ApplicationAuth: support OIDC authentication mode

Author: tkan145

controllers/capabilities/applicationauth_controller.go

@@ -47,12 +47,14 @@ type AuthSecret struct {
 	UserKey        string
 	ApplicationKey string
 	ApplicationID  string
+	ClientSecret   string
 }
 
 const (
 	UserKey        = "UserKey"
 	ApplicationKey = "ApplicationKey"
 	ApplicationID  = "ApplicationID"
+	ClientSecret   = "ClientSecret"
 )
 
 // +kubebuilder:rbac:groups=capabilities.3scale.net,resources=applicationauths,verbs=get;list;watch;create;update;patch;delete
@@ -248,6 +250,29 @@ func syncApplicationAuth(
 				return fmt.Errorf("error sync applicationAuth for developerAccountID: %d, applicationID: %d, error: %w", developerAccountID, applicationID, err)
 			}
 		}
+	case "oidc":
+		// get the existing value from the portal
+		applicationKeys, err := threescaleClient.ApplicationKeys(developerAccountID, applicationID)
+		if err != nil {
+			return err
+		}
+
+		// pre-existing keys
+		if len(applicationKeys) > 0 {
+			// Nothing to do, return early
+			if applicationKeys[0].Value == authSecret.ClientSecret {
+				return nil
+			}
+
+			// if the key is not match, delete it
+			if err := threescaleClient.DeleteApplicationKey(developerAccountID, applicationID, applicationKeys[0].Value); err != nil {
+				return err
+			}
+		}
+
+		if _, err = threescaleClient.CreateApplicationKey(developerAccountID, applicationID, authSecret.ClientSecret); err != nil {
+			return err
+		}
 	}
 
 	return nil
@@ -304,6 +329,25 @@ func authSecretReferenceSource(cl client.Client, ns string, authSectretRef *core
 			}
 		}
 		return &AuthSecret{ApplicationKey: applicationKeyStr}, nil
+	case "oidc":
+		clientSecretStr, err := secretSource.RequiredFieldValueFromRequiredSecret(authSectretRef.Name, ClientSecret)
+		if err != nil {
+			return nil, err
+		}
+
+		if clientSecretStr == "" {
+			if generateSecret {
+				clientSecretStr = rand.String(16)
+			}
+			newValues := map[string][]byte{
+				ClientSecret: []byte(clientSecretStr),
+			}
+
+			if err := updateSecret(context.Background(), cl, authSectretRef.Name, ns, newValues); err != nil {
+				return nil, err
+			}
+		}
+		return &AuthSecret{ClientSecret: clientSecretStr}, nil
 	default:
 		return nil, fmt.Errorf("unknown authentication mode")
 	}

controllers/capabilities/applicationauth_controller_test.go

@@ -151,10 +151,51 @@ func TestApplicationAuthReconciler_syncApplicationAuth(t *testing.T) {
 			expectedKey: "testkey1,testkey2,testkey3",
 			wantErr:     false,
 		},
+		{
+			name: "returns error with empty client_secret with empty secret",
+			mockServer: &mockApplicationAuthServer{
+				authMode:      "oidc",
+				keys:          []string{},
+				userAccountID: appID,
+				appID:         userAccountID,
+			},
+			authMode:    "oidc",
+			authSecret:  getEmptyAuthSecret(),
+			expectedKey: "",
+			wantErr:     true,
+		},
+		{
+			name: "update existing client_secret with value from secret",
+			mockServer: &mockApplicationAuthServer{
+				authMode:      "oidc",
+				keys:          []string{"initalkey"},
+				userAccountID: appID,
+				appID:         userAccountID,
+			},
+			authMode:    "oidc",
+			authSecret:  getAuthSecret(),
+			expectedKey: "testkey",
+			wantErr:     false,
+		},
+		{
+			name: "update existing client_secret with the same value should not return error",
+			mockServer: &mockApplicationAuthServer{
+				authMode:      "oidc",
+				keys:          []string{"testkey"},
+				userAccountID: appID,
+				appID:         userAccountID,
+			},
+			authMode:    "oidc",
+			authSecret:  getAuthSecret(),
+			expectedKey: "testkey",
+			wantErr:     false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			srv := tt.mockServer.GetServer()
+			defer srv.Close()
+
 			ap, _ := threescaleapi.NewAdminPortalFromStr(srv.URL)
 			threescaleClient := threescaleapi.NewThreeScale(ap, "test", srv.Client())
 
@@ -236,6 +277,30 @@ func TestApplicationAuthReconciler_authSecretReferenceSource(t *testing.T) {
 			wantErr:        false,
 			err:            "",
 		},
+		{
+			name:           "return error when secret is empty",
+			authMode:       "oidc",
+			generateSecret: true,
+			secretData:     map[string][]byte{},
+			wantErr:        true,
+			err:            "secret field 'ClientSecret' is required in secret 'test'",
+		},
+		{
+			name:           "generate client_secret when secret is empty",
+			authMode:       "oidc",
+			generateSecret: true,
+			secretData:     map[string][]byte{"ClientSecret": []byte("")},
+			wantErr:        false,
+			err:            "",
+		},
+		{
+			name:           "use client_secret value in secret",
+			authMode:       "oidc",
+			generateSecret: true,
+			secretData:     map[string][]byte{"ClientSecret": []byte("testkey")},
+			wantErr:        false,
+			err:            "",
+		},
 		{
 			name:           "return error with unknown authMode",
 			authMode:       "unknown",
@@ -293,6 +358,10 @@ func TestApplicationAuthReconciler_authSecretReferenceSource(t *testing.T) {
 					if authSecret.ApplicationKey != string(newSecret.Data["ApplicationKey"]) {
 						t.Fatalf("mismatch user_key expected = '%s', got '%s'", authSecret.ApplicationKey, newSecret.Data["ApplicationKey"])
 					}
+				case "oidc":
+					if authSecret.ClientSecret != string(newSecret.Data[ClientSecret]) {
+						t.Fatalf("mismatch user_key expected = '%s', got '%s'", authSecret.ClientSecret, newSecret.Data[ClientSecret])
+					}
 				}
 			}
 		})
@@ -349,6 +418,7 @@ func getAuthSecret() AuthSecret {
 		UserKey:        "testkey",
 		ApplicationKey: "testkey",
 		ApplicationID:  "",
+		ClientSecret:   "testkey",
 	}
 	return authSecret
 }
@@ -376,7 +446,7 @@ func (m *mockApplicationAuthServer) GetKey(mode string) string {
 	switch mode {
 	case "1":
 		return m.userKey
-	case "2":
+	case "2", "oidc":
 		return strings.Join(m.keys, ",")
 	default:
 		return ""
@@ -437,6 +507,8 @@ func (m *mockApplicationAuthServer) applicationKeysHandler(w http.ResponseWriter
 
 		if m.authMode == "2" {
 			keyLimit = 5
+		} else if m.authMode == "oidc" {
+			keyLimit = 1
 		}
 
 		// Check if the current lenght does not exceed 5 keys limit