// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package supervisorstorage import ( "context" "encoding/json" "errors" "testing" "time" "github.com/ory/fosite" "github.com/sclevine/spec" "github.com/sclevine/spec/report" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" kubeinformers "k8s.io/client-go/informers" kubernetesfake "k8s.io/client-go/kubernetes/fake" kubetesting "k8s.io/client-go/testing" "k8s.io/utils/clock" clocktesting "k8s.io/utils/clock/testing" "go.pinniped.dev/internal/controllerlib" "go.pinniped.dev/internal/fositestorage/accesstoken" "go.pinniped.dev/internal/fositestorage/authorizationcode" "go.pinniped.dev/internal/fositestorage/refreshtoken" "go.pinniped.dev/internal/oidc/clientregistry" "go.pinniped.dev/internal/oidc/provider" "go.pinniped.dev/internal/psession" "go.pinniped.dev/internal/testutil" "go.pinniped.dev/internal/testutil/oidctestutil" ) func TestGarbageCollectorControllerInformerFilters(t *testing.T) { spec.Run(t, "informer filters", func(t *testing.T, when spec.G, it spec.S) { var ( r *require.Assertions observableWithInformerOption *testutil.ObservableWithInformerOption secretsInformerFilter controllerlib.Filter ) it.Before(func() { r = require.New(t) observableWithInformerOption = testutil.NewObservableWithInformerOption() secretsInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().Secrets() _ = GarbageCollectorController( nil, clock.RealClock{}, nil, secretsInformer, observableWithInformerOption.WithInformer, // make it possible to observe the behavior of the Filters ) secretsInformerFilter = observableWithInformerOption.GetFilterForInformer(secretsInformer) }) when("watching Secret objects", func() { var ( subject controllerlib.Filter secretWithAnnotation, otherSecret *corev1.Secret ) it.Before(func() { subject = secretsInformerFilter secretWithAnnotation = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": "some timestamp", }}} otherSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-other-name", Namespace: "any-namespace"}} }) when("any Secret with the required annotation is added or updated", func() { it("returns true to trigger the sync function", func() { r.True(subject.Add(secretWithAnnotation)) r.True(subject.Update(secretWithAnnotation, otherSecret)) r.True(subject.Update(otherSecret, secretWithAnnotation)) }) it("returns the same singleton key", func() { r.Equal(controllerlib.Key{}, subject.Parent(secretWithAnnotation)) }) }) when("any Secret with the required annotation is deleted", func() { it("returns false to skip the sync function because it does not need to worry about secrets that are already gone", func() { r.False(subject.Delete(secretWithAnnotation)) }) }) when("any Secret without the required annotation changes", func() { it("returns false to skip the sync function", func() { r.False(subject.Add(otherSecret)) r.False(subject.Update(otherSecret, otherSecret)) r.False(subject.Delete(otherSecret)) }) }) when("any other type is passed", func() { it("returns false to skip the sync function", func() { wrongType := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "some-ns", Namespace: "some-ns"}} r.False(subject.Add(wrongType)) r.False(subject.Update(wrongType, wrongType)) r.False(subject.Delete(wrongType)) }) }) }) }, spec.Parallel(), spec.Report(report.Terminal{})) } func TestGarbageCollectorControllerSync(t *testing.T) { secretsGVR := schema.GroupVersionResource{ Group: "", Version: "v1", Resource: "secrets", } spec.Run(t, "Sync", func(t *testing.T, when spec.G, it spec.S) { const ( installedInNamespace = "some-namespace" ) var ( r *require.Assertions subject controllerlib.Controller kubeInformerClient *kubernetesfake.Clientset kubeClient *kubernetesfake.Clientset kubeInformers kubeinformers.SharedInformerFactory cancelContext context.Context cancelContextCancelFunc context.CancelFunc syncContext *controllerlib.Context fakeClock *clocktesting.FakeClock frozenNow time.Time ) // Defer starting the informers until the last possible moment so that the // nested Before's can keep adding things to the informer caches. var startInformersAndController = func(idpCache provider.DynamicUpstreamIDPProvider) { // Set this at the last second to allow for injection of server override. subject = GarbageCollectorController( idpCache, fakeClock, kubeClient, kubeInformers.Core().V1().Secrets(), controllerlib.WithInformer, ) // Set this at the last second to support calling subject.Name(). syncContext = &controllerlib.Context{ Context: cancelContext, Name: subject.Name(), Key: controllerlib.Key{ Namespace: "foo", Name: "bar", }, Queue: &testQueue{t: t}, } // Must start informers before calling TestRunSynchronously() kubeInformers.Start(cancelContext.Done()) controllerlib.TestRunSynchronously(t, subject) } it.Before(func() { r = require.New(t) cancelContext, cancelContextCancelFunc = context.WithCancel(context.Background()) kubeInformerClient = kubernetesfake.NewSimpleClientset() kubeClient = kubernetesfake.NewSimpleClientset() kubeInformers = kubeinformers.NewSharedInformerFactory(kubeInformerClient, 0) frozenNow = time.Now().UTC() fakeClock = clocktesting.NewFakeClock(frozenNow) unrelatedSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "some other unrelated secret", Namespace: installedInNamespace, }, } r.NoError(kubeInformerClient.Tracker().Add(unrelatedSecret)) r.NoError(kubeClient.Tracker().Add(unrelatedSecret)) }) it.After(func() { cancelContextCancelFunc() }) when("there are secrets without the garbage-collect-after annotation", func() { it("does not delete those secrets", func() { startInformersAndController(nil) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) require.Empty(t, kubeClient.Actions()) list, err := kubeClient.CoreV1().Secrets(installedInNamespace).List(context.Background(), metav1.ListOptions{}) r.NoError(err) r.Len(list.Items, 1) r.Equal("some other unrelated secret", list.Items[0].Name) }) }) when("there are any secrets with the garbage-collect-after annotation", func() { it.Before(func() { firstExpiredSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "first expired secret", Namespace: installedInNamespace, UID: "uid-123", ResourceVersion: "rv-456", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, }, } r.NoError(kubeInformerClient.Tracker().Add(firstExpiredSecret)) r.NoError(kubeClient.Tracker().Add(firstExpiredSecret)) secondExpiredSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "second expired secret", Namespace: installedInNamespace, UID: "uid-789", ResourceVersion: "rv-555", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-2 * time.Second).Format(time.RFC3339), }, }, } r.NoError(kubeInformerClient.Tracker().Add(secondExpiredSecret)) r.NoError(kubeClient.Tracker().Add(secondExpiredSecret)) unexpiredSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "unexpired secret", Namespace: installedInNamespace, Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(time.Second).Format(time.RFC3339), }, }, } r.NoError(kubeInformerClient.Tracker().Add(unexpiredSecret)) r.NoError(kubeClient.Tracker().Add(unexpiredSecret)) }) it("should delete any that are past their expiration", func() { startInformersAndController(nil) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "first expired secret", testutil.NewPreconditions("uid-123", "rv-456")), kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "second expired secret", testutil.NewPreconditions("uid-789", "rv-555")), }, kubeClient.Actions(), ) list, err := kubeClient.CoreV1().Secrets(installedInNamespace).List(context.Background(), metav1.ListOptions{}) r.NoError(err) r.Len(list.Items, 2) r.ElementsMatch([]string{"unexpired secret", "some other unrelated secret"}, []string{list.Items[0].Name, list.Items[1].Name}) }) }) when("there are valid, expired authcode secrets which contain upstream refresh tokens", func() { it.Before(func() { activeOIDCAuthcodeSession := &authorizationcode.Session{ Version: "2", Active: true, Request: &fosite.Request{ ID: "request-id-1", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamRefreshToken: "fake-upstream-refresh-token", }, }, }, }, } activeOIDCAuthcodeSessionJSON, err := json.Marshal(activeOIDCAuthcodeSession) r.NoError(err) activeOIDCAuthcodeSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "activeOIDCAuthcodeSession", Namespace: installedInNamespace, UID: "uid-123", ResourceVersion: "rv-123", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": authorizationcode.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": activeOIDCAuthcodeSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue, } _, err = authorizationcode.ReadFromSecret(activeOIDCAuthcodeSessionSecret) r.NoError(err, "the test author accidentally formed an invalid authcode secret") r.NoError(kubeInformerClient.Tracker().Add(activeOIDCAuthcodeSessionSecret)) r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret)) inactiveOIDCAuthcodeSession := &authorizationcode.Session{ Version: "2", Active: false, Request: &fosite.Request{ ID: "request-id-2", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamRefreshToken: "other-fake-upstream-refresh-token", }, }, }, }, } inactiveOIDCAuthcodeSessionJSON, err := json.Marshal(inactiveOIDCAuthcodeSession) r.NoError(err) inactiveOIDCAuthcodeSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "inactiveOIDCAuthcodeSession", Namespace: installedInNamespace, UID: "uid-456", ResourceVersion: "rv-456", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": authorizationcode.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": inactiveOIDCAuthcodeSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue, } _, err = authorizationcode.ReadFromSecret(inactiveOIDCAuthcodeSessionSecret) r.NoError(err, "the test author accidentally formed an invalid authcode secret") r.NoError(kubeInformerClient.Tracker().Add(inactiveOIDCAuthcodeSessionSecret)) r.NoError(kubeClient.Tracker().Add(inactiveOIDCAuthcodeSessionSecret)) }) it("should revoke upstream tokens only from the active authcode secrets and delete them all", func() { happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName("upstream-oidc-provider-name"). WithResourceUID("upstream-oidc-provider-uid"). WithRevokeTokenError(nil) idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build()) startInformersAndController(idpListerBuilder.Build()) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) // The upstream refresh token is only revoked for the active authcode session. idpListerBuilder.RequireExactlyOneCallToRevokeToken(t, "upstream-oidc-provider-name", &oidctestutil.RevokeTokenArgs{ Ctx: syncContext.Context, Token: "fake-upstream-refresh-token", TokenType: provider.RefreshTokenType, }, ) // Both authcode session secrets are deleted. r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "activeOIDCAuthcodeSession", testutil.NewPreconditions("uid-123", "rv-123")), kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "inactiveOIDCAuthcodeSession", testutil.NewPreconditions("uid-456", "rv-456")), }, kubeClient.Actions(), ) }) }) when("there are valid, expired authcode secrets which contain upstream access tokens", func() { it.Before(func() { activeOIDCAuthcodeSession := &authorizationcode.Session{ Version: "2", Active: true, Request: &fosite.Request{ ID: "request-id-1", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamAccessToken: "fake-upstream-access-token", }, }, }, }, } activeOIDCAuthcodeSessionJSON, err := json.Marshal(activeOIDCAuthcodeSession) r.NoError(err) activeOIDCAuthcodeSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "activeOIDCAuthcodeSession", Namespace: installedInNamespace, UID: "uid-123", ResourceVersion: "rv-123", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": authorizationcode.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": activeOIDCAuthcodeSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue, } _, err = authorizationcode.ReadFromSecret(activeOIDCAuthcodeSessionSecret) r.NoError(err, "the test author accidentally formed an invalid authcode secret") r.NoError(kubeInformerClient.Tracker().Add(activeOIDCAuthcodeSessionSecret)) r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret)) inactiveOIDCAuthcodeSession := &authorizationcode.Session{ Version: "2", Active: false, Request: &fosite.Request{ ID: "request-id-2", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamAccessToken: "other-fake-upstream-access-token", }, }, }, }, } inactiveOIDCAuthcodeSessionJSON, err := json.Marshal(inactiveOIDCAuthcodeSession) r.NoError(err) inactiveOIDCAuthcodeSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "inactiveOIDCAuthcodeSession", Namespace: installedInNamespace, UID: "uid-456", ResourceVersion: "rv-456", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": authorizationcode.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": inactiveOIDCAuthcodeSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue, } _, err = authorizationcode.ReadFromSecret(inactiveOIDCAuthcodeSessionSecret) r.NoError(err, "the test author accidentally formed an invalid authcode secret") r.NoError(kubeInformerClient.Tracker().Add(inactiveOIDCAuthcodeSessionSecret)) r.NoError(kubeClient.Tracker().Add(inactiveOIDCAuthcodeSessionSecret)) }) it("should revoke upstream tokens only from the active authcode secrets and delete them all", func() { happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName("upstream-oidc-provider-name"). WithResourceUID("upstream-oidc-provider-uid"). WithRevokeTokenError(nil) idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build()) startInformersAndController(idpListerBuilder.Build()) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) // The upstream refresh token is only revoked for the active authcode session. idpListerBuilder.RequireExactlyOneCallToRevokeToken(t, "upstream-oidc-provider-name", &oidctestutil.RevokeTokenArgs{ Ctx: syncContext.Context, Token: "fake-upstream-access-token", TokenType: provider.AccessTokenType, }, ) // Both authcode session secrets are deleted. r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "activeOIDCAuthcodeSession", testutil.NewPreconditions("uid-123", "rv-123")), kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "inactiveOIDCAuthcodeSession", testutil.NewPreconditions("uid-456", "rv-456")), }, kubeClient.Actions(), ) }) }) when("there is an invalid, expired authcode secret", func() { it.Before(func() { invalidOIDCAuthcodeSession := &authorizationcode.Session{ Version: "2", Active: true, Request: &fosite.Request{ ID: "", // it is invalid for there to be a missing request ID Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamRefreshToken: "fake-upstream-refresh-token", }, }, }, }, } invalidOIDCAuthcodeSessionJSON, err := json.Marshal(invalidOIDCAuthcodeSession) r.NoError(err) invalidOIDCAuthcodeSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "invalidOIDCAuthcodeSession", Namespace: installedInNamespace, UID: "uid-123", ResourceVersion: "rv-123", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": authorizationcode.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": invalidOIDCAuthcodeSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue, } r.NoError(kubeInformerClient.Tracker().Add(invalidOIDCAuthcodeSessionSecret)) r.NoError(kubeClient.Tracker().Add(invalidOIDCAuthcodeSessionSecret)) }) it("should remove the secret without revoking any upstream tokens", func() { happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName("upstream-oidc-provider-name"). WithResourceUID("upstream-oidc-provider-uid"). WithRevokeTokenError(nil) idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build()) startInformersAndController(idpListerBuilder.Build()) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) // Nothing to revoke since we couldn't read the invalid secret. idpListerBuilder.RequireExactlyZeroCallsToRevokeToken(t) // The invalid authcode session secrets is still deleted because it is expired. r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "invalidOIDCAuthcodeSession", testutil.NewPreconditions("uid-123", "rv-123")), }, kubeClient.Actions(), ) }) }) when("there is a valid, expired authcode secret but its upstream name does not match any existing upstream", func() { it.Before(func() { wrongProviderNameOIDCAuthcodeSession := &authorizationcode.Session{ Version: "2", Active: true, Request: &fosite.Request{ ID: "request-id-1", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name-will-not-match", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamRefreshToken: "fake-upstream-refresh-token", }, }, }, }, } wrongProviderNameOIDCAuthcodeSessionJSON, err := json.Marshal(wrongProviderNameOIDCAuthcodeSession) r.NoError(err) wrongProviderNameOIDCAuthcodeSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "wrongProviderNameOIDCAuthcodeSession", Namespace: installedInNamespace, UID: "uid-123", ResourceVersion: "rv-123", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": authorizationcode.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": wrongProviderNameOIDCAuthcodeSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue, } _, err = authorizationcode.ReadFromSecret(wrongProviderNameOIDCAuthcodeSessionSecret) r.NoError(err, "the test author accidentally formed an invalid authcode secret") r.NoError(kubeInformerClient.Tracker().Add(wrongProviderNameOIDCAuthcodeSessionSecret)) r.NoError(kubeClient.Tracker().Add(wrongProviderNameOIDCAuthcodeSessionSecret)) }) it("should remove the secret without revoking any upstream tokens", func() { happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName("upstream-oidc-provider-name"). WithResourceUID("upstream-oidc-provider-uid"). WithRevokeTokenError(nil) idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build()) startInformersAndController(idpListerBuilder.Build()) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) // Nothing to revoke since we couldn't find the upstream in the cache. idpListerBuilder.RequireExactlyZeroCallsToRevokeToken(t) // The authcode session secrets is still deleted because it is expired. r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "wrongProviderNameOIDCAuthcodeSession", testutil.NewPreconditions("uid-123", "rv-123")), }, kubeClient.Actions(), ) }) }) when("there is a valid, expired authcode secret but its upstream UID does not match any existing upstream", func() { it.Before(func() { wrongProviderNameOIDCAuthcodeSession := &authorizationcode.Session{ Version: "2", Active: true, Request: &fosite.Request{ ID: "request-id-1", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid-will-not-match", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamRefreshToken: "fake-upstream-refresh-token", }, }, }, }, } wrongProviderNameOIDCAuthcodeSessionJSON, err := json.Marshal(wrongProviderNameOIDCAuthcodeSession) r.NoError(err) wrongProviderNameOIDCAuthcodeSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "wrongProviderNameOIDCAuthcodeSession", Namespace: installedInNamespace, UID: "uid-123", ResourceVersion: "rv-123", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": authorizationcode.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": wrongProviderNameOIDCAuthcodeSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue, } _, err = authorizationcode.ReadFromSecret(wrongProviderNameOIDCAuthcodeSessionSecret) r.NoError(err, "the test author accidentally formed an invalid authcode secret") r.NoError(kubeInformerClient.Tracker().Add(wrongProviderNameOIDCAuthcodeSessionSecret)) r.NoError(kubeClient.Tracker().Add(wrongProviderNameOIDCAuthcodeSessionSecret)) }) it("should remove the secret without revoking any upstream tokens", func() { happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName("upstream-oidc-provider-name"). WithResourceUID("upstream-oidc-provider-uid"). WithRevokeTokenError(nil) idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build()) startInformersAndController(idpListerBuilder.Build()) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) // Nothing to revoke since we couldn't find the upstream in the cache. idpListerBuilder.RequireExactlyZeroCallsToRevokeToken(t) // The authcode session secrets is still deleted because it is expired. r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "wrongProviderNameOIDCAuthcodeSession", testutil.NewPreconditions("uid-123", "rv-123")), }, kubeClient.Actions(), ) }) }) when("there is a valid, recently expired authcode secret but the upstream revocation fails", func() { it.Before(func() { activeOIDCAuthcodeSession := &authorizationcode.Session{ Version: "2", Active: true, Request: &fosite.Request{ ID: "request-id-1", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamRefreshToken: "fake-upstream-refresh-token", }, }, }, }, } activeOIDCAuthcodeSessionJSON, err := json.Marshal(activeOIDCAuthcodeSession) r.NoError(err) activeOIDCAuthcodeSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "activeOIDCAuthcodeSession", Namespace: installedInNamespace, UID: "uid-123", ResourceVersion: "rv-123", Annotations: map[string]string{ // expired almost 4 hours ago, but not quite 4 hours "storage.pinniped.dev/garbage-collect-after": frozenNow.Add((-time.Hour * 4) + time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": authorizationcode.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": activeOIDCAuthcodeSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue, } _, err = authorizationcode.ReadFromSecret(activeOIDCAuthcodeSessionSecret) r.NoError(err, "the test author accidentally formed an invalid authcode secret") r.NoError(kubeInformerClient.Tracker().Add(activeOIDCAuthcodeSessionSecret)) r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret)) }) it("keeps the secret for a while longer so the revocation can be retried on a future sync for retryable errors", func() { happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName("upstream-oidc-provider-name"). WithResourceUID("upstream-oidc-provider-uid"). // make the upstream revocation fail in a retryable way WithRevokeTokenError(provider.NewRetryableRevocationError(errors.New("some retryable upstream revocation error"))) idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build()) startInformersAndController(idpListerBuilder.Build()) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) // Tried to revoke it, although this revocation will fail. idpListerBuilder.RequireExactlyOneCallToRevokeToken(t, "upstream-oidc-provider-name", &oidctestutil.RevokeTokenArgs{ Ctx: syncContext.Context, Token: "fake-upstream-refresh-token", TokenType: provider.RefreshTokenType, }, ) // The authcode session secrets is not deleted. r.Empty(kubeClient.Actions()) }) it("deletes the secret for non-retryable errors", func() { happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName("upstream-oidc-provider-name"). WithResourceUID("upstream-oidc-provider-uid"). // make the upstream revocation fail in a non-retryable way WithRevokeTokenError(errors.New("some upstream revocation error not worth retrying")) idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build()) startInformersAndController(idpListerBuilder.Build()) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) // Tried to revoke it, although this revocation will fail. idpListerBuilder.RequireExactlyOneCallToRevokeToken(t, "upstream-oidc-provider-name", &oidctestutil.RevokeTokenArgs{ Ctx: syncContext.Context, Token: "fake-upstream-refresh-token", TokenType: provider.RefreshTokenType, }, ) // The authcode session secrets is still deleted because it is expired and the revocation error is not retryable. r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "activeOIDCAuthcodeSession", testutil.NewPreconditions("uid-123", "rv-123")), }, kubeClient.Actions(), ) }) }) when("there is a valid, long-since expired authcode secret but the upstream revocation fails", func() { it.Before(func() { activeOIDCAuthcodeSession := &authorizationcode.Session{ Version: "2", Active: true, Request: &fosite.Request{ ID: "request-id-1", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamRefreshToken: "fake-upstream-refresh-token", }, }, }, }, } activeOIDCAuthcodeSessionJSON, err := json.Marshal(activeOIDCAuthcodeSession) r.NoError(err) activeOIDCAuthcodeSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "activeOIDCAuthcodeSession", Namespace: installedInNamespace, UID: "uid-123", ResourceVersion: "rv-123", Annotations: map[string]string{ // expired just over 4 hours ago "storage.pinniped.dev/garbage-collect-after": frozenNow.Add((-time.Hour * 4) - time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": authorizationcode.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": activeOIDCAuthcodeSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue, } _, err = authorizationcode.ReadFromSecret(activeOIDCAuthcodeSessionSecret) r.NoError(err, "the test author accidentally formed an invalid authcode secret") r.NoError(kubeInformerClient.Tracker().Add(activeOIDCAuthcodeSessionSecret)) r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret)) }) it("deletes the secret because it has probably been retrying revocation for hours without success", func() { happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName("upstream-oidc-provider-name"). WithResourceUID("upstream-oidc-provider-uid"). WithRevokeTokenError(errors.New("some upstream revocation error")) // the upstream revocation will fail idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build()) startInformersAndController(idpListerBuilder.Build()) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) // Tried to revoke it, although this revocation will fail. idpListerBuilder.RequireExactlyOneCallToRevokeToken(t, "upstream-oidc-provider-name", &oidctestutil.RevokeTokenArgs{ Ctx: syncContext.Context, Token: "fake-upstream-refresh-token", TokenType: provider.RefreshTokenType, }, ) // The authcode session secrets is deleted. r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "activeOIDCAuthcodeSession", testutil.NewPreconditions("uid-123", "rv-123")), }, kubeClient.Actions(), ) }) }) when("there are valid, expired access token secrets which contain upstream refresh tokens", func() { it.Before(func() { offlineAccessGrantedOIDCAccessTokenSession := &accesstoken.Session{ Version: "2", Request: &fosite.Request{ GrantedScope: fosite.Arguments{"scope1", "scope2", "offline_access"}, ID: "request-id-1", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamRefreshToken: "offline-access-granted-fake-upstream-refresh-token", }, }, }, }, } offlineAccessGrantedOIDCAccessTokenSessionJSON, err := json.Marshal(offlineAccessGrantedOIDCAccessTokenSession) r.NoError(err) offlineAccessGrantedOIDCAccessTokenSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "offlineAccessGrantedOIDCAccessTokenSession", Namespace: installedInNamespace, UID: "uid-123", ResourceVersion: "rv-123", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": accesstoken.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": offlineAccessGrantedOIDCAccessTokenSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + accesstoken.TypeLabelValue, } _, err = accesstoken.ReadFromSecret(offlineAccessGrantedOIDCAccessTokenSessionSecret) r.NoError(err, "the test author accidentally formed an invalid accesstoken secret") r.NoError(kubeInformerClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret)) r.NoError(kubeClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret)) offlineAccessNotGrantedOIDCAccessTokenSession := &accesstoken.Session{ Version: "2", Request: &fosite.Request{ GrantedScope: fosite.Arguments{"scope1", "scope2"}, ID: "request-id-2", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamRefreshToken: "fake-upstream-refresh-token", }, }, }, }, } offlineAccessNotGrantedOIDCAccessTokenSessionJSON, err := json.Marshal(offlineAccessNotGrantedOIDCAccessTokenSession) r.NoError(err) offlineAccessNotGrantedOIDCAccessTokenSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "offlineAccessNotGrantedOIDCAccessTokenSession", Namespace: installedInNamespace, UID: "uid-456", ResourceVersion: "rv-456", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": accesstoken.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": offlineAccessNotGrantedOIDCAccessTokenSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + accesstoken.TypeLabelValue, } _, err = accesstoken.ReadFromSecret(offlineAccessNotGrantedOIDCAccessTokenSessionSecret) r.NoError(err, "the test author accidentally formed an invalid accesstoken secret") r.NoError(kubeInformerClient.Tracker().Add(offlineAccessNotGrantedOIDCAccessTokenSessionSecret)) r.NoError(kubeClient.Tracker().Add(offlineAccessNotGrantedOIDCAccessTokenSessionSecret)) }) it("should revoke upstream tokens only from the active authcode secrets and delete them all", func() { happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName("upstream-oidc-provider-name"). WithResourceUID("upstream-oidc-provider-uid"). WithRevokeTokenError(nil) idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build()) startInformersAndController(idpListerBuilder.Build()) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) // The upstream refresh token is only revoked for the downstream session which had offline_access granted. idpListerBuilder.RequireExactlyOneCallToRevokeToken(t, "upstream-oidc-provider-name", &oidctestutil.RevokeTokenArgs{ Ctx: syncContext.Context, Token: "fake-upstream-refresh-token", TokenType: provider.RefreshTokenType, }, ) // Both session secrets are deleted. r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "offlineAccessGrantedOIDCAccessTokenSession", testutil.NewPreconditions("uid-123", "rv-123")), kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "offlineAccessNotGrantedOIDCAccessTokenSession", testutil.NewPreconditions("uid-456", "rv-456")), }, kubeClient.Actions(), ) }) }) when("there are valid, expired access token secrets which contain upstream access tokens", func() { it.Before(func() { offlineAccessGrantedOIDCAccessTokenSession := &accesstoken.Session{ Version: "2", Request: &fosite.Request{ GrantedScope: fosite.Arguments{"scope1", "scope2", "offline_access"}, ID: "request-id-1", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamAccessToken: "offline-access-granted-fake-upstream-access-token", }, }, }, }, } offlineAccessGrantedOIDCAccessTokenSessionJSON, err := json.Marshal(offlineAccessGrantedOIDCAccessTokenSession) r.NoError(err) offlineAccessGrantedOIDCAccessTokenSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "offlineAccessGrantedOIDCAccessTokenSession", Namespace: installedInNamespace, UID: "uid-123", ResourceVersion: "rv-123", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": accesstoken.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": offlineAccessGrantedOIDCAccessTokenSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + accesstoken.TypeLabelValue, } _, err = accesstoken.ReadFromSecret(offlineAccessGrantedOIDCAccessTokenSessionSecret) r.NoError(err, "the test author accidentally formed an invalid accesstoken secret") r.NoError(kubeInformerClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret)) r.NoError(kubeClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret)) offlineAccessNotGrantedOIDCAccessTokenSession := &accesstoken.Session{ Version: "2", Request: &fosite.Request{ GrantedScope: fosite.Arguments{"scope1", "scope2"}, ID: "request-id-2", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamAccessToken: "fake-upstream-access-token", }, }, }, }, } offlineAccessNotGrantedOIDCAccessTokenSessionJSON, err := json.Marshal(offlineAccessNotGrantedOIDCAccessTokenSession) r.NoError(err) offlineAccessNotGrantedOIDCAccessTokenSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "offlineAccessNotGrantedOIDCAccessTokenSession", Namespace: installedInNamespace, UID: "uid-456", ResourceVersion: "rv-456", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": accesstoken.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": offlineAccessNotGrantedOIDCAccessTokenSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + accesstoken.TypeLabelValue, } _, err = accesstoken.ReadFromSecret(offlineAccessNotGrantedOIDCAccessTokenSessionSecret) r.NoError(err, "the test author accidentally formed an invalid accesstoken secret") r.NoError(kubeInformerClient.Tracker().Add(offlineAccessNotGrantedOIDCAccessTokenSessionSecret)) r.NoError(kubeClient.Tracker().Add(offlineAccessNotGrantedOIDCAccessTokenSessionSecret)) }) it("should revoke upstream tokens only from the active authcode secrets and delete them all", func() { happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName("upstream-oidc-provider-name"). WithResourceUID("upstream-oidc-provider-uid"). WithRevokeTokenError(nil) idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build()) startInformersAndController(idpListerBuilder.Build()) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) // The upstream refresh token is only revoked for the downstream session which had offline_access granted. idpListerBuilder.RequireExactlyOneCallToRevokeToken(t, "upstream-oidc-provider-name", &oidctestutil.RevokeTokenArgs{ Ctx: syncContext.Context, Token: "fake-upstream-access-token", TokenType: provider.AccessTokenType, }, ) // Both session secrets are deleted. r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "offlineAccessGrantedOIDCAccessTokenSession", testutil.NewPreconditions("uid-123", "rv-123")), kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "offlineAccessNotGrantedOIDCAccessTokenSession", testutil.NewPreconditions("uid-456", "rv-456")), }, kubeClient.Actions(), ) }) }) when("there are valid, expired refresh secrets which contain upstream refresh tokens", func() { it.Before(func() { oidcRefreshSession := &refreshtoken.Session{ Version: "2", Request: &fosite.Request{ ID: "request-id-1", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamRefreshToken: "fake-upstream-refresh-token", }, }, }, }, } oidcRefreshSessionJSON, err := json.Marshal(oidcRefreshSession) r.NoError(err) oidcRefreshSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "oidcRefreshSession", Namespace: installedInNamespace, UID: "uid-123", ResourceVersion: "rv-123", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": refreshtoken.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": oidcRefreshSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + refreshtoken.TypeLabelValue, } _, err = refreshtoken.ReadFromSecret(oidcRefreshSessionSecret) r.NoError(err, "the test author accidentally formed an invalid refresh token secret") r.NoError(kubeInformerClient.Tracker().Add(oidcRefreshSessionSecret)) r.NoError(kubeClient.Tracker().Add(oidcRefreshSessionSecret)) }) it("should revoke upstream tokens from the secrets and delete them all", func() { happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName("upstream-oidc-provider-name"). WithResourceUID("upstream-oidc-provider-uid"). WithRevokeTokenError(nil) idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build()) startInformersAndController(idpListerBuilder.Build()) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) // The upstream refresh token is revoked. idpListerBuilder.RequireExactlyOneCallToRevokeToken(t, "upstream-oidc-provider-name", &oidctestutil.RevokeTokenArgs{ Ctx: syncContext.Context, Token: "fake-upstream-refresh-token", TokenType: provider.RefreshTokenType, }, ) // The secret is deleted. r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "oidcRefreshSession", testutil.NewPreconditions("uid-123", "rv-123")), }, kubeClient.Actions(), ) }) }) when("there are valid, expired refresh secrets which contain upstream access tokens", func() { it.Before(func() { oidcRefreshSession := &refreshtoken.Session{ Version: "2", Request: &fosite.Request{ ID: "request-id-1", Client: &clientregistry.Client{}, Session: &psession.PinnipedSession{ Custom: &psession.CustomSessionData{ ProviderUID: "upstream-oidc-provider-uid", ProviderName: "upstream-oidc-provider-name", ProviderType: psession.ProviderTypeOIDC, OIDC: &psession.OIDCSessionData{ UpstreamAccessToken: "fake-upstream-access-token", }, }, }, }, } oidcRefreshSessionJSON, err := json.Marshal(oidcRefreshSession) r.NoError(err) oidcRefreshSessionSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "oidcRefreshSession", Namespace: installedInNamespace, UID: "uid-123", ResourceVersion: "rv-123", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, Labels: map[string]string{ "storage.pinniped.dev/type": refreshtoken.TypeLabelValue, }, }, Data: map[string][]byte{ "pinniped-storage-data": oidcRefreshSessionJSON, "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/" + refreshtoken.TypeLabelValue, } _, err = refreshtoken.ReadFromSecret(oidcRefreshSessionSecret) r.NoError(err, "the test author accidentally formed an invalid refresh token secret") r.NoError(kubeInformerClient.Tracker().Add(oidcRefreshSessionSecret)) r.NoError(kubeClient.Tracker().Add(oidcRefreshSessionSecret)) }) it("should revoke upstream tokens from the secrets and delete them all", func() { happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName("upstream-oidc-provider-name"). WithResourceUID("upstream-oidc-provider-uid"). WithRevokeTokenError(nil) idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build()) startInformersAndController(idpListerBuilder.Build()) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) // The upstream refresh token is revoked. idpListerBuilder.RequireExactlyOneCallToRevokeToken(t, "upstream-oidc-provider-name", &oidctestutil.RevokeTokenArgs{ Ctx: syncContext.Context, Token: "fake-upstream-access-token", TokenType: provider.AccessTokenType, }, ) // The secret is deleted. r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "oidcRefreshSession", testutil.NewPreconditions("uid-123", "rv-123")), }, kubeClient.Actions(), ) }) }) when("very little time has passed since the previous sync call", func() { it.Before(func() { // Add a secret that will expire in 20 seconds. expiredSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "expired secret", Namespace: installedInNamespace, UID: "uid-747", ResourceVersion: "rv-609", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(20 * time.Second).Format(time.RFC3339), }, }, } r.NoError(kubeInformerClient.Tracker().Add(expiredSecret)) r.NoError(kubeClient.Tracker().Add(expiredSecret)) }) it("should do nothing to avoid being super chatty since it is called for every change to any Secret, until more time has passed", func() { startInformersAndController(nil) require.Empty(t, kubeClient.Actions()) // Run sync once with the current time set to frozenTime. r.NoError(controllerlib.TestSync(t, subject, *syncContext)) require.Empty(t, kubeClient.Actions()) r.False(syncContext.Queue.(*testQueue).called) // Run sync again when not enough time has passed since the most recent run, so no delete // operations should happen even though there is an expired secret now. fakeClock.Step(29 * time.Second) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) require.Empty(t, kubeClient.Actions()) r.True(syncContext.Queue.(*testQueue).called) r.Equal(controllerlib.Key{Namespace: "foo", Name: "bar"}, syncContext.Queue.(*testQueue).key) // assert key is passed through r.Equal(time.Second, syncContext.Queue.(*testQueue).duration) // assert that we get the exact requeue time syncContext.Queue = &testQueue{t: t} // reset the queue for the next sync // Step to the exact threshold and run Sync again. Now we are past the rate limiting period. fakeClock.Step(time.Second) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) r.False(syncContext.Queue.(*testQueue).called) // It should have deleted the expired secret. r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "expired secret", testutil.NewPreconditions("uid-747", "rv-609")), }, kubeClient.Actions(), ) list, err := kubeClient.CoreV1().Secrets(installedInNamespace).List(context.Background(), metav1.ListOptions{}) r.NoError(err) r.Len(list.Items, 1) r.Equal("some other unrelated secret", list.Items[0].Name) }) }) when("there is a secret with a malformed garbage-collect-after date", func() { it.Before(func() { malformedSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "malformed secret", Namespace: installedInNamespace, Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": "not-a-real-date-string", }, }, } r.NoError(kubeInformerClient.Tracker().Add(malformedSecret)) r.NoError(kubeClient.Tracker().Add(malformedSecret)) expiredSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "expired secret", Namespace: installedInNamespace, UID: "uid-748", ResourceVersion: "rv-608", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, }, } r.NoError(kubeInformerClient.Tracker().Add(expiredSecret)) r.NoError(kubeClient.Tracker().Add(expiredSecret)) }) it("does not delete that secret", func() { startInformersAndController(nil) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "expired secret", testutil.NewPreconditions("uid-748", "rv-608")), }, kubeClient.Actions(), ) list, err := kubeClient.CoreV1().Secrets(installedInNamespace).List(context.Background(), metav1.ListOptions{}) r.NoError(err) r.Len(list.Items, 2) r.ElementsMatch([]string{"malformed secret", "some other unrelated secret"}, []string{list.Items[0].Name, list.Items[1].Name}) }) }) when("the kube API delete call fails", func() { it.Before(func() { erroringSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "erroring secret", Namespace: installedInNamespace, UID: "uid-111", ResourceVersion: "rv-222", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, }, } r.NoError(kubeInformerClient.Tracker().Add(erroringSecret)) r.NoError(kubeClient.Tracker().Add(erroringSecret)) kubeClient.PrependReactor("delete", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) { if action.(kubetesting.DeleteActionImpl).Name == "erroring secret" { return true, nil, errors.New("delete failed: some delete error") } return false, nil, nil }) expiredSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "expired secret", Namespace: installedInNamespace, UID: "uid-333", ResourceVersion: "rv-444", Annotations: map[string]string{ "storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339), }, }, } r.NoError(kubeInformerClient.Tracker().Add(expiredSecret)) r.NoError(kubeClient.Tracker().Add(expiredSecret)) }) it("ignores the error and continues on to delete the next expired Secret", func() { startInformersAndController(nil) r.NoError(controllerlib.TestSync(t, subject, *syncContext)) r.ElementsMatch( []kubetesting.Action{ kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "erroring secret", testutil.NewPreconditions("uid-111", "rv-222")), kubetesting.NewDeleteActionWithOptions(secretsGVR, installedInNamespace, "expired secret", testutil.NewPreconditions("uid-333", "rv-444")), }, kubeClient.Actions(), ) list, err := kubeClient.CoreV1().Secrets(installedInNamespace).List(context.Background(), metav1.ListOptions{}) r.NoError(err) r.Len(list.Items, 2) r.ElementsMatch([]string{"erroring secret", "some other unrelated secret"}, []string{list.Items[0].Name, list.Items[1].Name}) }) }) }, spec.Parallel(), spec.Report(report.Terminal{})) } type testQueue struct { t *testing.T called bool key controllerlib.Key duration time.Duration controllerlib.Queue // panic if any other methods called } func (q *testQueue) AddAfter(key controllerlib.Key, duration time.Duration) { q.t.Helper() require.False(q.t, q.called, "AddAfter should only be called once") q.called = true q.key = key q.duration = duration }