fix(kubernetes-client-api): TokenRefreshInterceptor doesn't overwrite existing OAuth token with empty string

CHANGELOG.md

@@ -7,6 +7,7 @@
 * Fix #4350: SchemaSwap annotation is now repeatable and is applied multiple times if classes are used more than once in the class hierarchy.
 * Fix #3733: The authentication command from the .kube/config won't be discarded if no arguments are specified
 * Fix #4441: corrected patch base handling for the patch methods available from a Resource - resource(item).patch() will be evaluated as resource(latest).patch(item).  Also undeprecated patch(item), which is consistent with leaving patch(context, item) undeprecated as well.  For consistency with the other operations (such as edit), patch(item) will use the context item as the base when available, or the server side item when not.  This means that patch(item) is only the same as resource(item).patch() when the patch(item) is called when the context item is missing or is the same as the latest.
+* Fix #4442: TokenRefreshInterceptor doesn't overwrite existing OAuth token with empty string
 
 #### Improvements
 * Fix #4348: Introduce specific annotations for the generators

kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/utils/TokenRefreshInterceptor.java

@@ -84,7 +84,7 @@ private CompletableFuture<String> extractNewAccessTokenFrom(Config newestConfig)
   }
 
   private boolean overrideNewAccessTokenToConfig(String newAccessToken, BasicBuilder headerBuilder, Config existConfig) {
-    if (newAccessToken != null) {
+    if (Utils.isNotNullOrEmpty(newAccessToken)) {
       headerBuilder.setHeader("Authorization", "Bearer " + newAccessToken);
       existConfig.setOauthToken(newAccessToken);
 

kubernetes-client-api/src/test/java/io/fabric8/kubernetes/client/utils/TokenRefreshInterceptorTest.java

@@ -16,10 +16,14 @@
 package io.fabric8.kubernetes.client.utils;
 
 import io.fabric8.kubernetes.client.Config;
+import io.fabric8.kubernetes.client.ConfigBuilder;
 import io.fabric8.kubernetes.client.http.HttpClient;
 import io.fabric8.kubernetes.client.http.HttpRequest;
+import io.fabric8.kubernetes.client.http.StandardHttpRequest;
 import io.fabric8.kubernetes.client.http.TestHttpResponse;
+import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
+import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 
 import java.io.File;
@@ -33,7 +37,11 @@
 import static io.fabric8.kubernetes.client.Config.KUBERNETES_AUTH_SERVICEACCOUNT_TOKEN_FILE_SYSTEM_PROPERTY;
 import static io.fabric8.kubernetes.client.Config.KUBERNETES_AUTH_TRYKUBECONFIG_SYSTEM_PROPERTY;
 import static io.fabric8.kubernetes.client.Config.KUBERNETES_KUBECONFIG_FILE;
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.CALLS_REAL_METHODS;
+import static org.mockito.Mockito.mockStatic;
 
 /**
  * Ignoring for now - the token refresh should be based upon the java 11 client or the provided client library and not okhttp
@@ -89,6 +97,52 @@ void shouldAutoconfigureAfter1Minute() throws Exception {
     }
   }
 
+  @Test
+  @DisplayName("#4442 token auto refresh should not overwrite existing token when not applicable")
+  void refreshShouldNotOverwriteExistingToken() throws Exception {
+    try (MockedStatic<Config> configMock = mockStatic(Config.class, CALLS_REAL_METHODS)) {
+      // Given
+      final Config autoConfig = new ConfigBuilder(Config.empty())
+          .withOauthToken("") // empty token
+          .build();
+      configMock.when(() -> Config.autoConfigure(any())).thenReturn(autoConfig);
+      final Config config = new ConfigBuilder(Config.empty())
+          .withOauthToken("existing-token")
+          .build();
+      final TokenRefreshInterceptor tokenRefreshInterceptor = new TokenRefreshInterceptor(
+          config, null, Instant.now().minusSeconds(61));
+      // When
+      final boolean result = tokenRefreshInterceptor
+          .afterFailure(new StandardHttpRequest.Builder(), new TestHttpResponse<>().withCode(401)).get();
+      // Then
+      assertThat(result).isFalse();
+      assertThat(config).hasFieldOrPropertyWithValue("oauthToken", "existing-token");
+    }
+  }
+
+  @Test
+  @DisplayName("#4442 token auto refresh should  overwrite existing token when applicable")
+  void refreshShouldOverwriteExistingToken() throws Exception {
+    try (MockedStatic<Config> configMock = mockStatic(Config.class, CALLS_REAL_METHODS)) {
+      // Given
+      final Config autoConfig = new ConfigBuilder(Config.empty())
+          .withOauthToken("new-token")
+          .build();
+      configMock.when(() -> Config.autoConfigure(any())).thenReturn(autoConfig);
+      final Config config = new ConfigBuilder(Config.empty())
+          .withOauthToken("existing-token")
+          .build();
+      final TokenRefreshInterceptor tokenRefreshInterceptor = new TokenRefreshInterceptor(
+          config, null, Instant.now().minusSeconds(61));
+      // When
+      final boolean result = tokenRefreshInterceptor
+          .afterFailure(new StandardHttpRequest.Builder(), new TestHttpResponse<>().withCode(401)).get();
+      // Then
+      assertThat(result).isTrue();
+      assertThat(config).hasFieldOrPropertyWithValue("oauthToken", "new-token");
+    }
+  }
+
   @Test
   void shouldReloadInClusterServiceAccount() throws Exception {
     try {