Add CEL validation to WorkspaceAuthenticationConfig

Signed-off-by: Nelo-T. Wallus <[email protected]>
Signed-off-by: Nelo-T. Wallus <[email protected]>

Author: ntnn

sdk/apis/tenancy/v1alpha1/types_workspaceauthentication.go

@@ -102,37 +102,59 @@ const (
 )
 
 // ClaimValidationRule provides the configuration for a single claim validation rule.
+// +kubebuilder:validation:XValidation:rule="has(self.claim) || has(self.expression)",message="either claim or expression must be specified"
+// +kubebuilder:validation:XValidation:rule="!(has(self.claim) && has(self.expression))",message="claim and expression cannot both be specified"
+// +kubebuilder:validation:XValidation:rule="(has(self.expression) && !has(self.requiredValue)) || (has(self.claim) && has(self.requiredValue))",message="requiredValue can only be specified when claim is specified"
+// +kubebuilder:validation:XValidation:rule="(has(self.expression) && has(self.message)) || (has(self.claim) && !has(self.message))",message="message can only be specified when expression is specified"
 type ClaimValidationRule struct {
-	Claim         string `json:"claim"`
-	RequiredValue string `json:"requiredValue"`
+	// +optional
+	// +kubebuilder:validation:MinLength=1
+	Claim string `json:"claim,omitempty"`
+	// +optional
+	// +kubebuilder:validation:MinLength=1
+	RequiredValue string `json:"requiredValue,omitempty"`
 
-	Expression string `json:"expression"`
-	Message    string `json:"message"`
+	// +optional
+	// +kubebuilder:validation:MinLength=1
+	Expression string `json:"expression,omitempty"`
+	// +optional
+	// +kubebuilder:validation:MinLength=1
+	Message string `json:"message,omitempty"`
 }
 
 // ClaimMappings provides the configuration for claim mapping.
 type ClaimMappings struct {
-	Username PrefixedClaimOrExpression `json:"username"`
-	Groups   PrefixedClaimOrExpression `json:"groups"`
+	Username PrefixedClaimOrExpression `json:"username,omitempty"`
+	Groups   PrefixedClaimOrExpression `json:"groups,omitempty"`
 	// +optional
 	UID ClaimOrExpression `json:"uid,omitempty"`
 	// +optional
 	Extra []ExtraMapping `json:"extra,omitempty"`
 }
 
 // PrefixedClaimOrExpression provides the configuration for a single prefixed claim or expression.
+// +kubebuilder:validation:XValidation:rule="has(self.claim) || has(self.expression)",message="either claim or expression must be specified"
+// +kubebuilder:validation:XValidation:rule="!(has(self.claim) && has(self.expression))",message="claim and expression cannot both be specified"
+// +kubebuilder:validation:XValidation:rule="!(has(self.prefix)) || has(self.claim)",message="prefix can only be specified when claim is specified"
 type PrefixedClaimOrExpression struct {
-	Claim string `json:"claim"`
+	// +optional
+	// +kubebuilder:validation:MinLength=1
+	Claim string `json:"claim,omitempty"`
 	// +optional
 	Prefix *string `json:"prefix,omitempty"`
 	// +optional
+	// +kubebuilder:validation:MinLength=1
 	Expression string `json:"expression,omitempty"`
 }
 
 // ClaimOrExpression provides the configuration for a single claim or expression.
+// +kubebuilder:validation:XValidation:rule="!(has(self.claim) && has(self.expression))",message="claim and expression cannot both be specified"
 type ClaimOrExpression struct {
-	Claim string `json:"claim"`
 	// +optional
+	// +kubebuilder:validation:MinLength=1
+	Claim string `json:"claim,omitempty"`
+	// +optional
+	// +kubebuilder:validation:MinLength=1
 	Expression string `json:"expression,omitempty"`
 }
 

test/e2e/authentication/workspace_test.go

@@ -30,6 +30,7 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/utils/ptr"
 
 	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
 	"github.com/kcp-dev/logicalcluster/v3"
@@ -419,6 +420,135 @@ func TestForbiddenSystemAccess(t *testing.T) {
 	}
 }
 
+func TestAcceptableWorkspaceAuthenticationConfigurations(t *testing.T) {
+	framework.Suite(t, "control-plane")
+
+	// start kcp and setup clients
+	server := kcptesting.SharedKcpServer(t)
+
+	wsPath, _ := kcptesting.NewWorkspaceFixture(t, server, logicalcluster.NewPath("root"), kcptesting.WithNamePrefix("oidc-acceptable"))
+
+	kcpConfig := server.BaseConfig(t)
+	kcpClusterClient, err := kcpclientset.NewForConfig(kcpConfig)
+	require.NoError(t, err)
+
+	testcases := map[string]struct {
+		authConfig    *tenancyv1alpha1.WorkspaceAuthenticationConfiguration
+		expectedError string
+	}{
+		"empty": {
+			authConfig:    &tenancyv1alpha1.WorkspaceAuthenticationConfiguration{},
+			expectedError: "spec.jwt: Required value",
+		},
+		"minimal-claim": {
+			authConfig: &tenancyv1alpha1.WorkspaceAuthenticationConfiguration{
+				Spec: tenancyv1alpha1.WorkspaceAuthenticationConfigurationSpec{
+					JWT: []tenancyv1alpha1.JWTAuthenticator{
+						{
+							Issuer: tenancyv1alpha1.Issuer{
+								URL: "https://example.com",
+							},
+							ClaimMappings: tenancyv1alpha1.ClaimMappings{
+								Username: tenancyv1alpha1.PrefixedClaimOrExpression{
+									Claim: "email",
+								},
+								Groups: tenancyv1alpha1.PrefixedClaimOrExpression{
+									Claim: "groups",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		"minimal-expression": {
+			authConfig: &tenancyv1alpha1.WorkspaceAuthenticationConfiguration{
+				Spec: tenancyv1alpha1.WorkspaceAuthenticationConfigurationSpec{
+					JWT: []tenancyv1alpha1.JWTAuthenticator{
+						{
+							Issuer: tenancyv1alpha1.Issuer{
+								URL: "https://example.com",
+							},
+							ClaimMappings: tenancyv1alpha1.ClaimMappings{
+								Username: tenancyv1alpha1.PrefixedClaimOrExpression{
+									Expression: "concat('oidc:', email)",
+								},
+								Groups: tenancyv1alpha1.PrefixedClaimOrExpression{
+									Expression: "groups",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		"claim-and-expression": {
+			authConfig: &tenancyv1alpha1.WorkspaceAuthenticationConfiguration{
+				Spec: tenancyv1alpha1.WorkspaceAuthenticationConfigurationSpec{
+					JWT: []tenancyv1alpha1.JWTAuthenticator{
+						{
+							Issuer: tenancyv1alpha1.Issuer{
+								URL: "https://example.com",
+							},
+							ClaimMappings: tenancyv1alpha1.ClaimMappings{
+								Username: tenancyv1alpha1.PrefixedClaimOrExpression{
+									Claim:      "email",
+									Expression: "concat('oidc:', email)",
+								},
+								Groups: tenancyv1alpha1.PrefixedClaimOrExpression{
+									Claim:      "roles",
+									Expression: "groups",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedError: "claim and expression cannot both be specified",
+		},
+		"expression-and-prefix": {
+			authConfig: &tenancyv1alpha1.WorkspaceAuthenticationConfiguration{
+				Spec: tenancyv1alpha1.WorkspaceAuthenticationConfigurationSpec{
+					JWT: []tenancyv1alpha1.JWTAuthenticator{
+						{
+							Issuer: tenancyv1alpha1.Issuer{
+								URL: "https://example.com",
+							},
+							ClaimMappings: tenancyv1alpha1.ClaimMappings{
+								Username: tenancyv1alpha1.PrefixedClaimOrExpression{
+									Prefix:     ptr.To("random-prefix:"),
+									Expression: "concat('oidc:', email)",
+								},
+								Groups: tenancyv1alpha1.PrefixedClaimOrExpression{
+									Prefix:     ptr.To("group-random-prefix:"),
+									Expression: "groups",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedError: "prefix can only be specified when claim is specified",
+		},
+	}
+
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			t.Logf("Creating WorkspaceAuthenticationConfguration %s...", name)
+			tc.authConfig.Name = name
+			_, err := kcpClusterClient.Cluster(wsPath).TenancyV1alpha1().WorkspaceAuthenticationConfigurations().Create(t.Context(), tc.authConfig, metav1.CreateOptions{})
+			if tc.expectedError != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.expectedError)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
 func createWorkspaceAuthentication(t *testing.T, ctx context.Context, client kcpclientset.ClusterInterface, workspace logicalcluster.Path, mock *mockoidc.MockOIDC, ca *crypto.CA) string {
 	name := fmt.Sprintf("mockoidc-%d", rand.Int())