OCPBUGS-58181: Fix nil pointer dereference in ensureRolesAssignedToManagedIdentity

[jstuever]

Add nil checks for Properties, RoleDefinitionID, and Scope fields before dereferencing role assignments. This prevents panics during retry scenarios when Azure API returns role assignments with nil properties.

Assisted-by: Claude Sonnet 4.5

Summary by CodeRabbit

• Bug Fixes
  • Improved robustness when handling Azure managed identity role assignments by adding validation checks that gracefully skip incomplete or malformed role assignment data instead of causing system failures.

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-58181, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Add nil checks for Properties, RoleDefinitionID, and Scope fields before dereferencing role assignments. This prevents panics during retry scenarios when Azure API returns role assignments with nil properties.

Assisted-by: Claude Sonnet 4.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

This change adds defensive nil-safety checks to the role assignment validation function in the Azure managed identities provisioning module. The function now safely handles cases where role assignment data structures contain nil fields by skipping incomplete entries instead of attempting to dereference them.

Changes

Cohort / File(s)	Summary
Nil-Safety Guards for Role Assignments pkg/cmd/provisioning/azure/create_managed_identities.go	Added nil checks for Properties and nested RoleDefinitionID/Scope fields in existingRoleAssignments evaluation and processing. Incomplete entries are now logged and skipped rather than causing potential nil-pointer panics.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: fixing a nil pointer dereference in the ensureRolesAssignedToManagedIdentity function, which aligns directly with the code changes adding nil-safety guards.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	This PR modifies non-test Go files with bug fixes for nil pointer dereferences. The codebase uses standard Go testing, not Ginkgo, so this check is not applicable.
Test Structure And Quality	✅ Passed	This PR adds test code using standard Go testing package and testify/gomock, not Ginkgo. The custom check targets Ginkgo test code specifically, so it is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jstuever]

/jira refresh

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-58181, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jstuever]

/jira backport release-4.21,release-4.22

[openshift-ci-robot]

@jstuever: Missing required branches for backport chain:

• openshift-4.23 OR release-4.23,

Details

In response to this:

/jira backport release-4.21,release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-58181, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Add nil checks for Properties, RoleDefinitionID, and Scope fields before dereferencing role assignments. This prevents panics during retry scenarios when Azure API returns role assignments with nil properties.

Assisted-by: Claude Sonnet 4.5

Summary by CodeRabbit

• Bug Fixes
• Improved robustness when handling Azure managed identity role assignments by adding validation checks that gracefully skip incomplete or malformed role assignment data instead of causing system failures.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jstuever

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jstuever]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/cmd/provisioning/azure/create_managed_identities.go`:
- Around line 313-316: The cleanup loop may still nil-deref
existingRoleAssignment.Name; move the guard that checks
existingRoleAssignment.Properties, RoleDefinitionID, and Scope to execute before
any dereference of existingRoleAssignment.Name and extend it to also check
existingRoleAssignment.Name != nil; specifically, in the loop that iterates
existingRoleAssignment (the cleanup loop logic where the code compares
*existingRoleAssignment.Name and later logs it), add Name to the nil checks and
run that guard before the name comparison and before logging to avoid panics.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5879ed38-c555-4581-8eb1-97770b5a6bfb

📥 Commits

Reviewing files that changed from the base of the PR and between ed39a12 and baaee2b.

📒 Files selected for processing (1)

• pkg/cmd/provisioning/azure/create_managed_identities.go

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n pkg/cmd/provisioning/azure/create_managed_identities.go | sed -n '300,330p'

Repository: openshift/cloud-credential-operator

Length of output: 1604

---

🏁 Script executed:

head -50 pkg/cmd/provisioning/azure/create_managed_identities.go | grep -E "^import|armauthorization"

Repository: openshift/cloud-credential-operator

Length of output: 178

---

🌐 Web query:

azure-sdk-for-go RoleAssignment armauthorization Name field type

💡 Result:

In github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization (v2 and v3), the RoleAssignment resource’s Name field is a read-only *string:

// READ-ONLY; The role assignment name.
Name *string

[1], [2]

Sources:
[1] armauthorization v3 type RoleAssignment struct on pkg.go.dev
[2] armauthorization v2 type RoleAssignment struct on pkg.go.dev

---

🏁 Script executed:

cat -n pkg/cmd/provisioning/azure/create_managed_identities.go | sed -n '305,320p'

Repository: openshift/cloud-credential-operator

Length of output: 1071

---

This still leaves a nil-deref path in the cleanup loop.

The new guard only covers Properties/RoleDefinitionID/Scope, but Line 308 dereferences *existingRoleAssignment.Name before this guard runs, and Line 314 dereferences *existingRoleAssignment.Name within the skip block. Since armauthorization.RoleAssignment.Name is a *string pointer, the malformed payloads this PR is handling can still panic. Move the guard ahead of the name comparison at Line 308 and include Name in the nil checks.

Suggested fix

 	for _, existingRoleAssignment := range existingRoleAssignments {
+		if existingRoleAssignment == nil || existingRoleAssignment.Name == nil ||
+			existingRoleAssignment.Properties == nil ||
+			existingRoleAssignment.Properties.RoleDefinitionID == nil ||
+			existingRoleAssignment.Properties.Scope == nil {
+			name := "<unknown>"
+			if existingRoleAssignment != nil && existingRoleAssignment.Name != nil {
+				name = *existingRoleAssignment.Name
+			}
+			log.Printf("Skipping role assignment %s with nil Name, Properties, RoleDefinitionID, or Scope", name)
+			continue
+		}
+
 		found := false
 		for _, shouldExistRoleAssignment := range shouldExistRoleAssignments {
-			if shouldExistRoleAssignment != nil && *shouldExistRoleAssignment.Name == *existingRoleAssignment.Name {
+			if shouldExistRoleAssignment != nil &&
+				shouldExistRoleAssignment.Name != nil &&
+				*shouldExistRoleAssignment.Name == *existingRoleAssignment.Name {
 				found = true
 			}
 		}
 		if !found {
-			if existingRoleAssignment.Properties == nil || existingRoleAssignment.Properties.RoleDefinitionID == nil || existingRoleAssignment.Properties.Scope == nil {
-				log.Printf("Skipping role assignment %s with nil Properties, RoleDefinitionID, or Scope", *existingRoleAssignment.Name)
-				continue
-			}
 			roleDefinition, err := getRoleDefinitionByID(client, *existingRoleAssignment.Properties.RoleDefinitionID)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/cmd/provisioning/azure/create_managed_identities.go` around lines 313 -
316, The cleanup loop may still nil-deref existingRoleAssignment.Name; move the
guard that checks existingRoleAssignment.Properties, RoleDefinitionID, and Scope
to execute before any dereference of existingRoleAssignment.Name and extend it
to also check existingRoleAssignment.Name != nil; specifically, in the loop that
iterates existingRoleAssignment (the cleanup loop logic where the code compares
*existingRoleAssignment.Name and later logs it), add Name to the nil checks and
run that guard before the name comparison and before logging to avoid panics.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 46.19%. Comparing base (ed39a12) to head (baaee2b).

Files with missing lines	Patch %	Lines
...md/provisioning/azure/create_managed_identities.go	0.00%	3 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #987      +/-   ##
==========================================
- Coverage   46.20%   46.19%   -0.02%     
==========================================
  Files          98       98              
  Lines       12253    12258       +5     
==========================================
  Hits         5662     5662              
- Misses       5941     5944       +3     
- Partials      650      652       +2     

Files with missing lines	Coverage Δ
...md/provisioning/azure/create_managed_identities.go	54.88% <0.00%> (-0.55%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jstuever]

/test e2e-azure-manual-oidc

[huangmingxia]

@jstuever e2e-azure-manual-oidc job is blocked by https://issues.redhat.com/browse/OCPBUGS-77845

[openshift-ci]

@jstuever: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-hypershift	baaee2b	link	true	/test e2e-hypershift
ci/prow/e2e-azure-manual-oidc	baaee2b	link	true	/test e2e-azure-manual-oidc

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.