@@ -417,8 +481,388 @@ string
GlobalDatasourceStatus holds the status of the GlobalDatasource resource.
+
Library
+
+
+
Library is the Schema for the libraries API
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+metadata
+
+
+k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+
+
+spec
+
+
+LibrarySpec
+
+
+ |
+
+
+
+
+
+
+name
+
+string
+
+ |
+
+ Name is the name the Library will have in Styra DAS
+ |
+
+
+
+description
+
+string
+
+ |
+
+ Description is the description of the Library
+ |
+
+
+
+subjects
+
+
+[]LibrarySubject
+
+
+ |
+
+ Subjects is the list of subjects which should have access to the system.
+ |
+
+
+
+sourceControl
+
+
+SourceControl
+
+
+ |
+
+ SourceControl is the sourcecontrol configuration for the Library
+ |
+
+
+
+datasources
+
+
+[]LibraryDatasource
+
+
+ |
+
+ Datasources is the list of datasources in the Library
+ |
+
+
+ |
+
+
+
+status
+
+
+LibraryStatus
+
+
+ |
+
+ |
+
+
+
+
LibraryDatasource
+
+
+(Appears on:LibrarySpec)
+
+
+
LibraryDatasource contains metadata of a datasource, stored in a library
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+path
+
+string
+
+ |
+
+ Path is the path within the system where the datasource should reside.
+ |
+
+
+
+description
+
+string
+
+ |
+
+ Description is a description of the datasource
+ |
+
+
+
+
LibrarySecretRef
+
+
+
LibrarySecretRef defines how to access a k8s secret for the library.
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+namespace
+
+string
+
+ |
+
+ Namespace is the namespace where the secret resides.
+ |
+
+
+
+name
+
+string
+
+ |
+
+ Name is the name of the secret.
+ |
+
+
+
+
LibrarySpec
+
+
+(Appears on:Library)
+
+
+
LibrarySpec defines the desired state of Library
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+name
+
+string
+
+ |
+
+ Name is the name the Library will have in Styra DAS
+ |
+
+
+
+description
+
+string
+
+ |
+
+ Description is the description of the Library
+ |
+
+
+
+subjects
+
+
+[]LibrarySubject
+
+
+ |
+
+ Subjects is the list of subjects which should have access to the system.
+ |
+
+
+
+sourceControl
+
+
+SourceControl
+
+
+ |
+
+ SourceControl is the sourcecontrol configuration for the Library
+ |
+
+
+
+datasources
+
+
+[]LibraryDatasource
+
+
+ |
+
+ Datasources is the list of datasources in the Library
+ |
+
+
+
+
LibraryStatus
+
+
+(Appears on:Library)
+
+
+
LibraryStatus defines the observed state of Library
+
+
LibrarySubject
+
+
+(Appears on:LibrarySpec)
+
+
+
LibrarySubject represents a subject which has been granted access to the Library.
+The subject is assigned to the LibraryViewer role.
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+kind
+
+
+LibrarySubjectKind
+
+
+ |
+
+ Kind is the LibrarySubjectKind of the subject.
+ |
+
+
+
+name
+
+string
+
+ |
+
+ Name is the name of the subject. The meaning of this field depends on the
+SubjectKind.
+ |
+
+
+
+
LibrarySubjectKind
+(string alias)
+
+(Appears on:LibrarySubject)
+
+
+
LibrarySubjectKind represents a kind of a subject.
+
+
+
+
+| Value |
+Description |
+
+
+"group" |
+LibrarySubjectKindGroup is the subject kind group.
+ |
+
"user" |
+LibrarySubjectKindUser is the subject kind user.
+ |
+
+
+
SourceControl
+
+
+(Appears on:LibrarySpec)
+
+
+
SourceControl is a struct from styra where we only use a single field
+but kept for clarity when comparing to the API
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+libraryOrigin
+
+
+GitRepo
+
+
+ |
+
+ |
+
+
+
Generated with gen-crd-api-reference-docs
-on git commit 534b87f.
+on git commit d1f19e4.
diff --git a/docs/apis/styra/v1beta1.md b/docs/apis/styra/v1beta1.md
index bc285e8..84e1563 100644
--- a/docs/apis/styra/v1beta1.md
+++ b/docs/apis/styra/v1beta1.md
@@ -1172,5 +1172,5 @@ System.
Generated with gen-crd-api-reference-docs
-on git commit d2179ec.
+on git commit d1f19e4.
diff --git a/internal/controller/styra/library_controller.go b/internal/controller/styra/library_controller.go
new file mode 100644
index 0000000..7356ec1
--- /dev/null
+++ b/internal/controller/styra/library_controller.go
@@ -0,0 +1,487 @@
+/*
+Copyright (C) 2023 Bankdata (bankdata@bankdata.dk)
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package styra
+
+import (
+ "context"
+ "fmt"
+ "net/http"
+ "path"
+
+ ctrlerr "github.com/bankdata/styra-controller/internal/errors"
+ "github.com/bankdata/styra-controller/internal/webhook"
+ "github.com/bankdata/styra-controller/pkg/styra"
+ "github.com/go-logr/logr"
+ "github.com/pkg/errors"
+
+ k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/log"
+
+ configv2alpha2 "github.com/bankdata/styra-controller/api/config/v2alpha2"
+ styrav1alpha1 "github.com/bankdata/styra-controller/api/styra/v1alpha1"
+)
+
+// LibraryReconciler reconciles a Library object
+type LibraryReconciler struct {
+ client.Client
+ Scheme *runtime.Scheme
+ Styra styra.ClientInterface
+ Config *configv2alpha2.ProjectConfig
+ WebhookClient webhook.Client
+}
+
+//+kubebuilder:rbac:groups=styra.bankdata.dk,resources=libraries,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=styra.bankdata.dk,resources=libraries/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=styra.bankdata.dk,resources=libraries/finalizers,verbs=update
+
+// Reconcile implements renconcile.Renconciler and has responsibility of
+// ensuring that the current state of the Library resource renconciled
+// towards the desired state.
+func (r *LibraryReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+ log := log.FromContext(ctx)
+ log.Info("Reconciliation begins")
+
+ var k8sLib styrav1alpha1.Library
+ if err := r.Get(ctx, req.NamespacedName, &k8sLib); err != nil {
+ if k8serrors.IsNotFound(err) {
+ log.Info("Could not find Library")
+ return ctrl.Result{}, nil
+ }
+ return ctrl.Result{}, errors.Wrap(err, "Could not get Library")
+ }
+
+ if !k8sLib.ObjectMeta.DeletionTimestamp.IsZero() {
+ log.Info(fmt.Sprintf("Library %s is under deletion in k8s. Ignoring it.", k8sLib.Spec.Name))
+ return ctrl.Result{}, nil
+ }
+
+ log.Info("Reconciling git credentials from default credentials")
+ gitCredential := r.Config.GetGitCredentialForRepo(k8sLib.Spec.SourceControl.LibraryOrigin.URL)
+ if gitCredential == nil {
+ log.Info("Could not find matching credentials", "url", k8sLib.Spec.SourceControl.LibraryOrigin.URL)
+ } else {
+ _, err := r.Styra.CreateUpdateSecret(
+ ctx,
+ path.Join("libraries", k8sLib.Spec.Name, "git"),
+ &styra.CreateUpdateSecretsRequest{
+ Name: gitCredential.User,
+ Secret: gitCredential.Password,
+ },
+ )
+ if err != nil {
+ return ctrl.Result{}, ctrlerr.Wrap(err, "Could not update Styra secret")
+ }
+ }
+
+ log.Info("Reconciling Library")
+ update := false
+ libResp, err := r.Styra.GetLibrary(ctx, k8sLib.Spec.Name)
+ if err != nil {
+ var httpErr *styra.HTTPError
+ if errors.As(err, &httpErr) {
+ if httpErr.StatusCode == http.StatusNotFound {
+ update = true
+ }
+ }
+ } else if r.needsUpdate(&k8sLib, libResp.LibraryEntityExpanded) {
+ update = true
+ }
+
+ if update {
+ log.Info("UpsertLibrary")
+ _, err := r.Styra.UpsertLibrary(ctx, k8sLib.Spec.Name, r.specToUpdate(&k8sLib))
+ if err != nil {
+ return ctrl.Result{}, ctrlerr.Wrap(err, "Could not upsert library")
+ }
+ }
+
+ if libResp == nil {
+ // This is often the case when a library has just been created.
+ log.Info(fmt.Sprint("Library ", k8sLib.Spec.Name, " could not be fetched. Requeueing..."))
+ return ctrl.Result{Requeue: true}, nil
+ }
+
+ if result, err := r.reconcileDatasources(ctx, log, &k8sLib, libResp.LibraryEntityExpanded); err != nil {
+ return result, ctrlerr.Wrap(err, "Could not reconcile library datasources")
+ }
+
+ if result, err := r.reconcileSubjects(ctx, log, &k8sLib); err != nil {
+ return result, err
+ }
+
+ log.Info("Reconciliation completed")
+ return ctrl.Result{}, nil
+}
+
+func (r *LibraryReconciler) specToUpdate(k8sLib *styrav1alpha1.Library) *styra.UpsertLibraryRequest {
+ if k8sLib == nil {
+ return nil
+ }
+ specs := k8sLib.Spec
+ k8sSourceControl := specs.SourceControl.LibraryOrigin
+
+ sourceControl := styra.LibraryGitRepoConfig{
+ Commit: k8sSourceControl.Commit,
+ Credentials: path.Join("libraries", specs.Name, "git"),
+ Path: k8sSourceControl.Path,
+ Reference: k8sSourceControl.Reference,
+ URL: k8sSourceControl.URL,
+ }
+
+ req := styra.UpsertLibraryRequest{
+ Description: specs.Description,
+ ReadOnly: true,
+ SourceControl: &styra.LibrarySourceControlConfig{LibraryOrigin: &sourceControl},
+ }
+
+ return &req
+}
+
+func (r *LibraryReconciler) needsUpdate(k8sLib *styrav1alpha1.Library, styraLib *styra.LibraryEntityExpanded) bool {
+ if k8sLib == nil {
+ return false
+ }
+
+ specs := k8sLib.Spec
+ if styraLib == nil ||
+ specs.Name != styraLib.ID ||
+ specs.Description != styraLib.Description ||
+ !styraLib.ReadOnly ||
+ !sameSourceControl(specs.SourceControl, styraLib.SourceControl) {
+ return true
+ }
+
+ if styraLib.SourceControl.LibraryOrigin.Credentials != path.Join("libraries", k8sLib.Spec.Name, "git") {
+ if r.Config.GetGitCredentialForRepo(specs.SourceControl.LibraryOrigin.URL) != nil {
+ return true
+ }
+ }
+
+ return false
+}
+
+func sameSourceControl(k8sLib *styrav1alpha1.SourceControl, styraLib *styra.LibrarySourceControlConfig) bool {
+ return k8sLib.LibraryOrigin.Path == styraLib.LibraryOrigin.Path &&
+ k8sLib.LibraryOrigin.Reference == styraLib.LibraryOrigin.Reference &&
+ k8sLib.LibraryOrigin.Commit == styraLib.LibraryOrigin.Commit &&
+ k8sLib.LibraryOrigin.URL == styraLib.LibraryOrigin.URL
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *LibraryReconciler) SetupWithManager(mgr ctrl.Manager) error {
+ return ctrl.NewControllerManagedBy(mgr).
+ For(&styrav1alpha1.Library{}).
+ Complete(r)
+}
+
+func (r *LibraryReconciler) reconcileDatasources(ctx context.Context, log logr.Logger, k8sLib *styrav1alpha1.Library,
+ styraLib *styra.LibraryEntityExpanded) (ctrl.Result, error) {
+ log.Info("Reconciling library datasources")
+
+ existingByID := map[string]styra.LibraryDatasourceConfig{}
+ if styraLib != nil {
+ for _, ds := range styraLib.DataSources {
+ if ds.ID != "" {
+ existingByID[ds.ID] = ds
+ }
+ }
+ }
+
+ expectedByID := map[string]styrav1alpha1.LibraryDatasource{}
+ if k8sLib.Spec.Datasources != nil {
+ for _, ds := range k8sLib.Spec.Datasources {
+ id := path.Join("libraries", k8sLib.Spec.Name, ds.Path)
+ expectedByID[id] = ds
+ }
+ }
+
+ // Create the missing datasources
+ for id := range expectedByID {
+ ds, exists := existingByID[id]
+ if !exists || ds.Category != "rest" {
+ log := log.WithValues("datasourceID", id)
+ log.Info("Creating or updating datasource")
+ request := &styra.UpsertDatasourceRequest{
+ Category: "rest",
+ Enabled: true,
+ }
+ _, err := r.Styra.UpsertDatasource(ctx, id, request)
+ if err != nil {
+ return ctrl.Result{}, ctrlerr.Wrap(err, "Could not create or update library datasource")
+ }
+
+ if r.WebhookClient != nil {
+ log.Info("Calling library datasource changed webhook")
+ if err := r.WebhookClient.DatasourceChanged(ctx, log, "jwt-library", ""); err != nil {
+ err = ctrlerr.Wrap(err, "could not call 'library datasource changed' webhook")
+ log.Error(err, err.Error())
+ }
+ }
+ }
+ }
+
+ // Delete the unexpected datasources
+ if styraLib == nil {
+ return ctrl.Result{}, nil
+ }
+
+ for _, ds := range styraLib.DataSources {
+ if ds.ID == "" {
+ log.Info("There exists some datasource without id?")
+ continue
+ }
+
+ if _, expected := expectedByID[ds.ID]; !expected {
+ log.Info("Deleting undeclared datasource")
+
+ if _, err := r.Styra.DeleteDatasource(ctx, ds.ID); err != nil {
+ return ctrl.Result{}, ctrlerr.Wrap(err, "Could not delete library datasource")
+ }
+ }
+ }
+
+ log.Info("Reconciled datasources")
+ return ctrl.Result{}, nil
+}
+
+func (r *LibraryReconciler) reconcileSubjects(
+ ctx context.Context,
+ log logr.Logger,
+ k8sLib *styrav1alpha1.Library,
+) (ctrl.Result, error) {
+ log.Info("Reconciling subjects for library")
+
+ // Make sure all users already exist in Styra, otherwise create them
+ if err := r.createUsersIfMissing(ctx, log, k8sLib); err != nil {
+ return ctrl.Result{}, err
+ }
+
+ // Delete Rolebindings to other roles then LibraryViewer
+ if err := r.deleteIncorrectRoleBindings(ctx, log, k8sLib); err != nil {
+ return ctrl.Result{}, err
+ }
+
+ // Create rolebinding for LibraryViewer if it is missing
+ if err := r.createRoleBindingIfMissing(ctx, log, styra.RoleLibraryViewer, k8sLib); err != nil {
+ return ctrl.Result{}, err
+ }
+
+ // Make sure the LibraryViewer rolebinding contains correct subjects
+ if err := r.updateRoleBindingIfNeeded(ctx, log, styra.RoleLibraryViewer, k8sLib); err != nil {
+ return ctrl.Result{}, err
+ }
+
+ return ctrl.Result{}, nil
+}
+
+func (r *LibraryReconciler) createUsersIfMissing(
+ ctx context.Context,
+ log logr.Logger,
+ k8sLib *styrav1alpha1.Library) error {
+ for _, subject := range k8sLib.Spec.Subjects {
+ if subject.IsUser() {
+ log := log.WithValues("user", subject.Name)
+ log.Info("Checking if user exists")
+ res, err := r.Styra.GetUser(ctx, subject.Name)
+ if err != nil {
+ return ctrlerr.Wrap(err, "Could not get user from Styra API")
+ }
+
+ if res.StatusCode == http.StatusNotFound {
+ log.Info("User does not exist in styra. Creating...")
+ _, err := r.Styra.CreateInvitation(ctx, false, subject.Name)
+ if err != nil {
+ return ctrlerr.Wrap(err, "Could not create user in Styra")
+ }
+ }
+ }
+ }
+ return nil
+}
+
+func (r *LibraryReconciler) deleteIncorrectRoleBindings(
+ ctx context.Context,
+ log logr.Logger,
+ k8sLib *styrav1alpha1.Library) error {
+ log.Info("Deleting Rolebindings to roles that are not LibraryViewers")
+ res, err := r.Styra.ListRoleBindingsV2(ctx, &styra.ListRoleBindingsV2Params{
+ ResourceKind: styra.RoleBindingKindLibrary,
+ ResourceID: k8sLib.Spec.Name,
+ })
+ if err != nil {
+ return ctrlerr.Wrap(err, "Could not get rolebindings for Library in Styra")
+ }
+
+ for _, styraRB := range res.Rolebindings {
+ if styraRB.RoleID != styra.Role("LibraryViewer") {
+ if _, err := r.Styra.DeleteRoleBindingV2(ctx, styraRB.ID); err != nil {
+ return err
+ }
+ }
+ }
+ return nil
+}
+
+func (r *LibraryReconciler) createRoleBindingIfMissing(
+ ctx context.Context,
+ log logr.Logger,
+ role styra.Role,
+ k8sLib *styrav1alpha1.Library) error {
+ res, err := r.Styra.ListRoleBindingsV2(ctx, &styra.ListRoleBindingsV2Params{
+ ResourceKind: styra.RoleBindingKindLibrary,
+ ResourceID: k8sLib.Spec.Name,
+ })
+ if err != nil {
+ return ctrlerr.Wrap(err, "Could not get rolebindings for Library in Styra")
+ }
+
+ if len(res.Rolebindings) == 0 {
+ log.Info(fmt.Sprintf("No rolebindings exist for the %s Library. Creating rolebinding.", k8sLib.Spec.Name))
+
+ k8sRolebindingSubjects := createLibraryRolebindingSubjects(
+ k8sLib.Spec.Subjects,
+ r.Config.SSO,
+ )
+
+ err := r.createRoleBinding(ctx, log, k8sLib, role, k8sRolebindingSubjects)
+ if err != nil {
+ return ctrlerr.Wrap(err, "Could not create rolebinding in Styra")
+ }
+ }
+ return nil
+}
+
+func (r *LibraryReconciler) updateRoleBindingIfNeeded(
+ ctx context.Context,
+ log logr.Logger,
+ role styra.Role,
+ k8sLib *styrav1alpha1.Library) error {
+ res, err := r.Styra.ListRoleBindingsV2(ctx, &styra.ListRoleBindingsV2Params{
+ ResourceKind: styra.RoleBindingKindLibrary,
+ ResourceID: k8sLib.Spec.Name,
+ })
+ if err != nil {
+ return ctrlerr.Wrap(err, "Could not get rolebindings for Library in Styra")
+ }
+
+ k8sRolebindingSubjects := createLibraryRolebindingSubjects(
+ k8sLib.Spec.Subjects,
+ r.Config.SSO,
+ )
+
+ // res.Rolebindings should only contain one rolebinding, for the "LibraryViewer" role
+ // Also, should contain nothing else after deleteIncorrectRoleBindings
+ for _, rb := range res.Rolebindings {
+ if rb.RoleID == role {
+ if !styra.SubjectsAreEqual(k8sRolebindingSubjects, rb.Subjects) {
+ if err := r.updateRoleBindingSubjects(ctx, log, rb.ID, k8sRolebindingSubjects); err != nil {
+ return err
+ }
+ }
+ }
+ }
+
+ return nil
+}
+
+func (r *LibraryReconciler) updateRoleBindingSubjects(
+ ctx context.Context,
+ log logr.Logger,
+ roleBindingID string,
+ subjects []*styra.Subject,
+) error {
+ log.Info("Updating rolebinding")
+
+ _, err := r.Styra.UpdateRoleBindingSubjects(
+ ctx,
+ roleBindingID,
+ &styra.UpdateRoleBindingSubjectsRequest{Subjects: subjects},
+ )
+ if err != nil {
+ return ctrlerr.Wrap(err, "Could not update Styra role binding")
+ }
+
+ log.Info("Updated rolebinding")
+ return nil
+}
+
+func createLibraryRolebindingSubjects(
+ subjects []styrav1alpha1.LibrarySubject,
+ sso *configv2alpha2.SSOConfig,
+) []*styra.Subject {
+ styraSubjectsByUserID := map[string]struct{}{}
+ styraSubjectsByClaimValue := map[string]struct{}{}
+
+ styraSubjects := []*styra.Subject{}
+
+ for _, subject := range subjects {
+ if subject.IsUser() {
+ if _, ok := styraSubjectsByUserID[subject.Name]; ok {
+ continue
+ }
+ styraSubjects = append(styraSubjects, &styra.Subject{
+ Kind: styra.SubjectKindUser,
+ ID: subject.Name,
+ })
+ styraSubjectsByUserID[subject.Name] = struct{}{}
+
+ } else if subject.Kind == styrav1alpha1.LibrarySubjectKindGroup && sso != nil {
+ if _, ok := styraSubjectsByClaimValue[subject.Name]; ok {
+ continue
+ }
+
+ styraSubjects = append(styraSubjects, &styra.Subject{
+ Kind: styra.SubjectKindClaim,
+ ClaimConfig: &styra.ClaimConfig{
+ IdentityProvider: sso.IdentityProvider,
+ Key: sso.JWTGroupsClaim,
+ Value: subject.Name,
+ },
+ })
+ styraSubjectsByClaimValue[subject.Name] = struct{}{}
+ }
+ }
+
+ return styraSubjects
+}
+
+func (r *LibraryReconciler) createRoleBinding(
+ ctx context.Context,
+ log logr.Logger,
+ k8sLib *styrav1alpha1.Library,
+ role styra.Role,
+ subjects []*styra.Subject,
+) error {
+ log.Info("Creating rolebinding")
+
+ if _, err := r.Styra.CreateRoleBinding(ctx, &styra.CreateRoleBindingRequest{
+ ResourceFilter: &styra.ResourceFilter{
+ ID: k8sLib.Spec.Name,
+ Kind: styra.RoleBindingKindLibrary,
+ },
+ RoleID: role,
+ Subjects: subjects,
+ }); err != nil {
+ return ctrlerr.Wrap(err, "Could not create rolebinding")
+ }
+
+ log.Info("Created rolebinding")
+ return nil
+}
diff --git a/pkg/styra/authz.go b/pkg/styra/authz.go
index b23dd08..15e9772 100644
--- a/pkg/styra/authz.go
+++ b/pkg/styra/authz.go
@@ -40,6 +40,9 @@ const (
// RoleSystemPolicyEditor is the Styra SystemPolicyEditor role.
RoleSystemPolicyEditor Role = "SystemPolicyEditor"
+
+ // RoleLibraryViewer is the Styra LibraryViewer role.
+ RoleLibraryViewer Role = "LibraryViewer"
)
// RoleBindingKind is the kind of the role binding.
@@ -49,6 +52,9 @@ const (
// RoleBindingKindSystem is a RoleBindingKind used when the role is for a
// System.
RoleBindingKindSystem RoleBindingKind = "system"
+ // RoleBindingKindLibrary is a RoleBindingKind used when the role is for a
+ // Library.
+ RoleBindingKindLibrary RoleBindingKind = "library"
)
// SubjectKind is the kind of a subject.
diff --git a/pkg/styra/client.go b/pkg/styra/client.go
index 9dc725e..cc2456c 100644
--- a/pkg/styra/client.go
+++ b/pkg/styra/client.go
@@ -62,6 +62,9 @@ type ClientInterface interface {
DeleteDatasource(ctx context.Context, id string) (*DeleteDatasourceResponse, error)
+ GetLibrary(ctx context.Context, id string) (*GetLibraryResponse, error)
+ UpsertLibrary(ctx context.Context, id string, request *UpsertLibraryRequest) (*UpsertLibraryResponse, error)
+
UpdateSystem(ctx context.Context, id string, request *UpdateSystemRequest) (*UpdateSystemResponse, error)
DeleteSystem(ctx context.Context, id string) (*DeleteSystemResponse, error)
diff --git a/pkg/styra/library.go b/pkg/styra/library.go
new file mode 100644
index 0000000..31d362e
--- /dev/null
+++ b/pkg/styra/library.go
@@ -0,0 +1,145 @@
+/*
+Copyright (C) 2023 Bankdata (bankdata@bankdata.dk)
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package styra
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "io"
+ "net/http"
+
+ "github.com/pkg/errors"
+)
+
+const (
+ endpointV1Libraries = "/v1/libraries"
+)
+
+type getLibraryJSONResponse struct {
+ Result *LibraryEntityExpanded `json:"result"`
+}
+
+// GetLibraryResponse is the response type for calls to the
+// GET /v1/libraries/{id} endpoint in the Styra API.
+type GetLibraryResponse struct {
+ Statuscode int
+ Body []byte
+ LibraryEntityExpanded *LibraryEntityExpanded
+}
+
+// LibraryEntityExpanded is the type that defines of a Library
+type LibraryEntityExpanded struct {
+ DataSources []LibraryDatasourceConfig `json:"datasources"`
+ Description string `json:"description"`
+ ID string `json:"id"`
+ ReadOnly bool `json:"read_only"`
+ SourceControl *LibrarySourceControlConfig `json:"source_control"`
+}
+
+// LibraryDatasourceConfig defines metadata of a datasource
+type LibraryDatasourceConfig struct {
+ Category string `json:"category"`
+ ID string `json:"id"`
+}
+
+// LibrarySourceControlConfig is a struct from styra where we only use a single field
+// but kept for clarity when comparing to the API
+type LibrarySourceControlConfig struct {
+ LibraryOrigin *LibraryGitRepoConfig `json:"library_origin"`
+}
+
+// LibraryGitRepoConfig defines the Git configurations a library can be defined by
+type LibraryGitRepoConfig struct {
+ Commit string `json:"commit"`
+ Credentials string `json:"credentials"`
+ Path string `json:"path"`
+ Reference string `json:"reference"`
+ URL string `json:"url"`
+}
+
+// UpsertLibraryRequest is the request body for the
+// PUT /v1/libraries/{id} endpoint in the Styra API.
+type UpsertLibraryRequest struct {
+ Description string `json:"description"`
+ ReadOnly bool `json:"read_only"`
+ SourceControl *LibrarySourceControlConfig `json:"source_control"`
+}
+
+// UpsertLibraryResponse is the response body for the
+// PUT /v1/libraries/{id} endpoint in the Styra API.
+type UpsertLibraryResponse struct {
+ StatusCode int
+ Body []byte
+}
+
+// GetLibrary calls the GET /v1/libraries/{id} endpoint in the
+// Styra API.
+func (c *Client) GetLibrary(ctx context.Context, id string) (*GetLibraryResponse, error) {
+ res, err := c.request(ctx, http.MethodGet, fmt.Sprintf("%s/%s", endpointV1Libraries, id), nil)
+ if err != nil {
+ return nil, err
+ }
+
+ body, err := io.ReadAll(res.Body)
+ if err != nil {
+ return nil, errors.Wrap(err, "could not read body")
+ }
+
+ if res.StatusCode != http.StatusOK {
+ err := NewHTTPError(res.StatusCode, string(body))
+ return nil, err
+ }
+
+ var jsonRes getLibraryJSONResponse
+ if err := json.Unmarshal(body, &jsonRes); err != nil {
+ return nil, errors.Wrap(err, "could not unmarshal body")
+ }
+
+ return &GetLibraryResponse{
+ Statuscode: res.StatusCode,
+ Body: body,
+ LibraryEntityExpanded: jsonRes.Result,
+ }, nil
+}
+
+// UpsertLibrary calls the PUT /v1/libraries/{id} endpoint in the
+// Styra API.
+func (c *Client) UpsertLibrary(ctx context.Context, id string, request *UpsertLibraryRequest,
+) (*UpsertLibraryResponse, error) {
+ res, err := c.request(ctx, http.MethodPut, fmt.Sprintf("%s/%s", endpointV1Libraries, id), request)
+ if err != nil {
+ return nil, err
+ }
+
+ body, err := io.ReadAll(res.Body)
+ if err != nil {
+ return nil, errors.Wrap(err, "could not read body")
+ }
+
+ if res.StatusCode != http.StatusOK {
+ err := NewHTTPError(res.StatusCode, string(body))
+ return nil, err
+ }
+
+ resp := UpsertLibraryResponse{
+ StatusCode: res.StatusCode,
+ Body: body,
+ }
+
+ return &resp, nil
+}
diff --git a/pkg/styra/library_test.go b/pkg/styra/library_test.go
new file mode 100644
index 0000000..dd18d20
--- /dev/null
+++ b/pkg/styra/library_test.go
@@ -0,0 +1,245 @@
+/*
+Copyright (C) 2023 Bankdata (bankdata@bankdata.dk)
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package styra_test
+
+import (
+ "bytes"
+ "context"
+ "encoding/json"
+ "errors"
+ "io"
+ "net/http"
+
+ ginkgo "github.com/onsi/ginkgo/v2"
+ gomega "github.com/onsi/gomega"
+
+ "github.com/bankdata/styra-controller/pkg/styra"
+)
+
+var _ = ginkgo.Describe("GetLibrary", func() {
+ type test struct {
+ libraryID string
+ responseCode int
+ responseBody string
+ expectedLibraryEntityExpanded *styra.LibraryEntityExpanded
+ expectStyraErr bool
+ }
+
+ ginkgo.DescribeTable("GetLibrary", func(test test) {
+ c := newTestClient(func(r *http.Request) *http.Response {
+ gomega.Expect(r.Method).To(gomega.Equal(http.MethodGet))
+ gomega.Expect(r.URL.String()).To(gomega.Equal("http://test.com/v1/libraries/" + test.libraryID))
+
+ return &http.Response{
+ Header: make(http.Header),
+ StatusCode: test.responseCode,
+ Body: io.NopCloser(bytes.NewBufferString(test.responseBody)),
+ }
+ })
+
+ res, err := c.GetLibrary(context.Background(), test.libraryID)
+ if test.expectStyraErr {
+ gomega.Expect(res).To(gomega.BeNil())
+ target := &styra.HTTPError{}
+ gomega.Expect(errors.As(err, &target)).To(gomega.BeTrue())
+ } else {
+ gomega.Expect(err).ToNot(gomega.HaveOccurred())
+ gomega.Expect(res.Statuscode).To(gomega.Equal(test.responseCode))
+ gomega.Expect(res.LibraryEntityExpanded).To(gomega.Equal(test.expectedLibraryEntityExpanded))
+ }
+ },
+
+ ginkgo.Entry("happy path", test{
+ libraryID: "test1",
+ responseCode: http.StatusOK,
+ responseBody: `
+ {
+ "result": {
+ "id": "test1",
+ "description": "test2",
+ "read_only": true,
+ "source_control": {
+ "use_workspace_settings": false,
+ "origin": {
+ "url": "https://github.com/test.git",
+ "reference": "refs/heads/master",
+ "commit": "",
+ "credentials": "gitCreds",
+ "path": ""
+ },
+ "library_origin": {
+ "url": "https://github.com/test.git",
+ "reference": "refs/heads/master",
+ "commit": "",
+ "credentials": "path/to/creds",
+ "path": ""
+ }
+ },
+ "policies": [],
+ "datasources": []
+ }
+ }
+ `,
+ expectedLibraryEntityExpanded: &styra.LibraryEntityExpanded{
+ DataSources: []styra.LibraryDatasourceConfig{},
+ Description: "test2",
+ ID: "test1",
+ ReadOnly: true,
+ SourceControl: &styra.LibrarySourceControlConfig{
+ LibraryOrigin: &styra.LibraryGitRepoConfig{
+ Commit: "",
+ Credentials: "path/to/creds",
+ Path: "",
+ Reference: "refs/heads/master",
+ URL: "https://github.com/test.git",
+ },
+ },
+ },
+ }),
+
+ ginkgo.Entry("unexpected status code", test{
+ libraryID: "test",
+ responseCode: http.StatusInternalServerError,
+ expectStyraErr: true,
+ }),
+ )
+})
+
+var _ = ginkgo.Describe("UpsertLibrary", func() {
+
+ type test struct {
+ libraryID string
+ upsertLibraryRequest *styra.UpsertLibraryRequest
+ responseCode int
+ responseBody string
+ expectedBody []byte
+ expectStyraErr bool
+ }
+
+ ginkgo.DescribeTable("UpsertLibrary", func(test test) {
+ c := newTestClient(func(r *http.Request) *http.Response {
+ // First make sure the body is readable
+ bs, err := io.ReadAll(r.Body)
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+
+ // Then make sure the body is encoded correctly
+ var b bytes.Buffer
+ gomega.Expect(json.NewEncoder(&b).Encode(test.upsertLibraryRequest)).To(gomega.Succeed())
+ gomega.Expect(bs).To(gomega.Equal(b.Bytes()))
+
+ // Then ensure the correct http request is made
+ gomega.Expect(r.Method).To(gomega.Equal(http.MethodPut))
+ gomega.Expect(r.URL.String()).To(gomega.Equal("http://test.com/v1/libraries/" + test.libraryID))
+
+ return &http.Response{
+ Header: make(http.Header),
+ StatusCode: test.responseCode,
+ Body: io.NopCloser(bytes.NewBufferString(test.responseBody)),
+ }
+ })
+
+ res, err := c.UpsertLibrary(context.Background(), test.libraryID, test.upsertLibraryRequest)
+ if test.expectStyraErr {
+ gomega.Expect(res).To(gomega.BeNil())
+ target := &styra.HTTPError{}
+ gomega.Expect(errors.As(err, &target)).To(gomega.BeTrue())
+ } else {
+ gomega.Expect(err).ToNot(gomega.HaveOccurred())
+ gomega.Expect(res.StatusCode).To(gomega.Equal(test.responseCode))
+ gomega.Expect(res.Body).To(gomega.Equal(test.expectedBody))
+ }
+ },
+
+ ginkgo.Entry("happy", test{
+ libraryID: "test",
+ responseCode: http.StatusOK,
+ responseBody: `expected response from styra api`,
+ upsertLibraryRequest: &styra.UpsertLibraryRequest{
+ Description: "test2",
+ ReadOnly: true,
+ SourceControl: &styra.LibrarySourceControlConfig{
+ LibraryOrigin: &styra.LibraryGitRepoConfig{
+ Commit: "",
+ Credentials: "path/to/creds",
+ Path: "",
+ Reference: "refs/heads/master",
+ URL: "https://github.com/test.git",
+ },
+ },
+ },
+ expectedBody: []byte(`expected response from styra api`)},
+ ),
+
+ ginkgo.Entry("sad", test{
+ libraryID: "test",
+ responseCode: http.StatusInternalServerError,
+ expectStyraErr: true,
+ }),
+ )
+})
+
+var _ = ginkgo.Describe("DeleteDatasource", func() {
+
+ type test struct {
+ datasourceID string
+ responseCode int
+ responseBody string
+ expectedBody []byte
+ expectStyraErr bool
+ }
+
+ ginkgo.DescribeTable("DeleteDatasource", func(test test) {
+ c := newTestClient(func(r *http.Request) *http.Response {
+ bs, err := io.ReadAll(r.Body)
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ gomega.Expect(bs).To(gomega.Equal([]byte("")))
+ gomega.Expect(r.Method).To(gomega.Equal(http.MethodDelete))
+ gomega.Expect(r.URL.String()).To(gomega.Equal("http://test.com/v1/datasources/" + test.datasourceID))
+
+ return &http.Response{
+ Header: make(http.Header),
+ StatusCode: test.responseCode,
+ Body: io.NopCloser(bytes.NewBufferString(test.responseBody)),
+ }
+ })
+
+ res, err := c.DeleteDatasource(context.Background(), test.datasourceID)
+ if test.expectStyraErr {
+ gomega.Expect(res).To(gomega.BeNil())
+ target := &styra.HTTPError{}
+ gomega.Expect(errors.As(err, &target)).To(gomega.BeTrue())
+ } else {
+ gomega.Expect(err).ToNot(gomega.HaveOccurred())
+ gomega.Expect(res.StatusCode).To(gomega.Equal(test.responseCode))
+ gomega.Expect(res.Body).To(gomega.Equal(test.expectedBody))
+ }
+ },
+
+ ginkgo.Entry("something", test{
+ datasourceID: "datasourceID",
+ responseCode: http.StatusOK,
+ responseBody: `expected response from styra api`,
+ expectedBody: []byte(`expected response from styra api`)},
+ ),
+
+ ginkgo.Entry("styra http error", test{
+ datasourceID: "datasourceID",
+ responseCode: http.StatusInternalServerError,
+ expectStyraErr: true,
+ }),
+ )
+})
diff --git a/pkg/styra/mocks/client_interface.go b/pkg/styra/mocks/client_interface.go
index 35b7d90..3343166 100644
--- a/pkg/styra/mocks/client_interface.go
+++ b/pkg/styra/mocks/client_interface.go
@@ -248,6 +248,32 @@ func (_m *ClientInterface) GetDatasource(ctx context.Context, id string) (*styra
return r0, r1
}
+// GetLibrary provides a mock function with given fields: ctx, id
+func (_m *ClientInterface) GetLibrary(ctx context.Context, id string) (*styra.GetLibraryResponse, error) {
+ ret := _m.Called(ctx, id)
+
+ var r0 *styra.GetLibraryResponse
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, string) (*styra.GetLibraryResponse, error)); ok {
+ return rf(ctx, id)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, string) *styra.GetLibraryResponse); ok {
+ r0 = rf(ctx, id)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*styra.GetLibraryResponse)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+ r1 = rf(ctx, id)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
// GetOPAConfig provides a mock function with given fields: ctx, systemID
func (_m *ClientInterface) GetOPAConfig(ctx context.Context, systemID string) (styra.OPAConfig, error) {
ret := _m.Called(ctx, systemID)
@@ -428,6 +454,32 @@ func (_m *ClientInterface) UpsertDatasource(ctx context.Context, id string, requ
return r0, r1
}
+// UpsertLibrary provides a mock function with given fields: ctx, id, request
+func (_m *ClientInterface) UpsertLibrary(ctx context.Context, id string, request *styra.UpsertLibraryRequest) (*styra.UpsertLibraryResponse, error) {
+ ret := _m.Called(ctx, id, request)
+
+ var r0 *styra.UpsertLibraryResponse
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, string, *styra.UpsertLibraryRequest) (*styra.UpsertLibraryResponse, error)); ok {
+ return rf(ctx, id, request)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, string, *styra.UpsertLibraryRequest) *styra.UpsertLibraryResponse); ok {
+ r0 = rf(ctx, id, request)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*styra.UpsertLibraryResponse)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, string, *styra.UpsertLibraryRequest) error); ok {
+ r1 = rf(ctx, id, request)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
// VerifyGitConfiguration provides a mock function with given fields: ctx, request
func (_m *ClientInterface) VerifyGitConfiguration(ctx context.Context, request *styra.VerfiyGitConfigRequest) (*styra.VerfiyGitConfigResponse, error) {
ret := _m.Called(ctx, request)
diff --git a/test/integration/controller/controller_suite_test.go b/test/integration/controller/controller_suite_test.go
index 4dfc7c3..ed388ba 100644
--- a/test/integration/controller/controller_suite_test.go
+++ b/test/integration/controller/controller_suite_test.go
@@ -141,6 +141,24 @@ var _ = ginkgo.BeforeSuite(func() {
err = globalDatasourceReconciler.SetupWithManager(k8sManager)
gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ libraryReconciler := &styractrls.LibraryReconciler{
+ Config: &configv2alpha2.ProjectConfig{
+ SSO: &configv2alpha2.SSOConfig{
+ IdentityProvider: "AzureAD Bankdata",
+ JWTGroupsClaim: "groups",
+ },
+ GitCredentials: []*configv2alpha2.GitCredential{
+ {User: "test-user", Password: "test-secret"},
+ },
+ },
+ Client: k8sClient,
+ Styra: styraClientMock,
+ WebhookClient: webhookMock,
+ }
+
+ err = libraryReconciler.SetupWithManager(k8sManager)
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+
managerCtx, managerCancel = context.WithCancel(context.Background())
go func() {
defer ginkgo.GinkgoRecover()
diff --git a/test/integration/controller/globaldatasource_controller_test.go b/test/integration/controller/globaldatasource_controller_test.go
index 50023f7..b2eaa1a 100644
--- a/test/integration/controller/globaldatasource_controller_test.go
+++ b/test/integration/controller/globaldatasource_controller_test.go
@@ -1,3 +1,19 @@
+/*
+Copyright (C) 2023 Bankdata (bankdata@bankdata.dk)
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
package styra
import (
@@ -17,164 +33,164 @@ import (
"github.com/bankdata/styra-controller/pkg/styra"
)
-var _ = ginkgo.Describe("GlobalDatasourceReconciler", func() {
- ginkgo.Describe("Reconcile", ginkgo.Label("integration"), func() {
- ginkgo.It("reconciles GlobalDatasource", func() {
- key := types.NamespacedName{Name: uuid.NewString()}
-
- toCreate := &styrav1alpha1.GlobalDatasource{
- ObjectMeta: metav1.ObjectMeta{
- Name: key.Name,
- },
- Spec: styrav1alpha1.GlobalDatasourceSpec{
- Name: key.Name,
- Category: styrav1alpha1.GlobalDatasourceCategoryGitRego,
- URL: "http://test.com/test.git",
- },
+var _ = ginkgo.Describe("GlobalDatasourceReconciler.Reconcile", ginkgo.Label("integration"), func() {
+ ginkgo.It("reconciles GlobalDatasource", func() {
+ key := types.NamespacedName{Name: uuid.NewString()}
+
+ toCreate := &styrav1alpha1.GlobalDatasource{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: key.Name,
+ },
+ Spec: styrav1alpha1.GlobalDatasourceSpec{
+ Name: key.Name,
+ Category: styrav1alpha1.GlobalDatasourceCategoryGitRego,
+ URL: "http://test.com/test.git",
+ },
+ }
+
+ ctx := context.Background()
+
+ ginkgo.By("creating the datasource")
+
+ styraClientMock.On(
+ "CreateUpdateSecret",
+ mock.Anything,
+ path.Join("libraries/global", key.Name, "git"),
+ &styra.CreateUpdateSecretsRequest{
+ Name: "test-user",
+ Secret: "test-secret",
+ },
+ ).Return(&styra.CreateUpdateSecretResponse{
+ StatusCode: http.StatusOK,
+ }, nil)
+
+ styraClientMock.On(
+ "GetDatasource",
+ mock.Anything,
+ path.Join("global", key.Name),
+ ).Return(
+ nil, &styra.HTTPError{
+ StatusCode: http.StatusNotFound,
+ },
+ )
+
+ styraClientMock.On(
+ "UpsertDatasource",
+ mock.Anything,
+ path.Join("global", key.Name),
+ &styra.UpsertDatasourceRequest{
+ Category: "git/rego",
+ Enabled: true,
+ Credentials: path.Join("libraries/global", key.Name, "git"),
+ URL: "http://test.com/test.git",
+ },
+ ).Return(&styra.UpsertDatasourceResponse{}, nil)
+
+ gomega.Ω(k8sClient.Create(ctx, toCreate)).To(gomega.Succeed())
+
+ gomega.Eventually(func() bool {
+ var gds styrav1alpha1.GlobalDatasource
+ if err := k8sClient.Get(ctx, key, &gds); err != nil {
+ return false
}
+ return true
+ }, timeout, interval).Should(gomega.BeTrue())
+
+ gomega.Eventually(func() bool {
+ var (
+ createUpdateSecret int
+ getDatasource int
+ upsertDatasource int
+ )
+ for _, call := range styraClientMock.Calls {
+ switch call.Method {
+ case "CreateUpdateSecret":
+ createUpdateSecret++
+ case "GetDatasource":
+ getDatasource++
+ case "UpsertDatasource":
+ upsertDatasource++
+ }
+ }
+ return createUpdateSecret == 1 &&
+ getDatasource == 1 &&
+ upsertDatasource == 1
+ }, timeout, interval).Should(gomega.BeTrue())
- ctx := context.Background()
+ styraClientMock.AssertExpectations(ginkgo.GinkgoT())
+ resetMock(&styraClientMock.Mock)
- ginkgo.By("creating the datasource")
+ ginkgo.By("using a git credential from a secret")
- styraClientMock.On(
- "CreateUpdateSecret",
- mock.Anything,
- path.Join("libraries/global", key.Name, "git"),
- &styra.CreateUpdateSecretsRequest{
- Name: "test-user",
- Secret: "test-secret",
- },
- ).Return(&styra.CreateUpdateSecretResponse{
+ gomega.Ω(k8sClient.Create(ctx, &v1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: key.Name,
+ Namespace: "default",
+ },
+ Data: map[string][]byte{
+ "name": []byte("test-user-2"),
+ "secret": []byte("test-secret-2"),
+ },
+ })).To(gomega.Succeed())
+
+ gomega.Eventually(func() bool {
+ var s v1.Secret
+ return k8sClient.Get(ctx, types.NamespacedName{Name: key.Name, Namespace: "default"}, &s) == nil
+ }, timeout, interval).Should(gomega.BeTrue())
+
+ styraClientMock.On(
+ "CreateUpdateSecret",
+ mock.Anything,
+ path.Join("libraries/global", key.Name, "git"),
+ &styra.CreateUpdateSecretsRequest{
+ Name: "test-user-2",
+ Secret: "test-secret-2",
+ },
+ ).Return(&styra.CreateUpdateSecretResponse{
+ StatusCode: http.StatusOK,
+ }, nil)
+
+ styraClientMock.On(
+ "GetDatasource",
+ mock.Anything,
+ path.Join("global", key.Name),
+ ).Return(
+ &styra.GetDatasourceResponse{
StatusCode: http.StatusOK,
- }, nil)
-
- styraClientMock.On(
- "GetDatasource",
- mock.Anything,
- path.Join("global", key.Name),
- ).Return(
- nil, &styra.HTTPError{
- StatusCode: http.StatusNotFound,
- },
- )
-
- styraClientMock.On(
- "UpsertDatasource",
- mock.Anything,
- path.Join("global", key.Name),
- &styra.UpsertDatasourceRequest{
+ DatasourceConfig: &styra.DatasourceConfig{
Category: "git/rego",
Enabled: true,
Credentials: path.Join("libraries/global", key.Name, "git"),
URL: "http://test.com/test.git",
},
- ).Return(&styra.UpsertDatasourceResponse{}, nil)
-
- gomega.Ω(k8sClient.Create(ctx, toCreate)).To(gomega.Succeed())
+ }, nil,
+ )
- gomega.Eventually(func() bool {
- var gds styrav1alpha1.GlobalDatasource
- if err := k8sClient.Get(ctx, key, &gds); err != nil {
- return false
- }
- return true
- }, timeout, interval).Should(gomega.BeTrue())
-
- gomega.Eventually(func() bool {
- var (
- createUpdateSecret int
- getDatasource int
- upsertDatasource int
- )
- for _, call := range styraClientMock.Calls {
- switch call.Method {
- case "CreateUpdateSecret":
- createUpdateSecret++
- case "GetDatasource":
- getDatasource++
- case "UpsertDatasource":
- upsertDatasource++
- }
- }
- return createUpdateSecret == 1 &&
- getDatasource == 1 &&
- upsertDatasource == 1
- }, timeout, interval).Should(gomega.BeTrue())
+ toCreate.Spec.CredentialsSecretRef = &styrav1alpha1.GlobalDatasourceSecretRef{
+ Name: key.Name,
+ Namespace: "default",
+ }
- styraClientMock.AssertExpectations(ginkgo.GinkgoT())
- resetMock(&styraClientMock.Mock)
+ gomega.Ω(k8sClient.Update(ctx, toCreate)).To(gomega.Succeed())
- ginkgo.By("using a git credential from a secret")
-
- gomega.Ω(k8sClient.Create(ctx, &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: key.Name,
- Namespace: "default",
- },
- Data: map[string][]byte{
- "name": []byte("test-user-2"),
- "secret": []byte("test-secret-2"),
- },
- })).To(gomega.Succeed())
-
- gomega.Eventually(func() bool {
- var s v1.Secret
- return k8sClient.Get(ctx, types.NamespacedName{Name: key.Name, Namespace: "default"}, &s) == nil
- }, timeout, interval).Should(gomega.BeTrue())
-
- styraClientMock.On(
- "CreateUpdateSecret",
- mock.Anything,
- path.Join("libraries/global", key.Name, "git"),
- &styra.CreateUpdateSecretsRequest{
- Name: "test-user-2",
- Secret: "test-secret-2",
- },
- ).Return(&styra.CreateUpdateSecretResponse{
- StatusCode: http.StatusOK,
- }, nil)
-
- styraClientMock.On(
- "GetDatasource",
- mock.Anything,
- path.Join("global", key.Name),
- ).Return(
- &styra.GetDatasourceResponse{
- StatusCode: http.StatusOK,
- DatasourceConfig: &styra.DatasourceConfig{
- Category: "git/rego",
- Enabled: true,
- Credentials: path.Join("libraries/global", key.Name, "git"),
- URL: "http://test.com/test.git",
- },
- }, nil,
+ gomega.Eventually(func() bool {
+ var (
+ createUpdateSecret int
+ getDatasource int
)
-
- toCreate.Spec.CredentialsSecretRef = &styrav1alpha1.GlobalDatasourceSecretRef{
- Name: key.Name,
- Namespace: "default",
+ for _, call := range styraClientMock.Calls {
+ switch call.Method {
+ case "CreateUpdateSecret":
+ createUpdateSecret++
+ case "GetDatasource":
+ getDatasource++
+ }
}
+ return createUpdateSecret == 1 && getDatasource == 1
+ }, timeout, interval).Should(gomega.BeTrue())
- gomega.Ω(k8sClient.Update(ctx, toCreate)).To(gomega.Succeed())
-
- gomega.Eventually(func() bool {
- var (
- createUpdateSecret int
- getDatasource int
- )
- for _, call := range styraClientMock.Calls {
- switch call.Method {
- case "CreateUpdateSecret":
- createUpdateSecret++
- case "GetDatasource":
- getDatasource++
- }
- }
- return createUpdateSecret == 1 && getDatasource == 1
- }, timeout, interval).Should(gomega.BeTrue())
+ styraClientMock.AssertExpectations(ginkgo.GinkgoT())
- styraClientMock.AssertExpectations(ginkgo.GinkgoT())
- })
+ resetMock(&styraClientMock.Mock)
})
})
diff --git a/test/integration/controller/library_controller_test.go b/test/integration/controller/library_controller_test.go
new file mode 100644
index 0000000..49577ac
--- /dev/null
+++ b/test/integration/controller/library_controller_test.go
@@ -0,0 +1,319 @@
+/*
+Copyright (C) 2023 Bankdata (bankdata@bankdata.dk)
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package styra
+
+import (
+ "context"
+ "net/http"
+ "path"
+
+ ginkgo "github.com/onsi/ginkgo/v2"
+ gomega "github.com/onsi/gomega"
+ "github.com/stretchr/testify/mock"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+
+ styrav1alpha1 "github.com/bankdata/styra-controller/api/styra/v1alpha1"
+ "github.com/bankdata/styra-controller/pkg/styra"
+)
+
+var _ = ginkgo.Describe("LibraryReconciler.Reconcile", ginkgo.Label("integration"), func() {
+ ginkgo.It("reconciles Library", func() {
+ key := types.NamespacedName{Name: "uuidewtring", Namespace: "default"}
+ toCreate := &styrav1alpha1.Library{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: key.Name,
+ Namespace: key.Namespace,
+ },
+ Spec: styrav1alpha1.LibrarySpec{
+ Name: key.Name,
+ Subjects: []styrav1alpha1.LibrarySubject{
+ {
+ Kind: styrav1alpha1.LibrarySubjectKindUser,
+ Name: "user1@mail.com",
+ },
+ {
+ // kind
+ Name: "user2@mail.com",
+ },
+ {
+ Kind: styrav1alpha1.LibrarySubjectKindGroup,
+ Name: "testGroup",
+ },
+ },
+ SourceControl: &styrav1alpha1.SourceControl{
+ LibraryOrigin: &styrav1alpha1.GitRepo{
+ Path: "libraries/library",
+ Reference: "refs/heads/master",
+ Commit: "commit-sha",
+ URL: "github.com",
+ },
+ },
+ Description: "description",
+ Datasources: []styrav1alpha1.LibraryDatasource{
+ {
+ Path: "oidc/sandbox",
+ Description: "desc",
+ },
+ {
+ Path: "oidc/sandbox/2",
+ Description: "desc2",
+ },
+ },
+ },
+ }
+ ctx := context.Background()
+ ginkgo.By("creating the Library")
+
+ styraClientMock.On("CreateUpdateSecret",
+ mock.Anything,
+ path.Join("libraries", key.Name, "git"),
+ &styra.CreateUpdateSecretsRequest{
+ Name: "test-user",
+ Secret: "test-secret",
+ },
+ ).Return(&styra.CreateUpdateSecretResponse{
+ StatusCode: http.StatusOK,
+ }, nil).Once()
+
+ styraClientMock.On("GetLibrary", mock.Anything, key.Name).
+ Return(nil, &styra.HTTPError{StatusCode: http.StatusNotFound}).Once()
+
+ defaultSourceControl := &styra.LibrarySourceControlConfig{
+ LibraryOrigin: &styra.LibraryGitRepoConfig{
+ Commit: "commit-sha",
+ Credentials: path.Join("libraries", key.Name, "git"),
+ Path: "libraries/library",
+ Reference: "refs/heads/master",
+ URL: "github.com",
+ },
+ }
+
+ styraClientMock.On("UpsertLibrary", mock.Anything, key.Name, &styra.UpsertLibraryRequest{
+ Description: "description",
+ ReadOnly: true,
+ SourceControl: defaultSourceControl,
+ }).Return(&styra.UpsertLibraryResponse{}, nil).Once()
+
+ // New reconciliation started
+
+ styraClientMock.On("CreateUpdateSecret",
+ mock.Anything,
+ path.Join("libraries", key.Name, "git"),
+ &styra.CreateUpdateSecretsRequest{
+ Name: "test-user",
+ Secret: "test-secret",
+ },
+ ).Return(&styra.CreateUpdateSecretResponse{
+ StatusCode: http.StatusOK,
+ }, nil).Once()
+
+ styraClientMock.On("GetLibrary", mock.Anything, key.Name).Return(&styra.GetLibraryResponse{
+ Statuscode: http.StatusOK,
+ LibraryEntityExpanded: &styra.LibraryEntityExpanded{
+ DataSources: []styra.LibraryDatasourceConfig{},
+ Description: "description",
+ ID: key.Name,
+ ReadOnly: true,
+ SourceControl: defaultSourceControl,
+ },
+ }, nil).Once()
+
+ styraClientMock.On("UpsertDatasource", mock.Anything, path.Join("libraries", key.Name, "oidc/sandbox"),
+ &styra.UpsertDatasourceRequest{
+ Category: "rest",
+ Enabled: true,
+ }).Return(&styra.UpsertDatasourceResponse{
+ StatusCode: http.StatusOK,
+ }, nil).Once()
+
+ webhookMock.On(
+ "DatasourceChanged",
+ mock.Anything,
+ mock.Anything,
+ "jwt-library",
+ "",
+ ).Return(nil).Once()
+
+ styraClientMock.On("UpsertDatasource", mock.Anything, path.Join("libraries", key.Name, "oidc/sandbox/2"),
+ &styra.UpsertDatasourceRequest{
+ Category: "rest",
+ Enabled: true,
+ }).Return(&styra.UpsertDatasourceResponse{
+ StatusCode: http.StatusOK,
+ }, nil).Once()
+
+ webhookMock.On(
+ "DatasourceChanged",
+ mock.Anything,
+ mock.Anything,
+ "jwt-library",
+ "",
+ ).Return(nil).Once()
+
+ // createUsersIfMissing:
+ styraClientMock.On("GetUser", mock.Anything, "user1@mail.com").
+ Return(&styra.GetUserResponse{
+ StatusCode: http.StatusNotFound,
+ }, nil).Once()
+
+ styraClientMock.On("CreateInvitation", mock.Anything, false, "user1@mail.com").
+ Return(&styra.CreateInvitationResponse{}, nil).Once()
+
+ styraClientMock.On("GetUser", mock.Anything, "user2@mail.com").
+ Return(&styra.GetUserResponse{
+ StatusCode: http.StatusOK,
+ }, nil).Once()
+
+ // deleteIncorrectRoleBindings:
+ styraClientMock.On("ListRoleBindingsV2", mock.Anything, &styra.ListRoleBindingsV2Params{
+ ResourceKind: styra.RoleBindingKindLibrary,
+ ResourceID: toCreate.Spec.Name,
+ }).Return(&styra.ListRoleBindingsV2Response{
+ Rolebindings: []*styra.RoleBindingConfig{},
+ }, nil).Once() //Test deletions also?
+
+ // createRoleBindingIfMissing:
+ styraClientMock.On("ListRoleBindingsV2", mock.Anything, &styra.ListRoleBindingsV2Params{
+ ResourceKind: styra.RoleBindingKindLibrary,
+ ResourceID: toCreate.Spec.Name,
+ }).Return(&styra.ListRoleBindingsV2Response{
+ Rolebindings: []*styra.RoleBindingConfig{},
+ }, nil).Once()
+
+ styraClientMock.On("CreateRoleBinding", mock.Anything, &styra.CreateRoleBindingRequest{
+ ResourceFilter: &styra.ResourceFilter{
+ ID: toCreate.Spec.Name,
+ Kind: styra.RoleBindingKindLibrary,
+ },
+ RoleID: styra.RoleLibraryViewer,
+ Subjects: []*styra.Subject{
+ {
+ ID: "user1@mail.com",
+ Kind: styra.SubjectKindUser,
+ }, {
+ ID: "user2@mail.com",
+ Kind: styra.SubjectKindUser,
+ }, {
+ Kind: styra.SubjectKindClaim,
+ ClaimConfig: &styra.ClaimConfig{
+ IdentityProvider: "AzureAD Bankdata",
+ Key: "groups",
+ Value: "testGroup",
+ },
+ },
+ },
+ }).Return(&styra.CreateRoleBindingResponse{}, nil).Once()
+
+ // updateRoleBindingIfNeeded:
+ styraClientMock.On("ListRoleBindingsV2", mock.Anything, &styra.ListRoleBindingsV2Params{
+ ResourceKind: styra.RoleBindingKindLibrary,
+ ResourceID: toCreate.Spec.Name,
+ }).Return(&styra.ListRoleBindingsV2Response{
+ Rolebindings: []*styra.RoleBindingConfig{
+ {
+ Subjects: []*styra.Subject{
+ {
+ ID: "user1@mail.com",
+ Kind: styra.SubjectKindUser,
+ }, {
+ ID: "user2@mail.com",
+ Kind: styra.SubjectKindUser,
+ }, {
+ Kind: styra.SubjectKindClaim,
+ ClaimConfig: &styra.ClaimConfig{
+ IdentityProvider: "AzureAD Bankdata",
+ Key: "groups",
+ Value: "testGroup",
+ },
+ },
+ },
+ RoleID: "LibraryViewer",
+ },
+ },
+ }, nil).Once()
+
+ gomega.Ω(k8sClient.Create(ctx, toCreate)).
+ To(gomega.Succeed())
+
+ gomega.Eventually(func() bool {
+ var k8sLib styrav1alpha1.Library
+ if err := k8sClient.Get(ctx, key, &k8sLib); err != nil {
+ return false
+ }
+ return true
+ }, timeout, interval).Should(gomega.BeTrue())
+
+ gomega.Eventually(func() bool {
+ var (
+ createUpdateSecret int
+ getLibrary int
+ upsertLibrary int
+ upsertDatasource int
+ datasourceChanged int
+ getUser int
+ createInvitation int
+ createRoleBinding int
+ listRoleBindings int
+ )
+
+ for _, call := range styraClientMock.Calls {
+ switch call.Method {
+ case "CreateUpdateSecret":
+ createUpdateSecret++
+ case "GetLibrary":
+ getLibrary++
+ case "UpsertLibrary":
+ upsertLibrary++
+ case "UpsertDatasource":
+ upsertDatasource++
+ case "GetUser":
+ getUser++
+ case "CreateInvitation":
+ createInvitation++
+ case "CreateRoleBinding":
+ createRoleBinding++
+ case "ListRoleBindingsV2":
+ listRoleBindings++
+ }
+ }
+
+ for _, call := range webhookMock.Calls {
+ switch call.Method {
+ case "DatasourceChanged":
+ datasourceChanged++
+ }
+ }
+
+ return createUpdateSecret == 2 &&
+ getLibrary == 2 &&
+ upsertLibrary == 1 &&
+ upsertDatasource == 2 &&
+ datasourceChanged == 2 &&
+ getUser == 2 &&
+ createInvitation == 1 &&
+ listRoleBindings == 3 &&
+ createRoleBinding == 1
+ }, timeout, interval).Should(gomega.BeTrue())
+
+ resetMock(&webhookMock.Mock)
+ resetMock(&styraClientMock.Mock)
+
+ styraClientMock.AssertExpectations(ginkgo.GinkgoT())
+
+ })
+})
diff --git a/test/integration/controller/system_controller_test.go b/test/integration/controller/system_controller_test.go
index 0734a1a..1fbe24b 100644
--- a/test/integration/controller/system_controller_test.go
+++ b/test/integration/controller/system_controller_test.go
@@ -1,3 +1,19 @@
+/*
+Copyright (C) 2023 Bankdata (bankdata@bankdata.dk)
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
package styra
import (
@@ -20,7 +36,6 @@ import (
)
var _ = ginkgo.Describe("SystemReconciler.Reconcile", ginkgo.Label("integration"), func() {
-
ginkgo.It("should reconcile", func() {
spec := styrav1beta1.SystemSpec{
DeletionProtection: ptr.Bool(false),
@@ -838,6 +853,7 @@ discovery:
}, timeout, interval).Should(gomega.BeTrue())
resetMock(&styraClientMock.Mock)
+ resetMock(&webhookMock.Mock)
ginkgo.By("Setting a datasource")
@@ -1193,6 +1209,7 @@ discovery:
return k8serrors.IsNotFound(err)
}, timeout, interval).Should(gomega.BeTrue())
+ resetMock(&styraClientMock.Mock)
styraClientMock.AssertExpectations(ginkgo.GinkgoT())
})
})