From e03e344dcd617a56c96d2b48a237b4f30a93c6cd Mon Sep 17 00:00:00 2001
From: aram price
Date: Mon, 14 Dec 2020 19:35:45 -0800
Subject: [PATCH] SecretHelper depends less on OIDCProvider

This should allow the helper to be more generic so that it can be used with the SupervisorSecretsController
---
 cmd/pinniped-supervisor/main.go | 20 +++++------
 .../generator/secret_helper.go | 35 +++++++++++--------
 .../generator/secret_helper_test.go | 18 +++++-----
 3 files changed, 39 insertions(+), 34 deletions(-)

diff --git a/cmd/pinniped-supervisor/main.go b/cmd/pinniped-supervisor/main.go
index bc142a65..d973ed27 100644
--- a/cmd/pinniped-supervisor/main.go
+++ b/cmd/pinniped-supervisor/main.go
@@ -18,7 +18,6 @@ import (
 "go.pinniped.dev/internal/secret"
 
 appsv1 "k8s.io/api/apps/v1"
- corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/clock"
 kubeinformers "k8s.io/client-go/informers"
@@ -30,7 +29,6 @@ import (
 "k8s.io/klog/v2"
 "k8s.io/klog/v2/klogr"
 
- configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
 pinnipedclientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned"
 pinnipedinformers "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions"
 "go.pinniped.dev/internal/config/supervisor"
@@ -168,9 +166,9 @@ func startControllers(
 "pinniped-oidc-provider-hmac-key-",
 cfg.Labels,
 rand.Reader,
- func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
- plog.Debug("setting hmac secret", "issuer", parent.Spec.Issuer)
- secretCache.SetTokenHMACKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
+ func(oidcProviderIssuer string, symmetricKey []byte) {
+ plog.Debug("setting hmac secret", "issuer", oidcProviderIssuer)
+ secretCache.SetTokenHMACKey(oidcProviderIssuer, symmetricKey)
 },
 ),
 kubeClient,
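Review bot: The key handed to `secretCache.SetTokenHMACKey` on the last `+` line is the `symmetricKey` slice that `Notify` (later in this commit) takes straight out of `secret.Data[SymmetricSecretDataKey]`, so if the cache retains the slice rather than copying it, the cached signing key shares memory with the Secret object it came from and can change underneath the cache whenever that object is mutated; `SetTokenHMACKey` is not visible here, so I cannot confirm which it does. A defensive copy at this boundary is cheap and removes the question: `secretCache.SetTokenHMACKey(oidcProviderIssuer, append([]byte(nil), symmetricKey...))`. The same applies to the two sibling callbacks in the following hunks. `startControllers` begins and ends outside this hunk.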
@@ -186,9 +184,9 @@ func startControllers(
 "pinniped-oidc-provider-upstream-state-signature-key-",
 cfg.Labels,
 rand.Reader,
- func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
- plog.Debug("setting state signature key", "issuer", parent.Spec.Issuer)
- secretCache.SetStateEncoderHashKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
+ func(oidcProviderIssuer string, symmetricKey []byte) {
+ plog.Debug("setting state signature key", "issuer", oidcProviderIssuer)
+ secretCache.SetStateEncoderHashKey(oidcProviderIssuer, symmetricKey)
 },
 ),
 kubeClient,
@@ -204,9 +202,9 @@ func startControllers(
 "pinniped-oidc-provider-upstream-state-encryption-key-",
 cfg.Labels,
 rand.Reader,
- func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
- plog.Debug("setting state encryption key", "issuer", parent.Spec.Issuer)
- secretCache.SetStateEncoderBlockKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
+ func(oidcProviderIssuer string, symmetricKey []byte) {
+ plog.Debug("setting state encryption key", "issuer", oidcProviderIssuer)
+ secretCache.SetStateEncoderBlockKey(oidcProviderIssuer, symmetricKey)
 },
 ),
 kubeClient,
diff --git a/internal/controller/supervisorconfig/generator/secret_helper.go b/internal/controller/supervisorconfig/generator/secret_helper.go
index 54ba49f5..cfbcb5a7 100644
--- a/internal/controller/supervisorconfig/generator/secret_helper.go
+++ b/internal/controller/supervisorconfig/generator/secret_helper.go
@@ -43,21 +43,21 @@ func NewSymmetricSecretHelper(
 namePrefix string,
 labels map[string]string,
 rand io.Reader,
- notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret),
+ updateCacheFunc func(cacheKey string, cacheValue []byte),
 ) SecretHelper {
 return &symmetricSecretHelper{
- namePrefix: namePrefix,
- labels: labels,
- rand: rand,
- notifyFunc: notifyFunc,
+ namePrefix: namePrefix,
+ labels: labels,
+ rand: rand,
+ updateCacheFunc: updateCacheFunc,
 }
 }
 
 type symmetricSecretHelper struct {
- namePrefix string
- labels map[string]string
- rand io.Reader
- notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret)
+ namePrefix string
+ labels map[string]string
+ rand io.Reader
+ updateCacheFunc func(cacheKey string, cacheValue []byte)
 }
 
 func (s *symmetricSecretHelper) NamePrefix() string { return s.namePrefix }
@@ -90,16 +90,16 @@ func (s *symmetricSecretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*
 }
 
 // IsValid implements SecretHelper.IsValid().
-func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) bool {
- if !metav1.IsControlledBy(child, parent) {
+func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.OIDCProvider, secret *corev1.Secret) bool {
+ if !metav1.IsControlledBy(secret, parent) {
 return false
 }
 
- if child.Type != SymmetricSecretType {
+ if secret.Type != SymmetricSecretType {
 return false
 }
 
- key, ok := child.Data[SymmetricSecretDataKey]
+ key, ok := secret.Data[SymmetricSecretDataKey]
 if !ok {
 return false
 }
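Review bot: `updateCacheFunc` replaces `notifyFunc` on the first `+` line and again in the struct, but neither carries a comment saying what `cacheKey` and `cacheValue` are, and the new generic type no longer makes it visible that the value is a cryptographic key that must only come from a Secret that passed `IsValid`. I would add above the parameter: `// updateCacheFunc receives the OIDCProvider's issuer as the cache key and the raw symmetric key bytes from the Secret; Notify invokes it without any ownership or length checks, so callers must call IsValid first.` and repeat the one-line version on the struct field. The `NewSymmetricSecretHelper` signature line itself sits in the hunk header, so the function begins outside this hunk.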
@@ -111,6 +111,11 @@ func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.OIDCProvider, chi
 }
 
 // Notify implements SecretHelper.Notify().
-func (s *symmetricSecretHelper) Notify(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
- s.notifyFunc(parent, child)
+func (s *symmetricSecretHelper) Notify(op *configv1alpha1.OIDCProvider, secret *corev1.Secret) {
+ var cacheKey string
+ if op != nil {
+ cacheKey = op.Spec.Issuer
+ }
+
+ s.updateCacheFunc(cacheKey, secret.Data[SymmetricSecretDataKey])
 }
diff --git a/internal/controller/supervisorconfig/generator/secret_helper_test.go b/internal/controller/supervisorconfig/generator/secret_helper_test.go
index b0330626..ffe89241 100644
--- a/internal/controller/supervisorconfig/generator/secret_helper_test.go
+++ b/internal/controller/supervisorconfig/generator/secret_helper_test.go
@@ -23,12 +23,14 @@ func TestSymmetricSecretHHelper(t *testing.T) {
 "some-label-key-2": "some-label-value-2",
 }
 randSource := strings.NewReader(keyWith32Bytes)
- var notifyParent *configv1alpha1.OIDCProvider
- var notifyChild *corev1.Secret
- h := NewSymmetricSecretHelper("some-name-prefix-", labels, randSource, func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
- require.True(t, notifyParent == nil && notifyChild == nil, "expected notify func not to have been called yet")
- notifyParent = parent
- notifyChild = child
+ // var notifyParent *configv1alpha1.OIDCProvider
+ // var notifyChild *corev1.Secret
+ var oidcProviderIssuerValue string
+ var symmetricKeyValue []byte
+ h := NewSymmetricSecretHelper("some-name-prefix-", labels, randSource, func(oidcProviderIssuer string, symmetricKey []byte) {
+ require.True(t, oidcProviderIssuer == "" && symmetricKeyValue == nil, "expected notify func not to have been called yet")
+ oidcProviderIssuerValue = oidcProviderIssuer
+ symmetricKeyValue = symmetricKey
 })
 
 parent := &configv1alpha1.OIDCProvider{
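Review bot: `Notify` now accepts a nil `op` but still calls `s.updateCacheFunc` on the last `+` line, so a nil provider installs the key under the empty cache key `""`, and none of the three callbacks in main.go rejects an empty issuer; meanwhile `IsValid` in the previous hunk still passes `parent` to `metav1.IsControlledBy`, so the two methods now disagree about whether a nil parent is legal. If nil is intended for the SupervisorSecretsController case the commit message mentions, say so on the branch, e.g. `// op may be nil for a Secret not owned by an OIDCProvider; the cache key is then empty.`; otherwise bail out instead: `if op == nil { return }`. `secret` is likewise dereferenced without a nil check, which is fine only if every caller guarantees it. `Notify` is fully contained in this hunk.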
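Review bot: The guard on the `require.True` `+` line compares the closure's incoming argument `oidcProviderIssuer` with `""` instead of the captured `oidcProviderIssuerValue`, so it no longer tests "not called yet": it passes vacuously when the fixture's issuer is empty and fails on the first legitimate call when it is not. It should read `require.True(t, oidcProviderIssuerValue == "" && symmetricKeyValue == nil, "expected notify func not to have been called yet")`. The two `// var notifyParent` / `// var notifyChild` lines are commented-out dead code and should be deleted rather than kept. `TestSymmetricSecretHHelper` begins and ends outside this hunk, and the `parent` fixture that decides whether `Spec.Issuer` is non-empty is cut off at its end.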
@@ -61,8 +63,8 @@ func TestSymmetricSecretHHelper(t *testing.T) {
 require.True(t, h.IsValid(parent, child))
 
 h.Notify(parent, child)
- require.Equal(t, parent, notifyParent)
- require.Equal(t, child, notifyChild)
+ require.Equal(t, parent.Spec.Issuer, oidcProviderIssuerValue)
+ require.Equal(t, child.Data[SymmetricSecretDataKey], symmetricKeyValue)
 }
 
 func TestSymmetricSecretHHelperIsValid(t *testing.T) {
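Review bot: The new `require.Equal(t, parent.Spec.Issuer, oidcProviderIssuerValue)` only proves the issuer was plumbed through if the `parent` fixture built above this hunk sets a non-empty `Spec.Issuer`; if it does not, both sides are `""` and the check is vacuous, so assert a literal here, e.g. `require.Equal(t, "https://some-issuer.example.com", oidcProviderIssuerValue)` with the fixture set to match. The nil-`op` branch this commit adds to `Notify` has no coverage at all; a second case calling `h.Notify(nil, child)` on a fresh helper and expecting an empty cache key would close that gap. `TestSymmetricSecretHHelper` begins outside this hunk.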