Bug 1684402

Summary: No type validation for accessTokenMaxAgeSeconds in oauth
Product: OpenShift Container Platform
Component: apiserver-auth
Version: 4.1.0
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: Chuan Yu <chuyu>
Assignee: Standa Laznicka <slaznick>
QA Contact: Chuan Yu <chuyu>
CC: aos-bugs, eparis, evb, gblomqui, mkhan, nagrawal, vlaad
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: If this bug is not fixed by Friday, May 3, we will move this to 4.2. Update 5/2: All the changes for fix are done in PR, awaiting CI
Doc Type: No Doc Update
Last Closed: 2019-06-04 10:44:51 UTC
Type: Bug

Description Chuan Yu 2019-03-01 07:58:22 UTC
Description of problem:
accessTokenMaxAgeSeconds in the oauth configuration could only be set to a positive integer, but it can be set to any characters now.

Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION     AVAILABLE   PROGRESSING   SINCE     STATUS
version   4.0.0-0.6   True        False         44m       Cluster version is 4.0.0-0.6

How reproducible:
always

Steps to Reproduce:
1. Edit the oauth object and set accessTokenMaxAgeSeconds to a value that is not a positive integer:

oc edit oauth cluster
spec:
  tokenConfig:
    accessTokenMaxAgeSeconds: dfadfadf

Actual results:
The edit is successful, but the authentication pod is not restarted to take effect.

Expected results:
The oauth edit should fail and prompt a hint, such as "could not be patched: unrecognized type".

Comment 2 Standa Laznicka 2019-03-11 09:35:57 UTC
Resolved in https://github.com/openshift/cluster-config-operator/pull/17

Comment 5 Chuan Yu 2019-03-19 10:12:36 UTC
Verified failed.

The accessTokenMaxAgeSeconds could be configured with a negative number, such as `accessTokenMaxAgeSeconds: -86400`

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-03-18-223058   True        False         9h      Cluster version is 4.0.0-0.nightly-2019-03-18-223058

Comment 6 Standa Laznicka 2019-03-29 07:41:22 UTC
-86400 is a valid value: https://github.com/openshift/api/blob/master/config/v1/types_oauth.go#L55

Comment 7 Chuan Yu 2019-03-29 08:24:08 UTC
Thanks for the clarification, it makes sense, verified.

Comment 8 Standa Laznicka 2019-04-26 09:32:22 UTC
I overlooked the fact that this is accessTokenMaxAgeSeconds and not accessTokenInactivityTimeout.

This needs fixing, will be done as a part of https://github.com/openshift/origin/pull/21922

Comment 11 Chuan Yu 2019-05-05 07:44:54 UTC
Verified on 4.1.0-0.nightly-2019-05-04-210601

Comment 13 errata-xmlrpc 2019-06-04 10:44:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758
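
The two inputs that came up in this bug, the non-integer string from the description and the negative value from comment 5, run through a type check and a range check. This is an added example, not code from openshift/origin or cluster-config-operator; the `oauthSpec` struct, the `validateOAuthSpec` function, the JSON sample inputs and the choice to accept 0 as "unset" are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical mirror of the spec.tokenConfig stanza shown in the report;
// this is not the real openshift/api type.
type oauthSpec struct {
	TokenConfig struct {
		AccessTokenMaxAgeSeconds int32 `json:"accessTokenMaxAgeSeconds"`
	} `json:"tokenConfig"`
}

// validateOAuthSpec takes the JSON form of the spec and returns an error when
// a field has the wrong type or does not fit int32 (type check), or when
// accessTokenMaxAgeSeconds is negative (range check).
// Assumption: 0 cannot be told apart from "unset" here, so it is accepted.
func validateOAuthSpec(raw []byte) error {
	var spec oauthSpec
	if err := json.Unmarshal(raw, &spec); err != nil {
		var typeErr *json.UnmarshalTypeError
		if errors.As(err, &typeErr) {
			return fmt.Errorf("spec.%s: unrecognized type %q, expected %s",
				typeErr.Field, typeErr.Value, typeErr.Type)
		}
		return fmt.Errorf("spec: %w", err)
	}
	if v := spec.TokenConfig.AccessTokenMaxAgeSeconds; v < 0 {
		return fmt.Errorf("spec.tokenConfig.accessTokenMaxAgeSeconds: "+
			"invalid value %d, must not be negative", v)
	}
	return nil
}

func main() {
	// Constructed inputs: JSON equivalents of the values tried in the report.
	samples := []string{
		`{"tokenConfig":{"accessTokenMaxAgeSeconds":"dfadfadf"}}`, // description
		`{"tokenConfig":{"accessTokenMaxAgeSeconds":-86400}}`,     // comment 5
		`{"tokenConfig":{"accessTokenMaxAgeSeconds":86400}}`,      // well-formed
	}
	for _, s := range samples {
		fmt.Printf("%s -> %v\n", s, validateOAuthSpec([]byte(s)))
	}
}
```

Decoding into a typed field covers the original report, but the negative value from comment 5 passes the decoder, so the range check is what rejects it.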