
Commit 41f570e

committed
e2e-oidc: update test to expect admission-time validation error of invalid CEL expression
1 parent 11e57aa commit 41f570e


1 file changed

+49
-22
lines changed


test/e2e-oidc/external_oidc_test.go

Lines changed: 49 additions & 22 deletions
@@ -61,6 +61,8 @@ func TestExternalOIDCWithKeycloak(t *testing.T) {
6161
testCtx, cancel := context.WithCancel(context.Background())
6262
defer cancel()
6363

64+
func TestExternalOIDCWithKeycloak(t *testing.T) {
65+
testCtx := t.Context()
6466
testClient, err := newTestClient(t, testCtx)
6567
require.NoError(t, err)
6668

@@ -150,26 +152,12 @@ func TestExternalOIDCWithKeycloak(t *testing.T) {
150152
require.NoError(t, waitErr, "failed to wait for auth configmap to get deleted: %v", err)
151153
})
152154

153-
t.Run("invalid OIDC config degrades auth operator", func(t *testing.T) {
155+
t.Run("invalid CEL expression rejects auth CR admission", func(t *testing.T) {
154156
for _, tt := range []struct {
155157
name string
156158
specUpdate func(*configv1.AuthenticationSpec)
157159
requireFeatureGates []configv1.FeatureGateName
158160
}{
159-
{
160-
name: "invalid issuer CA bundle",
161-
specUpdate: func(s *configv1.AuthenticationSpec) {
162-
s.OIDCProviders[0].Issuer.CertificateAuthority.Name = "invalid-ca-bundle"
163-
},
164-
requireFeatureGates: []configv1.FeatureGateName{},
165-
},
166-
{
167-
name: "invalid issuer URL",
168-
specUpdate: func(s *configv1.AuthenticationSpec) {
169-
s.OIDCProviders[0].Issuer.URL = "https://invalid-idp.testing"
170-
},
171-
requireFeatureGates: []configv1.FeatureGateName{},
172-
},
173161
{
174162
name: "uncompilable CEL expression for uid claim mapping",
175163
specUpdate: func(s *configv1.AuthenticationSpec) {
@@ -198,13 +186,47 @@ func TestExternalOIDCWithKeycloak(t *testing.T) {
198186
t.Skipf("skipping as required feature gate %q is not enabled", fg)
199187
}
200188
}
189+
_, err := testClient.updateAuthResource(t, testCtx, testSpec, tt.specUpdate)
190+
require.Error(t, err, "uncompilable CEL expression should return in admission error")
191+
})
192+
}
193+
})
194+
195+
t.Run("invalid OIDC config degrades auth operator", func(t *testing.T) {
196+
for _, tt := range []struct {
197+
name string
198+
specUpdate func(*configv1.AuthenticationSpec)
199+
requireFeatureGates []configv1.FeatureGateName
200+
}{
201+
{
202+
name: "invalid issuer CA bundle",
203+
specUpdate: func(s *configv1.AuthenticationSpec) {
204+
s.OIDCProviders[0].Issuer.CertificateAuthority.Name = "invalid-ca-bundle"
205+
},
206+
requireFeatureGates: []configv1.FeatureGateName{},
207+
},
208+
{
209+
name: "invalid issuer URL",
210+
specUpdate: func(s *configv1.AuthenticationSpec) {
211+
s.OIDCProviders[0].Issuer.URL = "https://invalid-idp.testing"
212+
},
213+
requireFeatureGates: []configv1.FeatureGateName{},
214+
},
215+
} {
216+
t.Run(tt.name, func(t *testing.T) {
217+
for _, fg := range tt.requireFeatureGates {
218+
if !featureGateEnabled(testCtx, testClient.configClient, fg) {
219+
t.Skipf("skipping as required feature gate %q is not enabled", fg)
220+
}
221+
}
201222

202223
err := testClient.authResourceRollback(testCtx, origAuthSpec)
203224
require.NoError(t, err, "failed to roll back auth resource")
204225

205226
testClient.checkPreconditions(t, testCtx, typeOAuth, operatorAvailable, nil)
206227

207-
testClient.updateAuthResource(t, testCtx, testSpec, tt.specUpdate)
228+
_, err = testClient.updateAuthResource(t, testCtx, testSpec, tt.specUpdate)
229+
require.NoError(t, err, "failed to update authentication/cluster")
208230

209231
require.NoError(t, test.WaitForClusterOperatorDegraded(t, testClient.configClient.ConfigV1(), "authentication"))
210232

@@ -237,13 +259,14 @@ func TestExternalOIDCWithKeycloak(t *testing.T) {
237259
testClient.checkPreconditions(t, testCtx, nil, operatorAvailable, operatorAvailable)
238260

239261
kasOriginalRevision := testClient.kasLatestAvailableRevision(t, testCtx)
240-
auth := testClient.updateAuthResource(t, testCtx, testSpec, func(baseSpec *configv1.AuthenticationSpec) {
262+
auth, err := testClient.updateAuthResource(t, testCtx, testSpec, func(baseSpec *configv1.AuthenticationSpec) {
241263
baseSpec.OIDCProviders[0].ClaimMappings.Username = configv1.UsernameClaimMapping{
242264
Claim: tt.claim,
243265
PrefixPolicy: tt.prefixPolicy,
244266
Prefix: tt.prefix,
245267
}
246268
})
269+
require.NoError(t, err, "failed to update authentication/cluster")
247270

248271
require.NoError(t, test.WaitForClusterOperatorStatusAlwaysAvailable(t, testCtx, testClient.configClient.ConfigV1(), "authentication"))
249272
require.NoError(t, test.WaitForClusterOperatorStatusAlwaysAvailable(t, testCtx, testClient.configClient.ConfigV1(), "kube-apiserver"))
@@ -288,13 +311,14 @@ func TestExternalOIDCWithKeycloak(t *testing.T) {
288311
testClient.checkPreconditions(t, testCtx, nil, operatorAvailable, operatorAvailable)
289312

290313
kasOriginalRevision := testClient.kasLatestAvailableRevision(t, testCtx)
291-
auth := testClient.updateAuthResource(t, testCtx, testSpec, func(baseSpec *configv1.AuthenticationSpec) {
314+
auth, err := testClient.updateAuthResource(t, testCtx, testSpec, func(baseSpec *configv1.AuthenticationSpec) {
292315
baseSpec.OIDCProviders[0].ClaimMappings.Username = configv1.UsernameClaimMapping{
293316
Claim: "unknown",
294317
PrefixPolicy: configv1.NoPrefix,
295318
Prefix: nil,
296319
}
297320
})
321+
require.NoError(t, err, "failed to update authentication/cluster")
298322

299323
require.NoError(t, test.WaitForClusterOperatorStatusAlwaysAvailable(t, testCtx, testClient.configClient.ConfigV1(), "authentication"))
300324
require.NoError(t, test.WaitForClusterOperatorStatusAlwaysAvailable(t, testCtx, testClient.configClient.ConfigV1(), "kube-apiserver"))
@@ -559,21 +583,24 @@ func (tc *testClient) getAuth(t *testing.T, ctx context.Context) *configv1.Authe
559583
}
560584

561585
// updateAuthResource deep-copies the baseSpec, applies updates to the copy and persists them in the auth resource
562-
func (tc *testClient) updateAuthResource(t *testing.T, ctx context.Context, baseSpec *configv1.AuthenticationSpec, updateAuthSpec func(baseSpec *configv1.AuthenticationSpec)) *configv1.Authentication {
586+
func (tc *testClient) updateAuthResource(t *testing.T, ctx context.Context, baseSpec *configv1.AuthenticationSpec, updateAuthSpec func(baseSpec *configv1.AuthenticationSpec)) (*configv1.Authentication, error) {
563587
auth := tc.getAuth(t, ctx)
564588
if updateAuthSpec == nil {
565-
return auth
589+
return auth, nil
566590
}
567591

568592
spec := baseSpec.DeepCopy()
569593
updateAuthSpec(spec)
570594

571595
auth.Spec = *spec
572596
auth, err := tc.configClient.ConfigV1().Authentications().Update(ctx, auth, metav1.UpdateOptions{})
573-
require.NoError(t, err, "failed to update authentication/cluster")
597+
if err != nil {
598+
return nil, err
599+
}
600+
574601
require.True(t, equality.Semantic.DeepEqual(auth.Spec, *spec))
575602

576-
return auth
603+
return auth, nil
577604
}
578605

579606
func (tc *testClient) checkPreconditions(t *testing.T, ctx context.Context, authType *configv1.AuthenticationType, caoStatus []configv1.ClusterOperatorStatusCondition, kasoStatus []configv1.ClusterOperatorStatusCondition) {
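Review bot: The new `require.Error(t, err, ...)` in the "invalid CEL expression rejects auth CR admission" subtest (second hunk, new line 190) accepts any error from `updateAuthResource`, so a transient API failure (update conflict, timeout, connection reset) passes the test exactly like a genuine admission rejection does, and the property the subtest is named for is not actually pinned. Apiserver admission-time validation failures are typically reported with reason Invalid, so the assertion should also check the error kind, e.g. `require.True(t, apierrors.IsInvalid(err), "expected admission validation error, got: %v", err)` with `apierrors "k8s.io/apimachinery/pkg/api/errors"` imported if it is not already (the import block is outside the hunk). The message on that line, "should return in admission error", presumably means "should result in an admission error". The enclosing TestExternalOIDCWithKeycloak function starts and ends outside the hunk. Separately, the doc comment on `updateAuthResource` in the last hunk still does not say that the Update error is now returned rather than asserted; consider appending `// The Update error is returned unasserted so callers can expect admission rejections.`.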
