kubeguard · tamalsaha · Apr 3, 2018 · Mar 21, 2018 · Mar 21, 2018 · Mar 21, 2018
@@ -51,31 +51,45 @@ type ConduitClient struct {
 	Token string
 }
 
-func Check(name, token string) (*authv1.UserInfo, error) {
+type Authenticator struct {
+	name string
+}
+
+func New(name string) auth.Interface {
+	return &Authenticator{
+		name: name,
+	}
+}
+
+func (a Authenticator) UID() string {
+	return OrgType
+}
+
+func (a Authenticator) Check(token string) (*authv1.UserInfo, error) {
 	ctx := context.Background()
 	options := client.NewOption(_env.ProdApiServer)
 	options.UserAgent("appscode/guard")
 	/*namespace := strings.Split(name, ".")
 	if len(namespace) != 3 {
 		return Error(fmt.Sprintf("Failed to detect namespace from domain: %v", name)), http.StatusUnauthorized
 	}*/
-	options = options.BearerAuth(name, token)
+	options = options.BearerAuth(a.name, token)
 	c, err := client.New(options)
 	if err != nil {
-		return nil, errors.Wrapf(err, "failed to create oauth2/v1 api for domain %s", name)
+		return nil, errors.Wrapf(err, "failed to create oauth2/v1 api for domain %s", a.name)
 	}
 
 	user, err := c.Authentication().Conduit().WhoAmI(ctx, &dtypes.VoidRequest{})
 	if err != nil {
-		return nil, errors.Wrapf(err, "failed to load user info for domain %s", name)
+		return nil, errors.Wrapf(err, "failed to load user info for domain %s", a.name)
 	}
 
 	projects, err := c.Authentication().Project().List(ctx, &api.ProjectListRequest{
 		WithMember: false,
 		Members:    []string{user.User.Phid},
 	})
 	if err != nil {
-		return nil, errors.Wrapf(err, "failed to load user's teams for Org %s", name)
+		return nil, errors.Wrapf(err, "failed to load user's teams for Org %s", a.name)
 	}
 
 	resp := &authv1.UserInfo{

@@ -47,7 +47,7 @@ type Authenticator struct {
 	ctx         context.Context
 }
 
-func New(opts Options) (*Authenticator, error) {
+func New(opts Options) (auth.Interface, error) {
 	c := &Authenticator{
 		Options: opts,
 		ctx:     context.Background(),
@@ -65,10 +65,13 @@ func New(opts Options) (*Authenticator, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create ms graph client")
 	}
-
 	return c, nil
 }
 
+func (s Authenticator) UID() string {
+	return OrgType
+}
+
 func (s Authenticator) Check(token string) (*authv1.UserInfo, error) {
 	idToken, err := s.verifier.Verify(s.ctx, token)
 	if err != nil {

@@ -5,6 +5,7 @@ import (
 	"os"
 
 	"github.com/appscode/go/types"
+	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
 	"k8s.io/api/apps/v1beta1"
 	core "k8s.io/api/core/v1"
@@ -31,18 +32,20 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 }
 
 func (o *Options) Validate() []error {
-	return nil
-}
-
-func (o Options) IsSet() bool {
-	return o.ClientID != "" || o.ClientSecret != "" || o.TenantID != ""
+	var errs []error
+	if o.ClientSecret == "" {
+		errs = append(errs, errors.New("client secret must be non-empty"))
+	}
+	if o.ClientID == "" {
+		errs = append(errs, errors.New("azure.client-id must be non-empty"))
+	}
+	if o.TenantID == "" {
+		errs = append(errs, errors.New("azure.tenant-id must be non-empty"))
+	}
+	return errs
 }
 
 func (o Options) Apply(d *v1beta1.Deployment) (extraObjs []runtime.Object, err error) {
-	if !o.IsSet() {
-		return nil, nil // nothing to apply
-	}
-
 	container := d.Spec.Template.Spec.Containers[0]
 
 	// create auth secret
@@ -97,5 +100,8 @@ func (o Options) Apply(d *v1beta1.Deployment) (extraObjs []runtime.Object, err e
 		args = append(args, fmt.Sprintf("--azure.tenant-id=%s", o.TenantID))
 	}
 
+	container.Args = args
+	d.Spec.Template.Spec.Containers[0] = container
+
 	return extraObjs, nil
 }
@@ -0,0 +1,118 @@
+package azure
+
+import (
+	"testing"
+
+	aggregator "github.com/appscode/go/util/errors"
+	"github.com/pkg/errors"
+	"github.com/stretchr/testify/assert"
+)
+
+const (
+	empty    = ""
+	nonempty = "non-empty"
+)
+
+type optionFunc func(o Options) Options
+
+type testInfo struct {
+	testName    string
+	opts        Options
+	expectedErr []error
+}
+
+var (
+	validationErrorData = []struct {
+		testName    string
+		optsFunc    optionFunc
+		expectedErr error
+	}{
+		{
+			"azure.client-secret must be non-empty",
+			func(o Options) Options {
+				o.ClientSecret = empty
+				return o
+			},
+			errors.New("client secret must be non-empty"),
+		},
+		{
+			"azure.client-id is empty",
+			func(o Options) Options {
+				o.ClientID = empty
+				return o
+			},
+			errors.New("azure.client-id must be non-empty"),
+		},
+		{
+			"azure.tenant-id is empty",
+			func(o Options) Options {
+				o.TenantID = empty
+				return o
+			},
+			errors.New("azure.tenant-id must be non-empty"),
+		},
+	}
+)
+
+func getNonEmptyOptions() Options {
+	return Options{
+		ClientID:     nonempty,
+		ClientSecret: nonempty,
+		TenantID:     nonempty,
+	}
+}
+
+func getEmptyOptions() Options {
+	return Options{}
+}
+
+func getAllError() []error {
+	var errs []error
+	for _, d := range validationErrorData {
+		errs = append(errs, d.expectedErr)
+	}
+	return errs
+}
+
+func getTestDataForIndivitualError() []testInfo {
+	test := []testInfo{}
+	for _, d := range validationErrorData {
+		test = append(test, testInfo{
+			d.testName,
+			d.optsFunc(getNonEmptyOptions()),
+			[]error{d.expectedErr},
+		})
+	}
+
+	return test
+}
+
+func TestOptionsValidate(t *testing.T) {
+	testData := []testInfo{
+		{
+			"validation failed, all empty",
+			getEmptyOptions(),
+			getAllError(),
+		},
+		{
+			"validation passed",
+			getNonEmptyOptions(),
+			nil,
+		},
+	}
+
+	testData = append(testData, getTestDataForIndivitualError()...)
+
+	for _, test := range testData {
+		t.Run(test.testName, func(t *testing.T) {
+			errs := test.opts.Validate()
+			if test.expectedErr == nil {
+				assert.Nil(t, errs)
+			} else {
+				if assert.NotNil(t, errs, "errors expected") {
+					assert.EqualError(t, aggregator.NewAggregate(errs), aggregator.NewAggregate(test.expectedErr).Error())
+				}
+			}
+		})
+	}
+}
@@ -20,25 +20,43 @@ func init() {
 }
 
 type Authenticator struct {
-	Client  *github.Client
+	opts    Options
 	ctx     context.Context
 	OrgName string // Github organization name
 }
 
-func New(name, token string) *Authenticator {
+func New(opts Options, name string) auth.Interface {
 	g := &Authenticator{
+		opts:    opts,
 		ctx:     context.Background(),
 		OrgName: name,
 	}
-	g.Client = github.NewClient(oauth2.NewClient(g.ctx, oauth2.StaticTokenSource(
-		&oauth2.Token{AccessToken: token},
-	)))
 
 	return g
 }
 
-func (g *Authenticator) Check() (*authv1.UserInfo, error) {
-	mem, _, err := g.Client.Organizations.GetOrgMembership(g.ctx, "", g.OrgName)
+func (g Authenticator) UID() string {
+	return OrgType
+}
+
+func (g *Authenticator) Check(token string) (*authv1.UserInfo, error) {
+
+	var (
+		client *github.Client
+		err    error
+	)
+
+	if g.opts.BaseUrl != "" {
+		client, err = github.NewEnterpriseClient(g.opts.BaseUrl, "", oauth2.NewClient(g.ctx, oauth2.StaticTokenSource(
+			&oauth2.Token{AccessToken: token},
+		)))
+	} else {
+		client = github.NewClient(oauth2.NewClient(g.ctx, oauth2.StaticTokenSource(
+			&oauth2.Token{AccessToken: token},
+		)))
+	}
+
+	mem, _, err := client.Organizations.GetOrgMembership(g.ctx, "", g.OrgName)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to check user's membership in Org %s", g.OrgName)
 	}
@@ -52,7 +70,7 @@ func (g *Authenticator) Check() (*authv1.UserInfo, error) {
 	page := 1
 	pageSize := 25
 	for {
-		teams, _, err := g.Client.Organizations.ListUserTeams(g.ctx, &github.ListOptions{Page: page, PerPage: pageSize})
+		teams, _, err := client.Organizations.ListUserTeams(g.ctx, &github.ListOptions{Page: page, PerPage: pageSize})
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to load user's teams for Org %s", g.OrgName)
 		}