Renew Bridge installations

Issue: [sc-16285]

Author: cbandy

internal/bridge/client.go

@@ -19,6 +19,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -32,6 +33,8 @@ import (
 
 const defaultAPI = "https://api.crunchybridge.com"
 
+var errAuthentication = errors.New("authentication failed")
+
 type Client struct {
 	http.Client
 	wait.Backoff
@@ -179,6 +182,38 @@ func (c *Client) doWithRetry(
 	return response, err
 }
 
+func (c *Client) CreateAuthObject(ctx context.Context, authn AuthObject) (AuthObject, error) {
+	var result AuthObject
+
+	response, err := c.doWithRetry(ctx, "POST", "/vendor/operator/auth-objects", nil, http.Header{
+		"Accept":        []string{"application/json"},
+		"Authorization": []string{"Bearer " + authn.Secret},
+	})
+
+	if err == nil {
+		defer response.Body.Close()
+		body, _ := io.ReadAll(response.Body)
+
+		switch {
+		// 2xx, Successful
+		case response.StatusCode >= 200 && response.StatusCode < 300:
+			if err = json.Unmarshal(body, &result); err != nil {
+				err = fmt.Errorf("%w: %s", err, body)
+			}
+
+		// 401, Unauthorized
+		case response.StatusCode == 401:
+			err = fmt.Errorf("%w: %s", errAuthentication, body)
+
+		default:
+			//nolint:goerr113 // This is intentionally dynamic.
+			err = fmt.Errorf("%v: %s", response.Status, body)
+		}
+	}
+
+	return result, err
+}
+
 func (c *Client) CreateInstallation(ctx context.Context) (Installation, error) {
 	var result Installation
 
@@ -188,20 +223,18 @@ func (c *Client) CreateInstallation(ctx context.Context) (Installation, error) {
 
 	if err == nil {
 		defer response.Body.Close()
-
-		var body bytes.Buffer
-		_, _ = io.Copy(&body, response.Body)
+		body, _ := io.ReadAll(response.Body)
 
 		switch {
 		// 2xx, Successful
-		case 200 <= response.StatusCode && response.StatusCode < 300:
-			if err = json.Unmarshal(body.Bytes(), &result); err != nil {
-				err = fmt.Errorf("%w: %v", err, body.String())
+		case response.StatusCode >= 200 && response.StatusCode < 300:
+			if err = json.Unmarshal(body, &result); err != nil {
+				err = fmt.Errorf("%w: %s", err, body)
 			}
 
 		default:
 			//nolint:goerr113 // This is intentionally dynamic.
-			err = fmt.Errorf("%v: %v", response.Status, body.String())
+			err = fmt.Errorf("%v: %s", response.Status, body)
 		}
 	}
 

internal/bridge/client_test.go

@@ -405,6 +405,87 @@ func TestClientDoWithRetry(t *testing.T) {
 	})
 }
 
+func TestClientCreateAuthObject(t *testing.T) {
+	t.Run("Arguments", func(t *testing.T) {
+		var requests []http.Request
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			body, _ := io.ReadAll(r.Body)
+			assert.Equal(t, len(body), 0)
+			requests = append(requests, *r)
+		}))
+		t.Cleanup(server.Close)
+
+		client := NewClient(server.URL, "")
+		assert.Equal(t, client.BaseURL.String(), server.URL)
+
+		ctx := context.Background()
+		_, _ = client.CreateAuthObject(ctx, AuthObject{Secret: "sesame"})
+
+		assert.Equal(t, len(requests), 1)
+		assert.Equal(t, requests[0].Header.Get("Authorization"), "Bearer sesame")
+	})
+
+	t.Run("Unauthorized", func(t *testing.T) {
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusUnauthorized)
+			_, _ = w.Write([]byte(`some info`))
+		}))
+		t.Cleanup(server.Close)
+
+		client := NewClient(server.URL, "")
+		assert.Equal(t, client.BaseURL.String(), server.URL)
+
+		_, err := client.CreateAuthObject(context.Background(), AuthObject{})
+		assert.ErrorContains(t, err, "authentication")
+		assert.ErrorContains(t, err, "some info")
+		assert.ErrorIs(t, err, errAuthentication)
+	})
+
+	t.Run("ErrorResponse", func(t *testing.T) {
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusNotFound)
+			_, _ = w.Write([]byte(`some message`))
+		}))
+		t.Cleanup(server.Close)
+
+		client := NewClient(server.URL, "")
+		assert.Equal(t, client.BaseURL.String(), server.URL)
+
+		_, err := client.CreateAuthObject(context.Background(), AuthObject{})
+		assert.ErrorContains(t, err, "404 Not Found")
+		assert.ErrorContains(t, err, "some message")
+	})
+
+	t.Run("NoResponseBody", func(t *testing.T) {
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		}))
+		t.Cleanup(server.Close)
+
+		client := NewClient(server.URL, "")
+		assert.Equal(t, client.BaseURL.String(), server.URL)
+
+		_, err := client.CreateAuthObject(context.Background(), AuthObject{})
+		assert.ErrorContains(t, err, "unexpected end")
+		assert.ErrorContains(t, err, "JSON")
+	})
+
+	t.Run("ResponseNotJSON", func(t *testing.T) {
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+			_, _ = w.Write([]byte(`asdf`))
+		}))
+		t.Cleanup(server.Close)
+
+		client := NewClient(server.URL, "")
+		assert.Equal(t, client.BaseURL.String(), server.URL)
+
+		_, err := client.CreateAuthObject(context.Background(), AuthObject{})
+		assert.ErrorContains(t, err, "invalid")
+		assert.ErrorContains(t, err, "asdf")
+	})
+}
+
 func TestClientCreateInstallation(t *testing.T) {
 	t.Run("ErrorResponse", func(t *testing.T) {
 		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

internal/bridge/installation.go

@@ -18,12 +18,14 @@ package bridge
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"sync"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
 	corev1apply "k8s.io/client-go/applyconfigurations/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -65,6 +67,9 @@ type InstallationReconciler struct {
 		Patch(context.Context, client.Object, client.Patch, ...client.PatchOption) error
 	}
 
+	// Refresh is the frequency at which AuthObjects should be renewed.
+	Refresh time.Duration
+
 	// SecretRef is the name of the corev1.Secret in which to store Bridge tokens.
 	SecretRef client.ObjectKey
 
@@ -79,6 +84,7 @@ func ManagedInstallationReconciler(m manager.Manager, newClient func() *Client)
 		Owner:     naming.ControllerBridge,
 		Reader:    kubernetes,
 		Writer:    kubernetes,
+		Refresh:   2 * time.Hour,
 		SecretRef: naming.AsObjectKey(naming.OperatorConfigurationSecret()),
 		NewClient: newClient,
 	}
@@ -119,7 +125,7 @@ func (r *InstallationReconciler) Reconcile(
 		// make it so.
 		secret.Namespace, secret.Name = request.Namespace, request.Name
 
-		err = r.reconcile(ctx, secret)
+		result.RequeueAfter, err = r.reconcile(ctx, secret)
 	}
 
 	// TODO: Check for corev1.NamespaceTerminatingCause after
@@ -134,10 +140,14 @@ func (r *InstallationReconciler) Reconcile(
 	return result, err
 }
 
-func (r *InstallationReconciler) reconcile(ctx context.Context, read *corev1.Secret) error {
+// reconcile looks for an Installation in read and stores it or another in
+// the [self] singleton after a successful response from the Bridge API.
+func (r *InstallationReconciler) reconcile(
+	ctx context.Context, read *corev1.Secret) (next time.Duration, err error,
+) {
 	write, err := corev1apply.ExtractSecret(read, string(r.Owner))
 	if err != nil {
-		return err
+		return 0, err
 	}
 
 	// We GET-extract-PATCH the Secret and do not build it up from scratch.
@@ -157,24 +167,30 @@ func (r *InstallationReconciler) reconcile(ctx context.Context, read *corev1.Sec
 	// Secret which triggers another reconcile.
 	if len(installation.ID) == 0 {
 		if len(self.ID) == 0 {
-			return r.register(ctx, write)
+			return 0, r.register(ctx, write)
 		}
 
 		data := map[string][]byte{}
 		data[KeyBridgeToken], _ = json.Marshal(self.Installation) //nolint:errchkjson
 
-		return r.persist(ctx, write.WithData(data))
+		return 0, r.persist(ctx, write.WithData(data))
 	}
 
-	// When the Secret has an Installation, store it in memory.
-	// TODO: Validate it first; perhaps refresh the AuthObject.
-	if len(self.ID) == 0 {
-		self.Lock()
-		self.Installation = installation
-		self.Unlock()
+	// Read the timestamp from the Secret, if any.
+	var touched time.Time
+	if yaml.Unmarshal(read.Data[KeyBridgeLocalTime], &touched) != nil {
+		touched = time.Time{}
+	}
+
+	// Refresh the AuthObject when there is no Installation in memory,
+	// there is no timestamp, or the timestamp is far away. This writes to
+	// the Secret which triggers another reconcile.
+	if len(self.ID) == 0 || time.Since(touched) > r.Refresh || time.Until(touched) > r.Refresh {
+		return 0, r.refresh(ctx, installation, write)
 	}
 
-	return nil
+	// Trigger another reconcile one interval after the stored timestamp.
+	return wait.Jitter(time.Until(touched.Add(r.Refresh)), 0.1), nil
 }
 
 // persist uses Server-Side Apply to write config to Kubernetes. The Name and
@@ -198,6 +214,52 @@ func (r *InstallationReconciler) persist(
 	return err
 }
 
+// refresh calls the Bridge API to refresh the AuthObject of installation. It
+// combines the result with installation and stores that in the [self] singleton
+// and the write object in Kubernetes. The Name and Namespace fields of the
+// latter cannot be nil.
+func (r *InstallationReconciler) refresh(
+	ctx context.Context, installation Installation,
+	write *corev1apply.SecretApplyConfiguration,
+) error {
+	result, err := r.NewClient().CreateAuthObject(ctx, installation.AuthObject)
+
+	// An authentication error means the installation is irrecoverably expired.
+	// Remove it from the singleton and move it to a dated entry in the Secret.
+	if err != nil && errors.Is(err, errAuthentication) {
+		self.Lock()
+		self.Installation = Installation{}
+		self.Unlock()
+
+		keyExpiration := KeyBridgeToken +
+			installation.AuthObject.ExpiresAt.UTC().Format("--2006-01-02")
+
+		data := make(map[string][]byte, 2)
+		data[KeyBridgeToken] = nil
+		data[keyExpiration], _ = json.Marshal(installation) //nolint:errchkjson
+
+		return r.persist(ctx, write.WithData(data))
+	}
+
+	if err == nil {
+		installation.AuthObject = result
+
+		// Store the new value in the singleton.
+		self.Lock()
+		self.Installation = installation
+		self.Unlock()
+
+		// Store the new value in the Secret along with the current time.
+		data := make(map[string][]byte, 2)
+		data[KeyBridgeLocalTime], _ = metav1.Now().MarshalJSON()
+		data[KeyBridgeToken], _ = json.Marshal(installation) //nolint:errchkjson
+
+		err = r.persist(ctx, write.WithData(data))
+	}
+
+	return err
+}
+
 // register calls the Bridge API to register a new Installation. It stores the
 // result in the [self] singleton and the write object in Kubernetes. The Name
 // and Namespace fields of the latter cannot be nil.

internal/bridge/installation_test.go

@@ -22,8 +22,10 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
 
 	"gotest.tools/v3/assert"
+	cmpopt "gotest.tools/v3/assert/opt"
 	corev1 "k8s.io/api/core/v1"
 	corev1apply "k8s.io/client-go/applyconfigurations/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -127,8 +129,9 @@ func TestInstallationReconcile(t *testing.T) {
 			}
 
 			ctx := context.Background()
-			err := reconciler.reconcile(ctx, secret)
+			next, err := reconciler.reconcile(ctx, secret)
 			assert.NilError(t, err)
+			assert.Assert(t, next == 0)
 
 			// It calls the API.
 			assert.Equal(t, len(requests), 1)
@@ -178,7 +181,7 @@ func TestInstallationReconcile(t *testing.T) {
 			}
 
 			ctx := context.Background()
-			err := reconciler.reconcile(ctx, secret)
+			_, err := reconciler.reconcile(ctx, secret)
 			assert.Equal(t, err, expected, "expected a Kubernetes error")
 
 			// It stores the API result in memory.
@@ -227,8 +230,9 @@ func TestInstallationReconcile(t *testing.T) {
 				}
 
 				ctx := context.Background()
-				err := reconciler.reconcile(ctx, secret)
+				next, err := reconciler.reconcile(ctx, secret)
 				assert.NilError(t, err)
+				assert.Assert(t, next == 0)
 
 				assert.Equal(t, self.ID, "asdf", "expected no change to memory")
 
@@ -254,15 +258,15 @@ func TestInstallationReconcile(t *testing.T) {
 			}
 
 			ctx := context.Background()
-			err := reconciler.reconcile(ctx, secret)
+			_, err := reconciler.reconcile(ctx, secret)
 			assert.Equal(t, err, expected, "expected a Kubernetes error")
 			assert.Equal(t, self.ID, "asdf", "expected no change to memory")
 		})
 	})
 
 	// Scenario:
 	//   When there is a Secret but no Installation in memory,
-	//   Then Reconcile should store it in memory.
+	//   Then Reconcile should verify it in the API and store it in memory.
 	//
 	t.Run("Restart", func(t *testing.T) {
 		var reconciler *InstallationReconciler
@@ -271,18 +275,228 @@ func TestInstallationReconcile(t *testing.T) {
 		beforeEach := func() {
 			reconciler = new(InstallationReconciler)
 			secret = new(corev1.Secret)
-			secret.Data = map[string][]byte{KeyBridgeToken: []byte(`{"id":"xyz"}`)}
+			secret.Data = map[string][]byte{
+				KeyBridgeToken: []byte(`{
+					"id":"xyz", "auth_object":{
+						"secret":"abc",
+						"expires_at":"2020-10-28T05:06:07Z"
+					}
+				}`),
+			}
 			self.Installation = Installation{}
 		}
 
-		t.Run("ItLoads", func(t *testing.T) {
+		t.Run("ItVerifies", func(t *testing.T) {
 			beforeEach()
 
+			// API double; spy on requests.
+			var requests []http.Request
+			{
+				server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					requests = append(requests, *r)
+					_ = json.NewEncoder(w).Encode(map[string]any{"secret": "def"})
+				}))
+				t.Cleanup(server.Close)
+
+				reconciler.NewClient = func() *Client {
+					c := NewClient(server.URL, "")
+					c.Backoff.Steps = 1
+					assert.Equal(t, c.BaseURL.String(), server.URL)
+					return c
+				}
+			}
+
+			// Kubernetes double; spy on SSA patches.
+			var applies []string
+			{
+				reconciler.Writer = runtime.ClientPatch(func(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error {
+					assert.Equal(t, string(patch.Type()), "application/apply-patch+yaml")
+
+					data, err := patch.Data(obj)
+					applies = append(applies, string(data))
+					return err
+				})
+			}
+
 			ctx := context.Background()
-			err := reconciler.reconcile(ctx, secret)
+			next, err := reconciler.reconcile(ctx, secret)
 			assert.NilError(t, err)
+			assert.Assert(t, next == 0)
 
+			assert.Equal(t, len(requests), 1)
+			assert.Equal(t, requests[0].Header.Get("Authorization"), "Bearer abc")
+			assert.Equal(t, requests[0].Method, "POST")
+			assert.Equal(t, requests[0].URL.Path, "/vendor/operator/auth-objects")
+
+			// It stores the result in memory.
 			assert.Equal(t, self.ID, "xyz")
+			assert.Equal(t, self.AuthObject.Secret, "def")
+
+			// It stores the memory in Kubernetes.
+			assert.Equal(t, len(applies), 1)
+			assert.Assert(t, cmp.Contains(applies[0], `"kind":"Secret"`))
+
+			var decoded corev1.Secret
+			assert.NilError(t, yaml.Unmarshal([]byte(applies[0]), &decoded))
+			assert.Assert(t, cmp.Contains(string(decoded.Data["bridge-token"]), `"id":"xyz"`))
+			assert.Assert(t, cmp.Contains(string(decoded.Data["bridge-token"]), `"secret":"def"`))
+		})
+
+		t.Run("Expired", func(t *testing.T) {
+			beforeEach()
+
+			// API double; authentication error.
+			{
+				server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					w.WriteHeader(http.StatusUnauthorized)
+				}))
+				t.Cleanup(server.Close)
+
+				reconciler.NewClient = func() *Client {
+					c := NewClient(server.URL, "")
+					c.Backoff.Steps = 1
+					assert.Equal(t, c.BaseURL.String(), server.URL)
+					return c
+				}
+			}
+
+			// Kubernetes double; spy on SSA patches.
+			var applies []string
+			{
+				reconciler.Writer = runtime.ClientPatch(func(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error {
+					assert.Equal(t, string(patch.Type()), "application/apply-patch+yaml")
+
+					data, err := patch.Data(obj)
+					applies = append(applies, string(data))
+					return err
+				})
+			}
+
+			ctx := context.Background()
+			next, err := reconciler.reconcile(ctx, secret)
+			assert.NilError(t, err)
+			assert.Assert(t, next == 0)
+
+			assert.DeepEqual(t, self.Installation, Installation{})
+
+			// It archives the expired one.
+			assert.Equal(t, len(applies), 1)
+			assert.Assert(t, cmp.Contains(applies[0], `"kind":"Secret"`))
+
+			var decoded corev1.Secret
+			assert.NilError(t, yaml.Unmarshal([]byte(applies[0]), &decoded))
+			assert.Equal(t, len(decoded.Data["bridge-token"]), 0)
+
+			archived := string(decoded.Data["bridge-token--2020-10-28"])
+			assert.Assert(t, cmp.Contains(archived, `"id":"xyz"`))
+			assert.Assert(t, cmp.Contains(archived, `"secret":"abc"`))
+		})
+	})
+
+	// Scenario:
+	//   When there is an Installation in the Secret and in memory,
+	//   Then Reconcile should refresh it periodically.
+	//
+	t.Run("Refresh", func(t *testing.T) {
+		var reconciler *InstallationReconciler
+		var secret *corev1.Secret
+
+		beforeEach := func(timestamp []byte) {
+			reconciler = new(InstallationReconciler)
+			reconciler.Refresh = time.Minute
+
+			secret = new(corev1.Secret)
+			secret.Data = map[string][]byte{
+				KeyBridgeToken:     []byte(`{"id":"ddd", "auth_object":{"secret":"eee"}}`),
+				KeyBridgeLocalTime: timestamp,
+			}
+
+			self.Installation = Installation{ID: "ddd"}
+		}
+
+		for _, tt := range []struct {
+			Name      string
+			Timestamp []byte
+		}{
+			{Name: "NoTimestamp", Timestamp: nil},
+			{Name: "BadTimestamp", Timestamp: []byte(`asdf`)},
+			{Name: "OldTimestamp", Timestamp: []byte(`"2020-10-10T20:20:20Z"`)},
+			{Name: "FutureTimestamp", Timestamp: []byte(`"2030-10-10T20:20:20Z"`)},
+		} {
+			t.Run(tt.Name, func(t *testing.T) {
+				beforeEach(tt.Timestamp)
+
+				// API double; spy on requests.
+				var requests []http.Request
+				{
+					server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+						requests = append(requests, *r)
+						_ = json.NewEncoder(w).Encode(map[string]any{"secret": "fresh"})
+					}))
+					t.Cleanup(server.Close)
+
+					reconciler.NewClient = func() *Client {
+						c := NewClient(server.URL, "")
+						c.Backoff.Steps = 1
+						assert.Equal(t, c.BaseURL.String(), server.URL)
+						return c
+					}
+				}
+
+				// Kubernetes double; spy on SSA patches.
+				var applies []string
+				{
+					reconciler.Writer = runtime.ClientPatch(func(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error {
+						assert.Equal(t, string(patch.Type()), "application/apply-patch+yaml")
+
+						data, err := patch.Data(obj)
+						applies = append(applies, string(data))
+						return err
+					})
+				}
+
+				ctx := context.Background()
+				next, err := reconciler.reconcile(ctx, secret)
+				assert.NilError(t, err)
+				assert.Assert(t, next == 0)
+
+				assert.Equal(t, len(requests), 1)
+				assert.Equal(t, requests[0].Header.Get("Authorization"), "Bearer eee")
+				assert.Equal(t, requests[0].Method, "POST")
+				assert.Equal(t, requests[0].URL.Path, "/vendor/operator/auth-objects")
+
+				// It stores the result in memory.
+				assert.Equal(t, self.ID, "ddd")
+				assert.Equal(t, self.AuthObject.Secret, "fresh")
+
+				// It stores the memory in Kubernetes.
+				assert.Equal(t, len(applies), 1)
+				assert.Assert(t, cmp.Contains(applies[0], `"kind":"Secret"`))
+
+				var decoded corev1.Secret
+				assert.NilError(t, yaml.Unmarshal([]byte(applies[0]), &decoded))
+				assert.Assert(t, cmp.Contains(string(decoded.Data["bridge-token"]), `"id":"ddd"`))
+				assert.Assert(t, cmp.Contains(string(decoded.Data["bridge-token"]), `"secret":"fresh"`))
+			})
+		}
+
+		t.Run("CurrentTimestamp", func(t *testing.T) {
+			current := time.Now().Add(-15 * time.Minute)
+			currentJSON, _ := current.UTC().MarshalJSON()
+
+			beforeEach(currentJSON)
+			reconciler.Refresh = time.Hour
+
+			// Any API calls would panic because no spies are configured here.
+
+			ctx := context.Background()
+			next, err := reconciler.reconcile(ctx, secret)
+			assert.NilError(t, err)
+
+			// The next reconcile is scheduled around (60 - 15 =) 45 minutes
+			// from now, plus or minus (60 * 10% =) 6 minutes of jitter.
+			assert.DeepEqual(t, next, 45*time.Minute,
+				cmpopt.DurationWithThreshold(6*time.Minute))
 		})
 	})
 }