@@ -0,0 +1,364 @@

apiVersion: apiextensions.k8s.io/v1
name: "Authentication"
crdName: authentications.config.openshift.io
featureGates:
- ExternalOIDCWithNewAuthConfigFields
tests:
onCreate:
- name: Valid discoveryURL
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld/
audiences: ['openshift-aud']
discoveryURL: https://auth.example.com/.well-known/openid-configuration

- name: discoveryURL must be a valid URL
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld/
audiences: ['openshift-aud']
discoveryURL: not-a-valid-url
error: "discoveryURL must be a valid URL"

- name: discoveryURL must not contain user info
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld/
audiences: ['openshift-aud']
discoveryURL: https://user:[email protected]/
error: "discoveryURL must not contain user info"

- name: discoveryURL exceeds max length
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld/
audiences: ['openshift-aud']
discoveryURL: "https://auth.example.com/$(printf 'a%.0s' {1..2050})"
error: "discoveryURL: Too long"

- name: discoveryURL must not contain fragment
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld/
audiences: ['openshift-aud']
discoveryURL: https://auth.example.com/#fragment
error: "discoveryURL must not contain a fragment"

- name: discoveryURL must use https
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld/
audiences: ['openshift-aud']
discoveryURL: http://auth.example.com/invalid
error: "discoveryURL must use https scheme"

- name: discoveryURL must not contain query
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld/
audiences: ['openshift-aud']
discoveryURL: https://auth.example.com/path?foo=bar
error: "discoveryURL must not contain query parameters"

- name: discoveryURL must be different from URL
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld/
audiences: ['openshift-aud']
discoveryURL: https://auth.example.com/
error: "discoveryURL must be different from URL"

- name: Valid AudienceMatchPolicy
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
audienceMatchPolicy: MatchAny

- name: Invalid AudienceMatchPolicy
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
audienceMatchPolicy: InvalidPolicy
error: "audienceMatchPolicy: Unsupported value"

- name: Valid RequiredClaim rule
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimValidationRules:
- type: RequiredClaim
requiredClaim:
claim: "role"
requiredValue: "admin"

- name: Missing requiredClaim when type is RequiredClaim
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimValidationRules:
- type: RequiredClaim
expectedError: "requiredClaim must be set when type is 'RequiredClaim'"

- name: Valid ExpressionRule configuration
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimValidationRules:
- type: Expression
expressionRule:
expression: "claims.email.endsWith('@example.com')"
message: "email must be from example.com"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimValidationRules:
- type: Expression
expressionRule:
expression: "claims.email.endsWith('@example.com')"
message: "email must be from example.com"

- name: Missing expressionRule for Expression type
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimValidationRules:
- type: Expression
expectedError: "expressionRule must be set when type is 'Expression', and forbidden otherwise"

- name: Expression too long
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimValidationRules:
- type: Expression
expressionRule:
expression: "{{longExpression}}"
replacements:
longExpression: "{{'x' * 5000}}"
expectedError: "expression: Too long: must have at most 4096 characters"

- name: Empty expression in expressionRule
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimValidationRules:
- type: Expression
expressionRule:
expression: ""
message: "must not be empty"
expectedError: "expression: Invalid value: \"\": validation failed: value length must be at least 1"

- name: Valid TokenUserValidationRule with expression and message
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- expression: "user.username.startsWith('admin')"
message: "Only admin users are allowed"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- expression: "user.username.startsWith('admin')"
message: "Only admin users are allowed"

- name: Missing expression in TokenUserValidationRule
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- message: "Should never reach here"
expectedError: "expression: Required value"

- name: Expression too long in TokenUserValidationRule
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- expression: "{{longExpression}}"
message: "This expression is too long"
replacements:
longExpression: "{{'x' * 5000}}"
expectedError: "expression: Too long: must have at most 4096 characters"

- name: Empty expression in TokenUserValidationRule
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- expression: ""
message: "Empty expressions are invalid"
expectedError: "expression: Invalid value: \"\": validation failed: value length must be at least 1"

- name: Valid TokenUserValidationRule with expression only
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- expression: "user.groups.exists(g, g == 'admins')"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
userValidationRules:
- expression: "user.groups.exists(g, g == 'admins')"
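Review bot: The negative discoveryURL and audienceMatchPolicy cases (from `error: "discoveryURL must be a valid URL"` through `error: "audienceMatchPolicy: Unsupported value"`) spell the expected rejection as `error:`, while every later case in the same `onCreate` list uses `expectedError:`; only one spelling can be what the harness reads, so the other set presumably asserts nothing, which would leave the https-only, no-userinfo, no-query and no-fragment guards on discoveryURL effectively untested. Rename those keys to `expectedError:` so all rejection cases agree. The "exceeds max length" case also embeds a literal shell substitution, `discoveryURL: "https://auth.example.com/$(printf 'a%.0s' {1..2050})"`, which nothing expands, so the value stays short and cannot trip the length limit; the `replacements:` / `longExpression: "{{'x' * 5000}}"` mechanism the Expression cases already use is the consistent way to build an over-long value. Likewise the "must be different from URL" case sets `discoveryURL: https://auth.example.com/` against `issuerURL: https://meh.tld/`, which already differ, so the expected error cannot fire unless the two URLs are made equal.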