Merge pull request #1419 from vmware-tanzu/multiple_idps_and_transformations

Support multiple IDPs and identity transformations on Supervisor FederationDomains
This commit is contained in:
Ryan Richard 2023-09-13 14:26:23 -07:00 committed by GitHub
commit 06d456fc87
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
201 changed files with 19254 additions and 4113 deletions

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -8,14 +8,17 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
type FederationDomainStatusCondition string
type FederationDomainPhase string
const (
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
FederationDomainPhasePending FederationDomainPhase = "Pending"
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
FederationDomainPhaseReady FederationDomainPhase = "Ready"
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
FederationDomainPhaseError FederationDomainPhase = "Error"
)
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
SecretName string `json:"secretName,omitempty"`
}
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
// the transform expressions. This is a union type, and Type is the discriminator field.
type FederationDomainTransformsConstant struct {
// Name determines the name of the constant. It must be a valid identifier name.
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
// StringValue should hold the value when Type is "string", and is otherwise ignored.
// +optional
StringValue string `json:"stringValue,omitempty"`
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
// +optional
StringListValue []string `json:"stringListValue,omitempty"`
}
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression"`
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
// an authentication attempt. When empty, a default message will be used.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransformsExample defines a transform example.
type FederationDomainTransformsExample struct {
// Username is the input username.
// +kubebuilder:validation:MinLength=1
Username string `json:"username"`
// Groups is the input list of group names.
// +optional
Groups []string `json:"groups,omitempty"`
// Expects is the expected output of the entire sequence of transforms when they are run against the
// input Username and Groups.
Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
type FederationDomainTransformsExampleExpects struct {
// Username is the expected username after the transformations have been applied.
// +optional
Username string `json:"username,omitempty"`
// Groups is the expected list of group names after the transformations have been applied.
// +optional
Groups []string `json:"groups,omitempty"`
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
// after the transformations have been applied. True means that it is expected that the authentication would be
// rejected. The default value of false means that it is expected that the authentication would not be rejected
// by any policy expression.
// +optional
Rejected bool `json:"rejected,omitempty"`
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
// then Message will be treated as the default error message for authentication attempts which are rejected by a
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
type FederationDomainTransforms struct {
// Constants defines constant variables and their values which will be made available to the transform expressions.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
// Expressions are an optional list of transforms and policies to be executed in the order given during every
// authentication attempt, including during every session refresh.
// Each is a CEL expression. It may use the basic CEL language as defined in
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
// https://github.com/google/cel-go/tree/master/ext#strings.
//
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
// available as variables in all expressions. The username is provided via a variable called `username` and
// the list of group names is provided via a variable called `groups` (which may be an empty list).
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
// and `strListConst.varName` for string list constants.
//
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
// and the authentication attempt is rejected.
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
// username or group names.
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
// groups list.
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
//
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
// and group names have been decided for that authentication attempt.
//
// +optional
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
// expected. Examples define sample input identities which are then run through the expression list, and the
// results are compared to the expected results. If any example in this list fails, then this
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
// expressions, and also act as living documentation for other administrators to better understand the expressions.
// +optional
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
type FederationDomainIdentityProvider struct {
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
// disruptive change for those users.
// +kubebuilder:validation:MinLength=1
DisplayName string `json:"displayName"`
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
// If the reference cannot be resolved then the identity provider will not be made available.
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
// Transforms is an optional way to specify transformations to be applied during user authentication and
// session refresh.
// +optional
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
// FederationDomainSpec is a struct that describes an OIDC Provider.
type FederationDomainSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
// +optional
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
//
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
// disallow the authentication unless the user belongs to a specific group in the identity provider.
//
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
// explicitly list the identity provider using this IdentityProviders field.
//
// +optional
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
type FederationDomainStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
// represent success or failure.
// +optional
Status FederationDomainStatusCondition `json:"status,omitempty"`
// Phase summarizes the overall status of the FederationDomain.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase FederationDomainPhase `json:"phase,omitempty"`
// Message provides human-readable details about the Status.
// +optional
Message string `json:"message,omitempty"`
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
// around some undesirable behavior with respect to the empty metav1.Time value (see
// https://github.com/kubernetes/kubernetes/issues/86811).
// +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// Conditions represent the observations of an FederationDomain's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Secrets contains information about this OIDC Provider's secrets.
// +optional
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type FederationDomain struct {

View File

@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type OIDCClientPhase string
const (
// PhasePending is the default phase for newly-created OIDCClient resources.
PhasePending OIDCClientPhase = "Pending"
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
OIDCClientPhasePending OIDCClientPhase = "Pending"
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
PhaseReady OIDCClientPhase = "Ready"
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
OIDCClientPhaseReady OIDCClientPhase = "Ready"
// PhaseError is the phase for an OIDCClient in an unhealthy state.
PhaseError OIDCClientPhase = "Error"
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
OIDCClientPhaseError OIDCClientPhase = "Error"
)
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`

View File

@ -21,7 +21,7 @@ spec:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .status.status
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
@ -47,6 +47,263 @@ spec:
spec:
description: Spec of the OIDC provider.
properties:
identityProviders:
description: "IdentityProviders is the list of identity providers
available for use by this FederationDomain. \n An identity provider
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
how to connect to a server, how to talk in a specific protocol for
authentication, and how to use the schema of that server/protocol
to extract a normalized user identity. Normalized user identities
include a username and a list of group names. In contrast, IdentityProviders
describes how to use that normalized identity in those Kubernetes
clusters which belong to this FederationDomain. Each entry in IdentityProviders
can be configured with arbitrary transformations on that normalized
identity. For example, a transformation can add a prefix to all
usernames to help avoid accidental conflicts when multiple identity
providers have different users with the same username (e.g. \"idp1:ryan\"
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
implement arbitrary authentication rejection policies. Even though
a user was able to authenticate with the identity provider, a policy
can disallow the authentication to the Kubernetes clusters that
belong to this FederationDomain. For example, a policy could disallow
the authentication unless the user belongs to a specific group in
the identity provider. \n For backwards compatibility with versions
of Pinniped which predate support for multiple identity providers,
an empty IdentityProviders list will cause the FederationDomain
to use all available identity providers which exist in the same
namespace, but also to reject all authentication requests when there
is more than one identity provider currently defined. In this backwards
compatibility mode, the name of the identity provider resource (e.g.
the Name of an OIDCIdentityProvider resource) will be used as the
name of the identity provider in this FederationDomain. This mode
is provided to make upgrading from older versions easier. However,
instead of relying on this backwards compatibility mode, please
consider this mode to be deprecated and please instead explicitly
list the identity provider using this IdentityProviders field."
items:
description: FederationDomainIdentityProvider describes how an identity
provider is made available in this FederationDomain.
properties:
displayName:
description: DisplayName is the name of this identity provider
as it will appear to clients. This name ends up in the kubeconfig
of end users, so changing the name of an identity provider
that is in use by end users will be a disruptive change for
those users.
minLength: 1
type: string
objectRef:
description: ObjectRef is a reference to a Pinniped identity
provider resource. A valid reference is required. If the reference
cannot be resolved then the identity provider will not be
made available. Must refer to a resource of one of the Pinniped
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
ActiveDirectoryIdentityProvider.
properties:
apiGroup:
description: APIGroup is the group for the resource being
referenced. If APIGroup is not specified, the specified
Kind must be in the core API group. For any other third-party
types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource being referenced
type: string
name:
description: Name is the name of resource being referenced
type: string
required:
- kind
- name
type: object
transforms:
description: Transforms is an optional way to specify transformations
to be applied during user authentication and session refresh.
properties:
constants:
description: Constants defines constant variables and their
values which will be made available to the transform expressions.
items:
description: FederationDomainTransformsConstant defines
a constant variable and its value which will be made
available to the transform expressions. This is a union
type, and Type is the discriminator field.
properties:
name:
description: Name determines the name of the constant.
It must be a valid identifier name.
maxLength: 64
minLength: 1
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
type: string
stringListValue:
description: StringListValue should hold the value
when Type is "stringList", and is otherwise ignored.
items:
type: string
type: array
stringValue:
description: StringValue should hold the value when
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
enum:
- string
- stringList
type: string
required:
- name
- type
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
examples:
description: Examples can optionally be used to ensure that
the sequence of transformation expressions are working
as expected. Examples define sample input identities which
are then run through the expression list, and the results
are compared to the expected results. If any example in
this list fails, then this identity provider will not
be available for use within this FederationDomain, and
the error(s) will be added to the FederationDomain status.
This can be used to help guard against programming mistakes
in the expressions, and also act as living documentation
for other administrators to better understand the expressions.
items:
description: FederationDomainTransformsExample defines
a transform example.
properties:
expects:
description: Expects is the expected output of the
entire sequence of transforms when they are run
against the input Username and Groups.
properties:
groups:
description: Groups is the expected list of group
names after the transformations have been applied.
items:
type: string
type: array
message:
description: Message is the expected error message
of the transforms. When Rejected is true, then
Message is the expected message for the policy
which rejected the authentication attempt. When
Rejected is true and Message is blank, then
Message will be treated as the default error
message for authentication attempts which are
rejected by a policy. When Rejected is false,
then Message is the expected error message for
some other non-policy transformation error,
such as a runtime error. When Rejected is false,
there is no default expected Message.
type: string
rejected:
description: Rejected is a boolean that indicates
whether authentication is expected to be rejected
by a policy expression after the transformations
have been applied. True means that it is expected
that the authentication would be rejected. The
default value of false means that it is expected
that the authentication would not be rejected
by any policy expression.
type: boolean
username:
description: Username is the expected username
after the transformations have been applied.
type: string
type: object
groups:
description: Groups is the input list of group names.
items:
type: string
type: array
username:
description: Username is the input username.
minLength: 1
type: string
required:
- expects
- username
type: object
type: array
expressions:
description: "Expressions are an optional list of transforms
and policies to be executed in the order given during
every authentication attempt, including during every session
refresh. Each is a CEL expression. It may use the basic
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
\n The username and groups extracted from the identity
provider, and the constants defined in this CR, are available
as variables in all expressions. The username is provided
via a variable called `username` and the list of group
names is provided via a variable called `groups` (which
may be an empty list). Each user-provided constants is
provided via a variable named `strConst.varName` for string
constants and `strListConst.varName` for string list constants.
\n The only allowed types for expressions are currently
policy/v1, username/v1, and groups/v1. Each policy/v1
must return a boolean, and when it returns false, no more
expressions from the list are evaluated and the authentication
attempt is rejected. Transformations of type policy/v1
do not return usernames or group names, and therefore
cannot change the username or group names. Each username/v1
transform must return the new username (a string), which
can be the same as the old username. Transformations of
type username/v1 do not return group names, and therefore
cannot change the group names. Each groups/v1 transform
must return the new groups list (list of strings), which
can be the same as the old groups list. Transformations
of type groups/v1 do not return usernames, and therefore
cannot change the usernames. After each expression, the
new (potentially changed) username or groups get passed
to the following expression. \n Any compilation or static
type-checking failure of any expression will cause an
error status on the FederationDomain. During an authentication
attempt, any unexpected runtime evaluation errors (e.g.
division by zero) cause the authentication attempt to
fail. When all expressions evaluate successfully, then
the (potentially changed) username and group names have
been decided for that authentication attempt."
items:
description: FederationDomainTransformsExpression defines
a transform expression.
properties:
expression:
description: Expression is a CEL expression that will
be evaluated based on the Type during an authentication.
minLength: 1
type: string
message:
description: Message is only used when Type is policy/v1.
It defines an error message to be used when the
policy rejects an authentication attempt. When empty,
a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
enum:
- policy/v1
- username/v1
- groups/v1
type: string
required:
- expression
- type
type: object
type: array
type: object
required:
- displayName
- objectRef
type: object
type: array
issuer:
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
Metadata document, as well as the identifier that it will use for
@ -59,8 +316,8 @@ spec:
minLength: 1
type: string
tls:
description: TLS configures how this FederationDomain is served over
Transport Layer Security (TLS).
description: TLS specifies a secret which will contain Transport Layer
Security (TLS) configuration for the FederationDomain.
properties:
secretName:
description: "SecretName is an optional name of a Secret in the
@ -91,14 +348,86 @@ spec:
status:
description: Status of the OIDC provider.
properties:
lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
conditions:
description: Conditions represent the observations of an FederationDomain's
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: Message provides human-readable details about the Status.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the FederationDomain.
enum:
- Pending
- Ready
- Error
type: string
secrets:
description: Secrets contains information about this OIDC Provider's
@ -145,15 +474,6 @@ spec:
type: string
type: object
type: object
status:
description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure.
enum:
- Success
- Duplicate
- Invalid
- SameIssuerHostMustUseSameSecret
type: string
type: object
required:
- spec

View File

@ -652,6 +652,37 @@ FederationDomain describes the configuration of an OIDC provider.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
==== FederationDomainIdentityProvider
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainphase"]
==== FederationDomainPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
@ -689,7 +720,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|===
@ -706,25 +740,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
| *`message`* __string__ | Message provides human-readable details about the Status.
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
==== FederationDomainStatusCondition (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
==== FederationDomainTLSSpec
@ -746,6 +767,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
==== FederationDomainTransforms
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
==== FederationDomainTransformsConstant
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
==== FederationDomainTransformsExample
FederationDomainTransformsExample defines a transform example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the input username.
| *`groups`* __string array__ | Groups is the input list of group names.
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
==== FederationDomainTransformsExampleExpects
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
==== FederationDomainTransformsExpression
FederationDomainTransformsExpression defines a transform expression.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-granttype"]
==== GrantType (string)

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -8,14 +8,17 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
type FederationDomainStatusCondition string
type FederationDomainPhase string
const (
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
FederationDomainPhasePending FederationDomainPhase = "Pending"
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
FederationDomainPhaseReady FederationDomainPhase = "Ready"
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
FederationDomainPhaseError FederationDomainPhase = "Error"
)
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
SecretName string `json:"secretName,omitempty"`
}
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
// the transform expressions. This is a union type, and Type is the discriminator field.
type FederationDomainTransformsConstant struct {
// Name determines the name of the constant. It must be a valid identifier name.
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
// StringValue should hold the value when Type is "string", and is otherwise ignored.
// +optional
StringValue string `json:"stringValue,omitempty"`
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
// +optional
StringListValue []string `json:"stringListValue,omitempty"`
}
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression"`
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
// an authentication attempt. When empty, a default message will be used.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransformsExample defines a transform example.
type FederationDomainTransformsExample struct {
// Username is the input username.
// +kubebuilder:validation:MinLength=1
Username string `json:"username"`
// Groups is the input list of group names.
// +optional
Groups []string `json:"groups,omitempty"`
// Expects is the expected output of the entire sequence of transforms when they are run against the
// input Username and Groups.
Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
type FederationDomainTransformsExampleExpects struct {
// Username is the expected username after the transformations have been applied.
// +optional
Username string `json:"username,omitempty"`
// Groups is the expected list of group names after the transformations have been applied.
// +optional
Groups []string `json:"groups,omitempty"`
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
// after the transformations have been applied. True means that it is expected that the authentication would be
// rejected. The default value of false means that it is expected that the authentication would not be rejected
// by any policy expression.
// +optional
Rejected bool `json:"rejected,omitempty"`
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
// then Message will be treated as the default error message for authentication attempts which are rejected by a
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
type FederationDomainTransforms struct {
// Constants defines constant variables and their values which will be made available to the transform expressions.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
// Expressions are an optional list of transforms and policies to be executed in the order given during every
// authentication attempt, including during every session refresh.
// Each is a CEL expression. It may use the basic CEL language as defined in
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
// https://github.com/google/cel-go/tree/master/ext#strings.
//
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
// available as variables in all expressions. The username is provided via a variable called `username` and
// the list of group names is provided via a variable called `groups` (which may be an empty list).
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
// and `strListConst.varName` for string list constants.
//
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
// and the authentication attempt is rejected.
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
// username or group names.
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
// groups list.
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
//
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
// and group names have been decided for that authentication attempt.
//
// +optional
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
// expected. Examples define sample input identities which are then run through the expression list, and the
// results are compared to the expected results. If any example in this list fails, then this
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
// expressions, and also act as living documentation for other administrators to better understand the expressions.
// +optional
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
type FederationDomainIdentityProvider struct {
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
// disruptive change for those users.
// +kubebuilder:validation:MinLength=1
DisplayName string `json:"displayName"`
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
// If the reference cannot be resolved then the identity provider will not be made available.
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
// Transforms is an optional way to specify transformations to be applied during user authentication and
// session refresh.
// +optional
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
// FederationDomainSpec is a struct that describes an OIDC Provider.
type FederationDomainSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
// +optional
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
//
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
// disallow the authentication unless the user belongs to a specific group in the identity provider.
//
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
// explicitly list the identity provider using this IdentityProviders field.
//
// +optional
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
type FederationDomainStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
// represent success or failure.
// +optional
Status FederationDomainStatusCondition `json:"status,omitempty"`
// Phase summarizes the overall status of the FederationDomain.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase FederationDomainPhase `json:"phase,omitempty"`
// Message provides human-readable details about the Status.
// +optional
Message string `json:"message,omitempty"`
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
// around some undesirable behavior with respect to the empty metav1.Time value (see
// https://github.com/kubernetes/kubernetes/issues/86811).
// +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// Conditions represent the observations of an FederationDomain's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Secrets contains information about this OIDC Provider's secrets.
// +optional
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type FederationDomain struct {

View File

@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type OIDCClientPhase string
const (
// PhasePending is the default phase for newly-created OIDCClient resources.
PhasePending OIDCClientPhase = "Pending"
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
OIDCClientPhasePending OIDCClientPhase = "Pending"
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
PhaseReady OIDCClientPhase = "Ready"
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
OIDCClientPhaseReady OIDCClientPhase = "Ready"
// PhaseError is the phase for an OIDCClient in an unhealthy state.
PhaseError OIDCClientPhase = "Error"
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
OIDCClientPhaseError OIDCClientPhase = "Error"
)
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`

View File

@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
*out = *in
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
in.Transforms.DeepCopyInto(&out.Transforms)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
if in == nil {
return nil
}
out := new(FederationDomainIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
*out = *in
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
*out = new(FederationDomainTLSSpec)
**out = **in
}
if in.IdentityProviders != nil {
in, out := &in.IdentityProviders, &out.IdentityProviders
*out = make([]FederationDomainIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
*out = *in
if in.LastUpdateTime != nil {
in, out := &in.LastUpdateTime, &out.LastUpdateTime
*out = (*in).DeepCopy()
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
out.Secrets = in.Secrets
return
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
*out = *in
if in.Constants != nil {
in, out := &in.Constants, &out.Constants
*out = make([]FederationDomainTransformsConstant, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Expressions != nil {
in, out := &in.Expressions, &out.Expressions
*out = make([]FederationDomainTransformsExpression, len(*in))
copy(*out, *in)
}
if in.Examples != nil {
in, out := &in.Examples, &out.Examples
*out = make([]FederationDomainTransformsExample, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
if in == nil {
return nil
}
out := new(FederationDomainTransforms)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
*out = *in
if in.StringListValue != nil {
in, out := &in.StringListValue, &out.StringListValue
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
if in == nil {
return nil
}
out := new(FederationDomainTransformsConstant)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
in.Expects.DeepCopyInto(&out.Expects)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExample)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExampleExpects)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExpression)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
*out = *in

View File

@ -21,7 +21,7 @@ spec:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .status.status
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
@ -47,6 +47,263 @@ spec:
spec:
description: Spec of the OIDC provider.
properties:
identityProviders:
description: "IdentityProviders is the list of identity providers
available for use by this FederationDomain. \n An identity provider
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
how to connect to a server, how to talk in a specific protocol for
authentication, and how to use the schema of that server/protocol
to extract a normalized user identity. Normalized user identities
include a username and a list of group names. In contrast, IdentityProviders
describes how to use that normalized identity in those Kubernetes
clusters which belong to this FederationDomain. Each entry in IdentityProviders
can be configured with arbitrary transformations on that normalized
identity. For example, a transformation can add a prefix to all
usernames to help avoid accidental conflicts when multiple identity
providers have different users with the same username (e.g. \"idp1:ryan\"
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
implement arbitrary authentication rejection policies. Even though
a user was able to authenticate with the identity provider, a policy
can disallow the authentication to the Kubernetes clusters that
belong to this FederationDomain. For example, a policy could disallow
the authentication unless the user belongs to a specific group in
the identity provider. \n For backwards compatibility with versions
of Pinniped which predate support for multiple identity providers,
an empty IdentityProviders list will cause the FederationDomain
to use all available identity providers which exist in the same
namespace, but also to reject all authentication requests when there
is more than one identity provider currently defined. In this backwards
compatibility mode, the name of the identity provider resource (e.g.
the Name of an OIDCIdentityProvider resource) will be used as the
name of the identity provider in this FederationDomain. This mode
is provided to make upgrading from older versions easier. However,
instead of relying on this backwards compatibility mode, please
consider this mode to be deprecated and please instead explicitly
list the identity provider using this IdentityProviders field."
items:
description: FederationDomainIdentityProvider describes how an identity
provider is made available in this FederationDomain.
properties:
displayName:
description: DisplayName is the name of this identity provider
as it will appear to clients. This name ends up in the kubeconfig
of end users, so changing the name of an identity provider
that is in use by end users will be a disruptive change for
those users.
minLength: 1
type: string
objectRef:
description: ObjectRef is a reference to a Pinniped identity
provider resource. A valid reference is required. If the reference
cannot be resolved then the identity provider will not be
made available. Must refer to a resource of one of the Pinniped
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
ActiveDirectoryIdentityProvider.
properties:
apiGroup:
description: APIGroup is the group for the resource being
referenced. If APIGroup is not specified, the specified
Kind must be in the core API group. For any other third-party
types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource being referenced
type: string
name:
description: Name is the name of resource being referenced
type: string
required:
- kind
- name
type: object
transforms:
description: Transforms is an optional way to specify transformations
to be applied during user authentication and session refresh.
properties:
constants:
description: Constants defines constant variables and their
values which will be made available to the transform expressions.
items:
description: FederationDomainTransformsConstant defines
a constant variable and its value which will be made
available to the transform expressions. This is a union
type, and Type is the discriminator field.
properties:
name:
description: Name determines the name of the constant.
It must be a valid identifier name.
maxLength: 64
minLength: 1
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
type: string
stringListValue:
description: StringListValue should hold the value
when Type is "stringList", and is otherwise ignored.
items:
type: string
type: array
stringValue:
description: StringValue should hold the value when
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
enum:
- string
- stringList
type: string
required:
- name
- type
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
examples:
description: Examples can optionally be used to ensure that
the sequence of transformation expressions are working
as expected. Examples define sample input identities which
are then run through the expression list, and the results
are compared to the expected results. If any example in
this list fails, then this identity provider will not
be available for use within this FederationDomain, and
the error(s) will be added to the FederationDomain status.
This can be used to help guard against programming mistakes
in the expressions, and also act as living documentation
for other administrators to better understand the expressions.
items:
description: FederationDomainTransformsExample defines
a transform example.
properties:
expects:
description: Expects is the expected output of the
entire sequence of transforms when they are run
against the input Username and Groups.
properties:
groups:
description: Groups is the expected list of group
names after the transformations have been applied.
items:
type: string
type: array
message:
description: Message is the expected error message
of the transforms. When Rejected is true, then
Message is the expected message for the policy
which rejected the authentication attempt. When
Rejected is true and Message is blank, then
Message will be treated as the default error
message for authentication attempts which are
rejected by a policy. When Rejected is false,
then Message is the expected error message for
some other non-policy transformation error,
such as a runtime error. When Rejected is false,
there is no default expected Message.
type: string
rejected:
description: Rejected is a boolean that indicates
whether authentication is expected to be rejected
by a policy expression after the transformations
have been applied. True means that it is expected
that the authentication would be rejected. The
default value of false means that it is expected
that the authentication would not be rejected
by any policy expression.
type: boolean
username:
description: Username is the expected username
after the transformations have been applied.
type: string
type: object
groups:
description: Groups is the input list of group names.
items:
type: string
type: array
username:
description: Username is the input username.
minLength: 1
type: string
required:
- expects
- username
type: object
type: array
expressions:
description: "Expressions are an optional list of transforms
and policies to be executed in the order given during
every authentication attempt, including during every session
refresh. Each is a CEL expression. It may use the basic
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
\n The username and groups extracted from the identity
provider, and the constants defined in this CR, are available
as variables in all expressions. The username is provided
via a variable called `username` and the list of group
names is provided via a variable called `groups` (which
may be an empty list). Each user-provided constants is
provided via a variable named `strConst.varName` for string
constants and `strListConst.varName` for string list constants.
\n The only allowed types for expressions are currently
policy/v1, username/v1, and groups/v1. Each policy/v1
must return a boolean, and when it returns false, no more
expressions from the list are evaluated and the authentication
attempt is rejected. Transformations of type policy/v1
do not return usernames or group names, and therefore
cannot change the username or group names. Each username/v1
transform must return the new username (a string), which
can be the same as the old username. Transformations of
type username/v1 do not return group names, and therefore
cannot change the group names. Each groups/v1 transform
must return the new groups list (list of strings), which
can be the same as the old groups list. Transformations
of type groups/v1 do not return usernames, and therefore
cannot change the usernames. After each expression, the
new (potentially changed) username or groups get passed
to the following expression. \n Any compilation or static
type-checking failure of any expression will cause an
error status on the FederationDomain. During an authentication
attempt, any unexpected runtime evaluation errors (e.g.
division by zero) cause the authentication attempt to
fail. When all expressions evaluate successfully, then
the (potentially changed) username and group names have
been decided for that authentication attempt."
items:
description: FederationDomainTransformsExpression defines
a transform expression.
properties:
expression:
description: Expression is a CEL expression that will
be evaluated based on the Type during an authentication.
minLength: 1
type: string
message:
description: Message is only used when Type is policy/v1.
It defines an error message to be used when the
policy rejects an authentication attempt. When empty,
a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
enum:
- policy/v1
- username/v1
- groups/v1
type: string
required:
- expression
- type
type: object
type: array
type: object
required:
- displayName
- objectRef
type: object
type: array
issuer:
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
Metadata document, as well as the identifier that it will use for
@ -59,8 +316,8 @@ spec:
minLength: 1
type: string
tls:
description: TLS configures how this FederationDomain is served over
Transport Layer Security (TLS).
description: TLS specifies a secret which will contain Transport Layer
Security (TLS) configuration for the FederationDomain.
properties:
secretName:
description: "SecretName is an optional name of a Secret in the
@ -91,14 +348,86 @@ spec:
status:
description: Status of the OIDC provider.
properties:
lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
conditions:
description: Conditions represent the observations of an FederationDomain's
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a foo's
current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: Message provides human-readable details about the Status.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the FederationDomain.
enum:
- Pending
- Ready
- Error
type: string
secrets:
description: Secrets contains information about this OIDC Provider's
@ -145,15 +474,6 @@ spec:
type: string
type: object
type: object
status:
description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure.
enum:
- Success
- Duplicate
- Invalid
- SameIssuerHostMustUseSameSecret
type: string
type: object
required:
- spec

View File

@ -652,6 +652,37 @@ FederationDomain describes the configuration of an OIDC provider.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
==== FederationDomainIdentityProvider
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainphase"]
==== FederationDomainPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
@ -689,7 +720,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|===
@ -706,25 +740,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
| *`message`* __string__ | Message provides human-readable details about the Status.
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
==== FederationDomainStatusCondition (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
==== FederationDomainTLSSpec
@ -746,6 +767,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
==== FederationDomainTransforms
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
==== FederationDomainTransformsConstant
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
==== FederationDomainTransformsExample
FederationDomainTransformsExample defines a transform example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the input username.
| *`groups`* __string array__ | Groups is the input list of group names.
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
==== FederationDomainTransformsExampleExpects
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
==== FederationDomainTransformsExpression
FederationDomainTransformsExpression defines a transform expression.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-granttype"]
==== GrantType (string)

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -8,14 +8,17 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
type FederationDomainStatusCondition string
type FederationDomainPhase string
const (
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
FederationDomainPhasePending FederationDomainPhase = "Pending"
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
FederationDomainPhaseReady FederationDomainPhase = "Ready"
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
FederationDomainPhaseError FederationDomainPhase = "Error"
)
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
SecretName string `json:"secretName,omitempty"`
}
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
// the transform expressions. This is a union type, and Type is the discriminator field.
type FederationDomainTransformsConstant struct {
// Name determines the name of the constant. It must be a valid identifier name.
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
// StringValue should hold the value when Type is "string", and is otherwise ignored.
// +optional
StringValue string `json:"stringValue,omitempty"`
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
// +optional
StringListValue []string `json:"stringListValue,omitempty"`
}
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression"`
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
// an authentication attempt. When empty, a default message will be used.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransformsExample defines a transform example.
type FederationDomainTransformsExample struct {
// Username is the input username.
// +kubebuilder:validation:MinLength=1
Username string `json:"username"`
// Groups is the input list of group names.
// +optional
Groups []string `json:"groups,omitempty"`
// Expects is the expected output of the entire sequence of transforms when they are run against the
// input Username and Groups.
Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
type FederationDomainTransformsExampleExpects struct {
// Username is the expected username after the transformations have been applied.
// +optional
Username string `json:"username,omitempty"`
// Groups is the expected list of group names after the transformations have been applied.
// +optional
Groups []string `json:"groups,omitempty"`
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
// after the transformations have been applied. True means that it is expected that the authentication would be
// rejected. The default value of false means that it is expected that the authentication would not be rejected
// by any policy expression.
// +optional
Rejected bool `json:"rejected,omitempty"`
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
// then Message will be treated as the default error message for authentication attempts which are rejected by a
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
type FederationDomainTransforms struct {
// Constants defines constant variables and their values which will be made available to the transform expressions.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
// Expressions are an optional list of transforms and policies to be executed in the order given during every
// authentication attempt, including during every session refresh.
// Each is a CEL expression. It may use the basic CEL language as defined in
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
// https://github.com/google/cel-go/tree/master/ext#strings.
//
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
// available as variables in all expressions. The username is provided via a variable called `username` and
// the list of group names is provided via a variable called `groups` (which may be an empty list).
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
// and `strListConst.varName` for string list constants.
//
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
// and the authentication attempt is rejected.
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
// username or group names.
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
// groups list.
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
//
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
// and group names have been decided for that authentication attempt.
//
// +optional
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
// expected. Examples define sample input identities which are then run through the expression list, and the
// results are compared to the expected results. If any example in this list fails, then this
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
// expressions, and also act as living documentation for other administrators to better understand the expressions.
// +optional
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
type FederationDomainIdentityProvider struct {
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
// disruptive change for those users.
// +kubebuilder:validation:MinLength=1
DisplayName string `json:"displayName"`
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
// If the reference cannot be resolved then the identity provider will not be made available.
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
// Transforms is an optional way to specify transformations to be applied during user authentication and
// session refresh.
// +optional
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
// FederationDomainSpec is a struct that describes an OIDC Provider.
type FederationDomainSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
// +optional
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
//
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
// disallow the authentication unless the user belongs to a specific group in the identity provider.
//
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
// explicitly list the identity provider using this IdentityProviders field.
//
// +optional
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
type FederationDomainStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
// represent success or failure.
// +optional
Status FederationDomainStatusCondition `json:"status,omitempty"`
// Phase summarizes the overall status of the FederationDomain.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase FederationDomainPhase `json:"phase,omitempty"`
// Message provides human-readable details about the Status.
// +optional
Message string `json:"message,omitempty"`
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
// around some undesirable behavior with respect to the empty metav1.Time value (see
// https://github.com/kubernetes/kubernetes/issues/86811).
// +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// Conditions represent the observations of an FederationDomain's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Secrets contains information about this OIDC Provider's secrets.
// +optional
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type FederationDomain struct {

View File

@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type OIDCClientPhase string
const (
// PhasePending is the default phase for newly-created OIDCClient resources.
PhasePending OIDCClientPhase = "Pending"
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
OIDCClientPhasePending OIDCClientPhase = "Pending"
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
PhaseReady OIDCClientPhase = "Ready"
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
OIDCClientPhaseReady OIDCClientPhase = "Ready"
// PhaseError is the phase for an OIDCClient in an unhealthy state.
PhaseError OIDCClientPhase = "Error"
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
OIDCClientPhaseError OIDCClientPhase = "Error"
)
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`

View File

@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
*out = *in
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
in.Transforms.DeepCopyInto(&out.Transforms)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
if in == nil {
return nil
}
out := new(FederationDomainIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
*out = *in
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
*out = new(FederationDomainTLSSpec)
**out = **in
}
if in.IdentityProviders != nil {
in, out := &in.IdentityProviders, &out.IdentityProviders
*out = make([]FederationDomainIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
*out = *in
if in.LastUpdateTime != nil {
in, out := &in.LastUpdateTime, &out.LastUpdateTime
*out = (*in).DeepCopy()
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
out.Secrets = in.Secrets
return
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
*out = *in
if in.Constants != nil {
in, out := &in.Constants, &out.Constants
*out = make([]FederationDomainTransformsConstant, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Expressions != nil {
in, out := &in.Expressions, &out.Expressions
*out = make([]FederationDomainTransformsExpression, len(*in))
copy(*out, *in)
}
if in.Examples != nil {
in, out := &in.Examples, &out.Examples
*out = make([]FederationDomainTransformsExample, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
if in == nil {
return nil
}
out := new(FederationDomainTransforms)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
*out = *in
if in.StringListValue != nil {
in, out := &in.StringListValue, &out.StringListValue
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
if in == nil {
return nil
}
out := new(FederationDomainTransformsConstant)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
in.Expects.DeepCopyInto(&out.Expects)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExample)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExampleExpects)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExpression)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
*out = *in

View File

@ -21,7 +21,7 @@ spec:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .status.status
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
@ -47,6 +47,263 @@ spec:
spec:
description: Spec of the OIDC provider.
properties:
identityProviders:
description: "IdentityProviders is the list of identity providers
available for use by this FederationDomain. \n An identity provider
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
how to connect to a server, how to talk in a specific protocol for
authentication, and how to use the schema of that server/protocol
to extract a normalized user identity. Normalized user identities
include a username and a list of group names. In contrast, IdentityProviders
describes how to use that normalized identity in those Kubernetes
clusters which belong to this FederationDomain. Each entry in IdentityProviders
can be configured with arbitrary transformations on that normalized
identity. For example, a transformation can add a prefix to all
usernames to help avoid accidental conflicts when multiple identity
providers have different users with the same username (e.g. \"idp1:ryan\"
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
implement arbitrary authentication rejection policies. Even though
a user was able to authenticate with the identity provider, a policy
can disallow the authentication to the Kubernetes clusters that
belong to this FederationDomain. For example, a policy could disallow
the authentication unless the user belongs to a specific group in
the identity provider. \n For backwards compatibility with versions
of Pinniped which predate support for multiple identity providers,
an empty IdentityProviders list will cause the FederationDomain
to use all available identity providers which exist in the same
namespace, but also to reject all authentication requests when there
is more than one identity provider currently defined. In this backwards
compatibility mode, the name of the identity provider resource (e.g.
the Name of an OIDCIdentityProvider resource) will be used as the
name of the identity provider in this FederationDomain. This mode
is provided to make upgrading from older versions easier. However,
instead of relying on this backwards compatibility mode, please
consider this mode to be deprecated and please instead explicitly
list the identity provider using this IdentityProviders field."
items:
description: FederationDomainIdentityProvider describes how an identity
provider is made available in this FederationDomain.
properties:
displayName:
description: DisplayName is the name of this identity provider
as it will appear to clients. This name ends up in the kubeconfig
of end users, so changing the name of an identity provider
that is in use by end users will be a disruptive change for
those users.
minLength: 1
type: string
objectRef:
description: ObjectRef is a reference to a Pinniped identity
provider resource. A valid reference is required. If the reference
cannot be resolved then the identity provider will not be
made available. Must refer to a resource of one of the Pinniped
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
ActiveDirectoryIdentityProvider.
properties:
apiGroup:
description: APIGroup is the group for the resource being
referenced. If APIGroup is not specified, the specified
Kind must be in the core API group. For any other third-party
types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource being referenced
type: string
name:
description: Name is the name of resource being referenced
type: string
required:
- kind
- name
type: object
transforms:
description: Transforms is an optional way to specify transformations
to be applied during user authentication and session refresh.
properties:
constants:
description: Constants defines constant variables and their
values which will be made available to the transform expressions.
items:
description: FederationDomainTransformsConstant defines
a constant variable and its value which will be made
available to the transform expressions. This is a union
type, and Type is the discriminator field.
properties:
name:
description: Name determines the name of the constant.
It must be a valid identifier name.
maxLength: 64
minLength: 1
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
type: string
stringListValue:
description: StringListValue should hold the value
when Type is "stringList", and is otherwise ignored.
items:
type: string
type: array
stringValue:
description: StringValue should hold the value when
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
enum:
- string
- stringList
type: string
required:
- name
- type
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
examples:
description: Examples can optionally be used to ensure that
the sequence of transformation expressions are working
as expected. Examples define sample input identities which
are then run through the expression list, and the results
are compared to the expected results. If any example in
this list fails, then this identity provider will not
be available for use within this FederationDomain, and
the error(s) will be added to the FederationDomain status.
This can be used to help guard against programming mistakes
in the expressions, and also act as living documentation
for other administrators to better understand the expressions.
items:
description: FederationDomainTransformsExample defines
a transform example.
properties:
expects:
description: Expects is the expected output of the
entire sequence of transforms when they are run
against the input Username and Groups.
properties:
groups:
description: Groups is the expected list of group
names after the transformations have been applied.
items:
type: string
type: array
message:
description: Message is the expected error message
of the transforms. When Rejected is true, then
Message is the expected message for the policy
which rejected the authentication attempt. When
Rejected is true and Message is blank, then
Message will be treated as the default error
message for authentication attempts which are
rejected by a policy. When Rejected is false,
then Message is the expected error message for
some other non-policy transformation error,
such as a runtime error. When Rejected is false,
there is no default expected Message.
type: string
rejected:
description: Rejected is a boolean that indicates
whether authentication is expected to be rejected
by a policy expression after the transformations
have been applied. True means that it is expected
that the authentication would be rejected. The
default value of false means that it is expected
that the authentication would not be rejected
by any policy expression.
type: boolean
username:
description: Username is the expected username
after the transformations have been applied.
type: string
type: object
groups:
description: Groups is the input list of group names.
items:
type: string
type: array
username:
description: Username is the input username.
minLength: 1
type: string
required:
- expects
- username
type: object
type: array
expressions:
description: "Expressions are an optional list of transforms
and policies to be executed in the order given during
every authentication attempt, including during every session
refresh. Each is a CEL expression. It may use the basic
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
\n The username and groups extracted from the identity
provider, and the constants defined in this CR, are available
as variables in all expressions. The username is provided
via a variable called `username` and the list of group
names is provided via a variable called `groups` (which
may be an empty list). Each user-provided constants is
provided via a variable named `strConst.varName` for string
constants and `strListConst.varName` for string list constants.
\n The only allowed types for expressions are currently
policy/v1, username/v1, and groups/v1. Each policy/v1
must return a boolean, and when it returns false, no more
expressions from the list are evaluated and the authentication
attempt is rejected. Transformations of type policy/v1
do not return usernames or group names, and therefore
cannot change the username or group names. Each username/v1
transform must return the new username (a string), which
can be the same as the old username. Transformations of
type username/v1 do not return group names, and therefore
cannot change the group names. Each groups/v1 transform
must return the new groups list (list of strings), which
can be the same as the old groups list. Transformations
of type groups/v1 do not return usernames, and therefore
cannot change the usernames. After each expression, the
new (potentially changed) username or groups get passed
to the following expression. \n Any compilation or static
type-checking failure of any expression will cause an
error status on the FederationDomain. During an authentication
attempt, any unexpected runtime evaluation errors (e.g.
division by zero) cause the authentication attempt to
fail. When all expressions evaluate successfully, then
the (potentially changed) username and group names have
been decided for that authentication attempt."
items:
description: FederationDomainTransformsExpression defines
a transform expression.
properties:
expression:
description: Expression is a CEL expression that will
be evaluated based on the Type during an authentication.
minLength: 1
type: string
message:
description: Message is only used when Type is policy/v1.
It defines an error message to be used when the
policy rejects an authentication attempt. When empty,
a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
enum:
- policy/v1
- username/v1
- groups/v1
type: string
required:
- expression
- type
type: object
type: array
type: object
required:
- displayName
- objectRef
type: object
type: array
issuer:
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
Metadata document, as well as the identifier that it will use for
@ -59,8 +316,8 @@ spec:
minLength: 1
type: string
tls:
description: TLS configures how this FederationDomain is served over
Transport Layer Security (TLS).
description: TLS specifies a secret which will contain Transport Layer
Security (TLS) configuration for the FederationDomain.
properties:
secretName:
description: "SecretName is an optional name of a Secret in the
@ -91,14 +348,86 @@ spec:
status:
description: Status of the OIDC provider.
properties:
lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
conditions:
description: Conditions represent the observations of an FederationDomain's
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a foo's
current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: Message provides human-readable details about the Status.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the FederationDomain.
enum:
- Pending
- Ready
- Error
type: string
secrets:
description: Secrets contains information about this OIDC Provider's
@ -145,15 +474,6 @@ spec:
type: string
type: object
type: object
status:
description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure.
enum:
- Success
- Duplicate
- Invalid
- SameIssuerHostMustUseSameSecret
type: string
type: object
required:
- spec

View File

@ -652,6 +652,37 @@ FederationDomain describes the configuration of an OIDC provider.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
==== FederationDomainIdentityProvider
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainphase"]
==== FederationDomainPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
@ -689,7 +720,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|===
@ -706,25 +740,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
| *`message`* __string__ | Message provides human-readable details about the Status.
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
==== FederationDomainStatusCondition (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
==== FederationDomainTLSSpec
@ -746,6 +767,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
==== FederationDomainTransforms
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
==== FederationDomainTransformsConstant
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
==== FederationDomainTransformsExample
FederationDomainTransformsExample defines a transform example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the input username.
| *`groups`* __string array__ | Groups is the input list of group names.
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
==== FederationDomainTransformsExampleExpects
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
==== FederationDomainTransformsExpression
FederationDomainTransformsExpression defines a transform expression.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-granttype"]
==== GrantType (string)

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -8,14 +8,17 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
type FederationDomainStatusCondition string
type FederationDomainPhase string
const (
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
FederationDomainPhasePending FederationDomainPhase = "Pending"
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
FederationDomainPhaseReady FederationDomainPhase = "Ready"
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
FederationDomainPhaseError FederationDomainPhase = "Error"
)
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
SecretName string `json:"secretName,omitempty"`
}
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
// the transform expressions. This is a union type, and Type is the discriminator field.
type FederationDomainTransformsConstant struct {
// Name determines the name of the constant. It must be a valid identifier name.
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
// StringValue should hold the value when Type is "string", and is otherwise ignored.
// +optional
StringValue string `json:"stringValue,omitempty"`
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
// +optional
StringListValue []string `json:"stringListValue,omitempty"`
}
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression"`
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
// an authentication attempt. When empty, a default message will be used.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransformsExample defines a transform example.
type FederationDomainTransformsExample struct {
// Username is the input username.
// +kubebuilder:validation:MinLength=1
Username string `json:"username"`
// Groups is the input list of group names.
// +optional
Groups []string `json:"groups,omitempty"`
// Expects is the expected output of the entire sequence of transforms when they are run against the
// input Username and Groups.
Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
type FederationDomainTransformsExampleExpects struct {
// Username is the expected username after the transformations have been applied.
// +optional
Username string `json:"username,omitempty"`
// Groups is the expected list of group names after the transformations have been applied.
// +optional
Groups []string `json:"groups,omitempty"`
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
// after the transformations have been applied. True means that it is expected that the authentication would be
// rejected. The default value of false means that it is expected that the authentication would not be rejected
// by any policy expression.
// +optional
Rejected bool `json:"rejected,omitempty"`
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
// then Message will be treated as the default error message for authentication attempts which are rejected by a
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
type FederationDomainTransforms struct {
// Constants defines constant variables and their values which will be made available to the transform expressions.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
// Expressions are an optional list of transforms and policies to be executed in the order given during every
// authentication attempt, including during every session refresh.
// Each is a CEL expression. It may use the basic CEL language as defined in
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
// https://github.com/google/cel-go/tree/master/ext#strings.
//
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
// available as variables in all expressions. The username is provided via a variable called `username` and
// the list of group names is provided via a variable called `groups` (which may be an empty list).
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
// and `strListConst.varName` for string list constants.
//
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
// and the authentication attempt is rejected.
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
// username or group names.
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
// groups list.
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
//
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
// and group names have been decided for that authentication attempt.
//
// +optional
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
// expected. Examples define sample input identities which are then run through the expression list, and the
// results are compared to the expected results. If any example in this list fails, then this
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
// expressions, and also act as living documentation for other administrators to better understand the expressions.
// +optional
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
type FederationDomainIdentityProvider struct {
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
// disruptive change for those users.
// +kubebuilder:validation:MinLength=1
DisplayName string `json:"displayName"`
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
// If the reference cannot be resolved then the identity provider will not be made available.
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
// Transforms is an optional way to specify transformations to be applied during user authentication and
// session refresh.
// +optional
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
// FederationDomainSpec is a struct that describes an OIDC Provider.
type FederationDomainSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
// +optional
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
//
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
// disallow the authentication unless the user belongs to a specific group in the identity provider.
//
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
// explicitly list the identity provider using this IdentityProviders field.
//
// +optional
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
type FederationDomainStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
// represent success or failure.
// +optional
Status FederationDomainStatusCondition `json:"status,omitempty"`
// Phase summarizes the overall status of the FederationDomain.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase FederationDomainPhase `json:"phase,omitempty"`
// Message provides human-readable details about the Status.
// +optional
Message string `json:"message,omitempty"`
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
// around some undesirable behavior with respect to the empty metav1.Time value (see
// https://github.com/kubernetes/kubernetes/issues/86811).
// +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// Conditions represent the observations of an FederationDomain's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Secrets contains information about this OIDC Provider's secrets.
// +optional
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type FederationDomain struct {

View File

@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type OIDCClientPhase string
const (
// PhasePending is the default phase for newly-created OIDCClient resources.
PhasePending OIDCClientPhase = "Pending"
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
OIDCClientPhasePending OIDCClientPhase = "Pending"
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
PhaseReady OIDCClientPhase = "Ready"
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
OIDCClientPhaseReady OIDCClientPhase = "Ready"
// PhaseError is the phase for an OIDCClient in an unhealthy state.
PhaseError OIDCClientPhase = "Error"
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
OIDCClientPhaseError OIDCClientPhase = "Error"
)
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`

View File

@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
*out = *in
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
in.Transforms.DeepCopyInto(&out.Transforms)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
if in == nil {
return nil
}
out := new(FederationDomainIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
*out = *in
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
*out = new(FederationDomainTLSSpec)
**out = **in
}
if in.IdentityProviders != nil {
in, out := &in.IdentityProviders, &out.IdentityProviders
*out = make([]FederationDomainIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
*out = *in
if in.LastUpdateTime != nil {
in, out := &in.LastUpdateTime, &out.LastUpdateTime
*out = (*in).DeepCopy()
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
out.Secrets = in.Secrets
return
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
*out = *in
if in.Constants != nil {
in, out := &in.Constants, &out.Constants
*out = make([]FederationDomainTransformsConstant, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Expressions != nil {
in, out := &in.Expressions, &out.Expressions
*out = make([]FederationDomainTransformsExpression, len(*in))
copy(*out, *in)
}
if in.Examples != nil {
in, out := &in.Examples, &out.Examples
*out = make([]FederationDomainTransformsExample, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
if in == nil {
return nil
}
out := new(FederationDomainTransforms)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
*out = *in
if in.StringListValue != nil {
in, out := &in.StringListValue, &out.StringListValue
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
if in == nil {
return nil
}
out := new(FederationDomainTransformsConstant)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
in.Expects.DeepCopyInto(&out.Expects)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExample)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExampleExpects)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExpression)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
*out = *in

View File

@ -21,7 +21,7 @@ spec:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .status.status
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
@ -47,6 +47,263 @@ spec:
spec:
description: Spec of the OIDC provider.
properties:
identityProviders:
description: "IdentityProviders is the list of identity providers
available for use by this FederationDomain. \n An identity provider
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
how to connect to a server, how to talk in a specific protocol for
authentication, and how to use the schema of that server/protocol
to extract a normalized user identity. Normalized user identities
include a username and a list of group names. In contrast, IdentityProviders
describes how to use that normalized identity in those Kubernetes
clusters which belong to this FederationDomain. Each entry in IdentityProviders
can be configured with arbitrary transformations on that normalized
identity. For example, a transformation can add a prefix to all
usernames to help avoid accidental conflicts when multiple identity
providers have different users with the same username (e.g. \"idp1:ryan\"
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
implement arbitrary authentication rejection policies. Even though
a user was able to authenticate with the identity provider, a policy
can disallow the authentication to the Kubernetes clusters that
belong to this FederationDomain. For example, a policy could disallow
the authentication unless the user belongs to a specific group in
the identity provider. \n For backwards compatibility with versions
of Pinniped which predate support for multiple identity providers,
an empty IdentityProviders list will cause the FederationDomain
to use all available identity providers which exist in the same
namespace, but also to reject all authentication requests when there
is more than one identity provider currently defined. In this backwards
compatibility mode, the name of the identity provider resource (e.g.
the Name of an OIDCIdentityProvider resource) will be used as the
name of the identity provider in this FederationDomain. This mode
is provided to make upgrading from older versions easier. However,
instead of relying on this backwards compatibility mode, please
consider this mode to be deprecated and please instead explicitly
list the identity provider using this IdentityProviders field."
items:
description: FederationDomainIdentityProvider describes how an identity
provider is made available in this FederationDomain.
properties:
displayName:
description: DisplayName is the name of this identity provider
as it will appear to clients. This name ends up in the kubeconfig
of end users, so changing the name of an identity provider
that is in use by end users will be a disruptive change for
those users.
minLength: 1
type: string
objectRef:
description: ObjectRef is a reference to a Pinniped identity
provider resource. A valid reference is required. If the reference
cannot be resolved then the identity provider will not be
made available. Must refer to a resource of one of the Pinniped
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
ActiveDirectoryIdentityProvider.
properties:
apiGroup:
description: APIGroup is the group for the resource being
referenced. If APIGroup is not specified, the specified
Kind must be in the core API group. For any other third-party
types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource being referenced
type: string
name:
description: Name is the name of resource being referenced
type: string
required:
- kind
- name
type: object
transforms:
description: Transforms is an optional way to specify transformations
to be applied during user authentication and session refresh.
properties:
constants:
description: Constants defines constant variables and their
values which will be made available to the transform expressions.
items:
description: FederationDomainTransformsConstant defines
a constant variable and its value which will be made
available to the transform expressions. This is a union
type, and Type is the discriminator field.
properties:
name:
description: Name determines the name of the constant.
It must be a valid identifier name.
maxLength: 64
minLength: 1
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
type: string
stringListValue:
description: StringListValue should hold the value
when Type is "stringList", and is otherwise ignored.
items:
type: string
type: array
stringValue:
description: StringValue should hold the value when
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
enum:
- string
- stringList
type: string
required:
- name
- type
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
examples:
description: Examples can optionally be used to ensure that
the sequence of transformation expressions are working
as expected. Examples define sample input identities which
are then run through the expression list, and the results
are compared to the expected results. If any example in
this list fails, then this identity provider will not
be available for use within this FederationDomain, and
the error(s) will be added to the FederationDomain status.
This can be used to help guard against programming mistakes
in the expressions, and also act as living documentation
for other administrators to better understand the expressions.
items:
description: FederationDomainTransformsExample defines
a transform example.
properties:
expects:
description: Expects is the expected output of the
entire sequence of transforms when they are run
against the input Username and Groups.
properties:
groups:
description: Groups is the expected list of group
names after the transformations have been applied.
items:
type: string
type: array
message:
description: Message is the expected error message
of the transforms. When Rejected is true, then
Message is the expected message for the policy
which rejected the authentication attempt. When
Rejected is true and Message is blank, then
Message will be treated as the default error
message for authentication attempts which are
rejected by a policy. When Rejected is false,
then Message is the expected error message for
some other non-policy transformation error,
such as a runtime error. When Rejected is false,
there is no default expected Message.
type: string
rejected:
description: Rejected is a boolean that indicates
whether authentication is expected to be rejected
by a policy expression after the transformations
have been applied. True means that it is expected
that the authentication would be rejected. The
default value of false means that it is expected
that the authentication would not be rejected
by any policy expression.
type: boolean
username:
description: Username is the expected username
after the transformations have been applied.
type: string
type: object
groups:
description: Groups is the input list of group names.
items:
type: string
type: array
username:
description: Username is the input username.
minLength: 1
type: string
required:
- expects
- username
type: object
type: array
expressions:
description: "Expressions are an optional list of transforms
and policies to be executed in the order given during
every authentication attempt, including during every session
refresh. Each is a CEL expression. It may use the basic
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
\n The username and groups extracted from the identity
provider, and the constants defined in this CR, are available
as variables in all expressions. The username is provided
via a variable called `username` and the list of group
names is provided via a variable called `groups` (which
may be an empty list). Each user-provided constants is
provided via a variable named `strConst.varName` for string
constants and `strListConst.varName` for string list constants.
\n The only allowed types for expressions are currently
policy/v1, username/v1, and groups/v1. Each policy/v1
must return a boolean, and when it returns false, no more
expressions from the list are evaluated and the authentication
attempt is rejected. Transformations of type policy/v1
do not return usernames or group names, and therefore
cannot change the username or group names. Each username/v1
transform must return the new username (a string), which
can be the same as the old username. Transformations of
type username/v1 do not return group names, and therefore
cannot change the group names. Each groups/v1 transform
must return the new groups list (list of strings), which
can be the same as the old groups list. Transformations
of type groups/v1 do not return usernames, and therefore
cannot change the usernames. After each expression, the
new (potentially changed) username or groups get passed
to the following expression. \n Any compilation or static
type-checking failure of any expression will cause an
error status on the FederationDomain. During an authentication
attempt, any unexpected runtime evaluation errors (e.g.
division by zero) cause the authentication attempt to
fail. When all expressions evaluate successfully, then
the (potentially changed) username and group names have
been decided for that authentication attempt."
items:
description: FederationDomainTransformsExpression defines
a transform expression.
properties:
expression:
description: Expression is a CEL expression that will
be evaluated based on the Type during an authentication.
minLength: 1
type: string
message:
description: Message is only used when Type is policy/v1.
It defines an error message to be used when the
policy rejects an authentication attempt. When empty,
a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
enum:
- policy/v1
- username/v1
- groups/v1
type: string
required:
- expression
- type
type: object
type: array
type: object
required:
- displayName
- objectRef
type: object
type: array
issuer:
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
Metadata document, as well as the identifier that it will use for
@ -59,8 +316,8 @@ spec:
minLength: 1
type: string
tls:
description: TLS configures how this FederationDomain is served over
Transport Layer Security (TLS).
description: TLS specifies a secret which will contain Transport Layer
Security (TLS) configuration for the FederationDomain.
properties:
secretName:
description: "SecretName is an optional name of a Secret in the
@ -91,14 +348,86 @@ spec:
status:
description: Status of the OIDC provider.
properties:
lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
conditions:
description: Conditions represent the observations of an FederationDomain's
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: Message provides human-readable details about the Status.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the FederationDomain.
enum:
- Pending
- Ready
- Error
type: string
secrets:
description: Secrets contains information about this OIDC Provider's
@ -145,15 +474,6 @@ spec:
type: string
type: object
type: object
status:
description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure.
enum:
- Success
- Duplicate
- Invalid
- SameIssuerHostMustUseSameSecret
type: string
type: object
required:
- spec

View File

@ -652,6 +652,37 @@ FederationDomain describes the configuration of an OIDC provider.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
==== FederationDomainIdentityProvider
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainphase"]
==== FederationDomainPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
@ -689,7 +720,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|===
@ -706,25 +740,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
| *`message`* __string__ | Message provides human-readable details about the Status.
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
==== FederationDomainStatusCondition (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
==== FederationDomainTLSSpec
@ -746,6 +767,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
==== FederationDomainTransforms
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
==== FederationDomainTransformsConstant
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
==== FederationDomainTransformsExample
FederationDomainTransformsExample defines a transform example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the input username.
| *`groups`* __string array__ | Groups is the input list of group names.
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
==== FederationDomainTransformsExampleExpects
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
==== FederationDomainTransformsExpression
FederationDomainTransformsExpression defines a transform expression.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-granttype"]
==== GrantType (string)

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -8,14 +8,17 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
type FederationDomainStatusCondition string
type FederationDomainPhase string
const (
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
FederationDomainPhasePending FederationDomainPhase = "Pending"
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
FederationDomainPhaseReady FederationDomainPhase = "Ready"
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
FederationDomainPhaseError FederationDomainPhase = "Error"
)
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
SecretName string `json:"secretName,omitempty"`
}
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
// the transform expressions. This is a union type, and Type is the discriminator field.
type FederationDomainTransformsConstant struct {
// Name determines the name of the constant. It must be a valid identifier name.
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
// StringValue should hold the value when Type is "string", and is otherwise ignored.
// +optional
StringValue string `json:"stringValue,omitempty"`
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
// +optional
StringListValue []string `json:"stringListValue,omitempty"`
}
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression"`
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
// an authentication attempt. When empty, a default message will be used.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransformsExample defines a transform example.
type FederationDomainTransformsExample struct {
// Username is the input username.
// +kubebuilder:validation:MinLength=1
Username string `json:"username"`
// Groups is the input list of group names.
// +optional
Groups []string `json:"groups,omitempty"`
// Expects is the expected output of the entire sequence of transforms when they are run against the
// input Username and Groups.
Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
type FederationDomainTransformsExampleExpects struct {
// Username is the expected username after the transformations have been applied.
// +optional
Username string `json:"username,omitempty"`
// Groups is the expected list of group names after the transformations have been applied.
// +optional
Groups []string `json:"groups,omitempty"`
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
// after the transformations have been applied. True means that it is expected that the authentication would be
// rejected. The default value of false means that it is expected that the authentication would not be rejected
// by any policy expression.
// +optional
Rejected bool `json:"rejected,omitempty"`
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
// then Message will be treated as the default error message for authentication attempts which are rejected by a
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
type FederationDomainTransforms struct {
// Constants defines constant variables and their values which will be made available to the transform expressions.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
// Expressions are an optional list of transforms and policies to be executed in the order given during every
// authentication attempt, including during every session refresh.
// Each is a CEL expression. It may use the basic CEL language as defined in
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
// https://github.com/google/cel-go/tree/master/ext#strings.
//
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
// available as variables in all expressions. The username is provided via a variable called `username` and
// the list of group names is provided via a variable called `groups` (which may be an empty list).
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
// and `strListConst.varName` for string list constants.
//
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
// and the authentication attempt is rejected.
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
// username or group names.
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
// groups list.
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
//
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
// and group names have been decided for that authentication attempt.
//
// +optional
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
// expected. Examples define sample input identities which are then run through the expression list, and the
// results are compared to the expected results. If any example in this list fails, then this
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
// expressions, and also act as living documentation for other administrators to better understand the expressions.
// +optional
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
type FederationDomainIdentityProvider struct {
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
// disruptive change for those users.
// +kubebuilder:validation:MinLength=1
DisplayName string `json:"displayName"`
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
// If the reference cannot be resolved then the identity provider will not be made available.
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
// Transforms is an optional way to specify transformations to be applied during user authentication and
// session refresh.
// +optional
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
// FederationDomainSpec is a struct that describes an OIDC Provider.
type FederationDomainSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
// +optional
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
//
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
// disallow the authentication unless the user belongs to a specific group in the identity provider.
//
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
// explicitly list the identity provider using this IdentityProviders field.
//
// +optional
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
type FederationDomainStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
// represent success or failure.
// +optional
Status FederationDomainStatusCondition `json:"status,omitempty"`
// Phase summarizes the overall status of the FederationDomain.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase FederationDomainPhase `json:"phase,omitempty"`
// Message provides human-readable details about the Status.
// +optional
Message string `json:"message,omitempty"`
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
// around some undesirable behavior with respect to the empty metav1.Time value (see
// https://github.com/kubernetes/kubernetes/issues/86811).
// +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// Conditions represent the observations of an FederationDomain's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Secrets contains information about this OIDC Provider's secrets.
// +optional
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type FederationDomain struct {

View File

@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type OIDCClientPhase string
const (
// PhasePending is the default phase for newly-created OIDCClient resources.
PhasePending OIDCClientPhase = "Pending"
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
OIDCClientPhasePending OIDCClientPhase = "Pending"
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
PhaseReady OIDCClientPhase = "Ready"
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
OIDCClientPhaseReady OIDCClientPhase = "Ready"
// PhaseError is the phase for an OIDCClient in an unhealthy state.
PhaseError OIDCClientPhase = "Error"
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
OIDCClientPhaseError OIDCClientPhase = "Error"
)
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`

View File

@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
*out = *in
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
in.Transforms.DeepCopyInto(&out.Transforms)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
if in == nil {
return nil
}
out := new(FederationDomainIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
*out = *in
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
*out = new(FederationDomainTLSSpec)
**out = **in
}
if in.IdentityProviders != nil {
in, out := &in.IdentityProviders, &out.IdentityProviders
*out = make([]FederationDomainIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
*out = *in
if in.LastUpdateTime != nil {
in, out := &in.LastUpdateTime, &out.LastUpdateTime
*out = (*in).DeepCopy()
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
out.Secrets = in.Secrets
return
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
*out = *in
if in.Constants != nil {
in, out := &in.Constants, &out.Constants
*out = make([]FederationDomainTransformsConstant, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Expressions != nil {
in, out := &in.Expressions, &out.Expressions
*out = make([]FederationDomainTransformsExpression, len(*in))
copy(*out, *in)
}
if in.Examples != nil {
in, out := &in.Examples, &out.Examples
*out = make([]FederationDomainTransformsExample, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
if in == nil {
return nil
}
out := new(FederationDomainTransforms)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
*out = *in
if in.StringListValue != nil {
in, out := &in.StringListValue, &out.StringListValue
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
if in == nil {
return nil
}
out := new(FederationDomainTransformsConstant)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
in.Expects.DeepCopyInto(&out.Expects)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExample)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExampleExpects)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExpression)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
*out = *in

View File

@ -21,7 +21,7 @@ spec:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .status.status
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
@ -47,6 +47,263 @@ spec:
spec:
description: Spec of the OIDC provider.
properties:
identityProviders:
description: "IdentityProviders is the list of identity providers
available for use by this FederationDomain. \n An identity provider
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
how to connect to a server, how to talk in a specific protocol for
authentication, and how to use the schema of that server/protocol
to extract a normalized user identity. Normalized user identities
include a username and a list of group names. In contrast, IdentityProviders
describes how to use that normalized identity in those Kubernetes
clusters which belong to this FederationDomain. Each entry in IdentityProviders
can be configured with arbitrary transformations on that normalized
identity. For example, a transformation can add a prefix to all
usernames to help avoid accidental conflicts when multiple identity
providers have different users with the same username (e.g. \"idp1:ryan\"
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
implement arbitrary authentication rejection policies. Even though
a user was able to authenticate with the identity provider, a policy
can disallow the authentication to the Kubernetes clusters that
belong to this FederationDomain. For example, a policy could disallow
the authentication unless the user belongs to a specific group in
the identity provider. \n For backwards compatibility with versions
of Pinniped which predate support for multiple identity providers,
an empty IdentityProviders list will cause the FederationDomain
to use all available identity providers which exist in the same
namespace, but also to reject all authentication requests when there
is more than one identity provider currently defined. In this backwards
compatibility mode, the name of the identity provider resource (e.g.
the Name of an OIDCIdentityProvider resource) will be used as the
name of the identity provider in this FederationDomain. This mode
is provided to make upgrading from older versions easier. However,
instead of relying on this backwards compatibility mode, please
consider this mode to be deprecated and please instead explicitly
list the identity provider using this IdentityProviders field."
items:
description: FederationDomainIdentityProvider describes how an identity
provider is made available in this FederationDomain.
properties:
displayName:
description: DisplayName is the name of this identity provider
as it will appear to clients. This name ends up in the kubeconfig
of end users, so changing the name of an identity provider
that is in use by end users will be a disruptive change for
those users.
minLength: 1
type: string
objectRef:
description: ObjectRef is a reference to a Pinniped identity
provider resource. A valid reference is required. If the reference
cannot be resolved then the identity provider will not be
made available. Must refer to a resource of one of the Pinniped
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
ActiveDirectoryIdentityProvider.
properties:
apiGroup:
description: APIGroup is the group for the resource being
referenced. If APIGroup is not specified, the specified
Kind must be in the core API group. For any other third-party
types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource being referenced
type: string
name:
description: Name is the name of resource being referenced
type: string
required:
- kind
- name
type: object
transforms:
description: Transforms is an optional way to specify transformations
to be applied during user authentication and session refresh.
properties:
constants:
description: Constants defines constant variables and their
values which will be made available to the transform expressions.
items:
description: FederationDomainTransformsConstant defines
a constant variable and its value which will be made
available to the transform expressions. This is a union
type, and Type is the discriminator field.
properties:
name:
description: Name determines the name of the constant.
It must be a valid identifier name.
maxLength: 64
minLength: 1
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
type: string
stringListValue:
description: StringListValue should hold the value
when Type is "stringList", and is otherwise ignored.
items:
type: string
type: array
stringValue:
description: StringValue should hold the value when
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
enum:
- string
- stringList
type: string
required:
- name
- type
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
examples:
description: Examples can optionally be used to ensure that
the sequence of transformation expressions are working
as expected. Examples define sample input identities which
are then run through the expression list, and the results
are compared to the expected results. If any example in
this list fails, then this identity provider will not
be available for use within this FederationDomain, and
the error(s) will be added to the FederationDomain status.
This can be used to help guard against programming mistakes
in the expressions, and also act as living documentation
for other administrators to better understand the expressions.
items:
description: FederationDomainTransformsExample defines
a transform example.
properties:
expects:
description: Expects is the expected output of the
entire sequence of transforms when they are run
against the input Username and Groups.
properties:
groups:
description: Groups is the expected list of group
names after the transformations have been applied.
items:
type: string
type: array
message:
description: Message is the expected error message
of the transforms. When Rejected is true, then
Message is the expected message for the policy
which rejected the authentication attempt. When
Rejected is true and Message is blank, then
Message will be treated as the default error
message for authentication attempts which are
rejected by a policy. When Rejected is false,
then Message is the expected error message for
some other non-policy transformation error,
such as a runtime error. When Rejected is false,
there is no default expected Message.
type: string
rejected:
description: Rejected is a boolean that indicates
whether authentication is expected to be rejected
by a policy expression after the transformations
have been applied. True means that it is expected
that the authentication would be rejected. The
default value of false means that it is expected
that the authentication would not be rejected
by any policy expression.
type: boolean
username:
description: Username is the expected username
after the transformations have been applied.
type: string
type: object
groups:
description: Groups is the input list of group names.
items:
type: string
type: array
username:
description: Username is the input username.
minLength: 1
type: string
required:
- expects
- username
type: object
type: array
expressions:
description: "Expressions are an optional list of transforms
and policies to be executed in the order given during
every authentication attempt, including during every session
refresh. Each is a CEL expression. It may use the basic
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
\n The username and groups extracted from the identity
provider, and the constants defined in this CR, are available
as variables in all expressions. The username is provided
via a variable called `username` and the list of group
names is provided via a variable called `groups` (which
may be an empty list). Each user-provided constants is
provided via a variable named `strConst.varName` for string
constants and `strListConst.varName` for string list constants.
\n The only allowed types for expressions are currently
policy/v1, username/v1, and groups/v1. Each policy/v1
must return a boolean, and when it returns false, no more
expressions from the list are evaluated and the authentication
attempt is rejected. Transformations of type policy/v1
do not return usernames or group names, and therefore
cannot change the username or group names. Each username/v1
transform must return the new username (a string), which
can be the same as the old username. Transformations of
type username/v1 do not return group names, and therefore
cannot change the group names. Each groups/v1 transform
must return the new groups list (list of strings), which
can be the same as the old groups list. Transformations
of type groups/v1 do not return usernames, and therefore
cannot change the usernames. After each expression, the
new (potentially changed) username or groups get passed
to the following expression. \n Any compilation or static
type-checking failure of any expression will cause an
error status on the FederationDomain. During an authentication
attempt, any unexpected runtime evaluation errors (e.g.
division by zero) cause the authentication attempt to
fail. When all expressions evaluate successfully, then
the (potentially changed) username and group names have
been decided for that authentication attempt."
items:
description: FederationDomainTransformsExpression defines
a transform expression.
properties:
expression:
description: Expression is a CEL expression that will
be evaluated based on the Type during an authentication.
minLength: 1
type: string
message:
description: Message is only used when Type is policy/v1.
It defines an error message to be used when the
policy rejects an authentication attempt. When empty,
a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
enum:
- policy/v1
- username/v1
- groups/v1
type: string
required:
- expression
- type
type: object
type: array
type: object
required:
- displayName
- objectRef
type: object
type: array
issuer:
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
Metadata document, as well as the identifier that it will use for
@ -59,8 +316,8 @@ spec:
minLength: 1
type: string
tls:
description: TLS configures how this FederationDomain is served over
Transport Layer Security (TLS).
description: TLS specifies a secret which will contain Transport Layer
Security (TLS) configuration for the FederationDomain.
properties:
secretName:
description: "SecretName is an optional name of a Secret in the
@ -91,14 +348,86 @@ spec:
status:
description: Status of the OIDC provider.
properties:
lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
conditions:
description: Conditions represent the observations of an FederationDomain's
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: Message provides human-readable details about the Status.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the FederationDomain.
enum:
- Pending
- Ready
- Error
type: string
secrets:
description: Secrets contains information about this OIDC Provider's
@ -145,15 +474,6 @@ spec:
type: string
type: object
type: object
status:
description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure.
enum:
- Success
- Duplicate
- Invalid
- SameIssuerHostMustUseSameSecret
type: string
type: object
required:
- spec

View File

@ -650,6 +650,37 @@ FederationDomain describes the configuration of an OIDC provider.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
==== FederationDomainIdentityProvider
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainphase"]
==== FederationDomainPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
@ -687,7 +718,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|===
@ -704,25 +738,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
| *`message`* __string__ | Message provides human-readable details about the Status.
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
==== FederationDomainStatusCondition (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
==== FederationDomainTLSSpec
@ -744,6 +765,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
==== FederationDomainTransforms
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
==== FederationDomainTransformsConstant
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
==== FederationDomainTransformsExample
FederationDomainTransformsExample defines a transform example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the input username.
| *`groups`* __string array__ | Groups is the input list of group names.
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
==== FederationDomainTransformsExampleExpects
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
==== FederationDomainTransformsExpression
FederationDomainTransformsExpression defines a transform expression.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-granttype"]
==== GrantType (string)

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -8,14 +8,17 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
type FederationDomainStatusCondition string
type FederationDomainPhase string
const (
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
FederationDomainPhasePending FederationDomainPhase = "Pending"
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
FederationDomainPhaseReady FederationDomainPhase = "Ready"
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
FederationDomainPhaseError FederationDomainPhase = "Error"
)
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
SecretName string `json:"secretName,omitempty"`
}
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
// the transform expressions. This is a union type, and Type is the discriminator field.
type FederationDomainTransformsConstant struct {
// Name determines the name of the constant. It must be a valid identifier name.
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
// StringValue should hold the value when Type is "string", and is otherwise ignored.
// +optional
StringValue string `json:"stringValue,omitempty"`
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
// +optional
StringListValue []string `json:"stringListValue,omitempty"`
}
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression"`
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
// an authentication attempt. When empty, a default message will be used.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransformsExample defines a transform example.
type FederationDomainTransformsExample struct {
// Username is the input username.
// +kubebuilder:validation:MinLength=1
Username string `json:"username"`
// Groups is the input list of group names.
// +optional
Groups []string `json:"groups,omitempty"`
// Expects is the expected output of the entire sequence of transforms when they are run against the
// input Username and Groups.
Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
type FederationDomainTransformsExampleExpects struct {
// Username is the expected username after the transformations have been applied.
// +optional
Username string `json:"username,omitempty"`
// Groups is the expected list of group names after the transformations have been applied.
// +optional
Groups []string `json:"groups,omitempty"`
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
// after the transformations have been applied. True means that it is expected that the authentication would be
// rejected. The default value of false means that it is expected that the authentication would not be rejected
// by any policy expression.
// +optional
Rejected bool `json:"rejected,omitempty"`
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
// then Message will be treated as the default error message for authentication attempts which are rejected by a
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
type FederationDomainTransforms struct {
// Constants defines constant variables and their values which will be made available to the transform expressions.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
// Expressions are an optional list of transforms and policies to be executed in the order given during every
// authentication attempt, including during every session refresh.
// Each is a CEL expression. It may use the basic CEL language as defined in
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
// https://github.com/google/cel-go/tree/master/ext#strings.
//
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
// available as variables in all expressions. The username is provided via a variable called `username` and
// the list of group names is provided via a variable called `groups` (which may be an empty list).
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
// and `strListConst.varName` for string list constants.
//
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
// and the authentication attempt is rejected.
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
// username or group names.
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
// groups list.
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
//
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
// and group names have been decided for that authentication attempt.
//
// +optional
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
// expected. Examples define sample input identities which are then run through the expression list, and the
// results are compared to the expected results. If any example in this list fails, then this
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
// expressions, and also act as living documentation for other administrators to better understand the expressions.
// +optional
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
type FederationDomainIdentityProvider struct {
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
// disruptive change for those users.
// +kubebuilder:validation:MinLength=1
DisplayName string `json:"displayName"`
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
// If the reference cannot be resolved then the identity provider will not be made available.
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
// Transforms is an optional way to specify transformations to be applied during user authentication and
// session refresh.
// +optional
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
// FederationDomainSpec is a struct that describes an OIDC Provider.
type FederationDomainSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
// +optional
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
//
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
// disallow the authentication unless the user belongs to a specific group in the identity provider.
//
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
// explicitly list the identity provider using this IdentityProviders field.
//
// +optional
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
type FederationDomainStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
// represent success or failure.
// +optional
Status FederationDomainStatusCondition `json:"status,omitempty"`
// Phase summarizes the overall status of the FederationDomain.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase FederationDomainPhase `json:"phase,omitempty"`
// Message provides human-readable details about the Status.
// +optional
Message string `json:"message,omitempty"`
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
// around some undesirable behavior with respect to the empty metav1.Time value (see
// https://github.com/kubernetes/kubernetes/issues/86811).
// +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// Conditions represent the observations of an FederationDomain's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Secrets contains information about this OIDC Provider's secrets.
// +optional
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type FederationDomain struct {

View File

@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type OIDCClientPhase string
const (
// PhasePending is the default phase for newly-created OIDCClient resources.
PhasePending OIDCClientPhase = "Pending"
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
OIDCClientPhasePending OIDCClientPhase = "Pending"
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
PhaseReady OIDCClientPhase = "Ready"
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
OIDCClientPhaseReady OIDCClientPhase = "Ready"
// PhaseError is the phase for an OIDCClient in an unhealthy state.
PhaseError OIDCClientPhase = "Error"
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
OIDCClientPhaseError OIDCClientPhase = "Error"
)
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`

View File

@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
*out = *in
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
in.Transforms.DeepCopyInto(&out.Transforms)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
if in == nil {
return nil
}
out := new(FederationDomainIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
*out = *in
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
*out = new(FederationDomainTLSSpec)
**out = **in
}
if in.IdentityProviders != nil {
in, out := &in.IdentityProviders, &out.IdentityProviders
*out = make([]FederationDomainIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
*out = *in
if in.LastUpdateTime != nil {
in, out := &in.LastUpdateTime, &out.LastUpdateTime
*out = (*in).DeepCopy()
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
out.Secrets = in.Secrets
return
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
*out = *in
if in.Constants != nil {
in, out := &in.Constants, &out.Constants
*out = make([]FederationDomainTransformsConstant, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Expressions != nil {
in, out := &in.Expressions, &out.Expressions
*out = make([]FederationDomainTransformsExpression, len(*in))
copy(*out, *in)
}
if in.Examples != nil {
in, out := &in.Examples, &out.Examples
*out = make([]FederationDomainTransformsExample, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
if in == nil {
return nil
}
out := new(FederationDomainTransforms)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
*out = *in
if in.StringListValue != nil {
in, out := &in.StringListValue, &out.StringListValue
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
if in == nil {
return nil
}
out := new(FederationDomainTransformsConstant)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
in.Expects.DeepCopyInto(&out.Expects)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExample)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExampleExpects)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExpression)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
*out = *in

View File

@ -21,7 +21,7 @@ spec:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .status.status
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
@ -47,6 +47,263 @@ spec:
spec:
description: Spec of the OIDC provider.
properties:
identityProviders:
description: "IdentityProviders is the list of identity providers
available for use by this FederationDomain. \n An identity provider
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
how to connect to a server, how to talk in a specific protocol for
authentication, and how to use the schema of that server/protocol
to extract a normalized user identity. Normalized user identities
include a username and a list of group names. In contrast, IdentityProviders
describes how to use that normalized identity in those Kubernetes
clusters which belong to this FederationDomain. Each entry in IdentityProviders
can be configured with arbitrary transformations on that normalized
identity. For example, a transformation can add a prefix to all
usernames to help avoid accidental conflicts when multiple identity
providers have different users with the same username (e.g. \"idp1:ryan\"
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
implement arbitrary authentication rejection policies. Even though
a user was able to authenticate with the identity provider, a policy
can disallow the authentication to the Kubernetes clusters that
belong to this FederationDomain. For example, a policy could disallow
the authentication unless the user belongs to a specific group in
the identity provider. \n For backwards compatibility with versions
of Pinniped which predate support for multiple identity providers,
an empty IdentityProviders list will cause the FederationDomain
to use all available identity providers which exist in the same
namespace, but also to reject all authentication requests when there
is more than one identity provider currently defined. In this backwards
compatibility mode, the name of the identity provider resource (e.g.
the Name of an OIDCIdentityProvider resource) will be used as the
name of the identity provider in this FederationDomain. This mode
is provided to make upgrading from older versions easier. However,
instead of relying on this backwards compatibility mode, please
consider this mode to be deprecated and please instead explicitly
list the identity provider using this IdentityProviders field."
items:
description: FederationDomainIdentityProvider describes how an identity
provider is made available in this FederationDomain.
properties:
displayName:
description: DisplayName is the name of this identity provider
as it will appear to clients. This name ends up in the kubeconfig
of end users, so changing the name of an identity provider
that is in use by end users will be a disruptive change for
those users.
minLength: 1
type: string
objectRef:
description: ObjectRef is a reference to a Pinniped identity
provider resource. A valid reference is required. If the reference
cannot be resolved then the identity provider will not be
made available. Must refer to a resource of one of the Pinniped
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
ActiveDirectoryIdentityProvider.
properties:
apiGroup:
description: APIGroup is the group for the resource being
referenced. If APIGroup is not specified, the specified
Kind must be in the core API group. For any other third-party
types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource being referenced
type: string
name:
description: Name is the name of resource being referenced
type: string
required:
- kind
- name
type: object
transforms:
description: Transforms is an optional way to specify transformations
to be applied during user authentication and session refresh.
properties:
constants:
description: Constants defines constant variables and their
values which will be made available to the transform expressions.
items:
description: FederationDomainTransformsConstant defines
a constant variable and its value which will be made
available to the transform expressions. This is a union
type, and Type is the discriminator field.
properties:
name:
description: Name determines the name of the constant.
It must be a valid identifier name.
maxLength: 64
minLength: 1
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
type: string
stringListValue:
description: StringListValue should hold the value
when Type is "stringList", and is otherwise ignored.
items:
type: string
type: array
stringValue:
description: StringValue should hold the value when
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
enum:
- string
- stringList
type: string
required:
- name
- type
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
examples:
description: Examples can optionally be used to ensure that
the sequence of transformation expressions are working
as expected. Examples define sample input identities which
are then run through the expression list, and the results
are compared to the expected results. If any example in
this list fails, then this identity provider will not
be available for use within this FederationDomain, and
the error(s) will be added to the FederationDomain status.
This can be used to help guard against programming mistakes
in the expressions, and also act as living documentation
for other administrators to better understand the expressions.
items:
description: FederationDomainTransformsExample defines
a transform example.
properties:
expects:
description: Expects is the expected output of the
entire sequence of transforms when they are run
against the input Username and Groups.
properties:
groups:
description: Groups is the expected list of group
names after the transformations have been applied.
items:
type: string
type: array
message:
description: Message is the expected error message
of the transforms. When Rejected is true, then
Message is the expected message for the policy
which rejected the authentication attempt. When
Rejected is true and Message is blank, then
Message will be treated as the default error
message for authentication attempts which are
rejected by a policy. When Rejected is false,
then Message is the expected error message for
some other non-policy transformation error,
such as a runtime error. When Rejected is false,
there is no default expected Message.
type: string
rejected:
description: Rejected is a boolean that indicates
whether authentication is expected to be rejected
by a policy expression after the transformations
have been applied. True means that it is expected
that the authentication would be rejected. The
default value of false means that it is expected
that the authentication would not be rejected
by any policy expression.
type: boolean
username:
description: Username is the expected username
after the transformations have been applied.
type: string
type: object
groups:
description: Groups is the input list of group names.
items:
type: string
type: array
username:
description: Username is the input username.
minLength: 1
type: string
required:
- expects
- username
type: object
type: array
expressions:
description: "Expressions are an optional list of transforms
and policies to be executed in the order given during
every authentication attempt, including during every session
refresh. Each is a CEL expression. It may use the basic
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
\n The username and groups extracted from the identity
provider, and the constants defined in this CR, are available
as variables in all expressions. The username is provided
via a variable called `username` and the list of group
names is provided via a variable called `groups` (which
may be an empty list). Each user-provided constants is
provided via a variable named `strConst.varName` for string
constants and `strListConst.varName` for string list constants.
\n The only allowed types for expressions are currently
policy/v1, username/v1, and groups/v1. Each policy/v1
must return a boolean, and when it returns false, no more
expressions from the list are evaluated and the authentication
attempt is rejected. Transformations of type policy/v1
do not return usernames or group names, and therefore
cannot change the username or group names. Each username/v1
transform must return the new username (a string), which
can be the same as the old username. Transformations of
type username/v1 do not return group names, and therefore
cannot change the group names. Each groups/v1 transform
must return the new groups list (list of strings), which
can be the same as the old groups list. Transformations
of type groups/v1 do not return usernames, and therefore
cannot change the usernames. After each expression, the
new (potentially changed) username or groups get passed
to the following expression. \n Any compilation or static
type-checking failure of any expression will cause an
error status on the FederationDomain. During an authentication
attempt, any unexpected runtime evaluation errors (e.g.
division by zero) cause the authentication attempt to
fail. When all expressions evaluate successfully, then
the (potentially changed) username and group names have
been decided for that authentication attempt."
items:
description: FederationDomainTransformsExpression defines
a transform expression.
properties:
expression:
description: Expression is a CEL expression that will
be evaluated based on the Type during an authentication.
minLength: 1
type: string
message:
description: Message is only used when Type is policy/v1.
It defines an error message to be used when the
policy rejects an authentication attempt. When empty,
a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
enum:
- policy/v1
- username/v1
- groups/v1
type: string
required:
- expression
- type
type: object
type: array
type: object
required:
- displayName
- objectRef
type: object
type: array
issuer:
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
Metadata document, as well as the identifier that it will use for
@ -59,8 +316,8 @@ spec:
minLength: 1
type: string
tls:
description: TLS configures how this FederationDomain is served over
Transport Layer Security (TLS).
description: TLS specifies a secret which will contain Transport Layer
Security (TLS) configuration for the FederationDomain.
properties:
secretName:
description: "SecretName is an optional name of a Secret in the
@ -91,14 +348,86 @@ spec:
status:
description: Status of the OIDC provider.
properties:
lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
conditions:
description: Conditions represent the observations of an FederationDomain's
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: Message provides human-readable details about the Status.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the FederationDomain.
enum:
- Pending
- Ready
- Error
type: string
secrets:
description: Secrets contains information about this OIDC Provider's
@ -145,15 +474,6 @@ spec:
type: string
type: object
type: object
status:
description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure.
enum:
- Success
- Duplicate
- Invalid
- SameIssuerHostMustUseSameSecret
type: string
type: object
required:
- spec

View File

@ -650,6 +650,37 @@ FederationDomain describes the configuration of an OIDC provider.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
==== FederationDomainIdentityProvider
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainphase"]
==== FederationDomainPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
@ -687,7 +718,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|===
@ -704,25 +738,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
| *`message`* __string__ | Message provides human-readable details about the Status.
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
==== FederationDomainStatusCondition (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
==== FederationDomainTLSSpec
@ -744,6 +765,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
==== FederationDomainTransforms
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
==== FederationDomainTransformsConstant
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
==== FederationDomainTransformsExample
FederationDomainTransformsExample defines a transform example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the input username.
| *`groups`* __string array__ | Groups is the input list of group names.
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
==== FederationDomainTransformsExampleExpects
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
==== FederationDomainTransformsExpression
FederationDomainTransformsExpression defines a transform expression.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-granttype"]
==== GrantType (string)

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -8,14 +8,17 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
type FederationDomainStatusCondition string
type FederationDomainPhase string
const (
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
FederationDomainPhasePending FederationDomainPhase = "Pending"
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
FederationDomainPhaseReady FederationDomainPhase = "Ready"
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
FederationDomainPhaseError FederationDomainPhase = "Error"
)
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
SecretName string `json:"secretName,omitempty"`
}
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
// the transform expressions. This is a union type, and Type is the discriminator field.
type FederationDomainTransformsConstant struct {
// Name determines the name of the constant. It must be a valid identifier name.
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
// StringValue should hold the value when Type is "string", and is otherwise ignored.
// +optional
StringValue string `json:"stringValue,omitempty"`
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
// +optional
StringListValue []string `json:"stringListValue,omitempty"`
}
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression"`
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
// an authentication attempt. When empty, a default message will be used.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransformsExample defines a transform example.
type FederationDomainTransformsExample struct {
// Username is the input username.
// +kubebuilder:validation:MinLength=1
Username string `json:"username"`
// Groups is the input list of group names.
// +optional
Groups []string `json:"groups,omitempty"`
// Expects is the expected output of the entire sequence of transforms when they are run against the
// input Username and Groups.
Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
type FederationDomainTransformsExampleExpects struct {
// Username is the expected username after the transformations have been applied.
// +optional
Username string `json:"username,omitempty"`
// Groups is the expected list of group names after the transformations have been applied.
// +optional
Groups []string `json:"groups,omitempty"`
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
// after the transformations have been applied. True means that it is expected that the authentication would be
// rejected. The default value of false means that it is expected that the authentication would not be rejected
// by any policy expression.
// +optional
Rejected bool `json:"rejected,omitempty"`
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
// then Message will be treated as the default error message for authentication attempts which are rejected by a
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
type FederationDomainTransforms struct {
// Constants defines constant variables and their values which will be made available to the transform expressions.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
// Expressions are an optional list of transforms and policies to be executed in the order given during every
// authentication attempt, including during every session refresh.
// Each is a CEL expression. It may use the basic CEL language as defined in
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
// https://github.com/google/cel-go/tree/master/ext#strings.
//
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
// available as variables in all expressions. The username is provided via a variable called `username` and
// the list of group names is provided via a variable called `groups` (which may be an empty list).
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
// and `strListConst.varName` for string list constants.
//
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
// and the authentication attempt is rejected.
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
// username or group names.
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
// groups list.
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
//
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
// and group names have been decided for that authentication attempt.
//
// +optional
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
// expected. Examples define sample input identities which are then run through the expression list, and the
// results are compared to the expected results. If any example in this list fails, then this
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
// expressions, and also act as living documentation for other administrators to better understand the expressions.
// +optional
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
type FederationDomainIdentityProvider struct {
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
// disruptive change for those users.
// +kubebuilder:validation:MinLength=1
DisplayName string `json:"displayName"`
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
// If the reference cannot be resolved then the identity provider will not be made available.
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
// Transforms is an optional way to specify transformations to be applied during user authentication and
// session refresh.
// +optional
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
// FederationDomainSpec is a struct that describes an OIDC Provider.
type FederationDomainSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
// +optional
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
//
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
// disallow the authentication unless the user belongs to a specific group in the identity provider.
//
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
// explicitly list the identity provider using this IdentityProviders field.
//
// +optional
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
type FederationDomainStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
// represent success or failure.
// +optional
Status FederationDomainStatusCondition `json:"status,omitempty"`
// Phase summarizes the overall status of the FederationDomain.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase FederationDomainPhase `json:"phase,omitempty"`
// Message provides human-readable details about the Status.
// +optional
Message string `json:"message,omitempty"`
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
// around some undesirable behavior with respect to the empty metav1.Time value (see
// https://github.com/kubernetes/kubernetes/issues/86811).
// +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// Conditions represent the observations of an FederationDomain's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Secrets contains information about this OIDC Provider's secrets.
// +optional
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type FederationDomain struct {

View File

@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type OIDCClientPhase string
const (
// PhasePending is the default phase for newly-created OIDCClient resources.
PhasePending OIDCClientPhase = "Pending"
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
OIDCClientPhasePending OIDCClientPhase = "Pending"
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
PhaseReady OIDCClientPhase = "Ready"
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
OIDCClientPhaseReady OIDCClientPhase = "Ready"
// PhaseError is the phase for an OIDCClient in an unhealthy state.
PhaseError OIDCClientPhase = "Error"
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
OIDCClientPhaseError OIDCClientPhase = "Error"
)
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`

View File

@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
*out = *in
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
in.Transforms.DeepCopyInto(&out.Transforms)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
if in == nil {
return nil
}
out := new(FederationDomainIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
*out = *in
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
*out = new(FederationDomainTLSSpec)
**out = **in
}
if in.IdentityProviders != nil {
in, out := &in.IdentityProviders, &out.IdentityProviders
*out = make([]FederationDomainIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
*out = *in
if in.LastUpdateTime != nil {
in, out := &in.LastUpdateTime, &out.LastUpdateTime
*out = (*in).DeepCopy()
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
out.Secrets = in.Secrets
return
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
*out = *in
if in.Constants != nil {
in, out := &in.Constants, &out.Constants
*out = make([]FederationDomainTransformsConstant, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Expressions != nil {
in, out := &in.Expressions, &out.Expressions
*out = make([]FederationDomainTransformsExpression, len(*in))
copy(*out, *in)
}
if in.Examples != nil {
in, out := &in.Examples, &out.Examples
*out = make([]FederationDomainTransformsExample, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
if in == nil {
return nil
}
out := new(FederationDomainTransforms)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
*out = *in
if in.StringListValue != nil {
in, out := &in.StringListValue, &out.StringListValue
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
if in == nil {
return nil
}
out := new(FederationDomainTransformsConstant)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
in.Expects.DeepCopyInto(&out.Expects)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExample)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExampleExpects)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExpression)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
*out = *in

View File

@ -21,7 +21,7 @@ spec:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .status.status
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
@ -47,6 +47,263 @@ spec:
spec:
description: Spec of the OIDC provider.
properties:
identityProviders:
description: "IdentityProviders is the list of identity providers
available for use by this FederationDomain. \n An identity provider
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
how to connect to a server, how to talk in a specific protocol for
authentication, and how to use the schema of that server/protocol
to extract a normalized user identity. Normalized user identities
include a username and a list of group names. In contrast, IdentityProviders
describes how to use that normalized identity in those Kubernetes
clusters which belong to this FederationDomain. Each entry in IdentityProviders
can be configured with arbitrary transformations on that normalized
identity. For example, a transformation can add a prefix to all
usernames to help avoid accidental conflicts when multiple identity
providers have different users with the same username (e.g. \"idp1:ryan\"
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
implement arbitrary authentication rejection policies. Even though
a user was able to authenticate with the identity provider, a policy
can disallow the authentication to the Kubernetes clusters that
belong to this FederationDomain. For example, a policy could disallow
the authentication unless the user belongs to a specific group in
the identity provider. \n For backwards compatibility with versions
of Pinniped which predate support for multiple identity providers,
an empty IdentityProviders list will cause the FederationDomain
to use all available identity providers which exist in the same
namespace, but also to reject all authentication requests when there
is more than one identity provider currently defined. In this backwards
compatibility mode, the name of the identity provider resource (e.g.
the Name of an OIDCIdentityProvider resource) will be used as the
name of the identity provider in this FederationDomain. This mode
is provided to make upgrading from older versions easier. However,
instead of relying on this backwards compatibility mode, please
consider this mode to be deprecated and please instead explicitly
list the identity provider using this IdentityProviders field."
items:
description: FederationDomainIdentityProvider describes how an identity
provider is made available in this FederationDomain.
properties:
displayName:
description: DisplayName is the name of this identity provider
as it will appear to clients. This name ends up in the kubeconfig
of end users, so changing the name of an identity provider
that is in use by end users will be a disruptive change for
those users.
minLength: 1
type: string
objectRef:
description: ObjectRef is a reference to a Pinniped identity
provider resource. A valid reference is required. If the reference
cannot be resolved then the identity provider will not be
made available. Must refer to a resource of one of the Pinniped
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
ActiveDirectoryIdentityProvider.
properties:
apiGroup:
description: APIGroup is the group for the resource being
referenced. If APIGroup is not specified, the specified
Kind must be in the core API group. For any other third-party
types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource being referenced
type: string
name:
description: Name is the name of resource being referenced
type: string
required:
- kind
- name
type: object
transforms:
description: Transforms is an optional way to specify transformations
to be applied during user authentication and session refresh.
properties:
constants:
description: Constants defines constant variables and their
values which will be made available to the transform expressions.
items:
description: FederationDomainTransformsConstant defines
a constant variable and its value which will be made
available to the transform expressions. This is a union
type, and Type is the discriminator field.
properties:
name:
description: Name determines the name of the constant.
It must be a valid identifier name.
maxLength: 64
minLength: 1
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
type: string
stringListValue:
description: StringListValue should hold the value
when Type is "stringList", and is otherwise ignored.
items:
type: string
type: array
stringValue:
description: StringValue should hold the value when
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
enum:
- string
- stringList
type: string
required:
- name
- type
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
examples:
description: Examples can optionally be used to ensure that
the sequence of transformation expressions are working
as expected. Examples define sample input identities which
are then run through the expression list, and the results
are compared to the expected results. If any example in
this list fails, then this identity provider will not
be available for use within this FederationDomain, and
the error(s) will be added to the FederationDomain status.
This can be used to help guard against programming mistakes
in the expressions, and also act as living documentation
for other administrators to better understand the expressions.
items:
description: FederationDomainTransformsExample defines
a transform example.
properties:
expects:
description: Expects is the expected output of the
entire sequence of transforms when they are run
against the input Username and Groups.
properties:
groups:
description: Groups is the expected list of group
names after the transformations have been applied.
items:
type: string
type: array
message:
description: Message is the expected error message
of the transforms. When Rejected is true, then
Message is the expected message for the policy
which rejected the authentication attempt. When
Rejected is true and Message is blank, then
Message will be treated as the default error
message for authentication attempts which are
rejected by a policy. When Rejected is false,
then Message is the expected error message for
some other non-policy transformation error,
such as a runtime error. When Rejected is false,
there is no default expected Message.
type: string
rejected:
description: Rejected is a boolean that indicates
whether authentication is expected to be rejected
by a policy expression after the transformations
have been applied. True means that it is expected
that the authentication would be rejected. The
default value of false means that it is expected
that the authentication would not be rejected
by any policy expression.
type: boolean
username:
description: Username is the expected username
after the transformations have been applied.
type: string
type: object
groups:
description: Groups is the input list of group names.
items:
type: string
type: array
username:
description: Username is the input username.
minLength: 1
type: string
required:
- expects
- username
type: object
type: array
expressions:
description: "Expressions are an optional list of transforms
and policies to be executed in the order given during
every authentication attempt, including during every session
refresh. Each is a CEL expression. It may use the basic
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
\n The username and groups extracted from the identity
provider, and the constants defined in this CR, are available
as variables in all expressions. The username is provided
via a variable called `username` and the list of group
names is provided via a variable called `groups` (which
may be an empty list). Each user-provided constants is
provided via a variable named `strConst.varName` for string
constants and `strListConst.varName` for string list constants.
\n The only allowed types for expressions are currently
policy/v1, username/v1, and groups/v1. Each policy/v1
must return a boolean, and when it returns false, no more
expressions from the list are evaluated and the authentication
attempt is rejected. Transformations of type policy/v1
do not return usernames or group names, and therefore
cannot change the username or group names. Each username/v1
transform must return the new username (a string), which
can be the same as the old username. Transformations of
type username/v1 do not return group names, and therefore
cannot change the group names. Each groups/v1 transform
must return the new groups list (list of strings), which
can be the same as the old groups list. Transformations
of type groups/v1 do not return usernames, and therefore
cannot change the usernames. After each expression, the
new (potentially changed) username or groups get passed
to the following expression. \n Any compilation or static
type-checking failure of any expression will cause an
error status on the FederationDomain. During an authentication
attempt, any unexpected runtime evaluation errors (e.g.
division by zero) cause the authentication attempt to
fail. When all expressions evaluate successfully, then
the (potentially changed) username and group names have
been decided for that authentication attempt."
items:
description: FederationDomainTransformsExpression defines
a transform expression.
properties:
expression:
description: Expression is a CEL expression that will
be evaluated based on the Type during an authentication.
minLength: 1
type: string
message:
description: Message is only used when Type is policy/v1.
It defines an error message to be used when the
policy rejects an authentication attempt. When empty,
a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
enum:
- policy/v1
- username/v1
- groups/v1
type: string
required:
- expression
- type
type: object
type: array
type: object
required:
- displayName
- objectRef
type: object
type: array
issuer:
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
Metadata document, as well as the identifier that it will use for
@ -59,8 +316,8 @@ spec:
minLength: 1
type: string
tls:
description: TLS configures how this FederationDomain is served over
Transport Layer Security (TLS).
description: TLS specifies a secret which will contain Transport Layer
Security (TLS) configuration for the FederationDomain.
properties:
secretName:
description: "SecretName is an optional name of a Secret in the
@ -91,14 +348,86 @@ spec:
status:
description: Status of the OIDC provider.
properties:
lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
conditions:
description: Conditions represent the observations of an FederationDomain's
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: Message provides human-readable details about the Status.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the FederationDomain.
enum:
- Pending
- Ready
- Error
type: string
secrets:
description: Secrets contains information about this OIDC Provider's
@ -145,15 +474,6 @@ spec:
type: string
type: object
type: object
status:
description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure.
enum:
- Success
- Duplicate
- Invalid
- SameIssuerHostMustUseSameSecret
type: string
type: object
required:
- spec

View File

@ -650,6 +650,37 @@ FederationDomain describes the configuration of an OIDC provider.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
==== FederationDomainIdentityProvider
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainphase"]
==== FederationDomainPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
@ -687,7 +718,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|===
@ -704,25 +738,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
| *`message`* __string__ | Message provides human-readable details about the Status.
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
==== FederationDomainStatusCondition (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
==== FederationDomainTLSSpec
@ -744,6 +765,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
==== FederationDomainTransforms
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
==== FederationDomainTransformsConstant
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
==== FederationDomainTransformsExample
FederationDomainTransformsExample defines a transform example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the input username.
| *`groups`* __string array__ | Groups is the input list of group names.
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
==== FederationDomainTransformsExampleExpects
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
==== FederationDomainTransformsExpression
FederationDomainTransformsExpression defines a transform expression.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-granttype"]
==== GrantType (string)

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -8,14 +8,17 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
type FederationDomainStatusCondition string
type FederationDomainPhase string
const (
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
FederationDomainPhasePending FederationDomainPhase = "Pending"
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
FederationDomainPhaseReady FederationDomainPhase = "Ready"
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
FederationDomainPhaseError FederationDomainPhase = "Error"
)
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
SecretName string `json:"secretName,omitempty"`
}
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
// the transform expressions. This is a union type, and Type is the discriminator field.
type FederationDomainTransformsConstant struct {
// Name determines the name of the constant. It must be a valid identifier name.
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
// StringValue should hold the value when Type is "string", and is otherwise ignored.
// +optional
StringValue string `json:"stringValue,omitempty"`
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
// +optional
StringListValue []string `json:"stringListValue,omitempty"`
}
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression"`
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
// an authentication attempt. When empty, a default message will be used.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransformsExample defines a transform example.
type FederationDomainTransformsExample struct {
// Username is the input username.
// +kubebuilder:validation:MinLength=1
Username string `json:"username"`
// Groups is the input list of group names.
// +optional
Groups []string `json:"groups,omitempty"`
// Expects is the expected output of the entire sequence of transforms when they are run against the
// input Username and Groups.
Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
type FederationDomainTransformsExampleExpects struct {
// Username is the expected username after the transformations have been applied.
// +optional
Username string `json:"username,omitempty"`
// Groups is the expected list of group names after the transformations have been applied.
// +optional
Groups []string `json:"groups,omitempty"`
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
// after the transformations have been applied. True means that it is expected that the authentication would be
// rejected. The default value of false means that it is expected that the authentication would not be rejected
// by any policy expression.
// +optional
Rejected bool `json:"rejected,omitempty"`
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
// then Message will be treated as the default error message for authentication attempts which are rejected by a
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
type FederationDomainTransforms struct {
// Constants defines constant variables and their values which will be made available to the transform expressions.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
// Expressions are an optional list of transforms and policies to be executed in the order given during every
// authentication attempt, including during every session refresh.
// Each is a CEL expression. It may use the basic CEL language as defined in
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
// https://github.com/google/cel-go/tree/master/ext#strings.
//
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
// available as variables in all expressions. The username is provided via a variable called `username` and
// the list of group names is provided via a variable called `groups` (which may be an empty list).
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
// and `strListConst.varName` for string list constants.
//
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
// and the authentication attempt is rejected.
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
// username or group names.
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
// groups list.
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
//
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
// and group names have been decided for that authentication attempt.
//
// +optional
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
// expected. Examples define sample input identities which are then run through the expression list, and the
// results are compared to the expected results. If any example in this list fails, then this
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
// expressions, and also act as living documentation for other administrators to better understand the expressions.
// +optional
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
type FederationDomainIdentityProvider struct {
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
// disruptive change for those users.
// +kubebuilder:validation:MinLength=1
DisplayName string `json:"displayName"`
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
// If the reference cannot be resolved then the identity provider will not be made available.
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
// Transforms is an optional way to specify transformations to be applied during user authentication and
// session refresh.
// +optional
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
// FederationDomainSpec is a struct that describes an OIDC Provider.
type FederationDomainSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
// +optional
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
//
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
// disallow the authentication unless the user belongs to a specific group in the identity provider.
//
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
// explicitly list the identity provider using this IdentityProviders field.
//
// +optional
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
type FederationDomainStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
// represent success or failure.
// +optional
Status FederationDomainStatusCondition `json:"status,omitempty"`
// Phase summarizes the overall status of the FederationDomain.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase FederationDomainPhase `json:"phase,omitempty"`
// Message provides human-readable details about the Status.
// +optional
Message string `json:"message,omitempty"`
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
// around some undesirable behavior with respect to the empty metav1.Time value (see
// https://github.com/kubernetes/kubernetes/issues/86811).
// +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// Conditions represent the observations of an FederationDomain's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Secrets contains information about this OIDC Provider's secrets.
// +optional
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type FederationDomain struct {

View File

@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type OIDCClientPhase string
const (
// PhasePending is the default phase for newly-created OIDCClient resources.
PhasePending OIDCClientPhase = "Pending"
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
OIDCClientPhasePending OIDCClientPhase = "Pending"
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
PhaseReady OIDCClientPhase = "Ready"
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
OIDCClientPhaseReady OIDCClientPhase = "Ready"
// PhaseError is the phase for an OIDCClient in an unhealthy state.
PhaseError OIDCClientPhase = "Error"
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
OIDCClientPhaseError OIDCClientPhase = "Error"
)
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`

View File

@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
*out = *in
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
in.Transforms.DeepCopyInto(&out.Transforms)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
if in == nil {
return nil
}
out := new(FederationDomainIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
*out = *in
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
*out = new(FederationDomainTLSSpec)
**out = **in
}
if in.IdentityProviders != nil {
in, out := &in.IdentityProviders, &out.IdentityProviders
*out = make([]FederationDomainIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
*out = *in
if in.LastUpdateTime != nil {
in, out := &in.LastUpdateTime, &out.LastUpdateTime
*out = (*in).DeepCopy()
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
out.Secrets = in.Secrets
return
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
*out = *in
if in.Constants != nil {
in, out := &in.Constants, &out.Constants
*out = make([]FederationDomainTransformsConstant, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Expressions != nil {
in, out := &in.Expressions, &out.Expressions
*out = make([]FederationDomainTransformsExpression, len(*in))
copy(*out, *in)
}
if in.Examples != nil {
in, out := &in.Examples, &out.Examples
*out = make([]FederationDomainTransformsExample, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
if in == nil {
return nil
}
out := new(FederationDomainTransforms)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
*out = *in
if in.StringListValue != nil {
in, out := &in.StringListValue, &out.StringListValue
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
if in == nil {
return nil
}
out := new(FederationDomainTransformsConstant)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
in.Expects.DeepCopyInto(&out.Expects)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExample)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExampleExpects)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExpression)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
*out = *in

View File

@ -21,7 +21,7 @@ spec:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .status.status
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
@ -47,6 +47,263 @@ spec:
spec:
description: Spec of the OIDC provider.
properties:
identityProviders:
description: "IdentityProviders is the list of identity providers
available for use by this FederationDomain. \n An identity provider
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
how to connect to a server, how to talk in a specific protocol for
authentication, and how to use the schema of that server/protocol
to extract a normalized user identity. Normalized user identities
include a username and a list of group names. In contrast, IdentityProviders
describes how to use that normalized identity in those Kubernetes
clusters which belong to this FederationDomain. Each entry in IdentityProviders
can be configured with arbitrary transformations on that normalized
identity. For example, a transformation can add a prefix to all
usernames to help avoid accidental conflicts when multiple identity
providers have different users with the same username (e.g. \"idp1:ryan\"
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
implement arbitrary authentication rejection policies. Even though
a user was able to authenticate with the identity provider, a policy
can disallow the authentication to the Kubernetes clusters that
belong to this FederationDomain. For example, a policy could disallow
the authentication unless the user belongs to a specific group in
the identity provider. \n For backwards compatibility with versions
of Pinniped which predate support for multiple identity providers,
an empty IdentityProviders list will cause the FederationDomain
to use all available identity providers which exist in the same
namespace, but also to reject all authentication requests when there
is more than one identity provider currently defined. In this backwards
compatibility mode, the name of the identity provider resource (e.g.
the Name of an OIDCIdentityProvider resource) will be used as the
name of the identity provider in this FederationDomain. This mode
is provided to make upgrading from older versions easier. However,
instead of relying on this backwards compatibility mode, please
consider this mode to be deprecated and please instead explicitly
list the identity provider using this IdentityProviders field."
items:
description: FederationDomainIdentityProvider describes how an identity
provider is made available in this FederationDomain.
properties:
displayName:
description: DisplayName is the name of this identity provider
as it will appear to clients. This name ends up in the kubeconfig
of end users, so changing the name of an identity provider
that is in use by end users will be a disruptive change for
those users.
minLength: 1
type: string
objectRef:
description: ObjectRef is a reference to a Pinniped identity
provider resource. A valid reference is required. If the reference
cannot be resolved then the identity provider will not be
made available. Must refer to a resource of one of the Pinniped
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
ActiveDirectoryIdentityProvider.
properties:
apiGroup:
description: APIGroup is the group for the resource being
referenced. If APIGroup is not specified, the specified
Kind must be in the core API group. For any other third-party
types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource being referenced
type: string
name:
description: Name is the name of resource being referenced
type: string
required:
- kind
- name
type: object
transforms:
description: Transforms is an optional way to specify transformations
to be applied during user authentication and session refresh.
properties:
constants:
description: Constants defines constant variables and their
values which will be made available to the transform expressions.
items:
description: FederationDomainTransformsConstant defines
a constant variable and its value which will be made
available to the transform expressions. This is a union
type, and Type is the discriminator field.
properties:
name:
description: Name determines the name of the constant.
It must be a valid identifier name.
maxLength: 64
minLength: 1
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
type: string
stringListValue:
description: StringListValue should hold the value
when Type is "stringList", and is otherwise ignored.
items:
type: string
type: array
stringValue:
description: StringValue should hold the value when
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
enum:
- string
- stringList
type: string
required:
- name
- type
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
examples:
description: Examples can optionally be used to ensure that
the sequence of transformation expressions are working
as expected. Examples define sample input identities which
are then run through the expression list, and the results
are compared to the expected results. If any example in
this list fails, then this identity provider will not
be available for use within this FederationDomain, and
the error(s) will be added to the FederationDomain status.
This can be used to help guard against programming mistakes
in the expressions, and also act as living documentation
for other administrators to better understand the expressions.
items:
description: FederationDomainTransformsExample defines
a transform example.
properties:
expects:
description: Expects is the expected output of the
entire sequence of transforms when they are run
against the input Username and Groups.
properties:
groups:
description: Groups is the expected list of group
names after the transformations have been applied.
items:
type: string
type: array
message:
description: Message is the expected error message
of the transforms. When Rejected is true, then
Message is the expected message for the policy
which rejected the authentication attempt. When
Rejected is true and Message is blank, then
Message will be treated as the default error
message for authentication attempts which are
rejected by a policy. When Rejected is false,
then Message is the expected error message for
some other non-policy transformation error,
such as a runtime error. When Rejected is false,
there is no default expected Message.
type: string
rejected:
description: Rejected is a boolean that indicates
whether authentication is expected to be rejected
by a policy expression after the transformations
have been applied. True means that it is expected
that the authentication would be rejected. The
default value of false means that it is expected
that the authentication would not be rejected
by any policy expression.
type: boolean
username:
description: Username is the expected username
after the transformations have been applied.
type: string
type: object
groups:
description: Groups is the input list of group names.
items:
type: string
type: array
username:
description: Username is the input username.
minLength: 1
type: string
required:
- expects
- username
type: object
type: array
expressions:
description: "Expressions are an optional list of transforms
and policies to be executed in the order given during
every authentication attempt, including during every session
refresh. Each is a CEL expression. It may use the basic
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
\n The username and groups extracted from the identity
provider, and the constants defined in this CR, are available
as variables in all expressions. The username is provided
via a variable called `username` and the list of group
names is provided via a variable called `groups` (which
may be an empty list). Each user-provided constants is
provided via a variable named `strConst.varName` for string
constants and `strListConst.varName` for string list constants.
\n The only allowed types for expressions are currently
policy/v1, username/v1, and groups/v1. Each policy/v1
must return a boolean, and when it returns false, no more
expressions from the list are evaluated and the authentication
attempt is rejected. Transformations of type policy/v1
do not return usernames or group names, and therefore
cannot change the username or group names. Each username/v1
transform must return the new username (a string), which
can be the same as the old username. Transformations of
type username/v1 do not return group names, and therefore
cannot change the group names. Each groups/v1 transform
must return the new groups list (list of strings), which
can be the same as the old groups list. Transformations
of type groups/v1 do not return usernames, and therefore
cannot change the usernames. After each expression, the
new (potentially changed) username or groups get passed
to the following expression. \n Any compilation or static
type-checking failure of any expression will cause an
error status on the FederationDomain. During an authentication
attempt, any unexpected runtime evaluation errors (e.g.
division by zero) cause the authentication attempt to
fail. When all expressions evaluate successfully, then
the (potentially changed) username and group names have
been decided for that authentication attempt."
items:
description: FederationDomainTransformsExpression defines
a transform expression.
properties:
expression:
description: Expression is a CEL expression that will
be evaluated based on the Type during an authentication.
minLength: 1
type: string
message:
description: Message is only used when Type is policy/v1.
It defines an error message to be used when the
policy rejects an authentication attempt. When empty,
a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
enum:
- policy/v1
- username/v1
- groups/v1
type: string
required:
- expression
- type
type: object
type: array
type: object
required:
- displayName
- objectRef
type: object
type: array
issuer:
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
Metadata document, as well as the identifier that it will use for
@ -59,8 +316,8 @@ spec:
minLength: 1
type: string
tls:
description: TLS configures how this FederationDomain is served over
Transport Layer Security (TLS).
description: TLS specifies a secret which will contain Transport Layer
Security (TLS) configuration for the FederationDomain.
properties:
secretName:
description: "SecretName is an optional name of a Secret in the
@ -91,14 +348,86 @@ spec:
status:
description: Status of the OIDC provider.
properties:
lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
conditions:
description: Conditions represent the observations of an FederationDomain's
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: Message provides human-readable details about the Status.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the FederationDomain.
enum:
- Pending
- Ready
- Error
type: string
secrets:
description: Secrets contains information about this OIDC Provider's
@ -145,15 +474,6 @@ spec:
type: string
type: object
type: object
status:
description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure.
enum:
- Success
- Duplicate
- Invalid
- SameIssuerHostMustUseSameSecret
type: string
type: object
required:
- spec

View File

@ -650,6 +650,37 @@ FederationDomain describes the configuration of an OIDC provider.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
==== FederationDomainIdentityProvider
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainphase"]
==== FederationDomainPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
@ -687,7 +718,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|===
@ -704,25 +738,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
| *`message`* __string__ | Message provides human-readable details about the Status.
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
==== FederationDomainStatusCondition (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
==== FederationDomainTLSSpec
@ -744,6 +765,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
==== FederationDomainTransforms
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
==== FederationDomainTransformsConstant
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
==== FederationDomainTransformsExample
FederationDomainTransformsExample defines a transform example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the input username.
| *`groups`* __string array__ | Groups is the input list of group names.
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
==== FederationDomainTransformsExampleExpects
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
==== FederationDomainTransformsExpression
FederationDomainTransformsExpression defines a transform expression.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-granttype"]
==== GrantType (string)

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -8,14 +8,17 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
type FederationDomainStatusCondition string
type FederationDomainPhase string
const (
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
FederationDomainPhasePending FederationDomainPhase = "Pending"
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
FederationDomainPhaseReady FederationDomainPhase = "Ready"
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
FederationDomainPhaseError FederationDomainPhase = "Error"
)
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
SecretName string `json:"secretName,omitempty"`
}
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
// the transform expressions. This is a union type, and Type is the discriminator field.
type FederationDomainTransformsConstant struct {
// Name determines the name of the constant. It must be a valid identifier name.
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
// StringValue should hold the value when Type is "string", and is otherwise ignored.
// +optional
StringValue string `json:"stringValue,omitempty"`
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
// +optional
StringListValue []string `json:"stringListValue,omitempty"`
}
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression"`
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
// an authentication attempt. When empty, a default message will be used.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransformsExample defines a transform example.
type FederationDomainTransformsExample struct {
// Username is the input username.
// +kubebuilder:validation:MinLength=1
Username string `json:"username"`
// Groups is the input list of group names.
// +optional
Groups []string `json:"groups,omitempty"`
// Expects is the expected output of the entire sequence of transforms when they are run against the
// input Username and Groups.
Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
type FederationDomainTransformsExampleExpects struct {
// Username is the expected username after the transformations have been applied.
// +optional
Username string `json:"username,omitempty"`
// Groups is the expected list of group names after the transformations have been applied.
// +optional
Groups []string `json:"groups,omitempty"`
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
// after the transformations have been applied. True means that it is expected that the authentication would be
// rejected. The default value of false means that it is expected that the authentication would not be rejected
// by any policy expression.
// +optional
Rejected bool `json:"rejected,omitempty"`
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
// then Message will be treated as the default error message for authentication attempts which are rejected by a
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
type FederationDomainTransforms struct {
// Constants defines constant variables and their values which will be made available to the transform expressions.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
// Expressions are an optional list of transforms and policies to be executed in the order given during every
// authentication attempt, including during every session refresh.
// Each is a CEL expression. It may use the basic CEL language as defined in
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
// https://github.com/google/cel-go/tree/master/ext#strings.
//
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
// available as variables in all expressions. The username is provided via a variable called `username` and
// the list of group names is provided via a variable called `groups` (which may be an empty list).
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
// and `strListConst.varName` for string list constants.
//
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
// and the authentication attempt is rejected.
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
// username or group names.
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
// groups list.
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
//
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
// and group names have been decided for that authentication attempt.
//
// +optional
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
// expected. Examples define sample input identities which are then run through the expression list, and the
// results are compared to the expected results. If any example in this list fails, then this
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
// expressions, and also act as living documentation for other administrators to better understand the expressions.
// +optional
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
type FederationDomainIdentityProvider struct {
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
// disruptive change for those users.
// +kubebuilder:validation:MinLength=1
DisplayName string `json:"displayName"`
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
// If the reference cannot be resolved then the identity provider will not be made available.
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
// Transforms is an optional way to specify transformations to be applied during user authentication and
// session refresh.
// +optional
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
// FederationDomainSpec is a struct that describes an OIDC Provider.
type FederationDomainSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
// +optional
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
//
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
// disallow the authentication unless the user belongs to a specific group in the identity provider.
//
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
// explicitly list the identity provider using this IdentityProviders field.
//
// +optional
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
type FederationDomainStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
// represent success or failure.
// +optional
Status FederationDomainStatusCondition `json:"status,omitempty"`
// Phase summarizes the overall status of the FederationDomain.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase FederationDomainPhase `json:"phase,omitempty"`
// Message provides human-readable details about the Status.
// +optional
Message string `json:"message,omitempty"`
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
// around some undesirable behavior with respect to the empty metav1.Time value (see
// https://github.com/kubernetes/kubernetes/issues/86811).
// +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// Conditions represent the observations of an FederationDomain's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Secrets contains information about this OIDC Provider's secrets.
// +optional
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type FederationDomain struct {

View File

@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type OIDCClientPhase string
const (
// PhasePending is the default phase for newly-created OIDCClient resources.
PhasePending OIDCClientPhase = "Pending"
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
OIDCClientPhasePending OIDCClientPhase = "Pending"
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
PhaseReady OIDCClientPhase = "Ready"
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
OIDCClientPhaseReady OIDCClientPhase = "Ready"
// PhaseError is the phase for an OIDCClient in an unhealthy state.
PhaseError OIDCClientPhase = "Error"
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
OIDCClientPhaseError OIDCClientPhase = "Error"
)
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`

View File

@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
*out = *in
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
in.Transforms.DeepCopyInto(&out.Transforms)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
if in == nil {
return nil
}
out := new(FederationDomainIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
*out = *in
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
*out = new(FederationDomainTLSSpec)
**out = **in
}
if in.IdentityProviders != nil {
in, out := &in.IdentityProviders, &out.IdentityProviders
*out = make([]FederationDomainIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
*out = *in
if in.LastUpdateTime != nil {
in, out := &in.LastUpdateTime, &out.LastUpdateTime
*out = (*in).DeepCopy()
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
out.Secrets = in.Secrets
return
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
*out = *in
if in.Constants != nil {
in, out := &in.Constants, &out.Constants
*out = make([]FederationDomainTransformsConstant, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Expressions != nil {
in, out := &in.Expressions, &out.Expressions
*out = make([]FederationDomainTransformsExpression, len(*in))
copy(*out, *in)
}
if in.Examples != nil {
in, out := &in.Examples, &out.Examples
*out = make([]FederationDomainTransformsExample, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
if in == nil {
return nil
}
out := new(FederationDomainTransforms)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
*out = *in
if in.StringListValue != nil {
in, out := &in.StringListValue, &out.StringListValue
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
if in == nil {
return nil
}
out := new(FederationDomainTransformsConstant)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
in.Expects.DeepCopyInto(&out.Expects)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExample)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExampleExpects)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExpression)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
*out = *in

View File

@ -21,7 +21,7 @@ spec:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .status.status
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
@ -47,6 +47,263 @@ spec:
spec:
description: Spec of the OIDC provider.
properties:
identityProviders:
description: "IdentityProviders is the list of identity providers
available for use by this FederationDomain. \n An identity provider
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
how to connect to a server, how to talk in a specific protocol for
authentication, and how to use the schema of that server/protocol
to extract a normalized user identity. Normalized user identities
include a username and a list of group names. In contrast, IdentityProviders
describes how to use that normalized identity in those Kubernetes
clusters which belong to this FederationDomain. Each entry in IdentityProviders
can be configured with arbitrary transformations on that normalized
identity. For example, a transformation can add a prefix to all
usernames to help avoid accidental conflicts when multiple identity
providers have different users with the same username (e.g. \"idp1:ryan\"
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
implement arbitrary authentication rejection policies. Even though
a user was able to authenticate with the identity provider, a policy
can disallow the authentication to the Kubernetes clusters that
belong to this FederationDomain. For example, a policy could disallow
the authentication unless the user belongs to a specific group in
the identity provider. \n For backwards compatibility with versions
of Pinniped which predate support for multiple identity providers,
an empty IdentityProviders list will cause the FederationDomain
to use all available identity providers which exist in the same
namespace, but also to reject all authentication requests when there
is more than one identity provider currently defined. In this backwards
compatibility mode, the name of the identity provider resource (e.g.
the Name of an OIDCIdentityProvider resource) will be used as the
name of the identity provider in this FederationDomain. This mode
is provided to make upgrading from older versions easier. However,
instead of relying on this backwards compatibility mode, please
consider this mode to be deprecated and please instead explicitly
list the identity provider using this IdentityProviders field."
items:
description: FederationDomainIdentityProvider describes how an identity
provider is made available in this FederationDomain.
properties:
displayName:
description: DisplayName is the name of this identity provider
as it will appear to clients. This name ends up in the kubeconfig
of end users, so changing the name of an identity provider
that is in use by end users will be a disruptive change for
those users.
minLength: 1
type: string
objectRef:
description: ObjectRef is a reference to a Pinniped identity
provider resource. A valid reference is required. If the reference
cannot be resolved then the identity provider will not be
made available. Must refer to a resource of one of the Pinniped
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
ActiveDirectoryIdentityProvider.
properties:
apiGroup:
description: APIGroup is the group for the resource being
referenced. If APIGroup is not specified, the specified
Kind must be in the core API group. For any other third-party
types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource being referenced
type: string
name:
description: Name is the name of resource being referenced
type: string
required:
- kind
- name
type: object
transforms:
description: Transforms is an optional way to specify transformations
to be applied during user authentication and session refresh.
properties:
constants:
description: Constants defines constant variables and their
values which will be made available to the transform expressions.
items:
description: FederationDomainTransformsConstant defines
a constant variable and its value which will be made
available to the transform expressions. This is a union
type, and Type is the discriminator field.
properties:
name:
description: Name determines the name of the constant.
It must be a valid identifier name.
maxLength: 64
minLength: 1
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
type: string
stringListValue:
description: StringListValue should hold the value
when Type is "stringList", and is otherwise ignored.
items:
type: string
type: array
stringValue:
description: StringValue should hold the value when
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
enum:
- string
- stringList
type: string
required:
- name
- type
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
examples:
description: Examples can optionally be used to ensure that
the sequence of transformation expressions are working
as expected. Examples define sample input identities which
are then run through the expression list, and the results
are compared to the expected results. If any example in
this list fails, then this identity provider will not
be available for use within this FederationDomain, and
the error(s) will be added to the FederationDomain status.
This can be used to help guard against programming mistakes
in the expressions, and also act as living documentation
for other administrators to better understand the expressions.
items:
description: FederationDomainTransformsExample defines
a transform example.
properties:
expects:
description: Expects is the expected output of the
entire sequence of transforms when they are run
against the input Username and Groups.
properties:
groups:
description: Groups is the expected list of group
names after the transformations have been applied.
items:
type: string
type: array
message:
description: Message is the expected error message
of the transforms. When Rejected is true, then
Message is the expected message for the policy
which rejected the authentication attempt. When
Rejected is true and Message is blank, then
Message will be treated as the default error
message for authentication attempts which are
rejected by a policy. When Rejected is false,
then Message is the expected error message for
some other non-policy transformation error,
such as a runtime error. When Rejected is false,
there is no default expected Message.
type: string
rejected:
description: Rejected is a boolean that indicates
whether authentication is expected to be rejected
by a policy expression after the transformations
have been applied. True means that it is expected
that the authentication would be rejected. The
default value of false means that it is expected
that the authentication would not be rejected
by any policy expression.
type: boolean
username:
description: Username is the expected username
after the transformations have been applied.
type: string
type: object
groups:
description: Groups is the input list of group names.
items:
type: string
type: array
username:
description: Username is the input username.
minLength: 1
type: string
required:
- expects
- username
type: object
type: array
expressions:
description: "Expressions are an optional list of transforms
and policies to be executed in the order given during
every authentication attempt, including during every session
refresh. Each is a CEL expression. It may use the basic
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
\n The username and groups extracted from the identity
provider, and the constants defined in this CR, are available
as variables in all expressions. The username is provided
via a variable called `username` and the list of group
names is provided via a variable called `groups` (which
may be an empty list). Each user-provided constants is
provided via a variable named `strConst.varName` for string
constants and `strListConst.varName` for string list constants.
\n The only allowed types for expressions are currently
policy/v1, username/v1, and groups/v1. Each policy/v1
must return a boolean, and when it returns false, no more
expressions from the list are evaluated and the authentication
attempt is rejected. Transformations of type policy/v1
do not return usernames or group names, and therefore
cannot change the username or group names. Each username/v1
transform must return the new username (a string), which
can be the same as the old username. Transformations of
type username/v1 do not return group names, and therefore
cannot change the group names. Each groups/v1 transform
must return the new groups list (list of strings), which
can be the same as the old groups list. Transformations
of type groups/v1 do not return usernames, and therefore
cannot change the usernames. After each expression, the
new (potentially changed) username or groups get passed
to the following expression. \n Any compilation or static
type-checking failure of any expression will cause an
error status on the FederationDomain. During an authentication
attempt, any unexpected runtime evaluation errors (e.g.
division by zero) cause the authentication attempt to
fail. When all expressions evaluate successfully, then
the (potentially changed) username and group names have
been decided for that authentication attempt."
items:
description: FederationDomainTransformsExpression defines
a transform expression.
properties:
expression:
description: Expression is a CEL expression that will
be evaluated based on the Type during an authentication.
minLength: 1
type: string
message:
description: Message is only used when Type is policy/v1.
It defines an error message to be used when the
policy rejects an authentication attempt. When empty,
a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
enum:
- policy/v1
- username/v1
- groups/v1
type: string
required:
- expression
- type
type: object
type: array
type: object
required:
- displayName
- objectRef
type: object
type: array
issuer:
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
Metadata document, as well as the identifier that it will use for
@ -59,8 +316,8 @@ spec:
minLength: 1
type: string
tls:
description: TLS configures how this FederationDomain is served over
Transport Layer Security (TLS).
description: TLS specifies a secret which will contain Transport Layer
Security (TLS) configuration for the FederationDomain.
properties:
secretName:
description: "SecretName is an optional name of a Secret in the
@ -91,14 +348,86 @@ spec:
status:
description: Status of the OIDC provider.
properties:
lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
conditions:
description: Conditions represent the observations of an FederationDomain's
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: Message provides human-readable details about the Status.
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the FederationDomain.
enum:
- Pending
- Ready
- Error
type: string
secrets:
description: Secrets contains information about this OIDC Provider's
@ -145,15 +474,6 @@ spec:
type: string
type: object
type: object
status:
description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure.
enum:
- Success
- Duplicate
- Invalid
- SameIssuerHostMustUseSameSecret
type: string
type: object
required:
- spec

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -8,14 +8,17 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
type FederationDomainStatusCondition string
type FederationDomainPhase string
const (
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
FederationDomainPhasePending FederationDomainPhase = "Pending"
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
FederationDomainPhaseReady FederationDomainPhase = "Ready"
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
FederationDomainPhaseError FederationDomainPhase = "Error"
)
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
SecretName string `json:"secretName,omitempty"`
}
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
// the transform expressions. This is a union type, and Type is the discriminator field.
type FederationDomainTransformsConstant struct {
// Name determines the name of the constant. It must be a valid identifier name.
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
// StringValue should hold the value when Type is "string", and is otherwise ignored.
// +optional
StringValue string `json:"stringValue,omitempty"`
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
// +optional
StringListValue []string `json:"stringListValue,omitempty"`
}
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression"`
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
// an authentication attempt. When empty, a default message will be used.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransformsExample defines a transform example.
type FederationDomainTransformsExample struct {
// Username is the input username.
// +kubebuilder:validation:MinLength=1
Username string `json:"username"`
// Groups is the input list of group names.
// +optional
Groups []string `json:"groups,omitempty"`
// Expects is the expected output of the entire sequence of transforms when they are run against the
// input Username and Groups.
Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
type FederationDomainTransformsExampleExpects struct {
// Username is the expected username after the transformations have been applied.
// +optional
Username string `json:"username,omitempty"`
// Groups is the expected list of group names after the transformations have been applied.
// +optional
Groups []string `json:"groups,omitempty"`
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
// after the transformations have been applied. True means that it is expected that the authentication would be
// rejected. The default value of false means that it is expected that the authentication would not be rejected
// by any policy expression.
// +optional
Rejected bool `json:"rejected,omitempty"`
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
// then Message will be treated as the default error message for authentication attempts which are rejected by a
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
type FederationDomainTransforms struct {
// Constants defines constant variables and their values which will be made available to the transform expressions.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
// Expressions are an optional list of transforms and policies to be executed in the order given during every
// authentication attempt, including during every session refresh.
// Each is a CEL expression. It may use the basic CEL language as defined in
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
// https://github.com/google/cel-go/tree/master/ext#strings.
//
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
// available as variables in all expressions. The username is provided via a variable called `username` and
// the list of group names is provided via a variable called `groups` (which may be an empty list).
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
// and `strListConst.varName` for string list constants.
//
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
// and the authentication attempt is rejected.
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
// username or group names.
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
// groups list.
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
//
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
// and group names have been decided for that authentication attempt.
//
// +optional
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
// expected. Examples define sample input identities which are then run through the expression list, and the
// results are compared to the expected results. If any example in this list fails, then this
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
// expressions, and also act as living documentation for other administrators to better understand the expressions.
// +optional
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
type FederationDomainIdentityProvider struct {
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
// disruptive change for those users.
// +kubebuilder:validation:MinLength=1
DisplayName string `json:"displayName"`
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
// If the reference cannot be resolved then the identity provider will not be made available.
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
// Transforms is an optional way to specify transformations to be applied during user authentication and
// session refresh.
// +optional
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
// FederationDomainSpec is a struct that describes an OIDC Provider.
type FederationDomainSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
// +optional
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
//
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
// disallow the authentication unless the user belongs to a specific group in the identity provider.
//
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
// explicitly list the identity provider using this IdentityProviders field.
//
// +optional
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
type FederationDomainStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
// represent success or failure.
// +optional
Status FederationDomainStatusCondition `json:"status,omitempty"`
// Phase summarizes the overall status of the FederationDomain.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase FederationDomainPhase `json:"phase,omitempty"`
// Message provides human-readable details about the Status.
// +optional
Message string `json:"message,omitempty"`
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
// around some undesirable behavior with respect to the empty metav1.Time value (see
// https://github.com/kubernetes/kubernetes/issues/86811).
// +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// Conditions represent the observations of an FederationDomain's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Secrets contains information about this OIDC Provider's secrets.
// +optional
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type FederationDomain struct {

View File

@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type OIDCClientPhase string
const (
// PhasePending is the default phase for newly-created OIDCClient resources.
PhasePending OIDCClientPhase = "Pending"
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
OIDCClientPhasePending OIDCClientPhase = "Pending"
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
PhaseReady OIDCClientPhase = "Ready"
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
OIDCClientPhaseReady OIDCClientPhase = "Ready"
// PhaseError is the phase for an OIDCClient in an unhealthy state.
PhaseError OIDCClientPhase = "Error"
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
OIDCClientPhaseError OIDCClientPhase = "Error"
)
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
@ -40,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
*out = *in
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
in.Transforms.DeepCopyInto(&out.Transforms)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
if in == nil {
return nil
}
out := new(FederationDomainIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
*out = *in
@ -101,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
*out = new(FederationDomainTLSSpec)
**out = **in
}
if in.IdentityProviders != nil {
in, out := &in.IdentityProviders, &out.IdentityProviders
*out = make([]FederationDomainIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
@ -117,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
*out = *in
if in.LastUpdateTime != nil {
in, out := &in.LastUpdateTime, &out.LastUpdateTime
*out = (*in).DeepCopy()
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
out.Secrets = in.Secrets
return
@ -151,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
*out = *in
if in.Constants != nil {
in, out := &in.Constants, &out.Constants
*out = make([]FederationDomainTransformsConstant, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Expressions != nil {
in, out := &in.Expressions, &out.Expressions
*out = make([]FederationDomainTransformsExpression, len(*in))
copy(*out, *in)
}
if in.Examples != nil {
in, out := &in.Examples, &out.Examples
*out = make([]FederationDomainTransformsExample, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
if in == nil {
return nil
}
out := new(FederationDomainTransforms)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
*out = *in
if in.StringListValue != nil {
in, out := &in.StringListValue, &out.StringListValue
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
if in == nil {
return nil
}
out := new(FederationDomainTransformsConstant)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
in.Expects.DeepCopyInto(&out.Expects)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExample)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
*out = *in
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExampleExpects)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
if in == nil {
return nil
}
out := new(FederationDomainTransformsExpression)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
*out = *in

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

View File

@ -1,4 +1,5 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

2
go.mod
View File

@ -20,6 +20,7 @@ require (
github.com/go-logr/zapr v1.2.4
github.com/gofrs/flock v0.8.1
github.com/golang/mock v1.6.0
github.com/google/cel-go v0.16.0
github.com/google/go-cmp v0.5.9
github.com/google/gofuzz v1.2.0
github.com/google/uuid v1.3.1
@ -90,7 +91,6 @@ require (
github.com/golang/glog v1.1.0 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/google/cel-go v0.16.0 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect

View File

@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
@ -17,7 +17,9 @@ echo -n "PINNIPED_TEST_GOLAND_RUNNER=true;"
printenv | grep PINNIPED_TEST_ | sed 's/=.*//g' | grep -v CLUSTER_CAPABILITY_YAML | while read -r var ; do
echo -n "${var}="
echo -n "${!var}" | tr -d '\n'
# Goland will treat semicolons as key/value pair separators.
# Within a value, a semicolon needs to be escaped with a backslash for Goland.
echo -n "${!var}" | sed 's/;/\\;/g' | tr -d '\n'
echo -n ";"
done

View File

@ -40,6 +40,9 @@ if [[ "${#KUBE_VERSIONS[@]}" -ne 1 ]]; then
exit 1
fi
# Add this to the git config inside the container to avoid permission errors when running this script on linux.
git config --global --add safe.directory /work
# Link the root directory into GOPATH since that is where output ends up.
GOPATH_ROOT="${GOPATH}/src/${BASE_PKG}"
mkdir -p "$(dirname "${GOPATH_ROOT}")"

View File

@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
# Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
@ -81,7 +81,7 @@ while (("$#")); do
done
if [[ "$use_oidc_upstream" == "no" && "$use_ldap_upstream" == "no" && "$use_ad_upstream" == "no" ]]; then
log_error "Error: Please use --oidc, --ldap, or --ad to specify which type of upstream identity provider(s) you would like"
log_error "Error: Please use --oidc, --ldap, or --ad to specify which type(s) of upstream identity provider(s) you would like. May use one or multiple."
exit 1
fi
@ -103,42 +103,6 @@ audience="my-workload-cluster-$(openssl rand -hex 4)"
issuer_host="pinniped-supervisor-clusterip.supervisor.svc.cluster.local"
issuer="https://$issuer_host/some/path"
# Create a CA and TLS serving certificates for the Supervisor.
step certificate create \
"Supervisor CA" "$root_ca_crt_path" "$root_ca_key_path" \
--profile root-ca \
--no-password --insecure --force
step certificate create \
"$issuer_host" "$tls_crt_path" "$tls_key_path" \
--profile leaf \
--not-after 8760h \
--ca "$root_ca_crt_path" --ca-key "$root_ca_key_path" \
--no-password --insecure --force
# Put the TLS certificate into a Secret for the Supervisor.
kubectl create secret tls -n "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" my-federation-domain-tls --cert "$tls_crt_path" --key "$tls_key_path" \
--dry-run=client --output yaml | kubectl apply -f -
# Make a FederationDomain using the TLS Secret from above.
cat <<EOF | kubectl apply --namespace "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" -f -
apiVersion: config.supervisor.pinniped.dev/v1alpha1
kind: FederationDomain
metadata:
name: my-federation-domain
spec:
issuer: $issuer
tls:
secretName: my-federation-domain-tls
EOF
echo "Waiting for FederationDomain to initialize..."
# Sleeping is a race, but that's probably good enough for the purposes of this script.
sleep 5
# Test that the federation domain is working before we proceed.
echo "Fetching FederationDomain discovery info..."
https_proxy="$PINNIPED_TEST_PROXY" curl -fLsS --cacert "$root_ca_crt_path" "$issuer/.well-known/openid-configuration" | jq .
if [[ "$use_oidc_upstream" == "yes" ]]; then
# Make an OIDCIdentityProvider which uses Dex to provide identity.
cat <<EOF | kubectl apply --namespace "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" -f -
@ -254,6 +218,140 @@ EOF
--dry-run=client --output yaml | kubectl apply -f -
fi
# Create a CA and TLS serving certificates for the Supervisor's FederationDomain.
if [[ ! -f "$root_ca_crt_path" ]]; then
step certificate create \
"Supervisor CA" "$root_ca_crt_path" "$root_ca_key_path" \
--profile root-ca \
--no-password --insecure --force
fi
if [[ ! -f "$tls_crt_path" || ! -f "$tls_key_path" ]]; then
step certificate create \
"$issuer_host" "$tls_crt_path" "$tls_key_path" \
--profile leaf \
--not-after 8760h \
--ca "$root_ca_crt_path" --ca-key "$root_ca_key_path" \
--no-password --insecure --force
fi
# Put the TLS certificate into a Secret for the Supervisor's FederationDomain.
kubectl create secret tls -n "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" my-federation-domain-tls --cert "$tls_crt_path" --key "$tls_key_path" \
--dry-run=client --output yaml | kubectl apply -f -
# Make a FederationDomain using the TLS Secret and identity providers from above in a temp file.
fd_file="/tmp/federationdomain.yaml"
cat << EOF > $fd_file
apiVersion: config.supervisor.pinniped.dev/v1alpha1
kind: FederationDomain
metadata:
name: my-federation-domain
spec:
issuer: $issuer
tls:
secretName: my-federation-domain-tls
identityProviders:
EOF
if [[ "$use_oidc_upstream" == "yes" ]]; then
# Indenting the heredoc by 4 spaces to make it indented the correct amount in the FederationDomain below.
cat << EOF >> $fd_file
- displayName: "My OIDC IDP 🚀"
objectRef:
apiGroup: idp.supervisor.pinniped.dev
kind: OIDCIdentityProvider
name: my-oidc-provider
transforms:
expressions:
- type: username/v1
expression: '"oidc:" + username'
- type: groups/v1 # the pinny user doesn't belong to any groups in Dex, so this isn't strictly needed, but doesn't hurt
expression: 'groups.map(group, "oidc:" + group)'
examples:
- username: ryan@example.com
groups: [ a, b ]
expects:
username: oidc:ryan@example.com
groups: [ oidc:a, oidc:b ]
EOF
fi
if [[ "$use_ldap_upstream" == "yes" ]]; then
# Indenting the heredoc by 4 spaces to make it indented the correct amount in the FederationDomain below.
cat << EOF >> $fd_file
- displayName: "My LDAP IDP 🚀"
objectRef:
apiGroup: idp.supervisor.pinniped.dev
kind: LDAPIdentityProvider
name: my-ldap-provider
transforms: # these are contrived to exercise all the available features
constants:
- name: prefix
type: string
stringValue: "ldap:"
- name: onlyIncludeGroupsWithThisPrefix
type: string
stringValue: "ball-" # pinny belongs to ball-game-players in openldap
- name: mustBelongToOneOfThese
type: stringList
stringListValue: [ ball-admins, seals ] # pinny belongs to seals in openldap
- name: additionalAdmins
type: stringList
stringListValue: [ pinny.ldap@example.com, ryan@example.com ] # pinny's email address in openldap
expressions:
- type: policy/v1
expression: 'groups.exists(g, g in strListConst.mustBelongToOneOfThese)'
message: "Only users in certain kube groups are allowed to authenticate"
- type: groups/v1
expression: 'username in strListConst.additionalAdmins ? groups + ["ball-admins"] : groups'
- type: groups/v1
expression: 'groups.filter(group, group.startsWith(strConst.onlyIncludeGroupsWithThisPrefix))'
- type: username/v1
expression: 'strConst.prefix + username'
- type: groups/v1
expression: 'groups.map(group, strConst.prefix + group)'
examples:
- username: ryan@example.com
groups: [ ball-developers, seals, non-ball-group ] # allowed to auth because belongs to seals
expects:
username: ldap:ryan@example.com
groups: [ ldap:ball-developers, ldap:ball-admins ] # gets ball-admins because of username, others dropped because they lack "ball-" prefix
- username: someone_else@example.com
groups: [ ball-developers, ball-admins, non-ball-group ] # allowed to auth because belongs to ball-admins
expects:
username: ldap:someone_else@example.com
groups: [ ldap:ball-developers, ldap:ball-admins ] # seals dropped because it lacks prefix
- username: paul@example.com
groups: [ not-ball-admins-group, not-seals-group ] # reject because does not belong to any of the required groups
expects:
rejected: true
message: "Only users in certain kube groups are allowed to authenticate"
EOF
fi
if [[ "$use_ad_upstream" == "yes" ]]; then
# Indenting the heredoc by 4 spaces to make it indented the correct amount in the FederationDomain below.
cat << EOF >> $fd_file
- displayName: "My AD IDP"
objectRef:
apiGroup: idp.supervisor.pinniped.dev
kind: ActiveDirectoryIdentityProvider
name: my-ad-provider
EOF
fi
# Apply the FederationDomain from the file created above.
kubectl apply --namespace "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" -f "$fd_file"
echo "Waiting for FederationDomain to initialize or update..."
kubectl wait --for=condition=Ready FederationDomain/my-federation-domain -n "$PINNIPED_TEST_SUPERVISOR_NAMESPACE"
# Test that the federation domain is working before we proceed.
echo "Fetching FederationDomain discovery info via command: https_proxy=\"$PINNIPED_TEST_PROXY\" curl -fLsS --cacert \"$root_ca_crt_path\" \"$issuer/.well-known/openid-configuration\""
https_proxy="$PINNIPED_TEST_PROXY" curl -fLsS --cacert "$root_ca_crt_path" "$issuer/.well-known/openid-configuration" | jq .
if [[ "$OSTYPE" == "darwin"* ]]; then
certificateAuthorityData=$(cat "$root_ca_crt_path" | base64)
else
@ -275,7 +373,7 @@ spec:
certificateAuthorityData: $certificateAuthorityData
EOF
echo "Waiting for JWTAuthenticator to initialize..."
echo "Waiting for JWTAuthenticator to initialize or update..."
# Sleeping is a race, but that's probably good enough for the purposes of this script.
sleep 5
@ -288,12 +386,24 @@ while [[ -z "$(kubectl get credentialissuer pinniped-concierge-config -o=jsonpat
sleep 2
done
# Use the CLI to get the kubeconfig. Tell it that you don't want the browser to automatically open for logins.
# Use the CLI to get the kubeconfig. Tell it that you don't want the browser to automatically open for browser-based
# flows so we can open our own browser with the proxy settings. Generate a kubeconfig for each IDP.
flow_arg=""
if [[ -n "$use_flow" ]]; then
flow_arg="--upstream-identity-provider-flow $use_flow"
fi
https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" ./pinniped get kubeconfig --oidc-skip-browser $flow_arg >kubeconfig
if [[ "$use_oidc_upstream" == "yes" ]]; then
https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" \
./pinniped get kubeconfig --oidc-skip-browser $flow_arg --upstream-identity-provider-type oidc >kubeconfig-oidc.yaml
fi
if [[ "$use_ldap_upstream" == "yes" ]]; then
https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" \
./pinniped get kubeconfig --oidc-skip-browser $flow_arg --upstream-identity-provider-type ldap >kubeconfig-ldap.yaml
fi
if [[ "$use_ad_upstream" == "yes" ]]; then
https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" \
./pinniped get kubeconfig --oidc-skip-browser $flow_arg --upstream-identity-provider-type activedirectory >kubeconfig-ad.yaml
fi
# Clear the local CLI cache to ensure that the kubectl command below will need to perform a fresh login.
rm -f "$HOME/.config/pinniped/sessions.yaml"
@ -304,37 +414,48 @@ echo "Ready! 🚀"
if [[ "$use_oidc_upstream" == "yes" || "$use_flow" == "browser_authcode" ]]; then
echo
echo "To be able to access the login URL shown below, start Chrome like this:"
echo "To be able to access the Supervisor URL during login, start Chrome like this:"
echo " open -a \"Google Chrome\" --args --proxy-server=\"$PINNIPED_TEST_PROXY\""
echo "Note that Chrome must be fully quit before being started with --proxy-server."
echo "Then open the login URL shown below in that new Chrome window."
echo
echo "When prompted for username and password, use these values:"
echo
fi
if [[ "$use_oidc_upstream" == "yes" ]]; then
echo " Username: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME"
echo " Password: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD"
echo " OIDC Username: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME"
echo " OIDC Password: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD"
echo
fi
if [[ "$use_ldap_upstream" == "yes" ]]; then
echo " Username: $PINNIPED_TEST_LDAP_USER_CN"
echo " Password: $PINNIPED_TEST_LDAP_USER_PASSWORD"
echo " LDAP Username: $PINNIPED_TEST_LDAP_USER_CN"
echo " LDAP Password: $PINNIPED_TEST_LDAP_USER_PASSWORD"
echo
fi
if [[ "$use_ad_upstream" == "yes" ]]; then
echo " Username: $PINNIPED_TEST_AD_USER_USER_PRINCIPAL_NAME"
echo " Password: $PINNIPED_TEST_AD_USER_PASSWORD"
echo " AD Username: $PINNIPED_TEST_AD_USER_USER_PRINCIPAL_NAME"
echo " AD Password: $PINNIPED_TEST_AD_USER_PASSWORD"
echo
fi
# Perform a login using the kubectl plugin. This should print the URL to be followed for the Dex login page
# if using an OIDC upstream, or should prompt on the CLI for username/password if using an LDAP upstream.
echo
echo "Running: PINNIPED_DEBUG=true https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" kubectl --kubeconfig ./kubeconfig get pods -A"
PINNIPED_DEBUG=true https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" kubectl --kubeconfig ./kubeconfig get pods -A
# Print the identity of the currently logged in user. The CLI has cached your tokens, and will automatically refresh
# your short-lived credentials whenever they expire, so you should not be prompted to log in again for the rest of the day.
echo
echo "Running: PINNIPED_DEBUG=true https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" ./pinniped whoami --kubeconfig ./kubeconfig"
PINNIPED_DEBUG=true https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" ./pinniped whoami --kubeconfig ./kubeconfig
# Echo the commands that may be used to login and print the identity of the currently logged in user.
# Once the CLI has cached your tokens, it will automatically refresh your short-lived credentials whenever
# they expire, so you should not be prompted to log in again for the rest of the day.
if [[ "$use_oidc_upstream" == "yes" ]]; then
echo "To log in using OIDC, run:"
echo "PINNIPED_DEBUG=true https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" ./pinniped whoami --kubeconfig ./kubeconfig-oidc.yaml"
echo
fi
if [[ "$use_ldap_upstream" == "yes" ]]; then
echo "To log in using LDAP, run:"
echo "PINNIPED_DEBUG=true https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" ./pinniped whoami --kubeconfig ./kubeconfig-ldap.yaml"
echo
fi
if [[ "$use_ad_upstream" == "yes" ]]; then
echo "To log in using AD, run:"
echo "PINNIPED_DEBUG=true https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" ./pinniped whoami --kubeconfig ./kubeconfig-ad.yaml"
echo
fi

View File

@ -0,0 +1,359 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package celtransformer is an implementation of upstream-to-downstream identity transformations
// and policies using CEL scripts.
//
// The CEL language is documented in https://github.com/google/cel-spec/blob/master/doc/langdef.md
// with optional extensions documented in https://github.com/google/cel-go/tree/master/ext.
package celtransformer
import (
"context"
"fmt"
"reflect"
"regexp"
"strings"
"time"
"github.com/google/cel-go/cel"
"github.com/google/cel-go/common/types/ref"
"github.com/google/cel-go/ext"
"go.pinniped.dev/internal/idtransform"
)
const (
usernameVariableName = "username"
groupsVariableName = "groups"
constStringVariableName = "strConst"
constStringListVariableName = "strListConst"
DefaultPolicyRejectedAuthMessage = "authentication was rejected by a configured policy"
)
// CELTransformer can compile any number of transformation expression pipelines.
// Each compiled pipeline can be cached in memory for later thread-safe evaluation.
type CELTransformer struct {
compiler *cel.Env
maxExpressionRuntime time.Duration
}
// NewCELTransformer returns a CELTransformer.
// A running process should only need one instance of a CELTransformer.
func NewCELTransformer(maxExpressionRuntime time.Duration) (*CELTransformer, error) {
env, err := newEnv()
if err != nil {
return nil, err
}
return &CELTransformer{compiler: env, maxExpressionRuntime: maxExpressionRuntime}, nil
}
// TransformationConstants can be used to make more variables available to compiled CEL expressions for convenience.
type TransformationConstants struct {
// A map of variable names to their string values. If a key "x" has value "123", then it will be available
// to CEL expressions as the variable `strConst.x` with value `"123"`.
StringConstants map[string]string
// A map of variable names to their string list values. If a key "x" has value []string{"123","456"},
// then it will be available to CEL expressions as the variable `strListConst.x` with value `["123","456"]`.
StringListConstants map[string][]string
}
// Valid identifiers in CEL expressions are defined as [_a-zA-Z][_a-zA-Z0-9]* by the CEL language spec.
var validIdentifiersRegexp = regexp.MustCompile(`^[_a-zA-Z][_a-zA-Z0-9]*$`)
func (t *TransformationConstants) validateVariableNames() error {
const errFormat = "%q is an invalid const variable name (must match [_a-zA-Z][_a-zA-Z0-9]*)"
for k := range t.StringConstants {
if !validIdentifiersRegexp.MatchString(k) {
return fmt.Errorf(errFormat, k)
}
}
for k := range t.StringListConstants {
if !validIdentifiersRegexp.MatchString(k) {
return fmt.Errorf(errFormat, k)
}
}
return nil
}
// CompileTransformation compiles a CEL-based identity transformation expression.
// The compiled transform can be cached in memory and executed repeatedly and in a thread-safe way.
// The caller must not modify the consts param struct after calling this function to allow
// the returned IdentityTransformation to use it as a thread-safe read-only structure.
func (c *CELTransformer) CompileTransformation(t CELTransformation, consts *TransformationConstants) (idtransform.IdentityTransformation, error) {
if consts == nil {
consts = &TransformationConstants{}
}
if err := consts.validateVariableNames(); err != nil {
return nil, err
}
return t.compile(c, consts)
}
// CELTransformation can be compiled into an IdentityTransformation.
type CELTransformation interface {
compile(transformer *CELTransformer, consts *TransformationConstants) (idtransform.IdentityTransformation, error)
}
var _ CELTransformation = (*UsernameTransformation)(nil)
var _ CELTransformation = (*GroupsTransformation)(nil)
var _ CELTransformation = (*AllowAuthenticationPolicy)(nil)
// UsernameTransformation is a CEL expression that can transform a username (or leave it unchanged).
// It implements CELTransformation.
type UsernameTransformation struct {
Expression string
}
// GroupsTransformation is a CEL expression that can transform a list of group names (or leave it unchanged).
// It implements CELTransformation.
type GroupsTransformation struct {
Expression string
}
// AllowAuthenticationPolicy is a CEL expression that can allow the authentication to proceed by returning true.
// It implements CELTransformation. When the CEL expression returns false, the authentication is rejected and the
// RejectedAuthenticationMessage is used. When RejectedAuthenticationMessage is empty, a default message will be
// used for rejected authentications.
type AllowAuthenticationPolicy struct {
Expression string
RejectedAuthenticationMessage string
}
func compileProgram(transformer *CELTransformer, expectedExpressionType *cel.Type, expr string) (cel.Program, error) {
if strings.TrimSpace(expr) == "" {
return nil, fmt.Errorf("cannot compile empty CEL expression")
}
// compile does both parsing and type checking. The parsing phase indicates whether the expression is
// syntactically valid and expands any macros present within the environment. Parsing and checking are
// more computationally expensive than evaluation, so parsing and checking are done in advance.
ast, issues := transformer.compiler.Compile(expr)
if issues != nil {
return nil, fmt.Errorf("CEL expression compile error: %s", issues.String())
}
// The compiler's type checker has determined the type of the expression's result.
// Check that it matches the type that we expect.
if ast.OutputType().String() != expectedExpressionType.String() {
return nil, fmt.Errorf("CEL expression should return type %q but returns type %q", expectedExpressionType, ast.OutputType())
}
// The cel.Program is stateless, thread-safe, and cachable.
program, err := transformer.compiler.Program(ast,
cel.InterruptCheckFrequency(100), // Kubernetes uses 100 here, so we'll copy that setting.
cel.EvalOptions(cel.OptOptimize), // Optimize certain things now rather than at evaluation time.
)
if err != nil {
return nil, fmt.Errorf("CEL expression program construction error: %w", err)
}
return program, nil
}
func (t *UsernameTransformation) compile(transformer *CELTransformer, consts *TransformationConstants) (idtransform.IdentityTransformation, error) {
program, err := compileProgram(transformer, cel.StringType, t.Expression)
if err != nil {
return nil, err
}
return &compiledUsernameTransformation{
baseCompiledTransformation: &baseCompiledTransformation{
program: program,
consts: consts,
sourceExpr: t,
maxExpressionRuntime: transformer.maxExpressionRuntime,
},
}, nil
}
func (t *GroupsTransformation) compile(transformer *CELTransformer, consts *TransformationConstants) (idtransform.IdentityTransformation, error) {
program, err := compileProgram(transformer, cel.ListType(cel.StringType), t.Expression)
if err != nil {
return nil, err
}
return &compiledGroupsTransformation{
baseCompiledTransformation: &baseCompiledTransformation{
program: program,
consts: consts,
sourceExpr: t,
maxExpressionRuntime: transformer.maxExpressionRuntime,
},
}, nil
}
func (t *AllowAuthenticationPolicy) compile(transformer *CELTransformer, consts *TransformationConstants) (idtransform.IdentityTransformation, error) {
program, err := compileProgram(transformer, cel.BoolType, t.Expression)
if err != nil {
return nil, err
}
return &compiledAllowAuthenticationPolicy{
baseCompiledTransformation: &baseCompiledTransformation{
program: program,
consts: consts,
sourceExpr: t,
maxExpressionRuntime: transformer.maxExpressionRuntime,
},
rejectedAuthenticationMessage: t.RejectedAuthenticationMessage,
}, nil
}
// Base type for common aspects of compiled transformations.
type baseCompiledTransformation struct {
program cel.Program
consts *TransformationConstants
sourceExpr CELTransformation
maxExpressionRuntime time.Duration
}
// Implements idtransform.IdentityTransformation.
type compiledUsernameTransformation struct {
*baseCompiledTransformation
}
// Implements idtransform.IdentityTransformation.
type compiledGroupsTransformation struct {
*baseCompiledTransformation
}
// Implements idtransform.IdentityTransformation.
type compiledAllowAuthenticationPolicy struct {
*baseCompiledTransformation
rejectedAuthenticationMessage string
}
func (c *baseCompiledTransformation) evalProgram(ctx context.Context, username string, groups []string) (ref.Val, error) {
// Limit the runtime of a CEL expression to avoid accidental very expensive expressions.
timeoutCtx, cancel := context.WithTimeout(ctx, c.maxExpressionRuntime)
defer cancel()
// Evaluation is thread-safe and side effect free. Many inputs can be sent to the same cel.Program
// and if fields are present in the input, but not referenced in the expression, they are ignored.
// The argument to Eval may either be an `interpreter.Activation` or a `map[string]interface{}`.
val, _, err := c.program.ContextEval(timeoutCtx, map[string]interface{}{
usernameVariableName: username,
groupsVariableName: groups,
constStringVariableName: c.consts.StringConstants,
constStringListVariableName: c.consts.StringListConstants,
})
return val, err
}
func (c *compiledUsernameTransformation) Evaluate(ctx context.Context, username string, groups []string) (*idtransform.TransformationResult, error) {
val, err := c.evalProgram(ctx, username, groups)
if err != nil {
return nil, err
}
nativeValue, err := val.ConvertToNative(reflect.TypeOf(""))
if err != nil {
return nil, fmt.Errorf("could not convert expression result to string: %w", err)
}
stringValue, ok := nativeValue.(string)
if !ok {
return nil, fmt.Errorf("could not convert expression result to string")
}
return &idtransform.TransformationResult{
Username: stringValue,
Groups: groups, // groups are not modified by username transformations
AuthenticationAllowed: true,
}, nil
}
func (c *compiledGroupsTransformation) Evaluate(ctx context.Context, username string, groups []string) (*idtransform.TransformationResult, error) {
val, err := c.evalProgram(ctx, username, groups)
if err != nil {
return nil, err
}
nativeValue, err := val.ConvertToNative(reflect.TypeOf([]string{}))
if err != nil {
return nil, fmt.Errorf("could not convert expression result to []string: %w", err)
}
stringSliceValue, ok := nativeValue.([]string)
if !ok {
return nil, fmt.Errorf("could not convert expression result to []string")
}
return &idtransform.TransformationResult{
Username: username, // username is not modified by groups transformations
Groups: stringSliceValue,
AuthenticationAllowed: true,
}, nil
}
func (c *compiledAllowAuthenticationPolicy) Evaluate(ctx context.Context, username string, groups []string) (*idtransform.TransformationResult, error) {
val, err := c.evalProgram(ctx, username, groups)
if err != nil {
return nil, err
}
nativeValue, err := val.ConvertToNative(reflect.TypeOf(true))
if err != nil {
return nil, fmt.Errorf("could not convert expression result to bool: %w", err)
}
boolValue, ok := nativeValue.(bool)
if !ok {
return nil, fmt.Errorf("could not convert expression result to bool")
}
result := &idtransform.TransformationResult{
Username: username, // username is not modified by policies
Groups: groups, // groups are not modified by policies
AuthenticationAllowed: boolValue,
}
if !boolValue {
if len(c.rejectedAuthenticationMessage) == 0 {
result.RejectedAuthenticationMessage = DefaultPolicyRejectedAuthMessage
} else {
result.RejectedAuthenticationMessage = c.rejectedAuthenticationMessage
}
}
return result, nil
}
type CELTransformationSource struct {
Expr CELTransformation
Consts *TransformationConstants
}
func (c *compiledUsernameTransformation) Source() interface{} {
return &CELTransformationSource{Expr: c.sourceExpr, Consts: c.consts}
}
func (c *compiledGroupsTransformation) Source() interface{} {
return &CELTransformationSource{Expr: c.sourceExpr, Consts: c.consts}
}
func (c *compiledAllowAuthenticationPolicy) Source() interface{} {
return &CELTransformationSource{Expr: c.sourceExpr, Consts: c.consts}
}
func newEnv() (*cel.Env, error) {
// Note that Kubernetes uses CEL in several places, which are helpful to see as an example of
// how to configure the CEL compiler for production usage. Examples:
// https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/compiler.go
// https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/compilation.go
return cel.NewEnv(
// Declare our variable without giving them values yet. By declaring them here, the type is known during
// the parsing/checking phase.
cel.Variable(usernameVariableName, cel.StringType),
cel.Variable(groupsVariableName, cel.ListType(cel.StringType)),
cel.Variable(constStringVariableName, cel.MapType(cel.StringType, cel.StringType)),
cel.Variable(constStringListVariableName, cel.MapType(cel.StringType, cel.ListType(cel.StringType))),
// Enable the strings extensions.
// See https://github.com/google/cel-go/tree/master/ext#strings
// CEL also has other extensions for bas64 encoding/decoding and for math that we could choose to enable.
// See https://github.com/google/cel-go/tree/master/ext
// Kubernetes adds more extensions for extra regexp helpers, URLs, and extra list helpers that we could also
// consider enabling. Note that if we added their regexp extension, then we would also need to add
// cel.OptimizeRegex(library.ExtensionLibRegexOptimizations...) as an option when we call cel.Program.
// See https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/apiserver/pkg/cel/library
ext.Strings(),
// Just in case someone converts a string to a timestamp, make any time operations which do not include
// an explicit timezone argument default to UTC.
cel.DefaultUTCTimeZone(true),
// Check list and map literal entry types during type-checking.
cel.HomogeneousAggregateLiterals(),
// Check for collisions in declarations now instead of later.
cel.EagerlyValidateDeclarations(true),
)
}

View File

@ -0,0 +1,900 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package celtransformer
import (
"context"
"fmt"
"runtime"
"sort"
"sync"
"testing"
"time"
"github.com/stretchr/testify/require"
"go.pinniped.dev/internal/here"
"go.pinniped.dev/internal/idtransform"
)
func TestTransformer(t *testing.T) {
var veryLargeGroupList []string
for i := 0; i < 10000; i++ {
veryLargeGroupList = append(veryLargeGroupList, fmt.Sprintf("g%d", i))
}
alreadyCancelledContext, cancel := context.WithCancel(context.Background())
cancel()
tests := []struct {
name string
username string
groups []string
transforms []CELTransformation
consts *TransformationConstants
ctx context.Context
wantUsername string
wantGroups []string
wantAuthRejected bool
wantAuthRejectedMessage string
wantCompileErr string
wantEvaluationErr string
}{
{
name: "empty transforms list does not change the identity and allows auth",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "other"},
},
{
name: "simple transforms which do not change the identity and allows auth",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `username`},
&GroupsTransformation{Expression: `groups`},
&AllowAuthenticationPolicy{Expression: `true`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "other"},
},
{
name: "transformations run in the order that they are given and accumulate results",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `"a:" + username`},
&UsernameTransformation{Expression: `"b:" + username`},
&GroupsTransformation{Expression: `groups.map(g, "a:" + g)`},
&GroupsTransformation{Expression: `groups.map(g, "b:" + g)`},
},
wantUsername: "b:a:ryan",
wantGroups: []string{"b:a:admins", "b:a:developers", "b:a:other"},
},
{
name: "policies which return false cause the pipeline to stop running and return a rejected auth result",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `"a:" + username`},
&AllowAuthenticationPolicy{Expression: `true`, RejectedAuthenticationMessage: `Everyone is allowed`},
&GroupsTransformation{Expression: `groups.map(g, "a:" + g)`},
&AllowAuthenticationPolicy{Expression: `username == "admin"`, RejectedAuthenticationMessage: `Only the username "admin" is allowed`},
&GroupsTransformation{Expression: `groups.map(g, "b:" + g)`}, // does not get evaluated
},
wantUsername: "a:ryan",
wantGroups: []string{"a:admins", "a:developers", "a:other"},
wantAuthRejected: true,
wantAuthRejectedMessage: `Only the username "admin" is allowed`,
},
{
name: "policies without a RejectedAuthenticationMessage get a default message",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `username == "admin"`, RejectedAuthenticationMessage: ""},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "other"},
wantAuthRejected: true,
wantAuthRejectedMessage: `authentication was rejected by a configured policy`,
},
{
name: "any transformations can use the username and group variables",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `groups[0] == "admins" && username == "ryan"`},
&GroupsTransformation{Expression: `groups + [username]`},
&UsernameTransformation{Expression: `groups[2]`}, // changes the username to "other"
&GroupsTransformation{Expression: `groups + [username + "2"]`}, // by the time this expression runs, the username was already changed to "other"
},
wantUsername: "other",
wantGroups: []string{"admins", "developers", "other", "other2", "ryan"},
},
{
name: "any transformation can use the provided constants as variables",
username: "ryan",
groups: []string{"admins", "developers", "other"},
consts: &TransformationConstants{
StringConstants: map[string]string{
"x": "abc",
"y": "def",
},
StringListConstants: map[string][]string{
"x": {"uvw", "xyz"},
"y": {"123", "456"},
},
},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `strConst.x + strListConst.x[0]`},
&GroupsTransformation{Expression: `[strConst.x, strConst.y, strListConst.x[1], strListConst.y[0]]`},
&AllowAuthenticationPolicy{Expression: `strConst.x == "abc"`},
},
wantUsername: "abcuvw",
wantGroups: []string{"123", "abc", "def", "xyz"},
},
{
name: "the CEL string extensions are enabled for use in the expressions",
username: " ryan ",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups.map(g, g.replace("mins", "ministrators"))`},
&UsernameTransformation{Expression: `username.upperAscii()`},
&AllowAuthenticationPolicy{Expression: `(username.lowerAscii()).trim() == "ryan"`, RejectedAuthenticationMessage: `Silly example`},
&UsernameTransformation{Expression: `username.trim()`},
},
wantUsername: "RYAN",
wantGroups: []string{"administrators", "developers", "other"},
},
{
name: "UTC is the default time zone for time operations",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `string(timestamp("2023-01-16T10:00:20.021-08:00").getHours())`},
},
// Without the compiler option cel.DefaultUTCTimeZone, this result would be 10.
// With the option, this result is the original hour from the timestamp string (10), plus the effect
// of the timezone (8), to move the hour into the UTC time zone.
wantUsername: "18",
wantGroups: []string{"admins", "developers", "other"},
},
{
name: "the default UTC time zone for time operations can be overridden by passing the time zone as an argument to the operation",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `string(timestamp("2023-01-16T10:00:20.021-08:00").getHours("US/Mountain"))`},
},
// This is the hour of the timestamp in Mountain time, which is one time zone over from Pacific (-08:00),
// hence it is one larger than the original "10" from the timestamp string.
wantUsername: "11",
wantGroups: []string{"admins", "developers", "other"},
},
{
name: "quick expressions are finished by CEL before CEL even looks at the cancel context",
username: "ryan",
groups: veryLargeGroupList,
transforms: []CELTransformation{
&GroupsTransformation{Expression: `["one group"]`},
},
ctx: alreadyCancelledContext,
wantUsername: "ryan",
wantGroups: []string{"one group"},
},
//
// Unit tests to demonstrate practical examples of useful CEL expressions.
//
{
name: "can prefix username and all groups",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `"username_prefix:" + username`},
&GroupsTransformation{Expression: `groups.map(g, "group_prefix:" + g)`},
},
wantUsername: "username_prefix:ryan",
wantGroups: []string{"group_prefix:admins", "group_prefix:developers", "group_prefix:other"},
},
{
name: "can suffix username and all groups",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `username + ":username_suffix"`},
&GroupsTransformation{Expression: `groups.map(g, g + ":group_suffix")`},
},
wantUsername: "ryan:username_suffix",
wantGroups: []string{"admins:group_suffix", "developers:group_suffix", "other:group_suffix"},
},
{
name: "can change case of username and all groups",
username: "rYan 🚀",
groups: []string{"aDmins", "dEvelopers", "oTher"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `username.lowerAscii()`},
&GroupsTransformation{Expression: `groups.map(g, g.upperAscii())`},
},
wantUsername: "ryan 🚀",
wantGroups: []string{"ADMINS", "DEVELOPERS", "OTHER"},
},
{
name: "can replace whitespace",
username: " r\ty a n \n",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `username.replace(" ", "").replace("\n", "").replace("\t", "")`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "other"},
},
{
name: "can use regex on strings: when the regex matches",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `username.matches("^r[abcy].n$") ? "ryan-modified" : username`},
},
wantUsername: "ryan-modified",
wantGroups: []string{"admins", "developers", "other"},
},
{
name: "can use regex on strings: when the regex does not match",
username: "olive",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `username.matches("^r[abcy].n$") ? "ryan-modified" : username`},
},
wantUsername: "olive",
wantGroups: []string{"admins", "developers", "other"},
},
{
name: "can filter groups based on an allow list",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups.filter(g, g in ["admins", "developers"])`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers"},
},
{
name: "can filter groups based on an allow list provided as a const",
username: "ryan",
groups: []string{"admins", "developers", "other"},
consts: &TransformationConstants{
StringListConstants: map[string][]string{"allowedGroups": {"admins", "developers"}},
},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups.filter(g, g in strListConst.allowedGroups)`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers"},
},
{
name: "can filter groups based on a disallow list",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups.filter(g, !(g in ["admins", "developers"]))`},
},
wantUsername: "ryan",
wantGroups: []string{"other"},
},
{
name: "can filter groups based on a disallowed prefixes",
username: "ryan",
groups: []string{"disallowed1:admins", "disallowed2:developers", "other"},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups.filter(group, !(["disallowed1:", "disallowed2:"].exists(prefix, group.startsWith(prefix))))`},
},
wantUsername: "ryan",
wantGroups: []string{"other"},
},
{
name: "can filter groups based on a disallowed prefixes provided as a const",
username: "ryan",
groups: []string{"disallowed1:admins", "disallowed2:developers", "other"},
consts: &TransformationConstants{
StringListConstants: map[string][]string{"disallowedPrefixes": {"disallowed1:", "disallowed2:"}},
},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups.filter(group, !(strListConst.disallowedPrefixes.exists(prefix, group.startsWith(prefix))))`},
},
wantUsername: "ryan",
wantGroups: []string{"other"},
},
{
name: "can add a group",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups + ["new-group"]`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "new-group", "other"},
},
{
name: "a nil passed as groups will be converted to an empty list",
username: "ryan",
groups: nil,
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups`},
},
wantUsername: "ryan",
wantGroups: []string{},
},
{
name: "a nil passed as groups will be converted to an empty list and can be used with CEL operators",
username: "ryan",
groups: nil,
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups == [] ? ["the-groups-list-was-an-empty-list"] : ["the-groups-list-was-not-an-empty-list"]`},
},
wantUsername: "ryan",
wantGroups: []string{"the-groups-list-was-an-empty-list"},
},
{
name: "an empty list of groups is allowed",
username: "ryan",
groups: []string{},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups`},
},
wantUsername: "ryan",
wantGroups: []string{},
},
{
name: "can add a group from a const",
username: "ryan",
groups: []string{"admins", "developers", "other"},
consts: &TransformationConstants{
StringConstants: map[string]string{"groupToAlwaysAdd": "new-group"},
},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups + [strConst.groupToAlwaysAdd]`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "new-group", "other"},
},
{
name: "can add a group but only if they already belong to another group - when the user does belong to that other group",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `"other" in groups ? groups + ["new-group"] : groups`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "new-group", "other"},
},
{
name: "can add a group but only if they already belong to another group - when the user does NOT belong to that other group",
username: "ryan",
groups: []string{"admins", "developers"},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `"other" in groups ? groups + ["new-group"] : groups`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers"},
},
{
name: "can rename a group",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups.map(g, g == "other" ? "other-renamed" : g)`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "other-renamed"},
},
{
name: "can reject auth based on belonging to one group - when the user meets the criteria",
username: "ryan",
groups: []string{"admins", "developers", "other", "super-admins"},
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `"super-admins" in groups`, RejectedAuthenticationMessage: `Only users who belong to the "super-admins" group are allowed`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "other", "super-admins"},
},
{
name: "can reject auth based on belonging to one group - when the user does NOT meet the criteria",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `"super-admins" in groups`, RejectedAuthenticationMessage: `Only users who belong to the "super-admins" group are allowed`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "other"},
wantAuthRejected: true,
wantAuthRejectedMessage: `Only users who belong to the "super-admins" group are allowed`,
},
{
name: "can reject auth unless the user belongs to any one of the groups in a list - when the user meets the criteria",
username: "ryan",
groups: []string{"admins", "developers", "foobar", "other"},
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `groups.exists(g, g in ["foobar", "foobaz", "foobat"])`, RejectedAuthenticationMessage: `Only users who belong to any of the groups in a list are allowed`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "foobar", "other"},
},
{
name: "can reject auth unless the user belongs to any one of the groups in a list - when the user does NOT meet the criteria",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `groups.exists(g, g in ["foobar", "foobaz", "foobat"])`, RejectedAuthenticationMessage: `Only users who belong to any of the groups in a list are allowed`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "other"},
wantAuthRejected: true,
wantAuthRejectedMessage: `Only users who belong to any of the groups in a list are allowed`,
},
{
name: "can reject auth unless the user belongs to all of the groups in a list - when the user meets the criteria",
username: "ryan",
groups: []string{"admins", "developers", "other", "foobar", "foobaz", "foobat"},
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `["foobar", "foobaz", "foobat"].all(g, g in groups)`, RejectedAuthenticationMessage: `Only users who belong to all groups in a list are allowed`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "foobar", "foobat", "foobaz", "other"},
},
{
name: "can reject auth unless the user belongs to all of the groups in a list - when the user does NOT meet the criteria",
username: "ryan",
groups: []string{"admins", "developers", "other", "foobaz", "foobat"},
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `["foobar", "foobaz", "foobat"].all(g, g in groups)`, RejectedAuthenticationMessage: `Only users who belong to all groups in a list are allowed`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "other", "foobaz", "foobat"},
wantAuthRejected: true,
wantAuthRejectedMessage: `Only users who belong to all groups in a list are allowed`,
},
{
name: "can reject auth if the user belongs to any groups in a disallowed groups list - when the user meets the criteria",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `!groups.exists(g, g in ["foobar", "foobaz"])`, RejectedAuthenticationMessage: `Only users who do not belong to any of the groups in a list are allowed`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "other"},
},
{
name: "can reject auth if the user belongs to any groups in a disallowed groups list - when the user does NOT meet the criteria",
username: "ryan",
groups: []string{"admins", "developers", "other", "foobaz"},
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `!groups.exists(g, g in ["foobar", "foobaz"])`, RejectedAuthenticationMessage: `Only users who do not belong to any of the groups in a list are allowed`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "other", "foobaz"},
wantAuthRejected: true,
wantAuthRejectedMessage: `Only users who do not belong to any of the groups in a list are allowed`,
},
{
name: "can reject auth unless the username is in an allowed users list - when the user meets the criteria",
username: "foobaz",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `username in ["foobar", "foobaz"]`, RejectedAuthenticationMessage: `Only certain usernames allowed`},
},
wantUsername: "foobaz",
wantGroups: []string{"admins", "developers", "other"},
},
{
name: "can reject auth unless the username is in an allowed users list - when the user does NOT meet the criteria",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `username in ["foobar", "foobaz"]`, RejectedAuthenticationMessage: `Only certain usernames allowed`},
},
wantUsername: "ryan",
wantGroups: []string{"admins", "developers", "other"},
wantAuthRejected: true,
wantAuthRejectedMessage: `Only certain usernames allowed`,
},
//
// Error cases
//
{
name: "username transformation returns an empty string as the new username",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `""`},
},
wantEvaluationErr: "identity transformation returned an empty username, which is not allowed",
},
{
name: "username transformation returns a string containing only whitespace as the new username",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `" \n \t "`},
},
wantEvaluationErr: "identity transformation returned an empty username, which is not allowed",
},
{
name: "username transformation compiles to return null, which is not a string so it has the wrong type",
transforms: []CELTransformation{
&UsernameTransformation{Expression: `null`},
},
wantCompileErr: `CEL expression should return type "string" but returns type "null_type"`,
},
{
name: "groups transformation compiles to return null, which is not a string so it has the wrong type",
transforms: []CELTransformation{
&GroupsTransformation{Expression: `null`},
},
wantCompileErr: `CEL expression should return type "list(string)" but returns type "null_type"`,
},
{
name: "policy transformation compiles to return null, which is not a string so it has the wrong type",
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `null`},
},
wantCompileErr: `CEL expression should return type "bool" but returns type "null_type"`,
},
{
name: "username transformation has empty expression",
transforms: []CELTransformation{
&UsernameTransformation{Expression: ``},
},
wantCompileErr: `cannot compile empty CEL expression`,
},
{
name: "groups transformation has empty expression",
transforms: []CELTransformation{
&GroupsTransformation{Expression: ``},
},
wantCompileErr: `cannot compile empty CEL expression`,
},
{
name: "policy transformation has empty expression",
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: ``},
},
wantCompileErr: `cannot compile empty CEL expression`,
},
{
name: "username transformation has expression which contains only whitespace",
transforms: []CELTransformation{
&UsernameTransformation{Expression: " \n\t "},
},
wantCompileErr: `cannot compile empty CEL expression`,
},
{
name: "groups transformation has expression which contains only whitespace",
transforms: []CELTransformation{
&GroupsTransformation{Expression: " \n\t "},
},
wantCompileErr: `cannot compile empty CEL expression`,
},
{
name: "policy transformation has expression which contains only whitespace",
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: " \n\t "},
},
wantCompileErr: `cannot compile empty CEL expression`,
},
{
name: "slow username transformation expressions are canceled by the cancel context after partial evaluation",
username: "ryan",
groups: veryLargeGroupList,
transforms: []CELTransformation{
&UsernameTransformation{Expression: `groups.filter(x, groups.all(x, true))[0]`},
},
ctx: alreadyCancelledContext,
wantEvaluationErr: `identity transformation at index 0: operation interrupted`,
},
{
name: "slow groups transformation expressions are canceled by the cancel context after partial evaluation",
username: "ryan",
groups: veryLargeGroupList,
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups.filter(x, groups.all(x, true))`},
},
ctx: alreadyCancelledContext,
wantEvaluationErr: `identity transformation at index 0: operation interrupted`,
},
{
name: "slow policy expressions are canceled by the cancel context after partial evaluation",
username: "ryan",
groups: veryLargeGroupList,
transforms: []CELTransformation{
&UsernameTransformation{Expression: "username"},
&AllowAuthenticationPolicy{Expression: `groups.all(x, groups.all(x, true))`}, // this is the slow one
},
ctx: alreadyCancelledContext,
wantEvaluationErr: `identity transformation at index 1: operation interrupted`,
},
{
name: "slow transformation expressions are canceled and the rest of the expressions do not run",
username: "ryan",
groups: veryLargeGroupList,
transforms: []CELTransformation{
&UsernameTransformation{Expression: `username`}, // quick expressions are allowed to run even though the context is cancelled
&UsernameTransformation{Expression: `groups.filter(x, groups.all(x, true))[0]`},
&UsernameTransformation{Expression: `groups.filter(x, groups.all(x, true))[0]`},
&UsernameTransformation{Expression: `groups.filter(x, groups.all(x, true))[0]`},
},
ctx: alreadyCancelledContext,
wantEvaluationErr: `identity transformation at index 1: operation interrupted`,
},
{
name: "slow username transformation expressions are canceled after a maximum allowed duration",
username: "ryan",
groups: veryLargeGroupList,
transforms: []CELTransformation{
// On my laptop, evaluating this expression would take ~20 seconds if we allowed it to evaluate to completion.
&UsernameTransformation{Expression: `groups.filter(x, groups.all(x, true))[0]`},
},
wantEvaluationErr: `identity transformation at index 0: operation interrupted`,
},
{
name: "slow groups transformation expressions are canceled after a maximum allowed duration",
username: "ryan",
groups: veryLargeGroupList,
transforms: []CELTransformation{
// On my laptop, evaluating this expression would take ~20 seconds if we allowed it to evaluate to completion.
&GroupsTransformation{Expression: `groups.filter(x, groups.all(x, true))`},
},
wantEvaluationErr: `identity transformation at index 0: operation interrupted`,
},
{
name: "slow policy transformation expressions are canceled after a maximum allowed duration",
username: "ryan",
groups: veryLargeGroupList,
transforms: []CELTransformation{
// On my laptop, evaluating this expression would take ~20 seconds if we allowed it to evaluate to completion.
&AllowAuthenticationPolicy{Expression: `groups.all(x, groups.all(x, true))`},
},
wantEvaluationErr: `identity transformation at index 0: operation interrupted`,
},
{
name: "compile errors are returned by the compile step for a username transform",
transforms: []CELTransformation{
&UsernameTransformation{Expression: `foobar.junk()`},
},
wantCompileErr: here.Doc(`
CEL expression compile error: ERROR: <input>:1:1: undeclared reference to 'foobar' (in container '')
| foobar.junk()
| ^
ERROR: <input>:1:12: undeclared reference to 'junk' (in container '')
| foobar.junk()
| ...........^`,
),
},
{
name: "compile errors are returned by the compile step for a groups transform",
transforms: []CELTransformation{
&GroupsTransformation{Expression: `foobar.junk()`},
},
wantCompileErr: here.Doc(`
CEL expression compile error: ERROR: <input>:1:1: undeclared reference to 'foobar' (in container '')
| foobar.junk()
| ^
ERROR: <input>:1:12: undeclared reference to 'junk' (in container '')
| foobar.junk()
| ...........^`,
),
},
{
name: "compile errors are returned by the compile step for a policy",
transforms: []CELTransformation{
&AllowAuthenticationPolicy{Expression: `foobar.junk()`},
},
wantCompileErr: here.Doc(`
CEL expression compile error: ERROR: <input>:1:1: undeclared reference to 'foobar' (in container '')
| foobar.junk()
| ^
ERROR: <input>:1:12: undeclared reference to 'junk' (in container '')
| foobar.junk()
| ...........^`,
),
},
{
name: "evaluation errors stop the pipeline and return an error",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: "username"},
&AllowAuthenticationPolicy{Expression: `1 / 0 == 7`},
},
wantEvaluationErr: `identity transformation at index 1: division by zero`,
},
{
name: "HomogeneousAggregateLiterals compiler setting is enabled to help the user avoid type mistakes in expressions",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups.all(g, g in ["admins", 1])`},
},
wantCompileErr: here.Doc(`
CEL expression compile error: ERROR: <input>:1:31: expected type 'string' but found 'int'
| groups.all(g, g in ["admins", 1])
| ..............................^`,
),
},
{
name: "when an expression's type cannot be determined at compile time, e.g. due to the use of dynamic types",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `groups.map(g, {"admins": dyn(1), "developers":"a"}[g])`},
},
wantCompileErr: `CEL expression should return type "list(string)" but returns type "list(dyn)"`,
},
{
name: "using string constants which were not were provided",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `strConst.x`},
},
wantEvaluationErr: `identity transformation at index 0: no such key: x`,
},
{
name: "using string list constants which were not were provided",
username: "ryan",
groups: []string{"admins", "developers", "other"},
transforms: []CELTransformation{
&GroupsTransformation{Expression: `strListConst.x`},
},
wantEvaluationErr: `identity transformation at index 0: no such key: x`,
},
{
name: "using an illegal name for a string constant",
username: "ryan",
groups: []string{"admins", "developers", "other"},
consts: &TransformationConstants{StringConstants: map[string]string{" illegal": "a"}},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `username`},
},
wantCompileErr: `" illegal" is an invalid const variable name (must match [_a-zA-Z][_a-zA-Z0-9]*)`,
},
{
name: "using an illegal name for a stringList constant",
username: "ryan",
groups: []string{"admins", "developers", "other"},
consts: &TransformationConstants{StringListConstants: map[string][]string{" illegal": {"a"}}},
transforms: []CELTransformation{
&UsernameTransformation{Expression: `username`},
},
wantCompileErr: `" illegal" is an invalid const variable name (must match [_a-zA-Z][_a-zA-Z0-9]*)`,
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
transformer, err := NewCELTransformer(100 * time.Millisecond)
require.NoError(t, err)
pipeline := idtransform.NewTransformationPipeline()
expectedPipelineSource := []interface{}{}
for _, transform := range tt.transforms {
compiledTransform, err := transformer.CompileTransformation(transform, tt.consts)
if tt.wantCompileErr != "" {
require.EqualError(t, err, tt.wantCompileErr)
return // the rest of the test doesn't make sense when there was a compile error
}
require.NoError(t, err, "got an unexpected compile error")
pipeline.AppendTransformation(compiledTransform)
expectedTransformSource := &CELTransformationSource{
Expr: transform,
Consts: tt.consts,
}
if expectedTransformSource.Consts == nil {
expectedTransformSource.Consts = &TransformationConstants{}
}
expectedPipelineSource = append(expectedPipelineSource, expectedTransformSource)
}
ctx := context.Background()
if tt.ctx != nil {
ctx = tt.ctx
}
result, err := pipeline.Evaluate(ctx, tt.username, tt.groups)
if tt.wantEvaluationErr != "" {
require.EqualError(t, err, tt.wantEvaluationErr)
return // the rest of the test doesn't make sense when there was an evaluation error
}
require.NoError(t, err, "got an unexpected evaluation error")
require.Equal(t, tt.wantUsername, result.Username)
require.Equal(t, tt.wantGroups, result.Groups)
require.Equal(t, !tt.wantAuthRejected, result.AuthenticationAllowed, "AuthenticationAllowed had unexpected value")
require.Equal(t, tt.wantAuthRejectedMessage, result.RejectedAuthenticationMessage)
require.Equal(t, expectedPipelineSource, pipeline.Source())
})
}
}
func TestTypicalPerformanceAndThreadSafety(t *testing.T) {
t.Parallel()
transformer, err := NewCELTransformer(5 * time.Second) // CI workers can be slow, so allow slow transforms
require.NoError(t, err)
pipeline := idtransform.NewTransformationPipeline()
var compiledTransform idtransform.IdentityTransformation
compiledTransform, err = transformer.CompileTransformation(&UsernameTransformation{Expression: `"username_prefix:" + username`}, nil)
require.NoError(t, err)
pipeline.AppendTransformation(compiledTransform)
compiledTransform, err = transformer.CompileTransformation(&GroupsTransformation{Expression: `groups.map(g, "group_prefix:" + g)`}, nil)
require.NoError(t, err)
pipeline.AppendTransformation(compiledTransform)
compiledTransform, err = transformer.CompileTransformation(&AllowAuthenticationPolicy{Expression: `username == "username_prefix:ryan"`}, nil)
require.NoError(t, err)
pipeline.AppendTransformation(compiledTransform)
var groups []string
var wantGroups []string
for i := 0; i < 100; i++ {
groups = append(groups, fmt.Sprintf("g%d", i))
wantGroups = append(wantGroups, fmt.Sprintf("group_prefix:g%d", i))
}
sort.Strings(wantGroups)
// Before looking at performance, check that the behavior of the function is correct.
result, err := pipeline.Evaluate(context.Background(), "ryan", groups)
require.NoError(t, err)
require.Equal(t, "username_prefix:ryan", result.Username)
require.Equal(t, wantGroups, result.Groups)
require.True(t, result.AuthenticationAllowed)
require.Empty(t, result.RejectedAuthenticationMessage)
// This loop is meant to give a sense of typical runtime of CEL expressions which transforms a username
// and 100 group names. It is not meant to be a pass/fail test or scientific benchmark test.
iterations := 1000
start := time.Now()
for i := 0; i < iterations; i++ {
_, _ = pipeline.Evaluate(context.Background(), "ryan", groups)
}
elapsed := time.Since(start)
t.Logf("TestTypicalPerformanceAndThreadSafety %d iterations of Evaluate took %s; average runtime %s", iterations, elapsed, elapsed/time.Duration(iterations))
// On my laptop this prints: TestTypicalPerformanceAndThreadSafety 1000 iterations of Evaluate took 257.981421ms; average runtime 257.981µs
// Now use the transformations pipeline from different goroutines at the same time. Hopefully the race detector
// will complain if this is not thread safe in some way. Use the pipeline enough that it will be very likely that
// there will be several parallel invocations of the Evaluate function. Every invocation should also yield the
// exact same result, since they are all using the same inputs. This assumes that the unit tests are run using
// the race detector.
var wg sync.WaitGroup
numGoroutines := runtime.NumCPU() / 2
t.Logf("Running tight loops in %d simultaneous goroutines", numGoroutines)
for i := 0; i < numGoroutines; i++ {
wg.Add(1) // increment WaitGroup counter for each goroutine
go func() {
defer wg.Done() // decrement WaitGroup counter when this goroutine finishes
for j := 0; j < iterations*2; j++ {
localResult, localErr := pipeline.Evaluate(context.Background(), "ryan", groups)
require.NoError(t, localErr)
require.Equal(t, "username_prefix:ryan", localResult.Username)
require.Equal(t, wantGroups, localResult.Groups)
require.True(t, localResult.AuthenticationAllowed)
require.Empty(t, localResult.RejectedAuthenticationMessage)
}
}()
}
wg.Wait() // wait for the counter to reach zero, indicating the all goroutines are finished
}

View File

@ -11,7 +11,7 @@ import (
"k8s.io/apiserver/pkg/server/dynamiccertificates"
"go.pinniped.dev/internal/certauthority"
"go.pinniped.dev/internal/issuer"
"go.pinniped.dev/internal/clientcertissuer"
)
// ca is a type capable of issuing certificates.
@ -21,7 +21,7 @@ type ca struct {
// New creates a ClientCertIssuer, ready to issue certs whenever
// the given CertKeyContentProvider has a keypair to provide.
func New(provider dynamiccertificates.CertKeyContentProvider) issuer.ClientCertIssuer {
func New(provider dynamiccertificates.CertKeyContentProvider) clientcertissuer.ClientCertIssuer {
return &ca{
provider: provider,
}

View File

@ -9,8 +9,8 @@ import (
"github.com/stretchr/testify/require"
"go.pinniped.dev/internal/clientcertissuer"
"go.pinniped.dev/internal/dynamiccert"
"go.pinniped.dev/internal/issuer"
"go.pinniped.dev/internal/testutil"
)
@ -116,7 +116,7 @@ func TestCAIssuePEM(t *testing.T) {
}
}
func issuePEM(provider dynamiccert.Provider, ca issuer.ClientCertIssuer, caCrt, caKey []byte) ([]byte, []byte, error) {
func issuePEM(provider dynamiccert.Provider, ca clientcertissuer.ClientCertIssuer, caCrt, caKey []byte) ([]byte, []byte, error) {
// if setting fails, look at that error
if caCrt != nil || caKey != nil {
if err := provider.SetCertKeyContent(caCrt, caKey); err != nil {

View File

@ -1,7 +1,7 @@
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package issuer
package clientcertissuer
import (
"fmt"

View File

@ -1,7 +1,7 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package issuer
package clientcertissuer
import (
"errors"

View File

@ -15,8 +15,8 @@ import (
"k8s.io/apiserver/pkg/registry/rest"
genericapiserver "k8s.io/apiserver/pkg/server"
"go.pinniped.dev/internal/clientcertissuer"
"go.pinniped.dev/internal/controllerinit"
"go.pinniped.dev/internal/issuer"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/pversion"
"go.pinniped.dev/internal/registry/credentialrequest"
@ -30,7 +30,7 @@ type Config struct {
type ExtraConfig struct {
Authenticator credentialrequest.TokenCredentialRequestAuthenticator
Issuer issuer.ClientCertIssuer
Issuer clientcertissuer.ClientCertIssuer
BuildControllersPostStartHook controllerinit.RunnerBuilder
Scheme *runtime.Scheme
NegotiatedSerializer runtime.NegotiatedSerializer

View File

@ -23,6 +23,7 @@ import (
conciergeopenapi "go.pinniped.dev/generated/latest/client/concierge/openapi"
"go.pinniped.dev/internal/certauthority/dynamiccertauthority"
"go.pinniped.dev/internal/clientcertissuer"
"go.pinniped.dev/internal/concierge/apiserver"
conciergescheme "go.pinniped.dev/internal/concierge/scheme"
"go.pinniped.dev/internal/config/concierge"
@ -33,7 +34,6 @@ import (
"go.pinniped.dev/internal/downward"
"go.pinniped.dev/internal/dynamiccert"
"go.pinniped.dev/internal/here"
"go.pinniped.dev/internal/issuer"
"go.pinniped.dev/internal/kubeclient"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/pversion"
@ -159,7 +159,7 @@ func (a *App) runServer(ctx context.Context) error {
return fmt.Errorf("could not prepare controllers: %w", err)
}
certIssuer := issuer.ClientCertIssuers{
certIssuer := clientcertissuer.ClientCertIssuers{
dynamiccertauthority.New(dynamicSigningCertProvider), // attempt to use the real Kube CA if possible
dynamiccertauthority.New(impersonationProxySigningCertProvider), // fallback to our internal CA if we need to
}
@ -194,7 +194,7 @@ func (a *App) runServer(ctx context.Context) error {
func getAggregatedAPIServerConfig(
dynamicCertProvider dynamiccert.Private,
authenticator credentialrequest.TokenCredentialRequestAuthenticator,
issuer issuer.ClientCertIssuer,
issuer clientcertissuer.ClientCertIssuer,
buildControllers controllerinit.RunnerBuilder,
apiGroupSuffix string,
aggregatedAPIServerPort int64,

View File

@ -67,11 +67,11 @@ func mergeIDPCondition(existing *[]v1.Condition, new *v1.Condition) bool {
}
// MergeConfigConditions merges conditions into conditionsToUpdate. If returns true if it merged any error conditions.
func MergeConfigConditions(conditions []*v1.Condition, observedGeneration int64, conditionsToUpdate *[]v1.Condition, log plog.MinLogger) bool {
func MergeConfigConditions(conditions []*v1.Condition, observedGeneration int64, conditionsToUpdate *[]v1.Condition, log plog.MinLogger, now v1.Time) bool {
hadErrorCondition := false
for i := range conditions {
cond := conditions[i].DeepCopy()
cond.LastTransitionTime = v1.Now()
cond.LastTransitionTime = now
cond.ObservedGeneration = observedGeneration
if mergeConfigCondition(conditionsToUpdate, cond) {
log.Info("updated condition", "type", cond.Type, "status", cond.Status, "reason", cond.Reason, "message", cond.Message)

View File

@ -26,7 +26,7 @@ import (
"go.pinniped.dev/internal/controller/conditionsutil"
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
"go.pinniped.dev/internal/controllerlib"
"go.pinniped.dev/internal/oidc/provider"
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/upstreamldap"
)
@ -225,7 +225,7 @@ func (s *activeDirectoryUpstreamGenericLDAPStatus) Conditions() []metav1.Conditi
// UpstreamActiveDirectoryIdentityProviderICache is a thread safe cache that holds a list of validated upstream LDAP IDP configurations.
type UpstreamActiveDirectoryIdentityProviderICache interface {
SetActiveDirectoryIdentityProviders([]provider.UpstreamLDAPIdentityProviderI)
SetActiveDirectoryIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI)
}
type activeDirectoryWatcherController struct {
@ -299,7 +299,7 @@ func (c *activeDirectoryWatcherController) Sync(ctx controllerlib.Context) error
}
requeue := false
validatedUpstreams := make([]provider.UpstreamLDAPIdentityProviderI, 0, len(actualUpstreams))
validatedUpstreams := make([]upstreamprovider.UpstreamLDAPIdentityProviderI, 0, len(actualUpstreams))
for _, upstream := range actualUpstreams {
valid, requestedRequeue := c.validateUpstream(ctx.Context, upstream)
if valid != nil {
@ -318,7 +318,7 @@ func (c *activeDirectoryWatcherController) Sync(ctx controllerlib.Context) error
return nil
}
func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context, upstream *v1alpha1.ActiveDirectoryIdentityProvider) (p provider.UpstreamLDAPIdentityProviderI, requeue bool) {
func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context, upstream *v1alpha1.ActiveDirectoryIdentityProvider) (p upstreamprovider.UpstreamLDAPIdentityProviderI, requeue bool) {
spec := upstream.Spec
adUpstreamImpl := &activeDirectoryUpstreamGenericLDAPImpl{activeDirectoryIdentityProvider: *upstream}
@ -344,7 +344,7 @@ func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context,
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){
"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID"),
},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
pwdLastSetAttribute: attributeUnchangedSinceLogin(pwdLastSetAttribute),
userAccountControlAttribute: validUserAccountControl,
userAccountControlComputedAttribute: validComputedUserAccountControl,
@ -445,7 +445,7 @@ func getDomainFromDistinguishedName(distinguishedName string) (string, error) {
}
//nolint:gochecknoglobals // this needs to be a global variable so that tests can check pointer equality
var validUserAccountControl = func(entry *ldap.Entry, _ provider.RefreshAttributes) error {
var validUserAccountControl = func(entry *ldap.Entry, _ upstreamprovider.RefreshAttributes) error {
userAccountControl, err := strconv.Atoi(entry.GetAttributeValue(userAccountControlAttribute))
if err != nil {
return err
@ -459,7 +459,7 @@ var validUserAccountControl = func(entry *ldap.Entry, _ provider.RefreshAttribut
}
//nolint:gochecknoglobals // this needs to be a global variable so that tests can check pointer equality
var validComputedUserAccountControl = func(entry *ldap.Entry, _ provider.RefreshAttributes) error {
var validComputedUserAccountControl = func(entry *ldap.Entry, _ upstreamprovider.RefreshAttributes) error {
userAccountControl, err := strconv.Atoi(entry.GetAttributeValue(userAccountControlComputedAttribute))
if err != nil {
return err
@ -473,8 +473,8 @@ var validComputedUserAccountControl = func(entry *ldap.Entry, _ provider.Refresh
}
//nolint:gochecknoglobals // this needs to be a global variable so that tests can check pointer equality
var attributeUnchangedSinceLogin = func(attribute string) func(*ldap.Entry, provider.RefreshAttributes) error {
return func(entry *ldap.Entry, storedAttributes provider.RefreshAttributes) error {
var attributeUnchangedSinceLogin = func(attribute string) func(*ldap.Entry, upstreamprovider.RefreshAttributes) error {
return func(entry *ldap.Entry, storedAttributes upstreamprovider.RefreshAttributes) error {
prevAttributeValue := storedAttributes.AdditionalAttributes[attribute]
newValues := entry.GetRawAttributeValues(attribute)

View File

@ -29,8 +29,9 @@ import (
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
"go.pinniped.dev/internal/controllerlib"
"go.pinniped.dev/internal/endpointaddr"
"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
"go.pinniped.dev/internal/mocks/mockldapconn"
"go.pinniped.dev/internal/oidc/provider"
"go.pinniped.dev/internal/testutil"
"go.pinniped.dev/internal/upstreamldap"
)
@ -229,7 +230,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: testGroupSearchNameAttrName,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -572,7 +573,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: testGroupSearchNameAttrName,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -642,7 +643,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: "sAMAccountName",
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -715,7 +716,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: testGroupSearchNameAttrName,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -795,7 +796,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: testGroupSearchNameAttrName,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -859,7 +860,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: testGroupSearchNameAttrName,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -1010,7 +1011,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: testGroupSearchNameAttrName,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -1160,7 +1161,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: testGroupSearchNameAttrName,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -1232,7 +1233,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: testGroupSearchNameAttrName,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -1499,7 +1500,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
GroupAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"sAMAccountName": groupSAMAccountNameWithDomainSuffix},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -1559,7 +1560,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: testGroupSearchNameAttrName,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -1623,7 +1624,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: testGroupSearchNameAttrName,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -1687,7 +1688,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: testGroupSearchNameAttrName,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -1899,7 +1900,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
GroupNameAttribute: testGroupSearchNameAttrName,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -1962,7 +1963,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
SkipGroupRefresh: true,
},
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
"userAccountControl": validUserAccountControl,
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
@ -2009,8 +2010,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
cache := provider.NewDynamicUpstreamIDPProvider()
cache.SetActiveDirectoryIdentityProviders([]provider.UpstreamLDAPIdentityProviderI{
cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
cache.SetActiveDirectoryIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI{
upstreamldap.New(upstreamldap.ProviderConfig{Name: "initial-entry"}),
})
@ -2104,8 +2105,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
expectedRefreshAttributeChecks := copyOfExpectedValueForResultingCache.RefreshAttributeChecks
actualRefreshAttributeChecks := actualConfig.RefreshAttributeChecks
copyOfExpectedValueForResultingCache.RefreshAttributeChecks = map[string]func(*ldap.Entry, provider.RefreshAttributes) error{}
actualConfig.RefreshAttributeChecks = map[string]func(*ldap.Entry, provider.RefreshAttributes) error{}
copyOfExpectedValueForResultingCache.RefreshAttributeChecks = map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{}
actualConfig.RefreshAttributeChecks = map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{}
require.Equal(t, len(expectedRefreshAttributeChecks), len(actualRefreshAttributeChecks))
for k, v := range expectedRefreshAttributeChecks {
require.NotNil(t, actualRefreshAttributeChecks[k])
@ -2354,7 +2355,7 @@ func TestValidUserAccountControl(t *testing.T) {
for _, test := range tests {
tt := test
t.Run(tt.name, func(t *testing.T) {
err := validUserAccountControl(tt.entry, provider.RefreshAttributes{})
err := validUserAccountControl(tt.entry, upstreamprovider.RefreshAttributes{})
if tt.wantErr != "" {
require.Error(t, err)
@ -2415,7 +2416,7 @@ func TestValidComputedUserAccountControl(t *testing.T) {
for _, test := range tests {
tt := test
t.Run(tt.name, func(t *testing.T) {
err := validComputedUserAccountControl(tt.entry, provider.RefreshAttributes{})
err := validComputedUserAccountControl(tt.entry, upstreamprovider.RefreshAttributes{})
if tt.wantErr != "" {
require.Error(t, err)
@ -2490,7 +2491,7 @@ func TestAttributeUnchangedSinceLogin(t *testing.T) {
tt := test
t.Run(tt.name, func(t *testing.T) {
initialValRawEncoded := base64.RawURLEncoding.EncodeToString([]byte(initialVal))
err := attributeUnchangedSinceLogin(attributeName)(tt.entry, provider.RefreshAttributes{AdditionalAttributes: map[string]string{attributeName: initialValRawEncoded}})
err := attributeUnchangedSinceLogin(attributeName)(tt.entry, upstreamprovider.RefreshAttributes{AdditionalAttributes: map[string]string{attributeName: initialValRawEncoded}})
if tt.wantErr != "" {
require.Error(t, err)
require.Equal(t, tt.wantErr, err.Error())

View File

@ -20,7 +20,7 @@ import (
"go.pinniped.dev/internal/controller/conditionsutil"
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
"go.pinniped.dev/internal/controllerlib"
"go.pinniped.dev/internal/oidc/provider"
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/upstreamldap"
)
@ -133,7 +133,7 @@ func (s *ldapUpstreamGenericLDAPStatus) Conditions() []metav1.Condition {
// UpstreamLDAPIdentityProviderICache is a thread safe cache that holds a list of validated upstream LDAP IDP configurations.
type UpstreamLDAPIdentityProviderICache interface {
SetLDAPIdentityProviders([]provider.UpstreamLDAPIdentityProviderI)
SetLDAPIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI)
}
type ldapWatcherController struct {
@ -207,7 +207,7 @@ func (c *ldapWatcherController) Sync(ctx controllerlib.Context) error {
}
requeue := false
validatedUpstreams := make([]provider.UpstreamLDAPIdentityProviderI, 0, len(actualUpstreams))
validatedUpstreams := make([]upstreamprovider.UpstreamLDAPIdentityProviderI, 0, len(actualUpstreams))
for _, upstream := range actualUpstreams {
valid, requestedRequeue := c.validateUpstream(ctx.Context, upstream)
if valid != nil {
@ -226,7 +226,7 @@ func (c *ldapWatcherController) Sync(ctx controllerlib.Context) error {
return nil
}
func (c *ldapWatcherController) validateUpstream(ctx context.Context, upstream *v1alpha1.LDAPIdentityProvider) (p provider.UpstreamLDAPIdentityProviderI, requeue bool) {
func (c *ldapWatcherController) validateUpstream(ctx context.Context, upstream *v1alpha1.LDAPIdentityProvider) (p upstreamprovider.UpstreamLDAPIdentityProviderI, requeue bool) {
spec := upstream.Spec
config := &upstreamldap.ProviderConfig{

View File

@ -28,8 +28,9 @@ import (
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
"go.pinniped.dev/internal/controllerlib"
"go.pinniped.dev/internal/endpointaddr"
"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
"go.pinniped.dev/internal/mocks/mockldapconn"
"go.pinniped.dev/internal/oidc/provider"
"go.pinniped.dev/internal/testutil"
"go.pinniped.dev/internal/upstreamldap"
)
@ -1138,8 +1139,8 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
cache := provider.NewDynamicUpstreamIDPProvider()
cache.SetLDAPIdentityProviders([]provider.UpstreamLDAPIdentityProviderI{
cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
cache.SetLDAPIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI{
upstreamldap.New(upstreamldap.ProviderConfig{Name: "initial-entry"}),
})

View File

@ -21,7 +21,7 @@ import (
pinnipedcontroller "go.pinniped.dev/internal/controller"
"go.pinniped.dev/internal/controller/conditionsutil"
"go.pinniped.dev/internal/controllerlib"
"go.pinniped.dev/internal/oidc/oidcclientvalidator"
"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
"go.pinniped.dev/internal/oidcclientsecretstorage"
"go.pinniped.dev/internal/plog"
)
@ -133,11 +133,12 @@ func (c *oidcClientWatcherController) updateStatus(
) error {
updated := upstream.DeepCopy()
hadErrorCondition := conditionsutil.MergeConfigConditions(conditions, upstream.Generation, &updated.Status.Conditions, plog.New())
hadErrorCondition := conditionsutil.MergeConfigConditions(conditions,
upstream.Generation, &updated.Status.Conditions, plog.New(), metav1.Now())
updated.Status.Phase = v1alpha1.PhaseReady
updated.Status.Phase = v1alpha1.OIDCClientPhaseReady
if hadErrorCondition {
updated.Status.Phase = v1alpha1.PhaseError
updated.Status.Phase = v1alpha1.OIDCClientPhaseError
}
updated.Status.TotalClientSecrets = int32(totalClientSecrets)

View File

@ -34,8 +34,8 @@ import (
"go.pinniped.dev/internal/controller/conditionsutil"
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
"go.pinniped.dev/internal/controllerlib"
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
"go.pinniped.dev/internal/net/phttp"
"go.pinniped.dev/internal/oidc/provider"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/upstreamoidc"
)
@ -91,10 +91,10 @@ var (
// UpstreamOIDCIdentityProviderICache is a thread safe cache that holds a list of validated upstream OIDC IDP configurations.
type UpstreamOIDCIdentityProviderICache interface {
SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI)
SetOIDCIdentityProviders([]upstreamprovider.UpstreamOIDCIdentityProviderI)
}
// lruValidatorCache caches the *oidc.Provider associated with a particular issuer/TLS configuration.
// lruValidatorCache caches the *coreosoidc.Provider associated with a particular issuer/TLS configuration.
type lruValidatorCache struct{ cache *cache.Expiring }
type lruValidatorCacheEntry struct {
@ -175,13 +175,13 @@ func (c *oidcWatcherController) Sync(ctx controllerlib.Context) error {
}
requeue := false
validatedUpstreams := make([]provider.UpstreamOIDCIdentityProviderI, 0, len(actualUpstreams))
validatedUpstreams := make([]upstreamprovider.UpstreamOIDCIdentityProviderI, 0, len(actualUpstreams))
for _, upstream := range actualUpstreams {
valid := c.validateUpstream(ctx, upstream)
if valid == nil {
requeue = true
} else {
validatedUpstreams = append(validatedUpstreams, provider.UpstreamOIDCIdentityProviderI(valid))
validatedUpstreams = append(validatedUpstreams, upstreamprovider.UpstreamOIDCIdentityProviderI(valid))
}
}
c.cache.SetOIDCIdentityProviders(validatedUpstreams)

View File

@ -28,7 +28,8 @@ import (
pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
"go.pinniped.dev/internal/certauthority"
"go.pinniped.dev/internal/controllerlib"
"go.pinniped.dev/internal/oidc/provider"
"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/testutil"
"go.pinniped.dev/internal/testutil/oidctestutil"
@ -80,8 +81,8 @@ func TestOIDCUpstreamWatcherControllerFilterSecret(t *testing.T) {
pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
fakeKubeClient := fake.NewSimpleClientset()
kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
cache := provider.NewDynamicUpstreamIDPProvider()
cache.SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI{
cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
cache.SetOIDCIdentityProviders([]upstreamprovider.UpstreamOIDCIdentityProviderI{
&upstreamoidc.ProviderConfig{Name: "initial-entry"},
})
secretInformer := kubeInformers.Core().V1().Secrets()
@ -1415,8 +1416,8 @@ oidc: issuer did not match the issuer returned by provider, expected "` + testIs
fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
testLog := testlogger.NewLegacy(t) //nolint:staticcheck // old test with lots of log statements
cache := provider.NewDynamicUpstreamIDPProvider()
cache.SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI{
cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
cache.SetOIDCIdentityProviders([]upstreamprovider.UpstreamOIDCIdentityProviderI{
&upstreamoidc.ProviderConfig{Name: "initial-entry"},
})

View File

@ -16,7 +16,7 @@ import (
"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
"go.pinniped.dev/internal/constable"
"go.pinniped.dev/internal/oidc/provider"
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/upstreamldap"
)
@ -365,7 +365,7 @@ func validateAndSetLDAPServerConnectivityAndSearchBase(
return ldapConnectionValidCondition, searchBaseFoundCondition
}
func EvaluateConditions(conditions GradatedConditions, config *upstreamldap.ProviderConfig) (provider.UpstreamLDAPIdentityProviderI, bool) {
func EvaluateConditions(conditions GradatedConditions, config *upstreamldap.ProviderConfig) (upstreamprovider.UpstreamLDAPIdentityProviderI, bool) {
for _, gradatedCondition := range conditions.gradatedConditions {
if gradatedCondition.condition.Status != metav1.ConditionTrue && gradatedCondition.isFatal {
// Invalid provider, so do not load it into the cache.

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package supervisorstorage
@ -21,12 +21,13 @@ import (
pinnipedcontroller "go.pinniped.dev/internal/controller"
"go.pinniped.dev/internal/controllerlib"
"go.pinniped.dev/internal/crud"
"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
"go.pinniped.dev/internal/fositestorage/accesstoken"
"go.pinniped.dev/internal/fositestorage/authorizationcode"
"go.pinniped.dev/internal/fositestorage/openidconnect"
"go.pinniped.dev/internal/fositestorage/pkce"
"go.pinniped.dev/internal/fositestorage/refreshtoken"
"go.pinniped.dev/internal/oidc/provider"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/psession"
)
@ -43,7 +44,7 @@ type garbageCollectorController struct {
// UpstreamOIDCIdentityProviderICache is a thread safe cache that holds a list of validated upstream OIDC IDP configurations.
type UpstreamOIDCIdentityProviderICache interface {
GetOIDCIdentityProviders() []provider.UpstreamOIDCIdentityProviderI
GetOIDCIdentityProviders() []upstreamprovider.UpstreamOIDCIdentityProviderI
}
func GarbageCollectorController(
@ -143,7 +144,7 @@ func (c *garbageCollectorController) Sync(ctx controllerlib.Context) error {
// cleaning them out of etcd storage.
fourHoursAgo := frozenClock.Now().Add(-4 * time.Hour)
nowIsLessThanFourHoursBeyondSecretGCTime := garbageCollectAfterTime.After(fourHoursAgo)
if errors.As(revokeErr, &provider.RetryableRevocationError{}) && nowIsLessThanFourHoursBeyondSecretGCTime {
if errors.As(revokeErr, &dynamicupstreamprovider.RetryableRevocationError{}) && nowIsLessThanFourHoursBeyondSecretGCTime {
// Hasn't been very long since secret expired, so skip deletion to try revocation again later.
plog.Trace("garbage collector keeping Secret to retry upstream OIDC token revocation later", logKV(secret)...)
continue
@ -244,7 +245,7 @@ func (c *garbageCollectorController) tryRevokeUpstreamOIDCToken(ctx context.Cont
}
// Try to find the provider that was originally used to create the stored session.
var foundOIDCIdentityProviderI provider.UpstreamOIDCIdentityProviderI
var foundOIDCIdentityProviderI upstreamprovider.UpstreamOIDCIdentityProviderI
for _, p := range c.idpCache.GetOIDCIdentityProviders() {
if p.GetName() == customSessionData.ProviderName && p.GetResourceUID() == customSessionData.ProviderUID {
foundOIDCIdentityProviderI = p
@ -260,7 +261,7 @@ func (c *garbageCollectorController) tryRevokeUpstreamOIDCToken(ctx context.Cont
upstreamAccessToken := customSessionData.OIDC.UpstreamAccessToken
if upstreamRefreshToken != "" {
err := foundOIDCIdentityProviderI.RevokeToken(ctx, upstreamRefreshToken, provider.RefreshTokenType)
err := foundOIDCIdentityProviderI.RevokeToken(ctx, upstreamRefreshToken, upstreamprovider.RefreshTokenType)
if err != nil {
return err
}
@ -268,7 +269,7 @@ func (c *garbageCollectorController) tryRevokeUpstreamOIDCToken(ctx context.Cont
}
if upstreamAccessToken != "" {
err := foundOIDCIdentityProviderI.RevokeToken(ctx, upstreamAccessToken, provider.AccessTokenType)
err := foundOIDCIdentityProviderI.RevokeToken(ctx, upstreamAccessToken, upstreamprovider.AccessTokenType)
if err != nil {
return err
}

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package supervisorstorage
@ -25,11 +25,12 @@ import (
clocktesting "k8s.io/utils/clock/testing"
"go.pinniped.dev/internal/controllerlib"
"go.pinniped.dev/internal/federationdomain/clientregistry"
"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
"go.pinniped.dev/internal/fositestorage/accesstoken"
"go.pinniped.dev/internal/fositestorage/authorizationcode"
"go.pinniped.dev/internal/fositestorage/refreshtoken"
"go.pinniped.dev/internal/oidc/clientregistry"
"go.pinniped.dev/internal/oidc/provider"
"go.pinniped.dev/internal/psession"
"go.pinniped.dev/internal/testutil"
"go.pinniped.dev/internal/testutil/oidctestutil"
@ -137,7 +138,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
// Defer starting the informers until the last possible moment so that the
// nested Before's can keep adding things to the informer caches.
var startInformersAndController = func(idpCache provider.DynamicUpstreamIDPProvider) {
var startInformersAndController = func(idpCache dynamicupstreamprovider.DynamicUpstreamIDPProvider) {
// Set this at the last second to allow for injection of server override.
subject = GarbageCollectorController(
idpCache,
@ -263,7 +264,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
when("there are valid, expired authcode secrets which contain upstream refresh tokens", func() {
it.Before(func() {
activeOIDCAuthcodeSession := &authorizationcode.Session{
Version: "4",
Version: "5",
Active: true,
Request: &fosite.Request{
ID: "request-id-1",
@ -308,7 +309,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
inactiveOIDCAuthcodeSession := &authorizationcode.Session{
Version: "4",
Version: "5",
Active: false,
Request: &fosite.Request{
ID: "request-id-2",
@ -360,7 +361,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
WithRevokeTokenError(nil)
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
startInformersAndController(idpListerBuilder.Build())
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
// The upstream refresh token is only revoked for the active authcode session.
@ -369,7 +370,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
&oidctestutil.RevokeTokenArgs{
Ctx: syncContext.Context,
Token: "fake-upstream-refresh-token",
TokenType: provider.RefreshTokenType,
TokenType: upstreamprovider.RefreshTokenType,
},
)
@ -387,7 +388,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
when("there are valid, expired authcode secrets which contain upstream access tokens", func() {
it.Before(func() {
activeOIDCAuthcodeSession := &authorizationcode.Session{
Version: "4",
Version: "5",
Active: true,
Request: &fosite.Request{
ID: "request-id-1",
@ -432,7 +433,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
inactiveOIDCAuthcodeSession := &authorizationcode.Session{
Version: "4",
Version: "5",
Active: false,
Request: &fosite.Request{
ID: "request-id-2",
@ -484,7 +485,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
WithRevokeTokenError(nil)
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
startInformersAndController(idpListerBuilder.Build())
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
// The upstream refresh token is only revoked for the active authcode session.
@ -493,7 +494,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
&oidctestutil.RevokeTokenArgs{
Ctx: syncContext.Context,
Token: "fake-upstream-access-token",
TokenType: provider.AccessTokenType,
TokenType: upstreamprovider.AccessTokenType,
},
)
@ -511,7 +512,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
when("there is an invalid, expired authcode secret", func() {
it.Before(func() {
invalidOIDCAuthcodeSession := &authorizationcode.Session{
Version: "4",
Version: "5",
Active: true,
Request: &fosite.Request{
ID: "", // it is invalid for there to be a missing request ID
@ -561,7 +562,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
WithRevokeTokenError(nil)
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
startInformersAndController(idpListerBuilder.Build())
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
// Nothing to revoke since we couldn't read the invalid secret.
@ -580,7 +581,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
when("there is a valid, expired authcode secret but its upstream name does not match any existing upstream", func() {
it.Before(func() {
wrongProviderNameOIDCAuthcodeSession := &authorizationcode.Session{
Version: "4",
Version: "5",
Active: true,
Request: &fosite.Request{
ID: "request-id-1",
@ -632,7 +633,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
WithRevokeTokenError(nil)
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
startInformersAndController(idpListerBuilder.Build())
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
// Nothing to revoke since we couldn't find the upstream in the cache.
@ -651,7 +652,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
when("there is a valid, expired authcode secret but its upstream UID does not match any existing upstream", func() {
it.Before(func() {
wrongProviderNameOIDCAuthcodeSession := &authorizationcode.Session{
Version: "4",
Version: "5",
Active: true,
Request: &fosite.Request{
ID: "request-id-1",
@ -703,7 +704,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
WithRevokeTokenError(nil)
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
startInformersAndController(idpListerBuilder.Build())
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
// Nothing to revoke since we couldn't find the upstream in the cache.
@ -722,7 +723,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
when("there is a valid, recently expired authcode secret but the upstream revocation fails", func() {
it.Before(func() {
activeOIDCAuthcodeSession := &authorizationcode.Session{
Version: "4",
Version: "5",
Active: true,
Request: &fosite.Request{
ID: "request-id-1",
@ -773,10 +774,10 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
WithName("upstream-oidc-provider-name").
WithResourceUID("upstream-oidc-provider-uid").
// make the upstream revocation fail in a retryable way
WithRevokeTokenError(provider.NewRetryableRevocationError(errors.New("some retryable upstream revocation error")))
WithRevokeTokenError(dynamicupstreamprovider.NewRetryableRevocationError(errors.New("some retryable upstream revocation error")))
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
startInformersAndController(idpListerBuilder.Build())
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
// Tried to revoke it, although this revocation will fail.
@ -785,7 +786,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
&oidctestutil.RevokeTokenArgs{
Ctx: syncContext.Context,
Token: "fake-upstream-refresh-token",
TokenType: provider.RefreshTokenType,
TokenType: upstreamprovider.RefreshTokenType,
},
)
@ -801,7 +802,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
WithRevokeTokenError(errors.New("some upstream revocation error not worth retrying"))
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
startInformersAndController(idpListerBuilder.Build())
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
// Tried to revoke it, although this revocation will fail.
@ -810,7 +811,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
&oidctestutil.RevokeTokenArgs{
Ctx: syncContext.Context,
Token: "fake-upstream-refresh-token",
TokenType: provider.RefreshTokenType,
TokenType: upstreamprovider.RefreshTokenType,
},
)
@ -827,7 +828,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
when("there is a valid, long-since expired authcode secret but the upstream revocation fails", func() {
it.Before(func() {
activeOIDCAuthcodeSession := &authorizationcode.Session{
Version: "4",
Version: "5",
Active: true,
Request: &fosite.Request{
ID: "request-id-1",
@ -880,7 +881,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
WithRevokeTokenError(errors.New("some upstream revocation error")) // the upstream revocation will fail
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
startInformersAndController(idpListerBuilder.Build())
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
// Tried to revoke it, although this revocation will fail.
@ -889,7 +890,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
&oidctestutil.RevokeTokenArgs{
Ctx: syncContext.Context,
Token: "fake-upstream-refresh-token",
TokenType: provider.RefreshTokenType,
TokenType: upstreamprovider.RefreshTokenType,
},
)
@ -906,7 +907,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
when("there are valid, expired access token secrets which contain upstream refresh tokens", func() {
it.Before(func() {
offlineAccessGrantedOIDCAccessTokenSession := &accesstoken.Session{
Version: "4",
Version: "5",
Request: &fosite.Request{
GrantedScope: fosite.Arguments{"scope1", "scope2", "offline_access"},
ID: "request-id-1",
@ -951,7 +952,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
r.NoError(kubeClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret))
offlineAccessNotGrantedOIDCAccessTokenSession := &accesstoken.Session{
Version: "4",
Version: "5",
Request: &fosite.Request{
GrantedScope: fosite.Arguments{"scope1", "scope2"},
ID: "request-id-2",
@ -1003,7 +1004,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
WithRevokeTokenError(nil)
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
startInformersAndController(idpListerBuilder.Build())
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
// The upstream refresh token is only revoked for the downstream session which had offline_access granted.
@ -1012,7 +1013,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
&oidctestutil.RevokeTokenArgs{
Ctx: syncContext.Context,
Token: "fake-upstream-refresh-token",
TokenType: provider.RefreshTokenType,
TokenType: upstreamprovider.RefreshTokenType,
},
)
@ -1030,7 +1031,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
when("there are valid, expired access token secrets which contain upstream access tokens", func() {
it.Before(func() {
offlineAccessGrantedOIDCAccessTokenSession := &accesstoken.Session{
Version: "4",
Version: "5",
Request: &fosite.Request{
GrantedScope: fosite.Arguments{"scope1", "scope2", "offline_access"},
ID: "request-id-1",
@ -1075,7 +1076,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
r.NoError(kubeClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret))
offlineAccessNotGrantedOIDCAccessTokenSession := &accesstoken.Session{
Version: "4",
Version: "5",
Request: &fosite.Request{
GrantedScope: fosite.Arguments{"scope1", "scope2"},
ID: "request-id-2",
@ -1127,7 +1128,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
WithRevokeTokenError(nil)
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
startInformersAndController(idpListerBuilder.Build())
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
// The upstream refresh token is only revoked for the downstream session which had offline_access granted.
@ -1136,7 +1137,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
&oidctestutil.RevokeTokenArgs{
Ctx: syncContext.Context,
Token: "fake-upstream-access-token",
TokenType: provider.AccessTokenType,
TokenType: upstreamprovider.AccessTokenType,
},
)
@ -1154,7 +1155,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
when("there are valid, expired refresh secrets which contain upstream refresh tokens", func() {
it.Before(func() {
oidcRefreshSession := &refreshtoken.Session{
Version: "4",
Version: "5",
Request: &fosite.Request{
ID: "request-id-1",
Client: &clientregistry.Client{},
@ -1205,7 +1206,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
WithRevokeTokenError(nil)
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
startInformersAndController(idpListerBuilder.Build())
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
// The upstream refresh token is revoked.
@ -1214,7 +1215,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
&oidctestutil.RevokeTokenArgs{
Ctx: syncContext.Context,
Token: "fake-upstream-refresh-token",
TokenType: provider.RefreshTokenType,
TokenType: upstreamprovider.RefreshTokenType,
},
)
@ -1231,7 +1232,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
when("there are valid, expired refresh secrets which contain upstream access tokens", func() {
it.Before(func() {
oidcRefreshSession := &refreshtoken.Session{
Version: "4",
Version: "5",
Request: &fosite.Request{
ID: "request-id-1",
Client: &clientregistry.Client{},
@ -1282,7 +1283,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
WithRevokeTokenError(nil)
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
startInformersAndController(idpListerBuilder.Build())
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
// The upstream refresh token is revoked.
@ -1291,7 +1292,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
&oidctestutil.RevokeTokenArgs{
Ctx: syncContext.Context,
Token: "fake-upstream-access-token",
TokenType: provider.AccessTokenType,
TokenType: upstreamprovider.AccessTokenType,
},
)

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package controller
@ -18,6 +18,16 @@ func NameAndNamespaceExactMatchFilterFactory(name, namespace string) controllerl
}, nil)
}
// MatchAnythingIgnoringUpdatesFilter returns a controllerlib.Filter that allows all objects but ignores updates.
func MatchAnythingIgnoringUpdatesFilter(parentFunc controllerlib.ParentFunc) controllerlib.Filter {
return controllerlib.FilterFuncs{
AddFunc: func(object metav1.Object) bool { return true },
UpdateFunc: func(oldObj, newObj metav1.Object) bool { return false },
DeleteFunc: func(object metav1.Object) bool { return true },
ParentFunc: parentFunc,
}
}
// MatchAnythingFilter returns a controllerlib.Filter that allows all objects.
func MatchAnythingFilter(parentFunc controllerlib.ParentFunc) controllerlib.Filter {
return SimpleFilter(func(object metav1.Object) bool { return true }, parentFunc)

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package controllermanager provides an entrypoint into running all of the controllers that run as

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package clientregistry defines Pinniped's OAuth2/OIDC clients.
@ -18,7 +18,7 @@ import (
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
supervisorclient "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
"go.pinniped.dev/internal/oidc/oidcclientvalidator"
"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
"go.pinniped.dev/internal/oidcclientsecretstorage"
"go.pinniped.dev/internal/plog"
)

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package clientregistry
@ -21,7 +21,7 @@ import (
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
"go.pinniped.dev/internal/oidc/oidcclientvalidator"
"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
"go.pinniped.dev/internal/oidcclientsecretstorage"
"go.pinniped.dev/internal/testutil"
)

View File

@ -1,4 +1,4 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package csp defines helpers related to HTML Content Security Policies.

View File

@ -1,4 +1,4 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package csp

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package csrftoken

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package csrftoken

View File

@ -5,6 +5,7 @@
package downstreamsession
import (
"context"
"errors"
"fmt"
"net/url"
@ -19,8 +20,9 @@ import (
oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
"go.pinniped.dev/internal/authenticators"
"go.pinniped.dev/internal/constable"
"go.pinniped.dev/internal/oidc"
"go.pinniped.dev/internal/oidc/provider"
"go.pinniped.dev/internal/federationdomain/oidc"
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
"go.pinniped.dev/internal/idtransform"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/psession"
"go.pinniped.dev/pkg/oidcclient/oidctypes"
@ -38,6 +40,9 @@ const (
requiredClaimEmptyErr = constable.Error("required claim in upstream ID token is empty")
emailVerifiedClaimInvalidFormatErr = constable.Error("email_verified claim in upstream ID token has invalid format")
emailVerifiedClaimFalseErr = constable.Error("email_verified claim in upstream ID token has false value")
idTransformUnexpectedErr = constable.Error("configured identity transformation or policy resulted in unexpected error")
idpNameSubjectQueryParam = "idpName"
)
// MakeDownstreamSession creates a downstream OIDC session.
@ -82,13 +87,17 @@ func MakeDownstreamSession(
}
func MakeDownstreamLDAPOrADCustomSessionData(
ldapUpstream provider.UpstreamLDAPIdentityProviderI,
ldapUpstream upstreamprovider.UpstreamLDAPIdentityProviderI,
idpType psession.ProviderType,
authenticateResponse *authenticators.Response,
username string,
untransformedUpstreamUsername string,
untransformedUpstreamGroups []string,
) *psession.CustomSessionData {
customSessionData := &psession.CustomSessionData{
Username: username,
UpstreamUsername: untransformedUpstreamUsername,
UpstreamGroups: untransformedUpstreamGroups,
ProviderUID: ldapUpstream.GetResourceUID(),
ProviderName: ldapUpstream.GetName(),
ProviderType: idpType,
@ -112,9 +121,11 @@ func MakeDownstreamLDAPOrADCustomSessionData(
}
func MakeDownstreamOIDCCustomSessionData(
oidcUpstream provider.UpstreamOIDCIdentityProviderI,
oidcUpstream upstreamprovider.UpstreamOIDCIdentityProviderI,
token *oidctypes.Token,
username string,
untransformedUpstreamUsername string,
untransformedUpstreamGroups []string,
) (*psession.CustomSessionData, error) {
upstreamSubject, err := ExtractStringClaimValue(oidcapi.IDTokenClaimSubject, oidcUpstream.GetName(), token.IDToken.Claims)
if err != nil {
@ -127,6 +138,8 @@ func MakeDownstreamOIDCCustomSessionData(
customSessionData := &psession.CustomSessionData{
Username: username,
UpstreamUsername: untransformedUpstreamUsername,
UpstreamGroups: untransformedUpstreamGroups,
ProviderUID: oidcUpstream.GetResourceUID(),
ProviderName: oidcUpstream.GetName(),
ProviderType: psession.ProviderTypeOIDC,
@ -200,10 +213,11 @@ func AutoApproveScopes(authorizeRequester fosite.AuthorizeRequester) {
// GetDownstreamIdentityFromUpstreamIDToken returns the mapped subject, username, and group names, in that order.
func GetDownstreamIdentityFromUpstreamIDToken(
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
upstreamIDPConfig upstreamprovider.UpstreamOIDCIdentityProviderI,
idTokenClaims map[string]interface{},
idpDisplayName string,
) (string, string, []string, error) {
subject, username, err := getSubjectAndUsernameFromUpstreamIDToken(upstreamIDPConfig, idTokenClaims)
subject, username, err := getSubjectAndUsernameFromUpstreamIDToken(upstreamIDPConfig, idTokenClaims, idpDisplayName)
if err != nil {
return "", "", nil, err
}
@ -218,7 +232,7 @@ func GetDownstreamIdentityFromUpstreamIDToken(
// MapAdditionalClaimsFromUpstreamIDToken returns the additionalClaims mapped from the upstream token, if any.
func MapAdditionalClaimsFromUpstreamIDToken(
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
upstreamIDPConfig upstreamprovider.UpstreamOIDCIdentityProviderI,
idTokenClaims map[string]interface{},
) map[string]interface{} {
mapped := make(map[string]interface{}, len(upstreamIDPConfig.GetAdditionalClaimMappings()))
@ -237,9 +251,34 @@ func MapAdditionalClaimsFromUpstreamIDToken(
return mapped
}
func ApplyIdentityTransformations(
ctx context.Context,
identityTransforms *idtransform.TransformationPipeline,
username string,
groups []string,
) (string, []string, error) {
transformationResult, err := identityTransforms.Evaluate(ctx, username, groups)
if err != nil {
plog.Error("unexpected identity transformation error during authentication", err, "inputUsername", username)
return "", nil, idTransformUnexpectedErr
}
if !transformationResult.AuthenticationAllowed {
plog.Debug("authentication rejected by configured policy", "inputUsername", username, "inputGroups", groups)
return "", nil, fmt.Errorf("configured identity policy rejected this authentication: %s", transformationResult.RejectedAuthenticationMessage)
}
plog.Debug("identity transformation successfully applied during authentication",
"originalUsername", username,
"newUsername", transformationResult.Username,
"originalGroups", groups,
"newGroups", transformationResult.Groups,
)
return transformationResult.Username, transformationResult.Groups, nil
}
func getSubjectAndUsernameFromUpstreamIDToken(
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
upstreamIDPConfig upstreamprovider.UpstreamOIDCIdentityProviderI,
idTokenClaims map[string]interface{},
idpDisplayName string,
) (string, string, error) {
// The spec says the "sub" claim is only unique per issuer,
// so we will prepend the issuer string to make it globally unique.
@ -251,11 +290,11 @@ func getSubjectAndUsernameFromUpstreamIDToken(
if err != nil {
return "", "", err
}
subject := downstreamSubjectFromUpstreamOIDC(upstreamIssuer, upstreamSubject)
subject := downstreamSubjectFromUpstreamOIDC(upstreamIssuer, upstreamSubject, idpDisplayName)
usernameClaimName := upstreamIDPConfig.GetUsernameClaim()
if usernameClaimName == "" {
return subject, subject, nil
return subject, downstreamUsernameFromUpstreamOIDCSubject(upstreamIssuer, upstreamSubject), nil
}
// If the upstream username claim is configured to be the special "email" claim and the upstream "email_verified"
@ -323,27 +362,41 @@ func ExtractStringClaimValue(claimName string, upstreamIDPName string, idTokenCl
return valueAsString, nil
}
func DownstreamSubjectFromUpstreamLDAP(ldapUpstream provider.UpstreamLDAPIdentityProviderI, authenticateResponse *authenticators.Response) string {
func DownstreamSubjectFromUpstreamLDAP(
ldapUpstream upstreamprovider.UpstreamLDAPIdentityProviderI,
authenticateResponse *authenticators.Response,
idpDisplayName string,
) string {
ldapURL := *ldapUpstream.GetURL()
return DownstreamLDAPSubject(authenticateResponse.User.GetUID(), ldapURL)
return DownstreamLDAPSubject(authenticateResponse.User.GetUID(), ldapURL, idpDisplayName)
}
func DownstreamLDAPSubject(uid string, ldapURL url.URL) string {
func DownstreamLDAPSubject(uid string, ldapURL url.URL, idpDisplayName string) string {
q := ldapURL.Query()
q.Set(idpNameSubjectQueryParam, idpDisplayName)
q.Set(oidcapi.IDTokenClaimSubject, uid)
ldapURL.RawQuery = q.Encode()
return ldapURL.String()
}
func downstreamSubjectFromUpstreamOIDC(upstreamIssuerAsString string, upstreamSubject string) string {
return fmt.Sprintf("%s?%s=%s", upstreamIssuerAsString, oidcapi.IDTokenClaimSubject, url.QueryEscape(upstreamSubject))
func downstreamSubjectFromUpstreamOIDC(upstreamIssuerAsString string, upstreamSubject string, idpDisplayName string) string {
return fmt.Sprintf("%s?%s=%s&%s=%s", upstreamIssuerAsString,
idpNameSubjectQueryParam, url.QueryEscape(idpDisplayName),
oidcapi.IDTokenClaimSubject, url.QueryEscape(upstreamSubject),
)
}
func downstreamUsernameFromUpstreamOIDCSubject(upstreamIssuerAsString string, upstreamSubject string) string {
return fmt.Sprintf("%s?%s=%s", upstreamIssuerAsString,
oidcapi.IDTokenClaimSubject, url.QueryEscape(upstreamSubject),
)
}
// GetGroupsFromUpstreamIDToken returns mapped group names coerced into a slice of strings.
// It returns nil when there is no configured groups claim name, or then when the configured claim name is not found
// in the provided map of claims. It returns an error when the claim exists but its value cannot be parsed.
func GetGroupsFromUpstreamIDToken(
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
upstreamIDPConfig upstreamprovider.UpstreamOIDCIdentityProviderI,
idTokenClaims map[string]interface{},
) ([]string, error) {
groupsClaimName := upstreamIDPConfig.GetGroupsClaim()

View File

@ -0,0 +1,274 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package downstreamsession
import (
"context"
"net/url"
"testing"
"time"
"github.com/stretchr/testify/require"
"go.pinniped.dev/internal/celtransformer"
"go.pinniped.dev/internal/idtransform"
"go.pinniped.dev/internal/testutil/oidctestutil"
)
func TestMapAdditionalClaimsFromUpstreamIDToken(t *testing.T) {
tests := []struct {
name string
additionalClaimMappings map[string]string
upstreamClaims map[string]interface{}
wantClaims map[string]interface{}
}{
{
name: "happy path",
additionalClaimMappings: map[string]string{
"email": "notification_email",
},
upstreamClaims: map[string]interface{}{
"notification_email": "test@example.com",
},
wantClaims: map[string]interface{}{
"email": "test@example.com",
},
},
{
name: "missing",
additionalClaimMappings: map[string]string{
"email": "email",
},
upstreamClaims: map[string]interface{}{},
wantClaims: map[string]interface{}{},
},
{
name: "complex",
additionalClaimMappings: map[string]string{
"complex": "complex",
},
upstreamClaims: map[string]interface{}{
"complex": map[string]string{
"subClaim": "subValue",
},
},
wantClaims: map[string]interface{}{
"complex": map[string]string{
"subClaim": "subValue",
},
},
},
}
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
t.Parallel()
idp := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
WithAdditionalClaimMappings(test.additionalClaimMappings).
Build()
actual := MapAdditionalClaimsFromUpstreamIDToken(idp, test.upstreamClaims)
require.Equal(t, test.wantClaims, actual)
})
}
}
func TestApplyIdentityTransformations(t *testing.T) {
tests := []struct {
name string
transforms []celtransformer.CELTransformation
username string
groups []string
wantUsername string
wantGroups []string
wantErr string
}{
{
name: "unexpected errors",
transforms: []celtransformer.CELTransformation{
&celtransformer.UsernameTransformation{Expression: `""`},
},
username: "ryan",
groups: []string{"a", "b"},
wantErr: "configured identity transformation or policy resulted in unexpected error",
},
{
name: "auth disallowed by policy with implicit rejection message",
transforms: []celtransformer.CELTransformation{
&celtransformer.AllowAuthenticationPolicy{Expression: `false`},
},
username: "ryan",
groups: []string{"a", "b"},
wantErr: "configured identity policy rejected this authentication: authentication was rejected by a configured policy",
},
{
name: "auth disallowed by policy with explicit rejection message",
transforms: []celtransformer.CELTransformation{
&celtransformer.AllowAuthenticationPolicy{
Expression: `false`,
RejectedAuthenticationMessage: "this is the stated reason",
},
},
username: "ryan",
groups: []string{"a", "b"},
wantErr: "configured identity policy rejected this authentication: this is the stated reason",
},
{
name: "successful auth",
transforms: []celtransformer.CELTransformation{
&celtransformer.UsernameTransformation{Expression: `"pre:" + username`},
&celtransformer.GroupsTransformation{Expression: `groups.map(g, "pre:" + g)`},
},
username: "ryan",
groups: []string{"a", "b"},
wantUsername: "pre:ryan",
wantGroups: []string{"pre:a", "pre:b"},
},
}
for _, test := range tests {
tt := test
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
transformer, err := celtransformer.NewCELTransformer(5 * time.Second)
require.NoError(t, err)
pipeline := idtransform.NewTransformationPipeline()
for _, transform := range tt.transforms {
compiledTransform, err := transformer.CompileTransformation(transform, nil)
require.NoError(t, err)
pipeline.AppendTransformation(compiledTransform)
}
gotUsername, gotGroups, err := ApplyIdentityTransformations(context.Background(), pipeline, tt.username, tt.groups)
if tt.wantErr != "" {
require.EqualError(t, err, tt.wantErr)
require.Empty(t, gotUsername)
require.Nil(t, gotGroups)
} else {
require.NoError(t, err)
require.Equal(t, tt.wantUsername, gotUsername)
require.Equal(t, tt.wantGroups, gotGroups)
}
})
}
}
func TestDownstreamLDAPSubject(t *testing.T) {
tests := []struct {
name string
uid string
ldapURL string
idpDisplayName string
wantSubject string
}{
{
name: "simple display name",
uid: "some uid",
ldapURL: "ldaps://server.example.com:1234",
idpDisplayName: "simpleName",
wantSubject: "ldaps://server.example.com:1234?idpName=simpleName&sub=some+uid",
},
{
name: "interesting display name",
uid: "some uid",
ldapURL: "ldaps://server.example.com:1234",
idpDisplayName: "this is a 👍 display name that 🦭 can handle",
wantSubject: "ldaps://server.example.com:1234?idpName=this+is+a+%F0%9F%91%8D+display+name+that+%F0%9F%A6%AD+can+handle&sub=some+uid",
},
{
name: "url already has query",
uid: "some uid",
ldapURL: "ldaps://server.example.com:1234?a=1&b=%F0%9F%A6%AD",
idpDisplayName: "some name",
wantSubject: "ldaps://server.example.com:1234?a=1&b=%F0%9F%A6%AD&idpName=some+name&sub=some+uid",
},
}
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
t.Parallel()
url, err := url.Parse(test.ldapURL)
require.NoError(t, err)
actual := DownstreamLDAPSubject(test.uid, *url, test.idpDisplayName)
require.Equal(t, test.wantSubject, actual)
})
}
}
func TestDownstreamSubjectFromUpstreamOIDC(t *testing.T) {
tests := []struct {
name string
upstreamIssuerAsString string
upstreamSubject string
idpDisplayName string
wantSubject string
}{
{
name: "simple display name",
upstreamIssuerAsString: "https://server.example.com:1234/path",
upstreamSubject: "some subject",
idpDisplayName: "simpleName",
wantSubject: "https://server.example.com:1234/path?idpName=simpleName&sub=some+subject",
},
{
name: "interesting display name",
upstreamIssuerAsString: "https://server.example.com:1234/path",
upstreamSubject: "some subject",
idpDisplayName: "this is a 👍 display name that 🦭 can handle",
wantSubject: "https://server.example.com:1234/path?idpName=this+is+a+%F0%9F%91%8D+display+name+that+%F0%9F%A6%AD+can+handle&sub=some+subject",
},
}
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
t.Parallel()
actual := downstreamSubjectFromUpstreamOIDC(test.upstreamIssuerAsString, test.upstreamSubject, test.idpDisplayName)
require.Equal(t, test.wantSubject, actual)
})
}
}
func TestDownstreamUsernameFromUpstreamOIDCSubject(t *testing.T) {
tests := []struct {
name string
upstreamIssuerAsString string
upstreamSubject string
wantSubject string
}{
{
name: "simple upstreamSubject",
upstreamIssuerAsString: "https://server.example.com:1234/path",
upstreamSubject: "some subject",
wantSubject: "https://server.example.com:1234/path?sub=some+subject",
},
{
name: "interesting upstreamSubject",
upstreamIssuerAsString: "https://server.example.com:1234/path",
upstreamSubject: "this is a 👍 subject that 🦭 can handle",
wantSubject: "https://server.example.com:1234/path?sub=this+is+a+%F0%9F%91%8D+subject+that+%F0%9F%A6%AD+can+handle",
},
}
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
t.Parallel()
actual := downstreamUsernameFromUpstreamOIDCSubject(test.upstreamIssuerAsString, test.upstreamSubject)
require.Equal(t, test.wantSubject, actual)
})
}
}

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package dynamiccodec provides a type that can encode information using a just-in-time signing and
@ -10,7 +10,7 @@ import (
"github.com/gorilla/securecookie"
"go.pinniped.dev/internal/oidc"
"go.pinniped.dev/internal/federationdomain/oidc"
)
var _ oidc.Codec = &Codec{}

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package dynamiccodec

View File

@ -1,7 +1,7 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package provider
package dynamictlscertprovider
import (
"crypto/tls"

Some files were not shown because too many files have changed in this diff Show More