Renew Bridge installations

Issue: [sc-16285]

Author: cbandy

internal/bridge/client.go

@@ -19,6 +19,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -32,6 +33,8 @@ import (
 
 const defaultAPI = "https://api.crunchybridge.com"
 
+var errAuthentication = errors.New("authentication failed")
+
 type Client struct {
 	http.Client
 	wait.Backoff
@@ -179,6 +182,38 @@ func (c *Client) doWithRetry(
 	return response, err
 }
 
+func (c *Client) CreateAuthObject(ctx context.Context, authn AuthObject) (AuthObject, error) {
+	var result AuthObject
+
+	response, err := c.doWithRetry(ctx, "POST", "/vendor/operator/auth-objects", nil, http.Header{
+		"Accept":        []string{"application/json"},
+		"Authorization": []string{"Bearer " + authn.Secret},
+	})
+
+	if err == nil {
+		defer response.Body.Close()
+		body, _ := io.ReadAll(response.Body)
+
+		switch {
+		// 2xx, Successful
+		case response.StatusCode >= 200 && response.StatusCode < 300:
+			if err = json.Unmarshal(body, &result); err != nil {
+				err = fmt.Errorf("%w: %s", err, body)
+			}
+
+		// 401, Unauthorized
+		case response.StatusCode == 401:
+			err = fmt.Errorf("%w: %s", errAuthentication, body)
+
+		default:
+			//nolint:goerr113 // This is intentionally dynamic.
+			err = fmt.Errorf("%v: %s", response.Status, body)
+		}
+	}
+
+	return result, err
+}
+
 func (c *Client) CreateInstallation(ctx context.Context) (Installation, error) {
 	var result Installation
 
@@ -188,20 +223,18 @@ func (c *Client) CreateInstallation(ctx context.Context) (Installation, error) {
 
 	if err == nil {
 		defer response.Body.Close()
-
-		var body bytes.Buffer
-		_, _ = io.Copy(&body, response.Body)
+		body, _ := io.ReadAll(response.Body)
 
 		switch {
 		// 2xx, Successful
-		case 200 <= response.StatusCode && response.StatusCode < 300:
-			if err = json.Unmarshal(body.Bytes(), &result); err != nil {
-				err = fmt.Errorf("%w: %v", err, body.String())
+		case response.StatusCode >= 200 && response.StatusCode < 300:
+			if err = json.Unmarshal(body, &result); err != nil {
+				err = fmt.Errorf("%w: %s", err, body)
 			}
 
 		default:
 			//nolint:goerr113 // This is intentionally dynamic.
-			err = fmt.Errorf("%v: %v", response.Status, body.String())
+			err = fmt.Errorf("%v: %s", response.Status, body)
 		}
 	}
 

internal/bridge/client_test.go

@@ -405,6 +405,87 @@ func TestClientDoWithRetry(t *testing.T) {
 	})
 }
 
+func TestClientCreateAuthObject(t *testing.T) {
+	t.Run("Arguments", func(t *testing.T) {
+		var requests []http.Request
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			body, _ := io.ReadAll(r.Body)
+			assert.Equal(t, len(body), 0)
+			requests = append(requests, *r)
+		}))
+		t.Cleanup(server.Close)
+
+		client := NewClient(server.URL, "")
+		assert.Equal(t, client.BaseURL.String(), server.URL)
+
+		ctx := context.Background()
+		_, _ = client.CreateAuthObject(ctx, AuthObject{Secret: "sesame"})
+
+		assert.Equal(t, len(requests), 1)
+		assert.Equal(t, requests[0].Header.Get("Authorization"), "Bearer sesame")
+	})
+
+	t.Run("Unauthorized", func(t *testing.T) {
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusUnauthorized)
+			_, _ = w.Write([]byte(`some info`))
+		}))
+		t.Cleanup(server.Close)
+
+		client := NewClient(server.URL, "")
+		assert.Equal(t, client.BaseURL.String(), server.URL)
+
+		_, err := client.CreateAuthObject(context.Background(), AuthObject{})
+		assert.ErrorContains(t, err, "authentication")
+		assert.ErrorContains(t, err, "some info")
+		assert.ErrorIs(t, err, errAuthentication)
+	})
+
+	t.Run("ErrorResponse", func(t *testing.T) {
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusNotFound)
+			_, _ = w.Write([]byte(`some message`))
+		}))
+		t.Cleanup(server.Close)
+
+		client := NewClient(server.URL, "")
+		assert.Equal(t, client.BaseURL.String(), server.URL)
+
+		_, err := client.CreateAuthObject(context.Background(), AuthObject{})
+		assert.ErrorContains(t, err, "404 Not Found")
+		assert.ErrorContains(t, err, "some message")
+	})
+
+	t.Run("NoResponseBody", func(t *testing.T) {
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		}))
+		t.Cleanup(server.Close)
+
+		client := NewClient(server.URL, "")
+		assert.Equal(t, client.BaseURL.String(), server.URL)
+
+		_, err := client.CreateAuthObject(context.Background(), AuthObject{})
+		assert.ErrorContains(t, err, "unexpected end")
+		assert.ErrorContains(t, err, "JSON")
+	})
+
+	t.Run("ResponseNotJSON", func(t *testing.T) {
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+			_, _ = w.Write([]byte(`asdf`))
+		}))
+		t.Cleanup(server.Close)
+
+		client := NewClient(server.URL, "")
+		assert.Equal(t, client.BaseURL.String(), server.URL)
+
+		_, err := client.CreateAuthObject(context.Background(), AuthObject{})
+		assert.ErrorContains(t, err, "invalid")
+		assert.ErrorContains(t, err, "asdf")
+	})
+}
+
 func TestClientCreateInstallation(t *testing.T) {
 	t.Run("ErrorResponse", func(t *testing.T) {
 		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

internal/bridge/installation.go

@@ -18,12 +18,14 @@ package bridge
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"sync"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
 	corev1apply "k8s.io/client-go/applyconfigurations/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -65,6 +67,9 @@ type InstallationReconciler struct {
 		Patch(context.Context, client.Object, client.Patch, ...client.PatchOption) error
 	}
 
+	// Refresh is the frequency at which AuthObjects should be renewed.
+	Refresh time.Duration
+
 	// SecretRef is the name of the corev1.Secret in which to store Bridge tokens.
 	SecretRef client.ObjectKey
 
@@ -79,6 +84,7 @@ func ManagedInstallationReconciler(m manager.Manager, newClient func() *Client)
 		Owner:     naming.ControllerBridge,
 		Reader:    kubernetes,
 		Writer:    kubernetes,
+		Refresh:   2 * time.Hour,
 		SecretRef: naming.AsObjectKey(naming.OperatorConfigurationSecret()),
 		NewClient: newClient,
 	}
@@ -119,7 +125,7 @@ func (r *InstallationReconciler) Reconcile(
 		// make it so.
 		secret.Namespace, secret.Name = request.Namespace, request.Name
 
-		err = r.reconcile(ctx, secret)
+		result.RequeueAfter, err = r.reconcile(ctx, secret)
 	}
 
 	// TODO: Check for corev1.NamespaceTerminatingCause after
@@ -134,10 +140,14 @@ func (r *InstallationReconciler) Reconcile(
 	return result, err
 }
 
-func (r *InstallationReconciler) reconcile(ctx context.Context, read *corev1.Secret) error {
+// reconcile looks for an Installation in read and stores it or another in
+// the [self] singleton after a successful response from the Bridge API.
+func (r *InstallationReconciler) reconcile(
+	ctx context.Context, read *corev1.Secret) (next time.Duration, err error,
+) {
 	write, err := corev1apply.ExtractSecret(read, string(r.Owner))
 	if err != nil {
-		return err
+		return 0, err
 	}
 
 	// We GET-extract-PATCH the Secret and do not build it up from scratch.
@@ -157,24 +167,30 @@ func (r *InstallationReconciler) reconcile(ctx context.Context, read *corev1.Sec
 	// Secret which triggers another reconcile.
 	if len(installation.ID) == 0 {
 		if len(self.ID) == 0 {
-			return r.register(ctx, write)
+			return 0, r.register(ctx, write)
 		}
 
 		data := map[string][]byte{}
 		data[KeyBridgeToken], _ = json.Marshal(self.Installation) //nolint:errchkjson
 
-		return r.persist(ctx, write.WithData(data))
+		return 0, r.persist(ctx, write.WithData(data))
 	}
 
-	// When the Secret has an Installation, store it in memory.
-	// TODO: Validate it first; perhaps refresh the AuthObject.
-	if len(self.ID) == 0 {
-		self.Lock()
-		self.Installation = installation
-		self.Unlock()
+	// Read the timestamp from the Secret, if any.
+	var touched time.Time
+	if yaml.Unmarshal(read.Data[KeyBridgeLocalTime], &touched) != nil {
+		touched = time.Time{}
+	}
+
+	// Refresh the AuthObject when there is no Installation in memory,
+	// there is no timestamp, or the timestamp is far away. This writes to
+	// the Secret which triggers another reconcile.
+	if len(self.ID) == 0 || time.Since(touched) > r.Refresh || time.Until(touched) > r.Refresh {
+		return 0, r.refresh(ctx, installation, write)
 	}
 
-	return nil
+	// Trigger another reconcile one interval after the stored timestamp.
+	return wait.Jitter(time.Until(touched.Add(r.Refresh)), 0.1), nil
 }
 
 // persist uses Server-Side Apply to write config to Kubernetes. The Name and
@@ -198,6 +214,52 @@ func (r *InstallationReconciler) persist(
 	return err
 }
 
+// refresh calls the Bridge API to refresh the AuthObject of installation. It
+// combines the result with installation and stores that in the [self] singleton
+// and the write object in Kubernetes. The Name and Namespace fields of the
+// latter cannot be nil.
+func (r *InstallationReconciler) refresh(
+	ctx context.Context, installation Installation,
+	write *corev1apply.SecretApplyConfiguration,
+) error {
+	result, err := r.NewClient().CreateAuthObject(ctx, installation.AuthObject)
+
+	// An authentication error means the installation is irrecoverably expired.
+	// Remove it from the singleton and move it to a dated entry in the Secret.
+	if err != nil && errors.Is(err, errAuthentication) {
+		self.Lock()
+		self.Installation = Installation{}
+		self.Unlock()
+
+		keyExpiration := KeyBridgeToken +
+			installation.AuthObject.ExpiresAt.UTC().Format("--2006-01-02")
+
+		data := make(map[string][]byte, 2)
+		data[KeyBridgeToken] = nil
+		data[keyExpiration], _ = json.Marshal(installation) //nolint:errchkjson
+
+		return r.persist(ctx, write.WithData(data))
+	}
+
+	if err == nil {
+		installation.AuthObject = result
+
+		// Store the new value in the singleton.
+		self.Lock()
+		self.Installation = installation
+		self.Unlock()
+
+		// Store the new value in the Secret along with the current time.
+		data := make(map[string][]byte, 2)
+		data[KeyBridgeLocalTime], _ = metav1.Now().MarshalJSON()
+		data[KeyBridgeToken], _ = json.Marshal(installation) //nolint:errchkjson
+
+		err = r.persist(ctx, write.WithData(data))
+	}
+
+	return err
+}
+
 // register calls the Bridge API to register a new Installation. It stores the
 // result in the [self] singleton and the write object in Kubernetes. The Name
 // and Namespace fields of the latter cannot be nil.