Add unit tests for new XOR constraint

app/domain/authentication/constraints/required_exclusive_constraint.rb

@@ -1,6 +1,8 @@
 module Authentication
   module Constraints
 
+    # This constraint is initialized with an array of strings.
+    # They represent resource restrictions where exactly one is required.
     class RequiredExclusiveConstraint
 
       def initialize(required_exclusive:)
@@ -9,7 +11,7 @@ def initialize(required_exclusive:)
 
       def validate(resource_restrictions:)
         restrictions_found = resource_restrictions & @required_exclusive
-        raise Errors::Authentication::Constraints::IllegalExclusiveRequiredCombination, @required_exclusive unless restrictions_found.length == 1
+        raise Errors::Authentication::Constraints::IllegalRequiredExclusiveCombination.new(@required_exclusive, restrictions_found) unless restrictions_found.length == 1
       end
 
     end

app/domain/errors.rb

@@ -695,8 +695,9 @@ module Constraints
         code: "CONJ00069E"
       )
 
-      IllegalExclusiveRequiredCombination = ::Util::TrackableErrorClass.new(
-        msg: "Role must have only one of the following required constraints: {0-constraints}",
+      IllegalRequiredExclusiveCombination = ::Util::TrackableErrorClass.new(
+        msg: "Role must have exactly one of the following required constraints: " \
+             "{0-constraints}. Role configured with {1-provided}",
         code: "CONJ00069E"
       )
 

spec/app/domain/authentication/constraints/required_exclusive_constraint_spec.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe(Authentication::Constraints::RequiredExclusiveConstraint) do
+  context "Given RequiredExclusiveConstraint initialized with 3 restrictions" do
+    let(:reqx_restrictions) { %w[reqx_one reqx_two reqx_three] }
+    let(:additional_restriction) { "additional" }
+    let(:raised_error) { ::Errors::Authentication::Constraints::IllegalRequiredExclusiveCombination }
+
+    subject(:constraint) do
+      Authentication::Constraints::RequiredExclusiveConstraint.new(required_exclusive: reqx_restrictions)
+    end
+
+    context "when validating with no ReqX restrictions" do
+      let(:expected_error_message) { /#{Regexp.escape(reqx_restrictions.to_s)}/ }
+
+      subject do
+        constraint.validate(resource_restrictions: [additional_restriction])
+      end
+
+      it "raises an error" do
+        expect { subject }.to raise_error(raised_error, expected_error_message)
+      end
+    end
+
+    context "when validating with one ReqX restriction" do
+      subject do
+        constraint.validate(resource_restrictions: [reqx_restrictions.first, additional_restriction])
+      end
+
+      it "does not raise an error" do
+        expect { subject }.to_not raise_error
+      end
+    end
+
+    context "when validating with many ReqX restrictions" do
+      let(:resource_restrictions) { reqx_restrictions[1, 2] }
+      let(:expected_error_message) { /#{Regexp.escape(resource_restrictions.to_s)}/ }
+
+      subject do
+        constraint.validate(resource_restrictions: resource_restrictions + [additional_restriction])
+      end
+
+      it "raises an error" do
+        expect { subject }.to raise_error(raised_error, expected_error_message)
+      end
+    end
+
+    context "when validating with all ReqX restrictions" do
+      let(:expected_error_message) { /#{Regexp.escape(reqx_restrictions.to_s)}/ }
+
+      subject do
+        constraint.validate(resource_restrictions: reqx_restrictions + [additional_restriction])
+      end
+
+      it "raises an error" do
+        expect { subject }.to raise_error(raised_error, expected_error_message)
+      end
+    end
+
+  end
+end