Update OIDC timeout test, add errors timeout test, add VirtualServer test that checks OIDC timeout nginx conf values

AlexFenlon · AlexFenlon · commit 61190da258a8 · 2025-11-06T14:05:16.000Z
diff --git a/internal/configs/configmaps_test.go b/internal/configs/configmaps_test.go
@@ -394,30 +394,145 @@ func TestParseConfigMapOIDC(t *testing.T) {
 		},
 	}
 
+	nginxPlus := true
+	hasAppProtect := false
+	hasAppProtectDos := false
+	hasTLSPassthrough := false
+	directiveAutoadjustEnabled := false
+
 	for _, test := range tests {
 		t.Run(test.msg, func(t *testing.T) {
-			cfgParams := NewDefaultConfigParams(context.Background(), true)
-
-			err := parseConfigMapOIDC(nil, test.configMap, cfgParams, makeEventLogger())
-			if err != nil {
-				t.Errorf("parseConfigMapOIDC() returned unexpected error: %v", err)
+			result, configOk := ParseConfigMap(context.Background(), test.configMap, nginxPlus, hasAppProtect, hasAppProtectDos, hasTLSPassthrough, directiveAutoadjustEnabled, makeEventLogger())
+			if !configOk {
+				t.Error("want configOk true, got configOk false")
 			}
 
 			// Check only the specific fields that are set in the test expectation
 			if test.want.PKCETimeout != "" {
-				assert.Equal(t, test.want.PKCETimeout, cfgParams.OIDC.PKCETimeout)
+				assert.Equal(t, test.want.PKCETimeout, result.OIDC.PKCETimeout)
 			}
 			if test.want.IDTokenTimeout != "" {
-				assert.Equal(t, test.want.IDTokenTimeout, cfgParams.OIDC.IDTokenTimeout)
+				assert.Equal(t, test.want.IDTokenTimeout, result.OIDC.IDTokenTimeout)
 			}
 			if test.want.AccessTimeout != "" {
-				assert.Equal(t, test.want.AccessTimeout, cfgParams.OIDC.AccessTimeout)
+				assert.Equal(t, test.want.AccessTimeout, result.OIDC.AccessTimeout)
 			}
 			if test.want.RefreshTimeout != "" {
-				assert.Equal(t, test.want.RefreshTimeout, cfgParams.OIDC.RefreshTimeout)
+				assert.Equal(t, test.want.RefreshTimeout, result.OIDC.RefreshTimeout)
 			}
 			if test.want.SIDSTimeout != "" {
-				assert.Equal(t, test.want.SIDSTimeout, cfgParams.OIDC.SIDSTimeout)
+				assert.Equal(t, test.want.SIDSTimeout, result.OIDC.SIDSTimeout)
+			}
+		})
+	}
+}
+
+func TestParseConfigMapOIDCErrors(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		configMap   *v1.ConfigMap
+		expectedErr bool
+		msg         string
+	}{
+		{
+			configMap: &v1.ConfigMap{
+				Data: map[string]string{
+					"oidc-pkce-timeout": "invalid-time",
+				},
+			},
+			expectedErr: true,
+			msg:         "invalid PKCE timeout format",
+		},
+		{
+			configMap: &v1.ConfigMap{
+				Data: map[string]string{
+					"oidc-id-tokens-timeout": "abc123",
+				},
+			},
+			expectedErr: true,
+			msg:         "invalid ID token timeout format",
+		},
+		{
+			configMap: &v1.ConfigMap{
+				Data: map[string]string{
+					"oidc-access-tokens-timeout": "5x",
+				},
+			},
+			expectedErr: true,
+			msg:         "invalid access token timeout format",
+		},
+		{
+			configMap: &v1.ConfigMap{
+				Data: map[string]string{
+					"oidc-refresh-tokens-timeout": "",
+				},
+			},
+			expectedErr: true,
+			msg:         "empty refresh token timeout",
+		},
+		{
+			configMap: &v1.ConfigMap{
+				Data: map[string]string{
+					"oidc-sids-timeout": "   ",
+				},
+			},
+			expectedErr: true,
+			msg:         "whitespace-only SIDS timeout",
+		},
+		{
+			configMap: &v1.ConfigMap{
+				Data: map[string]string{
+					"oidc-pkce-timeout": "-5m",
+				},
+			},
+			expectedErr: true,
+			msg:         "negative PKCE timeout",
+		},
+		{
+			configMap: &v1.ConfigMap{
+				Data: map[string]string{
+					"oidc-id-tokens-timeout": "1.5h",
+				},
+			},
+			expectedErr: true,
+			msg:         "decimal in ID token timeout",
+		},
+		{
+			configMap: &v1.ConfigMap{
+				Data: map[string]string{
+					"oidc-access-tokens-timeout": "5minutes",
+				},
+			},
+			expectedErr: true,
+			msg:         "invalid time unit format",
+		},
+
+		{
+			configMap: &v1.ConfigMap{
+				Data: map[string]string{
+					"oidc-sids-timeout": "5s 10m",
+				},
+			},
+			expectedErr: true,
+			msg:         "multiple time values without proper format",
+		},
+	}
+
+	nginxPlus := true
+	hasAppProtect := false
+	hasAppProtectDos := false
+	hasTLSPassthrough := false
+	directiveAutoadjustEnabled := false
+
+	for _, test := range tests {
+		t.Run(test.msg, func(t *testing.T) {
+			_, configOk := ParseConfigMap(context.Background(), test.configMap, nginxPlus, hasAppProtect, hasAppProtectDos, hasTLSPassthrough, directiveAutoadjustEnabled, makeEventLogger())
+
+			if test.expectedErr && configOk {
+				t.Errorf("want configOk false, got configOk true for %s", test.msg)
+			}
+			if !test.expectedErr && !configOk {
+				t.Errorf("want configOk true, got configOk false for %s", test.msg)
 			}
 		})
 	}
diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go
@@ -13,6 +13,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/nginx/kubernetes-ingress/internal/configs/version1"
 	"github.com/nginx/kubernetes-ingress/internal/configs/version2"
 	"github.com/nginx/kubernetes-ingress/internal/k8s/secrets"
 	nl "github.com/nginx/kubernetes-ingress/internal/logger"
@@ -24,6 +25,7 @@ import (
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/client-go/tools/record"
 )
 
 func createPointerFromBool(b bool) *bool {
@@ -21963,6 +21965,105 @@ func TestGenerateTimeWithDefault(t *testing.T) {
 	}
 }
 
+// TestOIDCTimeoutInMainConfig verifies that OIDC timeout values from ConfigMap appear in generated nginx.conf
+func TestOIDCTimeoutInMainConfig(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name               string
+		configMapData      map[string]string
+		expectedTimeouts   map[string]string
+		expectedDirectives []string
+	}{
+		{
+			name: "default timeouts",
+			configMapData: map[string]string{
+				"zone-sync": "true",
+			},
+			expectedTimeouts: map[string]string{
+				"PKCETimeout":    "90s",
+				"IDTokenTimeout": "1h",
+				"AccessTimeout":  "1h",
+				"RefreshTimeout": "8h",
+				"SIDSTimeout":    "8h",
+			},
+			expectedDirectives: []string{
+				"keyval_zone zone=oidc_pkce:128K        timeout=90s sync;",
+				"keyval_zone zone=oidc_id_tokens:1M     timeout=1h sync;",
+				"keyval_zone zone=oidc_access_tokens:1M timeout=1h sync;",
+				"keyval_zone zone=refresh_tokens:1M     timeout=8h sync;",
+				"keyval_zone zone=oidc_sids:1M          timeout=8h sync;",
+				"include oidc/oidc_common.conf;",
+			},
+		},
+		{
+			name: "custom timeouts",
+			configMapData: map[string]string{
+				"zone-sync":                   "true",
+				"oidc-pkce-timeout":           "2m",
+				"oidc-id-tokens-timeout":      "2h",
+				"oidc-access-tokens-timeout":  "30m",
+				"oidc-refresh-tokens-timeout": "1h",
+				"oidc-sids-timeout":           "120s",
+			},
+			expectedTimeouts: map[string]string{
+				"PKCETimeout":    "2m",
+				"IDTokenTimeout": "2h",
+				"AccessTimeout":  "30m",
+				"RefreshTimeout": "1h",
+				"SIDSTimeout":    "120s",
+			},
+			expectedDirectives: []string{
+				"keyval_zone zone=oidc_pkce:128K        timeout=2m sync;",
+				"keyval_zone zone=oidc_id_tokens:1M     timeout=2h sync;",
+				"keyval_zone zone=oidc_access_tokens:1M timeout=30m sync;",
+				"keyval_zone zone=refresh_tokens:1M     timeout=1h sync;",
+				"keyval_zone zone=oidc_sids:1M          timeout=120s sync;",
+				"include oidc/oidc_common.conf;",
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			// Parse ConfigMap
+			configMap := &api_v1.ConfigMap{Data: test.configMapData}
+			configParams, configOk := ParseConfigMap(context.Background(), configMap, true, false, false, false, false, record.NewFakeRecorder(1024))
+			if !configOk {
+				t.Error("expected configOk true, got configOk false ")
+			}
+
+			vsc := newVirtualServerConfigurator(&baseCfgParams, false, false, &StaticConfigParams{}, false, &fakeBV)
+			_, warnings := vsc.GenerateVirtualServerConfig(&virtualServerExWithOIDCTimeout, nil, nil)
+			if len(warnings) != 0 {
+				t.Errorf("Unexpected warnings: %v", warnings)
+			}
+
+			mainConfig := GenerateNginxMainConfig(&StaticConfigParams{}, configParams, &MGMTConfigParams{})
+			mainConfig.OIDC.Enable = true
+
+			templateExecutor, err := version1.NewTemplateExecutor("version1/nginx-plus.tmpl", "version1/nginx-plus.ingress.tmpl")
+			if err != nil {
+				t.Fatalf("Failed to create template executor: %v", err)
+			}
+
+			nginxConfigContent, err := templateExecutor.ExecuteMainConfigTemplate(mainConfig)
+			if err != nil {
+				t.Fatalf("Failed to execute template: %v", err)
+			}
+
+			configString := string(nginxConfigContent)
+			t.Logf("Generated nginx.conf snippet:\n%s", configString)
+
+			for _, directive := range test.expectedDirectives {
+				if !strings.Contains(configString, directive) {
+					t.Errorf("Expected directive not found: %s", directive)
+				}
+			}
+		})
+	}
+}
+
 var (
 	l             = slog.New(nic_glog.New(io.Discard, &nic_glog.Options{Level: levels.LevelInfo}))
 	ctx           = nl.ContextWithLogger(context.Background(), l)
@@ -21977,6 +22078,73 @@ var (
 		RealIPRecursive: true,
 	}
 
+	virtualServerExWithOIDCTimeout = VirtualServerEx{
+		VirtualServer: &conf_v1.VirtualServer{
+			ObjectMeta: meta_v1.ObjectMeta{
+				Name:      "oidc-app",
+				Namespace: "default",
+			},
+			Spec: conf_v1.VirtualServerSpec{
+				Host: "app.example.com",
+				Upstreams: []conf_v1.Upstream{
+					{
+						Name:    "app",
+						Service: "app-svc",
+						Port:    80,
+					},
+				},
+				Routes: []conf_v1.Route{
+					{
+						Path: "/",
+						Policies: []conf_v1.PolicyReference{
+							{
+								Name:      "oidc-policy",
+								Namespace: "default",
+							},
+						},
+						Action: &conf_v1.Action{
+							Pass: "app",
+						},
+					},
+				},
+			},
+		},
+		Policies: map[string]*conf_v1.Policy{
+			"default/oidc-policy": {
+				ObjectMeta: meta_v1.ObjectMeta{
+					Name:      "oidc-policy",
+					Namespace: "default",
+				},
+				Spec: conf_v1.PolicySpec{
+					OIDC: &conf_v1.OIDC{
+						AuthEndpoint:          "https://auth.example.com/auth",
+						TokenEndpoint:         "https://auth.example.com/token",
+						JWKSURI:               "https://auth.example.com/jwks",
+						ClientID:              "test-client-id",
+						ClientSecret:          "oidc-secret",
+						Scope:                 "openid profile email",
+						RedirectURI:           "/redirect",
+						ZoneSyncLeeway:        createPointerFromInt(20),
+						AccessTokenEnable:     true,
+						EndSessionEndpoint:    "https://auth.example.com/logout",
+						PostLogoutRedirectURI: "/_logout",
+					},
+				},
+			},
+		},
+		SecretRefs: map[string]*secrets.SecretReference{
+			"default/oidc-secret": {
+				Secret: &api_v1.Secret{
+					Type: secrets.SecretTypeOIDC,
+					Data: map[string][]byte{
+						"client-secret": []byte("super-secret-value"),
+					},
+				},
+				Path: "/etc/nginx/secrets/default_oidc-secret",
+			},
+		},
+	}
+
 	virtualServerExWithGunzipOn = VirtualServerEx{
 		VirtualServer: &conf_v1.VirtualServer{
 			ObjectMeta: meta_v1.ObjectMeta{
