diff --git a/internal/kubeclient/kubeclient.go b/internal/kubeclient/kubeclient.go index 98d0b7f6..6a9d4eb5 100644 --- a/internal/kubeclient/kubeclient.go +++ b/internal/kubeclient/kubeclient.go @@ -23,14 +23,17 @@ import ( pinnipedconciergeclientsetscheme "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme" pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" pinnipedsupervisorclientsetscheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" + pinnipedsupervisorvirtualclientset "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned" + pinnipedsupervisorvirtualclientsetscheme "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/scheme" "go.pinniped.dev/internal/crypto/ptls" ) type Client struct { - Kubernetes kubernetes.Interface - Aggregation aggregatorclient.Interface - PinnipedConcierge pinnipedconciergeclientset.Interface - PinnipedSupervisor pinnipedsupervisorclientset.Interface + Kubernetes kubernetes.Interface + Aggregation aggregatorclient.Interface + PinnipedConcierge pinnipedconciergeclientset.Interface + PinnipedSupervisor pinnipedsupervisorclientset.Interface + PinnipedSupervisorVirtual pinnipedsupervisorvirtualclientset.Interface JSONConfig, ProtoConfig *restclient.Config } @@ -90,11 +93,17 @@ func New(opts ...Option) (*Client, error) { return nil, fmt.Errorf("could not initialize pinniped client: %w", err) } + // Connect to the pinniped supervisor aggregated API. + pinnipedSupervisorVirtualClient, err := pinnipedsupervisorvirtualclientset.NewForConfig(configWithWrapper(jsonKubeConfig, pinnipedsupervisorvirtualclientsetscheme.Scheme, pinnipedsupervisorvirtualclientsetscheme.Codecs, c.middlewares, c.transportWrapper)) + if err != nil { + return nil, fmt.Errorf("could not initialize pinniped client: %w", err) + } return &Client{ - Kubernetes: k8sClient, - Aggregation: aggregatorClient, - PinnipedConcierge: pinnipedConciergeClient, - PinnipedSupervisor: pinnipedSupervisorClient, + Kubernetes: k8sClient, + Aggregation: aggregatorClient, + PinnipedConcierge: pinnipedConciergeClient, + PinnipedSupervisor: pinnipedSupervisorClient, + PinnipedSupervisorVirtual: pinnipedSupervisorVirtualClient, JSONConfig: jsonKubeConfig, ProtoConfig: protoKubeConfig, diff --git a/test/integration/supervisor_oidcclientsecret_test.go b/test/integration/supervisor_oidcclientsecret_test.go new file mode 100644 index 00000000..9133f0c7 --- /dev/null +++ b/test/integration/supervisor_oidcclientsecret_test.go @@ -0,0 +1,54 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package integration + +import ( + "context" + "testing" + "time" + + "github.com/stretchr/testify/require" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" + "go.pinniped.dev/test/testlib" +) + +func TestOIDCClientSecretRequest_HappyPath_Parallel(t *testing.T) { + env := testlib.IntegrationEnv(t) + + ctx, cancel := context.WithTimeout(context.Background(), time.Minute) + defer cancel() + + client := testlib.NewVirtualSupervisorClientset(t) + + response, err := client.OauthV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx, + &v1alpha1.OIDCClientSecretRequest{ + Spec: v1alpha1.OIDCClientSecretRequestSpec{ + GenerateNewSecret: true, + }, + }, metav1.CreateOptions{}) + require.NoError(t, err) + // the hardcoded values from the nonfunctional request + require.Equal(t, response.Status.TotalClientSecrets, 20) + require.Equal(t, response.Status.GeneratedSecret, "not-a-real-secret") +} + +func TestOIDCClientSecretRequest_Unauthenticated_Parallel(t *testing.T) { + env := testlib.IntegrationEnv(t) + + ctx, cancel := context.WithTimeout(context.Background(), time.Minute) + defer cancel() + + client := testlib.NewAnonymousVirtualSupervisorClientset(t) + + _, err := client.OauthV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx, + &v1alpha1.OIDCClientSecretRequest{ + Spec: v1alpha1.OIDCClientSecretRequestSpec{ + GenerateNewSecret: true, + }, + }, metav1.CreateOptions{}) + require.Error(t, err) + require.Contains(t, err.Error(), "User \"system:anonymous\" cannot create resource \"oidcclientsecretrequests\"") +} diff --git a/test/testlib/client.go b/test/testlib/client.go index c5e96339..376e1462 100644 --- a/test/testlib/client.go +++ b/test/testlib/client.go @@ -1,4 +1,4 @@ -// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package testlib @@ -34,6 +34,7 @@ import ( idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned" supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" + virtualsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned" "go.pinniped.dev/internal/groupsuffix" "go.pinniped.dev/internal/kubeclient" @@ -86,6 +87,18 @@ func NewSupervisorClientset(t *testing.T) supervisorclientset.Interface { return NewKubeclient(t, NewClientConfig(t)).PinnipedSupervisor } +func NewAnonymousVirtualSupervisorClientset(t *testing.T) virtualsupervisorclientset.Interface { + t.Helper() + + return NewKubeclient(t, NewAnonymousClientRestConfig(t)).PinnipedSupervisorVirtual +} + +func NewVirtualSupervisorClientset(t *testing.T) virtualsupervisorclientset.Interface { + t.Helper() + + return NewKubeclient(t, NewClientConfig(t)).PinnipedSupervisorVirtual +} + func NewConciergeClientset(t *testing.T) conciergeclientset.Interface { t.Helper()