Merge pull request #1190 from vmware-tanzu/client-secret-api-noop

aggregated api for oidcclientsecretrequest
2026-01-06 05:27:23 +00:00 · 2022-06-16 10:30:13 -04:00
parent 90077f7135 ff26c424ae
commit 4bf734061d
239 changed files with 9758 additions and 51 deletions
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@@ -53,6 +53,7 @@ func TestGetAPIResourceList(t *testing.T) {
 	configConciergeGV := makeGV("config", "concierge")
 	idpSupervisorGV := makeGV("idp", "supervisor")
 	configSupervisorGV := makeGV("config", "supervisor")
+	clientSecretSupervisorGV := makeGV("clientsecret", "supervisor")

 	tests := []struct {
 		group             metav1.APIGroup
@@ -110,6 +111,32 @@ func TestGetAPIResourceList(t *testing.T) {
 				},
 			},
 		},
+		{
+			group: metav1.APIGroup{
+				Name: clientSecretSupervisorGV.Group,
+				Versions: []metav1.GroupVersionForDiscovery{
+					{
+						GroupVersion: clientSecretSupervisorGV.String(),
+						Version:      clientSecretSupervisorGV.Version,
+					},
+				},
+				PreferredVersion: metav1.GroupVersionForDiscovery{
+					GroupVersion: clientSecretSupervisorGV.String(),
+					Version:      clientSecretSupervisorGV.Version,
+				},
+			},
+			resourceByVersion: map[string][]metav1.APIResource{
+				clientSecretSupervisorGV.String(): {
+					{
+						Name:       "oidcclientsecretrequests",
+						Kind:       "OIDCClientSecretRequest",
+						Verbs:      []string{"create", "list"},
+						Namespaced: true,
+						Categories: []string{"pinniped"},
+					},
+				},
+			},
+		},
 		{
 			group: metav1.APIGroup{
 				Name: configSupervisorGV.Group,
@@ -353,7 +380,7 @@ func TestGetAPIResourceList(t *testing.T) {
 	t.Run("every API has a status subresource", func(t *testing.T) {
 		t.Parallel()

-		aggregatedAPIs := sets.NewString("tokencredentialrequests", "whoamirequests")
+		aggregatedAPIs := sets.NewString("tokencredentialrequests", "whoamirequests", "oidcclientsecretrequests")

 		var regular, status []string

--- a/test/integration/supervisor_oidcclientsecret_test.go
+++ b/test/integration/supervisor_oidcclientsecret_test.go
@@ -0,0 +1,54 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package integration
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1"
+	"go.pinniped.dev/test/testlib"
+)
+
+func TestOIDCClientSecretRequest_HappyPath_Parallel(t *testing.T) {
+	env := testlib.IntegrationEnv(t)
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+
+	client := testlib.NewSupervisorClientset(t)
+
+	response, err := client.ClientsecretV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx,
+		&v1alpha1.OIDCClientSecretRequest{
+			Spec: v1alpha1.OIDCClientSecretRequestSpec{
+				GenerateNewSecret: true,
+			},
+		}, metav1.CreateOptions{})
+	require.NoError(t, err)
+	// the hardcoded values from the nonfunctional request
+	require.Equal(t, response.Status.TotalClientSecrets, 20)
+	require.Equal(t, response.Status.GeneratedSecret, "not-a-real-secret")
+}
+
+func TestOIDCClientSecretRequest_Unauthenticated_Parallel(t *testing.T) {
+	env := testlib.IntegrationEnv(t)
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+
+	client := testlib.NewAnonymousSupervisorClientset(t)
+
+	_, err := client.ClientsecretV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx,
+		&v1alpha1.OIDCClientSecretRequest{
+			Spec: v1alpha1.OIDCClientSecretRequestSpec{
+				GenerateNewSecret: true,
+			},
+		}, metav1.CreateOptions{})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "User \"system:anonymous\" cannot create resource \"oidcclientsecretrequests\"")
+}
--- a/test/testlib/client.go
+++ b/test/testlib/client.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package testlib
@@ -86,6 +86,12 @@ func NewSupervisorClientset(t *testing.T) supervisorclientset.Interface {
 	return NewKubeclient(t, NewClientConfig(t)).PinnipedSupervisor
 }

+func NewAnonymousSupervisorClientset(t *testing.T) supervisorclientset.Interface {
+	t.Helper()
+
+	return NewKubeclient(t, NewAnonymousClientRestConfig(t)).PinnipedSupervisor
+}
+
 func NewConciergeClientset(t *testing.T) conciergeclientset.Interface {
 	t.Helper()