@@ -679,6 +679,109 @@ func TestWorkspaceAuthSubroutine_Initialize(t *testing.T) {
679679 expectError : true ,
680680 expectedResult : subroutines .OK (),
681681 },
682+ {
683+ name : "success - additional audiences are appended" ,
684+ logicalCluster : & kcpcorev1alpha1.LogicalCluster {
685+ ObjectMeta : metav1.ObjectMeta {
686+ Annotations : map [string ]string {
687+ "kcp.io/path" : "root:orgs:test-workspace" ,
688+ },
689+ },
690+ },
691+ cfg : config.Config {
692+ BaseDomain : "test.domain" ,
693+ GroupClaim : "groups" ,
694+ UserClaim : "email" ,
695+ AdditionalAudiences : []string {"extra-aud-1" , "extra-aud-2" },
696+ },
697+ setupMocks : func (m * mocks.MockClient , mgrClient * mocks.MockClient ) {
698+ mgrClient .EXPECT ().Get (mock .Anything , types.NamespacedName {Name : "account" }, mock .AnythingOfType ("*v1alpha1.AccountInfo" ), mock .Anything ).
699+ RunAndReturn (func (ctx context.Context , key client.ObjectKey , obj client.Object , opts ... client.GetOption ) error {
700+ * obj .(* accountsv1alpha1.AccountInfo ) = accountsv1alpha1.AccountInfo {
701+ ObjectMeta : metav1.ObjectMeta {Name : "account" },
702+ Spec : accountsv1alpha1.AccountInfoSpec {
703+ OIDC : & accountsv1alpha1.OIDCInfo {
704+ Clients : map [string ]accountsv1alpha1.ClientInfo {
705+ "test-workspace" : {ClientID : "test-workspace-client" },
706+ "kubectl" : {ClientID : "kubectl-client" },
707+ },
708+ },
709+ },
710+ }
711+ return nil
712+ }).Once ()
713+ m .EXPECT ().Get (mock .Anything , types.NamespacedName {Name : "test-workspace" }, mock .AnythingOfType ("*v1alpha1.WorkspaceAuthenticationConfiguration" ), mock .Anything ).
714+ Return (apierrors .NewNotFound (kcptenancyv1alphav1 .Resource ("workspaceauthenticationconfigurations" ), "test-workspace" )).Once ()
715+ m .EXPECT ().Create (mock .Anything , mock .AnythingOfType ("*v1alpha1.WorkspaceAuthenticationConfiguration" ), mock .Anything ).
716+ RunAndReturn (func (ctx context.Context , obj client.Object , opts ... client.CreateOption ) error {
717+ wac := obj .(* kcptenancyv1alphav1.WorkspaceAuthenticationConfiguration )
718+ assert .Equal (t , "test-workspace" , wac .Name )
719+ assert .ElementsMatch (t , []string {"test-workspace-client" , "kubectl-client" , "extra-aud-1" , "extra-aud-2" }, wac .Spec .JWT [0 ].Issuer .Audiences )
720+ return nil
721+ }).Once ()
722+
723+ m .EXPECT ().List (mock .Anything , mock .AnythingOfType ("*v1alpha1.WorkspaceTypeList" ), mock .Anything ).
724+ RunAndReturn (func (ctx context.Context , list client.ObjectList , opts ... client.ListOption ) error {
725+ wtList := list .(* kcptenancyv1alphav1.WorkspaceTypeList )
726+ wtList .Items = []kcptenancyv1alphav1.WorkspaceType {}
727+ return nil
728+ }).Once ()
729+ },
730+ expectError : false ,
731+ expectedResult : subroutines .OK (),
732+ },
733+ {
734+ name : "success - empty additional audiences does not change behavior" ,
735+ logicalCluster : & kcpcorev1alpha1.LogicalCluster {
736+ ObjectMeta : metav1.ObjectMeta {
737+ Annotations : map [string ]string {
738+ "kcp.io/path" : "root:orgs:test-workspace" ,
739+ },
740+ },
741+ },
742+ cfg : config.Config {
743+ BaseDomain : "test.domain" ,
744+ GroupClaim : "groups" ,
745+ UserClaim : "email" ,
746+ AdditionalAudiences : []string {},
747+ },
748+ setupMocks : func (m * mocks.MockClient , mgrClient * mocks.MockClient ) {
749+ mgrClient .EXPECT ().Get (mock .Anything , types.NamespacedName {Name : "account" }, mock .AnythingOfType ("*v1alpha1.AccountInfo" ), mock .Anything ).
750+ RunAndReturn (func (ctx context.Context , key client.ObjectKey , obj client.Object , opts ... client.GetOption ) error {
751+ * obj .(* accountsv1alpha1.AccountInfo ) = accountsv1alpha1.AccountInfo {
752+ ObjectMeta : metav1.ObjectMeta {Name : "account" },
753+ Spec : accountsv1alpha1.AccountInfoSpec {
754+ OIDC : & accountsv1alpha1.OIDCInfo {
755+ Clients : map [string ]accountsv1alpha1.ClientInfo {
756+ "test-workspace" : {ClientID : "test-workspace-client" },
757+ "kubectl" : {ClientID : "kubectl-client" },
758+ },
759+ },
760+ },
761+ }
762+ return nil
763+ }).Once ()
764+ m .EXPECT ().Get (mock .Anything , types.NamespacedName {Name : "test-workspace" }, mock .AnythingOfType ("*v1alpha1.WorkspaceAuthenticationConfiguration" ), mock .Anything ).
765+ Return (apierrors .NewNotFound (kcptenancyv1alphav1 .Resource ("workspaceauthenticationconfigurations" ), "test-workspace" )).Once ()
766+ m .EXPECT ().Create (mock .Anything , mock .AnythingOfType ("*v1alpha1.WorkspaceAuthenticationConfiguration" ), mock .Anything ).
767+ RunAndReturn (func (ctx context.Context , obj client.Object , opts ... client.CreateOption ) error {
768+ wac := obj .(* kcptenancyv1alphav1.WorkspaceAuthenticationConfiguration )
769+ assert .Equal (t , "test-workspace" , wac .Name )
770+ assert .ElementsMatch (t , []string {"test-workspace-client" , "kubectl-client" }, wac .Spec .JWT [0 ].Issuer .Audiences )
771+ assert .Len (t , wac .Spec .JWT [0 ].Issuer .Audiences , 2 )
772+ return nil
773+ }).Once ()
774+
775+ m .EXPECT ().List (mock .Anything , mock .AnythingOfType ("*v1alpha1.WorkspaceTypeList" ), mock .Anything ).
776+ RunAndReturn (func (ctx context.Context , list client.ObjectList , opts ... client.ListOption ) error {
777+ wtList := list .(* kcptenancyv1alphav1.WorkspaceTypeList )
778+ wtList .Items = []kcptenancyv1alphav1.WorkspaceType {}
779+ return nil
780+ }).Once ()
781+ },
782+ expectError : false ,
783+ expectedResult : subroutines .OK (),
784+ },
682785 }
683786
684787 for _ , tt := range tests {
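Review bot: Both new cases index `wac.Spec.JWT[0]` inside the Create callback without first checking the slice length, so a regression that produces no JWT entry panics inside the mock instead of failing with a readable assertion; guard it with `if !assert.Len(t, wac.Spec.JWT, 1) { return nil }` ahead of the audience checks. Because every AdditionalAudiences entry widens the set of token audiences the workspace's JWT authenticator accepts, the table should also pin the edge inputs: a nil slice, a blank entry such as `""`, and an entry that repeats one of the OIDC client IDs, so that whichever filtering or de-duplication the implementation intends (not visible here) is fixed by a test. The `assert.Len(..., 2)` in the second case is redundant, since `assert.ElementsMatch` already fails on a length mismatch. The test table and the enclosing test function start and end outside this hunk.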