Add test to test tokenrules pass when configuring oauthclients

Anna-Koudelkova · Anna-Koudelkova · commit 4bc8e4599a99 · 2026-03-10T23:30:10.000+01:00
diff --git a/tests/e2e/framework/common.go b/tests/e2e/framework/common.go
@@ -32,10 +32,15 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	clusterv1alpha1 "open-cluster-management.io/api/cluster/v1alpha1"
 
+	"encoding/json"
 	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	psapi "k8s.io/pod-security-admission/api"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	dynclient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -3179,3 +3184,204 @@ func (f *Framework) AssertNodeNameIsInTargetAndFactIdentifierInCM(nodes []core.N
 	}
 	return nil
 }	
+// OAuthClientConfig holds the token settings for an OAuth client so they can be restored later.
+// Pointer fields are nil when the client did not have that field set; restore will remove the field instead of setting 0.
+type OAuthClientConfig struct {
+	Name                                string
+	AccessTokenMaxAgeSeconds            *int64
+	AccessTokenInactivityTimeoutSeconds *int64
+}
+
+// GetOAuthClientConfigs lists all OAuth clients and returns their current token config (no patching).
+func (f *Framework) GetOAuthClientConfigs() ([]OAuthClientConfig, error) {
+	return getOAuthClientConfigs(f)
+}
+
+func getOAuthClientConfigs(f *Framework) ([]OAuthClientConfig, error) {
+	oauthConfig := *f.KubeConfig
+	oauthConfig.GroupVersion = &schema.GroupVersion{Group: "oauth.openshift.io", Version: "v1"}
+	oauthConfig.APIPath = "/apis"
+	oauthConfig.NegotiatedSerializer = serializer.NewCodecFactory(runtime.NewScheme())
+	restClient, err := rest.RESTClientFor(&oauthConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create REST client for oauth: %w", err)
+	}
+
+	oauthClientListBytes, err := restClient.Get().
+		Resource("oauthclients").
+		Do(context.TODO()).
+		Raw()
+	if err != nil {
+		return nil, fmt.Errorf("failed to list oauthclients: %w", err)
+	}
+
+	var oauthClientList map[string]interface{}
+	if err := json.Unmarshal(oauthClientListBytes, &oauthClientList); err != nil {
+		return nil, fmt.Errorf("failed to parse oauthclient list response: %w", err)
+	}
+
+	items, ok := oauthClientList["items"].([]interface{})
+	if !ok {
+		return nil, fmt.Errorf("failed to extract items from oauthclient list")
+	}
+
+	var configs []OAuthClientConfig
+	for _, item := range items {
+		clientObj, ok := item.(map[string]interface{})
+		if !ok {
+			continue
+		}
+		metadata, ok := clientObj["metadata"].(map[string]interface{})
+		if !ok {
+			continue
+		}
+		clientName, ok := metadata["name"].(string)
+		if !ok {
+			continue
+		}
+		var maxAge, inactivity *int64
+		if v, ok := clientObj["accessTokenMaxAgeSeconds"].(float64); ok {
+			val := int64(v)
+			maxAge = &val
+		}
+		if v, ok := clientObj["accessTokenInactivityTimeoutSeconds"].(float64); ok {
+			val := int64(v)
+			inactivity = &val
+		}
+		configs = append(configs, OAuthClientConfig{
+			Name:                                clientName,
+			AccessTokenMaxAgeSeconds:            maxAge,
+			AccessTokenInactivityTimeoutSeconds: inactivity,
+		})
+	}
+	return configs, nil
+}
+
+// UpdateOAuthClientConfigs patches every OAuth client with the given token settings and verifies the patch.
+func (f *Framework) UpdateOAuthClientConfigs(maxAgeSeconds, inactivityTimeoutSeconds int64) error {
+	return updateOAuthClientConfigs(f, maxAgeSeconds, inactivityTimeoutSeconds)
+}
+
+func updateOAuthClientConfigs(f *Framework, maxAgeSeconds, inactivityTimeoutSeconds int64) error {
+	oauthConfig := *f.KubeConfig
+	oauthConfig.GroupVersion = &schema.GroupVersion{Group: "oauth.openshift.io", Version: "v1"}
+	oauthConfig.APIPath = "/apis"
+	oauthConfig.NegotiatedSerializer = serializer.NewCodecFactory(runtime.NewScheme())
+	restClient, err := rest.RESTClientFor(&oauthConfig)
+	if err != nil {
+		return fmt.Errorf("failed to create REST client for oauth: %w", err)
+	}
+
+	oauthClientListBytes, err := restClient.Get().
+		Resource("oauthclients").
+		Do(context.TODO()).
+		Raw()
+	if err != nil {
+		return fmt.Errorf("failed to list oauthclients: %w", err)
+	}
+
+	var oauthClientList map[string]interface{}
+	if err := json.Unmarshal(oauthClientListBytes, &oauthClientList); err != nil {
+		return fmt.Errorf("failed to parse oauthclient list response: %w", err)
+	}
+
+	items, ok := oauthClientList["items"].([]interface{})
+	if !ok {
+		return fmt.Errorf("failed to extract items from oauthclient list")
+	}
+
+	for _, item := range items {
+		clientObj, ok := item.(map[string]interface{})
+		if !ok {
+			continue
+		}
+		metadata, ok := clientObj["metadata"].(map[string]interface{})
+		if !ok {
+			continue
+		}
+		clientName, ok := metadata["name"].(string)
+		if !ok {
+			continue
+		}
+
+		patch := []byte(fmt.Sprintf(`{"accessTokenMaxAgeSeconds":%d,"accessTokenInactivityTimeoutSeconds":%d}`, maxAgeSeconds, inactivityTimeoutSeconds))
+		err = restClient.Patch(types.MergePatchType).
+			Resource("oauthclients").
+			Name(clientName).
+			Body(patch).
+			Do(context.TODO()).
+			Error()
+		if err != nil {
+			return fmt.Errorf("failed to patch oauthclient %s: %w", clientName, err)
+		}
+
+		patchedClientBytes, err := restClient.Get().
+			Resource("oauthclients").
+			Name(clientName).
+			Do(context.TODO()).
+			Raw()
+		if err != nil {
+			return fmt.Errorf("failed to get patched oauthclient %s: %w", clientName, err)
+		}
+		var patchedObj map[string]interface{}
+		if err := json.Unmarshal(patchedClientBytes, &patchedObj); err != nil {
+			return fmt.Errorf("failed to parse patched oauthclient %s: %w", clientName, err)
+		}
+		gotMaxAge, ok := patchedObj["accessTokenMaxAgeSeconds"].(float64)
+		if !ok || int64(gotMaxAge) != maxAgeSeconds {
+			return fmt.Errorf("expected accessTokenMaxAgeSeconds to be %d for oauthclient %s, got %v", maxAgeSeconds, clientName, gotMaxAge)
+		}
+		gotInactivity, ok := patchedObj["accessTokenInactivityTimeoutSeconds"].(float64)
+		if !ok || int64(gotInactivity) != inactivityTimeoutSeconds {
+			return fmt.Errorf("expected accessTokenInactivityTimeoutSeconds to be %d for oauthclient %s, got %v", inactivityTimeoutSeconds, clientName, gotInactivity)
+		}
+		log.Printf("successfully patched oauthclient %s with accessTokenMaxAgeSeconds=%d and accessTokenInactivityTimeoutSeconds=%d", clientName, maxAgeSeconds, inactivityTimeoutSeconds)
+	}
+	return nil
+}
+
+// RestoreOAuthClientConfigs patches each OAuth client back to the given configs (e.g. from GetOAuthClientConfigs).
+func (f *Framework) RestoreOAuthClientConfigs(configs []OAuthClientConfig) error {
+	if len(configs) == 0 {
+		return nil
+	}
+	oauthConfig := *f.KubeConfig
+	oauthConfig.GroupVersion = &schema.GroupVersion{Group: "oauth.openshift.io", Version: "v1"}
+	oauthConfig.APIPath = "/apis"
+	oauthConfig.NegotiatedSerializer = serializer.NewCodecFactory(runtime.NewScheme())
+	restClient, err := rest.RESTClientFor(&oauthConfig)
+	if err != nil {
+		return fmt.Errorf("failed to create REST client for oauth: %w", err)
+	}
+
+	for _, cfg := range configs {
+		patchObj := make(map[string]interface{})
+		if cfg.AccessTokenMaxAgeSeconds != nil {
+			patchObj["accessTokenMaxAgeSeconds"] = *cfg.AccessTokenMaxAgeSeconds
+		} else {
+			patchObj["accessTokenMaxAgeSeconds"] = nil
+		}
+		if cfg.AccessTokenInactivityTimeoutSeconds != nil {
+			patchObj["accessTokenInactivityTimeoutSeconds"] = *cfg.AccessTokenInactivityTimeoutSeconds
+		} else {
+			patchObj["accessTokenInactivityTimeoutSeconds"] = nil
+		}
+		patch, err := json.Marshal(patchObj)
+		if err != nil {
+			return fmt.Errorf("marshal restore patch for oauthclient %s: %w", cfg.Name, err)
+		}
+		err = restClient.Patch(types.MergePatchType).
+			Resource("oauthclients").
+			Name(cfg.Name).
+			Body(patch).
+			Do(context.TODO()).
+			Error()
+		if err != nil {
+			return fmt.Errorf("failed to restore oauthclient %s: %w", cfg.Name, err)
+		}
+		log.Printf("restored oauthclient %s (maxAge=%v, inactivity=%v)",
+			cfg.Name, cfg.AccessTokenMaxAgeSeconds, cfg.AccessTokenInactivityTimeoutSeconds)
+	}
+	return nil
+}
+
diff --git a/tests/e2e/serial/main_test.go b/tests/e2e/serial/main_test.go
@@ -2487,5 +2487,99 @@ func TestStrictNodeScanConfiguration(t *testing.T) {
 			t.Fatalf("suite left PENDING state (expected to remain PENDING for 30s): phase=%s", suite.Status.Phase)
 		}
 		time.Sleep(framework.RetryInterval)
+	}
 }
+
+func TestTokenRulesPassOauthClientsConfigurable(t *testing.T) {
+	f := framework.Global
+	suiteName := framework.GetObjNameFromTest(t)
+	tp := &compv1alpha1.TailoredProfile{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      suiteName,
+			Namespace: f.OperatorNamespace,
+		},
+		Spec: compv1alpha1.TailoredProfileSpec{
+			Title:       "oauthRules",
+			Description: "oauthRules",
+			EnableRules: []compv1alpha1.RuleReferenceSpec{
+				{
+					Name:      "ocp4-oauth-or-oauthclient-token-maxage",
+					Rationale: "To be tested",
+				},
+				{
+					Name:      "ocp4-oauth-or-oauthclient-inactivity-timeout",
+					Rationale: "To be tested",
+				},
+			},
+			SetValues: []compv1alpha1.VariableValueSpec{
+				{
+					Name:      "ocp4-var-oauth-token-maxage",
+					Value:     "28800",
+					Rationale: "Set token max age to 28800 seconds",
+				},
+			},
+		},
+	}
+	createTPErr := f.Client.Create(context.TODO(), tp, nil)
+	if createTPErr != nil {
+		t.Fatal(createTPErr)
+	}
+	defer f.Client.Delete(context.TODO(), tp)
+
+	ssb := &compv1alpha1.ScanSettingBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      suiteName,
+			Namespace: f.OperatorNamespace,
+		},
+		Profiles: []compv1alpha1.NamedObjectReference{
+			{
+				APIGroup: "compliance.openshift.io/v1alpha1",
+				Kind:     "TailoredProfile",
+				Name:     suiteName,
+			},
+		},
+		SettingsRef: &compv1alpha1.NamedObjectReference{
+			APIGroup: "compliance.openshift.io/v1alpha1",
+			Kind:     "ScanSetting",
+			Name:     "default",
+		},
+	}
+	err := f.Client.Create(context.TODO(), ssb, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Client.Delete(context.TODO(), ssb)
+
+	// Wait for initial scan to complete and verify non-compliant
+	if err := f.WaitForSuiteScansStatus(f.OperatorNamespace, suiteName, compv1alpha1.PhaseDone, compv1alpha1.ResultNonCompliant); err != nil {
+		t.Fatal(err)
+	}
+
+	originalConfigs, err := f.GetOAuthClientConfigs()
+	if err != nil {
+		t.Fatalf("failed to get oauth client configs: %s", err)
+	}
+	if err := f.UpdateOAuthClientConfigs(28800, 600); err != nil {
+		t.Fatalf("failed to update oauth client configs: %s", err)
+	}
+	defer func() {
+		if restoreErr := f.RestoreOAuthClientConfigs(originalConfigs); restoreErr != nil {
+			t.Logf("failed to restore oauth client configs: %v", restoreErr)
+		}
+	}()
+
+	// Re-run the suite
+	if err := f.RescanSuite(suiteName, f.OperatorNamespace); err != nil {
+		t.Fatalf("failed to rescan suite: %s", err)
+	}
+
+	// Wait for scans to restart
+	if err := f.WaitForSuiteScansStatus(f.OperatorNamespace, suiteName, compv1alpha1.PhaseRunning, compv1alpha1.ResultNotAvailable); err != nil {
+		t.Fatal(err)
+	}
+
+	// Wait for scans to complete and verify compliant
+	if err := f.WaitForSuiteScansStatus(f.OperatorNamespace, suiteName, compv1alpha1.PhaseDone, compv1alpha1.ResultCompliant); err != nil {
+		t.Fatal(err)
+	}
 }
