[DO NOT MERGE] fix: Handle "NULL" string as unconfigured OAuth identity provider

infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactory.java

@@ -119,9 +119,16 @@ public OpenShiftProject getOrCreate(RuntimeIdentity identity) throws Infrastruct
     Map<String, String> namespaceAnnotationsEvaluated =
         evaluateAnnotationPlaceholders(resolutionCtx);
 
+    // Use Che server SA when initWithCheServerSa is true and OAuth is configured.
+    // The string "NULL" is treated as "not configured" to handle property placeholder defaults.
+    boolean useServerSa =
+        initWithCheServerSa
+            && !isNullOrEmpty(oAuthIdentityProvider)
+            && !"NULL".equals(oAuthIdentityProvider);
+
     osProject.prepare(
         canCreateNamespace(),
-        initWithCheServerSa && !isNullOrEmpty(oAuthIdentityProvider),
+        useServerSa,
         labelNamespaces ? namespaceLabels : emptyMap(),
         annotateNamespaces ? namespaceAnnotationsEvaluated : emptyMap());
 

infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactoryTest.java

@@ -102,6 +102,7 @@ public class OpenShiftProjectFactoryTest {
   private static final String USER_ID = "2342-2559-234";
   private static final String USER_NAME = "johndoe";
   private static final String NO_OAUTH_IDENTITY_PROVIDER = null;
+  private static final String NULL_STRING_OAUTH_IDENTITY_PROVIDER = "NULL";
   private static final String OAUTH_IDENTITY_PROVIDER = "openshift-v4";
   private static final String NAMESPACE_LABEL_NAME = "component";
   private static final String NAMESPACE_LABELS = NAMESPACE_LABEL_NAME + "=workspace";
@@ -546,6 +547,7 @@ public void shouldRequireNamespacePriorExistenceIfDifferentFromDefaultAndUserDef
 
     // then
     assertEquals(toReturnProject, project);
+    // When OAuth is NOT configured (null), don't use Che server SA (false)
     verify(toReturnProject).prepare(eq(true), eq(false), any(), any());
   }
 
@@ -676,6 +678,45 @@ public void shouldCallStopWorkspaceRoleProvisionWhenIdentityProviderIsDefined()
 
     // then
     verify(serviceAccount).prepare();
+    // When OAuth IS configured, use Che server SA (true) to create projects
+    verify(toReturnProject).prepare(eq(true), eq(true), any(), any());
+  }
+
+  @Test
+  public void shouldUseCheServerSAWhenOAuthIdentityProviderIsNullString() throws Exception {
+    // given - when oAuthIdentityProvider is the string "NULL" (property placeholder default),
+    // it should be treated as if OAuth is not configured (same as null)
+    projectFactory =
+        spy(
+            new OpenShiftProjectFactory(
+                "<userid>-che",
+                true,
+                true,
+                true,
+                NAMESPACE_LABELS,
+                NAMESPACE_ANNOTATIONS,
+                true,
+                emptySet(),
+                openShiftClientFactory,
+                cheServerKubernetesClientFactory,
+                cheServerOpenshiftClientFactory,
+                preferenceManager,
+                pool,
+                authorizationChecker,
+                permissionsCleaner,
+                NULL_STRING_OAUTH_IDENTITY_PROVIDER));
+    OpenShiftProject toReturnProject = mock(OpenShiftProject.class);
+    prepareProject(toReturnProject);
+    doReturn(toReturnProject).when(projectFactory).doCreateProjectAccess(any(), any());
+
+    // when
+    RuntimeIdentity identity =
+        new RuntimeIdentityImpl("workspace123", null, USER_ID, "workspace123");
+    projectFactory.getOrCreate(identity);
+
+    // then - should NOT use Che server SA (false) when oAuthIdentityProvider="NULL"
+    // because "NULL" is treated the same as null (unconfigured)
+    verify(toReturnProject).prepare(eq(true), eq(false), any(), any());
   }
 
   @Ignore