config/authentication: oidc: tighten validation on CEL expression fields

as we discovered in openshift/kubernetes#2353 (comment)
that the current constraints are to loose and result
in excessive expression compile times when used up to
the limitations.

Signed-off-by: Bryce Palmer <[email protected]>

Author: everettraven

config/v1/types_authentication.go

@@ -320,10 +320,10 @@ type TokenClaimMappings struct {
 	// used to construct the extra attribute for the cluster identity.
 	// When omitted, no extra attributes will be present on the cluster identity.
 	// key values for extra mappings must be unique.
-	// A maximum of 64 extra attribute mappings may be provided.
+	// A maximum of 32 extra attribute mappings may be provided.
 	//
 	// +optional
-	// +kubebuilder:validation:MaxItems=64
+	// +kubebuilder:validation:MaxItems=32
 	// +listType=map
 	// +listMapKey=key
 	// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
@@ -375,10 +375,10 @@ type TokenClaimOrExpressionMapping struct {
 	// Precisely one of claim or expression must be set.
 	// expression must not be specified when claim is set.
 	// When specified, expression must be at least 1 character in length
-	// and must not exceed 4096 characters in length.
+	// and must not exceed 1024 characters in length.
 	//
 	// +optional
-	// +kubebuilder:validation:MaxLength=4096
+	// +kubebuilder:validation:MaxLength=1024
 	// +kubebuilder:validation:MinLength=1
 	Expression string `json:"expression,omitempty"`
 }
@@ -437,12 +437,12 @@ type ExtraMapping struct {
 	// For example, the 'sub' claim value can be accessed as 'claims.sub'.
 	// Nested claims can be accessed using dot notation ('claims.foo.bar').
 	//
-	// valueExpression must not exceed 4096 characters in length.
+	// valueExpression must not exceed 1024 characters in length.
 	// valueExpression must not be empty.
 	//
 	// +required
 	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:MaxLength=4096
+	// +kubebuilder:validation:MaxLength=1024
 	ValueExpression string `json:"valueExpression"`
 }
 

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml

@@ -89,7 +89,7 @@ spec:
                             used to construct the extra attribute for the cluster identity.
                             When omitted, no extra attributes will be present on the cluster identity.
                             key values for extra mappings must be unique.
-                            A maximum of 64 extra attribute mappings may be provided.
+                            A maximum of 32 extra attribute mappings may be provided.
                           items:
                             description: |-
                               ExtraMapping allows specifying a key and CEL expression
@@ -170,16 +170,16 @@ spec:
                                   For example, the 'sub' claim value can be accessed as 'claims.sub'.
                                   Nested claims can be accessed using dot notation ('claims.foo.bar').
 
-                                  valueExpression must not exceed 4096 characters in length.
+                                  valueExpression must not exceed 1024 characters in length.
                                   valueExpression must not be empty.
-                                maxLength: 4096
+                                maxLength: 1024
                                 minLength: 1
                                 type: string
                             required:
                             - key
                             - valueExpression
                             type: object
-                          maxItems: 64
+                          maxItems: 32
                           type: array
                           x-kubernetes-list-map-keys:
                           - key
@@ -255,8 +255,8 @@ spec:
                                 Precisely one of claim or expression must be set.
                                 expression must not be specified when claim is set.
                                 When specified, expression must be at least 1 character in length
-                                and must not exceed 4096 characters in length.
-                              maxLength: 4096
+                                and must not exceed 1024 characters in length.
+                              maxLength: 1024
                               minLength: 1
                               type: string
                           type: object

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml

@@ -89,7 +89,7 @@ spec:
                             used to construct the extra attribute for the cluster identity.
                             When omitted, no extra attributes will be present on the cluster identity.
                             key values for extra mappings must be unique.
-                            A maximum of 64 extra attribute mappings may be provided.
+                            A maximum of 32 extra attribute mappings may be provided.
                           items:
                             description: |-
                               ExtraMapping allows specifying a key and CEL expression
@@ -170,16 +170,16 @@ spec:
                                   For example, the 'sub' claim value can be accessed as 'claims.sub'.
                                   Nested claims can be accessed using dot notation ('claims.foo.bar').
 
-                                  valueExpression must not exceed 4096 characters in length.
+                                  valueExpression must not exceed 1024 characters in length.
                                   valueExpression must not be empty.
-                                maxLength: 4096
+                                maxLength: 1024
                                 minLength: 1
                                 type: string
                             required:
                             - key
                             - valueExpression
                             type: object
-                          maxItems: 64
+                          maxItems: 32
                           type: array
                           x-kubernetes-list-map-keys:
                           - key
@@ -255,8 +255,8 @@ spec:
                                 Precisely one of claim or expression must be set.
                                 expression must not be specified when claim is set.
                                 When specified, expression must be at least 1 character in length
-                                and must not exceed 4096 characters in length.
-                              maxLength: 4096
+                                and must not exceed 1024 characters in length.
+                              maxLength: 1024
                               minLength: 1
                               type: string
                           type: object

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml

@@ -89,7 +89,7 @@ spec:
                             used to construct the extra attribute for the cluster identity.
                             When omitted, no extra attributes will be present on the cluster identity.
                             key values for extra mappings must be unique.
-                            A maximum of 64 extra attribute mappings may be provided.
+                            A maximum of 32 extra attribute mappings may be provided.
                           items:
                             description: |-
                               ExtraMapping allows specifying a key and CEL expression
@@ -170,16 +170,16 @@ spec:
                                   For example, the 'sub' claim value can be accessed as 'claims.sub'.
                                   Nested claims can be accessed using dot notation ('claims.foo.bar').
 
-                                  valueExpression must not exceed 4096 characters in length.
+                                  valueExpression must not exceed 1024 characters in length.
                                   valueExpression must not be empty.
-                                maxLength: 4096
+                                maxLength: 1024
                                 minLength: 1
                                 type: string
                             required:
                             - key
                             - valueExpression
                             type: object
-                          maxItems: 64
+                          maxItems: 32
                           type: array
                           x-kubernetes-list-map-keys:
                           - key
@@ -255,8 +255,8 @@ spec:
                                 Precisely one of claim or expression must be set.
                                 expression must not be specified when claim is set.
                                 When specified, expression must be at least 1 character in length
-                                and must not exceed 4096 characters in length.
-                              maxLength: 4096
+                                and must not exceed 1024 characters in length.
+                              maxLength: 1024
                               minLength: 1
                               type: string
                           type: object

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml

@@ -89,7 +89,7 @@ spec:
                             used to construct the extra attribute for the cluster identity.
                             When omitted, no extra attributes will be present on the cluster identity.
                             key values for extra mappings must be unique.
-                            A maximum of 64 extra attribute mappings may be provided.
+                            A maximum of 32 extra attribute mappings may be provided.
                           items:
                             description: |-
                               ExtraMapping allows specifying a key and CEL expression
@@ -170,16 +170,16 @@ spec:
                                   For example, the 'sub' claim value can be accessed as 'claims.sub'.
                                   Nested claims can be accessed using dot notation ('claims.foo.bar').
 
-                                  valueExpression must not exceed 4096 characters in length.
+                                  valueExpression must not exceed 1024 characters in length.
                                   valueExpression must not be empty.
-                                maxLength: 4096
+                                maxLength: 1024
                                 minLength: 1
                                 type: string
                             required:
                             - key
                             - valueExpression
                             type: object
-                          maxItems: 64
+                          maxItems: 32
                           type: array
                           x-kubernetes-list-map-keys:
                           - key
@@ -255,8 +255,8 @@ spec:
                                 Precisely one of claim or expression must be set.
                                 expression must not be specified when claim is set.
                                 When specified, expression must be at least 1 character in length
-                                and must not exceed 4096 characters in length.
-                              maxLength: 4096
+                                and must not exceed 1024 characters in length.
+                              maxLength: 1024
                               minLength: 1
                               type: string
                           type: object

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml

@@ -89,7 +89,7 @@ spec:
                             used to construct the extra attribute for the cluster identity.
                             When omitted, no extra attributes will be present on the cluster identity.
                             key values for extra mappings must be unique.
-                            A maximum of 64 extra attribute mappings may be provided.
+                            A maximum of 32 extra attribute mappings may be provided.
                           items:
                             description: |-
                               ExtraMapping allows specifying a key and CEL expression
@@ -170,16 +170,16 @@ spec:
                                   For example, the 'sub' claim value can be accessed as 'claims.sub'.
                                   Nested claims can be accessed using dot notation ('claims.foo.bar').
 
-                                  valueExpression must not exceed 4096 characters in length.
+                                  valueExpression must not exceed 1024 characters in length.
                                   valueExpression must not be empty.
-                                maxLength: 4096
+                                maxLength: 1024
                                 minLength: 1
                                 type: string
                             required:
                             - key
                             - valueExpression
                             type: object
-                          maxItems: 64
+                          maxItems: 32
                           type: array
                           x-kubernetes-list-map-keys:
                           - key
@@ -255,8 +255,8 @@ spec:
                                 Precisely one of claim or expression must be set.
                                 expression must not be specified when claim is set.
                                 When specified, expression must be at least 1 character in length
-                                and must not exceed 4096 characters in length.
-                              maxLength: 4096
+                                and must not exceed 1024 characters in length.
+                              maxLength: 1024
                               minLength: 1
                               type: string
                           type: object

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml

@@ -89,7 +89,7 @@ spec:
                             used to construct the extra attribute for the cluster identity.
                             When omitted, no extra attributes will be present on the cluster identity.
                             key values for extra mappings must be unique.
-                            A maximum of 64 extra attribute mappings may be provided.
+                            A maximum of 32 extra attribute mappings may be provided.
                           items:
                             description: |-
                               ExtraMapping allows specifying a key and CEL expression
@@ -170,16 +170,16 @@ spec:
                                   For example, the 'sub' claim value can be accessed as 'claims.sub'.
                                   Nested claims can be accessed using dot notation ('claims.foo.bar').
 
-                                  valueExpression must not exceed 4096 characters in length.
+                                  valueExpression must not exceed 1024 characters in length.
                                   valueExpression must not be empty.
-                                maxLength: 4096
+                                maxLength: 1024
                                 minLength: 1
                                 type: string
                             required:
                             - key
                             - valueExpression
                             type: object
-                          maxItems: 64
+                          maxItems: 32
                           type: array
                           x-kubernetes-list-map-keys:
                           - key
@@ -255,8 +255,8 @@ spec:
                                 Precisely one of claim or expression must be set.
                                 expression must not be specified when claim is set.
                                 When specified, expression must be at least 1 character in length
-                                and must not exceed 4096 characters in length.
-                              maxLength: 4096
+                                and must not exceed 1024 characters in length.
+                              maxLength: 1024
                               minLength: 1
                               type: string
                           type: object

config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml

@@ -90,7 +90,7 @@ spec:
                             used to construct the extra attribute for the cluster identity.
                             When omitted, no extra attributes will be present on the cluster identity.
                             key values for extra mappings must be unique.
-                            A maximum of 64 extra attribute mappings may be provided.
+                            A maximum of 32 extra attribute mappings may be provided.
                           items:
                             description: |-
                               ExtraMapping allows specifying a key and CEL expression
@@ -171,16 +171,16 @@ spec:
                                   For example, the 'sub' claim value can be accessed as 'claims.sub'.
                                   Nested claims can be accessed using dot notation ('claims.foo.bar').
 
-                                  valueExpression must not exceed 4096 characters in length.
+                                  valueExpression must not exceed 1024 characters in length.
                                   valueExpression must not be empty.
-                                maxLength: 4096
+                                maxLength: 1024
                                 minLength: 1
                                 type: string
                             required:
                             - key
                             - valueExpression
                             type: object
-                          maxItems: 64
+                          maxItems: 32
                           type: array
                           x-kubernetes-list-map-keys:
                           - key
@@ -256,8 +256,8 @@ spec:
                                 Precisely one of claim or expression must be set.
                                 expression must not be specified when claim is set.
                                 When specified, expression must be at least 1 character in length
-                                and must not exceed 4096 characters in length.
-                              maxLength: 4096
+                                and must not exceed 1024 characters in length.
+                              maxLength: 1024
                               minLength: 1
                               type: string
                           type: object