@platform-mesh/portal-server-lib 0.5.44 → 0.5.46

package/src/portal-options/auth-config-provider.spec.ts

@@ -1,101 +1,523 @@
 import { PMAuthConfigProvider } from './auth-config-provider.js';
-import { HttpException } from '@nestjs/common';
-import {
-  DiscoveryService,
-  EnvAuthConfigService,
-} from '@openmfp/portal-server-lib';
+import { IdentityProviderConfiguration } from './models/k8s.js';
+import { KcpKubernetesService } from './services/kcp-k8s.service.js';
+import * as domainUtils from './utils/domain.js';
+import { HttpException, HttpStatus } from '@nestjs/common';
+import { DiscoveryService } from '@openmfp/portal-server-lib';
 import type { Request } from 'express';
 import { mock } from 'jest-mock-extended';
 
 jest.mock('@kubernetes/client-node', () => {
+  const mockReadNamespacedSecret = jest.fn();
   class KubeConfig {
     loadFromDefault = jest.fn();
     loadFromFile = jest.fn();
     getCurrentCluster = jest.fn().mockReturnValue({
-      server: 'https://k8s.example.com/base',
+      server: 'https://k8s.example.com',
       name: 'test-cluster',
     });
-    makeApiClient = jest.fn();
+    makeApiClient = jest.fn().mockReturnValue({
+      readNamespacedSecret: mockReadNamespacedSecret,
+    });
     addUser = jest.fn();
     addContext = jest.fn();
     setCurrentContext = jest.fn();
   }
+  class CoreV1Api {}
   class CustomObjectsApi {}
-  return { KubeConfig, CustomObjectsApi };
+  return { KubeConfig, CoreV1Api, CustomObjectsApi, mockReadNamespacedSecret };
 });
 
+jest.mock('@kubernetes/client-node/dist/gen/middleware.js', () => ({
+  PromiseMiddlewareWrapper: class {},
+}));
+
 describe('PMAuthConfigProvider', () => {
   let provider: PMAuthConfigProvider;
   let discoveryService: jest.Mocked<DiscoveryService>;
-  let envAuthConfigService: jest.Mocked<EnvAuthConfigService>;
+  let kcpKubernetesService: jest.Mocked<KcpKubernetesService>;
+  let mockRequest: Request;
+
+  const mockOidcDiscovery = {
+    authorization_endpoint: 'https://auth.example.com/authorize',
+    token_endpoint: 'https://auth.example.com/token',
+    issuer: 'https://auth.example.com',
+    end_session_endpoint: 'https://auth.example.com/logout',
+  };
 
   beforeEach(() => {
     discoveryService = mock<DiscoveryService>();
-    envAuthConfigService = mock<EnvAuthConfigService>();
-    provider = new PMAuthConfigProvider(discoveryService);
-    jest.resetModules();
+    kcpKubernetesService = mock<KcpKubernetesService>();
+    provider = new PMAuthConfigProvider(discoveryService, kcpKubernetesService);
+
+    mockRequest = { hostname: 'org1.example.com' } as Request;
+
     process.env = {
-      AUTH_SERVER_URL_DEFAULT: 'authUrl',
-      TOKEN_URL_DEFAULT: 'tokenUrl',
       BASE_DOMAINS_DEFAULT: 'example.com',
-      OIDC_CLIENT_ID_DEFAULT: 'client123',
-      OIDC_CLIENT_SECRET_DEFAULT: 'secret123',
+      AUTH_SERVER_URL_DEFAULT: 'https://default-auth.com/authorize',
+      TOKEN_URL_DEFAULT: 'https://default-auth.com/token',
     };
-    provider['getClientSecret'] = jest.fn().mockResolvedValue('secret');
+
+    jest
+      .spyOn(domainUtils, 'getDiscoveryEndpoint')
+      .mockReturnValue(
+        'https://oidc.example.com/.well-known/openid-configuration',
+      );
+    jest.spyOn(domainUtils, 'getOrganization').mockReturnValue('org1');
+
+    discoveryService.getOIDC.mockResolvedValue(mockOidcDiscovery);
   });
 
-  it('should delegate to EnvAuthConfigService if available', async () => {
-    const req = { hostname: 'foo.example.com' } as Request;
-    const expected = {
-      idpName: 'idp',
-      baseDomain: 'example.com',
-      oauthServerUrl: 'url',
-      oauthTokenUrl: 'token',
-      clientId: 'cid',
-      clientSecret: 'secret',
-      oidcIssuerUrl: 'issuer',
-    };
-    envAuthConfigService.getAuthConfig.mockResolvedValue(expected);
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe('getAuthConfig', () => {
+    it('should return auth config for regular organization', async () => {
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: 'client-org1',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
+
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('secret-org1');
+
+      const result = await provider.getAuthConfig(mockRequest);
+
+      expect(result).toEqual({
+        idpName: 'org1',
+        baseDomain: 'example.com',
+        clientId: 'client-org1',
+        clientSecret: 'secret-org1',
+        oauthServerUrl: 'https://auth.example.com/authorize',
+        oauthTokenUrl: 'https://auth.example.com/token',
+        oidcIssuerUrl: 'https://auth.example.com',
+        endSessionUrl: 'https://auth.example.com/logout',
+      });
+    });
+
+    it('should handle welcome organization', async () => {
+      jest.spyOn(domainUtils, 'getOrganization').mockReturnValue('welcome');
+
+      const { mockReadNamespacedSecret } = require('@kubernetes/client-node');
+      mockReadNamespacedSecret.mockResolvedValue({
+        data: {
+          'attribute.client_secret':
+            Buffer.from('welcome-secret').toString('base64'),
+        },
+      });
+
+      const result = await provider.getAuthConfig(mockRequest);
+
+      expect(result.clientId).toBe('welcome');
+      expect(result.clientSecret).toBe('welcome-secret');
+      expect(
+        kcpKubernetesService.listClusterCustomObject,
+      ).not.toHaveBeenCalled();
+    });
+
+    it('should fall back to default auth URLs when OIDC discovery fails', async () => {
+      discoveryService.getOIDC.mockResolvedValue(null);
+
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: 'client-org1',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
+
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('secret-org1');
+
+      const result = await provider.getAuthConfig(mockRequest);
+
+      expect(result.oauthServerUrl).toBe('https://default-auth.com/authorize');
+      expect(result.oauthTokenUrl).toBe('https://default-auth.com/token');
+      expect(result.oidcIssuerUrl).toBeUndefined();
+      expect(result.endSessionUrl).toBeUndefined();
+    });
+
+    it('should throw HttpException when oauthServerUrl is missing', async () => {
+      discoveryService.getOIDC.mockResolvedValue(null);
+      process.env.AUTH_SERVER_URL_DEFAULT = '';
+
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: 'client-org1',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
+
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('secret-org1');
+
+      await expect(provider.getAuthConfig(mockRequest)).rejects.toThrow(
+        HttpException,
+      );
+      await expect(provider.getAuthConfig(mockRequest)).rejects.toMatchObject({
+        status: HttpStatus.NOT_FOUND,
+      });
+    });
+
+    it('should throw HttpException when oauthTokenUrl is missing', async () => {
+      discoveryService.getOIDC.mockResolvedValue(null);
+      process.env.TOKEN_URL_DEFAULT = '';
+
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: 'client-org1',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
+
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('secret-org1');
+
+      await expect(provider.getAuthConfig(mockRequest)).rejects.toThrow(
+        HttpException,
+      );
+    });
+
+    it('should throw HttpException when clientId is missing', async () => {
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: '',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
 
-    const result = await provider.getAuthConfig(req);
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('secret-org1');
 
-    expect(result).toEqual({
-      baseDomain: 'example.com',
-      clientId: 'foo',
-      clientSecret: 'secret',
-      idpName: 'foo',
-      oauthServerUrl: 'authUrl',
-      oauthTokenUrl: 'tokenUrl',
+      await expect(provider.getAuthConfig(mockRequest)).rejects.toThrow(
+        HttpException,
+      );
+    });
+
+    it('should throw HttpException when clientSecret is missing', async () => {
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: 'client-org1',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
+
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('');
+
+      await expect(provider.getAuthConfig(mockRequest)).rejects.toThrow(
+        HttpException,
+      );
+    });
+
+    it('should include error details in HttpException', async () => {
+      discoveryService.getOIDC.mockResolvedValue(null);
+      process.env.AUTH_SERVER_URL_DEFAULT = '';
+
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: 'client-org1',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
+
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('secret-org1');
+
+      try {
+        await provider.getAuthConfig(mockRequest);
+        fail('Should have thrown HttpException');
+      } catch (error) {
+        expect(error).toBeInstanceOf(HttpException);
+        const response = (error as HttpException).getResponse() as any;
+        expect(response.message).toBe('Default auth configuration incomplete.');
+        expect(response.error).toContain("oauthServerUrl: ''");
+        expect(response.error).toContain('has client secret: true');
+      }
+    });
+
+    it('should call getDiscoveryEndpoint with request', async () => {
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: 'client-org1',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
+
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('secret-org1');
+
+      await provider.getAuthConfig(mockRequest);
+
+      expect(domainUtils.getDiscoveryEndpoint).toHaveBeenCalledWith(
+        mockRequest,
+      );
+    });
+
+    it('should call getOrganization with request', async () => {
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: 'client-org1',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
+
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('secret-org1');
+
+      await provider.getAuthConfig(mockRequest);
+
+      expect(domainUtils.getOrganization).toHaveBeenCalledWith(mockRequest);
+    });
+
+    it('should call discoveryService with OIDC URL', async () => {
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: 'client-org1',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
+
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('secret-org1');
+
+      await provider.getAuthConfig(mockRequest);
+
+      expect(discoveryService.getOIDC).toHaveBeenCalledWith(
+        'https://oidc.example.com/.well-known/openid-configuration',
+      );
     });
   });
 
-  it('should fall back to default configuration if EnvAuthConfigService throws', async () => {
-    const req = { hostname: 'foo.example.com' } as Request;
-    envAuthConfigService.getAuthConfig.mockRejectedValue(new Error('fail'));
-    discoveryService.getOIDC.mockResolvedValue({
-      authorization_endpoint: 'authUrl',
-      token_endpoint: 'tokenUrl',
-      issuer: 'issuer',
-      end_session_endpoint: 'endSessionUrl',
+  describe('readClientId', () => {
+    it('should read client ID from identity provider configuration', async () => {
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: 'client-org1',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
+
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('secret-org1');
+
+      await provider.getAuthConfig(mockRequest);
+
+      expect(kcpKubernetesService.listClusterCustomObject).toHaveBeenCalledWith(
+        {
+          group: 'core.platform-mesh.io',
+          version: 'v1alpha1',
+          plural: 'identityproviderconfigurations',
+          name: 'org1',
+        },
+        {
+          organization: 'org1',
+        },
+      );
     });
 
-    const result = await provider.getAuthConfig(req);
+    it('should handle missing managedClients', async () => {
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {},
+        },
+      } as IdentityProviderConfiguration;
 
-    expect(result).toMatchObject({
-      baseDomain: 'example.com',
-      oauthServerUrl: 'authUrl',
-      oauthTokenUrl: 'tokenUrl',
-      clientId: 'foo',
-      clientSecret: 'secret',
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('secret-org1');
+
+      await expect(provider.getAuthConfig(mockRequest)).rejects.toThrow();
     });
   });
 
-  it('should throw if default configuration incomplete', async () => {
-    const req = { hostname: 'foo.example.com' } as Request;
-    envAuthConfigService.getAuthConfig.mockRejectedValue(new Error('fail'));
-    discoveryService.getOIDC.mockResolvedValue(null);
-    process.env = {};
+  describe('getWelcomeClientSecret', () => {
+    it('should read welcome client secret from Kubernetes secret', async () => {
+      jest.spyOn(domainUtils, 'getOrganization').mockReturnValue('welcome');
+
+      const { mockReadNamespacedSecret } = require('@kubernetes/client-node');
+      const secretValue = 'my-welcome-secret';
+      mockReadNamespacedSecret.mockResolvedValue({
+        data: {
+          'attribute.client_secret':
+            Buffer.from(secretValue).toString('base64'),
+        },
+      });
+
+      const result = await provider.getAuthConfig(mockRequest);
 
-    await expect(provider.getAuthConfig(req)).rejects.toThrow(HttpException);
+      expect(mockReadNamespacedSecret).toHaveBeenCalledWith({
+        namespace: 'platform-mesh-system',
+        name: 'portal-client-secret-welcome',
+      });
+      expect(result.clientSecret).toBe(secretValue);
+    });
+
+    it('should decode base64 secret correctly', async () => {
+      jest.spyOn(domainUtils, 'getOrganization').mockReturnValue('welcome');
+
+      const { mockReadNamespacedSecret } = require('@kubernetes/client-node');
+      const secretValue = 'special-chars-@#$%';
+      mockReadNamespacedSecret.mockResolvedValue({
+        data: {
+          'attribute.client_secret':
+            Buffer.from(secretValue).toString('base64'),
+        },
+      });
+
+      const result = await provider.getAuthConfig(mockRequest);
+
+      expect(result.clientSecret).toBe(secretValue);
+    });
+
+    it('should throw error when secret read fails', async () => {
+      jest.spyOn(domainUtils, 'getOrganization').mockReturnValue('welcome');
+
+      const { mockReadNamespacedSecret } = require('@kubernetes/client-node');
+      const error = new Error('Secret not found');
+      mockReadNamespacedSecret.mockRejectedValue(error);
+
+      const consoleSpy = jest.spyOn(console, 'error').mockImplementation();
+
+      await expect(provider.getAuthConfig(mockRequest)).rejects.toThrow(
+        'Secret not found',
+      );
+      expect(consoleSpy).toHaveBeenCalled();
+
+      consoleSpy.mockRestore();
+    });
+
+    it('should log error with response body if available', async () => {
+      jest.spyOn(domainUtils, 'getOrganization').mockReturnValue('welcome');
+
+      const { mockReadNamespacedSecret } = require('@kubernetes/client-node');
+      const error: any = new Error('Secret not found');
+      error.response = { body: { message: 'Not found in namespace' } };
+      mockReadNamespacedSecret.mockRejectedValue(error);
+
+      const consoleSpy = jest.spyOn(console, 'error').mockImplementation();
+
+      await expect(provider.getAuthConfig(mockRequest)).rejects.toThrow();
+      expect(consoleSpy).toHaveBeenCalledWith(
+        'Failed to fetch secret portal-client-secret-welcome:',
+        { message: 'Not found in namespace' },
+      );
+
+      consoleSpy.mockRestore();
+    });
+  });
+
+  describe('edge cases', () => {
+    it('should handle undefined OIDC discovery endpoints', async () => {
+      discoveryService.getOIDC.mockResolvedValue({
+        authorization_endpoint: undefined,
+        token_endpoint: undefined,
+        issuer: undefined,
+        end_session_endpoint: undefined,
+      } as any);
+
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: 'client-org1',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
+
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue('secret-org1');
+
+      const result = await provider.getAuthConfig(mockRequest);
+
+      expect(result.oauthServerUrl).toBe('https://default-auth.com/authorize');
+      expect(result.oauthTokenUrl).toBe('https://default-auth.com/token');
+    });
+
+    it('should handle null clientSecret in error message', async () => {
+      const mockIdpConfig: IdentityProviderConfiguration = {
+        status: {
+          managedClients: {
+            org1: {
+              clientId: 'client-org1',
+            },
+          },
+        },
+      } as IdentityProviderConfiguration;
+
+      kcpKubernetesService.listClusterCustomObject.mockResolvedValue(
+        mockIdpConfig,
+      );
+      kcpKubernetesService.getClientSecret.mockResolvedValue(null as any);
+
+      try {
+        await provider.getAuthConfig(mockRequest);
+        fail('Should have thrown');
+      } catch (error) {
+        const response = (error as HttpException).getResponse() as any;
+        expect(response.error).toContain('has client secret: false');
+      }
+    });
   });
 });

package/src/portal-options/auth-config-provider.ts

@@ -1,3 +1,8 @@
+import {
+  IdentityProviderConfiguration,
+  K8sResourceDescriptor,
+} from './models/k8s.js';
+import { KcpKubernetesService } from './services/kcp-k8s.service.js';
 import { getDiscoveryEndpoint, getOrganization } from './utils/domain.js';
 import { CoreV1Api, KubeConfig } from '@kubernetes/client-node';
 import { HttpException, HttpStatus, Injectable } from '@nestjs/common';
@@ -10,20 +15,23 @@ import type { Request } from 'express';
 
 @Injectable()
 export class PMAuthConfigProvider implements AuthConfigService {
-  private k8sApi: CoreV1Api;
-
-  constructor(private discoveryService: DiscoveryService) {
-    const kc = new KubeConfig();
-    kc.loadFromDefault();
-    this.k8sApi = kc.makeApiClient(CoreV1Api);
-  }
+  constructor(
+    private discoveryService: DiscoveryService,
+    private kcpKubernetesService: KcpKubernetesService,
+  ) {}
 
   async getAuthConfig(request: Request): Promise<ServerAuthVariables> {
     const oidcUrl = getDiscoveryEndpoint(request);
-    const clientId = getOrganization(request);
+    const org = getOrganization(request);
+
+    const clientId =
+      org === 'welcome' ? 'welcome' : await this.readClientId(org);
+    const clientSecret =
+      org === 'welcome'
+        ? await this.getWelcomeClientSecret(org)
+        : await this.kcpKubernetesService.getClientSecret(org);
 
     const baseDomain = process.env['BASE_DOMAINS_DEFAULT'];
-    const clientSecret = await this.getClientSecret(clientId);
     const oidc = await this.discoveryService.getOIDC(oidcUrl);
     const oauthServerUrl =
       oidc?.authorization_endpoint ?? process.env['AUTH_SERVER_URL_DEFAULT'];
@@ -45,7 +53,7 @@ export class PMAuthConfigProvider implements AuthConfigService {
     }
 
     return {
-      idpName: clientId,
+      idpName: org,
       baseDomain,
       clientId,
       clientSecret,
@@ -56,12 +64,33 @@ export class PMAuthConfigProvider implements AuthConfigService {
     };
   }
 
-  private async getClientSecret(orgName: string) {
+  private async readClientId(orgName: string): Promise<string> {
+    const k8sResourceDescriptor: K8sResourceDescriptor = {
+      group: 'core.platform-mesh.io',
+      version: 'v1alpha1',
+      plural: 'identityproviderconfigurations',
+      name: orgName,
+    };
+
+    const result: IdentityProviderConfiguration =
+      await this.kcpKubernetesService.listClusterCustomObject(
+        k8sResourceDescriptor,
+        {
+          organization: orgName,
+        },
+      );
+    return result.status.managedClients[orgName].clientId;
+  }
+
+  private async getWelcomeClientSecret(orgName: string) {
     const secretName = `portal-client-secret-${orgName}`;
     const namespace = 'platform-mesh-system';
 
+    const kc = new KubeConfig();
+    kc.loadFromDefault();
+    const k8sApi = kc.makeApiClient(CoreV1Api);
     try {
-      const res = await this.k8sApi.readNamespacedSecret({
+      const res = await k8sApi.readNamespacedSecret({
         namespace,
         name: secretName,
       });

package/src/portal-options/models/k8s.ts

@@ -0,0 +1,27 @@
+export interface K8sResourceDescriptor {
+  group: string;
+  version: string;
+  plural: string;
+  name?: string;
+  namespace?: string;
+  labelSelector?: string;
+}
+
+export interface K8sRequestContext extends Record<string, any> {
+  organization: string;
+  'core_platform-mesh_io_account'?: string;
+}
+
+export interface IdentityProviderConfiguration {
+  status: {
+    managedClients: {
+      [key: string]: {
+        clientId: string;
+        secretRef?: {
+          name: string;
+          namespace: string;
+        };
+      };
+    };
+  };
+}