@@ -0,0 +1,330 @@
apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
name: "Authentication"
crdName: authentications.config.openshift.io
featureGates:
- ExternalOIDCWithNewAuthConfigFields
tests:
onCreate:
# DiscoveryURL Tests
- name: Valid discoveryURL
initial: |
apiVersion: config.openshift.io/v1
kind: TokenIssuer
spec:
issuerURL: https://auth.example.com/
audiences: ['openshift-aud']
discoveryURL: https://auth.example.com/.well-known/openid-configuration

- name: discoveryURL must be a valid URL
initial: |
apiVersion: config.openshift.io/v1
kind: TokenIssuer
spec:
issuerURL: https://auth.example.com/
audiences: ['openshift-aud']
discoveryURL: not-a-valid-url
error: "discoveryURL must be a valid URL"

- name: discoveryURL must not contain user info
initial: |
apiVersion: config.openshift.io/v1
kind: TokenIssuer
spec:
issuerURL: https://auth.example.com/
audiences: ['openshift-aud']
discoveryURL: https://user:[email protected]/
error: "discoveryURL must not contain user info"

- name: discoveryURL exceeds max length
initial: |
apiVersion: config.openshift.io/v1
kind: TokenIssuer
spec:
issuerURL: https://auth.example.com/
audiences: ['openshift-aud']
discoveryURL: "https://auth.example.com/$(printf 'a%.0s' {1..2050})"
error: "discoveryURL: Too long"

- name: discoveryURL must not contain fragment
initial: |
apiVersion: config.openshift.io/v1
kind: TokenIssuer
spec:
issuerURL: https://auth.example.com/
audiences: ['openshift-aud']
discoveryURL: https://auth.example.com/#fragment
error: "discoveryURL must not contain a fragment"

- name: discoveryURL must use https
initial: |
apiVersion: config.openshift.io/v1
kind: TokenIssuer
spec:
issuerURL: https://auth.example.com/
audiences: ['openshift-aud']
discoveryURL: http://auth.example.com/invalid
error: "discoveryURL must use https scheme"

- name: discoveryURL must not contain query
initial: |
apiVersion: config.openshift.io/v1
kind: TokenIssuer
spec:
issuerURL: https://auth.example.com/
audiences: ['openshift-aud']
discoveryURL: https://auth.example.com/path?foo=bar
error: "discoveryURL must not contain query parameters"

- name: discoveryURL must be different from URL
initial: |
apiVersion: config.openshift.io/v1
kind: TokenIssuer
spec:
issuerURL: https://auth.example.com/
audiences: ['openshift-aud']
discoveryURL: https://auth.example.com/
error: "discoveryURL must be different from URL"

# AudienceMatchPolicy Tests

- name: Valid AudienceMatchPolicy
initial: |
apiVersion: config.openshift.io/v1
kind: TokenIssuer
spec:
issuerURL: https://auth.example.com
audiences: ['openshift-aud']
audienceMatchPolicy: MatchAny

- name: Invalid AudienceMatchPolicy
initial: |
apiVersion: config.openshift.io/v1
kind: TokenIssuer
spec:
issuerURL: https://auth.example.com
audiences: ['openshift-aud']
audienceMatchPolicy: InvalidPolicy
error: "audienceMatchPolicy: Unsupported value"

# TokenClaimValidationRule Tests
- name: Valid RequiredClaim rule
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://auth.example.com
audiences: ['openshift-aud']
claimValidationRules:
- type: RequiredClaim
requiredClaim:
claim: "role"
requiredValue: "admin"

- name: Missing requiredClaim when type is RequiredClaim
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://auth.example.com
audiences: ['openshift-aud']
claimValidationRules:
- type: RequiredClaim
expectedError: "requiredClaim must be set when type is 'RequiredClaim'"

- name: Valid ExpressionRule configuration
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimValidationRules:
- type: Expression
expressionRule:
expression: "claims.email.endsWith('@example.com')"
message: "email must be from example.com"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimValidationRules:
- type: Expression
expressionRule:
expression: "claims.email.endsWith('@example.com')"
message: "email must be from example.com"

- name: Missing expressionRule for Expression type
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimValidationRules:
- type: Expression
expectedError: "expressionRule must be set when type is 'Expression', and forbidden otherwise"

- name: Expression too long
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimValidationRules:
- type: Expression
expressionRule:
expression: "{{longExpression}}"
replacements:
longExpression: "{{'x' * 5000}}"
expectedError: "expression: Too long: must have at most 4096 characters"

- name: Empty expression in expressionRule
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimValidationRules:
- type: Expression
expressionRule:
expression: ""
message: "must not be empty"
expectedError: "expression: Invalid value: \"\": validation failed: value length must be at least 1"

# TokenUserValidationRule Tests

- name: Valid TokenUserValidationRule with expression and message
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- expression: "user.username.startsWith('admin')"
message: "Only admin users are allowed"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- expression: "user.username.startsWith('admin')"
message: "Only admin users are allowed"

- name: Missing expression in TokenUserValidationRule
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- message: "Should never reach here"
expectedError: "expression: Required value"

- name: Expression too long in TokenUserValidationRule
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- expression: "{{longExpression}}"
message: "This expression is too long"
replacements:
longExpression: "{{'x' * 5000}}"
expectedError: "expression: Too long: must have at most 4096 characters"

- name: Empty expression in TokenUserValidationRule
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- expression: ""
message: "Empty expressions are invalid"
expectedError: "expression: Invalid value: \"\": validation failed: value length must be at least 1"

- name: Valid TokenUserValidationRule with expression only
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- expression: "user.groups.exists(g, g == 'admins')"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- expression: "user.groups.exists(g, g == 'admins')"
