openshift
diff --git a/‎config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml‎
Lines changed: 101 additions & 0 deletions b/‎config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml‎
Lines changed: 101 additions & 0 deletions
diff --git a/‎config/v1/types_authentication.go‎
Lines changed: 5 additions & 4 deletions b/‎config/v1/types_authentication.go‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml‎
Lines changed: 13 additions & 4 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml‎
Lines changed: 3 additions & 4 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml‎
Lines changed: 13 additions & 4 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml‎
Lines changed: 3 additions & 4 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml‎
Lines changed: 13 additions & 4 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml‎
Lines changed: 13 additions & 4 deletions
@@ -617,6 +617,107 @@ tests:
                 claim: "preferred_username"
               groups:
                 claim: ""
+    - name: Cannot set prefixPolicy to Prefix when using username expression
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                expression: "claims.sub"
+                prefixPolicy: Prefix
+                prefix:
+                  prefixString: "myoidc:"
+      expectedError: "prefixPolicy must not be set to 'Prefix' when expression is set"
+
+    - name: Can set prefixPolicy to NoPrefix when using username expression
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                expression: "claims.sub"
+                prefixPolicy: NoPrefix
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                expression: "claims.sub"
+                prefixPolicy: NoPrefix
+    
+    - name: Cannot set prefix to non-empty value when using groups expression
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "preferred_username"
+              groups:
+                expression: "claims.groups"
+                prefix: "oidc-group:"
+      expectedError: "prefix must not be set to a non-empty value when expression is set"
+
+    - name: Can set prefix to empty string when using groups expression
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "preferred_username"
+              groups:
+                expression: "claims.groups"
+                prefix: ""
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "preferred_username"
+              groups:
+                expression: "claims.groups"
+                prefix: ""
   onUpdate:
     - name: Should allow updating other fields if existing username claim mapping is longer than 256 characters
       initialCRDPatches:
 
@@ -618,6 +618,7 @@ type OIDCClientReference struct {
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC,rule="has(self.claim)",message="claim is required"
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUIDAndExtraClaimMappings,rule="has(self.claim)",message="claim is required"
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.expression) && size(self.expression) > 0 ? !has(self.prefixPolicy) || self.prefixPolicy != 'Prefix' : true",message="prefixPolicy must not be set to 'Prefix' when expression is set"
 type UsernameClaimMapping struct {
 	// claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
 	// claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled.
@@ -650,11 +651,9 @@ type UsernameClaimMapping struct {
 	// Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
 	//
 	// When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.
-	//
 	// The prefix field must be set when prefixPolicy is 'Prefix'.
-	//
+	// Must not be set to 'Prefix' when expression is set.
 	// When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.
-	//
 	// When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time.
 	// Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.
 	//
@@ -710,12 +709,14 @@ type UsernamePrefix struct {
 
 // PrefixedClaimMapping configures a claim mapping
 // that allows for an optional prefix.
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.expression) && size(self.expression) > 0 ? (!has(self.prefix) || size(self.prefix) == 0) : true",message="prefix must not be set to a non-empty value when expression is set"
 type PrefixedClaimMapping struct {
 	TokenClaimMapping `json:",inline"`
 
 	// prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
 	//
-	// When omitted (""), no prefix is applied to the cluster identity attribute.
+	// When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute.
+	// Must not be set to a non-empty value when expression is set.
 	//
 	// Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 	//
 
@@ -212,12 +212,18 @@ spec:
                               description: |-
                                 prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
 
-                                When omitted (""), no prefix is applied to the cluster identity attribute.
+                                When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute.
+                                Must not be set to a non-empty value when expression is set.
 
                                 Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
                               type: string
                           type: object
                           x-kubernetes-validations:
+                          - message: prefix must not be set to a non-empty value when
+                              expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? (!has(self.prefix) || size(self.prefix) == 0) :
+                              true'
                           - message: expression must not be set if claim is specified
                               and is not an empty string
                             rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression)
@@ -316,11 +322,9 @@ spec:
                                 Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
 
                                 When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.
-
                                 The prefix field must be set when prefixPolicy is 'Prefix'.
-
+                                Must not be set to 'Prefix' when expression is set.
                                 When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.
-
                                 When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time.
                                 Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.
 
@@ -341,6 +345,11 @@ spec:
                           - message: precisely one of claim or expression must be
                               set
                             rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)'
+                          - message: prefixPolicy must not be set to 'Prefix' when
+                              expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? !has(self.prefixPolicy) || self.prefixPolicy !=
+                              ''Prefix'' : true'
                           - message: prefix must be set if prefixPolicy is 'Prefix',
                               but must remain unset otherwise
                             rule: 'has(self.prefixPolicy) && self.prefixPolicy ==
 
@@ -199,7 +199,8 @@ spec:
                               description: |-
                                 prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
 
-                                When omitted (""), no prefix is applied to the cluster identity attribute.
+                                When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute.
+                                Must not be set to a non-empty value when expression is set.
 
                                 Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
                               type: string
@@ -288,11 +289,9 @@ spec:
                                 Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
 
                                 When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.
-
                                 The prefix field must be set when prefixPolicy is 'Prefix'.
-
+                                Must not be set to 'Prefix' when expression is set.
                                 When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.
-
                                 When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time.
                                 Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.
 
 
@@ -212,12 +212,18 @@ spec:
                               description: |-
                                 prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
 
-                                When omitted (""), no prefix is applied to the cluster identity attribute.
+                                When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute.
+                                Must not be set to a non-empty value when expression is set.
 
                                 Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
                               type: string
                           type: object
                           x-kubernetes-validations:
+                          - message: prefix must not be set to a non-empty value when
+                              expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? (!has(self.prefix) || size(self.prefix) == 0) :
+                              true'
                           - message: expression must not be set if claim is specified
                               and is not an empty string
                             rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression)
@@ -316,11 +322,9 @@ spec:
                                 Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
 
                                 When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.
-
                                 The prefix field must be set when prefixPolicy is 'Prefix'.
-
+                                Must not be set to 'Prefix' when expression is set.
                                 When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.
-
                                 When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time.
                                 Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.
 
@@ -341,6 +345,11 @@ spec:
                           - message: precisely one of claim or expression must be
                               set
                             rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)'
+                          - message: prefixPolicy must not be set to 'Prefix' when
+                              expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? !has(self.prefixPolicy) || self.prefixPolicy !=
+                              ''Prefix'' : true'
                           - message: prefix must be set if prefixPolicy is 'Prefix',
                               but must remain unset otherwise
                             rule: 'has(self.prefixPolicy) && self.prefixPolicy ==
 
@@ -199,7 +199,8 @@ spec:
                               description: |-
                                 prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
 
-                                When omitted (""), no prefix is applied to the cluster identity attribute.
+                                When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute.
+                                Must not be set to a non-empty value when expression is set.
 
                                 Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
                               type: string
@@ -288,11 +289,9 @@ spec:
                                 Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
 
                                 When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.
-
                                 The prefix field must be set when prefixPolicy is 'Prefix'.
-
+                                Must not be set to 'Prefix' when expression is set.
                                 When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.
-
                                 When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time.
                                 Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.
 
 
@@ -212,12 +212,18 @@ spec:
                               description: |-
                                 prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
 
-                                When omitted (""), no prefix is applied to the cluster identity attribute.
+                                When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute.
+                                Must not be set to a non-empty value when expression is set.
 
                                 Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
                               type: string
                           type: object
                           x-kubernetes-validations:
+                          - message: prefix must not be set to a non-empty value when
+                              expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? (!has(self.prefix) || size(self.prefix) == 0) :
+                              true'
                           - message: expression must not be set if claim is specified
                               and is not an empty string
                             rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression)
@@ -316,11 +322,9 @@ spec:
                                 Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
 
                                 When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.
-
                                 The prefix field must be set when prefixPolicy is 'Prefix'.
-
+                                Must not be set to 'Prefix' when expression is set.
                                 When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.
-
                                 When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time.
                                 Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.
 
@@ -341,6 +345,11 @@ spec:
                           - message: precisely one of claim or expression must be
                               set
                             rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)'
+                          - message: prefixPolicy must not be set to 'Prefix' when
+                              expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? !has(self.prefixPolicy) || self.prefixPolicy !=
+                              ''Prefix'' : true'
                           - message: prefix must be set if prefixPolicy is 'Prefix',
                               but must remain unset otherwise
                             rule: 'has(self.prefixPolicy) && self.prefixPolicy ==