fix: enhance HelmRelease handling in realm subroutine and tests (#144)

* fix: enhance HelmRelease handling in realm subroutine and tests

* chore: change the implementation to make the invitation controller more idempotent

* fix: update GOLANGCI_LINT_VERSION to v2.5.0 and improve error handling in invite subroutine

Author: aaronschweig

Taskfile.yaml

@@ -8,7 +8,7 @@ vars:
   CRD_DIRECTORY: config/crd/bases
   KCP_APIGEN_VERSION: v0.21.0
   KCP_VERSION: 0.26.1
-  GOLANGCI_LINT_VERSION: v2.4.0
+  GOLANGCI_LINT_VERSION: v2.5.0
   GOARCH:
     sh: go env GOARCH
   GOOS:

internal/subroutine/authorization_model_test.go

@@ -220,7 +220,7 @@ func TestAuthorizationModelProcess(t *testing.T) {
 						Contents: extensionModel,
 					},
 					{
-						Name:     "internal_core_types_namespaces.fga",
+						Name: "internal_core_types_namespaces.fga",
 						Contents: `module namespaces
 
 extend type core_platform-mesh_io_account

internal/subroutine/invite/subroutine.go

@@ -43,6 +43,11 @@ type keycloakUser struct {
 	Enabled         bool     `json:"enabled,omitempty"`
 }
 
+type keycloakClient struct {
+	ID       string `json:"id,omitempty"`
+	ClientID string `json:"clientId,omitempty"`
+}
+
 func New(ctx context.Context, cfg *config.Config, mgr mcmanager.Manager, pwd string) (*subroutine, error) {
 
 	issuer := fmt.Sprintf("%s/realms/master", cfg.Invite.KeycloakBaseURL)
@@ -181,6 +186,33 @@ func (s *subroutine) Process(ctx context.Context, instance runtimeobject.Runtime
 
 	log.Debug().Str("email", invite.Spec.Email).Str("id", newUser.ID).Msg("User created")
 
+	clientQueryParams := url.Values{
+		"clientId": {realm},
+	}
+
+	res, err = s.keycloak.Get(fmt.Sprintf("%s/admin/realms/%s/clients?%s", s.keycloakBaseURL, realm, clientQueryParams.Encode()))
+	if err != nil {
+		log.Err(err).Msg("Failed to verify client exists")
+		return ctrl.Result{}, errors.NewOperatorError(err, true, false)
+	}
+	defer res.Body.Close() //nolint:errcheck
+
+	if res.StatusCode != http.StatusOK {
+		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to verify client exists: %s", res.Status), true, false)
+	}
+
+	var clients []keycloakClient
+	if err = json.NewDecoder(res.Body).Decode(&clients); err != nil {
+		return ctrl.Result{}, errors.NewOperatorError(err, true, false)
+	}
+
+	if len(clients) == 0 {
+		log.Info().Str("clientId", realm).Msg("Client does not exist yet, requeuing")
+		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("client %s does not exist yet", realm), true, false)
+	}
+
+	log.Debug().Str("clientId", realm).Msg("Client verified")
+
 	queryParams := url.Values{
 		"redirect_uri": {fmt.Sprintf("https://%s.%s/", realm, s.baseDomain)},
 		"client_id":    {realm},

internal/subroutine/invite/subroutine_test.go

@@ -98,6 +98,15 @@ func TestSubroutineProcess(t *testing.T) {
 					user["id"] = "1234"
 					users = append(users, user)
 				})
+				mux.HandleFunc("GET /admin/realms/acme/clients", func(w http.ResponseWriter, r *http.Request) {
+					w.Header().Set("Content-Type", "application/json")
+					w.WriteHeader(http.StatusOK)
+					clients := []map[string]any{
+						{"id": "client-uuid", "clientId": "acme"},
+					}
+					err := json.NewEncoder(w).Encode(&clients)
+					assert.NoError(t, err)
+				})
 				mux.HandleFunc("PUT /admin/realms/acme/users/{id}/execute-actions-email", func(w http.ResponseWriter, r *http.Request) {
 					w.Header().Set("Content-Type", "application/json")
 					w.WriteHeader(http.StatusNoContent)
@@ -186,11 +195,130 @@ func TestSubroutineProcess(t *testing.T) {
 			},
 			expectErr: true,
 			setupK8sMocks: func(m *mocks.MockClient) {
-				// Simulate k8s Get failure (AccountInfo missing)
 				m.EXPECT().Get(mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(fmt.Errorf("accountinfo not found"))
 			},
 			setupKeycloakMocks: func(mux *http.ServeMux) {
-				// No Keycloak calls expected when AccountInfo fetch fails.
+			},
+		},
+		{
+			desc: "error verifying client (500 from Keycloak)",
+			obj: &v1alpha1.Invite{
+				Spec: v1alpha1.InviteSpec{
+					Email: "[email protected]",
+				},
+			},
+			expectErr: true,
+			setupK8sMocks: func(m *mocks.MockClient) {
+				m.EXPECT().Get(mock.Anything, mock.Anything, mock.Anything, mock.Anything).RunAndReturn(
+					func(ctx context.Context, nn types.NamespacedName, o client.Object, opts ...client.GetOption) error {
+						accountInfo := &accountsv1alpha1.AccountInfo{
+							Spec: accountsv1alpha1.AccountInfoSpec{
+								Organization: accountsv1alpha1.AccountLocation{
+									Name: "acme",
+								},
+							},
+						}
+						*o.(*accountsv1alpha1.AccountInfo) = *accountInfo
+						return nil
+					},
+				)
+			},
+			setupKeycloakMocks: func(mux *http.ServeMux) {
+				users := []map[string]any{}
+				mux.HandleFunc("GET /admin/realms/acme/users", func(w http.ResponseWriter, r *http.Request) {
+					w.Header().Set("Content-Type", "application/json")
+					w.WriteHeader(http.StatusOK)
+					err := json.NewEncoder(w).Encode(&users)
+					assert.NoError(t, err)
+				})
+				mux.HandleFunc("POST /admin/realms/acme/users", func(w http.ResponseWriter, r *http.Request) {
+					w.Header().Set("Content-Type", "application/json")
+					w.WriteHeader(http.StatusCreated)
+					user := map[string]any{}
+					err := json.NewDecoder(r.Body).Decode(&user)
+					assert.NoError(t, err)
+					user["id"] = "1234"
+					users = append(users, user)
+				})
+				mux.HandleFunc("GET /admin/realms/acme/clients", func(w http.ResponseWriter, r *http.Request) {
+					w.WriteHeader(http.StatusInternalServerError)
+					_, _ = w.Write([]byte(`{"error":"boom"}`))
+				})
+			},
+		},
+		{
+			desc: "client does not exist yet, should requeue",
+			obj: &v1alpha1.Invite{
+				Spec: v1alpha1.InviteSpec{
+					Email: "[email protected]",
+				},
+			},
+			expectErr: true,
+			setupK8sMocks: func(m *mocks.MockClient) {
+				m.EXPECT().Get(mock.Anything, mock.Anything, mock.Anything, mock.Anything).RunAndReturn(
+					func(ctx context.Context, nn types.NamespacedName, o client.Object, opts ...client.GetOption) error {
+						accountInfo := &accountsv1alpha1.AccountInfo{
+							Spec: accountsv1alpha1.AccountInfoSpec{
+								Organization: accountsv1alpha1.AccountLocation{
+									Name: "acme",
+								},
+							},
+						}
+						*o.(*accountsv1alpha1.AccountInfo) = *accountInfo
+						return nil
+					},
+				)
+			},
+			setupKeycloakMocks: func(mux *http.ServeMux) {
+				users := []map[string]any{}
+				mux.HandleFunc("GET /admin/realms/acme/users", func(w http.ResponseWriter, r *http.Request) {
+					w.Header().Set("Content-Type", "application/json")
+					w.WriteHeader(http.StatusOK)
+					err := json.NewEncoder(w).Encode(&users)
+					assert.NoError(t, err)
+				})
+				mux.HandleFunc("POST /admin/realms/acme/users", func(w http.ResponseWriter, r *http.Request) {
+					w.Header().Set("Content-Type", "application/json")
+					w.WriteHeader(http.StatusCreated)
+					user := map[string]any{}
+					err := json.NewDecoder(r.Body).Decode(&user)
+					assert.NoError(t, err)
+					user["id"] = "1234"
+					users = append(users, user)
+				})
+				mux.HandleFunc("GET /admin/realms/acme/clients", func(w http.ResponseWriter, r *http.Request) {
+					w.Header().Set("Content-Type", "application/json")
+					w.WriteHeader(http.StatusOK)
+					clients := []map[string]any{}
+					err := json.NewEncoder(w).Encode(&clients)
+					assert.NoError(t, err)
+				})
+			},
+		},
+		{
+			desc: "organization name is empty in AccountInfo",
+			obj: &v1alpha1.Invite{
+				Spec: v1alpha1.InviteSpec{
+					Email: "[email protected]",
+				},
+			},
+			expectErr: true,
+			setupK8sMocks: func(m *mocks.MockClient) {
+				m.EXPECT().Get(mock.Anything, mock.Anything, mock.Anything, mock.Anything).RunAndReturn(
+					func(ctx context.Context, nn types.NamespacedName, o client.Object, opts ...client.GetOption) error {
+						accountInfo := &accountsv1alpha1.AccountInfo{
+							Spec: accountsv1alpha1.AccountInfoSpec{
+								Organization: accountsv1alpha1.AccountLocation{
+									Name: "",
+								},
+							},
+						}
+						*o.(*accountsv1alpha1.AccountInfo) = *accountInfo
+						return nil
+					},
+				)
+			},
+			setupKeycloakMocks: func(mux *http.ServeMux) {
 			},
 		},
 	}