From 208d1451dbf2787f80fcdf5707a62b64c6f8eb74 Mon Sep 17 00:00:00 2001
From: Ante Mihalj <ante.mihalj@webringapps.com>
Date: Mon, 3 Feb 2020 12:40:44 +0100
Subject: [PATCH] feat: Add support for OAuth2 Client metadata property (#38)

See #36
---
 api/v1alpha1/oauth2client_types.go            |  9 ++-
 .../crd/bases/hydra.ory.sh_oauth2clients.yaml |  5 +-
 .../samples/hydra_v1alpha1_oauth2client.yaml  |  3 +
 ...1alpha1_oauth2client_user_credentials.yaml |  3 +
 hydra/client_test.go                          | 65 ++++++++++++++-----
 hydra/types.go                                | 25 ++++---
 6 files changed, 82 insertions(+), 28 deletions(-)

diff --git a/api/v1alpha1/oauth2client_types.go b/api/v1alpha1/oauth2client_types.go
index 92efca9..36d468e 100644
--- a/api/v1alpha1/oauth2client_types.go
+++ b/api/v1alpha1/oauth2client_types.go
@@ -16,6 +16,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"encoding/json"
 	"fmt"
 
 	"github.com/ory/hydra-maester/hydra"
@@ -106,8 +107,11 @@ type OAuth2ClientSpec struct {
 
 	// +kubebuilder:validation:Enum=;client_secret_basic;client_secret_post;private_key_jwt;none
 	//
-	// Indication which authenticaiton method shoud be used for the token endpoint
+	// Indication which authentication method shoud be used for the token endpoint
 	TokenEndpointAuthMethod TokenEndpointAuthMethod `json:"tokenEndpointAuthMethod,omitempty"`
+
+	// Metadata is abritrary data
+	Metadata json.RawMessage `json:"metadata,omitempty"`
 }
 
 // +kubebuilder:validation:Enum=client_credentials;authorization_code;implicit;refresh_token
@@ -123,7 +127,7 @@ type ResponseType string
 type RedirectURI string
 
 // +kubebuilder:validation:Enum=;client_secret_basic;client_secret_post;private_key_jwt;none
-// TokenEndpointAuthMethod represents an authenticaiton method for token endpoint
+// TokenEndpointAuthMethod represents an authentication method for token endpoint
 type TokenEndpointAuthMethod string
 
 // OAuth2ClientStatus defines the observed state of OAuth2Client
@@ -176,6 +180,7 @@ func (c *OAuth2Client) ToOAuth2ClientJSON() *hydra.OAuth2ClientJSON {
 		Scope:                   c.Spec.Scope,
 		Owner:                   fmt.Sprintf("%s/%s", c.Name, c.Namespace),
 		TokenEndpointAuthMethod: string(c.Spec.TokenEndpointAuthMethod),
+		Metadata:                c.Spec.Metadata,
 	}
 }
 
diff --git a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
index 144f312..697c623 100644
--- a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
+++ b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
@@ -455,13 +455,16 @@ spec:
               minItems: 1
               type: array
             tokenEndpointAuthMethod:
-              description: Indication which authenticaiton method shoud be used for the token endpoint.
+              description: Indication which authentication method shoud be used for the token endpoint.
               type: string
               enum:
               - client_secret_basic
               - client_secret_post
               - private_key_jwt
               - none
+            metadata:
+              description: Metadata is arbitrary data. This JSON will be stored into client and can be used to hold custom properties
+              type: object
             scope:
               description: Scope is a string containing a space-separated list of
                 scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
diff --git a/config/samples/hydra_v1alpha1_oauth2client.yaml b/config/samples/hydra_v1alpha1_oauth2client.yaml
index a53eb99..750eade 100644
--- a/config/samples/hydra_v1alpha1_oauth2client.yaml
+++ b/config/samples/hydra_v1alpha1_oauth2client.yaml
@@ -30,4 +30,7 @@ spec:
     endpoint: /clients
     forwardedProto: https
   tokenEndpointAuthMethod: client_secret_basic
+  metadata:
+    property1: 1
+    property2: "2"
   
diff --git a/config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml b/config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml
index 6fc6a00..008e364 100644
--- a/config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml
+++ b/config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml
@@ -40,3 +40,6 @@ spec:
     endpoint: /clients
     forwardedProto: https
   tokenEndpointAuthMethod: client_secret_basic
+  metadata:
+    property1: 1
+    property2: "2"
diff --git a/hydra/client_test.go b/hydra/client_test.go
index 606eb69..15e99f6 100644
--- a/hydra/client_test.go
+++ b/hydra/client_test.go
@@ -21,12 +21,13 @@ const (
 	clientsEndpoint = "/clients"
 	schemeHTTP      = "http"
 
-	testID            = "test-id"
-	testClient        = `{"client_id":"test-id","owner":"test-name","scope":"some,scopes","grant_types":["type1"],"token_endpoint_auth_method":"client_secret_basic"}`
-	testClientCreated = `{"client_id":"test-id-2","client_secret":"TmGkvcY7k526","owner":"test-name-2","scope":"some,other,scopes","grant_types":["type2"],"audience":["audience-a","audience-b"],"token_endpoint_auth_method":"client_secret_basic"}`
-	testClientUpdated = `{"client_id":"test-id-3","client_secret":"xFoPPm654por","owner":"test-name-3","scope":"yet,another,scope","grant_types":["type3"],"audience":["audience-c"],"token_endpoint_auth_method":"client_secret_basic"}`
-	testClientList    = `{"client_id":"test-id-4","owner":"test-name-4","scope":"scope1 scope2","grant_types":["type4"],"token_endpoint_auth_method":"client_secret_basic"}`
-	testClientList2   = `{"client_id":"test-id-5","owner":"test-name-5","scope":"scope3 scope4","grant_types":["type5"],"token_endpoint_auth_method":"client_secret_basic"}`
+	testID                        = "test-id"
+	testClient                    = `{"client_id":"test-id","owner":"test-name","scope":"some,scopes","grant_types":["type1"],"token_endpoint_auth_method":"client_secret_basic"}`
+	testClientCreated             = `{"client_id":"test-id-2","client_secret":"TmGkvcY7k526","owner":"test-name-2","scope":"some,other,scopes","grant_types":["type2"],"audience":["audience-a","audience-b"],"token_endpoint_auth_method":"client_secret_basic"}`
+	testClientUpdated             = `{"client_id":"test-id-3","client_secret":"xFoPPm654por","owner":"test-name-3","scope":"yet,another,scope","grant_types":["type3"],"audience":["audience-c"],"token_endpoint_auth_method":"client_secret_basic"}`
+	testClientList                = `{"client_id":"test-id-4","owner":"test-name-4","scope":"scope1 scope2","grant_types":["type4"],"token_endpoint_auth_method":"client_secret_basic"}`
+	testClientList2               = `{"client_id":"test-id-5","owner":"test-name-5","scope":"scope3 scope4","grant_types":["type5"],"token_endpoint_auth_method":"client_secret_basic"}`
+	testClientWithMetadataCreated = `{"client_id":"test-id-21","client_secret":"TmGkvcY7k526","owner":"test-name-21","scope":"some,other,scopes","grant_types":["type2"],"token_endpoint_auth_method":"client_secret_basic","metadata":{"property1":1,"property2":"2"}}`
 
 	statusNotFoundBody            = `{"error":"Not Found","error_description":"Unable to locate the requested resource","status_code":404,"request_id":"id"}`
 	statusConflictBody            = `{"error":"Unable to insert or update resource because a resource with that value exists already","error_description":"","status_code":409,"request_id":"id"`
@@ -128,6 +129,11 @@ func TestCRUD(t *testing.T) {
 				testClientCreated,
 				nil,
 			},
+			"with new client with metadata": {
+				http.StatusCreated,
+				testClientWithMetadataCreated,
+				nil,
+			},
 			"with existing client": {
 				http.StatusConflict,
 				statusConflictBody,
@@ -140,9 +146,14 @@ func TestCRUD(t *testing.T) {
 			},
 		} {
 			t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) {
-
+				var (
+					err      error
+					o        *hydra.OAuth2ClientJSON
+					expected *hydra.OAuth2ClientJSON
+				)
 				//given
 				new := tc.statusCode == http.StatusCreated
+				newWithMetadata := d == "with new client with metadata"
 
 				h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 					assert.Equal(c.HydraURL.String(), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path))
@@ -156,7 +167,23 @@ func TestCRUD(t *testing.T) {
 				runServer(&c, h)
 
 				//when
-				o, err := c.PostOAuth2Client(testOAuthJSONPost)
+				if newWithMetadata {
+					meta, _ := json.Marshal(map[string]interface{}{
+						"property1": float64(1),
+						"property2": "2",
+					})
+					var testOAuthJSONPost2 = &hydra.OAuth2ClientJSON{
+						Scope:      "some,other,scopes",
+						GrantTypes: []string{"type2"},
+						Owner:      "test-name-21",
+						Metadata:   meta,
+					}
+					o, err = c.PostOAuth2Client(testOAuthJSONPost2)
+					expected = testOAuthJSONPost2
+				} else {
+					o, err = c.PostOAuth2Client(testOAuthJSONPost)
+					expected = testOAuthJSONPost
+				}
 
 				//then
 				if tc.err == nil {
@@ -168,16 +195,24 @@ func TestCRUD(t *testing.T) {
 
 				if new {
 					require.NotNil(t, o)
-
-					assert.Equal(testOAuthJSONPost.Scope, o.Scope)
-					assert.Equal(testOAuthJSONPost.GrantTypes, o.GrantTypes)
-					assert.Equal(testOAuthJSONPost.Owner, o.Owner)
-					assert.Equal(testOAuthJSONPost.Audience, o.Audience)
+					assert.Equal(expected.Scope, o.Scope)
+					assert.Equal(expected.GrantTypes, o.GrantTypes)
+					assert.Equal(expected.Owner, o.Owner)
+					assert.Equal(expected.Audience, o.Audience)
 					assert.NotNil(o.Secret)
 					assert.NotNil(o.ClientID)
 					assert.NotNil(o.TokenEndpointAuthMethod)
-					if testOAuthJSONPost.TokenEndpointAuthMethod != "" {
-						assert.Equal(testOAuthJSONPost.TokenEndpointAuthMethod, o.TokenEndpointAuthMethod)
+					if expected.TokenEndpointAuthMethod != "" {
+						assert.Equal(expected.TokenEndpointAuthMethod, o.TokenEndpointAuthMethod)
+					}
+					if newWithMetadata {
+						assert.NotNil(o.Metadata)
+						assert.True(len(o.Metadata) > 0)
+						for key, _ := range o.Metadata {
+							assert.Equal(o.Metadata[key], expected.Metadata[key])
+						}
+					} else {
+						assert.Nil(o.Metadata)
 					}
 				}
 			})
diff --git a/hydra/types.go b/hydra/types.go
index 065d6f1..6248a17 100644
--- a/hydra/types.go
+++ b/hydra/types.go
@@ -1,18 +1,23 @@
 package hydra
 
-import "k8s.io/utils/pointer"
+import (
+	"encoding/json"
+
+	"k8s.io/utils/pointer"
+)
 
 // OAuth2ClientJSON represents an OAuth2 client digestible by ORY Hydra
 type OAuth2ClientJSON struct {
-	ClientID                *string  `json:"client_id,omitempty"`
-	Secret                  *string  `json:"client_secret,omitempty"`
-	GrantTypes              []string `json:"grant_types"`
-	RedirectURIs            []string `json:"redirect_uris,omitempty"`
-	ResponseTypes           []string `json:"response_types,omitempty"`
-	Audience                []string `json:"audience,omitempty"`
-	Scope                   string   `json:"scope"`
-	Owner                   string   `json:"owner"`
-	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method,omitempty"`
+	ClientID                *string         `json:"client_id,omitempty"`
+	Secret                  *string         `json:"client_secret,omitempty"`
+	GrantTypes              []string        `json:"grant_types"`
+	RedirectURIs            []string        `json:"redirect_uris,omitempty"`
+	ResponseTypes           []string        `json:"response_types,omitempty"`
+	Audience                []string        `json:"audience,omitempty"`
+	Scope                   string          `json:"scope"`
+	Owner                   string          `json:"owner"`
+	TokenEndpointAuthMethod string          `json:"token_endpoint_auth_method,omitempty"`
+	Metadata                json.RawMessage `json:"metadata,omitempty"`
 }
 
 // Oauth2ClientCredentials represents client ID and password fetched from a Kubernetes secret