OCPBUGS-58181: Fix nil pointer dereference in ensureRolesAssignedToManagedIdentity

[jstuever]

Add nil checks for Properties, RoleDefinitionID, and Scope fields before dereferencing role assignments. This prevents panics during retry scenarios when Azure API returns role assignments with nil properties.

Assisted-by: Claude Sonnet 4.6

Summary by CodeRabbit

• Bug Fixes

  • Improved robustness when reconciling Azure managed identity role assignments by ignoring incomplete or malformed role-assignment entries, preventing crashes during detection and cleanup.

• Tests

  • Added unit tests covering partially populated or missing role-assignment data to ensure reconciliation and cleanup complete without errors.

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-58181, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Add nil checks for Properties, RoleDefinitionID, and Scope fields before dereferencing role assignments. This prevents panics during retry scenarios when Azure API returns role assignments with nil properties.

Assisted-by: Claude Sonnet 4.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Adds defensive nil checks when iterating and cleaning up Azure role assignments for managed identities; incomplete armauthorization.RoleAssignment objects (nil Properties, RoleDefinitionID, Scope, or Name) are skipped to avoid dereference panics. Unit tests extended with cases for partially-populated role assignments.

Changes

Cohort / File(s)	Summary
Nil-safety guards for role assignments pkg/cmd/provisioning/azure/create_managed_identities.go	Added nil checks when iterating existingRoleAssignments to skip entries with Properties == nil, Properties.RoleDefinitionID == nil, Properties.Scope == nil, and checks Name where relevant during both existence detection and cleanup.
Extended tests for partial role assignments pkg/cmd/provisioning/azure/create_managed_identities_test.go	Added five table-driven tests covering partially-populated armauthorization.RoleAssignment objects (cases with nil Properties, missing RoleDefinitionID, missing Scope, and nil Name) to ensure reconciliation and cleanup paths tolerate malformed/incomplete Azure responses without panicking.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Ote Binary Stdout Contract	❓ Inconclusive	The modified files referenced in the pull request are not present in the repository.	Verify the repository contains the correct pull request changes and provide the actual file contents for assessment.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and accurately describes the main change: adding nil pointer dereference protection in the ensureRolesAssignedToManagedIdentity function.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Test file uses standard Go testing with table-driven tests, not Ginkgo. All test names are static descriptive strings with no dynamic values.
Test Structure And Quality	✅ Passed	Test uses standard Go table-driven pattern with clear test cases covering nil pointer conditions. Each case has single responsibility testing one specific nil-pointer scenario or combination.
Microshift Test Compatibility	✅ Passed	The pull request adds standard Go unit tests using table-driven patterns, not Ginkgo e2e tests. These tests do not use Ginkgo framework elements (It, Describe, Context) and are component-level unit tests for Azure role assignment logic.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The changes add unit test cases to TestEnsureRolesAssignedToManagedIdentity using Go's testing package with table-driven patterns, not Ginkgo e2e tests. No Ginkgo imports or test functions are present.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR modifies Azure managed identity role assignment reconciliation logic without introducing topology-aware scheduling constraints, manifests, or policies.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds table-driven test cases to standard Go unit tests using testing package and testify, not Ginkgo e2e tests.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jstuever]

/jira refresh

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-58181, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jstuever]

/jira backport release-4.21,release-4.22

[openshift-ci-robot]

@jstuever: Missing required branches for backport chain:

• openshift-4.23 OR release-4.23,

Details

In response to this:

/jira backport release-4.21,release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-58181, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Add nil checks for Properties, RoleDefinitionID, and Scope fields before dereferencing role assignments. This prevents panics during retry scenarios when Azure API returns role assignments with nil properties.

Assisted-by: Claude Sonnet 4.5

Summary by CodeRabbit

• Bug Fixes
• Improved robustness when handling Azure managed identity role assignments by adding validation checks that gracefully skip incomplete or malformed role assignment data instead of causing system failures.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/cmd/provisioning/azure/create_managed_identities.go`:
- Around line 313-316: The cleanup loop may still nil-deref
existingRoleAssignment.Name; move the guard that checks
existingRoleAssignment.Properties, RoleDefinitionID, and Scope to execute before
any dereference of existingRoleAssignment.Name and extend it to also check
existingRoleAssignment.Name != nil; specifically, in the loop that iterates
existingRoleAssignment (the cleanup loop logic where the code compares
*existingRoleAssignment.Name and later logs it), add Name to the nil checks and
run that guard before the name comparison and before logging to avoid panics.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5879ed38-c555-4581-8eb1-97770b5a6bfb

📥 Commits

Reviewing files that changed from the base of the PR and between ed39a12 and baaee2b.

📒 Files selected for processing (1)

• pkg/cmd/provisioning/azure/create_managed_identities.go

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.99%. Comparing base (c502923) to head (b5f8b6a).
⚠️ Report is 18 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #987      +/-   ##
==========================================
+ Coverage   46.88%   46.99%   +0.11%     
==========================================
  Files          98       98              
  Lines       12558    12641      +83     
==========================================
+ Hits         5888     5941      +53     
- Misses       6015     6043      +28     
- Partials      655      657       +2     

Files with missing lines	Coverage Δ
...md/provisioning/azure/create_managed_identities.go	55.94% <100.00%> (+0.52%)	⬆️

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jstuever]

/test e2e-azure-manual-oidc

[huangmingxia]

@jstuever e2e-azure-manual-oidc job is blocked by https://issues.redhat.com/browse/OCPBUGS-77845

[jstuever]

/jira refresh

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-58181, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @miyadav

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/cmd/provisioning/azure/create_managed_identities_test.go`:
- Around line 933-1063: Add a sibling table test mirroring the existing
nil-Properties/nil-RoleDefinitionID/nil-Name cases that verifies the cleanup
loop skips assignments with a nil Scope: create a case named like "Extra role
assignment with nil Scope in cleanup loop is skipped without panic" and in its
mockAzureClientWrapper call to mockRoleAssignmentsListForScopePager include a
second armauthorization.RoleAssignment whose Properties exists but has
Properties.Scope == nil (and PrincipalID/RoleDefinitionID set as needed), then
keep the mockRoleDefinitionsListPager entry identical to the others; this will
exercise the cleanup guard in create_managed_identities.go (the nil Scope branch
around lines 306-327) and ensure no panic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 8fb213fa-83ac-406c-a026-5e1303cd867a

📥 Commits

Reviewing files that changed from the base of the PR and between baaee2b and 5245d9f.

📒 Files selected for processing (2)

• pkg/cmd/provisioning/azure/create_managed_identities.go
• pkg/cmd/provisioning/azure/create_managed_identities_test.go

✅ Files skipped from review due to trivial changes (1)

• pkg/cmd/provisioning/azure/create_managed_identities.go

[dlom]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom, jstuever

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [dlom,jstuever]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jstuever]

/verified by e2e-azure-manual-oidc, @jstuever

[openshift-ci-robot]

@jstuever: This PR has been marked as verified by e2e-azure-manual-oidc,@jstuever.

Details

In response to this:

/verified by e2e-azure-manual-oidc, @jstuever

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 4f64270 and 2 for PR HEAD b5f8b6a in total

[jstuever]

/retest

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD edf57e9 and 1 for PR HEAD b5f8b6a in total

[jstuever]

/retest

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 5d4f959 and 0 for PR HEAD b5f8b6a in total

[openshift-merge-bot]

/hold

Revision b5f8b6a was retested 3 times: holding

[jstuever]

/retest

[jstuever]

The e2e-azure-manual-oidc test appears to be failing openshift-tests. I'm not sure this is directly related to this change. It works for me in manual testing. I'll retry a few more times hoping whatever is broken gets fixed so it can pass.

[jstuever]

/retest

[jstuever]

/skip e2e-azure-manual-oidc
This test is experiencing an unrelated issue. It is otherwise functional.

[jstuever]

/hold cancel

[jstuever]

/skip ci/prow/e2e-azure-manual-oidc

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 5d4f959 and 2 for PR HEAD b5f8b6a in total

[jstuever]

/skip ci/prow/e2e-azure-manual-oidc

[jstuever]

/override ci/prow/e2e-azure-manual-oidc

[openshift-ci]

@jstuever: Overrode contexts on behalf of jstuever: ci/prow/e2e-azure-manual-oidc

Details

In response to this:

/override ci/prow/e2e-azure-manual-oidc

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@jstuever: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jstuever]

/override ci/prow/security

[openshift-ci]

@jstuever: Overrode contexts on behalf of jstuever: ci/prow/security

Details

In response to this:

/override ci/prow/security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@jstuever: Jira Issue OCPBUGS-58181: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

• openshift/cloud-credential-operator#879 is closed

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-58181 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Add nil checks for Properties, RoleDefinitionID, and Scope fields before dereferencing role assignments. This prevents panics during retry scenarios when Azure API returns role assignments with nil properties.

Assisted-by: Claude Sonnet 4.6

Summary by CodeRabbit

• Bug Fixes

• Improved robustness when reconciling Azure managed identity role assignments by ignoring incomplete or malformed role-assignment entries, preventing crashes during detection and cleanup.

• Tests

• Added unit tests covering partially populated or missing role-assignment data to ensure reconciliation and cleanup complete without errors.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.