[OIDC] Update issuerURI validation logic (#186)

anandsyncs · web-flow · commit 5e913db7480d · 2025-06-12T17:08:31.000+02:00
# Summary

This pull request updates the validation logic for MongoDB versions in
OIDC provider issuerURI validation and modifies corresponding test cases
to reflect the changes. The main focus is on removing support for
specific MongoDB 7.x versions in the duplicate issuer validation logic,
ensuring compatibility with MongoDB 8.0+ only.


## Proof of Work

New tests pass
diff --git a/api/v1/mdb/mongodb_types.go b/api/v1/mdb/mongodb_types.go
@@ -1071,7 +1071,7 @@ type OIDCProviderConfig struct {
 
 	// Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
 	// Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-	// For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+	// For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
 	// For other MongoDB versions, the issuerURI itself must be unique.
 	// +kubebuilder:validation:Required
 	IssuerURI string `json:"issuerURI"`
diff --git a/api/v1/mdb/mongodb_validation.go b/api/v1/mdb/mongodb_validation.go
@@ -2,6 +2,7 @@ package mdb
 
 import (
 	"errors"
+	"strconv"
 	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -150,18 +151,18 @@ func oidcProviderConfigUniqueIssuerURIValidation(configs []OIDCProviderConfig) f
 			return v1.ValidationSuccess()
 		}
 
-		// Check if version supports duplicate issuers (7.0, 7.3, or 8.0+)
+		// Check if version supports duplicate issuers (8.0+)
 		versionParts := strings.Split(strings.TrimSuffix(d.Version, "-ent"), ".")
-		supportsMultipleIssuers := false
-		if len(versionParts) >= 2 {
+		supportsMultipleIssuerURIs := false
+		if len(versionParts) >= 1 {
 			major := versionParts[0]
-			minor := versionParts[1]
-			if major == "8" || (major == "7" && (minor == "0" || minor == "3")) {
-				supportsMultipleIssuers = true
+			majorVersion, err := strconv.Atoi(major)
+			if err == nil && majorVersion >= 8 {
+				supportsMultipleIssuerURIs = true
 			}
 		}
 
-		if supportsMultipleIssuers {
+		if supportsMultipleIssuerURIs {
 			// Track issuer+audience combinations
 			issuerAudienceCombos := make(map[string]string)
 			for _, config := range configs {
diff --git a/api/v1/mdb/mongodb_validation_test.go b/api/v1/mdb/mongodb_validation_test.go
@@ -506,8 +506,8 @@ func TestOIDCProviderConfigUniqueIssuerURIValidation(t *testing.T) {
 		expectedResult v1.ValidationResult
 	}{
 		{
-			name:         "MongoDB 6.0 with duplicate issuer URIs - error",
-			mongoVersion: "6.0.0",
+			name:         "MongoDB 7.0.11 with duplicate issuer URIs - error",
+			mongoVersion: "7.0.11",
 			configs: []OIDCProviderConfig{
 				{
 					ConfigurationName: "config1",
@@ -524,25 +524,8 @@ func TestOIDCProviderConfigUniqueIssuerURIValidation(t *testing.T) {
 				"config1", "config2", "https://provider.com"),
 		},
 		{
-			name:         "MongoDB 7.0 with unique issuer+audience combinations",
-			mongoVersion: "7.0.0",
-			configs: []OIDCProviderConfig{
-				{
-					ConfigurationName: "config1",
-					IssuerURI:         "https://provider.com",
-					Audience:          "audience1",
-				},
-				{
-					ConfigurationName: "config2",
-					IssuerURI:         "https://provider.com",
-					Audience:          "audience2",
-				},
-			},
-			expectedResult: v1.ValidationSuccess(),
-		},
-		{
-			name:         "MongoDB 7.0 with duplicate issuer+audience combinations - warning",
-			mongoVersion: "7.0.0",
+			name:         "MongoDB 8.0 with duplicate issuer+audience combinations - warning",
+			mongoVersion: "8.0.0",
 			configs: []OIDCProviderConfig{
 				{
 					ConfigurationName: "config1",
@@ -558,23 +541,6 @@ func TestOIDCProviderConfigUniqueIssuerURIValidation(t *testing.T) {
 			expectedResult: v1.ValidationWarning("OIDC provider configs %q and %q have duplicate IssuerURI and Audience combination",
 				"config1", "config2"),
 		},
-		{
-			name:         "MongoDB 7.3 with unique issuer+audience combinations",
-			mongoVersion: "7.3.0",
-			configs: []OIDCProviderConfig{
-				{
-					ConfigurationName: "config1",
-					IssuerURI:         "https://provider.com",
-					Audience:          "audience1",
-				},
-				{
-					ConfigurationName: "config2",
-					IssuerURI:         "https://provider.com",
-					Audience:          "audience2",
-				},
-			},
-			expectedResult: v1.ValidationSuccess(),
-		},
 		{
 			name:         "MongoDB 8.0 with unique issuer+audience combinations",
 			mongoVersion: "8.0.0",
@@ -594,16 +560,16 @@ func TestOIDCProviderConfigUniqueIssuerURIValidation(t *testing.T) {
 		},
 		{
 			name:         "MongoDB enterprise version with -ent suffix",
-			mongoVersion: "7.0.0-ent",
+			mongoVersion: "7.0.11-ent",
 			configs: []OIDCProviderConfig{
 				{
 					ConfigurationName: "config1",
-					IssuerURI:         "https://provider.com",
+					IssuerURI:         "https://provider-1.com",
 					Audience:          "audience1",
 				},
 				{
 					ConfigurationName: "config2",
-					IssuerURI:         "https://provider.com",
+					IssuerURI:         "https://provider-2.com",
 					Audience:          "audience2",
 				},
 			},
diff --git a/config/crd/bases/mongodb.com_mongodb.yaml b/config/crd/bases/mongodb.com_mongodb.yaml
@@ -1573,7 +1573,7 @@ spec:
                               description: |-
                                 Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                 Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                 For other MongoDB versions, the issuerURI itself must be unique.
                               type: string
                             requestedScopes:
diff --git a/config/crd/bases/mongodb.com_mongodbmulticluster.yaml b/config/crd/bases/mongodb.com_mongodbmulticluster.yaml
@@ -833,7 +833,7 @@ spec:
                               description: |-
                                 Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                 Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                 For other MongoDB versions, the issuerURI itself must be unique.
                               type: string
                             requestedScopes:
diff --git a/config/crd/bases/mongodb.com_opsmanagers.yaml b/config/crd/bases/mongodb.com_opsmanagers.yaml
@@ -895,7 +895,7 @@ spec:
                                   description: |-
                                     Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                     Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                    For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                    For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                     For other MongoDB versions, the issuerURI itself must be unique.
                                   type: string
                                 requestedScopes:
diff --git a/helm_chart/crds/mongodb.com_mongodb.yaml b/helm_chart/crds/mongodb.com_mongodb.yaml
@@ -1573,7 +1573,7 @@ spec:
                               description: |-
                                 Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                 Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                 For other MongoDB versions, the issuerURI itself must be unique.
                               type: string
                             requestedScopes:
diff --git a/helm_chart/crds/mongodb.com_mongodbmulticluster.yaml b/helm_chart/crds/mongodb.com_mongodbmulticluster.yaml
@@ -833,7 +833,7 @@ spec:
                               description: |-
                                 Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                 Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                 For other MongoDB versions, the issuerURI itself must be unique.
                               type: string
                             requestedScopes:
diff --git a/helm_chart/crds/mongodb.com_opsmanagers.yaml b/helm_chart/crds/mongodb.com_opsmanagers.yaml
@@ -895,7 +895,7 @@ spec:
                                   description: |-
                                     Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                     Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                    For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                    For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                     For other MongoDB versions, the issuerURI itself must be unique.
                                   type: string
                                 requestedScopes:
diff --git a/public/crds.yaml b/public/crds.yaml
@@ -1573,7 +1573,7 @@ spec:
                               description: |-
                                 Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                 Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                 For other MongoDB versions, the issuerURI itself must be unique.
                               type: string
                             requestedScopes:
@@ -4208,7 +4208,7 @@ spec:
                               description: |-
                                 Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                 Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                 For other MongoDB versions, the issuerURI itself must be unique.
                               type: string
                             requestedScopes:
@@ -5854,7 +5854,7 @@ spec:
                                   description: |-
                                     Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                     Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                    For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                    For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                     For other MongoDB versions, the issuerURI itself must be unique.
                                   type: string
                                 requestedScopes:
