fixup! address review comments

everettraven · everettraven · commit bca83171c1f2 · 2025-07-24T12:15:07.000-04:00
Signed-off-by: Bryce Palmer &lt;bpalmer@redhat.com&gt;
diff --git a/test/extended/authentication/keycloak_client.go b/test/extended/authentication/keycloak_client.go
@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"crypto/tls"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -43,11 +42,15 @@ func keycloakClientFor(keycloakURL string) (*keycloakClient, error) {
 	}, nil
 }
 
+type group struct {
+	Name string `json:"name"`
+}
+
 func (kc *keycloakClient) CreateGroup(name string) error {
 	groupURL := kc.adminURL.JoinPath("groups")
 
-	group := map[string]interface{}{
-		"name": name,
+	group := group{
+		Name: name,
 	}
 
 	groupBytes, err := json.Marshal(group)
@@ -69,20 +72,41 @@ func (kc *keycloakClient) CreateGroup(name string) error {
 	return nil
 }
 
+type user struct {
+	Username      string       `json:"username"`
+	Email         string       `json:"email"`
+	Enabled       bool         `json:"enabled"`
+	EmailVerified bool         `json:"emailVerified"`
+	Groups        []string     `json:"groups"`
+	Credentials   []credential `json:"credentials"`
+}
+
+type credential struct {
+	Temporary bool           `json:"temporary"`
+	Type      credentialType `json:"type"`
+	Value     string         `json:"value"`
+}
+
+type credentialType string
+
+const (
+	credentialTypePassword credentialType = "password"
+)
+
 func (kc *keycloakClient) CreateUser(username, password string, groups ...string) error {
 	userURL := kc.adminURL.JoinPath("users")
 
-	user := map[string]interface{}{
-		"username":      username,
-		"email":         fmt.Sprintf("%s@payload.openshift.io", username),
-		"enabled":       true,
-		"emailVerified": true,
-		"groups":        groups,
-		"credentials": []map[string]interface{}{
+	user := user{
+		Username:      username,
+		Email:         fmt.Sprintf("%s@payload.openshift.io", username),
+		Enabled:       true,
+		EmailVerified: true,
+		Groups:        groups,
+		Credentials: []credential{
 			{
-				"temporary": false,
-				"type":      "password",
-				"value":     password,
+				Temporary: true,
+				Type:      credentialTypePassword,
+				Value:     password,
 			},
 		},
 	}
@@ -106,14 +130,18 @@ func (kc *keycloakClient) CreateUser(username, password string, groups ...string
 	return nil
 }
 
+type authenticationResponse struct {
+	AccessToken string `json:"access_token"`
+	IDToken     string `json:"id_token"`
+}
+
 func (kc *keycloakClient) Authenticate(clientID, username, password string) error {
-	data := url.Values{
-		"username":   []string{username},
-		"password":   []string{password},
-		"grant_type": []string{"password"},
-		"client_id":  []string{clientID},
-		"scope":      []string{"openid"},
-	}
+	data := url.Values{}
+	data.Set("username", username)
+	data.Set("password", password)
+	data.Set("grant_type", "password")
+	data.Set("client_id", clientID)
+	data.Set("scope", "openid")
 
 	tokenURL := *kc.adminURL
 	tokenURL.Path = fmt.Sprintf("/realms/%s/protocol/openid-connect/token", kc.realm)
@@ -124,38 +152,15 @@ func (kc *keycloakClient) Authenticate(clientID, username, password string) erro
 	}
 	defer resp.Body.Close()
 
-	respBody := map[string]interface{}{}
-	respBodyData, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return fmt.Errorf("reading response data: %w", err)
-	}
+	respBody := &authenticationResponse{}
 
-	err = json.Unmarshal(respBodyData, &respBody)
+	err = json.NewDecoder(resp.Body).Decode(respBody)
 	if err != nil {
-		return fmt.Errorf("unmarshalling response body %s: %w", respBodyData, err)
-	}
-
-	accessTokenData, ok := respBody["access_token"]
-	if !ok {
-		return errors.New("unable to extract access token from the response body: access_token field is missing")
-	}
-
-	accessToken, ok := accessTokenData.(string)
-	if !ok {
-		return fmt.Errorf("expected accessToken to be of type string but was %T", accessTokenData)
-	}
-	kc.accessToken = accessToken
-
-	idTokenData, ok := respBody["id_token"]
-	if !ok {
-		return errors.New("unable to extract id token from the response body: id_token field is missing")
+		return fmt.Errorf("unmarshalling response data: %w", err)
 	}
 
-	idToken, ok := idTokenData.(string)
-	if !ok {
-		return fmt.Errorf("expected idToken to be of type string but was %T", idTokenData)
-	}
-	kc.idToken = idToken
+	kc.accessToken = respBody.AccessToken
+	kc.idToken = respBody.IDToken
 
 	return nil
 }
@@ -191,41 +196,66 @@ func (kc *keycloakClient) ConfigureClient(clientId string) error {
 		return fmt.Errorf("getting client %q: %w", clientId, err)
 	}
 
-	id, ok := client["id"]
-	if !ok {
-		return fmt.Errorf("client %q doesn't have 'id'", clientId)
-	}
-
-	idStr, ok := id.(string)
-	if !ok {
-		return fmt.Errorf("client %q 'id' is not of type string: %T", clientId, id)
-	}
-
-	if err := kc.CreateClientGroupMapper(idStr, "test-groups-mapper", "groups"); err != nil {
+	if err := kc.CreateClientGroupMapper(client.ID, "test-groups-mapper", "groups"); err != nil {
 		return fmt.Errorf("creating group mapper for client %q: %w", clientId, err)
 	}
 
-	if err := kc.CreateClientAudienceMapper(idStr, "test-aud-mapper"); err != nil {
+	if err := kc.CreateClientAudienceMapper(client.ID, "test-aud-mapper"); err != nil {
 		return fmt.Errorf("creating audience mapper for client %q: %w", clientId, err)
 	}
 
 	return nil
 }
 
+type groupMapper struct {
+	Name           string            `json:"name"`
+	Protocol       protocol          `json:"protocol"`
+	ProtocolMapper protocolMapper    `json:"protocolMapper"`
+	Config         groupMapperConfig `json:"config"`
+}
+
+type protocol string
+
+const (
+	protocolOpenIDConnect protocol = "openid-connect"
+)
+
+type protocolMapper string
+
+const (
+	protocolMapperOpenIDConnectGroupMembership protocolMapper = "oidc-group-membership-mapper"
+	protocolMapperOpenIDConnectAudience        protocolMapper = "oidc-audience-mapper"
+)
+
+type groupMapperConfig struct {
+	FullPath           booleanString `json:"full.path"`
+	IDTokenClaim       booleanString `json:"id.token.claim"`
+	AccessTokenClaim   booleanString `json:"access.token.claim"`
+	UserInfoTokenClaim booleanString `json:"userinfo.token.claim"`
+	ClaimName          string        `json:"claim.name"`
+}
+
+type booleanString string
+
+const (
+	booleanStringTrue  booleanString = "true"
+	booleanStringFalse booleanString = "false"
+)
+
 func (kc *keycloakClient) CreateClientGroupMapper(clientId, name, claim string) error {
 	mappersURL := *kc.adminURL
 	mappersURL.Path += fmt.Sprintf("/clients/%s/protocol-mappers/models", clientId)
 
-	mapper := map[string]interface{}{
-		"name":           name,
-		"protocol":       "openid-connect",
-		"protocolMapper": "oidc-group-membership-mapper", // protocol-mapper type provided by Keycloak
-		"config": map[string]string{
-			"full.path":            "false",
-			"id.token.claim":       "true",
-			"access.token.claim":   "true",
-			"userinfo.token.claim": "true",
-			"claim.name":           claim,
+	mapper := &groupMapper{
+		Name:           name,
+		Protocol:       protocolOpenIDConnect,
+		ProtocolMapper: protocolMapperOpenIDConnectGroupMembership,
+		Config: groupMapperConfig{
+			FullPath:           booleanStringFalse,
+			IDTokenClaim:       booleanStringTrue,
+			AccessTokenClaim:   booleanStringTrue,
+			UserInfoTokenClaim: booleanStringTrue,
+			ClaimName:          claim,
 		},
 	}
 
@@ -249,21 +279,36 @@ func (kc *keycloakClient) CreateClientGroupMapper(clientId, name, claim string)
 	return nil
 }
 
+type audienceMapper struct {
+	Name           string               `json:"name"`
+	Protocol       protocol             `json:"protocol"`
+	ProtocolMapper protocolMapper       `json:"protocolMapper"`
+	Config         audienceMapperConfig `json:"config"`
+}
+
+type audienceMapperConfig struct {
+	IDTokenClaim            booleanString `json:"id.token.claim"`
+	AccessTokenClaim        booleanString `json:"access.token.claim"`
+	IntrospectionTokenClaim booleanString `json:"introspection.token.claim"`
+	IncludedClientAudience  string        `json:"included.client.audience"`
+	IncludedCustomAudience  string        `json:"included.custom.audience"`
+	LightweightClaim        booleanString `json:"lightweight.claim"`
+}
+
 func (kc *keycloakClient) CreateClientAudienceMapper(clientId, name string) error {
 	mappersURL := *kc.adminURL
 	mappersURL.Path += fmt.Sprintf("/clients/%s/protocol-mappers/models", clientId)
 
-	mapper := map[string]interface{}{
-		"name":           name,
-		"protocol":       "openid-connect",
-		"protocolMapper": "oidc-audience-mapper", // protocol-mapper type provided by Keycloak
-		"config": map[string]string{
-			"id.token.claim":            "false",
-			"access.token.claim":        "true",
-			"introspection.token.claim": "true",
-			"included.client.audience":  "admin-cli",
-			"included.custom.audience":  "",
-			"lightweight.claim":         "false",
+	mapper := &audienceMapper{
+		Name:           name,
+		Protocol:       protocolOpenIDConnect,
+		ProtocolMapper: protocolMapperOpenIDConnectAudience,
+		Config: audienceMapperConfig{
+			IDTokenClaim:            booleanStringFalse,
+			AccessTokenClaim:        booleanStringTrue,
+			IntrospectionTokenClaim: booleanStringTrue,
+			IncludedClientAudience:  "admin-cli",
+			LightweightClaim:        booleanStringFalse,
 		},
 	}
 
@@ -287,8 +332,13 @@ func (kc *keycloakClient) CreateClientAudienceMapper(clientId, name string) erro
 	return nil
 }
 
+type client struct {
+	ClientID string `json:"clientID"`
+	ID       string `json:"id"`
+}
+
 // ListClients retrieves all clients
-func (kc *keycloakClient) ListClients() ([]map[string]interface{}, error) {
+func (kc *keycloakClient) ListClients() ([]client, error) {
 	clientsURL := *kc.adminURL
 	clientsURL.Path += "/clients"
 
@@ -298,29 +348,28 @@ func (kc *keycloakClient) ListClients() ([]map[string]interface{}, error) {
 	}
 	defer resp.Body.Close()
 
-	respBytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("listing clients failed: %s: %s", resp.Status, respBytes)
+		return nil, fmt.Errorf("listing clients failed: %s", resp.Status)
 	}
 
-	clients := []map[string]interface{}{}
-	err = json.Unmarshal(respBytes, &clients)
+	clients := []client{}
+	err = json.NewDecoder(resp.Body).Decode(&clients)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshalling response data: %w", err)
+	}
 
 	return clients, err
 }
 
-func (kc *keycloakClient) GetClientByClientID(clientID string) (map[string]interface{}, error) {
+func (kc *keycloakClient) GetClientByClientID(clientID string) (*client, error) {
 	clients, err := kc.ListClients()
 	if err != nil {
 		return nil, err
 	}
 
 	for _, c := range clients {
-		if c["clientId"].(string) == clientID {
-			return c, nil
+		if c.ClientID == clientID {
+			return &c, nil
 		}
 	}
 
diff --git a/test/extended/authentication/oidc.go b/test/extended/authentication/oidc.go
@@ -3,7 +3,6 @@ package authentication
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"strings"
 	"time"
@@ -17,6 +16,8 @@ import (
 	authnv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/util/errors"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/rand"
@@ -64,7 +65,7 @@ var _ = g.Describe("[sig-auth][Suite:openshift/auth/external-oidc][Serial][Slow]
 		keycloakCli, err = keycloakClientFor(kcURL)
 		o.Expect(err).NotTo(o.HaveOccurred(), "should not encounter an error creating a keycloak client")
 
-		// First authenticate as the admin keyloak user so we can add new groups and users
+		// First authenticate as the admin keycloak user so we can add new groups and users
 		err = keycloakCli.Authenticate("admin-cli", keycloakAdminUsername, keycloakAdminPassword)
 		o.Expect(err).NotTo(o.HaveOccurred(), "should not encounter an error authenticating as keycloak admin")
 
@@ -379,12 +380,10 @@ func removeResources(ctx context.Context, removalFuncs ...removalFunc) error {
 			continue
 		}
 		err := removal(ctx)
-		if err != nil && !apierrors.IsNotFound(err) {
-			errs = append(errs, err)
-		}
+		errs = append(errs, err)
 	}
 
-	return errors.Join(errs...)
+	return errors.FilterOut(errors.NewAggregate(errs), apierrors.IsNotFound)
 }
 
 func configureOIDCAuthentication(ctx context.Context, client *exutil.CLI, keycloakNS string, modifier func(*configv1.OIDCProvider)) (*configv1.Authentication, *configv1.Authentication, error) {
@@ -508,7 +507,7 @@ func resetAuthentication(ctx context.Context, client *exutil.CLI, original *conf
 func waitForRollout(ctx context.Context, client *exutil.CLI) {
 	kasCli := client.AdminOperatorClient().OperatorV1().KubeAPIServers()
 
-	// First wait for KAS to flip to progessing
+	// First wait for KAS to flip to progressing
 	o.Eventually(func(gomega o.Gomega) {
 		kas, err := kasCli.Get(ctx, "cluster", metav1.GetOptions{})
 		gomega.Expect(err).NotTo(o.HaveOccurred(), "should not encounter an error fetching the KAS")
