diff --git a/.circleci/config.yml b/.circleci/config.yml index 921c47b..1b99697 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,9 +1,5 @@ version: 2 jobs: - aloha: - machine: true - steps: - - run: echo "Aloha! ;-)" build: docker: - image: circleci/golang:1.12 @@ -145,36 +141,31 @@ workflows: version: 2 "test, build and release": jobs: - - aloha: + - build: filters: tags: only: /.*/ -# ENABLE IT once controller with make target will be created -# - build: -# filters: -# tags: -# only: /.*/ -# - test-integration: -# filters: -# tags: -# only: /.*/ -# - test: -# filters: -# tags: -# only: /.*/ -# - release: -# requires: -# - test -# filters: -# tags: -# only: /.*/ -# branches: -# ignore: /.*/ -# - release-changelog: -# requires: -# - release -# filters: -# tags: -# only: /.*/ -# branches: -# ignore: /.*/ + - test-integration: + filters: + tags: + only: /.*/ + - test: + filters: + tags: + only: /.*/ + - release: + requires: + - test + filters: + tags: + only: /.*/ + branches: + ignore: /.*/ + - release-changelog: + requires: + - release + filters: + tags: + only: /.*/ + branches: + ignore: /.*/ diff --git a/.gitignore b/.gitignore index d97ffc5..18298d8 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,5 @@ bin *.swp *.swo *~ + +config/default/manager_image_patch.yaml-e \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index e6c589a..d9a2281 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,6 +13,7 @@ RUN go mod download COPY main.go main.go COPY api/ api/ COPY controllers/ controllers/ +COPY hydra/ hydra/ # Build RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go diff --git a/Makefile b/Makefile index 2d9d3dd..9ac3067 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,12 @@ all: manager # Run tests test: generate fmt vet manifests - go test ./api/... ./controllers/... -coverprofile cover.out + go test ./api/... ./controllers/... ./hydra... -coverprofile cover.out + +# Run integration tests on local KIND cluster +# TODO: modify once integration tests have been implemented +test-integration: + echo "no tests yet" # Build manager binary manager: generate fmt vet diff --git a/api/v1alpha1/oauth2client_types.go b/api/v1alpha1/oauth2client_types.go index 2538c61..201dc58 100644 --- a/api/v1alpha1/oauth2client_types.go +++ b/api/v1alpha1/oauth2client_types.go @@ -16,25 +16,53 @@ limitations under the License. package v1alpha1 import ( + "github.com/ory/hydra-maester/hydra" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! -// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. - // OAuth2ClientSpec defines the desired state of OAuth2Client type OAuth2ClientSpec struct { - // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster - // Important: Run "make" to regenerate code after modifying this file + // +kubebuilder:validation:MaxItems=4 + // +kubebuilder:validation:MinItems=1 + // + // GrantTypes is an array of grant types the client is allowed to use. + GrantTypes []GrantType `json:"grantTypes"` + + // +kubebuilder:validation:MaxItems=3 + // +kubebuilder:validation:MinItems=1 + // + // ResponseTypes is an array of the OAuth 2.0 response type strings that the client can + // use at the authorization endpoint. + ResponseTypes []ResponseType `json:"responseTypes,omitempty"` + + // +kubebuilder:validation:Pattern=([a-zA-Z0-9\.\*]+\s?)+ + // + // Scope is a string containing a space-separated list of scope values (as + // described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client + // can use when requesting access tokens. + Scope string `json:"scope"` } +// +kubebuilder:validation:Enum=client_credentials;authorization_code;implicit;refresh_token +// GrantType represents an OAuth 2.0 grant type +type GrantType string + +// +kubebuilder:validation:Enum=id_token;code;token +// ResponseType represents an OAuth 2.0 response type strings +type ResponseType string + // OAuth2ClientStatus defines the observed state of OAuth2Client type OAuth2ClientStatus struct { - // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster - // Important: Run "make" to regenerate code after modifying this file + // Secret points to the K8s secret that contains this client's id and password + Secret *string `json:"secret,omitempty"` + // ClientID is the id for this client. + ClientID *string `json:"clientID,omitempty"` + // ObservedGeneration represents the most recent generation observed by the daemon set controller. + ObservedGeneration int64 `json:"observedGeneration,omitempty"` } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status // OAuth2Client is the Schema for the oauth2clients API type OAuth2Client struct { @@ -57,3 +85,30 @@ type OAuth2ClientList struct { func init() { SchemeBuilder.Register(&OAuth2Client{}, &OAuth2ClientList{}) } + +// ToOAuth2ClientJSON converts an OAuth2Client into a OAuth2ClientJSON object that represents an OAuth2 client digestible by ORY Hydra +func (c *OAuth2Client) ToOAuth2ClientJSON() *hydra.OAuth2ClientJSON { + return &hydra.OAuth2ClientJSON{ + Name: c.Name, + ClientID: c.Status.ClientID, + GrantTypes: grantToStringSlice(c.Spec.GrantTypes), + ResponseTypes: responseToStringSlice(c.Spec.ResponseTypes), + Scope: c.Spec.Scope, + } +} + +func responseToStringSlice(rt []ResponseType) []string { + var output = make([]string, len(rt)) + for i, elem := range rt { + output[i] = string(elem) + } + return output +} + +func grantToStringSlice(gt []GrantType) []string { + var output = make([]string, len(gt)) + for i, elem := range gt { + output[i] = string(elem) + } + return output +} diff --git a/api/v1alpha1/oauth2client_types_test.go b/api/v1alpha1/oauth2client_types_test.go index 4711cfd..84dc96d 100644 --- a/api/v1alpha1/oauth2client_types_test.go +++ b/api/v1alpha1/oauth2client_types_test.go @@ -16,61 +16,114 @@ limitations under the License. package v1alpha1 import ( - . "github.com/onsi/ginkgo" - . "github.com/onsi/gomega" + "fmt" + "path/filepath" + "testing" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "golang.org/x/net/context" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" + "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/rest" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/envtest" ) -// These tests are written in BDD-style using Ginkgo framework. Refer to -// http://onsi.github.io/ginkgo to learn more. +var ( + k8sClient client.Client + cfg *rest.Config + testEnv *envtest.Environment + key types.NamespacedName + created, fetched *OAuth2Client + createErr, getErr, deleteErr error +) -var _ = Describe("OAuth2Client", func() { - var ( - key types.NamespacedName - created, fetched *OAuth2Client - ) +func TestCreateAPI(t *testing.T) { - BeforeEach(func() { - // Add any setup steps that needs to be executed before each test - }) + runEnv(t) + defer stopEnv(t) - AfterEach(func() { - // Add any teardown steps that needs to be executed after each test - }) + t.Run("should handle an object properly", func(t *testing.T) { - // Add Tests for OpenAPI validation (or additonal CRD features) specified in - // your API definition. - // Avoid adding tests for vanilla CRUD operations because they would - // test Kubernetes API server, which isn't the goal here. - Context("Create API", func() { + key = types.NamespacedName{ + Name: "foo", + Namespace: "default", + } - It("should create an object successfully", func() { + t.Run("by creating an API object if it meets CRD requirements", func(t *testing.T) { - key = types.NamespacedName{ - Name: "foo", - Namespace: "default", - } - created = &OAuth2Client{ - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: "default", - }} + resetTestClient() - By("creating an API obj") - Expect(k8sClient.Create(context.TODO(), created)).To(Succeed()) + createErr = k8sClient.Create(context.TODO(), created) + require.NoError(t, createErr) fetched = &OAuth2Client{} - Expect(k8sClient.Get(context.TODO(), key, fetched)).To(Succeed()) - Expect(fetched).To(Equal(created)) + getErr = k8sClient.Get(context.TODO(), key, fetched) + require.NoError(t, getErr) + assert.Equal(t, created, fetched) - By("deleting the created object") - Expect(k8sClient.Delete(context.TODO(), created)).To(Succeed()) - Expect(k8sClient.Get(context.TODO(), key, created)).ToNot(Succeed()) + deleteErr = k8sClient.Delete(context.TODO(), created) + require.NoError(t, deleteErr) + + getErr = k8sClient.Get(context.TODO(), key, created) + require.Error(t, getErr) }) - }) + t.Run("by failing if the requested object doesn't meet CRD requirements", func(t *testing.T) { -}) + for desc, modifyClient := range map[string]func(){ + "invalid grant type": func() { created.Spec.GrantTypes = []GrantType{"invalid"} }, + "invalid response type": func() { created.Spec.ResponseTypes = []ResponseType{"invalid"} }, + "invalid scope": func() { created.Spec.Scope = "" }, + } { + t.Run(fmt.Sprintf("case=%s", desc), func(t *testing.T) { + + resetTestClient() + modifyClient() + createErr = k8sClient.Create(context.TODO(), created) + require.Error(t, createErr) + }) + } + }) + }) +} + +func runEnv(t *testing.T) { + + testEnv = &envtest.Environment{ + CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")}, + } + + err := SchemeBuilder.AddToScheme(scheme.Scheme) + require.NoError(t, err) + + cfg, err = testEnv.Start() + require.NoError(t, err) + require.NotNil(t, cfg) + + k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) + require.NoError(t, err) + require.NotNil(t, k8sClient) + +} + +func stopEnv(t *testing.T) { + err := testEnv.Stop() + require.NoError(t, err) +} + +func resetTestClient() { + created = &OAuth2Client{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: "default", + }, + Spec: OAuth2ClientSpec{ + GrantTypes: []GrantType{"implicit", "client_credentials", "authorization_code", "refresh_token"}, + ResponseTypes: []ResponseType{"id_token", "code", "token"}, + Scope: "read,write", + }, + } +} diff --git a/api/v1alpha1/suite_test.go b/api/v1alpha1/suite_test.go deleted file mode 100644 index 42dfb19..0000000 --- a/api/v1alpha1/suite_test.go +++ /dev/null @@ -1,74 +0,0 @@ -/* - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "path/filepath" - "testing" - - . "github.com/onsi/ginkgo" - . "github.com/onsi/gomega" - - "k8s.io/client-go/kubernetes/scheme" - "k8s.io/client-go/rest" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/envtest" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/log/zap" -) - -// These tests use Ginkgo (BDD-style Go testing framework). Refer to -// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. - -var cfg *rest.Config -var k8sClient client.Client -var testEnv *envtest.Environment - -func TestAPIs(t *testing.T) { - RegisterFailHandler(Fail) - - RunSpecsWithDefaultAndCustomReporters(t, - "v1alpha1 Suite", - []Reporter{envtest.NewlineReporter{}}) -} - -var _ = BeforeSuite(func(done Done) { - logf.SetLogger(zap.LoggerTo(GinkgoWriter, true)) - - By("bootstrapping test environment") - testEnv = &envtest.Environment{ - CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")}, - } - - err := SchemeBuilder.AddToScheme(scheme.Scheme) - Expect(err).NotTo(HaveOccurred()) - - cfg, err = testEnv.Start() - Expect(err).ToNot(HaveOccurred()) - Expect(cfg).ToNot(BeNil()) - - k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) - Expect(err).ToNot(HaveOccurred()) - Expect(k8sClient).ToNot(BeNil()) - - close(done) -}, 60) - -var _ = AfterSuite(func() { - By("tearing down the test environment") - err := testEnv.Stop() - Expect(err).ToNot(HaveOccurred()) -}) diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index fe93b3e..1d02578 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -28,8 +28,8 @@ func (in *OAuth2Client) DeepCopyInto(out *OAuth2Client) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec - out.Status = in.Status + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2Client. @@ -85,6 +85,16 @@ func (in *OAuth2ClientList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OAuth2ClientSpec) DeepCopyInto(out *OAuth2ClientSpec) { *out = *in + if in.GrantTypes != nil { + in, out := &in.GrantTypes, &out.GrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.ResponseTypes != nil { + in, out := &in.ResponseTypes, &out.ResponseTypes + *out = make([]ResponseType, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientSpec. @@ -100,6 +110,16 @@ func (in *OAuth2ClientSpec) DeepCopy() *OAuth2ClientSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OAuth2ClientStatus) DeepCopyInto(out *OAuth2ClientStatus) { *out = *in + if in.Secret != nil { + in, out := &in.Secret, &out.Secret + *out = new(string) + **out = **in + } + if in.ClientID != nil { + in, out := &in.ClientID, &out.ClientID + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientStatus. diff --git a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml new file mode 100644 index 0000000..d0594b9 --- /dev/null +++ b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml @@ -0,0 +1,450 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: oauth2clients.hydra.ory.sh +spec: + group: hydra.ory.sh + names: + kind: OAuth2Client + plural: oauth2clients + scope: "" + subresources: + status: {} + validation: + openAPIV3Schema: + description: OAuth2Client is the Schema for the oauth2clients API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + properties: + annotations: + additionalProperties: + type: string + description: 'Annotations is an unstructured key value map stored with + a resource that may be set by external tools to store and retrieve + arbitrary metadata. They are not queryable and should be preserved + when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' + type: object + clusterName: + description: The name of the cluster which the object belongs to. This + is used to distinguish resources with same name and namespace in different + clusters. This field is not set anywhere right now and apiserver is + going to ignore it if set in create or update request. + type: string + creationTimestamp: + description: "CreationTimestamp is a timestamp representing the server + time when this object was created. It is not guaranteed to be set + in happens-before order across separate operations. Clients may not + set this value. It is represented in RFC3339 form and is in UTC. \n + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" + format: date-time + type: string + deletionGracePeriodSeconds: + description: Number of seconds allowed for this object to gracefully + terminate before it will be removed from the system. Only set when + deletionTimestamp is also set. May only be shortened. Read-only. + format: int64 + type: integer + deletionTimestamp: + description: "DeletionTimestamp is RFC 3339 date and time at which this + resource will be deleted. This field is set by the server when a graceful + deletion is requested by the user, and is not directly settable by + a client. The resource is expected to be deleted (no longer visible + from resource lists, and not reachable by name) after the time in + this field, once the finalizers list is empty. As long as the finalizers + list contains items, deletion is blocked. Once the deletionTimestamp + is set, this value may not be unset or be set further into the future, + although it may be shortened or the resource may be deleted prior + to this time. For example, a user may request that a pod is deleted + in 30 seconds. The Kubelet will react by sending a graceful termination + signal to the containers in the pod. After that 30 seconds, the Kubelet + will send a hard termination signal (SIGKILL) to the container and + after cleanup, remove the pod from the API. In the presence of network + partitions, this object may still exist after this timestamp, until + an administrator or automated process can determine the resource is + fully terminated. If not set, graceful deletion of the object has + not been requested. \n Populated by the system when a graceful deletion + is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" + format: date-time + type: string + finalizers: + description: Must be empty before the object is deleted from the registry. + Each entry is an identifier for the responsible component that will + remove the entry from the list. If the deletionTimestamp of the object + is non-nil, entries in this list can only be removed. + items: + type: string + type: array + generateName: + description: "GenerateName is an optional prefix, used by the server, + to generate a unique name ONLY IF the Name field has not been provided. + If this field is used, the name returned to the client will be different + than the name passed. This value will also be combined with a unique + suffix. The provided value has the same validation rules as the Name + field, and may be truncated by the length of the suffix required to + make the value unique on the server. \n If this field is specified + and the generated name exists, the server will NOT return a 409 - + instead, it will either return 201 Created or 500 with Reason ServerTimeout + indicating a unique name could not be found in the time allotted, + and the client should retry (optionally after the time indicated in + the Retry-After header). \n Applied only if Name is not specified. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency" + type: string + generation: + description: A sequence number representing a specific generation of + the desired state. Populated by the system. Read-only. + format: int64 + type: integer + initializers: + description: "An initializer is a controller which enforces some system + invariant at object creation time. This field is a list of initializers + that have not yet acted on this object. If nil or empty, this object + has been completely initialized. Otherwise, the object is considered + uninitialized and is hidden (in list/watch and get calls) from clients + that haven't explicitly asked to observe uninitialized objects. \n + When an object is created, the system will populate this list with + the current set of initializers. Only privileged users may set or + modify this list. Once it is empty, it may not be modified further + by any user. \n DEPRECATED - initializers are an alpha field and will + be removed in v1.15." + properties: + pending: + description: Pending is a list of initializers that must execute + in order before this object is visible. When the last pending + initializer is removed, and no failing result is set, the initializers + struct will be set to nil and the object is considered as initialized + and visible to all clients. + items: + properties: + name: + description: name of the process that is responsible for initializing + this object. + type: string + required: + - name + type: object + type: array + result: + description: If result is set with the Failure field, the object + will be persisted to storage and then deleted, ensuring that other + clients can observe the deletion. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + code: + description: Suggested HTTP return code for this status, 0 if + not set. + format: int32 + type: integer + details: + description: Extended data associated with the reason. Each + reason may define its own extended details. This field is + optional and the data returned is not guaranteed to conform + to any schema except that defined by the reason type. + properties: + causes: + description: The Causes array includes more details associated + with the StatusReason failure. Not all StatusReasons may + provide detailed causes. + items: + properties: + field: + description: "The field of the resource that has caused + this error, as named by its JSON serialization. + May include dot and postfix notation for nested + attributes. Arrays are zero-indexed. Fields may + appear more than once in an array of causes due + to fields having multiple errors. Optional. \n Examples: + \ \"name\" - the field \"name\" on the current + resource \"items[0].name\" - the field \"name\" + on the first array entry in \"items\"" + type: string + message: + description: A human-readable description of the cause + of the error. This field may be presented as-is + to a reader. + type: string + reason: + description: A machine-readable description of the + cause of the error. If this value is empty there + is no information available. + type: string + type: object + type: array + group: + description: The group attribute of the resource associated + with the status StatusReason. + type: string + kind: + description: 'The kind attribute of the resource associated + with the status StatusReason. On some operations may differ + from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + name: + description: The name attribute of the resource associated + with the status StatusReason (when there is a single name + which can be described). + type: string + retryAfterSeconds: + description: If specified, the time in seconds before the + operation should be retried. Some errors may indicate + the client must take an alternate action - for those errors + this field may indicate how long to wait before taking + the alternate action. + format: int32 + type: integer + uid: + description: 'UID of the resource. (when there is a single + resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + type: string + type: object + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + message: + description: A human-readable description of the status of this + operation. + type: string + metadata: + description: 'Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + properties: + continue: + description: continue may be set if the user set a limit + on the number of items returned, and indicates that the + server has more data available. The value is opaque and + may be used to issue another request to the endpoint that + served this list to retrieve the next set of available + objects. Continuing a consistent list may not be possible + if the server configuration has changed or more than a + few minutes have passed. The resourceVersion field returned + when using this continue value will be identical to the + value in the first response, unless you have received + this token from an error message. + type: string + resourceVersion: + description: 'String that identifies the server''s internal + version of this object that can be used by clients to + determine when objects have changed. Value must be treated + as opaque by clients and passed unmodified back to the + server. Populated by the system. Read-only. More info: + https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' + type: string + selfLink: + description: selfLink is a URL representing this object. + Populated by the system. Read-only. + type: string + type: object + reason: + description: A machine-readable description of why this operation + is in the "Failure" status. If this value is empty there is + no information available. A Reason clarifies an HTTP status + code but does not override it. + type: string + status: + description: 'Status of the operation. One of: "Success" or + "Failure". More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status' + type: string + type: object + required: + - pending + type: object + labels: + additionalProperties: + type: string + description: 'Map of string keys and values that can be used to organize + and categorize (scope and select) objects. May match selectors of + replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels' + type: object + managedFields: + description: "ManagedFields maps workflow-id and version to the set + of fields that are managed by that workflow. This is mostly for internal + housekeeping, and users typically shouldn't need to set or understand + this field. A workflow can be the user's name, a controller's name, + or the name of a specific apply path like \"ci-cd\". The set of fields + is always in the version that the workflow used when modifying the + object. \n This field is alpha and can be changed or removed without + notice." + items: + properties: + apiVersion: + description: APIVersion defines the version of this resource that + this field set applies to. The format is "group/version" just + like the top-level APIVersion field. It is necessary to track + the version of a field set because it cannot be automatically + converted. + type: string + fields: + additionalProperties: true + description: Fields identifies a set of fields. + type: object + manager: + description: Manager is an identifier of the workflow managing + these fields. + type: string + operation: + description: Operation is the type of operation which lead to + this ManagedFieldsEntry being created. The only valid values + for this field are 'Apply' and 'Update'. + type: string + time: + description: Time is timestamp of when these fields were set. + It should always be empty if Operation is 'Apply' + format: date-time + type: string + type: object + type: array + name: + description: 'Name must be unique within a namespace. Is required when + creating resources, although some resources may allow a client to + request the generation of an appropriate name automatically. Name + is primarily intended for creation idempotence and configuration definition. + Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + namespace: + description: "Namespace defines the space within each name must be unique. + An empty namespace is equivalent to the \"default\" namespace, but + \"default\" is the canonical representation. Not all objects are required + to be scoped to a namespace - the value of this field for those objects + will be empty. \n Must be a DNS_LABEL. Cannot be updated. More info: + http://kubernetes.io/docs/user-guide/namespaces" + type: string + ownerReferences: + description: List of objects depended by this object. If ALL objects + in the list have been deleted, this object will be garbage collected. + If this object is managed by a controller, then an entry in this list + will point to this controller, with the controller field set to true. + There cannot be more than one managing controller. + items: + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: If true, AND if the owner has the "foregroundDeletion" + finalizer, then the owner cannot be deleted from the key-value + store until this reference is removed. Defaults to false. To + set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. + type: boolean + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + uid: + description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + type: array + resourceVersion: + description: "An opaque value that represents the internal version of + this object that can be used by clients to determine when objects + have changed. May be used for optimistic concurrency, change detection, + and the watch operation on a resource or set of resources. Clients + must treat these values as opaque and passed unmodified back to the + server. They may only be valid for a particular resource or set of + resources. \n Populated by the system. Read-only. Value must be treated + as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency" + type: string + selfLink: + description: SelfLink is a URL representing this object. Populated by + the system. Read-only. + type: string + uid: + description: "UID is the unique in time and space value for this object. + It is typically generated by the server on successful creation of + a resource and is not allowed to change on PUT operations. \n Populated + by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids" + type: string + type: object + spec: + properties: + grantTypes: + description: GrantTypes is an array of grant types the client is allowed + to use. + items: + enum: + - client_credentials + - authorization_code + - implicit + - refresh_token + type: string + maxItems: 4 + minItems: 1 + type: array + responseTypes: + description: ResponseTypes is an array of the OAuth 2.0 response type + strings that the client can use at the authorization endpoint. + items: + enum: + - id_token + - code + - token + type: string + maxItems: 3 + minItems: 1 + type: array + scope: + description: Scope is a string containing a space-separated list of + scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) + that the client can use when requesting access tokens. + pattern: ([a-zA-Z0-9\.\*]+\s?)+ + type: string + required: + - grantTypes + - scope + type: object + status: + properties: + clientID: + description: ClientID is the id for this client. + type: string + observedGeneration: + description: ObservedGeneration represents the most recent generation + observed by the daemon set controller. + format: int64 + type: integer + secret: + description: Secret points to the K8s secret that contains this client's + id and password + type: string + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml index eb90957..b84e6c1 100644 --- a/config/default/manager_image_patch.yaml +++ b/config/default/manager_image_patch.yaml @@ -8,5 +8,5 @@ spec: spec: containers: # Change the value of image field below to your controller image URL - - image: IMAGE_URL + - image: controller:latest name: manager diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml new file mode 100644 index 0000000..81385f3 --- /dev/null +++ b/config/rbac/role.yaml @@ -0,0 +1,40 @@ + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: manager-role +rules: +- apiGroups: + - hydra.ory.sh + resources: + - oauth2clients + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - hydra.ory.sh + resources: + - oauth2clients/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml new file mode 100644 index 0000000..e69de29 diff --git a/controllers/oauth2client_controller.go b/controllers/oauth2client_controller.go index e1b8749..74a2d89 100644 --- a/controllers/oauth2client_controller.go +++ b/controllers/oauth2client_controller.go @@ -17,28 +17,77 @@ package controllers import ( "context" + "fmt" + + "k8s.io/apimachinery/pkg/types" "github.com/go-logr/logr" + hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" + "github.com/ory/hydra-maester/hydra" + apiv1 "k8s.io/api/core/v1" + apierrs "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" - - hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" ) +const ( + clientIDKey = "client_id" + clientSecretKey = "client_secret" +) + +type HydraClientInterface interface { + GetOAuth2Client(id string) (*hydra.OAuth2ClientJSON, bool, error) + PostOAuth2Client(o *hydra.OAuth2ClientJSON) (*hydra.OAuth2ClientJSON, error) + PutOAuth2Client(o *hydra.OAuth2ClientJSON) (*hydra.OAuth2ClientJSON, error) + DeleteOAuth2Client(id string) error +} + // OAuth2ClientReconciler reconciles a OAuth2Client object type OAuth2ClientReconciler struct { + HydraClient HydraClientInterface + Log logr.Logger client.Client - Log logr.Logger } // +kubebuilder:rbac:groups=hydra.ory.sh,resources=oauth2clients,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=hydra.ory.sh,resources=oauth2clients/status,verbs=get;update;patch +// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete func (r *OAuth2ClientReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { - _ = context.Background() + ctx := context.Background() _ = r.Log.WithValues("oauth2client", req.NamespacedName) - // your logic here + var client hydrav1alpha1.OAuth2Client + if err := r.Get(ctx, req.NamespacedName, &client); err != nil { + if apierrs.IsNotFound(err) { + if err := r.unregisterOAuth2Client(ctx, req.NamespacedName); err != nil { + return ctrl.Result{}, err + } + return ctrl.Result{}, nil + } + return ctrl.Result{}, err + } + + if client.Generation != client.Status.ObservedGeneration { + + var registered = false + var err error + + if client.Status.ClientID != nil { + + _, registered, err = r.HydraClient.GetOAuth2Client(*client.Status.ClientID) + if err != nil { + return ctrl.Result{}, err + } + } + + if !registered { + return ctrl.Result{}, r.registerOAuth2Client(ctx, &client) + } + + return ctrl.Result{}, r.updateRegisteredOAuth2Client(&client) + } return ctrl.Result{}, nil } @@ -48,3 +97,49 @@ func (r *OAuth2ClientReconciler) SetupWithManager(mgr ctrl.Manager) error { For(&hydrav1alpha1.OAuth2Client{}). Complete(r) } + +func (r *OAuth2ClientReconciler) registerOAuth2Client(ctx context.Context, client *hydrav1alpha1.OAuth2Client) error { + created, err := r.HydraClient.PostOAuth2Client(client.ToOAuth2ClientJSON()) + if err != nil { + return err + } + + clientSecret := apiv1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: client.Name, + Namespace: client.Namespace, + }, + Data: map[string][]byte{ + clientSecretKey: []byte(*created.Secret), + clientIDKey: []byte(*created.ClientID), + }, + } + + err = r.Create(ctx, &clientSecret) + if err != nil { + return err + } + + client.Status.Secret = &clientSecret.Name + client.Status.ClientID = created.ClientID + client.Status.ObservedGeneration = client.Generation + return r.Status().Update(ctx, client) +} + +func (r *OAuth2ClientReconciler) unregisterOAuth2Client(ctx context.Context, namespacedName types.NamespacedName) error { + var sec apiv1.Secret + if err := r.Get(ctx, namespacedName, &sec); err != nil { + if apierrs.IsNotFound(err) { + r.Log.Info(fmt.Sprintf("unable to find secret corresponding with client %s/%s. Manual deletion recommended", namespacedName.Name, namespacedName.Namespace)) + return nil + } + return err + } + + return r.HydraClient.DeleteOAuth2Client(string(sec.Data[clientIDKey])) +} + +func (r *OAuth2ClientReconciler) updateRegisteredOAuth2Client(client *hydrav1alpha1.OAuth2Client) error { + _, err := r.HydraClient.PutOAuth2Client(client.ToOAuth2ClientJSON()) + return err +} diff --git a/controllers/oauth2client_controller_integration_test.go b/controllers/oauth2client_controller_integration_test.go new file mode 100644 index 0000000..6863767 --- /dev/null +++ b/controllers/oauth2client_controller_integration_test.go @@ -0,0 +1,197 @@ +package controllers_test + +import ( + "context" + "fmt" + "time" + + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" + hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" + "github.com/ory/hydra-maester/controllers" + "github.com/ory/hydra-maester/hydra" + apiv1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "k8s.io/client-go/kubernetes/scheme" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/controller" + "sigs.k8s.io/controller-runtime/pkg/handler" + "sigs.k8s.io/controller-runtime/pkg/manager" + "sigs.k8s.io/controller-runtime/pkg/reconcile" + "sigs.k8s.io/controller-runtime/pkg/source" +) + +const timeout = time.Second * 5 + +var _ = Describe("OAuth2Client Controller", func() { + Context("in a happy-path scenario", func() { + + var tstName = "test" + var tstNamespace = "default" + var tstScopes = "a b c" + var tstClientID = "testClientID" + var tstSecret = "testSecret" + + var expectedRequest = reconcile.Request{NamespacedName: types.NamespacedName{Name: tstName, Namespace: tstNamespace}} + It("should call create OAuth2 client in Hydra and a Secret", func() { + + s := scheme.Scheme + err := hydrav1alpha1.AddToScheme(s) + Expect(err).NotTo(HaveOccurred()) + + // Setup the Manager and Controller. Wrap the Controller Reconcile function so it writes each request to a + // channel when it is finished. + mgr, err := manager.New(cfg, manager.Options{Scheme: s}) + Expect(err).NotTo(HaveOccurred()) + c := mgr.GetClient() + + mch := (&mockHydraClient{}). + withSecret(tstSecret). + withClientID(tstClientID) + + recFn, requests := SetupTestReconcile(getAPIReconciler(mgr, mch)) + //_, requests := SetupTestReconcile(getApiReconciler(mgr)) + + Expect(add(mgr, recFn)).To(Succeed()) + + //Start the manager and the controller + stopMgr, mgrStopped := StartTestManager(mgr) + + //Ensure manager is stopped properly + defer func() { + close(stopMgr) + mgrStopped.Wait() + }() + + instance := testInstance(tstName, tstNamespace, tstScopes) + err = c.Create(context.TODO(), instance) + // The instance object may not be a valid object because it might be missing some required fields. + // Please modify the instance object by adding required fields and then remove the following if statement. + if apierrors.IsInvalid(err) { + Fail(fmt.Sprintf("failed to create object, got an invalid object error: %v", err)) + return + } + Expect(err).NotTo(HaveOccurred()) + defer c.Delete(context.TODO(), instance) + Eventually(requests, timeout).Should(Receive(Equal(expectedRequest))) + + //Verify the created CR instance status + var retrieved hydrav1alpha1.OAuth2Client + ok := client.ObjectKey{Name: tstName, Namespace: tstNamespace} + err = c.Get(context.TODO(), ok, &retrieved) + Expect(err).NotTo(HaveOccurred()) + + Expect(*retrieved.Status.ClientID).To(Equal(tstClientID)) + Expect(*retrieved.Status.Secret).To(Equal(tstName)) //Secret contents is not visible in the CR instance! + + //Verify the created Secret + var createdSecret = apiv1.Secret{} + k8sClient.Get(context.TODO(), ok, &createdSecret) + Expect(err).NotTo(HaveOccurred()) + Expect(createdSecret.Data["client_secret"]).To(Equal([]byte(tstSecret))) + }) + }) +}) + +// add adds a new Controller to mgr with r as the reconcile.Reconciler +func add(mgr manager.Manager, r reconcile.Reconciler) error { + // Create a new controller + c, err := controller.New("api-gateway-controller", mgr, controller.Options{Reconciler: r}) + if err != nil { + return err + } + + // Watch for changes to Api + err = c.Watch(&source.Kind{Type: &hydrav1alpha1.OAuth2Client{}}, &handler.EnqueueRequestForObject{}) + if err != nil { + return err + } + + // TODO(user): Modify this to be the types you create + // Uncomment watch a Deployment created by Guestbook - change this for objects you create + //err = c.Watch(&source.Kind{Type: &appsv1.Deployment{}}, &handler.EnqueueRequestForOwner{ + // IsController: true, + // OwnerType: &webappv1.Guestbook{}, + //}) + //if err != nil { + // return err + //} + + return nil +} + +func getAPIReconciler(mgr ctrl.Manager, mock *mockHydraClient) reconcile.Reconciler { + return &controllers.OAuth2ClientReconciler{ + Client: mgr.GetClient(), + Log: ctrl.Log.WithName("controllers").WithName("OAuth2Client"), + HydraClient: mock, + } +} + +func testInstance(name, namespace, scopes string) *hydrav1alpha1.OAuth2Client { + + return &hydrav1alpha1.OAuth2Client{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: hydrav1alpha1.OAuth2ClientSpec{ + GrantTypes: []hydrav1alpha1.GrantType{"client_credentials"}, + ResponseTypes: []hydrav1alpha1.ResponseType{"token"}, + Scope: scopes, + }} +} + +//TODO: Replace with full-fledged mocking framework (mockery/go-mock) +type mockHydraClient struct { + resSecret string + resClientID string + postedData *hydra.OAuth2ClientJSON +} + +func (m *mockHydraClient) withSecret(secret string) *mockHydraClient { + m.resSecret = secret + return m +} + +func (m *mockHydraClient) withClientID(clientID string) *mockHydraClient { + m.resClientID = clientID + return m +} + +//Returns the data previously "stored" by PostOAuth2Client +func (m *mockHydraClient) GetOAuth2Client(id string) (*hydra.OAuth2ClientJSON, bool, error) { + res := &hydra.OAuth2ClientJSON{ + ClientID: &m.resClientID, + Secret: &m.resSecret, + Name: m.postedData.Name, + GrantTypes: m.postedData.GrantTypes, + ResponseTypes: m.postedData.ResponseTypes, + Scope: m.postedData.Scope, + } + return res, true, nil +} + +func (m *mockHydraClient) PostOAuth2Client(o *hydra.OAuth2ClientJSON) (*hydra.OAuth2ClientJSON, error) { + m.postedData = o + res := &hydra.OAuth2ClientJSON{ + ClientID: &m.resClientID, + Secret: &m.resSecret, + Name: o.Name, + GrantTypes: o.GrantTypes, + ResponseTypes: o.ResponseTypes, + Scope: o.Scope, + } + return res, nil +} + +func (m *mockHydraClient) DeleteOAuth2Client(id string) error { + panic("Should not be invoked!") +} + +func (m *mockHydraClient) PutOAuth2Client(o *hydra.OAuth2ClientJSON) (*hydra.OAuth2ClientJSON, error) { + panic("Should not be invoked!") +} diff --git a/controllers/suite_test.go b/controllers/suite_test.go index 515bbf5..4fc6128 100644 --- a/controllers/suite_test.go +++ b/controllers/suite_test.go @@ -13,22 +13,24 @@ See the License for the specific language governing permissions and limitations under the License. */ -package controllers +package controllers_test import ( "path/filepath" + "sync" "testing" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" - hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/rest" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/envtest" logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/manager" + "sigs.k8s.io/controller-runtime/pkg/reconcile" // +kubebuilder:scaffold:imports ) @@ -55,13 +57,11 @@ var _ = BeforeSuite(func(done Done) { CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")}, } - cfg, err := testEnv.Start() + var err error + cfg, err = testEnv.Start() Expect(err).ToNot(HaveOccurred()) Expect(cfg).ToNot(BeNil()) - err = hydrav1alpha1.AddToScheme(scheme.Scheme) - Expect(err).NotTo(HaveOccurred()) - // +kubebuilder:scaffold:scheme k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) @@ -76,3 +76,27 @@ var _ = AfterSuite(func() { err := testEnv.Stop() Expect(err).ToNot(HaveOccurred()) }) + +// SetupTestReconcile returns a reconcile.Reconcile implementation that delegates to inner and +// writes the request to requests after Reconcile is finished. +func SetupTestReconcile(inner reconcile.Reconciler) (reconcile.Reconciler, chan reconcile.Request) { + requests := make(chan reconcile.Request) + fn := reconcile.Func(func(req reconcile.Request) (reconcile.Result, error) { + result, err := inner.Reconcile(req) + requests <- req + return result, err + }) + return fn, requests +} + +// StartTestManager adds recFn +func StartTestManager(mgr manager.Manager) (chan struct{}, *sync.WaitGroup) { + stop := make(chan struct{}) + wg := &sync.WaitGroup{} + wg.Add(1) + go func() { + defer wg.Done() + Expect(mgr.Start(stop)).NotTo(HaveOccurred()) + }() + return stop, wg +} diff --git a/go.mod b/go.mod index f55bc45..7478161 100644 --- a/go.mod +++ b/go.mod @@ -6,8 +6,11 @@ require ( github.com/go-logr/logr v0.1.0 github.com/onsi/ginkgo v1.6.0 github.com/onsi/gomega v1.4.2 + github.com/stretchr/testify v1.3.0 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd + k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d k8s.io/client-go v11.0.1-0.20190409021438-1a26190bd76a+incompatible + k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5 sigs.k8s.io/controller-runtime v0.2.0-beta.2 ) diff --git a/hydra/client.go b/hydra/client.go new file mode 100644 index 0000000..be28dab --- /dev/null +++ b/hydra/client.go @@ -0,0 +1,149 @@ +package hydra + +import ( + "bytes" + "encoding/json" + "fmt" + "io" + "net/http" + "net/url" + "path" +) + +type Client struct { + HydraURL url.URL + HTTPClient *http.Client +} + +func (c *Client) GetOAuth2Client(id string) (*OAuth2ClientJSON, bool, error) { + + var jsonClient *OAuth2ClientJSON + + req, err := c.newRequest(http.MethodGet, id, nil) + if err != nil { + return nil, false, err + } + + resp, err := c.do(req, &jsonClient) + if err != nil { + return nil, false, err + } + + switch resp.StatusCode { + case http.StatusOK: + return jsonClient, true, nil + case http.StatusNotFound: + return nil, false, nil + default: + return nil, false, fmt.Errorf("%s %s http request returned unexpected status code %s", req.Method, req.URL.String(), resp.Status) + } +} + +func (c *Client) PostOAuth2Client(o *OAuth2ClientJSON) (*OAuth2ClientJSON, error) { + + var jsonClient *OAuth2ClientJSON + + req, err := c.newRequest(http.MethodPost, "", o) + if err != nil { + return nil, err + } + + resp, err := c.do(req, &jsonClient) + if err != nil { + return nil, err + } + + switch resp.StatusCode { + case http.StatusCreated: + return jsonClient, nil + case http.StatusConflict: + return nil, fmt.Errorf(" %s %s http request failed: requested ID already exists", req.Method, req.URL) + default: + return nil, fmt.Errorf("%s %s http request returned unexpected status code: %s", req.Method, req.URL, resp.Status) + } +} + +func (c *Client) PutOAuth2Client(o *OAuth2ClientJSON) (*OAuth2ClientJSON, error) { + + var jsonClient *OAuth2ClientJSON + + req, err := c.newRequest(http.MethodPut, *o.ClientID, o) + if err != nil { + return nil, err + } + + resp, err := c.do(req, &jsonClient) + if err != nil { + return nil, err + } + + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("%s %s http request returned unexpected status code: %s", req.Method, req.URL, resp.Status) + } + + return jsonClient, nil +} + +func (c *Client) DeleteOAuth2Client(id string) error { + + req, err := c.newRequest(http.MethodDelete, id, nil) + if err != nil { + return err + } + + resp, err := c.do(req, nil) + if err != nil { + return err + } + + switch resp.StatusCode { + case http.StatusNoContent: + return nil + case http.StatusNotFound: + fmt.Printf("client with id %s does not exist", id) + return nil + default: + return fmt.Errorf("%s %s http request returned unexpected status code %s", req.Method, req.URL.String(), resp.Status) + } +} + +func (c *Client) newRequest(method, relativePath string, body interface{}) (*http.Request, error) { + + var buf io.ReadWriter + if body != nil { + buf = new(bytes.Buffer) + err := json.NewEncoder(buf).Encode(body) + if err != nil { + return nil, err + } + } + + u := c.HydraURL + u.Path = path.Join(u.Path, relativePath) + + req, err := http.NewRequest(method, u.String(), buf) + if err != nil { + return nil, err + } + + if body != nil { + req.Header.Set("Content-Type", "application/json") + } + req.Header.Set("Accept", "application/json") + + return req, nil + +} + +func (c *Client) do(req *http.Request, v interface{}) (*http.Response, error) { + resp, err := c.HTTPClient.Do(req) + if err != nil { + return nil, err + } + + defer resp.Body.Close() + if v != nil { + err = json.NewDecoder(resp.Body).Decode(v) + } + return resp, err +} diff --git a/hydra/client_test.go b/hydra/client_test.go new file mode 100644 index 0000000..fa566c8 --- /dev/null +++ b/hydra/client_test.go @@ -0,0 +1,269 @@ +package hydra_test + +import ( + "encoding/json" + "errors" + "fmt" + "net/http" + "net/http/httptest" + "net/url" + "testing" + + "k8s.io/utils/pointer" + + "github.com/ory/hydra-maester/hydra" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +const ( + testID = "test-id" + schemeHTTP = "http" + testClient = `{"client_id":"test-id","client_name":"test-name","scope":"some,scopes","grant_types":["type1"]}` + testClientCreated = `{"client_id":"test-id-2", "client_secret": "TmGkvcY7k526","client_name":"test-name-2","scope":"some,other,scopes","grant_types":["type2"]}` + testClientUpdated = `{"client_id":"test-id-3", "client_secret": "xFoPPm654por","client_name":"test-name-3","scope":"yet,another,scope","grant_types":["type3"]}` + emptyBody = `{}` + clientsEndpoint = "/clients" +) + +type server struct { + statusCode int + respBody string + err error +} + +var testOAuthJSONPost = &hydra.OAuth2ClientJSON{ + Name: "test-name-2", + Scope: "some,other,scopes", + GrantTypes: []string{"type2"}, +} + +var testOAuthJSONPut = &hydra.OAuth2ClientJSON{ + ClientID: pointer.StringPtr("test-id-3"), + Name: "test-name-3", + Scope: "yet,another,scope", + GrantTypes: []string{"type3"}, +} + +func TestCRUD(t *testing.T) { + + assert := assert.New(t) + + c := hydra.Client{ + HTTPClient: &http.Client{}, + HydraURL: url.URL{Scheme: schemeHTTP}, + } + + t.Run("method=get", func(t *testing.T) { + + for d, tc := range map[string]server{ + "getting registered client": { + http.StatusOK, + testClient, + nil, + }, + "getting unregistered client": { + http.StatusNotFound, + emptyBody, + nil, + }, + "internal server error when requesting": { + http.StatusInternalServerError, + emptyBody, + errors.New("http request returned unexpected status code"), + }, + } { + t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { + + //given + shouldFind := tc.statusCode == http.StatusOK + + h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + assert.Equal(fmt.Sprintf("%s/%s", c.HydraURL.String(), testID), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) + assert.Equal(http.MethodGet, req.Method) + w.WriteHeader(tc.statusCode) + w.Write([]byte(tc.respBody)) + if shouldFind { + w.Header().Set("Content-type", "application/json") + } + }) + runServer(&c, h) + + //when + o, found, err := c.GetOAuth2Client(testID) + + //then + if tc.err == nil { + require.NoError(t, err) + } else { + require.Error(t, err) + assert.Contains(err.Error(), tc.err.Error()) + } + + assert.Equal(shouldFind, found) + if shouldFind { + require.NotNil(t, o) + var expected hydra.OAuth2ClientJSON + json.Unmarshal([]byte(testClient), &expected) + assert.Equal(&expected, o) + } + }) + } + }) + + t.Run("method=post", func(t *testing.T) { + + for d, tc := range map[string]server{ + "with new client": { + http.StatusCreated, + testClientCreated, + nil, + }, + "with existing client": { + http.StatusConflict, + emptyBody, + errors.New("requested ID already exists"), + }, + "internal server error when requesting": { + http.StatusInternalServerError, + emptyBody, + errors.New("http request returned unexpected status code"), + }, + } { + t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { + + //given + new := tc.statusCode == http.StatusCreated + + h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + assert.Equal(c.HydraURL.String(), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) + assert.Equal(http.MethodPost, req.Method) + w.WriteHeader(tc.statusCode) + w.Write([]byte(tc.respBody)) + if new { + w.Header().Set("Content-type", "application/json") + } + }) + runServer(&c, h) + + //when + o, err := c.PostOAuth2Client(testOAuthJSONPost) + + //then + if tc.err == nil { + require.NoError(t, err) + } else { + require.Error(t, err) + assert.Contains(err.Error(), tc.err.Error()) + } + + if new { + require.NotNil(t, o) + + assert.Equal(testOAuthJSONPost.Name, o.Name) + assert.Equal(testOAuthJSONPost.Scope, o.Scope) + assert.Equal(testOAuthJSONPost.GrantTypes, o.GrantTypes) + assert.NotNil(o.Secret) + assert.NotNil(o.ClientID) + } + }) + } + }) + + t.Run("method=put", func(t *testing.T) { + for d, tc := range map[string]server{ + "with registered client": { + http.StatusOK, + testClientUpdated, + nil, + }, + "internal server error when requesting": { + http.StatusInternalServerError, + emptyBody, + errors.New("http request returned unexpected status code"), + }, + } { + t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { + + ok := tc.statusCode == http.StatusOK + + //given + h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + assert.Equal(fmt.Sprintf("%s/%s", c.HydraURL.String(), *testOAuthJSONPut.ClientID), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) + assert.Equal(http.MethodPut, req.Method) + w.WriteHeader(tc.statusCode) + w.Write([]byte(tc.respBody)) + if ok { + w.Header().Set("Content-type", "application/json") + } + }) + runServer(&c, h) + + //when + o, err := c.PutOAuth2Client(testOAuthJSONPut) + + //then + if tc.err == nil { + require.NoError(t, err) + } else { + require.Error(t, err) + assert.Contains(err.Error(), tc.err.Error()) + } + + if ok { + require.NotNil(t, o) + + assert.Equal(testOAuthJSONPut.Name, o.Name) + assert.Equal(testOAuthJSONPut.Scope, o.Scope) + assert.Equal(testOAuthJSONPut.GrantTypes, o.GrantTypes) + assert.Equal(testOAuthJSONPut.ClientID, o.ClientID) + assert.NotNil(o.Secret) + } + }) + } + }) + + t.Run("method=delete", func(t *testing.T) { + + for d, tc := range map[string]server{ + "with registered client": { + statusCode: http.StatusNoContent, + }, + "with unregistered client": { + statusCode: http.StatusNotFound, + }, + "internal server error when requesting": { + statusCode: http.StatusInternalServerError, + err: errors.New("http request returned unexpected status code"), + }, + } { + t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { + + //given + h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + assert.Equal(fmt.Sprintf("%s/%s", c.HydraURL.String(), testID), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) + assert.Equal(http.MethodDelete, req.Method) + w.WriteHeader(tc.statusCode) + }) + runServer(&c, h) + + //when + err := c.DeleteOAuth2Client(testID) + + //then + if tc.err == nil { + require.NoError(t, err) + } else { + require.Error(t, err) + assert.Contains(err.Error(), tc.err.Error()) + } + }) + } + }) +} + +func runServer(c *hydra.Client, h http.HandlerFunc) { + s := httptest.NewServer(h) + serverUrl, _ := url.Parse(s.URL) + c.HydraURL = *serverUrl.ResolveReference(&url.URL{Path: clientsEndpoint}) +} diff --git a/hydra/types.go b/hydra/types.go new file mode 100644 index 0000000..e036fde --- /dev/null +++ b/hydra/types.go @@ -0,0 +1,11 @@ +package hydra + +// OAuth2ClientJSON represents an OAuth2 client digestible by ORY Hydra +type OAuth2ClientJSON struct { + ClientID *string `json:"client_id,omitempty"` + Name string `json:"client_name"` + GrantTypes []string `json:"grant_types"` + ResponseTypes []string `json:"response_types,omitempty"` + Scope string `json:"scope"` + Secret *string `json:"client_secret,omitempty"` +} diff --git a/main.go b/main.go index 86d9ee6..258a317 100644 --- a/main.go +++ b/main.go @@ -17,10 +17,16 @@ package main import ( "flag" + "fmt" + "net/http" + "net/url" "os" + "github.com/ory/hydra-maester/hydra" + hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" "github.com/ory/hydra-maester/controllers" + apiv1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime" _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" ctrl "sigs.k8s.io/controller-runtime" @@ -35,14 +41,22 @@ var ( func init() { + apiv1.AddToScheme(scheme) hydrav1alpha1.AddToScheme(scheme) // +kubebuilder:scaffold:scheme } func main() { var metricsAddr string + var hydraURL string + var port int + var endpoint string var enableLeaderElection bool + flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.") + flag.StringVar(&hydraURL, "hydra-url", "http://ory-hydra-admin.kyma-system.svc.cluster.local", "The address of ORY Hydra") + flag.IntVar(&port, "port", 4445, "Port ORY Hydra is listening on") + flag.StringVar(&endpoint, "endpoint", "/clients", "ORY Hydra's client endpoint") flag.BoolVar(&enableLeaderElection, "enable-leader-election", false, "Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.") flag.Parse() @@ -59,9 +73,19 @@ func main() { os.Exit(1) } + u, err := url.Parse(fmt.Sprintf("%s:%d", hydraURL, port)) + if err != nil { + setupLog.Error(err, "unable to parse ORY Hydra's URL", "controller", "OAuth2Client") + os.Exit(1) + } + err = (&controllers.OAuth2ClientReconciler{ Client: mgr.GetClient(), Log: ctrl.Log.WithName("controllers").WithName("OAuth2Client"), + HydraClient: &hydra.Client{ + HydraURL: *u.ResolveReference(&url.URL{Path: endpoint}), + HTTPClient: &http.Client{}, + }, }).SetupWithManager(mgr) if err != nil { setupLog.Error(err, "unable to create controller", "controller", "OAuth2Client")