diff --git a/.gitignore b/.gitignore
index 7f02333db7abed1b675b7a1f1c62c2615ff3f630..6692c40756cb7d38bb4ea8c6ec05b91fc25594c0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,8 +5,6 @@
*.dll
*.so
*.dylib
-bin/*
-Dockerfile.cross
# Test binary, build with `go test -c`
*.test
@@ -20,7 +18,88 @@ Dockerfile.cross
# editor and IDE paraphernalia
.idea
-.vscode
*.swp
*.swo
*~
+secrets
+.vscode
+# Temporary Build Files
+build/_output
+build/_test
+# Created by https://www.gitignore.io/api/go,vim,emacs,visualstudiocode
+### Emacs ###
+# -*- mode: gitignore; -*-
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+auto-save-list
+tramp
+.\#*
+# Org-mode
+.org-id-locations
+*_archive
+# flymake-mode
+*_flymake.*
+# eshell files
+/eshell/history
+/eshell/lastdir
+# elpa packages
+/elpa/
+# reftex files
+*.rel
+# AUCTeX auto folder
+/auto/
+# cask packages
+.cask/
+dist/
+# Flycheck
+flycheck_*.el
+# server auth directory
+/server/
+# projectiles files
+.projectile
+projectile-bookmarks.eld
+# directory configuration
+.dir-locals.el
+# saveplace
+places
+# url cache
+url/cache/
+# cedet
+ede-projects.el
+# smex
+smex-items
+# company-statistics
+company-statistics-cache.el
+# anaconda-mode
+anaconda-mode/
+### Go ###
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+# Test binary, build with 'go test -c'
+*.test
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+### Vim ###
+# swap
+.sw[a-p]
+.*.sw[a-p]
+# session
+Session.vim
+# temporary
+.netrwhist
+# auto-generated tag files
+tags
+### VisualStudioCode ###
+.vscode/*
+.history
+# End of https://www.gitignore.io/api/go,vim,emacs,visualstudiocode
+__*
+sensitive.sh
+bin/*
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100755
index 0000000000000000000000000000000000000000..c48de3af47ea8b79b7463d531570d45aa802631e
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,25 @@
+include:
+ - project: 'paas-tools/infrastructure-ci'
+ file: 'docker-images-ci-templates/DockerImages.gitlab-ci.yml'
+
+variables:
+ CLUSTER_NAME: authz-operator-ci
+ KC_ISSUER_URL: "https://keycloak-dev.cern.ch/auth/realms/cern"
+ AUTHZAPI_URL: "https://authorization-service-api-dev.web.cern.ch"
+
+stages:
+ - build
+ - test
+
+Test:
+ stage: test
+ image: gitlab-registry.cern.ch/paas-tools/operators/operator-sdk-client:v1.2.0
+ script:
+ # To debug paas-site-operator configuration, allow to start a pipeline manually with a variable CI_INTERACTIVE_DEBUG.
+ # The job then waits instead of running tests, allowing to use the Gitlab CI "Debug" to run
+ # tests interactively instead.
+ - if [ -n "${CI_INTERACTIVE_DEBUG}" ]; then sleep infinity; fi
+ # Run go tests
+ - go test -v -mod=vendor ./.../tests -v
+ # Run e2e tests TODO: Re-do tests after SDK upgrade, see: https://gitlab.cern.ch/paas-tools/operators/authz-operator/-/jobs/10762230
+ # - source run-tests.sh
diff --git a/.operator-ci.helm_values_file.template b/.operator-ci.helm_values_file.template
new file mode 100755
index 0000000000000000000000000000000000000000..e93b39205f37d97291020e6e8e5295dadf823bc6
--- /dev/null
+++ b/.operator-ci.helm_values_file.template
@@ -0,0 +1,4 @@
+authz-operator:
+ source:
+ targetRevision: '${CI_COMMIT_SHA}'
+ image: gitlab-registry.cern.chpaas-tools/operators/authz-operator:'${CI_COMMIT_REF_NAME}'
diff --git a/Dockerfile b/Dockerfile
index c389c0981af8da9fd792a3a702525e08c86bf301..155e763ff4d2b7bdd24edf4ac209dd95a923aec5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,33 +1,21 @@
# Build the manager binary
-FROM golang:1.20 as builder
-ARG TARGETOS
-ARG TARGETARCH
+FROM golang:1.15 as builder
WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
-
-# Copy the go source
-COPY cmd/main.go cmd/main.go
-COPY api/ api/
-COPY internal/controller/ internal/controller/
+# NB: modified from sdk-generated Dockerfile (since we vendor modules): copy the full gitlab project contents
+COPY . .
# Build
-# the GOARCH has not a default value to allow the binary be built according to the host where the command
-# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
-# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
-# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
+# NB: modified from sdk-generated Dockerfile (since we vendor modules): added -mod=vendor
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -mod=vendor -o operator cmd/operator/operator.go && \
+ CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -mod=vendor -o softdelete cmd/softdeletion/lifecycle-delete.go
# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
FROM gcr.io/distroless/static:nonroot
WORKDIR /
-COPY --from=builder /workspace/manager .
-USER 65532:65532
+COPY --from=builder /workspace/operator /bin/
+COPY --from=builder /workspace/softdelete /bin/
+USER nonroot:nonroot
-ENTRYPOINT ["/manager"]
+CMD ["/bin/operator"]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000000000000000000000000000000000000..a5cdc02a0e0d9cf8b4ebd44ac59e6fc1021ddc63
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,204 @@
+ Copyright 2020-2021 CERN
+
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/README.md b/README.md
index 72f5ed5ad63af9994604c8f62c272d76b24e0375..60dd34f4f7efa2b4f8bcb609795ff6e7aee1a49b 100644
--- a/README.md
+++ b/README.md
@@ -1,94 +1,260 @@
# authz-operator
-// TODO(user): Add simple overview of use/purpose
-## Description
-// TODO(user): An in-depth paragraph about your project and overview of use
+An operator to register k8s apps with the CERN Authorization Service, including
+Application and SSO (OIDC) registrations, and lifecycle policy enforcement,
+such as ownership transfer or expiration when the owner leaves CERN.
-## Getting Started
-You’ll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster.
-**Note:** Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows).
+## APIs
-### Running on the cluster
-1. Install Instances of Custom Resources:
+The authz-operator exposes several CRDs.
-```sh
-kubectl apply -f config/samples/
-```
+For interaction with the [CERN Authorization Service API (AuthzAPI)](https://auth.docs.cern.ch):
+- `ApplicationRegistration`
+- `OIDCReturnUri`
+- `BootstrapApplicationRole`
-2. Build and push your image to the location specified by `IMG`:
+For managing lifecycle of OKD4 projects from `ApplicationRegistration`:
+- `ProjectLifecyclePolicy`
-```sh
-make docker-build docker-push IMG=<some-registry>/authz-operator:tag
-```
+### ApplicationRegistration
-3. Deploy the controller to the cluster with the image specified by `IMG`:
+The ApplicationRegistration creates and maintains the Application and OIDC registration objects in the AuthzAPI.
+Once the objects are created in the AuthzAPI, they're linked to this CR by the `ID` fields in its status.
-```sh
-make deploy IMG=<some-registry>/authz-operator:tag
-```
+The information in the Spec is the source of truth for these objects, meaning that changes in those fields
+from Authz will be overwritten by the operator.
+Fields labelled "initial*" only initialize and don't maintain their value.
+Such a field is the application owner, for which the source of truth is the AuthzAPI (to allow for lifecycle actions).
-### Uninstall CRDs
-To delete the CRDs from the cluster:
+The Status fetches the last-known state of the linked objects in the AuthzAPI.
+It is also the place to look for errors reported by the API.
+The CRD was designed without the "conditions" pattern in mind, but is planned to be redesigned,
+to better convey the relevant information.
-```sh
-make uninstall
-```
+Only 1 `ApplicationRegistration` is expect to exist per OKD project/namespace.
+Since the project is the administrative/ownership domain in our services, it has a direct correspondence
+with the concept of an Application in the Authorization service.
-### Undeploy controller
-UnDeploy the controller from the cluster:
+Note that for performance reasons, we run 2 instances of the `ApplicationRegistrationReconciler` operating in different modes:
-```sh
-make undeploy
-```
+- the foreground instance processes regular Kubernetes resource events and applies changes to the Authz API.
+ However it does not *read* state from the Authz API if the state in Kubernetes is consistent.
+ This instance of the reconciler thus returns quickly in most cases.
+ With every reconcile, it requests a refresh of the `ApplicationRegistration` state from the background reconciler
+- the background instance only processes requests to fully refresh an `ApplicationRegistration`'s status
+ when requested by another controller (the foreground reconciler, or the lifecycle controller when it finds that
+ an `ApplicationRegistration`'s status is out of sync with the Authz API). These requests are received via an event channel.
-## Contributing
-// TODO(user): Add detailed information on how you would like others to contribute to this project
+This foreground/background separation is necessary because it takes too long to refresh status with each reconciliation
+(controller default `SyncPeriod` is 10h, and re-sync all `ApplicationRegistration` on `webeos` cluster with 5k `ApplicationRegistration` would take >20m
+during which time site creation from webservices portal fails, because it times out waiting for `ApplicationRegistration` to be `Created` - cf. INC3490535).
+We went with 2 instances of the `ApplicationRegistrationReconciler` operating in different modes, rather than 2 separate controllers, to allow
+the foreground/background separation while minimizing changes to the existing logic.
-### How it works
-This project aims to follow the Kubernetes [Operator pattern](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/).
-It uses [Controllers](https://kubernetes.io/docs/concepts/architecture/controller/),
-which provide a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster.
+### OIDCReturnUri
-### Test It Out
-1. Install the CRDs into the cluster:
+OIDC return URIs are the valid addresses where the Identity Provider (keycloak) is allowed to redirect the user
+after successful authentication.
+For this reason they're also referred to as "redirect URIs".
+They are registered for each OIDC registration, and can be multiple.
+To better express this multiplicity and make them dynamically adjustable, they are expressed with a separate CR.
-```sh
-make install
-```
+In a project with only an ApplicationRegistration the OIDC registration will initially have no redirect URIs
+(and thus be non-functional).
+Adding an `OIDCReturnURI` will trigger the Application controller to include it in the OIDC registration.
+The OIDCReturnURIs in the project are maintained in sync with the values in the AuthzAPI.
-2. Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
+### BootstrapApplicationRole
-```sh
-make run
-```
+BootstrapApplicationRole creates but does not maintain Roles to the existing Application in the same namespace in the AuthzAPI.
-**NOTE:** You can also run this in one step by running: `make install run`
+Each Role is bound to the Application (without an Application, Role doesn't make sense), and once the role is created in the AuthzAPI, the role `ID` is stored in the status and no further action is made from the controller.
+Details on motivation can be seen [here](docs/design/bootstrap_application_role_crd.md).
-### Modifying the API definitions
-If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
-```sh
-make manifests
-```
+### Synchronization of lifecycle-related application properties
+
+Applications at CERN have an ownership "lifecycle" policy.
+It involves automatically updating resource ownership (owner & admin group) when somebody leaves the Organization
+and automatically deleting leftover resources linked to terminated computing accounts.
+The source of truth for the Owner and whether an application still exists is the AuthzAPI.
+
+Although not an API, the operator includes a controller that enforces the lifecycle policy.
+The operator periodically checks ownership status for each `ApplicationRegistration` at the AuthzAPI
+and, if ownership has changed or the linked Application has been deleted, updates the `ApplicationRegistration`'s `.status` with the updated information.
+
+A stress test was conducted for around 2500 `ApplicationRegistrations` and the average reconciliation time is around 2min30sec.
+Given this information the default reconciliation time for lifecycle has been set to 5minutes.
+
+### ProjectLifecyclePolicy
+
+The `ProjectLifecyclePolicy` CR controls how the authz-operator applies changes to lifecycle-related properties
+of the application in the AuthzAPI to the OKD project/namespace containing an `ApplicationRegistration`:
+
+- manages a `rolebinding` granting admin permissions on the project to the owner/administrator group declared
+ in the Application Portal.
+ **Important note: the authz-operator serviceaccount MUST itself be granted this cluster role so it can grant it to other users!**
+- whether to delete the OKD project when the Application is deleted from the AuthzAPI
+- maintain `ConsoleLinks` so the OKD console will show information and link to the Application's
+ management page in the Application Portal
+- can propagate changes to the application's `Description` in the Application Portal to the OKD project's
+ description
+
+We expect exactly one `ProjectLifecyclePolicy` per OKD project/namespace. Behavior is undefined if multiple CRs exist.
+
+# Setup & Deployment
+
+## Configuration
+
+The authz-operator is configured with a set of environment variables:
+
+ env var | example | description
+ --- | --- | ---
+`CLUSTER_NAME` | `okd4-prod1` | Name of the k8s cluster where the operator is deployed. Used in the `ApplicationRegistration` naming convention.
+`AUTHZAPI_URL` | `https://authorization-service-api.web.cern.ch` | API base URL for interacting with the Authorization service
+`KC_ISSUER_URL` | `https://auth.cern.ch/auth/realms/cern` | Identity provider (keycloak) issuer URL to fetch API access tokens from
+`KC_CLIENT_ID` | `authz-operator-okd4-prod` | For OAuth client credentials flow to get API access token
+`KC_CLIENT_SECRET` | `0789a3b8-fc2c-49d4-bfc9-eb1943f5977b` | For OAuth client credentials flow to get API access token
+`LIFECYCLE_RECONCILE_PERIOD_MIN` | `5` | Time in minutes between periodic reconciliations of all ApplicationRegistrations with the lifecycle controller, if no value is set, the default will be set, which is 5 minutes
+`AUTHZ_APPLICATIONS_PER_PAGE` | `1000` | Number of Applications per Page when retrieving all Applications in method `GetMyApplications`, if no value is set, the AuthzAPI default will be used (As of May/2021 is 1K Applications)
+
+For Internal tests to work, two extra environment variables need to be set:
+
+env var | description
+--- | ---
+`SVC_ACCOUNT_ID` | This is the `OwnerID` provided by the Auth API, should be found in the CI vars, to retrieve it, go to the [AuthAPI Documentation](https://authorization-service-api-dev.web.cern.ch/) (This will not work for production credentials) and get an Application owned by the Service account by ID, and the value should be returned as `OwnerID`
+`MANAGER_ID` | The `ID` of our Manager Application, should be found in the CI vars and not change
+
+In Helm deployments, these values correspond to parameters explained in [deploy/values.yaml](deploy/values.yaml)
+
+## Deployment
+
+Standard deployment is with the [Helm chart](deploy).
+
+For a new deployment we need to [create new keycloack credentials](#keycloak-cred)
+
+### <a name="keycloak-cred"></a> Create Keycloak credentials
+
+The authz-operator's deployment needs to be known to the CERN Authorization service (AuthzSvc) as an Application.
+The AuthzSvc supports the concept of a "manager" for each Application.
+That's the role this operator plays for the resources it creates/manages from the AuthzSvc perspective.
-**NOTE:** Run `make --help` for more information on all potential `make` targets
+The cluster admin needs to register an Application at the CERN Application portal and setup the OAuth client credentials flow:
+1. [Create a new application](https://application-portal.web.cern.ch/)
+ - An appropriate admin group should be specified
+2. Create an OIDC registration with client credentials
+ - Edit the Application -> SSO Registration
+ - New OIDC registration
+ - Set a random redirectURI eg "https://example.cern.ch"
+ - Advanced Options -> check "My application will need to get tokens using its own client ID and secret"
+3. Request group memberships:
+ - `authorization-service-identity-readers`
+ - `authorization-service-applications-managers`
-More information can be found via the [Kubebuilder Documentation](https://book.kubebuilder.io/introduction.html)
+### Images
-## License
+Gitlab CI is set up to automatically tag images in this repo's registry whenever any branch is pushed.
-Copyright 2024 CERN.
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+# Development
- http://www.apache.org/licenses/LICENSE-2.0
+## Design
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+For design documentation regarding `Application Role CRD, see
+[here](docs/design/application_role_crd.md).
+### Discussions with Authorization service
+
+[Support applications managed by another service](https://its.cern.ch/jira/browse/MALTIAM-646)
+- Add `application.managerId`
+- Define which properties can be modified on the authz / operator side
+
+[Support blocking applications](https://its.cern.ch/jira/browse/MALTIAM-723) (security)
+- Resources lifecycle
+
+### OIDC: where is the SoT?
+
+We discussed if OIDC-related information (esp `redirectURIs`) should be a new CRD or part of AppReg: [discussion](#53)
+Especially, if `redirectURIs` should be read from this operator's CRDs at all, or directly from an external source.
+
+### Supporting only a core OIDC flow type
+
+This operator automates the most often-encountered cases, as a convenience, without wresting control from the end user.
+Therefore, marginal use cases don't need to be automated.
+With this reasoning, we don't support defining the OIDC flow type, because the only flow type supported by this operator
+will be the authentication code.
+
+Similar for `UserConsentRequired`: this is only relevant for content hosted outside of CERN, for which we don't care now.
+
+#### Other OIDC flows
+
+The user can always create a separate Application in the AuthzAPI from the UI and have fine-grained control over the OIDC details.
+
+### `redirectURIs`
+#### webeos
+
+single redirectURI that can be generated at creation of the ApplicationRegistration
+(just include it in the webeos project template) mysite
+=> mysite.web.cern.ch/oidcsso/whatever (decided by the webeos-config-operator)
+=> set ApplicationRegistration.spec.RedirectURI at project creation
+
+#### PaaS / general use case
+
+multiple hostnames, default `/*` (or user-specified) return path
+=> Route + annotation; we'll need a separate operator (PaasSite operator?)
+to update ApplicationRegistration.spec.RedirectURI base on changes to routes
+
+### SAML
+
+It is possible to create a SAML registration after the OIDC registration for the same application;
+therefore we're not complicating the Drupal use case with this decision.
+
+## Running tests locally
+
+```bash
+# Export secrets as env vars
+export CLUSTER_NAME="test1"
+export KC_ISSUER_URL="https://keycloak-dev.cern.ch/auth/realms/cern"
+export AUTHZAPI_URL="https://authorization-service-api-dev.web.cern.ch"
+export KUBECONFIG=
+# Secrets
+export KC_CLIENT_ID=
+export KC_CLIENT_SECRET=
+./run-tests.sh
+```
+
+## Debugging on existing dev cluster
+
+Uses:
+- manual tests
+- run one of the okd4-install integration test packages (but ony one, we cannot switch use cases and run the whole suite)
+- attach vscode's debugger to running operator process
+
+```bash
+export CLUSTER_NAME=<...>
+export KUBECONFIG=<...>
+export KC_ISSUER_URL="https://keycloak-qa.cern.ch/auth/realms/cern"
+export AUTHZAPI_URL="https://authorization-service-api-qa.web.cern.ch"
+# Secrets
+export KC_CLIENT_ID=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_ID' | base64 -d)
+export KC_CLIENT_SECRET=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
+# disable argocd and in-cluster operator (to undo, run the same with --replicas=1)
+# alternatively, keep argocd running but set `replicas: 0` in ` oc edit application/authz-operator -n openshift-cern-argocd`
+for r in deploy/argocd-server sts/argocd-application-controller; do oc scale $r -n openshift-cern-argocd --replicas=0; done
+oc scale deploy/authz-operator -n openshift-cern-authz-operator --replicas=0
+
+# If changes to CRDs...
+# make manifests && oc replace -f config/crd/bases
+
+# build & run...
+make
+bin/manager --zap-log-level=3 # use 6 for debug logs, 8 for trace logs
+
+# run integration tests from okd4-install
+# E.g. if okd4-install is checked out in ~/git/okd4-install
+docker run --rm registry.cern.ch/paas-tools/okd4-install -v ~/git/okd4-install:/project -v ${KUBECONFIG:-~/.kube/kubeconfig}:/root/.kube/config -w /project -e CI_JOB_ID=${RANDOM} bats -tpr tests/1-common/1-authz-operator.bats
+
+# When done with testing, restart argocd to put things back as they were
+for r in deploy/argocd-server sts/argocd-application-controller; do oc scale $r -n openshift-cern-argocd --replicas=1; done
+```
diff --git a/api/v1alpha1/applicationregistration_types.go b/api/v1alpha1/applicationregistration_types.go
index 437c1208aec7ff738726de1b205831da451724be..a173cd3a343db62cf5ae649a3f42b940c6e3ad9b 100644
--- a/api/v1alpha1/applicationregistration_types.go
+++ b/api/v1alpha1/applicationregistration_types.go
@@ -1,5 +1,5 @@
/*
-Copyright 2024 CERN.
+
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -20,28 +20,136 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
-// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+type ResourceCategoryType string
-// ApplicationRegistrationSpec defines the desired state of ApplicationRegistration
-type ApplicationRegistrationSpec struct {
- // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
- // Important: Run "make" to regenerate code after modifying this file
+const (
+ // The application portal defines these 4 values
+ ResourceCategoryUndefined ResourceCategoryType = "Undefined"
+ ResourceCategoryTest ResourceCategoryType = "Test"
+ ResourceCategoryPersonal ResourceCategoryType = "Personal"
+ ResourceCategoryOfficial ResourceCategoryType = "Official"
+)
+
+type ProvisioningStatusType string
+
+const (
+ // Provisioning is still in progress (including any potentially transient errors
+ // from the Authorization API where reconciliation will be reattempted, like
+ // the API not responding or 5xx HTTP errors)
+ ProvisioningStatusCreating ProvisioningStatusType = "Creating"
+ // Provisioning has failed and won't be retried; look at ErrorMessage for details.
+ // It is set for permanent errors, such as name conflicts, invalid initialOwner, 4xx HTTP errors.
+ ProvisioningStatusProvisioningError ProvisioningStatusType = "ProvisioningError"
+ // Application successfully registered in authz API
+ ProvisioningStatusCreated ProvisioningStatusType = "Created"
+ // Application was registered in authz API once, but now does not exist in authz API anymore
+ ProvisioningStatusDeletedFromAPI ProvisioningStatusType = "DeletedFromAPI"
+)
- // Foo is an example field of ApplicationRegistration. Edit applicationregistration_types.go to remove/update
- Foo string `json:"foo,omitempty"`
+// ApplicationRegistrationSpec defines the desired state of ApplicationRegistration.
+// For details for fields set on the Authz API, see https://authorization-service-api.web.cern.ch/swagger/index.html
+type ApplicationRegistrationSpec struct {
+ // ApplicationName is used to construct the Application's "display name" following a naming convention:
+ // `Web frameworks site <applicationName> (<instance>)` (see also https://gitlab.cern.ch/paas-tools/operators/authz-operator/issues/5 ).
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinLength=1
+ ApplicationName string `json:"applicationName" valid:"matches(^[0-9a-z_\\-]+$),length(1|100)"`
+ // Description defines the purpose of the App.
+ // As of August 2023, the pattern used matches the expected API pattern from the Auth Service.
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Pattern=`\w+`
+ Description string `json:"description"`
+ // HomePage points to the app's homepage
+ // +optional
+ HomePage string `json:"homePage,omitempty"`
+ // InitialOwner is the owner defined at creation time; can then be modified at the application portal
+ // +kubebuilder:validation:Required
+ InitialOwner `json:"initialOwner"`
+ // InitialResourceCategory sets the desired resourceCategory on creation of the application registration
+ // in the application portal. After creation, the category is managed by the owner in the portal.
+ // - Default: "Test" (see https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/888 )
+ // +kubebuilder:validation:Enum="Test";"Personal";"Official"
+ // +kubebuilder:default:="Test"
+ InitialResourceCategory ResourceCategoryType `json:"initialResourceCategory"`
+ // DisplayName is the user-facing name of the ApplicationRegistration as stored in the Authzsvc API
+ // +optional
+ DisplayName string `json:"displayName,omitempty"`
+ // ApplicationIdentifier is the client ID for keycloak. It is auto-generated by the operator following a naming convention,
+ // Name convention: `webframeworks-<instance>-<applicationName>` (see also https://gitlab.cern.ch/paas-tools/operators/authz-operator/issues/5 )
+ // +optional
+ ApplicationIdentifier string `json:"applicationIdentifier,omitempty" valid:"matches(^[a-z][0-9a-z_\\-][0-9a-z_\\-]+$),length(3|127)"`
}
// ApplicationRegistrationStatus defines the observed state of ApplicationRegistration
type ApplicationRegistrationStatus struct {
- // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
- // Important: Run "make" to regenerate code after modifying this file
+ // Creating: provisioning is still in progress (including any potentially transient errors
+ // from the Authorization API where reconciliation will be reattempted, like
+ // the API not responding or 5xx HTTP errors).
+ // ProvisioningError: provisioning has failed and won't be retried; look at ErrorMessage for details;
+ // it is set for permanent errors, such as name conflicts, invalid initialOwner, 4xx HTTP errors.
+ // Created: application successfully registered in authz API.
+ // DeletedFromAPI: application was registered in authz API once, but now does not exist in authz API anymore.
+ // +kubebuilder:validation:Enum="Created";"Creating";"ProvisioningError";"DeletedFromAPI"
+ ProvisioningStatus ProvisioningStatusType `json:"provisioningStatus,omitempty"`
+
+ // ErrorMessage will be set in the event of a terminal error reconciling (or provisioning) the
+ // ApplicationRegistration with a human-readable message.
+ // This won't be set for transient errors where reconciliation will be reattempted.
+ // Error messages originating from the API returned as-is
+ // +optional
+ ErrorMessage string `json:"errorMessage,omitempty"`
+ // ErrorReason will be set in the event of a terminal error reconciling (or provisioning) the
+ // ApplicationRegistration with a machine-readable message.
+ // This won't be set for transient errors where reconciliation will be reattempted.
+ // +optional
+ // +kubebuilder:validation:Enum={"ApplicationAlreadyExists","InvalidSpec","k8sAPIClientError", "AuthzAPIClientError","AuthzAPIError","AuthzAPIPermanentError","AuthzAPIInvalidResponse","OwnerNotFound","AuthzsvcApiError","Creating","InvalidOwner","AssociatedApplicationNotFound"}
+ ErrorReason string `json:"errorReason,omitempty"`
+
+ // ID is the Unique Identifier of the AplicationRegistration in the Authzsvc API, (This name didn't expect multiple IDs on the Status, therefore the generic ID name)
+ // +optional
+ ID string `json:"id,omitempty"`
+ // CurrentOwnerUsername is the current owner's UPN read from the Application Portal
+ // +optional
+ CurrentOwnerUsername string `json:"currentOwnerUsername,omitempty"`
+ // CurrentAdminGroup is read from the Application Portal
+ // +optional
+ CurrentAdminGroup string `json:"currentAdminGroup,omitempty"`
+ // CurrentResourceCategory is read from the Application Portal
+ // +optional
+ CurrentResourceCategory ResourceCategoryType `json:"currentResourceCategory,omitempty"`
+ // CurrentDescription is read from the Application Portal
+ // +optional
+ CurrentDescription string `json:"currentDescription,omitempty"`
+ // CurrentEnabledStatus shows whether the application is currently enabled
+ // +optional
+ CurrentEnabledStatus bool `json:"currentEnabledStatus,omitempty"`
+ // CurrentDepartement indicates which CERN department the project owner belongs to
+ // +optional
+ CurrentGroup string `json:"currentGroup,omitempty"`
+ // CurrentGroup indicates which CERN group the project owner belongs to
+ // +optional
+ CurrentDepartment string `json:"currentDepartment,omitempty"`
+ // RegistrationID is the identity of the oidc registration of the application in the Authorization service API
+ // +optional
+ RegistrationID string `json:"registrationId,omitempty"`
+ // OIDCEnabled is a flag to know if the OIDC credentials are enabled
+ // +optional
+ OIDCEnabled bool `json:"OIDCEnabled,omitempty"`
+ // +optional
+ TokenExchangePermissions `json:"tokenExchangePermissions,omitempty"`
+ // ClientCredentialsSecret is the name of the k8s secret holding the OIDC client credentials
+ // +optional
+ ClientCredentialsSecret string `json:"clientCredentialsSecret,omitempty"`
+ // RedirectURIs is the URI where users will be redirected after authenticating to the IdP during the OIDC flows
+ // +optional
+ RedirectURIs []string `json:"redirectURIs,omitempty"`
}
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
-// ApplicationRegistration is the Schema for the applicationregistrations API
+// ApplicationRegistration creates and maintains the Application and OIDC registration objects in the AuthzAPI.
+// More info: https://gitlab.cern.ch/paas-tools/operators/authz-operator#applicationregistration
type ApplicationRegistration struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -50,7 +158,7 @@ type ApplicationRegistration struct {
Status ApplicationRegistrationStatus `json:"status,omitempty"`
}
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
// ApplicationRegistrationList contains a list of ApplicationRegistration
type ApplicationRegistrationList struct {
@@ -62,3 +170,49 @@ type ApplicationRegistrationList struct {
func init() {
SchemeBuilder.Register(&ApplicationRegistration{}, &ApplicationRegistrationList{})
}
+
+// InitialOwner is the owner of the resource at creation time
+type InitialOwner struct {
+ // username is the owner's CERN username
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinLength=1
+ Username string `json:"username"`
+}
+
+// AppRole is the Application role created by default together with the application.
+type AppRole struct {
+ Name string `json:"name"`
+ Required bool `json:"required"`
+ ApplyToAllUsers bool `json:"applyToAllUsers"`
+ Description string `json:"description"`
+ DisplayName string `json:"displayName"`
+ MinLoA int `json:"minimumLevelOfAssurance"`
+}
+
+type OIDCFlowType string
+
+const (
+ OIDCFlowImplicit OIDCFlowType = "Implicit"
+ OIDCFlowAuthorizationCode OIDCFlowType = "AuthorizationCode"
+ OIDCFlowClientCredentials OIDCFlowType = "ClientCredentials"
+)
+
+// TokenExchangePermissions lists applications for which token exchange permissions have been requested or allowed
+type TokenExchangePermissions struct {
+ // requests are the Application identifiers for which token exchange permissions are requested
+ // +optional
+ Requests []string `json:"requests,omitempty"`
+ // allowed are the Application identifiers for which token exchange is allowed (has been granted by the corresponding application)
+ // +optional
+ Allowed []string `json:"allowed,omitempty"`
+}
+
+// DisplayNameConvention implements the naming convention {ApplicationName -> DisplayName}
+func (a ApplicationRegistration) DisplayNameConvention(clusterInstanceName string) string {
+ return "Web frameworks site " + a.Spec.ApplicationName + " (" + clusterInstanceName + ")"
+}
+
+// ApplicationIdentifierConvention implements the naming convention {ApplicationName -> ApplicationIdentifier}
+func (a ApplicationRegistration) ApplicationIdentifierConvention(clusterInstanceName string) string {
+ return "webframeworks-" + clusterInstanceName + "-" + a.Spec.ApplicationName
+}
diff --git a/api/v1alpha1/bootstrapapplicationrole_types.go b/api/v1alpha1/bootstrapapplicationrole_types.go
index 9b6593c79c48bb5986fbc26dbfcd7dd0d258458a..5179c4277d8331d8f8ce32544bb51ce796f62252 100644
--- a/api/v1alpha1/bootstrapapplicationrole_types.go
+++ b/api/v1alpha1/bootstrapapplicationrole_types.go
@@ -1,5 +1,5 @@
/*
-Copyright 2024 CERN.
+
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -20,28 +20,85 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
-// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+// Strings for BootstrapApplicationRoleStatus.Conditions
+const (
+ // Condition Types
+ ConditionTypeRoleCreation string = "RoleCreated"
+ // Conditions
+ ConditionRoleBootstrappedSuccessfully string = "RoleBootstrappedSuccessfully"
+ ConditionRoleCreating string = "RoleCreating"
+ ConditionRoleAlreadyExists string = "RoleAlreadyExists"
+ ConditionRoleCreationError string = "RoleCreationError"
+ ConditionGroupLinkError string = "GroupLinkError"
+ ConditionWaitingForLinkedGroups string = "WaitingForLinkedGroups"
+)
+
+// List of Messages for Status
+const (
+ StatusMessageCreatedSuccesfully string = "Created successfully"
+ StatusMessageAlreadyExists string = "Already existed"
+ StatusMessageMissingGroups string = "Missing Groups: "
+ StatusMessageGroupLinkError string = "Failed to link the following Groups: "
+ StatusMessageWaitingNextReconciliation string = "Awaiting next reconciliation"
+)
// BootstrapApplicationRoleSpec defines the desired state of BootstrapApplicationRole
type BootstrapApplicationRoleSpec struct {
- // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
- // Important: Run "make" to regenerate code after modifying this file
+ // The equivalent of "Role Identifier" of the Role in the Application Portal
+ // This field will be
+ // The Name field must start with a lowercase letter, can contain only lowercase letters, numbers, dashes and underscores, and must be between 3 and 64 characters long.
+ // +kubebuilder:validation:Required
+ Name string `json:"name"`
+
+ // DisplayName represents the "Role Name" of the Role in the Application Portal
+ // This field is required in order for the Role to be created
+ // +kubebuilder:validation:Required
+ DisplayName string `json:"displayName"`
+
+ // Description of the ApplicationRegistration, represents the "Description" in the Application Portal
+ // Brief description, required for Role creation
+ // +kubebuilder:validation:Required
+ Description string `json:"description"`
+
+ // Flag to know if the role is required to access the Application
+ // +kubebuilder:validation:Required
+ RoleRequired bool `json:"required"`
+
+ // MultifactorRequired allows to enable multifactor authentication
+ // (From Application Portal): If checked, users must authenticate with Multifactor Authentication to be granted this role
+ // +kubebuilder:validation:Required
+ MultifactorRequired bool `json:"multifactorRequired"`
+
+ // (From Application Portal): if checked, this role will applied to all authenticated users, regardless of them belonging to any group or not.
+ // Use this option to define a role that is based only on the value of the Minimum Level of Assurance and/or usage of Multifactor authentication.
+ // +kubebuilder:validation:Required
+ ApplyToAllUsers bool `json:"applyToAllUsers"`
+
+ // Level of assurance defines the accepted authentication providers, ranging from CERN identities (highest) to social accounts (public, therefore lowest)
+ // Default: 4
+ // +kubebuilder:validation:Required
+ MinLevelOfAssurance int `json:"minLevelOfAssurance"`
- // Foo is an example field of BootstrapApplicationRole. Edit bootstrapapplicationrole_types.go to remove/update
- Foo string `json:"foo,omitempty"`
+ // List of CERN Groups that are going to be bound to the created Application Role
+ // +kubebuilder:validation:Optional
+ LinkedGroups []string `json:"linkedGroups"`
}
// BootstrapApplicationRoleStatus defines the observed state of BootstrapApplicationRole
type BootstrapApplicationRoleStatus struct {
- // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
- // Important: Run "make" to regenerate code after modifying this file
+ // +kubebuilder:validation:type=string
+ // +optional
+ RoleID string `json:"id"`
+ // +kubebuilder:validation:type=array
+ // +optional
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
}
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
-// BootstrapApplicationRole is the Schema for the bootstrapapplicationroles API
+// BootstrapApplicationRole creates but does not maintain Roles to the existing Application in the same namespace in the AuthzAPI.
+// More info: https://gitlab.cern.ch/paas-tools/operators/authz-operator#bootstrapapplicationrole
type BootstrapApplicationRole struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -50,7 +107,7 @@ type BootstrapApplicationRole struct {
Status BootstrapApplicationRoleStatus `json:"status,omitempty"`
}
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
// BootstrapApplicationRoleList contains a list of BootstrapApplicationRole
type BootstrapApplicationRoleList struct {
diff --git a/api/v1alpha1/groupversion_info.go b/api/v1alpha1/groupversion_info.go
index 9cfa3f157243b63d6086c59090ead0b13aa51122..3f2bf2a9c34ad67c357e7d652c169256e137b3d6 100644
--- a/api/v1alpha1/groupversion_info.go
+++ b/api/v1alpha1/groupversion_info.go
@@ -1,5 +1,5 @@
/*
-Copyright 2024 CERN.
+
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/api/v1alpha1/oidcreturnuri_types.go b/api/v1alpha1/oidcreturnuri_types.go
index 80c1d425b122f3c5a16ca34798321e62426b5937..1b82c6c64bbc953b0732e6740ffe6f5395791ca1 100644
--- a/api/v1alpha1/oidcreturnuri_types.go
+++ b/api/v1alpha1/oidcreturnuri_types.go
@@ -1,5 +1,5 @@
/*
-Copyright 2024 CERN.
+
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -20,28 +20,21 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
-// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
-
// OidcReturnURISpec defines the desired state of OidcReturnURI
type OidcReturnURISpec struct {
- // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
- // Important: Run "make" to regenerate code after modifying this file
-
- // Foo is an example field of OidcReturnURI. Edit oidcreturnuri_types.go to remove/update
- Foo string `json:"foo,omitempty"`
+ // RedirectURI is an OIDC redirect URI for the ApplicationRegistration in the same namespace
+ RedirectURI string `json:"redirectURI,omitempty" valid:"url"`
}
// OidcReturnURIStatus defines the observed state of OidcReturnURI
type OidcReturnURIStatus struct {
- // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
- // Important: Run "make" to regenerate code after modifying this file
}
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
-// OidcReturnURI is the Schema for the oidcreturnuris API
+// OIDC return URIs are the valid addresses where the Identity Provider (keycloak) is allowed to redirect the user after successful authentication.
+// More info: https://gitlab.cern.ch/paas-tools/operators/authz-operator#oidcreturnuri
type OidcReturnURI struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -50,7 +43,7 @@ type OidcReturnURI struct {
Status OidcReturnURIStatus `json:"status,omitempty"`
}
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
// OidcReturnURIList contains a list of OidcReturnURI
type OidcReturnURIList struct {
@@ -62,3 +55,22 @@ type OidcReturnURIList struct {
func init() {
SchemeBuilder.Register(&OidcReturnURI{}, &OidcReturnURIList{})
}
+
+// SameSet asserts whether 2 []string contain the same elements, disregarding order/multiplicity (set equality)
+func SameSet(a []string, b []string) bool {
+ contains := func(a []string, b []string) bool {
+ m := make(map[string]bool, len(a))
+ for _, i := range a {
+ m[i] = true
+ }
+ same := true
+ for _, i := range b {
+ if !m[i] {
+ same = false
+ break
+ }
+ }
+ return same
+ }
+ return contains(a, b) && contains(b, a)
+}
diff --git a/api/v1alpha1/projectlifecyclepolicy_types.go b/api/v1alpha1/projectlifecyclepolicy_types.go
index f954778e7e063f5b38126f8f1814f23752a70b58..b67e9cc54fee40206d2460129d5f5f8428c4f463 100644
--- a/api/v1alpha1/projectlifecyclepolicy_types.go
+++ b/api/v1alpha1/projectlifecyclepolicy_types.go
@@ -1,5 +1,5 @@
/*
-Copyright 2024 CERN.
+
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -20,28 +20,89 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
-// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+type AppDeletionPolicyType string
+
+const (
+ // AppDeletionPolicyDeleteNamespace deletes parent namespace when an ApplicationRegistration's status.provisioningStatus becomes DeletedFromAPI
+ AppDeletionPolicyDeleteNamespace AppDeletionPolicyType = "DeleteNamespace"
+ // AppDeletionPolicyIgnoreAndPreserveNamespace does nothing when an ApplicationRegistration's status.provisioningStatus becomes DeletedFromAPI
+ AppDeletionPolicyIgnoreAndPreserveNamespace AppDeletionPolicyType = "IgnoreAndPreserveNamespace"
+ // AppDeletionPolicyBlockAndDeleteAfterGracePeriod will mark the namespace as "soft deleted", having a behavior similar to blocked, when an ApplicationRegistration's status.provisioningStatus becomes DeletedFromAPI
+ // Operator should block website similar to normal block procedure: https://okd-internal.docs.cern.ch/operations/project-blocking/
+ // More info: https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/1115
+ AppDeletionPolicyBlockAndDeleteAfterGracePeriod AppDeletionPolicyType = "BlockAndDeleteAfterGracePeriod"
+)
+
+// strings for the conditions in status
+const (
+ // Type of the Condition in ProjectLifecyclePolicy status that indicates if policy was successfully applied
+ ConditionTypeAppliedProjectLifecyclePolicy string = "AppliedProjectLifecyclePolicy"
+ // Reason for the Condition in ProjectLifecyclePolicy status when policy was successfully applied
+ ConditionReasonSuccessful string = "Successful"
+ // Reason for the Condition in ProjectLifecyclePolicy status when policy was NOT successfully applied
+ // because the conditions are not met for us to be able to do something.
+ ConditionReasonCannotApply string = "CannotApply"
+ // Reason for the Condition in ProjectLifecyclePolicy status when policy was NOT successfully applied
+ // because we tried but someting went wrong.
+ // NB: we could have a separate value for each failure case, but not worth the effort for the projectLifecyclePolicy.
+ ConditionReasonFailed string = "Failed"
+)
// ProjectLifecyclePolicySpec defines the desired state of ProjectLifecyclePolicy
type ProjectLifecyclePolicySpec struct {
- // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
- // Important: Run "make" to regenerate code after modifying this file
- // Foo is an example field of ProjectLifecyclePolicy. Edit projectlifecyclepolicy_types.go to remove/update
- Foo string `json:"foo,omitempty"`
+ // The ClusterRole that should be granted to the Application's owner and administrator group
+ // in the RoleBinding identified by ApplicationOwnerRoleBindingName.
+ // The authz-operator serviceaccount MUST itself have this cluster role so it can grant it to other users!
+ // If not specified, then no RoleBinding is created.
+ // +optional
+ ApplicationOwnerClusterRole string `json:"applicationOwnerClusterRole,omitempty"`
+
+ // Name of a RoleBinding whose members should be set to the value of ApplicationRegistration's status.CurrentOwnerUsername
+ // and (if present) status.CurrentAdminGroup.
+ // Any other member will be removed from the RoleBinding.
+ // +kubebuilder:default:="application-owner"
+ ApplicationOwnerRoleBindingName string `json:"applicationOwnerRoleBindingName"`
+
+ // Policy when the ApplicationRegistration's status.provisioningStatus becomes DeletedFromAPI,
+ // i.e. the application was deleted from the Application Portal.
+ // If DeleteNamespace, the parent namespace/project containing the ApplicationRegistration is deleted.
+ // +kubebuilder:validation:Enum="IgnoreAndPreserveNamespace";"DeleteNamespace";"BlockAndDeleteAfterGracePeriod"
+ // +kubebuilder:default:="IgnoreAndPreserveNamespace"
+ ApplicationDeletedFromAuthApiPolicy AppDeletionPolicyType `json:"applicationDeletedFromAuthApiPolicy"`
+
+ // Generate a link to the application's management page in the application portal.
+ // This is created as a ConsoleLink in the NamespaceDashboard (the only type of link
+ // that can be specified per namespace).
+ // +optional
+ ApplicationPortalManagementLink bool `json:"applicationPortalConsoleLink,omitempty"`
+
+ // Generate a link showing current application's category in the app portal
+ // with link to the application's management page to update category.
+ // This is created as a ConsoleLink in the NamespaceDashboard (the only type of link
+ // that can be specified per namespace).
+ // +optional
+ ApplicationCategoryLink bool `json:"applicationCategoryLink,omitempty"`
+
+ // Sync the parent Openshift project's metadata (annotations and labels) with the information from the Application Portal.
+ // Description goes to the standard Openshift annotation for project description. Owner, Admin Group and category are
+ // exposed with custom labels.
+ // +optional
+ // +kubebuilder:default:=true
+ SyncProjectMetadata bool `json:"syncProjectMetadata,omitempty"`
}
// ProjectLifecyclePolicyStatus defines the observed state of ProjectLifecyclePolicy
type ProjectLifecyclePolicyStatus struct {
- // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
- // Important: Run "make" to regenerate code after modifying this file
+ // Conditions represent the latest available observations of an object's state
+ Conditions []metav1.Condition `json:"conditions"`
}
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
-// ProjectLifecyclePolicy is the Schema for the projectlifecyclepolicies API
+// ProjectLifecyclePolicy controls how the authz-operator applies changes to lifecycle-related properties of the application in the AuthzAPI to the OKD project/namespace containing an `ApplicationRegistration`.
+// More info: https://gitlab.cern.ch/paas-tools/operators/authz-operator#projectlifecyclepolicy
type ProjectLifecyclePolicy struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -50,7 +111,7 @@ type ProjectLifecyclePolicy struct {
Status ProjectLifecyclePolicyStatus `json:"status,omitempty"`
}
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
// ProjectLifecyclePolicyList contains a list of ProjectLifecyclePolicy
type ProjectLifecyclePolicyList struct {
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 7f4960b46e5f89b49b1f18b90abe86f29ce43103..f21e0aca090ebc6557fb3592ec7854ab12781901 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -2,7 +2,7 @@
// +build !ignore_autogenerated
/*
-Copyright 2024 CERN.
+
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -22,16 +22,32 @@ limitations under the License.
package v1alpha1
import (
+ "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AppRole) DeepCopyInto(out *AppRole) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppRole.
+func (in *AppRole) DeepCopy() *AppRole {
+ if in == nil {
+ return nil
+ }
+ out := new(AppRole)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ApplicationRegistration) DeepCopyInto(out *ApplicationRegistration) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec
- out.Status = in.Status
+ in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRegistration.
@@ -87,6 +103,7 @@ func (in *ApplicationRegistrationList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ApplicationRegistrationSpec) DeepCopyInto(out *ApplicationRegistrationSpec) {
*out = *in
+ out.InitialOwner = in.InitialOwner
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRegistrationSpec.
@@ -102,6 +119,12 @@ func (in *ApplicationRegistrationSpec) DeepCopy() *ApplicationRegistrationSpec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ApplicationRegistrationStatus) DeepCopyInto(out *ApplicationRegistrationStatus) {
*out = *in
+ in.TokenExchangePermissions.DeepCopyInto(&out.TokenExchangePermissions)
+ if in.RedirectURIs != nil {
+ in, out := &in.RedirectURIs, &out.RedirectURIs
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRegistrationStatus.
@@ -119,8 +142,8 @@ func (in *BootstrapApplicationRole) DeepCopyInto(out *BootstrapApplicationRole)
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
- out.Spec = in.Spec
- out.Status = in.Status
+ in.Spec.DeepCopyInto(&out.Spec)
+ in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BootstrapApplicationRole.
@@ -176,6 +199,11 @@ func (in *BootstrapApplicationRoleList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *BootstrapApplicationRoleSpec) DeepCopyInto(out *BootstrapApplicationRoleSpec) {
*out = *in
+ if in.LinkedGroups != nil {
+ in, out := &in.LinkedGroups, &out.LinkedGroups
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BootstrapApplicationRoleSpec.
@@ -191,6 +219,13 @@ func (in *BootstrapApplicationRoleSpec) DeepCopy() *BootstrapApplicationRoleSpec
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *BootstrapApplicationRoleStatus) DeepCopyInto(out *BootstrapApplicationRoleStatus) {
*out = *in
+ if in.Conditions != nil {
+ in, out := &in.Conditions, &out.Conditions
+ *out = make([]v1.Condition, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BootstrapApplicationRoleStatus.
@@ -203,6 +238,21 @@ func (in *BootstrapApplicationRoleStatus) DeepCopy() *BootstrapApplicationRoleSt
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InitialOwner) DeepCopyInto(out *InitialOwner) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InitialOwner.
+func (in *InitialOwner) DeepCopy() *InitialOwner {
+ if in == nil {
+ return nil
+ }
+ out := new(InitialOwner)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OidcReturnURI) DeepCopyInto(out *OidcReturnURI) {
*out = *in
@@ -298,7 +348,7 @@ func (in *ProjectLifecyclePolicy) DeepCopyInto(out *ProjectLifecyclePolicy) {
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec
- out.Status = in.Status
+ in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProjectLifecyclePolicy.
@@ -369,6 +419,13 @@ func (in *ProjectLifecyclePolicySpec) DeepCopy() *ProjectLifecyclePolicySpec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ProjectLifecyclePolicyStatus) DeepCopyInto(out *ProjectLifecyclePolicyStatus) {
*out = *in
+ if in.Conditions != nil {
+ in, out := &in.Conditions, &out.Conditions
+ *out = make([]v1.Condition, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProjectLifecyclePolicyStatus.
@@ -380,3 +437,28 @@ func (in *ProjectLifecyclePolicyStatus) DeepCopy() *ProjectLifecyclePolicyStatus
in.DeepCopyInto(out)
return out
}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenExchangePermissions) DeepCopyInto(out *TokenExchangePermissions) {
+ *out = *in
+ if in.Requests != nil {
+ in, out := &in.Requests, &out.Requests
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.Allowed != nil {
+ in, out := &in.Allowed, &out.Allowed
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenExchangePermissions.
+func (in *TokenExchangePermissions) DeepCopy() *TokenExchangePermissions {
+ if in == nil {
+ return nil
+ }
+ out := new(TokenExchangePermissions)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/docs/design/bootstrap_application_role_crd.md b/docs/design/bootstrap_application_role_crd.md
new file mode 100644
index 0000000000000000000000000000000000000000..a4f5a2e64bf53b9c6bf8d384e988ef3ac78f5de9
--- /dev/null
+++ b/docs/design/bootstrap_application_role_crd.md
@@ -0,0 +1,149 @@
+# BootstrapApplicationRole design proposal
+
+## Motivation
+
+Currently we need to create Application roles in Authz, as well any linkage between the roles and groups.
+See the following:
+- have the ability to create inital roles on ApplicationRegistration creation, this would replace ApplicationRegistration's `initialRoles` field.
+- need to have roles created at website creation on [Drupal](https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/219)
+
+The goal of `BootstrapApplicationRole` is to automate the creation of new roles, as well any required linkage with CERN Groups.
+Given it is `Bootstrap`, the goal is to set up an initial role and link it with groups in the app portal, on which the operator will never touch after, since the owner will manage it through the Application Portal.
+
+### Specification
+
+`BootstrapApplicationRoles`, like Applications, are identified by a unique name (For BootstrapApplicationRoles is `name` in the AuthzAPI, represented as `Role Identifier` in the Application Portal).
+A `BootstrapApplicationRole` may contain a list of CERN Groups, defined as `LinkedGroups` in the `spec`, to be linked with, each group can be identified as well with a single value (`groupIdentifier`).
+
+The `BootstrapApplicationRole` behavior will follow the following points.
+
+- It will create the `ApplicationRole` in the AuthzAPI once and **never** retrieve information from the AuthzAPI to the CR.
+- If changed/deleted in the AuthzAPI, any changes made in the AuthzAPI will be ignored.
+- If the CR is deleted, nothing will be done.
+
+If a `BootstrapApplicationRole` with the given `name` identifier exists in AuthzAPI, the `BootstrapApplicationRole` will do nothing.
+If it doesn't exist, it will be created.
+
+The `BootstrapApplicationRole` will only be created after all the requested `LinkedGroups` are found to exist: we won't modify anything once the role is created.
+
+Only 1 ApplicationRegistration is expected to exist per namespace,
+and is selected implicitly for the all these CustomResources to refer to.
+More ApplicationRegistrations in the project is *undefined behavior*.
+
+
+### CRDs
+
+This sample demonstrates the CRD design and how it would be configured for an application admininstator role:
+
+```yaml
+kind: BootstrapApplicationRole
+metadata:
+ # The resource's name is also the Role's identifier.
+ # Note: this is only possible because we assume a single Authz Application per namespace, therefore avoiding name collisions
+ name: administrator
+spec:
+ linkedGroups:
+ - Group1
+ - Group2
+ ## All the Spec fiels are based on the requirements from the API
+ # The equivalent of Role Name in the Application portal
+ displayName: "Application administrator"
+ # Brief description, required for Role creation
+ description: "Bearers of this role have administrator privileges in the application" #These fields are the ones asked from the ApplicationPortal
+ # Required to know if the role is required to access my application
+ roleRequired: false
+ # (From Application Portal): If checked, users must authenticate with Multifactor Authentication to be granted this role.
+ multifactorRequired: false
+ # (From Application Portal): if checked, this role will applied to all authenticated users, regardless of them belonging to any group or not. Use this option to define a role that is based only on the value of the Minimum Level of Assurance and/or usage of Multifactor authentication.
+ applyToAllUsers: false
+ # Level of assurance defines the accepted authentication providers, ranging from CERN identities (highest) to social accounts (public, therefore lowest)
+ # Default: 4
+ minLevelOfAssurance: 4 # CERN/EduGAIN
+status:
+ # Authz internal object ID of the associated Role
+ roleID: f4eb7b1a-70ad-41fe-91b7-021bdd341eef
+
+ conditions:
+ # Would be based on "github.com/operator-framework/operator-lib/status", struct:
+ # Condition struct {
+ # Type ConditionType `json:"type"`
+ # Status corev1.ConditionStatus `json:"status"`
+ # Reason ConditionReason `json:"reason,omitempty"`
+ # Message string `json:"message,omitempty"`
+ # LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"` }
+ # The spec is only used to create a new role.
+ # status: false if AuthzAPI returns unexpected error
+ - type: RoleCreated
+ status: true
+ reason: {RoleBootstrappedSuccessfully, RoleCreating, RoleAlreadyExists,RoleCreationError,GroupLinkError, WaitingForLinkedGroups}
+ Message: ""
+ LastTransitionTime: time
+```
+
+## ApplicationRole Reconcile pseudocode
+
+```golang
+func reconcile(){
+ // The watch would give us the BootstrapApplicationRole to reconcile
+ var applicationRole
+ // Get ApplicationList of the same namespace and validate that there is only one
+ applicationList := getApplicationList(applicationRole.namespace)
+ if len(applicationList) == 0{
+ // do nothing if there is no ApplicationRegistration.
+ log("No ApplicationRegistration found in namespace, nothing to do")
+ }
+ // it only makes sense that we have exactly one ApplicationRegistration in the namespace.
+ // Behavior is undefined is there are more than one.
+ // Just take the first one.
+ appreg := applicationList.Items[0]
+
+ // No need to check deletion timestamp since we won't have a finalizer and no extra work needed when applicationRole deleted
+
+ if applicationRole.Status == "" {
+ applicationRole.Status.Condition["RoleCreated"].Status = false
+ applicationRole.Status.Condition["RoleCreated"].Reason = "RoleCreating"
+ }
+
+ // Check if Role has been created, only if not we do something
+ if !applicationRole.Status.Condition["RoleCreated"].Status {
+ // First we check if role exists
+ // (Option 2 is try to create and check if identifier already exists, however error code is a bit generic (400) to parse, maybe with message "The identifier is already used by an existing account or application." although prone to failures)
+ exists, err := getRole(applicationRole, appreg); err != nil{
+ // Error will be from the API call itself, so we just return error and try again
+ return err
+ }
+ // If the Role exists, there will be nothing else to do, therefore no further reconciliation
+ if exists{
+ applicationRole.Status.Condition["RoleCreated"].Status = true
+ applicationRole.Status.Condition["RoleCreated"].Reason = "RoleAlreadyExists"
+ // Stop reconcile and do nothing else
+ return nil
+ }
+ // Check if Groups exist
+ groupIDs, exist, err := getGroupsFromAPI(applicationRole.Spec.LinkedGroups)
+ if !exist{
+ applicationRole.Status.Condition["RoleCreated"].Status = false
+ applicationRole.Status.Condition["RoleCreated"].Reason = "WaitingForLinkedGroups"
+ applicationRole.Status.Condition["RoleCreated"].Message = "ListOfMissingGroups" // Message will be filled with all the missing Groups
+ // This will requeue ***with exponential back-off*** the CR to check if the groups already exist
+ return err
+ }
+ appID, err := createApplicationRoleInAuthzAPI(applicationRole, appreg); err != nil{
+ // Based on error, restart reconcile
+ applicationRole.Status.Condition["RoleCreated"].Status = false
+ applicationRole.Status.Condition["RoleCreated"].Reason = "RoleCreationError"
+ return err
+ }
+ err := LinkGroupsToRole(appID, groupIDs)
+ if err !=nil{
+ // Based on error, restart reconcile
+ applicationRole.Status.Condition["RoleCreated"].Status = false
+ applicationRole.Status.Condition["RoleCreated"].Reason = "GroupLinkError"
+ return err
+ }
+ applicationRole.Status.Condition["RoleCreated"].Status = true
+ applicationRole.Status.Condition["RoleCreated"].Reason = "RoleBootstrappedSuccessfully"
+ }
+ // If already in "RoleCreated", nothing to do
+}
+```
diff --git a/docs/design/bootstrap_cern_group_crd.md b/docs/design/bootstrap_cern_group_crd.md
new file mode 100644
index 0000000000000000000000000000000000000000..ec1f81618a8555273acbb7d5e07538ce65f05ab8
--- /dev/null
+++ b/docs/design/bootstrap_cern_group_crd.md
@@ -0,0 +1,94 @@
+
+# Why?
+
+We need to be able to **only** create new CERN Groups through the AuthzAPI, this will be defined with `BootstrapCERNGroup` CRD and a controller to reconcile it.
+Given it is `Bootstrap`, the goal is to create a group in the app portal, on which the operator will never touch after since it's expected that the site owner will manage the Group on the Application Portal.
+
+Only 1 ApplicationRegistration is expected to exist per namespace,
+and is selected implicitly for the all these CustomResources to refer to.
+More ApplicationRegistrations in the project is *undefined behavior*.
+
+
+## CERNGroup CRD
+
+```yaml
+kind: BootstrapCERNGroups
+metadata:
+ # The resource's name is also the Group's identifier.
+ # Note: this is only possible because we assume a single Authz Application per namespace, therefore avoiding name collisions (Same as ApplicationRole)
+ name: {$WEBSITE_NAME}-admin-group
+spec:
+ # All the fields bellow are the ones required to create a new Group, we can remove some to have them defaulted with a value (Ex: `selfSubscritiptionType: "Closed"` )
+ # GroupIdentifier and displayName are two string names to give when creating a Group, we may use metadata.name for both these fields, otherwise we should give these as extra fields on the spec
+ # TODO: Confirm that these are sufficient, creating as an user gets `401` , "message": "You are not allowed to change this group due to synchronization constraints."
+ # owner can be retrieved from ApplicationRegistration ?
+ owner: TODO
+ public: "True"
+ description: "This is the admin group of $WEBSITE"
+ # administratorId to be checked if required and if we want to implement in case of optional
+ administratorId:
+ approvalRequired: "true"
+ selfSubscriptionType: "Closed" # Three types available , [ Closed, Open, CernUsers ]
+ privacyType: "Admins" # Three types available , [ Open, Members, Admins ]
+ syncType: "Slave" # There are 4 types, [ Slave, SlaveWithPlaceholders, Master, SyncError ], slave is default, TODO: check what each type means
+status:
+ # Authz internal object ID of the associated Role
+ groupID: fcsda12412-70ad-41fe-91b7-erg241csao91
+ # All available status conditions shown together with errors, deviating from the example
+ status:
+ conditions:
+ - type: GroupCreated
+ status: true
+ reason: {GroupBootstrappedSuccessfully,GroupCreating, GroupAlreadyExists ,ErrorCreating , GroupCreated}
+ Message: ""
+ LastTransitionTime: time
+```
+
+## CERNGroup Reconcile pseudocode
+
+```golang
+func reconcile(){
+ // The watch would give us the CERNGroup to reconcile
+ var cernGroup
+ // Get ApplicationList of the same namespace and validate that there is only one
+ applicationList := getApplicationList(applicationRole.namespace)
+ if len(applicationList) == 0{
+ // do nothing if there is no ApplicationRegistration.
+ log("No ApplicationRegistration found in namespace, nothing to do")
+ }
+ // it only makes sense that we have exactly one ApplicationRegistration in the namespace.
+ // Behavior is undefined is there are more than one.u
+ // Just take the first one.
+ appreg := applicationList.Items[0]
+ // No need to check deletion timestamp since we won't have a finalizer and no extra work needed when applicationRole deleted
+ if cernGroup.Status == ""{
+ cernGroup.Status.Condition["GroupCreated"].Status = false
+ cernGroup.Status.Condition["GroupCreated"].Reason = "GroupCreating"
+ }
+ // Check if group has been created
+ if !cernGroup.Status.Condition["GroupCreated"].Status {
+ // First we check if group exists
+ exists, err := getGroup(cernGroup, appreg); err != nil{
+ // Error will be from the API call itself, so we just return error and try again
+ return err
+ }
+ // If the Group exists, there will be nothing else to do, therefore no further reconciliation
+ if exists{
+ cernGroup.Status.Condition["GroupCreated"].Status = true
+ cernGroup.Status.Condition["GroupCreated"].Reason = "GroupAlreadyExists"
+ // Stop reconcile and do nothing else
+ return nil
+ }
+ // createGroup will create the Group in API, and in case it fails, will return error
+ err := createGroup(cernGroup); err != nil{::
+ // Based on error, this will likely be triggered by errors in the AuthzAPI call, we restart reconcile in this case to try again
+ cernGroup.Status.Condition["GroupCreated"].Status= false
+ cernGroup.Status.Condition["GroupCreated"].Reason = "GroupCreationError"
+ return err
+ }
+ cernGroup.Status.Condition["GroupCreated"].Status = true
+ cernGroup.Status.Condition["GroupCreated"].Reason = "GroupBootstrappedSuccessfully"
+ }
+ // If has been created, nothing to do
+}
+```
diff --git a/docs/design/managed_application_role_crd.md b/docs/design/managed_application_role_crd.md
new file mode 100644
index 0000000000000000000000000000000000000000..128127a970ec898ae83c1651de5c26830bb60bc7
--- /dev/null
+++ b/docs/design/managed_application_role_crd.md
@@ -0,0 +1,172 @@
+## IMPORTANT: This document is incomplete as we have yet no use case for this CRD therefore some parts of the behavior/spec are to be defined
+
+# ManagedApplicationRole design proposal
+
+
+## Motivation
+
+Currently we need to create Application roles in Authz, as well any linkage between the roles and groups.
+See the following:
+- have the ability to fully define in-cluster the desired state in Authz, so OKD is the source of truth for the role definitions (with a specific webframeworks UI for role management).
+ While we initially decided to not replicate the role-management functionality of the Application Portal, we are reconsidering following [an incident where ApplicationRegistrations were deleted](https://gitlab.cern.ch/paas-tools/okd4-install/-/blob/bdef0cf1857e668ce5cc4478cea8cc149559d33d/docs/troubleshooting/recover-deleted-appregs.md)
+- need to have roles created at website creation on [Drupal](https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/219)
+
+The goal of `ManagedApplicationRole` is to fully manage new roles, as well any required linkage with CERN Groups.
+
+### Specification
+
+`ManagedApplicationRoles`, like Applications, are identified by a single value (For ApplicationRoles is `name` in the AuthzAPI).
+A `ManagedApplicationRole` may contain a list of CERN Groups, defined as `LinkedGroups` in the `spec`, to be linked with, each group can be identified as well with a single value (`groupIdentifier`).
+
+The `ManagedApplicationRole` behavior will be based on the following:
+- The `ManagedApplicationRole` will be fully managed by the CR's spec.
+- There is a **need** for ownership information to be stored in the AuthzAPI to enable recreation/migration between clusters.
+- If deleted or changed in the AuthzAPI, the resource will be reacreated as described in the `Spec`.
+- If the CR is deleted, the Role will be deleted from the AuthzAPI (this is not extended to CERN Groups).
+- If while creating, already exists in the API, validate that we are owners/administrators in order to enforce `Spec`, otherwise go to error state?
+
+If a ManagedApplicationRole with the given `name` exists in AuthzAPI, it will be *recreated* and values will be overwritten.
+If it doesn't exist, it will be created.
+
+The `ManagedApplicationRole` will only be created after guaranteing that all the `LinkedGroups` exist.
+
+Only 1 ApplicationRegistration is expected to exist per namespace,
+and is selected implicitly for the all these CustomResources to refer to.
+More ApplicationRegistrations in the project is *undefined behavior*.
+
+
+### CRDs
+
+This sample demonstrates the CRD design and how it would be configured for an application admininstator role:
+
+```yaml
+kind: ManagedApplicationRole
+metadata:
+ # The resource's name is also the Role's identifier.
+ # Note: this is only possible because we assume a single Authz Application per namespace, therefore avoiding name collisions
+ name: administrator
+spec:
+ linkedGroups:
+ - Group1
+ - Group2
+ ## All the Spec fiels are based on the requirements from the API
+ # The equivalent of Role Name in the Application portal
+ displayName: "Application administrator"
+ # Brief description, required for Role creation
+ description: "Bearers of this role have administrator privileges in the application" #These fields are the ones asked from the ApplicationPortal
+ # Required to know if the role is required to access my application
+ roleRequired: false
+ # (From Application Portal): If checked, users must authenticate with Multifactor Authentication to be granted this role.
+ multifactorRequired: false
+ # (From Application Portal): if checked, this role will applied to all authenticated users, regardless of them belonging to any group or not. Use this option to define a role that is based only on the value of the Minimum Level of Assurance and/or usage of Multifactor authentication.
+ applyToAllUsers: false
+ # Level of assurance defines the accepted authentication providers, ranging from CERN identities (highest) to social accounts (public, therefore lowest)
+ # Default: 4
+ minLevelOfAssurance: 4 # CERN/EduGAIN
+status:
+ conditions:
+ # Would be based on "github.com/operator-framework/operator-lib/status", struct:
+ # Condition struct {
+ # Type ConditionType `json:"type"`
+ # Status corev1.ConditionStatus `json:"status"`
+ # Reason ConditionReason `json:"reason,omitempty"`
+ # Message string `json:"message,omitempty"`
+ # LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"` }
+ # The spec is only used to create a new role.
+ # status: false if AuthzAPI returns unexpected error
+ - type: SyncedRole
+ status: true
+ reason: {RoleCreating,RoleAlreadyExists,RoleErrorUpdating, RoleCreationError}
+ Message: ""
+ LastTransitionTime: time
+ - type : LinkedGroupsFound
+ #if groups not found, set to false
+ status: true
+ # if false, maybe list the groups that are missing here?
+ reason: {}
+```
+
+## ApplicationRole Reconcile pseudocode
+
+```golang
+func reconcile(){
+ // The watch would give us the ManagedApplicationRole to reconcile
+ var applicationRole
+ // Get ApplicationList of the same namespace and validate that there is only one
+ applicationList := getApplicationList(applicationRole.namespace)
+ if len(applicationList) == 0{
+ // do nothing if there is no ApplicationRegistration.
+ log("No ApplicationRegistration found in namespace, nothing to do")
+ }
+ // it only makes sense that we have exactly one ApplicationRegistration in the namespace.
+ // Behavior is undefined is there are more than one.
+ // Just take the first one.
+ appreg := applicationList.Items[0]
+
+ // First check if there is a deletion timestamp
+ if applicationRole.GetDeletionTimestamp() != nil{
+ if !applicationRole.Spec.CreateOnly{
+ err := deleteApplicationRoleInAuthzAPI(applicationRole)
+ if err != nil{
+ // Error deleting, we re-do reconciliation
+ return err
+ }
+ }
+ removeApplicationRoleFinalizer(applicationRole)
+ }
+
+ if applicationRole.Status == ""{
+ applicationRole.Status["SyncedRole"].Status = false
+ applicationRole.Status["SyncedRole"].Reason = "RoleCreating"
+ }
+
+ // This IF would be wrapped inside a function
+ if applicationRole.Status["SyncedRole"].Reason == "RoleCreating" || applicationRole.Status["SyncedRole"].Reason == "RoleCreationError" {
+ // First fetch Role and confirm we are owners/admins in case it exists, otherwise we will create and be owners/admins
+ existsAndNotAdmin, err := getApplicationRole(applicationRole, appreg); err != nil{
+ // Based on error, restart reconcile
+ applicationRole.Status["SyncedRole"].Status = false
+ applicationRole.Status["SyncedRole"].Reason = "RoleCreationError"
+ return err
+ }
+ if existsAndNotAdmin{
+ // this is a permanent error, so no reconciliation will be made again
+ applicationRole.Status["SyncedRole"].Status = false
+ applicationRole.Status["SyncedRole"].Reason = "RoleCreationError"
+ return nil
+ }
+ groupIDs, exist, err := getGroupsFromAPI(applicationRole.Spec.LinkedGroups)
+ if !exist{
+ applicationRole.Status.Condition.Type["LinkedGroupsFound"].Status = false
+ // We will not requeue and proceed with Role creation, the LinkedGroups will be retried on `enforceSpec`
+ }else{
+ applicationRole.Status.Condition.Type["LinkedGroupsFound"].Status = true
+ }
+ // create Role will check if the Role is in API:
+ // If not in API, just create, otherwise will override *IF* we are owners/administrators
+ appID, err := createRole(applicationRole, appreg); err != nil{
+ // Based on error, restart reconcile
+ applicationRole.Status.Condition.Reason = "RoleCreationError"
+ return err
+ }
+ if applicationRole.Status.Condition["LinkedGroupsFound"].Status{
+ err := LinkGroupsToRole(appID, groupIDs)
+ if err !=nil{
+ // Based on error, restart reconcile
+ applicationRole.Status.Condition.Reason = "RoleCreationError"
+ }
+ }
+ applicationRole.Status.Condition["SyncedRole"].Status = true
+ applicationRole.Status.Condition.Reason = "RoleCreated"
+ }
+
+ err != enforceSpecOnAuthzAPI(applicationRole.Spec)
+ if err != nil{
+ applicationRole.Status.Condition["SyncedRole"].Reason = "RoleErrorUpdating"
+ applicationRole.Status.Condition["SyncedRole"].Status = false
+ return err
+ }
+ applicationRole.Status.Condition["SyncedRole"].Status = true
+ applicationRole.Status.Condition["SyncedRole"].Reason = "RoleCreated"
+}
+```
diff --git a/docs/design/managed_cern_group_crd.md b/docs/design/managed_cern_group_crd.md
new file mode 100644
index 0000000000000000000000000000000000000000..cb7bd34947ad0f4c380435b00664949660c941ff
--- /dev/null
+++ b/docs/design/managed_cern_group_crd.md
@@ -0,0 +1,95 @@
+## IMPORTANT: This document is incomplete as we have yet no use case for this CRD therefore some parts of the behavior/spec are to be defined
+
+# Why?
+
+We need to be able to create and **manage** new CERN Groups through the AuthzAPI, this will be defined with `ManagedCERNGroup` CRD and a controller to reconcile it.
+
+
+The `ManagedCernGroup`, like in `ManagedApplicationRole`, will have the behavior based on the following:
+- The `ManagedCernGroup` will be fully managed by the CR's spec.
+- There is a **need** for ownership information to be stored in the AuthzAPI to enable recreation/migration between clusters.
+- If deleted or changed in the AuthzAPI, the resource will be reacreated as described in the `Spec`.
+- If the CR is deleted, the Group will be deleted from the AuthzAPI (?) //TODO: Confirm this action once completed
+- If while creating, already exists in the API, validate that we are owners/administrators in order to enforce `Spec`, otherwise go to error state?
+
+
+Only 1 ApplicationRegistration is expected to exist per namespace,
+and is selected implicitly for the all these CustomResources to refer to.
+More ApplicationRegistrations in the project is *undefined behavior*.
+
+
+## CERNGroup CRD
+
+```yaml
+kind: ManagedCernGroup
+metadata:
+ # The resource's name is also the Group's identifier.
+ # Note: this is only possible because we assume a single Authz Application per namespace, therefore avoiding name collisions (Same as ApplicationRole)
+ name: {$WEBSITE_NAME}-admin-group
+spec:
+# All the fields bellow are the ones required to create a new Group, we can remove some to have them defaulted with a value (Ex: `selfSubscritiptionType: "Closed"` )
+ # TODO: Confirm that these are sufficient, creating as an user gets `401`
+ # owner can be retrieved from ApplicationRegistration ?
+ owner: TODO
+ public: "True"
+ description: "This is the admin group of $WEBSITE"
+ # administratorId to be checked if required and if we want to implement in case of optional
+ administratorId:
+ approvalRequired: "true"
+ selfSubscriptionType: "Closed" # Three types available , [ Closed, Open, CernUsers ]
+ privacyType: "Admins" # Three types available , [ Open, Members, Admins ]
+ syncType: "Slave" # There are 4 types, [ Slave, SlaveWithPlaceholders, Master, SyncError ], slave is default, TODO: check what each type means"
+status:
+ # Authz internal object ID of the associated Role
+ groupID: fcsda12412-70ad-41fe-91b7-erg241csao91
+ # All available status conditions shown together with errors, deviating from the example
+ status:
+ conditions:
+ - type: CreatedGroup
+ status: true
+ reason: {Creating, ErrorCreating}
+ - type: SyncedGroup
+ status: true
+ reason: {ErrorUpdating}
+ Message: ""
+ LastTransitionTime: time
+```
+
+## CERNGroup Reconcile pseudocode
+
+```golang
+func reconcile(){
+ // The watch would give us the CernGroup to reconcile
+ var cernGroup
+ // First check if there is a deletion timestamp
+ if cernGroup.GetDeletionTimestamp() != nil{
+ err := deleteGroupLink(cernGroup)
+ if err != nil{
+ // Error happened during AuthzAPI call, let's retry
+ return err
+ }
+ removeFinalizer(cernGroup)
+ }
+ if !cernGroup.Status.Condition["CreatedGroup"].Status {
+ // createGroup will check if the Group is in API
+ // If not in API: create it
+ // If in API, confirm that is owned by the same CR, then force spec
+ err := createGroup(cernGroup); err != nil{
+ // Based on error, restart reconcile
+ cernGroup.Status.Condition["CreatedGroup"].status = false
+ cernGroup.Status.Condition["CreatedGroup"].reason = "GroupCreationError"
+ return err
+ }
+ cernGroup.Status.Condition["CreatedGroup"].reason = ""
+ cernGroup.Status.Condition["CreatedGroup"].status = true
+ }
+ err != enforceSpecOnAuthzAPI(cernGroup.Spec)
+ if err != nil{
+ cernGroup.Status.Condition["SyncedGroup"].status= false
+ cernGroup.Status.Condition["SyncedGroup"].reason= "ErrorUpdating"
+ return err
+ }
+ cernGroup.Status.Condition["SyncedGroup"].status= true
+ cernGroup.Status.Condition["SyncedGroup"].reason= ""
+}
+```
diff --git a/docs/notes/OperatorDescription.md b/docs/notes/OperatorDescription.md
new file mode 100755
index 0000000000000000000000000000000000000000..b7952741593c8e39acee596600261f1b2400908a
--- /dev/null
+++ b/docs/notes/OperatorDescription.md
@@ -0,0 +1,25 @@
+Operator for SSO registration:
+
+
+
+```graphviz
+graph graphname {
+ Keycloak [style="rounded,filled"]
+ Authorization_Service_API [style="rounded,filled"]
+
+ Authorization_Service_API -- SSO_Operator[color="orange"];
+ SSO_Operator -- Keycloak [color="blue"];
+ Authorization_Service_API -- Swagger[color="orange"];
+ Authorization_Service_API -- Application_Portal[color="orange"];
+ Swagger -- Keycloak[color="blue"];
+ Application_Portal -- Keycloak[color="blue"];
+ }
+```
+
+The grey elements are services.
+The white elements are clients.
+The lines represent communcation channels.
+
+
+The workflow of **Swagger** and the **Application Portal** are similar to the **SSO Registration Operator** when it comes to communicating with the **Authorization Service API**.
+They first communicate with **Keycloak**, where they retrieve a token that is then used on requests with the **Authorization Service API** .
diff --git a/docs/notes/api-notes.md b/docs/notes/api-notes.md
new file mode 100755
index 0000000000000000000000000000000000000000..56d2493a18a3ff2f2f0bc398bf4f5223aaa64dfb
--- /dev/null
+++ b/docs/notes/api-notes.md
@@ -0,0 +1,52 @@
+API notes
+---
+
+# Web UI breakdown
+
+## Add an Application
+
+* Note: OPTIONS -> "preflighted" requests (check if it's safe to send the actual req)
+Also [discover verbs for resource](http://zacstewart.com/2012/04/14/http-options-method.html)
+
+init
+- get apiToken
+- get Request/my (get all requests created by me)
+- get Application/my (get all apps owned/admin by me)
+- get `Request/to_approve`
+
+groups
+- get Group?filter=...
+- get Group/{groupId}
+
+submit
+- post Application
+
+## Edit app
+
+- get Application/{appId}
+- get Application/{appId}/roles
+- get Registration/{appId}
+- get Identity/{identityId}
+- get Group/{appId}
+
+SSOReg
+- get Registration/Providers -> OIDC
+- post Registration/{appId}/{authId} -> includes regist secret
+- get Registration/{regId}/secret ?
+
+RoleReg
+- bunch of GETs
+- POST Application/{appId}/roles
+
+GroupXRole
+- get Application/{appId}/roles/{roleId}
+- get Application/{appId}/roles/{roleId}/groups
+- post Application/{appId}/roles/{roleId}/groups/{groupId}
+
+## OIDC Registration
+
+token exchange permissions
+- get api/v1.0/Registration/{providerId}/search?filter=registrationName%3Astartswith%3Aauthoriza&sort=registrationName
+- PUT api/v1.0/Registration/{regId}/token-exchange-request/{allowedRegId}
+- get api/v1.0/Registration/{regId}/token-exchange-permission/allowed
+- get api/v1.0/Registration/{regId}/token-exchange-permission/granted
diff --git a/docs/notes/curl_keycloak b/docs/notes/curl_keycloak
new file mode 100755
index 0000000000000000000000000000000000000000..ea4ee2214c8f3b86db4dd7aa802f4da5b4f4d8e0
--- /dev/null
+++ b/docs/notes/curl_keycloak
@@ -0,0 +1 @@
+curl -XPOST https://keycloak-dev.cern.ch/auth/realms/cern/protocol/openid-connect/token -d "grant_type=client_credentials&client_id=testauthbroker&client_secret=b40098d5-0cdc-482b-a4a3-f11508446321"
diff --git a/internal/apicache/apicache_impl.go b/internal/apicache/apicache_impl.go
new file mode 100644
index 0000000000000000000000000000000000000000..82f0b2fff897c563c74ae3840ad11aaab1a4a911
--- /dev/null
+++ b/internal/apicache/apicache_impl.go
@@ -0,0 +1,95 @@
+package apicache
+
+import (
+ cache "github.com/pmylund/go-cache"
+ "gitlab.cern.ch/paas-tools/operators/authz-operator/internal/authzapireq"
+)
+
+func (c *AuthzCache) LookupUserId(username string) (string, error) {
+ var user authzapireq.APIIdentity
+ obj, exists := c.IdentityCache.Get(username)
+ if !exists {
+ user, err := c.AuthzClient.GetIdentity(username)
+ if err != nil {
+ return "", err
+ }
+ // store it in the cache. Collisions between user ID and Name excluded as Authz API accepts either name or ID in API URL paths.
+ c.IdentityCache.Set(user.ID, user, cache.DefaultExpiration)
+ c.IdentityCache.Set(user.Upn, user, cache.DefaultExpiration)
+ } else {
+ user = obj.(authzapireq.APIIdentity)
+ }
+ return user.ID, nil
+}
+
+func (c *AuthzCache) GetIdentity(id string) (authzapireq.APIIdentity, error) {
+ var user authzapireq.APIIdentity
+ obj, exists := c.IdentityCache.Get(id)
+ if !exists {
+ // does not exists in cache, ask Authz API
+ user, err := c.AuthzClient.GetIdentity(id)
+ if err != nil {
+ return user, err
+ }
+
+ // store it in the cache. Collisions between user ID and Name excluded as Authz API accepts either name or ID in API URL paths.
+ c.IdentityCache.Set(user.ID, user, cache.DefaultExpiration)
+ c.IdentityCache.Set(user.Upn, user, cache.DefaultExpiration)
+ } else {
+ user = obj.(authzapireq.APIIdentity)
+ }
+ return user, nil
+}
+
+func (c *AuthzCache) LookupGroupId(groupname string) (string, error) {
+ var group authzapireq.APIGroup
+ obj, exists := c.IdentityCache.Get(groupname)
+ if !exists {
+ group, err := c.AuthzClient.GetGroup(groupname)
+ if err != nil {
+ return "", err
+ }
+ // store it in the cache. Collisions between group ID and Name excluded as Authz API accepts either name or ID in API URL paths.
+ c.GroupCache.Set(group.ID, group, cache.DefaultExpiration)
+ c.GroupCache.Set(group.GroupIdentifier, group, cache.DefaultExpiration)
+ } else {
+ group = obj.(authzapireq.APIGroup)
+ }
+ return group.ID, nil
+}
+
+func (c *AuthzCache) GetGroup(id string) (authzapireq.APIGroup, error) {
+ var group authzapireq.APIGroup
+ obj, exists := c.GroupCache.Get(id)
+ if !exists {
+ // does not exists in cache, ask Authz API
+ group, err := c.AuthzClient.GetGroup(id)
+ if err != nil {
+ return group, err
+ }
+
+ // store it in the cache
+ c.GroupCache.Set(id, group, cache.DefaultExpiration)
+ } else {
+ group = obj.(authzapireq.APIGroup)
+ }
+ return group, nil
+}
+
+func (c *AuthzCache) GetLoA(id string) (string, error) {
+ var loa string
+ obj, exists := c.LoACache.Get(id)
+ if !exists {
+ // does not exists in cache, ask Authz API
+ loa, err := c.AuthzClient.GetLoA(id)
+ if err != nil {
+ return loa, err
+ }
+
+ // store it in the cache
+ c.LoACache.Set(id, loa, cache.DefaultExpiration)
+ } else {
+ loa = obj.(string)
+ }
+ return loa, nil
+}
diff --git a/internal/apicache/apicache_interface.go b/internal/apicache/apicache_interface.go
new file mode 100644
index 0000000000000000000000000000000000000000..0c3a290ac19c36d6e90f64bb786848ce4a9543d3
--- /dev/null
+++ b/internal/apicache/apicache_interface.go
@@ -0,0 +1,53 @@
+package apicache
+
+import (
+ "time"
+
+ "gitlab.cern.ch/paas-tools/operators/authz-operator/internal/authzapireq"
+
+ "github.com/go-logr/logr"
+
+ cache "github.com/pmylund/go-cache"
+)
+
+// ApiCacheClient will allow to access any of the required API caches
+type AuthzAPICache interface {
+ GetIdentity(id string) (authzapireq.APIIdentity, error)
+ GetGroup(id string) (authzapireq.APIGroup, error)
+
+ LookupUserId(name string) (string, error)
+ LookupGroupId(name string) (string, error)
+
+ // Applications and Roles are never cached since they should be reconciled ASAP
+}
+
+// AuthzCache is an meta cache object containing all required caches
+type AuthzCache struct {
+ logr.Logger
+ // AuthzClient will be used to communicate with Authz API
+ AuthzClient authzapireq.AuthzClient
+ // GroupCache is the Cache of Groups in Authz
+ GroupCache cache.Cache
+ // IdentityCache is the Cache of Identities in Authz
+ IdentityCache cache.Cache
+ // LoACache is the Cache of Assurances Levels in Authz
+ LoACache cache.Cache
+}
+
+// NewAuthzCacheClient will return a custom cache containing all the required caches
+func NewApiCacheClient(log logr.Logger, authz authzapireq.AuthzClient) AuthzCache {
+ // user and group metadata can be cached for up to one week
+ // since this information changes infrequently
+ IdentityCache := cache.New(7*24*time.Hour, 1*time.Hour)
+ GroupCache := cache.New(7*24*time.Hour, 1*time.Hour)
+ // LoA levels can be cached forever, we don't expect them to change
+ LoACache := cache.New(cache.NoExpiration, cache.NoExpiration)
+
+ return AuthzCache{
+ Logger: log,
+ AuthzClient: authz,
+ GroupCache: *GroupCache,
+ IdentityCache: *IdentityCache,
+ LoACache: *LoACache,
+ }
+}
diff --git a/internal/authzapireq/access_token.go b/internal/authzapireq/access_token.go
new file mode 100755
index 0000000000000000000000000000000000000000..9886590d5452f4ef0e76f4fd4a5d49377e7a572b
--- /dev/null
+++ b/internal/authzapireq/access_token.go
@@ -0,0 +1,101 @@
+package authzapireq
+
+import (
+ "encoding/json"
+ "net/url"
+ "os"
+ "strings"
+
+ "github.com/coreos/go-oidc"
+ "golang.org/x/oauth2"
+ "golang.org/x/oauth2/clientcredentials"
+)
+
+// AccessToken returns a signed token claiming the client's identity and potentially a specific audience,
+// with a token exchange in that case. If a valid token exists, it reuses it.
+//
+// TODO(fborgesa): we shouldn't return the base64 encoded string, but a parsed JSON. Check with
+// [JWT](https://pkg.go.dev/gopkg.in/square/go-jose.v2/jwt) package
+func getAccessToken(audience string, clientID, clientSecret string, provider *oidc.Provider, verifier *oidc.IDTokenVerifier) (oauth2.Token, error) {
+ // Initialize
+ var err error
+ getToken := func(c clientcredentials.Config) (oauth2.Token, error) {
+ client := c.Client(oauth2.NoContext)
+ resp, err := client.PostForm(c.TokenURL, valuesFromConfig(c))
+ if err != nil || resp.StatusCode > 201 {
+ return oauth2.Token{}, err
+ }
+ defer resp.Body.Close()
+ var token oauth2.Token
+ json.NewDecoder(resp.Body).Decode(&token)
+ _, err = verifier.Verify(oauth2.NoContext, token.AccessToken)
+ if err != nil {
+ return oauth2.Token{}, err
+ }
+ return token, nil
+ }
+
+ var audiencedToken oauth2.Token
+ endpointParams := url.Values{"grant_type": {"client_credentials"}}
+ if audience != "" {
+ endpointParams["audience"] = []string{audience}
+ }
+ audiencedToken, err = getToken(clientcredentials.Config{
+ ClientID: clientID,
+ ClientSecret: clientSecret,
+ TokenURL: urlJoin(os.Getenv("KC_ISSUER_URL"), TokenURL),
+ EndpointParams: endpointParams,
+ })
+ if err != nil {
+ return oauth2.Token{}, err
+ }
+ return audiencedToken, nil
+}
+
+func valuesFromConfig(c clientcredentials.Config) url.Values {
+ v := url.Values{}
+ if c.EndpointParams != nil {
+ v = c.EndpointParams
+ }
+ if c.ClientID != "" {
+ v.Set("client_id", c.ClientID)
+ }
+ if c.ClientSecret != "" {
+ v.Set("client_secret", c.ClientSecret)
+ }
+ return v
+}
+
+type tokenCache struct {
+ Token oauth2.Token
+ provider *oidc.Provider
+ verifier *oidc.IDTokenVerifier
+}
+
+func (tc *tokenCache) init(c *AuthzClientHTTP) (err error) {
+ tc.provider, err = oidc.NewProvider(oauth2.NoContext, c.issuerURL.String())
+ if err != nil {
+ return err
+ }
+ tc.verifier = tc.provider.Verifier(&oidc.Config{ClientID: c.clientID, SkipClientIDCheck: true})
+ tc.Token, err = getAccessToken("authorization-service-api",
+ c.clientID, c.clientSecret, tc.provider, tc.verifier)
+ return err
+}
+
+func (tc *tokenCache) refresh(c *AuthzClientHTTP) error {
+ _, err := tc.verifier.Verify(oauth2.NoContext, tc.Token.AccessToken)
+ if err != nil {
+ if strings.Contains(err.Error(), "oidc: token is expired") {
+ c.Logger.Info(err.Error() + " and will be refreshed")
+ err = nil
+ }
+ token, err := getAccessToken("authorization-service-api",
+ c.clientID, c.clientSecret, tc.provider, tc.verifier)
+ if err != nil {
+ return err
+ }
+ tc.Token = token
+ }
+ return err
+}
diff --git a/internal/authzapireq/authzclient_impl.go b/internal/authzapireq/authzclient_impl.go
new file mode 100644
index 0000000000000000000000000000000000000000..af2a22ae8076204824ca4279886fd426958ee974
--- /dev/null
+++ b/internal/authzapireq/authzclient_impl.go
@@ -0,0 +1,399 @@
+package authzapireq
+
+import (
+ "bytes"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "net/http"
+ "net/url"
+
+ "github.com/go-logr/logr"
+)
+
+// AuthzClientHTTP is an http client authorized to talk with the authzsvc API
+type AuthzClientHTTP struct {
+ http.Client
+ logr.Logger
+ tokenCache
+ clientID string
+ clientSecret string
+ issuerURL url.URL
+ authzURL url.URL
+ // managerID is the Application ID of this client in the Authzsvc API
+ managerID string
+ // oidcProviderID is the requested ID for Creating OIDC credentials in application
+ oidcProviderID string
+ // applicationsPerPage defines how many Applications are retrieved per page when fetching multple applications through pagination
+ applicationsPerPage string
+}
+
+func (c *AuthzClientHTTP) IssuerURL() string { return c.issuerURL.String() }
+
+// ManagerID returns the API ID of this AuthzAPI client's Application registration
+func (c *AuthzClientHTTP) ManagerID() string {
+ if c.managerID == "" {
+ managerIDApp, err := c.getApp(Application.Cat("?filter=applicationIdentifier:" + c.clientID))
+ if err != nil || managerIDApp.IdentityID == "" {
+ c.Logger.Error(err, "Failed to get manager ID")
+ return ""
+ }
+ c.managerID = managerIDApp.IdentityID
+ }
+ return c.managerID
+}
+
+// OidcProviderID returns the API ID of this AuthzAPI client's Application registration
+func (c *AuthzClientHTTP) OidcProviderID() string {
+ if c.oidcProviderID == "" {
+ oidcProviderID, err := c.GetRegistrationProvider("openid_connect")
+ if err != nil || oidcProviderID == "" {
+ c.Logger.Error(err, "Failed to get OIDC Provider ID")
+ return ""
+ }
+ c.oidcProviderID = oidcProviderID
+ }
+ return c.oidcProviderID
+}
+
+// Post authorized req to Authzsvc API
+// Errors: what happens if the accessToken is empty? It's the caller's problem.
+func (c *AuthzClientHTTP) Post(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error) {
+ req, err := http.NewRequest("POST", join(c.authzURL, cmd), body)
+ if err != nil {
+ return nil, err
+ }
+ c.addHeaders(req)
+ c.Logger.V(6).Info("POSTing to Authz API", "url", req.URL)
+ return c.Do(req)
+}
+
+// Get authorized req from Authzsvc API
+func (c *AuthzClientHTTP) Get(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error) {
+ req, err := http.NewRequest("GET", join(c.authzURL, cmd), body)
+ if err != nil {
+ return nil, err
+ }
+ c.addHeaders(req)
+ c.Logger.V(6).Info("GETting from Authz API", "url", req.URL)
+ return c.Do(req)
+}
+
+// Put authorized req from Authzsvc API
+func (c *AuthzClientHTTP) Put(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error) {
+ req, err := http.NewRequest("PUT", join(c.authzURL, cmd), body)
+ if err != nil {
+ return nil, err
+ }
+ c.addHeaders(req)
+ c.Logger.V(6).Info("PUTting to Authz API", "url", req.URL)
+ return c.Do(req)
+}
+
+// Delete authorized req from Authzsvc API
+func (c *AuthzClientHTTP) Delete(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error) {
+ req, err := http.NewRequest("DELETE", join(c.authzURL, cmd), body)
+ if err != nil {
+ return nil, err
+ }
+ c.addHeaders(req)
+ c.Logger.V(6).Info("DELETEing from Authz API", "url", req.URL)
+ return c.Do(req)
+}
+
+// GetIdentity returns information about a user account
+func (c *AuthzClientHTTP) GetIdentity(id string) (APIIdentity, error) {
+ var user APIIdentity
+ if id == "" {
+ return user, fmt.Errorf("GetIdentity: no identifier specified")
+ }
+ httpResponse, err := c.Get(Identity.Join("/"+id), nil)
+ if err != nil {
+ return user, err
+ }
+ respBody, err := ioutil.ReadAll(httpResponse.Body)
+ if err != nil {
+ return user, err
+ }
+
+ switch {
+ case httpResponse.StatusCode == 401:
+ return user, ErrUnauthorized
+ case httpResponse.StatusCode == 404:
+ return user, ErrNotFound
+ case httpResponse.StatusCode > 201:
+ return user, StatusCodeErr(httpResponse, respBody, nil)
+ }
+
+ resp := struct {
+ Message string `json:"message"`
+ Data APIIdentity `json:"data"`
+ }{}
+ err = json.Unmarshal(respBody, &resp)
+
+ return resp.Data, nil
+}
+
+// GetGroup returns information about a group
+func (c *AuthzClientHTTP) GetGroup(id string) (APIGroup, error) {
+ var group APIGroup
+ if id == "" {
+ return group, fmt.Errorf("GetGroup: no identifier specified")
+ }
+ httpResponse, err := c.Get(Group.Join("/"+id), nil)
+ if err != nil {
+ return group, err
+ }
+ respBody, err := ioutil.ReadAll(httpResponse.Body)
+ if err != nil {
+ return group, err
+ }
+
+ switch {
+ case httpResponse.StatusCode == 401:
+ return group, ErrUnauthorized
+ case httpResponse.StatusCode == 404:
+ return group, ErrNotFound
+ case httpResponse.StatusCode > 201:
+ return group, StatusCodeErr(httpResponse, respBody, nil)
+ }
+
+ resp := struct {
+ Message string `json:"message"`
+ Data APIGroup `json:"data"`
+ }{}
+ err = json.Unmarshal(respBody, &resp)
+
+ return resp.Data, nil
+}
+
+// GetApplicationByAppID queries the API for the Application with the given applicationIdentifier
+func (c *AuthzClientHTTP) GetApplicationByAppID(appID string) (APIApplication, error) {
+ apiApp, err := c.getApp(Application.Cat("?filter=applicationIdentifier:" + appID))
+ if err != nil {
+ return APIApplication{}, err
+ }
+ return apiApp, err
+}
+
+// GetRole validates if Role already exists on an ApplicationRegistration in the API
+func (c *AuthzClientHTTP) GetRole(id string, role string) (bool, error) {
+ apiHTTP, err := c.Get(Application.Join(id).Join("roles"), nil)
+ if err != nil {
+ return false, err
+ }
+
+ respBody, err := ioutil.ReadAll(apiHTTP.Body)
+ if err != nil {
+ return false, err
+ }
+
+ message := struct {
+ Msg string `json:"message"`
+ Data []APIRole `json:"data"`
+ }{}
+ err = json.Unmarshal(respBody, &message)
+ if err != nil {
+ return false, err
+ }
+ // Check if there's an ApplicationRole DisplayName matching the one requested to be created
+ for _, reg := range message.Data {
+ if reg.Name == role {
+ // We could add the ID in the Status but there is no reason to since we won't be taking any actions at this point
+ return true, nil
+ }
+ }
+ return false, nil
+}
+
+// GetMyApplications will retrieve all the applications in the API (Note: this call is expensive as it has to go through all the pages)
+func (c *AuthzClientHTTP) GetMyApplications() ([]APIApplication, error) {
+ var appList []APIApplication
+ nextPage := MyApplication
+ // Allow custom number of Applications per Page if env set
+ if c.applicationsPerPage != "" {
+ nextPage = MyApplication.Limit(c.applicationsPerPage)
+ if nextPage == "" {
+ return nil, fmt.Errorf("Failed to add query to page when retrievign 'AUTHZ_APPLICATIONS_PER_PAGE' variable.")
+ }
+ }
+ for nextPage != "" {
+ // Default Applications per page is 1000.
+ resp, err := c.Get(AuthzAPI(nextPage), nil)
+ if err != nil {
+ return nil, err
+ }
+ // We have "consumed" the page, and therefore we set it to nil so we don't go through it again
+ nextPage = ""
+ switch {
+ case resp.StatusCode == 401:
+ return nil, ErrUnauthorized
+ case resp.StatusCode == 404:
+ return nil, ErrNotFound
+ case resp.StatusCode >= 500:
+ return nil, fmt.Errorf("Internal Server Error on API while retrieving AppList: %v", StatusCodeErr(resp, nil, nil))
+ case resp.StatusCode >= 400:
+ return nil, fmt.Errorf("Client error while retrieving AppList: %v", StatusCodeErr(resp, nil, nil))
+ }
+ apps, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+
+ // make sure to instantiate a fresh struct for unmarshalling each page
+ apiAppList := struct {
+ Msg string `json:"message"`
+ PaginationLinks APIPage `json:"pagination"`
+ APIApp []APIApplication `json:"data"`
+ }{}
+ err = json.Unmarshal(apps, &apiAppList)
+ switch {
+ case err != nil:
+ return nil, err
+ case apiAppList.Msg != "":
+ return nil, errors.New(apiAppList.Msg)
+ case apiAppList.PaginationLinks.Next != nil:
+ nextPage = AuthzAPI(*apiAppList.PaginationLinks.Next)
+ }
+ appList = append(appList, apiAppList.APIApp...)
+ }
+ return appList, nil
+}
+
+// GetRegistrationProvider queries the API for the Registration provider with the given identifier
+func (c *AuthzClientHTTP) GetRegistrationProvider(providerID string) (string, error) {
+ return c.getID(RegistrationProviders.Cat("?filter=authenticationProviderIdentifier:" + providerID + "&field=id"))
+}
+
+// GetLoA queries the API for the Level of Assurance with the given level
+func (c *AuthzClientHTTP) GetLoA(level string) (string, error) {
+ return c.getID(LevelofAssurance.Cat("?filter=value:" + level + "&field=id"))
+}
+
+// CreateApplicationRole creates a new Role for a Specific Application
+func (c *AuthzClientHTTP) CreateApplicationRole(role APIRole, applicationID string) (string, error) {
+ type jsonID struct {
+ Id string `json:"id"`
+ DisplayName string `json:"displayName"`
+ }
+ appRole := struct {
+ Roles jsonID `json:"data"`
+ }{}
+ jsonBody, err := json.Marshal(role)
+ if err != nil {
+ return "", err
+ }
+ apiHTTP, err := c.Post(Application.Join(applicationID).Join("roles"), bytes.NewBuffer(jsonBody))
+ if err != nil {
+ return "", err
+ }
+ respBody, err := ioutil.ReadAll(apiHTTP.Body)
+ if err != nil {
+ return "", err
+ }
+ switch {
+ case apiHTTP.StatusCode == 401:
+ return "", ErrUnauthorized
+ case apiHTTP.StatusCode > 201:
+ return "", StatusCodeErr(apiHTTP, respBody, nil)
+ }
+ err = json.Unmarshal(respBody, &appRole)
+ if err != nil {
+ return "", err
+ }
+ return appRole.Roles.Id, nil
+}
+
+// LinkGroupToAppRole links an existing Group to an existing Role in an existing Application
+func (c *AuthzClientHTTP) LinkGroupToAppRole(groupID string, roleID string, appID string) error {
+ apiHTTP, err := c.Post(Application.Join(appID).Join("roles").Join(roleID).Join("groups").Join(groupID), nil)
+ if err != nil {
+ return err
+ }
+ respBody, err := ioutil.ReadAll(apiHTTP.Body)
+ if err != nil {
+ return err
+ }
+ switch {
+ case apiHTTP.StatusCode == 401:
+ return ErrUnauthorized
+ case apiHTTP.StatusCode > 201:
+ return StatusCodeErr(apiHTTP, respBody, nil)
+ }
+ return nil
+}
+
+func (c *AuthzClientHTTP) getApp(req AuthzAPI) (APIApplication, error) {
+ resp, err := c.Get(req, nil)
+ if err != nil {
+ return APIApplication{}, err
+ }
+ respBody, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return APIApplication{}, err
+ }
+ apiApp, err := APIApplicationHTTP(respBody)
+ switch {
+ case resp.StatusCode == 401:
+ return APIApplication{}, ErrUnauthorized
+ case resp.StatusCode > 201:
+ return APIApplication{}, StatusCodeErr(resp, respBody, nil)
+ case err != nil:
+ return APIApplication{}, err
+ case apiApp.ID == "":
+ return APIApplication{}, ErrNotFound
+ }
+ return apiApp, err
+}
+
+func (c *AuthzClientHTTP) getID(req AuthzAPI) (string, error) {
+ app, err := c.getApp(req)
+ return app.ID, err
+}
+
+func (c *AuthzClientHTTP) addHeaders(req *http.Request) {
+ req.Header.Set("Content-Type", appJSON)
+ req.Header.Set("accept", "*/*")
+ req.Header.Set("Authorization", "Bearer "+c.accessToken())
+}
+
+// accessToken needs to handle the errors and come back with a string
+func (c *AuthzClientHTTP) accessToken() string {
+ // initialize cache if empty
+ if c.token() == "" {
+ err := c.tokenCache.init(c)
+ if err != nil {
+ c.Logger.Error(err, "Failed to get Access Token")
+ return ""
+ }
+ }
+ // check if cached token has expired and refresh
+ err := c.tokenCache.refresh(c)
+ if err != nil {
+ c.Logger.Error(err, "Failed to get Access Token")
+ return ""
+ }
+
+ return c.token()
+}
+
+func (c *AuthzClientHTTP) token() string {
+ return c.tokenCache.Token.AccessToken
+}
+
+func (c *AuthzClientHTTP) RefreshClientSecret(regID string) error {
+ resp, err := c.Post(Registration.Join(regID).Join(c.OidcProviderID()).Join("invoke/client-secret"), nil)
+ if err != nil {
+ return err
+ }
+ respBody, err := ioutil.ReadAll(resp.Body)
+ switch {
+ case err != nil:
+ return err
+ case resp.StatusCode > 201:
+ return StatusCodeErr(resp, respBody, nil)
+ }
+ return nil
+}
diff --git a/internal/authzapireq/authzclient_interface.go b/internal/authzapireq/authzclient_interface.go
new file mode 100644
index 0000000000000000000000000000000000000000..c23e155ea32c66ba0be8421a85c8dbb9d4ad83e2
--- /dev/null
+++ b/internal/authzapireq/authzclient_interface.go
@@ -0,0 +1,78 @@
+package authzapireq
+
+import (
+ "fmt"
+ "io"
+ "net/http"
+ "net/url"
+ "os"
+
+ "github.com/go-logr/logr"
+)
+
+// AuthzClient provides methods to access the AuthzAPI
+type AuthzClient interface {
+ // Post authorized req to Authzsvc API
+ Post(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error)
+ // Get authorized req from Authzsvc API
+ Get(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error)
+ // Put authorized req from Authzsvc API
+ Put(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error)
+ // Delete authorized req from Authzsvc API
+ Delete(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error)
+ // GetMyApplications will retrieve all the applications in the API (Note: this call is expensive as it has to go through all the pages)
+ GetMyApplications() ([]APIApplication, error)
+ // GetRole validates if Role already exists on an ApplicationRegistration in the API
+ GetRole(id string, role string) (bool, error)
+ // GetApplicationByAppID queries the API for the Application with the given applicationIdentifier
+ GetApplicationByAppID(appID string) (APIApplication, error)
+ // GetLoA queries the Authzsvc API for the ID of the Level of Assurance with the given level
+ // this method is also available through the AuthZ apicache
+ GetLoA(level string) (string, error)
+ // CreateApplicationRole creates a new Role for a Specific Application
+ CreateApplicationRole(role APIRole, applicationID string) (string, error)
+ // LinkGroupToAppRole links an existing Group to an existing Role in an existing Application
+ LinkGroupToAppRole(groupID string, roleID string, appID string) error
+ // GetIdentity returns information about a user account - this method is also available through the AuthZ apicache
+ GetIdentity(id string) (APIIdentity, error)
+ // GetGroup returns information about a group - this method is also available through the AuthZ apicache
+ GetGroup(id string) (APIGroup, error)
+ // ManagerID returns the API ID of this AuthzAPI client's Application registration
+ ManagerID() string
+ // OidcProviderID returns the OIDC Provider ID on the Authzsvc API
+ OidcProviderID() string
+ IssuerURL() string
+ RefreshClientSecret(regID string) error
+}
+
+// NewAuthzClient creates a client for the Authzsvc API configured with environment variables
+func NewAuthzClient(log logr.Logger) (AuthzClient, error) {
+ issURL, err := url.Parse(os.Getenv("KC_ISSUER_URL"))
+ if err != nil {
+ return &AuthzClientHTTP{}, err
+ }
+ authURL, err := url.Parse(os.Getenv("AUTHZAPI_URL"))
+ if err != nil {
+ return &AuthzClientHTTP{}, err
+ }
+ cid := os.Getenv("KC_CLIENT_ID")
+ csecret := os.Getenv("KC_CLIENT_SECRET")
+ err = checkEmpty(issURL.String(), "KC_ISSUER_URL", checkEmpty(authURL.String(), "AUTHZAPI_URL",
+ checkEmpty(cid, "KC_CLIENT_ID", checkEmpty(csecret, "KC_CLIENT_SECRET", nil))))
+ return &AuthzClientHTTP{
+ Logger: log,
+ clientID: cid,
+ clientSecret: csecret,
+ issuerURL: *issURL,
+ authzURL: *authURL,
+ applicationsPerPage: os.Getenv("AUTHZ_APPLICATIONS_PER_PAGE"),
+ }, err
+}
+
+func checkEmpty(s, name string, chainedErr error) (err error) {
+ err = chainedErr
+ if s == "" {
+ err = fmt.Errorf("%s empty or undefined\n%v", name, chainedErr)
+ }
+ return
+}
diff --git a/internal/authzapireq/consts_types.go b/internal/authzapireq/consts_types.go
new file mode 100644
index 0000000000000000000000000000000000000000..0dc6a1a27e7ec193bf56b10a7e5f816ff0d373fe
--- /dev/null
+++ b/internal/authzapireq/consts_types.go
@@ -0,0 +1,386 @@
+package authzapireq
+
+import (
+ "encoding/json"
+ "errors"
+ "fmt"
+ "net/http"
+ "net/url"
+ "path"
+ "time"
+
+ "golang.org/x/oauth2"
+)
+
+const (
+ tokenExchangeGrantType = "urn:ietf:params:oauth:grant-type:token-exchange"
+ // access_token | refresh_token
+ requestedTokenType = "urn:ietf:params:oauth:token-type:access_token"
+ // subjectTokenType seems useless
+ //subjectTokenType = "urn:ietf:params:oauth:token-type:access_token"
+ appJSON = "application/json"
+ //TokenURL contains sub-path to retrieve access token
+ TokenURL = "api-access/token"
+ //Audience contains the audience on which the operator communicates with
+ Audience = "authorization-service-api"
+)
+
+// Exported API error conditions
+var (
+ // When HTTP 404 isn't enough
+ ErrNotFound = errors.New("NotFound")
+ ErrUnauthorized = errors.New("Unauthorized")
+ ErrExistsInAuthzNotInCluster = errors.New("Application exists in API but not in Cluster")
+)
+
+// +kubebuilder:rbac:groups=webservices.cern.ch,resources=applications,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=webservices.cern.ch,resources=applications/status,verbs=get;update;patch
+
+// AccessTokenArgs is the only way we found to make arguments to accessToken both keywords and optional,
+// at the expense of an extra type...
+type AccessTokenArgs struct {
+ Audience string
+ ExistingToken oauth2.Token
+}
+
+// AuthzAPI represents API endpoints in the Authzsvc API
+type AuthzAPI string
+
+const (
+ apiV = "api/v1.0/"
+ // Application [GET,POST]
+ Application AuthzAPI = apiV + "Application"
+ MyApplication AuthzAPI = apiV + "Application/my"
+ Group AuthzAPI = apiV + "Group"
+ RegistrationProviders AuthzAPI = apiV + "Registration/providers"
+ Identity AuthzAPI = apiV + "Identity"
+ Registration AuthzAPI = apiV + "Registration"
+ LevelofAssurance AuthzAPI = apiV + "LevelOfAssurance"
+)
+
+// StatusCodeErr documents an API error with the HTTP request and response
+func StatusCodeErr(resp *http.Response, respBody []uint8, requestData []byte) error {
+ apiMsg, _ := HTTPMsg(respBody)
+ if requestData != nil {
+ return fmt.Errorf("%s %s \ndata: %s\nResponse %d: %s", resp.Request.Method, resp.Request.URL.RequestURI(), requestData, resp.StatusCode, apiMsg)
+ }
+ return fmt.Errorf("%s %s\nResponse %d: %s", resp.Request.Method, resp.Request.URL.RequestURI(), resp.StatusCode, apiMsg)
+}
+
+func join(p url.URL, api AuthzAPI) string {
+ p.Path = path.Join(p.Path, string(api))
+ unescapedPath, err := url.PathUnescape(p.String())
+ if err != nil {
+ unescapedPath = ""
+ }
+ return unescapedPath
+}
+
+func urlJoin(receivedURL string, extra string) string {
+ u, err := url.Parse(receivedURL)
+ if err != nil {
+ return ""
+ }
+ u.Path = path.Join(u.Path, extra)
+ return u.String()
+}
+
+// Cat simply appends the given string
+func (api AuthzAPI) Cat(param string) AuthzAPI {
+ return AuthzAPI(string(api) + param)
+}
+
+// Join does a path.Join with the given string
+func (api AuthzAPI) Join(p string) AuthzAPI {
+ return AuthzAPI(path.Join(string(api), p))
+}
+
+// Limit adds Limit query to AuthzAPI endpoint
+func (api AuthzAPI) Limit(l string) AuthzAPI {
+ urlObj, err := url.Parse(string(api))
+ if err != nil {
+ return ""
+ }
+ qs := urlObj.Query()
+ qs.Set("limit", l)
+ urlObj.RawQuery = qs.Encode()
+ return AuthzAPI(urlObj.String())
+}
+
+// AuthzAPI response types
+
+// APIApplication contains all the relevant fields to parse JSON responses from the Authzsvc API that should be compared against and ApplicationRegistration
+type APIApplication struct {
+ AppID string `json:"applicationIdentifier"`
+ DisplayName string `json:"displayName"`
+ Description string `json:"description"`
+ OwnerID string `json:"ownerId"`
+ ManagerID string `json:"managerId"`
+ IdentityID string `json:"identityId"`
+ AdministratorsID *string `json:"administratorsId"`
+ HomePage string `json:"homePage"`
+ Category string `json:"resourceCategory"`
+ Blocked bool `json:"blocked"`
+ ID string `json:"id"`
+ CreateTime string `json:"creationTime"`
+ ModTime string `json:"modificationTime"`
+ // OIDC fields
+ ClientID string `json:"clientId"`
+ ClientSecret string `json:"secret"`
+ RegistrationID string `json:"registrationId"`
+ // Internal fields
+ // OwnerUPN is the Owner username, it is named OwnerUPN to match the naming on the Authzsvc API
+ OwnerUPN string `json:"-"`
+ // DisplayName of the Administrators group
+ AdministratorsDisplayName string `json:"-"`
+}
+
+// APIRegistration parses a JSON response from the Authzsvc API containing an OIDC Data
+type APIRegistration struct {
+ RegistrationID string
+ // Attributes we recognise
+ ClientID string `json:"clientId"`
+ ClientSecret string `json:"secret"`
+ RedirectURIs []string `json:"redirectUris"`
+ ImplicitFlowEnabled bool `json:"implicitFlowEnabled"`
+ ConsentRequired bool `json:"consentRequired"`
+ Enabled bool `json:"enabled"`
+ DefaultClientScopes []string `json:"defaultClientScopes"`
+ OptionalClientScopes []string `json:"optionalClientScopes"`
+ // Additional attributes
+ WebOrigins []string `json:"webOrigins"`
+ ClientAuthenticatorType string `json:"clientAuthenticatorType"`
+ DirectAccessGrantsEnabled bool `json:"directAccessGrantsEnabled"`
+ PublicClient bool `json:"publicClient"`
+ ServiceAccountsEnabled bool `json:"serviceAccountsEnabled"`
+ StandardFlowEnabled bool `json:"standardFlowEnabled"`
+ SurrogateAuthRequired bool `json:"surrogateAuthRequired"`
+ FullScopeAllowed bool `json:"fullScopeAllowed"`
+ FrontchannelLogout bool `json:"frontchannelLogout"`
+}
+
+type APIGroup struct {
+ // UUID of the group
+ ID string `json:"id"`
+ // human-readable identifier of the group ("name")
+ GroupIdentifier string `json:"groupIdentifier"`
+
+ // the following fields are available but are currently not needed:
+
+ // AdministratorsID string `json:"administratorsId"`
+ // ApprovalRequired bool `json:"approvalRequired"`
+ // AutoReassign bool `json:"autoReassign"`
+ // Blocked bool `json:"blocked"`
+ // CreationTime time.Time `json:"creationTime"`
+ // Description string `json:"description"`
+ // DisplayName string `json:"displayName"`
+ // Dynamic bool `json:"dynamic"`
+ // DynamicGroupType string `json:"dynamicGroupType"`
+ // IsComputingGroup bool `json:"isComputingGroup"`
+ // MemberIdentityIds []string `json:"memberIdentityIds"`
+ // OwnerID string `json:"ownerId"`
+ // PendingAction bool `json:"pendingAction"`
+ // PrivacyType string `json:"privacyType"`
+ // Public bool `json:"public"`
+ // Reassignable bool `json:"reassignable"`
+ // RemoveNonActiveMembers bool `json:"removeNonActiveMembers"`
+ // ResourceCategory string `json:"resourceCategory"`
+ // SecurityIssues bool `json:"securityIssues"`
+ // SelfSubscriptionType string `json:"selfSubscriptionType"`
+ // Source string `json:"source"`
+ // SyncType string `json:"syncType"`
+}
+
+type APIRole struct {
+ Name string `json:"name"`
+ DisplayName string `json:"displayName"`
+ Description string `json:"description"`
+ ApplicationID string `json:"applicationId"`
+ ApplyToAllUsers bool `json:"applyToAllUsers"`
+ MinimumLoaID string `json:"minimumLoaId"`
+ Required bool `json:"required"`
+ RoleId string `json:"id"`
+}
+
+type APIPage struct {
+ Total int `json:"total"`
+ Offset int `json:"offset"`
+ Limit int `json:"limit"`
+ Next *string `json:"next"`
+ Links APIPageLink `json:"links"`
+}
+type APIPageLink struct {
+ Current string `json:"current"`
+ Next string `json:"next"`
+ Last string `json:"last"`
+}
+
+type APIIdentity struct {
+ // ExternalEmail interface{} `json:"externalEmail"`
+ PrimaryAccountEmail string `json:"primaryAccountEmail"`
+ Type string `json:"type"`
+ Upn string `json:"upn"`
+ DisplayName string `json:"displayName"`
+ PersonID string `json:"personId"`
+ SupervisorID string `json:"supervisorId"`
+ DirectResponsibleID string `json:"directResponsibleId"`
+ // Source string `json:"source"`
+ // Unconfirmed bool `json:"unconfirmed"`
+ // UnconfirmedEmail interface{} `json:"unconfirmedEmail"`
+ PrimaryAccountID string `json:"primaryAccountId"`
+ UID int `json:"uid"`
+ Gid int `json:"gid"`
+ ResourceCategory string `json:"resourceCategory"`
+ Reassignable bool `json:"reassignable"`
+ // AutoReassign bool `json:"autoReassign"`
+ // PendingAction bool `json:"pendingAction"`
+ // Blocked bool `json:"blocked"`
+ // SecurityIssues bool `json:"securityIssues"`
+ // BlockingReason string `json:"blockingReason"`
+ // BlockingTime interface{} `json:"blockingTime"`
+ // BlockingDeadline interface{} `json:"blockingDeadline"`
+ // ExpirationDeadline interface{} `json:"expirationDeadline"`
+ ID string `json:"id"`
+ CreationTime time.Time `json:"creationTime"`
+ // Room string `json:"room"`
+ // Floor string `json:"floor"`
+ // Building string `json:"building"`
+ // EndClass time.Time `json:"endClass"`
+ // LastName string `json:"lastName"`
+ // BirthDate time.Time `json:"birthDate"`
+ CernClass string `json:"cernClass"`
+ CernGroup string `json:"cernGroup"`
+ // FirstName string `json:"firstName"`
+ // ActiveUser bool `json:"activeUser"`
+ // StartClass time.Time `json:"startClass"`
+ CernSection string `json:"cernSection"`
+ Description string `json:"description"`
+ CernPersonID string `json:"cernPersonId"`
+ InstituteName string `json:"instituteName"`
+ CernDepartment string `json:"cernDepartment"`
+ // EdhAuthPwdExpiry time.Time `json:"edhAuthPwdExpiry"`
+ // EduPersonUniqueID string `json:"eduPersonUniqueID"`
+ // InstituteAbbreviation string `json:"instituteAbbreviation"`
+ // PreferredCernLanguage string `json:"preferredCernLanguage"`
+ // ComputingRulesAccepted time.Time `json:"computingRulesAccepted"`
+ // ComputingRulesValidUntil time.Time `json:"computingRulesValidUntil"`
+ // ComputingRulesAcceptedFlag bool `json:"computingRulesAcceptedFlag"`
+}
+
+// APIApplicationHTTP creates an APIApplication from the JSON contained in an API GET/POST Application request.
+// If there is no parseable Application inside, returns an empty object and no error.
+func APIApplicationHTTP(respBody []uint8) (APIApplication, error) {
+ // The response might be wrapped in a list.
+ // Initially we assume it's not, but if we discover there's a list, we'll use this func instead
+ unmarshalList := func() (APIApplication, error) {
+ appList, err := APIApplicationListHTTP(respBody)
+ switch {
+ case err != nil:
+ return APIApplication{}, err
+ case len(appList) == 0:
+ return APIApplication{}, nil
+ case len(appList) > 1:
+ return APIApplication{}, errors.New("Multiple Applications in HTTP response")
+ }
+ return appList[0], nil
+ }
+ apiApplication := struct {
+ Msg string `json:"message"`
+ APIApplication APIApplication `json:"data"`
+ }{}
+ err := json.Unmarshal(respBody, &apiApplication) // Unmarshal single
+ if err != nil {
+ // Check if we tried to unmarshal a list
+ if unmarshalErr, ok := err.(*json.UnmarshalTypeError); ok {
+ if unmarshalErr.Field == "data" && unmarshalErr.Value == "array" {
+ return unmarshalList()
+ }
+ }
+ return APIApplication{}, err
+ } else if apiApplication.Msg != "" {
+ return APIApplication{}, errors.New(apiApplication.Msg)
+ }
+ return apiApplication.APIApplication, nil
+}
+
+// APIApplicationHTTP creates an APIApplication List from the JSON contained in an API GET/POST Application request.
+// If there is no parseable Application inside, returns an empty object and no error.
+func APIApplicationListHTTP(respBody []uint8) ([]APIApplication, error) {
+ // The response might be wrapped in a list.
+ // Initially we assume it's not, but if we discover there's a list, we'll use this func instead
+ apiApplicationList := struct {
+ Msg string `json:"message"`
+ APIApplication []APIApplication `json:"data"`
+ }{}
+ err := json.Unmarshal(respBody, &apiApplicationList)
+ switch {
+ case err != nil:
+ return []APIApplication{}, err
+ case apiApplicationList.Msg != "":
+ return []APIApplication{}, errors.New(apiApplicationList.Msg)
+ case len(apiApplicationList.APIApplication) == 0:
+ return []APIApplication{}, nil
+ }
+ return apiApplicationList.APIApplication, nil
+
+}
+
+// APIRegistrationHTTP creates an APIRegistration from the JSON contained in an API GET/POST Registration request
+func APIRegistrationHTTP(respBody []uint8) (APIRegistration, error) {
+ type APIRegistrationResp struct {
+ RegistrationID string `json:"registrationId"`
+ RegistrationData APIRegistration `json:"registration"`
+ }
+
+ // The response might be wrapped in a list.
+ // Initially we assume it's not, but if we discover there's a list, we'll use this func instead
+ unmarshalList := func() (APIRegistration, error) {
+ respJSON := struct {
+ Msg string `json:"message"`
+ Data []APIRegistrationResp `json:"data"`
+ }{}
+ err := json.Unmarshal(respBody, &respJSON)
+ switch {
+ case err != nil:
+ return APIRegistration{}, err
+ case respJSON.Msg != "":
+ return APIRegistration{}, errors.New(respJSON.Msg)
+ case len(respJSON.Data) == 0:
+ return APIRegistration{}, nil
+ case len(respJSON.Data) > 1:
+ return APIRegistration{}, errors.New("Multiple Registrations in HTTP response")
+ }
+ respJSON.Data[0].RegistrationData.RegistrationID = respJSON.Data[0].RegistrationID
+ return respJSON.Data[0].RegistrationData, nil
+ }
+ respJSON := struct {
+ Msg string `json:"message"`
+ Data APIRegistrationResp `json:"data"`
+ }{}
+ err := json.Unmarshal(respBody, &respJSON) // Unmarshal single
+ if err != nil {
+ // Check if we tried to unmarshal a list
+ if unmarshalErr, ok := err.(*json.UnmarshalTypeError); ok {
+ if unmarshalErr.Field == "data" && unmarshalErr.Value == "array" {
+ return unmarshalList()
+ }
+ }
+ return APIRegistration{}, err
+ } else if respJSON.Msg != "" {
+ return APIRegistration{}, errors.New(respJSON.Msg)
+ }
+ respJSON.Data.RegistrationData.RegistrationID = respJSON.Data.RegistrationID
+ return respJSON.Data.RegistrationData, nil
+}
+
+// HTTPMsg returns the `message` field of an HTTP response
+func HTTPMsg(respBody []uint8) (string, error) {
+ var msg struct {
+ Msg string `json:"message"`
+ }
+ err := json.Unmarshal(respBody, &msg)
+ if err != nil {
+ return "", err
+ }
+ return msg.Msg, nil
+}
diff --git a/internal/controller/application_logic.go b/internal/controller/application_logic.go
new file mode 100644
index 0000000000000000000000000000000000000000..14f3095e83d76d63b3c95638e2b231afeb5154e8
--- /dev/null
+++ b/internal/controller/application_logic.go
@@ -0,0 +1,758 @@
+package controller
+
+// API user flows go here
+
+import (
+ "bytes"
+ "context"
+ "crypto/sha256"
+ "encoding/base64"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "strconv"
+
+ "github.com/asaskevich/govalidator"
+ "github.com/go-logr/logr"
+ webservicesv1alpha1 "gitlab.cern.ch/paas-tools/operators/authz-operator/api/v1alpha1"
+ "gitlab.cern.ch/paas-tools/operators/authz-operator/internal/apicache"
+ "gitlab.cern.ch/paas-tools/operators/authz-operator/internal/authzapireq"
+ v1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+)
+
+const (
+ // deleteFromApiFinalizer string that indicates we need to delete application from authz API if the ApplicationRegistration is deleted
+ deleteFromApiFinalizer = "webservices.cern.ch/delete-app-from-authz-api"
+ k8sSecretOIDCClientSecret = "oidc-client-secret"
+)
+
+// ensureAPIAppAndSyncStatus first either creates a new Application in the AuthzAPI or we adopt ownership of an existing one with the same ApplicationIdentifier
+// then it updates the Status with information from the AuthzAPI
+func (r *ApplicationRegistrationReconciler) ensureAPIAppAndSyncStatus(log logr.Logger, app *webservicesv1alpha1.ApplicationRegistration) (transientErr reconcileError) {
+ createInAuthzOrAdopt := func() (authzapireq.APIApplication, reconcileError) {
+ apiApp, err := r.createAppInAuthz(app.Spec)
+ if err != nil {
+ switch err.Unwrap() {
+ case ErrApplicationAlreadyExists:
+ log.Info("Adopt ownership: Application with the same applicationIdentifier already exists in the AuthzAPI, adopting it")
+ case ErrApplicationConflict:
+ log.Error(err, "Application not managed by us")
+ return authzapireq.APIApplication{}, err
+ default:
+ return authzapireq.APIApplication{}, err
+ }
+ }
+ return apiApp, nil
+ }
+ apiApp, err := createInAuthzOrAdopt()
+ if err != nil {
+ r.setProvisioningStatus(log, &app.Status, err)
+ if err.IsRetryable() {
+ return err
+ }
+ // In case of non-retriable error we've already updated the resource status to reflect a permanent failure.
+ // There is no point in retrying later, so we now want the caller to just commit the
+ // changes to the CR in the Kubernetes API and successfully complete reconciliation.
+ return nil
+ }
+
+ owner, err2 := r.AuthzApiCache.GetIdentity(apiApp.OwnerID)
+ if err2 != nil {
+ log.Error(err, fmt.Sprintf("Failed to retrieve metadata of app owner '%s'", apiApp.OwnerID))
+ return newApplicationError(err2, ErrInvalidOwner)
+ }
+ updateAppStatus(&app.Status, apiApp, owner, log)
+ return nil
+}
+
+// ensureAPIOIDCandSyncStatus creates a new OIDC registration in the AuthzAPI for the owned Application or adopts the existing one,
+// then updates the Status with info from the AuthzAPI
+func (r *ApplicationRegistrationReconciler) ensureAPIOIDCandSyncStatus(log logr.Logger, app *webservicesv1alpha1.ApplicationRegistration) (transientErr reconcileError) {
+ createInAuthzOrAdopt := func() (authzapireq.APIRegistration, reconcileError) {
+ apiReg, err := r.fetchOIDCReg(app.Status.ID, false)
+ switch {
+ case err != nil && err.IsRetryable():
+ return authzapireq.APIRegistration{}, err
+ case apiReg.RegistrationID != "":
+ log.Info("Adopting OIDC Registration that already exists in the AuthzAPI")
+ // TODO (alossent 31-May-23): this code path is not working for some reason, in status the state remains Creating and the registrationId is missing.
+ return apiReg, err
+ }
+ apiReg, err = r.createOIDCinAuthz(*app)
+ return apiReg, err
+ }
+ apiReg, err := createInAuthzOrAdopt()
+ _, transientErr = r.ensureK8sClientSecret(context.TODO(), app.Namespace, apiReg)
+ updateAppStatusOIDC(&app.Status, apiReg)
+ if err != nil {
+ r.setProvisioningStatus(log, &app.Status, err)
+ if err.IsRetryable() {
+ transientErr = err
+ return
+ }
+ }
+ return
+}
+
+// syncAPIAppStatus retrieves the Application from the API and syncs the information in the Status. It checks if the API version needs changes and performs them.
+func (r *ApplicationRegistrationReconciler) syncAPIAppStatus(log logr.Logger, app *webservicesv1alpha1.ApplicationRegistration) (update bool, authzUpdate bool, transientErr reconcileError) {
+ retrieveFromAuthzHandle := func(appID string) (authzapireq.APIApplication, reconcileError) {
+ apiApp, err := r.fetchOwnedApp(appID)
+ if err != nil {
+ log.Error(err, fmt.Sprintf("%v Failed to fetch owned Application", err.Unwrap()))
+ return authzapireq.APIApplication{}, err
+ }
+ if apiApp == (authzapireq.APIApplication{}) {
+ log.Info("Associated Application not found in Authz API!")
+ return authzapireq.APIApplication{}, newApplicationError(nil, ErrAssociatedAppNotFound)
+ }
+ return apiApp, err
+ }
+ apiApp, err := retrieveFromAuthzHandle(app.Status.ID)
+ if err != nil {
+ r.setProvisioningStatus(log, &app.Status, err)
+ update = true
+ if err.IsRetryable() {
+ return
+ }
+ err = nil
+ return
+ }
+ owner, err2 := r.AuthzApiCache.GetIdentity(apiApp.OwnerID)
+ if err2 != nil {
+ log.Error(err, fmt.Sprintf("Failed to retrieve metadata of app owner '%s'", apiApp.OwnerID))
+ return
+ }
+ update = updateAppStatus(&app.Status, apiApp, owner, log)
+ // TODO: the following has several issues as of April 2021 and was disabled.
+ // See https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/367 for follow-up work.
+ // This tries to use the AppReg's spec as source of truth for
+ // a number of attributes like display name and description.
+ // However there are several issues:
+ // 1. the way it's done, enforceSpec will reset other values users may have set in the portal like admin group!
+ // It should _merge_ what it wants to set with the other existing attributes retrieved from
+ // the app in the portal.
+ // 2. enforceSpec incorrectly pushes to authz API some attributes that we explicitly do NOT want OKD to be the SoT,
+ // like ownerID. This makes it impossible to change the owner from the app portal.
+ // 3. it's not clear what the SoT for description should be. There is no way for users to update
+ // description in the appReg, if we want OKD to be the SoT then we need a mechanism to propagate
+ // changes from the OKD project description to the appReg spec, which doesn't exist.
+ // 4. the same logic is not currently applied by the lifecycle controller syncing changes from AuthZ API.
+ // By commenting this out, we effectively use the Authz API as the SoT for everything.
+ // Follow-up required to clarify the SoT for attributes where it's not clear, like description, display name etc.
+ // and properly document them.
+ /*
+ if !appspecMatchesAuthz(app.Spec, apiApp) {
+ authzUpdate = true
+ if err := r.enforceSpec(app.Spec, app.Status.ID); err != nil {
+ log.Error(err, "Couldn't enforce the Application's Spec on the AuthzAPI")
+ r.ensureErrorMsg(log, &app.Status, err)
+ update = true
+ if err.Temporary() {
+ return
+ }
+ err = nil
+ return
+ }
+ }
+ */
+ return
+}
+
+// syncAPIOIDCStatus retrieves the OIDC from the API and syncs the information in the Status.
+// It checks the redirectURIs and updates the API if they're not equal.
+func (r *ApplicationRegistrationReconciler) syncAPIOIDCStatus(log logr.Logger, app *webservicesv1alpha1.ApplicationRegistration, desiredOidcUris []string) (update bool, authzUpdate bool, transientErr reconcileError) {
+ apiReg, err := r.fetchOIDCReg(app.Status.ID, true)
+ if err != nil {
+ update = r.setProvisioningStatus(log, &app.Status, err)
+ if err.IsRetryable() {
+ update = false
+ transientErr = err
+ }
+ return
+ }
+ update, transientErr = r.ensureK8sClientSecret(context.TODO(), app.Namespace, apiReg)
+ if update {
+ log.Info("OIDC client secret is updated")
+ }
+ update = updateAppStatusOIDC(&app.Status, apiReg) || update
+
+ // Check redirectURIs and update on API if needed
+ if err := func() reconcileError {
+ if !webservicesv1alpha1.SameSet(desiredOidcUris, apiReg.RedirectURIs) {
+ log.Info("Updating OIDC redirect URIs in Authzsvc")
+ authzUpdate = true
+ return r.enforceOIDCRedirectURIs(app)
+ }
+ return nil
+ }(); err != nil {
+ log.Error(err, "Couldn't enforce the redirectURIs on the AuthzAPI")
+ r.setProvisioningStatus(log, &app.Status, err)
+ update = true
+ if err.IsRetryable() {
+ return
+ }
+ err = nil
+ return
+ }
+ return
+}
+
+// ensureK8sClientSecret creates the k8s secret holding the OIDC client secret and updates it if necessary
+func (r *ApplicationRegistrationReconciler) ensureK8sClientSecret(ctx context.Context, namespace string, apiReg authzapireq.APIRegistration) (update bool, transientErr reconcileError) {
+ k8sSecret := &v1.Secret{ObjectMeta: metav1.ObjectMeta{Name: k8sSecretOIDCClientSecret, Namespace: namespace}}
+
+ op, err := controllerutil.CreateOrUpdate(ctx, r.Client, k8sSecret, func() error {
+ if k8sSecret.Data == nil {
+ k8sSecret.Data = make(map[string][]byte)
+ }
+
+ k8sSecret.Data["clientID"] = []byte(apiReg.ClientID)
+ k8sSecret.Data["clientSecret"] = []byte(apiReg.ClientSecret)
+ k8sSecret.Data["issuerURL"] = []byte(r.Authz.IssuerURL())
+
+ // Most Oauth clients (httpd module, oauth2 proxy...) expect a cookie secret to encrypt cookies.
+ // It is thus useful that we generate such a secret in order to provide a complete configuration
+ // for oauth clients to use.
+ // Generating a random secret would not be deterministic; re-using the OIDC application
+ // secret as the cookie encryption secret sounds interesting
+ // but is not of the appropriate length for the oauth2 proxy image.
+ // So we will hash the clientSecret to generate
+ // a 24 character string that can be used
+ // for the OIDC cookie secret
+ hasher := sha256.New()
+ hasher.Write([]byte(apiReg.ClientSecret))
+ sha := base64.URLEncoding.EncodeToString(hasher.Sum(nil))
+ k8sSecret.Data["suggestedCookieSecret"] = []byte(sha[:24])
+
+ return nil
+ })
+
+ if err != nil {
+ transientErr = newApplicationError(err, ErrClientK8s)
+ }
+ update = (op != controllerutil.OperationResultNone)
+ return
+}
+
+// fetchOwnedApp tries to fetch any associated Application from the AuthzAPI and returns an empty Application if it doesn't find it
+func (r *ApplicationRegistrationReconciler) fetchOwnedApp(appID string) (authzapireq.APIApplication, reconcileError) {
+ if appID != "" {
+ apiAppHTTP, err := r.Authz.Get(authzapireq.Application.Join(appID), nil)
+ if err != nil {
+ return authzapireq.APIApplication{}, newApplicationError(err, ErrClientAuthz)
+ }
+ respBody, err := ioutil.ReadAll(apiAppHTTP.Body)
+ if err != nil {
+ return authzapireq.APIApplication{}, newApplicationError(err, ErrAuthzAPIPermanent)
+ }
+ switch {
+ // Unauthorized, we can treat this as if the application didn't exist
+ case apiAppHTTP.StatusCode == 401:
+ return authzapireq.APIApplication{}, newApplicationError(err, ErrAuthzAPIUnauthorized)
+ // Not Found, this isnt considered an error, we just return an empty application
+ case apiAppHTTP.StatusCode == 404:
+ return authzapireq.APIApplication{}, nil
+ case apiAppHTTP.StatusCode > 201:
+ return authzapireq.APIApplication{}, newApplicationError(
+ authzapireq.StatusCodeErr(apiAppHTTP, respBody, nil), ErrAuthzAPITemp)
+ }
+ apiApp, err := authzapireq.APIApplicationHTTP(respBody)
+ if err != nil {
+ return authzapireq.APIApplication{}, newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ apiApp, err = resolveOwnerAndAdministratorIDs(r.AuthzApiCache, apiApp)
+ if err != nil {
+ if errors.Is(err, authzapireq.ErrNotFound) {
+ return authzapireq.APIApplication{}, newApplicationError(nil, ErrInvalidOwner)
+ }
+ return authzapireq.APIApplication{}, newApplicationError(err, ErrTemporary)
+ }
+ return apiApp, nil
+ }
+ return authzapireq.APIApplication{}, nil
+}
+
+// resolveOwnerAndAdministratorIDs is a helper function that populates the human-readable
+// OwnerUPN and AdministratorsDisplayName fields.
+func resolveOwnerAndAdministratorIDs(authzApiCache apicache.AuthzCache, app authzapireq.APIApplication) (authzapireq.APIApplication, error) {
+ // Get Person Name by ID
+ owner, err := authzApiCache.GetIdentity(app.OwnerID)
+ if err != nil {
+ return app, err
+ }
+ app.OwnerUPN = owner.Upn
+
+ // Get Group Name by ID
+ groupName := ""
+ if app.AdministratorsID != nil {
+ group, err := authzApiCache.GetGroup(*app.AdministratorsID)
+ if err != nil {
+ return app, err
+ }
+ groupName = group.GroupIdentifier
+ }
+ app.AdministratorsDisplayName = groupName
+
+ return app, nil
+}
+
+// fetchOIDCReg tries to fetch any associated OIDC registration from the AuthzAPI and returns an empty Registration if it doesn't find it
+func (r *ApplicationRegistrationReconciler) fetchOIDCReg(appID string, fetchSecret bool) (authzapireq.APIRegistration, reconcileError) {
+ apiOIDCHTTP, err := r.Authz.Get(authzapireq.Registration.Join(appID), nil)
+ if err != nil {
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrClientAuthz)
+ }
+ respBody, err := ioutil.ReadAll(apiOIDCHTTP.Body)
+ if err != nil {
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ switch {
+ case apiOIDCHTTP.StatusCode == 404:
+ return authzapireq.APIRegistration{}, nil
+ case apiOIDCHTTP.StatusCode > 201:
+ return authzapireq.APIRegistration{}, newApplicationError(authzapireq.StatusCodeErr(apiOIDCHTTP, respBody, nil), ErrAuthzAPITemp)
+ }
+ apiReg, err := authzapireq.APIRegistrationHTTP(respBody)
+ if err != nil {
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+
+ if fetchSecret && apiReg.RegistrationID != "" {
+ apiSecretHTTP, err := r.Authz.Get(authzapireq.Registration.Join(apiReg.RegistrationID).Join("secret"), nil)
+ switch {
+ case err != nil:
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrClientAuthz)
+ case apiSecretHTTP.StatusCode > 201:
+ return authzapireq.APIRegistration{}, newApplicationError(authzapireq.StatusCodeErr(apiSecretHTTP, respBody, nil), ErrAuthzAPITemp)
+ }
+ respBody, err := ioutil.ReadAll(apiSecretHTTP.Body)
+ if err != nil {
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrClientAuthz) // TODO: Confirm Type of Error
+ }
+ apiSecret, err := authzapireq.APIApplicationHTTP(respBody)
+ if err != nil {
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ apiReg.ClientSecret = apiSecret.ClientSecret
+ }
+ return apiReg, nil
+}
+
+// updateAppStatus updates Application-related status values and reports if anything was changed
+// Note: this defines the mapping between Status and Authzsvc API
+func updateAppStatus(app *webservicesv1alpha1.ApplicationRegistrationStatus, apiApp authzapireq.APIApplication, owner authzapireq.APIIdentity, log logr.Logger) bool {
+ updated := false
+
+ if app.ID != apiApp.ID {
+ log.WithValues("app.Id", app.ID, "apiApp.ID", apiApp.ID).V(8).Info("app.ID does not match apiApp.ID")
+ app.ID = apiApp.ID
+ updated = true
+ }
+ if app.CurrentOwnerUsername != apiApp.OwnerUPN {
+ log.WithValues("app.CurrentOwnerUsername", app.CurrentOwnerUsername, "apiApp.OwnerUPN", apiApp.OwnerUPN).V(8).Info("app.CurrentOwnerUsername does not match apiApp.OwnerUPN")
+ app.CurrentOwnerUsername = apiApp.OwnerUPN
+ updated = true
+ }
+ if app.CurrentAdminGroup != apiApp.AdministratorsDisplayName {
+ log.WithValues("app.CurrentAdminGroup", app.CurrentAdminGroup, "apiApp.AdministratorsDisplayName", apiApp.AdministratorsDisplayName).V(8).Info("app.CurrentAdminGroup does not match apiApp.Admin")
+ app.CurrentAdminGroup = apiApp.AdministratorsDisplayName
+ updated = true
+ }
+ if !(app.CurrentEnabledStatus == !apiApp.Blocked) {
+ log.WithValues("app.CurrentEnabledStatus", app.CurrentEnabledStatus, "!apiApp.Blocked", !apiApp.Blocked).V(8).Info("app.CurrentEnabledStatus does not match !apiApp.Blocked")
+ app.CurrentEnabledStatus = !apiApp.Blocked
+ updated = true
+ }
+ if app.CurrentDescription != apiApp.Description {
+ log.WithValues("app.CurrentDescription", app.CurrentDescription, "apiApp.Description", apiApp.Description).V(8).Info("app.CurrentDescription does not match apiApp.Description")
+ app.CurrentDescription = apiApp.Description
+ updated = true
+ }
+ if string(app.CurrentResourceCategory) != apiApp.Category {
+ log.WithValues("app.CurrentResourceCategory", string(app.CurrentResourceCategory), "apiApp.Category", apiApp.Category).V(8).Info("app.CurrentResourceCategory does not match apiApp.Category")
+ app.CurrentResourceCategory = webservicesv1alpha1.ResourceCategoryType(apiApp.Category)
+ updated = true
+ }
+ if app.CurrentDepartment != owner.CernDepartment {
+ log.WithValues("app.CurrentDepartment", string(app.CurrentDepartment), "owner.CernDepartment", owner.CernDepartment).V(8).Info("app.CurrentDepartment does not match")
+ app.CurrentDepartment = owner.CernDepartment
+ updated = true
+ }
+ if app.CurrentGroup != owner.CernGroup {
+ log.WithValues("app.CurrentGroup", string(app.CurrentGroup), "owner.CernGroup", owner.CernGroup).V(8).Info("app.CurrentGroup does not match")
+ app.CurrentGroup = owner.CernGroup
+ updated = true
+ }
+ return updated
+}
+
+// updateAppStatusOIDC updates OIDC Registration- related status values (those that can be modified) and reports if anything was changed
+func updateAppStatusOIDC(appStatus *webservicesv1alpha1.ApplicationRegistrationStatus, apiReg authzapireq.APIRegistration) (update bool) {
+ if !(appStatus.OIDCEnabled == apiReg.Enabled &&
+ appStatus.ClientCredentialsSecret == k8sSecretOIDCClientSecret &&
+ webservicesv1alpha1.SameSet(appStatus.RedirectURIs, apiReg.RedirectURIs)) {
+ appStatus.RegistrationID = apiReg.RegistrationID
+ appStatus.OIDCEnabled = apiReg.Enabled
+ appStatus.ClientCredentialsSecret = k8sSecretOIDCClientSecret
+ appStatus.RedirectURIs = apiReg.RedirectURIs
+ return true
+ }
+ return false
+}
+
+// createAppInAuthz: creates the ApplicationRegistration at the Authzsvc API
+// Return POST response (equivalent to GET Application/{appID})
+func (r *ApplicationRegistrationReconciler) createAppInAuthz(appSpec webservicesv1alpha1.ApplicationRegistrationSpec) (authzapireq.APIApplication, reconcileError) {
+ signalAdoptApp := func(appCreationErrMsg string) (authzapireq.APIApplication, reconcileError) {
+ // If creation returned a 400 error, it may be because an app already exists with that name,
+ // in which case we try to adopt it. But it may also have failed for other reasons.
+ // Verify if it already exists
+ existingAPIApp, err := r.Authz.GetApplicationByAppID(appSpec.ApplicationIdentifier)
+ if err != nil {
+ switch {
+ case errors.Is(err, authzapireq.ErrNotFound):
+ // NOTE: if POST returns 400, but the condition to adopt isn't met, does this mean the Application is invalid?
+ // If yes, it should be a permanent error
+ return authzapireq.APIApplication{}, newApplicationError(errors.New("Failed to create the Application due to invalid input,"+
+ " and it does not look like this is due to a name conflict as we could not find an existing application with the same identifier."+
+ " The error returned by the Authz API was: "+appCreationErrMsg), ErrTemporary)
+ case errors.Is(err, authzapireq.ErrUnauthorized):
+ return authzapireq.APIApplication{}, newApplicationError(nil, ErrApplicationConflict)
+ }
+ return authzapireq.APIApplication{}, newApplicationError(err, ErrTemporary)
+ }
+ if existingAPIApp.AppID != appSpec.ApplicationIdentifier {
+ return authzapireq.APIApplication{}, newApplicationError(errors.New("application with conflicting identifiers already exists,"+
+ " but when trying to adopt it, the applicationIdentifiers don't match"), ErrTemporary)
+ }
+ // Obtain names of Owner and Administrator group
+ existingAPIApp, err = resolveOwnerAndAdministratorIDs(r.AuthzApiCache, existingAPIApp)
+ switch {
+ case errors.Is(err, authzapireq.ErrNotFound):
+ return existingAPIApp, newApplicationError(nil, ErrInvalidOwner)
+ case err != nil:
+ return existingAPIApp, newApplicationError(err, ErrTemporary)
+ }
+ return existingAPIApp, newApplicationError(nil, ErrApplicationAlreadyExists)
+ }
+ appJSON, sortedErr := r._createJSONBasedOnSpec(appSpec)
+ if sortedErr != nil {
+ return authzapireq.APIApplication{}, sortedErr
+ }
+ apiAppHTTP, err := r.Authz.Post(authzapireq.Application, bytes.NewBuffer(appJSON))
+ if err != nil {
+ return authzapireq.APIApplication{}, newApplicationError(err, ErrClientAuthz)
+ }
+ respBody, err := ioutil.ReadAll(apiAppHTTP.Body)
+ if err != nil {
+ return authzapireq.APIApplication{}, newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ switch {
+ // Adopt application: 400 might mean an Application with the given identifier already exists
+ case apiAppHTTP.StatusCode == 400:
+ return signalAdoptApp(string(respBody))
+ case apiAppHTTP.StatusCode > 201:
+ return authzapireq.APIApplication{}, newApplicationError(authzapireq.StatusCodeErr(apiAppHTTP, respBody, appJSON), ErrAuthzAPITemp)
+ }
+ apiApp, err := authzapireq.APIApplicationHTTP(respBody)
+ if err != nil {
+ return authzapireq.APIApplication{}, newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ // Obtain names of Owner and Administrator group
+ apiApp, err = resolveOwnerAndAdministratorIDs(r.AuthzApiCache, apiApp)
+ switch {
+ case errors.Is(err, authzapireq.ErrNotFound):
+ return apiApp, newApplicationError(nil, ErrInvalidOwner)
+ case err != nil:
+ return apiApp, newApplicationError(err, ErrTemporary)
+ }
+ return apiApp, nil
+}
+
+// createOIDCinAuthz: creates the Registration for the Application at the Authzsvc API
+func (r *ApplicationRegistrationReconciler) createOIDCinAuthz(app webservicesv1alpha1.ApplicationRegistration) (authzapireq.APIRegistration, reconcileError) {
+ jsonBody, err := r._createJSONRegistration(app)
+ if err != nil {
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrTemporary)
+ }
+ apiRegHTTP, err := r.Authz.Post(authzapireq.Registration.Join(app.Status.ID).Join(r.Authz.OidcProviderID()), bytes.NewBuffer(jsonBody))
+ if err != nil {
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrClientAuthz)
+ }
+ respBody, err := ioutil.ReadAll(apiRegHTTP.Body)
+ if err != nil {
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ switch {
+ case apiRegHTTP.StatusCode == 400:
+ return authzapireq.APIRegistration{}, newApplicationError(authzapireq.StatusCodeErr(apiRegHTTP, respBody, jsonBody), ErrAuthzAPIPermanent)
+ case apiRegHTTP.StatusCode > 201:
+ return authzapireq.APIRegistration{}, newApplicationError(authzapireq.StatusCodeErr(apiRegHTTP, respBody, jsonBody), ErrAuthzAPITemp)
+ }
+ apiReg, err := authzapireq.APIRegistrationHTTP(respBody)
+ if err != nil {
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ return apiReg, nil
+}
+
+// fetchOIDCfromAuthz tries to fetch any associated Registration from the AuthzAPI and returns an empty Registration if it doesn't find it
+func (r *ApplicationRegistrationReconciler) fetchOIDCfromAuthz(regID string) (authzapireq.APIRegistration, reconcileError) {
+ if regID != "" {
+ apiAppHTTP, err := r.Authz.Get(authzapireq.Registration.Join(regID), nil)
+ if err != nil {
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrClientAuthz)
+ }
+ respBody, err := ioutil.ReadAll(apiAppHTTP.Body)
+ if err != nil {
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ switch {
+ // Unauthorized, we can treat this as if the application didn't exist
+ case apiAppHTTP.StatusCode == 401:
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrAuthzAPIUnauthorized)
+ // Not Found, this isnt considered an error, we just return an empty application
+ case apiAppHTTP.StatusCode == 404:
+ return authzapireq.APIRegistration{}, nil
+ case apiAppHTTP.StatusCode > 201:
+ return authzapireq.APIRegistration{}, newApplicationError(
+ authzapireq.StatusCodeErr(apiAppHTTP, respBody, nil), ErrAuthzAPITemp)
+ }
+ regID, err := authzapireq.APIRegistrationHTTP(respBody)
+ if err != nil {
+ return authzapireq.APIRegistration{}, newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ return regID, nil
+ }
+ return authzapireq.APIRegistration{}, nil
+}
+
+// enforceSpec patches (HTTP PUT) the existing ApplicationRegistration definition in the Authzsvc API with the info from the spec
+func (r *ApplicationRegistrationReconciler) enforceSpec(appSpec webservicesv1alpha1.ApplicationRegistrationSpec, appID string) reconcileError {
+ appJSON, sortedErr := r._createJSONBasedOnSpec(appSpec)
+ if sortedErr != nil {
+ return sortedErr
+ }
+ apiAppHTTP, err := r.Authz.Put(authzapireq.Application.Join(appID), bytes.NewBuffer(appJSON))
+ if err != nil {
+ return newApplicationError(err, ErrTemporary)
+ }
+ respBody, err := ioutil.ReadAll(apiAppHTTP.Body)
+ if err != nil {
+ return newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ switch {
+ case apiAppHTTP.StatusCode == 404:
+ return newApplicationError(authzapireq.StatusCodeErr(apiAppHTTP, respBody, appJSON), ErrAssociatedAppNotFound)
+ case apiAppHTTP.StatusCode == 405:
+ // TODO #39 check StatusCode (405 not allowed)
+ return newApplicationError(authzapireq.StatusCodeErr(apiAppHTTP, respBody, appJSON), ErrAuthzAPIPermanent)
+ case apiAppHTTP.StatusCode > 201:
+ return newApplicationError(authzapireq.StatusCodeErr(apiAppHTTP, respBody, appJSON), ErrAuthzAPITemp)
+ }
+ return nil
+}
+
+func (r *ApplicationRegistrationReconciler) enforceOIDCRedirectURIs(app *webservicesv1alpha1.ApplicationRegistration) reconcileError {
+ jsonBody, err := r._createJSONRegistration(*app)
+ if err != nil {
+ return newApplicationError(err, ErrTemporary) //TODO Better error type
+ }
+ apiRegHTTP, err := r.Authz.Put(authzapireq.Registration.Join(app.Status.RegistrationID), bytes.NewBuffer(jsonBody))
+ if err != nil {
+ return newApplicationError(err, ErrClientAuthz)
+ }
+ respBody, err := ioutil.ReadAll(apiRegHTTP.Body)
+ if err != nil {
+ return newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ switch {
+ case apiRegHTTP.StatusCode == 400:
+ return newApplicationError(authzapireq.StatusCodeErr(apiRegHTTP, respBody, jsonBody), ErrAuthzAPIPermanent)
+ case apiRegHTTP.StatusCode > 201:
+ return newApplicationError(authzapireq.StatusCodeErr(apiRegHTTP, respBody, jsonBody), ErrAuthzAPITemp)
+ }
+ _, err = authzapireq.APIRegistrationHTTP(respBody)
+ if err != nil {
+ return newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ return nil
+}
+
+// appspecMatchesAuthz checks if {authzApp == appSpec}. It does the inverse of _createJSONBasedOnSpec.
+func appspecMatchesAuthz(appSpec webservicesv1alpha1.ApplicationRegistrationSpec, apiApp authzapireq.APIApplication) bool {
+ return apiApp.AppID == appSpec.ApplicationIdentifier &&
+ apiApp.DisplayName == appSpec.DisplayName &&
+ apiApp.HomePage == appSpec.HomePage &&
+ apiApp.Description == appSpec.Description
+}
+
+// APIApplicationAppSpec transforms the AppSpec to an APIApplication to POST
+func APIApplicationAppSpec(appspec webservicesv1alpha1.ApplicationRegistrationSpec, ownerID string) (apiApp authzapireq.APIApplication, err error) {
+ // TODO: define better based on use
+ return authzapireq.APIApplication{
+ AppID: appspec.ApplicationIdentifier,
+ DisplayName: appspec.DisplayName,
+ HomePage: appspec.HomePage,
+ OwnerID: ownerID,
+ Description: appspec.Description,
+ }, nil
+}
+
+func (r *ApplicationRegistrationReconciler) fetchOIDCRedirectURIs(namespace string) ([]string, reconcileError) {
+ oidcRedirectURIs := &webservicesv1alpha1.OidcReturnURIList{}
+ if err := r.List(context.TODO(), oidcRedirectURIs, &client.ListOptions{Namespace: namespace}); err != nil {
+ return nil, newApplicationError(err, ErrClientK8s)
+ }
+ redirectURIs := make([]string, len(oidcRedirectURIs.Items))
+ for i, uri := range oidcRedirectURIs.Items {
+ redirectURIs[i] = uri.Spec.RedirectURI
+ }
+ return redirectURIs, nil
+}
+
+func (r *ApplicationRegistrationReconciler) _createJSONBasedOnSpec(appSpec webservicesv1alpha1.ApplicationRegistrationSpec) ([]byte, reconcileError) {
+ ownerID, err := r.AuthzApiCache.LookupUserId(appSpec.InitialOwner.Username)
+ if err != nil {
+ if errors.Is(err, authzapireq.ErrNotFound) {
+ return nil, newApplicationError(nil, ErrInvalidOwner)
+ }
+ return nil, newApplicationError(err, ErrTemporary)
+ }
+ appJSON, err := json.Marshal(map[string]string{
+ "description": appSpec.Description,
+ "homePage": appSpec.HomePage,
+ "ownerId": ownerID,
+ "managerId": r.Authz.ManagerID(),
+ "displayName": appSpec.DisplayName,
+ "applicationIdentifier": appSpec.ApplicationIdentifier,
+ "resourceCategory": string(appSpec.InitialResourceCategory),
+ })
+ if err != nil {
+ return nil, newApplicationError(err, ErrTemporary)
+ }
+ return appJSON, nil
+}
+
+func (r *ApplicationRegistrationReconciler) _createJSONRegistration(app webservicesv1alpha1.ApplicationRegistration) ([]byte, error) {
+ redirectURIs, err := r.fetchOIDCRedirectURIs(app.Namespace)
+ if err != nil {
+ return nil, err
+ }
+ jsonData := map[string]interface{}{
+ "consentRequired": false,
+ "implicitFlowEnabled": false,
+ "redirectUris": redirectURIs,
+ }
+ return json.Marshal(jsonData)
+}
+
+func (r *ApplicationRegistrationReconciler) _createJSONAppRole(role webservicesv1alpha1.AppRole, appID string) ([]byte, error) {
+ loaID, err := r.Authz.GetLoA(strconv.Itoa(role.MinLoA))
+ if err != nil {
+ return nil, err // Sort AuthzAPI errors?
+ }
+ jsonData := map[string]interface{}{
+ "applicationId": appID,
+ "applyToAllUsers": role.ApplyToAllUsers,
+ "description": role.Description,
+ "displayName": role.DisplayName,
+ "minimumLoaId": loaID,
+ "name": role.Name,
+ "required": role.Required,
+ }
+ return json.Marshal(jsonData)
+}
+
+func validateSpec(appSpec webservicesv1alpha1.ApplicationRegistrationSpec) error {
+ _, err := govalidator.ValidateStruct(appSpec)
+ if err != nil {
+ return err
+ }
+ _, err = govalidator.ValidateStruct(appSpec.InitialOwner)
+ return err
+}
+
+// deleteApplicationFromAuthz deletes the application from the AuthzAPI and handles the error conditions
+func (r *ApplicationRegistrationReconciler) deleteApplicationFromAuthz(ownedAppID string) reconcileError {
+ httpResponse, err := r.Authz.Delete(authzapireq.Application.Join(ownedAppID), nil)
+ if err != nil {
+ return newApplicationError(err, ErrAuthzAPITemp)
+ }
+ respBody, err := ioutil.ReadAll(httpResponse.Body)
+ if err != nil {
+ return newApplicationError(err, ErrAuthzInvalidResponse)
+ }
+ switch {
+ case httpResponse.StatusCode > 201:
+ return newApplicationError(authzapireq.StatusCodeErr(httpResponse, respBody, nil), ErrAuthzAPITemp)
+ }
+ return nil
+}
+
+// ensureSpecHasAppIdAndName initializes spec.applicationIdentifier and spec.displayName from convention,
+// then returns if it needs to be updated.
+func ensureSpecHasAppIdAndName(log logr.Logger, app *webservicesv1alpha1.ApplicationRegistration) (update bool) {
+ if app.Spec.ApplicationIdentifier == "" || app.Spec.DisplayName == "" {
+ log.Info("Initializing AppReg Spec")
+ app.Spec.ApplicationIdentifier = app.ApplicationIdentifierConvention(os.Getenv("CLUSTER_NAME"))
+ app.Spec.DisplayName = app.DisplayNameConvention(os.Getenv("CLUSTER_NAME"))
+ update = true
+ }
+ return
+}
+
+// ensureStatusInit ensures that the status have been initialized, returns true if it is required an update
+func ensureStatusInit(app *webservicesv1alpha1.ApplicationRegistration) (update bool) {
+ if app.Status.ProvisioningStatus == "" {
+ app.Status.ProvisioningStatus = webservicesv1alpha1.ProvisioningStatusCreating
+ return true
+ }
+ return false
+}
+
+// THIS MUST BE THE ONLY PLACE SETTING PROVISIONINGSTATUS! (other than initialization)
+// Sets the ProvisioningStatus and error messages (when applicable) based on error conditions:
+// - if no error, then ProvisioningStatus is `Created` and we remove any error message
+// - if retryable (temporary/transient) error, we don't change the status (TODO: possibly show the error in a dedicated Condition)
+// - if error is ErrAssociatedAppNotFound then ProvisioningStatus is "DeletedFromAPI" (see reconcileError.ProvisioningError())
+// - for other non-retryable (permanent) errors, set ProvisioningStatus to "ProvisioningError" and show errors messages in status
+func (r *ApplicationRegistrationReconciler) setProvisioningStatus(log logr.Logger, appStatus *webservicesv1alpha1.ApplicationRegistrationStatus, statusErr reconcileError) (update bool) {
+ if statusErr == nil {
+ if appStatus.ProvisioningStatus != webservicesv1alpha1.ProvisioningStatusCreated {
+ appStatus.ProvisioningStatus = webservicesv1alpha1.ProvisioningStatusCreated
+ appStatus.ErrorReason = ""
+ appStatus.ErrorMessage = ""
+ return true
+ }
+ return false
+ }
+ if statusErr.IsRetryable() {
+ // TODO add Condition.OutOfSync
+ //appStatus.ProvisioningStatus = webservicesv1alpha1.ProvisioningStatusCreating
+ // NOTE these are only for debugging, otherwise temporary errors shouldn't fill this in
+ //appStatus.ErrorReason = statusErr.Unwrap().Error()
+ //appStatus.ErrorMessage = statusErr.Error()
+ //return true
+ return false
+ }
+ log.Info("Updating ProvisioningStatus with permanent error: " + statusErr.Error())
+ appStatus.ProvisioningStatus = statusErr.ProvisioningError()
+ appStatus.ErrorReason = statusErr.Unwrap().Error()
+ appStatus.ErrorMessage = statusErr.Error()
+ return true
+}
+
+func namespacedName(app *webservicesv1alpha1.ApplicationRegistration) types.NamespacedName {
+ return types.NamespacedName{
+ Name: app.ObjectMeta.Name,
+ Namespace: app.ObjectMeta.Namespace,
+ }
+}
diff --git a/internal/controller/applicationregistration_controller.go b/internal/controller/applicationregistration_controller.go
index 9980a43af023ea455cf70178b1ec271c4635bf3e..cf1a4c81c1623b4ae3a8f04a54d920ddd3f54931 100644
--- a/internal/controller/applicationregistration_controller.go
+++ b/internal/controller/applicationregistration_controller.go
@@ -1,5 +1,5 @@
/*
-Copyright 2024 CERN.
+
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -18,45 +18,321 @@ package controller
import (
"context"
+ "fmt"
+ "sync"
+ "github.com/go-logr/logr"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
- "sigs.k8s.io/controller-runtime/pkg/log"
+ "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+ "sigs.k8s.io/controller-runtime/pkg/event"
+ "sigs.k8s.io/controller-runtime/pkg/handler"
+ "sigs.k8s.io/controller-runtime/pkg/reconcile"
+ "sigs.k8s.io/controller-runtime/pkg/source"
webservicesv1alpha1 "gitlab.cern.ch/paas-tools/operators/authz-operator/api/v1alpha1"
+ "gitlab.cern.ch/paas-tools/operators/authz-operator/internal/apicache"
+ "gitlab.cern.ch/paas-tools/operators/authz-operator/internal/authzapireq"
+)
+
+type AppStatusRefreshMode string
+
+const (
+ // With mode AppStatusRefreshModeSynchronous, each Reconcile talks to the Authz API, compares and
+ // updates the ApplicationRegistration state in Kubernetes. Reconcile() is slow in this mode.
+ AppStatusRefreshModeSynchronous AppStatusRefreshMode = "RefreshSynchronously"
+ // With mode AppStatusRefreshModeAsync, Reconcile() only talks talks to the Authz API if
+ // the state in Kubernetes requires performing some change in the API (e.g. register a new application,
+ // update OIDC return URIs). If the state in Kubernetes is consistent, then Reconcile won't make any
+ // call to the Authz API. Instead, it will request an asynchronous refresh via FullResyncRequests.
+ // This allows Reconcile() to return very fast in most cases, while still propagating changes to the Authz API
+ // quickly when something has changed in Kubernetes.
+ AppStatusRefreshModeAsync AppStatusRefreshMode = "DelegateRefreshToBackgroundReconciler"
)
// ApplicationRegistrationReconciler reconciles a ApplicationRegistration object
type ApplicationRegistrationReconciler struct {
client.Client
- Scheme *runtime.Scheme
-}
-
-//+kubebuilder:rbac:groups=webservices.cern.ch,resources=applicationregistrations,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=webservices.cern.ch,resources=applicationregistrations/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=webservices.cern.ch,resources=applicationregistrations/finalizers,verbs=update
-
-// Reconcile is part of the main kubernetes reconciliation loop which aims to
-// move the current state of the cluster closer to the desired state.
-// TODO(user): Modify the Reconcile function to compare the state specified by
-// the ApplicationRegistration object against the actual cluster state, and then
-// perform operations to make the cluster state reflect the state specified by
-// the user.
-//
-// For more details, check Reconcile and its Result here:
-// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.15.0/pkg/reconcile
-func (r *ApplicationRegistrationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
- _ = log.FromContext(ctx)
-
- // TODO(user): your logic here
+ Log logr.Logger
+ Scheme *runtime.Scheme
+ Authz authzapireq.AuthzClient
+ AuthzApiCache apicache.AuthzCache
- return ctrl.Result{}, nil
+ // see the AppStatusRefreshMode constants for explanations
+ appStatusRefreshBehavior AppStatusRefreshMode
+ // AppStatusRefreshRequests channel is used to request an asynchronous full (slow) reconciliation with authz API.
+ // It receives sync requests from the foreground instance of the reconciler (in AppStatusRefreshModeAsync mode),
+ // as well as sync requests from the Lifecycle controller (when syncing all apps with Authz API and finding some apps that need update).
+ // The background instance of the reconciler uses mode AppStatusRefreshModeSynchronous and performs the full sync
+ // on ApplicationRegistration received through this channel.
+ AppStatusRefreshRequests chan event.GenericEvent
+ // Because we'll run concurrent instances of the reconciler with different modes,
+ // we need to synchronize them so they do not work on the same ApplicationRegistration resource
+ // at the same time. This synchronization is required because the Reconcile() implementation is not re-entrant
+ // when it has to make changes to the Authz API.
+ ReconcilerProcessingInProgress map[string]bool
+ ReconcilerSyncMutex *sync.Mutex
}
-// SetupWithManager sets up the controller with the Manager.
-func (r *ApplicationRegistrationReconciler) SetupWithManager(mgr ctrl.Manager) error {
+func (r *ApplicationRegistrationReconciler) SetupWithManagerForForeground(mgr ctrl.Manager) error {
+ r.appStatusRefreshBehavior = AppStatusRefreshModeAsync
return ctrl.NewControllerManagedBy(mgr).
+ Named("applicationregistration_foreground"). // Must be compatible with a Prometheus metric name i.e. alphanum + underscore
For(&webservicesv1alpha1.ApplicationRegistration{}).
+ Watches(&source.Kind{Type: &webservicesv1alpha1.OidcReturnURI{}}, handler.EnqueueRequestsFromMapFunc(
+ func(a client.Object) []reconcile.Request {
+ log := r.Log.WithValues("Source", "OIDCReturnURI event handler", "Namespace", a.GetNamespace())
+ // Fetch the Applications in the same namespace
+ applications := &webservicesv1alpha1.ApplicationRegistrationList{}
+ if err := mgr.GetClient().List(context.TODO(), applications, &client.ListOptions{Namespace: a.GetNamespace()}); err != nil {
+ if apierrors.IsNotFound(err) {
+ log.Info("Application not found in namespace")
+ } else {
+ log.Error(err, "Couldn't list Applications in namespace")
+ }
+ return []reconcile.Request{}
+ }
+ requests := make([]reconcile.Request, len(applications.Items))
+ for i, a := range applications.Items {
+ requests[i].Name = a.GetName()
+ requests[i].Namespace = a.GetNamespace()
+ }
+ return requests
+ }),
+ ).
+ Complete(r)
+}
+
+func (r *ApplicationRegistrationReconciler) SetupWithManagerForBackground(mgr ctrl.Manager) error {
+ r.appStatusRefreshBehavior = AppStatusRefreshModeSynchronous
+ return ctrl.NewControllerManagedBy(mgr).
+ Named("applicationregistration_background"). // Must be compatible with a Prometheus metric name i.e. alphanum + underscore
+ For(&webservicesv1alpha1.ApplicationRegistration{}). // TODO: this watches ApplicationRegistrations, we don't want to but this is a requirement until we update operator-sdk, then we can remove this.
+ Watches(
+ // this source enables the foreground reconciler and the lifecycle controller to send reconcile requests for
+ // ApplicationRegistration resources that should be synced with Authz API in the background.
+ &source.Channel{Source: r.AppStatusRefreshRequests},
+ &handler.EnqueueRequestForObject{},
+ ).
Complete(r)
}
+
+// +kubebuilder:rbac:groups=webservices.cern.ch,resources=applicationregistrations,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=webservices.cern.ch,resources=applicationregistrations/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=webservices.cern.ch,resources=oidcreturnuris,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=webservices.cern.ch,resources=oidcreturnuris/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=webservices.cern.ch,resources=secrets,verbs=create;delete;get;list;watch
+
+func (r *ApplicationRegistrationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+ log := r.Log.WithValues("reconcilerMode", r.appStatusRefreshBehavior, "applicationregistration", req.NamespacedName)
+ log.V(3).Info("Reconciling ApplicationRegistration")
+
+ // Because we run multiple instances of the reconciler, we must avoid that the same resource is processed
+ // by both controllers!
+ if !r.acquire(req) {
+ // simply requeue, we'll try again later
+ log.V(8).Info("Another controller is already processing this resource")
+ return ctrl.Result{Requeue: true}, nil
+ }
+ defer r.release(req)
+
+ // Fetch the Application
+ application := &webservicesv1alpha1.ApplicationRegistration{}
+ if err := r.Get(ctx, req.NamespacedName, application); err != nil {
+ if apierrors.IsNotFound(err) {
+ return ctrl.Result{}, nil
+ }
+ return ctrl.Result{}, err
+ }
+ // Deletions: On resource deletion, it deletes from Authzsvc API. If it doesn't exist there, it removes the finalizer
+ if application.GetDeletionTimestamp() != nil {
+ if controllerutil.ContainsFinalizer(application, deleteFromApiFinalizer) {
+ return r.cleanupApplicationRegistration(ctx, log, application)
+ }
+ return ctrl.Result{}, nil
+ }
+
+ handleRetryableErr := func(transientErr reconcileError, logstrFmt string) (ctrl.Result, error) {
+ if transientErr.IsRetryable() {
+ log.Error(transientErr, fmt.Sprintf(logstrFmt, transientErr.Unwrap()))
+ r.setProvisioningStatus(log, &application.Status, transientErr)
+ _, err := r.updateCRStatusorFailReconcile(ctx, log, application)
+ // Error is returned to the controller to record it in the metrics, despite the extra log message generated
+ return ctrl.Result{}, err
+ }
+ log.Error(transientErr, "Sanity check failed: Permanent error marked as transient!"+fmt.Sprintf(logstrFmt, transientErr.Unwrap()))
+ return ctrl.Result{}, nil
+ }
+
+ // # Init
+
+ if update := ensureSpecHasAppIdAndName(log, application); update {
+ return r.updateCRorFailReconcile(ctx, log, application)
+ }
+ if err := validateSpec(application.Spec); err != nil {
+ appErr := newApplicationError(err, ErrInvalidSpec)
+ log.Error(err, fmt.Sprintf("%v failed to validate Application spec", appErr.Unwrap()))
+ r.setProvisioningStatus(log, &application.Status, appErr)
+ return r.updateCRStatusorFailReconcile(ctx, log, application)
+ }
+ if update := ensureStatusInit(application); update {
+ log.Info("Initializing AppReg Status")
+ return r.updateCRStatusorFailReconcile(ctx, log, application)
+ }
+
+ // no API application associated yet?
+ if application.Status.ID == "" {
+ log.Info("Ensuring a matching Application in the AuthzAPI")
+ if transientErr := r.ensureAPIAppAndSyncStatus(log, application); transientErr != nil {
+ return handleRetryableErr(transientErr, "%v retrying to ensure Application in the AuthzAPI")
+ }
+ return r.updateCRStatusorFailReconcile(ctx, log, application)
+ }
+
+ log = log.WithValues("appID", application.Status.ID)
+
+ // Checking OIDC credentials
+ if application.Status.RegistrationID == "" {
+ log.Info("Ensuring OIDC registration in the AuthzAPI")
+ if transientErr := r.ensureAPIOIDCandSyncStatus(log, application); transientErr != nil {
+ return handleRetryableErr(transientErr, "%v retrying to ensure OIDC registration in the AuthzAPI")
+ }
+ return r.updateCRStatusorFailReconcile(ctx, log, application)
+ }
+
+ syncStatusInForeground := false
+
+ // Check if OIDC return URIs in applicationregistration status are in sync with OIDCReturnURI resources
+ desiredRedirectURIs, err := r.fetchOIDCRedirectURIs(application.Namespace)
+ if err != nil {
+ return ctrl.Result{Requeue: true}, err
+ }
+ // sync immediately (in foreground) to update OIDC return URIs when needed
+ if application.Status.ProvisioningStatus == webservicesv1alpha1.ProvisioningStatusCreated &&
+ !webservicesv1alpha1.SameSet(desiredRedirectURIs, application.Status.RedirectURIs) {
+ syncStatusInForeground = true
+ }
+
+ // Sync immediately (in foreground) if this is a newly registered ApplicationRegistration and we haven't synced data yet
+ if application.Status.CurrentOwnerUsername == "" {
+ syncStatusInForeground = true
+ }
+
+ // we have an API application, and we need to reflect the API application's data (owner, admin group etc.) in the
+ // ApplicationRegistration's Status. This is an expensive operation.
+
+ // Depending on the reconciler mode, we may skip this part and delegate to background reconciler.
+ if r.appStatusRefreshBehavior == AppStatusRefreshModeAsync && !syncStatusInForeground {
+ log.V(8).Info("Skipping refresh of ApplicationRegistration status and delegating to background reconciler")
+ r.AppStatusRefreshRequests <- event.GenericEvent{
+ Object: application,
+ }
+ // and nothing else to do
+ return ctrl.Result{}, nil
+ }
+
+ // else proceed with synchronous refresh of application status
+ update, authzUpdate, transientErr := r.syncAPIAppStatus(log, application)
+ switch {
+ case transientErr != nil:
+ return handleRetryableErr(transientErr, "%v retrying to sync Application with the AuthzAPI")
+ case authzUpdate:
+ _, err := r.updateCRStatusorFailReconcile(ctx, log, application)
+ return ctrl.Result{Requeue: true}, err
+ case update:
+ log.Info("Synced AppReg with AuthzAPI Application")
+ return r.updateCRStatusorFailReconcile(ctx, log, application)
+ }
+
+ update, authzUpdate, transientErr = r.syncAPIOIDCStatus(log, application, desiredRedirectURIs)
+ switch {
+ case transientErr != nil:
+ return handleRetryableErr(transientErr, "%v retrying to sync OIDC with the AuthzAPI")
+ case authzUpdate:
+ _, err := r.updateCRStatusorFailReconcile(ctx, log, application)
+ return ctrl.Result{Requeue: true}, err
+ case update:
+ log.Info("Synced AppReg with AuthzAPI OIDC Registration")
+ return r.updateCRStatusorFailReconcile(ctx, log, application)
+ }
+
+ // Signal steady state
+ if update := r.setProvisioningStatus(log, &application.Status, nil); update {
+ return r.updateCRStatusorFailReconcile(ctx, log, application)
+ }
+ return ctrl.Result{}, nil
+}
+
+// cleanupApplicationRegistration deletes all associated resources (in particular AuthzAPI objects), and if they're gone it clears the finalizer
+func (r *ApplicationRegistrationReconciler) cleanupApplicationRegistration(ctx context.Context, log logr.Logger, app *webservicesv1alpha1.ApplicationRegistration) (
+ reconcile.Result, error) {
+ // 1. Get the associated Application from the API
+ ownedApp, err := r.fetchOwnedApp(app.Status.ID)
+ if err != nil {
+ log.Error(err, fmt.Sprintf("%v unable to check for the owned Application", ErrAuthzAPITemp))
+ return reconcile.Result{Requeue: true}, r.deleteApplicationFromAuthz(app.Status.ID)
+ }
+ // 2. If there isn't any, remove finalizer
+ if ownedApp.ID == "" {
+ log.Info("Deleting ApplicationRegistration")
+ controllerutil.RemoveFinalizer(app, deleteFromApiFinalizer)
+ return r.updateCRorFailReconcile(ctx, log, app)
+ }
+ // 3. Delete the associated Application and requeue
+ log.Info("Deleting the associated Application from the AuthzAPI")
+ if err := r.deleteApplicationFromAuthz(ownedApp.ID); err != nil {
+ log.Error(err, fmt.Sprintf("%v can't delete owned Application from the AuthzAPI", err.Unwrap()))
+ }
+ // NOTE: Requeue because we need to confirm deletion from the AuthzAPI
+ return reconcile.Result{Requeue: true}, nil
+}
+
+// updateCRorFailReconcile tries to update the Custom Resource and logs any error
+func (r *ApplicationRegistrationReconciler) updateCRorFailReconcile(ctx context.Context, log logr.Logger, app *webservicesv1alpha1.ApplicationRegistration) (
+ reconcile.Result, error) {
+ if err := r.Update(ctx, app); err != nil {
+ log.Error(err, fmt.Sprintf("%v failed to update the application", ErrClientK8s))
+ return reconcile.Result{Requeue: true}, nil
+ }
+ return reconcile.Result{}, nil
+}
+
+// updateCRStatusorFailReconcile tries to update the Custom Resource Status and logs any error
+func (r *ApplicationRegistrationReconciler) updateCRStatusorFailReconcile(ctx context.Context, log logr.Logger, app *webservicesv1alpha1.ApplicationRegistration) (
+ reconcile.Result, error) {
+ if err := r.Status().Update(ctx, app); err != nil {
+ log.Error(err, fmt.Sprintf("%v failed to update the application status", ErrClientK8s))
+ return reconcile.Result{Requeue: true}, nil
+ }
+ return reconcile.Result{}, nil
+}
+
+// Acquire checks if a Request is already being processed and marks it as such
+func (r *ApplicationRegistrationReconciler) acquire(req ctrl.Request) bool {
+ // Lock the mutex to access the processed map
+ mutex := r.ReconcilerSyncMutex
+ processingInProgress := r.ReconcilerProcessingInProgress
+ mutex.Lock()
+ defer mutex.Unlock()
+ key := req.NamespacedName.String()
+ // Check if the Request is already being processed
+ if processingInProgress[key] {
+ return false
+ }
+ // Mark the Request as being processed
+ processingInProgress[key] = true
+ return true
+}
+
+// Release removes a Request key from the processingInProgress map
+func (r *ApplicationRegistrationReconciler) release(req ctrl.Request) {
+ mutex := r.ReconcilerSyncMutex
+ processingInProgress := r.ReconcilerProcessingInProgress
+ // Lock the mutex to access the processed map
+ mutex.Lock()
+ defer mutex.Unlock()
+ // Remove the key from the processed map
+ delete(processingInProgress, req.NamespacedName.String())
+}
diff --git a/internal/controller/bootstrapapplicationrole_controller.go b/internal/controller/bootstrapapplicationrole_controller.go
index 227884bf1845a83b5c2e6603a848dd4a5966320e..151de51a056b9c9bdd70e4a45456fabdca1464f3 100644
--- a/internal/controller/bootstrapapplicationrole_controller.go
+++ b/internal/controller/bootstrapapplicationrole_controller.go
@@ -1,5 +1,5 @@
/*
-Copyright 2024 CERN.
+
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -18,45 +18,194 @@ package controller
import (
"context"
+ "strconv"
+ "github.com/go-logr/logr"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/api/meta"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
- "sigs.k8s.io/controller-runtime/pkg/log"
webservicesv1alpha1 "gitlab.cern.ch/paas-tools/operators/authz-operator/api/v1alpha1"
+ "gitlab.cern.ch/paas-tools/operators/authz-operator/internal/apicache"
+ "gitlab.cern.ch/paas-tools/operators/authz-operator/internal/authzapireq"
)
// BootstrapApplicationRoleReconciler reconciles a BootstrapApplicationRole object
type BootstrapApplicationRoleReconciler struct {
client.Client
- Scheme *runtime.Scheme
-}
-
-//+kubebuilder:rbac:groups=webservices.cern.ch,resources=bootstrapapplicationroles,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=webservices.cern.ch,resources=bootstrapapplicationroles/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=webservices.cern.ch,resources=bootstrapapplicationroles/finalizers,verbs=update
-
-// Reconcile is part of the main kubernetes reconciliation loop which aims to
-// move the current state of the cluster closer to the desired state.
-// TODO(user): Modify the Reconcile function to compare the state specified by
-// the BootstrapApplicationRole object against the actual cluster state, and then
-// perform operations to make the cluster state reflect the state specified by
-// the user.
-//
-// For more details, check Reconcile and its Result here:
-// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.15.0/pkg/reconcile
+ Log logr.Logger
+ Scheme *runtime.Scheme
+ Authz authzapireq.AuthzClient
+ AuthzApiCache apicache.AuthzCache
+}
+
+// +kubebuilder:rbac:groups=webservices.cern.ch,resources=bootstrapapplicationroles,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=webservices.cern.ch,resources=bootstrapapplicationroles/status,verbs=get;update;patch
+
func (r *BootstrapApplicationRoleReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
- _ = log.FromContext(ctx)
+ log := r.Log.WithValues("bootstrapapplicationrole", req.NamespacedName)
+
+ // Fetch the BootstratpApplicationRole
+ applicationRole := webservicesv1alpha1.BootstrapApplicationRole{}
+ if err := r.Get(ctx, req.NamespacedName, &applicationRole); err != nil {
+ if apierrors.IsNotFound(err) {
+ return ctrl.Result{}, nil
+ }
+ return ctrl.Result{}, err
+ }
- // TODO(user): your logic here
+ // If the role has been created already, nothing to do since we never touch an existing role
+ if meta.IsStatusConditionTrue(applicationRole.Status.Conditions, webservicesv1alpha1.ConditionTypeRoleCreation) {
+ log.V(6).Info("Application Role has been bootstrapped successfully, nothing else to do")
+ return ctrl.Result{}, nil
+ }
- return ctrl.Result{}, nil
+ applicationRegistrationList := &webservicesv1alpha1.ApplicationRegistrationList{}
+ if err := r.List(ctx, applicationRegistrationList, &client.ListOptions{Namespace: req.NamespacedName.Namespace}); err != nil {
+ log.Error(err, "Not able to retrieve ApplicationRegistration List")
+ return ctrl.Result{}, err
+ }
+ // If no ApplicationRegistration present, do nothing
+ if len(applicationRegistrationList.Items) == 0 {
+ log.V(6).Info("No ApplicationRegistration found in namespace, retrying ...")
+ return ctrl.Result{Requeue: true}, nil
+ }
+ // it only makes sense that we have exactly one ApplicationRegistration in the namespace.
+ // Behavior is undefined is there are more than one.
+ // Just take the first one.
+ appreg := applicationRegistrationList.Items[0]
+
+ // Check if ApplicationRegistration is ready (Status has an ID)
+ if appreg.Status.ProvisioningStatus != webservicesv1alpha1.ProvisioningStatusCreated {
+ log.V(6).Info("ApplicationRegistration has not been created, retrying ...")
+ return ctrl.Result{Requeue: true}, nil
+ }
+
+ // Checking if AppRole exists on API
+ roleExists, err := r.Authz.GetRole(appreg.Status.ID, applicationRole.Spec.Name)
+ if err != nil {
+ return ctrl.Result{}, err
+ }
+ // Check if Role exists, there will be nothing else to do, therfore no further reconciliation
+ if roleExists {
+ return r.updateBootstrapApplicationRoleStatus(log, ctx, applicationRole, webservicesv1alpha1.ConditionRoleAlreadyExists, metav1.ConditionTrue, webservicesv1alpha1.StatusMessageAlreadyExists, true)
+ }
+ // Start Status if empty
+ if len(applicationRole.Status.Conditions) == 0 {
+ return r.updateBootstrapApplicationRoleStatus(log, ctx, applicationRole, webservicesv1alpha1.ConditionRoleCreating, metav1.ConditionFalse, webservicesv1alpha1.StatusMessageWaitingNextReconciliation, true)
+ }
+
+ // Check if Groups exist
+ groupIDs, missingGroups, err := r.getGroupsFromAPI(applicationRole.Spec.LinkedGroups)
+ if err != nil {
+ return r.updateBootstrapApplicationRoleStatusForGroup(log, ctx, applicationRole, webservicesv1alpha1.ConditionWaitingForLinkedGroups, missingGroups, metav1.ConditionFalse, webservicesv1alpha1.StatusMessageMissingGroups, true)
+ }
+ if len(missingGroups) > 0 {
+ // Use specific method that is similar to updateBootstrapApplicationRoleStatus but allows to set `missingGroups` in the message
+ return r.updateBootstrapApplicationRoleStatusForGroup(log, ctx, applicationRole, webservicesv1alpha1.ConditionWaitingForLinkedGroups, missingGroups, metav1.ConditionFalse, webservicesv1alpha1.StatusMessageMissingGroups, true)
+ }
+ // We create the ApplicationRole now that the requirements have been met, and Update the value on the Status
+ newRole, err := r._createAuthzAppRole(applicationRole.Spec, appreg.Status.ID)
+ if err != nil {
+ return r.updateBootstrapApplicationRoleStatus(log, ctx, applicationRole, webservicesv1alpha1.ConditionRoleCreationError, metav1.ConditionFalse, webservicesv1alpha1.StatusMessageWaitingNextReconciliation, true)
+ }
+ applicationRole.Status.RoleID, err = r.Authz.CreateApplicationRole(newRole, appreg.Status.ID)
+ if err != nil {
+ return r.updateBootstrapApplicationRoleStatus(log, ctx, applicationRole, webservicesv1alpha1.ConditionRoleCreationError, metav1.ConditionFalse, webservicesv1alpha1.StatusMessageWaitingNextReconciliation, true)
+ }
+ failedGroups, err := r.linkGroupsToRole(appreg, applicationRole, groupIDs)
+ if err != nil {
+ // We don't requeue on failed Group linkage, ApplicationRole is considered bootstrapped
+ return r.updateBootstrapApplicationRoleStatusForGroup(log, ctx, applicationRole, webservicesv1alpha1.ConditionGroupLinkError, failedGroups, metav1.ConditionTrue, webservicesv1alpha1.StatusMessageGroupLinkError, false)
+ }
+ return r.updateBootstrapApplicationRoleStatus(log, ctx, applicationRole, webservicesv1alpha1.ConditionRoleBootstrappedSuccessfully, metav1.ConditionTrue, webservicesv1alpha1.StatusMessageCreatedSuccesfully, false)
}
-// SetupWithManager sets up the controller with the Manager.
func (r *BootstrapApplicationRoleReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&webservicesv1alpha1.BootstrapApplicationRole{}).
Complete(r)
}
+
+func (r *BootstrapApplicationRoleReconciler) updateBootstrapApplicationRoleStatusForGroup(log logr.Logger, ctx context.Context, appRole webservicesv1alpha1.BootstrapApplicationRole, condition string, missingGroups []string, status metav1.ConditionStatus, message string, requeue bool) (ctrl.Result, error) {
+ for _, group := range missingGroups {
+ message += group + "; "
+ }
+ meta.SetStatusCondition(&appRole.Status.Conditions, metav1.Condition{
+ Type: webservicesv1alpha1.ConditionTypeRoleCreation,
+ Status: status,
+ Reason: condition,
+ Message: message,
+ })
+ if err := r.Status().Update(ctx, &appRole); err != nil {
+ log.Error(err, "Failed to update ApplicationRole Status")
+ return ctrl.Result{}, err
+ }
+ return ctrl.Result{Requeue: requeue}, nil
+}
+func (r *BootstrapApplicationRoleReconciler) updateBootstrapApplicationRoleStatus(log logr.Logger, ctx context.Context, appRole webservicesv1alpha1.BootstrapApplicationRole, condition string, status metav1.ConditionStatus, message string, requeue bool) (ctrl.Result, error) {
+ meta.SetStatusCondition(&appRole.Status.Conditions, metav1.Condition{
+ Type: webservicesv1alpha1.ConditionTypeRoleCreation,
+ Status: status,
+ Reason: condition,
+ Message: message,
+ })
+ if err := r.Status().Update(ctx, &appRole); err != nil {
+ log.Error(err, "Failed to update ApplicationRole Status")
+ return ctrl.Result{}, err
+ }
+ return ctrl.Result{Requeue: requeue}, nil
+}
+
+// getGroupsFromAPI validates if ALL Groups exist or not
+func (r *BootstrapApplicationRoleReconciler) getGroupsFromAPI(linkedGroups []string) ([]string, []string, error) {
+ var missingGroups []string
+ var groupIDs []string
+ for _, group := range linkedGroups {
+ group, err := r.AuthzApiCache.GetGroup(group)
+ if err == authzapireq.ErrNotFound {
+ missingGroups = append(missingGroups, group.ID)
+ continue
+ }
+ if err != nil {
+ return nil, missingGroups, err
+ }
+
+ groupIDs = append(groupIDs, group.ID)
+ }
+ return groupIDs, missingGroups, nil
+}
+
+// linkGroupsToRole links all the groups in Spec.LinkedGroups with the ApplicationRole
+func (r *BootstrapApplicationRoleReconciler) linkGroupsToRole(appReg webservicesv1alpha1.ApplicationRegistration, appRole webservicesv1alpha1.BootstrapApplicationRole, groupIDs []string) ([]string, error) {
+ failedToLinkGroups := groupIDs
+ appID := appReg.Status.ID
+ for _, group := range groupIDs {
+ err := r.Authz.LinkGroupToAppRole(group, appRole.Status.RoleID, appID)
+ if err != nil {
+ return failedToLinkGroups, err
+ }
+ failedToLinkGroups = failedToLinkGroups[1:]
+ }
+ return failedToLinkGroups, nil
+}
+
+func (r *BootstrapApplicationRoleReconciler) _createAuthzAppRole(role webservicesv1alpha1.BootstrapApplicationRoleSpec, appID string) (authzapireq.APIRole, error) {
+ loaID, err := r.Authz.GetLoA(strconv.Itoa(role.MinLevelOfAssurance))
+ if err != nil {
+ return authzapireq.APIRole{}, err // Sort AuthzAPI errors?
+ }
+ newRole := authzapireq.APIRole{
+ ApplicationID: appID,
+ ApplyToAllUsers: role.ApplyToAllUsers,
+ Description: role.Description,
+ DisplayName: role.DisplayName,
+ MinimumLoaID: loaID,
+ Name: role.Name,
+ Required: role.RoleRequired,
+ }
+ return newRole, nil
+}
diff --git a/internal/controller/error_types.go b/internal/controller/error_types.go
new file mode 100644
index 0000000000000000000000000000000000000000..884ab57ed637965c67416ec66d2929455a56e5a8
--- /dev/null
+++ b/internal/controller/error_types.go
@@ -0,0 +1,92 @@
+package controller
+
+import (
+ "errors"
+ "fmt"
+
+ webservicesv1alpha1 "gitlab.cern.ch/paas-tools/operators/authz-operator/api/v1alpha1"
+)
+
+// ErrorConditions
+var (
+ // Generic temporary error
+ ErrTemporary = errors.New("TemporaryError")
+ ErrApplicationAlreadyExists = errors.New("ApplicationAlreadyExists")
+ ErrInvalidSpec = errors.New("InvalidSpec")
+ ErrClientK8s = errors.New("k8sAPIClientError")
+ ErrClientAuthz = errors.New("AuthzAPIClientError")
+ ErrAuthzAPITemp = errors.New("AuthzAPIError")
+ ErrAuthzAPIPermanent = errors.New("AuthzAPIPermanentError")
+ ErrAuthzInvalidResponse = errors.New("AuthzAPIInvalidResponse")
+ ErrAuthzAPIUnauthorized = errors.New("AuthzAPIUnauthorized")
+ ErrApplicationConflict = errors.New("ApplicationConflict")
+ ErrAssociatedAppNotFound = errors.New("AssociatedApplicationNotFound")
+ ErrInvalidOwner = errors.New("InvalidOwner")
+ ErrUnsupportedChangeInAuthz = errors.New("UnsupportedChangeInAuthz")
+ ErrGroupDoesntExist = errors.New("GroupDoesntExistError")
+)
+
+type reconcileError interface {
+ error
+ Wrap(msg string) reconcileError
+ Unwrap() error
+ IsRetryable() bool
+ ProvisioningError() webservicesv1alpha1.ProvisioningStatusType
+}
+
+// applicationError wraps an error condition and gives it more context from where it occurred
+type applicationError struct {
+ innerException error
+ errorCondition error
+}
+
+func newApplicationError(inner, condition error) reconcileError {
+ return &applicationError{
+ innerException: inner,
+ errorCondition: condition,
+ }
+}
+
+func (e *applicationError) Wrap(msg string) reconcileError {
+ return newApplicationError(fmt.Errorf("%s: %w", msg, e.innerException), e.errorCondition)
+}
+
+func (e *applicationError) Unwrap() error { return e.errorCondition }
+func (e *applicationError) Error() string {
+ if e.innerException == nil {
+ return e.errorCondition.Error()
+ }
+ return e.innerException.Error()
+}
+
+// IsRetryable returns if the error condition is temporary or permanent
+func (e *applicationError) IsRetryable() bool {
+ // NOTE: List all permanent errors
+ switch e.errorCondition {
+ case ErrApplicationAlreadyExists:
+ return false
+ case ErrInvalidSpec:
+ return false
+ case ErrAuthzAPIPermanent:
+ return false
+ case ErrAssociatedAppNotFound:
+ return false
+ case ErrApplicationConflict:
+ return false
+ case ErrInvalidOwner:
+ return false
+ case ErrUnsupportedChangeInAuthz:
+ return false
+ default:
+ return true
+ }
+}
+
+func (e *applicationError) ProvisioningError() webservicesv1alpha1.ProvisioningStatusType {
+ switch e.errorCondition {
+ case ErrAssociatedAppNotFound:
+ return webservicesv1alpha1.ProvisioningStatusDeletedFromAPI
+ default:
+ return webservicesv1alpha1.ProvisioningStatusProvisioningError
+ }
+}
diff --git a/internal/controller/lifecycle_controller.go b/internal/controller/lifecycle_controller.go
new file mode 100644
index 0000000000000000000000000000000000000000..6d2afa120e2d88cf54767f9fb262cf4c93a32e93
--- /dev/null
+++ b/internal/controller/lifecycle_controller.go
@@ -0,0 +1,154 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+ "context"
+
+ "github.com/go-logr/logr"
+ webservicesv1alpha1 "gitlab.cern.ch/paas-tools/operators/authz-operator/api/v1alpha1"
+ "gitlab.cern.ch/paas-tools/operators/authz-operator/internal/apicache"
+ "gitlab.cern.ch/paas-tools/operators/authz-operator/internal/authzapireq"
+
+ "k8s.io/apimachinery/pkg/runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/controller"
+ "sigs.k8s.io/controller-runtime/pkg/event"
+ "sigs.k8s.io/controller-runtime/pkg/handler"
+ "sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+// LifecycleReconciler reconciles a Lifecycle object
+type LifecycleReconciler struct {
+ client.Client
+ Log logr.Logger
+ Scheme *runtime.Scheme
+ Authz authzapireq.AuthzClient
+ AuthzApiCache apicache.AuthzCache
+ // LifecycleEvents channel is to send reconcile requests to the ApplicationRegistration controller
+ LifecycleEvents chan event.GenericEvent
+ // SyncAllAppsEvents channel is used to trigger a sync of all applications (from a timer)
+ SyncAllAppsEvents chan event.GenericEvent
+}
+
+// the Reconcile method syncs all apps with AuthZ API
+func (r *LifecycleReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+ r.Log.V(3).Info("Starting sync of all apps with Authz API")
+ // Get all managed applications
+ apiAppList, err := r.Authz.GetMyApplications()
+ if err != nil {
+ r.Log.V(3).Error(err, "Error fetching applications from Authz API")
+ return ctrl.Result{}, err
+ }
+ if len(apiAppList) == 0 {
+ r.Log.V(3).Info("Got a empty list of applications from Authz API. This is suspicious, skipping sync of all apps to protect user applications from possible glitch in Authz API.")
+ return ctrl.Result{}, nil
+ }
+ // Get all Apps on Cluster
+ currentAppList, err := r.fetchApplicationsOnCluster()
+ if err != nil {
+ r.Log.V(3).Error(err, "Error fetching applicationregistrations from cluster")
+ return ctrl.Result{}, err
+ }
+ // Index List for fast retrieval
+ indexedCurrentAppList := indexAppListByAppId(currentAppList)
+ // See difference between lists and update currentAppList based on apiApplist
+ r.reconcileAppsOutOfSync(apiAppList, indexedCurrentAppList)
+ r.Log.V(3).Info("Completed sync of all apps with Authz API")
+ return ctrl.Result{}, nil
+}
+
+func (r *LifecycleReconciler) SetupWithManager(mgr ctrl.Manager) error {
+ c, err := controller.New("lifecycle-controller", mgr, controller.Options{Reconciler: r})
+ if err != nil {
+ return err
+ }
+ return c.Watch(
+ &source.Channel{Source: r.SyncAllAppsEvents},
+ &handler.EnqueueRequestForObject{},
+ )
+}
+
+func (r *LifecycleReconciler) fetchApplicationsOnCluster() (webservicesv1alpha1.ApplicationRegistrationList, error) {
+ applicationList := &webservicesv1alpha1.ApplicationRegistrationList{}
+ err := r.Client.List(context.TODO(), applicationList)
+ if err != nil {
+ return webservicesv1alpha1.ApplicationRegistrationList{}, err
+ }
+ return *applicationList, nil
+}
+
+// reconcileAppsOutOfSync receives a list of Application from the API(apiAppList) and ensures that the correspondent applications(currentAppList)
+// in the cluster has the same information. If there's a mismatch, ask the ApplicationRegistration controller to reconcile that application.
+func (r *LifecycleReconciler) reconcileAppsOutOfSync(apiAppList []authzapireq.APIApplication, currentAppList map[string]webservicesv1alpha1.ApplicationRegistration) {
+ // This Loop will go through each Application in the API:
+ // If Application from API exists in the cluster, it will updated it if necessary, if they don't exist on the cluster it will log
+ // If it doesn't exist in the API but in the clsuter, it will updated or deleted them from the cluster if it's status is different from "Creating"
+ for _, application := range apiAppList {
+ appReg, exists := currentAppList[application.ID]
+ log := r.Log.WithValues("applicationID", application.ID)
+ if exists {
+ delete(currentAppList, application.ID)
+ application, err := resolveOwnerAndAdministratorIDs(r.AuthzApiCache, application)
+ if err != nil {
+ log.V(6).WithValues("groupID", application.AdministratorsID).WithValues("ownerID", application.OwnerID).Error(err, "Failed to resolve Owner or Admin Group Name")
+ continue // cannot properly determine if app is in sync without this information
+ }
+ owner, err := r.AuthzApiCache.GetIdentity(application.OwnerID)
+ if err != nil {
+ log.V(6).WithValues("ownerID", application.OwnerID).Error(err, "Failed to look up owner information")
+ continue // cannot properly determine if app is in sync without this information
+ }
+ // this lets us know if the status needs to be updated. We will NOT actually
+ // update the ApplicationRegistration status here, instead we request a full reconcile
+ // of the ApplicationRegistration if a status update is needed.
+ updated := updateAppStatus(&appReg.Status, application, owner, log)
+ if updated {
+ log.WithValues("applicationregistration", namespacedName(&appReg).String()).V(3).Info("Requesting reconciliation because app status is not in sync with latest data from Authz API")
+ // ask ApplicationRegistration controller to reconcile this application registration
+ r.LifecycleEvents <- event.GenericEvent{
+ Object: &appReg,
+ }
+ }
+ } else {
+ // Application exists on API but probably does not belong to this Cluster, we don't have
+ // a matching ApplicationRegistration
+ log.V(6).Info("No ApplicationRegistration found in cluster for this applicationID, skipping")
+ }
+ }
+ // Applications that were not found in apiAppList.
+ // If they do not already have `DeletedFromAPI` status, request a reconcile to update the status
+ for _, elem := range currentAppList {
+ if elem.Status.ProvisioningStatus != webservicesv1alpha1.ProvisioningStatusDeletedFromAPI {
+ r.Log.WithValues("applicationregistration", namespacedName(&elem).String()).V(3).Info("Requesting reconciliation because app has been deleted from Authz API")
+ // ask ApplicationRegistration controller to reconcile this application registration
+ r.LifecycleEvents <- event.GenericEvent{
+ Object: &elem,
+ }
+ }
+ }
+}
+
+// Converts ApplicationRegistrationList into Map using App.ID as index
+func indexAppListByAppId(list webservicesv1alpha1.ApplicationRegistrationList) map[string]webservicesv1alpha1.ApplicationRegistration {
+ data := make(map[string]webservicesv1alpha1.ApplicationRegistration)
+ for _, app := range list.Items {
+ data[app.Status.ID] = app
+ }
+ return data
+}
diff --git a/internal/controller/projectlifecyclepolicy_controller.go b/internal/controller/projectlifecyclepolicy_controller.go
index 0aabc64828916bc27a4fbca97ffe1b772db7275c..94c89cfbcbfdd16a3dc707118dca8cc969db1a34 100644
--- a/internal/controller/projectlifecyclepolicy_controller.go
+++ b/internal/controller/projectlifecyclepolicy_controller.go
@@ -1,5 +1,5 @@
/*
-Copyright 2024 CERN.
+
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -18,45 +18,518 @@ package controller
import (
"context"
+ "fmt"
+ "time"
+ "github.com/go-logr/logr"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/api/meta"
"k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/types"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
- "sigs.k8s.io/controller-runtime/pkg/log"
+ "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+ "sigs.k8s.io/controller-runtime/pkg/handler"
+ "sigs.k8s.io/controller-runtime/pkg/reconcile"
+ "sigs.k8s.io/controller-runtime/pkg/source"
webservicesv1alpha1 "gitlab.cern.ch/paas-tools/operators/authz-operator/api/v1alpha1"
+
+ corev1 "k8s.io/api/core/v1"
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ // for ConsoleLink. See https://sdk.operatorframework.io/docs/building-operators/golang/advanced-topics/#register-with-the-managers-scheme
+ // Use go get github.com/openshift/api@release-4.6
+ "github.com/openshift/api/annotations"
+ consolev1 "github.com/openshift/api/console/v1"
+)
+
+// Variables used in function `ensureProjectMetadata`
+const (
+ labelOwner string = "lifecycle.webservices.cern.ch/owner"
+ labelResourceCategory string = "lifecycle.webservices.cern.ch/resourceCategory"
+ labelAdminGroup string = "lifecycle.webservices.cern.ch/adminGroup"
+ labelDepartment string = "lifecycle.webservices.cern.ch/cernDepartment"
+ labelGroup string = "lifecycle.webservices.cern.ch/cernGroup"
+ // Blocked label and annotations as described here: https://okd-internal.docs.cern.ch/operations/project-blocking/
+ LabelBlockedNamespace string = "okd.cern.ch/project-blocked"
+ // Annotation that defines when the project should be deleted
+ AnnotationDeleteNamespaceTimestamp string = "lifecycle.webservices.cern.ch/delete-namespace-after"
+ AnnotationBlockedNamespaceReason string = "okd.cern.ch/blocked-reason"
+ AnnotationBlockedNamespaceTimestamp string = "okd.cern.ch/blocked-timestamp"
+ AnnotationLifecycleBlockedReason string = "PendingDeletionAfterLifecycleDeletedApplication"
+ // deleteNamespaceAfter is the time that the project will be blocked before deletion, deletion date set on annotation BlockAndDeleteAfterGracePeriod
+ // This value is used to set the annotationDeleteNamespaceTimestamp, currently we set to 720h (24h x 30days)
+ deleteNamespaceAfter time.Duration = time.Hour * 720
)
// ProjectLifecyclePolicyReconciler reconciles a ProjectLifecyclePolicy object
type ProjectLifecyclePolicyReconciler struct {
client.Client
+ Log logr.Logger
Scheme *runtime.Scheme
+ // Base URL to generate a link to manage an application in the Application Portal.
+ // The application ID will be appended to the base URL to generate to full URL.
+ ApplicationPortalBaseUrl string
+ // The text to show in the NamespaceDashboard ConsoleLink providing the general-purpose link from the OKD console
+ // to the application's management page in the Application Portal.
+ ApplicationPortalLinkText string
+ // The text to show in the NamespaceDashboard ConsoleLink providing info about the current application category
+ // in the Application Portal when category is Undefined
+ ApplicationCategoryUndefinedLinkText string
+ // The text to show in the NamespaceDashboard ConsoleLink providing info about the current application category
+ // in the Application Portal when category is Test
+ ApplicationCategoryTestLinkText string
+ // The text to show in the NamespaceDashboard ConsoleLink providing info about the current application category
+ // in the Application Portal when category is Personal
+ ApplicationCategoryPersonalLinkText string
+ // The text to show in the NamespaceDashboard ConsoleLink providing info about the current application category
+ // in the Application Portal when category is Official
+ ApplicationCategoryOfficialLinkText string
}
-//+kubebuilder:rbac:groups=webservices.cern.ch,resources=projectlifecyclepolicies,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=webservices.cern.ch,resources=projectlifecyclepolicies/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=webservices.cern.ch,resources=projectlifecyclepolicies/finalizers,verbs=update
+// +kubebuilder:rbac:groups=webservices.cern.ch,resources=projectlifecyclepolicies,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=webservices.cern.ch,resources=projectlifecyclepolicies/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=,resources=namespaces,verbs=get;list;watch;create;update;patch;delete
-// Reconcile is part of the main kubernetes reconciliation loop which aims to
-// move the current state of the cluster closer to the desired state.
-// TODO(user): Modify the Reconcile function to compare the state specified by
-// the ProjectLifecyclePolicy object against the actual cluster state, and then
-// perform operations to make the cluster state reflect the state specified by
-// the user.
-//
-// For more details, check Reconcile and its Result here:
-// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.15.0/pkg/reconcile
func (r *ProjectLifecyclePolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
- _ = log.FromContext(ctx)
+ log := r.Log.WithValues("projectlifecyclepolicy", req.NamespacedName)
+
+ log.V(3).Info("Reconciling ProjectLifecyclePolicy")
+
+ // Fetch the ProjectLifecyclePolicy instance
+ policy := &webservicesv1alpha1.ProjectLifecyclePolicy{}
+ err := r.Get(ctx, req.NamespacedName, policy)
+ if err != nil {
+ if apierrors.IsNotFound(err) {
+ // Request object not found, could have been deleted after reconcile request.
+ // Owned objects are automatically garbage collected. For additional cleanup logic use finalizers.
+ // Return and don't requeue
+ log.V(3).Info("ProjectLifecyclePolicy resource not found. Ignoring since object must be deleted.")
+ return ctrl.Result{}, nil
+ }
+ // Error reading the object - requeue the request.
+ log.Error(err, "Failed to get ProjectLifecyclePolicy.")
+ return ctrl.Result{}, err
+ }
+
+ // we don't need a finalizer. Do nothing if resource is being deleted.
+ if policy.GetDeletionTimestamp() != nil {
+ log.V(5).Info("ProjectLifecyclePolicy is being deleted, nothing to do")
+ return ctrl.Result{}, nil
+ }
+
+ // retrieve ApplicationRegistration in same namespace
+ applications := &webservicesv1alpha1.ApplicationRegistrationList{}
+ if err := r.List(ctx, applications, &client.ListOptions{Namespace: req.Namespace}); err != nil {
+ if apierrors.IsNotFound(err) {
+ // cannot do anything if there is no ApplicationRegistration.
+ err := r.logInfoAndSetCannotApplyStatus(ctx, log, policy, "No ApplicationRegistration found in namespace")
+ return ctrl.Result{}, err
+ } else {
+ r.logErrorAndSetFailedStatus(ctx, log, policy, err, "Couldn't list Applications in namespace")
+ return ctrl.Result{}, err
+ }
+ }
+
+ if len(applications.Items) == 0 {
+ // cannot do anything if there is no ApplicationRegistration.
+ err := r.logInfoAndSetCannotApplyStatus(ctx, log, policy, "No ApplicationRegistration found in namespace")
+ return ctrl.Result{}, err
+ }
+
+ // it only makes sense that we have exactly one ApplicationRegistration in the namespace.
+ // Behavior is undefined is there are more than one.
+ // Just take the first one.
+ appreg := applications.Items[0]
+
+ // SAFEGUARD: do nothing if ApplicationRegistration is being deleted.
+ // This is very important because of the project deletion policy: without this safeguard
+ // deleting an ApplicationRegistration would automatically delete the parent namespace and this is
+ // not the intended behavior.
+ // We want to react to removal of applications from the Application Portal _initiated by the portal_,
+ // not ones initiated by deleting the ApplicationRegistration resource.
+ if appreg.GetDeletionTimestamp() != nil {
+ err := r.logInfoAndSetCannotApplyStatus(ctx, log, policy, "ApplicationRegistration is being deleted")
+ return ctrl.Result{}, err
+ }
+
+ if appreg.Status.ProvisioningStatus == webservicesv1alpha1.ProvisioningStatusDeletedFromAPI {
+ switch policy.Spec.ApplicationDeletedFromAuthApiPolicy {
+ case webservicesv1alpha1.AppDeletionPolicyBlockAndDeleteAfterGracePeriod:
+ // soft-delete ApplicationRegistration's parent namespace if project lifecycle policy says so
+ // soft-deletion means the namespace will be set as blocked and another component will delete the namespace on a later time (30d as of Jan/2023)
+ // We never automatically undo the blocking, it can only be done manually following these steps: https://okd-internal.docs.cern.ch/operations/project-blocking/
+ namespace := &corev1.Namespace{}
+ err = r.Get(ctx, types.NamespacedName{Name: req.Namespace}, namespace)
+ if err != nil {
+ r.logErrorAndSetFailedStatus(ctx, log, policy, err, "Failed to retrieve parent namespace following deletion of the application from API")
+ return ctrl.Result{}, err
+ }
+ softDeleteProject(log, namespace)
+ if err := r.Update(ctx, namespace); err != nil {
+ r.logErrorAndSetFailedStatus(ctx, log, policy, err, "Failed to update parent namespace following deletion of the application from API")
+ return ctrl.Result{}, err
+ }
+ case webservicesv1alpha1.AppDeletionPolicyDeleteNamespace:
+ // delete the ApplicationRegistration's parent namespace if project lifecycle policy says so.
+ namespace := &corev1.Namespace{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: appreg.Namespace,
+ },
+ }
+ log.Info("Deleting parent namespace because project lifecycle policy is DeleteNamespace and ApplicationRegistration status was DeletedFromAPI")
+ if err := r.Delete(ctx, namespace); err != nil {
+ r.logErrorAndSetFailedStatus(ctx, log, policy, err, "Failed to delete parent namespace following deletiong of the application")
+ return ctrl.Result{}, err
+ }
+ // no point in continuing reconciliation since namespace is being deleted
+ return ctrl.Result{}, nil
+ case webservicesv1alpha1.AppDeletionPolicyIgnoreAndPreserveNamespace:
+ // leave namespace as-is, nothing else to do if DeletedFromAPI
+ log.V(5).Info("Ignoring parent namespace because project lifecycle policy is IgnoreAndPreserveNamespace and ApplicationRegistration status was DeletedFromAPI")
+ default:
+ log.Error(nil, fmt.Sprintf("ApplicationDeletedFromAuthApiPolicy \"%s\" not expected.", policy.Spec.ApplicationDeletedFromAuthApiPolicy))
+ }
+ err = r.logSuccessfulInfoOnStatus(ctx, log, policy, "ApplicationRegistration deleted from the API")
+ return ctrl.Result{}, err
+ }
- // TODO(user): your logic here
+ // if the ApplicationRegistration is not in "Created" state, then nothing useful for us to do
+ if appreg.Status.ProvisioningStatus != webservicesv1alpha1.ProvisioningStatusCreated {
+ err := r.logInfoAndSetCannotApplyStatus(ctx, log, policy, "ApplicationRegistration status is not Created")
+ return ctrl.Result{}, err
+ }
+
+ // if user updated application's Description in app portal,
+ // or changed ownership, adminGroup or Resoruce category,
+ // propagate this change to the Openshift project metadata
+ if err := r.ensureProjectMetadata(*policy, appreg); err != nil {
+ r.logErrorAndSetFailedStatus(ctx, log, policy, err, "Failed to sync project description")
+ return ctrl.Result{}, err
+ }
+
+ // Create/update rolebinding that will grant permissions in the OKD project to the owner and administrator group
+ // defined in the Application Portal.
+ // If the rolebinding exists already, we take ownership of it. It is typically necessary for the project
+ // template that creates the ProjectLifecyclePolicy to _also_ pre-create the rolebinding, so the creator
+ // of the project immediately has access without having to wait for the ProjectLifecyclePolicy to reconcile.
+ if err := r.ensureOwnerRoleBinding(*policy, appreg); err != nil {
+ r.logErrorAndSetFailedStatus(ctx, log, policy, err, "Failed to apply owner RoleBinding")
+ return ctrl.Result{}, err
+ }
+
+ // create/update consolelinks
+ appManagementUrl := r.ApplicationPortalBaseUrl + appreg.Status.ID
+ // Link1: General-purpose link to application management
+ // controlled by policy.Spec.ApplicationPortalManagementLink
+ if err := r.ensureConsoleLink(*policy, policy.Namespace+"-application-management",
+ r.ApplicationPortalLinkText, appManagementUrl, policy.Spec.ApplicationPortalManagementLink); err != nil {
+ r.logErrorAndSetFailedStatus(ctx, log, policy, err, "Failed to apply ConsoleLink for application management")
+ return ctrl.Result{}, err
+ }
+ // Link2: explanation about current application category and link to application management to change it.
+ // controlled by policy.Spec.ApplicationCategoryLink
+ var categoryLinkText string
+ switch category := appreg.Status.CurrentResourceCategory; category {
+ case webservicesv1alpha1.ResourceCategoryTest:
+ categoryLinkText = r.ApplicationCategoryTestLinkText
+ case webservicesv1alpha1.ResourceCategoryOfficial:
+ categoryLinkText = r.ApplicationCategoryOfficialLinkText
+ case webservicesv1alpha1.ResourceCategoryPersonal:
+ categoryLinkText = r.ApplicationCategoryPersonalLinkText
+ default:
+ // Undefined or empty string
+ categoryLinkText = r.ApplicationCategoryUndefinedLinkText
+ }
+ if err := r.ensureConsoleLink(*policy, policy.Namespace+"-category-management",
+ categoryLinkText, appManagementUrl, policy.Spec.ApplicationCategoryLink); err != nil {
+ r.logErrorAndSetFailedStatus(ctx, log, policy, err, "Failed to set ConsoleLink for category management")
+ return ctrl.Result{}, err
+ }
+
+ // Update the Status of the ProjectLifecyclePolicy to indicate successful sync
+ if err := r.logSuccessfulInfoOnStatus(ctx, log, policy, "Awaiting next reconciliation"); err != nil {
+ log.Error(err, "Failed to update ProjectLifecyclePolicy Status")
+ return ctrl.Result{}, err
+ }
return ctrl.Result{}, nil
}
-// SetupWithManager sets up the controller with the Manager.
func (r *ProjectLifecyclePolicyReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&webservicesv1alpha1.ProjectLifecyclePolicy{}).
+ // With Owns RoleBinding, this will watch for any event to any RoleBinding in the cluster.
+ // When the rolebinding is owned by a ProjectLifecyclePolicy, it will create a reconcile Request to the
+ // owner ProjectLifecyclePolicy
+ Owns(&rbacv1.RoleBinding{}).
+ // Since the project lifecycle policy is driven by the ApplicationRegistration's
+ // status, we want to reconcile whenever there's a change in an
+ // ApplicationRegistration in the same namespace (we expect only one such ApplicationRegistration)
+ Watches(&source.Kind{Type: &webservicesv1alpha1.ApplicationRegistration{}}, handler.EnqueueRequestsFromMapFunc(
+ func(a client.Object) []reconcile.Request {
+ namespace := a.GetNamespace()
+ log := r.Log.WithValues("Source", "ApplicationRegistration watch", "Namespace", namespace)
+ // Fetch the ProjectLifecyclePolicies in the same namespace
+ policies := &webservicesv1alpha1.ProjectLifecyclePolicyList{}
+ if err := mgr.GetClient().List(context.TODO(), policies, &client.ListOptions{Namespace: namespace}); err != nil {
+ if apierrors.IsNotFound(err) {
+ log.V(5).Info("No ProjectLifecyclePolicy found in namespace")
+ } else {
+ log.Error(err, "Couldn't list ProjectLifecyclePolicies in namespace")
+ }
+ return []reconcile.Request{}
+ }
+ // reconcile all ProjectLifecyclePolicies found in the namespace of the ApplicationRegistration,
+ // but it only makes sense that we have exactly one
+ requests := make([]reconcile.Request, len(policies.Items))
+ for i, p := range policies.Items {
+ requests[i].Name = p.GetName()
+ requests[i].Namespace = p.GetNamespace()
+ }
+ return requests
+ }),
+ ).
Complete(r)
}
+
+// updates the CR Status to indicate a failure.
+func (r *ProjectLifecyclePolicyReconciler) logErrorAndSetFailedStatus(ctx context.Context, log logr.Logger, policy *webservicesv1alpha1.ProjectLifecyclePolicy, err error, message string) {
+ log.Error(err, message)
+ meta.SetStatusCondition(&policy.Status.Conditions, metav1.Condition{
+ Type: webservicesv1alpha1.ConditionTypeAppliedProjectLifecyclePolicy,
+ Status: metav1.ConditionFalse,
+ Reason: webservicesv1alpha1.ConditionReasonFailed,
+ Message: message,
+ })
+ // try to update status in API, but ignore error if we couldn't since we have an error already
+ r.Status().Update(ctx, policy)
+}
+
+// updates the CR Status to indicate a situation that prevents applying the ProjectLifecyclePolicy.
+func (r *ProjectLifecyclePolicyReconciler) logInfoAndSetCannotApplyStatus(ctx context.Context, log logr.Logger, policy *webservicesv1alpha1.ProjectLifecyclePolicy, message string) error {
+ // use V(5) since it can be a permanent condition, so not very interesting to log again and again
+ log.V(5).Info(message)
+ meta.SetStatusCondition(&policy.Status.Conditions, metav1.Condition{
+ Type: webservicesv1alpha1.ConditionTypeAppliedProjectLifecyclePolicy,
+ Status: metav1.ConditionFalse,
+ Reason: webservicesv1alpha1.ConditionReasonCannotApply,
+ Message: message,
+ })
+ // try to update status in API, return error if we couldn't
+ return r.Status().Update(ctx, policy)
+}
+
+// updates the CR Status to indicate a situation where ApplicationRegistration has been deleted from API
+func (r *ProjectLifecyclePolicyReconciler) logSuccessfulInfoOnStatus(ctx context.Context, log logr.Logger, policy *webservicesv1alpha1.ProjectLifecyclePolicy, message string) error {
+ // use V(5) since it can be a permanent condition, so not very interesting to log again and again
+ log.V(5).Info(message)
+ meta.SetStatusCondition(&policy.Status.Conditions, metav1.Condition{
+ Type: webservicesv1alpha1.ConditionTypeAppliedProjectLifecyclePolicy,
+ Status: metav1.ConditionTrue,
+ Reason: webservicesv1alpha1.ConditionReasonSuccessful,
+ Message: message,
+ })
+ // try to update status in API, return error if we couldn't
+ return r.Status().Update(ctx, policy)
+}
+
+func (r *ProjectLifecyclePolicyReconciler) ensureProjectMetadata(policy webservicesv1alpha1.ProjectLifecyclePolicy, appreg webservicesv1alpha1.ApplicationRegistration) error {
+ if !policy.Spec.SyncProjectMetadata {
+ // nothing to do
+ return nil
+ }
+
+ namespace := corev1.Namespace{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: appreg.Namespace,
+ },
+ }
+
+ // This function is an auxiliary function from controller runtime that it will either
+ // create or update an object but before doing it, it will always run MutateFn, the function specified below.
+ // Does nothing if there's no actual change to the resource (here, the namespace)
+ _, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, &namespace, func() error {
+ // Mutate function that sets the desired state of the RoleBinding resource.
+ ModifyProjectMetadata(policy, appreg, &namespace)
+ return nil
+ })
+ return err
+}
+
+// ModifyProjectMetadata sets the desired value for the namespace annotation and adds custom labels, CurrentOwner, CurrentAdminGroup and ResourceCategory, to the Openshift project
+func ModifyProjectMetadata(policy webservicesv1alpha1.ProjectLifecyclePolicy, appreg webservicesv1alpha1.ApplicationRegistration, namespace *corev1.Namespace) {
+ //Set Annotations
+ a := namespace.Annotations
+ if a == nil {
+ a = make(map[string]string)
+ }
+ a[annotations.OpenShiftDescription] = appreg.Status.CurrentDescription
+ namespace.SetAnnotations(a)
+ //Set Labels
+ labels := namespace.Labels
+ if labels == nil {
+ labels = make(map[string]string)
+ }
+ labels[labelOwner] = appreg.Status.CurrentOwnerUsername
+ labels[labelResourceCategory] = string(appreg.Status.CurrentResourceCategory)
+ labels[labelAdminGroup] = appreg.Status.CurrentAdminGroup
+ labels[labelGroup] = appreg.Status.CurrentGroup
+ labels[labelDepartment] = appreg.Status.CurrentDepartment
+ namespace.SetLabels(labels)
+}
+
+func (r *ProjectLifecyclePolicyReconciler) ensureOwnerRoleBinding(policy webservicesv1alpha1.ProjectLifecyclePolicy, appreg webservicesv1alpha1.ApplicationRegistration) error {
+ if policy.Spec.ApplicationOwnerClusterRole == "" || policy.Spec.ApplicationOwnerRoleBindingName == "" {
+ // nothing to do
+ return nil
+ }
+
+ var ownerRolebinding rbacv1.RoleBinding
+ // We have to do this part here as MutateFn cannot mutate object
+ // name and/or object namespace
+ ownerRolebinding.Namespace = policy.Namespace
+ ownerRolebinding.Name = policy.Spec.ApplicationOwnerRoleBindingName
+
+ // This function is an auxiliary function from controller runtime that it will either
+ // create or update an object but before doing it, it will always run MutateFn, the function specified below
+ _, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, &ownerRolebinding, func() error {
+ // Mutate function that sets the desired state of the RoleBinding resource.
+ ModifyOwnerRoleBinding(policy, appreg, &ownerRolebinding)
+
+ // The ProjectLifecyclePolicy should be the owner-controller of that RoleBinding for
+ // 1. automatic garbage collection of the roleBinding
+ // 2. automatic reconciliation of the owner if the roleBinding is modified (see `Owns`
+ // in SetupWithManager)
+ return controllerutil.SetControllerReference(&policy, &ownerRolebinding, r.Scheme)
+ })
+ return err
+}
+
+// Function that sets the desired state of the RoleBinding resource.
+func ModifyOwnerRoleBinding(policy webservicesv1alpha1.ProjectLifecyclePolicy, appreg webservicesv1alpha1.ApplicationRegistration, ownerRolebinding *rbacv1.RoleBinding) {
+ ownerRolebinding.RoleRef = rbacv1.RoleRef{
+ APIGroup: rbacv1.SchemeGroupVersion.Group,
+ Kind: "ClusterRole",
+ Name: policy.Spec.ApplicationOwnerClusterRole,
+ }
+ // reset any existing member
+ ownerRolebinding.Subjects = []rbacv1.Subject{}
+ // there's always a owner
+ ownerRolebinding.Subjects = append(ownerRolebinding.Subjects, rbacv1.Subject{
+ APIGroup: rbacv1.SchemeGroupVersion.Group,
+ Kind: rbacv1.UserKind,
+ Name: appreg.Status.CurrentOwnerUsername,
+ })
+ // specifying an e-group as a subject works thanks to https://gitlab.cern.ch/paas-tools/okd4-deployment/egroup-sync,
+ // which autodetects groups used in RoleBindings and syncs them with e-groups
+ if appreg.Status.CurrentAdminGroup != "" {
+ ownerRolebinding.Subjects = append(ownerRolebinding.Subjects, rbacv1.Subject{
+ APIGroup: rbacv1.SchemeGroupVersion.Group,
+ Kind: rbacv1.GroupKind,
+ Name: appreg.Status.CurrentAdminGroup,
+ })
+ }
+}
+
+func (r *ProjectLifecyclePolicyReconciler) ensureConsoleLink(
+ policy webservicesv1alpha1.ProjectLifecyclePolicy,
+ consoleLinkName string,
+ consoleLinkText string,
+ consoleLinkHref string,
+ present bool) error {
+
+ var consoleLink consolev1.ConsoleLink
+ consoleLink.Name = consoleLinkName
+
+ if !present {
+ // delete existing link if it exists
+ if err := r.Get(context.TODO(), types.NamespacedName{Name: consoleLink.Name}, &consoleLink); err != nil {
+ if apierrors.IsNotFound(err) {
+ // it isn't there, we're all good then
+ return nil
+ } else {
+ return err
+ }
+ }
+ if err := r.Delete(context.TODO(), &consoleLink); err != nil {
+ return err
+ }
+ // if we deleted successfully
+ return nil
+ }
+
+ // case present == true
+
+ // get the policy's parent namespace (for ownership of the ConsoleLink)
+ var namespace corev1.Namespace
+ if err := r.Get(context.TODO(), types.NamespacedName{Name: policy.Namespace}, &namespace); err != nil {
+ return err
+ }
+
+ // This function is an auxiliary function from controller runtime that it will either
+ // create or update an object but before doing it, it will always run MutateFn, the function specified below
+ _, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, &consoleLink, func() error {
+ // Mutate function that sets the desired state of the RoleBinding resource.
+ modifyConsoleLink(policy, consoleLinkText, consoleLinkHref, &consoleLink)
+
+ // Set the policy's namespace as the owner of the ConsoleLink so
+ // it gets garbage-collected automatically when namespace is deleted.
+ return controllerutil.SetOwnerReference(&namespace, &consoleLink, r.Scheme)
+ })
+ return err
+}
+
+func modifyConsoleLink(policy webservicesv1alpha1.ProjectLifecyclePolicy,
+ consoleLinkText string,
+ consoleLinkHref string,
+ consoleLink *consolev1.ConsoleLink) {
+ // this is the only location we can configure per namespace
+ consoleLink.Spec.Location = consolev1.NamespaceDashboard
+ consoleLink.Spec.NamespaceDashboard = &consolev1.NamespaceDashboardSpec{
+ Namespaces: []string{policy.Namespace},
+ }
+ consoleLink.Spec.Href = consoleLinkHref
+ consoleLink.Spec.Text = consoleLinkText
+}
+
+func softDeleteProject(log logr.Logger, namespace *corev1.Namespace) {
+ // Initialization of labels and annotations to confirm they are not nil
+ labels := namespace.Labels
+ if labels == nil {
+ labels = make(map[string]string)
+ }
+ annotations := namespace.Annotations
+ if annotations == nil {
+ annotations = make(map[string]string)
+ }
+ // If the label and annotation are set, there's nothing to do
+ if labels[LabelBlockedNamespace] == "true" && annotations[AnnotationBlockedNamespaceReason] == AnnotationLifecycleBlockedReason {
+ log.V(5).Info("Project already blocked and set to be deleted after grace period")
+ return
+ }
+ log.Info("Blocking parent namespace because project lifecycle policy is BlockAndDeleteAfterGracePeriod and ApplicationRegistration status was DeletedFromAPI")
+ // Retrieve time for the annotations below
+ currentTime := time.Now()
+ // Set Blocked Annotation timestamp unless namespace was already blocked, in which case we keep the timestamp of the earlier blocking.
+ if namespace.Labels[LabelBlockedNamespace] != "true" || annotations[AnnotationBlockedNamespaceTimestamp] == "" {
+ // RFC3339 is the same as ISO8601
+ annotations[AnnotationBlockedNamespaceTimestamp] = currentTime.Format(time.RFC3339)
+ }
+ // Dedicated annotation for cleanup mechanism
+ deletionTimestamp := currentTime.Add(deleteNamespaceAfter)
+ // RFC3339 is the same as ISO8601
+ annotations[AnnotationDeleteNamespaceTimestamp] = deletionTimestamp.Format(time.RFC3339)
+ // The PendingDeletionAfterLifecycleDeletedApplication reason supersedes any other reason for namespace blocking.
+ // This exact reason must be present together with the annotationDeleteNamespaceTimestamp for projects to be deleted at the end of the grace period.
+ annotations[AnnotationBlockedNamespaceReason] = AnnotationLifecycleBlockedReason
+ namespace.SetAnnotations(annotations)
+
+ // Set blocked label to make applications/websites unavailable
+ // https://okd-internal.docs.cern.ch/operations/project-blocking/
+ // The logic is only valid when the labels are set only after the annotations
+ labels[LabelBlockedNamespace] = "true"
+ namespace.SetLabels(labels)
+}