fix the rest of parallel tests working with old token format

test/extended/authorization/scopes.go

@@ -59,8 +59,9 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 				t.Fatalf("unexpected error: %v", err)
 			}
 
+			whoamiOnlyTokenStr, sha256WhoamiOnlyTokenStr := exutil.GenerateOAuthTokenPair()
 			whoamiOnlyToken := &oauthv1.OAuthAccessToken{
-				ObjectMeta:  metav1.ObjectMeta{Name: "whoami-token-plus-some-padding-here-to-make-the-limit-" + oc.Namespace()},
+				ObjectMeta:  metav1.ObjectMeta{Name: sha256WhoamiOnlyTokenStr},
 				ClientName:  "openshift-challenging-client",
 				ExpiresIn:   200,
 				Scopes:      []string{scope.UserInfo},
@@ -74,7 +75,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 			oc.AddResourceToDelete(oauthv1.GroupVersion.WithResource("oauthaccesstokens"), whoamiOnlyToken)
 
 			whoamiConfig := rest.AnonymousClientConfig(oc.AdminConfig())
-			whoamiConfig.BearerToken = whoamiOnlyToken.Name
+			whoamiConfig.BearerToken = whoamiOnlyTokenStr
 
 			if _, err := buildv1client.NewForConfigOrDie(whoamiConfig).BuildV1().Builds(projectName).List(context.Background(), metav1.ListOptions{}); !kapierrors.IsForbidden(err) {
 				t.Fatalf("unexpected error: %v", err)
@@ -155,8 +156,9 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 				t.Fatalf("unexpected error: %v", err)
 			}
 
+			nonEscalatingEditTokenStr, sha256NonEscalatingEditTokenStr := exutil.GenerateOAuthTokenPair()
 			nonEscalatingEditToken := &oauthv1.OAuthAccessToken{
-				ObjectMeta:  metav1.ObjectMeta{Name: "non-escalating-edit-plus-some-padding-here-to-make-the-limit-" + oc.Namespace()},
+				ObjectMeta:  metav1.ObjectMeta{Name: sha256NonEscalatingEditTokenStr},
 				ClientName:  "openshift-challenging-client",
 				ExpiresIn:   200,
 				Scopes:      []string{scope.ClusterRoleIndicator + "edit:*"},
@@ -170,7 +172,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 			oc.AddResourceToDelete(oauthv1.GroupVersion.WithResource("oauthaccesstokens"), nonEscalatingEditToken)
 
 			nonEscalatingEditConfig := rest.AnonymousClientConfig(oc.AdminConfig())
-			nonEscalatingEditConfig.BearerToken = nonEscalatingEditToken.Name
+			nonEscalatingEditConfig.BearerToken = nonEscalatingEditTokenStr
 			nonEscalatingEditClient, err := kclientset.NewForConfig(nonEscalatingEditConfig)
 			if err != nil {
 				t.Fatalf("unexpected error: %v", err)
@@ -180,8 +182,9 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 				t.Fatalf("unexpected error: %v", err)
 			}
 
+			escalatingEditTokenStr, sha256EscalatingEditToken := exutil.GenerateOAuthTokenPair()
 			escalatingEditToken := &oauthv1.OAuthAccessToken{
-				ObjectMeta:  metav1.ObjectMeta{Name: "escalating-edit-plus-some-padding-here-to-make-the-limit-" + oc.Namespace()},
+				ObjectMeta:  metav1.ObjectMeta{Name: sha256EscalatingEditToken},
 				ClientName:  "openshift-challenging-client",
 				ExpiresIn:   200,
 				Scopes:      []string{scope.ClusterRoleIndicator + "edit:*:!"},
@@ -195,7 +198,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 			oc.AddResourceToDelete(oauthv1.GroupVersion.WithResource("oauthaccesstokens"), escalatingEditToken)
 
 			escalatingEditConfig := rest.AnonymousClientConfig(oc.AdminConfig())
-			escalatingEditConfig.BearerToken = escalatingEditToken.Name
+			escalatingEditConfig.BearerToken = escalatingEditTokenStr
 			escalatingEditClient, err := kclientset.NewForConfig(escalatingEditConfig)
 			if err != nil {
 				t.Fatalf("unexpected error: %v", err)
@@ -308,7 +311,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 					name: "no scopes",
 					fail: true,
 					obj: &oauthv1.OAuthAccessToken{
-						ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
+						ObjectMeta:  metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
 						ClientName:  client.Name,
 						UserName:    "name",
 						UserUID:     "uid",
@@ -319,7 +322,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 					name: "denied literal",
 					fail: true,
 					obj: &oauthv1.OAuthAccessToken{
-						ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
+						ObjectMeta:  metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
 						ClientName:  client.Name,
 						UserName:    "name",
 						UserUID:     "uid",
@@ -331,7 +334,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 					name: "denied role",
 					fail: true,
 					obj: &oauthv1.OAuthAccessToken{
-						ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
+						ObjectMeta:  metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
 						ClientName:  client.Name,
 						UserName:    "name",
 						UserUID:     "uid",
@@ -342,7 +345,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 				{
 					name: "ok role",
 					obj: &oauthv1.OAuthAccessToken{
-						ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
+						ObjectMeta:  metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
 						ClientName:  client.Name,
 						UserName:    "name",
 						UserUID:     "uid",
@@ -374,7 +377,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 					name: "no scopes",
 					fail: true,
 					obj: &oauthv1.OAuthAuthorizeToken{
-						ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
+						ObjectMeta:  metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
 						ClientName:  client.Name,
 						ExpiresIn:   86400,
 						UserName:    "name",
@@ -386,7 +389,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 					name: "denied literal",
 					fail: true,
 					obj: &oauthv1.OAuthAuthorizeToken{
-						ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
+						ObjectMeta:  metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
 						ClientName:  client.Name,
 						ExpiresIn:   86400,
 						UserName:    "name",
@@ -399,7 +402,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 					name: "denied role",
 					fail: true,
 					obj: &oauthv1.OAuthAuthorizeToken{
-						ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
+						ObjectMeta:  metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
 						ClientName:  client.Name,
 						ExpiresIn:   86400,
 						UserName:    "name",
@@ -411,7 +414,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() {
 				{
 					name: "ok role",
 					obj: &oauthv1.OAuthAuthorizeToken{
-						ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
+						ObjectMeta:  metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()},
 						ClientName:  client.Name,
 						ExpiresIn:   86400,
 						UserName:    "name",

test/extended/cli/mustgather.go

@@ -131,11 +131,11 @@ var _ = g.Describe("[sig-cli] oc adm must-gather", func() {
 		}
 
 		// makes some tokens that should not show in the audit logs
-		const tokenName = "must-gather-audit-logs-token-plus-some-padding-here-to-make-the-limit"
+		_, sha256TokenName := exutil.GenerateOAuthTokenPair()
 		oauthClient := oauthv1client.NewForConfigOrDie(oc.AdminConfig())
 		_, err1 := oauthClient.OAuthAccessTokens().Create(context.Background(), &oauthv1.OAuthAccessToken{
 			ObjectMeta: metav1.ObjectMeta{
-				Name: tokenName,
+				Name: sha256TokenName,
 			},
 			ClientName:  "openshift-challenging-client",
 			ExpiresIn:   30,
@@ -147,7 +147,7 @@ var _ = g.Describe("[sig-cli] oc adm must-gather", func() {
 		o.Expect(err1).NotTo(o.HaveOccurred())
 		_, err2 := oauthClient.OAuthAuthorizeTokens().Create(context.Background(), &oauthv1.OAuthAuthorizeToken{
 			ObjectMeta: metav1.ObjectMeta{
-				Name: tokenName,
+				Name: sha256TokenName,
 			},
 			ClientName:  "openshift-challenging-client",
 			ExpiresIn:   30,
@@ -241,7 +241,7 @@ var _ = g.Describe("[sig-cli] oc adm must-gather", func() {
 						// - if on 4.6 but not upgraded => disable check
 						// - if on 4.6 and we have been upgraded from older release => keep the check.
 						if upgradedFrom45 {
-							for _, token := range []string{"oauthaccesstokens", "oauthauthorizetokens", tokenName} {
+							for _, token := range []string{"oauthaccesstokens", "oauthauthorizetokens", sha256TokenName} {
 								o.Expect(text).NotTo(o.ContainSubstring(token))
 							}
 						}

test/extended/oauth/client_secret.go

@@ -20,7 +20,7 @@ import (
 	exutil "github.com/openshift/origin/test/extended/util"
 )
 
-const authzTokenName string = "oauth-client-with-plus-with-more-than-thirty-two-characters-in-this-very-long-name"
+var authzToken, sha256AuthzToken = exutil.GenerateOAuthTokenPair()
 
 var _ = g.Describe("[sig-auth][Feature:OAuthServer]", func() {
 	defer g.GinkgoRecover()
@@ -65,7 +65,7 @@ var _ = g.Describe("[sig-auth][Feature:OAuthServer]", func() {
 				g.By("create synthetic authz token")
 				oauthAuthorizeToken, err := oc.AdminOauthClient().OauthV1().OAuthAuthorizeTokens().Create(ctx, &oauthv1.OAuthAuthorizeToken{
 					ObjectMeta: metav1.ObjectMeta{
-						Name: authzTokenName,
+						Name: sha256AuthzToken,
 					},
 					ClientName:          oauthClient.Name,
 					ExpiresIn:           100000000,
@@ -108,7 +108,7 @@ var _ = g.Describe("[sig-auth][Feature:OAuthServer]", func() {
 func queryClientAuthRequest(host string) *http.Request {
 	req, err := http.NewRequest("POST", "https://"+host+"/oauth/token?"+
 		"grant_type=authorization_code&"+
-		"code="+authzTokenName+"&"+
+		"code="+authzToken+"&"+
 		"client_id=oauth-client-with-plus&"+
 		"client_secret=secret%2Bwith%2Bplus",
 		nil)
@@ -120,7 +120,7 @@ func queryClientAuthRequest(host string) *http.Request {
 func bodyClientAuthRequest(host string) *http.Request {
 	req, err := http.NewRequest("POST", "https://"+host+"/oauth/token",
 		bytes.NewBufferString("grant_type=authorization_code&"+
-			"code="+authzTokenName+"&"+
+			"code="+authzToken+"&"+
 			"client_id=oauth-client-with-plus&"+
 			"client_secret=secret%2Bwith%2Bplus",
 		),
@@ -133,7 +133,7 @@ func bodyClientAuthRequest(host string) *http.Request {
 func headerClientAuthRequest(host string) *http.Request {
 	req, err := http.NewRequest("POST", "https://"+host+"/oauth/token",
 		bytes.NewBufferString("grant_type=authorization_code&"+
-			"code="+authzTokenName,
+			"code="+authzToken,
 		),
 	)
 	o.Expect(err).NotTo(o.HaveOccurred())

test/extended/oauth/token.go

@@ -27,42 +27,6 @@ var _ = g.Describe("[sig-auth][Feature:OAuthServer] OAuth Authenticator", func()
 	oc := exutil.NewCLI("oauth-access-token-e2e-test")
 	ctx := context.Background()
 
-	g.It(fmt.Sprintf("accepts classic non-prefixed access tokens"), func() {
-		user, err := oc.AdminUserClient().UserV1().Users().Create(ctx, &userv1.User{
-			TypeMeta: metav1.TypeMeta{},
-			ObjectMeta: metav1.ObjectMeta{
-				Name: "oauth-access-token-e2e-test-user-classical",
-			},
-			FullName: "test user",
-		}, metav1.CreateOptions{})
-		o.Expect(err).NotTo(o.HaveOccurred())
-		oc.AddResourceToDelete(userv1.GroupVersion.WithResource("users"), user)
-
-		g.By("creating a classic oauth access token")
-		token := base64.RawURLEncoding.EncodeToString([]byte(uuid.New()))
-		classicTokenObject, err := oc.AdminOauthClient().OauthV1().OAuthAccessTokens().Create(ctx, &oauthv1.OAuthAccessToken{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: token,
-			},
-			UserName:    user.Name,
-			UserUID:     string(user.UID),
-			ClientName:  "openshift-challenging-client",
-			Scopes:      []string{"user:info"},
-			RedirectURI: "https://127.0.0.1:12000/oauth/token/implicit",
-		}, metav1.CreateOptions{})
-		o.Expect(err).NotTo(o.HaveOccurred())
-		oc.AddResourceToDelete(oauthv1.GroupVersion.WithResource("oauthaccesstokens"), classicTokenObject)
-
-		g.By("authenticating using the classic access token as bearer token")
-		gotUser, err := whoamiWithToken(token, oc)
-		o.Expect(err).NotTo(o.HaveOccurred())
-		o.Expect(gotUser.Name).To(o.Equal(user.Name))
-
-		g.By("not-authenticating using a sha256 prefixed access token as bearer token")
-		_, err = whoamiWithToken("sha256~"+token, oc)
-		o.Expect(errors.IsUnauthorized(err)).To(o.BeTrue())
-	})
-
 	g.It(fmt.Sprintf("accepts sha256 access tokens"), func() {
 		user, err := oc.AdminUserClient().UserV1().Users().Create(ctx, &userv1.User{
 			TypeMeta: metav1.TypeMeta{},

test/extended/project/project.go

@@ -19,7 +19,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
@@ -572,8 +571,9 @@ func GetScopedClientForUser(oc *exutil.CLI, username string, scopes []string) (*
 		return nil, err
 	}
 
+	tokenStr, sha256TokenStr := exutil.GenerateOAuthTokenPair()
 	token := &oauthv1.OAuthAccessToken{
-		ObjectMeta:  metav1.ObjectMeta{Name: fmt.Sprintf("%s-token-plus-some-padding-here-to-make-the-limit-%d", username, rand.Int())},
+		ObjectMeta:  metav1.ObjectMeta{Name: sha256TokenStr},
 		ClientName:  "openshift-challenging-client",
 		ExpiresIn:   86400,
 		Scopes:      scopes,
@@ -587,6 +587,6 @@ func GetScopedClientForUser(oc *exutil.CLI, username string, scopes []string) (*
 	oc.AddResourceToDelete(oauthv1.GroupVersion.WithResource("oauthaccesstokens"), token)
 
 	scopedConfig := rest.AnonymousClientConfig(oc.AdminConfig())
-	scopedConfig.BearerToken = token.Name
+	scopedConfig.BearerToken = tokenStr
 	return scopedConfig, nil
 }