openshift · ShazaAldawamneh · May 2, 2025 · May 6, 2025 · May 9, 2025
diff --git a/config/v1/tests/authentications.config.openshift.io/ExternalOIDCAuthConfig.yaml b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCAuthConfig.yaml
@@ -0,0 +1,330 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "Authentication"
+crdName: authentications.config.openshift.io
+featureGates:
+- ExternalOIDCWithNewAuthConfigFields
+tests:
+  onCreate:
+    # DiscoveryURL Tests
+    - name: Valid discoveryURL
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: TokenIssuer
+        spec:
+          issuerURL: https://auth.example.com/
+          audiences: ['openshift-aud']
+          discoveryURL: https://auth.example.com/.well-known/openid-configuration
+
+    - name: discoveryURL must be a valid URL
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: TokenIssuer
+        spec:
+          issuerURL: https://auth.example.com/
+          audiences: ['openshift-aud']
+          discoveryURL: not-a-valid-url
+      error: "discoveryURL must be a valid URL"
+
+    - name: discoveryURL must not contain user info
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: TokenIssuer
+        spec:
+          issuerURL: https://auth.example.com/
+          audiences: ['openshift-aud']
+          discoveryURL: https://user:[email protected]/
+      error: "discoveryURL must not contain user info"
+
+    - name: discoveryURL exceeds max length
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: TokenIssuer
+        spec:
+          issuerURL: https://auth.example.com/
+          audiences: ['openshift-aud']
+          discoveryURL: "https://auth.example.com/$(printf 'a%.0s' {1..2050})"
+      error: "discoveryURL: Too long"
+
+    - name: discoveryURL must not contain fragment
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: TokenIssuer
+        spec:
+          issuerURL: https://auth.example.com/
+          audiences: ['openshift-aud']
+          discoveryURL: https://auth.example.com/#fragment
+      error: "discoveryURL must not contain a fragment"
+
+    - name: discoveryURL must use https
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: TokenIssuer
+        spec:
+          issuerURL: https://auth.example.com/
+          audiences: ['openshift-aud']
+          discoveryURL: http://auth.example.com/invalid
+      error: "discoveryURL must use https scheme"
+
+    - name: discoveryURL must not contain query
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: TokenIssuer
+        spec:
+          issuerURL: https://auth.example.com/
+          audiences: ['openshift-aud']
+          discoveryURL: https://auth.example.com/path?foo=bar
+      error: "discoveryURL must not contain query parameters"
+
+    - name: discoveryURL must be different from URL
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: TokenIssuer
+        spec:
+          issuerURL: https://auth.example.com/
+          audiences: ['openshift-aud']
+          discoveryURL: https://auth.example.com/
+      error: "discoveryURL must be different from URL"
+
+    # AudienceMatchPolicy Tests
+
+    - name: Valid AudienceMatchPolicy
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: TokenIssuer
+        spec:
+          issuerURL: https://auth.example.com
+          audiences: ['openshift-aud']
+          audienceMatchPolicy: MatchAny
+
+    - name: Invalid AudienceMatchPolicy
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: TokenIssuer
+        spec:
+          issuerURL: https://auth.example.com
+          audiences: ['openshift-aud']
+          audienceMatchPolicy: InvalidPolicy
+      error: "audienceMatchPolicy: Unsupported value"
+
+    # TokenClaimValidationRule Tests
+    - name: Valid RequiredClaim rule
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://auth.example.com
+              audiences: ['openshift-aud']
+            claimValidationRules:
+              - type: RequiredClaim
+                requiredClaim:
+                  claim: "role"
+                  requiredValue: "admin"
+
+    - name: Missing requiredClaim when type is RequiredClaim
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://auth.example.com
+              audiences: ['openshift-aud']
+            claimValidationRules:
+              - type: RequiredClaim
+      expectedError: "requiredClaim must be set when type is 'RequiredClaim'"
+
+    - name: Valid ExpressionRule configuration
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimValidationRules:
+              - type: Expression
+                expressionRule:
+                  expression: "claims.email.endsWith('@example.com')"
+                  message: "email must be from example.com"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimValidationRules:
+              - type: Expression
+                expressionRule:
+                  expression: "claims.email.endsWith('@example.com')"
+                  message: "email must be from example.com"
+
+    - name: Missing expressionRule for Expression type
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimValidationRules:
+              - type: Expression
+      expectedError: "expressionRule must be set when type is 'Expression', and forbidden otherwise"
+
+    - name: Expression too long
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimValidationRules:
+              - type: Expression
+                expressionRule:
+                  expression: "{{longExpression}}"
+      replacements:
+        longExpression: "{{'x' * 5000}}"
+      expectedError: "expression: Too long: must have at most 4096 characters"
+
+    - name: Empty expression in expressionRule
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimValidationRules:
+              - type: Expression
+                expressionRule:
+                  expression: ""
+                  message: "must not be empty"
+      expectedError: "expression: Invalid value: \"\": validation failed: value length must be at least 1"
+
+    # TokenUserValidationRule Tests
+
+    - name: Valid TokenUserValidationRule with expression and message
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+            - name: myoidc
+              issuer:
+                issuerURL: https://meh.tld
+                audiences: ['openshift-aud']
+              userValidationRules:
+                - expression: "user.username.startsWith('admin')"
+                  message: "Only admin users are allowed"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+            - name: myoidc
+              issuer:
+                issuerURL: https://meh.tld
+                audiences: ['openshift-aud']
+              userValidationRules:
+                - expression: "user.username.startsWith('admin')"
+                  message: "Only admin users are allowed"
+
+    - name: Missing expression in TokenUserValidationRule
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+            - name: myoidc
+              issuer:
+                issuerURL: https://meh.tld
+                audiences: ['openshift-aud']
+              userValidationRules:
+                - message: "Should never reach here"
+      expectedError: "expression: Required value"
+
+    - name: Expression too long in TokenUserValidationRule
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+            - name: myoidc
+              issuer:
+                issuerURL: https://meh.tld
+                audiences: ['openshift-aud']
+              userValidationRules:
+                - expression: "{{longExpression}}"
+                  message: "This expression is too long"
+      replacements:
+        longExpression: "{{'x' * 5000}}"
+      expectedError: "expression: Too long: must have at most 4096 characters"
+
+    - name: Empty expression in TokenUserValidationRule
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+            - name: myoidc
+              issuer:
+                issuerURL: https://meh.tld
+                audiences: ['openshift-aud']
+              userValidationRules:
+                - expression: ""
+                  message: "Empty expressions are invalid"
+      expectedError: "expression: Invalid value: \"\": validation failed: value length must be at least 1"
+
+    - name: Valid TokenUserValidationRule with expression only
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+            - name: myoidc
+              issuer:
+                issuerURL: https://meh.tld
+                audiences: ['openshift-aud']
+              userValidationRules:
+                - expression: "user.groups.exists(g, g == 'admins')"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+            - name: myoidc
+              issuer:
+                issuerURL: https://meh.tld
+                audiences: ['openshift-aud']
+              userValidationRules:
+                - expression: "user.groups.exists(g, g == 'admins')"
+