470 changes: 470 additions & 0 deletions config/v1/tests/authentications.config.openshift.io/ExternalOIDC.yaml


24 changes: 16 additions & 8 deletions config/v1/types_authentication.go
Expand Up @@ -91,6 +91,7 @@ type AuthenticationSpec struct {
// +kubebuilder:validation:MaxItems=1
// +openshift:enable:FeatureGate=ExternalOIDC
// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
// +optional
OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`
}

Expand Down Expand Up @@ -253,9 +254,16 @@ type TokenIssuer struct {
// The Kubernetes API server determines how authentication tokens should be handled
// by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
//
// issuerURL must use the 'https' scheme.
// Must be at least 1 character and must not exceed 512 characters in length.
// Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
//
// +kubebuilder:validation:Pattern=`^https:\/\/[^\s]`
// +kubebuilder:validation:XValidation:rule="isURL(self)",message="must be a valid URL"
// +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getScheme() == 'https'",message="must use the 'https' scheme"
// +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getQuery() == {}",message="must not have a query"
// +kubebuilder:validation:XValidation:rule="self.find('#(.+)$') == ''",message="must not have a fragment"
// +kubebuilder:validation:XValidation:rule="self.find('@') == ''",message="must not have user info"
// +kubebuilder:validation:MaxLength=512
// +kubebuilder:validation:MinLength=1
// +required
URL string `json:"issuerURL"`

Expand Down Expand Up @@ -320,10 +328,10 @@ type TokenClaimMappings struct {
// used to construct the extra attribute for the cluster identity.
// When omitted, no extra attributes will be present on the cluster identity.
// key values for extra mappings must be unique.
// A maximum of 64 extra attribute mappings may be provided.
// A maximum of 32 extra attribute mappings may be provided.
//
// +optional
// +kubebuilder:validation:MaxItems=64
// +kubebuilder:validation:MaxItems=32
// +listType=map
// +listMapKey=key
// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
Expand Down Expand Up @@ -375,10 +383,10 @@ type TokenClaimOrExpressionMapping struct {
// Precisely one of claim or expression must be set.
// expression must not be specified when claim is set.
// When specified, expression must be at least 1 character in length
// and must not exceed 4096 characters in length.
// and must not exceed 1024 characters in length.
//
// +optional
// +kubebuilder:validation:MaxLength=4096
// +kubebuilder:validation:MaxLength=1024
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression,omitempty"`
}
Expand Down Expand Up @@ -437,12 +445,12 @@ type ExtraMapping struct {
// For example, the 'sub' claim value can be accessed as 'claims.sub'.
// Nested claims can be accessed using dot notation ('claims.foo.bar').
//
// valueExpression must not exceed 4096 characters in length.
// valueExpression must not exceed 1024 characters in length.
// valueExpression must not be empty.
//
// +required
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=4096
// +kubebuilder:validation:MaxLength=1024
ValueExpression string `json:"valueExpression"`
}

Expand Down
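Review bot: The new XValidation markers on issuerURL accept `https://` and `https:///path`, which the removed pattern `^https:\/\/[^\s]` rejected: as far as I can tell Go's url.Parse (which `isURL` wraps) parses both with an empty host, `getScheme()` is still 'https', and none of the query, fragment or user-info rules fire, so a host-less issuer now passes admission and only fails, or silently never matches any `iss` claim, once the kube-apiserver loads the config. I would add a host rule next to the scheme rule, `// +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getHost() != ''",message="must have a host"`, and extend the doc sentence to "Must be a valid URL that uses the 'https' scheme, has a host, and does not contain a query, fragment or user." Separately, `self.find('#(.+)$') == ''` only rejects a fragment of at least one character, so a bare trailing `#` (`https://issuer.example.com#`) passes the 'must not have a fragment' rule; `self.find('#') == ''` is the conservative form, since a literal `#` is never valid outside the fragment delimiter, and it would match how the user-info rule already rejects any literal `@`. The TokenIssuer struct this field belongs to starts and ends outside the hunk.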
Expand Up @@ -89,7 +89,7 @@ spec:
used to construct the extra attribute for the cluster identity.
When omitted, no extra attributes will be present on the cluster identity.
key values for extra mappings must be unique.
A maximum of 64 extra attribute mappings may be provided.
A maximum of 32 extra attribute mappings may be provided.
items:
description: |-
ExtraMapping allows specifying a key and CEL expression
Expand Down Expand Up @@ -170,16 +170,16 @@ spec:
For example, the 'sub' claim value can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation ('claims.foo.bar').

valueExpression must not exceed 4096 characters in length.
valueExpression must not exceed 1024 characters in length.
valueExpression must not be empty.
maxLength: 4096
maxLength: 1024
minLength: 1
type: string
required:
- key
- valueExpression
type: object
maxItems: 64
maxItems: 32
type: array
x-kubernetes-list-map-keys:
- key
Expand Down Expand Up @@ -255,8 +255,8 @@ spec:
Precisely one of claim or expression must be set.
expression must not be specified when claim is set.
When specified, expression must be at least 1 character in length
and must not exceed 4096 characters in length.
maxLength: 4096
and must not exceed 1024 characters in length.
maxLength: 1024
minLength: 1
type: string
type: object
Expand Down Expand Up @@ -441,9 +441,22 @@ spec:
The Kubernetes API server determines how authentication tokens should be handled
by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.

issuerURL must use the 'https' scheme.
pattern: ^https:\/\/[^\s]
Must be at least 1 character and must not exceed 512 characters in length.
Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
maxLength: 512
minLength: 1
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
- message: must use the 'https' scheme
rule: isURL(self) && url(self).getScheme() == 'https'
- message: must not have a query
rule: isURL(self) && url(self).getQuery() == {}
- message: must not have a fragment
rule: self.find('#(.+)$') == ''
- message: must not have user info
rule: self.find('@') == ''
required:
- audiences
- issuerURL
Expand Down
Expand Up @@ -290,9 +290,22 @@ spec:
The Kubernetes API server determines how authentication tokens should be handled
by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.

issuerURL must use the 'https' scheme.
pattern: ^https:\/\/[^\s]
Must be at least 1 character and must not exceed 512 characters in length.
Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
maxLength: 512
minLength: 1
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
- message: must use the 'https' scheme
rule: isURL(self) && url(self).getScheme() == 'https'
- message: must not have a query
rule: isURL(self) && url(self).getQuery() == {}
- message: must not have a fragment
rule: self.find('#(.+)$') == ''
- message: must not have user info
rule: self.find('@') == ''
required:
- audiences
- issuerURL
Expand Down
Expand Up @@ -89,7 +89,7 @@ spec:
used to construct the extra attribute for the cluster identity.
When omitted, no extra attributes will be present on the cluster identity.
key values for extra mappings must be unique.
A maximum of 64 extra attribute mappings may be provided.
A maximum of 32 extra attribute mappings may be provided.
items:
description: |-
ExtraMapping allows specifying a key and CEL expression
Expand Down Expand Up @@ -170,16 +170,16 @@ spec:
For example, the 'sub' claim value can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation ('claims.foo.bar').

valueExpression must not exceed 4096 characters in length.
valueExpression must not exceed 1024 characters in length.
valueExpression must not be empty.
maxLength: 4096
maxLength: 1024
minLength: 1
type: string
required:
- key
- valueExpression
type: object
maxItems: 64
maxItems: 32
type: array
x-kubernetes-list-map-keys:
- key
Expand Down Expand Up @@ -255,8 +255,8 @@ spec:
Precisely one of claim or expression must be set.
expression must not be specified when claim is set.
When specified, expression must be at least 1 character in length
and must not exceed 4096 characters in length.
maxLength: 4096
and must not exceed 1024 characters in length.
maxLength: 1024
minLength: 1
type: string
type: object
Expand Down Expand Up @@ -441,9 +441,22 @@ spec:
The Kubernetes API server determines how authentication tokens should be handled
by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.

issuerURL must use the 'https' scheme.
pattern: ^https:\/\/[^\s]
Must be at least 1 character and must not exceed 512 characters in length.
Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
maxLength: 512
minLength: 1
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
- message: must use the 'https' scheme
rule: isURL(self) && url(self).getScheme() == 'https'
- message: must not have a query
rule: isURL(self) && url(self).getQuery() == {}
- message: must not have a fragment
rule: self.find('#(.+)$') == ''
- message: must not have user info
rule: self.find('@') == ''
required:
- audiences
- issuerURL
Expand Down
Expand Up @@ -89,7 +89,7 @@ spec:
used to construct the extra attribute for the cluster identity.
When omitted, no extra attributes will be present on the cluster identity.
key values for extra mappings must be unique.
A maximum of 64 extra attribute mappings may be provided.
A maximum of 32 extra attribute mappings may be provided.
items:
description: |-
ExtraMapping allows specifying a key and CEL expression
Expand Down Expand Up @@ -170,16 +170,16 @@ spec:
For example, the 'sub' claim value can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation ('claims.foo.bar').

valueExpression must not exceed 4096 characters in length.
valueExpression must not exceed 1024 characters in length.
valueExpression must not be empty.
maxLength: 4096
maxLength: 1024
minLength: 1
type: string
required:
- key
- valueExpression
type: object
maxItems: 64
maxItems: 32
type: array
x-kubernetes-list-map-keys:
- key
Expand Down Expand Up @@ -255,8 +255,8 @@ spec:
Precisely one of claim or expression must be set.
expression must not be specified when claim is set.
When specified, expression must be at least 1 character in length
and must not exceed 4096 characters in length.
maxLength: 4096
and must not exceed 1024 characters in length.
maxLength: 1024
minLength: 1
type: string
type: object
Expand Down Expand Up @@ -441,9 +441,22 @@ spec:
The Kubernetes API server determines how authentication tokens should be handled
by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.

issuerURL must use the 'https' scheme.
pattern: ^https:\/\/[^\s]
Must be at least 1 character and must not exceed 512 characters in length.
Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
maxLength: 512
minLength: 1
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
- message: must use the 'https' scheme
rule: isURL(self) && url(self).getScheme() == 'https'
- message: must not have a query
rule: isURL(self) && url(self).getQuery() == {}
- message: must not have a fragment
rule: self.find('#(.+)$') == ''
- message: must not have user info
rule: self.find('@') == ''
required:
- audiences
- issuerURL
Expand Down
Expand Up @@ -89,7 +89,7 @@ spec:
used to construct the extra attribute for the cluster identity.
When omitted, no extra attributes will be present on the cluster identity.
key values for extra mappings must be unique.
A maximum of 64 extra attribute mappings may be provided.
A maximum of 32 extra attribute mappings may be provided.
items:
description: |-
ExtraMapping allows specifying a key and CEL expression
Expand Down Expand Up @@ -170,16 +170,16 @@ spec:
For example, the 'sub' claim value can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation ('claims.foo.bar').

valueExpression must not exceed 4096 characters in length.
valueExpression must not exceed 1024 characters in length.
valueExpression must not be empty.
maxLength: 4096
maxLength: 1024
minLength: 1
type: string
required:
- key
- valueExpression
type: object
maxItems: 64
maxItems: 32
type: array
x-kubernetes-list-map-keys:
- key
Expand Down Expand Up @@ -255,8 +255,8 @@ spec:
Precisely one of claim or expression must be set.
expression must not be specified when claim is set.
When specified, expression must be at least 1 character in length
and must not exceed 4096 characters in length.
maxLength: 4096
and must not exceed 1024 characters in length.
maxLength: 1024
minLength: 1
type: string
type: object
Expand Down Expand Up @@ -441,9 +441,22 @@ spec:
The Kubernetes API server determines how authentication tokens should be handled
by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.

issuerURL must use the 'https' scheme.
pattern: ^https:\/\/[^\s]
Must be at least 1 character and must not exceed 512 characters in length.
Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
maxLength: 512
minLength: 1
type: string
x-kubernetes-validations:
- message: must be a valid URL
rule: isURL(self)
- message: must use the 'https' scheme
rule: isURL(self) && url(self).getScheme() == 'https'
- message: must not have a query
rule: isURL(self) && url(self).getQuery() == {}
- message: must not have a fragment
rule: self.find('#(.+)$') == ''
- message: must not have user info
rule: self.find('@') == ''
required:
- audiences
- issuerURL
Expand Down