the maximum
✅ duration when given a long-term permission if a time is explicitly asked for grants the max time if requested time is too long
✅ duration when given a long-term permission if a time is explicitly asked for grants at least the minimum number of seconds
✅ duration when given a long-term permission if no time is requested gives default time if we're a very long way from 19:00 local time
✅ duration when given a long-term permission if no time is requested gives default time if we're after 19:00 local time
✅ duration when given a long-term permission if no time is requested gives until 19:00 if we're within <max time> of 19:00 local time
✅ duration when given a long-term permission if no time is requested and no timezone is supplied, provides the default time, even near 19:00
✅ duration when given a long-term permission if no time is requested and we're quite near 19:00 with a TZ, give the remaining period
⚪ duration when given a long-term permission if no time is requested and we're *very* near 19:00 with a TZ, give the remaining period
✅ duration when given a long-term permission if no time is requested uses the provided timezone to calculate the correct duration
✅ autoLogoutUrl if autoLogout is enabled the returned URL is for the console logout endpoint
✅ autoLogoutUrl if autoLogout is enabled the provided URL is included (URL-encoded) in the redirect_uri GET parameter with its hostname changed to point to us-east-1
✅ autoLogoutUrl if autoLogout is enabled the provided URL is included (URL-encoded) in the redirect_uri GET parameter and the rest of the URL unchanged
✅ autoLogoutUrl returns the provided URL unchanged if autoLogout is not enabled
✅ getRoleName fetches role name from example
✅ getRoleName fetches role name when role is under a path

✅ round trips the example janus data can be read, written and re-read
✅ round trips the example janus data that omits a permissions repo can be read, written and re-read
⚪ development helpers print the generated config file to the console for manual inspection

✅ fromConfig parses the full example
✅ fromConfig parses an example without a permissions repo
✅ loadPermissionsRepo loads the example file's repo
✅ loadPermissionsRepo loads example with no permissions repository
✅ loadAccounts loads the example file's accounts
✅ loadPermissions loads the example file's permissions
✅ loadAccess loads the example file's access definition and extracts the default permissions
✅ loadAccess loads the example file's access definition and extracts the ACL
✅ loadAdmin loads the example file's admin definition
✅ loadSupport loads the example file's support definition extracts the support permissions
✅ loadSupport loads the example file's support definition extracts the support period
✅ loadSupport loads the example file's support definition extracts the rota

✅ allPermissions returns nothing for an empty JanusData
✅ allPermissions includes default access permissions
✅ allPermissions includes access permissions
✅ allPermissions includes access permissions from mulitple users
✅ allPermissions includes admin permissions
✅ allPermissions includes support permissions
✅ allPermissions includes permissions from all sources
✅ toConfig includes the support period
✅ toConfig includes the support period even if it was specified using a non-second period
✅ toConfig includes the permissionsRepo
✅ toConfig excludes permissionsRepo entry if it is empty

✅ Can load a config file
✅ throws a Janus configuration exception if there is an error in the config

✅ policy helper deduplicates statements
✅ enforceCorrectPath returns true for /
✅ enforceCorrectPath returns true for path with leading slash and no trailing slash
✅ enforceCorrectPath returns false if no leading slash
✅ enforceCorrectPath returns false with trailing and leading slash
✅ enforceCorrectPath returns false for edge case of single char
✅ hierarchyPath builds a '/*' pattern for the path '/'
✅ hierarchyPath builds a '/my-path/sub-path/*' pattern for the path '/my-path/sub-path'

✅ policySizeChecks returns nothing if the provided data contains no large policies
✅ policySizeChecks returns a warning if there is a large policy in the access ACL
✅ policySizeChecks returns a warning if there is a large policy in the admin ACL
✅ policySizeChecks returns a warning if there is a large policy in the support ACL
✅ policySizeChecks returns a warning if there is a large policy and returns an 'invalid' validation result if a warning is generated
✅ permissionIdUniqueness returns nothing for valid permissions
✅ permissionIdUniqueness returns nothing for duplicate permissions in separate accounts
✅ permissionIdUniqueness returns a validation error for permissions with duplicate IDs (concatenation of account & label)
✅ permissionIdUniqueness returns a validation error for duplicate permissions across multiple users
✅ isClean returns true for a result with no warnings or errors
✅ isClean returns false for a result with errors but no warnings
✅ isClean returns false for a result with warnings but no errors
✅ isClean returns false for a result with warnings and errors
✅ noErrors returns true for a result with no warnings or errors
✅ noErrors returns true for a result with warnings but no errors
✅ noErrors returns false for a result with errors but no warnings
✅ noErrors returns false for a result with warnings and errors

✅ validateAccountConfig When config has no 'federation' key... should succeed if the accounts list in janusData is empty
✅ validateAccountConfig When config has no 'federation' key... should return an FederationConfigError if the janusData lists one or more accounts
✅ validateAccountConfig When config does have a 'federation' key... should succeed if both account lists are empty
✅ validateAccountConfig When config does have a 'federation' key... should succeed if janusData and config contain the exact same accounts
✅ validateAccountConfig When config does have a 'federation' key... should return an error including the account missing from the config
✅ validateAccountConfig When config does have a 'federation' key... should return an error including all of the accounts missing from the config
✅ validateAccountConfig When config does have a 'federation' key... should warn if janusData is missing an account
✅ validateAccountConfig When config does have a 'federation' key... should warn if janusData is missing more than one account

✅ Monoid instance for ACL entries should correctly combine overlapping entries
✅ Monoid instance for ACL entries correctly combines non-overlapping entries

✅ userAccountAccess given no favourites sorts accounts by the number of available permissions, descending
✅ userAccountAccess given favourite accounts puts a favourite first
✅ userAccountAccess given favourite accounts preserves sorting of non-favourite accounts
✅ userAccountAccess given favourite accounts sorts favourites by provided order
✅ userAccountAccess sorts the account permissions
✅ Permission's ordering preserve dev before admin
✅ Permission's ordering put dev before admin
✅ Permission's ordering preserve dev before another permission
✅ Permission's ordering put dev before another permission
✅ Permission's ordering preserve admin after another permission
✅ Permission's ordering put admin after another permission
✅ Permission's ordering preserves dev - other - admin
✅ Permission's ordering puts dev - other - admin
✅ Permission's ordering orders alphabetically for non dev/admin permissions
✅ Permission's ordering always returns the correct order for shuffled permissions

✅ auditLogAttrs sets up the hash key
✅ auditLogAttrs sets up the (date) range key as milliseconds
✅ auditLogAttrs sets up the (date) range key correctly even when BST is in effect
✅ auditLogAttrs converts duration type to seconds
✅ auditLogAttrs sets up other attributes with db fieldnames
✅ auditLogAttrs sets up console type correctly
✅ auditLogFromAttrs given valid attributes extracts an audit log from valid attributes
✅ auditLogFromAttrs given valid attributes extracts a correct (ms) duration from the DB's seconds field
✅ auditLogFromAttrs when missing a required field fails to extract an AccessLog record
✅ auditLogFromAttrs when missing a required field returns a useful error message when it fails

✅ durationParams extracts duration from request if present
✅ durationParams extracts duration as None if no parameter is available
✅ durationParams extracts duration as None if it is provided but empty
✅ durationParams extracts duration as None if an invalid duration is provided
✅ durationParams extracts timezone offset from request if present
✅ durationParams extracts timezone as None if it is present but empty
✅ durationParams extracts -ve timezone offset from request
✅ durationParams extracts timezone offset as None if no parameter is available
✅ durationParams extracts timezone offset as None if an invalid duration is provided
✅ durationParams extracts duration and timezone offset

✅ formatPeriod prints a nice message for a complex period
✅ formatPeriod prints a nice message for a period with only a few fields
✅ formatPeriod can show a trivial interval
✅ formatDuration correctly formats a small duration
✅ formatDuration correctly formats a large period
✅ formatDuration correctly formats a complex period
✅ firstDayOfWeek returns monday for the example date
✅ firstDayOfWeek returns the same date when given a monday
✅ parseDateStr should parse a nice date
✅ parseDateStr fails to parse junk
✅ weekAround gets the full week surrounding the given date
✅ prevNextAuditWeeks returns the week before and after the given date
✅ prevNextAuditWeeks if previous week is before Janus audit logging began excludes previous week
✅ prevNextAuditWeeks if previous week is before Janus audit logging began still includes the next week
✅ prevNextAuditWeeks if next week is after the current date excludes the next week
✅ prevNextAuditWeeks if next week is after the current date still includes previous week
✅ duration max returns the first duration if it is larger
✅ duration max returns the second duration if it is larger
✅ duration min returns the first duration if it is smaller
✅ duration min returns the second duration if it is smaller

✅ fromCookie parses empty favourites
✅ fromCookie parses legacy favourites with no data
✅ fromCookie parses legacy favourites with data
✅ fromCookie parses empty cookie value
✅ fromCookie returns no favourites from non-base64-encoded cookie value
✅ fromCookie returns no favourites from invalid JSON cookie value
✅ fromCookie extracts a single favourite
✅ fromCookie extracts multiple favourites
✅ fromCookie returns empty favourites if there is no cookie present
✅ toCookie creates a valid cookie with no favourites
✅ toCookie creates a valid cookie
✅ toggleFavourites adds favourite to the end of the list if it does not already exist
✅ toggleFavourites removes favourite from the list if it already exists

✅ accountOwners returns empty account owners if there are no owners
✅ accountOwners fetches all the admins for an account
✅ accountOwners orders admins by username
✅ accountOwners fetches developers and excludes those that are also admins
✅ accountOwners orders developers by username
✅ accountOwners fetches 'other users' and excludes those that are also admins and devs
✅ accountOwners orders 'other users' by username

✅ splitQuerystringParam splits a querystring parameter into its parts
✅ splitQuerystringParam works on a single value
✅ splitQuerystringParam does not fail with empty input

✅ checkConfirmation matches exact account name
✅ checkConfirmation matches account name (different case)
✅ checkConfirmation matches exact account id
✅ checkConfirmation matches account id (different case)
✅ checkConfirmation does not match wrong key
✅ checkConfirmation does not match any incorrect key

✅ userAccess returns None if the user doesn't have any permissions
✅ userAccess returns the user's permissions if they exist
✅ userAccess include default permissions in all users' available permissions
✅ userAccess deduplicates a user's permissions
✅ hasAccess returns true when given a user that has an entry
✅ hasAccess returns false if the user is not explicitly mentioned
✅ support functions userSupportAccess returns support access when given a user currently on the support rota
✅ support functions userSupportAccess returns None if the user is not on the support rota
✅ support functions userSupportAccess returns None if the user is on the support rota, but not for this now
✅ support functions userSupportAccess returns None for an empty username, even if it's mentioned in the rota
✅ support functions userSupportAccess around the cutoff point returns support access just before 11am UK time
✅ support functions userSupportAccess around the cutoff point returns None just after 11am UK time
✅ support functions isSupportUser returns true access when given a user currently on the support rota
✅ support functions isSupportUser returns false if the user is not on the support rota
✅ support functions isSupportUser returns false if the user is on the support rota, but not for this now
✅ support functions isSupportUser returns false for an empty username, even if it's mentioned in the rota
✅ support functions isSupportUser around the cutoff point returns true just before 11am UK time
✅ support functions isSupportUser around the cutoff point returns false just after 11am UK time
✅ support functions can check which users have support access activeSupportUsers returns the correct active users
✅ support functions can check which users have support access activeSupportUsers returns None for a user that has an empty username (means they are still tbd)
✅ support functions can check which users have support access activeSupportUsers returns None if there are no entries for today's date
✅ support functions can check which users have support access activeSupportUsers returns the date the rota started at
✅ support functions can check which users have support access nextSupportUsers returns the correct users for the next rota
✅ support functions can check which users have support access nextSupportUsers returns None for a user that has an empty username (means they are still tbd)
✅ support functions can check which users have support access nextSupportUsers returns None if there are no entries for the next rota by provided date
✅ support functions can check which users have support access nextSupportUsers returns the date the rota started at
✅ support functions can check which users have support access userSupportSlots returns the correct set of future rota slots for user1 from currentTime
✅ support functions can check which users have support access userSupportSlots returns the correct set of future rota slots for user1 from currentTime+2w
✅ support functions can check which users have support access userSupportSlots returns the correct set of future rota slots for user2 from currentTime+2w
✅ support functions can check which users have support access userSupportSlots returns no slots for userA
✅ checkUserPermission returns the permission if a user has been granted access
✅ checkUserPermission returns the permission if it has been granted via admin access
✅ checkUserPermission returns the permission if it has been granted via support access
✅ checkUserPermission returns None if the permission has not been granted to the user
✅ hasExplicitAccess returns true if a user has been granted explicit access
✅ hasExplicitAccess returns false if an admin user does not have explicit access
✅ hasExplicitAccess returns false if a support user does not have explicit access
✅ userAccountAccess returns permissions if a user has been granted explicit access
✅ userAccountAccess returns permissions for an admin user without explicit access to the account
✅ userAccountAccess returns permissions for a support user without explicit access to a support account
✅ userAccountAccess returns empty permissions for a non-admin, non-support user that does not have explicit access
✅ username uses the email address, not first name and last name (which doesn't work for i18n names)
✅ username lower-cases the provided email address

✅ shellCredentials for a single account includes provided key
✅ shellCredentials for a single account includes provided secret
✅ shellCredentials for a single account includes provided session token
✅ shellCredentials for a single account includes account name on each command
✅ shellCredentials for a single account puts leading space on all commands to exclude from bash history
✅ shellCredentials for a single account all lines except the last should end with continuation (&& \) so command pastes properly
✅ shellCredentials for multiple accounts puts leading space on all commands to exclude from bash history
✅ shellCredentials for multiple accounts all lines except the last should end with continuation (&& \) so command pastes properly