From b27e3e1a8956e53d0720a7100c6cd7c40fd76303 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Thu, 17 Dec 2020 14:48:49 -0800
Subject: [PATCH] Put a Type on the Secrets that we create for FederationDomain JWKS

Signed-off-by: Aram Price
---
 .../supervisorconfig/jwks_writer.go | 9 ++++++++
 .../supervisorconfig/jwks_writer_test.go | 22 +++++++++++++++++++
 test/integration/supervisor_secrets_test.go | 3 +++
 3 files changed, 34 insertions(+)

diff --git a/internal/controller/supervisorconfig/jwks_writer.go b/internal/controller/supervisorconfig/jwks_writer.go
index 559b1afa..5b77a93c 100644
--- a/internal/controller/supervisorconfig/jwks_writer.go
+++ b/internal/controller/supervisorconfig/jwks_writer.go
@@ -40,6 +40,8 @@ const (
 //
 // Note! The value for this key will contain only public key material!
 jwksKey = "jwks"
+
+ jwksSecretTypeValue = "secrets.pinniped.dev/federation-domain-jwks"
 )
 
 const (
@@ -251,6 +253,7 @@ func (c *jwksWriterController) generateSecret(federationDomain *configv1alpha1.F
 activeJWKKey: jwkData,
 jwksKey: jwksData,
 },
+ Type: jwksSecretTypeValue,
 }
 
 return &s, nil
@@ -285,6 +288,7 @@ func (c *jwksWriterController) createOrUpdateSecret(
 }
 
 oldSecret.Data = newSecret.Data
+ oldSecret.Type = jwksSecretTypeValue
 _, err = secretClient.Update(ctx, oldSecret, metav1.UpdateOptions{})
 return err
 })
@@ -322,6 +326,11 @@ func isFederationDomainControllee(obj metav1.Object) bool {
 
 // isValid returns whether the provided secret contains a valid active JWK and verification JWKS.
 func isValid(secret *corev1.Secret) bool {
+ if secret.Type != jwksSecretTypeValue {
+ plog.Debug("secret does not have the expected type", "expectedType", jwksSecretTypeValue, "actualType", secret.Type)
+ return false
+ }
+
 jwkData, ok := secret.Data[activeJWKKey]
 if !ok {
 plog.Debug("secret does not contain active jwk")
diff --git a/internal/controller/supervisorconfig/jwks_writer_test.go b/internal/controller/supervisorconfig/jwks_writer_test.go
index 1c3d6565..d1947d98 100644
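Review bot: `oldSecret.Type = jwksSecretTypeValue` in the createOrUpdateSecret hunk is then sent through `secretClient.Update`, but a Secret's `type` field is immutable in the API server's update validation, so an existing Secret of a different type (exactly the case the new isValid check now rejects) gets its Update refused on every reconcile and is never repaired. A type mismatch on the existing object is better treated as "not ours": return an error, or delete the Secret and let the create path recreate it with the right type, rather than overwriting the Data of a Secret that some other component may have created under this name. The fake client used by the unit test does not enforce this immutability, so the new "wrong type in secret" case in jwks_writer_test.go, which expects an Update action on goodSecret, passes where a real cluster would reject the call. createOrUpdateSecret starts and ends outside the hunk.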
--- a/internal/controller/supervisorconfig/jwks_writer_test.go
+++ b/internal/controller/supervisorconfig/jwks_writer_test.go
@@ -281,6 +281,7 @@ func TestJWKSWriterControllerSync(t *testing.T) {
 },
 },
 },
+ Type: "secrets.pinniped.dev/federation-domain-jwks",
 }
 s.Data = make(map[string][]byte)
 if activeJWKPath != "" {
@@ -294,6 +295,9 @@ func TestJWKSWriterControllerSync(t *testing.T) {
 
 goodSecret := newSecret("testdata/good-jwk.json", "testdata/good-jwks.json")
 
+ secretWithWrongType := newSecret("testdata/good-jwk.json", "testdata/good-jwks.json")
+ secretWithWrongType.Type = "not-the-right-type"
+
 tests := []struct {
 name string
 key controllerlib.Key
@@ -407,6 +411,24 @@ func TestJWKSWriterControllerSync(t *testing.T) {
 kubetesting.NewGetAction(federationDomainGVR, namespace, goodFederationDomain.Name),
 },
 },
+ {
+ name: "wrong type in secret",
+ key: controllerlib.Key{Namespace: goodFederationDomain.Namespace, Name: goodFederationDomain.Name},
+ federationDomains: []*configv1alpha1.FederationDomain{
+ goodFederationDomainWithStatus,
+ },
+ secrets: []*corev1.Secret{
+ secretWithWrongType,
+ },
+ wantGenerateKeyCount: 1,
+ wantSecretActions: []kubetesting.Action{
+ kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name),
+ kubetesting.NewUpdateAction(secretGVR, namespace, goodSecret),
+ },
+ wantFederationDomainActions: []kubetesting.Action{
+ kubetesting.NewGetAction(federationDomainGVR, namespace, goodFederationDomain.Name),
+ },
+ },
 {
 name: "invalid jwk JSON in secret",
 key: controllerlib.Key{Namespace: goodFederationDomain.Namespace, Name: goodFederationDomain.Name},
diff --git a/test/integration/supervisor_secrets_test.go b/test/integration/supervisor_secrets_test.go
index a0387ec0..25ad71dc 100644
--- a/test/integration/supervisor_secrets_test.go
+++ b/test/integration/supervisor_secrets_test.go
@@ -129,6 +129,9 @@ func TestSupervisorSecrets(t *testing.T) {
 func ensureValidJWKS(t *testing.T, secret *corev1.Secret) {
 t.Helper()
 
+ // Ensure the secret has the right type.
+ require.Equal(t, "secrets.pinniped.dev/federation-domain-jwks", secret.Type)
+
 // Ensure the secret has an active key.
 jwkData, ok := secret.Data["activeJWK"]
 require.True(t, ok, "secret is missing active jwk")
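Review bot: `require.Equal(t, "secrets.pinniped.dev/federation-domain-jwks", secret.Type)` boxes the expected value as a plain `string` while `secret.Type` is `corev1.SecretType`; testify's Equal compares with reflect.DeepEqual, which treats values of different named types as unequal, so this assertion fails even when the Secret carries the correct type. Convert the expected side, `require.Equal(t, corev1.SecretType("secrets.pinniped.dev/federation-domain-jwks"), secret.Type)`, or use `require.EqualValues`, which converts before comparing. ensureValidJWKS continues past the end of the hunk.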