
Commit a42cd21

Merge pull request #2409 from everettraven/improve/oidc-validations
CNTRLPLANE-368: improve OIDC field validations for Authentication resources
2 parents 3315d66 + 2cfc921 commit a42cd21


21 files changed

+816
-130
lines changed


config/v1/tests/authentications.config.openshift.io/ExternalOIDC.yaml

Lines changed: 470 additions & 0 deletions

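--- a/config/v1/types_authentication.go
+++ b/config/v1/types_authentication.go
@@ -91,6 +91,7 @@ type AuthenticationSpec struct {
 // +kubebuilder:validation:MaxItems=1
 // +openshift:enable:FeatureGate=ExternalOIDC
 // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+// +optional
 OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`
 }
 
@@ -253,9 +254,16 @@ type TokenIssuer struct {
 // The Kubernetes API server determines how authentication tokens should be handled
 // by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 //
-// issuerURL must use the 'https' scheme.
+// Must be at least 1 character and must not exceed 512 characters in length.
+// Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
 //
-// +kubebuilder:validation:Pattern=`^https:\/\/[^\s]`
+// +kubebuilder:validation:XValidation:rule="isURL(self)",message="must be a valid URL"
+// +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getScheme() == 'https'",message="must use the 'https' scheme"
+// +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getQuery() == {}",message="must not have a query"
+// +kubebuilder:validation:XValidation:rule="self.find('#(.+)$') == ''",message="must not have a fragment"
+// +kubebuilder:validation:XValidation:rule="self.find('@') == ''",message="must not have user info"
+// +kubebuilder:validation:MaxLength=512
+// +kubebuilder:validation:MinLength=1
 // +required
 URL string `json:"issuerURL"`
 
@@ -320,10 +328,10 @@ type TokenClaimMappings struct {
 // used to construct the extra attribute for the cluster identity.
 // When omitted, no extra attributes will be present on the cluster identity.
 // key values for extra mappings must be unique.
-// A maximum of 64 extra attribute mappings may be provided.
+// A maximum of 32 extra attribute mappings may be provided.
 //
 // +optional
-// +kubebuilder:validation:MaxItems=64
+// +kubebuilder:validation:MaxItems=32
 // +listType=map
 // +listMapKey=key
 // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
@@ -375,10 +383,10 @@ type TokenClaimOrExpressionMapping struct {
 // Precisely one of claim or expression must be set.
 // expression must not be specified when claim is set.
 // When specified, expression must be at least 1 character in length
-// and must not exceed 4096 characters in length.
+// and must not exceed 1024 characters in length.
 //
 // +optional
-// +kubebuilder:validation:MaxLength=4096
+// +kubebuilder:validation:MaxLength=1024
 // +kubebuilder:validation:MinLength=1
 Expression string `json:"expression,omitempty"`
 }
@@ -437,12 +445,12 @@ type ExtraMapping struct {
 // For example, the 'sub' claim value can be accessed as 'claims.sub'.
 // Nested claims can be accessed using dot notation ('claims.foo.bar').
 //
-// valueExpression must not exceed 4096 characters in length.
+// valueExpression must not exceed 1024 characters in length.
 // valueExpression must not be empty.
 //
 // +required
 // +kubebuilder:validation:MinLength=1
-// +kubebuilder:validation:MaxLength=4096
+// +kubebuilder:validation:MaxLength=1024
 ValueExpression string `json:"valueExpression"`
 }
 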
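Review bot: The new XValidation rules on `URL` in the `@@ -253,9 +254,16 @@` hunk never require a host, so a value like `https:///path` appears to satisfy every rule (Go's url.Parse, which the CEL isURL/url functions are built on, accepts an empty authority) and would presumably only surface as an issuer that no token's 'iss' claim can ever match. Consider adding `// +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getHostname() != ''",message="must have a non-empty host"` next to the scheme rule. The fragment rule `self.find('#(.+)$') == ''` also lets a bare trailing `#` through, while the user-info rule `self.find('@') == ''` rejects an `@` anywhere in the string including the path; `self.find('#') == ''` would make the two rules consistent and fail closed, and the user-info message could say so. The TokenIssuer struct that owns this field begins before the hunk.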

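--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml
@@ -89,7 +89,7 @@ spec:
 used to construct the extra attribute for the cluster identity.
 When omitted, no extra attributes will be present on the cluster identity.
 key values for extra mappings must be unique.
-A maximum of 64 extra attribute mappings may be provided.
+A maximum of 32 extra attribute mappings may be provided.
 items:
 description: |-
 ExtraMapping allows specifying a key and CEL expression
@@ -170,16 +170,16 @@ spec:
 For example, the 'sub' claim value can be accessed as 'claims.sub'.
 Nested claims can be accessed using dot notation ('claims.foo.bar').
 
-valueExpression must not exceed 4096 characters in length.
+valueExpression must not exceed 1024 characters in length.
 valueExpression must not be empty.
-maxLength: 4096
+maxLength: 1024
 minLength: 1
 type: string
 required:
 - key
 - valueExpression
 type: object
-maxItems: 64
+maxItems: 32
 type: array
 x-kubernetes-list-map-keys:
 - key
@@ -255,8 +255,8 @@ spec:
 Precisely one of claim or expression must be set.
 expression must not be specified when claim is set.
 When specified, expression must be at least 1 character in length
-and must not exceed 4096 characters in length.
-maxLength: 4096
+and must not exceed 1024 characters in length.
+maxLength: 1024
 minLength: 1
 type: string
 type: object
@@ -441,9 +441,22 @@ spec:
 The Kubernetes API server determines how authentication tokens should be handled
 by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-issuerURL must use the 'https' scheme.
-pattern: ^https:\/\/[^\s]
+Must be at least 1 character and must not exceed 512 characters in length.
+Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+maxLength: 512
+minLength: 1
 type: string
+x-kubernetes-validations:
+- message: must be a valid URL
+rule: isURL(self)
+- message: must use the 'https' scheme
+rule: isURL(self) && url(self).getScheme() == 'https'
+- message: must not have a query
+rule: isURL(self) && url(self).getQuery() == {}
+- message: must not have a fragment
+rule: self.find('#(.+)$') == ''
+- message: must not have user info
+rule: self.find('@') == ''
 required:
 - audiences
 - issuerURL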

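--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml
@@ -290,9 +290,22 @@ spec:
 The Kubernetes API server determines how authentication tokens should be handled
 by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-issuerURL must use the 'https' scheme.
-pattern: ^https:\/\/[^\s]
+Must be at least 1 character and must not exceed 512 characters in length.
+Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+maxLength: 512
+minLength: 1
 type: string
+x-kubernetes-validations:
+- message: must be a valid URL
+rule: isURL(self)
+- message: must use the 'https' scheme
+rule: isURL(self) && url(self).getScheme() == 'https'
+- message: must not have a query
+rule: isURL(self) && url(self).getQuery() == {}
+- message: must not have a fragment
+rule: self.find('#(.+)$') == ''
+- message: must not have user info
+rule: self.find('@') == ''
 required:
 - audiences
 - issuerURL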

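--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml
@@ -89,7 +89,7 @@ spec:
 used to construct the extra attribute for the cluster identity.
 When omitted, no extra attributes will be present on the cluster identity.
 key values for extra mappings must be unique.
-A maximum of 64 extra attribute mappings may be provided.
+A maximum of 32 extra attribute mappings may be provided.
 items:
 description: |-
 ExtraMapping allows specifying a key and CEL expression
@@ -170,16 +170,16 @@ spec:
 For example, the 'sub' claim value can be accessed as 'claims.sub'.
 Nested claims can be accessed using dot notation ('claims.foo.bar').
 
-valueExpression must not exceed 4096 characters in length.
+valueExpression must not exceed 1024 characters in length.
 valueExpression must not be empty.
-maxLength: 4096
+maxLength: 1024
 minLength: 1
 type: string
 required:
 - key
 - valueExpression
 type: object
-maxItems: 64
+maxItems: 32
 type: array
 x-kubernetes-list-map-keys:
 - key
@@ -255,8 +255,8 @@ spec:
 Precisely one of claim or expression must be set.
 expression must not be specified when claim is set.
 When specified, expression must be at least 1 character in length
-and must not exceed 4096 characters in length.
-maxLength: 4096
+and must not exceed 1024 characters in length.
+maxLength: 1024
 minLength: 1
 type: string
 type: object
@@ -441,9 +441,22 @@ spec:
 The Kubernetes API server determines how authentication tokens should be handled
 by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-issuerURL must use the 'https' scheme.
-pattern: ^https:\/\/[^\s]
+Must be at least 1 character and must not exceed 512 characters in length.
+Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+maxLength: 512
+minLength: 1
 type: string
+x-kubernetes-validations:
+- message: must be a valid URL
+rule: isURL(self)
+- message: must use the 'https' scheme
+rule: isURL(self) && url(self).getScheme() == 'https'
+- message: must not have a query
+rule: isURL(self) && url(self).getQuery() == {}
+- message: must not have a fragment
+rule: self.find('#(.+)$') == ''
+- message: must not have user info
+rule: self.find('@') == ''
 required:
 - audiences
 - issuerURL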

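--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml
@@ -89,7 +89,7 @@ spec:
 used to construct the extra attribute for the cluster identity.
 When omitted, no extra attributes will be present on the cluster identity.
 key values for extra mappings must be unique.
-A maximum of 64 extra attribute mappings may be provided.
+A maximum of 32 extra attribute mappings may be provided.
 items:
 description: |-
 ExtraMapping allows specifying a key and CEL expression
@@ -170,16 +170,16 @@ spec:
 For example, the 'sub' claim value can be accessed as 'claims.sub'.
 Nested claims can be accessed using dot notation ('claims.foo.bar').
 
-valueExpression must not exceed 4096 characters in length.
+valueExpression must not exceed 1024 characters in length.
 valueExpression must not be empty.
-maxLength: 4096
+maxLength: 1024
 minLength: 1
 type: string
 required:
 - key
 - valueExpression
 type: object
-maxItems: 64
+maxItems: 32
 type: array
 x-kubernetes-list-map-keys:
 - key
@@ -255,8 +255,8 @@ spec:
 Precisely one of claim or expression must be set.
 expression must not be specified when claim is set.
 When specified, expression must be at least 1 character in length
-and must not exceed 4096 characters in length.
-maxLength: 4096
+and must not exceed 1024 characters in length.
+maxLength: 1024
 minLength: 1
 type: string
 type: object
@@ -441,9 +441,22 @@ spec:
 The Kubernetes API server determines how authentication tokens should be handled
 by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-issuerURL must use the 'https' scheme.
-pattern: ^https:\/\/[^\s]
+Must be at least 1 character and must not exceed 512 characters in length.
+Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+maxLength: 512
+minLength: 1
 type: string
+x-kubernetes-validations:
+- message: must be a valid URL
+rule: isURL(self)
+- message: must use the 'https' scheme
+rule: isURL(self) && url(self).getScheme() == 'https'
+- message: must not have a query
+rule: isURL(self) && url(self).getQuery() == {}
+- message: must not have a fragment
+rule: self.find('#(.+)$') == ''
+- message: must not have user info
+rule: self.find('@') == ''
 required:
 - audiences
 - issuerURL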

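--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml
@@ -89,7 +89,7 @@ spec:
 used to construct the extra attribute for the cluster identity.
 When omitted, no extra attributes will be present on the cluster identity.
 key values for extra mappings must be unique.
-A maximum of 64 extra attribute mappings may be provided.
+A maximum of 32 extra attribute mappings may be provided.
 items:
 description: |-
 ExtraMapping allows specifying a key and CEL expression
@@ -170,16 +170,16 @@ spec:
 For example, the 'sub' claim value can be accessed as 'claims.sub'.
 Nested claims can be accessed using dot notation ('claims.foo.bar').
 
-valueExpression must not exceed 4096 characters in length.
+valueExpression must not exceed 1024 characters in length.
 valueExpression must not be empty.
-maxLength: 4096
+maxLength: 1024
 minLength: 1
 type: string
 required:
 - key
 - valueExpression
 type: object
-maxItems: 64
+maxItems: 32
 type: array
 x-kubernetes-list-map-keys:
 - key
@@ -255,8 +255,8 @@ spec:
 Precisely one of claim or expression must be set.
 expression must not be specified when claim is set.
 When specified, expression must be at least 1 character in length
-and must not exceed 4096 characters in length.
-maxLength: 4096
+and must not exceed 1024 characters in length.
+maxLength: 1024
 minLength: 1
 type: string
 type: object
@@ -441,9 +441,22 @@ spec:
 The Kubernetes API server determines how authentication tokens should be handled
 by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-issuerURL must use the 'https' scheme.
-pattern: ^https:\/\/[^\s]
+Must be at least 1 character and must not exceed 512 characters in length.
+Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+maxLength: 512
+minLength: 1
 type: string
+x-kubernetes-validations:
+- message: must be a valid URL
+rule: isURL(self)
+- message: must use the 'https' scheme
+rule: isURL(self) && url(self).getScheme() == 'https'
+- message: must not have a query
+rule: isURL(self) && url(self).getQuery() == {}
+- message: must not have a fragment
+rule: self.find('#(.+)$') == ''
+- message: must not have user info
+rule: self.find('@') == ''
 required:
 - audiences
 - issuerURL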
