@platform-mesh/portal-server-lib 0.5.43 → 0.5.45

package/src/portal-options/services/kcp-k8s.service.spec.ts

@@ -1,115 +1,170 @@
+import { K8sRequestContext, K8sResourceDescriptor } from '../models/k8s.js';
 import { KcpKubernetesService } from './kcp-k8s.service.js';
 import type { Request } from 'express';
 
-jest.mock('@kubernetes/client-node', () => {
-  const makeApiClient = jest.fn(() => ({}));
-  const getCurrentCluster = jest.fn().mockReturnValue({
-    server: 'https://kcp.example.com/base',
-    name: 'test-cluster',
-  });
-  return {
-    CustomObjectsApi: jest.fn(),
-    KubeConfig: jest.fn().mockImplementation(() => ({
-      loadFromFile: jest.fn(),
-      addUser: jest.fn(),
-      addContext: jest.fn(),
-      setCurrentContext: jest.fn(),
-      getCurrentCluster,
-      makeApiClient,
-    })),
-  };
-});
+const mockListClusterCustomObject = jest.fn();
+const mockReadNamespacedSecret = jest.fn();
+const mockMakeApiClient = jest.fn();
+const mockGetCurrentCluster = jest.fn();
+const mockLoadFromFile = jest.fn();
+const mockAddUser = jest.fn();
+const mockAddContext = jest.fn();
+const mockSetCurrentContext = jest.fn();
+
+jest.mock('@kubernetes/client-node', () => ({
+  CustomObjectsApi: jest.fn().mockImplementation(() => ({
+    listClusterCustomObject: mockListClusterCustomObject,
+  })),
+  CoreV1Api: jest.fn().mockImplementation(() => ({
+    readNamespacedSecret: mockReadNamespacedSecret,
+  })),
+  KubeConfig: jest.fn().mockImplementation(() => ({
+    loadFromFile: mockLoadFromFile,
+    addUser: mockAddUser,
+    addContext: mockAddContext,
+    setCurrentContext: mockSetCurrentContext,
+    getCurrentCluster: mockGetCurrentCluster,
+    makeApiClient: mockMakeApiClient,
+  })),
+}));
 
 jest.mock('../utils/domain.js', () => ({
   getOrganization: jest.fn(() => 'org-1'),
 }));
 
+jest.mock('@kubernetes/client-node/dist/gen/middleware.js', () => ({
+  PromiseMiddlewareWrapper: class {
+    constructor(public options: any) {}
+  },
+}));
+
 describe('KcpKubernetesService', () => {
   const OLD_ENV = process.env;
 
   beforeEach(() => {
-    jest.resetModules();
-    process.env = { ...OLD_ENV, KUBECONFIG_KCP: '/tmp/kcp.kubeconfig' };
+    jest.clearAllMocks();
+    process.env = {
+      ...OLD_ENV,
+      KUBECONFIG_KCP: '/tmp/kcp.kubeconfig',
+      BASE_DOMAINS_DEFAULT: 'example.com',
+    };
+
+    mockGetCurrentCluster.mockReturnValue({
+      server: 'https://kcp.example.com/base',
+      name: 'test-cluster',
+    });
+
+    mockMakeApiClient.mockReturnValue({
+      listClusterCustomObject: mockListClusterCustomObject,
+      readNamespacedSecret: mockReadNamespacedSecret,
+    });
   });
 
   afterAll(() => {
     process.env = OLD_ENV;
   });
 
-  it('initializes k8s client and baseUrl from kubeconfig', () => {
-    const svc = new KcpKubernetesService();
-    expect(svc.getKcpK8sApiClient()).toBeDefined();
-    expect(svc.getKcpWorkspaceUrl('org1', 'acc1').toString()).toBe(
-      'https://kcp.example.com/clusters/root:orgs:org1:acc1',
-    );
-  });
+  describe('initialization', () => {
+    it('initializes k8s client and baseUrl from kubeconfig', () => {
+      const svc = new KcpKubernetesService();
+      expect(svc.getKcpK8sCustomObjectsApiOIDCUser()).toBeDefined();
+      expect(svc.getKcpWorkspaceUrl('org1', 'acc1').toString()).toBe(
+        'https://kcp.example.com/clusters/root:orgs:org1:acc1',
+      );
+    });
 
-  it('builds workspace url without account', () => {
-    const svc = new KcpKubernetesService();
-    expect(svc.getKcpWorkspaceUrl('org1', '').toString()).toBe(
-      'https://kcp.example.com/clusters/root:orgs:org1',
-    );
-  });
+    it('calls kubeconfig methods for OIDC user setup', () => {
+      new KcpKubernetesService();
+      expect(mockLoadFromFile).toHaveBeenCalledWith('/tmp/kcp.kubeconfig');
+      expect(mockAddUser).toHaveBeenCalledWith({ name: 'oidc' });
+      expect(mockAddContext).toHaveBeenCalledWith({
+        name: 'oidc',
+        user: 'oidc',
+        cluster: 'test-cluster',
+      });
+      expect(mockSetCurrentContext).toHaveBeenCalledWith('oidc');
+    });
 
-  it('builds virtual workspace url with account', () => {
-    const svc = new KcpKubernetesService();
-    expect(svc.getKcpVirtualWorkspaceUrl('orgX', 'accY').toString()).toBe(
-      'https://kcp.example.com/services/contentconfigurations/clusters/root:orgs:orgX:accY',
-    );
+    it('creates multiple API clients', () => {
+      new KcpKubernetesService();
+      expect(mockMakeApiClient).toHaveBeenCalledTimes(3);
+    });
   });
 
-  it('builds virtual workspace url without account', () => {
-    const svc = new KcpKubernetesService();
-    expect(svc.getKcpVirtualWorkspaceUrl('orgX', '').toString()).toBe(
-      'https://kcp.example.com/services/contentconfigurations/clusters/root:orgs:orgX',
-    );
+  describe('getters', () => {
+    it('returns custom objects API for OIDC user', () => {
+      const svc = new KcpKubernetesService();
+      const api = svc.getKcpK8sCustomObjectsApiOIDCUser();
+      expect(api).toBeDefined();
+    });
+
+    it('returns custom objects API', () => {
+      const svc = new KcpKubernetesService();
+      const api = svc.getKcpK8sCustomObjectsApi();
+      expect(api).toBeDefined();
+    });
+
+    it('returns core v1 API', () => {
+      const svc = new KcpKubernetesService();
+      const api = svc.getKcpK8sCoreV1Api();
+      expect(api).toBeDefined();
+    });
   });
 
-  describe('KcpKubernetesService - getKcpWorkspacePublicUrl', () => {
-    const ORIGINAL_ENV = process.env;
+  describe('workspace URL building', () => {
+    it('builds workspace url with organization and account', () => {
+      const svc = new KcpKubernetesService();
+      expect(svc.getKcpWorkspaceUrl('org1', 'acc1').toString()).toBe(
+        'https://kcp.example.com/clusters/root:orgs:org1:acc1',
+      );
+    });
 
-    beforeEach(() => {
-      jest.resetModules();
-      process.env = { ...ORIGINAL_ENV };
-      process.env.BASE_DOMAINS_DEFAULT = 'example.com';
-      process.env.KUBECONFIG_KCP = __filename; // loadFromFile is called; path must exist
+    it('builds workspace url without account', () => {
+      const svc = new KcpKubernetesService();
+      expect(svc.getKcpWorkspaceUrl('org1', '').toString()).toBe(
+        'https://kcp.example.com/clusters/root:orgs:org1',
+      );
     });
 
-    afterEach(() => {
-      process.env = ORIGINAL_ENV;
-      jest.restoreAllMocks();
+    it('builds workspace url without organization', () => {
+      const svc = new KcpKubernetesService();
+      expect(svc.getKcpWorkspaceUrl('', '').toString()).toBe(
+        'https://kcp.example.com/clusters/root:orgs',
+      );
     });
 
-    const createService = () => {
-      // Mock KubeConfig internals to avoid reading real kubeconfig/server
-      const loadFromFile = jest.fn();
-      const addUser = jest.fn();
-      const addContext = jest.fn();
-      const setCurrentContext = jest.fn();
-      const getCurrentCluster = jest.fn(
-        () => ({ name: 'c', server: 'https://kcp.internal' }) as any,
+    it('builds workspace url with only organization', () => {
+      const svc = new KcpKubernetesService();
+      expect(svc.getKcpWorkspaceUrl('orgX').toString()).toBe(
+        'https://kcp.example.com/clusters/root:orgs:orgX',
       );
-      const makeApiClient = jest.fn(() => ({}));
+    });
 
-      jest.doMock('@kubernetes/client-node', () => {
-        return {
-          KubeConfig: jest.fn().mockImplementation(() => ({
-            loadFromFile,
-            addUser,
-            addContext,
-            setCurrentContext,
-            getCurrentCluster,
-            makeApiClient,
-          })),
-          CustomObjectsApi: jest.fn(),
-        };
-      });
+    it('builds workspace url without parameters', () => {
+      const svc = new KcpKubernetesService();
+      expect(svc.getKcpWorkspaceUrl().toString()).toBe(
+        'https://kcp.example.com/clusters/root:orgs',
+      );
+    });
+  });
 
-      // Re-require module to use mocked client-node
-      const { KcpKubernetesService: Svc } = require('./kcp-k8s.service');
-      return new Svc() as KcpKubernetesService;
-    };
+  describe('virtual workspace URL building', () => {
+    it('builds virtual workspace url with account', () => {
+      const svc = new KcpKubernetesService();
+      expect(svc.getKcpVirtualWorkspaceUrl('orgX', 'accY').toString()).toBe(
+        'https://kcp.example.com/services/contentconfigurations/clusters/root:orgs:orgX:accY',
+      );
+    });
+
+    it('builds virtual workspace url without account', () => {
+      const svc = new KcpKubernetesService();
+      expect(svc.getKcpVirtualWorkspaceUrl('orgX', '').toString()).toBe(
+        'https://kcp.example.com/services/contentconfigurations/clusters/root:orgs:orgX',
+      );
+    });
+  });
 
+  describe('getKcpWorkspacePublicUrl', () => {
     const makeReq = (overrides: Partial<Request> = {}): Request =>
       ({
         headers: {},
@@ -118,7 +173,7 @@ describe('KcpKubernetesService', () => {
       }) as unknown as Request;
 
     it('builds URL with organization and account from query', () => {
-      const svc = createService();
+      const svc = new KcpKubernetesService();
       const req = makeReq({
         query: { 'core_platform-mesh_io_account': 'acc-1' } as any,
         headers: { host: 'kcp.api.example.com' } as any,
@@ -130,18 +185,20 @@ describe('KcpKubernetesService', () => {
       );
     });
 
-    it('omits port for standard ports 80/443 and empty', () => {
-      const svc = createService();
-
-      let req = makeReq({
+    it('omits port for standard port 80', () => {
+      const svc = new KcpKubernetesService();
+      const req = makeReq({
         query: { 'core_platform-mesh_io_account': 'acc' } as any,
         headers: { host: 'kcp.api.example.com:80' } as any,
       });
       expect(svc.getKcpWorkspacePublicUrl(req)).toBe(
         'https://kcp.api.example.com/clusters/root:orgs:org-1:acc',
       );
+    });
 
-      req = makeReq({
+    it('omits port for standard port 443', () => {
+      const svc = new KcpKubernetesService();
+      const req = makeReq({
         query: { 'core_platform-mesh_io_account': 'acc' } as any,
         headers: {
           'x-forwarded-port': '443',
@@ -151,8 +208,11 @@ describe('KcpKubernetesService', () => {
       expect(svc.getKcpWorkspacePublicUrl(req)).toBe(
         'https://kcp.api.example.com/clusters/root:orgs:org-1:acc',
       );
+    });
 
-      req = makeReq({
+    it('omits port when no port provided', () => {
+      const svc = new KcpKubernetesService();
+      const req = makeReq({
         query: { 'core_platform-mesh_io_account': 'acc' } as any,
         headers: { host: 'kcp.api.example.com' } as any,
       });
@@ -162,7 +222,7 @@ describe('KcpKubernetesService', () => {
     });
 
     it('appends non-standard port from x-forwarded-port', () => {
-      const svc = createService();
+      const svc = new KcpKubernetesService();
       const req = makeReq({
         query: { 'core_platform-mesh_io_account': 'acc' } as any,
         headers: {
@@ -177,8 +237,24 @@ describe('KcpKubernetesService', () => {
       );
     });
 
+    it('handles x-forwarded-port as array', () => {
+      const svc = new KcpKubernetesService();
+      const req = makeReq({
+        query: { 'core_platform-mesh_io_account': 'acc' } as any,
+        headers: {
+          'x-forwarded-port': ['9000', '8000'],
+          host: 'kcp.api.example.com',
+        } as any,
+      });
+
+      const url = svc.getKcpWorkspacePublicUrl(req);
+      expect(url).toBe(
+        'https://kcp.api.example.com:9000/clusters/root:orgs:org-1:acc',
+      );
+    });
+
     it('falls back to port from host header when x-forwarded-port not present', () => {
-      const svc = createService();
+      const svc = new KcpKubernetesService();
       const req = makeReq({
         query: { 'core_platform-mesh_io_account': 'acc' } as any,
         headers: { host: 'kcp.api.example.com:3000' } as any,
@@ -192,7 +268,7 @@ describe('KcpKubernetesService', () => {
 
     it('uses FRONTEND_PORT env when provided', () => {
       process.env.FRONTEND_PORT = '4200';
-      const svc = createService();
+      const svc = new KcpKubernetesService();
       const req = makeReq({
         query: { 'core_platform-mesh_io_account': 'acc' } as any,
         headers: { host: 'kcp.api.example.com' } as any,
@@ -203,5 +279,342 @@ describe('KcpKubernetesService', () => {
         'https://kcp.api.example.com:4200/clusters/root:orgs:org-1:acc',
       );
     });
+
+    it('prioritizes FRONTEND_PORT over x-forwarded-port', () => {
+      process.env.FRONTEND_PORT = '5000';
+      const svc = new KcpKubernetesService();
+      const req = makeReq({
+        query: { 'core_platform-mesh_io_account': 'acc' } as any,
+        headers: {
+          'x-forwarded-port': '8080',
+          host: 'kcp.api.example.com',
+        } as any,
+      });
+
+      const url = svc.getKcpWorkspacePublicUrl(req);
+      expect(url).toBe(
+        'https://kcp.api.example.com:5000/clusters/root:orgs:org-1:acc',
+      );
+    });
+
+    it('builds URL without account when not in query', () => {
+      const svc = new KcpKubernetesService();
+      const req = makeReq({
+        query: {} as any,
+        headers: { host: 'kcp.api.example.com' } as any,
+      });
+
+      const url = svc.getKcpWorkspacePublicUrl(req);
+      expect(url).toBe('https://kcp.api.example.com/clusters/root:orgs:org-1');
+    });
+  });
+
+  describe('listClusterCustomObject', () => {
+    it('calls API with correct workspace URL and parameters', async () => {
+      const svc = new KcpKubernetesService();
+      const gvr: K8sResourceDescriptor = {
+        group: 'apps',
+        version: 'v1',
+        plural: 'deployments',
+        name: 'my-deployment',
+      };
+      const context: K8sRequestContext = {
+        organization: 'test-org',
+        'core_platform-mesh_io_account': 'test-account',
+      };
+
+      mockListClusterCustomObject.mockResolvedValue({ data: {} });
+
+      await svc.listClusterCustomObject(gvr, context);
+
+      expect(mockListClusterCustomObject).toHaveBeenCalledWith(
+        gvr,
+        expect.objectContaining({
+          middleware: expect.any(Array),
+        }),
+      );
+    });
+
+    it('builds correct URL path in middleware', async () => {
+      const svc = new KcpKubernetesService();
+      const gvr: K8sResourceDescriptor = {
+        group: 'batch',
+        version: 'v1',
+        plural: 'jobs',
+        name: 'test-job',
+      };
+      const context: K8sRequestContext = {
+        organization: 'org1',
+        'core_platform-mesh_io_account': 'acc1',
+      };
+
+      let capturedContext: any;
+      mockListClusterCustomObject.mockImplementation(
+        async (gvrParam, options) => {
+          const middleware = options.middleware[0];
+          const mockContext = {
+            setUrl: jest.fn(),
+          };
+          capturedContext = mockContext;
+          await middleware.options.pre(mockContext);
+          return { data: {} };
+        },
+      );
+
+      await svc.listClusterCustomObject(gvr, context);
+
+      expect(capturedContext.setUrl).toHaveBeenCalledWith(
+        'https://kcp.example.com/clusters/root:orgs:org1:acc1/apis/batch/v1/jobs/test-job',
+      );
+    });
+
+    it('handles context without account', async () => {
+      const svc = new KcpKubernetesService();
+      const gvr: K8sResourceDescriptor = {
+        group: 'core',
+        version: 'v1',
+        plural: 'pods',
+        name: 'my-pod',
+      };
+      const context: K8sRequestContext = {
+        organization: 'org2',
+      };
+
+      let capturedContext: any;
+      mockListClusterCustomObject.mockImplementation(
+        async (gvrParam, options) => {
+          const middleware = options.middleware[0];
+          const mockContext = {
+            setUrl: jest.fn(),
+          };
+          capturedContext = mockContext;
+          await middleware.options.pre(mockContext);
+          return { data: {} };
+        },
+      );
+
+      await svc.listClusterCustomObject(gvr, context);
+
+      expect(capturedContext.setUrl).toHaveBeenCalledWith(
+        'https://kcp.example.com/clusters/root:orgs:org2/apis/core/v1/pods/my-pod',
+      );
+    });
+  });
+
+  describe('listClusterCustomObjectInKcpVirtualWorkspace', () => {
+    it('calls OIDC API with correct virtual workspace URL and token', async () => {
+      const svc = new KcpKubernetesService();
+      const gvr: K8sResourceDescriptor = {
+        group: 'networking.k8s.io',
+        version: 'v1',
+        plural: 'ingresses',
+        name: undefined,
+      };
+      const context: K8sRequestContext = {
+        organization: 'virtual-org',
+        'core_platform-mesh_io_account': 'virtual-acc',
+      };
+      const token = 'test-bearer-token';
+
+      mockListClusterCustomObject.mockResolvedValue({ data: [] });
+
+      await svc.listClusterCustomObjectInKcpVirtualWorkspace(
+        gvr,
+        context,
+        token,
+      );
+
+      expect(mockListClusterCustomObject).toHaveBeenCalled();
+    });
+
+    it('sets Authorization header with Bearer token', async () => {
+      const svc = new KcpKubernetesService();
+      const gvr: K8sResourceDescriptor = {
+        group: 'apps',
+        version: 'v1',
+        plural: 'statefulsets',
+        name: undefined,
+      };
+      const context: K8sRequestContext = {
+        organization: 'auth-org',
+        'core_platform-mesh_io_account': 'auth-acc',
+      };
+      const token = 'my-secret-token';
+
+      let capturedContext: any;
+      mockListClusterCustomObject.mockImplementation(
+        async (gvrParam, options) => {
+          const middleware = options.middleware[0];
+          const mockContext = {
+            setUrl: jest.fn(),
+            setHeaderParam: jest.fn(),
+          };
+          capturedContext = mockContext;
+          await middleware.options.pre(mockContext);
+          return { data: [] };
+        },
+      );
+
+      await svc.listClusterCustomObjectInKcpVirtualWorkspace(
+        gvr,
+        context,
+        token,
+      );
+
+      expect(capturedContext.setHeaderParam).toHaveBeenCalledWith(
+        'Authorization',
+        'Bearer my-secret-token',
+      );
+    });
+
+    it('builds correct virtual workspace URL path', async () => {
+      const svc = new KcpKubernetesService();
+      const gvr: K8sResourceDescriptor = {
+        group: 'rbac.authorization.k8s.io',
+        version: 'v1',
+        plural: 'roles',
+        name: undefined,
+      };
+      const context: K8sRequestContext = {
+        organization: 'rbac-org',
+        'core_platform-mesh_io_account': 'rbac-acc',
+      };
+
+      let capturedContext: any;
+      mockListClusterCustomObject.mockImplementation(
+        async (gvrParam, options) => {
+          const middleware = options.middleware[0];
+          const mockContext = {
+            setUrl: jest.fn(),
+            setHeaderParam: jest.fn(),
+          };
+          capturedContext = mockContext;
+          await middleware.options.pre(mockContext);
+          return { data: [] };
+        },
+      );
+
+      await svc.listClusterCustomObjectInKcpVirtualWorkspace(
+        gvr,
+        context,
+        'token',
+      );
+
+      expect(capturedContext.setUrl).toHaveBeenCalledWith(
+        'https://kcp.example.com/services/contentconfigurations/clusters/root:orgs:rbac-org:rbac-acc/apis/rbac.authorization.k8s.io/v1/roles',
+      );
+    });
+  });
+
+  describe('getClientSecret', () => {
+    it('retrieves and decodes client secret successfully', async () => {
+      const svc = new KcpKubernetesService();
+      const orgName = 'test-org';
+      const encodedSecret = Buffer.from('my-secret-value').toString('base64');
+
+      mockReadNamespacedSecret.mockResolvedValue({
+        data: {
+          client_secret: encodedSecret,
+        },
+      });
+
+      const result = await svc.getClientSecret(orgName);
+
+      expect(result).toBe('my-secret-value');
+      expect(mockReadNamespacedSecret).toHaveBeenCalledWith(
+        {
+          namespace: 'default',
+          name: 'portal-client-secret-test-org-test-org',
+        },
+        expect.objectContaining({
+          middleware: expect.any(Array),
+        }),
+      );
+    });
+
+    it('builds correct secret name and namespace', async () => {
+      const svc = new KcpKubernetesService();
+      const orgName = 'my-company';
+
+      mockReadNamespacedSecret.mockResolvedValue({
+        data: {
+          client_secret: Buffer.from('secret').toString('base64'),
+        },
+      });
+
+      await svc.getClientSecret(orgName);
+
+      expect(mockReadNamespacedSecret).toHaveBeenCalledWith(
+        {
+          namespace: 'default',
+          name: 'portal-client-secret-my-company-my-company',
+        },
+        expect.any(Object),
+      );
+    });
+
+    it('uses correct workspace URL in middleware', async () => {
+      const svc = new KcpKubernetesService();
+      const orgName = 'url-org';
+
+      let capturedContext: any;
+      mockReadNamespacedSecret.mockImplementation(async (params, options) => {
+        const middleware = options.middleware[0];
+        const mockContext = {
+          setUrl: jest.fn(),
+        };
+        capturedContext = mockContext;
+        await middleware.options.pre(mockContext);
+        return {
+          data: {
+            client_secret: Buffer.from('test').toString('base64'),
+          },
+        };
+      });
+
+      await svc.getClientSecret(orgName);
+
+      expect(capturedContext.setUrl).toHaveBeenCalledWith(
+        'https://kcp.example.com/clusters/root:orgs/api/v1/namespaces/default/secrets/portal-client-secret-url-org-url-org',
+      );
+    });
+
+    it('throws error when secret retrieval fails', async () => {
+      const svc = new KcpKubernetesService();
+      const orgName = 'fail-org';
+      const error = new Error('Secret not found');
+
+      mockReadNamespacedSecret.mockRejectedValue(error);
+
+      await expect(svc.getClientSecret(orgName)).rejects.toThrow(
+        'Secret not found',
+      );
+    });
+
+    it('logs error with secret name when retrieval fails', async () => {
+      const svc = new KcpKubernetesService();
+      const orgName = 'error-org';
+      const error = {
+        response: {
+          body: { message: 'Not found' },
+        },
+      };
+
+      mockReadNamespacedSecret.mockRejectedValue(error);
+
+      await expect(svc.getClientSecret(orgName)).rejects.toEqual(error);
+    });
+
+    it('handles error without response body', async () => {
+      const svc = new KcpKubernetesService();
+      const orgName = 'no-response-org';
+      const error = new Error('Network error');
+
+      mockReadNamespacedSecret.mockRejectedValue(error);
+
+      await expect(svc.getClientSecret(orgName)).rejects.toThrow(
+        'Network error',
+      );
+    });
   });
 });