CNTRLPLANE-2552: Add support for CEL expression claim mappings for username and groups

[ShazaAldawamneh]

This PR updates to support the newly introduced feature-gated fields in the Authentication configuration API added by openshift/api#2719. It bumps the openshift/api dependency to consume the updated API types and ensures the new fields are correctly pulled into the CAO APIs.
The implementation ensures that the new behaviour is strictly gated and only activated when the TechPreview feature gate is explicitly enabled.

Summary by CodeRabbit

• New Features

  • Expression-based claim mappings for username, groups, UID and extras, controllable via a feature gate.

• Improvements

  • CEL-based compilation/validation for mappings and rules with upstream-parity checks; enforces email_verified usage when email is used and improves error propagation for invalid configurations.

• Tests

  • Expanded test coverage for many valid and invalid expression-mapping and prefix/validation scenarios.

• Chores

  • Updated Go module dependencies.

[openshift-ci-robot]

@ShazaAldawamneh: This pull request references CNTRLPLANE-2552 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR updates to support the newly introduced feature-gated fields in the Authentication configuration API added by openshift/api#2719. It bumps the openshift/api dependency to consume the updated API types and ensures the new fields are correctly pulled into the CAO APIs.
The implementation ensures that the new behaviour is strictly gated and only activated when the TechPreview feature gate is explicitly enabled.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds feature-gate aware CEL expression support and upstream-parity validations to External OIDC claim mapping generation. CEL expressions for username/groups and claim validation rules are compiled and inspected (email_verified checks); compilation results are propagated and errors can block JWT authenticator construction. Tests expanded for expression and error cases.

Changes

Cohort / File(s)	Summary
Dependency updates go.mod	Added direct dependency github.com/google/cel-go v0.26.0, updated github.com/openshift/api to v0.0.0-20260304122341-cf5d8996109f, added google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb in require and removed corresponding indirect entries.
Controller: CEL, feature gates & mapping logic pkg/controllers/externaloidc/externaloidc_controller.go	Introduced CEL compilation/validation and upstream-parity checks during claim mapping generation. Updated many generator/validator function signatures to return CEL compilation results and errors. Added validateEmailVerifiedUsage and CEL AST inspection helpers (usesEmailClaim, usesEmailVerifiedClaim, anyUsesEmailVerifiedClaim, hasSelectExp, isIdentOperand, isConstField). Propagated CEL results/errors into JWTAuthenticator construction.
Tests: expression & error cases pkg/controllers/externaloidc/externaloidc_controller_test.go	Expanded test matrix with invalid/valid CEL expression cases, mutual-exclusion errors for claim vs expression, prefix-related constraint tests, and cases exercising validation rules and UID/Extra mapping generation.

Sequence Diagram

sequenceDiagram
    rect rgba(220,220,255,0.5)
    participant Controller as External OIDC Controller
    end
    rect rgba(220,255,220,0.5)
    participant FG as Feature Gate System
    participant Validator as CEL Validator
    participant Generator as Mapping Generators
    participant Auth as JWT Authenticator Builder
    end

    Controller->>FG: Check feature gates (UpstreamParity, AdditionalClaimMappings)
    alt UpstreamParity enabled
        Controller->>Generator: generateUsernameClaimMapping(spec, featureGates)
        Generator->>Validator: compile/validate CEL expr (if provided)
        Validator-->>Generator: compilation result / error
        Generator-->>Controller: PrefixedClaimOrExpression + compilation result or error

        Controller->>Generator: generateGroupsClaimMapping(spec, featureGates)
        Generator->>Validator: compile/validate CEL expr (if provided)
        Validator-->>Generator: compilation result / error
        Generator-->>Controller: PrefixedClaimOrExpression + compilation result or error

        Controller->>Generator: generateClaimValidationRules(...)
        Generator->>Validator: compile/validate rule expressions
        Validator-->>Generator: compilation results / errors
        Generator-->>Controller: rules + compilation results
    else UpstreamParity disabled
        Controller->>Generator: generate legacy claim mappings
        Generator-->>Controller: mappings
    end

    alt AdditionalClaimMappings enabled
        Controller->>Generator: generate UID/Extra mappings
        Generator-->>Controller: additional mappings
    end

    Controller->>Auth: Build JWTAuthenticator with mappings + CEL compilation results
    Auth-->>Controller: success or propagated error

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 7 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 19.05% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: adding CEL expression support for claim mappings in username and groups fields, which aligns with the substantial code changes in the controller file.
Stable And Deterministic Test Names	✅ Passed	All test names are stable and deterministic with no dynamic values embedded in titles.
Test Structure And Quality	✅ Passed	The custom check instructions are for Ginkgo test code, but this repository uses standard Go table-driven tests with testing.T and t.Run(). No Ginkgo tests exist.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added to test/e2e/ directory; only unit test changes in externaloidc_controller_test.go.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Test changes are unit tests using Go's standard testing package, not Ginkgo e2e tests, so SNO compatibility requirement does not apply.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds unit tests using Go's standard testing package, not Ginkgo e2e tests. No Ginkgo patterns (It, Describe, Context, When) found.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can enforce grammar and style rules using `languagetool`.

Configure the reviews.tools.languagetool setting to enable/disable rules and categories. Refer to the LanguageTool Community to learn more.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ShazaAldawamneh
Once this PR has been reviewed and has the lgtm label, please assign liouk for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@ShazaAldawamneh: This pull request references CNTRLPLANE-2552 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR updates to support the newly introduced feature-gated fields in the Authentication configuration API added by openshift/api#2719. It bumps the openshift/api dependency to consume the updated API types and ensures the new fields are correctly pulled into the CAO APIs.
The implementation ensures that the new behaviour is strictly gated and only activated when the TechPreview feature gate is explicitly enabled.

Summary by CodeRabbit

• New Features

• Enhanced external OIDC authentication with expression-based claim mappings for usernames and groups.

• Added support for additional claim mappings including UID and Extra fields.

• Improved validation and error handling for claim mapping configurations.

• Tests

• Added test coverage for expression-based claim mapping scenarios and configuration validation error cases.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/controllers/externaloidc/externaloidc_controller_test.go`:
- Around line 1219-1326: The feature-gate slices are inverted in the test cases:
NewFeatureGate(enabled, disabled) is being called with the gates in the disabled
slice, so the features are actually turned off. Fix the four cases ("auth config
with username expression mapping", "auth config with groups expression mapping",
"auth config with username claim and expression both set, error", "auth config
with groups claim and expression both set, error") by passing the gates
FeatureGateExternalOIDCWithAdditionalClaimMappings and
FeatureGateExternalOIDCWithUpstreamParity in the first (enabled) slice to
NewFeatureGate (and the second slice should be empty), so the expression-mapping
and error paths exercise the intended feature gates.

In `@pkg/controllers/externaloidc/externaloidc_controller.go`:
- Around line 310-315: The early return in generateUsernameClaimMapping skips
CEL compilation and the claim/expression exclusivity checks, allowing invalid
claim+expression combos and empty Claim values; update
generateUsernameClaimMapping (and the similar block around the groups handling)
to mirror generateUIDClaimMapping: when the feature gate allows Expression and
usernameClaimMapping.Expression is set, compile/validate the CEL expression
(handle and return compilation errors) and run the same exclusivity logic that
ensures Claim and Expression are not both set and Claim is not left empty;
ensure any path that returns an apiserverv1beta1.PrefixedClaimOrExpression
validates the expression and enforces the mutual-exclusivity rules before
returning.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 10e30e31-927a-452f-9da1-31bb2b1f4057

📥 Commits

Reviewing files that changed from the base of the PR and between 4e58b32 and 90e7dfd.

⛔ Files ignored due to path filters (14)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/machine/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (3)

• go.mod
• pkg/controllers/externaloidc/externaloidc_controller.go
• pkg/controllers/externaloidc/externaloidc_controller_test.go

[ehearne-redhat]

@ShazaAldawamneh - looks like those failing tests are broken. You'll probably need to re-run those once you know the tests are stable again.

[openshift-ci-robot]

@ShazaAldawamneh: This pull request references CNTRLPLANE-2552 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR updates to support the newly introduced feature-gated fields in the Authentication configuration API added by openshift/api#2719. It bumps the openshift/api dependency to consume the updated API types and ensures the new fields are correctly pulled into the CAO APIs.
The implementation ensures that the new behaviour is strictly gated and only activated when the TechPreview feature gate is explicitly enabled.

Summary by CodeRabbit

• New Features

• Expression-based claim mappings for usernames and groups, plus support for additional mappings (UID, Extra).

• Improvements

• Stricter validation and clearer error handling for claim mapping configurations to prevent invalid or conflicting setups.

• Tests

• Added tests covering expression-based mappings and validation/error cases.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

pkg/controllers/externaloidc/externaloidc_controller.go (1)

374-379: Groups mapping lacks the explicit claim validation that username mapping has; consider adding defense-in-depth validation.

Unlike generateUsernameClaimMapping which rejects an empty claim (lines 327-329), generateGroupsClaimMapping silently accepts whatever is in the claim field, including empty string. When the feature gate is disabled and a configuration contains only an expression (with empty claim), the expression is ignored without warning.

While the CRD validation layer should prevent such configurations from being created (line 362 of types_authentication.go requires claim when the feature gate is disabled), adding explicit validation in the controller—similar to username mapping—would provide consistency and defense-in-depth. This is particularly relevant given that groups mappings can be configured with expressions when the feature gate is enabled.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controllers/externaloidc/externaloidc_controller.go` around lines 374 -
379, The groups mapping handler (generateGroupsClaimMapping) currently assigns
out.Claim = groupsMapping.Claim without validating it's non-empty; add the same
defense-in-depth check used by generateUsernameClaimMapping to reject an empty
claim when the expression feature gate is disabled. Detect the feature gate
state and if disabled and groupsMapping.Claim is empty return an error (or the
same validation error path used by generateUsernameClaimMapping) instead of
silently accepting it, keeping the existing assignment of out.Prefix and return
behavior otherwise.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/controllers/externaloidc/externaloidc_controller.go`:
- Around line 374-379: The groups mapping handler (generateGroupsClaimMapping)
currently assigns out.Claim = groupsMapping.Claim without validating it's
non-empty; add the same defense-in-depth check used by
generateUsernameClaimMapping to reject an empty claim when the expression
feature gate is disabled. Detect the feature gate state and if disabled and
groupsMapping.Claim is empty return an error (or the same validation error path
used by generateUsernameClaimMapping) instead of silently accepting it, keeping
the existing assignment of out.Prefix and return behavior otherwise.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0d13552e-d253-4056-b6c4-5a1b11494c65

📥 Commits

Reviewing files that changed from the base of the PR and between 90e7dfd and cf47254.

📒 Files selected for processing (2)

• pkg/controllers/externaloidc/externaloidc_controller.go
• pkg/controllers/externaloidc/externaloidc_controller_test.go

[ehearne-redhat]

Looks good to me. I'll leave @everettraven give the lgtm . :)

[openshift-ci-robot]

@ShazaAldawamneh: This pull request references CNTRLPLANE-2552 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR updates to support the newly introduced feature-gated fields in the Authentication configuration API added by openshift/api#2719. It bumps the openshift/api dependency to consume the updated API types and ensures the new fields are correctly pulled into the CAO APIs.
The implementation ensures that the new behaviour is strictly gated and only activated when the TechPreview feature gate is explicitly enabled.

Summary by CodeRabbit

• New Features

• Expression-based claim mappings for usernames and groups, plus support for additional mappings (UID, Extra), governed by a feature gate.

• Improvements

• Stronger validation and clearer error handling for claim mapping configurations, including checks requiring email_verified when email is used.

• Tests

• Added tests covering valid/invalid expression mappings and related validation/error cases.

• Chores

• Bumped OpenShift API dependency version.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

pkg/controllers/externaloidc/externaloidc_controller.go (2)

364-385: ⚠️ Potential issue | 🟠 Major

generateGroupsClaimMapping still accepts disabled or empty configs.

If Expression is set while upstream parity is off, or if both Claim and Expression are empty, this helper falls through and returns Claim: "". That makes the gate non-strict and can serialize an invalid groups mapping; mirror the username path by rejecting gated-off expressions and requiring a non-empty claim on the non-expression path.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controllers/externaloidc/externaloidc_controller.go` around lines 364 -
385, In generateGroupsClaimMapping, reject cases where Expression is set while
the FeatureGate features.FeatureGateExternalOIDCWithUpstreamParity is disabled
and also require a non-empty Claim when not using an Expression (i.e., do not
fall through to return Claim:""). Specifically, in function
generateGroupsClaimMapping validate that if feature gate is disabled and
groupsMapping.Expression != "" you return an error (similar message to the
username path), and when choosing the non-expression path ensure
groupsMapping.Claim is non-empty (return a clear error if both Claim and
Expression are empty); continue to validate CEL expressions via
validateCELExpression(authenticationcel.ClaimMappingExpression{...}) when the
gate allows expressions.

---

318-330: ⚠️ Potential issue | 🟠 Major

Reject prefix configuration on expression mappings instead of dropping it.

Both expression branches return before any prefix validation runs, so username.prefix* / groups.prefix can be set in the CR and then silently disappear from the rendered JWTAuthenticator. Please fail fast on those combinations rather than accepting and rewriting the input.

Also applies to: 338-358, 366-378

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controllers/externaloidc/externaloidc_controller.go` around lines 318 -
330, When a ClaimMapping uses an Expression we must reject any prefix settings
instead of returning early and dropping them; update the blocks that handle
usernameClaimMapping.Expression (and the analogous groups mapping branches) to
check for a non-empty Prefix field (e.g. usernameClaimMapping.Prefix and
groupsClaimMapping.Prefix) before validating the CEL expression and return an
error like "prefix must not be set when expression is used" if present; keep the
CEL validation via validateCELExpression and the existing out.Expression
assignment but only after this prefix check, and apply the same change to the
other expression branches referenced (the ones around the handling of groups
mapping and the additional blocks at the other ranges).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/controllers/externaloidc/externaloidc_controller.go`:
- Around line 198-201: validateEmailVerifiedUsage currently inspects
claimMappings.Extra unconditionally which allows gated-out Extra mappings to
satisfy the email_verified requirement; update the check so Extra is only
considered when the additional-claim-mappings feature is actually enabled
(FeatureGateExternalOIDCWithAdditionalClaimMappings) or when ClaimMappings was
generated with Extra present. Concretely, modify validateEmailVerifiedUsage to
accept a flag or check the feature gate and only scan claimMappings.Extra (and
any Extra-derived expressions) when
FeatureGateExternalOIDCWithAdditionalClaimMappings is true (or when
generateClaimMappings produced out.Extra); keep existing checks for
claimMappings.Username/Email/ClaimValidationRules intact. Reference:
validateEmailVerifiedUsage, generateClaimMappings,
FeatureGateExternalOIDCWithAdditionalClaimMappings, provider.ClaimMappings,
claimMappings.Extra.

---

Duplicate comments:
In `@pkg/controllers/externaloidc/externaloidc_controller.go`:
- Around line 364-385: In generateGroupsClaimMapping, reject cases where
Expression is set while the FeatureGate
features.FeatureGateExternalOIDCWithUpstreamParity is disabled and also require
a non-empty Claim when not using an Expression (i.e., do not fall through to
return Claim:""). Specifically, in function generateGroupsClaimMapping validate
that if feature gate is disabled and groupsMapping.Expression != "" you return
an error (similar message to the username path), and when choosing the
non-expression path ensure groupsMapping.Claim is non-empty (return a clear
error if both Claim and Expression are empty); continue to validate CEL
expressions via
validateCELExpression(authenticationcel.ClaimMappingExpression{...}) when the
gate allows expressions.
- Around line 318-330: When a ClaimMapping uses an Expression we must reject any
prefix settings instead of returning early and dropping them; update the blocks
that handle usernameClaimMapping.Expression (and the analogous groups mapping
branches) to check for a non-empty Prefix field (e.g.
usernameClaimMapping.Prefix and groupsClaimMapping.Prefix) before validating the
CEL expression and return an error like "prefix must not be set when expression
is used" if present; keep the CEL validation via validateCELExpression and the
existing out.Expression assignment but only after this prefix check, and apply
the same change to the other expression branches referenced (the ones around the
handling of groups mapping and the additional blocks at the other ranges).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ca5658f7-01a3-4bff-aecf-a37dd1b753f1

📥 Commits

Reviewing files that changed from the base of the PR and between cf47254 and f1cf468.

📒 Files selected for processing (1)

• pkg/controllers/externaloidc/externaloidc_controller.go

[openshift-ci-robot]

@ShazaAldawamneh: This pull request references CNTRLPLANE-2552 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR updates to support the newly introduced feature-gated fields in the Authentication configuration API added by openshift/api#2719. It bumps the openshift/api dependency to consume the updated API types and ensures the new fields are correctly pulled into the CAO APIs.
The implementation ensures that the new behaviour is strictly gated and only activated when the TechPreview feature gate is explicitly enabled.

Summary by CodeRabbit

• New Features

• Expression-based claim mappings for username, groups, UID and extras, controllable via a feature gate.

• Improvements

• CEL-based validation for mappings and rules with upstream-parity checks; enforces email_verified usage when email is used and improves error propagation for invalid configs.

• Tests

• Expanded tests covering many valid and invalid expression-mapping scenarios and prefix/validation rules.

• Chores

• Updated OpenShift API dependency version.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

pkg/controllers/externaloidc/externaloidc_controller.go (1)

680-688: Prefer usernameResult as the single source of truth in validateEmailVerifiedUsage.

Passing both the raw expression string and compilation result is redundant. This can be simplified to reduce future drift risk.

♻️ Proposed refactor

 func validateEmailVerifiedUsage(
-	usernameExpression string,
 	usernameResult *authenticationcel.CompilationResult,
 	extraResults []authenticationcel.CompilationResult,
 	claimValidationResults []authenticationcel.CompilationResult,
 ) error {
-	if usernameExpression == "" || usernameResult == nil {
+	if usernameResult == nil {
 		return nil
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controllers/externaloidc/externaloidc_controller.go` around lines 680 -
688, The function validateEmailVerifiedUsage currently accepts both
usernameExpression and usernameResult which is redundant and risks drift; change
validateEmailVerifiedUsage to take only usernameResult (remove the
usernameExpression parameter), derive the original expression string from
usernameResult (use the field/method on authenticationcel.CompilationResult that
holds the source/expr) and update all callers to pass the compilation result
only; ensure any logic that checks for empty expression uses the value obtained
from usernameResult and keep the rest of validation unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/controllers/externaloidc/externaloidc_controller.go`:
- Around line 680-688: The function validateEmailVerifiedUsage currently accepts
both usernameExpression and usernameResult which is redundant and risks drift;
change validateEmailVerifiedUsage to take only usernameResult (remove the
usernameExpression parameter), derive the original expression string from
usernameResult (use the field/method on authenticationcel.CompilationResult that
holds the source/expr) and update all callers to pass the compilation result
only; ensure any logic that checks for empty expression uses the value obtained
from usernameResult and keep the rest of validation unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8433bee6-cfb0-4b39-bcc2-ba25bb0b7d93

📥 Commits

Reviewing files that changed from the base of the PR and between f1cf468 and f6232af.

📒 Files selected for processing (2)

• pkg/controllers/externaloidc/externaloidc_controller.go
• pkg/controllers/externaloidc/externaloidc_controller_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/controllers/externaloidc/externaloidc_controller_test.go

[ehearne-redhat]

As far as I can tell, the changes look good to me. However, you may need to run go mod tidy and go mod vendor to fix https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-authentication-operator/850/pull-ci-openshift-cluster-authentication-operator-master-verify-deps/2032238944069881856 .

< 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
`go.mod` content is incorrect - did you run `go mod tidy`?

It still looks like the tests are broken. :)

[openshift-ci-robot]

@ShazaAldawamneh: This pull request references CNTRLPLANE-2552 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR updates to support the newly introduced feature-gated fields in the Authentication configuration API added by openshift/api#2719. It bumps the openshift/api dependency to consume the updated API types and ensures the new fields are correctly pulled into the CAO APIs.
The implementation ensures that the new behaviour is strictly gated and only activated when the TechPreview feature gate is explicitly enabled.

Summary by CodeRabbit

• New Features

• Expression-based claim mappings for username, groups, UID and extras, controllable via a feature gate.

• Improvements

• CEL-based compilation/validation for mappings and rules with upstream-parity checks; enforces email_verified usage when email is used and improves error propagation for invalid configurations.

• Tests

• Expanded test coverage for many valid and invalid expression-mapping and prefix/validation scenarios.

• Chores

• Updated Go module dependencies.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[everettraven]

Another handful of comments. Overall I think this is pretty good.

A couple of the comments are more nit-like suggestions that I'll leave it up to you whether or not you want to take. I'm not strongly opinionated enough on the nits to require the changes be made to merge this PR.

[everettraven]

We don't need a TODO comment here for this. Instead, can you create a Jira ticket to track that we need to do this and remove this comment?

[openshift-ci]

@ShazaAldawamneh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-operator-disruptive	f1cf468	link	true	/test e2e-gcp-operator-disruptive
ci/prow/e2e-aws-operator-encryption-perf-serial-ote-1of2	5ddf230	link	false	/test e2e-aws-operator-encryption-perf-serial-ote-1of2
ci/prow/e2e-aws-operator-encryption-rotation-serial-ote-1of2	5ddf230	link	false	/test e2e-aws-operator-encryption-rotation-serial-ote-1of2
ci/prow/e2e-aws-operator-parallel-ote	5ddf230	link	false	/test e2e-aws-operator-parallel-ote
ci/prow/e2e-aws-operator-serial-ote	5ddf230	link	false	/test e2e-aws-operator-serial-ote
ci/prow/e2e-agnostic	5ddf230	link	true	/test e2e-agnostic
ci/prow/e2e-aws-operator-encryption-serial-ote-1of2	5ddf230	link	false	/test e2e-aws-operator-encryption-serial-ote-1of2
ci/prow/e2e-aws-operator-encryption-perf-serial-ote-2of2	5ddf230	link	false	/test e2e-aws-operator-encryption-perf-serial-ote-2of2
ci/prow/e2e-aws-operator-encryption-serial-ote-2of2	5ddf230	link	false	/test e2e-aws-operator-encryption-serial-ote-2of2
ci/prow/e2e-aws-operator-encryption-kms-serial-ote-2of2	5ddf230	link	false	/test e2e-aws-operator-encryption-kms-serial-ote-2of2
ci/prow/e2e-aws-operator-encryption-kms-serial-ote-1of2	5ddf230	link	false	/test e2e-aws-operator-encryption-kms-serial-ote-1of2
ci/prow/e2e-aws-operator-encryption-rotation-serial-ote-2of2	5ddf230	link	false	/test e2e-aws-operator-encryption-rotation-serial-ote-2of2

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.