CNTRLPLANE-311: adding auth config missing fields to API #2487
Conversation
Signed-off-by: Shaza Aldawamneh <[email protected]>
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Hello @ShazaAldawamneh! Some important instructions when contributing to openshift/api: |
ShazaAldawamneh
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@ShazaAldawamneh: This pull request references CNTRLPLANE-311 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
size/XXL
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml
Outdated
Show resolved
Hide resolved
config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
Show resolved
Hide resolved
config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml
Outdated
Show resolved
Hide resolved
Signed-off-by: Shaza Aldawamneh <[email protected]>
config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml
Outdated
Show resolved
Hide resolved
Signed-off-by: Shaza Aldawamneh <[email protected]>
Signed-off-by: Shaza Aldawamneh <[email protected]>
Signed-off-by: Shaza Aldawamneh <[email protected]>
ShazaAldawamneh
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/assign |
There was a problem hiding this comment.
For all of the CEL expression fields, can we also get a PR up against openshift/kubernetes similar to openshift/kubernetes#2353 to show that we are going to be adding admission time validation for the newly added CEL expression fields?
| username: | ||
| claim: "preferred_username" | ||
| - name: discoveryURL exceeds max length by one (2049 chars, should fail) |
There was a problem hiding this comment.
While more testing is always nice, I do think having many of these will make this file unnecessarily large and make the experience of making any changes to the tests in the future painful.
Lets just trust that the max length validations markers work as expected and drop any tests that are doing an explicit valid/not-valid check on length alone.
| // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? (isURL(self) && url(self).getScheme() == 'https') : true",message="discoveryURL must be a valid https URL" | ||
| // +kubebuilder:validation:XValidation:rule="self.matches('^[^?]*$')",message="discoveryURL must not contain query parameters" | ||
| // +kubebuilder:validation:XValidation:rule="self.matches('^[^#]*$')",message="discoveryURL must not contain fragments" | ||
| // +kubebuilder:validation:XValidation:rule="self.matches('^[^@]*$')",message="discoveryURL must not contain user info" |
There was a problem hiding this comment.
Is this robust enough of a regular expression to effectively capture this?
As-is this seems like it would match URLs like https://en.wikipedia.org/wiki/@_(album) which doesn't contain any userinfo in the URL but does contain the @ symbol as part of the path and is technically a valid URL.
There was a problem hiding this comment.
@everettraven Honestly, I’m not sure what the best replacement would be. any suggestions ?
There was a problem hiding this comment.
user info seems to be generally parsed from somestring:someotherstring@hostname, maybe you can do something like ^https:\/\/.+:.+@{1}.+\/.+?
That should ensure we are only attempting to match the general user info pattern between the https:// prefix and the {hostname}/ values and allow anything in the path.
Quickly testing on https://regexr.com/ shows that it would match on https://testuser:[email protected]/some/path/@value but not https://example.com/some/path/@value or https://example.com:7784/some/path/@value which is what I think we want.
It would be good to make sure we have a few tests exercising this behavior to make sure it isn't matching something that should be valid.
| // | ||
| // +required | ||
| // +kubebuilder:validation:MinLength=1 | ||
| // +kubebuilder:validation:MaxLength=4096 |
| // | ||
| // If the expression evaluates to false, the token is rejected. | ||
| // See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. | ||
| // At least one rule must evaluate to true for the token to be considered valid. |
There was a problem hiding this comment.
This isn't a list, so we should move this to where the list is defined.
| // +optional | ||
| // +kubebuilder:validation:MinLength=1 | ||
| // +kubebuilder:validation:MaxLength=256 |
There was a problem hiding this comment.
Same comments as the previous message field for token claim validations.
| // +kubebuilder:validation:MaxItems=64 | ||
| // +optional |
There was a problem hiding this comment.
Include this information in the GoDoc please.
| // +kubebuilder:validation:MaxItems=64 | ||
| // +optional | ||
| // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity | ||
| UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"` |
There was a problem hiding this comment.
What other constraints are there? Looking at the upstream validations, it looks like there is a uniqueness constraint on the CEL expression, we should enforce this as well.
|
@ShazaAldawamneh: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
openshift-merge-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
| // message allows configuring the human-readable message that is returned | ||
| // from the Kubernetes API server when a token fails validation based on | ||
| // the CEL expression defined in 'expression'. This field is optional. |
There was a problem hiding this comment.
I don't think this is quite true. Reading https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration it looks like this is the message that is logged by the Kubernetes API server.
It isn't included in anything returned to the caller.
No description provided.