More External Auth validation, tests and some fixes

api/autorest-config.yaml

@@ -1,4 +1,6 @@
 input-file: redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/hcpclusters/preview/2024-06-10-preview/openapi.json
+use:
+- "@autorest/[email protected]"
 go:
   namespace: redhatopenshift
   project-folder: ../internal

api/redhatopenshift/HcpCluster.Management/hcpCluster-models.tsp

@@ -942,7 +942,7 @@ model UsernameClaimProfile {
   /** Prefix policy is an optional field that configures how a prefix should be
    * applied to the value of the JWT claim specified in the 'claim' field.
    *
-   * Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
+   * Allowed values are 'Prefix', 'NoPrefix', and 'None'.
    *
    * When set to 'Prefix', the value specified in the prefix field will be
    * prepended to the value of the JWT claim.
@@ -951,7 +951,7 @@ model UsernameClaimProfile {
    * When set to 'NoPrefix', no prefix will be prepended to the value
    * of the JWT claim.
    *
-   * When omitted, this means no opinion and the platform is left to choose
+   * When set to 'None', this means no opinion and the platform is left to choose
    * any prefixes that are applied which is subject to change over time.
    * Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim
    * when the claim is not 'email'.

api/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/hcpclusters/preview/2024-06-10-preview/openapi.json

@@ -3582,7 +3582,7 @@
         },
         "prefixPolicy": {
           "type": "string",
-          "description": "Prefix policy is an optional field that configures how a prefix should be\napplied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be\nprepended to the value of the JWT claim.\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value\nof the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose\nany prefixes that are applied which is subject to change over time.\nCurrently, the platform prepends `{issuerURL}#` to the value of the JWT claim\nwhen the claim is not 'email'.\nAs an example, consider the following scenario:\n`prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\nthe JWT claims include \"username\":\"userA\" and \"email\":\"userA"
+          "description": "Prefix policy is an optional field that configures how a prefix should be\napplied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and 'None'.\n\nWhen set to 'Prefix', the value specified in the prefix field will be\nprepended to the value of the JWT claim.\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value\nof the JWT claim.\n\nWhen set to 'None', this means no opinion and the platform is left to choose\nany prefixes that are applied which is subject to change over time.\nCurrently, the platform prepends `{issuerURL}#` to the value of the JWT claim\nwhen the claim is not 'email'.\nAs an example, consider the following scenario:\n`prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\nthe JWT claims include \"username\":\"userA\" and \"email\":\"userA"
         }
       },
       "required": [
@@ -3605,7 +3605,7 @@
         },
         "prefixPolicy": {
           "type": "string",
-          "description": "Prefix policy is an optional field that configures how a prefix should be\napplied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be\nprepended to the value of the JWT claim.\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value\nof the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose\nany prefixes that are applied which is subject to change over time.\nCurrently, the platform prepends `{issuerURL}#` to the value of the JWT claim\nwhen the claim is not 'email'.\nAs an example, consider the following scenario:\n`prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\nthe JWT claims include \"username\":\"userA\" and \"email\":\"userA"
+          "description": "Prefix policy is an optional field that configures how a prefix should be\napplied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and 'None'.\n\nWhen set to 'Prefix', the value specified in the prefix field will be\nprepended to the value of the JWT claim.\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value\nof the JWT claim.\n\nWhen set to 'None', this means no opinion and the platform is left to choose\nany prefixes that are applied which is subject to change over time.\nCurrently, the platform prepends `{issuerURL}#` to the value of the JWT claim\nwhen the claim is not 'email'.\nAs an example, consider the following scenario:\n`prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\nthe JWT claims include \"username\":\"userA\" and \"email\":\"userA"
         }
       }
     },

frontend/pkg/frontend/external_auth_test.go

@@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"strings"
 	"testing"
 	"time"
 
@@ -33,12 +34,11 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
 
+	"github.com/Azure/ARO-HCP/internal/api/arm"
 	// This will invoke the init() function in each
 	// API version package so it can register itself.
-	_ "github.com/Azure/ARO-HCP/internal/api/v20240610preview"
-
 	"github.com/Azure/ARO-HCP/internal/api"
-	"github.com/Azure/ARO-HCP/internal/api/arm"
+	_ "github.com/Azure/ARO-HCP/internal/api/v20240610preview"
 	"github.com/Azure/ARO-HCP/internal/api/v20240610preview/generated"
 	"github.com/Azure/ARO-HCP/internal/database"
 	"github.com/Azure/ARO-HCP/internal/mocks"
@@ -47,8 +47,23 @@ import (
 
 var dummyExternalAuthHREF = ocm.GenerateExternalAuthHREF(dummyClusterHREF, api.TestExternalAuthName)
 
-var dummyURL = "Spain"
-var dummyAudiences = []string{"audience1"}
+var dummyURL = "https://redhat.com"
+var dummyCA = `-----BEGIN CERTIFICATE-----
+MIICMzCCAZygAwIBAgIJALiPnVsvq8dsMA0GCSqGSIb3DQEBBQUAMFMxCzAJBgNV
+BAYTAlVTMQwwCgYDVQQIEwNmb28xDDAKBgNVBAcTA2ZvbzEMMAoGA1UEChMDZm9v
+MQwwCgYDVQQLEwNmb28xDDAKBgNVBAMTA2ZvbzAeFw0xMzAzMTkxNTQwMTlaFw0x
+ODAzMTgxNTQwMTlaMFMxCzAJBgNVBAYTAlVTMQwwCgYDVQQIEwNmb28xDDAKBgNV
+BAcTA2ZvbzEMMAoGA1UEChMDZm9vMQwwCgYDVQQLEwNmb28xDDAKBgNVBAMTA2Zv
+bzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzdGfxi9CNbMf1UUcvDQh7MYB
+OveIHyc0E0KIbhjK5FkCBU4CiZrbfHagaW7ZEcN0tt3EvpbOMxxc/ZQU2WN/s/wP
+xph0pSfsfFsTKM4RhTWD2v4fgk+xZiKd1p0+L4hTtpwnEw0uXRVd0ki6muwV5y/P
++5FHUeldq+pgTcgzuK8CAwEAAaMPMA0wCwYDVR0PBAQDAgLkMA0GCSqGSIb3DQEB
+BQUAA4GBAJiDAAtY0mQQeuxWdzLRzXmjvdSuL9GoyT3BF/jSnpxz5/58dba8pWen
+v3pj4P3w5DoOso0rzkZy2jEsEitlVM2mLSbQpMM+MUVQCQoiG6W9xuCFuxSrwPIS
+pAqEAuV4DNoxQKKWmhVv+J0ptMWD25Pnpxeq5sXzghfJnslJlQND
+-----END CERTIFICATE-----
+`
+var dummyAudiences = []string{"audience1", "audience2"}
 var dummyClaim = "4.18.0"
 
 func TestCreateExternalAuth(t *testing.T) {
@@ -64,6 +79,7 @@ func TestCreateExternalAuth(t *testing.T) {
 		Properties: &generated.ExternalAuthProperties{
 			Issuer: &generated.TokenIssuerProfile{
 				URL:       &dummyURL,
+				Ca:        &dummyCA,
 				Audiences: api.StringSliceToStringPtrSlice(dummyAudiences),
 			},
 			Claim: &generated.ExternalAuthClaimProfile{
@@ -75,15 +91,32 @@ func TestCreateExternalAuth(t *testing.T) {
 			},
 		},
 	}
+	expectedCSExternalAuth, _ := arohcpv1alpha1.NewExternalAuth().
+		ID(strings.ToLower(api.TestExternalAuthName)).
+		Issuer(arohcpv1alpha1.NewTokenIssuer().
+			URL(dummyURL).
+			CA(dummyCA).
+			Audiences(dummyAudiences...),
+		).
+		Claim(arohcpv1alpha1.NewExternalAuthClaim().
+			Mappings(arohcpv1alpha1.NewTokenClaimMappings().
+				UserName(arohcpv1alpha1.NewUsernameClaim().
+					Claim(dummyClaim).
+					Prefix("").
+					PrefixPolicy(""),
+				),
+			),
+		).Build()
 	tests := []struct {
-		name               string
-		urlPath            string
-		subscription       *arm.Subscription
-		systemData         *arm.SystemData
-		subDoc             *arm.Subscription
-		clusterDoc         *database.ResourceDocument
-		externalAuthDoc    *database.ResourceDocument
-		expectedStatusCode int
+		name                   string
+		urlPath                string
+		subscription           *arm.Subscription
+		systemData             *arm.SystemData
+		subDoc                 *arm.Subscription
+		clusterDoc             *database.ResourceDocument
+		externalAuthDoc        *database.ResourceDocument
+		expectedCSExternalAuth *arohcpv1alpha1.ExternalAuth
+		expectedStatusCode     int
 	}{
 		{
 			name:    "PUT External Auth - Create a new External Auth",
@@ -93,9 +126,10 @@ func TestCreateExternalAuth(t *testing.T) {
 				RegistrationDate: api.Ptr(time.Now().String()),
 				Properties:       nil,
 			},
-			clusterDoc:         clusterDoc,
-			externalAuthDoc:    externalAuthDoc,
-			expectedStatusCode: http.StatusCreated,
+			clusterDoc:             clusterDoc,
+			externalAuthDoc:        externalAuthDoc,
+			expectedCSExternalAuth: expectedCSExternalAuth,
+			expectedStatusCode:     http.StatusCreated,
 		},
 	}
 
@@ -130,7 +164,7 @@ func TestCreateExternalAuth(t *testing.T) {
 
 			// CreateOrUpdateExternalAuth
 			mockCSClient.EXPECT().
-				PostExternalAuth(gomock.Any(), clusterDoc.InternalID, gomock.Any()).
+				PostExternalAuth(gomock.Any(), clusterDoc.InternalID, test.expectedCSExternalAuth).
 				DoAndReturn(
 					func(ctx context.Context, clusterInternalID ocm.InternalID, externalAuth *arohcpv1alpha1.ExternalAuth) (*arohcpv1alpha1.ExternalAuth, error) {
 						builder := arohcpv1alpha1.NewExternalAuth().

frontend/pkg/frontend/node_pool_test.go

@@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"strings"
 	"testing"
 	"time"
 
@@ -73,6 +74,29 @@ func TestCreateNodePool(t *testing.T) {
 			},
 		},
 	}
+
+	expectedCSNodePool, _ := arohcpv1alpha1.NewNodePool().
+		ID(strings.ToLower(api.TestNodePoolName)).
+		AvailabilityZone("").
+		AzureNodePool(arohcpv1alpha1.NewAzureNodePool().
+			ResourceName(strings.ToLower(api.TestNodePoolName)).
+			VMSize(dummyVMSize).
+			EncryptionAtHost(
+				arohcpv1alpha1.NewAzureNodePoolEncryptionAtHost().
+					State(azureNodePoolEncryptionAtHostDisabled),
+			).
+			OSDiskSizeGibibytes(64).
+			OSDiskStorageAccountType("Premium_LRS"),
+		).
+		Labels(make(map[string]string)).
+		Subnet("").
+		Version(arohcpv1alpha1.NewVersion().
+			ID("openshift-v" + dummyVersionID).
+			ChannelGroup("stable"),
+		).
+		Replicas(0).
+		AutoRepair(true).Build()
+
 	tests := []struct {
 		name               string
 		urlPath            string
@@ -81,6 +105,7 @@ func TestCreateNodePool(t *testing.T) {
 		subDoc             *arm.Subscription
 		clusterDoc         *database.ResourceDocument
 		nodePoolDoc        *database.ResourceDocument
+		expectedCSNodePool *arohcpv1alpha1.NodePool
 		expectedStatusCode int
 	}{
 		{
@@ -93,6 +118,7 @@ func TestCreateNodePool(t *testing.T) {
 			},
 			clusterDoc:         clusterDoc,
 			nodePoolDoc:        nodePoolDoc,
+			expectedCSNodePool: expectedCSNodePool,
 			expectedStatusCode: http.StatusCreated,
 		},
 	}
@@ -134,7 +160,7 @@ func TestCreateNodePool(t *testing.T) {
 					Build())
 			// CreateOrUpdateNodePool
 			mockCSClient.EXPECT().
-				PostNodePool(gomock.Any(), clusterDoc.InternalID, gomock.Any()).
+				PostNodePool(gomock.Any(), clusterDoc.InternalID, expectedCSNodePool).
 				DoAndReturn(
 					func(ctx context.Context, clusterInternalID ocm.InternalID, nodePool *arohcpv1alpha1.NodePool) (*arohcpv1alpha1.NodePool, error) {
 						builder := arohcpv1alpha1.NewNodePool().