Provision client object if it does not exist

cmd/main.go

@@ -151,7 +151,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	authenticator, prefix, option, err := config.LoadConfiguration(
+	authenticator, prefix, option, provisioning, err := config.LoadConfiguration(
 		context.Background(),
 		mgr.GetAPIReader(),
 		mgr.GetScheme(),
@@ -205,7 +205,7 @@ func main() {
 		Client: watchClient,
 		Scheme: mgr.GetScheme(),
 		Authn:  authentication.NewBearerTokenAuthenticator(authenticator),
-		Authz:  authorization.NewBasicAuthorizer(watchClient, prefix),
+		Authz:  authorization.NewBasicAuthorizer(watchClient, prefix, provisioning.Enabled),
 		Attr: authorization.NewMetadataAttributesGetter(authorization.MetadataAttributesGetterConfig{
 			NamespaceKey: "jumpstarter-namespace",
 			ResourceKey:  "jumpstarter-kind",

internal/authorization/basic.go

@@ -5,17 +5,25 @@ import (
 	"slices"
 
 	jumpstarterdevv1alpha1 "github.com/jumpstarter-dev/jumpstarter-controller/api/v1alpha1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 type BasicAuthorizer struct {
-	reader client.Reader
-	prefix string
+	client       client.Client
+	prefix       string
+	provisioning bool
 }
 
-func NewBasicAuthorizer(reader client.Reader, prefix string) authorizer.Authorizer {
-	return &BasicAuthorizer{reader: reader, prefix: prefix}
+func NewBasicAuthorizer(client client.Client, prefix string, provisioning bool) authorizer.Authorizer {
+	return &BasicAuthorizer{
+		client:       client,
+		prefix:       prefix,
+		provisioning: provisioning,
+	}
 }
 
 func (b *BasicAuthorizer) Authorize(
@@ -25,7 +33,7 @@ func (b *BasicAuthorizer) Authorize(
 	switch attributes.GetResource() {
 	case "Exporter":
 		var e jumpstarterdevv1alpha1.Exporter
-		if err := b.reader.Get(ctx, client.ObjectKey{
+		if err := b.client.Get(ctx, client.ObjectKey{
 			Namespace: attributes.GetNamespace(),
 			Name:      attributes.GetName(),
 		}, &e); err != nil {
@@ -38,12 +46,29 @@ func (b *BasicAuthorizer) Authorize(
 		}
 	case "Client":
 		var c jumpstarterdevv1alpha1.Client
-		if err := b.reader.Get(ctx, client.ObjectKey{
+		err := b.client.Get(ctx, client.ObjectKey{
 			Namespace: attributes.GetNamespace(),
 			Name:      attributes.GetName(),
-		}, &c); err != nil {
-			return authorizer.DecisionDeny, "failed to get client", err
+		}, &c)
+		if err != nil {
+			if apierrors.IsNotFound(err) && b.provisioning {
+				c = jumpstarterdevv1alpha1.Client{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: attributes.GetNamespace(),
+						Name:      attributes.GetName(),
+					},
+					Spec: jumpstarterdevv1alpha1.ClientSpec{
+						Username: ptr.To(attributes.GetUser().GetName()),
+					},
+				}
+				if err := b.client.Create(ctx, &c); err != nil {
+					return authorizer.DecisionDeny, "failed to provision client", err
+				}
+			} else {
+				return authorizer.DecisionDeny, "failed to get client", err
+			}
 		}
+
 		if slices.Contains(c.Usernames(b.prefix), attributes.GetUser().GetName()) {
 			return authorizer.DecisionAllow, "", nil
 		} else {

internal/authorization/metadata.go

@@ -2,6 +2,10 @@ package authorization
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"regexp"
+	"strings"
 
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
@@ -12,6 +16,12 @@ import (
 
 var _ = ContextAttributesGetter(&MetadataAttributesGetter{})
 
+var (
+	invalidChar       = regexp.MustCompile("[^-a-zA-Z0-9]")
+	multipleHyphen    = regexp.MustCompile("-+")
+	surroundingHyphen = regexp.MustCompile("^-|-$")
+)
+
 type MetadataAttributesGetterConfig struct {
 	NamespaceKey string
 	ResourceKey  string
@@ -28,6 +38,25 @@ func NewMetadataAttributesGetter(config MetadataAttributesGetterConfig) *Metadat
 	}
 }
 
+func normalizeName(name string) string {
+	hash := sha256.Sum256([]byte(name))
+
+	sanitized := strings.ToLower(name)
+	sanitized = invalidChar.ReplaceAllString(sanitized, "-")
+	sanitized = multipleHyphen.ReplaceAllString(sanitized, "-")
+	sanitized = surroundingHyphen.ReplaceAllString(sanitized, "")
+
+	if len(sanitized) > 37 {
+		sanitized = sanitized[:37]
+	}
+
+	return strings.Join([]string{
+		"oidc",
+		sanitized,
+		hex.EncodeToString(hash[:3]),
+	}, "-")
+}
+
 func (b *MetadataAttributesGetter) ContextAttributes(
 	ctx context.Context,
 	userInfo user.Info,
@@ -52,6 +81,10 @@ func (b *MetadataAttributesGetter) ContextAttributes(
 		return nil, err
 	}
 
+	if name == "" {
+		name = normalizeName(userInfo.GetName())
+	}
+
 	return authorizer.AttributesRecord{
 		User:      userInfo,
 		Namespace: namespace,

internal/authorization/metadata_test.go

@@ -0,0 +1,47 @@
+package authorization
+
+import (
+	"strings"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation"
+)
+
+func TestNormalizeName(t *testing.T) {
+	testcases := []struct {
+		input  string
+		output string
+	}{
+		{
+			input:  "foo",
+			output: "oidc-foo-2c26b4",
+		},
+		{
+			input:  "foo@example.com",
+			output: "oidc-foo-example-com-321ba1",
+		},
+		{
+			input:  "foo@@@@@example.com",
+			output: "oidc-foo-example-com-5ac340",
+		},
+		{
+			input:  "@foo@example.com@",
+			output: "oidc-foo-example-com-5be6ea",
+		},
+		{
+			input:  strings.Repeat("foo", 30),
+			output: "oidc-foofoofoofoofoofoofoofoofoofoofoofoof-4ac4a7",
+		},
+	}
+	for _, testcase := range testcases {
+		result := normalizeName(testcase.input)
+		if validation.IsDNS1123Subdomain(result) != nil {
+			t.Errorf("normalizing the name %s does not produce a valid RFC1123 subdomain, but %s",
+				testcase.input, result)
+		}
+		if result != testcase.output {
+			t.Errorf("normalizing the name %s does not produce the expected output %s, but %s",
+				testcase.input, testcase.output, result)
+		}
+	}
+}

internal/config/config.go

@@ -22,10 +22,10 @@ func LoadConfiguration(
 	key client.ObjectKey,
 	signer *oidc.Signer,
 	certificateAuthority string,
-) (authenticator.Token, string, grpc.ServerOption, error) {
+) (authenticator.Token, string, grpc.ServerOption, *Provisioning, error) {
 	var configmap corev1.ConfigMap
 	if err := client.Get(ctx, key, &configmap); err != nil {
-		return nil, "", nil, err
+		return nil, "", nil, nil, err
 	}
 
 	rawAuthenticationConfiguration, ok := configmap.Data["authentication"]
@@ -40,24 +40,24 @@ func LoadConfiguration(
 			certificateAuthority,
 		)
 		if err != nil {
-			return nil, "", nil, err
+			return nil, "", nil, nil, err
 		}
 
 		return authenticator, prefix, grpc.KeepaliveEnforcementPolicy(keepalive.EnforcementPolicy{
 			MinTime:             1 * time.Second,
 			PermitWithoutStream: true,
-		}), nil
+		}), &Provisioning{Enabled: false}, nil
 	}
 
 	rawConfig, ok := configmap.Data["config"]
 	if !ok {
-		return nil, "", nil, fmt.Errorf("LoadConfiguration: missing config section")
+		return nil, "", nil, nil, fmt.Errorf("LoadConfiguration: missing config section")
 	}
 
 	var config Config
 	err := yaml.UnmarshalStrict([]byte(rawConfig), &config)
 	if err != nil {
-		return nil, "", nil, err
+		return nil, "", nil, nil, err
 	}
 
 	authenticator, prefix, err := LoadAuthenticationConfiguration(
@@ -68,13 +68,13 @@ func LoadConfiguration(
 		certificateAuthority,
 	)
 	if err != nil {
-		return nil, "", nil, err
+		return nil, "", nil, nil, err
 	}
 
 	serverOptions, err := LoadGrpcConfiguration(config.Grpc)
 	if err != nil {
-		return nil, "", nil, err
+		return nil, "", nil, nil, err
 	}
 
-	return authenticator, prefix, serverOptions, nil
+	return authenticator, prefix, serverOptions, &config.Provisioning, nil
 }

internal/config/types.go

@@ -6,6 +6,7 @@ import (
 
 type Config struct {
 	Authentication Authentication `json:"authentication"`
+	Provisioning   Provisioning   `json:"provisioning"`
 	Grpc           Grpc           `json:"grpc"`
 }
 
@@ -14,6 +15,10 @@ type Authentication struct {
 	JWT      []apiserverv1beta1.JWTAuthenticator `json:"jwt"`
 }
 
+type Provisioning struct {
+	Enabled bool `json:"enabled"`
+}
+
 type Internal struct {
 	Prefix string `json:"prefix"`
 }