feat: Configure the access token timeouts (#1418)

* feat: Configure the OAuthClient token configuration

Signed-off-by: Anatolii Bazko <abazko@redhat.com>

api/v2/checluster_types.go

@@ -387,6 +387,14 @@ type Auth struct {
 	// This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
 	// +optional
 	OAuthScope string `json:"oAuthScope,omitempty"`
+	// Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
+	// 0 means tokens for this client never time out.
+	// +optional
+	OAuthAccessTokenInactivityTimeoutSeconds *int32 `json:"oAuthAccessTokenInactivityTimeoutSeconds,omitempty"`
+	// Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
+	// 0 means no expiration.
+	// +optional
+	OAuthAccessTokenMaxAgeSeconds *int32 `json:"oAuthAccessTokenMaxAgeSeconds,omitempty"`
 	// Identity token to be passed to upstream. There are two types of tokens supported: `id_token` and `access_token`.
 	// Default value is `id_token`.
 	// This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.

api/v2/zz_generated.deepcopy.go

@@ -25,6 +25,16 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Auth) DeepCopyInto(out *Auth) {
 	*out = *in
+	if in.OAuthAccessTokenInactivityTimeoutSeconds != nil {
+		in, out := &in.OAuthAccessTokenInactivityTimeoutSeconds, &out.OAuthAccessTokenInactivityTimeoutSeconds
+		*out = new(int32)
+		**out = **in
+	}
+	if in.OAuthAccessTokenMaxAgeSeconds != nil {
+		in, out := &in.OAuthAccessTokenMaxAgeSeconds, &out.OAuthAccessTokenMaxAgeSeconds
+		*out = new(int32)
+		**out = **in
+	}
 	in.Gateway.DeepCopyInto(&out.Gateway)
 }
 

bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml

@@ -76,7 +76,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/eclipse-che/che-operator
     support: Eclipse Foundation
-  name: eclipse-che-preview-openshift.v7.50.0-618.next
+  name: eclipse-che-preview-openshift.v7.50.0-620.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -1387,7 +1387,7 @@ spec:
   maturity: stable
   provider:
     name: Eclipse Foundation
-  version: 7.50.0-618.next
+  version: 7.50.0-620.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1

bundle/next/eclipse-che-preview-openshift/manifests/org.eclipse.che_checlusters.yaml

@@ -5408,6 +5408,19 @@ spec:
                             - id_token
                             - access_token
                           type: string
+                        oAuthAccessTokenInactivityTimeoutSeconds:
+                          description: Inactivity timeout for tokens to set in the
+                            OpenShift `OAuthClient` resource used to set up identity
+                            federation on the OpenShift side. 0 means tokens for this
+                            client never time out.
+                          format: int32
+                          type: integer
+                        oAuthAccessTokenMaxAgeSeconds:
+                          description: Access token max age for tokens to set in the
+                            OpenShift `OAuthClient` resource used to set up identity
+                            federation on the OpenShift side. 0 means no expiration.
+                          format: int32
+                          type: integer
                         oAuthClientName:
                           description: Name of the OpenShift `OAuthClient` resource
                             used to set up identity federation on the OpenShift side.

config/crd/bases/org.eclipse.che_checlusters.yaml

@@ -5252,6 +5252,19 @@ spec:
                         - id_token
                         - access_token
                         type: string
+                      oAuthAccessTokenInactivityTimeoutSeconds:
+                        description: Inactivity timeout for tokens to set in the OpenShift
+                          `OAuthClient` resource used to set up identity federation
+                          on the OpenShift side. 0 means tokens for this client never
+                          time out.
+                        format: int32
+                        type: integer
+                      oAuthAccessTokenMaxAgeSeconds:
+                        description: Access token max age for tokens to set in the
+                          OpenShift `OAuthClient` resource used to set up identity
+                          federation on the OpenShift side. 0 means no expiration.
+                        format: int32
+                        type: integer
                       oAuthClientName:
                         description: Name of the OpenShift `OAuthClient` resource
                           used to set up identity federation on the OpenShift side.

deploy/deployment/kubernetes/combined.yaml

@@ -3526,6 +3526,14 @@ spec:
                         - id_token
                         - access_token
                         type: string
+                      oAuthAccessTokenInactivityTimeoutSeconds:
+                        description: Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means tokens for this client never time out.
+                        format: int32
+                        type: integer
+                      oAuthAccessTokenMaxAgeSeconds:
+                        description: Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means no expiration.
+                        format: int32
+                        type: integer
                       oAuthClientName:
                         description: Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
                         type: string

deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -3521,6 +3521,14 @@ spec:
                         - id_token
                         - access_token
                         type: string
+                      oAuthAccessTokenInactivityTimeoutSeconds:
+                        description: Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means tokens for this client never time out.
+                        format: int32
+                        type: integer
+                      oAuthAccessTokenMaxAgeSeconds:
+                        description: Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means no expiration.
+                        format: int32
+                        type: integer
                       oAuthClientName:
                         description: Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
                         type: string

deploy/deployment/openshift/combined.yaml

@@ -3526,6 +3526,14 @@ spec:
                         - id_token
                         - access_token
                         type: string
+                      oAuthAccessTokenInactivityTimeoutSeconds:
+                        description: Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means tokens for this client never time out.
+                        format: int32
+                        type: integer
+                      oAuthAccessTokenMaxAgeSeconds:
+                        description: Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means no expiration.
+                        format: int32
+                        type: integer
                       oAuthClientName:
                         description: Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
                         type: string

deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -3521,6 +3521,14 @@ spec:
                         - id_token
                         - access_token
                         type: string
+                      oAuthAccessTokenInactivityTimeoutSeconds:
+                        description: Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means tokens for this client never time out.
+                        format: int32
+                        type: integer
+                      oAuthAccessTokenMaxAgeSeconds:
+                        description: Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means no expiration.
+                        format: int32
+                        type: integer
                       oAuthClientName:
                         description: Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
                         type: string

helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -3521,6 +3521,14 @@ spec:
                         - id_token
                         - access_token
                         type: string
+                      oAuthAccessTokenInactivityTimeoutSeconds:
+                        description: Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means tokens for this client never time out.
+                        format: int32
+                        type: integer
+                      oAuthAccessTokenMaxAgeSeconds:
+                        description: Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means no expiration.
+                        format: int32
+                        type: integer
                       oAuthClientName:
                         description: Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
                         type: string

pkg/deploy/identity-provider/identity_provider_reconciler.go

@@ -99,7 +99,12 @@ func syncOAuthClient(ctx *chetypes.DeployContext) (bool, error) {
 	oauthClientName = utils.GetValue(oauthClientName, ctx.CheCluster.Name+"-openshift-identity-provider-"+strings.ToLower(utils.GeneratePassword(6)))
 
 	redirectURIs := []string{"https://" + ctx.CheHost + "/oauth/callback"}
-	oauthClientSpec := GetOAuthClientSpec(oauthClientName, oauthSecret, redirectURIs)
+	oauthClientSpec := GetOAuthClientSpec(
+		oauthClientName,
+		oauthSecret,
+		redirectURIs,
+		ctx.CheCluster.Spec.Networking.Auth.OAuthAccessTokenInactivityTimeoutSeconds,
+		ctx.CheCluster.Spec.Networking.Auth.OAuthAccessTokenMaxAgeSeconds)
 	done, err := deploy.Sync(ctx, oauthClientSpec, oAuthClientDiffOpts)
 	if !done {
 		return false, err

pkg/deploy/identity-provider/identity_provider_reconciler_test.go

@@ -15,6 +15,8 @@ import (
 	"os"
 	"testing"
 
+	"k8s.io/utils/pointer"
+
 	chev2 "github.com/eclipse-che/che-operator/api/v2"
 	"github.com/eclipse-che/che-operator/pkg/common/test"
 	oauthv1 "github.com/openshift/api/oauth/v1"
@@ -27,9 +29,9 @@ import (
 )
 
 func TestFinalize(t *testing.T) {
-	oauthClient1 := GetOAuthClientSpec("test1", "secret", []string{"https://che-host/oauth/callback"})
+	oauthClient1 := GetOAuthClientSpec("test1", "secret", []string{"https://che-host/oauth/callback"}, nil, nil)
-	oauthClient2 := GetOAuthClientSpec("test2", "secret", []string{"https://che-host/oauth/callback"})
+	oauthClient2 := GetOAuthClientSpec("test2", "secret", []string{"https://che-host/oauth/callback"}, nil, nil)
-	oauthClient3 := GetOAuthClientSpec("test3", "secret", []string{"https://che-host/oauth/callback"})
+	oauthClient3 := GetOAuthClientSpec("test3", "secret", []string{"https://che-host/oauth/callback"}, nil, nil)
 	oauthClient3.ObjectMeta.Labels = map[string]string{}
 
 	checluster := &chev2.CheCluster{
@@ -55,7 +57,7 @@ func TestFinalize(t *testing.T) {
 	assert.Equal(t, 0, len(checluster.Finalizers))
 }
 
-func TestSyncOAuthClientGenerateSecret(t *testing.T) {
+func TestSyncOAuthClientShouldSyncTokenTimeout(t *testing.T) {
 	checluster := &chev2.CheCluster{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "eclipse-che",
@@ -64,7 +66,8 @@ func TestSyncOAuthClientGenerateSecret(t *testing.T) {
 		Spec: chev2.CheClusterSpec{
 			Networking: chev2.CheClusterSpecNetworking{
 				Auth: chev2.Auth{
-					OAuthClientName: "name",
+					OAuthAccessTokenInactivityTimeoutSeconds: pointer.Int32Ptr(10),
+					OAuthAccessTokenMaxAgeSeconds:            pointer.Int32Ptr(20),
 				},
 			},
 		},
@@ -74,13 +77,11 @@ func TestSyncOAuthClientGenerateSecret(t *testing.T) {
 	done, err := syncOAuthClient(ctx)
 	assert.True(t, done)
 	assert.Nil(t, err)
-	assert.Empty(t, checluster.Spec.Networking.Auth.OAuthSecret)
 
 	oauthClients, err := FindAllEclipseCheOAuthClients(ctx)
 	assert.Nil(t, err)
-	assert.Equal(t, 1, len(oauthClients))
+	assert.Equal(t, int32(10), *oauthClients[0].AccessTokenInactivityTimeoutSeconds)
-	assert.Equal(t, "name", oauthClients[0].Name)
+	assert.Equal(t, int32(20), *oauthClients[0].AccessTokenMaxAgeSeconds)
-	assert.NotEmpty(t, oauthClients[0].Secret)
 }
 
 func TestSyncOAuthClient(t *testing.T) {
@@ -178,7 +179,7 @@ func TestSyncOAuthClient(t *testing.T) {
 }
 
 func TestSyncExistedOAuthClient(t *testing.T) {
-	oauthClient := GetOAuthClientSpec("test", "secret", []string{})
+	oauthClient := GetOAuthClientSpec("test", "secret", []string{}, nil, nil)
 
 	type testCase struct {
 		name           string

pkg/deploy/identity-provider/identity_provider_util.go

@@ -23,7 +23,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func GetOAuthClientSpec(name string, oauthSecret string, redirectURIs []string) *oauth.OAuthClient {
+func GetOAuthClientSpec(
+	name string,
+	secret string,
+	redirectURIs []string,
+	accessTokenInactivityTimeoutSeconds *int32,
+	accessTokenMaxAgeSeconds *int32) *oauth.OAuthClient {
 	return &oauth.OAuthClient{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "OAuthClient",
@@ -34,9 +39,11 @@ func GetOAuthClientSpec(name string, oauthSecret string, redirectURIs []string)
 			Labels: map[string]string{constants.KubernetesPartOfLabelKey: constants.CheEclipseOrg},
 		},
 
-		Secret:       oauthSecret,
+		Secret:                              secret,
-		RedirectURIs: redirectURIs,
+		RedirectURIs:                        redirectURIs,
-		GrantMethod:  oauth.GrantHandlerPrompt,
+		GrantMethod:                         oauth.GrantHandlerPrompt,
+		AccessTokenInactivityTimeoutSeconds: accessTokenInactivityTimeoutSeconds,
+		AccessTokenMaxAgeSeconds:            accessTokenMaxAgeSeconds,
 	}
 }