revert: restore when:null in OIDC patch template

Revert 1dfb2e6. Removing when:null broke OIDC completely — JSON merge
patch merges objects recursively, so without when:null the base policy's
sk-oai-* restriction on X-MaaS-Username persists through the merge,
causing all OIDC requests to get 500 AUTH_FAILURE.

The when:null approach is correct per RFC 7386 (null removes keys).
The previous run proved it works (123/126 tests passed).

Signed-off-by: Wen Liang <liangwen12year@gmail.com>

Author: liangwen12year

scripts/data/maas-api-authpolicy-external-oidc-patch.yaml

@@ -72,32 +72,45 @@ spec:
     response:
       success:
         headers:
-          # Merge patch replaces the entire response block, so all headers must
-          # be re-declared. Use three-way CEL expressions (no "when" clause) so
-          # headers resolve for all token types: API keys, OIDC JWT, OpenShift
-          # TokenReview. The base policy's split X-MaaS-Username/OC approach
-          # with "when" clauses cannot survive a merge patch (when:null does not
-          # reliably clear fields), causing 500 AUTH_FAILURE refId 003.
+          # Override the base X-MaaS-Username / X-MaaS-Group headers so they
+          # handle API keys, OIDC JWT, and OpenShift TokenReview.
+          #
+          # API keys (Bearer sk-oai-*): identity comes from apiKeyValidation metadata — the
+          # base policy used plain selectors here. OIDC-only expressions omit that path and
+          # yield empty username → maas-api HTTP 500 AUTH_FAILURE refId 001 on /v1/models.
+          # Order: apiKeyValidation → OIDC claims → OpenShift TokenReview.
+          # No "when" clause — these headers must apply to ALL token types (API keys,
+          # OIDC JWT, OpenShift TokenReview). The three-way expression handles each case.
+          # The base policy restricts these to sk-oai-* only; merge patch must explicitly
+          # null the "when" to clear the base's restriction.
           X-MaaS-Username:
+            when: null
             plain:
+              selector: null
               expression: >-
                 (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ?
                 auth.metadata.apiKeyValidation.username :
                 (has(auth.identity.preferred_username) ?
                 auth.identity.preferred_username :
                 (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))
+          # Never call .join on a missing path — that stringifies nil as "<nil>"
+          # and breaks maas-api JSON parsing.
           X-MaaS-Group:
+            when: null
             plain:
+              selector: null
               expression: >-
                 (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ?
                 (size(auth.metadata.apiKeyValidation.groups) > 0 ?
                 '["' + auth.metadata.apiKeyValidation.groups.join('","') + '"]' :
                 '["system:authenticated"]') :
                 (has(auth.identity.groups) && size(auth.identity.groups) > 0 ?
                 '["system:authenticated","' + auth.identity.groups.join('","') + '"]' :
-                (has(auth.identity.user) && has(auth.identity.user.groups) && size(auth.identity.user.groups) > 0 ?
+                (has(auth.identity.user.groups) && size(auth.identity.user.groups) > 0 ?
                 '["system:authenticated","' + auth.identity.user.groups.join('","') + '"]' :
                 '["system:authenticated"]'))
+          # Subscription: from API key validation (must be preserved from base policy).
+          # /v1/models reads this header to filter by subscription.
           X-MaaS-Subscription:
             when:
               - selector: request.headers.authorization