// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package integration

import (
	"context"
	"fmt"
	"strings"
	"testing"
	"time"

	"github.com/stretchr/testify/require"
	corev1 "k8s.io/api/core/v1"
	k8serrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/util/retry"
	"k8s.io/utils/ptr"

	"go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
	idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
	"go.pinniped.dev/internal/here"
	"go.pinniped.dev/internal/testutil"
	"go.pinniped.dev/test/testlib"
)

// Never run this test in parallel since deleting all federation domains is disruptive, see main_test.go.
func TestSupervisorFederationDomainStatus_Disruptive(t *testing.T) {
	env := testlib.IntegrationEnv(t)
	supervisorClient := testlib.NewSupervisorClientset(t)

	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
	t.Cleanup(cancel)

	temporarilyRemoveAllFederationDomainsAndDefaultTLSCertSecret(ctx, t,
		env.SupervisorNamespace, defaultTLSCertSecretName(env), supervisorClient, testlib.NewKubernetesClientset(t))

	tests := []struct {
		name string
		run  func(t *testing.T)
	}{
		{
			name: "valid spec in without explicit identity providers makes status error unless there is exactly one identity provider",
			run: func(t *testing.T) {
				// Creating FederationDomain without any explicit IDPs should put the FederationDomain into an error status.
				fd := testlib.CreateTestFederationDomain(ctx, t, v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com/fake",
				}, v1alpha1.FederationDomainPhaseError)
				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
					allSuccessfulLegacyFederationDomainConditions("", fd.Spec),
					[]metav1.Condition{
						{
							Type: "IdentityProvidersFound", Status: "False", Reason: "LegacyConfigurationIdentityProviderNotFound",
							Message: "no resources were specified by .spec.identityProviders[].objectRef and no identity provider resources have been found: please create an identity provider resource",
						},
						{
							Type: "Ready", Status: "False", Reason: "NotReady",
							Message: "the FederationDomain is not ready: see other conditions for details",
						},
					},
				))

				// Creating an IDP should put the FederationDomain into a successful status.
				oidcIdentityProvider1 := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
					Issuer: "https://example.cluster.local/fake-issuer-url-does-not-matter",
					Client: idpv1alpha1.OIDCClient{SecretName: "this-will-not-exist-but-does-not-matter"},
				}, idpv1alpha1.PhaseError)
				testlib.WaitForFederationDomainStatusPhase(ctx, t, fd.Name, v1alpha1.FederationDomainPhaseReady)
				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name,
					allSuccessfulLegacyFederationDomainConditions(oidcIdentityProvider1.Name, fd.Spec))

				// Creating a second IDP should put the FederationDomain back into an error status again.
				oidcIdentityProvider2 := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
					Issuer: "https://example.cluster.local/fake-issuer-url-does-not-matter",
					Client: idpv1alpha1.OIDCClient{SecretName: "this-will-not-exist-but-does-not-matter"},
				}, idpv1alpha1.PhaseError)
				testlib.WaitForFederationDomainStatusPhase(ctx, t, fd.Name, v1alpha1.FederationDomainPhaseError)
				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
					allSuccessfulLegacyFederationDomainConditions(oidcIdentityProvider2.Name, fd.Spec),
					[]metav1.Condition{
						{
							Type: "IdentityProvidersFound", Status: "False", Reason: "IdentityProviderNotSpecified",
							Message: "no resources were specified by .spec.identityProviders[].objectRef and 2 identity provider " +
								"resources have been found: please update .spec.identityProviders to specify which identity providers " +
								"this federation domain should use",
						},
						{
							Type: "Ready", Status: "False", Reason: "NotReady",
							Message: "the FederationDomain is not ready: see other conditions for details",
						},
					},
				))
			},
		},
		{
			name: "valid spec with explicit identity providers makes status error until those identity providers all exist",
			run: func(t *testing.T) {
				oidcIDP1Meta := testlib.ObjectMetaWithRandomName(t, "upstream-oidc-idp")
				oidcIDP2Meta := testlib.ObjectMetaWithRandomName(t, "upstream-oidc-idp")
				// Creating FederationDomain with explicit IDPs that don't exist should put the FederationDomain into an error status.
				fd := testlib.CreateTestFederationDomain(ctx, t, v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com/fake",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "idp1",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
								Kind:     "OIDCIdentityProvider",
								Name:     oidcIDP1Meta.Name,
							},
							Transforms: v1alpha1.FederationDomainTransforms{},
						},
						{
							DisplayName: "idp2",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
								Kind:     "OIDCIdentityProvider",
								Name:     oidcIDP2Meta.Name,
							},
							Transforms: v1alpha1.FederationDomainTransforms{},
						},
					},
				}, v1alpha1.FederationDomainPhaseError)
				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
					allSuccessfulFederationDomainConditions(fd.Spec),
					[]metav1.Condition{
						{
							Type: "IdentityProvidersFound", Status: "False", Reason: "IdentityProvidersObjectRefsNotFound",
							Message: here.Docf(`
								cannot find resource specified by .spec.identityProviders[0].objectRef (with name "%s")

								cannot find resource specified by .spec.identityProviders[1].objectRef (with name "%s")`,
								oidcIDP1Meta.Name, oidcIDP2Meta.Name),
						},
						{
							Type: "Ready", Status: "False", Reason: "NotReady",
							Message: "the FederationDomain is not ready: see other conditions for details",
						},
					},
				))

				// Creating the first IDP should not be enough to put the FederationDomain into a successful status.
				oidcIdentityProvider1 := testlib.CreateTestOIDCIdentityProviderWithObjectMeta(t, idpv1alpha1.OIDCIdentityProviderSpec{
					Issuer: "https://example.cluster.local/fake-issuer-url-does-not-matter",
					Client: idpv1alpha1.OIDCClient{SecretName: "this-will-not-exist-but-does-not-matter"},
				}, oidcIDP1Meta, idpv1alpha1.PhaseError)
				testlib.WaitForFederationDomainStatusPhase(ctx, t, fd.Name, v1alpha1.FederationDomainPhaseError)
				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
					allSuccessfulFederationDomainConditions(fd.Spec),
					[]metav1.Condition{
						{
							Type: "IdentityProvidersFound", Status: "False", Reason: "IdentityProvidersObjectRefsNotFound",
							Message: fmt.Sprintf(`cannot find resource specified by .spec.identityProviders[1].objectRef (with name "%s")`, oidcIDP2Meta.Name),
						},
						{
							Type: "Ready", Status: "False", Reason: "NotReady",
							Message: "the FederationDomain is not ready: see other conditions for details",
						},
					},
				))

				// Creating the second IDP should put the FederationDomain into a successful status.
				testlib.CreateTestOIDCIdentityProviderWithObjectMeta(t, idpv1alpha1.OIDCIdentityProviderSpec{
					Issuer: "https://example.cluster.local/fake-issuer-url-does-not-matter",
					Client: idpv1alpha1.OIDCClient{SecretName: "this-will-not-exist-but-does-not-matter"},
				}, oidcIDP2Meta, idpv1alpha1.PhaseError)
				testlib.WaitForFederationDomainStatusPhase(ctx, t, fd.Name, v1alpha1.FederationDomainPhaseReady)
				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name,
					allSuccessfulFederationDomainConditions(fd.Spec))

				// Removing one IDP should put the FederationDomain back into an error status again.
				oidcIDPClient := supervisorClient.IDPV1alpha1().OIDCIdentityProviders(env.SupervisorNamespace)
				err := oidcIDPClient.Delete(ctx, oidcIdentityProvider1.Name, metav1.DeleteOptions{})
				require.NoError(t, err)
				testlib.WaitForFederationDomainStatusPhase(ctx, t, fd.Name, v1alpha1.FederationDomainPhaseError)
				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
					allSuccessfulFederationDomainConditions(fd.Spec),
					[]metav1.Condition{
						{
							Type: "IdentityProvidersFound", Status: "False", Reason: "IdentityProvidersObjectRefsNotFound",
							Message: fmt.Sprintf(`cannot find resource specified by .spec.identityProviders[0].objectRef (with name "%s")`, oidcIDP1Meta.Name),
						},
						{
							Type: "Ready", Status: "False", Reason: "NotReady",
							Message: "the FederationDomain is not ready: see other conditions for details",
						},
					},
				))
			},
		},
		{
			name: "spec with explicit identity providers and lots of validation errors",
			run: func(t *testing.T) {
				federationDomainsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().FederationDomains(env.SupervisorNamespace)

				oidcIdentityProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
					Issuer: "https://example.cluster.local/fake-issuer-url-does-not-matter",
					Client: idpv1alpha1.OIDCClient{SecretName: "this-will-not-exist-but-does-not-matter"},
				}, idpv1alpha1.PhaseError)

				fd := testlib.CreateTestFederationDomain(ctx, t, v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com/fake",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "not unique",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("this is the wrong api group"),
								Kind:     "OIDCIdentityProvider",
								Name:     "will not be found",
							},
							Transforms: v1alpha1.FederationDomainTransforms{
								Constants: []v1alpha1.FederationDomainTransformsConstant{
									{Name: "foo", Type: "string", StringValue: "bar"},
								},
								Expressions: []v1alpha1.FederationDomainTransformsExpression{
									{Type: "username/v1", Expression: "this is not a valid cel expression"},
									{Type: "groups/v1", Expression: "this is also not a valid cel expression"},
									{Type: "username/v1", Expression: "username"}, // valid
									{Type: "policy/v1", Expression: "still not a valid cel expression"},
								},
								Examples: []v1alpha1.FederationDomainTransformsExample{
									{
										Username: "does not matter because expressions did not compile",
									},
								},
							},
						},
						{ // this identity provider should be valid
							DisplayName: "unique",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
								Kind:     "OIDCIdentityProvider",
								Name:     oidcIdentityProvider.Name,
							},
						},
						{
							DisplayName: "not unique",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
								Kind:     "this is the wrong kind",
								Name:     "also will not be found",
							},
							Transforms: v1alpha1.FederationDomainTransforms{
								Constants: []v1alpha1.FederationDomainTransformsConstant{
									{Name: "ryan", Type: "string", StringValue: "ryan"},
									{Name: "unused", Type: "stringList", StringListValue: []string{"foo", "bar"}},
									{Name: "rejectMe", Type: "string", StringValue: "rejectMeWithDefaultMessage"},
								},
								Expressions: []v1alpha1.FederationDomainTransformsExpression{
									{Type: "policy/v1", Expression: `username == strConst.ryan || username == strConst.rejectMe`, Message: "only special users allowed"},
									{Type: "policy/v1", Expression: `username != "rejectMeWithDefaultMessage"`}, // no message specified
									{Type: "username/v1", Expression: `"pre:" + username`},
									{Type: "groups/v1", Expression: `groups.map(g, "pre:" + g)`},
								},
								Examples: []v1alpha1.FederationDomainTransformsExample{
									{ // this example should pass
										Username: "ryan",
										Groups:   []string{"a", "b"},
										Expects: v1alpha1.FederationDomainTransformsExampleExpects{
											Username: "pre:ryan",
											Groups:   []string{"pre:b", "pre:a", "pre:b", "pre:a"}, // order and repeats don't matter, treated like a set
											Rejected: false,
										},
									},
									{ // this example should pass
										Username: "other",
										Expects: v1alpha1.FederationDomainTransformsExampleExpects{
											Rejected: true,
											Message:  "only special users allowed",
										},
									},
									{ // this example should fail because it expects the user to be rejected but the user was actually not rejected
										Username: "ryan",
										Groups:   []string{"a", "b"},
										Expects: v1alpha1.FederationDomainTransformsExampleExpects{
											Rejected: true,
											Message:  "this input is ignored in this case",
										},
									},
									{ // this example should fail because it expects the user not to be rejected but they were actually rejected
										Username: "other",
										Groups:   []string{"a", "b"},
										Expects: v1alpha1.FederationDomainTransformsExampleExpects{
											Username: "pre:other",
											Groups:   []string{"pre:a", "pre:b"},
											Rejected: false,
										},
									},
									{ // this example should fail because it expects the wrong rejection message
										Username: "other",
										Groups:   []string{"a", "b"},
										Expects: v1alpha1.FederationDomainTransformsExampleExpects{
											Rejected: true,
											Message:  "wrong message",
										},
									},
									{ // this example should pass even though it does not make any assertion about the rejection message
										// because the message assertions defaults to asserting the default rejection message
										Username: "rejectMeWithDefaultMessage",
										Groups:   []string{"a", "b"},
										Expects: v1alpha1.FederationDomainTransformsExampleExpects{
											Rejected: true,
										},
									},
									{ // this example should fail because it expects both the wrong username and groups
										Username: "ryan",
										Groups:   []string{"b", "a"},
										Expects: v1alpha1.FederationDomainTransformsExampleExpects{
											Username: "wrong",
											Groups:   []string{},
											Rejected: false,
										},
									},
									{ // this example should fail because it expects the wrong username only
										Username: "ryan",
										Groups:   []string{"a", "b"},
										Expects: v1alpha1.FederationDomainTransformsExampleExpects{
											Username: "wrong",
											Groups:   []string{"pre:b", "pre:a"},
											Rejected: false,
										},
									},
									{ // this example should fail because it expects the wrong groups only
										Username: "ryan",
										Groups:   []string{"b", "a"},
										Expects: v1alpha1.FederationDomainTransformsExampleExpects{
											Username: "pre:ryan",
											Groups:   []string{"wrong2", "wrong1"},
											Rejected: false,
										},
									},
									{ // this example should fail because it does not expect anything but the auth actually was successful
										Username: "ryan",
										Groups:   []string{"b", "a"},
										Expects:  v1alpha1.FederationDomainTransformsExampleExpects{},
									},
								},
							},
						},
					},
				}, v1alpha1.FederationDomainPhaseError)

				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
					allSuccessfulFederationDomainConditions(fd.Spec),
					[]metav1.Condition{
						{
							Type: "IdentityProvidersDisplayNamesUnique", Status: "False", Reason: "DuplicateDisplayNames",
							Message: `the names specified by .spec.identityProviders[].displayName contain duplicates: "not unique"`,
						},
						{
							Type: "IdentityProvidersFound", Status: "False", Reason: "IdentityProvidersObjectRefsNotFound",
							Message: here.Doc(
								`cannot find resource specified by .spec.identityProviders[0].objectRef (with name "will not be found")

								 cannot find resource specified by .spec.identityProviders[2].objectRef (with name "also will not be found")`,
							)},
						{
							Type: "IdentityProvidersObjectRefAPIGroupSuffixValid", Status: "False", Reason: "APIGroupUnrecognized",
							Message: fmt.Sprintf(`some API groups specified by .spec.identityProviders[].objectRef.apiGroup are not recognized `+
								`(should be "idp.supervisor.%s"): "this is the wrong api group"`, env.APIGroupSuffix),
						},
						{
							Type: "IdentityProvidersObjectRefKindValid", Status: "False", Reason: "KindUnrecognized",
							Message: `some kinds specified by .spec.identityProviders[].objectRef.kind are not recognized ` +
								`(should be one of "ActiveDirectoryIdentityProvider", "LDAPIdentityProvider", "OIDCIdentityProvider"): "this is the wrong kind"`,
						},
						{
							Type: "Ready", Status: "False", Reason: "NotReady",
							Message: "the FederationDomain is not ready: see other conditions for details",
						},
						{
							Type: "TransformsExamplesPassed", Status: "False", Reason: "TransformsExamplesFailed",
							Message: here.Doc(
								`unable to check if the examples specified by .spec.identityProviders[0].transforms.examples[] had errors because an expression was invalid

								 .spec.identityProviders[2].transforms.examples[2] example failed:
								 expected: authentication to be rejected
								 actual:   authentication was not rejected

								 .spec.identityProviders[2].transforms.examples[3] example failed:
								 expected: authentication not to be rejected
								 actual:   authentication was rejected with message "only special users allowed"

								 .spec.identityProviders[2].transforms.examples[4] example failed:
								 expected: authentication rejection message "wrong message"
								 actual:   authentication rejection message "only special users allowed"

								 .spec.identityProviders[2].transforms.examples[6] example failed:
								 expected: username "wrong"
								 actual:   username "pre:ryan"

								 .spec.identityProviders[2].transforms.examples[6] example failed:
								 expected: groups []
								 actual:   groups ["pre:a", "pre:b"]

								 .spec.identityProviders[2].transforms.examples[7] example failed:
								 expected: username "wrong"
								 actual:   username "pre:ryan"

								 .spec.identityProviders[2].transforms.examples[8] example failed:
								 expected: groups ["wrong1", "wrong2"]
								 actual:   groups ["pre:a", "pre:b"]

								 .spec.identityProviders[2].transforms.examples[9] example failed:
								 expected: username ""
								 actual:   username "pre:ryan"

								 .spec.identityProviders[2].transforms.examples[9] example failed:
								 expected: groups []
								 actual:   groups ["pre:a", "pre:b"]`,
							),
						},
						{
							Type: "TransformsExpressionsValid", Status: "False", Reason: "InvalidTransformsExpressions",
							Message: here.Doc(
								`spec.identityProvider[0].transforms.expressions[0].expression was invalid:
								 CEL expression compile error: ERROR: <input>:1:6: Syntax error: mismatched input 'is' expecting <EOF>
								  | this is not a valid cel expression
								  | .....^

								 spec.identityProvider[0].transforms.expressions[1].expression was invalid:
								 CEL expression compile error: ERROR: <input>:1:6: Syntax error: mismatched input 'is' expecting <EOF>
								  | this is also not a valid cel expression
								  | .....^

								 spec.identityProvider[0].transforms.expressions[3].expression was invalid:
								 CEL expression compile error: ERROR: <input>:1:7: Syntax error: mismatched input 'not' expecting <EOF>
								  | still not a valid cel expression
								  | ......^`,
							),
						},
					},
				))

				// Updating the FederationDomain to fix some of the problems should make some of the errors go away.
				err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
					gotFD, err := federationDomainsClient.Get(ctx, fd.Name, metav1.GetOptions{})
					require.NoError(t, err)

					gotFD.Spec.IdentityProviders[0] = v1alpha1.FederationDomainIdentityProvider{
						// Fix the display name.
						DisplayName: "now made unique",
						// Fix the objectRef.
						ObjectRef: corev1.TypedLocalObjectReference{
							APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
							Kind:     "OIDCIdentityProvider",
							Name:     oidcIdentityProvider.Name,
						},
						Transforms: v1alpha1.FederationDomainTransforms{
							Constants: []v1alpha1.FederationDomainTransformsConstant{
								{Name: "foo", Type: "string", StringValue: "bar"},
							},
							Expressions: []v1alpha1.FederationDomainTransformsExpression{
								// Fix the compile errors.
								{Type: "username/v1", Expression: `"pre:" + username`},
							},
							Examples: []v1alpha1.FederationDomainTransformsExample{
								{ // this example should fail because it expects both the wrong username and groups
									Username: "ryan",
									Groups:   []string{"b", "a"},
									Expects: v1alpha1.FederationDomainTransformsExampleExpects{
										Username: "wrong",
										Groups:   []string{},
										Rejected: false,
									},
								},
							},
						},
					}

					gotFD.Spec.IdentityProviders[2].Transforms.Examples = []v1alpha1.FederationDomainTransformsExample{
						{ // this example should pass
							Username: "other",
							Expects: v1alpha1.FederationDomainTransformsExampleExpects{
								Rejected: true,
								Message:  "only special users allowed",
							},
						},
					}

					_, updateErr := federationDomainsClient.Update(ctx, gotFD, metav1.UpdateOptions{})
					return updateErr
				})
				require.NoError(t, err)

				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
					allSuccessfulFederationDomainConditions(fd.Spec),
					[]metav1.Condition{
						{
							Type: "IdentityProvidersFound", Status: "False", Reason: "IdentityProvidersObjectRefsNotFound",
							Message: `cannot find resource specified by .spec.identityProviders[2].objectRef (with name "also will not be found")`,
						},
						{
							Type: "IdentityProvidersObjectRefKindValid", Status: "False", Reason: "KindUnrecognized",
							Message: `some kinds specified by .spec.identityProviders[].objectRef.kind are not recognized ` +
								`(should be one of "ActiveDirectoryIdentityProvider", "LDAPIdentityProvider", "OIDCIdentityProvider"): "this is the wrong kind"`,
						},
						{
							Type: "Ready", Status: "False", Reason: "NotReady",
							Message: "the FederationDomain is not ready: see other conditions for details",
						},
						{
							Type: "TransformsExamplesPassed", Status: "False", Reason: "TransformsExamplesFailed",
							Message: here.Doc(
								`.spec.identityProviders[0].transforms.examples[0] example failed:
								 expected: username "wrong"
								 actual:   username "pre:ryan"

								 .spec.identityProviders[0].transforms.examples[0] example failed:
								 expected: groups []
								 actual:   groups ["a", "b"]`,
							),
						},
					},
				))

				// Updating the FederationDomain to fix the rest of the problems should make all the errors go away.
				err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
					gotFD, err := federationDomainsClient.Get(ctx, fd.Name, metav1.GetOptions{})
					require.NoError(t, err)

					gotFD.Spec.IdentityProviders[2].ObjectRef = corev1.TypedLocalObjectReference{
						APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
						Kind:     "OIDCIdentityProvider",
						Name:     oidcIdentityProvider.Name,
					}

					gotFD.Spec.IdentityProviders[0].Transforms.Examples = []v1alpha1.FederationDomainTransformsExample{
						{ // this example should pass
							Username: "ryan",
							Groups:   []string{"b", "a"},
							Expects: v1alpha1.FederationDomainTransformsExampleExpects{
								Username: "pre:ryan",
								Groups:   []string{"a", "b"},
							},
						},
					}

					_, updateErr := federationDomainsClient.Update(ctx, gotFD, metav1.UpdateOptions{})
					return updateErr
				})
				require.NoError(t, err)

				testlib.WaitForFederationDomainStatusPhase(ctx, t, fd.Name, v1alpha1.FederationDomainPhaseReady)
				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, allSuccessfulFederationDomainConditions(fd.Spec))
			},
		},
	}

	for _, test := range tests {
		tt := test
		t.Run(tt.name, func(t *testing.T) {
			tt.run(t)
		})
	}
}

func TestSupervisorFederationDomainCRDValidations_Parallel(t *testing.T) {
	env := testlib.IntegrationEnv(t)
	fdClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().FederationDomains(env.SupervisorNamespace)

	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
	t.Cleanup(cancel)

	adminClient := testlib.NewKubernetesClientset(t)
	usingOldKubeVersionInCluster := testutil.KubeServerMinorVersionInBetweenInclusive(t, adminClient.Discovery(), 0, 23)
	usingReallyOldKubeVersionInCluster := testutil.KubeServerMinorVersionInBetweenInclusive(t, adminClient.Discovery(), 0, 19)

	objectMeta := testlib.ObjectMetaWithRandomName(t, "federation-domain")

	tests := []struct {
		name                 string
		fd                   *v1alpha1.FederationDomain
		wantErr              string
		wantOldKubeErr       string
		wantReallyOldKubeErr string
	}{
		{
			name: "issuer cannot be empty",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: objectMeta,
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "",
				},
			},
			wantErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.issuer: Invalid value: "": spec.issuer in body should be at least 1 chars long`,
				env.APIGroupSuffix, objectMeta.Name),
		},
		{
			name: "IDP display names cannot be empty",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: objectMeta,
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("required in older versions of Kubernetes for each item in the identityProviders slice"),
							},
						},
					},
				},
			},
			wantErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders[0].displayName: Invalid value: "": `+
				"spec.identityProviders[0].displayName in body should be at least 1 chars long",
				env.APIGroupSuffix, objectMeta.Name),
		},
		{
			name: "IDP transform constants must have unique names",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: objectMeta,
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "foo",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("required in older versions of Kubernetes for each item in the identityProviders slice"),
							},
							Transforms: v1alpha1.FederationDomainTransforms{
								Constants: []v1alpha1.FederationDomainTransformsConstant{
									{Name: "notUnique", Type: "string", StringValue: "foo"},
									{Name: "notUnique", Type: "string", StringValue: "bar"},
								},
							},
						},
					},
				},
			},
			wantOldKubeErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders[0].transforms.constants[1]: Duplicate value: map[string]interface {}{"name":"notUnique"}`,
				env.APIGroupSuffix, objectMeta.Name),
			wantErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders[0].transforms.constants[1]: Duplicate value: map[string]interface {}{"name":"notUnique"}`,
				env.APIGroupSuffix, objectMeta.Name),
		},
		{
			name: "IDP transform constant names cannot be empty",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: objectMeta,
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "foo",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("required in older versions of Kubernetes for each item in the identityProviders slice"),
							},
							Transforms: v1alpha1.FederationDomainTransforms{
								Constants: []v1alpha1.FederationDomainTransformsConstant{
									{Name: "", Type: "string"},
								},
							},
						},
					},
				},
			},
			wantErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders[0].transforms.constants[0].name: Invalid value: "": `+
				`spec.identityProviders[0].transforms.constants[0].name in body should be at least 1 chars long`,
				env.APIGroupSuffix, objectMeta.Name),
		},
		{
			name: "IDP transform constant names cannot be more than 64 characters",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: objectMeta,
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "foo",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("required in older versions of Kubernetes for each item in the identityProviders slice"),
							},
							Transforms: v1alpha1.FederationDomainTransforms{
								Constants: []v1alpha1.FederationDomainTransformsConstant{
									{Name: "12345678901234567890123456789012345678901234567890123456789012345", Type: "string"},
								},
							},
						},
					},
				},
			},
			wantReallyOldKubeErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders.transforms.constants.name: Invalid value: "": `+
				`spec.identityProviders.transforms.constants.name in body should be at most 64 chars long`,
				env.APIGroupSuffix, objectMeta.Name),
			wantOldKubeErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders.transforms.constants.name: Invalid value: "12345678901234567890123456789012345678901234567890123456789012345": `+
				`spec.identityProviders.transforms.constants.name in body should be at most 64 chars long`,
				env.APIGroupSuffix, objectMeta.Name),
			wantErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders[0].transforms.constants[0].name: Too long: may not be longer than 64`,
				env.APIGroupSuffix, objectMeta.Name),
		},
		{
			name: "IDP transform constant names must be a legal CEL variable name",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: objectMeta,
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "foo",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("required in older versions of Kubernetes for each item in the identityProviders slice"),
							},
							Transforms: v1alpha1.FederationDomainTransforms{
								Constants: []v1alpha1.FederationDomainTransformsConstant{
									{Name: "cannot have spaces", Type: "string"},
									{Name: "1mustStartWithLetter", Type: "string"},
									{Name: "_mustStartWithLetter", Type: "string"},
									{Name: "canOnlyIncludeLettersAndNumbersAnd_", Type: "string"},
									{Name: "CanStart1_withUpperCase", Type: "string"},
								},
							},
						},
					},
				},
			},
			wantReallyOldKubeErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders.transforms.constants.name: Invalid value: "": `+
				`spec.identityProviders.transforms.constants.name in body should match '^[a-zA-Z][_a-zA-Z0-9]*$'`,
				env.APIGroupSuffix, objectMeta.Name),
			wantOldKubeErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders.transforms.constants.name: Invalid value: "cannot have spaces": `+
				`spec.identityProviders.transforms.constants.name in body should match '^[a-zA-Z][_a-zA-Z0-9]*$'`,
				env.APIGroupSuffix, objectMeta.Name),
			wantErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`[spec.identityProviders[0].transforms.constants[0].name: Invalid value: "cannot have spaces": `+
				`spec.identityProviders[0].transforms.constants[0].name in body should match '^[a-zA-Z][_a-zA-Z0-9]*$', `+
				`spec.identityProviders[0].transforms.constants[1].name: Invalid value: "1mustStartWithLetter": `+
				`spec.identityProviders[0].transforms.constants[1].name in body should match '^[a-zA-Z][_a-zA-Z0-9]*$', `+
				`spec.identityProviders[0].transforms.constants[2].name: Invalid value: "_mustStartWithLetter": `+
				`spec.identityProviders[0].transforms.constants[2].name in body should match '^[a-zA-Z][_a-zA-Z0-9]*$']`,
				env.APIGroupSuffix, objectMeta.Name),
		},
		{
			name: "IDP transform constant types must be one of the allowed enum strings",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: objectMeta,
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "foo",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("required in older versions of Kubernetes for each item in the identityProviders slice"),
							},
							Transforms: v1alpha1.FederationDomainTransforms{
								Constants: []v1alpha1.FederationDomainTransformsConstant{
									{Name: "a", Type: "this is invalid"},
									{Name: "b", Type: "string"},
									{Name: "c", Type: "stringList"},
								},
							},
						},
					},
				},
			},
			wantErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders[0].transforms.constants[0].type: Unsupported value: "this is invalid": `+
				`supported values: "string", "stringList"`,
				env.APIGroupSuffix, objectMeta.Name),
		},
		{
			name: "IDP transform expression types must be one of the allowed enum strings",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: objectMeta,
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "foo",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("required in older versions of Kubernetes for each item in the identityProviders slice"),
							},
							Transforms: v1alpha1.FederationDomainTransforms{
								Expressions: []v1alpha1.FederationDomainTransformsExpression{
									{Type: "this is invalid", Expression: "foo"},
									{Type: "policy/v1", Expression: "foo"},
									{Type: "username/v1", Expression: "foo"},
									{Type: "groups/v1", Expression: "foo"},
								},
							},
						},
					},
				},
			},
			wantErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders[0].transforms.expressions[0].type: Unsupported value: "this is invalid": `+
				`supported values: "policy/v1", "username/v1", "groups/v1"`,
				env.APIGroupSuffix, objectMeta.Name),
		},
		{
			name: "IDP transform expressions cannot be empty",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: objectMeta,
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "foo",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("required in older versions of Kubernetes for each item in the identityProviders slice"),
							},
							Transforms: v1alpha1.FederationDomainTransforms{
								Expressions: []v1alpha1.FederationDomainTransformsExpression{
									{Type: "username/v1", Expression: ""},
								},
							},
						},
					},
				},
			},
			wantErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders[0].transforms.expressions[0].expression: Invalid value: "": `+
				`spec.identityProviders[0].transforms.expressions[0].expression in body should be at least 1 chars long`,
				env.APIGroupSuffix, objectMeta.Name),
		},
		{
			name: "IDP transform example usernames cannot be empty",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: objectMeta,
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "foo",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("required in older versions of Kubernetes for each item in the identityProviders slice"),
							},
							Transforms: v1alpha1.FederationDomainTransforms{
								Examples: []v1alpha1.FederationDomainTransformsExample{
									{Username: ""},
									{Username: "non-empty"},
								},
							},
						},
					},
				},
			},
			wantErr: fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: "+
				`spec.identityProviders[0].transforms.examples[0].username: Invalid value: "": `+
				`spec.identityProviders[0].transforms.examples[0].username in body should be at least 1 chars long`,
				env.APIGroupSuffix, objectMeta.Name),
		},
		{
			name: "minimum valid",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "fd"),
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com",
				},
			},
		},
		{
			name: "minimum valid when IDPs are included",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "fd"),
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "foo",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("required in older versions of Kubernetes for each item in the identityProviders slice"),
							},
						},
					},
				},
			},
		},
		{
			name: "minimum valid when IDP has transform constants, expressions, and examples",
			fd: &v1alpha1.FederationDomain{
				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "fd"),
				Spec: v1alpha1.FederationDomainSpec{
					Issuer: "https://example.com",
					IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{
						{
							DisplayName: "foo",
							ObjectRef: corev1.TypedLocalObjectReference{
								APIGroup: ptr.To("required in older versions of Kubernetes for each item in the identityProviders slice"),
							},
							Transforms: v1alpha1.FederationDomainTransforms{
								Constants: []v1alpha1.FederationDomainTransformsConstant{
									{Name: "foo", Type: "string"},
								},
								Expressions: []v1alpha1.FederationDomainTransformsExpression{
									{Type: "username/v1", Expression: "foo"},
								},
								Examples: []v1alpha1.FederationDomainTransformsExample{
									{Username: "foo"},
								},
							},
						},
					},
				},
			},
		},
	}

	for _, test := range tests {
		tt := test
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			_, createErr := fdClient.Create(ctx, tt.fd, metav1.CreateOptions{})

			t.Cleanup(func() {
				// Delete it if it exists.
				delErr := fdClient.Delete(ctx, tt.fd.Name, metav1.DeleteOptions{})
				if !k8serrors.IsNotFound(delErr) {
					require.NoError(t, delErr)
				}
			})

			if tt.wantErr == "" && tt.wantOldKubeErr == "" && tt.wantReallyOldKubeErr == "" {
				require.NoError(t, createErr)
			} else {
				wantErr := tt.wantErr
				if usingOldKubeVersionInCluster || usingReallyOldKubeVersionInCluster {
					// Old versions of Kubernetes did not show the index where the error occurred in some of the messages,
					// so remove the indices from the expected messages when running against an old version of Kube.
					// For the above tests, it should be enough to assume that there will only be indices up to 10.
					// This is useful when the only difference in the message between old and new is the missing indices.
					// Otherwise, use wantOldKubeErr to say what the expected message should be for old versions.
					for i := 0; i < 10; i++ {
						wantErr = strings.ReplaceAll(wantErr, fmt.Sprintf("[%d]", i), "")
					}
				}
				if usingOldKubeVersionInCluster && tt.wantOldKubeErr != "" {
					// Sometimes there are other difference in older Kubernetes messages, so also allow exact
					// expectation strings for those cases in wantOldKubeErr. When provided, use it on old Kube clusters.
					wantErr = tt.wantOldKubeErr
				}
				if usingReallyOldKubeVersionInCluster && tt.wantReallyOldKubeErr != "" {
					// Sometimes there are other difference in really old Kubernetes messages, so also allow exact
					// expectation strings for those cases in wantOldKubeErr. When provided, use it on
					// really old Kube clusters.
					wantErr = tt.wantReallyOldKubeErr
				}
				require.EqualError(t, createErr, wantErr)
			}
		})
	}
}

func replaceSomeConditions(conditions []metav1.Condition, replaceWithTheseConditions []metav1.Condition) []metav1.Condition {
	cp := make([]metav1.Condition, len(conditions))
	copy(cp, conditions)
	for _, replacementCond := range replaceWithTheseConditions {
		for i, cond := range cp {
			if replacementCond.Type == cond.Type {
				cp[i] = replacementCond
				break
			}
		}
	}
	return cp
}

func allSuccessfulLegacyFederationDomainConditions(idpName string, federationDomainSpec v1alpha1.FederationDomainSpec) []metav1.Condition {
	return replaceSomeConditions(
		allSuccessfulFederationDomainConditions(federationDomainSpec),
		[]metav1.Condition{
			{
				Type: "IdentityProvidersFound", Status: "True", Reason: "LegacyConfigurationSuccess",
				Message: fmt.Sprintf(`no resources were specified by .spec.identityProviders[].objectRef but exactly one `+
					`identity provider resource has been found: using "%s" as identity provider: `+
					`please explicitly list identity providers in .spec.identityProviders `+
					`(this legacy configuration mode may be removed in a future version of Pinniped)`, idpName),
			},
		},
	)
}

func allSuccessfulFederationDomainConditions(federationDomainSpec v1alpha1.FederationDomainSpec) []metav1.Condition {
	return []metav1.Condition{
		{
			Type: "IdentityProvidersDisplayNamesUnique", Status: "True", Reason: "Success",
			Message: "the names specified by .spec.identityProviders[].displayName are unique",
		},
		{
			Type: "IdentityProvidersFound", Status: "True", Reason: "Success",
			Message: "the resources specified by .spec.identityProviders[].objectRef were found",
		},
		{
			Type: "IdentityProvidersObjectRefAPIGroupSuffixValid", Status: "True", Reason: "Success",
			Message: "the API groups specified by .spec.identityProviders[].objectRef.apiGroup are recognized",
		},
		{
			Type: "IdentityProvidersObjectRefKindValid", Status: "True", Reason: "Success",
			Message: "the kinds specified by .spec.identityProviders[].objectRef.kind are recognized",
		},
		{
			Type: "IssuerIsUnique", Status: "True", Reason: "Success",
			Message: "spec.issuer is unique among all FederationDomains",
		},
		{
			Type: "IssuerURLValid", Status: "True", Reason: "Success",
			Message: "spec.issuer is a valid URL",
		},
		{
			Type: "OneTLSSecretPerIssuerHostname", Status: "True", Reason: "Success",
			Message: "all FederationDomains are using the same TLS secret when using the same hostname in the spec.issuer URL",
		},
		{
			Type: "Ready", Status: "True", Reason: "Success",
			Message: fmt.Sprintf("the FederationDomain is ready and its endpoints are available: "+
				"the discovery endpoint is %s/.well-known/openid-configuration", federationDomainSpec.Issuer),
		},
		{
			Type: "TransformsExamplesPassed", Status: "True", Reason: "Success",
			Message: "the examples specified by .spec.identityProviders[].transforms.examples[] had no errors",
		},
		{
			Type: "TransformsExpressionsValid", Status: "True", Reason: "Success",
			Message: "the expressions specified by .spec.identityProviders[].transforms.expressions[] are valid",
		},
	}
}