fix (openshift-client) : OpenShiftOAuthInterceptor should not refresh…

… on `403` response code (#4970) Do not do token refresh on HTTP_FORBIDDEN response code in order to align better with kubectl and oc Signed-off-by: Rohan Kumar <[email protected]>
fabric8io · Mar 20, 2023 · 700dab3 · 700dab3
1 parent 3710714
commit 700dab3
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 #### Bugs
 
 #### Improvements
+* Fix #4970: OpenShiftOAuthInterceptor should not refresh on `403` response code
 
 #### Dependency Upgrade
 

diff --git a/...-client/src/main/java/io/fabric8/openshift/client/internal/OpenShiftOAuthInterceptor.java b/...-client/src/main/java/io/fabric8/openshift/client/internal/OpenShiftOAuthInterceptor.java
@@ -52,7 +52,6 @@
 import java.util.Set;
 import java.util.concurrent.CompletableFuture;
 
-import static java.net.HttpURLConnection.HTTP_FORBIDDEN;
 import static java.net.HttpURLConnection.HTTP_UNAUTHORIZED;
 
 /**
@@ -195,7 +194,7 @@ private boolean shouldProceed(HttpRequest request, HttpResponse<?> response) {
     if (method.equals("POST") && RETRIABLE_RESOURCES.stream().anyMatch(url::endsWith)) {
       return false;
     }
-    return response.code() != HTTP_UNAUTHORIZED && response.code() != HTTP_FORBIDDEN;
+    return response.code() != HTTP_UNAUTHORIZED;
   }
 
 }
diff --git a/...ent/src/test/java/io/fabric8/openshift/client/internal/OpenShiftOAuthInterceptorTest.java b/...ent/src/test/java/io/fabric8/openshift/client/internal/OpenShiftOAuthInterceptorTest.java
@@ -17,6 +17,8 @@
 
 import io.fabric8.kubernetes.client.Config;
 import io.fabric8.kubernetes.client.http.HttpClient;
+import io.fabric8.kubernetes.client.http.HttpRequest;
+import io.fabric8.kubernetes.client.http.HttpResponse;
 import io.fabric8.kubernetes.client.http.StandardHttpRequest;
 import io.fabric8.kubernetes.client.http.TestHttpResponse;
 import io.fabric8.kubernetes.client.utils.TokenRefreshInterceptor;
@@ -26,10 +28,13 @@
 import java.net.HttpURLConnection;
 import java.net.URI;
 import java.util.Collections;
+import java.util.concurrent.CompletableFuture;
 
+import static java.net.HttpURLConnection.HTTP_FORBIDDEN;
+import static java.net.HttpURLConnection.HTTP_UNAUTHORIZED;
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.mockito.Mockito.RETURNS_DEEP_STUBS;
 
 class OpenShiftOAuthInterceptorTest {
 
@@ -72,8 +77,7 @@ void testTokenUsed() {
 
   @Test
   void testTokenRefreshedFromConfig() {
-    Config config = Mockito.mock(Config.class, RETURNS_DEEP_STUBS);
-    Mockito.when(config.refresh().getOauthToken()).thenReturn("token");
+    Config config = mockConfigRefresh();
 
     HttpClient client = Mockito.mock(HttpClient.class);
 
@@ -89,4 +93,54 @@ void testTokenRefreshedFromConfig() {
     Mockito.verify(config).setOauthToken("token");
   }
 
+  @Test
+  void afterFailure_whenResponseCode403_thenShouldNotRefresh() {
+    // Given
+    HttpClient client = Mockito.mock(HttpClient.class);
+    Config config = mockConfigRefresh();
+    HttpResponse<?> httpResponse = mockHttpResponse(HTTP_FORBIDDEN);
+    HttpRequest.Builder httpRequestBuilder = Mockito.mock(HttpRequest.Builder.class);
+    OpenShiftOAuthInterceptor interceptor = new OpenShiftOAuthInterceptor(client, config);
+
+    // When
+    CompletableFuture<Boolean> result = interceptor.afterFailure(httpRequestBuilder, httpResponse, null);
+
+    // Then
+    assertThat(result).isCompletedWithValue(false);
+  }
+
+  @Test
+  void afterFailure_whenResponseCode401_thenShouldRefresh() {
+    // Given
+    HttpClient client = Mockito.mock(HttpClient.class);
+    Config config = mockConfigRefresh();
+    HttpRequest.Builder httpRequestBuilder = Mockito.mock(HttpRequest.Builder.class);
+    HttpResponse<?> httpResponse = mockHttpResponse(HTTP_UNAUTHORIZED);
+    OpenShiftOAuthInterceptor interceptor = new OpenShiftOAuthInterceptor(client, config);
+
+    // When
+    CompletableFuture<Boolean> result = interceptor.afterFailure(httpRequestBuilder, httpResponse, null);
+
+    // Then
+    assertThat(result).isCompletedWithValue(true);
+  }
+
+  private Config mockConfigRefresh() {
+    Config config = Mockito.mock(Config.class);
+    Mockito.when(config.refresh()).thenReturn(config);
+    Mockito.when(config.getOauthToken()).thenReturn("token");
+    return config;
+  }
+
+  private HttpResponse<?> mockHttpResponse(int responseCode) {
+    HttpRequest httpRequest = Mockito.mock(HttpRequest.class);
+    HttpResponse<?> httpResponse = Mockito.mock(HttpResponse.class);
+    Mockito.when(httpRequest.method()).thenReturn("GET");
+    Mockito.when(httpRequest.uri())
+        .thenReturn(URI.create("http://www.example.com/apis/routes.openshift.io/namespaces/foo/routes"));
+    Mockito.when(httpResponse.request()).thenReturn(httpRequest);
+    Mockito.when(httpResponse.code()).thenReturn(responseCode);
+    return httpResponse;
+  }
+
 }