KubeStorage annotates every Secret with garbage-collect-after timestamp

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2026-05-29 11:10:34 +00:00 · 2020-12-10 14:47:58 -08:00
parent b0c354637d
commit afd216308b
14 changed files with 339 additions and 305 deletions
--- a/internal/fositestorage/authorizationcode/authorizationcode_test.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode_test.go
@@ -15,19 +15,21 @@ import (
 	"testing"
 	"time"

-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/runtime"
-
 	fuzz "github.com/google/gofuzz"
 	"github.com/ory/fosite"
+	"github.com/ory/fosite/handler/oauth2"
 	"github.com/ory/fosite/handler/openid"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/square/go-jose.v2"
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/clock"
 	"k8s.io/client-go/kubernetes/fake"
+	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	kubetesting "k8s.io/client-go/testing"

 	"go.pinniped.dev/internal/fositestorage"
@@ -36,10 +38,10 @@ import (
 const namespace = "test-ns"

 var fakeNow = time.Date(2030, time.January, 1, 0, 0, 0, 0, time.UTC)
-var fakeDuration = time.Minute * 10
+var lifetime = time.Minute * 10
+var fakeNowPlusLifetimeAsString = metav1.Time{Time: fakeNow.Add(lifetime)}.Format(time.RFC3339)

 func TestAuthorizationCodeStorage(t *testing.T) {
-	ctx := context.Background()
 	secretsGVR := schema.GroupVersionResource{
 		Group:    "",
 		Version:  "v1",
@@ -55,9 +57,7 @@ func TestAuthorizationCodeStorage(t *testing.T) {
 					"storage.pinniped.dev/type": "authcode",
 				},
 				Annotations: map[string]string{
-					"storage.pinniped.dev/garbage-collect-after": metav1.Time{
-						Time: fakeNow.Add(fakeDuration),
-					}.String(),
+					"storage.pinniped.dev/garbage-collect-after": fakeNowPlusLifetimeAsString,
 				},
 			},
 			Data: map[string][]byte{
@@ -76,9 +76,7 @@ func TestAuthorizationCodeStorage(t *testing.T) {
 					"storage.pinniped.dev/type": "authcode",
 				},
 				Annotations: map[string]string{
-					"storage.pinniped.dev/garbage-collect-after": metav1.Time{
-						Time: fakeNow.Add(fakeDuration),
-					}.String(),
+					"storage.pinniped.dev/garbage-collect-after": fakeNowPlusLifetimeAsString,
 				},
 			},
 			Data: map[string][]byte{
@@ -89,9 +87,7 @@ func TestAuthorizationCodeStorage(t *testing.T) {
 		}),
 	}

-	client := fake.NewSimpleClientset()
-	secrets := client.CoreV1().Secrets(namespace)
-	storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration)
+	ctx, client, _, storage := makeTestSubject()

 	request := &fosite.Request{
 		ID:          "abcd-1",
@@ -146,10 +142,7 @@ func TestAuthorizationCodeStorage(t *testing.T) {
 }

 func TestGetNotFound(t *testing.T) {
-	ctx := context.Background()
-	client := fake.NewSimpleClientset()
-	secrets := client.CoreV1().Secrets(namespace)
-	storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration)
+	ctx, _, _, storage := makeTestSubject()

 	_, notFoundErr := storage.GetAuthorizeCodeSession(ctx, "non-existent-signature", nil)
 	require.EqualError(t, notFoundErr, "not_found")
@@ -157,10 +150,7 @@ func TestGetNotFound(t *testing.T) {
 }

 func TestInvalidateWhenNotFound(t *testing.T) {
-	ctx := context.Background()
-	client := fake.NewSimpleClientset()
-	secrets := client.CoreV1().Secrets(namespace)
-	storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration)
+	ctx, _, _, storage := makeTestSubject()

 	notFoundErr := storage.InvalidateAuthorizeCodeSession(ctx, "non-existent-signature")
 	require.EqualError(t, notFoundErr, "not_found")
@@ -168,10 +158,7 @@ func TestInvalidateWhenNotFound(t *testing.T) {
 }

 func TestInvalidateWhenConflictOnUpdateHappens(t *testing.T) {
-	ctx := context.Background()
-	client := fake.NewSimpleClientset()
-	secrets := client.CoreV1().Secrets(namespace)
-	storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration)
+	ctx, client, _, storage := makeTestSubject()

 	client.PrependReactor("update", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) {
 		return true, nil, apierrors.NewConflict(schema.GroupResource{
@@ -192,10 +179,7 @@ func TestInvalidateWhenConflictOnUpdateHappens(t *testing.T) {
 }

 func TestWrongVersion(t *testing.T) {
-	ctx := context.Background()
-	client := fake.NewSimpleClientset()
-	secrets := client.CoreV1().Secrets(namespace)
-	storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration)
+	ctx, _, secrets, storage := makeTestSubject()

 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -220,10 +204,7 @@ func TestWrongVersion(t *testing.T) {
 }

 func TestNilSessionRequest(t *testing.T) {
-	ctx := context.Background()
-	client := fake.NewSimpleClientset()
-	secrets := client.CoreV1().Secrets(namespace)
-	storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration)
+	ctx, _, secrets, storage := makeTestSubject()

 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -248,20 +229,14 @@ func TestNilSessionRequest(t *testing.T) {
 }

 func TestCreateWithNilRequester(t *testing.T) {
-	ctx := context.Background()
-	client := fake.NewSimpleClientset()
-	secrets := client.CoreV1().Secrets(namespace)
-	storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration)
+	ctx, _, _, storage := makeTestSubject()

 	err := storage.CreateAuthorizeCodeSession(ctx, "signature-doesnt-matter", nil)
 	require.EqualError(t, err, "requester must be of type fosite.Request")
 }

 func TestCreateWithWrongRequesterDataTypes(t *testing.T) {
-	ctx := context.Background()
-	client := fake.NewSimpleClientset()
-	secrets := client.CoreV1().Secrets(namespace)
-	storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration)
+	ctx, _, _, storage := makeTestSubject()

 	request := &fosite.Request{
 		Session: nil,
@@ -278,6 +253,12 @@ func TestCreateWithWrongRequesterDataTypes(t *testing.T) {
 	require.EqualError(t, err, "requester's client must be of type fosite.DefaultOpenIDConnectClient")
 }

+func makeTestSubject() (context.Context, *fake.Clientset, corev1client.SecretInterface, oauth2.AuthorizeCodeStorage) {
+	client := fake.NewSimpleClientset()
+	secrets := client.CoreV1().Secrets(namespace)
+	return context.Background(), client, secrets, New(secrets, clock.NewFakeClock(fakeNow).Now, lifetime)
+}
+
 // TestFuzzAndJSONNewValidEmptyAuthorizeCodeSession asserts that we can correctly round trip our authorize code session.
 // It will detect any changes to fosite.AuthorizeRequest and guarantees that all interface types have concrete implementations.
 func TestFuzzAndJSONNewValidEmptyAuthorizeCodeSession(t *testing.T) {
@@ -378,7 +359,7 @@ func TestFuzzAndJSONNewValidEmptyAuthorizeCodeSession(t *testing.T) {
 	const name = "fuzz" // value is irrelevant
 	ctx := context.Background()
 	secrets := fake.NewSimpleClientset().CoreV1().Secrets(name)
-	storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration)
+	storage := New(secrets, func() time.Time { return fakeNow }, lifetime)

 	// issue a create using the fuzzed request to confirm that marshalling works
 	err = storage.CreateAuthorizeCodeSession(ctx, name, validSession.Request)