ApplicationAuth: support OIDC authentication mode

Author: tkan145

controllers/capabilities/applicationauth_controller.go

@@ -47,12 +47,14 @@ type AuthSecret struct {
 	UserKey        string
 	ApplicationKey string
 	ApplicationID  string
+	ClientSecret   string
 }
 
 const (
 	UserKey        = "UserKey"
 	ApplicationKey = "ApplicationKey"
 	ApplicationID  = "ApplicationID"
+	ClientSecret   = "ClientSecret"
 )
 
 // +kubebuilder:rbac:groups=capabilities.3scale.net,resources=applicationauths,verbs=get;list;watch;create;update;patch;delete
@@ -202,6 +204,8 @@ func GetAuthController(mode string, logger logr.Logger) (AuthController, error)
 		return &userKeyAuthMode{logger: logger}, nil
 	case "2":
 		return &appIDAuthMode{logger: logger}, nil
+	case "oidc":
+		return &oidcAuthMode{logger: logger}, nil
 	default:
 		return nil, fmt.Errorf("unknown authentication mode")
 	}
@@ -328,6 +332,58 @@ func (a *appIDAuthMode) SecretReferenceSource(cl client.Client, ns string, authS
 	return &AuthSecret{ApplicationKey: applicationKeyStr}, nil
 }
 
+type oidcAuthMode struct {
+	logger logr.Logger
+}
+
+func (o *oidcAuthMode) Sync(threescaleClient *threescaleapi.ThreeScaleClient, developerAccountID int64, applicationID int64, authSecret AuthSecret) error {
+	// get the existing value from the portal
+	applicationKeys, err := threescaleClient.ApplicationKeys(developerAccountID, applicationID)
+	if err != nil {
+		return err
+	}
+
+	// pre-existing keys
+	if len(applicationKeys) > 0 {
+		// Nothing to do, return early
+		if applicationKeys[0].Value == authSecret.ClientSecret {
+			return nil
+		}
+
+		// if the key is not match, delete it
+		if err := threescaleClient.DeleteApplicationKey(developerAccountID, applicationID, applicationKeys[0].Value); err != nil {
+			return err
+		}
+	}
+
+	if _, err = threescaleClient.CreateApplicationKey(developerAccountID, applicationID, authSecret.ClientSecret); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (o *oidcAuthMode) SecretReferenceSource(cl client.Client, ns string, authSectretRef *corev1.LocalObjectReference, generateSecret bool) (*AuthSecret, error) {
+	secretSource := helper.NewSecretSource(cl, ns)
+	clientSecretStr, err := secretSource.RequiredFieldValueFromRequiredSecret(authSectretRef.Name, ClientSecret)
+	if err != nil {
+		return nil, err
+	}
+
+	if clientSecretStr == "" {
+		if generateSecret {
+			clientSecretStr = rand.String(16)
+		}
+		newValues := map[string][]byte{
+			ClientSecret: []byte(clientSecretStr),
+		}
+
+		if err := updateSecret(context.Background(), cl, authSectretRef.Name, ns, newValues); err != nil {
+			return nil, err
+		}
+	}
+	return &AuthSecret{ClientSecret: clientSecretStr}, nil
+}
+
 func (r *ApplicationAuthReconciler) reconcileStatus(resource *capabilitiesv1beta1.ApplicationAuth, err error, logger logr.Logger) (ctrl.Result, error) {
 	statusReconciler := NewApplicationAuthStatusReconciler(r.BaseReconciler, resource, err)
 	statusResult, statusErr := statusReconciler.Reconcile()

controllers/capabilities/applicationauth_controller_test.go

@@ -123,6 +123,45 @@ func TestApplicationAuthReconciler_syncApplicationAuth(t *testing.T) {
 			expectedKey: "testkey",
 			wantErr:     false,
 		},
+		{
+			name: "returns error with empty client_secret with empty secret",
+			mockServer: &mockApplicationAuthServer{
+				authMode:      "oidc",
+				keys:          []string{},
+				userAccountID: appID,
+				appID:         userAccountID,
+			},
+			authMode:    "oidc",
+			authSecret:  getEmptyAuthSecret(),
+			expectedKey: "",
+			wantErr:     true,
+		},
+		{
+			name: "update existing client_secret with value from secret",
+			mockServer: &mockApplicationAuthServer{
+				authMode:      "oidc",
+				keys:          []string{"initalkey"},
+				userAccountID: appID,
+				appID:         userAccountID,
+			},
+			authMode:    "oidc",
+			authSecret:  getAuthSecret(),
+			expectedKey: "testkey",
+			wantErr:     false,
+		},
+		{
+			name: "update existing client_secret with the same value should not return error",
+			mockServer: &mockApplicationAuthServer{
+				authMode:      "oidc",
+				keys:          []string{"testkey"},
+				userAccountID: appID,
+				appID:         userAccountID,
+			},
+			authMode:    "oidc",
+			authSecret:  getAuthSecret(),
+			expectedKey: "testkey",
+			wantErr:     false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -260,6 +299,30 @@ func TestApplicationAuthReconciler_authSecretReferenceSource(t *testing.T) {
 			wantErr:        false,
 			err:            "",
 		},
+		{
+			name:           "return error when secret is empty",
+			authMode:       "oidc",
+			generateSecret: true,
+			secretData:     map[string][]byte{},
+			wantErr:        true,
+			err:            "secret field 'ClientSecret' is required in secret 'test'",
+		},
+		{
+			name:           "generate client_secret when secret is empty",
+			authMode:       "oidc",
+			generateSecret: true,
+			secretData:     map[string][]byte{"ClientSecret": []byte("")},
+			wantErr:        false,
+			err:            "",
+		},
+		{
+			name:           "use client_secret value in secret",
+			authMode:       "oidc",
+			generateSecret: true,
+			secretData:     map[string][]byte{"ClientSecret": []byte("testkey")},
+			wantErr:        false,
+			err:            "",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -317,6 +380,10 @@ func TestApplicationAuthReconciler_authSecretReferenceSource(t *testing.T) {
 					if authSecret.ApplicationKey != string(newSecret.Data["ApplicationKey"]) {
 						t.Fatalf("mismatch user_key expected = '%s', got '%s'", authSecret.ApplicationKey, newSecret.Data["ApplicationKey"])
 					}
+				case "oidc":
+					if authSecret.ClientSecret != string(newSecret.Data[ClientSecret]) {
+						t.Fatalf("mismatch user_key expected = '%s', got '%s'", authSecret.ClientSecret, newSecret.Data[ClientSecret])
+					}
 				}
 			}
 		})
@@ -373,6 +440,7 @@ func getAuthSecret() AuthSecret {
 		UserKey:        "testkey",
 		ApplicationKey: "testkey",
 		ApplicationID:  "",
+		ClientSecret:   "testkey",
 	}
 	return authSecret
 }
@@ -400,7 +468,7 @@ func (m *mockApplicationAuthServer) GetKey(mode string) string {
 	switch mode {
 	case "1":
 		return m.userKey
-	case "2":
+	case "2", "oidc":
 		return strings.Join(m.keys, ",")
 	default:
 		return ""
@@ -461,6 +529,8 @@ func (m *mockApplicationAuthServer) applicationKeysHandler(w http.ResponseWriter
 
 		if m.authMode == "2" {
 			keyLimit = 5
+		} else if m.authMode == "oidc" {
+			keyLimit = 1
 		}
 
 		// Check if the current length does not exceed 5 keys limit