[WIP]CNTRLPLANE-2260:test/e2e: migrate tokenreviews test to OTE framework

cmd/oauth-apiserver-tests-ext/dependencymagnet.go

@@ -0,0 +1,8 @@
+// This file imports test packages to ensure they are included in the build.
+// These imports are necessary to register Ginkgo tests with the OpenShift Tests Extension framework.
+package main
+
+import (
+	// Import test packages to register Ginkgo tests
+	_ "github.com/openshift/oauth-apiserver/test/e2e"
+)

cmd/oauth-apiserver-tests-ext/main.go

@@ -1,27 +1,34 @@
 package main
 
 import (
-	"context"
+	"fmt"
 	"os"
 
 	"github.com/spf13/cobra"
 	"k8s.io/component-base/cli"
+	"k8s.io/klog/v2"
 
 	otecmd "github.com/openshift-eng/openshift-tests-extension/pkg/cmd"
 	oteextension "github.com/openshift-eng/openshift-tests-extension/pkg/extension"
+	oteginkgo "github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo"
 	"github.com/openshift/oauth-apiserver/pkg/version"
-
-	"k8s.io/klog/v2"
 )
 
 func main() {
-	command := newOperatorTestCommand(context.Background())
-	code := cli.Run(command)
+	cmd, err := newOperatorTestCommand()
+	if err != nil {
+		klog.Fatal(err)
+	}
+
+	code := cli.Run(cmd)
 	os.Exit(code)
 }
 
-func newOperatorTestCommand(ctx context.Context) *cobra.Command {
-	registry := prepareOperatorTestsRegistry()
+func newOperatorTestCommand() (*cobra.Command, error) {
+	registry, err := prepareOperatorTestsRegistry()
+	if err != nil {
+		return nil, fmt.Errorf("failed to prepare test registry: %w", err)
+	}
 
 	cmd := &cobra.Command{
 		Use:   "oauth-apiserver-tests-ext",
@@ -42,13 +49,35 @@ func newOperatorTestCommand(ctx context.Context) *cobra.Command {
 
 	cmd.AddCommand(otecmd.DefaultExtensionCommands(registry)...)
 
-	return cmd
+	return cmd, nil
 }
 
-func prepareOperatorTestsRegistry() *oteextension.Registry {
+// prepareOperatorTestsRegistry creates the OTE registry for this component.
+//
+// Note:
+//
+// This method must be called before adding the registry to the OTE framework.
+func prepareOperatorTestsRegistry() (*oteextension.Registry, error) {
 	registry := oteextension.NewRegistry()
 	extension := oteextension.NewExtension("openshift", "payload", "oauth-apiserver")
 
+	// The following suite runs tests that verify the component's behaviour.
+	// This suite is executed only on pull requests targeting this repository.
+	// Tests tagged with both [Component] and [Serial] are included in this suite.
+	extension.AddSuite(oteextension.Suite{
+		Name:        "openshift/oauth-apiserver/component/serial",
+		Parallelism: 1,
+		Qualifiers: []string{
+			`name.contains("[Component]") && name.contains("[Serial]")`,
+		},
+	})
+
+	specs, err := oteginkgo.BuildExtensionTestSpecsFromOpenShiftGinkgoSuite()
+	if err != nil {
+		return nil, fmt.Errorf("couldn't build extension test specs from ginkgo: %w", err)
+	}
+
+	extension.AddSpecs(specs)
 	registry.Register(extension)
-	return registry
+	return registry, nil
 }

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
 	github.com/jteeuwen/go-bindata v3.0.8-0.20151023091102-a0ff2567cfb7+incompatible
+	github.com/onsi/ginkgo/v2 v2.24.0
 	github.com/openshift-eng/openshift-tests-extension v0.0.0-20250804142706-7b3ab438a292
 	github.com/openshift/api v0.0.0-20250812222054-88b2b21555f3
 	github.com/openshift/apiserver-library-go v0.0.0-20250710132015-f0d44ef6e53b
@@ -54,6 +55,7 @@ require (
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -74,7 +76,6 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/onsi/ginkgo/v2 v2.24.0 // indirect
 	github.com/onsi/gomega v1.38.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/profile v1.7.0 // indirect

test/e2e/e2e.go

@@ -0,0 +1,89 @@
+package e2e
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"testing"
+
+	g "github.com/onsi/ginkgo/v2"
+	"github.com/stretchr/testify/require"
+
+	kauthenticationv1 "k8s.io/api/authentication/v1"
+
+	oauthv1client "github.com/openshift/client-go/oauth/clientset/versioned/typed/oauth/v1"
+	userclient "github.com/openshift/client-go/user/clientset/versioned"
+)
+
+var _ = g.Describe("[sig-auth] OAuth", func() {
+	g.It("should successfully review valid and invalid tokens [apigroup:oauth.openshift.io]", func(ctx context.Context) {
+		testTokenReviewsGinkgo(g.GinkgoTB())
+	})
+})
+
+func testTokenReviewsGinkgo(t testing.TB) {
+	// Type assert to *testing.T for compatibility with existing helper functions
+	tt, ok := t.(*testing.T)
+	if !ok {
+		t.Fatal("test context is not *testing.T")
+	}
+
+	adminConfig := NewClientConfigForTest(tt)
+	trashBin := NewResourceTrashbin(tt, adminConfig)
+	defer trashBin.Empty(tt)
+
+	userClient, err := userclient.NewForConfig(adminConfig)
+	require.NoError(t, err)
+	oauthClient, err := oauthv1client.NewForConfig(adminConfig)
+	require.NoError(t, err)
+
+	user := createTestUser(tt, trashBin, userClient)
+	createTestOAuthClient(tt, trashBin, oauthClient.OAuthClients())
+	accessToken := createTestAccessToken(tt, trashBin, oauthClient.OAuthAccessTokens(), user.Name, string(user.UID))
+
+	pforwardCancel := PortForwardSvc(tt, "openshift-oauth-apiserver", "api", "11443:443")
+	defer pforwardCancel()
+
+	insecureClient := http.Client{
+		Transport: &http.Transport{
+			Proxy: http.ProxyFromEnvironment,
+			TLSClientConfig: &tls.Config{
+				// we'll be reaching service-ca signed endpoints, service-ca
+				// certs are not a part of kubeconfig's ca bundle
+				InsecureSkipVerify: true,
+			},
+		},
+	}
+
+	// test token review for a token that should not exist in the cluster
+	failedReviewReq := createTokenReviewRequestForToken(tt, "notaveryrandomnameforanything")
+	resp, err := insecureClient.Do(failedReviewReq)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	respBodyBytes, err := ioutil.ReadAll(resp.Body)
+	require.NoError(t, err)
+
+	tokenReviewResp := &kauthenticationv1.TokenReview{}
+	err = json.Unmarshal(respBodyBytes, tokenReviewResp)
+	require.NoError(t, err)
+
+	require.False(t, tokenReviewResp.Status.Authenticated)
+
+	// test token review for a token that we previously created
+	successfulReviewReq := createTokenReviewRequestForToken(tt, accessToken.Name)
+	resp, err = insecureClient.Do(successfulReviewReq)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	respBodyBytes, err = ioutil.ReadAll(resp.Body)
+	require.NoError(t, err)
+
+	tokenReviewResp = &kauthenticationv1.TokenReview{}
+	err = json.Unmarshal(respBodyBytes, tokenReviewResp)
+	require.NoError(t, err)
+
+	require.True(t, tokenReviewResp.Status.Authenticated)
+}