CMP-3818: Add test to test tokenrules pass when configuring oauthclients

[Anna-Koudelkova]

In the upstream content testing we apply remediation for rules ocp4-oauth-or-oauthclient-token-maxage and ocp4-oauth-or-oauthclient-inactivity-timeout by patching it on cluster level. Both rules should be passing if client do not set the value on a cluster level, but set the values for all oauthclients individually.
This PR should add test to see if both rules are passing when the values are set per each client.

2026/01/26 13:04:23 All scans in ComplianceSuite have finished (test-token-rules-pass-oauth-clients-configurable)
--- PASS: TestTokenRulesPassOauthClientsConfigurable (86.17s)
PASS
...
ok  	github.com/ComplianceAsCode/compliance-operator/tests/e2e/serial	298.255s

Note: I have run into some issues while trying to make this testcase work - mainly because I understood the description of the rule ocp4-oauth-or-oauthclient-token-maxage that for it to pass it is enough to set the values for all oauth clients - and I can set whatever value I want. Which is not true - the values set need to correspond with the value in the corresponding variable ocp4-var-oauth-token-maxage. If the values from the variable and from the oauth clients mismatch, the rule would FAIL. Is this the expected behavior?

[openshift-ci-robot]

@Anna-Koudelkova: This pull request references CMP-3818 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

In the upstream content testing we apply remediation for rules ocp4-oauth-or-oauthclient-token-maxage and ocp4-oauth-or-oauthclient-inactivity-timeout by patching it on cluster level. Both rules should be passing if client do not set the value on a cluster level, but set the values for all oauthclients individually.
This PR should add test to see if both rules are passing when the values are set per each client.

... And currently it is still failing on token-maxage rule. It should be fine, the values are set, but for some reason, it does not cooperate with me today... WIP

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1058-37580fe525f028af04115a34449964a412881073

[Anna-Koudelkova]

Currently this does not work correctly even after multiple rescans and I am not sure if the problem is the test case itself. Posting some logs just so I do not loose it during the treasure hunt ( meaning: while chasing the fix):

$ oc get ccr
NAME                                                                                       STATUS   SEVERITY
test-token-rules-pass-oauth-clients-configurable-oauth-or-oauthclient-inactivity-timeout   PASS     medium
test-token-rules-pass-oauth-clients-configurable-oauth-or-oauthclient-token-maxage         FAIL     medium

$ oc get oauthclients -ojson | jq -r '.items[] | { accessTokenMaxAgeSeconds: .accessTokenMaxAgeSeconds}'
{
  "accessTokenMaxAgeSeconds": 28800
}
{
  "accessTokenMaxAgeSeconds": 28800
}
{
  "accessTokenMaxAgeSeconds": 28800
}
{
  "accessTokenMaxAgeSeconds": 28800
}

$ oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenMaxAgeSeconds}'

$ oc get oauthclients -o json | jq -r '.items[] | "\(.metadata.name): \(.accessTokenMaxAgeSeconds)"'
console: 28800
openshift-browser-client: 28800
openshift-challenging-client: 28800
openshift-cli-client: 28800

$ oc get variable ocp4-var-oauth-token-maxage -o jsonpath='{.value}'
86400

ok, but after I patch the value to the one expected by the variable and rescan, it is passing - is this expected?

$  oc get oauthclients -ojson | jq -r '.items[] | { accessTokenMaxAgeSeconds: .accessTokenMaxAgeSeconds}'
{
  "accessTokenMaxAgeSeconds": 86400
}
{
  "accessTokenMaxAgeSeconds": 86400
}
{
  "accessTokenMaxAgeSeconds": 86400
}
{
  "accessTokenMaxAgeSeconds": 86400
}

$ oc get ccr
NAME                                                                                       STATUS   SEVERITY
test-token-rules-pass-oauth-clients-configurable-oauth-or-oauthclient-inactivity-timeout   PASS     medium
test-token-rules-pass-oauth-clients-configurable-oauth-or-oauthclient-token-maxage         PASS     medium

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1058-b29f1077a8da6e8335f223af1d28f89810d825a4

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1058-17972bc8f22253c81e4fc245d1956a4d20091410

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1058-e4a63ec49bf4afcc517ae25b719b91b5996ecb10

[rhmdnd]

A couple suggestions on reducing calls and a potential approach to cleaning up after the test is done, since we're dealing with a cluster-wide setting.

[rhmdnd]

We could put the "accessTokenInactivityTimeoutSeconds":%d in here, too and save on a second patch and verify call, which would cut the function length by about half.

[rhmdnd]

Since this is patch a cluster-wide configuration option, we could do something like:

originalConfigs := getOAuthClientConfigs()

if err := f.PatchAllOAuthClients(28800, 600); err != nil {
  t.Fatalf("failed to patch oauthclients: %s", err)
}

defer restoreOAuthClientConfigs(originalConfigs)

The defer would make sure the original values are set back to what they were, in case those updates fail other tests for some reason. The defer function might need to poll to verify the configs are updated, but we're doing that already in the PatchAllOAuthClients function.

[Anna-Koudelkova]

Oh! Thanks a lot, defer step was definitely missing. I ended up combining the getOauthclientConfigs() with PatchAllOauthClients() into one, not really sure if that is acceptable or not, please let me know if that is not the right way to do it - I really appreciate your feedback.

[rhmdnd]

/retest-required

[Anna-Koudelkova]

Passing with the new changes however I am unsure about smashing getOauthclientConfigs() and PatchAllOauthClients() together and would much appreciate kind reviewers guidance once more. Thanks a lot!

=== RUN   TestTokenRulesPassOauthClientsConfigurable
2026/03/03 15:55:06 waiting until suite test-token-rules-pass-oauth-clients-configurable reaches target status 'DONE'. Current status: RUNNING
2026/03/03 15:55:11 waiting until suite test-token-rules-pass-oauth-clients-configurable reaches target status 'DONE'. Current status: RUNNING
2026/03/03 15:55:16 waiting until suite test-token-rules-pass-oauth-clients-configurable reaches target status 'DONE'. Current status: RUNNING
2026/03/03 15:55:21 waiting until suite test-token-rules-pass-oauth-clients-configurable reaches target status 'DONE'. Current status: RUNNING
2026/03/03 15:55:26 waiting until suite test-token-rules-pass-oauth-clients-configurable reaches target status 'DONE'. Current status: AGGREGATING
2026/03/03 15:55:31 waiting until suite test-token-rules-pass-oauth-clients-configurable reaches target status 'DONE'. Current status: AGGREGATING
2026/03/03 15:55:41 ComplianceScan ready (DONE)
2026/03/03 15:55:41 All scans in ComplianceSuite have finished (test-token-rules-pass-oauth-clients-configurable)
2026/03/03 15:55:42 successfully patched oauthclient console with accessTokenMaxAgeSeconds=28800 and accessTokenInactivityTimeoutSeconds=600
2026/03/03 15:55:42 successfully patched oauthclient openshift-browser-client with accessTokenMaxAgeSeconds=28800 and accessTokenInactivityTimeoutSeconds=600
2026/03/03 15:55:42 successfully patched oauthclient openshift-challenging-client with accessTokenMaxAgeSeconds=28800 and accessTokenInactivityTimeoutSeconds=600
2026/03/03 15:55:42 successfully patched oauthclient openshift-cli-client with accessTokenMaxAgeSeconds=28800 and accessTokenInactivityTimeoutSeconds=600
2026/03/03 15:55:43 Triggered rescan for scan test-token-rules-pass-oauth-clients-configurable
2026/03/03 15:55:53 ComplianceScan ready (RUNNING)
2026/03/03 15:55:53 All scans in ComplianceSuite have finished (test-token-rules-pass-oauth-clients-configurable)
2026/03/03 15:55:58 waiting until suite test-token-rules-pass-oauth-clients-configurable reaches target status 'DONE'. Current status: RUNNING
2026/03/03 15:56:03 waiting until suite test-token-rules-pass-oauth-clients-configurable reaches target status 'DONE'. Current status: RUNNING
2026/03/03 15:56:08 waiting until suite test-token-rules-pass-oauth-clients-configurable reaches target status 'DONE'. Current status: AGGREGATING
2026/03/03 15:56:18 ComplianceScan ready (DONE)
2026/03/03 15:56:18 All scans in ComplianceSuite have finished (test-token-rules-pass-oauth-clients-configurable)
2026/03/03 15:56:19 restored oauthclient console to accessTokenMaxAgeSeconds=0, accessTokenInactivityTimeoutSeconds=0
2026/03/03 15:56:19 restored oauthclient openshift-browser-client to accessTokenMaxAgeSeconds=0, accessTokenInactivityTimeoutSeconds=0
2026/03/03 15:56:19 restored oauthclient openshift-challenging-client to accessTokenMaxAgeSeconds=0, accessTokenInactivityTimeoutSeconds=0
2026/03/03 15:56:19 restored oauthclient openshift-cli-client to accessTokenMaxAgeSeconds=0, accessTokenInactivityTimeoutSeconds=0
--- PASS: TestTokenRulesPassOauthClientsConfigurable (78.75s)

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1058-0ed69d99dc672c063a13f65ddd6080abcbed95a7

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1058-d151d26f9df951f536c617aafca02bbcd35112f5

[rhmdnd]

Looks great! Approving pending testing feedback.

/lgtm
/approve

[rhmdnd]

If an OAuth client doesn't have maxAge or inactivity set, the config passed back to the restore function will set them to 0 instead of leaving them unset.
For example:

# before test
OAuth Config:
  name: foo

# during test
OAuth Config:
  name: foo
  maxAge: 28800
  inactivity: 600

# after restore
OAuth Config:
  name: foo
  maxAge: 0
  inactivity: 0

So the restore would set the values to 0 rather than removing them. The question is whether the OAuth server treats an unset value the same as 0.

Either way, this is probably fine given we don't test OAuth outside of this case, but wanted to mention it as a potential edge case in the restoration flow.

[rhmdnd]

To your question about combining these. The primary reason behind my previous comment was to advocate for a single patch call for two values instead of two separate patch calls per config (which you've implemented).

I'm not opposed to what you've done here, since it saves off the original configs and patches each client into the same loop.

Alternatively, we could have a getOAuthClientConfigs and an updateOAuthClientConfigs separately, but in that case we'd be iterating the list of configs three times (getting the original values, updating the clients for the test, restoring the original values) as opposed to just twice (getting the original values and setting the test-specific values, then restoring the original values).

I could go either way - it's up to you how you'd like to structure it and whatever make sense to you organizationally.

[Anna-Koudelkova]

Ok, if the decision is up to me and there is no stylistic preference (and the cost of iterating can be disregarded), I have split it again to two functions (getOAuthClientConfigs and updateOAuthClientConfigs - that is what looks "clearer" to my brain. 🙂

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Anna-Koudelkova, rhmdnd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Anna-Koudelkova,rhmdnd]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rhmdnd]

Clean e2e test runs across parallel and serial suites 🎉 - just needs a rebase.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1058-9d1136cd5dad8e63587a89e5b5efd02c0e4cb7d0

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1058-4bc8e4599a995834ce1b5638fefe1e9eedc8f67e

[Anna-Koudelkova]

/retest

[openshift-ci]

@Anna-Koudelkova: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-rosa	4bc8e45	link	true	/test e2e-rosa
ci/prow/e2e-aws-parallel-arm	4bc8e45	link	true	/test e2e-aws-parallel-arm

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.