fix(authpolicy): use three-way CEL expressions in OIDC patch template

Remove when:null and selector:null from the OIDC merge patch — Kubernetes
merge patch does not reliably delete these fields, causing X-MaaS-Username
to remain restricted to sk-oai-* tokens and yielding 500 AUTH_FAILURE
refId 003 on OIDC DELETE and header-injection requests.

The patch template now uses clean three-way CEL expressions without any
when clause. The base auth-policy is unchanged (split headers approach
for non-OIDC flows).

Signed-off-by: Wen Liang <liangwen12year@gmail.com>

Author: liangwen12year

scripts/data/maas-api-authpolicy-external-oidc-patch.yaml

@@ -72,45 +72,32 @@ spec:
     response:
       success:
         headers:
-          # Override the base X-MaaS-Username / X-MaaS-Group headers so they
-          # handle API keys, OIDC JWT, and OpenShift TokenReview.
-          #
-          # API keys (Bearer sk-oai-*): identity comes from apiKeyValidation metadata — the
-          # base policy used plain selectors here. OIDC-only expressions omit that path and
-          # yield empty username → maas-api HTTP 500 AUTH_FAILURE refId 001 on /v1/models.
-          # Order: apiKeyValidation → OIDC claims → OpenShift TokenReview.
-          # No "when" clause — these headers must apply to ALL token types (API keys,
-          # OIDC JWT, OpenShift TokenReview). The three-way expression handles each case.
-          # The base policy restricts these to sk-oai-* only; merge patch must explicitly
-          # null the "when" to clear the base's restriction.
+          # Merge patch replaces the entire response block, so all headers must
+          # be re-declared. Use three-way CEL expressions (no "when" clause) so
+          # headers resolve for all token types: API keys, OIDC JWT, OpenShift
+          # TokenReview. The base policy's split X-MaaS-Username/OC approach
+          # with "when" clauses cannot survive a merge patch (when:null does not
+          # reliably clear fields), causing 500 AUTH_FAILURE refId 003.
           X-MaaS-Username:
-            when: null
             plain:
-              selector: null
               expression: >-
                 (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ?
                 auth.metadata.apiKeyValidation.username :
                 (has(auth.identity.preferred_username) ?
                 auth.identity.preferred_username :
                 (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))
-          # Never call .join on a missing path — that stringifies nil as "<nil>"
-          # and breaks maas-api JSON parsing.
           X-MaaS-Group:
-            when: null
             plain:
-              selector: null
               expression: >-
                 (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ?
                 (size(auth.metadata.apiKeyValidation.groups) > 0 ?
                 '["' + auth.metadata.apiKeyValidation.groups.join('","') + '"]' :
                 '["system:authenticated"]') :
                 (has(auth.identity.groups) && size(auth.identity.groups) > 0 ?
                 '["system:authenticated","' + auth.identity.groups.join('","') + '"]' :
-                (has(auth.identity.user.groups) && size(auth.identity.user.groups) > 0 ?
+                (has(auth.identity.user) && has(auth.identity.user.groups) && size(auth.identity.user.groups) > 0 ?
                 '["system:authenticated","' + auth.identity.user.groups.join('","') + '"]' :
                 '["system:authenticated"]'))
-          # Subscription: from API key validation (must be preserved from base policy).
-          # /v1/models reads this header to filter by subscription.
           X-MaaS-Subscription:
             when:
               - selector: request.headers.authorization