From 678be9902a52374abfe1b697fbd658f301ab7bc2 Mon Sep 17 00:00:00 2001
From: Joshua Casey
Date: Tue, 11 Jun 2024 10:16:18 -0500
Subject: [PATCH] Lint new files from the GitHub branch
---
.../federation_domain_watcher_test.go | 6 +-
.../github_upstream_watcher.go | 57 ++-
.../github_upstream_watcher_test.go | 388 +++++++++---------
internal/controller/utils.go | 4 +-
.../callback/callback_handler_test.go | 6 +-
.../endpoints/token/token_handler_test.go | 2 +-
.../resolved_github_provider.go | 4 +-
.../upstreamprovider/upstream_provider.go | 6 +-
.../oidctestutil/testgithubprovider.go | 18 +-
internal/upstreamgithub/upstreamgithub.go | 20 +-
.../upstreamgithub/upstreamgithub_test.go | 30 +-
test/integration/e2e_test.go | 16 +-
test/integration/supervisor_login_test.go | 12 +-
test/testlib/client.go | 2 +-
14 files changed, 285 insertions(+), 286 deletions(-)
diff --git a/internal/controller/supervisorconfig/federation_domain_watcher_test.go b/internal/controller/supervisorconfig/federation_domain_watcher_test.go
index b606f9c87..172dec76c 100644
--- a/internal/controller/supervisorconfig/federation_domain_watcher_test.go
+++ b/internal/controller/supervisorconfig/federation_domain_watcher_test.go
@@ -633,13 +633,13 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) { federationDomainIssuerWithDefaultIDP(t, federationDomain1.Spec.Issuer, gitHubIdentityProvider.ObjectMeta), federationDomainIssuerWithDefaultIDP(t, federationDomain2.Spec.Issuer, gitHubIdentityProvider.ObjectMeta), }, - wantStatusUpdates: []*configv1alpha1.FederationDomain{ + wantStatusUpdates: []*supervisorconfigv1alpha1.FederationDomain{ expectedFederationDomainStatusUpdate(federationDomain1, - configv1alpha1.FederationDomainPhaseReady, + supervisorconfigv1alpha1.FederationDomainPhaseReady, allHappyConditionsLegacyConfigurationSuccess(federationDomain1.Spec.Issuer, gitHubIdentityProvider.Name, frozenMetav1Now, 123), ), expectedFederationDomainStatusUpdate(federationDomain2, - configv1alpha1.FederationDomainPhaseReady, + supervisorconfigv1alpha1.FederationDomainPhaseReady, allHappyConditionsLegacyConfigurationSuccess(federationDomain2.Spec.Issuer, gitHubIdentityProvider.Name, frozenMetav1Now, 123), ), }, diff --git a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go index b1de18d0c..c9580d98b 100644 --- a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go +++ b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go 
@@ -18,15 +18,14 @@ import ( "golang.org/x/oauth2" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/equality" - k8sapierrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" - errorsutil "k8s.io/apimachinery/pkg/util/errors" - k8sutilerrors "k8s.io/apimachinery/pkg/util/errors" + utilerrors "k8s.io/apimachinery/pkg/util/errors" corev1informers "k8s.io/client-go/informers/core/v1" "k8s.io/utils/clock" - "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" idpinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1" pinnipedcontroller "go.pinniped.dev/internal/controller" @@ -106,7 +105,7 @@ func New( withInformer( gitHubIdentityProviderInformer, pinnipedcontroller.SimpleFilter(func(obj metav1.Object) bool { - gitHubIDP, ok := obj.(*v1alpha1.GitHubIdentityProvider) + gitHubIDP, ok := obj.(*idpv1alpha1.GitHubIdentityProvider) return ok && gitHubIDP.Namespace == namespace }, pinnipedcontroller.SingletonQueue()), controllerlib.InformerOption{}, @@ -127,7 +126,7 @@ func (c *gitHubWatcherController) Sync(ctx controllerlib.Context) error { } // Sort them by name just so that the logs output is consistent - slices.SortStableFunc(actualUpstreams, func(a, b *v1alpha1.GitHubIdentityProvider) int { + slices.SortStableFunc(actualUpstreams, func(a, b *idpv1alpha1.GitHubIdentityProvider) int { return strings.Compare(a.Name, b.Name) }) 
@@ -151,14 +150,14 @@ func (c *gitHubWatcherController) Sync(ctx controllerlib.Context) error { applicationErrors = append([]error{controllerlib.ErrSyntheticRequeue}, applicationErrors...) } - return errorsutil.NewAggregate(applicationErrors) + return utilerrors.NewAggregate(applicationErrors) } func (c *gitHubWatcherController) validateClientSecret(secretName string) (*metav1.Condition, string, string, error) { secret, unableToRetrieveSecretErr := c.secretInformer.Lister().Secrets(c.namespace).Get(secretName) // This error requires user interaction, so ignore it. - if k8sapierrors.IsNotFound(unableToRetrieveSecretErr) { + if apierrors.IsNotFound(unableToRetrieveSecretErr) { unableToRetrieveSecretErr = nil } 
@@ -207,16 +206,16 @@ func (c *gitHubWatcherController) validateClientSecret(secretName string) (*meta }, clientID, clientSecret, nil } -func validateOrganizationsPolicy(organizationsSpec *v1alpha1.GitHubOrganizationsSpec) *metav1.Condition { - var policy v1alpha1.GitHubAllowedAuthOrganizationsPolicy +func validateOrganizationsPolicy(organizationsSpec *idpv1alpha1.GitHubOrganizationsSpec) *metav1.Condition { + var policy idpv1alpha1.GitHubAllowedAuthOrganizationsPolicy if organizationsSpec.Policy != nil { policy = *organizationsSpec.Policy } // Should not happen due to CRD defaulting, enum validation, and CEL validation (for recent versions of K8s only!) // That is why the message here is very minimal - if (policy == v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers && len(organizationsSpec.Allowed) == 0) || - (policy == v1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations && len(organizationsSpec.Allowed) > 0) { + if (policy == idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers && len(organizationsSpec.Allowed) == 0) || + (policy == idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations && len(organizationsSpec.Allowed) > 0) { return &metav1.Condition{ Type: OrganizationsPolicyValid, Status: metav1.ConditionTrue, @@ -242,7 +241,7 @@ func validateOrganizationsPolicy(organizationsSpec *v1alpha1.GitHubOrganizations } } -func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx controllerlib.Context, upstream *v1alpha1.GitHubIdentityProvider) ( +func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx controllerlib.Context, upstream *idpv1alpha1.GitHubIdentityProvider) ( *upstreamgithub.Provider, // If validated, returns the config error, // This error will only refer to programmatic errors such as inability to perform a Dial or dereference a pointer, not configuration errors ) { 
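Review bot: In validateOrganizationsPolicy (the `@@ -207,16` hunk) the comment "Should not happen due to CRD defaulting, enum validation, and CEL validation" sits directly above the `if` whose branch returns `Status: metav1.ConditionTrue`, so it reads as if the accepted case were the one that should not happen. It presumably describes the fall-through rejection, which lies outside this hunk. Because the same comment says CEL validation exists only on recent Kubernetes versions, this function may be the only place where a mismatched policy and allowed-organizations list is rejected on older clusters, and that is worth stating. I would put `// Accept only the two consistent policy/allowed combinations; everything else is rejected below.` above the `if` and move the "should not happen" remark next to the failing return.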
@@ -285,7 +284,7 @@ func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx contro // Status: metav1.ConditionFalse, never be omitted. if len(conditions) != countExpectedConditions { // untested since all code paths return the same number of conditions applicationErrors = append(applicationErrors, fmt.Errorf("expected %d conditions but found %d conditions", countExpectedConditions, len(conditions))) - return nil, k8sutilerrors.NewAggregate(applicationErrors) + return nil, utilerrors.NewAggregate(applicationErrors) } hadErrorCondition, updateStatusErr := c.updateStatus(ctx.Context, upstream, conditions) if updateStatusErr != nil { @@ -293,7 +292,7 @@ func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx contro } // Any error condition means we will not add the IDP to the cache, so just return nil here if hadErrorCondition { - return nil, k8sutilerrors.NewAggregate(applicationErrors) + return nil, utilerrors.NewAggregate(applicationErrors) } provider := upstreamgithub.New( @@ -320,7 +319,7 @@ func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx contro HttpClient: httpClient, }, ) - return provider, k8sutilerrors.NewAggregate(applicationErrors) + return provider, utilerrors.NewAggregate(applicationErrors) } func apiBaseUrl(upstreamSpecHost string, hostURL string) string { @@ -330,7 +329,7 @@ func apiBaseUrl(upstreamSpecHost string, hostURL string) string { return defaultApiBaseURL } -func validateHost(gitHubAPIConfig v1alpha1.GitHubAPIConfig) (*metav1.Condition, *endpointaddr.HostPort) { +func validateHost(gitHubAPIConfig idpv1alpha1.GitHubAPIConfig) (*metav1.Condition, *endpointaddr.HostPort) { buildInvalidHost := func(host, reason string) *metav1.Condition { return &metav1.Condition{ Type: HostValid, 
@@ -360,7 +359,7 @@ func validateHost(gitHubAPIConfig v1alpha1.GitHubAPIConfig) (*metav1.Condition, }, &hostPort } -func (c *gitHubWatcherController) validateTLSConfiguration(tlsSpec *v1alpha1.TLSSpec) (*metav1.Condition, *x509.CertPool) { +func (c *gitHubWatcherController) validateTLSConfiguration(tlsSpec *idpv1alpha1.TLSSpec) (*metav1.Condition, *x509.CertPool) { certPool, _, buildCertPoolErr := pinnipedcontroller.BuildCertPoolIDP(tlsSpec) if buildCertPoolErr != nil { // buildCertPoolErr is not recoverable with a resync. @@ -428,7 +427,7 @@ func buildDialErrorMessage(tlsDialErr error) string { return reason } -func validateUserAndGroupAttributes(upstream *v1alpha1.GitHubIdentityProvider) (*metav1.Condition, v1alpha1.GitHubGroupNameAttribute, v1alpha1.GitHubUsernameAttribute) { +func validateUserAndGroupAttributes(upstream *idpv1alpha1.GitHubIdentityProvider) (*metav1.Condition, idpv1alpha1.GitHubGroupNameAttribute, idpv1alpha1.GitHubUsernameAttribute) { buildInvalidCondition := func(message string) *metav1.Condition { return &metav1.Condition{ Type: ClaimsValid, @@ -438,14 +437,14 @@ func validateUserAndGroupAttributes(upstream *v1alpha1.GitHubIdentityProvider) ( } } - var usernameAttribute v1alpha1.GitHubUsernameAttribute + var usernameAttribute idpv1alpha1.GitHubUsernameAttribute if upstream.Spec.Claims.Username == nil { return buildInvalidCondition("spec.claims.username is required"), "", "" } else { usernameAttribute = *upstream.Spec.Claims.Username } - var groupNameAttribute v1alpha1.GitHubGroupNameAttribute + var groupNameAttribute idpv1alpha1.GitHubGroupNameAttribute if upstream.Spec.Claims.Groups == nil { return buildInvalidCondition("spec.claims.groups is required"), "", "" } else { 
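Review bot: In the `@@ -438,14` hunk of validateUserAndGroupAttributes, both nil checks keep an `else` after a branch that already returns, the pattern that golint and revive's indent-error-flow rule report, so this lint pass is a natural place to flatten it. After each guard the assignment can stand on its own line, `usernameAttribute = *upstream.Spec.Claims.Username`, and likewise for `groupNameAttribute`. The second `else` body lies outside the hunk, so I am assuming it mirrors the first.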
@@ -453,17 +452,17 @@ func validateUserAndGroupAttributes(upstream *v1alpha1.GitHubIdentityProvider) ( } switch usernameAttribute { - case v1alpha1.GitHubUsernameLoginAndID: - case v1alpha1.GitHubUsernameLogin: - case v1alpha1.GitHubUsernameID: + case idpv1alpha1.GitHubUsernameLoginAndID: + case idpv1alpha1.GitHubUsernameLogin: + case idpv1alpha1.GitHubUsernameID: default: // Should not happen due to CRD enum validation return buildInvalidCondition(fmt.Sprintf("spec.claims.username (%q) is not valid", usernameAttribute)), "", "" } switch groupNameAttribute { - case v1alpha1.GitHubUseTeamNameForGroupName: - case v1alpha1.GitHubUseTeamSlugForGroupName: + case idpv1alpha1.GitHubUseTeamNameForGroupName: + case idpv1alpha1.GitHubUseTeamSlugForGroupName: default: // Should not happen due to CRD enum validation return buildInvalidCondition(fmt.Sprintf("spec.claims.groups (%q) is not valid", groupNameAttribute)), "", "" @@ -479,7 +478,7 @@ func validateUserAndGroupAttributes(upstream *v1alpha1.GitHubIdentityProvider) ( func (c *gitHubWatcherController) updateStatus( ctx context.Context, - upstream *v1alpha1.GitHubIdentityProvider, + upstream *idpv1alpha1.GitHubIdentityProvider, conditions []*metav1.Condition) (bool, error) { log := c.log.WithValues("namespace", upstream.Namespace, "name", upstream.Name) updated := upstream.DeepCopy() @@ -492,9 +491,9 @@ func (c *gitHubWatcherController) updateStatus( metav1.NewTime(c.clock.Now()), ) - updated.Status.Phase = v1alpha1.GitHubPhaseReady + updated.Status.Phase = idpv1alpha1.GitHubPhaseReady if hadErrorCondition { - updated.Status.Phase = v1alpha1.GitHubPhaseError + updated.Status.Phase = idpv1alpha1.GitHubPhaseError } if equality.Semantic.DeepEqual(upstream, updated) { diff --git a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher_test.go b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher_test.go index 0da18dff8..5b9df963f 100644 
--- a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher_test.go +++ b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher_test.go @@ -30,9 +30,9 @@ import ( clocktesting "k8s.io/utils/clock/testing" "k8s.io/utils/ptr" - "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake" - pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions" + supervisorinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions" "go.pinniped.dev/internal/certauthority" pinnipedcontroller "go.pinniped.dev/internal/controller" "go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers" @@ -49,12 +49,12 @@ import ( var ( githubIDPGVR = schema.GroupVersionResource{ - Group: v1alpha1.SchemeGroupVersion.Group, - Version: v1alpha1.SchemeGroupVersion.Version, + Group: idpv1alpha1.SchemeGroupVersion.Group, + Version: idpv1alpha1.SchemeGroupVersion.Version, Resource: "githubidentityproviders", } - githubIDPKind = v1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider") + githubIDPKind = idpv1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider") ) func TestController(t *testing.T) { 
@@ -98,62 +98,62 @@ func TestController(t *testing.T) { }, } - validMinimalIDP := &v1alpha1.GitHubIdentityProvider{ + validMinimalIDP := &idpv1alpha1.GitHubIdentityProvider{ ObjectMeta: metav1.ObjectMeta{ Name: "minimal-idp-name", Namespace: namespace, UID: types.UID("minimal-uid"), Generation: wantObservedGeneration, }, - Spec: v1alpha1.GitHubIdentityProviderSpec{ - GitHubAPI: v1alpha1.GitHubAPIConfig{ + Spec: idpv1alpha1.GitHubIdentityProviderSpec{ + GitHubAPI: idpv1alpha1.GitHubAPIConfig{ Host: ptr.To(goodServerDomain), - TLS: &v1alpha1.TLSSpec{ + TLS: &idpv1alpha1.TLSSpec{ CertificateAuthorityData: goodServerCAB64, }, }, - Client: v1alpha1.GitHubClientSpec{ + Client: idpv1alpha1.GitHubClientSpec{ SecretName: goodSecret.Name, }, // These claims are optional when using the actual Kubernetes CRD. // However, they are required here because CRD defaulting/validation does not occur during testing. - Claims: v1alpha1.GitHubClaims{ - Username: ptr.To(v1alpha1.GitHubUsernameLogin), - Groups: ptr.To(v1alpha1.GitHubUseTeamSlugForGroupName), + Claims: idpv1alpha1.GitHubClaims{ + Username: ptr.To(idpv1alpha1.GitHubUsernameLogin), + Groups: ptr.To(idpv1alpha1.GitHubUseTeamSlugForGroupName), }, - AllowAuthentication: v1alpha1.GitHubAllowAuthenticationSpec{ - Organizations: v1alpha1.GitHubOrganizationsSpec{ - Policy: ptr.To(v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers), + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers), }, }, }, } - validFilledOutIDP := &v1alpha1.GitHubIdentityProvider{ + validFilledOutIDP := &idpv1alpha1.GitHubIdentityProvider{ ObjectMeta: metav1.ObjectMeta{ Name: "some-idp-name", Namespace: namespace, UID: types.UID("some-resource-uid"), Generation: wantObservedGeneration, }, - Spec: v1alpha1.GitHubIdentityProviderSpec{ - GitHubAPI: v1alpha1.GitHubAPIConfig{ + Spec: 
idpv1alpha1.GitHubIdentityProviderSpec{ + GitHubAPI: idpv1alpha1.GitHubAPIConfig{ Host: ptr.To(goodServerDomain), - TLS: &v1alpha1.TLSSpec{ + TLS: &idpv1alpha1.TLSSpec{ CertificateAuthorityData: goodServerCAB64, }, }, - Claims: v1alpha1.GitHubClaims{ - Username: ptr.To(v1alpha1.GitHubUsernameID), - Groups: ptr.To(v1alpha1.GitHubUseTeamNameForGroupName), + Claims: idpv1alpha1.GitHubClaims{ + Username: ptr.To(idpv1alpha1.GitHubUsernameID), + Groups: ptr.To(idpv1alpha1.GitHubUseTeamNameForGroupName), }, - AllowAuthentication: v1alpha1.GitHubAllowAuthenticationSpec{ - Organizations: v1alpha1.GitHubOrganizationsSpec{ - Policy: ptr.To(v1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations), + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations), Allowed: []string{"organization1", "org2"}, }, }, - Client: v1alpha1.GitHubClientSpec{ + Client: idpv1alpha1.GitHubClientSpec{ SecretName: goodSecret.Name, }, }, @@ -211,7 +211,7 @@ func TestController(t *testing.T) { } } - buildOrganizationsPolicyValidTrue := func(t *testing.T, policy v1alpha1.GitHubAllowedAuthOrganizationsPolicy) metav1.Condition { + buildOrganizationsPolicyValidTrue := func(t *testing.T, policy idpv1alpha1.GitHubAllowedAuthOrganizationsPolicy) metav1.Condition { t.Helper() return metav1.Condition{ @@ -377,12 +377,12 @@ func TestController(t *testing.T) { wantErr string wantLogs []string wantResultingCache []*upstreamgithub.ProviderConfig - wantResultingUpstreams []v1alpha1.GitHubIdentityProvider + wantResultingUpstreams []idpv1alpha1.GitHubIdentityProvider }{ { name: "no GitHubIdentityProviders", wantResultingCache: []*upstreamgithub.ProviderConfig{}, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{}, + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{}, wantLogs: []string{}, }, { 
@@ -414,12 +414,12 @@ func TestController(t *testing.T) { HttpClient: nil, // let the test runner populate this for us }, }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, Spec: validFilledOutIDP.Spec, - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseReady, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseReady, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), @@ -470,12 +470,12 @@ func TestController(t *testing.T) { HttpClient: nil, // let the test runner populate this for us }, }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, Spec: validMinimalIDP.Spec, - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseReady, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseReady, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName), 
@@ -540,17 +540,17 @@ func TestController(t *testing.T) { HttpClient: nil, // let the test runner populate this for us }, }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { githubIDP := validMinimalIDP.DeepCopy() githubIDP.Spec.GitHubAPI.Host = ptr.To("github.com") // don't change the CA because we are not really going to dial github.com in this test return githubIDP.Spec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseReady, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseReady, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName), @@ -579,7 +579,7 @@ func TestController(t *testing.T) { func() runtime.Object { ipv6IDP := validMinimalIDP.DeepCopy() ipv6IDP.Spec.GitHubAPI.Host = ptr.To(goodServerIPv6Domain) - ipv6IDP.Spec.GitHubAPI.TLS = &v1alpha1.TLSSpec{ + ipv6IDP.Spec.GitHubAPI.TLS = &idpv1alpha1.TLSSpec{ CertificateAuthorityData: goodServerIPv6CAB64, } return ipv6IDP 
@@ -608,20 +608,20 @@ func TestController(t *testing.T) { HttpClient: nil, // let the test runner populate this for us }, }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { otherSpec := validMinimalIDP.Spec.DeepCopy() otherSpec.GitHubAPI.Host = ptr.To(goodServerIPv6Domain) - otherSpec.GitHubAPI.TLS = &v1alpha1.TLSSpec{ + otherSpec.GitHubAPI.TLS = &idpv1alpha1.TLSSpec{ CertificateAuthorityData: goodServerIPv6CAB64, } return *otherSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseReady, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseReady, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName), @@ -663,7 +663,7 @@ func TestController(t *testing.T) { otherIDP.Spec.Client.SecretName = "other-secret-name" // No other test happens to that this particular value passes validation - otherIDP.Spec.Claims.Username = ptr.To(v1alpha1.GitHubUsernameLoginAndID) + otherIDP.Spec.Claims.Username = ptr.To(idpv1alpha1.GitHubUsernameLoginAndID) return otherIDP }(), func() runtime.Object { 
@@ -717,20 +717,20 @@ func TestController(t *testing.T) { HttpClient: nil, // let the test runner populate this for us }, }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: func() metav1.ObjectMeta { otherMeta := validFilledOutIDP.ObjectMeta.DeepCopy() otherMeta.Name = "invalid-idp-name" return *otherMeta }(), - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { otherSpec := validFilledOutIDP.Spec.DeepCopy() otherSpec.Client.SecretName = "no-secret-with-this-name" return *otherSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidFalse( @@ -753,14 +753,14 @@ func TestController(t *testing.T) { otherMeta.Name = "other-idp-name" return *otherMeta }(), - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { otherSpec := validFilledOutIDP.Spec.DeepCopy() otherSpec.Client.SecretName = "other-secret-name" - otherSpec.Claims.Username = ptr.To(v1alpha1.GitHubUsernameLoginAndID) + otherSpec.Claims.Username = ptr.To(idpv1alpha1.GitHubUsernameLoginAndID) return *otherSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseReady, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseReady, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, "other-secret-name"), 
@@ -774,8 +774,8 @@ func TestController(t *testing.T) { { ObjectMeta: validFilledOutIDP.ObjectMeta, Spec: validFilledOutIDP.Spec, - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseReady, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseReady, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), @@ -823,16 +823,16 @@ func TestController(t *testing.T) { return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validFilledOutIDP.Spec.DeepCopy() badSpec.GitHubAPI.Host = nil return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), 
@@ -864,16 +864,16 @@ func TestController(t *testing.T) { return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validMinimalIDP.Spec.DeepCopy() badSpec.GitHubAPI.Host = ptr.To("https://example.com") return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), @@ -905,16 +905,16 @@ func TestController(t *testing.T) { return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validMinimalIDP.Spec.DeepCopy() badSpec.GitHubAPI.Host = ptr.To("example.com/foo") return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName), 
@@ -946,16 +946,16 @@ func TestController(t *testing.T) { return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validMinimalIDP.Spec.DeepCopy() badSpec.GitHubAPI.Host = ptr.To("u:p@example.com") return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName), @@ -987,16 +987,16 @@ func TestController(t *testing.T) { return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validMinimalIDP.Spec.DeepCopy() badSpec.GitHubAPI.Host = ptr.To("example.com?a=b") return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName), 
@@ -1028,16 +1028,16 @@ func TestController(t *testing.T) { return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validMinimalIDP.Spec.DeepCopy() badSpec.GitHubAPI.Host = ptr.To("example.com#a") return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName), @@ -1065,24 +1065,24 @@ func TestController(t *testing.T) { githubIdentityProviders: []runtime.Object{ func() runtime.Object { badIDP := validFilledOutIDP.DeepCopy() - badIDP.Spec.GitHubAPI.TLS = &v1alpha1.TLSSpec{ + badIDP.Spec.GitHubAPI.TLS = &idpv1alpha1.TLSSpec{ CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("foo")), } return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validFilledOutIDP.Spec.DeepCopy() - badSpec.GitHubAPI.TLS = &v1alpha1.TLSSpec{ + badSpec.GitHubAPI.TLS = &idpv1alpha1.TLSSpec{ CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("foo")), } return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), 
@@ -1115,16 +1115,16 @@ func TestController(t *testing.T) { }(), }, wantErr: "dial tcp: lookup nowhere.bad-tld: no such host", - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validMinimalIDP.Spec.DeepCopy() badSpec.GitHubAPI.Host = ptr.To("nowhere.bad-tld") return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName), @@ -1156,16 +1156,16 @@ func TestController(t *testing.T) { return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validMinimalIDP.Spec.DeepCopy() badSpec.GitHubAPI.Host = ptr.To("0:0:0:0:0:0:0:1:9876") return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName), 
@@ -1198,16 +1198,16 @@ func TestController(t *testing.T) { }(), }, wantErr: "tls: failed to verify certificate: x509: certificate signed by unknown authority", - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validFilledOutIDP.Spec.DeepCopy() badSpec.GitHubAPI.TLS = nil return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), 
@@ -1235,25 +1235,25 @@ func TestController(t *testing.T) { githubIdentityProviders: []runtime.Object{ func() runtime.Object { badIDP := validFilledOutIDP.DeepCopy() - badIDP.Spec.GitHubAPI.TLS = &v1alpha1.TLSSpec{ + badIDP.Spec.GitHubAPI.TLS = &idpv1alpha1.TLSSpec{ CertificateAuthorityData: base64.StdEncoding.EncodeToString(unknownServerCABytes), } return badIDP }(), }, wantErr: "tls: failed to verify certificate: x509: certificate signed by unknown authority", - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validFilledOutIDP.Spec.DeepCopy() - badSpec.GitHubAPI.TLS = &v1alpha1.TLSSpec{ + badSpec.GitHubAPI.TLS = &idpv1alpha1.TLSSpec{ CertificateAuthorityData: base64.StdEncoding.EncodeToString(unknownServerCABytes), } return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), 
@@ -1285,16 +1285,16 @@ func TestController(t *testing.T) { return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validFilledOutIDP.Spec.DeepCopy() badSpec.AllowAuthentication.Organizations.Policy = nil return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), 
@@ -1322,20 +1322,20 @@ func TestController(t *testing.T) { githubIdentityProviders: []runtime.Object{ func() runtime.Object { badIDP := validFilledOutIDP.DeepCopy() - badIDP.Spec.AllowAuthentication.Organizations.Policy = ptr.To[v1alpha1.GitHubAllowedAuthOrganizationsPolicy]("a") + badIDP.Spec.AllowAuthentication.Organizations.Policy = ptr.To[idpv1alpha1.GitHubAllowedAuthOrganizationsPolicy]("a") return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validFilledOutIDP.Spec.DeepCopy() - badSpec.AllowAuthentication.Organizations.Policy = ptr.To[v1alpha1.GitHubAllowedAuthOrganizationsPolicy]("a") + badSpec.AllowAuthentication.Organizations.Policy = ptr.To[idpv1alpha1.GitHubAllowedAuthOrganizationsPolicy]("a") return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), 
@@ -1363,20 +1363,20 @@ func TestController(t *testing.T) { githubIdentityProviders: []runtime.Object{ func() runtime.Object { badIDP := validFilledOutIDP.DeepCopy() - badIDP.Spec.AllowAuthentication.Organizations.Policy = ptr.To(v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers) + badIDP.Spec.AllowAuthentication.Organizations.Policy = ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers) return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validFilledOutIDP.Spec.DeepCopy() - badSpec.AllowAuthentication.Organizations.Policy = ptr.To(v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers) + badSpec.AllowAuthentication.Organizations.Policy = ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers) return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), 
@@ -1408,16 +1408,16 @@ func TestController(t *testing.T) { return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validFilledOutIDP.Spec.DeepCopy() badSpec.AllowAuthentication.Organizations.Allowed = nil return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), @@ -1449,16 +1449,16 @@ func TestController(t *testing.T) { return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validFilledOutIDP.Spec.DeepCopy() badSpec.Claims.Username = nil return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedFalse(t, "spec.claims.username is required"), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), 
@@ -1486,20 +1486,20 @@ func TestController(t *testing.T) { githubIdentityProviders: []runtime.Object{ func() runtime.Object { badIDP := validFilledOutIDP.DeepCopy() - badIDP.Spec.Claims.Username = ptr.To[v1alpha1.GitHubUsernameAttribute]("a") + badIDP.Spec.Claims.Username = ptr.To[idpv1alpha1.GitHubUsernameAttribute]("a") return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validFilledOutIDP.Spec.DeepCopy() - badSpec.Claims.Username = ptr.To[v1alpha1.GitHubUsernameAttribute]("a") + badSpec.Claims.Username = ptr.To[idpv1alpha1.GitHubUsernameAttribute]("a") return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedFalse(t, `spec.claims.username ("a") is not valid`), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), 
@@ -1531,16 +1531,16 @@ func TestController(t *testing.T) { return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validFilledOutIDP.Spec.DeepCopy() badSpec.Claims.Groups = nil return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedFalse(t, "spec.claims.groups is required"), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), 
@@ -1568,20 +1568,20 @@ func TestController(t *testing.T) { githubIdentityProviders: []runtime.Object{ func() runtime.Object { badIDP := validFilledOutIDP.DeepCopy() - badIDP.Spec.Claims.Groups = ptr.To[v1alpha1.GitHubGroupNameAttribute]("b") + badIDP.Spec.Claims.Groups = ptr.To[idpv1alpha1.GitHubGroupNameAttribute]("b") return badIDP }(), }, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validFilledOutIDP.ObjectMeta, - Spec: func() v1alpha1.GitHubIdentityProviderSpec { + Spec: func() idpv1alpha1.GitHubIdentityProviderSpec { badSpec := validFilledOutIDP.Spec.DeepCopy() - badSpec.Claims.Groups = ptr.To[v1alpha1.GitHubGroupNameAttribute]("b") + badSpec.Claims.Groups = ptr.To[idpv1alpha1.GitHubGroupNameAttribute]("b") return *badSpec }(), - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedFalse(t, `spec.claims.groups ("b") is not valid`), buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName), @@ -1613,12 +1613,12 @@ func TestController(t *testing.T) { }(), }, githubIdentityProviders: []runtime.Object{validMinimalIDP}, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, Spec: validMinimalIDP.Spec, - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidFalse( 
@@ -1656,12 +1656,12 @@ func TestController(t *testing.T) { }(), }, githubIdentityProviders: []runtime.Object{validMinimalIDP}, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, Spec: validMinimalIDP.Spec, - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidFalse( @@ -1699,12 +1699,12 @@ func TestController(t *testing.T) { }(), }, githubIdentityProviders: []runtime.Object{validMinimalIDP}, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, Spec: validMinimalIDP.Spec, - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidFalse( @@ -1742,12 +1742,12 @@ func TestController(t *testing.T) { }(), }, githubIdentityProviders: []runtime.Object{validMinimalIDP}, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, Spec: validMinimalIDP.Spec, - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidFalse( 
@@ -1785,12 +1785,12 @@ func TestController(t *testing.T) { }(), }, githubIdentityProviders: []runtime.Object{validMinimalIDP}, - wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{ + wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{ { ObjectMeta: validMinimalIDP.ObjectMeta, Spec: validMinimalIDP.Spec, - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ buildClaimsValidatedTrue(t), buildClientCredentialsSecretValidFalse( @@ -1825,7 +1825,7 @@ func TestController(t *testing.T) { t.Parallel() fakeSupervisorClient := supervisorfake.NewSimpleClientset(tt.githubIdentityProviders...) - supervisorInformers := pinnipedinformers.NewSharedInformerFactory(fakeSupervisorClient, 0) + supervisorInformers := supervisorinformers.NewSharedInformerFactory(fakeSupervisorClient, 0) fakeKubeClient := kubernetesfake.NewSimpleClientset(tt.secrets...) kubeInformers := k8sinformers.NewSharedInformerFactoryWithOptions(fakeKubeClient, 0) @@ -1898,7 +1898,7 @@ func TestController(t *testing.T) { require.Equal(t, tt.wantResultingCache[i].AllowedOrganizations, actualProvider.GetAllowedOrganizations()) require.GreaterOrEqual(t, len(tt.githubIdentityProviders), i+1, "there must be at least as many input identity providers as items in the cache") - githubIDP, ok := tt.githubIdentityProviders[i].(*v1alpha1.GitHubIdentityProvider) + githubIDP, ok := tt.githubIdentityProviders[i].(*idpv1alpha1.GitHubIdentityProvider) require.True(t, ok) certPool, _, err := pinnipedcontroller.BuildCertPoolIDP(githubIDP.Spec.GitHubAPI.TLS) require.NoError(t, err) 
@@ -1917,7 +1917,7 @@ func TestController(t *testing.T) { require.Len(t, tt.wantResultingUpstreams[i].Status.Conditions, countExpectedConditions) // Do not expect any particular order in the K8s objects - var actualIDP *v1alpha1.GitHubIdentityProvider + var actualIDP *idpv1alpha1.GitHubIdentityProvider for _, possibleMatch := range allGitHubIDPs.Items { if possibleMatch.GetName() == tt.wantResultingUpstreams[i].Name { actualIDP = ptr.To(possibleMatch) 
@@ -1977,65 +1977,65 @@ func TestController_OnlyWantActions(t *testing.T) { }, } - validMinimalIDP := &v1alpha1.GitHubIdentityProvider{ + validMinimalIDP := &idpv1alpha1.GitHubIdentityProvider{ ObjectMeta: metav1.ObjectMeta{ Name: "minimal-idp-name", Namespace: namespace, UID: types.UID("minimal-uid"), Generation: 1234, }, - Spec: v1alpha1.GitHubIdentityProviderSpec{ - GitHubAPI: v1alpha1.GitHubAPIConfig{ + Spec: idpv1alpha1.GitHubIdentityProviderSpec{ + GitHubAPI: idpv1alpha1.GitHubAPIConfig{ Host: ptr.To(goodServerDomain), - TLS: &v1alpha1.TLSSpec{ + TLS: &idpv1alpha1.TLSSpec{ CertificateAuthorityData: goodServerCAB64, }, }, // These claims are optional when using the actual Kubernetes CRD. // However, they are required here because CRD defaulting/validation does not occur during testing. - Claims: v1alpha1.GitHubClaims{ - Username: ptr.To(v1alpha1.GitHubUsernameLogin), - Groups: ptr.To(v1alpha1.GitHubUseTeamSlugForGroupName), + Claims: idpv1alpha1.GitHubClaims{ + Username: ptr.To(idpv1alpha1.GitHubUsernameLogin), + Groups: ptr.To(idpv1alpha1.GitHubUseTeamSlugForGroupName), }, - Client: v1alpha1.GitHubClientSpec{ + Client: idpv1alpha1.GitHubClientSpec{ SecretName: goodSecret.Name, }, - AllowAuthentication: v1alpha1.GitHubAllowAuthenticationSpec{ - Organizations: v1alpha1.GitHubOrganizationsSpec{ - Policy: ptr.To(v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers), + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers), }, }, }, } - alreadyInvalidExistingIDP := &v1alpha1.GitHubIdentityProvider{ + alreadyInvalidExistingIDP := &idpv1alpha1.GitHubIdentityProvider{ ObjectMeta: metav1.ObjectMeta{ Name: "already-existing-invalid-idp-name", Namespace: namespace, UID: types.UID("some-resource-uid"), Generation: 333, }, - Spec: v1alpha1.GitHubIdentityProviderSpec{ - GitHubAPI: v1alpha1.GitHubAPIConfig{ + Spec: 
idpv1alpha1.GitHubIdentityProviderSpec{ + GitHubAPI: idpv1alpha1.GitHubAPIConfig{ Host: ptr.To(goodServerDomain), - TLS: &v1alpha1.TLSSpec{ + TLS: &idpv1alpha1.TLSSpec{ CertificateAuthorityData: goodServerCAB64, }, }, - AllowAuthentication: v1alpha1.GitHubAllowAuthenticationSpec{ - Organizations: v1alpha1.GitHubOrganizationsSpec{ - Policy: ptr.To(v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers), + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers), }, }, - Claims: v1alpha1.GitHubClaims{ - Groups: ptr.To(v1alpha1.GitHubUseTeamSlugForGroupName), + Claims: idpv1alpha1.GitHubClaims{ + Groups: ptr.To(idpv1alpha1.GitHubUseTeamSlugForGroupName), }, - Client: v1alpha1.GitHubClientSpec{ + Client: idpv1alpha1.GitHubClientSpec{ SecretName: "unknown-secret", }, }, - Status: v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseError, + Status: idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseError, Conditions: []metav1.Condition{ { Type: ClaimsValid, @@ -2114,7 +2114,7 @@ func TestController_OnlyWantActions(t *testing.T) { func() runtime.Object { otherIDP := alreadyInvalidExistingIDP.DeepCopy() otherIDP.Generation = 400 - otherIDP.Status.Phase = v1alpha1.GitHubPhaseReady + otherIDP.Status.Phase = idpv1alpha1.GitHubPhaseReady otherIDP.Status.Conditions[0].Status = metav1.ConditionTrue otherIDP.Status.Conditions[0].Message = "some other message indicating that things are good" return otherIDP 
@@ -2146,8 +2146,8 @@ func TestController_OnlyWantActions(t *testing.T) { wantActions: []coretesting.Action{ coretesting.NewUpdateSubresourceAction(githubIDPGVR, "status", namespace, func() runtime.Object { idpWithConditions := validMinimalIDP.DeepCopy() - idpWithConditions.Status = v1alpha1.GitHubIdentityProviderStatus{ - Phase: v1alpha1.GitHubPhaseReady, + idpWithConditions.Status = idpv1alpha1.GitHubIdentityProviderStatus{ + Phase: idpv1alpha1.GitHubPhaseReady, Conditions: []metav1.Condition{ { Type: ClaimsValid, @@ -2210,7 +2210,7 @@ func TestController_OnlyWantActions(t *testing.T) { t.Parallel() fakeSupervisorClient := supervisorfake.NewSimpleClientset(tt.githubIdentityProviders...) - supervisorInformers := pinnipedinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(tt.githubIdentityProviders...), 0) + supervisorInformers := supervisorinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(tt.githubIdentityProviders...), 0) if tt.addSupervisorReactors != nil { tt.addSupervisorReactors(fakeSupervisorClient) @@ -2335,7 +2335,7 @@ func TestGitHubUpstreamWatcherControllerFilterSecret(t *testing.T) { namespace, dynamicupstreamprovider.NewDynamicUpstreamIDPProvider(), supervisorfake.NewSimpleClientset(), - pinnipedinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders(), + supervisorinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders(), secretInformer, logger, observableInformers.WithInformer, @@ -2355,7 +2355,7 @@ func TestGitHubUpstreamWatcherControllerFilterSecret(t *testing.T) { func TestGitHubUpstreamWatcherControllerFilterGitHubIDP(t *testing.T) { namespace := "some-namespace" - goodIDP := &v1alpha1.GitHubIdentityProvider{ + goodIDP := &idpv1alpha1.GitHubIdentityProvider{ ObjectMeta: metav1.ObjectMeta{ Namespace: namespace, }, 
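Review bot: In the `TestController_OnlyWantActions` run loop (hunk at -2210) the informer factory is built from a second `supervisorfake.NewSimpleClientset(tt.githubIdentityProviders...)` instead of `fakeSupervisorClient`, while the `TestController` loop (hunk at -1825) passes `fakeSupervisorClient` to the factory. As written, reactors installed through `tt.addSupervisorReactors(fakeSupervisorClient)` and any status updates made through that client never reach the informers, which is presumably intended so that `wantActions` only records controller calls, but nothing on the line says so. I would name the second clientset and add a comment such as `// Informers get their own clientset so reactors and updates on fakeSupervisorClient do not feed back into the informer cache.` The loop body continues outside the hunk, so this should be checked against the rest of the test.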
@@ -2397,7 +2397,7 @@ func TestGitHubUpstreamWatcherControllerFilterGitHubIDP(t *testing.T) { var log bytes.Buffer logger := plog.TestLogger(t, &log) - gitHubIdentityProviderInformer := pinnipedinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders() + gitHubIdentityProviderInformer := supervisorinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders() observableInformers := testutil.NewObservableWithInformerOption() _ = New( @@ -2412,7 +2412,7 @@ func TestGitHubUpstreamWatcherControllerFilterGitHubIDP(t *testing.T) { tls.Dial, ) - unrelated := &v1alpha1.GitHubIdentityProvider{} + unrelated := &idpv1alpha1.GitHubIdentityProvider{} filter := observableInformers.GetFilterForInformer(gitHubIdentityProviderInformer) require.Equal(t, tt.wantAdd, filter.Add(tt.idp)) require.Equal(t, tt.wantUpdate, filter.Update(unrelated, tt.idp)) diff --git a/internal/controller/utils.go b/internal/controller/utils.go index 5b84ba109..e280cce68 100644 --- a/internal/controller/utils.go +++ b/internal/controller/utils.go @@ -13,7 +13,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/util/cert" - authv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" + authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" "go.pinniped.dev/internal/controllerlib" ) 
@@ -103,7 +103,7 @@ type WithInitialEventOptionFunc func(key controllerlib.Key) controllerlib.Option // BuildCertPoolAuth returns a PEM-encoded CA bundle from the provided spec. If the provided spec is nil, a // nil CA bundle will be returned. If the provided spec contains a CA bundle that is not properly // encoded, an error will be returned. -func BuildCertPoolAuth(spec *authv1alpha1.TLSSpec) (*x509.CertPool, []byte, error) { +func BuildCertPoolAuth(spec *authenticationv1alpha1.TLSSpec) (*x509.CertPool, []byte, error) { if spec == nil { return nil, nil, nil } diff --git a/internal/federationdomain/endpoints/callback/callback_handler_test.go b/internal/federationdomain/endpoints/callback/callback_handler_test.go index 8859d7ebe..2dd34d078 100644 --- a/internal/federationdomain/endpoints/callback/callback_handler_test.go +++ b/internal/federationdomain/endpoints/callback/callback_handler_test.go @@ -242,7 +242,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamPKCEChallenge string wantDownstreamPKCEChallengeMethod string wantDownstreamCustomSessionData *psession.CustomSessionData - wantDownstreamAdditionalClaims map[string]interface{} + wantDownstreamAdditionalClaims map[string]any wantOIDCAuthcodeExchangeCall *expectedOIDCAuthcodeExchange wantGitHubAuthcodeExchangeCall *expectedGitHubAuthcodeExchange }{ @@ -795,7 +795,7 @@ func TestCallbackEndpoint(t *testing.T) { { name: "upstream IDP's configured groups claim in the ID token is a slice of interfaces", idps: testidplister.NewUpstreamIDPListerBuilder().WithOIDC( - happyOIDCUpstream().WithIDTokenClaim(oidcUpstreamGroupsClaim, []interface{}{"group1", "group2"}).Build(), + happyOIDCUpstream().WithIDTokenClaim(oidcUpstreamGroupsClaim, []any{"group1", "group2"}).Build(), ), method: http.MethodGet, path: newRequestPath().WithState(happyOIDCState).String(), 
@@ -1675,7 +1675,7 @@ func TestCallbackEndpoint(t *testing.T) { { name: "upstream ID token contains groups claim where one element is invalid", idps: testidplister.NewUpstreamIDPListerBuilder().WithOIDC( - happyOIDCUpstream().WithIDTokenClaim(oidcUpstreamGroupsClaim, []interface{}{"foo", 7}).Build(), + happyOIDCUpstream().WithIDTokenClaim(oidcUpstreamGroupsClaim, []any{"foo", 7}).Build(), ), method: http.MethodGet, path: newRequestPath().WithState(happyOIDCState).String(), diff --git a/internal/federationdomain/endpoints/token/token_handler_test.go b/internal/federationdomain/endpoints/token/token_handler_test.go index 577d7442f..1d07aded5 100644 --- a/internal/federationdomain/endpoints/token/token_handler_test.go +++ b/internal/federationdomain/endpoints/token/token_handler_test.go @@ -305,7 +305,7 @@ type tokenEndpointResponseExpectedValues struct { wantUpstreamOIDCValidateTokenCall *expectedOIDCUpstreamValidateTokens wantCustomSessionDataStored *psession.CustomSessionData wantWarnings []RecordedWarning - wantAdditionalClaims map[string]interface{} + wantAdditionalClaims map[string]any // The expected lifetime of the ID tokens issued by authcode exchange and refresh, but not token exchange. // When zero, will assume that the test wants the default value for ID token lifetime. wantIDTokenLifetimeSeconds int diff --git a/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider.go b/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider.go index eb846b3e4..9bec7de01 100644 --- a/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider.go +++ b/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider.go 
@@ -58,14 +58,14 @@ func (p *FederationDomainResolvedGitHubIdentityProvider) GetTransforms() *idtran return p.Transforms } -func (p *FederationDomainResolvedGitHubIdentityProvider) CloneIDPSpecificSessionDataFromSession(session *psession.CustomSessionData) interface{} { +func (p *FederationDomainResolvedGitHubIdentityProvider) CloneIDPSpecificSessionDataFromSession(session *psession.CustomSessionData) any { if session.GitHub == nil { return nil } return session.GitHub.Clone() } -func (p *FederationDomainResolvedGitHubIdentityProvider) ApplyIDPSpecificSessionDataToSession(session *psession.CustomSessionData, idpSpecificSessionData interface{}) { +func (p *FederationDomainResolvedGitHubIdentityProvider) ApplyIDPSpecificSessionDataToSession(session *psession.CustomSessionData, idpSpecificSessionData any) { session.GitHub = idpSpecificSessionData.(*psession.GitHubSessionData) } diff --git a/internal/federationdomain/upstreamprovider/upstream_provider.go b/internal/federationdomain/upstreamprovider/upstream_provider.go index 5ca624892..070de4594 100644 --- a/internal/federationdomain/upstreamprovider/upstream_provider.go +++ b/internal/federationdomain/upstreamprovider/upstream_provider.go @@ -10,7 +10,7 @@ import ( "golang.org/x/oauth2" "k8s.io/apimachinery/pkg/types" - "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" "go.pinniped.dev/internal/authenticators" "go.pinniped.dev/internal/setutil" "go.pinniped.dev/pkg/oidcclient/nonce" 
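Review bot: The single-value type assertion in `ApplyIDPSpecificSessionDataToSession` panics for any argument that is not a `*psession.GitHubSessionData`, and that includes the untyped `nil` that `CloneIDPSpecificSessionDataFromSession` directly above returns when `session.GitHub` is nil. If a caller can pass one method's result to the other (the callers are not visible in this hunk), a session without GitHub data would panic in the request path instead of leaving the field empty. The two-value form keeps that case harmless: `session.GitHub, _ = idpSpecificSessionData.(*psession.GitHubSessionData)`. If a wrong type is meant to be a programming error, a doc comment on the method stating that it panics on any other type would make that contract explicit.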
@@ -162,12 +162,12 @@ type UpstreamGithubIdentityProviderI interface { // GetUsernameAttribute returns the attribute from the GitHub API user response to use for the downstream username. // See https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user. // Note that this is a constructed value - do not expect that the result will exactly match one of the JSON fields. - GetUsernameAttribute() v1alpha1.GitHubUsernameAttribute + GetUsernameAttribute() idpv1alpha1.GitHubUsernameAttribute // GetGroupNameAttribute returns the attribute from the GitHub API team response to use for the downstream group names. // See https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user. // Note that this is a constructed value - do not expect that the result will exactly match one of the JSON fields. - GetGroupNameAttribute() v1alpha1.GitHubGroupNameAttribute + GetGroupNameAttribute() idpv1alpha1.GitHubGroupNameAttribute // GetAllowedOrganizations returns a list of organizations configured to allow authentication. // If this list has contents, a user must have membership in at least one of these organizations to log in, diff --git a/internal/testutil/oidctestutil/testgithubprovider.go b/internal/testutil/oidctestutil/testgithubprovider.go index aa8d1bc76..dea7fa9ff 100644 --- a/internal/testutil/oidctestutil/testgithubprovider.go +++ b/internal/testutil/oidctestutil/testgithubprovider.go @@ -8,7 +8,7 @@ import ( "k8s.io/apimachinery/pkg/types" - "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" "go.pinniped.dev/internal/federationdomain/upstreamprovider" "go.pinniped.dev/internal/idtransform" "go.pinniped.dev/internal/setutil" 
@@ -37,8 +37,8 @@ type TestUpstreamGitHubIdentityProviderBuilder struct { scopes []string displayNameForFederationDomain string transformsForFederationDomain *idtransform.TransformationPipeline - usernameAttribute v1alpha1.GitHubUsernameAttribute - groupNameAttribute v1alpha1.GitHubGroupNameAttribute + usernameAttribute idpv1alpha1.GitHubUsernameAttribute + groupNameAttribute idpv1alpha1.GitHubGroupNameAttribute allowedOrganizations *setutil.CaseInsensitiveSet authorizationURL string authcodeExchangeErr error @@ -72,12 +72,12 @@ func (u *TestUpstreamGitHubIdentityProviderBuilder) WithDisplayNameForFederation return u } -func (u *TestUpstreamGitHubIdentityProviderBuilder) WithUsernameAttribute(value v1alpha1.GitHubUsernameAttribute) *TestUpstreamGitHubIdentityProviderBuilder { +func (u *TestUpstreamGitHubIdentityProviderBuilder) WithUsernameAttribute(value idpv1alpha1.GitHubUsernameAttribute) *TestUpstreamGitHubIdentityProviderBuilder { u.usernameAttribute = value return u } -func (u *TestUpstreamGitHubIdentityProviderBuilder) WithGroupNameAttribute(value v1alpha1.GitHubGroupNameAttribute) *TestUpstreamGitHubIdentityProviderBuilder { +func (u *TestUpstreamGitHubIdentityProviderBuilder) WithGroupNameAttribute(value idpv1alpha1.GitHubGroupNameAttribute) *TestUpstreamGitHubIdentityProviderBuilder { u.groupNameAttribute = value return u } @@ -163,8 +163,8 @@ type TestUpstreamGitHubIdentityProvider struct { Scopes []string DisplayNameForFederationDomain string TransformsForFederationDomain *idtransform.TransformationPipeline - UsernameAttribute v1alpha1.GitHubUsernameAttribute - GroupNameAttribute v1alpha1.GitHubGroupNameAttribute + UsernameAttribute idpv1alpha1.GitHubUsernameAttribute + GroupNameAttribute idpv1alpha1.GitHubGroupNameAttribute AllowedOrganizations *setutil.CaseInsensitiveSet AuthorizationURL string GetUserFunc func(ctx context.Context, accessToken string) (*upstreamprovider.GitHubUser, error) 
@@ -195,11 +195,11 @@ func (u *TestUpstreamGitHubIdentityProvider) GetClientID() string { return u.ClientID } -func (u *TestUpstreamGitHubIdentityProvider) GetUsernameAttribute() v1alpha1.GitHubUsernameAttribute { +func (u *TestUpstreamGitHubIdentityProvider) GetUsernameAttribute() idpv1alpha1.GitHubUsernameAttribute { return u.UsernameAttribute } -func (u *TestUpstreamGitHubIdentityProvider) GetGroupNameAttribute() v1alpha1.GitHubGroupNameAttribute { +func (u *TestUpstreamGitHubIdentityProvider) GetGroupNameAttribute() idpv1alpha1.GitHubGroupNameAttribute { return u.GroupNameAttribute } diff --git a/internal/upstreamgithub/upstreamgithub.go b/internal/upstreamgithub/upstreamgithub.go index 6660787a1..dc8e2e56b 100644 --- a/internal/upstreamgithub/upstreamgithub.go +++ b/internal/upstreamgithub/upstreamgithub.go @@ -13,7 +13,7 @@ import ( "golang.org/x/oauth2" "k8s.io/apimachinery/pkg/types" - supervisoridpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" "go.pinniped.dev/internal/federationdomain/downstreamsubject" "go.pinniped.dev/internal/federationdomain/upstreamprovider" "go.pinniped.dev/internal/githubclient" @@ -31,8 +31,8 @@ type ProviderConfig struct { // or https://HOSTNAME/api/v3/ for Enterprise Server. APIBaseURL string - UsernameAttribute supervisoridpv1alpha1.GitHubUsernameAttribute - GroupNameAttribute supervisoridpv1alpha1.GitHubGroupNameAttribute + UsernameAttribute idpv1alpha1.GitHubUsernameAttribute + GroupNameAttribute idpv1alpha1.GitHubGroupNameAttribute // AllowedOrganizations, when empty, means to allow users from all orgs. AllowedOrganizations *setutil.CaseInsensitiveSet 
@@ -82,11 +82,11 @@ func (p *Provider) GetScopes() []string {
 return p.c.OAuth2Config.Scopes
 }
-func (p *Provider) GetUsernameAttribute() supervisoridpv1alpha1.GitHubUsernameAttribute {
+func (p *Provider) GetUsernameAttribute() idpv1alpha1.GitHubUsernameAttribute {
 return p.c.UsernameAttribute
 }
-func (p *Provider) GetGroupNameAttribute() supervisoridpv1alpha1.GitHubGroupNameAttribute {
+func (p *Provider) GetGroupNameAttribute() idpv1alpha1.GitHubGroupNameAttribute {
 return p.c.GroupNameAttribute
 }
@@ -131,11 +131,11 @@ func (p *Provider) GetUser(ctx context.Context, accessToken string, idpDisplayNa
 githubUser.DownstreamSubject = downstreamsubject.GitHub(p.c.APIBaseURL, idpDisplayName, userInfo.Login, userInfo.ID)
 switch p.c.UsernameAttribute {
- case supervisoridpv1alpha1.GitHubUsernameLoginAndID:
+ case idpv1alpha1.GitHubUsernameLoginAndID:
 githubUser.Username = fmt.Sprintf("%s:%s", userInfo.Login, userInfo.ID)
- case supervisoridpv1alpha1.GitHubUsernameLogin:
+ case idpv1alpha1.GitHubUsernameLogin:
 githubUser.Username = userInfo.Login
- case supervisoridpv1alpha1.GitHubUsernameID:
+ case idpv1alpha1.GitHubUsernameID:
 githubUser.Username = userInfo.ID
 default:
 return nil, fmt.Errorf("bad configuration: unknown GitHub username attribute: %s", p.c.UsernameAttribute)
@@ -172,9 +172,9 @@ func (p *Provider) GetUser(ctx context.Context, accessToken string, idpDisplayNa
 downstreamGroup := ""
 switch p.c.GroupNameAttribute {
- case supervisoridpv1alpha1.GitHubUseTeamNameForGroupName:
+ case idpv1alpha1.GitHubUseTeamNameForGroupName:
 downstreamGroup = fmt.Sprintf("%s/%s", team.Org, team.Name)
- case supervisoridpv1alpha1.GitHubUseTeamSlugForGroupName:
+ case idpv1alpha1.GitHubUseTeamSlugForGroupName:
 downstreamGroup = fmt.Sprintf("%s/%s", team.Org, team.Slug)
 default:
 return nil, fmt.Errorf("bad configuration: unknown GitHub group name attribute: %s", p.c.GroupNameAttribute)
diff --git a/internal/upstreamgithub/upstreamgithub_test.go b/internal/upstreamgithub/upstreamgithub_test.go
index f2dd1263d..a1b9af26c 100644
--- a/internal/upstreamgithub/upstreamgithub_test.go
+++ b/internal/upstreamgithub/upstreamgithub_test.go
@@ -19,7 +19,7 @@ import (
 "k8s.io/apimachinery/pkg/util/rand"
 "k8s.io/client-go/util/cert"
- supervisoridpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
+ idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/githubclient"
 "go.pinniped.dev/internal/mocks/mockgithubclient"
@@ -78,8 +78,8 @@ func TestGitHubProvider(t *testing.T) {
 require.Equal(t, types.UID("resource-uid-12345"), subject.GetResourceUID())
 require.Equal(t, "fake-client-id", subject.GetClientID())
 require.Equal(t, "fake-client-id", subject.GetClientID())
- require.Equal(t, supervisoridpv1alpha1.GitHubUsernameAttribute("fake-username-attribute"), subject.GetUsernameAttribute())
- require.Equal(t, supervisoridpv1alpha1.GitHubGroupNameAttribute("fake-group-name-attribute"), subject.GetGroupNameAttribute())
+ require.Equal(t, idpv1alpha1.GitHubUsernameAttribute("fake-username-attribute"), subject.GetUsernameAttribute())
+ require.Equal(t, idpv1alpha1.GitHubGroupNameAttribute("fake-group-name-attribute"), subject.GetGroupNameAttribute())
 require.Equal(t, setutil.NewCaseInsensitiveSet("fake-org", "fake-org2"), subject.GetAllowedOrganizations())
 require.Equal(t, "https://fake-authorization-url", subject.GetAuthorizationURL())
 require.Equal(t, &http.Client{
@@ -213,7 +213,7 @@ func TestGetUser(t *testing.T) {
 providerConfig: ProviderConfig{
 APIBaseURL: "https://some-url",
 HttpClient: someHttpClient,
- UsernameAttribute: supervisoridpv1alpha1.GitHubUsernameLoginAndID,
+ UsernameAttribute: idpv1alpha1.GitHubUsernameLoginAndID,
 },
 buildMockResponses: func(mockGitHubInterface *mockgithubclient.MockGitHubInterface) {
 mockGitHubInterface.EXPECT().GetUserInfo(someContext).Return(&githubclient.UserInfo{
@@ -233,7 +233,7 @@ func TestGetUser(t *testing.T) {
 providerConfig: ProviderConfig{
 APIBaseURL: "https://some-url",
 HttpClient: someHttpClient,
- UsernameAttribute: supervisoridpv1alpha1.GitHubUsernameLogin,
+ UsernameAttribute: idpv1alpha1.GitHubUsernameLogin,
 },
 buildMockResponses: func(mockGitHubInterface *mockgithubclient.MockGitHubInterface) {
 mockGitHubInterface.EXPECT().GetUserInfo(someContext).Return(&githubclient.UserInfo{
@@ -253,7 +253,7 @@ func TestGetUser(t *testing.T) {
 providerConfig: ProviderConfig{
 APIBaseURL: "https://some-url",
 HttpClient: someHttpClient,
- UsernameAttribute: supervisoridpv1alpha1.GitHubUsernameID,
+ UsernameAttribute: idpv1alpha1.GitHubUsernameID,
 },
 buildMockResponses: func(mockGitHubInterface *mockgithubclient.MockGitHubInterface) {
 mockGitHubInterface.EXPECT().GetUserInfo(someContext).Return(&githubclient.UserInfo{
@@ -273,7 +273,7 @@ func TestGetUser(t *testing.T) {
 providerConfig: ProviderConfig{
 APIBaseURL: "https://some-url",
 HttpClient: someHttpClient,
- UsernameAttribute: supervisoridpv1alpha1.GitHubUsernameLoginAndID,
+ UsernameAttribute: idpv1alpha1.GitHubUsernameLoginAndID,
 AllowedOrganizations: setutil.NewCaseInsensitiveSet("ALLOWED-ORG1", "ALLOWED-ORG2"),
 },
 buildMockResponses: func(mockGitHubInterface *mockgithubclient.MockGitHubInterface) {
@@ -294,7 +294,7 @@ func TestGetUser(t *testing.T) {
 providerConfig: ProviderConfig{
 APIBaseURL: "https://some-url",
 HttpClient: someHttpClient,
- UsernameAttribute: supervisoridpv1alpha1.GitHubUsernameID,
+ UsernameAttribute: idpv1alpha1.GitHubUsernameID,
 AllowedOrganizations: setutil.NewCaseInsensitiveSet("allowed-org"),
 },
 buildMockResponses: func(mockGitHubInterface *mockgithubclient.MockGitHubInterface) {
@@ -311,9 +311,9 @@ func TestGetUser(t *testing.T) {
 providerConfig: ProviderConfig{
 APIBaseURL: "https://some-url",
 HttpClient: someHttpClient,
- UsernameAttribute: supervisoridpv1alpha1.GitHubUsernameLoginAndID,
+ UsernameAttribute: idpv1alpha1.GitHubUsernameLoginAndID,
 AllowedOrganizations: setutil.NewCaseInsensitiveSet("allowed-org1", "allowed-org2"),
- GroupNameAttribute: supervisoridpv1alpha1.GitHubUseTeamNameForGroupName,
+ GroupNameAttribute: idpv1alpha1.GitHubUseTeamNameForGroupName,
 },
 buildMockResponses: func(mockGitHubInterface *mockgithubclient.MockGitHubInterface) {
 mockGitHubInterface.EXPECT().GetUserInfo(someContext).Return(&githubclient.UserInfo{
@@ -350,9 +350,9 @@ func TestGetUser(t *testing.T) {
 providerConfig: ProviderConfig{
 APIBaseURL: "https://some-url",
 HttpClient: someHttpClient,
- UsernameAttribute: supervisoridpv1alpha1.GitHubUsernameLoginAndID,
+ UsernameAttribute: idpv1alpha1.GitHubUsernameLoginAndID,
 AllowedOrganizations: setutil.NewCaseInsensitiveSet("allowed-org1", "allowed-org2"),
- GroupNameAttribute: supervisoridpv1alpha1.GitHubUseTeamSlugForGroupName,
+ GroupNameAttribute: idpv1alpha1.GitHubUseTeamSlugForGroupName,
 },
 buildMockResponses: func(mockGitHubInterface *mockgithubclient.MockGitHubInterface) {
 mockGitHubInterface.EXPECT().GetUserInfo(someContext).Return(&githubclient.UserInfo{
@@ -409,7 +409,7 @@ func TestGetUser(t *testing.T) {
 providerConfig: ProviderConfig{
 APIBaseURL: "https://some-url",
 HttpClient: someHttpClient,
- UsernameAttribute: supervisoridpv1alpha1.GitHubUsernameLoginAndID,
+ UsernameAttribute: idpv1alpha1.GitHubUsernameLoginAndID,
 },
 buildMockResponses: func(mockGitHubInterface *mockgithubclient.MockGitHubInterface) {
 mockGitHubInterface.EXPECT().GetUserInfo(someContext).Return(&githubclient.UserInfo{}, nil)
@@ -422,7 +422,7 @@ func TestGetUser(t *testing.T) {
 providerConfig: ProviderConfig{
 APIBaseURL: "https://some-url",
 HttpClient: someHttpClient,
- UsernameAttribute: supervisoridpv1alpha1.GitHubUsernameLoginAndID,
+ UsernameAttribute: idpv1alpha1.GitHubUsernameLoginAndID,
 },
 buildMockResponses: func(mockGitHubInterface *mockgithubclient.MockGitHubInterface) {
 mockGitHubInterface.EXPECT().GetUserInfo(someContext).Return(&githubclient.UserInfo{}, nil)
@@ -451,7 +451,7 @@ func TestGetUser(t *testing.T) {
 providerConfig: ProviderConfig{
 APIBaseURL: "https://some-url",
 HttpClient: someHttpClient,
- UsernameAttribute: supervisoridpv1alpha1.GitHubUsernameLoginAndID,
+ UsernameAttribute: idpv1alpha1.GitHubUsernameLoginAndID,
 GroupNameAttribute: "this-is-not-legal-value-from-the-enum",
 },
 buildMockResponses: func(mockGitHubInterface *mockgithubclient.MockGitHubInterface) {
diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go
index 4175f69fc..66aa863a2 100644
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@@ -399,7 +399,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 _, err = ptyFile.WriteString(authCode + "\n")
 require.NoError(t, err)
- // Read all of the remaining output from the subprocess until EOF.
+ // Read all the remaining output from the subprocess until EOF.
 t.Logf("waiting for kubectl to output namespace list")
 // Read all output from the subprocess until EOF.
 // Ignore any errors returned because there is always an error on linux.
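Review bot: The reworded comment in the `@@ -399,7` hunk of test/integration/e2e_test.go still repeats the comment two lines below it: `// Read all the remaining output from the subprocess until EOF.` sits above the `t.Logf` call, and `// Read all output from the subprocess until EOF.` follows directly after that call. I would delete the first comment instead of rewording it, and keep the second one together with its `// Ignore any errors returned ...` line next to the read it describes. The `@@ -529,7` hunk in the same file has the identical pair. TestE2EFullIntegration_Browser starts and ends outside both hunks, so the read itself is not visible here.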
@@ -487,7 +487,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 kubectlCmd.Env = slices.Concat(os.Environ(), env.ProxyEnv())
 var kubectlStdoutPipe io.ReadCloser
 if runtime.GOOS != "darwin" {
- // For some unknown reason this breaks the pty library on some MacOS machines.
+ // For some unknown reason this breaks the pty library on some macOS machines.
 // The problem doesn't reproduce for everyone, so this is just a workaround.
 kubectlStdoutPipe, err = kubectlCmd.StdoutPipe()
 require.NoError(t, err)
@@ -529,7 +529,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 _, err = ptyFile.WriteString(authCode + "\n")
 require.NoError(t, err)
- // Read all of the remaining output from the subprocess until EOF.
+ // Read all the remaining output from the subprocess until EOF.
 t.Logf("waiting for kubectl to output namespace list")
 // Read all output from the subprocess until EOF.
 // Ignore any errors returned because there is always an error on linux.
@@ -539,10 +539,10 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 kubectlStdOutOutputBytes, _ := io.ReadAll(kubectlStdoutPipe)
 requireKubectlGetNamespaceOutput(t, env, string(kubectlStdOutOutputBytes))
 } else {
- // On MacOS check that the pty (stdout+stderr+stdin) of the CLI contains the expected output.
+ // On macOS check that the pty (stdout+stderr+stdin) of the CLI contains the expected output.
 requireKubectlGetNamespaceOutput(t, env, string(kubectlPtyOutputBytes))
 }
- // Due to the GOOS check in the code above, on MacOS the pty will include stdout, and other platforms it will not.
+ // Due to the GOOS check in the code above, on macOS the pty will include stdout, and other platforms it will not.
 // This warning message is supposed to be printed by the CLI on stderr.
 require.Contains(t, string(kubectlPtyOutputBytes), "Access token from identity provider has lifetime of less than 3 hours. Expect frequent prompts to log in.")
@@ -1253,8 +1253,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 ).Name,
 },
 }, idpv1alpha1.GitHubPhaseReady)
- testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
- testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+ testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, supervisorconfigv1alpha1.FederationDomainPhaseReady)
+ testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
 // Use a specific session cache for this test.
 sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -1582,7 +1582,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 )
 require.NoError(t, err)
- // Wait for the status conditions to have observed the current spec generation so we can be sure that the
+ // Wait for the status conditions to have observed the current spec generation, so we can be sure that the
 // controller has observed our latest update.
 testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 fd, err := federationDomainsClient.Get(testCtx, federationDomain.Name, metav1.GetOptions{})
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index b41fa4099..442985c8a 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -76,7 +76,7 @@ type supervisorLoginTestcase struct {
 // Optionally specify the identityProviders part of the FederationDomain's spec by returning it from this function.
 // Also return the displayName of the IDP that should be used during authentication (or empty string for no IDP name in the auth request).
 // This function takes the name of the IDP CR which was returned by createIDP() as as argument.
- federationDomainIDPs func(t *testing.T, idpName string) (idps []configv1alpha1.FederationDomainIdentityProvider, useIDPDisplayName string)
+ federationDomainIDPs func(t *testing.T, idpName string) (idps []supervisorconfigv1alpha1.FederationDomainIdentityProvider, useIDPDisplayName string)
 // Optionally create an OIDCClient CR for the test to use. Return the client ID and client secret for the
 // test to use. When not set, the test will default to using the "pinniped-cli" static client with no secret.
@@ -119,7 +119,7 @@ type supervisorLoginTestcase struct {
 wantDownstreamIDTokenGroups []string
 // The expected ID token additional claims, which will be nested under claim "additionalClaims",
 // for the original ID token and the refreshed ID token.
- wantDownstreamIDTokenAdditionalClaims map[string]interface{}
+ wantDownstreamIDTokenAdditionalClaims map[string]any
 // The expected ID token lifetime, as calculated by token claim 'exp' subtracting token claim 'iat'.
 // ID tokens issued through authcode exchange or token refresh should have the configured lifetime (or default if not configured).
 // ID tokens issued through a token exchange should have the default lifetime.
@@ -814,7 +814,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 requestAuthorizationUsingCLIPasswordFlow(t,
 downstreamAuthorizeURL,
 env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
- "incorrect", // password to present to server during login
+ "incorrect", // password to present to server during login
 httpClient,
 true,
 )
@@ -2358,9 +2358,9 @@ func supervisorLoginGithubTestcases(
 }
 return testlib.CreateTestGitHubIdentityProvider(t, spec, idpv1alpha1.GitHubPhaseReady).Name
 },
- federationDomainIDPs: func(t *testing.T, idpName string) ([]configv1alpha1.FederationDomainIdentityProvider, string) {
+ federationDomainIDPs: func(t *testing.T, idpName string) ([]supervisorconfigv1alpha1.FederationDomainIdentityProvider, string) {
 displayName := "some-github-identity-provider-name"
- return []configv1alpha1.FederationDomainIdentityProvider{
+ return []supervisorconfigv1alpha1.FederationDomainIdentityProvider{
 {
 DisplayName: displayName,
 ObjectRef: corev1.TypedLocalObjectReference{
@@ -2392,7 +2392,7 @@ func supervisorLoginGithubTestcases(
 }
 }
-func wantGroupsInAdditionalClaimsIfGroupsExist(additionalClaims map[string]interface{}, wantGroupsAdditionalClaimName string, wantGroups []string) map[string]interface{} {
+func wantGroupsInAdditionalClaimsIfGroupsExist(additionalClaims map[string]any, wantGroupsAdditionalClaimName string, wantGroups []string) map[string]any {
 if len(wantGroups) > 0 {
 var wantGroupsAnyType []any
 for _, group := range wantGroups {
diff --git a/test/testlib/client.go b/test/testlib/client.go
index 748ddd98f..504ef0bdf 100644
--- a/test/testlib/client.go
+++ b/test/testlib/client.go
@@ -620,7 +620,7 @@ func CreateTestGitHubIdentityProviderWithObjectMeta(t *testing.T, spec idpv1alph
 t.Cleanup(func() {
 t.Logf("cleaning up test GitHubIdentityProvider %s/%s", created.Namespace, created.Name)
 err := upstreams.Delete(context.Background(), created.Name, metav1.DeleteOptions{})
- notFound := k8serrors.IsNotFound(err)
+ notFound := apierrors.IsNotFound(err)
 // It's okay if it is not found, because it might have been deleted by another part of this test.
 if !notFound {
 require.NoErrorf(t, err, "could not cleanup test GitHubIdentityProvider %s/%s", created.Namespace, created.Name)