Lint new files from the GitHub branch

Joshua Casey
2024-06-11 10:16:18 -05:00
parent bafd578866
commit 678be9902a
14 changed files with 285 additions and 286 deletions


@@ -633,13 +633,13 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
federationDomainIssuerWithDefaultIDP(t, federationDomain1.Spec.Issuer, gitHubIdentityProvider.ObjectMeta),
federationDomainIssuerWithDefaultIDP(t, federationDomain2.Spec.Issuer, gitHubIdentityProvider.ObjectMeta),
},
wantStatusUpdates: []*configv1alpha1.FederationDomain{
wantStatusUpdates: []*supervisorconfigv1alpha1.FederationDomain{
expectedFederationDomainStatusUpdate(federationDomain1,
configv1alpha1.FederationDomainPhaseReady,
supervisorconfigv1alpha1.FederationDomainPhaseReady,
allHappyConditionsLegacyConfigurationSuccess(federationDomain1.Spec.Issuer, gitHubIdentityProvider.Name, frozenMetav1Now, 123),
),
expectedFederationDomainStatusUpdate(federationDomain2,
configv1alpha1.FederationDomainPhaseReady,
supervisorconfigv1alpha1.FederationDomainPhaseReady,
allHappyConditionsLegacyConfigurationSuccess(federationDomain2.Spec.Issuer, gitHubIdentityProvider.Name, frozenMetav1Now, 123),
),
},


@@ -18,15 +18,14 @@ import (
"golang.org/x/oauth2"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/equality"
k8sapierrors "k8s.io/apimachinery/pkg/api/errors"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
errorsutil "k8s.io/apimachinery/pkg/util/errors"
k8sutilerrors "k8s.io/apimachinery/pkg/util/errors"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
corev1informers "k8s.io/client-go/informers/core/v1"
"k8s.io/utils/clock"
"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
idpinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1"
pinnipedcontroller "go.pinniped.dev/internal/controller"
@@ -106,7 +105,7 @@ func New(
withInformer(
gitHubIdentityProviderInformer,
pinnipedcontroller.SimpleFilter(func(obj metav1.Object) bool {
gitHubIDP, ok := obj.(*v1alpha1.GitHubIdentityProvider)
gitHubIDP, ok := obj.(*idpv1alpha1.GitHubIdentityProvider)
return ok && gitHubIDP.Namespace == namespace
}, pinnipedcontroller.SingletonQueue()),
controllerlib.InformerOption{},
@@ -127,7 +126,7 @@ func (c *gitHubWatcherController) Sync(ctx controllerlib.Context) error {
}
// Sort them by name just so that the logs output is consistent
slices.SortStableFunc(actualUpstreams, func(a, b *v1alpha1.GitHubIdentityProvider) int {
slices.SortStableFunc(actualUpstreams, func(a, b *idpv1alpha1.GitHubIdentityProvider) int {
return strings.Compare(a.Name, b.Name)
})
@@ -151,14 +150,14 @@ func (c *gitHubWatcherController) Sync(ctx controllerlib.Context) error {
applicationErrors = append([]error{controllerlib.ErrSyntheticRequeue}, applicationErrors...)
}
return errorsutil.NewAggregate(applicationErrors)
return utilerrors.NewAggregate(applicationErrors)
}
func (c *gitHubWatcherController) validateClientSecret(secretName string) (*metav1.Condition, string, string, error) {
secret, unableToRetrieveSecretErr := c.secretInformer.Lister().Secrets(c.namespace).Get(secretName)
// This error requires user interaction, so ignore it.
if k8sapierrors.IsNotFound(unableToRetrieveSecretErr) {
if apierrors.IsNotFound(unableToRetrieveSecretErr) {
unableToRetrieveSecretErr = nil
}
@@ -207,16 +206,16 @@ func (c *gitHubWatcherController) validateClientSecret(secretName string) (*meta
}, clientID, clientSecret, nil
}
func validateOrganizationsPolicy(organizationsSpec *v1alpha1.GitHubOrganizationsSpec) *metav1.Condition {
var policy v1alpha1.GitHubAllowedAuthOrganizationsPolicy
func validateOrganizationsPolicy(organizationsSpec *idpv1alpha1.GitHubOrganizationsSpec) *metav1.Condition {
var policy idpv1alpha1.GitHubAllowedAuthOrganizationsPolicy
if organizationsSpec.Policy != nil {
policy = *organizationsSpec.Policy
}
// Should not happen due to CRD defaulting, enum validation, and CEL validation (for recent versions of K8s only!)
// That is why the message here is very minimal
if (policy == v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers && len(organizationsSpec.Allowed) == 0) ||
(policy == v1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations && len(organizationsSpec.Allowed) > 0) {
if (policy == idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers && len(organizationsSpec.Allowed) == 0) ||
(policy == idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations && len(organizationsSpec.Allowed) > 0) {
return &metav1.Condition{
Type: OrganizationsPolicyValid,
Status: metav1.ConditionTrue,
@@ -242,7 +241,7 @@ func validateOrganizationsPolicy(organizationsSpec *v1alpha1.GitHubOrganizations
}
}
func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx controllerlib.Context, upstream *v1alpha1.GitHubIdentityProvider) (
func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx controllerlib.Context, upstream *idpv1alpha1.GitHubIdentityProvider) (
*upstreamgithub.Provider, // If validated, returns the config
error, // This error will only refer to programmatic errors such as inability to perform a Dial or dereference a pointer, not configuration errors
) {
@@ -285,7 +284,7 @@ func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx contro
// Status: metav1.ConditionFalse, never be omitted.
if len(conditions) != countExpectedConditions { // untested since all code paths return the same number of conditions
applicationErrors = append(applicationErrors, fmt.Errorf("expected %d conditions but found %d conditions", countExpectedConditions, len(conditions)))
return nil, k8sutilerrors.NewAggregate(applicationErrors)
return nil, utilerrors.NewAggregate(applicationErrors)
}
hadErrorCondition, updateStatusErr := c.updateStatus(ctx.Context, upstream, conditions)
if updateStatusErr != nil {
@@ -293,7 +292,7 @@ func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx contro
}
// Any error condition means we will not add the IDP to the cache, so just return nil here
if hadErrorCondition {
return nil, k8sutilerrors.NewAggregate(applicationErrors)
return nil, utilerrors.NewAggregate(applicationErrors)
}
provider := upstreamgithub.New(
@@ -320,7 +319,7 @@ func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx contro
HttpClient: httpClient,
},
)
return provider, k8sutilerrors.NewAggregate(applicationErrors)
return provider, utilerrors.NewAggregate(applicationErrors)
}
func apiBaseUrl(upstreamSpecHost string, hostURL string) string {
@@ -330,7 +329,7 @@ func apiBaseUrl(upstreamSpecHost string, hostURL string) string {
return defaultApiBaseURL
}
func validateHost(gitHubAPIConfig v1alpha1.GitHubAPIConfig) (*metav1.Condition, *endpointaddr.HostPort) {
func validateHost(gitHubAPIConfig idpv1alpha1.GitHubAPIConfig) (*metav1.Condition, *endpointaddr.HostPort) {
buildInvalidHost := func(host, reason string) *metav1.Condition {
return &metav1.Condition{
Type: HostValid,
@@ -360,7 +359,7 @@ func validateHost(gitHubAPIConfig v1alpha1.GitHubAPIConfig) (*metav1.Condition,
}, &hostPort
}
func (c *gitHubWatcherController) validateTLSConfiguration(tlsSpec *v1alpha1.TLSSpec) (*metav1.Condition, *x509.CertPool) {
func (c *gitHubWatcherController) validateTLSConfiguration(tlsSpec *idpv1alpha1.TLSSpec) (*metav1.Condition, *x509.CertPool) {
certPool, _, buildCertPoolErr := pinnipedcontroller.BuildCertPoolIDP(tlsSpec)
if buildCertPoolErr != nil {
// buildCertPoolErr is not recoverable with a resync.
@@ -428,7 +427,7 @@ func buildDialErrorMessage(tlsDialErr error) string {
return reason
}
func validateUserAndGroupAttributes(upstream *v1alpha1.GitHubIdentityProvider) (*metav1.Condition, v1alpha1.GitHubGroupNameAttribute, v1alpha1.GitHubUsernameAttribute) {
func validateUserAndGroupAttributes(upstream *idpv1alpha1.GitHubIdentityProvider) (*metav1.Condition, idpv1alpha1.GitHubGroupNameAttribute, idpv1alpha1.GitHubUsernameAttribute) {
buildInvalidCondition := func(message string) *metav1.Condition {
return &metav1.Condition{
Type: ClaimsValid,
@@ -438,14 +437,14 @@ func validateUserAndGroupAttributes(upstream *v1alpha1.GitHubIdentityProvider) (
}
}
var usernameAttribute v1alpha1.GitHubUsernameAttribute
var usernameAttribute idpv1alpha1.GitHubUsernameAttribute
if upstream.Spec.Claims.Username == nil {
return buildInvalidCondition("spec.claims.username is required"), "", ""
} else {
usernameAttribute = *upstream.Spec.Claims.Username
}
var groupNameAttribute v1alpha1.GitHubGroupNameAttribute
var groupNameAttribute idpv1alpha1.GitHubGroupNameAttribute
if upstream.Spec.Claims.Groups == nil {
return buildInvalidCondition("spec.claims.groups is required"), "", ""
} else {
@@ -453,17 +452,17 @@ func validateUserAndGroupAttributes(upstream *v1alpha1.GitHubIdentityProvider) (
}
switch usernameAttribute {
case v1alpha1.GitHubUsernameLoginAndID:
case v1alpha1.GitHubUsernameLogin:
case v1alpha1.GitHubUsernameID:
case idpv1alpha1.GitHubUsernameLoginAndID:
case idpv1alpha1.GitHubUsernameLogin:
case idpv1alpha1.GitHubUsernameID:
default:
// Should not happen due to CRD enum validation
return buildInvalidCondition(fmt.Sprintf("spec.claims.username (%q) is not valid", usernameAttribute)), "", ""
}
switch groupNameAttribute {
case v1alpha1.GitHubUseTeamNameForGroupName:
case v1alpha1.GitHubUseTeamSlugForGroupName:
case idpv1alpha1.GitHubUseTeamNameForGroupName:
case idpv1alpha1.GitHubUseTeamSlugForGroupName:
default:
// Should not happen due to CRD enum validation
return buildInvalidCondition(fmt.Sprintf("spec.claims.groups (%q) is not valid", groupNameAttribute)), "", ""
@@ -479,7 +478,7 @@ func validateUserAndGroupAttributes(upstream *v1alpha1.GitHubIdentityProvider) (
func (c *gitHubWatcherController) updateStatus(
ctx context.Context,
upstream *v1alpha1.GitHubIdentityProvider,
upstream *idpv1alpha1.GitHubIdentityProvider,
conditions []*metav1.Condition) (bool, error) {
log := c.log.WithValues("namespace", upstream.Namespace, "name", upstream.Name)
updated := upstream.DeepCopy()
@@ -492,9 +491,9 @@ func (c *gitHubWatcherController) updateStatus(
metav1.NewTime(c.clock.Now()),
)
updated.Status.Phase = v1alpha1.GitHubPhaseReady
updated.Status.Phase = idpv1alpha1.GitHubPhaseReady
if hadErrorCondition {
updated.Status.Phase = v1alpha1.GitHubPhaseError
updated.Status.Phase = idpv1alpha1.GitHubPhaseError
}
if equality.Semantic.DeepEqual(upstream, updated) {
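Review bot: In validateOrganizationsPolicy the comment `// Should not happen due to CRD defaulting, enum validation, and CEL validation (for recent versions of K8s only!)` sits directly above the `if` that returns `metav1.ConditionTrue`, so it reads as if the valid case were the unexpected one. It presumably describes the fall-through rejection, whose code lies outside the hunk; I would move it there and put `// Valid: AllGitHubUsers with no allowed organizations, or OnlyUsersFromAllowedOrganizations with at least one.` above the `if`. Because the comment itself says CEL validation exists only on recent Kubernetes versions, this controller check is the remaining guard on who may authenticate on older clusters. The comment should therefore state that anything matching neither branch must keep being rejected, including a nil `Policy`, which leaves `policy` at its zero value.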


@@ -30,9 +30,9 @@ import (
clocktesting "k8s.io/utils/clock/testing"
"k8s.io/utils/ptr"
"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
supervisorinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
"go.pinniped.dev/internal/certauthority"
pinnipedcontroller "go.pinniped.dev/internal/controller"
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
@@ -49,12 +49,12 @@ import (
var (
githubIDPGVR = schema.GroupVersionResource{
Group: v1alpha1.SchemeGroupVersion.Group,
Version: v1alpha1.SchemeGroupVersion.Version,
Group: idpv1alpha1.SchemeGroupVersion.Group,
Version: idpv1alpha1.SchemeGroupVersion.Version,
Resource: "githubidentityproviders",
}
githubIDPKind = v1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider")
githubIDPKind = idpv1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider")
)
func TestController(t *testing.T) {
@@ -98,62 +98,62 @@ func TestController(t *testing.T) {
},
}
validMinimalIDP := &v1alpha1.GitHubIdentityProvider{
validMinimalIDP := &idpv1alpha1.GitHubIdentityProvider{
ObjectMeta: metav1.ObjectMeta{
Name: "minimal-idp-name",
Namespace: namespace,
UID: types.UID("minimal-uid"),
Generation: wantObservedGeneration,
},
Spec: v1alpha1.GitHubIdentityProviderSpec{
GitHubAPI: v1alpha1.GitHubAPIConfig{
Spec: idpv1alpha1.GitHubIdentityProviderSpec{
GitHubAPI: idpv1alpha1.GitHubAPIConfig{
Host: ptr.To(goodServerDomain),
TLS: &v1alpha1.TLSSpec{
TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: goodServerCAB64,
},
},
Client: v1alpha1.GitHubClientSpec{
Client: idpv1alpha1.GitHubClientSpec{
SecretName: goodSecret.Name,
},
// These claims are optional when using the actual Kubernetes CRD.
// However, they are required here because CRD defaulting/validation does not occur during testing.
Claims: v1alpha1.GitHubClaims{
Username: ptr.To(v1alpha1.GitHubUsernameLogin),
Groups: ptr.To(v1alpha1.GitHubUseTeamSlugForGroupName),
Claims: idpv1alpha1.GitHubClaims{
Username: ptr.To(idpv1alpha1.GitHubUsernameLogin),
Groups: ptr.To(idpv1alpha1.GitHubUseTeamSlugForGroupName),
},
AllowAuthentication: v1alpha1.GitHubAllowAuthenticationSpec{
Organizations: v1alpha1.GitHubOrganizationsSpec{
Policy: ptr.To(v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers),
AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{
Organizations: idpv1alpha1.GitHubOrganizationsSpec{
Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers),
},
},
},
}
validFilledOutIDP := &v1alpha1.GitHubIdentityProvider{
validFilledOutIDP := &idpv1alpha1.GitHubIdentityProvider{
ObjectMeta: metav1.ObjectMeta{
Name: "some-idp-name",
Namespace: namespace,
UID: types.UID("some-resource-uid"),
Generation: wantObservedGeneration,
},
Spec: v1alpha1.GitHubIdentityProviderSpec{
GitHubAPI: v1alpha1.GitHubAPIConfig{
Spec: idpv1alpha1.GitHubIdentityProviderSpec{
GitHubAPI: idpv1alpha1.GitHubAPIConfig{
Host: ptr.To(goodServerDomain),
TLS: &v1alpha1.TLSSpec{
TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: goodServerCAB64,
},
},
Claims: v1alpha1.GitHubClaims{
Username: ptr.To(v1alpha1.GitHubUsernameID),
Groups: ptr.To(v1alpha1.GitHubUseTeamNameForGroupName),
Claims: idpv1alpha1.GitHubClaims{
Username: ptr.To(idpv1alpha1.GitHubUsernameID),
Groups: ptr.To(idpv1alpha1.GitHubUseTeamNameForGroupName),
},
AllowAuthentication: v1alpha1.GitHubAllowAuthenticationSpec{
Organizations: v1alpha1.GitHubOrganizationsSpec{
Policy: ptr.To(v1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations),
AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{
Organizations: idpv1alpha1.GitHubOrganizationsSpec{
Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations),
Allowed: []string{"organization1", "org2"},
},
},
Client: v1alpha1.GitHubClientSpec{
Client: idpv1alpha1.GitHubClientSpec{
SecretName: goodSecret.Name,
},
},
@@ -211,7 +211,7 @@ func TestController(t *testing.T) {
}
}
buildOrganizationsPolicyValidTrue := func(t *testing.T, policy v1alpha1.GitHubAllowedAuthOrganizationsPolicy) metav1.Condition {
buildOrganizationsPolicyValidTrue := func(t *testing.T, policy idpv1alpha1.GitHubAllowedAuthOrganizationsPolicy) metav1.Condition {
t.Helper()
return metav1.Condition{
@@ -377,12 +377,12 @@ func TestController(t *testing.T) {
wantErr string
wantLogs []string
wantResultingCache []*upstreamgithub.ProviderConfig
wantResultingUpstreams []v1alpha1.GitHubIdentityProvider
wantResultingUpstreams []idpv1alpha1.GitHubIdentityProvider
}{
{
name: "no GitHubIdentityProviders",
wantResultingCache: []*upstreamgithub.ProviderConfig{},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{},
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{},
wantLogs: []string{},
},
{
@@ -414,12 +414,12 @@ func TestController(t *testing.T) {
HttpClient: nil, // let the test runner populate this for us
},
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: validFilledOutIDP.Spec,
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseReady,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseReady,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -470,12 +470,12 @@ func TestController(t *testing.T) {
HttpClient: nil, // let the test runner populate this for us
},
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: validMinimalIDP.Spec,
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseReady,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseReady,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName),
@@ -540,17 +540,17 @@ func TestController(t *testing.T) {
HttpClient: nil, // let the test runner populate this for us
},
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
githubIDP := validMinimalIDP.DeepCopy()
githubIDP.Spec.GitHubAPI.Host = ptr.To("github.com")
// don't change the CA because we are not really going to dial github.com in this test
return githubIDP.Spec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseReady,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseReady,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName),
@@ -579,7 +579,7 @@ func TestController(t *testing.T) {
func() runtime.Object {
ipv6IDP := validMinimalIDP.DeepCopy()
ipv6IDP.Spec.GitHubAPI.Host = ptr.To(goodServerIPv6Domain)
ipv6IDP.Spec.GitHubAPI.TLS = &v1alpha1.TLSSpec{
ipv6IDP.Spec.GitHubAPI.TLS = &idpv1alpha1.TLSSpec{
CertificateAuthorityData: goodServerIPv6CAB64,
}
return ipv6IDP
@@ -608,20 +608,20 @@ func TestController(t *testing.T) {
HttpClient: nil, // let the test runner populate this for us
},
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
otherSpec := validMinimalIDP.Spec.DeepCopy()
otherSpec.GitHubAPI.Host = ptr.To(goodServerIPv6Domain)
otherSpec.GitHubAPI.TLS = &v1alpha1.TLSSpec{
otherSpec.GitHubAPI.TLS = &idpv1alpha1.TLSSpec{
CertificateAuthorityData: goodServerIPv6CAB64,
}
return *otherSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseReady,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseReady,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName),
@@ -663,7 +663,7 @@ func TestController(t *testing.T) {
otherIDP.Spec.Client.SecretName = "other-secret-name"
// No other test happens to that this particular value passes validation
otherIDP.Spec.Claims.Username = ptr.To(v1alpha1.GitHubUsernameLoginAndID)
otherIDP.Spec.Claims.Username = ptr.To(idpv1alpha1.GitHubUsernameLoginAndID)
return otherIDP
}(),
func() runtime.Object {
@@ -717,20 +717,20 @@ func TestController(t *testing.T) {
HttpClient: nil, // let the test runner populate this for us
},
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: func() metav1.ObjectMeta {
otherMeta := validFilledOutIDP.ObjectMeta.DeepCopy()
otherMeta.Name = "invalid-idp-name"
return *otherMeta
}(),
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
otherSpec := validFilledOutIDP.Spec.DeepCopy()
otherSpec.Client.SecretName = "no-secret-with-this-name"
return *otherSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidFalse(
@@ -753,14 +753,14 @@ func TestController(t *testing.T) {
otherMeta.Name = "other-idp-name"
return *otherMeta
}(),
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
otherSpec := validFilledOutIDP.Spec.DeepCopy()
otherSpec.Client.SecretName = "other-secret-name"
otherSpec.Claims.Username = ptr.To(v1alpha1.GitHubUsernameLoginAndID)
otherSpec.Claims.Username = ptr.To(idpv1alpha1.GitHubUsernameLoginAndID)
return *otherSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseReady,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseReady,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, "other-secret-name"),
@@ -774,8 +774,8 @@ func TestController(t *testing.T) {
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: validFilledOutIDP.Spec,
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseReady,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseReady,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -823,16 +823,16 @@ func TestController(t *testing.T) {
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validFilledOutIDP.Spec.DeepCopy()
badSpec.GitHubAPI.Host = nil
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -864,16 +864,16 @@ func TestController(t *testing.T) {
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validMinimalIDP.Spec.DeepCopy()
badSpec.GitHubAPI.Host = ptr.To("https://example.com")
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -905,16 +905,16 @@ func TestController(t *testing.T) {
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validMinimalIDP.Spec.DeepCopy()
badSpec.GitHubAPI.Host = ptr.To("example.com/foo")
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName),
@@ -946,16 +946,16 @@ func TestController(t *testing.T) {
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validMinimalIDP.Spec.DeepCopy()
badSpec.GitHubAPI.Host = ptr.To("u:p@example.com")
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName),
@@ -987,16 +987,16 @@ func TestController(t *testing.T) {
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validMinimalIDP.Spec.DeepCopy()
badSpec.GitHubAPI.Host = ptr.To("example.com?a=b")
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName),
@@ -1028,16 +1028,16 @@ func TestController(t *testing.T) {
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validMinimalIDP.Spec.DeepCopy()
badSpec.GitHubAPI.Host = ptr.To("example.com#a")
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName),
@@ -1065,24 +1065,24 @@ func TestController(t *testing.T) {
githubIdentityProviders: []runtime.Object{
func() runtime.Object {
badIDP := validFilledOutIDP.DeepCopy()
badIDP.Spec.GitHubAPI.TLS = &v1alpha1.TLSSpec{
badIDP.Spec.GitHubAPI.TLS = &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("foo")),
}
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validFilledOutIDP.Spec.DeepCopy()
badSpec.GitHubAPI.TLS = &v1alpha1.TLSSpec{
badSpec.GitHubAPI.TLS = &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("foo")),
}
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -1115,16 +1115,16 @@ func TestController(t *testing.T) {
}(),
},
wantErr: "dial tcp: lookup nowhere.bad-tld: no such host",
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validMinimalIDP.Spec.DeepCopy()
badSpec.GitHubAPI.Host = ptr.To("nowhere.bad-tld")
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName),
@@ -1156,16 +1156,16 @@ func TestController(t *testing.T) {
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validMinimalIDP.Spec.DeepCopy()
badSpec.GitHubAPI.Host = ptr.To("0:0:0:0:0:0:0:1:9876")
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validMinimalIDP.Spec.Client.SecretName),
@@ -1198,16 +1198,16 @@ func TestController(t *testing.T) {
}(),
},
wantErr: "tls: failed to verify certificate: x509: certificate signed by unknown authority",
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validFilledOutIDP.Spec.DeepCopy()
badSpec.GitHubAPI.TLS = nil
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -1235,25 +1235,25 @@ func TestController(t *testing.T) {
githubIdentityProviders: []runtime.Object{
func() runtime.Object {
badIDP := validFilledOutIDP.DeepCopy()
badIDP.Spec.GitHubAPI.TLS = &v1alpha1.TLSSpec{
badIDP.Spec.GitHubAPI.TLS = &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString(unknownServerCABytes),
}
return badIDP
}(),
},
wantErr: "tls: failed to verify certificate: x509: certificate signed by unknown authority",
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validFilledOutIDP.Spec.DeepCopy()
badSpec.GitHubAPI.TLS = &v1alpha1.TLSSpec{
badSpec.GitHubAPI.TLS = &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString(unknownServerCABytes),
}
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -1285,16 +1285,16 @@ func TestController(t *testing.T) {
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validFilledOutIDP.Spec.DeepCopy()
badSpec.AllowAuthentication.Organizations.Policy = nil
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -1322,20 +1322,20 @@ func TestController(t *testing.T) {
githubIdentityProviders: []runtime.Object{
func() runtime.Object {
badIDP := validFilledOutIDP.DeepCopy()
badIDP.Spec.AllowAuthentication.Organizations.Policy = ptr.To[v1alpha1.GitHubAllowedAuthOrganizationsPolicy]("a")
badIDP.Spec.AllowAuthentication.Organizations.Policy = ptr.To[idpv1alpha1.GitHubAllowedAuthOrganizationsPolicy]("a")
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validFilledOutIDP.Spec.DeepCopy()
badSpec.AllowAuthentication.Organizations.Policy = ptr.To[v1alpha1.GitHubAllowedAuthOrganizationsPolicy]("a")
badSpec.AllowAuthentication.Organizations.Policy = ptr.To[idpv1alpha1.GitHubAllowedAuthOrganizationsPolicy]("a")
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -1363,20 +1363,20 @@ func TestController(t *testing.T) {
githubIdentityProviders: []runtime.Object{
func() runtime.Object {
badIDP := validFilledOutIDP.DeepCopy()
badIDP.Spec.AllowAuthentication.Organizations.Policy = ptr.To(v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers)
badIDP.Spec.AllowAuthentication.Organizations.Policy = ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers)
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validFilledOutIDP.Spec.DeepCopy()
badSpec.AllowAuthentication.Organizations.Policy = ptr.To(v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers)
badSpec.AllowAuthentication.Organizations.Policy = ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers)
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -1408,16 +1408,16 @@ func TestController(t *testing.T) {
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validFilledOutIDP.Spec.DeepCopy()
badSpec.AllowAuthentication.Organizations.Allowed = nil
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -1449,16 +1449,16 @@ func TestController(t *testing.T) {
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validFilledOutIDP.Spec.DeepCopy()
badSpec.Claims.Username = nil
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedFalse(t, "spec.claims.username is required"),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -1486,20 +1486,20 @@ func TestController(t *testing.T) {
githubIdentityProviders: []runtime.Object{
func() runtime.Object {
badIDP := validFilledOutIDP.DeepCopy()
badIDP.Spec.Claims.Username = ptr.To[v1alpha1.GitHubUsernameAttribute]("a")
badIDP.Spec.Claims.Username = ptr.To[idpv1alpha1.GitHubUsernameAttribute]("a")
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validFilledOutIDP.Spec.DeepCopy()
badSpec.Claims.Username = ptr.To[v1alpha1.GitHubUsernameAttribute]("a")
badSpec.Claims.Username = ptr.To[idpv1alpha1.GitHubUsernameAttribute]("a")
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedFalse(t, `spec.claims.username ("a") is not valid`),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -1531,16 +1531,16 @@ func TestController(t *testing.T) {
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validFilledOutIDP.Spec.DeepCopy()
badSpec.Claims.Groups = nil
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedFalse(t, "spec.claims.groups is required"),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -1568,20 +1568,20 @@ func TestController(t *testing.T) {
githubIdentityProviders: []runtime.Object{
func() runtime.Object {
badIDP := validFilledOutIDP.DeepCopy()
badIDP.Spec.Claims.Groups = ptr.To[v1alpha1.GitHubGroupNameAttribute]("b")
badIDP.Spec.Claims.Groups = ptr.To[idpv1alpha1.GitHubGroupNameAttribute]("b")
return badIDP
}(),
},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validFilledOutIDP.ObjectMeta,
Spec: func() v1alpha1.GitHubIdentityProviderSpec {
Spec: func() idpv1alpha1.GitHubIdentityProviderSpec {
badSpec := validFilledOutIDP.Spec.DeepCopy()
badSpec.Claims.Groups = ptr.To[v1alpha1.GitHubGroupNameAttribute]("b")
badSpec.Claims.Groups = ptr.To[idpv1alpha1.GitHubGroupNameAttribute]("b")
return *badSpec
}(),
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedFalse(t, `spec.claims.groups ("b") is not valid`),
buildClientCredentialsSecretValidTrue(t, validFilledOutIDP.Spec.Client.SecretName),
@@ -1613,12 +1613,12 @@ func TestController(t *testing.T) {
}(),
},
githubIdentityProviders: []runtime.Object{validMinimalIDP},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: validMinimalIDP.Spec,
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidFalse(
@@ -1656,12 +1656,12 @@ func TestController(t *testing.T) {
}(),
},
githubIdentityProviders: []runtime.Object{validMinimalIDP},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: validMinimalIDP.Spec,
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidFalse(
@@ -1699,12 +1699,12 @@ func TestController(t *testing.T) {
}(),
},
githubIdentityProviders: []runtime.Object{validMinimalIDP},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: validMinimalIDP.Spec,
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidFalse(
@@ -1742,12 +1742,12 @@ func TestController(t *testing.T) {
}(),
},
githubIdentityProviders: []runtime.Object{validMinimalIDP},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: validMinimalIDP.Spec,
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidFalse(
@@ -1785,12 +1785,12 @@ func TestController(t *testing.T) {
}(),
},
githubIdentityProviders: []runtime.Object{validMinimalIDP},
wantResultingUpstreams: []v1alpha1.GitHubIdentityProvider{
wantResultingUpstreams: []idpv1alpha1.GitHubIdentityProvider{
{
ObjectMeta: validMinimalIDP.ObjectMeta,
Spec: validMinimalIDP.Spec,
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
buildClaimsValidatedTrue(t),
buildClientCredentialsSecretValidFalse(
@@ -1825,7 +1825,7 @@ func TestController(t *testing.T) {
t.Parallel()
fakeSupervisorClient := supervisorfake.NewSimpleClientset(tt.githubIdentityProviders...)
supervisorInformers := pinnipedinformers.NewSharedInformerFactory(fakeSupervisorClient, 0)
supervisorInformers := supervisorinformers.NewSharedInformerFactory(fakeSupervisorClient, 0)
fakeKubeClient := kubernetesfake.NewSimpleClientset(tt.secrets...)
kubeInformers := k8sinformers.NewSharedInformerFactoryWithOptions(fakeKubeClient, 0)
@@ -1898,7 +1898,7 @@ func TestController(t *testing.T) {
require.Equal(t, tt.wantResultingCache[i].AllowedOrganizations, actualProvider.GetAllowedOrganizations())
require.GreaterOrEqual(t, len(tt.githubIdentityProviders), i+1, "there must be at least as many input identity providers as items in the cache")
githubIDP, ok := tt.githubIdentityProviders[i].(*v1alpha1.GitHubIdentityProvider)
githubIDP, ok := tt.githubIdentityProviders[i].(*idpv1alpha1.GitHubIdentityProvider)
require.True(t, ok)
certPool, _, err := pinnipedcontroller.BuildCertPoolIDP(githubIDP.Spec.GitHubAPI.TLS)
require.NoError(t, err)
@@ -1917,7 +1917,7 @@ func TestController(t *testing.T) {
require.Len(t, tt.wantResultingUpstreams[i].Status.Conditions, countExpectedConditions)
// Do not expect any particular order in the K8s objects
var actualIDP *v1alpha1.GitHubIdentityProvider
var actualIDP *idpv1alpha1.GitHubIdentityProvider
for _, possibleMatch := range allGitHubIDPs.Items {
if possibleMatch.GetName() == tt.wantResultingUpstreams[i].Name {
actualIDP = ptr.To(possibleMatch)
@@ -1977,65 +1977,65 @@ func TestController_OnlyWantActions(t *testing.T) {
},
}
validMinimalIDP := &v1alpha1.GitHubIdentityProvider{
validMinimalIDP := &idpv1alpha1.GitHubIdentityProvider{
ObjectMeta: metav1.ObjectMeta{
Name: "minimal-idp-name",
Namespace: namespace,
UID: types.UID("minimal-uid"),
Generation: 1234,
},
Spec: v1alpha1.GitHubIdentityProviderSpec{
GitHubAPI: v1alpha1.GitHubAPIConfig{
Spec: idpv1alpha1.GitHubIdentityProviderSpec{
GitHubAPI: idpv1alpha1.GitHubAPIConfig{
Host: ptr.To(goodServerDomain),
TLS: &v1alpha1.TLSSpec{
TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: goodServerCAB64,
},
},
// These claims are optional when using the actual Kubernetes CRD.
// However, they are required here because CRD defaulting/validation does not occur during testing.
Claims: v1alpha1.GitHubClaims{
Username: ptr.To(v1alpha1.GitHubUsernameLogin),
Groups: ptr.To(v1alpha1.GitHubUseTeamSlugForGroupName),
Claims: idpv1alpha1.GitHubClaims{
Username: ptr.To(idpv1alpha1.GitHubUsernameLogin),
Groups: ptr.To(idpv1alpha1.GitHubUseTeamSlugForGroupName),
},
Client: v1alpha1.GitHubClientSpec{
Client: idpv1alpha1.GitHubClientSpec{
SecretName: goodSecret.Name,
},
AllowAuthentication: v1alpha1.GitHubAllowAuthenticationSpec{
Organizations: v1alpha1.GitHubOrganizationsSpec{
Policy: ptr.To(v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers),
AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{
Organizations: idpv1alpha1.GitHubOrganizationsSpec{
Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers),
},
},
},
}
alreadyInvalidExistingIDP := &v1alpha1.GitHubIdentityProvider{
alreadyInvalidExistingIDP := &idpv1alpha1.GitHubIdentityProvider{
ObjectMeta: metav1.ObjectMeta{
Name: "already-existing-invalid-idp-name",
Namespace: namespace,
UID: types.UID("some-resource-uid"),
Generation: 333,
},
Spec: v1alpha1.GitHubIdentityProviderSpec{
GitHubAPI: v1alpha1.GitHubAPIConfig{
Spec: idpv1alpha1.GitHubIdentityProviderSpec{
GitHubAPI: idpv1alpha1.GitHubAPIConfig{
Host: ptr.To(goodServerDomain),
TLS: &v1alpha1.TLSSpec{
TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: goodServerCAB64,
},
},
AllowAuthentication: v1alpha1.GitHubAllowAuthenticationSpec{
Organizations: v1alpha1.GitHubOrganizationsSpec{
Policy: ptr.To(v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers),
AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{
Organizations: idpv1alpha1.GitHubOrganizationsSpec{
Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers),
},
},
Claims: v1alpha1.GitHubClaims{
Groups: ptr.To(v1alpha1.GitHubUseTeamSlugForGroupName),
Claims: idpv1alpha1.GitHubClaims{
Groups: ptr.To(idpv1alpha1.GitHubUseTeamSlugForGroupName),
},
Client: v1alpha1.GitHubClientSpec{
Client: idpv1alpha1.GitHubClientSpec{
SecretName: "unknown-secret",
},
},
Status: v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseError,
Status: idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseError,
Conditions: []metav1.Condition{
{
Type: ClaimsValid,
@@ -2114,7 +2114,7 @@ func TestController_OnlyWantActions(t *testing.T) {
func() runtime.Object {
otherIDP := alreadyInvalidExistingIDP.DeepCopy()
otherIDP.Generation = 400
otherIDP.Status.Phase = v1alpha1.GitHubPhaseReady
otherIDP.Status.Phase = idpv1alpha1.GitHubPhaseReady
otherIDP.Status.Conditions[0].Status = metav1.ConditionTrue
otherIDP.Status.Conditions[0].Message = "some other message indicating that things are good"
return otherIDP
@@ -2146,8 +2146,8 @@ func TestController_OnlyWantActions(t *testing.T) {
wantActions: []coretesting.Action{
coretesting.NewUpdateSubresourceAction(githubIDPGVR, "status", namespace, func() runtime.Object {
idpWithConditions := validMinimalIDP.DeepCopy()
idpWithConditions.Status = v1alpha1.GitHubIdentityProviderStatus{
Phase: v1alpha1.GitHubPhaseReady,
idpWithConditions.Status = idpv1alpha1.GitHubIdentityProviderStatus{
Phase: idpv1alpha1.GitHubPhaseReady,
Conditions: []metav1.Condition{
{
Type: ClaimsValid,
@@ -2210,7 +2210,7 @@ func TestController_OnlyWantActions(t *testing.T) {
t.Parallel()
fakeSupervisorClient := supervisorfake.NewSimpleClientset(tt.githubIdentityProviders...)
supervisorInformers := pinnipedinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(tt.githubIdentityProviders...), 0)
supervisorInformers := supervisorinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(tt.githubIdentityProviders...), 0)
if tt.addSupervisorReactors != nil {
tt.addSupervisorReactors(fakeSupervisorClient)
@@ -2335,7 +2335,7 @@ func TestGitHubUpstreamWatcherControllerFilterSecret(t *testing.T) {
namespace,
dynamicupstreamprovider.NewDynamicUpstreamIDPProvider(),
supervisorfake.NewSimpleClientset(),
pinnipedinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders(),
supervisorinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders(),
secretInformer,
logger,
observableInformers.WithInformer,
@@ -2355,7 +2355,7 @@ func TestGitHubUpstreamWatcherControllerFilterSecret(t *testing.T) {
func TestGitHubUpstreamWatcherControllerFilterGitHubIDP(t *testing.T) {
namespace := "some-namespace"
goodIDP := &v1alpha1.GitHubIdentityProvider{
goodIDP := &idpv1alpha1.GitHubIdentityProvider{
ObjectMeta: metav1.ObjectMeta{
Namespace: namespace,
},
@@ -2397,7 +2397,7 @@ func TestGitHubUpstreamWatcherControllerFilterGitHubIDP(t *testing.T) {
var log bytes.Buffer
logger := plog.TestLogger(t, &log)
gitHubIdentityProviderInformer := pinnipedinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders()
gitHubIdentityProviderInformer := supervisorinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders()
observableInformers := testutil.NewObservableWithInformerOption()
_ = New(
@@ -2412,7 +2412,7 @@ func TestGitHubUpstreamWatcherControllerFilterGitHubIDP(t *testing.T) {
tls.Dial,
)
unrelated := &v1alpha1.GitHubIdentityProvider{}
unrelated := &idpv1alpha1.GitHubIdentityProvider{}
filter := observableInformers.GetFilterForInformer(gitHubIdentityProviderInformer)
require.Equal(t, tt.wantAdd, filter.Add(tt.idp))
require.Equal(t, tt.wantUpdate, filter.Update(unrelated, tt.idp))


@@ -13,7 +13,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/util/cert"
authv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
"go.pinniped.dev/internal/controllerlib"
)
@@ -103,7 +103,7 @@ type WithInitialEventOptionFunc func(key controllerlib.Key) controllerlib.Option
// BuildCertPoolAuth returns a PEM-encoded CA bundle from the provided spec. If the provided spec is nil, a
// nil CA bundle will be returned. If the provided spec contains a CA bundle that is not properly
// encoded, an error will be returned.
func BuildCertPoolAuth(spec *authv1alpha1.TLSSpec) (*x509.CertPool, []byte, error) {
func BuildCertPoolAuth(spec *authenticationv1alpha1.TLSSpec) (*x509.CertPool, []byte, error) {
if spec == nil {
return nil, nil, nil
}