117 changes: 117 additions & 0 deletions config/v1/tests/authentications.config.openshift.io/ExternalOIDC.yaml
Expand Up @@ -492,6 +492,49 @@ tests:
claimMappings:
username:
claim: ""
- name: Should allow updating groups claim mapping from invalid empty value to valid value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/minLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: ""
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
Comment on lines +495 to +537
Contributor
Remove this test; an empty group claim ("") is a valid input.

- name: Should allow updating other fields if existing username claim mapping is longer than 256 characters
initialCRDPatches:
- op: remove
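Review bot: the `initial`, `updated` and `expected` manifests at lines +495 to +537 omit `claimMappings.username`, which the review comment on the next hunk calls a required field, so if this test is kept the objects would be rejected for the missing username mapping instead of exercising the `groups.claim` ratchet. The comment above also states that an empty groups claim ("") is valid input; in that case the `op: remove` on `.../groups/properties/claim/minLength` in `initialCRDPatches` has nothing to strip and the "invalid empty value" premise in the test name does not hold. Dropping the test, as suggested, is the cleaner fix.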
Expand Down Expand Up @@ -535,6 +578,80 @@ tests:
claimMappings:
username:
claim: "thisisanincrediblylongclaimnamethatwhileacceptableinjwtsisgenerallyadvisedagainstbecauseitisextremelylongandnoteasilyusablebutmaybethereisausecaseouttherethathasdecidedthattheyneedtousethisextremelylongclaimnameforsomereasoneventhoughtheyreallyshouldreconsiderthis"
- name: Should allow updating groups claim mapping from a previously invalid long value to a valid value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/maxLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse"
Comment on lines +595 to +597
Contributor
claimMappings.username is a required field, so it should be provided here.

Additionally, you added a maxLength of 256 and thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse is only 129 characters. For this to test what we are actually trying to test, make sure this string value is more than 256 characters.

updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
- name: Should not allow updating groups claim mapping from a previously invalid long value to a still invalid long value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/maxLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse"
Comment on lines +638 to +640
Contributor
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuseandstilltoolong"
expectedError: "Too long: may not be more than 256 bytes"
- name: Should allow updating other fields if issuerURL contains fragment
initialCRDPatches:
- op: remove
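Review bot: in the second new test ("Should not allow updating groups claim mapping from a previously invalid long value to a still invalid long value", lines +638 onward) the `updated` value only appends `andstilltoolong` (15 characters) to the 129-character `initial` string called out in the comment above, giving 144 characters; that is still under the new 256 `maxLength`, so the `expectedError` "Too long: may not be more than 256 bytes" cannot be produced, the update would be accepted, and the test would fail. Both new tests also need a `claimMappings.username` entry in `initial`, `updated` and `expected`, as already raised for lines +595 to +597, and both `initial` strings should exceed 256 characters (the existing username test just above this hunk uses one that does) so that removing `maxLength` in `initialCRDPatches` is actually what lets the initial object in.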
Expand Up @@ -588,6 +588,209 @@ tests:
valueExpression: "claims.foo"
expectedError: "the domain of the key must consist of only lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
onUpdate:
- name: Should allow updating other fields if existing username claim mapping is empty string
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/username/properties/claim/minLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: ""
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://huh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: ""
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://huh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: ""
- name: Should allow updating groups claim mapping from previously invalid empty value to a valid value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/minLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: ""
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
- name: Should allow updating other fields if existing username claim mapping is longer than 256 characters
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/username/properties/claim/maxLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: "thisisanincrediblylongclaimnamethatwhileacceptableinjwtsisgenerallyadvisedagainstbecauseitisextremelylongandnoteasilyusablebutmaybethereisausecaseouttherethathasdecidedthattheyneedtousethisextremelylongclaimnameforsomereasoneventhoughtheyreallyshouldreconsiderthis"
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://huh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: "thisisanincrediblylongclaimnamethatwhileacceptableinjwtsisgenerallyadvisedagainstbecauseitisextremelylongandnoteasilyusablebutmaybethereisausecaseouttherethathasdecidedthattheyneedtousethisextremelylongclaimnameforsomereasoneventhoughtheyreallyshouldreconsiderthis"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://huh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: "thisisanincrediblylongclaimnamethatwhileacceptableinjwtsisgenerallyadvisedagainstbecauseitisextremelylongandnoteasilyusablebutmaybethereisausecaseouttherethathasdecidedthattheyneedtousethisextremelylongclaimnameforsomereasoneventhoughtheyreallyshouldreconsiderthis"
- name: Should allow updating groups claim mapping from a previously invalid long value to a valid value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/maxLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse"
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
- name: Should not allow updating groups claim mapping from a previously invalid long value to a still invalid long value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/maxLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse"
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuseandstilltoolong"
expectedError: "Too long: may not be more than 256 bytes"
Comment on lines +591 to +793
Contributor
To keep things easier to track here, let's just trust that the ratcheting test in the ExternalOIDC.yaml test file is sufficient here.

I know I said it should be added to all files, and while it doesn't hurt, it makes this PR bigger than it needs to be and I hadn't thought of that. Apologies for the churn here, I should have had better foresight here - not sure why I didn't.

- name: Updating OIDC provider with a client that's not in the status
initial: |
apiVersion: config.openshift.io/v1
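Review bot: this hunk re-adds the same `onUpdate` ratcheting cases as ExternalOIDC.yaml, including the groups `minLength` test that the earlier comment says to remove and the "still invalid long value" test whose `updated` string (129 + 15 = 144 characters) stays under the 256 `maxLength`, so its `expectedError` can never match; per the comment above, drop the block at lines +591 to +793 rather than carry a second copy that would need the same fixes (a required `claimMappings.username` in each manifest, and `initial` values longer than 256 characters).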