From bccfc1cdfb5639538f7109fec000a84973204da9 Mon Sep 17 00:00:00 2001 From: jsmolar Date: Fri, 26 Aug 2022 13:42:50 +0200 Subject: [PATCH] Add cluster-wide API key identity tests --- testsuite/objects/__init__.py | 2 +- testsuite/openshift/objects/auth_config.py | 7 ++- .../tests/kuadrant/authorino/conftest.py | 5 +- .../authorino/identity/api_key/conftest.py | 12 ++-- .../clusterwide/test_all_namespace_api_key.py | 60 +++++++++++++++++++ 5 files changed, 75 insertions(+), 11 deletions(-) create mode 100644 testsuite/tests/kuadrant/authorino/operator/clusterwide/test_all_namespace_api_key.py diff --git a/testsuite/objects/__init__.py b/testsuite/objects/__init__.py index d2172062..4cd9971c 100644 --- a/testsuite/objects/__init__.py +++ b/testsuite/objects/__init__.py @@ -37,7 +37,7 @@ def add_oidc_identity(self, name, endpoint): """Adds OIDC identity provider""" @abc.abstractmethod - def add_api_key_identity(self, name, match_label, match_expression): + def add_api_key_identity(self, name, all_namespaces, match_label, match_expression): """Adds API Key identity""" @abc.abstractmethod diff --git a/testsuite/openshift/objects/auth_config.py b/testsuite/openshift/objects/auth_config.py index 2e565cc0..242959bd 100644 --- a/testsuite/openshift/objects/auth_config.py +++ b/testsuite/openshift/objects/auth_config.py @@ -66,11 +66,13 @@ def add_oidc_identity(self, name, endpoint): }) @modify - def add_api_key_identity(self, name, match_label=None, match_expression: MatchExpression = None): + def add_api_key_identity(self, name, all_namespaces: bool = False, + match_label=None, match_expression: MatchExpression = None): """ Adds API Key identity Args: :param name: the name of API key identity + :param all_namespaces: a location of the API keys can be in another namespace (only works for cluster-wide) :param match_label: labels that are accepted by AuthConfig :param match_expression: instance of the MatchExpression """ 
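Review bot: `all_namespaces` is inserted ahead of `match_label` as a positional parameter, both in the abstract `add_api_key_identity(self, name, all_namespaces, match_label, match_expression)` in `testsuite/objects/__init__.py` and in the implementation in `testsuite/openshift/objects/auth_config.py`. Any caller outside this patch that still passes the label positionally would bind it to `all_namespaces`, and the later hunk writes that value unchecked into `"allNamespaces"`, so an AuthConfig could be created with a cluster-wide key lookup it never asked for and no error would be raised. Keeping the old order and making the flag keyword-only avoids this: `def add_api_key_identity(self, name, match_label=None, match_expression: MatchExpression = None, *, all_namespaces: bool = False):`. The abstract declaration carries no defaults at all, so it would be worth giving it the same signature.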
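Review bot: The new `:param all_namespaces:` line in the docstring of `add_api_key_identity` is hard to parse and does not say what the flag widens. Suggested wording: `:param all_namespaces: if True, API key Secrets matching the selector are accepted from any namespace, not only the AuthConfig's own (takes effect only with a cluster-wide Authorino)`. The body of the method continues outside this hunk.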
@@ -94,7 +96,8 @@ def add_api_key_identity(self, name, match_label=None, match_expression: MatchEx identities.append({ "name": name, "apiKey": { - "selector": matcher + "selector": matcher, + "allNamespaces": all_namespaces }, "credentials": { "in": "authorization_header", diff --git a/testsuite/tests/kuadrant/authorino/conftest.py b/testsuite/tests/kuadrant/authorino/conftest.py index fa9d982f..fe8d36e9 100644 --- a/testsuite/tests/kuadrant/authorino/conftest.py +++ b/testsuite/tests/kuadrant/authorino/conftest.py @@ -3,6 +3,7 @@ from weakget import weakget from testsuite.httpx.auth import HttpxOidcClientAuth +from testsuite.openshift.client import OpenShiftClient from testsuite.openshift.objects.api_key import APIKey from testsuite.openshift.objects.auth_config import AuthConfig from testsuite.objects import Authorino, Authorization, PreexistingAuthorino @@ -57,9 +58,9 @@ def client(authorization, envoy): @pytest.fixture(scope="module") def create_api_key(blame, request, openshift): """Creates API key Secret""" - def _create_secret(name, label_selector, api_key): + def _create_secret(name, label_selector, api_key, ocp: OpenShiftClient = openshift): secret_name = blame(name) - secret = APIKey.create_instance(openshift, secret_name, label_selector, api_key) + secret = APIKey.create_instance(ocp, secret_name, label_selector, api_key) request.addfinalizer(secret.delete) secret.commit() return secret_name diff --git a/testsuite/tests/kuadrant/authorino/identity/api_key/conftest.py b/testsuite/tests/kuadrant/authorino/identity/api_key/conftest.py index 7604a67d..3ecd1422 100644 --- a/testsuite/tests/kuadrant/authorino/identity/api_key/conftest.py +++ b/testsuite/tests/kuadrant/authorino/identity/api_key/conftest.py 
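Review bot: The new `ocp` parameter of `_create_secret` in `testsuite/tests/kuadrant/authorino/conftest.py` is undocumented, and the fixture docstring still reads as if the Secret is always created through the default client. A one-line docstring on the inner function would cover it: `"""Creates the API key Secret through ocp (defaults to the openshift fixture) and returns the generated Secret name"""`. It is worth stating that the return value is the blamed name and not the key, and that cleanup depends on the `request.addfinalizer(secret.delete)` call, since the cluster-wide tests pass a second client here.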
@@ -4,12 +4,6 @@ from testsuite.httpx.auth import HeaderApiKeyAuth -@pytest.fixture(scope="module") -def invalid_label_selector(): - """Label for API key secret that is different from the one specified in AuthConfig""" - return "invalid_api_label" - - @pytest.fixture(scope="module") def api_key(create_api_key, module_label): """Creates API key Secret""" @@ -24,6 +18,12 @@ def auth(api_key): return HeaderApiKeyAuth(api_key) +@pytest.fixture(scope="module") +def invalid_label_selector(): + """Label for API key secret that is different from the one specified in AuthConfig""" + return "invalid_api_label" + + @pytest.fixture(scope="module") def invalid_api_key(create_api_key, invalid_label_selector): """Creates API key Secret with label that does not match any of the labelSelectors defined by AuthConfig""" diff --git a/testsuite/tests/kuadrant/authorino/operator/clusterwide/test_all_namespace_api_key.py b/testsuite/tests/kuadrant/authorino/operator/clusterwide/test_all_namespace_api_key.py new file mode 100644 index 00000000..ef24cfce --- /dev/null +++ b/testsuite/tests/kuadrant/authorino/operator/clusterwide/test_all_namespace_api_key.py 
@@ -0,0 +1,60 @@
+"""
+Tests for API key identity for AuthConfig configured with all_namespaces=true for cluster-wide
+API key secret placement.
+"""
+import pytest
+
+from testsuite.httpx.auth import HeaderApiKeyAuth
+
+
+@pytest.fixture(scope="module")
+def api_key(create_api_key, module_label, openshift2):
+ """Creates API key Secret"""
+ api_key = "cluster_wide_api_key"
+ create_api_key("wide-api-key", module_label, api_key, openshift2)
+ return api_key
+
+
+@pytest.fixture(scope="module")
+def auth(api_key):
+ """Valid API Key Auth"""
+ return HeaderApiKeyAuth(api_key)
+
+
+@pytest.fixture(scope="module")
+def invalid_label_selector():
+ """Label for API key secret that is different from the one specified in AuthConfig"""
+ return "invalid_api_label"
+
+
+@pytest.fixture(scope="module")
+def invalid_api_key(create_api_key, invalid_label_selector, openshift2):
+ """Creates API key Secret with label that does not match any of the labelSelectors defined by AuthConfig"""
+ api_key = "invalid_api_key"
+ create_api_key("invalid-api-key", invalid_label_selector, api_key, openshift2)
+ return api_key
+
+
+@pytest.fixture(scope="module")
+def invalid_auth(invalid_api_key):
+ """Invalid key Auth"""
+ return HeaderApiKeyAuth(invalid_api_key)
+
+
+@pytest.fixture(scope="module")
+def authorization(authorization, module_label):
+ """Creates AuthConfig with API key identity"""
+ authorization.add_api_key_identity("api_key", all_namespaces=True, match_label=module_label)
+ return authorization
+
+
+def test_correct_auth(client, auth):
+ """Tests request with correct API key"""
+ response = client.get("/get", auth=auth)
+ assert response.status_code == 200
+
+
+def test_invalid_api_key(client, invalid_auth):
+ """Tests request with wrong API key"""
+ response = client.get("/get", auth=invalid_auth)
+ assert response.status_code == 401
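Review bot: The module never exercises the isolation boundary that `all_namespaces` controls: both tests run against an AuthConfig built with `all_namespaces=True`, so nothing here would fail if Secrets created through `openshift2` were accepted regardless of the flag. A sibling module whose `authorization` fixture calls `authorization.add_api_key_identity("api_key", match_label=module_label)` and asserts 401 for the key created through `openshift2` would pin the default behaviour, assuming `openshift2` points at a different namespace than the AuthConfig. Separately, the docstring of `test_invalid_api_key` says "wrong API key", while the fixtures show the key is rejected because its Secret carries a non-matching label; `"""Tests request with an API key whose Secret label does not match the AuthConfig selector"""` would be more accurate.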