Merge pull request #1419 from vmware-tanzu/multiple_idps_and_transformations
Support multiple IDPs and identity transformations on Supervisor FederationDomains
This commit is contained in:
commit
06d456fc87
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package v1alpha1
|
||||
@ -8,14 +8,17 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
|
||||
type FederationDomainStatusCondition string
|
||||
type FederationDomainPhase string
|
||||
|
||||
const (
|
||||
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
|
||||
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
|
||||
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
|
||||
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
|
||||
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
|
||||
FederationDomainPhasePending FederationDomainPhase = "Pending"
|
||||
|
||||
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
|
||||
FederationDomainPhaseReady FederationDomainPhase = "Ready"
|
||||
|
||||
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
|
||||
FederationDomainPhaseError FederationDomainPhase = "Error"
|
||||
)
|
||||
|
||||
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
|
||||
// the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
type FederationDomainTransformsConstant struct {
|
||||
// Name determines the name of the constant. It must be a valid identifier name.
|
||||
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
// +kubebuilder:validation:MaxLength=64
|
||||
Name string `json:"name"`
|
||||
|
||||
// Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
// +kubebuilder:validation:Enum=string;stringList
|
||||
Type string `json:"type"`
|
||||
|
||||
// StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
// +optional
|
||||
StringValue string `json:"stringValue,omitempty"`
|
||||
|
||||
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
// +optional
|
||||
StringListValue []string `json:"stringListValue,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExpression defines a transform expression.
|
||||
type FederationDomainTransformsExpression struct {
|
||||
// Type determines the type of the expression. It must be one of the supported types.
|
||||
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
|
||||
Type string `json:"type"`
|
||||
|
||||
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Expression string `json:"expression"`
|
||||
|
||||
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
|
||||
// an authentication attempt. When empty, a default message will be used.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExample defines a transform example.
|
||||
type FederationDomainTransformsExample struct {
|
||||
// Username is the input username.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Username string `json:"username"`
|
||||
|
||||
// Groups is the input list of group names.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Expects is the expected output of the entire sequence of transforms when they are run against the
|
||||
// input Username and Groups.
|
||||
Expects FederationDomainTransformsExampleExpects `json:"expects"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
type FederationDomainTransformsExampleExpects struct {
|
||||
// Username is the expected username after the transformations have been applied.
|
||||
// +optional
|
||||
Username string `json:"username,omitempty"`
|
||||
|
||||
// Groups is the expected list of group names after the transformations have been applied.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
|
||||
// after the transformations have been applied. True means that it is expected that the authentication would be
|
||||
// rejected. The default value of false means that it is expected that the authentication would not be rejected
|
||||
// by any policy expression.
|
||||
// +optional
|
||||
Rejected bool `json:"rejected,omitempty"`
|
||||
|
||||
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
|
||||
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
|
||||
// then Message will be treated as the default error message for authentication attempts which are rejected by a
|
||||
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
|
||||
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
type FederationDomainTransforms struct {
|
||||
// Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
// +patchMergeKey=name
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=name
|
||||
// +optional
|
||||
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
|
||||
|
||||
// Expressions are an optional list of transforms and policies to be executed in the order given during every
|
||||
// authentication attempt, including during every session refresh.
|
||||
// Each is a CEL expression. It may use the basic CEL language as defined in
|
||||
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
|
||||
// https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
//
|
||||
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
|
||||
// available as variables in all expressions. The username is provided via a variable called `username` and
|
||||
// the list of group names is provided via a variable called `groups` (which may be an empty list).
|
||||
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
|
||||
// and `strListConst.varName` for string list constants.
|
||||
//
|
||||
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
|
||||
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
|
||||
// and the authentication attempt is rejected.
|
||||
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
|
||||
// username or group names.
|
||||
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
|
||||
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
|
||||
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
|
||||
// groups list.
|
||||
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
|
||||
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
//
|
||||
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
|
||||
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
|
||||
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
|
||||
// and group names have been decided for that authentication attempt.
|
||||
//
|
||||
// +optional
|
||||
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
|
||||
|
||||
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
|
||||
// expected. Examples define sample input identities which are then run through the expression list, and the
|
||||
// results are compared to the expected results. If any example in this list fails, then this
|
||||
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
|
||||
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
|
||||
// expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
// +optional
|
||||
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
type FederationDomainIdentityProvider struct {
|
||||
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
|
||||
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
|
||||
// disruptive change for those users.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
DisplayName string `json:"displayName"`
|
||||
|
||||
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
|
||||
// If the reference cannot be resolved then the identity provider will not be made available.
|
||||
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
|
||||
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
|
||||
|
||||
// Transforms is an optional way to specify transformations to be applied during user authentication and
|
||||
// session refresh.
|
||||
// +optional
|
||||
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
type FederationDomainSpec struct {
|
||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Issuer string `json:"issuer"`
|
||||
|
||||
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
// +optional
|
||||
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
|
||||
|
||||
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
//
|
||||
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
|
||||
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
|
||||
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
|
||||
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
|
||||
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
|
||||
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
|
||||
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
|
||||
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
|
||||
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
|
||||
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
|
||||
// disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
//
|
||||
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
|
||||
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
|
||||
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
|
||||
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
|
||||
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
|
||||
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
|
||||
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
|
||||
// explicitly list the identity provider using this IdentityProviders field.
|
||||
//
|
||||
// +optional
|
||||
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
|
||||
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
|
||||
|
||||
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
|
||||
type FederationDomainStatus struct {
|
||||
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
|
||||
// represent success or failure.
|
||||
// +optional
|
||||
Status FederationDomainStatusCondition `json:"status,omitempty"`
|
||||
// Phase summarizes the overall status of the FederationDomain.
|
||||
// +kubebuilder:default=Pending
|
||||
// +kubebuilder:validation:Enum=Pending;Ready;Error
|
||||
Phase FederationDomainPhase `json:"phase,omitempty"`
|
||||
|
||||
// Message provides human-readable details about the Status.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
|
||||
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
|
||||
// around some undesirable behavior with respect to the empty metav1.Time value (see
|
||||
// https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
// +optional
|
||||
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
|
||||
// Conditions represent the observations of an FederationDomain's current state.
|
||||
// +patchMergeKey=type
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=type
|
||||
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
|
||||
|
||||
// Secrets contains information about this OIDC Provider's secrets.
|
||||
// +optional
|
||||
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type FederationDomain struct {
|
||||
|
@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
type OIDCClientPhase string
|
||||
|
||||
const (
|
||||
// PhasePending is the default phase for newly-created OIDCClient resources.
|
||||
PhasePending OIDCClientPhase = "Pending"
|
||||
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
|
||||
OIDCClientPhasePending OIDCClientPhase = "Pending"
|
||||
|
||||
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
PhaseReady OIDCClientPhase = "Ready"
|
||||
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
OIDCClientPhaseReady OIDCClientPhase = "Ready"
|
||||
|
||||
// PhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
PhaseError OIDCClientPhase = "Error"
|
||||
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
OIDCClientPhaseError OIDCClientPhase = "Error"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
|
||||
|
@ -21,7 +21,7 @@ spec:
|
||||
- jsonPath: .spec.issuer
|
||||
name: Issuer
|
||||
type: string
|
||||
- jsonPath: .status.status
|
||||
- jsonPath: .status.phase
|
||||
name: Status
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
@ -47,6 +47,263 @@ spec:
|
||||
spec:
|
||||
description: Spec of the OIDC provider.
|
||||
properties:
|
||||
identityProviders:
|
||||
description: "IdentityProviders is the list of identity providers
|
||||
available for use by this FederationDomain. \n An identity provider
|
||||
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
|
||||
how to connect to a server, how to talk in a specific protocol for
|
||||
authentication, and how to use the schema of that server/protocol
|
||||
to extract a normalized user identity. Normalized user identities
|
||||
include a username and a list of group names. In contrast, IdentityProviders
|
||||
describes how to use that normalized identity in those Kubernetes
|
||||
clusters which belong to this FederationDomain. Each entry in IdentityProviders
|
||||
can be configured with arbitrary transformations on that normalized
|
||||
identity. For example, a transformation can add a prefix to all
|
||||
usernames to help avoid accidental conflicts when multiple identity
|
||||
providers have different users with the same username (e.g. \"idp1:ryan\"
|
||||
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
|
||||
implement arbitrary authentication rejection policies. Even though
|
||||
a user was able to authenticate with the identity provider, a policy
|
||||
can disallow the authentication to the Kubernetes clusters that
|
||||
belong to this FederationDomain. For example, a policy could disallow
|
||||
the authentication unless the user belongs to a specific group in
|
||||
the identity provider. \n For backwards compatibility with versions
|
||||
of Pinniped which predate support for multiple identity providers,
|
||||
an empty IdentityProviders list will cause the FederationDomain
|
||||
to use all available identity providers which exist in the same
|
||||
namespace, but also to reject all authentication requests when there
|
||||
is more than one identity provider currently defined. In this backwards
|
||||
compatibility mode, the name of the identity provider resource (e.g.
|
||||
the Name of an OIDCIdentityProvider resource) will be used as the
|
||||
name of the identity provider in this FederationDomain. This mode
|
||||
is provided to make upgrading from older versions easier. However,
|
||||
instead of relying on this backwards compatibility mode, please
|
||||
consider this mode to be deprecated and please instead explicitly
|
||||
list the identity provider using this IdentityProviders field."
|
||||
items:
|
||||
description: FederationDomainIdentityProvider describes how an identity
|
||||
provider is made available in this FederationDomain.
|
||||
properties:
|
||||
displayName:
|
||||
description: DisplayName is the name of this identity provider
|
||||
as it will appear to clients. This name ends up in the kubeconfig
|
||||
of end users, so changing the name of an identity provider
|
||||
that is in use by end users will be a disruptive change for
|
||||
those users.
|
||||
minLength: 1
|
||||
type: string
|
||||
objectRef:
|
||||
description: ObjectRef is a reference to a Pinniped identity
|
||||
provider resource. A valid reference is required. If the reference
|
||||
cannot be resolved then the identity provider will not be
|
||||
made available. Must refer to a resource of one of the Pinniped
|
||||
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
|
||||
ActiveDirectoryIdentityProvider.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup is the group for the resource being
|
||||
referenced. If APIGroup is not specified, the specified
|
||||
Kind must be in the core API group. For any other third-party
|
||||
types, APIGroup is required.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is the type of resource being referenced
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of resource being referenced
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
transforms:
|
||||
description: Transforms is an optional way to specify transformations
|
||||
to be applied during user authentication and session refresh.
|
||||
properties:
|
||||
constants:
|
||||
description: Constants defines constant variables and their
|
||||
values which will be made available to the transform expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsConstant defines
|
||||
a constant variable and its value which will be made
|
||||
available to the transform expressions. This is a union
|
||||
type, and Type is the discriminator field.
|
||||
properties:
|
||||
name:
|
||||
description: Name determines the name of the constant.
|
||||
It must be a valid identifier name.
|
||||
maxLength: 64
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
|
||||
type: string
|
||||
stringListValue:
|
||||
description: StringListValue should hold the value
|
||||
when Type is "stringList", and is otherwise ignored.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
stringValue:
|
||||
description: StringValue should hold the value when
|
||||
Type is "string", and is otherwise ignored.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the constant,
|
||||
and indicates which other field should be non-empty.
|
||||
enum:
|
||||
- string
|
||||
- stringList
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- name
|
||||
x-kubernetes-list-type: map
|
||||
examples:
|
||||
description: Examples can optionally be used to ensure that
|
||||
the sequence of transformation expressions are working
|
||||
as expected. Examples define sample input identities which
|
||||
are then run through the expression list, and the results
|
||||
are compared to the expected results. If any example in
|
||||
this list fails, then this identity provider will not
|
||||
be available for use within this FederationDomain, and
|
||||
the error(s) will be added to the FederationDomain status.
|
||||
This can be used to help guard against programming mistakes
|
||||
in the expressions, and also act as living documentation
|
||||
for other administrators to better understand the expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsExample defines
|
||||
a transform example.
|
||||
properties:
|
||||
expects:
|
||||
description: Expects is the expected output of the
|
||||
entire sequence of transforms when they are run
|
||||
against the input Username and Groups.
|
||||
properties:
|
||||
groups:
|
||||
description: Groups is the expected list of group
|
||||
names after the transformations have been applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
message:
|
||||
description: Message is the expected error message
|
||||
of the transforms. When Rejected is true, then
|
||||
Message is the expected message for the policy
|
||||
which rejected the authentication attempt. When
|
||||
Rejected is true and Message is blank, then
|
||||
Message will be treated as the default error
|
||||
message for authentication attempts which are
|
||||
rejected by a policy. When Rejected is false,
|
||||
then Message is the expected error message for
|
||||
some other non-policy transformation error,
|
||||
such as a runtime error. When Rejected is false,
|
||||
there is no default expected Message.
|
||||
type: string
|
||||
rejected:
|
||||
description: Rejected is a boolean that indicates
|
||||
whether authentication is expected to be rejected
|
||||
by a policy expression after the transformations
|
||||
have been applied. True means that it is expected
|
||||
that the authentication would be rejected. The
|
||||
default value of false means that it is expected
|
||||
that the authentication would not be rejected
|
||||
by any policy expression.
|
||||
type: boolean
|
||||
username:
|
||||
description: Username is the expected username
|
||||
after the transformations have been applied.
|
||||
type: string
|
||||
type: object
|
||||
groups:
|
||||
description: Groups is the input list of group names.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
username:
|
||||
description: Username is the input username.
|
||||
minLength: 1
|
||||
type: string
|
||||
required:
|
||||
- expects
|
||||
- username
|
||||
type: object
|
||||
type: array
|
||||
expressions:
|
||||
description: "Expressions are an optional list of transforms
|
||||
and policies to be executed in the order given during
|
||||
every authentication attempt, including during every session
|
||||
refresh. Each is a CEL expression. It may use the basic
|
||||
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
|
||||
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
\n The username and groups extracted from the identity
|
||||
provider, and the constants defined in this CR, are available
|
||||
as variables in all expressions. The username is provided
|
||||
via a variable called `username` and the list of group
|
||||
names is provided via a variable called `groups` (which
|
||||
may be an empty list). Each user-provided constants is
|
||||
provided via a variable named `strConst.varName` for string
|
||||
constants and `strListConst.varName` for string list constants.
|
||||
\n The only allowed types for expressions are currently
|
||||
policy/v1, username/v1, and groups/v1. Each policy/v1
|
||||
must return a boolean, and when it returns false, no more
|
||||
expressions from the list are evaluated and the authentication
|
||||
attempt is rejected. Transformations of type policy/v1
|
||||
do not return usernames or group names, and therefore
|
||||
cannot change the username or group names. Each username/v1
|
||||
transform must return the new username (a string), which
|
||||
can be the same as the old username. Transformations of
|
||||
type username/v1 do not return group names, and therefore
|
||||
cannot change the group names. Each groups/v1 transform
|
||||
must return the new groups list (list of strings), which
|
||||
can be the same as the old groups list. Transformations
|
||||
of type groups/v1 do not return usernames, and therefore
|
||||
cannot change the usernames. After each expression, the
|
||||
new (potentially changed) username or groups get passed
|
||||
to the following expression. \n Any compilation or static
|
||||
type-checking failure of any expression will cause an
|
||||
error status on the FederationDomain. During an authentication
|
||||
attempt, any unexpected runtime evaluation errors (e.g.
|
||||
division by zero) cause the authentication attempt to
|
||||
fail. When all expressions evaluate successfully, then
|
||||
the (potentially changed) username and group names have
|
||||
been decided for that authentication attempt."
|
||||
items:
|
||||
description: FederationDomainTransformsExpression defines
|
||||
a transform expression.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is a CEL expression that will
|
||||
be evaluated based on the Type during an authentication.
|
||||
minLength: 1
|
||||
type: string
|
||||
message:
|
||||
description: Message is only used when Type is policy/v1.
|
||||
It defines an error message to be used when the
|
||||
policy rejects an authentication attempt. When empty,
|
||||
a default message will be used.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the expression.
|
||||
It must be one of the supported types.
|
||||
enum:
|
||||
- policy/v1
|
||||
- username/v1
|
||||
- groups/v1
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- displayName
|
||||
- objectRef
|
||||
type: object
|
||||
type: array
|
||||
issuer:
|
||||
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
|
||||
Metadata document, as well as the identifier that it will use for
|
||||
@ -59,8 +316,8 @@ spec:
|
||||
minLength: 1
|
||||
type: string
|
||||
tls:
|
||||
description: TLS configures how this FederationDomain is served over
|
||||
Transport Layer Security (TLS).
|
||||
description: TLS specifies a secret which will contain Transport Layer
|
||||
Security (TLS) configuration for the FederationDomain.
|
||||
properties:
|
||||
secretName:
|
||||
description: "SecretName is an optional name of a Secret in the
|
||||
@ -91,14 +348,86 @@ spec:
|
||||
status:
|
||||
description: Status of the OIDC provider.
|
||||
properties:
|
||||
lastUpdateTime:
|
||||
description: LastUpdateTime holds the time at which the Status was
|
||||
last updated. It is a pointer to get around some undesirable behavior
|
||||
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
conditions:
|
||||
description: Conditions represent the observations of an FederationDomain's
|
||||
current state.
|
||||
items:
|
||||
description: "Condition contains details for one aspect of the current
|
||||
state of this API Resource. --- This struct is intended for direct
|
||||
use as an array at the field path .status.conditions. For example,
|
||||
\n type FooStatus struct{ // Represents the observations of a
|
||||
foo's current state. // Known .status.conditions.type are: \"Available\",
|
||||
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
||||
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
||||
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
||||
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: lastTransitionTime is the last time the condition
|
||||
transitioned from one status to another. This should be when
|
||||
the underlying condition changed. If that is not known, then
|
||||
using the time when the API field changed is acceptable.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: Message provides human-readable details about the Status.
|
||||
description: message is a human readable message indicating
|
||||
details about the transition. This may be an empty string.
|
||||
maxLength: 32768
|
||||
type: string
|
||||
observedGeneration:
|
||||
description: observedGeneration represents the .metadata.generation
|
||||
that the condition was set based upon. For instance, if .metadata.generation
|
||||
is currently 12, but the .status.conditions[x].observedGeneration
|
||||
is 9, the condition is out of date with respect to the current
|
||||
state of the instance.
|
||||
format: int64
|
||||
minimum: 0
|
||||
type: integer
|
||||
reason:
|
||||
description: reason contains a programmatic identifier indicating
|
||||
the reason for the condition's last transition. Producers
|
||||
of specific condition types may define expected values and
|
||||
meanings for this field, and whether the values are considered
|
||||
a guaranteed API. The value should be a CamelCase string.
|
||||
This field may not be empty.
|
||||
maxLength: 1024
|
||||
minLength: 1
|
||||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
||||
--- Many .condition.type values are consistent across resources
|
||||
like Available, but because arbitrary conditions can be useful
|
||||
(see .node.status.conditions), the ability to deconflict is
|
||||
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||||
maxLength: 316
|
||||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- message
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- type
|
||||
x-kubernetes-list-type: map
|
||||
phase:
|
||||
default: Pending
|
||||
description: Phase summarizes the overall status of the FederationDomain.
|
||||
enum:
|
||||
- Pending
|
||||
- Ready
|
||||
- Error
|
||||
type: string
|
||||
secrets:
|
||||
description: Secrets contains information about this OIDC Provider's
|
||||
@ -145,15 +474,6 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
status:
|
||||
description: Status holds an enum that describes the state of this
|
||||
OIDC Provider. Note that this Status can represent success or failure.
|
||||
enum:
|
||||
- Success
|
||||
- Duplicate
|
||||
- Invalid
|
||||
- SameIssuerHostMustUseSameSecret
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
|
153
generated/1.21/README.adoc
generated
153
generated/1.21/README.adoc
generated
@ -652,6 +652,37 @@ FederationDomain describes the configuration of an OIDC provider.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
|
||||
==== FederationDomainIdentityProvider
|
||||
|
||||
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
|
||||
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|
||||
|===
|
||||
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainphase"]
|
||||
==== FederationDomainPhase (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
|
||||
@ -689,7 +720,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
| Field | Description
|
||||
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
||||
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|
||||
|===
|
||||
|
||||
|
||||
@ -706,25 +740,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
|
||||
| *`message`* __string__ | Message provides human-readable details about the Status.
|
||||
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
|
||||
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
|
||||
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
|
||||
==== FederationDomainStatusCondition (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
|
||||
==== FederationDomainTLSSpec
|
||||
|
||||
@ -746,6 +767,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
|
||||
==== FederationDomainTransforms
|
||||
|
||||
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
|
||||
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
|
||||
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
|
||||
==== FederationDomainTransformsConstant
|
||||
|
||||
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
|
||||
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
|
||||
==== FederationDomainTransformsExample
|
||||
|
||||
FederationDomainTransformsExample defines a transform example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the input username.
|
||||
| *`groups`* __string array__ | Groups is the input list of group names.
|
||||
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
|
||||
==== FederationDomainTransformsExampleExpects
|
||||
|
||||
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
|
||||
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
|
||||
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
|
||||
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
|
||||
==== FederationDomainTransformsExpression
|
||||
|
||||
FederationDomainTransformsExpression defines a transform expression.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
|
||||
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-granttype"]
|
||||
==== GrantType (string)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package v1alpha1
|
||||
@ -8,14 +8,17 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
|
||||
type FederationDomainStatusCondition string
|
||||
type FederationDomainPhase string
|
||||
|
||||
const (
|
||||
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
|
||||
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
|
||||
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
|
||||
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
|
||||
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
|
||||
FederationDomainPhasePending FederationDomainPhase = "Pending"
|
||||
|
||||
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
|
||||
FederationDomainPhaseReady FederationDomainPhase = "Ready"
|
||||
|
||||
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
|
||||
FederationDomainPhaseError FederationDomainPhase = "Error"
|
||||
)
|
||||
|
||||
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
|
||||
// the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
type FederationDomainTransformsConstant struct {
|
||||
// Name determines the name of the constant. It must be a valid identifier name.
|
||||
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
// +kubebuilder:validation:MaxLength=64
|
||||
Name string `json:"name"`
|
||||
|
||||
// Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
// +kubebuilder:validation:Enum=string;stringList
|
||||
Type string `json:"type"`
|
||||
|
||||
// StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
// +optional
|
||||
StringValue string `json:"stringValue,omitempty"`
|
||||
|
||||
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
// +optional
|
||||
StringListValue []string `json:"stringListValue,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExpression defines a transform expression.
|
||||
type FederationDomainTransformsExpression struct {
|
||||
// Type determines the type of the expression. It must be one of the supported types.
|
||||
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
|
||||
Type string `json:"type"`
|
||||
|
||||
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Expression string `json:"expression"`
|
||||
|
||||
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
|
||||
// an authentication attempt. When empty, a default message will be used.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExample defines a transform example.
|
||||
type FederationDomainTransformsExample struct {
|
||||
// Username is the input username.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Username string `json:"username"`
|
||||
|
||||
// Groups is the input list of group names.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Expects is the expected output of the entire sequence of transforms when they are run against the
|
||||
// input Username and Groups.
|
||||
Expects FederationDomainTransformsExampleExpects `json:"expects"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
type FederationDomainTransformsExampleExpects struct {
|
||||
// Username is the expected username after the transformations have been applied.
|
||||
// +optional
|
||||
Username string `json:"username,omitempty"`
|
||||
|
||||
// Groups is the expected list of group names after the transformations have been applied.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
|
||||
// after the transformations have been applied. True means that it is expected that the authentication would be
|
||||
// rejected. The default value of false means that it is expected that the authentication would not be rejected
|
||||
// by any policy expression.
|
||||
// +optional
|
||||
Rejected bool `json:"rejected,omitempty"`
|
||||
|
||||
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
|
||||
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
|
||||
// then Message will be treated as the default error message for authentication attempts which are rejected by a
|
||||
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
|
||||
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
type FederationDomainTransforms struct {
|
||||
// Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
// +patchMergeKey=name
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=name
|
||||
// +optional
|
||||
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
|
||||
|
||||
// Expressions are an optional list of transforms and policies to be executed in the order given during every
|
||||
// authentication attempt, including during every session refresh.
|
||||
// Each is a CEL expression. It may use the basic CEL language as defined in
|
||||
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
|
||||
// https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
//
|
||||
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
|
||||
// available as variables in all expressions. The username is provided via a variable called `username` and
|
||||
// the list of group names is provided via a variable called `groups` (which may be an empty list).
|
||||
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
|
||||
// and `strListConst.varName` for string list constants.
|
||||
//
|
||||
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
|
||||
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
|
||||
// and the authentication attempt is rejected.
|
||||
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
|
||||
// username or group names.
|
||||
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
|
||||
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
|
||||
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
|
||||
// groups list.
|
||||
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
|
||||
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
//
|
||||
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
|
||||
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
|
||||
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
|
||||
// and group names have been decided for that authentication attempt.
|
||||
//
|
||||
// +optional
|
||||
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
|
||||
|
||||
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
|
||||
// expected. Examples define sample input identities which are then run through the expression list, and the
|
||||
// results are compared to the expected results. If any example in this list fails, then this
|
||||
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
|
||||
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
|
||||
// expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
// +optional
|
||||
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
type FederationDomainIdentityProvider struct {
|
||||
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
|
||||
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
|
||||
// disruptive change for those users.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
DisplayName string `json:"displayName"`
|
||||
|
||||
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
|
||||
// If the reference cannot be resolved then the identity provider will not be made available.
|
||||
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
|
||||
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
|
||||
|
||||
// Transforms is an optional way to specify transformations to be applied during user authentication and
|
||||
// session refresh.
|
||||
// +optional
|
||||
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
type FederationDomainSpec struct {
|
||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Issuer string `json:"issuer"`
|
||||
|
||||
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
// +optional
|
||||
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
|
||||
|
||||
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
//
|
||||
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
|
||||
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
|
||||
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
|
||||
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
|
||||
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
|
||||
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
|
||||
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
|
||||
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
|
||||
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
|
||||
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
|
||||
// disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
//
|
||||
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
|
||||
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
|
||||
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
|
||||
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
|
||||
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
|
||||
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
|
||||
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
|
||||
// explicitly list the identity provider using this IdentityProviders field.
|
||||
//
|
||||
// +optional
|
||||
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
|
||||
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
|
||||
|
||||
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
|
||||
type FederationDomainStatus struct {
|
||||
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
|
||||
// represent success or failure.
|
||||
// +optional
|
||||
Status FederationDomainStatusCondition `json:"status,omitempty"`
|
||||
// Phase summarizes the overall status of the FederationDomain.
|
||||
// +kubebuilder:default=Pending
|
||||
// +kubebuilder:validation:Enum=Pending;Ready;Error
|
||||
Phase FederationDomainPhase `json:"phase,omitempty"`
|
||||
|
||||
// Message provides human-readable details about the Status.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
|
||||
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
|
||||
// around some undesirable behavior with respect to the empty metav1.Time value (see
|
||||
// https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
// +optional
|
||||
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
|
||||
// Conditions represent the observations of an FederationDomain's current state.
|
||||
// +patchMergeKey=type
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=type
|
||||
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
|
||||
|
||||
// Secrets contains information about this OIDC Provider's secrets.
|
||||
// +optional
|
||||
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type FederationDomain struct {
|
||||
|
@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
type OIDCClientPhase string
|
||||
|
||||
const (
|
||||
// PhasePending is the default phase for newly-created OIDCClient resources.
|
||||
PhasePending OIDCClientPhase = "Pending"
|
||||
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
|
||||
OIDCClientPhasePending OIDCClientPhase = "Pending"
|
||||
|
||||
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
PhaseReady OIDCClientPhase = "Ready"
|
||||
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
OIDCClientPhaseReady OIDCClientPhase = "Ready"
|
||||
|
||||
// PhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
PhaseError OIDCClientPhase = "Error"
|
||||
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
OIDCClientPhaseError OIDCClientPhase = "Error"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
|
||||
|
@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
|
||||
*out = *in
|
||||
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
|
||||
in.Transforms.DeepCopyInto(&out.Transforms)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainIdentityProvider)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
|
||||
*out = *in
|
||||
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
|
||||
*out = new(FederationDomainTLSSpec)
|
||||
**out = **in
|
||||
}
|
||||
if in.IdentityProviders != nil {
|
||||
in, out := &in.IdentityProviders, &out.IdentityProviders
|
||||
*out = make([]FederationDomainIdentityProvider, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
|
||||
*out = *in
|
||||
if in.LastUpdateTime != nil {
|
||||
in, out := &in.LastUpdateTime, &out.LastUpdateTime
|
||||
*out = (*in).DeepCopy()
|
||||
if in.Conditions != nil {
|
||||
in, out := &in.Conditions, &out.Conditions
|
||||
*out = make([]v1.Condition, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
out.Secrets = in.Secrets
|
||||
return
|
||||
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
|
||||
*out = *in
|
||||
if in.Constants != nil {
|
||||
in, out := &in.Constants, &out.Constants
|
||||
*out = make([]FederationDomainTransformsConstant, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.Expressions != nil {
|
||||
in, out := &in.Expressions, &out.Expressions
|
||||
*out = make([]FederationDomainTransformsExpression, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Examples != nil {
|
||||
in, out := &in.Examples, &out.Examples
|
||||
*out = make([]FederationDomainTransformsExample, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
|
||||
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransforms)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
|
||||
*out = *in
|
||||
if in.StringListValue != nil {
|
||||
in, out := &in.StringListValue, &out.StringListValue
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsConstant)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
in.Expects.DeepCopyInto(&out.Expects)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
|
||||
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExample)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExampleExpects)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExpression)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
|
||||
*out = *in
|
||||
|
@ -21,7 +21,7 @@ spec:
|
||||
- jsonPath: .spec.issuer
|
||||
name: Issuer
|
||||
type: string
|
||||
- jsonPath: .status.status
|
||||
- jsonPath: .status.phase
|
||||
name: Status
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
@ -47,6 +47,263 @@ spec:
|
||||
spec:
|
||||
description: Spec of the OIDC provider.
|
||||
properties:
|
||||
identityProviders:
|
||||
description: "IdentityProviders is the list of identity providers
|
||||
available for use by this FederationDomain. \n An identity provider
|
||||
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
|
||||
how to connect to a server, how to talk in a specific protocol for
|
||||
authentication, and how to use the schema of that server/protocol
|
||||
to extract a normalized user identity. Normalized user identities
|
||||
include a username and a list of group names. In contrast, IdentityProviders
|
||||
describes how to use that normalized identity in those Kubernetes
|
||||
clusters which belong to this FederationDomain. Each entry in IdentityProviders
|
||||
can be configured with arbitrary transformations on that normalized
|
||||
identity. For example, a transformation can add a prefix to all
|
||||
usernames to help avoid accidental conflicts when multiple identity
|
||||
providers have different users with the same username (e.g. \"idp1:ryan\"
|
||||
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
|
||||
implement arbitrary authentication rejection policies. Even though
|
||||
a user was able to authenticate with the identity provider, a policy
|
||||
can disallow the authentication to the Kubernetes clusters that
|
||||
belong to this FederationDomain. For example, a policy could disallow
|
||||
the authentication unless the user belongs to a specific group in
|
||||
the identity provider. \n For backwards compatibility with versions
|
||||
of Pinniped which predate support for multiple identity providers,
|
||||
an empty IdentityProviders list will cause the FederationDomain
|
||||
to use all available identity providers which exist in the same
|
||||
namespace, but also to reject all authentication requests when there
|
||||
is more than one identity provider currently defined. In this backwards
|
||||
compatibility mode, the name of the identity provider resource (e.g.
|
||||
the Name of an OIDCIdentityProvider resource) will be used as the
|
||||
name of the identity provider in this FederationDomain. This mode
|
||||
is provided to make upgrading from older versions easier. However,
|
||||
instead of relying on this backwards compatibility mode, please
|
||||
consider this mode to be deprecated and please instead explicitly
|
||||
list the identity provider using this IdentityProviders field."
|
||||
items:
|
||||
description: FederationDomainIdentityProvider describes how an identity
|
||||
provider is made available in this FederationDomain.
|
||||
properties:
|
||||
displayName:
|
||||
description: DisplayName is the name of this identity provider
|
||||
as it will appear to clients. This name ends up in the kubeconfig
|
||||
of end users, so changing the name of an identity provider
|
||||
that is in use by end users will be a disruptive change for
|
||||
those users.
|
||||
minLength: 1
|
||||
type: string
|
||||
objectRef:
|
||||
description: ObjectRef is a reference to a Pinniped identity
|
||||
provider resource. A valid reference is required. If the reference
|
||||
cannot be resolved then the identity provider will not be
|
||||
made available. Must refer to a resource of one of the Pinniped
|
||||
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
|
||||
ActiveDirectoryIdentityProvider.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup is the group for the resource being
|
||||
referenced. If APIGroup is not specified, the specified
|
||||
Kind must be in the core API group. For any other third-party
|
||||
types, APIGroup is required.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is the type of resource being referenced
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of resource being referenced
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
transforms:
|
||||
description: Transforms is an optional way to specify transformations
|
||||
to be applied during user authentication and session refresh.
|
||||
properties:
|
||||
constants:
|
||||
description: Constants defines constant variables and their
|
||||
values which will be made available to the transform expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsConstant defines
|
||||
a constant variable and its value which will be made
|
||||
available to the transform expressions. This is a union
|
||||
type, and Type is the discriminator field.
|
||||
properties:
|
||||
name:
|
||||
description: Name determines the name of the constant.
|
||||
It must be a valid identifier name.
|
||||
maxLength: 64
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
|
||||
type: string
|
||||
stringListValue:
|
||||
description: StringListValue should hold the value
|
||||
when Type is "stringList", and is otherwise ignored.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
stringValue:
|
||||
description: StringValue should hold the value when
|
||||
Type is "string", and is otherwise ignored.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the constant,
|
||||
and indicates which other field should be non-empty.
|
||||
enum:
|
||||
- string
|
||||
- stringList
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- name
|
||||
x-kubernetes-list-type: map
|
||||
examples:
|
||||
description: Examples can optionally be used to ensure that
|
||||
the sequence of transformation expressions are working
|
||||
as expected. Examples define sample input identities which
|
||||
are then run through the expression list, and the results
|
||||
are compared to the expected results. If any example in
|
||||
this list fails, then this identity provider will not
|
||||
be available for use within this FederationDomain, and
|
||||
the error(s) will be added to the FederationDomain status.
|
||||
This can be used to help guard against programming mistakes
|
||||
in the expressions, and also act as living documentation
|
||||
for other administrators to better understand the expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsExample defines
|
||||
a transform example.
|
||||
properties:
|
||||
expects:
|
||||
description: Expects is the expected output of the
|
||||
entire sequence of transforms when they are run
|
||||
against the input Username and Groups.
|
||||
properties:
|
||||
groups:
|
||||
description: Groups is the expected list of group
|
||||
names after the transformations have been applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
message:
|
||||
description: Message is the expected error message
|
||||
of the transforms. When Rejected is true, then
|
||||
Message is the expected message for the policy
|
||||
which rejected the authentication attempt. When
|
||||
Rejected is true and Message is blank, then
|
||||
Message will be treated as the default error
|
||||
message for authentication attempts which are
|
||||
rejected by a policy. When Rejected is false,
|
||||
then Message is the expected error message for
|
||||
some other non-policy transformation error,
|
||||
such as a runtime error. When Rejected is false,
|
||||
there is no default expected Message.
|
||||
type: string
|
||||
rejected:
|
||||
description: Rejected is a boolean that indicates
|
||||
whether authentication is expected to be rejected
|
||||
by a policy expression after the transformations
|
||||
have been applied. True means that it is expected
|
||||
that the authentication would be rejected. The
|
||||
default value of false means that it is expected
|
||||
that the authentication would not be rejected
|
||||
by any policy expression.
|
||||
type: boolean
|
||||
username:
|
||||
description: Username is the expected username
|
||||
after the transformations have been applied.
|
||||
type: string
|
||||
type: object
|
||||
groups:
|
||||
description: Groups is the input list of group names.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
username:
|
||||
description: Username is the input username.
|
||||
minLength: 1
|
||||
type: string
|
||||
required:
|
||||
- expects
|
||||
- username
|
||||
type: object
|
||||
type: array
|
||||
expressions:
|
||||
description: "Expressions are an optional list of transforms
|
||||
and policies to be executed in the order given during
|
||||
every authentication attempt, including during every session
|
||||
refresh. Each is a CEL expression. It may use the basic
|
||||
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
|
||||
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
\n The username and groups extracted from the identity
|
||||
provider, and the constants defined in this CR, are available
|
||||
as variables in all expressions. The username is provided
|
||||
via a variable called `username` and the list of group
|
||||
names is provided via a variable called `groups` (which
|
||||
may be an empty list). Each user-provided constants is
|
||||
provided via a variable named `strConst.varName` for string
|
||||
constants and `strListConst.varName` for string list constants.
|
||||
\n The only allowed types for expressions are currently
|
||||
policy/v1, username/v1, and groups/v1. Each policy/v1
|
||||
must return a boolean, and when it returns false, no more
|
||||
expressions from the list are evaluated and the authentication
|
||||
attempt is rejected. Transformations of type policy/v1
|
||||
do not return usernames or group names, and therefore
|
||||
cannot change the username or group names. Each username/v1
|
||||
transform must return the new username (a string), which
|
||||
can be the same as the old username. Transformations of
|
||||
type username/v1 do not return group names, and therefore
|
||||
cannot change the group names. Each groups/v1 transform
|
||||
must return the new groups list (list of strings), which
|
||||
can be the same as the old groups list. Transformations
|
||||
of type groups/v1 do not return usernames, and therefore
|
||||
cannot change the usernames. After each expression, the
|
||||
new (potentially changed) username or groups get passed
|
||||
to the following expression. \n Any compilation or static
|
||||
type-checking failure of any expression will cause an
|
||||
error status on the FederationDomain. During an authentication
|
||||
attempt, any unexpected runtime evaluation errors (e.g.
|
||||
division by zero) cause the authentication attempt to
|
||||
fail. When all expressions evaluate successfully, then
|
||||
the (potentially changed) username and group names have
|
||||
been decided for that authentication attempt."
|
||||
items:
|
||||
description: FederationDomainTransformsExpression defines
|
||||
a transform expression.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is a CEL expression that will
|
||||
be evaluated based on the Type during an authentication.
|
||||
minLength: 1
|
||||
type: string
|
||||
message:
|
||||
description: Message is only used when Type is policy/v1.
|
||||
It defines an error message to be used when the
|
||||
policy rejects an authentication attempt. When empty,
|
||||
a default message will be used.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the expression.
|
||||
It must be one of the supported types.
|
||||
enum:
|
||||
- policy/v1
|
||||
- username/v1
|
||||
- groups/v1
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- displayName
|
||||
- objectRef
|
||||
type: object
|
||||
type: array
|
||||
issuer:
|
||||
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
|
||||
Metadata document, as well as the identifier that it will use for
|
||||
@ -59,8 +316,8 @@ spec:
|
||||
minLength: 1
|
||||
type: string
|
||||
tls:
|
||||
description: TLS configures how this FederationDomain is served over
|
||||
Transport Layer Security (TLS).
|
||||
description: TLS specifies a secret which will contain Transport Layer
|
||||
Security (TLS) configuration for the FederationDomain.
|
||||
properties:
|
||||
secretName:
|
||||
description: "SecretName is an optional name of a Secret in the
|
||||
@ -91,14 +348,86 @@ spec:
|
||||
status:
|
||||
description: Status of the OIDC provider.
|
||||
properties:
|
||||
lastUpdateTime:
|
||||
description: LastUpdateTime holds the time at which the Status was
|
||||
last updated. It is a pointer to get around some undesirable behavior
|
||||
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
conditions:
|
||||
description: Conditions represent the observations of an FederationDomain's
|
||||
current state.
|
||||
items:
|
||||
description: "Condition contains details for one aspect of the current
|
||||
state of this API Resource. --- This struct is intended for direct
|
||||
use as an array at the field path .status.conditions. For example,
|
||||
type FooStatus struct{ // Represents the observations of a foo's
|
||||
current state. // Known .status.conditions.type are: \"Available\",
|
||||
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
||||
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
||||
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
||||
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: lastTransitionTime is the last time the condition
|
||||
transitioned from one status to another. This should be when
|
||||
the underlying condition changed. If that is not known, then
|
||||
using the time when the API field changed is acceptable.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: Message provides human-readable details about the Status.
|
||||
description: message is a human readable message indicating
|
||||
details about the transition. This may be an empty string.
|
||||
maxLength: 32768
|
||||
type: string
|
||||
observedGeneration:
|
||||
description: observedGeneration represents the .metadata.generation
|
||||
that the condition was set based upon. For instance, if .metadata.generation
|
||||
is currently 12, but the .status.conditions[x].observedGeneration
|
||||
is 9, the condition is out of date with respect to the current
|
||||
state of the instance.
|
||||
format: int64
|
||||
minimum: 0
|
||||
type: integer
|
||||
reason:
|
||||
description: reason contains a programmatic identifier indicating
|
||||
the reason for the condition's last transition. Producers
|
||||
of specific condition types may define expected values and
|
||||
meanings for this field, and whether the values are considered
|
||||
a guaranteed API. The value should be a CamelCase string.
|
||||
This field may not be empty.
|
||||
maxLength: 1024
|
||||
minLength: 1
|
||||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
||||
--- Many .condition.type values are consistent across resources
|
||||
like Available, but because arbitrary conditions can be useful
|
||||
(see .node.status.conditions), the ability to deconflict is
|
||||
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||||
maxLength: 316
|
||||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- message
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- type
|
||||
x-kubernetes-list-type: map
|
||||
phase:
|
||||
default: Pending
|
||||
description: Phase summarizes the overall status of the FederationDomain.
|
||||
enum:
|
||||
- Pending
|
||||
- Ready
|
||||
- Error
|
||||
type: string
|
||||
secrets:
|
||||
description: Secrets contains information about this OIDC Provider's
|
||||
@ -145,15 +474,6 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
status:
|
||||
description: Status holds an enum that describes the state of this
|
||||
OIDC Provider. Note that this Status can represent success or failure.
|
||||
enum:
|
||||
- Success
|
||||
- Duplicate
|
||||
- Invalid
|
||||
- SameIssuerHostMustUseSameSecret
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
|
153
generated/1.22/README.adoc
generated
153
generated/1.22/README.adoc
generated
@ -652,6 +652,37 @@ FederationDomain describes the configuration of an OIDC provider.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
|
||||
==== FederationDomainIdentityProvider
|
||||
|
||||
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
|
||||
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|
||||
|===
|
||||
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainphase"]
|
||||
==== FederationDomainPhase (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
|
||||
@ -689,7 +720,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
| Field | Description
|
||||
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
||||
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|
||||
|===
|
||||
|
||||
|
||||
@ -706,25 +740,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
|
||||
| *`message`* __string__ | Message provides human-readable details about the Status.
|
||||
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
|
||||
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
|
||||
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
|
||||
==== FederationDomainStatusCondition (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
|
||||
==== FederationDomainTLSSpec
|
||||
|
||||
@ -746,6 +767,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
|
||||
==== FederationDomainTransforms
|
||||
|
||||
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
|
||||
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
|
||||
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
|
||||
==== FederationDomainTransformsConstant
|
||||
|
||||
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
|
||||
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
|
||||
==== FederationDomainTransformsExample
|
||||
|
||||
FederationDomainTransformsExample defines a transform example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the input username.
|
||||
| *`groups`* __string array__ | Groups is the input list of group names.
|
||||
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
|
||||
==== FederationDomainTransformsExampleExpects
|
||||
|
||||
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
|
||||
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
|
||||
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
|
||||
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
|
||||
==== FederationDomainTransformsExpression
|
||||
|
||||
FederationDomainTransformsExpression defines a transform expression.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
|
||||
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-granttype"]
|
||||
==== GrantType (string)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package v1alpha1
|
||||
@ -8,14 +8,17 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
|
||||
type FederationDomainStatusCondition string
|
||||
type FederationDomainPhase string
|
||||
|
||||
const (
|
||||
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
|
||||
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
|
||||
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
|
||||
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
|
||||
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
|
||||
FederationDomainPhasePending FederationDomainPhase = "Pending"
|
||||
|
||||
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
|
||||
FederationDomainPhaseReady FederationDomainPhase = "Ready"
|
||||
|
||||
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
|
||||
FederationDomainPhaseError FederationDomainPhase = "Error"
|
||||
)
|
||||
|
||||
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
|
||||
// the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
type FederationDomainTransformsConstant struct {
|
||||
// Name determines the name of the constant. It must be a valid identifier name.
|
||||
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
// +kubebuilder:validation:MaxLength=64
|
||||
Name string `json:"name"`
|
||||
|
||||
// Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
// +kubebuilder:validation:Enum=string;stringList
|
||||
Type string `json:"type"`
|
||||
|
||||
// StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
// +optional
|
||||
StringValue string `json:"stringValue,omitempty"`
|
||||
|
||||
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
// +optional
|
||||
StringListValue []string `json:"stringListValue,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExpression defines a transform expression.
|
||||
type FederationDomainTransformsExpression struct {
|
||||
// Type determines the type of the expression. It must be one of the supported types.
|
||||
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
|
||||
Type string `json:"type"`
|
||||
|
||||
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Expression string `json:"expression"`
|
||||
|
||||
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
|
||||
// an authentication attempt. When empty, a default message will be used.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExample defines a transform example.
|
||||
type FederationDomainTransformsExample struct {
|
||||
// Username is the input username.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Username string `json:"username"`
|
||||
|
||||
// Groups is the input list of group names.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Expects is the expected output of the entire sequence of transforms when they are run against the
|
||||
// input Username and Groups.
|
||||
Expects FederationDomainTransformsExampleExpects `json:"expects"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
type FederationDomainTransformsExampleExpects struct {
|
||||
// Username is the expected username after the transformations have been applied.
|
||||
// +optional
|
||||
Username string `json:"username,omitempty"`
|
||||
|
||||
// Groups is the expected list of group names after the transformations have been applied.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
|
||||
// after the transformations have been applied. True means that it is expected that the authentication would be
|
||||
// rejected. The default value of false means that it is expected that the authentication would not be rejected
|
||||
// by any policy expression.
|
||||
// +optional
|
||||
Rejected bool `json:"rejected,omitempty"`
|
||||
|
||||
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
|
||||
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
|
||||
// then Message will be treated as the default error message for authentication attempts which are rejected by a
|
||||
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
|
||||
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
type FederationDomainTransforms struct {
|
||||
// Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
// +patchMergeKey=name
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=name
|
||||
// +optional
|
||||
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
|
||||
|
||||
// Expressions are an optional list of transforms and policies to be executed in the order given during every
|
||||
// authentication attempt, including during every session refresh.
|
||||
// Each is a CEL expression. It may use the basic CEL language as defined in
|
||||
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
|
||||
// https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
//
|
||||
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
|
||||
// available as variables in all expressions. The username is provided via a variable called `username` and
|
||||
// the list of group names is provided via a variable called `groups` (which may be an empty list).
|
||||
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
|
||||
// and `strListConst.varName` for string list constants.
|
||||
//
|
||||
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
|
||||
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
|
||||
// and the authentication attempt is rejected.
|
||||
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
|
||||
// username or group names.
|
||||
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
|
||||
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
|
||||
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
|
||||
// groups list.
|
||||
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
|
||||
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
//
|
||||
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
|
||||
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
|
||||
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
|
||||
// and group names have been decided for that authentication attempt.
|
||||
//
|
||||
// +optional
|
||||
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
|
||||
|
||||
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
|
||||
// expected. Examples define sample input identities which are then run through the expression list, and the
|
||||
// results are compared to the expected results. If any example in this list fails, then this
|
||||
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
|
||||
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
|
||||
// expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
// +optional
|
||||
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
type FederationDomainIdentityProvider struct {
|
||||
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
|
||||
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
|
||||
// disruptive change for those users.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
DisplayName string `json:"displayName"`
|
||||
|
||||
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
|
||||
// If the reference cannot be resolved then the identity provider will not be made available.
|
||||
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
|
||||
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
|
||||
|
||||
// Transforms is an optional way to specify transformations to be applied during user authentication and
|
||||
// session refresh.
|
||||
// +optional
|
||||
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
type FederationDomainSpec struct {
|
||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Issuer string `json:"issuer"`
|
||||
|
||||
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
// +optional
|
||||
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
|
||||
|
||||
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
//
|
||||
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
|
||||
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
|
||||
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
|
||||
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
|
||||
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
|
||||
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
|
||||
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
|
||||
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
|
||||
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
|
||||
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
|
||||
// disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
//
|
||||
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
|
||||
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
|
||||
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
|
||||
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
|
||||
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
|
||||
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
|
||||
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
|
||||
// explicitly list the identity provider using this IdentityProviders field.
|
||||
//
|
||||
// +optional
|
||||
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
|
||||
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
|
||||
|
||||
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
|
||||
type FederationDomainStatus struct {
|
||||
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
|
||||
// represent success or failure.
|
||||
// +optional
|
||||
Status FederationDomainStatusCondition `json:"status,omitempty"`
|
||||
// Phase summarizes the overall status of the FederationDomain.
|
||||
// +kubebuilder:default=Pending
|
||||
// +kubebuilder:validation:Enum=Pending;Ready;Error
|
||||
Phase FederationDomainPhase `json:"phase,omitempty"`
|
||||
|
||||
// Message provides human-readable details about the Status.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
|
||||
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
|
||||
// around some undesirable behavior with respect to the empty metav1.Time value (see
|
||||
// https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
// +optional
|
||||
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
|
||||
// Conditions represent the observations of an FederationDomain's current state.
|
||||
// +patchMergeKey=type
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=type
|
||||
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
|
||||
|
||||
// Secrets contains information about this OIDC Provider's secrets.
|
||||
// +optional
|
||||
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type FederationDomain struct {
|
||||
|
@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
type OIDCClientPhase string
|
||||
|
||||
const (
|
||||
// PhasePending is the default phase for newly-created OIDCClient resources.
|
||||
PhasePending OIDCClientPhase = "Pending"
|
||||
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
|
||||
OIDCClientPhasePending OIDCClientPhase = "Pending"
|
||||
|
||||
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
PhaseReady OIDCClientPhase = "Ready"
|
||||
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
OIDCClientPhaseReady OIDCClientPhase = "Ready"
|
||||
|
||||
// PhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
PhaseError OIDCClientPhase = "Error"
|
||||
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
OIDCClientPhaseError OIDCClientPhase = "Error"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
|
||||
|
@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
|
||||
*out = *in
|
||||
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
|
||||
in.Transforms.DeepCopyInto(&out.Transforms)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainIdentityProvider)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
|
||||
*out = *in
|
||||
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
|
||||
*out = new(FederationDomainTLSSpec)
|
||||
**out = **in
|
||||
}
|
||||
if in.IdentityProviders != nil {
|
||||
in, out := &in.IdentityProviders, &out.IdentityProviders
|
||||
*out = make([]FederationDomainIdentityProvider, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
|
||||
*out = *in
|
||||
if in.LastUpdateTime != nil {
|
||||
in, out := &in.LastUpdateTime, &out.LastUpdateTime
|
||||
*out = (*in).DeepCopy()
|
||||
if in.Conditions != nil {
|
||||
in, out := &in.Conditions, &out.Conditions
|
||||
*out = make([]v1.Condition, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
out.Secrets = in.Secrets
|
||||
return
|
||||
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
|
||||
*out = *in
|
||||
if in.Constants != nil {
|
||||
in, out := &in.Constants, &out.Constants
|
||||
*out = make([]FederationDomainTransformsConstant, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.Expressions != nil {
|
||||
in, out := &in.Expressions, &out.Expressions
|
||||
*out = make([]FederationDomainTransformsExpression, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Examples != nil {
|
||||
in, out := &in.Examples, &out.Examples
|
||||
*out = make([]FederationDomainTransformsExample, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
|
||||
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransforms)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
|
||||
*out = *in
|
||||
if in.StringListValue != nil {
|
||||
in, out := &in.StringListValue, &out.StringListValue
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsConstant)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
in.Expects.DeepCopyInto(&out.Expects)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
|
||||
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExample)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExampleExpects)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExpression)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
|
||||
*out = *in
|
||||
|
@ -21,7 +21,7 @@ spec:
|
||||
- jsonPath: .spec.issuer
|
||||
name: Issuer
|
||||
type: string
|
||||
- jsonPath: .status.status
|
||||
- jsonPath: .status.phase
|
||||
name: Status
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
@ -47,6 +47,263 @@ spec:
|
||||
spec:
|
||||
description: Spec of the OIDC provider.
|
||||
properties:
|
||||
identityProviders:
|
||||
description: "IdentityProviders is the list of identity providers
|
||||
available for use by this FederationDomain. \n An identity provider
|
||||
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
|
||||
how to connect to a server, how to talk in a specific protocol for
|
||||
authentication, and how to use the schema of that server/protocol
|
||||
to extract a normalized user identity. Normalized user identities
|
||||
include a username and a list of group names. In contrast, IdentityProviders
|
||||
describes how to use that normalized identity in those Kubernetes
|
||||
clusters which belong to this FederationDomain. Each entry in IdentityProviders
|
||||
can be configured with arbitrary transformations on that normalized
|
||||
identity. For example, a transformation can add a prefix to all
|
||||
usernames to help avoid accidental conflicts when multiple identity
|
||||
providers have different users with the same username (e.g. \"idp1:ryan\"
|
||||
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
|
||||
implement arbitrary authentication rejection policies. Even though
|
||||
a user was able to authenticate with the identity provider, a policy
|
||||
can disallow the authentication to the Kubernetes clusters that
|
||||
belong to this FederationDomain. For example, a policy could disallow
|
||||
the authentication unless the user belongs to a specific group in
|
||||
the identity provider. \n For backwards compatibility with versions
|
||||
of Pinniped which predate support for multiple identity providers,
|
||||
an empty IdentityProviders list will cause the FederationDomain
|
||||
to use all available identity providers which exist in the same
|
||||
namespace, but also to reject all authentication requests when there
|
||||
is more than one identity provider currently defined. In this backwards
|
||||
compatibility mode, the name of the identity provider resource (e.g.
|
||||
the Name of an OIDCIdentityProvider resource) will be used as the
|
||||
name of the identity provider in this FederationDomain. This mode
|
||||
is provided to make upgrading from older versions easier. However,
|
||||
instead of relying on this backwards compatibility mode, please
|
||||
consider this mode to be deprecated and please instead explicitly
|
||||
list the identity provider using this IdentityProviders field."
|
||||
items:
|
||||
description: FederationDomainIdentityProvider describes how an identity
|
||||
provider is made available in this FederationDomain.
|
||||
properties:
|
||||
displayName:
|
||||
description: DisplayName is the name of this identity provider
|
||||
as it will appear to clients. This name ends up in the kubeconfig
|
||||
of end users, so changing the name of an identity provider
|
||||
that is in use by end users will be a disruptive change for
|
||||
those users.
|
||||
minLength: 1
|
||||
type: string
|
||||
objectRef:
|
||||
description: ObjectRef is a reference to a Pinniped identity
|
||||
provider resource. A valid reference is required. If the reference
|
||||
cannot be resolved then the identity provider will not be
|
||||
made available. Must refer to a resource of one of the Pinniped
|
||||
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
|
||||
ActiveDirectoryIdentityProvider.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup is the group for the resource being
|
||||
referenced. If APIGroup is not specified, the specified
|
||||
Kind must be in the core API group. For any other third-party
|
||||
types, APIGroup is required.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is the type of resource being referenced
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of resource being referenced
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
transforms:
|
||||
description: Transforms is an optional way to specify transformations
|
||||
to be applied during user authentication and session refresh.
|
||||
properties:
|
||||
constants:
|
||||
description: Constants defines constant variables and their
|
||||
values which will be made available to the transform expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsConstant defines
|
||||
a constant variable and its value which will be made
|
||||
available to the transform expressions. This is a union
|
||||
type, and Type is the discriminator field.
|
||||
properties:
|
||||
name:
|
||||
description: Name determines the name of the constant.
|
||||
It must be a valid identifier name.
|
||||
maxLength: 64
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
|
||||
type: string
|
||||
stringListValue:
|
||||
description: StringListValue should hold the value
|
||||
when Type is "stringList", and is otherwise ignored.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
stringValue:
|
||||
description: StringValue should hold the value when
|
||||
Type is "string", and is otherwise ignored.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the constant,
|
||||
and indicates which other field should be non-empty.
|
||||
enum:
|
||||
- string
|
||||
- stringList
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- name
|
||||
x-kubernetes-list-type: map
|
||||
examples:
|
||||
description: Examples can optionally be used to ensure that
|
||||
the sequence of transformation expressions are working
|
||||
as expected. Examples define sample input identities which
|
||||
are then run through the expression list, and the results
|
||||
are compared to the expected results. If any example in
|
||||
this list fails, then this identity provider will not
|
||||
be available for use within this FederationDomain, and
|
||||
the error(s) will be added to the FederationDomain status.
|
||||
This can be used to help guard against programming mistakes
|
||||
in the expressions, and also act as living documentation
|
||||
for other administrators to better understand the expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsExample defines
|
||||
a transform example.
|
||||
properties:
|
||||
expects:
|
||||
description: Expects is the expected output of the
|
||||
entire sequence of transforms when they are run
|
||||
against the input Username and Groups.
|
||||
properties:
|
||||
groups:
|
||||
description: Groups is the expected list of group
|
||||
names after the transformations have been applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
message:
|
||||
description: Message is the expected error message
|
||||
of the transforms. When Rejected is true, then
|
||||
Message is the expected message for the policy
|
||||
which rejected the authentication attempt. When
|
||||
Rejected is true and Message is blank, then
|
||||
Message will be treated as the default error
|
||||
message for authentication attempts which are
|
||||
rejected by a policy. When Rejected is false,
|
||||
then Message is the expected error message for
|
||||
some other non-policy transformation error,
|
||||
such as a runtime error. When Rejected is false,
|
||||
there is no default expected Message.
|
||||
type: string
|
||||
rejected:
|
||||
description: Rejected is a boolean that indicates
|
||||
whether authentication is expected to be rejected
|
||||
by a policy expression after the transformations
|
||||
have been applied. True means that it is expected
|
||||
that the authentication would be rejected. The
|
||||
default value of false means that it is expected
|
||||
that the authentication would not be rejected
|
||||
by any policy expression.
|
||||
type: boolean
|
||||
username:
|
||||
description: Username is the expected username
|
||||
after the transformations have been applied.
|
||||
type: string
|
||||
type: object
|
||||
groups:
|
||||
description: Groups is the input list of group names.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
username:
|
||||
description: Username is the input username.
|
||||
minLength: 1
|
||||
type: string
|
||||
required:
|
||||
- expects
|
||||
- username
|
||||
type: object
|
||||
type: array
|
||||
expressions:
|
||||
description: "Expressions are an optional list of transforms
|
||||
and policies to be executed in the order given during
|
||||
every authentication attempt, including during every session
|
||||
refresh. Each is a CEL expression. It may use the basic
|
||||
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
|
||||
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
\n The username and groups extracted from the identity
|
||||
provider, and the constants defined in this CR, are available
|
||||
as variables in all expressions. The username is provided
|
||||
via a variable called `username` and the list of group
|
||||
names is provided via a variable called `groups` (which
|
||||
may be an empty list). Each user-provided constants is
|
||||
provided via a variable named `strConst.varName` for string
|
||||
constants and `strListConst.varName` for string list constants.
|
||||
\n The only allowed types for expressions are currently
|
||||
policy/v1, username/v1, and groups/v1. Each policy/v1
|
||||
must return a boolean, and when it returns false, no more
|
||||
expressions from the list are evaluated and the authentication
|
||||
attempt is rejected. Transformations of type policy/v1
|
||||
do not return usernames or group names, and therefore
|
||||
cannot change the username or group names. Each username/v1
|
||||
transform must return the new username (a string), which
|
||||
can be the same as the old username. Transformations of
|
||||
type username/v1 do not return group names, and therefore
|
||||
cannot change the group names. Each groups/v1 transform
|
||||
must return the new groups list (list of strings), which
|
||||
can be the same as the old groups list. Transformations
|
||||
of type groups/v1 do not return usernames, and therefore
|
||||
cannot change the usernames. After each expression, the
|
||||
new (potentially changed) username or groups get passed
|
||||
to the following expression. \n Any compilation or static
|
||||
type-checking failure of any expression will cause an
|
||||
error status on the FederationDomain. During an authentication
|
||||
attempt, any unexpected runtime evaluation errors (e.g.
|
||||
division by zero) cause the authentication attempt to
|
||||
fail. When all expressions evaluate successfully, then
|
||||
the (potentially changed) username and group names have
|
||||
been decided for that authentication attempt."
|
||||
items:
|
||||
description: FederationDomainTransformsExpression defines
|
||||
a transform expression.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is a CEL expression that will
|
||||
be evaluated based on the Type during an authentication.
|
||||
minLength: 1
|
||||
type: string
|
||||
message:
|
||||
description: Message is only used when Type is policy/v1.
|
||||
It defines an error message to be used when the
|
||||
policy rejects an authentication attempt. When empty,
|
||||
a default message will be used.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the expression.
|
||||
It must be one of the supported types.
|
||||
enum:
|
||||
- policy/v1
|
||||
- username/v1
|
||||
- groups/v1
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- displayName
|
||||
- objectRef
|
||||
type: object
|
||||
type: array
|
||||
issuer:
|
||||
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
|
||||
Metadata document, as well as the identifier that it will use for
|
||||
@ -59,8 +316,8 @@ spec:
|
||||
minLength: 1
|
||||
type: string
|
||||
tls:
|
||||
description: TLS configures how this FederationDomain is served over
|
||||
Transport Layer Security (TLS).
|
||||
description: TLS specifies a secret which will contain Transport Layer
|
||||
Security (TLS) configuration for the FederationDomain.
|
||||
properties:
|
||||
secretName:
|
||||
description: "SecretName is an optional name of a Secret in the
|
||||
@ -91,14 +348,86 @@ spec:
|
||||
status:
|
||||
description: Status of the OIDC provider.
|
||||
properties:
|
||||
lastUpdateTime:
|
||||
description: LastUpdateTime holds the time at which the Status was
|
||||
last updated. It is a pointer to get around some undesirable behavior
|
||||
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
conditions:
|
||||
description: Conditions represent the observations of an FederationDomain's
|
||||
current state.
|
||||
items:
|
||||
description: "Condition contains details for one aspect of the current
|
||||
state of this API Resource. --- This struct is intended for direct
|
||||
use as an array at the field path .status.conditions. For example,
|
||||
type FooStatus struct{ // Represents the observations of a foo's
|
||||
current state. // Known .status.conditions.type are: \"Available\",
|
||||
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
||||
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
||||
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
||||
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: lastTransitionTime is the last time the condition
|
||||
transitioned from one status to another. This should be when
|
||||
the underlying condition changed. If that is not known, then
|
||||
using the time when the API field changed is acceptable.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: Message provides human-readable details about the Status.
|
||||
description: message is a human readable message indicating
|
||||
details about the transition. This may be an empty string.
|
||||
maxLength: 32768
|
||||
type: string
|
||||
observedGeneration:
|
||||
description: observedGeneration represents the .metadata.generation
|
||||
that the condition was set based upon. For instance, if .metadata.generation
|
||||
is currently 12, but the .status.conditions[x].observedGeneration
|
||||
is 9, the condition is out of date with respect to the current
|
||||
state of the instance.
|
||||
format: int64
|
||||
minimum: 0
|
||||
type: integer
|
||||
reason:
|
||||
description: reason contains a programmatic identifier indicating
|
||||
the reason for the condition's last transition. Producers
|
||||
of specific condition types may define expected values and
|
||||
meanings for this field, and whether the values are considered
|
||||
a guaranteed API. The value should be a CamelCase string.
|
||||
This field may not be empty.
|
||||
maxLength: 1024
|
||||
minLength: 1
|
||||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
||||
--- Many .condition.type values are consistent across resources
|
||||
like Available, but because arbitrary conditions can be useful
|
||||
(see .node.status.conditions), the ability to deconflict is
|
||||
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||||
maxLength: 316
|
||||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- message
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- type
|
||||
x-kubernetes-list-type: map
|
||||
phase:
|
||||
default: Pending
|
||||
description: Phase summarizes the overall status of the FederationDomain.
|
||||
enum:
|
||||
- Pending
|
||||
- Ready
|
||||
- Error
|
||||
type: string
|
||||
secrets:
|
||||
description: Secrets contains information about this OIDC Provider's
|
||||
@ -145,15 +474,6 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
status:
|
||||
description: Status holds an enum that describes the state of this
|
||||
OIDC Provider. Note that this Status can represent success or failure.
|
||||
enum:
|
||||
- Success
|
||||
- Duplicate
|
||||
- Invalid
|
||||
- SameIssuerHostMustUseSameSecret
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
|
153
generated/1.23/README.adoc
generated
153
generated/1.23/README.adoc
generated
@ -652,6 +652,37 @@ FederationDomain describes the configuration of an OIDC provider.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
|
||||
==== FederationDomainIdentityProvider
|
||||
|
||||
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
|
||||
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|
||||
|===
|
||||
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainphase"]
|
||||
==== FederationDomainPhase (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
|
||||
@ -689,7 +720,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
| Field | Description
|
||||
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
||||
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|
||||
|===
|
||||
|
||||
|
||||
@ -706,25 +740,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
|
||||
| *`message`* __string__ | Message provides human-readable details about the Status.
|
||||
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
|
||||
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
|
||||
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
|
||||
==== FederationDomainStatusCondition (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
|
||||
==== FederationDomainTLSSpec
|
||||
|
||||
@ -746,6 +767,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
|
||||
==== FederationDomainTransforms
|
||||
|
||||
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
|
||||
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
|
||||
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
|
||||
==== FederationDomainTransformsConstant
|
||||
|
||||
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
|
||||
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
|
||||
==== FederationDomainTransformsExample
|
||||
|
||||
FederationDomainTransformsExample defines a transform example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the input username.
|
||||
| *`groups`* __string array__ | Groups is the input list of group names.
|
||||
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
|
||||
==== FederationDomainTransformsExampleExpects
|
||||
|
||||
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
|
||||
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
|
||||
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
|
||||
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
|
||||
==== FederationDomainTransformsExpression
|
||||
|
||||
FederationDomainTransformsExpression defines a transform expression.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
|
||||
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-granttype"]
|
||||
==== GrantType (string)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package v1alpha1
|
||||
@ -8,14 +8,17 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
|
||||
type FederationDomainStatusCondition string
|
||||
type FederationDomainPhase string
|
||||
|
||||
const (
|
||||
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
|
||||
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
|
||||
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
|
||||
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
|
||||
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
|
||||
FederationDomainPhasePending FederationDomainPhase = "Pending"
|
||||
|
||||
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
|
||||
FederationDomainPhaseReady FederationDomainPhase = "Ready"
|
||||
|
||||
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
|
||||
FederationDomainPhaseError FederationDomainPhase = "Error"
|
||||
)
|
||||
|
||||
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
|
||||
// the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
type FederationDomainTransformsConstant struct {
|
||||
// Name determines the name of the constant. It must be a valid identifier name.
|
||||
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
// +kubebuilder:validation:MaxLength=64
|
||||
Name string `json:"name"`
|
||||
|
||||
// Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
// +kubebuilder:validation:Enum=string;stringList
|
||||
Type string `json:"type"`
|
||||
|
||||
// StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
// +optional
|
||||
StringValue string `json:"stringValue,omitempty"`
|
||||
|
||||
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
// +optional
|
||||
StringListValue []string `json:"stringListValue,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExpression defines a transform expression.
|
||||
type FederationDomainTransformsExpression struct {
|
||||
// Type determines the type of the expression. It must be one of the supported types.
|
||||
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
|
||||
Type string `json:"type"`
|
||||
|
||||
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Expression string `json:"expression"`
|
||||
|
||||
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
|
||||
// an authentication attempt. When empty, a default message will be used.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExample defines a transform example.
|
||||
type FederationDomainTransformsExample struct {
|
||||
// Username is the input username.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Username string `json:"username"`
|
||||
|
||||
// Groups is the input list of group names.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Expects is the expected output of the entire sequence of transforms when they are run against the
|
||||
// input Username and Groups.
|
||||
Expects FederationDomainTransformsExampleExpects `json:"expects"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
type FederationDomainTransformsExampleExpects struct {
|
||||
// Username is the expected username after the transformations have been applied.
|
||||
// +optional
|
||||
Username string `json:"username,omitempty"`
|
||||
|
||||
// Groups is the expected list of group names after the transformations have been applied.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
|
||||
// after the transformations have been applied. True means that it is expected that the authentication would be
|
||||
// rejected. The default value of false means that it is expected that the authentication would not be rejected
|
||||
// by any policy expression.
|
||||
// +optional
|
||||
Rejected bool `json:"rejected,omitempty"`
|
||||
|
||||
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
|
||||
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
|
||||
// then Message will be treated as the default error message for authentication attempts which are rejected by a
|
||||
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
|
||||
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
type FederationDomainTransforms struct {
|
||||
// Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
// +patchMergeKey=name
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=name
|
||||
// +optional
|
||||
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
|
||||
|
||||
// Expressions are an optional list of transforms and policies to be executed in the order given during every
|
||||
// authentication attempt, including during every session refresh.
|
||||
// Each is a CEL expression. It may use the basic CEL language as defined in
|
||||
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
|
||||
// https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
//
|
||||
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
|
||||
// available as variables in all expressions. The username is provided via a variable called `username` and
|
||||
// the list of group names is provided via a variable called `groups` (which may be an empty list).
|
||||
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
|
||||
// and `strListConst.varName` for string list constants.
|
||||
//
|
||||
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
|
||||
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
|
||||
// and the authentication attempt is rejected.
|
||||
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
|
||||
// username or group names.
|
||||
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
|
||||
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
|
||||
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
|
||||
// groups list.
|
||||
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
|
||||
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
//
|
||||
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
|
||||
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
|
||||
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
|
||||
// and group names have been decided for that authentication attempt.
|
||||
//
|
||||
// +optional
|
||||
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
|
||||
|
||||
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
|
||||
// expected. Examples define sample input identities which are then run through the expression list, and the
|
||||
// results are compared to the expected results. If any example in this list fails, then this
|
||||
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
|
||||
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
|
||||
// expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
// +optional
|
||||
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
type FederationDomainIdentityProvider struct {
|
||||
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
|
||||
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
|
||||
// disruptive change for those users.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
DisplayName string `json:"displayName"`
|
||||
|
||||
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
|
||||
// If the reference cannot be resolved then the identity provider will not be made available.
|
||||
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
|
||||
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
|
||||
|
||||
// Transforms is an optional way to specify transformations to be applied during user authentication and
|
||||
// session refresh.
|
||||
// +optional
|
||||
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
type FederationDomainSpec struct {
|
||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Issuer string `json:"issuer"`
|
||||
|
||||
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
// +optional
|
||||
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
|
||||
|
||||
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
//
|
||||
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
|
||||
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
|
||||
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
|
||||
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
|
||||
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
|
||||
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
|
||||
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
|
||||
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
|
||||
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
|
||||
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
|
||||
// disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
//
|
||||
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
|
||||
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
|
||||
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
|
||||
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
|
||||
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
|
||||
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
|
||||
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
|
||||
// explicitly list the identity provider using this IdentityProviders field.
|
||||
//
|
||||
// +optional
|
||||
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
|
||||
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
|
||||
|
||||
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
|
||||
type FederationDomainStatus struct {
|
||||
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
|
||||
// represent success or failure.
|
||||
// +optional
|
||||
Status FederationDomainStatusCondition `json:"status,omitempty"`
|
||||
// Phase summarizes the overall status of the FederationDomain.
|
||||
// +kubebuilder:default=Pending
|
||||
// +kubebuilder:validation:Enum=Pending;Ready;Error
|
||||
Phase FederationDomainPhase `json:"phase,omitempty"`
|
||||
|
||||
// Message provides human-readable details about the Status.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
|
||||
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
|
||||
// around some undesirable behavior with respect to the empty metav1.Time value (see
|
||||
// https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
// +optional
|
||||
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
|
||||
// Conditions represent the observations of an FederationDomain's current state.
|
||||
// +patchMergeKey=type
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=type
|
||||
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
|
||||
|
||||
// Secrets contains information about this OIDC Provider's secrets.
|
||||
// +optional
|
||||
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type FederationDomain struct {
|
||||
|
@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
type OIDCClientPhase string
|
||||
|
||||
const (
|
||||
// PhasePending is the default phase for newly-created OIDCClient resources.
|
||||
PhasePending OIDCClientPhase = "Pending"
|
||||
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
|
||||
OIDCClientPhasePending OIDCClientPhase = "Pending"
|
||||
|
||||
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
PhaseReady OIDCClientPhase = "Ready"
|
||||
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
OIDCClientPhaseReady OIDCClientPhase = "Ready"
|
||||
|
||||
// PhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
PhaseError OIDCClientPhase = "Error"
|
||||
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
OIDCClientPhaseError OIDCClientPhase = "Error"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
|
||||
|
@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
|
||||
*out = *in
|
||||
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
|
||||
in.Transforms.DeepCopyInto(&out.Transforms)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainIdentityProvider)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
|
||||
*out = *in
|
||||
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
|
||||
*out = new(FederationDomainTLSSpec)
|
||||
**out = **in
|
||||
}
|
||||
if in.IdentityProviders != nil {
|
||||
in, out := &in.IdentityProviders, &out.IdentityProviders
|
||||
*out = make([]FederationDomainIdentityProvider, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
|
||||
*out = *in
|
||||
if in.LastUpdateTime != nil {
|
||||
in, out := &in.LastUpdateTime, &out.LastUpdateTime
|
||||
*out = (*in).DeepCopy()
|
||||
if in.Conditions != nil {
|
||||
in, out := &in.Conditions, &out.Conditions
|
||||
*out = make([]v1.Condition, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
out.Secrets = in.Secrets
|
||||
return
|
||||
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
|
||||
*out = *in
|
||||
if in.Constants != nil {
|
||||
in, out := &in.Constants, &out.Constants
|
||||
*out = make([]FederationDomainTransformsConstant, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.Expressions != nil {
|
||||
in, out := &in.Expressions, &out.Expressions
|
||||
*out = make([]FederationDomainTransformsExpression, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Examples != nil {
|
||||
in, out := &in.Examples, &out.Examples
|
||||
*out = make([]FederationDomainTransformsExample, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
|
||||
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransforms)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
|
||||
*out = *in
|
||||
if in.StringListValue != nil {
|
||||
in, out := &in.StringListValue, &out.StringListValue
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsConstant)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
in.Expects.DeepCopyInto(&out.Expects)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
|
||||
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExample)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExampleExpects)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExpression)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
|
||||
*out = *in
|
||||
|
@ -21,7 +21,7 @@ spec:
|
||||
- jsonPath: .spec.issuer
|
||||
name: Issuer
|
||||
type: string
|
||||
- jsonPath: .status.status
|
||||
- jsonPath: .status.phase
|
||||
name: Status
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
@ -47,6 +47,263 @@ spec:
|
||||
spec:
|
||||
description: Spec of the OIDC provider.
|
||||
properties:
|
||||
identityProviders:
|
||||
description: "IdentityProviders is the list of identity providers
|
||||
available for use by this FederationDomain. \n An identity provider
|
||||
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
|
||||
how to connect to a server, how to talk in a specific protocol for
|
||||
authentication, and how to use the schema of that server/protocol
|
||||
to extract a normalized user identity. Normalized user identities
|
||||
include a username and a list of group names. In contrast, IdentityProviders
|
||||
describes how to use that normalized identity in those Kubernetes
|
||||
clusters which belong to this FederationDomain. Each entry in IdentityProviders
|
||||
can be configured with arbitrary transformations on that normalized
|
||||
identity. For example, a transformation can add a prefix to all
|
||||
usernames to help avoid accidental conflicts when multiple identity
|
||||
providers have different users with the same username (e.g. \"idp1:ryan\"
|
||||
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
|
||||
implement arbitrary authentication rejection policies. Even though
|
||||
a user was able to authenticate with the identity provider, a policy
|
||||
can disallow the authentication to the Kubernetes clusters that
|
||||
belong to this FederationDomain. For example, a policy could disallow
|
||||
the authentication unless the user belongs to a specific group in
|
||||
the identity provider. \n For backwards compatibility with versions
|
||||
of Pinniped which predate support for multiple identity providers,
|
||||
an empty IdentityProviders list will cause the FederationDomain
|
||||
to use all available identity providers which exist in the same
|
||||
namespace, but also to reject all authentication requests when there
|
||||
is more than one identity provider currently defined. In this backwards
|
||||
compatibility mode, the name of the identity provider resource (e.g.
|
||||
the Name of an OIDCIdentityProvider resource) will be used as the
|
||||
name of the identity provider in this FederationDomain. This mode
|
||||
is provided to make upgrading from older versions easier. However,
|
||||
instead of relying on this backwards compatibility mode, please
|
||||
consider this mode to be deprecated and please instead explicitly
|
||||
list the identity provider using this IdentityProviders field."
|
||||
items:
|
||||
description: FederationDomainIdentityProvider describes how an identity
|
||||
provider is made available in this FederationDomain.
|
||||
properties:
|
||||
displayName:
|
||||
description: DisplayName is the name of this identity provider
|
||||
as it will appear to clients. This name ends up in the kubeconfig
|
||||
of end users, so changing the name of an identity provider
|
||||
that is in use by end users will be a disruptive change for
|
||||
those users.
|
||||
minLength: 1
|
||||
type: string
|
||||
objectRef:
|
||||
description: ObjectRef is a reference to a Pinniped identity
|
||||
provider resource. A valid reference is required. If the reference
|
||||
cannot be resolved then the identity provider will not be
|
||||
made available. Must refer to a resource of one of the Pinniped
|
||||
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
|
||||
ActiveDirectoryIdentityProvider.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup is the group for the resource being
|
||||
referenced. If APIGroup is not specified, the specified
|
||||
Kind must be in the core API group. For any other third-party
|
||||
types, APIGroup is required.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is the type of resource being referenced
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of resource being referenced
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
transforms:
|
||||
description: Transforms is an optional way to specify transformations
|
||||
to be applied during user authentication and session refresh.
|
||||
properties:
|
||||
constants:
|
||||
description: Constants defines constant variables and their
|
||||
values which will be made available to the transform expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsConstant defines
|
||||
a constant variable and its value which will be made
|
||||
available to the transform expressions. This is a union
|
||||
type, and Type is the discriminator field.
|
||||
properties:
|
||||
name:
|
||||
description: Name determines the name of the constant.
|
||||
It must be a valid identifier name.
|
||||
maxLength: 64
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
|
||||
type: string
|
||||
stringListValue:
|
||||
description: StringListValue should hold the value
|
||||
when Type is "stringList", and is otherwise ignored.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
stringValue:
|
||||
description: StringValue should hold the value when
|
||||
Type is "string", and is otherwise ignored.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the constant,
|
||||
and indicates which other field should be non-empty.
|
||||
enum:
|
||||
- string
|
||||
- stringList
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- name
|
||||
x-kubernetes-list-type: map
|
||||
examples:
|
||||
description: Examples can optionally be used to ensure that
|
||||
the sequence of transformation expressions are working
|
||||
as expected. Examples define sample input identities which
|
||||
are then run through the expression list, and the results
|
||||
are compared to the expected results. If any example in
|
||||
this list fails, then this identity provider will not
|
||||
be available for use within this FederationDomain, and
|
||||
the error(s) will be added to the FederationDomain status.
|
||||
This can be used to help guard against programming mistakes
|
||||
in the expressions, and also act as living documentation
|
||||
for other administrators to better understand the expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsExample defines
|
||||
a transform example.
|
||||
properties:
|
||||
expects:
|
||||
description: Expects is the expected output of the
|
||||
entire sequence of transforms when they are run
|
||||
against the input Username and Groups.
|
||||
properties:
|
||||
groups:
|
||||
description: Groups is the expected list of group
|
||||
names after the transformations have been applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
message:
|
||||
description: Message is the expected error message
|
||||
of the transforms. When Rejected is true, then
|
||||
Message is the expected message for the policy
|
||||
which rejected the authentication attempt. When
|
||||
Rejected is true and Message is blank, then
|
||||
Message will be treated as the default error
|
||||
message for authentication attempts which are
|
||||
rejected by a policy. When Rejected is false,
|
||||
then Message is the expected error message for
|
||||
some other non-policy transformation error,
|
||||
such as a runtime error. When Rejected is false,
|
||||
there is no default expected Message.
|
||||
type: string
|
||||
rejected:
|
||||
description: Rejected is a boolean that indicates
|
||||
whether authentication is expected to be rejected
|
||||
by a policy expression after the transformations
|
||||
have been applied. True means that it is expected
|
||||
that the authentication would be rejected. The
|
||||
default value of false means that it is expected
|
||||
that the authentication would not be rejected
|
||||
by any policy expression.
|
||||
type: boolean
|
||||
username:
|
||||
description: Username is the expected username
|
||||
after the transformations have been applied.
|
||||
type: string
|
||||
type: object
|
||||
groups:
|
||||
description: Groups is the input list of group names.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
username:
|
||||
description: Username is the input username.
|
||||
minLength: 1
|
||||
type: string
|
||||
required:
|
||||
- expects
|
||||
- username
|
||||
type: object
|
||||
type: array
|
||||
expressions:
|
||||
description: "Expressions are an optional list of transforms
|
||||
and policies to be executed in the order given during
|
||||
every authentication attempt, including during every session
|
||||
refresh. Each is a CEL expression. It may use the basic
|
||||
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
|
||||
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
\n The username and groups extracted from the identity
|
||||
provider, and the constants defined in this CR, are available
|
||||
as variables in all expressions. The username is provided
|
||||
via a variable called `username` and the list of group
|
||||
names is provided via a variable called `groups` (which
|
||||
may be an empty list). Each user-provided constants is
|
||||
provided via a variable named `strConst.varName` for string
|
||||
constants and `strListConst.varName` for string list constants.
|
||||
\n The only allowed types for expressions are currently
|
||||
policy/v1, username/v1, and groups/v1. Each policy/v1
|
||||
must return a boolean, and when it returns false, no more
|
||||
expressions from the list are evaluated and the authentication
|
||||
attempt is rejected. Transformations of type policy/v1
|
||||
do not return usernames or group names, and therefore
|
||||
cannot change the username or group names. Each username/v1
|
||||
transform must return the new username (a string), which
|
||||
can be the same as the old username. Transformations of
|
||||
type username/v1 do not return group names, and therefore
|
||||
cannot change the group names. Each groups/v1 transform
|
||||
must return the new groups list (list of strings), which
|
||||
can be the same as the old groups list. Transformations
|
||||
of type groups/v1 do not return usernames, and therefore
|
||||
cannot change the usernames. After each expression, the
|
||||
new (potentially changed) username or groups get passed
|
||||
to the following expression. \n Any compilation or static
|
||||
type-checking failure of any expression will cause an
|
||||
error status on the FederationDomain. During an authentication
|
||||
attempt, any unexpected runtime evaluation errors (e.g.
|
||||
division by zero) cause the authentication attempt to
|
||||
fail. When all expressions evaluate successfully, then
|
||||
the (potentially changed) username and group names have
|
||||
been decided for that authentication attempt."
|
||||
items:
|
||||
description: FederationDomainTransformsExpression defines
|
||||
a transform expression.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is a CEL expression that will
|
||||
be evaluated based on the Type during an authentication.
|
||||
minLength: 1
|
||||
type: string
|
||||
message:
|
||||
description: Message is only used when Type is policy/v1.
|
||||
It defines an error message to be used when the
|
||||
policy rejects an authentication attempt. When empty,
|
||||
a default message will be used.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the expression.
|
||||
It must be one of the supported types.
|
||||
enum:
|
||||
- policy/v1
|
||||
- username/v1
|
||||
- groups/v1
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- displayName
|
||||
- objectRef
|
||||
type: object
|
||||
type: array
|
||||
issuer:
|
||||
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
|
||||
Metadata document, as well as the identifier that it will use for
|
||||
@ -59,8 +316,8 @@ spec:
|
||||
minLength: 1
|
||||
type: string
|
||||
tls:
|
||||
description: TLS configures how this FederationDomain is served over
|
||||
Transport Layer Security (TLS).
|
||||
description: TLS specifies a secret which will contain Transport Layer
|
||||
Security (TLS) configuration for the FederationDomain.
|
||||
properties:
|
||||
secretName:
|
||||
description: "SecretName is an optional name of a Secret in the
|
||||
@ -91,14 +348,86 @@ spec:
|
||||
status:
|
||||
description: Status of the OIDC provider.
|
||||
properties:
|
||||
lastUpdateTime:
|
||||
description: LastUpdateTime holds the time at which the Status was
|
||||
last updated. It is a pointer to get around some undesirable behavior
|
||||
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
conditions:
|
||||
description: Conditions represent the observations of an FederationDomain's
|
||||
current state.
|
||||
items:
|
||||
description: "Condition contains details for one aspect of the current
|
||||
state of this API Resource. --- This struct is intended for direct
|
||||
use as an array at the field path .status.conditions. For example,
|
||||
\n type FooStatus struct{ // Represents the observations of a
|
||||
foo's current state. // Known .status.conditions.type are: \"Available\",
|
||||
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
||||
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
||||
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
||||
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: lastTransitionTime is the last time the condition
|
||||
transitioned from one status to another. This should be when
|
||||
the underlying condition changed. If that is not known, then
|
||||
using the time when the API field changed is acceptable.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: Message provides human-readable details about the Status.
|
||||
description: message is a human readable message indicating
|
||||
details about the transition. This may be an empty string.
|
||||
maxLength: 32768
|
||||
type: string
|
||||
observedGeneration:
|
||||
description: observedGeneration represents the .metadata.generation
|
||||
that the condition was set based upon. For instance, if .metadata.generation
|
||||
is currently 12, but the .status.conditions[x].observedGeneration
|
||||
is 9, the condition is out of date with respect to the current
|
||||
state of the instance.
|
||||
format: int64
|
||||
minimum: 0
|
||||
type: integer
|
||||
reason:
|
||||
description: reason contains a programmatic identifier indicating
|
||||
the reason for the condition's last transition. Producers
|
||||
of specific condition types may define expected values and
|
||||
meanings for this field, and whether the values are considered
|
||||
a guaranteed API. The value should be a CamelCase string.
|
||||
This field may not be empty.
|
||||
maxLength: 1024
|
||||
minLength: 1
|
||||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
||||
--- Many .condition.type values are consistent across resources
|
||||
like Available, but because arbitrary conditions can be useful
|
||||
(see .node.status.conditions), the ability to deconflict is
|
||||
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||||
maxLength: 316
|
||||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- message
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- type
|
||||
x-kubernetes-list-type: map
|
||||
phase:
|
||||
default: Pending
|
||||
description: Phase summarizes the overall status of the FederationDomain.
|
||||
enum:
|
||||
- Pending
|
||||
- Ready
|
||||
- Error
|
||||
type: string
|
||||
secrets:
|
||||
description: Secrets contains information about this OIDC Provider's
|
||||
@ -145,15 +474,6 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
status:
|
||||
description: Status holds an enum that describes the state of this
|
||||
OIDC Provider. Note that this Status can represent success or failure.
|
||||
enum:
|
||||
- Success
|
||||
- Duplicate
|
||||
- Invalid
|
||||
- SameIssuerHostMustUseSameSecret
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
|
153
generated/1.24/README.adoc
generated
153
generated/1.24/README.adoc
generated
@ -652,6 +652,37 @@ FederationDomain describes the configuration of an OIDC provider.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
|
||||
==== FederationDomainIdentityProvider
|
||||
|
||||
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
|
||||
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|
||||
|===
|
||||
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainphase"]
|
||||
==== FederationDomainPhase (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
|
||||
@ -689,7 +720,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
| Field | Description
|
||||
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
||||
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|
||||
|===
|
||||
|
||||
|
||||
@ -706,25 +740,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
|
||||
| *`message`* __string__ | Message provides human-readable details about the Status.
|
||||
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
|
||||
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
|
||||
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
|
||||
==== FederationDomainStatusCondition (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
|
||||
==== FederationDomainTLSSpec
|
||||
|
||||
@ -746,6 +767,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
|
||||
==== FederationDomainTransforms
|
||||
|
||||
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
|
||||
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
|
||||
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
|
||||
==== FederationDomainTransformsConstant
|
||||
|
||||
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
|
||||
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
|
||||
==== FederationDomainTransformsExample
|
||||
|
||||
FederationDomainTransformsExample defines a transform example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the input username.
|
||||
| *`groups`* __string array__ | Groups is the input list of group names.
|
||||
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
|
||||
==== FederationDomainTransformsExampleExpects
|
||||
|
||||
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
|
||||
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
|
||||
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
|
||||
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
|
||||
==== FederationDomainTransformsExpression
|
||||
|
||||
FederationDomainTransformsExpression defines a transform expression.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
|
||||
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-granttype"]
|
||||
==== GrantType (string)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package v1alpha1
|
||||
@ -8,14 +8,17 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
|
||||
type FederationDomainStatusCondition string
|
||||
type FederationDomainPhase string
|
||||
|
||||
const (
|
||||
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
|
||||
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
|
||||
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
|
||||
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
|
||||
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
|
||||
FederationDomainPhasePending FederationDomainPhase = "Pending"
|
||||
|
||||
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
|
||||
FederationDomainPhaseReady FederationDomainPhase = "Ready"
|
||||
|
||||
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
|
||||
FederationDomainPhaseError FederationDomainPhase = "Error"
|
||||
)
|
||||
|
||||
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
|
||||
// the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
type FederationDomainTransformsConstant struct {
|
||||
// Name determines the name of the constant. It must be a valid identifier name.
|
||||
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
// +kubebuilder:validation:MaxLength=64
|
||||
Name string `json:"name"`
|
||||
|
||||
// Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
// +kubebuilder:validation:Enum=string;stringList
|
||||
Type string `json:"type"`
|
||||
|
||||
// StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
// +optional
|
||||
StringValue string `json:"stringValue,omitempty"`
|
||||
|
||||
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
// +optional
|
||||
StringListValue []string `json:"stringListValue,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExpression defines a transform expression.
|
||||
type FederationDomainTransformsExpression struct {
|
||||
// Type determines the type of the expression. It must be one of the supported types.
|
||||
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
|
||||
Type string `json:"type"`
|
||||
|
||||
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Expression string `json:"expression"`
|
||||
|
||||
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
|
||||
// an authentication attempt. When empty, a default message will be used.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExample defines a transform example.
|
||||
type FederationDomainTransformsExample struct {
|
||||
// Username is the input username.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Username string `json:"username"`
|
||||
|
||||
// Groups is the input list of group names.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Expects is the expected output of the entire sequence of transforms when they are run against the
|
||||
// input Username and Groups.
|
||||
Expects FederationDomainTransformsExampleExpects `json:"expects"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
type FederationDomainTransformsExampleExpects struct {
|
||||
// Username is the expected username after the transformations have been applied.
|
||||
// +optional
|
||||
Username string `json:"username,omitempty"`
|
||||
|
||||
// Groups is the expected list of group names after the transformations have been applied.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
|
||||
// after the transformations have been applied. True means that it is expected that the authentication would be
|
||||
// rejected. The default value of false means that it is expected that the authentication would not be rejected
|
||||
// by any policy expression.
|
||||
// +optional
|
||||
Rejected bool `json:"rejected,omitempty"`
|
||||
|
||||
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
|
||||
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
|
||||
// then Message will be treated as the default error message for authentication attempts which are rejected by a
|
||||
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
|
||||
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
type FederationDomainTransforms struct {
|
||||
// Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
// +patchMergeKey=name
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=name
|
||||
// +optional
|
||||
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
|
||||
|
||||
// Expressions are an optional list of transforms and policies to be executed in the order given during every
|
||||
// authentication attempt, including during every session refresh.
|
||||
// Each is a CEL expression. It may use the basic CEL language as defined in
|
||||
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
|
||||
// https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
//
|
||||
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
|
||||
// available as variables in all expressions. The username is provided via a variable called `username` and
|
||||
// the list of group names is provided via a variable called `groups` (which may be an empty list).
|
||||
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
|
||||
// and `strListConst.varName` for string list constants.
|
||||
//
|
||||
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
|
||||
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
|
||||
// and the authentication attempt is rejected.
|
||||
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
|
||||
// username or group names.
|
||||
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
|
||||
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
|
||||
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
|
||||
// groups list.
|
||||
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
|
||||
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
//
|
||||
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
|
||||
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
|
||||
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
|
||||
// and group names have been decided for that authentication attempt.
|
||||
//
|
||||
// +optional
|
||||
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
|
||||
|
||||
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
|
||||
// expected. Examples define sample input identities which are then run through the expression list, and the
|
||||
// results are compared to the expected results. If any example in this list fails, then this
|
||||
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
|
||||
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
|
||||
// expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
// +optional
|
||||
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
type FederationDomainIdentityProvider struct {
|
||||
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
|
||||
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
|
||||
// disruptive change for those users.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
DisplayName string `json:"displayName"`
|
||||
|
||||
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
|
||||
// If the reference cannot be resolved then the identity provider will not be made available.
|
||||
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
|
||||
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
|
||||
|
||||
// Transforms is an optional way to specify transformations to be applied during user authentication and
|
||||
// session refresh.
|
||||
// +optional
|
||||
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
type FederationDomainSpec struct {
|
||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Issuer string `json:"issuer"`
|
||||
|
||||
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
// +optional
|
||||
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
|
||||
|
||||
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
//
|
||||
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
|
||||
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
|
||||
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
|
||||
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
|
||||
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
|
||||
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
|
||||
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
|
||||
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
|
||||
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
|
||||
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
|
||||
// disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
//
|
||||
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
|
||||
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
|
||||
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
|
||||
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
|
||||
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
|
||||
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
|
||||
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
|
||||
// explicitly list the identity provider using this IdentityProviders field.
|
||||
//
|
||||
// +optional
|
||||
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
|
||||
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
|
||||
|
||||
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
|
||||
type FederationDomainStatus struct {
|
||||
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
|
||||
// represent success or failure.
|
||||
// +optional
|
||||
Status FederationDomainStatusCondition `json:"status,omitempty"`
|
||||
// Phase summarizes the overall status of the FederationDomain.
|
||||
// +kubebuilder:default=Pending
|
||||
// +kubebuilder:validation:Enum=Pending;Ready;Error
|
||||
Phase FederationDomainPhase `json:"phase,omitempty"`
|
||||
|
||||
// Message provides human-readable details about the Status.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
|
||||
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
|
||||
// around some undesirable behavior with respect to the empty metav1.Time value (see
|
||||
// https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
// +optional
|
||||
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
|
||||
// Conditions represent the observations of an FederationDomain's current state.
|
||||
// +patchMergeKey=type
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=type
|
||||
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
|
||||
|
||||
// Secrets contains information about this OIDC Provider's secrets.
|
||||
// +optional
|
||||
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type FederationDomain struct {
|
||||
|
@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
type OIDCClientPhase string
|
||||
|
||||
const (
|
||||
// PhasePending is the default phase for newly-created OIDCClient resources.
|
||||
PhasePending OIDCClientPhase = "Pending"
|
||||
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
|
||||
OIDCClientPhasePending OIDCClientPhase = "Pending"
|
||||
|
||||
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
PhaseReady OIDCClientPhase = "Ready"
|
||||
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
OIDCClientPhaseReady OIDCClientPhase = "Ready"
|
||||
|
||||
// PhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
PhaseError OIDCClientPhase = "Error"
|
||||
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
OIDCClientPhaseError OIDCClientPhase = "Error"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
|
||||
|
@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
|
||||
*out = *in
|
||||
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
|
||||
in.Transforms.DeepCopyInto(&out.Transforms)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainIdentityProvider)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
|
||||
*out = *in
|
||||
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
|
||||
*out = new(FederationDomainTLSSpec)
|
||||
**out = **in
|
||||
}
|
||||
if in.IdentityProviders != nil {
|
||||
in, out := &in.IdentityProviders, &out.IdentityProviders
|
||||
*out = make([]FederationDomainIdentityProvider, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
|
||||
*out = *in
|
||||
if in.LastUpdateTime != nil {
|
||||
in, out := &in.LastUpdateTime, &out.LastUpdateTime
|
||||
*out = (*in).DeepCopy()
|
||||
if in.Conditions != nil {
|
||||
in, out := &in.Conditions, &out.Conditions
|
||||
*out = make([]v1.Condition, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
out.Secrets = in.Secrets
|
||||
return
|
||||
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
|
||||
*out = *in
|
||||
if in.Constants != nil {
|
||||
in, out := &in.Constants, &out.Constants
|
||||
*out = make([]FederationDomainTransformsConstant, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.Expressions != nil {
|
||||
in, out := &in.Expressions, &out.Expressions
|
||||
*out = make([]FederationDomainTransformsExpression, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Examples != nil {
|
||||
in, out := &in.Examples, &out.Examples
|
||||
*out = make([]FederationDomainTransformsExample, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
|
||||
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransforms)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
|
||||
*out = *in
|
||||
if in.StringListValue != nil {
|
||||
in, out := &in.StringListValue, &out.StringListValue
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsConstant)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
in.Expects.DeepCopyInto(&out.Expects)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
|
||||
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExample)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExampleExpects)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExpression)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
|
||||
*out = *in
|
||||
|
@ -21,7 +21,7 @@ spec:
|
||||
- jsonPath: .spec.issuer
|
||||
name: Issuer
|
||||
type: string
|
||||
- jsonPath: .status.status
|
||||
- jsonPath: .status.phase
|
||||
name: Status
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
@ -47,6 +47,263 @@ spec:
|
||||
spec:
|
||||
description: Spec of the OIDC provider.
|
||||
properties:
|
||||
identityProviders:
|
||||
description: "IdentityProviders is the list of identity providers
|
||||
available for use by this FederationDomain. \n An identity provider
|
||||
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
|
||||
how to connect to a server, how to talk in a specific protocol for
|
||||
authentication, and how to use the schema of that server/protocol
|
||||
to extract a normalized user identity. Normalized user identities
|
||||
include a username and a list of group names. In contrast, IdentityProviders
|
||||
describes how to use that normalized identity in those Kubernetes
|
||||
clusters which belong to this FederationDomain. Each entry in IdentityProviders
|
||||
can be configured with arbitrary transformations on that normalized
|
||||
identity. For example, a transformation can add a prefix to all
|
||||
usernames to help avoid accidental conflicts when multiple identity
|
||||
providers have different users with the same username (e.g. \"idp1:ryan\"
|
||||
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
|
||||
implement arbitrary authentication rejection policies. Even though
|
||||
a user was able to authenticate with the identity provider, a policy
|
||||
can disallow the authentication to the Kubernetes clusters that
|
||||
belong to this FederationDomain. For example, a policy could disallow
|
||||
the authentication unless the user belongs to a specific group in
|
||||
the identity provider. \n For backwards compatibility with versions
|
||||
of Pinniped which predate support for multiple identity providers,
|
||||
an empty IdentityProviders list will cause the FederationDomain
|
||||
to use all available identity providers which exist in the same
|
||||
namespace, but also to reject all authentication requests when there
|
||||
is more than one identity provider currently defined. In this backwards
|
||||
compatibility mode, the name of the identity provider resource (e.g.
|
||||
the Name of an OIDCIdentityProvider resource) will be used as the
|
||||
name of the identity provider in this FederationDomain. This mode
|
||||
is provided to make upgrading from older versions easier. However,
|
||||
instead of relying on this backwards compatibility mode, please
|
||||
consider this mode to be deprecated and please instead explicitly
|
||||
list the identity provider using this IdentityProviders field."
|
||||
items:
|
||||
description: FederationDomainIdentityProvider describes how an identity
|
||||
provider is made available in this FederationDomain.
|
||||
properties:
|
||||
displayName:
|
||||
description: DisplayName is the name of this identity provider
|
||||
as it will appear to clients. This name ends up in the kubeconfig
|
||||
of end users, so changing the name of an identity provider
|
||||
that is in use by end users will be a disruptive change for
|
||||
those users.
|
||||
minLength: 1
|
||||
type: string
|
||||
objectRef:
|
||||
description: ObjectRef is a reference to a Pinniped identity
|
||||
provider resource. A valid reference is required. If the reference
|
||||
cannot be resolved then the identity provider will not be
|
||||
made available. Must refer to a resource of one of the Pinniped
|
||||
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
|
||||
ActiveDirectoryIdentityProvider.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup is the group for the resource being
|
||||
referenced. If APIGroup is not specified, the specified
|
||||
Kind must be in the core API group. For any other third-party
|
||||
types, APIGroup is required.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is the type of resource being referenced
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of resource being referenced
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
transforms:
|
||||
description: Transforms is an optional way to specify transformations
|
||||
to be applied during user authentication and session refresh.
|
||||
properties:
|
||||
constants:
|
||||
description: Constants defines constant variables and their
|
||||
values which will be made available to the transform expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsConstant defines
|
||||
a constant variable and its value which will be made
|
||||
available to the transform expressions. This is a union
|
||||
type, and Type is the discriminator field.
|
||||
properties:
|
||||
name:
|
||||
description: Name determines the name of the constant.
|
||||
It must be a valid identifier name.
|
||||
maxLength: 64
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
|
||||
type: string
|
||||
stringListValue:
|
||||
description: StringListValue should hold the value
|
||||
when Type is "stringList", and is otherwise ignored.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
stringValue:
|
||||
description: StringValue should hold the value when
|
||||
Type is "string", and is otherwise ignored.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the constant,
|
||||
and indicates which other field should be non-empty.
|
||||
enum:
|
||||
- string
|
||||
- stringList
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- name
|
||||
x-kubernetes-list-type: map
|
||||
examples:
|
||||
description: Examples can optionally be used to ensure that
|
||||
the sequence of transformation expressions are working
|
||||
as expected. Examples define sample input identities which
|
||||
are then run through the expression list, and the results
|
||||
are compared to the expected results. If any example in
|
||||
this list fails, then this identity provider will not
|
||||
be available for use within this FederationDomain, and
|
||||
the error(s) will be added to the FederationDomain status.
|
||||
This can be used to help guard against programming mistakes
|
||||
in the expressions, and also act as living documentation
|
||||
for other administrators to better understand the expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsExample defines
|
||||
a transform example.
|
||||
properties:
|
||||
expects:
|
||||
description: Expects is the expected output of the
|
||||
entire sequence of transforms when they are run
|
||||
against the input Username and Groups.
|
||||
properties:
|
||||
groups:
|
||||
description: Groups is the expected list of group
|
||||
names after the transformations have been applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
message:
|
||||
description: Message is the expected error message
|
||||
of the transforms. When Rejected is true, then
|
||||
Message is the expected message for the policy
|
||||
which rejected the authentication attempt. When
|
||||
Rejected is true and Message is blank, then
|
||||
Message will be treated as the default error
|
||||
message for authentication attempts which are
|
||||
rejected by a policy. When Rejected is false,
|
||||
then Message is the expected error message for
|
||||
some other non-policy transformation error,
|
||||
such as a runtime error. When Rejected is false,
|
||||
there is no default expected Message.
|
||||
type: string
|
||||
rejected:
|
||||
description: Rejected is a boolean that indicates
|
||||
whether authentication is expected to be rejected
|
||||
by a policy expression after the transformations
|
||||
have been applied. True means that it is expected
|
||||
that the authentication would be rejected. The
|
||||
default value of false means that it is expected
|
||||
that the authentication would not be rejected
|
||||
by any policy expression.
|
||||
type: boolean
|
||||
username:
|
||||
description: Username is the expected username
|
||||
after the transformations have been applied.
|
||||
type: string
|
||||
type: object
|
||||
groups:
|
||||
description: Groups is the input list of group names.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
username:
|
||||
description: Username is the input username.
|
||||
minLength: 1
|
||||
type: string
|
||||
required:
|
||||
- expects
|
||||
- username
|
||||
type: object
|
||||
type: array
|
||||
expressions:
|
||||
description: "Expressions are an optional list of transforms
|
||||
and policies to be executed in the order given during
|
||||
every authentication attempt, including during every session
|
||||
refresh. Each is a CEL expression. It may use the basic
|
||||
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
|
||||
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
\n The username and groups extracted from the identity
|
||||
provider, and the constants defined in this CR, are available
|
||||
as variables in all expressions. The username is provided
|
||||
via a variable called `username` and the list of group
|
||||
names is provided via a variable called `groups` (which
|
||||
may be an empty list). Each user-provided constants is
|
||||
provided via a variable named `strConst.varName` for string
|
||||
constants and `strListConst.varName` for string list constants.
|
||||
\n The only allowed types for expressions are currently
|
||||
policy/v1, username/v1, and groups/v1. Each policy/v1
|
||||
must return a boolean, and when it returns false, no more
|
||||
expressions from the list are evaluated and the authentication
|
||||
attempt is rejected. Transformations of type policy/v1
|
||||
do not return usernames or group names, and therefore
|
||||
cannot change the username or group names. Each username/v1
|
||||
transform must return the new username (a string), which
|
||||
can be the same as the old username. Transformations of
|
||||
type username/v1 do not return group names, and therefore
|
||||
cannot change the group names. Each groups/v1 transform
|
||||
must return the new groups list (list of strings), which
|
||||
can be the same as the old groups list. Transformations
|
||||
of type groups/v1 do not return usernames, and therefore
|
||||
cannot change the usernames. After each expression, the
|
||||
new (potentially changed) username or groups get passed
|
||||
to the following expression. \n Any compilation or static
|
||||
type-checking failure of any expression will cause an
|
||||
error status on the FederationDomain. During an authentication
|
||||
attempt, any unexpected runtime evaluation errors (e.g.
|
||||
division by zero) cause the authentication attempt to
|
||||
fail. When all expressions evaluate successfully, then
|
||||
the (potentially changed) username and group names have
|
||||
been decided for that authentication attempt."
|
||||
items:
|
||||
description: FederationDomainTransformsExpression defines
|
||||
a transform expression.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is a CEL expression that will
|
||||
be evaluated based on the Type during an authentication.
|
||||
minLength: 1
|
||||
type: string
|
||||
message:
|
||||
description: Message is only used when Type is policy/v1.
|
||||
It defines an error message to be used when the
|
||||
policy rejects an authentication attempt. When empty,
|
||||
a default message will be used.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the expression.
|
||||
It must be one of the supported types.
|
||||
enum:
|
||||
- policy/v1
|
||||
- username/v1
|
||||
- groups/v1
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- displayName
|
||||
- objectRef
|
||||
type: object
|
||||
type: array
|
||||
issuer:
|
||||
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
|
||||
Metadata document, as well as the identifier that it will use for
|
||||
@ -59,8 +316,8 @@ spec:
|
||||
minLength: 1
|
||||
type: string
|
||||
tls:
|
||||
description: TLS configures how this FederationDomain is served over
|
||||
Transport Layer Security (TLS).
|
||||
description: TLS specifies a secret which will contain Transport Layer
|
||||
Security (TLS) configuration for the FederationDomain.
|
||||
properties:
|
||||
secretName:
|
||||
description: "SecretName is an optional name of a Secret in the
|
||||
@ -91,14 +348,86 @@ spec:
|
||||
status:
|
||||
description: Status of the OIDC provider.
|
||||
properties:
|
||||
lastUpdateTime:
|
||||
description: LastUpdateTime holds the time at which the Status was
|
||||
last updated. It is a pointer to get around some undesirable behavior
|
||||
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
conditions:
|
||||
description: Conditions represent the observations of an FederationDomain's
|
||||
current state.
|
||||
items:
|
||||
description: "Condition contains details for one aspect of the current
|
||||
state of this API Resource. --- This struct is intended for direct
|
||||
use as an array at the field path .status.conditions. For example,
|
||||
\n type FooStatus struct{ // Represents the observations of a
|
||||
foo's current state. // Known .status.conditions.type are: \"Available\",
|
||||
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
||||
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
||||
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
||||
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: lastTransitionTime is the last time the condition
|
||||
transitioned from one status to another. This should be when
|
||||
the underlying condition changed. If that is not known, then
|
||||
using the time when the API field changed is acceptable.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: Message provides human-readable details about the Status.
|
||||
description: message is a human readable message indicating
|
||||
details about the transition. This may be an empty string.
|
||||
maxLength: 32768
|
||||
type: string
|
||||
observedGeneration:
|
||||
description: observedGeneration represents the .metadata.generation
|
||||
that the condition was set based upon. For instance, if .metadata.generation
|
||||
is currently 12, but the .status.conditions[x].observedGeneration
|
||||
is 9, the condition is out of date with respect to the current
|
||||
state of the instance.
|
||||
format: int64
|
||||
minimum: 0
|
||||
type: integer
|
||||
reason:
|
||||
description: reason contains a programmatic identifier indicating
|
||||
the reason for the condition's last transition. Producers
|
||||
of specific condition types may define expected values and
|
||||
meanings for this field, and whether the values are considered
|
||||
a guaranteed API. The value should be a CamelCase string.
|
||||
This field may not be empty.
|
||||
maxLength: 1024
|
||||
minLength: 1
|
||||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
||||
--- Many .condition.type values are consistent across resources
|
||||
like Available, but because arbitrary conditions can be useful
|
||||
(see .node.status.conditions), the ability to deconflict is
|
||||
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||||
maxLength: 316
|
||||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- message
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- type
|
||||
x-kubernetes-list-type: map
|
||||
phase:
|
||||
default: Pending
|
||||
description: Phase summarizes the overall status of the FederationDomain.
|
||||
enum:
|
||||
- Pending
|
||||
- Ready
|
||||
- Error
|
||||
type: string
|
||||
secrets:
|
||||
description: Secrets contains information about this OIDC Provider's
|
||||
@ -145,15 +474,6 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
status:
|
||||
description: Status holds an enum that describes the state of this
|
||||
OIDC Provider. Note that this Status can represent success or failure.
|
||||
enum:
|
||||
- Success
|
||||
- Duplicate
|
||||
- Invalid
|
||||
- SameIssuerHostMustUseSameSecret
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
|
153
generated/1.25/README.adoc
generated
153
generated/1.25/README.adoc
generated
@ -650,6 +650,37 @@ FederationDomain describes the configuration of an OIDC provider.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
|
||||
==== FederationDomainIdentityProvider
|
||||
|
||||
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
|
||||
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|
||||
|===
|
||||
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainphase"]
|
||||
==== FederationDomainPhase (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
|
||||
@ -687,7 +718,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
| Field | Description
|
||||
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
||||
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|
||||
|===
|
||||
|
||||
|
||||
@ -704,25 +738,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
|
||||
| *`message`* __string__ | Message provides human-readable details about the Status.
|
||||
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
|
||||
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
|
||||
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
|
||||
==== FederationDomainStatusCondition (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
|
||||
==== FederationDomainTLSSpec
|
||||
|
||||
@ -744,6 +765,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
|
||||
==== FederationDomainTransforms
|
||||
|
||||
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
|
||||
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
|
||||
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
|
||||
==== FederationDomainTransformsConstant
|
||||
|
||||
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
|
||||
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
|
||||
==== FederationDomainTransformsExample
|
||||
|
||||
FederationDomainTransformsExample defines a transform example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the input username.
|
||||
| *`groups`* __string array__ | Groups is the input list of group names.
|
||||
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
|
||||
==== FederationDomainTransformsExampleExpects
|
||||
|
||||
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
|
||||
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
|
||||
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
|
||||
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
|
||||
==== FederationDomainTransformsExpression
|
||||
|
||||
FederationDomainTransformsExpression defines a transform expression.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
|
||||
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-granttype"]
|
||||
==== GrantType (string)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package v1alpha1
|
||||
@ -8,14 +8,17 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
|
||||
type FederationDomainStatusCondition string
|
||||
type FederationDomainPhase string
|
||||
|
||||
const (
|
||||
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
|
||||
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
|
||||
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
|
||||
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
|
||||
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
|
||||
FederationDomainPhasePending FederationDomainPhase = "Pending"
|
||||
|
||||
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
|
||||
FederationDomainPhaseReady FederationDomainPhase = "Ready"
|
||||
|
||||
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
|
||||
FederationDomainPhaseError FederationDomainPhase = "Error"
|
||||
)
|
||||
|
||||
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
|
||||
// the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
type FederationDomainTransformsConstant struct {
|
||||
// Name determines the name of the constant. It must be a valid identifier name.
|
||||
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
// +kubebuilder:validation:MaxLength=64
|
||||
Name string `json:"name"`
|
||||
|
||||
// Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
// +kubebuilder:validation:Enum=string;stringList
|
||||
Type string `json:"type"`
|
||||
|
||||
// StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
// +optional
|
||||
StringValue string `json:"stringValue,omitempty"`
|
||||
|
||||
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
// +optional
|
||||
StringListValue []string `json:"stringListValue,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExpression defines a transform expression.
|
||||
type FederationDomainTransformsExpression struct {
|
||||
// Type determines the type of the expression. It must be one of the supported types.
|
||||
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
|
||||
Type string `json:"type"`
|
||||
|
||||
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Expression string `json:"expression"`
|
||||
|
||||
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
|
||||
// an authentication attempt. When empty, a default message will be used.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExample defines a transform example.
|
||||
type FederationDomainTransformsExample struct {
|
||||
// Username is the input username.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Username string `json:"username"`
|
||||
|
||||
// Groups is the input list of group names.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Expects is the expected output of the entire sequence of transforms when they are run against the
|
||||
// input Username and Groups.
|
||||
Expects FederationDomainTransformsExampleExpects `json:"expects"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
type FederationDomainTransformsExampleExpects struct {
|
||||
// Username is the expected username after the transformations have been applied.
|
||||
// +optional
|
||||
Username string `json:"username,omitempty"`
|
||||
|
||||
// Groups is the expected list of group names after the transformations have been applied.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
|
||||
// after the transformations have been applied. True means that it is expected that the authentication would be
|
||||
// rejected. The default value of false means that it is expected that the authentication would not be rejected
|
||||
// by any policy expression.
|
||||
// +optional
|
||||
Rejected bool `json:"rejected,omitempty"`
|
||||
|
||||
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
|
||||
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
|
||||
// then Message will be treated as the default error message for authentication attempts which are rejected by a
|
||||
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
|
||||
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
type FederationDomainTransforms struct {
|
||||
// Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
// +patchMergeKey=name
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=name
|
||||
// +optional
|
||||
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
|
||||
|
||||
// Expressions are an optional list of transforms and policies to be executed in the order given during every
|
||||
// authentication attempt, including during every session refresh.
|
||||
// Each is a CEL expression. It may use the basic CEL language as defined in
|
||||
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
|
||||
// https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
//
|
||||
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
|
||||
// available as variables in all expressions. The username is provided via a variable called `username` and
|
||||
// the list of group names is provided via a variable called `groups` (which may be an empty list).
|
||||
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
|
||||
// and `strListConst.varName` for string list constants.
|
||||
//
|
||||
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
|
||||
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
|
||||
// and the authentication attempt is rejected.
|
||||
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
|
||||
// username or group names.
|
||||
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
|
||||
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
|
||||
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
|
||||
// groups list.
|
||||
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
|
||||
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
//
|
||||
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
|
||||
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
|
||||
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
|
||||
// and group names have been decided for that authentication attempt.
|
||||
//
|
||||
// +optional
|
||||
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
|
||||
|
||||
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
|
||||
// expected. Examples define sample input identities which are then run through the expression list, and the
|
||||
// results are compared to the expected results. If any example in this list fails, then this
|
||||
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
|
||||
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
|
||||
// expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
// +optional
|
||||
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
type FederationDomainIdentityProvider struct {
|
||||
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
|
||||
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
|
||||
// disruptive change for those users.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
DisplayName string `json:"displayName"`
|
||||
|
||||
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
|
||||
// If the reference cannot be resolved then the identity provider will not be made available.
|
||||
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
|
||||
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
|
||||
|
||||
// Transforms is an optional way to specify transformations to be applied during user authentication and
|
||||
// session refresh.
|
||||
// +optional
|
||||
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
type FederationDomainSpec struct {
|
||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Issuer string `json:"issuer"`
|
||||
|
||||
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
// +optional
|
||||
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
|
||||
|
||||
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
//
|
||||
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
|
||||
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
|
||||
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
|
||||
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
|
||||
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
|
||||
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
|
||||
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
|
||||
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
|
||||
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
|
||||
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
|
||||
// disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
//
|
||||
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
|
||||
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
|
||||
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
|
||||
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
|
||||
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
|
||||
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
|
||||
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
|
||||
// explicitly list the identity provider using this IdentityProviders field.
|
||||
//
|
||||
// +optional
|
||||
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
|
||||
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
|
||||
|
||||
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
|
||||
type FederationDomainStatus struct {
|
||||
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
|
||||
// represent success or failure.
|
||||
// +optional
|
||||
Status FederationDomainStatusCondition `json:"status,omitempty"`
|
||||
// Phase summarizes the overall status of the FederationDomain.
|
||||
// +kubebuilder:default=Pending
|
||||
// +kubebuilder:validation:Enum=Pending;Ready;Error
|
||||
Phase FederationDomainPhase `json:"phase,omitempty"`
|
||||
|
||||
// Message provides human-readable details about the Status.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
|
||||
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
|
||||
// around some undesirable behavior with respect to the empty metav1.Time value (see
|
||||
// https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
// +optional
|
||||
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
|
||||
// Conditions represent the observations of an FederationDomain's current state.
|
||||
// +patchMergeKey=type
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=type
|
||||
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
|
||||
|
||||
// Secrets contains information about this OIDC Provider's secrets.
|
||||
// +optional
|
||||
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type FederationDomain struct {
|
||||
|
@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
type OIDCClientPhase string
|
||||
|
||||
const (
|
||||
// PhasePending is the default phase for newly-created OIDCClient resources.
|
||||
PhasePending OIDCClientPhase = "Pending"
|
||||
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
|
||||
OIDCClientPhasePending OIDCClientPhase = "Pending"
|
||||
|
||||
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
PhaseReady OIDCClientPhase = "Ready"
|
||||
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
OIDCClientPhaseReady OIDCClientPhase = "Ready"
|
||||
|
||||
// PhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
PhaseError OIDCClientPhase = "Error"
|
||||
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
OIDCClientPhaseError OIDCClientPhase = "Error"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
|
||||
|
@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
|
||||
*out = *in
|
||||
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
|
||||
in.Transforms.DeepCopyInto(&out.Transforms)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainIdentityProvider)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
|
||||
*out = *in
|
||||
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
|
||||
*out = new(FederationDomainTLSSpec)
|
||||
**out = **in
|
||||
}
|
||||
if in.IdentityProviders != nil {
|
||||
in, out := &in.IdentityProviders, &out.IdentityProviders
|
||||
*out = make([]FederationDomainIdentityProvider, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
|
||||
*out = *in
|
||||
if in.LastUpdateTime != nil {
|
||||
in, out := &in.LastUpdateTime, &out.LastUpdateTime
|
||||
*out = (*in).DeepCopy()
|
||||
if in.Conditions != nil {
|
||||
in, out := &in.Conditions, &out.Conditions
|
||||
*out = make([]v1.Condition, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
out.Secrets = in.Secrets
|
||||
return
|
||||
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
|
||||
*out = *in
|
||||
if in.Constants != nil {
|
||||
in, out := &in.Constants, &out.Constants
|
||||
*out = make([]FederationDomainTransformsConstant, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.Expressions != nil {
|
||||
in, out := &in.Expressions, &out.Expressions
|
||||
*out = make([]FederationDomainTransformsExpression, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Examples != nil {
|
||||
in, out := &in.Examples, &out.Examples
|
||||
*out = make([]FederationDomainTransformsExample, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
|
||||
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransforms)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
|
||||
*out = *in
|
||||
if in.StringListValue != nil {
|
||||
in, out := &in.StringListValue, &out.StringListValue
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsConstant)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
in.Expects.DeepCopyInto(&out.Expects)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
|
||||
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExample)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExampleExpects)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExpression)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
|
||||
*out = *in
|
||||
|
@ -21,7 +21,7 @@ spec:
|
||||
- jsonPath: .spec.issuer
|
||||
name: Issuer
|
||||
type: string
|
||||
- jsonPath: .status.status
|
||||
- jsonPath: .status.phase
|
||||
name: Status
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
@ -47,6 +47,263 @@ spec:
|
||||
spec:
|
||||
description: Spec of the OIDC provider.
|
||||
properties:
|
||||
identityProviders:
|
||||
description: "IdentityProviders is the list of identity providers
|
||||
available for use by this FederationDomain. \n An identity provider
|
||||
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
|
||||
how to connect to a server, how to talk in a specific protocol for
|
||||
authentication, and how to use the schema of that server/protocol
|
||||
to extract a normalized user identity. Normalized user identities
|
||||
include a username and a list of group names. In contrast, IdentityProviders
|
||||
describes how to use that normalized identity in those Kubernetes
|
||||
clusters which belong to this FederationDomain. Each entry in IdentityProviders
|
||||
can be configured with arbitrary transformations on that normalized
|
||||
identity. For example, a transformation can add a prefix to all
|
||||
usernames to help avoid accidental conflicts when multiple identity
|
||||
providers have different users with the same username (e.g. \"idp1:ryan\"
|
||||
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
|
||||
implement arbitrary authentication rejection policies. Even though
|
||||
a user was able to authenticate with the identity provider, a policy
|
||||
can disallow the authentication to the Kubernetes clusters that
|
||||
belong to this FederationDomain. For example, a policy could disallow
|
||||
the authentication unless the user belongs to a specific group in
|
||||
the identity provider. \n For backwards compatibility with versions
|
||||
of Pinniped which predate support for multiple identity providers,
|
||||
an empty IdentityProviders list will cause the FederationDomain
|
||||
to use all available identity providers which exist in the same
|
||||
namespace, but also to reject all authentication requests when there
|
||||
is more than one identity provider currently defined. In this backwards
|
||||
compatibility mode, the name of the identity provider resource (e.g.
|
||||
the Name of an OIDCIdentityProvider resource) will be used as the
|
||||
name of the identity provider in this FederationDomain. This mode
|
||||
is provided to make upgrading from older versions easier. However,
|
||||
instead of relying on this backwards compatibility mode, please
|
||||
consider this mode to be deprecated and please instead explicitly
|
||||
list the identity provider using this IdentityProviders field."
|
||||
items:
|
||||
description: FederationDomainIdentityProvider describes how an identity
|
||||
provider is made available in this FederationDomain.
|
||||
properties:
|
||||
displayName:
|
||||
description: DisplayName is the name of this identity provider
|
||||
as it will appear to clients. This name ends up in the kubeconfig
|
||||
of end users, so changing the name of an identity provider
|
||||
that is in use by end users will be a disruptive change for
|
||||
those users.
|
||||
minLength: 1
|
||||
type: string
|
||||
objectRef:
|
||||
description: ObjectRef is a reference to a Pinniped identity
|
||||
provider resource. A valid reference is required. If the reference
|
||||
cannot be resolved then the identity provider will not be
|
||||
made available. Must refer to a resource of one of the Pinniped
|
||||
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
|
||||
ActiveDirectoryIdentityProvider.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup is the group for the resource being
|
||||
referenced. If APIGroup is not specified, the specified
|
||||
Kind must be in the core API group. For any other third-party
|
||||
types, APIGroup is required.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is the type of resource being referenced
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of resource being referenced
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
transforms:
|
||||
description: Transforms is an optional way to specify transformations
|
||||
to be applied during user authentication and session refresh.
|
||||
properties:
|
||||
constants:
|
||||
description: Constants defines constant variables and their
|
||||
values which will be made available to the transform expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsConstant defines
|
||||
a constant variable and its value which will be made
|
||||
available to the transform expressions. This is a union
|
||||
type, and Type is the discriminator field.
|
||||
properties:
|
||||
name:
|
||||
description: Name determines the name of the constant.
|
||||
It must be a valid identifier name.
|
||||
maxLength: 64
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
|
||||
type: string
|
||||
stringListValue:
|
||||
description: StringListValue should hold the value
|
||||
when Type is "stringList", and is otherwise ignored.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
stringValue:
|
||||
description: StringValue should hold the value when
|
||||
Type is "string", and is otherwise ignored.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the constant,
|
||||
and indicates which other field should be non-empty.
|
||||
enum:
|
||||
- string
|
||||
- stringList
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- name
|
||||
x-kubernetes-list-type: map
|
||||
examples:
|
||||
description: Examples can optionally be used to ensure that
|
||||
the sequence of transformation expressions are working
|
||||
as expected. Examples define sample input identities which
|
||||
are then run through the expression list, and the results
|
||||
are compared to the expected results. If any example in
|
||||
this list fails, then this identity provider will not
|
||||
be available for use within this FederationDomain, and
|
||||
the error(s) will be added to the FederationDomain status.
|
||||
This can be used to help guard against programming mistakes
|
||||
in the expressions, and also act as living documentation
|
||||
for other administrators to better understand the expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsExample defines
|
||||
a transform example.
|
||||
properties:
|
||||
expects:
|
||||
description: Expects is the expected output of the
|
||||
entire sequence of transforms when they are run
|
||||
against the input Username and Groups.
|
||||
properties:
|
||||
groups:
|
||||
description: Groups is the expected list of group
|
||||
names after the transformations have been applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
message:
|
||||
description: Message is the expected error message
|
||||
of the transforms. When Rejected is true, then
|
||||
Message is the expected message for the policy
|
||||
which rejected the authentication attempt. When
|
||||
Rejected is true and Message is blank, then
|
||||
Message will be treated as the default error
|
||||
message for authentication attempts which are
|
||||
rejected by a policy. When Rejected is false,
|
||||
then Message is the expected error message for
|
||||
some other non-policy transformation error,
|
||||
such as a runtime error. When Rejected is false,
|
||||
there is no default expected Message.
|
||||
type: string
|
||||
rejected:
|
||||
description: Rejected is a boolean that indicates
|
||||
whether authentication is expected to be rejected
|
||||
by a policy expression after the transformations
|
||||
have been applied. True means that it is expected
|
||||
that the authentication would be rejected. The
|
||||
default value of false means that it is expected
|
||||
that the authentication would not be rejected
|
||||
by any policy expression.
|
||||
type: boolean
|
||||
username:
|
||||
description: Username is the expected username
|
||||
after the transformations have been applied.
|
||||
type: string
|
||||
type: object
|
||||
groups:
|
||||
description: Groups is the input list of group names.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
username:
|
||||
description: Username is the input username.
|
||||
minLength: 1
|
||||
type: string
|
||||
required:
|
||||
- expects
|
||||
- username
|
||||
type: object
|
||||
type: array
|
||||
expressions:
|
||||
description: "Expressions are an optional list of transforms
|
||||
and policies to be executed in the order given during
|
||||
every authentication attempt, including during every session
|
||||
refresh. Each is a CEL expression. It may use the basic
|
||||
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
|
||||
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
\n The username and groups extracted from the identity
|
||||
provider, and the constants defined in this CR, are available
|
||||
as variables in all expressions. The username is provided
|
||||
via a variable called `username` and the list of group
|
||||
names is provided via a variable called `groups` (which
|
||||
may be an empty list). Each user-provided constants is
|
||||
provided via a variable named `strConst.varName` for string
|
||||
constants and `strListConst.varName` for string list constants.
|
||||
\n The only allowed types for expressions are currently
|
||||
policy/v1, username/v1, and groups/v1. Each policy/v1
|
||||
must return a boolean, and when it returns false, no more
|
||||
expressions from the list are evaluated and the authentication
|
||||
attempt is rejected. Transformations of type policy/v1
|
||||
do not return usernames or group names, and therefore
|
||||
cannot change the username or group names. Each username/v1
|
||||
transform must return the new username (a string), which
|
||||
can be the same as the old username. Transformations of
|
||||
type username/v1 do not return group names, and therefore
|
||||
cannot change the group names. Each groups/v1 transform
|
||||
must return the new groups list (list of strings), which
|
||||
can be the same as the old groups list. Transformations
|
||||
of type groups/v1 do not return usernames, and therefore
|
||||
cannot change the usernames. After each expression, the
|
||||
new (potentially changed) username or groups get passed
|
||||
to the following expression. \n Any compilation or static
|
||||
type-checking failure of any expression will cause an
|
||||
error status on the FederationDomain. During an authentication
|
||||
attempt, any unexpected runtime evaluation errors (e.g.
|
||||
division by zero) cause the authentication attempt to
|
||||
fail. When all expressions evaluate successfully, then
|
||||
the (potentially changed) username and group names have
|
||||
been decided for that authentication attempt."
|
||||
items:
|
||||
description: FederationDomainTransformsExpression defines
|
||||
a transform expression.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is a CEL expression that will
|
||||
be evaluated based on the Type during an authentication.
|
||||
minLength: 1
|
||||
type: string
|
||||
message:
|
||||
description: Message is only used when Type is policy/v1.
|
||||
It defines an error message to be used when the
|
||||
policy rejects an authentication attempt. When empty,
|
||||
a default message will be used.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the expression.
|
||||
It must be one of the supported types.
|
||||
enum:
|
||||
- policy/v1
|
||||
- username/v1
|
||||
- groups/v1
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- displayName
|
||||
- objectRef
|
||||
type: object
|
||||
type: array
|
||||
issuer:
|
||||
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
|
||||
Metadata document, as well as the identifier that it will use for
|
||||
@ -59,8 +316,8 @@ spec:
|
||||
minLength: 1
|
||||
type: string
|
||||
tls:
|
||||
description: TLS configures how this FederationDomain is served over
|
||||
Transport Layer Security (TLS).
|
||||
description: TLS specifies a secret which will contain Transport Layer
|
||||
Security (TLS) configuration for the FederationDomain.
|
||||
properties:
|
||||
secretName:
|
||||
description: "SecretName is an optional name of a Secret in the
|
||||
@ -91,14 +348,86 @@ spec:
|
||||
status:
|
||||
description: Status of the OIDC provider.
|
||||
properties:
|
||||
lastUpdateTime:
|
||||
description: LastUpdateTime holds the time at which the Status was
|
||||
last updated. It is a pointer to get around some undesirable behavior
|
||||
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
conditions:
|
||||
description: Conditions represent the observations of an FederationDomain's
|
||||
current state.
|
||||
items:
|
||||
description: "Condition contains details for one aspect of the current
|
||||
state of this API Resource. --- This struct is intended for direct
|
||||
use as an array at the field path .status.conditions. For example,
|
||||
\n type FooStatus struct{ // Represents the observations of a
|
||||
foo's current state. // Known .status.conditions.type are: \"Available\",
|
||||
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
||||
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
||||
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
||||
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: lastTransitionTime is the last time the condition
|
||||
transitioned from one status to another. This should be when
|
||||
the underlying condition changed. If that is not known, then
|
||||
using the time when the API field changed is acceptable.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: Message provides human-readable details about the Status.
|
||||
description: message is a human readable message indicating
|
||||
details about the transition. This may be an empty string.
|
||||
maxLength: 32768
|
||||
type: string
|
||||
observedGeneration:
|
||||
description: observedGeneration represents the .metadata.generation
|
||||
that the condition was set based upon. For instance, if .metadata.generation
|
||||
is currently 12, but the .status.conditions[x].observedGeneration
|
||||
is 9, the condition is out of date with respect to the current
|
||||
state of the instance.
|
||||
format: int64
|
||||
minimum: 0
|
||||
type: integer
|
||||
reason:
|
||||
description: reason contains a programmatic identifier indicating
|
||||
the reason for the condition's last transition. Producers
|
||||
of specific condition types may define expected values and
|
||||
meanings for this field, and whether the values are considered
|
||||
a guaranteed API. The value should be a CamelCase string.
|
||||
This field may not be empty.
|
||||
maxLength: 1024
|
||||
minLength: 1
|
||||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
||||
--- Many .condition.type values are consistent across resources
|
||||
like Available, but because arbitrary conditions can be useful
|
||||
(see .node.status.conditions), the ability to deconflict is
|
||||
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||||
maxLength: 316
|
||||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- message
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- type
|
||||
x-kubernetes-list-type: map
|
||||
phase:
|
||||
default: Pending
|
||||
description: Phase summarizes the overall status of the FederationDomain.
|
||||
enum:
|
||||
- Pending
|
||||
- Ready
|
||||
- Error
|
||||
type: string
|
||||
secrets:
|
||||
description: Secrets contains information about this OIDC Provider's
|
||||
@ -145,15 +474,6 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
status:
|
||||
description: Status holds an enum that describes the state of this
|
||||
OIDC Provider. Note that this Status can represent success or failure.
|
||||
enum:
|
||||
- Success
|
||||
- Duplicate
|
||||
- Invalid
|
||||
- SameIssuerHostMustUseSameSecret
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
|
153
generated/1.26/README.adoc
generated
153
generated/1.26/README.adoc
generated
@ -650,6 +650,37 @@ FederationDomain describes the configuration of an OIDC provider.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
|
||||
==== FederationDomainIdentityProvider
|
||||
|
||||
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
|
||||
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|
||||
|===
|
||||
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainphase"]
|
||||
==== FederationDomainPhase (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
|
||||
@ -687,7 +718,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
| Field | Description
|
||||
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
||||
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|
||||
|===
|
||||
|
||||
|
||||
@ -704,25 +738,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
|
||||
| *`message`* __string__ | Message provides human-readable details about the Status.
|
||||
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
|
||||
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
|
||||
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
|
||||
==== FederationDomainStatusCondition (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
|
||||
==== FederationDomainTLSSpec
|
||||
|
||||
@ -744,6 +765,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
|
||||
==== FederationDomainTransforms
|
||||
|
||||
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
|
||||
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
|
||||
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
|
||||
==== FederationDomainTransformsConstant
|
||||
|
||||
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
|
||||
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
|
||||
==== FederationDomainTransformsExample
|
||||
|
||||
FederationDomainTransformsExample defines a transform example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the input username.
|
||||
| *`groups`* __string array__ | Groups is the input list of group names.
|
||||
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
|
||||
==== FederationDomainTransformsExampleExpects
|
||||
|
||||
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
|
||||
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
|
||||
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
|
||||
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
|
||||
==== FederationDomainTransformsExpression
|
||||
|
||||
FederationDomainTransformsExpression defines a transform expression.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
|
||||
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-granttype"]
|
||||
==== GrantType (string)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package v1alpha1
|
||||
@ -8,14 +8,17 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
|
||||
type FederationDomainStatusCondition string
|
||||
type FederationDomainPhase string
|
||||
|
||||
const (
|
||||
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
|
||||
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
|
||||
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
|
||||
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
|
||||
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
|
||||
FederationDomainPhasePending FederationDomainPhase = "Pending"
|
||||
|
||||
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
|
||||
FederationDomainPhaseReady FederationDomainPhase = "Ready"
|
||||
|
||||
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
|
||||
FederationDomainPhaseError FederationDomainPhase = "Error"
|
||||
)
|
||||
|
||||
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
|
||||
// the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
type FederationDomainTransformsConstant struct {
|
||||
// Name determines the name of the constant. It must be a valid identifier name.
|
||||
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
// +kubebuilder:validation:MaxLength=64
|
||||
Name string `json:"name"`
|
||||
|
||||
// Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
// +kubebuilder:validation:Enum=string;stringList
|
||||
Type string `json:"type"`
|
||||
|
||||
// StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
// +optional
|
||||
StringValue string `json:"stringValue,omitempty"`
|
||||
|
||||
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
// +optional
|
||||
StringListValue []string `json:"stringListValue,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExpression defines a transform expression.
|
||||
type FederationDomainTransformsExpression struct {
|
||||
// Type determines the type of the expression. It must be one of the supported types.
|
||||
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
|
||||
Type string `json:"type"`
|
||||
|
||||
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Expression string `json:"expression"`
|
||||
|
||||
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
|
||||
// an authentication attempt. When empty, a default message will be used.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExample defines a transform example.
|
||||
type FederationDomainTransformsExample struct {
|
||||
// Username is the input username.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Username string `json:"username"`
|
||||
|
||||
// Groups is the input list of group names.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Expects is the expected output of the entire sequence of transforms when they are run against the
|
||||
// input Username and Groups.
|
||||
Expects FederationDomainTransformsExampleExpects `json:"expects"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
type FederationDomainTransformsExampleExpects struct {
|
||||
// Username is the expected username after the transformations have been applied.
|
||||
// +optional
|
||||
Username string `json:"username,omitempty"`
|
||||
|
||||
// Groups is the expected list of group names after the transformations have been applied.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
|
||||
// after the transformations have been applied. True means that it is expected that the authentication would be
|
||||
// rejected. The default value of false means that it is expected that the authentication would not be rejected
|
||||
// by any policy expression.
|
||||
// +optional
|
||||
Rejected bool `json:"rejected,omitempty"`
|
||||
|
||||
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
|
||||
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
|
||||
// then Message will be treated as the default error message for authentication attempts which are rejected by a
|
||||
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
|
||||
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
type FederationDomainTransforms struct {
|
||||
// Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
// +patchMergeKey=name
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=name
|
||||
// +optional
|
||||
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
|
||||
|
||||
// Expressions are an optional list of transforms and policies to be executed in the order given during every
|
||||
// authentication attempt, including during every session refresh.
|
||||
// Each is a CEL expression. It may use the basic CEL language as defined in
|
||||
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
|
||||
// https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
//
|
||||
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
|
||||
// available as variables in all expressions. The username is provided via a variable called `username` and
|
||||
// the list of group names is provided via a variable called `groups` (which may be an empty list).
|
||||
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
|
||||
// and `strListConst.varName` for string list constants.
|
||||
//
|
||||
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
|
||||
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
|
||||
// and the authentication attempt is rejected.
|
||||
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
|
||||
// username or group names.
|
||||
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
|
||||
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
|
||||
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
|
||||
// groups list.
|
||||
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
|
||||
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
//
|
||||
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
|
||||
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
|
||||
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
|
||||
// and group names have been decided for that authentication attempt.
|
||||
//
|
||||
// +optional
|
||||
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
|
||||
|
||||
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
|
||||
// expected. Examples define sample input identities which are then run through the expression list, and the
|
||||
// results are compared to the expected results. If any example in this list fails, then this
|
||||
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
|
||||
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
|
||||
// expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
// +optional
|
||||
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
type FederationDomainIdentityProvider struct {
|
||||
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
|
||||
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
|
||||
// disruptive change for those users.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
DisplayName string `json:"displayName"`
|
||||
|
||||
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
|
||||
// If the reference cannot be resolved then the identity provider will not be made available.
|
||||
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
|
||||
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
|
||||
|
||||
// Transforms is an optional way to specify transformations to be applied during user authentication and
|
||||
// session refresh.
|
||||
// +optional
|
||||
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
type FederationDomainSpec struct {
|
||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Issuer string `json:"issuer"`
|
||||
|
||||
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
// +optional
|
||||
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
|
||||
|
||||
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
//
|
||||
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
|
||||
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
|
||||
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
|
||||
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
|
||||
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
|
||||
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
|
||||
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
|
||||
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
|
||||
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
|
||||
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
|
||||
// disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
//
|
||||
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
|
||||
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
|
||||
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
|
||||
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
|
||||
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
|
||||
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
|
||||
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
|
||||
// explicitly list the identity provider using this IdentityProviders field.
|
||||
//
|
||||
// +optional
|
||||
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
|
||||
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
|
||||
|
||||
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
|
||||
type FederationDomainStatus struct {
|
||||
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
|
||||
// represent success or failure.
|
||||
// +optional
|
||||
Status FederationDomainStatusCondition `json:"status,omitempty"`
|
||||
// Phase summarizes the overall status of the FederationDomain.
|
||||
// +kubebuilder:default=Pending
|
||||
// +kubebuilder:validation:Enum=Pending;Ready;Error
|
||||
Phase FederationDomainPhase `json:"phase,omitempty"`
|
||||
|
||||
// Message provides human-readable details about the Status.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
|
||||
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
|
||||
// around some undesirable behavior with respect to the empty metav1.Time value (see
|
||||
// https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
// +optional
|
||||
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
|
||||
// Conditions represent the observations of an FederationDomain's current state.
|
||||
// +patchMergeKey=type
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=type
|
||||
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
|
||||
|
||||
// Secrets contains information about this OIDC Provider's secrets.
|
||||
// +optional
|
||||
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type FederationDomain struct {
|
||||
|
@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
type OIDCClientPhase string
|
||||
|
||||
const (
|
||||
// PhasePending is the default phase for newly-created OIDCClient resources.
|
||||
PhasePending OIDCClientPhase = "Pending"
|
||||
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
|
||||
OIDCClientPhasePending OIDCClientPhase = "Pending"
|
||||
|
||||
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
PhaseReady OIDCClientPhase = "Ready"
|
||||
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
OIDCClientPhaseReady OIDCClientPhase = "Ready"
|
||||
|
||||
// PhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
PhaseError OIDCClientPhase = "Error"
|
||||
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
OIDCClientPhaseError OIDCClientPhase = "Error"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
|
||||
|
@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
|
||||
*out = *in
|
||||
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
|
||||
in.Transforms.DeepCopyInto(&out.Transforms)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainIdentityProvider)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
|
||||
*out = *in
|
||||
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
|
||||
*out = new(FederationDomainTLSSpec)
|
||||
**out = **in
|
||||
}
|
||||
if in.IdentityProviders != nil {
|
||||
in, out := &in.IdentityProviders, &out.IdentityProviders
|
||||
*out = make([]FederationDomainIdentityProvider, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
|
||||
*out = *in
|
||||
if in.LastUpdateTime != nil {
|
||||
in, out := &in.LastUpdateTime, &out.LastUpdateTime
|
||||
*out = (*in).DeepCopy()
|
||||
if in.Conditions != nil {
|
||||
in, out := &in.Conditions, &out.Conditions
|
||||
*out = make([]v1.Condition, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
out.Secrets = in.Secrets
|
||||
return
|
||||
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
|
||||
*out = *in
|
||||
if in.Constants != nil {
|
||||
in, out := &in.Constants, &out.Constants
|
||||
*out = make([]FederationDomainTransformsConstant, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.Expressions != nil {
|
||||
in, out := &in.Expressions, &out.Expressions
|
||||
*out = make([]FederationDomainTransformsExpression, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Examples != nil {
|
||||
in, out := &in.Examples, &out.Examples
|
||||
*out = make([]FederationDomainTransformsExample, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
|
||||
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransforms)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
|
||||
*out = *in
|
||||
if in.StringListValue != nil {
|
||||
in, out := &in.StringListValue, &out.StringListValue
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsConstant)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
in.Expects.DeepCopyInto(&out.Expects)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
|
||||
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExample)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExampleExpects)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExpression)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
|
||||
*out = *in
|
||||
|
@ -21,7 +21,7 @@ spec:
|
||||
- jsonPath: .spec.issuer
|
||||
name: Issuer
|
||||
type: string
|
||||
- jsonPath: .status.status
|
||||
- jsonPath: .status.phase
|
||||
name: Status
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
@ -47,6 +47,263 @@ spec:
|
||||
spec:
|
||||
description: Spec of the OIDC provider.
|
||||
properties:
|
||||
identityProviders:
|
||||
description: "IdentityProviders is the list of identity providers
|
||||
available for use by this FederationDomain. \n An identity provider
|
||||
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
|
||||
how to connect to a server, how to talk in a specific protocol for
|
||||
authentication, and how to use the schema of that server/protocol
|
||||
to extract a normalized user identity. Normalized user identities
|
||||
include a username and a list of group names. In contrast, IdentityProviders
|
||||
describes how to use that normalized identity in those Kubernetes
|
||||
clusters which belong to this FederationDomain. Each entry in IdentityProviders
|
||||
can be configured with arbitrary transformations on that normalized
|
||||
identity. For example, a transformation can add a prefix to all
|
||||
usernames to help avoid accidental conflicts when multiple identity
|
||||
providers have different users with the same username (e.g. \"idp1:ryan\"
|
||||
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
|
||||
implement arbitrary authentication rejection policies. Even though
|
||||
a user was able to authenticate with the identity provider, a policy
|
||||
can disallow the authentication to the Kubernetes clusters that
|
||||
belong to this FederationDomain. For example, a policy could disallow
|
||||
the authentication unless the user belongs to a specific group in
|
||||
the identity provider. \n For backwards compatibility with versions
|
||||
of Pinniped which predate support for multiple identity providers,
|
||||
an empty IdentityProviders list will cause the FederationDomain
|
||||
to use all available identity providers which exist in the same
|
||||
namespace, but also to reject all authentication requests when there
|
||||
is more than one identity provider currently defined. In this backwards
|
||||
compatibility mode, the name of the identity provider resource (e.g.
|
||||
the Name of an OIDCIdentityProvider resource) will be used as the
|
||||
name of the identity provider in this FederationDomain. This mode
|
||||
is provided to make upgrading from older versions easier. However,
|
||||
instead of relying on this backwards compatibility mode, please
|
||||
consider this mode to be deprecated and please instead explicitly
|
||||
list the identity provider using this IdentityProviders field."
|
||||
items:
|
||||
description: FederationDomainIdentityProvider describes how an identity
|
||||
provider is made available in this FederationDomain.
|
||||
properties:
|
||||
displayName:
|
||||
description: DisplayName is the name of this identity provider
|
||||
as it will appear to clients. This name ends up in the kubeconfig
|
||||
of end users, so changing the name of an identity provider
|
||||
that is in use by end users will be a disruptive change for
|
||||
those users.
|
||||
minLength: 1
|
||||
type: string
|
||||
objectRef:
|
||||
description: ObjectRef is a reference to a Pinniped identity
|
||||
provider resource. A valid reference is required. If the reference
|
||||
cannot be resolved then the identity provider will not be
|
||||
made available. Must refer to a resource of one of the Pinniped
|
||||
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
|
||||
ActiveDirectoryIdentityProvider.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup is the group for the resource being
|
||||
referenced. If APIGroup is not specified, the specified
|
||||
Kind must be in the core API group. For any other third-party
|
||||
types, APIGroup is required.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is the type of resource being referenced
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of resource being referenced
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
transforms:
|
||||
description: Transforms is an optional way to specify transformations
|
||||
to be applied during user authentication and session refresh.
|
||||
properties:
|
||||
constants:
|
||||
description: Constants defines constant variables and their
|
||||
values which will be made available to the transform expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsConstant defines
|
||||
a constant variable and its value which will be made
|
||||
available to the transform expressions. This is a union
|
||||
type, and Type is the discriminator field.
|
||||
properties:
|
||||
name:
|
||||
description: Name determines the name of the constant.
|
||||
It must be a valid identifier name.
|
||||
maxLength: 64
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
|
||||
type: string
|
||||
stringListValue:
|
||||
description: StringListValue should hold the value
|
||||
when Type is "stringList", and is otherwise ignored.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
stringValue:
|
||||
description: StringValue should hold the value when
|
||||
Type is "string", and is otherwise ignored.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the constant,
|
||||
and indicates which other field should be non-empty.
|
||||
enum:
|
||||
- string
|
||||
- stringList
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- name
|
||||
x-kubernetes-list-type: map
|
||||
examples:
|
||||
description: Examples can optionally be used to ensure that
|
||||
the sequence of transformation expressions are working
|
||||
as expected. Examples define sample input identities which
|
||||
are then run through the expression list, and the results
|
||||
are compared to the expected results. If any example in
|
||||
this list fails, then this identity provider will not
|
||||
be available for use within this FederationDomain, and
|
||||
the error(s) will be added to the FederationDomain status.
|
||||
This can be used to help guard against programming mistakes
|
||||
in the expressions, and also act as living documentation
|
||||
for other administrators to better understand the expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsExample defines
|
||||
a transform example.
|
||||
properties:
|
||||
expects:
|
||||
description: Expects is the expected output of the
|
||||
entire sequence of transforms when they are run
|
||||
against the input Username and Groups.
|
||||
properties:
|
||||
groups:
|
||||
description: Groups is the expected list of group
|
||||
names after the transformations have been applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
message:
|
||||
description: Message is the expected error message
|
||||
of the transforms. When Rejected is true, then
|
||||
Message is the expected message for the policy
|
||||
which rejected the authentication attempt. When
|
||||
Rejected is true and Message is blank, then
|
||||
Message will be treated as the default error
|
||||
message for authentication attempts which are
|
||||
rejected by a policy. When Rejected is false,
|
||||
then Message is the expected error message for
|
||||
some other non-policy transformation error,
|
||||
such as a runtime error. When Rejected is false,
|
||||
there is no default expected Message.
|
||||
type: string
|
||||
rejected:
|
||||
description: Rejected is a boolean that indicates
|
||||
whether authentication is expected to be rejected
|
||||
by a policy expression after the transformations
|
||||
have been applied. True means that it is expected
|
||||
that the authentication would be rejected. The
|
||||
default value of false means that it is expected
|
||||
that the authentication would not be rejected
|
||||
by any policy expression.
|
||||
type: boolean
|
||||
username:
|
||||
description: Username is the expected username
|
||||
after the transformations have been applied.
|
||||
type: string
|
||||
type: object
|
||||
groups:
|
||||
description: Groups is the input list of group names.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
username:
|
||||
description: Username is the input username.
|
||||
minLength: 1
|
||||
type: string
|
||||
required:
|
||||
- expects
|
||||
- username
|
||||
type: object
|
||||
type: array
|
||||
expressions:
|
||||
description: "Expressions are an optional list of transforms
|
||||
and policies to be executed in the order given during
|
||||
every authentication attempt, including during every session
|
||||
refresh. Each is a CEL expression. It may use the basic
|
||||
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
|
||||
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
\n The username and groups extracted from the identity
|
||||
provider, and the constants defined in this CR, are available
|
||||
as variables in all expressions. The username is provided
|
||||
via a variable called `username` and the list of group
|
||||
names is provided via a variable called `groups` (which
|
||||
may be an empty list). Each user-provided constants is
|
||||
provided via a variable named `strConst.varName` for string
|
||||
constants and `strListConst.varName` for string list constants.
|
||||
\n The only allowed types for expressions are currently
|
||||
policy/v1, username/v1, and groups/v1. Each policy/v1
|
||||
must return a boolean, and when it returns false, no more
|
||||
expressions from the list are evaluated and the authentication
|
||||
attempt is rejected. Transformations of type policy/v1
|
||||
do not return usernames or group names, and therefore
|
||||
cannot change the username or group names. Each username/v1
|
||||
transform must return the new username (a string), which
|
||||
can be the same as the old username. Transformations of
|
||||
type username/v1 do not return group names, and therefore
|
||||
cannot change the group names. Each groups/v1 transform
|
||||
must return the new groups list (list of strings), which
|
||||
can be the same as the old groups list. Transformations
|
||||
of type groups/v1 do not return usernames, and therefore
|
||||
cannot change the usernames. After each expression, the
|
||||
new (potentially changed) username or groups get passed
|
||||
to the following expression. \n Any compilation or static
|
||||
type-checking failure of any expression will cause an
|
||||
error status on the FederationDomain. During an authentication
|
||||
attempt, any unexpected runtime evaluation errors (e.g.
|
||||
division by zero) cause the authentication attempt to
|
||||
fail. When all expressions evaluate successfully, then
|
||||
the (potentially changed) username and group names have
|
||||
been decided for that authentication attempt."
|
||||
items:
|
||||
description: FederationDomainTransformsExpression defines
|
||||
a transform expression.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is a CEL expression that will
|
||||
be evaluated based on the Type during an authentication.
|
||||
minLength: 1
|
||||
type: string
|
||||
message:
|
||||
description: Message is only used when Type is policy/v1.
|
||||
It defines an error message to be used when the
|
||||
policy rejects an authentication attempt. When empty,
|
||||
a default message will be used.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the expression.
|
||||
It must be one of the supported types.
|
||||
enum:
|
||||
- policy/v1
|
||||
- username/v1
|
||||
- groups/v1
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- displayName
|
||||
- objectRef
|
||||
type: object
|
||||
type: array
|
||||
issuer:
|
||||
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
|
||||
Metadata document, as well as the identifier that it will use for
|
||||
@ -59,8 +316,8 @@ spec:
|
||||
minLength: 1
|
||||
type: string
|
||||
tls:
|
||||
description: TLS configures how this FederationDomain is served over
|
||||
Transport Layer Security (TLS).
|
||||
description: TLS specifies a secret which will contain Transport Layer
|
||||
Security (TLS) configuration for the FederationDomain.
|
||||
properties:
|
||||
secretName:
|
||||
description: "SecretName is an optional name of a Secret in the
|
||||
@ -91,14 +348,86 @@ spec:
|
||||
status:
|
||||
description: Status of the OIDC provider.
|
||||
properties:
|
||||
lastUpdateTime:
|
||||
description: LastUpdateTime holds the time at which the Status was
|
||||
last updated. It is a pointer to get around some undesirable behavior
|
||||
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
conditions:
|
||||
description: Conditions represent the observations of an FederationDomain's
|
||||
current state.
|
||||
items:
|
||||
description: "Condition contains details for one aspect of the current
|
||||
state of this API Resource. --- This struct is intended for direct
|
||||
use as an array at the field path .status.conditions. For example,
|
||||
\n type FooStatus struct{ // Represents the observations of a
|
||||
foo's current state. // Known .status.conditions.type are: \"Available\",
|
||||
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
||||
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
||||
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
||||
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: lastTransitionTime is the last time the condition
|
||||
transitioned from one status to another. This should be when
|
||||
the underlying condition changed. If that is not known, then
|
||||
using the time when the API field changed is acceptable.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: Message provides human-readable details about the Status.
|
||||
description: message is a human readable message indicating
|
||||
details about the transition. This may be an empty string.
|
||||
maxLength: 32768
|
||||
type: string
|
||||
observedGeneration:
|
||||
description: observedGeneration represents the .metadata.generation
|
||||
that the condition was set based upon. For instance, if .metadata.generation
|
||||
is currently 12, but the .status.conditions[x].observedGeneration
|
||||
is 9, the condition is out of date with respect to the current
|
||||
state of the instance.
|
||||
format: int64
|
||||
minimum: 0
|
||||
type: integer
|
||||
reason:
|
||||
description: reason contains a programmatic identifier indicating
|
||||
the reason for the condition's last transition. Producers
|
||||
of specific condition types may define expected values and
|
||||
meanings for this field, and whether the values are considered
|
||||
a guaranteed API. The value should be a CamelCase string.
|
||||
This field may not be empty.
|
||||
maxLength: 1024
|
||||
minLength: 1
|
||||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
||||
--- Many .condition.type values are consistent across resources
|
||||
like Available, but because arbitrary conditions can be useful
|
||||
(see .node.status.conditions), the ability to deconflict is
|
||||
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||||
maxLength: 316
|
||||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- message
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- type
|
||||
x-kubernetes-list-type: map
|
||||
phase:
|
||||
default: Pending
|
||||
description: Phase summarizes the overall status of the FederationDomain.
|
||||
enum:
|
||||
- Pending
|
||||
- Ready
|
||||
- Error
|
||||
type: string
|
||||
secrets:
|
||||
description: Secrets contains information about this OIDC Provider's
|
||||
@ -145,15 +474,6 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
status:
|
||||
description: Status holds an enum that describes the state of this
|
||||
OIDC Provider. Note that this Status can represent success or failure.
|
||||
enum:
|
||||
- Success
|
||||
- Duplicate
|
||||
- Invalid
|
||||
- SameIssuerHostMustUseSameSecret
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
|
153
generated/1.27/README.adoc
generated
153
generated/1.27/README.adoc
generated
@ -650,6 +650,37 @@ FederationDomain describes the configuration of an OIDC provider.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
|
||||
==== FederationDomainIdentityProvider
|
||||
|
||||
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
|
||||
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|
||||
|===
|
||||
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainphase"]
|
||||
==== FederationDomainPhase (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
|
||||
@ -687,7 +718,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
| Field | Description
|
||||
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
||||
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|
||||
|===
|
||||
|
||||
|
||||
@ -704,25 +738,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
|
||||
| *`message`* __string__ | Message provides human-readable details about the Status.
|
||||
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
|
||||
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
|
||||
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
|
||||
==== FederationDomainStatusCondition (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
|
||||
==== FederationDomainTLSSpec
|
||||
|
||||
@ -744,6 +765,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
|
||||
==== FederationDomainTransforms
|
||||
|
||||
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
|
||||
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
|
||||
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
|
||||
==== FederationDomainTransformsConstant
|
||||
|
||||
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
|
||||
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
|
||||
==== FederationDomainTransformsExample
|
||||
|
||||
FederationDomainTransformsExample defines a transform example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the input username.
|
||||
| *`groups`* __string array__ | Groups is the input list of group names.
|
||||
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
|
||||
==== FederationDomainTransformsExampleExpects
|
||||
|
||||
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
|
||||
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
|
||||
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
|
||||
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
|
||||
==== FederationDomainTransformsExpression
|
||||
|
||||
FederationDomainTransformsExpression defines a transform expression.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
|
||||
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-granttype"]
|
||||
==== GrantType (string)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package v1alpha1
|
||||
@ -8,14 +8,17 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
|
||||
type FederationDomainStatusCondition string
|
||||
type FederationDomainPhase string
|
||||
|
||||
const (
|
||||
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
|
||||
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
|
||||
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
|
||||
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
|
||||
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
|
||||
FederationDomainPhasePending FederationDomainPhase = "Pending"
|
||||
|
||||
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
|
||||
FederationDomainPhaseReady FederationDomainPhase = "Ready"
|
||||
|
||||
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
|
||||
FederationDomainPhaseError FederationDomainPhase = "Error"
|
||||
)
|
||||
|
||||
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
|
||||
// the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
type FederationDomainTransformsConstant struct {
|
||||
// Name determines the name of the constant. It must be a valid identifier name.
|
||||
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
// +kubebuilder:validation:MaxLength=64
|
||||
Name string `json:"name"`
|
||||
|
||||
// Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
// +kubebuilder:validation:Enum=string;stringList
|
||||
Type string `json:"type"`
|
||||
|
||||
// StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
// +optional
|
||||
StringValue string `json:"stringValue,omitempty"`
|
||||
|
||||
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
// +optional
|
||||
StringListValue []string `json:"stringListValue,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExpression defines a transform expression.
|
||||
type FederationDomainTransformsExpression struct {
|
||||
// Type determines the type of the expression. It must be one of the supported types.
|
||||
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
|
||||
Type string `json:"type"`
|
||||
|
||||
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Expression string `json:"expression"`
|
||||
|
||||
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
|
||||
// an authentication attempt. When empty, a default message will be used.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExample defines a transform example.
|
||||
type FederationDomainTransformsExample struct {
|
||||
// Username is the input username.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Username string `json:"username"`
|
||||
|
||||
// Groups is the input list of group names.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Expects is the expected output of the entire sequence of transforms when they are run against the
|
||||
// input Username and Groups.
|
||||
Expects FederationDomainTransformsExampleExpects `json:"expects"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
type FederationDomainTransformsExampleExpects struct {
|
||||
// Username is the expected username after the transformations have been applied.
|
||||
// +optional
|
||||
Username string `json:"username,omitempty"`
|
||||
|
||||
// Groups is the expected list of group names after the transformations have been applied.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
|
||||
// after the transformations have been applied. True means that it is expected that the authentication would be
|
||||
// rejected. The default value of false means that it is expected that the authentication would not be rejected
|
||||
// by any policy expression.
|
||||
// +optional
|
||||
Rejected bool `json:"rejected,omitempty"`
|
||||
|
||||
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
|
||||
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
|
||||
// then Message will be treated as the default error message for authentication attempts which are rejected by a
|
||||
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
|
||||
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
type FederationDomainTransforms struct {
|
||||
// Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
// +patchMergeKey=name
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=name
|
||||
// +optional
|
||||
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
|
||||
|
||||
// Expressions are an optional list of transforms and policies to be executed in the order given during every
|
||||
// authentication attempt, including during every session refresh.
|
||||
// Each is a CEL expression. It may use the basic CEL language as defined in
|
||||
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
|
||||
// https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
//
|
||||
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
|
||||
// available as variables in all expressions. The username is provided via a variable called `username` and
|
||||
// the list of group names is provided via a variable called `groups` (which may be an empty list).
|
||||
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
|
||||
// and `strListConst.varName` for string list constants.
|
||||
//
|
||||
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
|
||||
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
|
||||
// and the authentication attempt is rejected.
|
||||
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
|
||||
// username or group names.
|
||||
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
|
||||
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
|
||||
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
|
||||
// groups list.
|
||||
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
|
||||
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
//
|
||||
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
|
||||
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
|
||||
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
|
||||
// and group names have been decided for that authentication attempt.
|
||||
//
|
||||
// +optional
|
||||
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
|
||||
|
||||
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
|
||||
// expected. Examples define sample input identities which are then run through the expression list, and the
|
||||
// results are compared to the expected results. If any example in this list fails, then this
|
||||
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
|
||||
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
|
||||
// expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
// +optional
|
||||
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
type FederationDomainIdentityProvider struct {
|
||||
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
|
||||
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
|
||||
// disruptive change for those users.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
DisplayName string `json:"displayName"`
|
||||
|
||||
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
|
||||
// If the reference cannot be resolved then the identity provider will not be made available.
|
||||
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
|
||||
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
|
||||
|
||||
// Transforms is an optional way to specify transformations to be applied during user authentication and
|
||||
// session refresh.
|
||||
// +optional
|
||||
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
type FederationDomainSpec struct {
|
||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Issuer string `json:"issuer"`
|
||||
|
||||
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
// +optional
|
||||
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
|
||||
|
||||
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
//
|
||||
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
|
||||
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
|
||||
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
|
||||
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
|
||||
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
|
||||
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
|
||||
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
|
||||
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
|
||||
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
|
||||
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
|
||||
// disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
//
|
||||
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
|
||||
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
|
||||
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
|
||||
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
|
||||
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
|
||||
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
|
||||
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
|
||||
// explicitly list the identity provider using this IdentityProviders field.
|
||||
//
|
||||
// +optional
|
||||
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
|
||||
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
|
||||
|
||||
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
|
||||
type FederationDomainStatus struct {
|
||||
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
|
||||
// represent success or failure.
|
||||
// +optional
|
||||
Status FederationDomainStatusCondition `json:"status,omitempty"`
|
||||
// Phase summarizes the overall status of the FederationDomain.
|
||||
// +kubebuilder:default=Pending
|
||||
// +kubebuilder:validation:Enum=Pending;Ready;Error
|
||||
Phase FederationDomainPhase `json:"phase,omitempty"`
|
||||
|
||||
// Message provides human-readable details about the Status.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
|
||||
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
|
||||
// around some undesirable behavior with respect to the empty metav1.Time value (see
|
||||
// https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
// +optional
|
||||
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
|
||||
// Conditions represent the observations of an FederationDomain's current state.
|
||||
// +patchMergeKey=type
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=type
|
||||
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
|
||||
|
||||
// Secrets contains information about this OIDC Provider's secrets.
|
||||
// +optional
|
||||
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type FederationDomain struct {
|
||||
|
@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
type OIDCClientPhase string
|
||||
|
||||
const (
|
||||
// PhasePending is the default phase for newly-created OIDCClient resources.
|
||||
PhasePending OIDCClientPhase = "Pending"
|
||||
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
|
||||
OIDCClientPhasePending OIDCClientPhase = "Pending"
|
||||
|
||||
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
PhaseReady OIDCClientPhase = "Ready"
|
||||
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
OIDCClientPhaseReady OIDCClientPhase = "Ready"
|
||||
|
||||
// PhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
PhaseError OIDCClientPhase = "Error"
|
||||
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
OIDCClientPhaseError OIDCClientPhase = "Error"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
|
||||
|
@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
|
||||
*out = *in
|
||||
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
|
||||
in.Transforms.DeepCopyInto(&out.Transforms)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainIdentityProvider)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
|
||||
*out = *in
|
||||
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
|
||||
*out = new(FederationDomainTLSSpec)
|
||||
**out = **in
|
||||
}
|
||||
if in.IdentityProviders != nil {
|
||||
in, out := &in.IdentityProviders, &out.IdentityProviders
|
||||
*out = make([]FederationDomainIdentityProvider, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
|
||||
*out = *in
|
||||
if in.LastUpdateTime != nil {
|
||||
in, out := &in.LastUpdateTime, &out.LastUpdateTime
|
||||
*out = (*in).DeepCopy()
|
||||
if in.Conditions != nil {
|
||||
in, out := &in.Conditions, &out.Conditions
|
||||
*out = make([]v1.Condition, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
out.Secrets = in.Secrets
|
||||
return
|
||||
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
|
||||
*out = *in
|
||||
if in.Constants != nil {
|
||||
in, out := &in.Constants, &out.Constants
|
||||
*out = make([]FederationDomainTransformsConstant, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.Expressions != nil {
|
||||
in, out := &in.Expressions, &out.Expressions
|
||||
*out = make([]FederationDomainTransformsExpression, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Examples != nil {
|
||||
in, out := &in.Examples, &out.Examples
|
||||
*out = make([]FederationDomainTransformsExample, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
|
||||
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransforms)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
|
||||
*out = *in
|
||||
if in.StringListValue != nil {
|
||||
in, out := &in.StringListValue, &out.StringListValue
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsConstant)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
in.Expects.DeepCopyInto(&out.Expects)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
|
||||
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExample)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExampleExpects)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExpression)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
|
||||
*out = *in
|
||||
|
@ -21,7 +21,7 @@ spec:
|
||||
- jsonPath: .spec.issuer
|
||||
name: Issuer
|
||||
type: string
|
||||
- jsonPath: .status.status
|
||||
- jsonPath: .status.phase
|
||||
name: Status
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
@ -47,6 +47,263 @@ spec:
|
||||
spec:
|
||||
description: Spec of the OIDC provider.
|
||||
properties:
|
||||
identityProviders:
|
||||
description: "IdentityProviders is the list of identity providers
|
||||
available for use by this FederationDomain. \n An identity provider
|
||||
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
|
||||
how to connect to a server, how to talk in a specific protocol for
|
||||
authentication, and how to use the schema of that server/protocol
|
||||
to extract a normalized user identity. Normalized user identities
|
||||
include a username and a list of group names. In contrast, IdentityProviders
|
||||
describes how to use that normalized identity in those Kubernetes
|
||||
clusters which belong to this FederationDomain. Each entry in IdentityProviders
|
||||
can be configured with arbitrary transformations on that normalized
|
||||
identity. For example, a transformation can add a prefix to all
|
||||
usernames to help avoid accidental conflicts when multiple identity
|
||||
providers have different users with the same username (e.g. \"idp1:ryan\"
|
||||
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
|
||||
implement arbitrary authentication rejection policies. Even though
|
||||
a user was able to authenticate with the identity provider, a policy
|
||||
can disallow the authentication to the Kubernetes clusters that
|
||||
belong to this FederationDomain. For example, a policy could disallow
|
||||
the authentication unless the user belongs to a specific group in
|
||||
the identity provider. \n For backwards compatibility with versions
|
||||
of Pinniped which predate support for multiple identity providers,
|
||||
an empty IdentityProviders list will cause the FederationDomain
|
||||
to use all available identity providers which exist in the same
|
||||
namespace, but also to reject all authentication requests when there
|
||||
is more than one identity provider currently defined. In this backwards
|
||||
compatibility mode, the name of the identity provider resource (e.g.
|
||||
the Name of an OIDCIdentityProvider resource) will be used as the
|
||||
name of the identity provider in this FederationDomain. This mode
|
||||
is provided to make upgrading from older versions easier. However,
|
||||
instead of relying on this backwards compatibility mode, please
|
||||
consider this mode to be deprecated and please instead explicitly
|
||||
list the identity provider using this IdentityProviders field."
|
||||
items:
|
||||
description: FederationDomainIdentityProvider describes how an identity
|
||||
provider is made available in this FederationDomain.
|
||||
properties:
|
||||
displayName:
|
||||
description: DisplayName is the name of this identity provider
|
||||
as it will appear to clients. This name ends up in the kubeconfig
|
||||
of end users, so changing the name of an identity provider
|
||||
that is in use by end users will be a disruptive change for
|
||||
those users.
|
||||
minLength: 1
|
||||
type: string
|
||||
objectRef:
|
||||
description: ObjectRef is a reference to a Pinniped identity
|
||||
provider resource. A valid reference is required. If the reference
|
||||
cannot be resolved then the identity provider will not be
|
||||
made available. Must refer to a resource of one of the Pinniped
|
||||
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
|
||||
ActiveDirectoryIdentityProvider.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup is the group for the resource being
|
||||
referenced. If APIGroup is not specified, the specified
|
||||
Kind must be in the core API group. For any other third-party
|
||||
types, APIGroup is required.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is the type of resource being referenced
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of resource being referenced
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
transforms:
|
||||
description: Transforms is an optional way to specify transformations
|
||||
to be applied during user authentication and session refresh.
|
||||
properties:
|
||||
constants:
|
||||
description: Constants defines constant variables and their
|
||||
values which will be made available to the transform expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsConstant defines
|
||||
a constant variable and its value which will be made
|
||||
available to the transform expressions. This is a union
|
||||
type, and Type is the discriminator field.
|
||||
properties:
|
||||
name:
|
||||
description: Name determines the name of the constant.
|
||||
It must be a valid identifier name.
|
||||
maxLength: 64
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
|
||||
type: string
|
||||
stringListValue:
|
||||
description: StringListValue should hold the value
|
||||
when Type is "stringList", and is otherwise ignored.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
stringValue:
|
||||
description: StringValue should hold the value when
|
||||
Type is "string", and is otherwise ignored.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the constant,
|
||||
and indicates which other field should be non-empty.
|
||||
enum:
|
||||
- string
|
||||
- stringList
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- name
|
||||
x-kubernetes-list-type: map
|
||||
examples:
|
||||
description: Examples can optionally be used to ensure that
|
||||
the sequence of transformation expressions are working
|
||||
as expected. Examples define sample input identities which
|
||||
are then run through the expression list, and the results
|
||||
are compared to the expected results. If any example in
|
||||
this list fails, then this identity provider will not
|
||||
be available for use within this FederationDomain, and
|
||||
the error(s) will be added to the FederationDomain status.
|
||||
This can be used to help guard against programming mistakes
|
||||
in the expressions, and also act as living documentation
|
||||
for other administrators to better understand the expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsExample defines
|
||||
a transform example.
|
||||
properties:
|
||||
expects:
|
||||
description: Expects is the expected output of the
|
||||
entire sequence of transforms when they are run
|
||||
against the input Username and Groups.
|
||||
properties:
|
||||
groups:
|
||||
description: Groups is the expected list of group
|
||||
names after the transformations have been applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
message:
|
||||
description: Message is the expected error message
|
||||
of the transforms. When Rejected is true, then
|
||||
Message is the expected message for the policy
|
||||
which rejected the authentication attempt. When
|
||||
Rejected is true and Message is blank, then
|
||||
Message will be treated as the default error
|
||||
message for authentication attempts which are
|
||||
rejected by a policy. When Rejected is false,
|
||||
then Message is the expected error message for
|
||||
some other non-policy transformation error,
|
||||
such as a runtime error. When Rejected is false,
|
||||
there is no default expected Message.
|
||||
type: string
|
||||
rejected:
|
||||
description: Rejected is a boolean that indicates
|
||||
whether authentication is expected to be rejected
|
||||
by a policy expression after the transformations
|
||||
have been applied. True means that it is expected
|
||||
that the authentication would be rejected. The
|
||||
default value of false means that it is expected
|
||||
that the authentication would not be rejected
|
||||
by any policy expression.
|
||||
type: boolean
|
||||
username:
|
||||
description: Username is the expected username
|
||||
after the transformations have been applied.
|
||||
type: string
|
||||
type: object
|
||||
groups:
|
||||
description: Groups is the input list of group names.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
username:
|
||||
description: Username is the input username.
|
||||
minLength: 1
|
||||
type: string
|
||||
required:
|
||||
- expects
|
||||
- username
|
||||
type: object
|
||||
type: array
|
||||
expressions:
|
||||
description: "Expressions are an optional list of transforms
|
||||
and policies to be executed in the order given during
|
||||
every authentication attempt, including during every session
|
||||
refresh. Each is a CEL expression. It may use the basic
|
||||
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
|
||||
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
\n The username and groups extracted from the identity
|
||||
provider, and the constants defined in this CR, are available
|
||||
as variables in all expressions. The username is provided
|
||||
via a variable called `username` and the list of group
|
||||
names is provided via a variable called `groups` (which
|
||||
may be an empty list). Each user-provided constants is
|
||||
provided via a variable named `strConst.varName` for string
|
||||
constants and `strListConst.varName` for string list constants.
|
||||
\n The only allowed types for expressions are currently
|
||||
policy/v1, username/v1, and groups/v1. Each policy/v1
|
||||
must return a boolean, and when it returns false, no more
|
||||
expressions from the list are evaluated and the authentication
|
||||
attempt is rejected. Transformations of type policy/v1
|
||||
do not return usernames or group names, and therefore
|
||||
cannot change the username or group names. Each username/v1
|
||||
transform must return the new username (a string), which
|
||||
can be the same as the old username. Transformations of
|
||||
type username/v1 do not return group names, and therefore
|
||||
cannot change the group names. Each groups/v1 transform
|
||||
must return the new groups list (list of strings), which
|
||||
can be the same as the old groups list. Transformations
|
||||
of type groups/v1 do not return usernames, and therefore
|
||||
cannot change the usernames. After each expression, the
|
||||
new (potentially changed) username or groups get passed
|
||||
to the following expression. \n Any compilation or static
|
||||
type-checking failure of any expression will cause an
|
||||
error status on the FederationDomain. During an authentication
|
||||
attempt, any unexpected runtime evaluation errors (e.g.
|
||||
division by zero) cause the authentication attempt to
|
||||
fail. When all expressions evaluate successfully, then
|
||||
the (potentially changed) username and group names have
|
||||
been decided for that authentication attempt."
|
||||
items:
|
||||
description: FederationDomainTransformsExpression defines
|
||||
a transform expression.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is a CEL expression that will
|
||||
be evaluated based on the Type during an authentication.
|
||||
minLength: 1
|
||||
type: string
|
||||
message:
|
||||
description: Message is only used when Type is policy/v1.
|
||||
It defines an error message to be used when the
|
||||
policy rejects an authentication attempt. When empty,
|
||||
a default message will be used.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the expression.
|
||||
It must be one of the supported types.
|
||||
enum:
|
||||
- policy/v1
|
||||
- username/v1
|
||||
- groups/v1
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- displayName
|
||||
- objectRef
|
||||
type: object
|
||||
type: array
|
||||
issuer:
|
||||
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
|
||||
Metadata document, as well as the identifier that it will use for
|
||||
@ -59,8 +316,8 @@ spec:
|
||||
minLength: 1
|
||||
type: string
|
||||
tls:
|
||||
description: TLS configures how this FederationDomain is served over
|
||||
Transport Layer Security (TLS).
|
||||
description: TLS specifies a secret which will contain Transport Layer
|
||||
Security (TLS) configuration for the FederationDomain.
|
||||
properties:
|
||||
secretName:
|
||||
description: "SecretName is an optional name of a Secret in the
|
||||
@ -91,14 +348,86 @@ spec:
|
||||
status:
|
||||
description: Status of the OIDC provider.
|
||||
properties:
|
||||
lastUpdateTime:
|
||||
description: LastUpdateTime holds the time at which the Status was
|
||||
last updated. It is a pointer to get around some undesirable behavior
|
||||
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
conditions:
|
||||
description: Conditions represent the observations of an FederationDomain's
|
||||
current state.
|
||||
items:
|
||||
description: "Condition contains details for one aspect of the current
|
||||
state of this API Resource. --- This struct is intended for direct
|
||||
use as an array at the field path .status.conditions. For example,
|
||||
\n type FooStatus struct{ // Represents the observations of a
|
||||
foo's current state. // Known .status.conditions.type are: \"Available\",
|
||||
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
||||
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
||||
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
||||
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: lastTransitionTime is the last time the condition
|
||||
transitioned from one status to another. This should be when
|
||||
the underlying condition changed. If that is not known, then
|
||||
using the time when the API field changed is acceptable.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: Message provides human-readable details about the Status.
|
||||
description: message is a human readable message indicating
|
||||
details about the transition. This may be an empty string.
|
||||
maxLength: 32768
|
||||
type: string
|
||||
observedGeneration:
|
||||
description: observedGeneration represents the .metadata.generation
|
||||
that the condition was set based upon. For instance, if .metadata.generation
|
||||
is currently 12, but the .status.conditions[x].observedGeneration
|
||||
is 9, the condition is out of date with respect to the current
|
||||
state of the instance.
|
||||
format: int64
|
||||
minimum: 0
|
||||
type: integer
|
||||
reason:
|
||||
description: reason contains a programmatic identifier indicating
|
||||
the reason for the condition's last transition. Producers
|
||||
of specific condition types may define expected values and
|
||||
meanings for this field, and whether the values are considered
|
||||
a guaranteed API. The value should be a CamelCase string.
|
||||
This field may not be empty.
|
||||
maxLength: 1024
|
||||
minLength: 1
|
||||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
||||
--- Many .condition.type values are consistent across resources
|
||||
like Available, but because arbitrary conditions can be useful
|
||||
(see .node.status.conditions), the ability to deconflict is
|
||||
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||||
maxLength: 316
|
||||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- message
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- type
|
||||
x-kubernetes-list-type: map
|
||||
phase:
|
||||
default: Pending
|
||||
description: Phase summarizes the overall status of the FederationDomain.
|
||||
enum:
|
||||
- Pending
|
||||
- Ready
|
||||
- Error
|
||||
type: string
|
||||
secrets:
|
||||
description: Secrets contains information about this OIDC Provider's
|
||||
@ -145,15 +474,6 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
status:
|
||||
description: Status holds an enum that describes the state of this
|
||||
OIDC Provider. Note that this Status can represent success or failure.
|
||||
enum:
|
||||
- Success
|
||||
- Duplicate
|
||||
- Invalid
|
||||
- SameIssuerHostMustUseSameSecret
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
|
153
generated/1.28/README.adoc
generated
153
generated/1.28/README.adoc
generated
@ -650,6 +650,37 @@ FederationDomain describes the configuration of an OIDC provider.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
|
||||
==== FederationDomainIdentityProvider
|
||||
|
||||
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainspec[$$FederationDomainSpec$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`displayName`* __string__ | DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a disruptive change for those users.
|
||||
| *`objectRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. If the reference cannot be resolved then the identity provider will not be made available. Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
| *`transforms`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]__ | Transforms is an optional way to specify transformations to be applied during user authentication and session refresh.
|
||||
|===
|
||||
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainphase"]
|
||||
==== FederationDomainPhase (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainsecrets"]
|
||||
@ -687,7 +718,10 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
| Field | Description
|
||||
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
||||
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
|
||||
|===
|
||||
|
||||
|
||||
@ -704,25 +738,12 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainstatuscondition[$$FederationDomainStatusCondition$$]__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
|
||||
| *`message`* __string__ | Message provides human-readable details about the Status.
|
||||
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
|
||||
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
|
||||
| *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainstatuscondition"]
|
||||
==== FederationDomainStatusCondition (string)
|
||||
|
||||
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainstatus[$$FederationDomainStatus$$]
|
||||
****
|
||||
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintlsspec"]
|
||||
==== FederationDomainTLSSpec
|
||||
|
||||
@ -744,6 +765,106 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
|
||||
==== FederationDomainTransforms
|
||||
|
||||
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
|
||||
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
|
||||
| *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
|
||||
==== FederationDomainTransformsConstant
|
||||
|
||||
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name.
|
||||
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
|
||||
==== FederationDomainTransformsExample
|
||||
|
||||
FederationDomainTransformsExample defines a transform example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the input username.
|
||||
| *`groups`* __string array__ | Groups is the input list of group names.
|
||||
| *`expects`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects[$$FederationDomainTransformsExampleExpects$$]__ | Expects is the expected output of the entire sequence of transforms when they are run against the input Username and Groups.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
|
||||
==== FederationDomainTransformsExampleExpects
|
||||
|
||||
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`username`* __string__ | Username is the expected username after the transformations have been applied.
|
||||
| *`groups`* __string array__ | Groups is the expected list of group names after the transformations have been applied.
|
||||
| *`rejected`* __boolean__ | Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression after the transformations have been applied. True means that it is expected that the authentication would be rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression.
|
||||
| *`message`* __string__ | Message is the expected error message of the transforms. When Rejected is true, then Message is the expected message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, then Message will be treated as the default error message for authentication attempts which are rejected by a policy. When Rejected is false, then Message is the expected error message for some other non-policy transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
|
||||
==== FederationDomainTransformsExpression
|
||||
|
||||
FederationDomainTransformsExpression defines a transform expression.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransforms[$$FederationDomainTransforms$$]
|
||||
****
|
||||
|
||||
[cols="25a,75a", options="header"]
|
||||
|===
|
||||
| Field | Description
|
||||
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types.
|
||||
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects an authentication attempt. When empty, a default message will be used.
|
||||
|===
|
||||
|
||||
|
||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-granttype"]
|
||||
==== GrantType (string)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package v1alpha1
|
||||
@ -8,14 +8,17 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
|
||||
type FederationDomainStatusCondition string
|
||||
type FederationDomainPhase string
|
||||
|
||||
const (
|
||||
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
|
||||
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
|
||||
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
|
||||
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
|
||||
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
|
||||
FederationDomainPhasePending FederationDomainPhase = "Pending"
|
||||
|
||||
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
|
||||
FederationDomainPhaseReady FederationDomainPhase = "Ready"
|
||||
|
||||
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
|
||||
FederationDomainPhaseError FederationDomainPhase = "Error"
|
||||
)
|
||||
|
||||
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
|
||||
// the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
type FederationDomainTransformsConstant struct {
|
||||
// Name determines the name of the constant. It must be a valid identifier name.
|
||||
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
// +kubebuilder:validation:MaxLength=64
|
||||
Name string `json:"name"`
|
||||
|
||||
// Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
// +kubebuilder:validation:Enum=string;stringList
|
||||
Type string `json:"type"`
|
||||
|
||||
// StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
// +optional
|
||||
StringValue string `json:"stringValue,omitempty"`
|
||||
|
||||
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
// +optional
|
||||
StringListValue []string `json:"stringListValue,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExpression defines a transform expression.
|
||||
type FederationDomainTransformsExpression struct {
|
||||
// Type determines the type of the expression. It must be one of the supported types.
|
||||
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
|
||||
Type string `json:"type"`
|
||||
|
||||
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Expression string `json:"expression"`
|
||||
|
||||
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
|
||||
// an authentication attempt. When empty, a default message will be used.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExample defines a transform example.
|
||||
type FederationDomainTransformsExample struct {
|
||||
// Username is the input username.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Username string `json:"username"`
|
||||
|
||||
// Groups is the input list of group names.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Expects is the expected output of the entire sequence of transforms when they are run against the
|
||||
// input Username and Groups.
|
||||
Expects FederationDomainTransformsExampleExpects `json:"expects"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
type FederationDomainTransformsExampleExpects struct {
|
||||
// Username is the expected username after the transformations have been applied.
|
||||
// +optional
|
||||
Username string `json:"username,omitempty"`
|
||||
|
||||
// Groups is the expected list of group names after the transformations have been applied.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
|
||||
// after the transformations have been applied. True means that it is expected that the authentication would be
|
||||
// rejected. The default value of false means that it is expected that the authentication would not be rejected
|
||||
// by any policy expression.
|
||||
// +optional
|
||||
Rejected bool `json:"rejected,omitempty"`
|
||||
|
||||
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
|
||||
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
|
||||
// then Message will be treated as the default error message for authentication attempts which are rejected by a
|
||||
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
|
||||
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
type FederationDomainTransforms struct {
|
||||
// Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
// +patchMergeKey=name
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=name
|
||||
// +optional
|
||||
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
|
||||
|
||||
// Expressions are an optional list of transforms and policies to be executed in the order given during every
|
||||
// authentication attempt, including during every session refresh.
|
||||
// Each is a CEL expression. It may use the basic CEL language as defined in
|
||||
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
|
||||
// https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
//
|
||||
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
|
||||
// available as variables in all expressions. The username is provided via a variable called `username` and
|
||||
// the list of group names is provided via a variable called `groups` (which may be an empty list).
|
||||
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
|
||||
// and `strListConst.varName` for string list constants.
|
||||
//
|
||||
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
|
||||
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
|
||||
// and the authentication attempt is rejected.
|
||||
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
|
||||
// username or group names.
|
||||
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
|
||||
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
|
||||
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
|
||||
// groups list.
|
||||
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
|
||||
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
//
|
||||
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
|
||||
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
|
||||
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
|
||||
// and group names have been decided for that authentication attempt.
|
||||
//
|
||||
// +optional
|
||||
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
|
||||
|
||||
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
|
||||
// expected. Examples define sample input identities which are then run through the expression list, and the
|
||||
// results are compared to the expected results. If any example in this list fails, then this
|
||||
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
|
||||
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
|
||||
// expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
// +optional
|
||||
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
type FederationDomainIdentityProvider struct {
|
||||
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
|
||||
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
|
||||
// disruptive change for those users.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
DisplayName string `json:"displayName"`
|
||||
|
||||
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
|
||||
// If the reference cannot be resolved then the identity provider will not be made available.
|
||||
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
|
||||
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
|
||||
|
||||
// Transforms is an optional way to specify transformations to be applied during user authentication and
|
||||
// session refresh.
|
||||
// +optional
|
||||
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
type FederationDomainSpec struct {
|
||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Issuer string `json:"issuer"`
|
||||
|
||||
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
// +optional
|
||||
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
|
||||
|
||||
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
//
|
||||
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
|
||||
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
|
||||
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
|
||||
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
|
||||
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
|
||||
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
|
||||
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
|
||||
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
|
||||
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
|
||||
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
|
||||
// disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
//
|
||||
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
|
||||
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
|
||||
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
|
||||
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
|
||||
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
|
||||
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
|
||||
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
|
||||
// explicitly list the identity provider using this IdentityProviders field.
|
||||
//
|
||||
// +optional
|
||||
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
|
||||
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
|
||||
|
||||
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
|
||||
type FederationDomainStatus struct {
|
||||
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
|
||||
// represent success or failure.
|
||||
// +optional
|
||||
Status FederationDomainStatusCondition `json:"status,omitempty"`
|
||||
// Phase summarizes the overall status of the FederationDomain.
|
||||
// +kubebuilder:default=Pending
|
||||
// +kubebuilder:validation:Enum=Pending;Ready;Error
|
||||
Phase FederationDomainPhase `json:"phase,omitempty"`
|
||||
|
||||
// Message provides human-readable details about the Status.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
|
||||
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
|
||||
// around some undesirable behavior with respect to the empty metav1.Time value (see
|
||||
// https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
// +optional
|
||||
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
|
||||
// Conditions represent the observations of an FederationDomain's current state.
|
||||
// +patchMergeKey=type
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=type
|
||||
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
|
||||
|
||||
// Secrets contains information about this OIDC Provider's secrets.
|
||||
// +optional
|
||||
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type FederationDomain struct {
|
||||
|
@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
type OIDCClientPhase string
|
||||
|
||||
const (
|
||||
// PhasePending is the default phase for newly-created OIDCClient resources.
|
||||
PhasePending OIDCClientPhase = "Pending"
|
||||
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
|
||||
OIDCClientPhasePending OIDCClientPhase = "Pending"
|
||||
|
||||
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
PhaseReady OIDCClientPhase = "Ready"
|
||||
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
OIDCClientPhaseReady OIDCClientPhase = "Ready"
|
||||
|
||||
// PhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
PhaseError OIDCClientPhase = "Error"
|
||||
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
OIDCClientPhaseError OIDCClientPhase = "Error"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
|
||||
|
@ -41,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
|
||||
*out = *in
|
||||
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
|
||||
in.Transforms.DeepCopyInto(&out.Transforms)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainIdentityProvider)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
|
||||
*out = *in
|
||||
@ -102,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
|
||||
*out = new(FederationDomainTLSSpec)
|
||||
**out = **in
|
||||
}
|
||||
if in.IdentityProviders != nil {
|
||||
in, out := &in.IdentityProviders, &out.IdentityProviders
|
||||
*out = make([]FederationDomainIdentityProvider, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -118,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
|
||||
*out = *in
|
||||
if in.LastUpdateTime != nil {
|
||||
in, out := &in.LastUpdateTime, &out.LastUpdateTime
|
||||
*out = (*in).DeepCopy()
|
||||
if in.Conditions != nil {
|
||||
in, out := &in.Conditions, &out.Conditions
|
||||
*out = make([]v1.Condition, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
out.Secrets = in.Secrets
|
||||
return
|
||||
@ -152,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
|
||||
*out = *in
|
||||
if in.Constants != nil {
|
||||
in, out := &in.Constants, &out.Constants
|
||||
*out = make([]FederationDomainTransformsConstant, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.Expressions != nil {
|
||||
in, out := &in.Expressions, &out.Expressions
|
||||
*out = make([]FederationDomainTransformsExpression, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Examples != nil {
|
||||
in, out := &in.Examples, &out.Examples
|
||||
*out = make([]FederationDomainTransformsExample, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
|
||||
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransforms)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
|
||||
*out = *in
|
||||
if in.StringListValue != nil {
|
||||
in, out := &in.StringListValue, &out.StringListValue
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsConstant)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
in.Expects.DeepCopyInto(&out.Expects)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
|
||||
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExample)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExampleExpects)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExpression)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
|
||||
*out = *in
|
||||
|
@ -21,7 +21,7 @@ spec:
|
||||
- jsonPath: .spec.issuer
|
||||
name: Issuer
|
||||
type: string
|
||||
- jsonPath: .status.status
|
||||
- jsonPath: .status.phase
|
||||
name: Status
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
@ -47,6 +47,263 @@ spec:
|
||||
spec:
|
||||
description: Spec of the OIDC provider.
|
||||
properties:
|
||||
identityProviders:
|
||||
description: "IdentityProviders is the list of identity providers
|
||||
available for use by this FederationDomain. \n An identity provider
|
||||
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
|
||||
how to connect to a server, how to talk in a specific protocol for
|
||||
authentication, and how to use the schema of that server/protocol
|
||||
to extract a normalized user identity. Normalized user identities
|
||||
include a username and a list of group names. In contrast, IdentityProviders
|
||||
describes how to use that normalized identity in those Kubernetes
|
||||
clusters which belong to this FederationDomain. Each entry in IdentityProviders
|
||||
can be configured with arbitrary transformations on that normalized
|
||||
identity. For example, a transformation can add a prefix to all
|
||||
usernames to help avoid accidental conflicts when multiple identity
|
||||
providers have different users with the same username (e.g. \"idp1:ryan\"
|
||||
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
|
||||
implement arbitrary authentication rejection policies. Even though
|
||||
a user was able to authenticate with the identity provider, a policy
|
||||
can disallow the authentication to the Kubernetes clusters that
|
||||
belong to this FederationDomain. For example, a policy could disallow
|
||||
the authentication unless the user belongs to a specific group in
|
||||
the identity provider. \n For backwards compatibility with versions
|
||||
of Pinniped which predate support for multiple identity providers,
|
||||
an empty IdentityProviders list will cause the FederationDomain
|
||||
to use all available identity providers which exist in the same
|
||||
namespace, but also to reject all authentication requests when there
|
||||
is more than one identity provider currently defined. In this backwards
|
||||
compatibility mode, the name of the identity provider resource (e.g.
|
||||
the Name of an OIDCIdentityProvider resource) will be used as the
|
||||
name of the identity provider in this FederationDomain. This mode
|
||||
is provided to make upgrading from older versions easier. However,
|
||||
instead of relying on this backwards compatibility mode, please
|
||||
consider this mode to be deprecated and please instead explicitly
|
||||
list the identity provider using this IdentityProviders field."
|
||||
items:
|
||||
description: FederationDomainIdentityProvider describes how an identity
|
||||
provider is made available in this FederationDomain.
|
||||
properties:
|
||||
displayName:
|
||||
description: DisplayName is the name of this identity provider
|
||||
as it will appear to clients. This name ends up in the kubeconfig
|
||||
of end users, so changing the name of an identity provider
|
||||
that is in use by end users will be a disruptive change for
|
||||
those users.
|
||||
minLength: 1
|
||||
type: string
|
||||
objectRef:
|
||||
description: ObjectRef is a reference to a Pinniped identity
|
||||
provider resource. A valid reference is required. If the reference
|
||||
cannot be resolved then the identity provider will not be
|
||||
made available. Must refer to a resource of one of the Pinniped
|
||||
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
|
||||
ActiveDirectoryIdentityProvider.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup is the group for the resource being
|
||||
referenced. If APIGroup is not specified, the specified
|
||||
Kind must be in the core API group. For any other third-party
|
||||
types, APIGroup is required.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is the type of resource being referenced
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of resource being referenced
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
transforms:
|
||||
description: Transforms is an optional way to specify transformations
|
||||
to be applied during user authentication and session refresh.
|
||||
properties:
|
||||
constants:
|
||||
description: Constants defines constant variables and their
|
||||
values which will be made available to the transform expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsConstant defines
|
||||
a constant variable and its value which will be made
|
||||
available to the transform expressions. This is a union
|
||||
type, and Type is the discriminator field.
|
||||
properties:
|
||||
name:
|
||||
description: Name determines the name of the constant.
|
||||
It must be a valid identifier name.
|
||||
maxLength: 64
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z][_a-zA-Z0-9]*$
|
||||
type: string
|
||||
stringListValue:
|
||||
description: StringListValue should hold the value
|
||||
when Type is "stringList", and is otherwise ignored.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
stringValue:
|
||||
description: StringValue should hold the value when
|
||||
Type is "string", and is otherwise ignored.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the constant,
|
||||
and indicates which other field should be non-empty.
|
||||
enum:
|
||||
- string
|
||||
- stringList
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- name
|
||||
x-kubernetes-list-type: map
|
||||
examples:
|
||||
description: Examples can optionally be used to ensure that
|
||||
the sequence of transformation expressions are working
|
||||
as expected. Examples define sample input identities which
|
||||
are then run through the expression list, and the results
|
||||
are compared to the expected results. If any example in
|
||||
this list fails, then this identity provider will not
|
||||
be available for use within this FederationDomain, and
|
||||
the error(s) will be added to the FederationDomain status.
|
||||
This can be used to help guard against programming mistakes
|
||||
in the expressions, and also act as living documentation
|
||||
for other administrators to better understand the expressions.
|
||||
items:
|
||||
description: FederationDomainTransformsExample defines
|
||||
a transform example.
|
||||
properties:
|
||||
expects:
|
||||
description: Expects is the expected output of the
|
||||
entire sequence of transforms when they are run
|
||||
against the input Username and Groups.
|
||||
properties:
|
||||
groups:
|
||||
description: Groups is the expected list of group
|
||||
names after the transformations have been applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
message:
|
||||
description: Message is the expected error message
|
||||
of the transforms. When Rejected is true, then
|
||||
Message is the expected message for the policy
|
||||
which rejected the authentication attempt. When
|
||||
Rejected is true and Message is blank, then
|
||||
Message will be treated as the default error
|
||||
message for authentication attempts which are
|
||||
rejected by a policy. When Rejected is false,
|
||||
then Message is the expected error message for
|
||||
some other non-policy transformation error,
|
||||
such as a runtime error. When Rejected is false,
|
||||
there is no default expected Message.
|
||||
type: string
|
||||
rejected:
|
||||
description: Rejected is a boolean that indicates
|
||||
whether authentication is expected to be rejected
|
||||
by a policy expression after the transformations
|
||||
have been applied. True means that it is expected
|
||||
that the authentication would be rejected. The
|
||||
default value of false means that it is expected
|
||||
that the authentication would not be rejected
|
||||
by any policy expression.
|
||||
type: boolean
|
||||
username:
|
||||
description: Username is the expected username
|
||||
after the transformations have been applied.
|
||||
type: string
|
||||
type: object
|
||||
groups:
|
||||
description: Groups is the input list of group names.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
username:
|
||||
description: Username is the input username.
|
||||
minLength: 1
|
||||
type: string
|
||||
required:
|
||||
- expects
|
||||
- username
|
||||
type: object
|
||||
type: array
|
||||
expressions:
|
||||
description: "Expressions are an optional list of transforms
|
||||
and policies to be executed in the order given during
|
||||
every authentication attempt, including during every session
|
||||
refresh. Each is a CEL expression. It may use the basic
|
||||
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
|
||||
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
\n The username and groups extracted from the identity
|
||||
provider, and the constants defined in this CR, are available
|
||||
as variables in all expressions. The username is provided
|
||||
via a variable called `username` and the list of group
|
||||
names is provided via a variable called `groups` (which
|
||||
may be an empty list). Each user-provided constants is
|
||||
provided via a variable named `strConst.varName` for string
|
||||
constants and `strListConst.varName` for string list constants.
|
||||
\n The only allowed types for expressions are currently
|
||||
policy/v1, username/v1, and groups/v1. Each policy/v1
|
||||
must return a boolean, and when it returns false, no more
|
||||
expressions from the list are evaluated and the authentication
|
||||
attempt is rejected. Transformations of type policy/v1
|
||||
do not return usernames or group names, and therefore
|
||||
cannot change the username or group names. Each username/v1
|
||||
transform must return the new username (a string), which
|
||||
can be the same as the old username. Transformations of
|
||||
type username/v1 do not return group names, and therefore
|
||||
cannot change the group names. Each groups/v1 transform
|
||||
must return the new groups list (list of strings), which
|
||||
can be the same as the old groups list. Transformations
|
||||
of type groups/v1 do not return usernames, and therefore
|
||||
cannot change the usernames. After each expression, the
|
||||
new (potentially changed) username or groups get passed
|
||||
to the following expression. \n Any compilation or static
|
||||
type-checking failure of any expression will cause an
|
||||
error status on the FederationDomain. During an authentication
|
||||
attempt, any unexpected runtime evaluation errors (e.g.
|
||||
division by zero) cause the authentication attempt to
|
||||
fail. When all expressions evaluate successfully, then
|
||||
the (potentially changed) username and group names have
|
||||
been decided for that authentication attempt."
|
||||
items:
|
||||
description: FederationDomainTransformsExpression defines
|
||||
a transform expression.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is a CEL expression that will
|
||||
be evaluated based on the Type during an authentication.
|
||||
minLength: 1
|
||||
type: string
|
||||
message:
|
||||
description: Message is only used when Type is policy/v1.
|
||||
It defines an error message to be used when the
|
||||
policy rejects an authentication attempt. When empty,
|
||||
a default message will be used.
|
||||
type: string
|
||||
type:
|
||||
description: Type determines the type of the expression.
|
||||
It must be one of the supported types.
|
||||
enum:
|
||||
- policy/v1
|
||||
- username/v1
|
||||
- groups/v1
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- displayName
|
||||
- objectRef
|
||||
type: object
|
||||
type: array
|
||||
issuer:
|
||||
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
|
||||
Metadata document, as well as the identifier that it will use for
|
||||
@ -59,8 +316,8 @@ spec:
|
||||
minLength: 1
|
||||
type: string
|
||||
tls:
|
||||
description: TLS configures how this FederationDomain is served over
|
||||
Transport Layer Security (TLS).
|
||||
description: TLS specifies a secret which will contain Transport Layer
|
||||
Security (TLS) configuration for the FederationDomain.
|
||||
properties:
|
||||
secretName:
|
||||
description: "SecretName is an optional name of a Secret in the
|
||||
@ -91,14 +348,86 @@ spec:
|
||||
status:
|
||||
description: Status of the OIDC provider.
|
||||
properties:
|
||||
lastUpdateTime:
|
||||
description: LastUpdateTime holds the time at which the Status was
|
||||
last updated. It is a pointer to get around some undesirable behavior
|
||||
with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
conditions:
|
||||
description: Conditions represent the observations of an FederationDomain's
|
||||
current state.
|
||||
items:
|
||||
description: "Condition contains details for one aspect of the current
|
||||
state of this API Resource. --- This struct is intended for direct
|
||||
use as an array at the field path .status.conditions. For example,
|
||||
\n type FooStatus struct{ // Represents the observations of a
|
||||
foo's current state. // Known .status.conditions.type are: \"Available\",
|
||||
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
||||
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
||||
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
||||
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: lastTransitionTime is the last time the condition
|
||||
transitioned from one status to another. This should be when
|
||||
the underlying condition changed. If that is not known, then
|
||||
using the time when the API field changed is acceptable.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: Message provides human-readable details about the Status.
|
||||
description: message is a human readable message indicating
|
||||
details about the transition. This may be an empty string.
|
||||
maxLength: 32768
|
||||
type: string
|
||||
observedGeneration:
|
||||
description: observedGeneration represents the .metadata.generation
|
||||
that the condition was set based upon. For instance, if .metadata.generation
|
||||
is currently 12, but the .status.conditions[x].observedGeneration
|
||||
is 9, the condition is out of date with respect to the current
|
||||
state of the instance.
|
||||
format: int64
|
||||
minimum: 0
|
||||
type: integer
|
||||
reason:
|
||||
description: reason contains a programmatic identifier indicating
|
||||
the reason for the condition's last transition. Producers
|
||||
of specific condition types may define expected values and
|
||||
meanings for this field, and whether the values are considered
|
||||
a guaranteed API. The value should be a CamelCase string.
|
||||
This field may not be empty.
|
||||
maxLength: 1024
|
||||
minLength: 1
|
||||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
||||
--- Many .condition.type values are consistent across resources
|
||||
like Available, but because arbitrary conditions can be useful
|
||||
(see .node.status.conditions), the ability to deconflict is
|
||||
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||||
maxLength: 316
|
||||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- message
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- type
|
||||
x-kubernetes-list-type: map
|
||||
phase:
|
||||
default: Pending
|
||||
description: Phase summarizes the overall status of the FederationDomain.
|
||||
enum:
|
||||
- Pending
|
||||
- Ready
|
||||
- Error
|
||||
type: string
|
||||
secrets:
|
||||
description: Secrets contains information about this OIDC Provider's
|
||||
@ -145,15 +474,6 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
status:
|
||||
description: Status holds an enum that describes the state of this
|
||||
OIDC Provider. Note that this Status can represent success or failure.
|
||||
enum:
|
||||
- Success
|
||||
- Duplicate
|
||||
- Invalid
|
||||
- SameIssuerHostMustUseSameSecret
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package v1alpha1
|
||||
@ -8,14 +8,17 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
|
||||
type FederationDomainStatusCondition string
|
||||
type FederationDomainPhase string
|
||||
|
||||
const (
|
||||
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
|
||||
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
|
||||
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
|
||||
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
|
||||
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
|
||||
FederationDomainPhasePending FederationDomainPhase = "Pending"
|
||||
|
||||
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
|
||||
FederationDomainPhaseReady FederationDomainPhase = "Ready"
|
||||
|
||||
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
|
||||
FederationDomainPhaseError FederationDomainPhase = "Error"
|
||||
)
|
||||
|
||||
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||
@ -42,6 +45,157 @@ type FederationDomainTLSSpec struct {
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
|
||||
// the transform expressions. This is a union type, and Type is the discriminator field.
|
||||
type FederationDomainTransformsConstant struct {
|
||||
// Name determines the name of the constant. It must be a valid identifier name.
|
||||
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
// +kubebuilder:validation:MaxLength=64
|
||||
Name string `json:"name"`
|
||||
|
||||
// Type determines the type of the constant, and indicates which other field should be non-empty.
|
||||
// +kubebuilder:validation:Enum=string;stringList
|
||||
Type string `json:"type"`
|
||||
|
||||
// StringValue should hold the value when Type is "string", and is otherwise ignored.
|
||||
// +optional
|
||||
StringValue string `json:"stringValue,omitempty"`
|
||||
|
||||
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
|
||||
// +optional
|
||||
StringListValue []string `json:"stringListValue,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExpression defines a transform expression.
|
||||
type FederationDomainTransformsExpression struct {
|
||||
// Type determines the type of the expression. It must be one of the supported types.
|
||||
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
|
||||
Type string `json:"type"`
|
||||
|
||||
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Expression string `json:"expression"`
|
||||
|
||||
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
|
||||
// an authentication attempt. When empty, a default message will be used.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExample defines a transform example.
|
||||
type FederationDomainTransformsExample struct {
|
||||
// Username is the input username.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Username string `json:"username"`
|
||||
|
||||
// Groups is the input list of group names.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Expects is the expected output of the entire sequence of transforms when they are run against the
|
||||
// input Username and Groups.
|
||||
Expects FederationDomainTransformsExampleExpects `json:"expects"`
|
||||
}
|
||||
|
||||
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
|
||||
type FederationDomainTransformsExampleExpects struct {
|
||||
// Username is the expected username after the transformations have been applied.
|
||||
// +optional
|
||||
Username string `json:"username,omitempty"`
|
||||
|
||||
// Groups is the expected list of group names after the transformations have been applied.
|
||||
// +optional
|
||||
Groups []string `json:"groups,omitempty"`
|
||||
|
||||
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
|
||||
// after the transformations have been applied. True means that it is expected that the authentication would be
|
||||
// rejected. The default value of false means that it is expected that the authentication would not be rejected
|
||||
// by any policy expression.
|
||||
// +optional
|
||||
Rejected bool `json:"rejected,omitempty"`
|
||||
|
||||
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
|
||||
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
|
||||
// then Message will be treated as the default error message for authentication attempts which are rejected by a
|
||||
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
|
||||
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
|
||||
type FederationDomainTransforms struct {
|
||||
// Constants defines constant variables and their values which will be made available to the transform expressions.
|
||||
// +patchMergeKey=name
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=name
|
||||
// +optional
|
||||
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
|
||||
|
||||
// Expressions are an optional list of transforms and policies to be executed in the order given during every
|
||||
// authentication attempt, including during every session refresh.
|
||||
// Each is a CEL expression. It may use the basic CEL language as defined in
|
||||
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
|
||||
// https://github.com/google/cel-go/tree/master/ext#strings.
|
||||
//
|
||||
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
|
||||
// available as variables in all expressions. The username is provided via a variable called `username` and
|
||||
// the list of group names is provided via a variable called `groups` (which may be an empty list).
|
||||
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
|
||||
// and `strListConst.varName` for string list constants.
|
||||
//
|
||||
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
|
||||
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
|
||||
// and the authentication attempt is rejected.
|
||||
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
|
||||
// username or group names.
|
||||
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
|
||||
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
|
||||
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
|
||||
// groups list.
|
||||
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
|
||||
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
|
||||
//
|
||||
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
|
||||
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
|
||||
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
|
||||
// and group names have been decided for that authentication attempt.
|
||||
//
|
||||
// +optional
|
||||
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
|
||||
|
||||
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
|
||||
// expected. Examples define sample input identities which are then run through the expression list, and the
|
||||
// results are compared to the expected results. If any example in this list fails, then this
|
||||
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
|
||||
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
|
||||
// expressions, and also act as living documentation for other administrators to better understand the expressions.
|
||||
// +optional
|
||||
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
|
||||
type FederationDomainIdentityProvider struct {
|
||||
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
|
||||
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
|
||||
// disruptive change for those users.
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
DisplayName string `json:"displayName"`
|
||||
|
||||
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
|
||||
// If the reference cannot be resolved then the identity provider will not be made available.
|
||||
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
|
||||
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
|
||||
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
|
||||
|
||||
// Transforms is an optional way to specify transformations to be applied during user authentication and
|
||||
// session refresh.
|
||||
// +optional
|
||||
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSpec is a struct that describes an OIDC Provider.
|
||||
type FederationDomainSpec struct {
|
||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||
@ -55,9 +209,35 @@ type FederationDomainSpec struct {
|
||||
// +kubebuilder:validation:MinLength=1
|
||||
Issuer string `json:"issuer"`
|
||||
|
||||
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
|
||||
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
|
||||
// +optional
|
||||
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
|
||||
|
||||
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
|
||||
//
|
||||
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
|
||||
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
|
||||
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
|
||||
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
|
||||
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
|
||||
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
|
||||
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
|
||||
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
|
||||
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
|
||||
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
|
||||
// disallow the authentication unless the user belongs to a specific group in the identity provider.
|
||||
//
|
||||
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
|
||||
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
|
||||
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
|
||||
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
|
||||
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
|
||||
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
|
||||
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
|
||||
// explicitly list the identity provider using this IdentityProviders field.
|
||||
//
|
||||
// +optional
|
||||
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
|
||||
}
|
||||
|
||||
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
|
||||
@ -86,20 +266,17 @@ type FederationDomainSecrets struct {
|
||||
|
||||
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
|
||||
type FederationDomainStatus struct {
|
||||
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
|
||||
// represent success or failure.
|
||||
// +optional
|
||||
Status FederationDomainStatusCondition `json:"status,omitempty"`
|
||||
// Phase summarizes the overall status of the FederationDomain.
|
||||
// +kubebuilder:default=Pending
|
||||
// +kubebuilder:validation:Enum=Pending;Ready;Error
|
||||
Phase FederationDomainPhase `json:"phase,omitempty"`
|
||||
|
||||
// Message provides human-readable details about the Status.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty"`
|
||||
|
||||
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
|
||||
// around some undesirable behavior with respect to the empty metav1.Time value (see
|
||||
// https://github.com/kubernetes/kubernetes/issues/86811).
|
||||
// +optional
|
||||
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
|
||||
// Conditions represent the observations of an FederationDomain's current state.
|
||||
// +patchMergeKey=type
|
||||
// +patchStrategy=merge
|
||||
// +listType=map
|
||||
// +listMapKey=type
|
||||
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
|
||||
|
||||
// Secrets contains information about this OIDC Provider's secrets.
|
||||
// +optional
|
||||
@ -111,7 +288,7 @@ type FederationDomainStatus struct {
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
|
||||
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type FederationDomain struct {
|
||||
|
@ -8,14 +8,14 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
type OIDCClientPhase string
|
||||
|
||||
const (
|
||||
// PhasePending is the default phase for newly-created OIDCClient resources.
|
||||
PhasePending OIDCClientPhase = "Pending"
|
||||
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
|
||||
OIDCClientPhasePending OIDCClientPhase = "Pending"
|
||||
|
||||
// PhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
PhaseReady OIDCClientPhase = "Ready"
|
||||
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
|
||||
OIDCClientPhaseReady OIDCClientPhase = "Ready"
|
||||
|
||||
// PhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
PhaseError OIDCClientPhase = "Error"
|
||||
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
|
||||
OIDCClientPhaseError OIDCClientPhase = "Error"
|
||||
)
|
||||
|
||||
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
@ -40,6 +41,24 @@ func (in *FederationDomain) DeepCopyObject() runtime.Object {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
|
||||
*out = *in
|
||||
in.ObjectRef.DeepCopyInto(&out.ObjectRef)
|
||||
in.Transforms.DeepCopyInto(&out.Transforms)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
|
||||
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainIdentityProvider)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
|
||||
*out = *in
|
||||
@ -101,6 +120,13 @@ func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
|
||||
*out = new(FederationDomainTLSSpec)
|
||||
**out = **in
|
||||
}
|
||||
if in.IdentityProviders != nil {
|
||||
in, out := &in.IdentityProviders, &out.IdentityProviders
|
||||
*out = make([]FederationDomainIdentityProvider, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -117,9 +143,12 @@ func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
|
||||
*out = *in
|
||||
if in.LastUpdateTime != nil {
|
||||
in, out := &in.LastUpdateTime, &out.LastUpdateTime
|
||||
*out = (*in).DeepCopy()
|
||||
if in.Conditions != nil {
|
||||
in, out := &in.Conditions, &out.Conditions
|
||||
*out = make([]v1.Condition, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
out.Secrets = in.Secrets
|
||||
return
|
||||
@ -151,6 +180,121 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
|
||||
*out = *in
|
||||
if in.Constants != nil {
|
||||
in, out := &in.Constants, &out.Constants
|
||||
*out = make([]FederationDomainTransformsConstant, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.Expressions != nil {
|
||||
in, out := &in.Expressions, &out.Expressions
|
||||
*out = make([]FederationDomainTransformsExpression, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Examples != nil {
|
||||
in, out := &in.Examples, &out.Examples
|
||||
*out = make([]FederationDomainTransformsExample, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
|
||||
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransforms)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
|
||||
*out = *in
|
||||
if in.StringListValue != nil {
|
||||
in, out := &in.StringListValue, &out.StringListValue
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
|
||||
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsConstant)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
in.Expects.DeepCopyInto(&out.Expects)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
|
||||
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExample)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
|
||||
*out = *in
|
||||
if in.Groups != nil {
|
||||
in, out := &in.Groups, &out.Groups
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
|
||||
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExampleExpects)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
|
||||
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(FederationDomainTransformsExpression)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
|
||||
*out = *in
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
@ -1,4 +1,5 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
2
go.mod
2
go.mod
@ -20,6 +20,7 @@ require (
|
||||
github.com/go-logr/zapr v1.2.4
|
||||
github.com/gofrs/flock v0.8.1
|
||||
github.com/golang/mock v1.6.0
|
||||
github.com/google/cel-go v0.16.0
|
||||
github.com/google/go-cmp v0.5.9
|
||||
github.com/google/gofuzz v1.2.0
|
||||
github.com/google/uuid v1.3.1
|
||||
@ -90,7 +91,6 @@ require (
|
||||
github.com/golang/glog v1.1.0 // indirect
|
||||
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
|
||||
github.com/golang/protobuf v1.5.3 // indirect
|
||||
github.com/google/cel-go v0.16.0 // indirect
|
||||
github.com/google/gnostic-models v0.6.8 // indirect
|
||||
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
#
|
||||
@ -17,7 +17,9 @@ echo -n "PINNIPED_TEST_GOLAND_RUNNER=true;"
|
||||
|
||||
printenv | grep PINNIPED_TEST_ | sed 's/=.*//g' | grep -v CLUSTER_CAPABILITY_YAML | while read -r var ; do
|
||||
echo -n "${var}="
|
||||
echo -n "${!var}" | tr -d '\n'
|
||||
# Goland will treat semicolons as key/value pair separators.
|
||||
# Within a value, a semicolon needs to be escaped with a backslash for Goland.
|
||||
echo -n "${!var}" | sed 's/;/\\;/g' | tr -d '\n'
|
||||
echo -n ";"
|
||||
done
|
||||
|
||||
|
@ -40,6 +40,9 @@ if [[ "${#KUBE_VERSIONS[@]}" -ne 1 ]]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Add this to the git config inside the container to avoid permission errors when running this script on linux.
|
||||
git config --global --add safe.directory /work
|
||||
|
||||
# Link the root directory into GOPATH since that is where output ends up.
|
||||
GOPATH_ROOT="${GOPATH}/src/${BASE_PKG}"
|
||||
mkdir -p "$(dirname "${GOPATH_ROOT}")"
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
||||
# Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
#
|
||||
@ -81,7 +81,7 @@ while (("$#")); do
|
||||
done
|
||||
|
||||
if [[ "$use_oidc_upstream" == "no" && "$use_ldap_upstream" == "no" && "$use_ad_upstream" == "no" ]]; then
|
||||
log_error "Error: Please use --oidc, --ldap, or --ad to specify which type of upstream identity provider(s) you would like"
|
||||
log_error "Error: Please use --oidc, --ldap, or --ad to specify which type(s) of upstream identity provider(s) you would like. May use one or multiple."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -103,42 +103,6 @@ audience="my-workload-cluster-$(openssl rand -hex 4)"
|
||||
issuer_host="pinniped-supervisor-clusterip.supervisor.svc.cluster.local"
|
||||
issuer="https://$issuer_host/some/path"
|
||||
|
||||
# Create a CA and TLS serving certificates for the Supervisor.
|
||||
step certificate create \
|
||||
"Supervisor CA" "$root_ca_crt_path" "$root_ca_key_path" \
|
||||
--profile root-ca \
|
||||
--no-password --insecure --force
|
||||
step certificate create \
|
||||
"$issuer_host" "$tls_crt_path" "$tls_key_path" \
|
||||
--profile leaf \
|
||||
--not-after 8760h \
|
||||
--ca "$root_ca_crt_path" --ca-key "$root_ca_key_path" \
|
||||
--no-password --insecure --force
|
||||
|
||||
# Put the TLS certificate into a Secret for the Supervisor.
|
||||
kubectl create secret tls -n "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" my-federation-domain-tls --cert "$tls_crt_path" --key "$tls_key_path" \
|
||||
--dry-run=client --output yaml | kubectl apply -f -
|
||||
|
||||
# Make a FederationDomain using the TLS Secret from above.
|
||||
cat <<EOF | kubectl apply --namespace "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" -f -
|
||||
apiVersion: config.supervisor.pinniped.dev/v1alpha1
|
||||
kind: FederationDomain
|
||||
metadata:
|
||||
name: my-federation-domain
|
||||
spec:
|
||||
issuer: $issuer
|
||||
tls:
|
||||
secretName: my-federation-domain-tls
|
||||
EOF
|
||||
|
||||
echo "Waiting for FederationDomain to initialize..."
|
||||
# Sleeping is a race, but that's probably good enough for the purposes of this script.
|
||||
sleep 5
|
||||
|
||||
# Test that the federation domain is working before we proceed.
|
||||
echo "Fetching FederationDomain discovery info..."
|
||||
https_proxy="$PINNIPED_TEST_PROXY" curl -fLsS --cacert "$root_ca_crt_path" "$issuer/.well-known/openid-configuration" | jq .
|
||||
|
||||
if [[ "$use_oidc_upstream" == "yes" ]]; then
|
||||
# Make an OIDCIdentityProvider which uses Dex to provide identity.
|
||||
cat <<EOF | kubectl apply --namespace "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" -f -
|
||||
@ -254,6 +218,140 @@ EOF
|
||||
--dry-run=client --output yaml | kubectl apply -f -
|
||||
fi
|
||||
|
||||
# Create a CA and TLS serving certificates for the Supervisor's FederationDomain.
|
||||
if [[ ! -f "$root_ca_crt_path" ]]; then
|
||||
step certificate create \
|
||||
"Supervisor CA" "$root_ca_crt_path" "$root_ca_key_path" \
|
||||
--profile root-ca \
|
||||
--no-password --insecure --force
|
||||
fi
|
||||
if [[ ! -f "$tls_crt_path" || ! -f "$tls_key_path" ]]; then
|
||||
step certificate create \
|
||||
"$issuer_host" "$tls_crt_path" "$tls_key_path" \
|
||||
--profile leaf \
|
||||
--not-after 8760h \
|
||||
--ca "$root_ca_crt_path" --ca-key "$root_ca_key_path" \
|
||||
--no-password --insecure --force
|
||||
fi
|
||||
|
||||
# Put the TLS certificate into a Secret for the Supervisor's FederationDomain.
|
||||
kubectl create secret tls -n "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" my-federation-domain-tls --cert "$tls_crt_path" --key "$tls_key_path" \
|
||||
--dry-run=client --output yaml | kubectl apply -f -
|
||||
|
||||
# Make a FederationDomain using the TLS Secret and identity providers from above in a temp file.
|
||||
fd_file="/tmp/federationdomain.yaml"
|
||||
cat << EOF > $fd_file
|
||||
apiVersion: config.supervisor.pinniped.dev/v1alpha1
|
||||
kind: FederationDomain
|
||||
metadata:
|
||||
name: my-federation-domain
|
||||
spec:
|
||||
issuer: $issuer
|
||||
tls:
|
||||
secretName: my-federation-domain-tls
|
||||
identityProviders:
|
||||
EOF
|
||||
|
||||
if [[ "$use_oidc_upstream" == "yes" ]]; then
|
||||
# Indenting the heredoc by 4 spaces to make it indented the correct amount in the FederationDomain below.
|
||||
cat << EOF >> $fd_file
|
||||
|
||||
- displayName: "My OIDC IDP 🚀"
|
||||
objectRef:
|
||||
apiGroup: idp.supervisor.pinniped.dev
|
||||
kind: OIDCIdentityProvider
|
||||
name: my-oidc-provider
|
||||
transforms:
|
||||
expressions:
|
||||
- type: username/v1
|
||||
expression: '"oidc:" + username'
|
||||
- type: groups/v1 # the pinny user doesn't belong to any groups in Dex, so this isn't strictly needed, but doesn't hurt
|
||||
expression: 'groups.map(group, "oidc:" + group)'
|
||||
examples:
|
||||
- username: ryan@example.com
|
||||
groups: [ a, b ]
|
||||
expects:
|
||||
username: oidc:ryan@example.com
|
||||
groups: [ oidc:a, oidc:b ]
|
||||
EOF
|
||||
fi
|
||||
|
||||
if [[ "$use_ldap_upstream" == "yes" ]]; then
|
||||
# Indenting the heredoc by 4 spaces to make it indented the correct amount in the FederationDomain below.
|
||||
cat << EOF >> $fd_file
|
||||
|
||||
- displayName: "My LDAP IDP 🚀"
|
||||
objectRef:
|
||||
apiGroup: idp.supervisor.pinniped.dev
|
||||
kind: LDAPIdentityProvider
|
||||
name: my-ldap-provider
|
||||
transforms: # these are contrived to exercise all the available features
|
||||
constants:
|
||||
- name: prefix
|
||||
type: string
|
||||
stringValue: "ldap:"
|
||||
- name: onlyIncludeGroupsWithThisPrefix
|
||||
type: string
|
||||
stringValue: "ball-" # pinny belongs to ball-game-players in openldap
|
||||
- name: mustBelongToOneOfThese
|
||||
type: stringList
|
||||
stringListValue: [ ball-admins, seals ] # pinny belongs to seals in openldap
|
||||
- name: additionalAdmins
|
||||
type: stringList
|
||||
stringListValue: [ pinny.ldap@example.com, ryan@example.com ] # pinny's email address in openldap
|
||||
expressions:
|
||||
- type: policy/v1
|
||||
expression: 'groups.exists(g, g in strListConst.mustBelongToOneOfThese)'
|
||||
message: "Only users in certain kube groups are allowed to authenticate"
|
||||
- type: groups/v1
|
||||
expression: 'username in strListConst.additionalAdmins ? groups + ["ball-admins"] : groups'
|
||||
- type: groups/v1
|
||||
expression: 'groups.filter(group, group.startsWith(strConst.onlyIncludeGroupsWithThisPrefix))'
|
||||
- type: username/v1
|
||||
expression: 'strConst.prefix + username'
|
||||
- type: groups/v1
|
||||
expression: 'groups.map(group, strConst.prefix + group)'
|
||||
examples:
|
||||
- username: ryan@example.com
|
||||
groups: [ ball-developers, seals, non-ball-group ] # allowed to auth because belongs to seals
|
||||
expects:
|
||||
username: ldap:ryan@example.com
|
||||
groups: [ ldap:ball-developers, ldap:ball-admins ] # gets ball-admins because of username, others dropped because they lack "ball-" prefix
|
||||
- username: someone_else@example.com
|
||||
groups: [ ball-developers, ball-admins, non-ball-group ] # allowed to auth because belongs to ball-admins
|
||||
expects:
|
||||
username: ldap:someone_else@example.com
|
||||
groups: [ ldap:ball-developers, ldap:ball-admins ] # seals dropped because it lacks prefix
|
||||
- username: paul@example.com
|
||||
groups: [ not-ball-admins-group, not-seals-group ] # reject because does not belong to any of the required groups
|
||||
expects:
|
||||
rejected: true
|
||||
message: "Only users in certain kube groups are allowed to authenticate"
|
||||
EOF
|
||||
fi
|
||||
|
||||
if [[ "$use_ad_upstream" == "yes" ]]; then
|
||||
# Indenting the heredoc by 4 spaces to make it indented the correct amount in the FederationDomain below.
|
||||
cat << EOF >> $fd_file
|
||||
|
||||
- displayName: "My AD IDP"
|
||||
objectRef:
|
||||
apiGroup: idp.supervisor.pinniped.dev
|
||||
kind: ActiveDirectoryIdentityProvider
|
||||
name: my-ad-provider
|
||||
EOF
|
||||
fi
|
||||
|
||||
# Apply the FederationDomain from the file created above.
|
||||
kubectl apply --namespace "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" -f "$fd_file"
|
||||
|
||||
echo "Waiting for FederationDomain to initialize or update..."
|
||||
kubectl wait --for=condition=Ready FederationDomain/my-federation-domain -n "$PINNIPED_TEST_SUPERVISOR_NAMESPACE"
|
||||
|
||||
# Test that the federation domain is working before we proceed.
|
||||
echo "Fetching FederationDomain discovery info via command: https_proxy=\"$PINNIPED_TEST_PROXY\" curl -fLsS --cacert \"$root_ca_crt_path\" \"$issuer/.well-known/openid-configuration\""
|
||||
https_proxy="$PINNIPED_TEST_PROXY" curl -fLsS --cacert "$root_ca_crt_path" "$issuer/.well-known/openid-configuration" | jq .
|
||||
|
||||
if [[ "$OSTYPE" == "darwin"* ]]; then
|
||||
certificateAuthorityData=$(cat "$root_ca_crt_path" | base64)
|
||||
else
|
||||
@ -275,7 +373,7 @@ spec:
|
||||
certificateAuthorityData: $certificateAuthorityData
|
||||
EOF
|
||||
|
||||
echo "Waiting for JWTAuthenticator to initialize..."
|
||||
echo "Waiting for JWTAuthenticator to initialize or update..."
|
||||
# Sleeping is a race, but that's probably good enough for the purposes of this script.
|
||||
sleep 5
|
||||
|
||||
@ -288,12 +386,24 @@ while [[ -z "$(kubectl get credentialissuer pinniped-concierge-config -o=jsonpat
|
||||
sleep 2
|
||||
done
|
||||
|
||||
# Use the CLI to get the kubeconfig. Tell it that you don't want the browser to automatically open for logins.
|
||||
# Use the CLI to get the kubeconfig. Tell it that you don't want the browser to automatically open for browser-based
|
||||
# flows so we can open our own browser with the proxy settings. Generate a kubeconfig for each IDP.
|
||||
flow_arg=""
|
||||
if [[ -n "$use_flow" ]]; then
|
||||
flow_arg="--upstream-identity-provider-flow $use_flow"
|
||||
fi
|
||||
https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" ./pinniped get kubeconfig --oidc-skip-browser $flow_arg >kubeconfig
|
||||
if [[ "$use_oidc_upstream" == "yes" ]]; then
|
||||
https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" \
|
||||
./pinniped get kubeconfig --oidc-skip-browser $flow_arg --upstream-identity-provider-type oidc >kubeconfig-oidc.yaml
|
||||
fi
|
||||
if [[ "$use_ldap_upstream" == "yes" ]]; then
|
||||
https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" \
|
||||
./pinniped get kubeconfig --oidc-skip-browser $flow_arg --upstream-identity-provider-type ldap >kubeconfig-ldap.yaml
|
||||
fi
|
||||
if [[ "$use_ad_upstream" == "yes" ]]; then
|
||||
https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" \
|
||||
./pinniped get kubeconfig --oidc-skip-browser $flow_arg --upstream-identity-provider-type activedirectory >kubeconfig-ad.yaml
|
||||
fi
|
||||
|
||||
# Clear the local CLI cache to ensure that the kubectl command below will need to perform a fresh login.
|
||||
rm -f "$HOME/.config/pinniped/sessions.yaml"
|
||||
@ -304,37 +414,48 @@ echo "Ready! 🚀"
|
||||
|
||||
if [[ "$use_oidc_upstream" == "yes" || "$use_flow" == "browser_authcode" ]]; then
|
||||
echo
|
||||
echo "To be able to access the login URL shown below, start Chrome like this:"
|
||||
echo "To be able to access the Supervisor URL during login, start Chrome like this:"
|
||||
echo " open -a \"Google Chrome\" --args --proxy-server=\"$PINNIPED_TEST_PROXY\""
|
||||
echo "Note that Chrome must be fully quit before being started with --proxy-server."
|
||||
echo "Then open the login URL shown below in that new Chrome window."
|
||||
echo
|
||||
echo "When prompted for username and password, use these values:"
|
||||
echo
|
||||
fi
|
||||
|
||||
if [[ "$use_oidc_upstream" == "yes" ]]; then
|
||||
echo " Username: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME"
|
||||
echo " Password: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD"
|
||||
echo " OIDC Username: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME"
|
||||
echo " OIDC Password: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD"
|
||||
echo
|
||||
fi
|
||||
|
||||
if [[ "$use_ldap_upstream" == "yes" ]]; then
|
||||
echo " Username: $PINNIPED_TEST_LDAP_USER_CN"
|
||||
echo " Password: $PINNIPED_TEST_LDAP_USER_PASSWORD"
|
||||
echo " LDAP Username: $PINNIPED_TEST_LDAP_USER_CN"
|
||||
echo " LDAP Password: $PINNIPED_TEST_LDAP_USER_PASSWORD"
|
||||
echo
|
||||
fi
|
||||
|
||||
if [[ "$use_ad_upstream" == "yes" ]]; then
|
||||
echo " Username: $PINNIPED_TEST_AD_USER_USER_PRINCIPAL_NAME"
|
||||
echo " Password: $PINNIPED_TEST_AD_USER_PASSWORD"
|
||||
echo " AD Username: $PINNIPED_TEST_AD_USER_USER_PRINCIPAL_NAME"
|
||||
echo " AD Password: $PINNIPED_TEST_AD_USER_PASSWORD"
|
||||
echo
|
||||
fi
|
||||
|
||||
# Perform a login using the kubectl plugin. This should print the URL to be followed for the Dex login page
|
||||
# if using an OIDC upstream, or should prompt on the CLI for username/password if using an LDAP upstream.
|
||||
echo
|
||||
echo "Running: PINNIPED_DEBUG=true https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" kubectl --kubeconfig ./kubeconfig get pods -A"
|
||||
PINNIPED_DEBUG=true https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" kubectl --kubeconfig ./kubeconfig get pods -A
|
||||
|
||||
# Print the identity of the currently logged in user. The CLI has cached your tokens, and will automatically refresh
|
||||
# your short-lived credentials whenever they expire, so you should not be prompted to log in again for the rest of the day.
|
||||
echo
|
||||
echo "Running: PINNIPED_DEBUG=true https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" ./pinniped whoami --kubeconfig ./kubeconfig"
|
||||
PINNIPED_DEBUG=true https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" ./pinniped whoami --kubeconfig ./kubeconfig
|
||||
# Echo the commands that may be used to login and print the identity of the currently logged in user.
|
||||
# Once the CLI has cached your tokens, it will automatically refresh your short-lived credentials whenever
|
||||
# they expire, so you should not be prompted to log in again for the rest of the day.
|
||||
if [[ "$use_oidc_upstream" == "yes" ]]; then
|
||||
echo "To log in using OIDC, run:"
|
||||
echo "PINNIPED_DEBUG=true https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" ./pinniped whoami --kubeconfig ./kubeconfig-oidc.yaml"
|
||||
echo
|
||||
fi
|
||||
if [[ "$use_ldap_upstream" == "yes" ]]; then
|
||||
echo "To log in using LDAP, run:"
|
||||
echo "PINNIPED_DEBUG=true https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" ./pinniped whoami --kubeconfig ./kubeconfig-ldap.yaml"
|
||||
echo
|
||||
fi
|
||||
if [[ "$use_ad_upstream" == "yes" ]]; then
|
||||
echo "To log in using AD, run:"
|
||||
echo "PINNIPED_DEBUG=true https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" ./pinniped whoami --kubeconfig ./kubeconfig-ad.yaml"
|
||||
echo
|
||||
fi
|
||||
|
359
internal/celtransformer/celformer.go
Normal file
359
internal/celtransformer/celformer.go
Normal file
@ -0,0 +1,359 @@
|
||||
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
// Package celtransformer is an implementation of upstream-to-downstream identity transformations
|
||||
// and policies using CEL scripts.
|
||||
//
|
||||
// The CEL language is documented in https://github.com/google/cel-spec/blob/master/doc/langdef.md
|
||||
// with optional extensions documented in https://github.com/google/cel-go/tree/master/ext.
|
||||
package celtransformer
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"reflect"
|
||||
"regexp"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/google/cel-go/cel"
|
||||
"github.com/google/cel-go/common/types/ref"
|
||||
"github.com/google/cel-go/ext"
|
||||
|
||||
"go.pinniped.dev/internal/idtransform"
|
||||
)
|
||||
|
||||
const (
|
||||
usernameVariableName = "username"
|
||||
groupsVariableName = "groups"
|
||||
constStringVariableName = "strConst"
|
||||
constStringListVariableName = "strListConst"
|
||||
|
||||
DefaultPolicyRejectedAuthMessage = "authentication was rejected by a configured policy"
|
||||
)
|
||||
|
||||
// CELTransformer can compile any number of transformation expression pipelines.
|
||||
// Each compiled pipeline can be cached in memory for later thread-safe evaluation.
|
||||
type CELTransformer struct {
|
||||
compiler *cel.Env
|
||||
maxExpressionRuntime time.Duration
|
||||
}
|
||||
|
||||
// NewCELTransformer returns a CELTransformer.
|
||||
// A running process should only need one instance of a CELTransformer.
|
||||
func NewCELTransformer(maxExpressionRuntime time.Duration) (*CELTransformer, error) {
|
||||
env, err := newEnv()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &CELTransformer{compiler: env, maxExpressionRuntime: maxExpressionRuntime}, nil
|
||||
}
|
||||
|
||||
// TransformationConstants can be used to make more variables available to compiled CEL expressions for convenience.
|
||||
type TransformationConstants struct {
|
||||
// A map of variable names to their string values. If a key "x" has value "123", then it will be available
|
||||
// to CEL expressions as the variable `strConst.x` with value `"123"`.
|
||||
StringConstants map[string]string
|
||||
// A map of variable names to their string list values. If a key "x" has value []string{"123","456"},
|
||||
// then it will be available to CEL expressions as the variable `strListConst.x` with value `["123","456"]`.
|
||||
StringListConstants map[string][]string
|
||||
}
|
||||
|
||||
// Valid identifiers in CEL expressions are defined as [_a-zA-Z][_a-zA-Z0-9]* by the CEL language spec.
|
||||
var validIdentifiersRegexp = regexp.MustCompile(`^[_a-zA-Z][_a-zA-Z0-9]*$`)
|
||||
|
||||
func (t *TransformationConstants) validateVariableNames() error {
|
||||
const errFormat = "%q is an invalid const variable name (must match [_a-zA-Z][_a-zA-Z0-9]*)"
|
||||
for k := range t.StringConstants {
|
||||
if !validIdentifiersRegexp.MatchString(k) {
|
||||
return fmt.Errorf(errFormat, k)
|
||||
}
|
||||
}
|
||||
for k := range t.StringListConstants {
|
||||
if !validIdentifiersRegexp.MatchString(k) {
|
||||
return fmt.Errorf(errFormat, k)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// CompileTransformation compiles a CEL-based identity transformation expression.
|
||||
// The compiled transform can be cached in memory and executed repeatedly and in a thread-safe way.
|
||||
// The caller must not modify the consts param struct after calling this function to allow
|
||||
// the returned IdentityTransformation to use it as a thread-safe read-only structure.
|
||||
func (c *CELTransformer) CompileTransformation(t CELTransformation, consts *TransformationConstants) (idtransform.IdentityTransformation, error) {
|
||||
if consts == nil {
|
||||
consts = &TransformationConstants{}
|
||||
}
|
||||
if err := consts.validateVariableNames(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return t.compile(c, consts)
|
||||
}
|
||||
|
||||
// CELTransformation can be compiled into an IdentityTransformation.
|
||||
type CELTransformation interface {
|
||||
compile(transformer *CELTransformer, consts *TransformationConstants) (idtransform.IdentityTransformation, error)
|
||||
}
|
||||
|
||||
var _ CELTransformation = (*UsernameTransformation)(nil)
|
||||
var _ CELTransformation = (*GroupsTransformation)(nil)
|
||||
var _ CELTransformation = (*AllowAuthenticationPolicy)(nil)
|
||||
|
||||
// UsernameTransformation is a CEL expression that can transform a username (or leave it unchanged).
|
||||
// It implements CELTransformation.
|
||||
type UsernameTransformation struct {
|
||||
Expression string
|
||||
}
|
||||
|
||||
// GroupsTransformation is a CEL expression that can transform a list of group names (or leave it unchanged).
|
||||
// It implements CELTransformation.
|
||||
type GroupsTransformation struct {
|
||||
Expression string
|
||||
}
|
||||
|
||||
// AllowAuthenticationPolicy is a CEL expression that can allow the authentication to proceed by returning true.
|
||||
// It implements CELTransformation. When the CEL expression returns false, the authentication is rejected and the
|
||||
// RejectedAuthenticationMessage is used. When RejectedAuthenticationMessage is empty, a default message will be
|
||||
// used for rejected authentications.
|
||||
type AllowAuthenticationPolicy struct {
|
||||
Expression string
|
||||
RejectedAuthenticationMessage string
|
||||
}
|
||||
|
||||
func compileProgram(transformer *CELTransformer, expectedExpressionType *cel.Type, expr string) (cel.Program, error) {
|
||||
if strings.TrimSpace(expr) == "" {
|
||||
return nil, fmt.Errorf("cannot compile empty CEL expression")
|
||||
}
|
||||
|
||||
// compile does both parsing and type checking. The parsing phase indicates whether the expression is
|
||||
// syntactically valid and expands any macros present within the environment. Parsing and checking are
|
||||
// more computationally expensive than evaluation, so parsing and checking are done in advance.
|
||||
ast, issues := transformer.compiler.Compile(expr)
|
||||
if issues != nil {
|
||||
return nil, fmt.Errorf("CEL expression compile error: %s", issues.String())
|
||||
}
|
||||
|
||||
// The compiler's type checker has determined the type of the expression's result.
|
||||
// Check that it matches the type that we expect.
|
||||
if ast.OutputType().String() != expectedExpressionType.String() {
|
||||
return nil, fmt.Errorf("CEL expression should return type %q but returns type %q", expectedExpressionType, ast.OutputType())
|
||||
}
|
||||
|
||||
// The cel.Program is stateless, thread-safe, and cachable.
|
||||
program, err := transformer.compiler.Program(ast,
|
||||
cel.InterruptCheckFrequency(100), // Kubernetes uses 100 here, so we'll copy that setting.
|
||||
cel.EvalOptions(cel.OptOptimize), // Optimize certain things now rather than at evaluation time.
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("CEL expression program construction error: %w", err)
|
||||
}
|
||||
return program, nil
|
||||
}
|
||||
|
||||
func (t *UsernameTransformation) compile(transformer *CELTransformer, consts *TransformationConstants) (idtransform.IdentityTransformation, error) {
|
||||
program, err := compileProgram(transformer, cel.StringType, t.Expression)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &compiledUsernameTransformation{
|
||||
baseCompiledTransformation: &baseCompiledTransformation{
|
||||
program: program,
|
||||
consts: consts,
|
||||
sourceExpr: t,
|
||||
maxExpressionRuntime: transformer.maxExpressionRuntime,
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (t *GroupsTransformation) compile(transformer *CELTransformer, consts *TransformationConstants) (idtransform.IdentityTransformation, error) {
|
||||
program, err := compileProgram(transformer, cel.ListType(cel.StringType), t.Expression)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &compiledGroupsTransformation{
|
||||
baseCompiledTransformation: &baseCompiledTransformation{
|
||||
program: program,
|
||||
consts: consts,
|
||||
sourceExpr: t,
|
||||
maxExpressionRuntime: transformer.maxExpressionRuntime,
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (t *AllowAuthenticationPolicy) compile(transformer *CELTransformer, consts *TransformationConstants) (idtransform.IdentityTransformation, error) {
|
||||
program, err := compileProgram(transformer, cel.BoolType, t.Expression)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &compiledAllowAuthenticationPolicy{
|
||||
baseCompiledTransformation: &baseCompiledTransformation{
|
||||
program: program,
|
||||
consts: consts,
|
||||
sourceExpr: t,
|
||||
maxExpressionRuntime: transformer.maxExpressionRuntime,
|
||||
},
|
||||
rejectedAuthenticationMessage: t.RejectedAuthenticationMessage,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// Base type for common aspects of compiled transformations.
|
||||
type baseCompiledTransformation struct {
|
||||
program cel.Program
|
||||
consts *TransformationConstants
|
||||
sourceExpr CELTransformation
|
||||
maxExpressionRuntime time.Duration
|
||||
}
|
||||
|
||||
// Implements idtransform.IdentityTransformation.
|
||||
type compiledUsernameTransformation struct {
|
||||
*baseCompiledTransformation
|
||||
}
|
||||
|
||||
// Implements idtransform.IdentityTransformation.
|
||||
type compiledGroupsTransformation struct {
|
||||
*baseCompiledTransformation
|
||||
}
|
||||
|
||||
// Implements idtransform.IdentityTransformation.
|
||||
type compiledAllowAuthenticationPolicy struct {
|
||||
*baseCompiledTransformation
|
||||
rejectedAuthenticationMessage string
|
||||
}
|
||||
|
||||
func (c *baseCompiledTransformation) evalProgram(ctx context.Context, username string, groups []string) (ref.Val, error) {
|
||||
// Limit the runtime of a CEL expression to avoid accidental very expensive expressions.
|
||||
timeoutCtx, cancel := context.WithTimeout(ctx, c.maxExpressionRuntime)
|
||||
defer cancel()
|
||||
|
||||
// Evaluation is thread-safe and side effect free. Many inputs can be sent to the same cel.Program
|
||||
// and if fields are present in the input, but not referenced in the expression, they are ignored.
|
||||
// The argument to Eval may either be an `interpreter.Activation` or a `map[string]interface{}`.
|
||||
val, _, err := c.program.ContextEval(timeoutCtx, map[string]interface{}{
|
||||
usernameVariableName: username,
|
||||
groupsVariableName: groups,
|
||||
constStringVariableName: c.consts.StringConstants,
|
||||
constStringListVariableName: c.consts.StringListConstants,
|
||||
})
|
||||
return val, err
|
||||
}
|
||||
|
||||
func (c *compiledUsernameTransformation) Evaluate(ctx context.Context, username string, groups []string) (*idtransform.TransformationResult, error) {
|
||||
val, err := c.evalProgram(ctx, username, groups)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
nativeValue, err := val.ConvertToNative(reflect.TypeOf(""))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not convert expression result to string: %w", err)
|
||||
}
|
||||
stringValue, ok := nativeValue.(string)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("could not convert expression result to string")
|
||||
}
|
||||
return &idtransform.TransformationResult{
|
||||
Username: stringValue,
|
||||
Groups: groups, // groups are not modified by username transformations
|
||||
AuthenticationAllowed: true,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (c *compiledGroupsTransformation) Evaluate(ctx context.Context, username string, groups []string) (*idtransform.TransformationResult, error) {
|
||||
val, err := c.evalProgram(ctx, username, groups)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
nativeValue, err := val.ConvertToNative(reflect.TypeOf([]string{}))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not convert expression result to []string: %w", err)
|
||||
}
|
||||
stringSliceValue, ok := nativeValue.([]string)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("could not convert expression result to []string")
|
||||
}
|
||||
return &idtransform.TransformationResult{
|
||||
Username: username, // username is not modified by groups transformations
|
||||
Groups: stringSliceValue,
|
||||
AuthenticationAllowed: true,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (c *compiledAllowAuthenticationPolicy) Evaluate(ctx context.Context, username string, groups []string) (*idtransform.TransformationResult, error) {
|
||||
val, err := c.evalProgram(ctx, username, groups)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
nativeValue, err := val.ConvertToNative(reflect.TypeOf(true))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not convert expression result to bool: %w", err)
|
||||
}
|
||||
boolValue, ok := nativeValue.(bool)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("could not convert expression result to bool")
|
||||
}
|
||||
result := &idtransform.TransformationResult{
|
||||
Username: username, // username is not modified by policies
|
||||
Groups: groups, // groups are not modified by policies
|
||||
AuthenticationAllowed: boolValue,
|
||||
}
|
||||
if !boolValue {
|
||||
if len(c.rejectedAuthenticationMessage) == 0 {
|
||||
result.RejectedAuthenticationMessage = DefaultPolicyRejectedAuthMessage
|
||||
} else {
|
||||
result.RejectedAuthenticationMessage = c.rejectedAuthenticationMessage
|
||||
}
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
type CELTransformationSource struct {
|
||||
Expr CELTransformation
|
||||
Consts *TransformationConstants
|
||||
}
|
||||
|
||||
func (c *compiledUsernameTransformation) Source() interface{} {
|
||||
return &CELTransformationSource{Expr: c.sourceExpr, Consts: c.consts}
|
||||
}
|
||||
|
||||
func (c *compiledGroupsTransformation) Source() interface{} {
|
||||
return &CELTransformationSource{Expr: c.sourceExpr, Consts: c.consts}
|
||||
}
|
||||
|
||||
func (c *compiledAllowAuthenticationPolicy) Source() interface{} {
|
||||
return &CELTransformationSource{Expr: c.sourceExpr, Consts: c.consts}
|
||||
}
|
||||
|
||||
func newEnv() (*cel.Env, error) {
|
||||
// Note that Kubernetes uses CEL in several places, which are helpful to see as an example of
|
||||
// how to configure the CEL compiler for production usage. Examples:
|
||||
// https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/compiler.go
|
||||
// https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/compilation.go
|
||||
return cel.NewEnv(
|
||||
// Declare our variable without giving them values yet. By declaring them here, the type is known during
|
||||
// the parsing/checking phase.
|
||||
cel.Variable(usernameVariableName, cel.StringType),
|
||||
cel.Variable(groupsVariableName, cel.ListType(cel.StringType)),
|
||||
cel.Variable(constStringVariableName, cel.MapType(cel.StringType, cel.StringType)),
|
||||
cel.Variable(constStringListVariableName, cel.MapType(cel.StringType, cel.ListType(cel.StringType))),
|
||||
|
||||
// Enable the strings extensions.
|
||||
// See https://github.com/google/cel-go/tree/master/ext#strings
|
||||
// CEL also has other extensions for bas64 encoding/decoding and for math that we could choose to enable.
|
||||
// See https://github.com/google/cel-go/tree/master/ext
|
||||
// Kubernetes adds more extensions for extra regexp helpers, URLs, and extra list helpers that we could also
|
||||
// consider enabling. Note that if we added their regexp extension, then we would also need to add
|
||||
// cel.OptimizeRegex(library.ExtensionLibRegexOptimizations...) as an option when we call cel.Program.
|
||||
// See https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/apiserver/pkg/cel/library
|
||||
ext.Strings(),
|
||||
|
||||
// Just in case someone converts a string to a timestamp, make any time operations which do not include
|
||||
// an explicit timezone argument default to UTC.
|
||||
cel.DefaultUTCTimeZone(true),
|
||||
|
||||
// Check list and map literal entry types during type-checking.
|
||||
cel.HomogeneousAggregateLiterals(),
|
||||
|
||||
// Check for collisions in declarations now instead of later.
|
||||
cel.EagerlyValidateDeclarations(true),
|
||||
)
|
||||
}
|
900
internal/celtransformer/celformer_test.go
Normal file
900
internal/celtransformer/celformer_test.go
Normal file
@ -0,0 +1,900 @@
|
||||
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package celtransformer
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"runtime"
|
||||
"sort"
|
||||
"sync"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"go.pinniped.dev/internal/here"
|
||||
"go.pinniped.dev/internal/idtransform"
|
||||
)
|
||||
|
||||
func TestTransformer(t *testing.T) {
|
||||
var veryLargeGroupList []string
|
||||
for i := 0; i < 10000; i++ {
|
||||
veryLargeGroupList = append(veryLargeGroupList, fmt.Sprintf("g%d", i))
|
||||
}
|
||||
|
||||
alreadyCancelledContext, cancel := context.WithCancel(context.Background())
|
||||
cancel()
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
username string
|
||||
groups []string
|
||||
transforms []CELTransformation
|
||||
consts *TransformationConstants
|
||||
ctx context.Context
|
||||
|
||||
wantUsername string
|
||||
wantGroups []string
|
||||
wantAuthRejected bool
|
||||
wantAuthRejectedMessage string
|
||||
wantCompileErr string
|
||||
wantEvaluationErr string
|
||||
}{
|
||||
{
|
||||
name: "empty transforms list does not change the identity and allows auth",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
},
|
||||
{
|
||||
name: "simple transforms which do not change the identity and allows auth",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `username`},
|
||||
&GroupsTransformation{Expression: `groups`},
|
||||
&AllowAuthenticationPolicy{Expression: `true`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
},
|
||||
{
|
||||
name: "transformations run in the order that they are given and accumulate results",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `"a:" + username`},
|
||||
&UsernameTransformation{Expression: `"b:" + username`},
|
||||
&GroupsTransformation{Expression: `groups.map(g, "a:" + g)`},
|
||||
&GroupsTransformation{Expression: `groups.map(g, "b:" + g)`},
|
||||
},
|
||||
wantUsername: "b:a:ryan",
|
||||
wantGroups: []string{"b:a:admins", "b:a:developers", "b:a:other"},
|
||||
},
|
||||
{
|
||||
name: "policies which return false cause the pipeline to stop running and return a rejected auth result",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `"a:" + username`},
|
||||
&AllowAuthenticationPolicy{Expression: `true`, RejectedAuthenticationMessage: `Everyone is allowed`},
|
||||
&GroupsTransformation{Expression: `groups.map(g, "a:" + g)`},
|
||||
&AllowAuthenticationPolicy{Expression: `username == "admin"`, RejectedAuthenticationMessage: `Only the username "admin" is allowed`},
|
||||
&GroupsTransformation{Expression: `groups.map(g, "b:" + g)`}, // does not get evaluated
|
||||
},
|
||||
wantUsername: "a:ryan",
|
||||
wantGroups: []string{"a:admins", "a:developers", "a:other"},
|
||||
wantAuthRejected: true,
|
||||
wantAuthRejectedMessage: `Only the username "admin" is allowed`,
|
||||
},
|
||||
{
|
||||
name: "policies without a RejectedAuthenticationMessage get a default message",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `username == "admin"`, RejectedAuthenticationMessage: ""},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
wantAuthRejected: true,
|
||||
wantAuthRejectedMessage: `authentication was rejected by a configured policy`,
|
||||
},
|
||||
{
|
||||
name: "any transformations can use the username and group variables",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `groups[0] == "admins" && username == "ryan"`},
|
||||
&GroupsTransformation{Expression: `groups + [username]`},
|
||||
&UsernameTransformation{Expression: `groups[2]`}, // changes the username to "other"
|
||||
&GroupsTransformation{Expression: `groups + [username + "2"]`}, // by the time this expression runs, the username was already changed to "other"
|
||||
},
|
||||
wantUsername: "other",
|
||||
wantGroups: []string{"admins", "developers", "other", "other2", "ryan"},
|
||||
},
|
||||
{
|
||||
name: "any transformation can use the provided constants as variables",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
consts: &TransformationConstants{
|
||||
StringConstants: map[string]string{
|
||||
"x": "abc",
|
||||
"y": "def",
|
||||
},
|
||||
StringListConstants: map[string][]string{
|
||||
"x": {"uvw", "xyz"},
|
||||
"y": {"123", "456"},
|
||||
},
|
||||
},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `strConst.x + strListConst.x[0]`},
|
||||
&GroupsTransformation{Expression: `[strConst.x, strConst.y, strListConst.x[1], strListConst.y[0]]`},
|
||||
&AllowAuthenticationPolicy{Expression: `strConst.x == "abc"`},
|
||||
},
|
||||
wantUsername: "abcuvw",
|
||||
wantGroups: []string{"123", "abc", "def", "xyz"},
|
||||
},
|
||||
{
|
||||
name: "the CEL string extensions are enabled for use in the expressions",
|
||||
username: " ryan ",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups.map(g, g.replace("mins", "ministrators"))`},
|
||||
&UsernameTransformation{Expression: `username.upperAscii()`},
|
||||
&AllowAuthenticationPolicy{Expression: `(username.lowerAscii()).trim() == "ryan"`, RejectedAuthenticationMessage: `Silly example`},
|
||||
&UsernameTransformation{Expression: `username.trim()`},
|
||||
},
|
||||
wantUsername: "RYAN",
|
||||
wantGroups: []string{"administrators", "developers", "other"},
|
||||
},
|
||||
{
|
||||
name: "UTC is the default time zone for time operations",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `string(timestamp("2023-01-16T10:00:20.021-08:00").getHours())`},
|
||||
},
|
||||
// Without the compiler option cel.DefaultUTCTimeZone, this result would be 10.
|
||||
// With the option, this result is the original hour from the timestamp string (10), plus the effect
|
||||
// of the timezone (8), to move the hour into the UTC time zone.
|
||||
wantUsername: "18",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
},
|
||||
{
|
||||
name: "the default UTC time zone for time operations can be overridden by passing the time zone as an argument to the operation",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `string(timestamp("2023-01-16T10:00:20.021-08:00").getHours("US/Mountain"))`},
|
||||
},
|
||||
// This is the hour of the timestamp in Mountain time, which is one time zone over from Pacific (-08:00),
|
||||
// hence it is one larger than the original "10" from the timestamp string.
|
||||
wantUsername: "11",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
},
|
||||
{
|
||||
name: "quick expressions are finished by CEL before CEL even looks at the cancel context",
|
||||
username: "ryan",
|
||||
groups: veryLargeGroupList,
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `["one group"]`},
|
||||
},
|
||||
ctx: alreadyCancelledContext,
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"one group"},
|
||||
},
|
||||
|
||||
//
|
||||
// Unit tests to demonstrate practical examples of useful CEL expressions.
|
||||
//
|
||||
{
|
||||
name: "can prefix username and all groups",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `"username_prefix:" + username`},
|
||||
&GroupsTransformation{Expression: `groups.map(g, "group_prefix:" + g)`},
|
||||
},
|
||||
wantUsername: "username_prefix:ryan",
|
||||
wantGroups: []string{"group_prefix:admins", "group_prefix:developers", "group_prefix:other"},
|
||||
},
|
||||
{
|
||||
name: "can suffix username and all groups",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `username + ":username_suffix"`},
|
||||
&GroupsTransformation{Expression: `groups.map(g, g + ":group_suffix")`},
|
||||
},
|
||||
wantUsername: "ryan:username_suffix",
|
||||
wantGroups: []string{"admins:group_suffix", "developers:group_suffix", "other:group_suffix"},
|
||||
},
|
||||
{
|
||||
name: "can change case of username and all groups",
|
||||
username: "rYan 🚀",
|
||||
groups: []string{"aDmins", "dEvelopers", "oTher"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `username.lowerAscii()`},
|
||||
&GroupsTransformation{Expression: `groups.map(g, g.upperAscii())`},
|
||||
},
|
||||
wantUsername: "ryan 🚀",
|
||||
wantGroups: []string{"ADMINS", "DEVELOPERS", "OTHER"},
|
||||
},
|
||||
{
|
||||
name: "can replace whitespace",
|
||||
username: " r\ty a n \n",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `username.replace(" ", "").replace("\n", "").replace("\t", "")`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
},
|
||||
{
|
||||
name: "can use regex on strings: when the regex matches",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `username.matches("^r[abcy].n$") ? "ryan-modified" : username`},
|
||||
},
|
||||
wantUsername: "ryan-modified",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
},
|
||||
{
|
||||
name: "can use regex on strings: when the regex does not match",
|
||||
username: "olive",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `username.matches("^r[abcy].n$") ? "ryan-modified" : username`},
|
||||
},
|
||||
wantUsername: "olive",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
},
|
||||
{
|
||||
name: "can filter groups based on an allow list",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups.filter(g, g in ["admins", "developers"])`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers"},
|
||||
},
|
||||
{
|
||||
name: "can filter groups based on an allow list provided as a const",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
consts: &TransformationConstants{
|
||||
StringListConstants: map[string][]string{"allowedGroups": {"admins", "developers"}},
|
||||
},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups.filter(g, g in strListConst.allowedGroups)`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers"},
|
||||
},
|
||||
{
|
||||
name: "can filter groups based on a disallow list",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups.filter(g, !(g in ["admins", "developers"]))`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"other"},
|
||||
},
|
||||
{
|
||||
name: "can filter groups based on a disallowed prefixes",
|
||||
username: "ryan",
|
||||
groups: []string{"disallowed1:admins", "disallowed2:developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups.filter(group, !(["disallowed1:", "disallowed2:"].exists(prefix, group.startsWith(prefix))))`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"other"},
|
||||
},
|
||||
{
|
||||
name: "can filter groups based on a disallowed prefixes provided as a const",
|
||||
username: "ryan",
|
||||
groups: []string{"disallowed1:admins", "disallowed2:developers", "other"},
|
||||
consts: &TransformationConstants{
|
||||
StringListConstants: map[string][]string{"disallowedPrefixes": {"disallowed1:", "disallowed2:"}},
|
||||
},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups.filter(group, !(strListConst.disallowedPrefixes.exists(prefix, group.startsWith(prefix))))`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"other"},
|
||||
},
|
||||
{
|
||||
name: "can add a group",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups + ["new-group"]`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "new-group", "other"},
|
||||
},
|
||||
{
|
||||
name: "a nil passed as groups will be converted to an empty list",
|
||||
username: "ryan",
|
||||
groups: nil,
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{},
|
||||
},
|
||||
{
|
||||
name: "a nil passed as groups will be converted to an empty list and can be used with CEL operators",
|
||||
username: "ryan",
|
||||
groups: nil,
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups == [] ? ["the-groups-list-was-an-empty-list"] : ["the-groups-list-was-not-an-empty-list"]`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"the-groups-list-was-an-empty-list"},
|
||||
},
|
||||
{
|
||||
name: "an empty list of groups is allowed",
|
||||
username: "ryan",
|
||||
groups: []string{},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{},
|
||||
},
|
||||
{
|
||||
name: "can add a group from a const",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
consts: &TransformationConstants{
|
||||
StringConstants: map[string]string{"groupToAlwaysAdd": "new-group"},
|
||||
},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups + [strConst.groupToAlwaysAdd]`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "new-group", "other"},
|
||||
},
|
||||
{
|
||||
name: "can add a group but only if they already belong to another group - when the user does belong to that other group",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `"other" in groups ? groups + ["new-group"] : groups`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "new-group", "other"},
|
||||
},
|
||||
{
|
||||
name: "can add a group but only if they already belong to another group - when the user does NOT belong to that other group",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers"},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `"other" in groups ? groups + ["new-group"] : groups`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers"},
|
||||
},
|
||||
{
|
||||
name: "can rename a group",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups.map(g, g == "other" ? "other-renamed" : g)`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "other-renamed"},
|
||||
},
|
||||
{
|
||||
name: "can reject auth based on belonging to one group - when the user meets the criteria",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other", "super-admins"},
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `"super-admins" in groups`, RejectedAuthenticationMessage: `Only users who belong to the "super-admins" group are allowed`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "other", "super-admins"},
|
||||
},
|
||||
{
|
||||
name: "can reject auth based on belonging to one group - when the user does NOT meet the criteria",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `"super-admins" in groups`, RejectedAuthenticationMessage: `Only users who belong to the "super-admins" group are allowed`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
wantAuthRejected: true,
|
||||
wantAuthRejectedMessage: `Only users who belong to the "super-admins" group are allowed`,
|
||||
},
|
||||
{
|
||||
name: "can reject auth unless the user belongs to any one of the groups in a list - when the user meets the criteria",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "foobar", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `groups.exists(g, g in ["foobar", "foobaz", "foobat"])`, RejectedAuthenticationMessage: `Only users who belong to any of the groups in a list are allowed`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "foobar", "other"},
|
||||
},
|
||||
{
|
||||
name: "can reject auth unless the user belongs to any one of the groups in a list - when the user does NOT meet the criteria",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `groups.exists(g, g in ["foobar", "foobaz", "foobat"])`, RejectedAuthenticationMessage: `Only users who belong to any of the groups in a list are allowed`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
wantAuthRejected: true,
|
||||
wantAuthRejectedMessage: `Only users who belong to any of the groups in a list are allowed`,
|
||||
},
|
||||
{
|
||||
name: "can reject auth unless the user belongs to all of the groups in a list - when the user meets the criteria",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other", "foobar", "foobaz", "foobat"},
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `["foobar", "foobaz", "foobat"].all(g, g in groups)`, RejectedAuthenticationMessage: `Only users who belong to all groups in a list are allowed`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "foobar", "foobat", "foobaz", "other"},
|
||||
},
|
||||
{
|
||||
name: "can reject auth unless the user belongs to all of the groups in a list - when the user does NOT meet the criteria",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other", "foobaz", "foobat"},
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `["foobar", "foobaz", "foobat"].all(g, g in groups)`, RejectedAuthenticationMessage: `Only users who belong to all groups in a list are allowed`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "other", "foobaz", "foobat"},
|
||||
wantAuthRejected: true,
|
||||
wantAuthRejectedMessage: `Only users who belong to all groups in a list are allowed`,
|
||||
},
|
||||
{
|
||||
name: "can reject auth if the user belongs to any groups in a disallowed groups list - when the user meets the criteria",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `!groups.exists(g, g in ["foobar", "foobaz"])`, RejectedAuthenticationMessage: `Only users who do not belong to any of the groups in a list are allowed`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
},
|
||||
{
|
||||
name: "can reject auth if the user belongs to any groups in a disallowed groups list - when the user does NOT meet the criteria",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other", "foobaz"},
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `!groups.exists(g, g in ["foobar", "foobaz"])`, RejectedAuthenticationMessage: `Only users who do not belong to any of the groups in a list are allowed`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "other", "foobaz"},
|
||||
wantAuthRejected: true,
|
||||
wantAuthRejectedMessage: `Only users who do not belong to any of the groups in a list are allowed`,
|
||||
},
|
||||
{
|
||||
name: "can reject auth unless the username is in an allowed users list - when the user meets the criteria",
|
||||
username: "foobaz",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `username in ["foobar", "foobaz"]`, RejectedAuthenticationMessage: `Only certain usernames allowed`},
|
||||
},
|
||||
wantUsername: "foobaz",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
},
|
||||
{
|
||||
name: "can reject auth unless the username is in an allowed users list - when the user does NOT meet the criteria",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `username in ["foobar", "foobaz"]`, RejectedAuthenticationMessage: `Only certain usernames allowed`},
|
||||
},
|
||||
wantUsername: "ryan",
|
||||
wantGroups: []string{"admins", "developers", "other"},
|
||||
wantAuthRejected: true,
|
||||
wantAuthRejectedMessage: `Only certain usernames allowed`,
|
||||
},
|
||||
|
||||
//
|
||||
// Error cases
|
||||
//
|
||||
{
|
||||
name: "username transformation returns an empty string as the new username",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `""`},
|
||||
},
|
||||
wantEvaluationErr: "identity transformation returned an empty username, which is not allowed",
|
||||
},
|
||||
{
|
||||
name: "username transformation returns a string containing only whitespace as the new username",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `" \n \t "`},
|
||||
},
|
||||
wantEvaluationErr: "identity transformation returned an empty username, which is not allowed",
|
||||
},
|
||||
{
|
||||
name: "username transformation compiles to return null, which is not a string so it has the wrong type",
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `null`},
|
||||
},
|
||||
wantCompileErr: `CEL expression should return type "string" but returns type "null_type"`,
|
||||
},
|
||||
{
|
||||
name: "groups transformation compiles to return null, which is not a string so it has the wrong type",
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `null`},
|
||||
},
|
||||
wantCompileErr: `CEL expression should return type "list(string)" but returns type "null_type"`,
|
||||
},
|
||||
{
|
||||
name: "policy transformation compiles to return null, which is not a string so it has the wrong type",
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `null`},
|
||||
},
|
||||
wantCompileErr: `CEL expression should return type "bool" but returns type "null_type"`,
|
||||
},
|
||||
{
|
||||
name: "username transformation has empty expression",
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: ``},
|
||||
},
|
||||
wantCompileErr: `cannot compile empty CEL expression`,
|
||||
},
|
||||
{
|
||||
name: "groups transformation has empty expression",
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: ``},
|
||||
},
|
||||
wantCompileErr: `cannot compile empty CEL expression`,
|
||||
},
|
||||
{
|
||||
name: "policy transformation has empty expression",
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: ``},
|
||||
},
|
||||
wantCompileErr: `cannot compile empty CEL expression`,
|
||||
},
|
||||
{
|
||||
name: "username transformation has expression which contains only whitespace",
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: " \n\t "},
|
||||
},
|
||||
wantCompileErr: `cannot compile empty CEL expression`,
|
||||
},
|
||||
{
|
||||
name: "groups transformation has expression which contains only whitespace",
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: " \n\t "},
|
||||
},
|
||||
wantCompileErr: `cannot compile empty CEL expression`,
|
||||
},
|
||||
{
|
||||
name: "policy transformation has expression which contains only whitespace",
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: " \n\t "},
|
||||
},
|
||||
wantCompileErr: `cannot compile empty CEL expression`,
|
||||
},
|
||||
{
|
||||
name: "slow username transformation expressions are canceled by the cancel context after partial evaluation",
|
||||
username: "ryan",
|
||||
groups: veryLargeGroupList,
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `groups.filter(x, groups.all(x, true))[0]`},
|
||||
},
|
||||
ctx: alreadyCancelledContext,
|
||||
wantEvaluationErr: `identity transformation at index 0: operation interrupted`,
|
||||
},
|
||||
{
|
||||
name: "slow groups transformation expressions are canceled by the cancel context after partial evaluation",
|
||||
username: "ryan",
|
||||
groups: veryLargeGroupList,
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups.filter(x, groups.all(x, true))`},
|
||||
},
|
||||
ctx: alreadyCancelledContext,
|
||||
wantEvaluationErr: `identity transformation at index 0: operation interrupted`,
|
||||
},
|
||||
{
|
||||
name: "slow policy expressions are canceled by the cancel context after partial evaluation",
|
||||
username: "ryan",
|
||||
groups: veryLargeGroupList,
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: "username"},
|
||||
&AllowAuthenticationPolicy{Expression: `groups.all(x, groups.all(x, true))`}, // this is the slow one
|
||||
},
|
||||
ctx: alreadyCancelledContext,
|
||||
wantEvaluationErr: `identity transformation at index 1: operation interrupted`,
|
||||
},
|
||||
{
|
||||
name: "slow transformation expressions are canceled and the rest of the expressions do not run",
|
||||
username: "ryan",
|
||||
groups: veryLargeGroupList,
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `username`}, // quick expressions are allowed to run even though the context is cancelled
|
||||
&UsernameTransformation{Expression: `groups.filter(x, groups.all(x, true))[0]`},
|
||||
&UsernameTransformation{Expression: `groups.filter(x, groups.all(x, true))[0]`},
|
||||
&UsernameTransformation{Expression: `groups.filter(x, groups.all(x, true))[0]`},
|
||||
},
|
||||
ctx: alreadyCancelledContext,
|
||||
wantEvaluationErr: `identity transformation at index 1: operation interrupted`,
|
||||
},
|
||||
{
|
||||
name: "slow username transformation expressions are canceled after a maximum allowed duration",
|
||||
username: "ryan",
|
||||
groups: veryLargeGroupList,
|
||||
transforms: []CELTransformation{
|
||||
// On my laptop, evaluating this expression would take ~20 seconds if we allowed it to evaluate to completion.
|
||||
&UsernameTransformation{Expression: `groups.filter(x, groups.all(x, true))[0]`},
|
||||
},
|
||||
wantEvaluationErr: `identity transformation at index 0: operation interrupted`,
|
||||
},
|
||||
{
|
||||
name: "slow groups transformation expressions are canceled after a maximum allowed duration",
|
||||
username: "ryan",
|
||||
groups: veryLargeGroupList,
|
||||
transforms: []CELTransformation{
|
||||
// On my laptop, evaluating this expression would take ~20 seconds if we allowed it to evaluate to completion.
|
||||
&GroupsTransformation{Expression: `groups.filter(x, groups.all(x, true))`},
|
||||
},
|
||||
wantEvaluationErr: `identity transformation at index 0: operation interrupted`,
|
||||
},
|
||||
{
|
||||
name: "slow policy transformation expressions are canceled after a maximum allowed duration",
|
||||
username: "ryan",
|
||||
groups: veryLargeGroupList,
|
||||
transforms: []CELTransformation{
|
||||
// On my laptop, evaluating this expression would take ~20 seconds if we allowed it to evaluate to completion.
|
||||
&AllowAuthenticationPolicy{Expression: `groups.all(x, groups.all(x, true))`},
|
||||
},
|
||||
wantEvaluationErr: `identity transformation at index 0: operation interrupted`,
|
||||
},
|
||||
{
|
||||
name: "compile errors are returned by the compile step for a username transform",
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `foobar.junk()`},
|
||||
},
|
||||
wantCompileErr: here.Doc(`
|
||||
CEL expression compile error: ERROR: <input>:1:1: undeclared reference to 'foobar' (in container '')
|
||||
| foobar.junk()
|
||||
| ^
|
||||
ERROR: <input>:1:12: undeclared reference to 'junk' (in container '')
|
||||
| foobar.junk()
|
||||
| ...........^`,
|
||||
),
|
||||
},
|
||||
{
|
||||
name: "compile errors are returned by the compile step for a groups transform",
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `foobar.junk()`},
|
||||
},
|
||||
wantCompileErr: here.Doc(`
|
||||
CEL expression compile error: ERROR: <input>:1:1: undeclared reference to 'foobar' (in container '')
|
||||
| foobar.junk()
|
||||
| ^
|
||||
ERROR: <input>:1:12: undeclared reference to 'junk' (in container '')
|
||||
| foobar.junk()
|
||||
| ...........^`,
|
||||
),
|
||||
},
|
||||
{
|
||||
name: "compile errors are returned by the compile step for a policy",
|
||||
transforms: []CELTransformation{
|
||||
&AllowAuthenticationPolicy{Expression: `foobar.junk()`},
|
||||
},
|
||||
wantCompileErr: here.Doc(`
|
||||
CEL expression compile error: ERROR: <input>:1:1: undeclared reference to 'foobar' (in container '')
|
||||
| foobar.junk()
|
||||
| ^
|
||||
ERROR: <input>:1:12: undeclared reference to 'junk' (in container '')
|
||||
| foobar.junk()
|
||||
| ...........^`,
|
||||
),
|
||||
},
|
||||
{
|
||||
name: "evaluation errors stop the pipeline and return an error",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: "username"},
|
||||
&AllowAuthenticationPolicy{Expression: `1 / 0 == 7`},
|
||||
},
|
||||
wantEvaluationErr: `identity transformation at index 1: division by zero`,
|
||||
},
|
||||
{
|
||||
name: "HomogeneousAggregateLiterals compiler setting is enabled to help the user avoid type mistakes in expressions",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups.all(g, g in ["admins", 1])`},
|
||||
},
|
||||
wantCompileErr: here.Doc(`
|
||||
CEL expression compile error: ERROR: <input>:1:31: expected type 'string' but found 'int'
|
||||
| groups.all(g, g in ["admins", 1])
|
||||
| ..............................^`,
|
||||
),
|
||||
},
|
||||
{
|
||||
name: "when an expression's type cannot be determined at compile time, e.g. due to the use of dynamic types",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `groups.map(g, {"admins": dyn(1), "developers":"a"}[g])`},
|
||||
},
|
||||
wantCompileErr: `CEL expression should return type "list(string)" but returns type "list(dyn)"`,
|
||||
},
|
||||
{
|
||||
name: "using string constants which were not were provided",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `strConst.x`},
|
||||
},
|
||||
wantEvaluationErr: `identity transformation at index 0: no such key: x`,
|
||||
},
|
||||
{
|
||||
name: "using string list constants which were not were provided",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
transforms: []CELTransformation{
|
||||
&GroupsTransformation{Expression: `strListConst.x`},
|
||||
},
|
||||
wantEvaluationErr: `identity transformation at index 0: no such key: x`,
|
||||
},
|
||||
{
|
||||
name: "using an illegal name for a string constant",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
consts: &TransformationConstants{StringConstants: map[string]string{" illegal": "a"}},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `username`},
|
||||
},
|
||||
wantCompileErr: `" illegal" is an invalid const variable name (must match [_a-zA-Z][_a-zA-Z0-9]*)`,
|
||||
},
|
||||
{
|
||||
name: "using an illegal name for a stringList constant",
|
||||
username: "ryan",
|
||||
groups: []string{"admins", "developers", "other"},
|
||||
consts: &TransformationConstants{StringListConstants: map[string][]string{" illegal": {"a"}}},
|
||||
transforms: []CELTransformation{
|
||||
&UsernameTransformation{Expression: `username`},
|
||||
},
|
||||
wantCompileErr: `" illegal" is an invalid const variable name (must match [_a-zA-Z][_a-zA-Z0-9]*)`,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
tt := tt
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
transformer, err := NewCELTransformer(100 * time.Millisecond)
|
||||
require.NoError(t, err)
|
||||
|
||||
pipeline := idtransform.NewTransformationPipeline()
|
||||
expectedPipelineSource := []interface{}{}
|
||||
|
||||
for _, transform := range tt.transforms {
|
||||
compiledTransform, err := transformer.CompileTransformation(transform, tt.consts)
|
||||
if tt.wantCompileErr != "" {
|
||||
require.EqualError(t, err, tt.wantCompileErr)
|
||||
return // the rest of the test doesn't make sense when there was a compile error
|
||||
}
|
||||
require.NoError(t, err, "got an unexpected compile error")
|
||||
pipeline.AppendTransformation(compiledTransform)
|
||||
|
||||
expectedTransformSource := &CELTransformationSource{
|
||||
Expr: transform,
|
||||
Consts: tt.consts,
|
||||
}
|
||||
if expectedTransformSource.Consts == nil {
|
||||
expectedTransformSource.Consts = &TransformationConstants{}
|
||||
}
|
||||
expectedPipelineSource = append(expectedPipelineSource, expectedTransformSource)
|
||||
}
|
||||
|
||||
ctx := context.Background()
|
||||
if tt.ctx != nil {
|
||||
ctx = tt.ctx
|
||||
}
|
||||
|
||||
result, err := pipeline.Evaluate(ctx, tt.username, tt.groups)
|
||||
if tt.wantEvaluationErr != "" {
|
||||
require.EqualError(t, err, tt.wantEvaluationErr)
|
||||
return // the rest of the test doesn't make sense when there was an evaluation error
|
||||
}
|
||||
require.NoError(t, err, "got an unexpected evaluation error")
|
||||
|
||||
require.Equal(t, tt.wantUsername, result.Username)
|
||||
require.Equal(t, tt.wantGroups, result.Groups)
|
||||
require.Equal(t, !tt.wantAuthRejected, result.AuthenticationAllowed, "AuthenticationAllowed had unexpected value")
|
||||
require.Equal(t, tt.wantAuthRejectedMessage, result.RejectedAuthenticationMessage)
|
||||
|
||||
require.Equal(t, expectedPipelineSource, pipeline.Source())
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestTypicalPerformanceAndThreadSafety(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
transformer, err := NewCELTransformer(5 * time.Second) // CI workers can be slow, so allow slow transforms
|
||||
require.NoError(t, err)
|
||||
|
||||
pipeline := idtransform.NewTransformationPipeline()
|
||||
|
||||
var compiledTransform idtransform.IdentityTransformation
|
||||
compiledTransform, err = transformer.CompileTransformation(&UsernameTransformation{Expression: `"username_prefix:" + username`}, nil)
|
||||
require.NoError(t, err)
|
||||
pipeline.AppendTransformation(compiledTransform)
|
||||
compiledTransform, err = transformer.CompileTransformation(&GroupsTransformation{Expression: `groups.map(g, "group_prefix:" + g)`}, nil)
|
||||
require.NoError(t, err)
|
||||
pipeline.AppendTransformation(compiledTransform)
|
||||
compiledTransform, err = transformer.CompileTransformation(&AllowAuthenticationPolicy{Expression: `username == "username_prefix:ryan"`}, nil)
|
||||
require.NoError(t, err)
|
||||
pipeline.AppendTransformation(compiledTransform)
|
||||
|
||||
var groups []string
|
||||
var wantGroups []string
|
||||
for i := 0; i < 100; i++ {
|
||||
groups = append(groups, fmt.Sprintf("g%d", i))
|
||||
wantGroups = append(wantGroups, fmt.Sprintf("group_prefix:g%d", i))
|
||||
}
|
||||
sort.Strings(wantGroups)
|
||||
|
||||
// Before looking at performance, check that the behavior of the function is correct.
|
||||
result, err := pipeline.Evaluate(context.Background(), "ryan", groups)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, "username_prefix:ryan", result.Username)
|
||||
require.Equal(t, wantGroups, result.Groups)
|
||||
require.True(t, result.AuthenticationAllowed)
|
||||
require.Empty(t, result.RejectedAuthenticationMessage)
|
||||
|
||||
// This loop is meant to give a sense of typical runtime of CEL expressions which transforms a username
|
||||
// and 100 group names. It is not meant to be a pass/fail test or scientific benchmark test.
|
||||
iterations := 1000
|
||||
start := time.Now()
|
||||
for i := 0; i < iterations; i++ {
|
||||
_, _ = pipeline.Evaluate(context.Background(), "ryan", groups)
|
||||
}
|
||||
elapsed := time.Since(start)
|
||||
t.Logf("TestTypicalPerformanceAndThreadSafety %d iterations of Evaluate took %s; average runtime %s", iterations, elapsed, elapsed/time.Duration(iterations))
|
||||
// On my laptop this prints: TestTypicalPerformanceAndThreadSafety 1000 iterations of Evaluate took 257.981421ms; average runtime 257.981µs
|
||||
|
||||
// Now use the transformations pipeline from different goroutines at the same time. Hopefully the race detector
|
||||
// will complain if this is not thread safe in some way. Use the pipeline enough that it will be very likely that
|
||||
// there will be several parallel invocations of the Evaluate function. Every invocation should also yield the
|
||||
// exact same result, since they are all using the same inputs. This assumes that the unit tests are run using
|
||||
// the race detector.
|
||||
var wg sync.WaitGroup
|
||||
numGoroutines := runtime.NumCPU() / 2
|
||||
t.Logf("Running tight loops in %d simultaneous goroutines", numGoroutines)
|
||||
for i := 0; i < numGoroutines; i++ {
|
||||
wg.Add(1) // increment WaitGroup counter for each goroutine
|
||||
go func() {
|
||||
defer wg.Done() // decrement WaitGroup counter when this goroutine finishes
|
||||
for j := 0; j < iterations*2; j++ {
|
||||
localResult, localErr := pipeline.Evaluate(context.Background(), "ryan", groups)
|
||||
require.NoError(t, localErr)
|
||||
require.Equal(t, "username_prefix:ryan", localResult.Username)
|
||||
require.Equal(t, wantGroups, localResult.Groups)
|
||||
require.True(t, localResult.AuthenticationAllowed)
|
||||
require.Empty(t, localResult.RejectedAuthenticationMessage)
|
||||
}
|
||||
}()
|
||||
}
|
||||
wg.Wait() // wait for the counter to reach zero, indicating the all goroutines are finished
|
||||
}
|
@ -11,7 +11,7 @@ import (
|
||||
"k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||||
|
||||
"go.pinniped.dev/internal/certauthority"
|
||||
"go.pinniped.dev/internal/issuer"
|
||||
"go.pinniped.dev/internal/clientcertissuer"
|
||||
)
|
||||
|
||||
// ca is a type capable of issuing certificates.
|
||||
@ -21,7 +21,7 @@ type ca struct {
|
||||
|
||||
// New creates a ClientCertIssuer, ready to issue certs whenever
|
||||
// the given CertKeyContentProvider has a keypair to provide.
|
||||
func New(provider dynamiccertificates.CertKeyContentProvider) issuer.ClientCertIssuer {
|
||||
func New(provider dynamiccertificates.CertKeyContentProvider) clientcertissuer.ClientCertIssuer {
|
||||
return &ca{
|
||||
provider: provider,
|
||||
}
|
||||
|
@ -9,8 +9,8 @@ import (
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"go.pinniped.dev/internal/clientcertissuer"
|
||||
"go.pinniped.dev/internal/dynamiccert"
|
||||
"go.pinniped.dev/internal/issuer"
|
||||
"go.pinniped.dev/internal/testutil"
|
||||
)
|
||||
|
||||
@ -116,7 +116,7 @@ func TestCAIssuePEM(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func issuePEM(provider dynamiccert.Provider, ca issuer.ClientCertIssuer, caCrt, caKey []byte) ([]byte, []byte, error) {
|
||||
func issuePEM(provider dynamiccert.Provider, ca clientcertissuer.ClientCertIssuer, caCrt, caKey []byte) ([]byte, []byte, error) {
|
||||
// if setting fails, look at that error
|
||||
if caCrt != nil || caKey != nil {
|
||||
if err := provider.SetCertKeyContent(caCrt, caKey); err != nil {
|
||||
|
@ -1,7 +1,7 @@
|
||||
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package issuer
|
||||
package clientcertissuer
|
||||
|
||||
import (
|
||||
"fmt"
|
@ -1,7 +1,7 @@
|
||||
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package issuer
|
||||
package clientcertissuer
|
||||
|
||||
import (
|
||||
"errors"
|
@ -15,8 +15,8 @@ import (
|
||||
"k8s.io/apiserver/pkg/registry/rest"
|
||||
genericapiserver "k8s.io/apiserver/pkg/server"
|
||||
|
||||
"go.pinniped.dev/internal/clientcertissuer"
|
||||
"go.pinniped.dev/internal/controllerinit"
|
||||
"go.pinniped.dev/internal/issuer"
|
||||
"go.pinniped.dev/internal/plog"
|
||||
"go.pinniped.dev/internal/pversion"
|
||||
"go.pinniped.dev/internal/registry/credentialrequest"
|
||||
@ -30,7 +30,7 @@ type Config struct {
|
||||
|
||||
type ExtraConfig struct {
|
||||
Authenticator credentialrequest.TokenCredentialRequestAuthenticator
|
||||
Issuer issuer.ClientCertIssuer
|
||||
Issuer clientcertissuer.ClientCertIssuer
|
||||
BuildControllersPostStartHook controllerinit.RunnerBuilder
|
||||
Scheme *runtime.Scheme
|
||||
NegotiatedSerializer runtime.NegotiatedSerializer
|
||||
|
@ -23,6 +23,7 @@ import (
|
||||
|
||||
conciergeopenapi "go.pinniped.dev/generated/latest/client/concierge/openapi"
|
||||
"go.pinniped.dev/internal/certauthority/dynamiccertauthority"
|
||||
"go.pinniped.dev/internal/clientcertissuer"
|
||||
"go.pinniped.dev/internal/concierge/apiserver"
|
||||
conciergescheme "go.pinniped.dev/internal/concierge/scheme"
|
||||
"go.pinniped.dev/internal/config/concierge"
|
||||
@ -33,7 +34,6 @@ import (
|
||||
"go.pinniped.dev/internal/downward"
|
||||
"go.pinniped.dev/internal/dynamiccert"
|
||||
"go.pinniped.dev/internal/here"
|
||||
"go.pinniped.dev/internal/issuer"
|
||||
"go.pinniped.dev/internal/kubeclient"
|
||||
"go.pinniped.dev/internal/plog"
|
||||
"go.pinniped.dev/internal/pversion"
|
||||
@ -159,7 +159,7 @@ func (a *App) runServer(ctx context.Context) error {
|
||||
return fmt.Errorf("could not prepare controllers: %w", err)
|
||||
}
|
||||
|
||||
certIssuer := issuer.ClientCertIssuers{
|
||||
certIssuer := clientcertissuer.ClientCertIssuers{
|
||||
dynamiccertauthority.New(dynamicSigningCertProvider), // attempt to use the real Kube CA if possible
|
||||
dynamiccertauthority.New(impersonationProxySigningCertProvider), // fallback to our internal CA if we need to
|
||||
}
|
||||
@ -194,7 +194,7 @@ func (a *App) runServer(ctx context.Context) error {
|
||||
func getAggregatedAPIServerConfig(
|
||||
dynamicCertProvider dynamiccert.Private,
|
||||
authenticator credentialrequest.TokenCredentialRequestAuthenticator,
|
||||
issuer issuer.ClientCertIssuer,
|
||||
issuer clientcertissuer.ClientCertIssuer,
|
||||
buildControllers controllerinit.RunnerBuilder,
|
||||
apiGroupSuffix string,
|
||||
aggregatedAPIServerPort int64,
|
||||
|
@ -67,11 +67,11 @@ func mergeIDPCondition(existing *[]v1.Condition, new *v1.Condition) bool {
|
||||
}
|
||||
|
||||
// MergeConfigConditions merges conditions into conditionsToUpdate. If returns true if it merged any error conditions.
|
||||
func MergeConfigConditions(conditions []*v1.Condition, observedGeneration int64, conditionsToUpdate *[]v1.Condition, log plog.MinLogger) bool {
|
||||
func MergeConfigConditions(conditions []*v1.Condition, observedGeneration int64, conditionsToUpdate *[]v1.Condition, log plog.MinLogger, now v1.Time) bool {
|
||||
hadErrorCondition := false
|
||||
for i := range conditions {
|
||||
cond := conditions[i].DeepCopy()
|
||||
cond.LastTransitionTime = v1.Now()
|
||||
cond.LastTransitionTime = now
|
||||
cond.ObservedGeneration = observedGeneration
|
||||
if mergeConfigCondition(conditionsToUpdate, cond) {
|
||||
log.Info("updated condition", "type", cond.Type, "status", cond.Status, "reason", cond.Reason, "message", cond.Message)
|
||||
|
@ -26,7 +26,7 @@ import (
|
||||
"go.pinniped.dev/internal/controller/conditionsutil"
|
||||
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
|
||||
"go.pinniped.dev/internal/controllerlib"
|
||||
"go.pinniped.dev/internal/oidc/provider"
|
||||
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
|
||||
"go.pinniped.dev/internal/plog"
|
||||
"go.pinniped.dev/internal/upstreamldap"
|
||||
)
|
||||
@ -225,7 +225,7 @@ func (s *activeDirectoryUpstreamGenericLDAPStatus) Conditions() []metav1.Conditi
|
||||
|
||||
// UpstreamActiveDirectoryIdentityProviderICache is a thread safe cache that holds a list of validated upstream LDAP IDP configurations.
|
||||
type UpstreamActiveDirectoryIdentityProviderICache interface {
|
||||
SetActiveDirectoryIdentityProviders([]provider.UpstreamLDAPIdentityProviderI)
|
||||
SetActiveDirectoryIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI)
|
||||
}
|
||||
|
||||
type activeDirectoryWatcherController struct {
|
||||
@ -299,7 +299,7 @@ func (c *activeDirectoryWatcherController) Sync(ctx controllerlib.Context) error
|
||||
}
|
||||
|
||||
requeue := false
|
||||
validatedUpstreams := make([]provider.UpstreamLDAPIdentityProviderI, 0, len(actualUpstreams))
|
||||
validatedUpstreams := make([]upstreamprovider.UpstreamLDAPIdentityProviderI, 0, len(actualUpstreams))
|
||||
for _, upstream := range actualUpstreams {
|
||||
valid, requestedRequeue := c.validateUpstream(ctx.Context, upstream)
|
||||
if valid != nil {
|
||||
@ -318,7 +318,7 @@ func (c *activeDirectoryWatcherController) Sync(ctx controllerlib.Context) error
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context, upstream *v1alpha1.ActiveDirectoryIdentityProvider) (p provider.UpstreamLDAPIdentityProviderI, requeue bool) {
|
||||
func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context, upstream *v1alpha1.ActiveDirectoryIdentityProvider) (p upstreamprovider.UpstreamLDAPIdentityProviderI, requeue bool) {
|
||||
spec := upstream.Spec
|
||||
|
||||
adUpstreamImpl := &activeDirectoryUpstreamGenericLDAPImpl{activeDirectoryIdentityProvider: *upstream}
|
||||
@ -344,7 +344,7 @@ func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context,
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){
|
||||
"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID"),
|
||||
},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
pwdLastSetAttribute: attributeUnchangedSinceLogin(pwdLastSetAttribute),
|
||||
userAccountControlAttribute: validUserAccountControl,
|
||||
userAccountControlComputedAttribute: validComputedUserAccountControl,
|
||||
@ -445,7 +445,7 @@ func getDomainFromDistinguishedName(distinguishedName string) (string, error) {
|
||||
}
|
||||
|
||||
//nolint:gochecknoglobals // this needs to be a global variable so that tests can check pointer equality
|
||||
var validUserAccountControl = func(entry *ldap.Entry, _ provider.RefreshAttributes) error {
|
||||
var validUserAccountControl = func(entry *ldap.Entry, _ upstreamprovider.RefreshAttributes) error {
|
||||
userAccountControl, err := strconv.Atoi(entry.GetAttributeValue(userAccountControlAttribute))
|
||||
if err != nil {
|
||||
return err
|
||||
@ -459,7 +459,7 @@ var validUserAccountControl = func(entry *ldap.Entry, _ provider.RefreshAttribut
|
||||
}
|
||||
|
||||
//nolint:gochecknoglobals // this needs to be a global variable so that tests can check pointer equality
|
||||
var validComputedUserAccountControl = func(entry *ldap.Entry, _ provider.RefreshAttributes) error {
|
||||
var validComputedUserAccountControl = func(entry *ldap.Entry, _ upstreamprovider.RefreshAttributes) error {
|
||||
userAccountControl, err := strconv.Atoi(entry.GetAttributeValue(userAccountControlComputedAttribute))
|
||||
if err != nil {
|
||||
return err
|
||||
@ -473,8 +473,8 @@ var validComputedUserAccountControl = func(entry *ldap.Entry, _ provider.Refresh
|
||||
}
|
||||
|
||||
//nolint:gochecknoglobals // this needs to be a global variable so that tests can check pointer equality
|
||||
var attributeUnchangedSinceLogin = func(attribute string) func(*ldap.Entry, provider.RefreshAttributes) error {
|
||||
return func(entry *ldap.Entry, storedAttributes provider.RefreshAttributes) error {
|
||||
var attributeUnchangedSinceLogin = func(attribute string) func(*ldap.Entry, upstreamprovider.RefreshAttributes) error {
|
||||
return func(entry *ldap.Entry, storedAttributes upstreamprovider.RefreshAttributes) error {
|
||||
prevAttributeValue := storedAttributes.AdditionalAttributes[attribute]
|
||||
newValues := entry.GetRawAttributeValues(attribute)
|
||||
|
||||
|
@ -29,8 +29,9 @@ import (
|
||||
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
|
||||
"go.pinniped.dev/internal/controllerlib"
|
||||
"go.pinniped.dev/internal/endpointaddr"
|
||||
"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
|
||||
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
|
||||
"go.pinniped.dev/internal/mocks/mockldapconn"
|
||||
"go.pinniped.dev/internal/oidc/provider"
|
||||
"go.pinniped.dev/internal/testutil"
|
||||
"go.pinniped.dev/internal/upstreamldap"
|
||||
)
|
||||
@ -229,7 +230,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: testGroupSearchNameAttrName,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -572,7 +573,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: testGroupSearchNameAttrName,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -642,7 +643,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: "sAMAccountName",
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -715,7 +716,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: testGroupSearchNameAttrName,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -795,7 +796,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: testGroupSearchNameAttrName,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -859,7 +860,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: testGroupSearchNameAttrName,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -1010,7 +1011,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: testGroupSearchNameAttrName,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -1160,7 +1161,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: testGroupSearchNameAttrName,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -1232,7 +1233,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: testGroupSearchNameAttrName,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -1499,7 +1500,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
GroupAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"sAMAccountName": groupSAMAccountNameWithDomainSuffix},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -1559,7 +1560,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: testGroupSearchNameAttrName,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -1623,7 +1624,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: testGroupSearchNameAttrName,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -1687,7 +1688,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: testGroupSearchNameAttrName,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -1899,7 +1900,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
GroupNameAttribute: testGroupSearchNameAttrName,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -1962,7 +1963,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
SkipGroupRefresh: true,
|
||||
},
|
||||
UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
|
||||
RefreshAttributeChecks: map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{
|
||||
"pwdLastSet": attributeUnchangedSinceLogin("pwdLastSet"),
|
||||
"userAccountControl": validUserAccountControl,
|
||||
"msDS-User-Account-Control-Computed": validComputedUserAccountControl,
|
||||
@ -2009,8 +2010,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
|
||||
fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
|
||||
kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
|
||||
cache := provider.NewDynamicUpstreamIDPProvider()
|
||||
cache.SetActiveDirectoryIdentityProviders([]provider.UpstreamLDAPIdentityProviderI{
|
||||
cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
|
||||
cache.SetActiveDirectoryIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI{
|
||||
upstreamldap.New(upstreamldap.ProviderConfig{Name: "initial-entry"}),
|
||||
})
|
||||
|
||||
@ -2104,8 +2105,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
|
||||
expectedRefreshAttributeChecks := copyOfExpectedValueForResultingCache.RefreshAttributeChecks
|
||||
actualRefreshAttributeChecks := actualConfig.RefreshAttributeChecks
|
||||
copyOfExpectedValueForResultingCache.RefreshAttributeChecks = map[string]func(*ldap.Entry, provider.RefreshAttributes) error{}
|
||||
actualConfig.RefreshAttributeChecks = map[string]func(*ldap.Entry, provider.RefreshAttributes) error{}
|
||||
copyOfExpectedValueForResultingCache.RefreshAttributeChecks = map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{}
|
||||
actualConfig.RefreshAttributeChecks = map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error{}
|
||||
require.Equal(t, len(expectedRefreshAttributeChecks), len(actualRefreshAttributeChecks))
|
||||
for k, v := range expectedRefreshAttributeChecks {
|
||||
require.NotNil(t, actualRefreshAttributeChecks[k])
|
||||
@ -2354,7 +2355,7 @@ func TestValidUserAccountControl(t *testing.T) {
|
||||
for _, test := range tests {
|
||||
tt := test
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
err := validUserAccountControl(tt.entry, provider.RefreshAttributes{})
|
||||
err := validUserAccountControl(tt.entry, upstreamprovider.RefreshAttributes{})
|
||||
|
||||
if tt.wantErr != "" {
|
||||
require.Error(t, err)
|
||||
@ -2415,7 +2416,7 @@ func TestValidComputedUserAccountControl(t *testing.T) {
|
||||
for _, test := range tests {
|
||||
tt := test
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
err := validComputedUserAccountControl(tt.entry, provider.RefreshAttributes{})
|
||||
err := validComputedUserAccountControl(tt.entry, upstreamprovider.RefreshAttributes{})
|
||||
|
||||
if tt.wantErr != "" {
|
||||
require.Error(t, err)
|
||||
@ -2490,7 +2491,7 @@ func TestAttributeUnchangedSinceLogin(t *testing.T) {
|
||||
tt := test
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
initialValRawEncoded := base64.RawURLEncoding.EncodeToString([]byte(initialVal))
|
||||
err := attributeUnchangedSinceLogin(attributeName)(tt.entry, provider.RefreshAttributes{AdditionalAttributes: map[string]string{attributeName: initialValRawEncoded}})
|
||||
err := attributeUnchangedSinceLogin(attributeName)(tt.entry, upstreamprovider.RefreshAttributes{AdditionalAttributes: map[string]string{attributeName: initialValRawEncoded}})
|
||||
if tt.wantErr != "" {
|
||||
require.Error(t, err)
|
||||
require.Equal(t, tt.wantErr, err.Error())
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -20,7 +20,7 @@ import (
|
||||
"go.pinniped.dev/internal/controller/conditionsutil"
|
||||
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
|
||||
"go.pinniped.dev/internal/controllerlib"
|
||||
"go.pinniped.dev/internal/oidc/provider"
|
||||
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
|
||||
"go.pinniped.dev/internal/plog"
|
||||
"go.pinniped.dev/internal/upstreamldap"
|
||||
)
|
||||
@ -133,7 +133,7 @@ func (s *ldapUpstreamGenericLDAPStatus) Conditions() []metav1.Condition {
|
||||
|
||||
// UpstreamLDAPIdentityProviderICache is a thread safe cache that holds a list of validated upstream LDAP IDP configurations.
|
||||
type UpstreamLDAPIdentityProviderICache interface {
|
||||
SetLDAPIdentityProviders([]provider.UpstreamLDAPIdentityProviderI)
|
||||
SetLDAPIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI)
|
||||
}
|
||||
|
||||
type ldapWatcherController struct {
|
||||
@ -207,7 +207,7 @@ func (c *ldapWatcherController) Sync(ctx controllerlib.Context) error {
|
||||
}
|
||||
|
||||
requeue := false
|
||||
validatedUpstreams := make([]provider.UpstreamLDAPIdentityProviderI, 0, len(actualUpstreams))
|
||||
validatedUpstreams := make([]upstreamprovider.UpstreamLDAPIdentityProviderI, 0, len(actualUpstreams))
|
||||
for _, upstream := range actualUpstreams {
|
||||
valid, requestedRequeue := c.validateUpstream(ctx.Context, upstream)
|
||||
if valid != nil {
|
||||
@ -226,7 +226,7 @@ func (c *ldapWatcherController) Sync(ctx controllerlib.Context) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *ldapWatcherController) validateUpstream(ctx context.Context, upstream *v1alpha1.LDAPIdentityProvider) (p provider.UpstreamLDAPIdentityProviderI, requeue bool) {
|
||||
func (c *ldapWatcherController) validateUpstream(ctx context.Context, upstream *v1alpha1.LDAPIdentityProvider) (p upstreamprovider.UpstreamLDAPIdentityProviderI, requeue bool) {
|
||||
spec := upstream.Spec
|
||||
|
||||
config := &upstreamldap.ProviderConfig{
|
||||
|
@ -28,8 +28,9 @@ import (
|
||||
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
|
||||
"go.pinniped.dev/internal/controllerlib"
|
||||
"go.pinniped.dev/internal/endpointaddr"
|
||||
"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
|
||||
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
|
||||
"go.pinniped.dev/internal/mocks/mockldapconn"
|
||||
"go.pinniped.dev/internal/oidc/provider"
|
||||
"go.pinniped.dev/internal/testutil"
|
||||
"go.pinniped.dev/internal/upstreamldap"
|
||||
)
|
||||
@ -1138,8 +1139,8 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
|
||||
fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
|
||||
kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
|
||||
cache := provider.NewDynamicUpstreamIDPProvider()
|
||||
cache.SetLDAPIdentityProviders([]provider.UpstreamLDAPIdentityProviderI{
|
||||
cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
|
||||
cache.SetLDAPIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI{
|
||||
upstreamldap.New(upstreamldap.ProviderConfig{Name: "initial-entry"}),
|
||||
})
|
||||
|
||||
|
@ -21,7 +21,7 @@ import (
|
||||
pinnipedcontroller "go.pinniped.dev/internal/controller"
|
||||
"go.pinniped.dev/internal/controller/conditionsutil"
|
||||
"go.pinniped.dev/internal/controllerlib"
|
||||
"go.pinniped.dev/internal/oidc/oidcclientvalidator"
|
||||
"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
|
||||
"go.pinniped.dev/internal/oidcclientsecretstorage"
|
||||
"go.pinniped.dev/internal/plog"
|
||||
)
|
||||
@ -133,11 +133,12 @@ func (c *oidcClientWatcherController) updateStatus(
|
||||
) error {
|
||||
updated := upstream.DeepCopy()
|
||||
|
||||
hadErrorCondition := conditionsutil.MergeConfigConditions(conditions, upstream.Generation, &updated.Status.Conditions, plog.New())
|
||||
hadErrorCondition := conditionsutil.MergeConfigConditions(conditions,
|
||||
upstream.Generation, &updated.Status.Conditions, plog.New(), metav1.Now())
|
||||
|
||||
updated.Status.Phase = v1alpha1.PhaseReady
|
||||
updated.Status.Phase = v1alpha1.OIDCClientPhaseReady
|
||||
if hadErrorCondition {
|
||||
updated.Status.Phase = v1alpha1.PhaseError
|
||||
updated.Status.Phase = v1alpha1.OIDCClientPhaseError
|
||||
}
|
||||
|
||||
updated.Status.TotalClientSecrets = int32(totalClientSecrets)
|
||||
|
@ -34,8 +34,8 @@ import (
|
||||
"go.pinniped.dev/internal/controller/conditionsutil"
|
||||
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
|
||||
"go.pinniped.dev/internal/controllerlib"
|
||||
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
|
||||
"go.pinniped.dev/internal/net/phttp"
|
||||
"go.pinniped.dev/internal/oidc/provider"
|
||||
"go.pinniped.dev/internal/plog"
|
||||
"go.pinniped.dev/internal/upstreamoidc"
|
||||
)
|
||||
@ -91,10 +91,10 @@ var (
|
||||
|
||||
// UpstreamOIDCIdentityProviderICache is a thread safe cache that holds a list of validated upstream OIDC IDP configurations.
|
||||
type UpstreamOIDCIdentityProviderICache interface {
|
||||
SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI)
|
||||
SetOIDCIdentityProviders([]upstreamprovider.UpstreamOIDCIdentityProviderI)
|
||||
}
|
||||
|
||||
// lruValidatorCache caches the *oidc.Provider associated with a particular issuer/TLS configuration.
|
||||
// lruValidatorCache caches the *coreosoidc.Provider associated with a particular issuer/TLS configuration.
|
||||
type lruValidatorCache struct{ cache *cache.Expiring }
|
||||
|
||||
type lruValidatorCacheEntry struct {
|
||||
@ -175,13 +175,13 @@ func (c *oidcWatcherController) Sync(ctx controllerlib.Context) error {
|
||||
}
|
||||
|
||||
requeue := false
|
||||
validatedUpstreams := make([]provider.UpstreamOIDCIdentityProviderI, 0, len(actualUpstreams))
|
||||
validatedUpstreams := make([]upstreamprovider.UpstreamOIDCIdentityProviderI, 0, len(actualUpstreams))
|
||||
for _, upstream := range actualUpstreams {
|
||||
valid := c.validateUpstream(ctx, upstream)
|
||||
if valid == nil {
|
||||
requeue = true
|
||||
} else {
|
||||
validatedUpstreams = append(validatedUpstreams, provider.UpstreamOIDCIdentityProviderI(valid))
|
||||
validatedUpstreams = append(validatedUpstreams, upstreamprovider.UpstreamOIDCIdentityProviderI(valid))
|
||||
}
|
||||
}
|
||||
c.cache.SetOIDCIdentityProviders(validatedUpstreams)
|
||||
|
@ -28,7 +28,8 @@ import (
|
||||
pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
|
||||
"go.pinniped.dev/internal/certauthority"
|
||||
"go.pinniped.dev/internal/controllerlib"
|
||||
"go.pinniped.dev/internal/oidc/provider"
|
||||
"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
|
||||
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
|
||||
"go.pinniped.dev/internal/plog"
|
||||
"go.pinniped.dev/internal/testutil"
|
||||
"go.pinniped.dev/internal/testutil/oidctestutil"
|
||||
@ -80,8 +81,8 @@ func TestOIDCUpstreamWatcherControllerFilterSecret(t *testing.T) {
|
||||
pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
|
||||
fakeKubeClient := fake.NewSimpleClientset()
|
||||
kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
|
||||
cache := provider.NewDynamicUpstreamIDPProvider()
|
||||
cache.SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI{
|
||||
cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
|
||||
cache.SetOIDCIdentityProviders([]upstreamprovider.UpstreamOIDCIdentityProviderI{
|
||||
&upstreamoidc.ProviderConfig{Name: "initial-entry"},
|
||||
})
|
||||
secretInformer := kubeInformers.Core().V1().Secrets()
|
||||
@ -1415,8 +1416,8 @@ oidc: issuer did not match the issuer returned by provider, expected "` + testIs
|
||||
fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
|
||||
kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
|
||||
testLog := testlogger.NewLegacy(t) //nolint:staticcheck // old test with lots of log statements
|
||||
cache := provider.NewDynamicUpstreamIDPProvider()
|
||||
cache.SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI{
|
||||
cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
|
||||
cache.SetOIDCIdentityProviders([]upstreamprovider.UpstreamOIDCIdentityProviderI{
|
||||
&upstreamoidc.ProviderConfig{Name: "initial-entry"},
|
||||
})
|
||||
|
||||
|
@ -16,7 +16,7 @@ import (
|
||||
|
||||
"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
|
||||
"go.pinniped.dev/internal/constable"
|
||||
"go.pinniped.dev/internal/oidc/provider"
|
||||
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
|
||||
"go.pinniped.dev/internal/plog"
|
||||
"go.pinniped.dev/internal/upstreamldap"
|
||||
)
|
||||
@ -365,7 +365,7 @@ func validateAndSetLDAPServerConnectivityAndSearchBase(
|
||||
return ldapConnectionValidCondition, searchBaseFoundCondition
|
||||
}
|
||||
|
||||
func EvaluateConditions(conditions GradatedConditions, config *upstreamldap.ProviderConfig) (provider.UpstreamLDAPIdentityProviderI, bool) {
|
||||
func EvaluateConditions(conditions GradatedConditions, config *upstreamldap.ProviderConfig) (upstreamprovider.UpstreamLDAPIdentityProviderI, bool) {
|
||||
for _, gradatedCondition := range conditions.gradatedConditions {
|
||||
if gradatedCondition.condition.Status != metav1.ConditionTrue && gradatedCondition.isFatal {
|
||||
// Invalid provider, so do not load it into the cache.
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package supervisorstorage
|
||||
@ -21,12 +21,13 @@ import (
|
||||
pinnipedcontroller "go.pinniped.dev/internal/controller"
|
||||
"go.pinniped.dev/internal/controllerlib"
|
||||
"go.pinniped.dev/internal/crud"
|
||||
"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
|
||||
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
|
||||
"go.pinniped.dev/internal/fositestorage/accesstoken"
|
||||
"go.pinniped.dev/internal/fositestorage/authorizationcode"
|
||||
"go.pinniped.dev/internal/fositestorage/openidconnect"
|
||||
"go.pinniped.dev/internal/fositestorage/pkce"
|
||||
"go.pinniped.dev/internal/fositestorage/refreshtoken"
|
||||
"go.pinniped.dev/internal/oidc/provider"
|
||||
"go.pinniped.dev/internal/plog"
|
||||
"go.pinniped.dev/internal/psession"
|
||||
)
|
||||
@ -43,7 +44,7 @@ type garbageCollectorController struct {
|
||||
|
||||
// UpstreamOIDCIdentityProviderICache is a thread safe cache that holds a list of validated upstream OIDC IDP configurations.
|
||||
type UpstreamOIDCIdentityProviderICache interface {
|
||||
GetOIDCIdentityProviders() []provider.UpstreamOIDCIdentityProviderI
|
||||
GetOIDCIdentityProviders() []upstreamprovider.UpstreamOIDCIdentityProviderI
|
||||
}
|
||||
|
||||
func GarbageCollectorController(
|
||||
@ -143,7 +144,7 @@ func (c *garbageCollectorController) Sync(ctx controllerlib.Context) error {
|
||||
// cleaning them out of etcd storage.
|
||||
fourHoursAgo := frozenClock.Now().Add(-4 * time.Hour)
|
||||
nowIsLessThanFourHoursBeyondSecretGCTime := garbageCollectAfterTime.After(fourHoursAgo)
|
||||
if errors.As(revokeErr, &provider.RetryableRevocationError{}) && nowIsLessThanFourHoursBeyondSecretGCTime {
|
||||
if errors.As(revokeErr, &dynamicupstreamprovider.RetryableRevocationError{}) && nowIsLessThanFourHoursBeyondSecretGCTime {
|
||||
// Hasn't been very long since secret expired, so skip deletion to try revocation again later.
|
||||
plog.Trace("garbage collector keeping Secret to retry upstream OIDC token revocation later", logKV(secret)...)
|
||||
continue
|
||||
@ -244,7 +245,7 @@ func (c *garbageCollectorController) tryRevokeUpstreamOIDCToken(ctx context.Cont
|
||||
}
|
||||
|
||||
// Try to find the provider that was originally used to create the stored session.
|
||||
var foundOIDCIdentityProviderI provider.UpstreamOIDCIdentityProviderI
|
||||
var foundOIDCIdentityProviderI upstreamprovider.UpstreamOIDCIdentityProviderI
|
||||
for _, p := range c.idpCache.GetOIDCIdentityProviders() {
|
||||
if p.GetName() == customSessionData.ProviderName && p.GetResourceUID() == customSessionData.ProviderUID {
|
||||
foundOIDCIdentityProviderI = p
|
||||
@ -260,7 +261,7 @@ func (c *garbageCollectorController) tryRevokeUpstreamOIDCToken(ctx context.Cont
|
||||
upstreamAccessToken := customSessionData.OIDC.UpstreamAccessToken
|
||||
|
||||
if upstreamRefreshToken != "" {
|
||||
err := foundOIDCIdentityProviderI.RevokeToken(ctx, upstreamRefreshToken, provider.RefreshTokenType)
|
||||
err := foundOIDCIdentityProviderI.RevokeToken(ctx, upstreamRefreshToken, upstreamprovider.RefreshTokenType)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -268,7 +269,7 @@ func (c *garbageCollectorController) tryRevokeUpstreamOIDCToken(ctx context.Cont
|
||||
}
|
||||
|
||||
if upstreamAccessToken != "" {
|
||||
err := foundOIDCIdentityProviderI.RevokeToken(ctx, upstreamAccessToken, provider.AccessTokenType)
|
||||
err := foundOIDCIdentityProviderI.RevokeToken(ctx, upstreamAccessToken, upstreamprovider.AccessTokenType)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package supervisorstorage
|
||||
@ -25,11 +25,12 @@ import (
|
||||
clocktesting "k8s.io/utils/clock/testing"
|
||||
|
||||
"go.pinniped.dev/internal/controllerlib"
|
||||
"go.pinniped.dev/internal/federationdomain/clientregistry"
|
||||
"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
|
||||
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
|
||||
"go.pinniped.dev/internal/fositestorage/accesstoken"
|
||||
"go.pinniped.dev/internal/fositestorage/authorizationcode"
|
||||
"go.pinniped.dev/internal/fositestorage/refreshtoken"
|
||||
"go.pinniped.dev/internal/oidc/clientregistry"
|
||||
"go.pinniped.dev/internal/oidc/provider"
|
||||
"go.pinniped.dev/internal/psession"
|
||||
"go.pinniped.dev/internal/testutil"
|
||||
"go.pinniped.dev/internal/testutil/oidctestutil"
|
||||
@ -137,7 +138,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
|
||||
// Defer starting the informers until the last possible moment so that the
|
||||
// nested Before's can keep adding things to the informer caches.
|
||||
var startInformersAndController = func(idpCache provider.DynamicUpstreamIDPProvider) {
|
||||
var startInformersAndController = func(idpCache dynamicupstreamprovider.DynamicUpstreamIDPProvider) {
|
||||
// Set this at the last second to allow for injection of server override.
|
||||
subject = GarbageCollectorController(
|
||||
idpCache,
|
||||
@ -263,7 +264,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
when("there are valid, expired authcode secrets which contain upstream refresh tokens", func() {
|
||||
it.Before(func() {
|
||||
activeOIDCAuthcodeSession := &authorizationcode.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Active: true,
|
||||
Request: &fosite.Request{
|
||||
ID: "request-id-1",
|
||||
@ -308,7 +309,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
|
||||
|
||||
inactiveOIDCAuthcodeSession := &authorizationcode.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Active: false,
|
||||
Request: &fosite.Request{
|
||||
ID: "request-id-2",
|
||||
@ -360,7 +361,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
WithRevokeTokenError(nil)
|
||||
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
||||
|
||||
startInformersAndController(idpListerBuilder.Build())
|
||||
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
|
||||
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
||||
|
||||
// The upstream refresh token is only revoked for the active authcode session.
|
||||
@ -369,7 +370,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
&oidctestutil.RevokeTokenArgs{
|
||||
Ctx: syncContext.Context,
|
||||
Token: "fake-upstream-refresh-token",
|
||||
TokenType: provider.RefreshTokenType,
|
||||
TokenType: upstreamprovider.RefreshTokenType,
|
||||
},
|
||||
)
|
||||
|
||||
@ -387,7 +388,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
when("there are valid, expired authcode secrets which contain upstream access tokens", func() {
|
||||
it.Before(func() {
|
||||
activeOIDCAuthcodeSession := &authorizationcode.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Active: true,
|
||||
Request: &fosite.Request{
|
||||
ID: "request-id-1",
|
||||
@ -432,7 +433,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
|
||||
|
||||
inactiveOIDCAuthcodeSession := &authorizationcode.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Active: false,
|
||||
Request: &fosite.Request{
|
||||
ID: "request-id-2",
|
||||
@ -484,7 +485,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
WithRevokeTokenError(nil)
|
||||
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
||||
|
||||
startInformersAndController(idpListerBuilder.Build())
|
||||
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
|
||||
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
||||
|
||||
// The upstream refresh token is only revoked for the active authcode session.
|
||||
@ -493,7 +494,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
&oidctestutil.RevokeTokenArgs{
|
||||
Ctx: syncContext.Context,
|
||||
Token: "fake-upstream-access-token",
|
||||
TokenType: provider.AccessTokenType,
|
||||
TokenType: upstreamprovider.AccessTokenType,
|
||||
},
|
||||
)
|
||||
|
||||
@ -511,7 +512,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
when("there is an invalid, expired authcode secret", func() {
|
||||
it.Before(func() {
|
||||
invalidOIDCAuthcodeSession := &authorizationcode.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Active: true,
|
||||
Request: &fosite.Request{
|
||||
ID: "", // it is invalid for there to be a missing request ID
|
||||
@ -561,7 +562,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
WithRevokeTokenError(nil)
|
||||
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
||||
|
||||
startInformersAndController(idpListerBuilder.Build())
|
||||
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
|
||||
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
||||
|
||||
// Nothing to revoke since we couldn't read the invalid secret.
|
||||
@ -580,7 +581,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
when("there is a valid, expired authcode secret but its upstream name does not match any existing upstream", func() {
|
||||
it.Before(func() {
|
||||
wrongProviderNameOIDCAuthcodeSession := &authorizationcode.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Active: true,
|
||||
Request: &fosite.Request{
|
||||
ID: "request-id-1",
|
||||
@ -632,7 +633,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
WithRevokeTokenError(nil)
|
||||
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
||||
|
||||
startInformersAndController(idpListerBuilder.Build())
|
||||
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
|
||||
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
||||
|
||||
// Nothing to revoke since we couldn't find the upstream in the cache.
|
||||
@ -651,7 +652,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
when("there is a valid, expired authcode secret but its upstream UID does not match any existing upstream", func() {
|
||||
it.Before(func() {
|
||||
wrongProviderNameOIDCAuthcodeSession := &authorizationcode.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Active: true,
|
||||
Request: &fosite.Request{
|
||||
ID: "request-id-1",
|
||||
@ -703,7 +704,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
WithRevokeTokenError(nil)
|
||||
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
||||
|
||||
startInformersAndController(idpListerBuilder.Build())
|
||||
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
|
||||
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
||||
|
||||
// Nothing to revoke since we couldn't find the upstream in the cache.
|
||||
@ -722,7 +723,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
when("there is a valid, recently expired authcode secret but the upstream revocation fails", func() {
|
||||
it.Before(func() {
|
||||
activeOIDCAuthcodeSession := &authorizationcode.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Active: true,
|
||||
Request: &fosite.Request{
|
||||
ID: "request-id-1",
|
||||
@ -773,10 +774,10 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
WithName("upstream-oidc-provider-name").
|
||||
WithResourceUID("upstream-oidc-provider-uid").
|
||||
// make the upstream revocation fail in a retryable way
|
||||
WithRevokeTokenError(provider.NewRetryableRevocationError(errors.New("some retryable upstream revocation error")))
|
||||
WithRevokeTokenError(dynamicupstreamprovider.NewRetryableRevocationError(errors.New("some retryable upstream revocation error")))
|
||||
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
||||
|
||||
startInformersAndController(idpListerBuilder.Build())
|
||||
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
|
||||
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
||||
|
||||
// Tried to revoke it, although this revocation will fail.
|
||||
@ -785,7 +786,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
&oidctestutil.RevokeTokenArgs{
|
||||
Ctx: syncContext.Context,
|
||||
Token: "fake-upstream-refresh-token",
|
||||
TokenType: provider.RefreshTokenType,
|
||||
TokenType: upstreamprovider.RefreshTokenType,
|
||||
},
|
||||
)
|
||||
|
||||
@ -801,7 +802,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
WithRevokeTokenError(errors.New("some upstream revocation error not worth retrying"))
|
||||
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
||||
|
||||
startInformersAndController(idpListerBuilder.Build())
|
||||
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
|
||||
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
||||
|
||||
// Tried to revoke it, although this revocation will fail.
|
||||
@ -810,7 +811,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
&oidctestutil.RevokeTokenArgs{
|
||||
Ctx: syncContext.Context,
|
||||
Token: "fake-upstream-refresh-token",
|
||||
TokenType: provider.RefreshTokenType,
|
||||
TokenType: upstreamprovider.RefreshTokenType,
|
||||
},
|
||||
)
|
||||
|
||||
@ -827,7 +828,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
when("there is a valid, long-since expired authcode secret but the upstream revocation fails", func() {
|
||||
it.Before(func() {
|
||||
activeOIDCAuthcodeSession := &authorizationcode.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Active: true,
|
||||
Request: &fosite.Request{
|
||||
ID: "request-id-1",
|
||||
@ -880,7 +881,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
WithRevokeTokenError(errors.New("some upstream revocation error")) // the upstream revocation will fail
|
||||
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
||||
|
||||
startInformersAndController(idpListerBuilder.Build())
|
||||
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
|
||||
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
||||
|
||||
// Tried to revoke it, although this revocation will fail.
|
||||
@ -889,7 +890,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
&oidctestutil.RevokeTokenArgs{
|
||||
Ctx: syncContext.Context,
|
||||
Token: "fake-upstream-refresh-token",
|
||||
TokenType: provider.RefreshTokenType,
|
||||
TokenType: upstreamprovider.RefreshTokenType,
|
||||
},
|
||||
)
|
||||
|
||||
@ -906,7 +907,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
when("there are valid, expired access token secrets which contain upstream refresh tokens", func() {
|
||||
it.Before(func() {
|
||||
offlineAccessGrantedOIDCAccessTokenSession := &accesstoken.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Request: &fosite.Request{
|
||||
GrantedScope: fosite.Arguments{"scope1", "scope2", "offline_access"},
|
||||
ID: "request-id-1",
|
||||
@ -951,7 +952,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
r.NoError(kubeClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret))
|
||||
|
||||
offlineAccessNotGrantedOIDCAccessTokenSession := &accesstoken.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Request: &fosite.Request{
|
||||
GrantedScope: fosite.Arguments{"scope1", "scope2"},
|
||||
ID: "request-id-2",
|
||||
@ -1003,7 +1004,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
WithRevokeTokenError(nil)
|
||||
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
||||
|
||||
startInformersAndController(idpListerBuilder.Build())
|
||||
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
|
||||
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
||||
|
||||
// The upstream refresh token is only revoked for the downstream session which had offline_access granted.
|
||||
@ -1012,7 +1013,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
&oidctestutil.RevokeTokenArgs{
|
||||
Ctx: syncContext.Context,
|
||||
Token: "fake-upstream-refresh-token",
|
||||
TokenType: provider.RefreshTokenType,
|
||||
TokenType: upstreamprovider.RefreshTokenType,
|
||||
},
|
||||
)
|
||||
|
||||
@ -1030,7 +1031,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
when("there are valid, expired access token secrets which contain upstream access tokens", func() {
|
||||
it.Before(func() {
|
||||
offlineAccessGrantedOIDCAccessTokenSession := &accesstoken.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Request: &fosite.Request{
|
||||
GrantedScope: fosite.Arguments{"scope1", "scope2", "offline_access"},
|
||||
ID: "request-id-1",
|
||||
@ -1075,7 +1076,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
r.NoError(kubeClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret))
|
||||
|
||||
offlineAccessNotGrantedOIDCAccessTokenSession := &accesstoken.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Request: &fosite.Request{
|
||||
GrantedScope: fosite.Arguments{"scope1", "scope2"},
|
||||
ID: "request-id-2",
|
||||
@ -1127,7 +1128,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
WithRevokeTokenError(nil)
|
||||
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
||||
|
||||
startInformersAndController(idpListerBuilder.Build())
|
||||
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
|
||||
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
||||
|
||||
// The upstream refresh token is only revoked for the downstream session which had offline_access granted.
|
||||
@ -1136,7 +1137,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
&oidctestutil.RevokeTokenArgs{
|
||||
Ctx: syncContext.Context,
|
||||
Token: "fake-upstream-access-token",
|
||||
TokenType: provider.AccessTokenType,
|
||||
TokenType: upstreamprovider.AccessTokenType,
|
||||
},
|
||||
)
|
||||
|
||||
@ -1154,7 +1155,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
when("there are valid, expired refresh secrets which contain upstream refresh tokens", func() {
|
||||
it.Before(func() {
|
||||
oidcRefreshSession := &refreshtoken.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Request: &fosite.Request{
|
||||
ID: "request-id-1",
|
||||
Client: &clientregistry.Client{},
|
||||
@ -1205,7 +1206,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
WithRevokeTokenError(nil)
|
||||
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
||||
|
||||
startInformersAndController(idpListerBuilder.Build())
|
||||
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
|
||||
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
||||
|
||||
// The upstream refresh token is revoked.
|
||||
@ -1214,7 +1215,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
&oidctestutil.RevokeTokenArgs{
|
||||
Ctx: syncContext.Context,
|
||||
Token: "fake-upstream-refresh-token",
|
||||
TokenType: provider.RefreshTokenType,
|
||||
TokenType: upstreamprovider.RefreshTokenType,
|
||||
},
|
||||
)
|
||||
|
||||
@ -1231,7 +1232,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
when("there are valid, expired refresh secrets which contain upstream access tokens", func() {
|
||||
it.Before(func() {
|
||||
oidcRefreshSession := &refreshtoken.Session{
|
||||
Version: "4",
|
||||
Version: "5",
|
||||
Request: &fosite.Request{
|
||||
ID: "request-id-1",
|
||||
Client: &clientregistry.Client{},
|
||||
@ -1282,7 +1283,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
WithRevokeTokenError(nil)
|
||||
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
||||
|
||||
startInformersAndController(idpListerBuilder.Build())
|
||||
startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
|
||||
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
||||
|
||||
// The upstream refresh token is revoked.
|
||||
@ -1291,7 +1292,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
|
||||
&oidctestutil.RevokeTokenArgs{
|
||||
Ctx: syncContext.Context,
|
||||
Token: "fake-upstream-access-token",
|
||||
TokenType: provider.AccessTokenType,
|
||||
TokenType: upstreamprovider.AccessTokenType,
|
||||
},
|
||||
)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package controller
|
||||
@ -18,6 +18,16 @@ func NameAndNamespaceExactMatchFilterFactory(name, namespace string) controllerl
|
||||
}, nil)
|
||||
}
|
||||
|
||||
// MatchAnythingIgnoringUpdatesFilter returns a controllerlib.Filter that allows all objects but ignores updates.
|
||||
func MatchAnythingIgnoringUpdatesFilter(parentFunc controllerlib.ParentFunc) controllerlib.Filter {
|
||||
return controllerlib.FilterFuncs{
|
||||
AddFunc: func(object metav1.Object) bool { return true },
|
||||
UpdateFunc: func(oldObj, newObj metav1.Object) bool { return false },
|
||||
DeleteFunc: func(object metav1.Object) bool { return true },
|
||||
ParentFunc: parentFunc,
|
||||
}
|
||||
}
|
||||
|
||||
// MatchAnythingFilter returns a controllerlib.Filter that allows all objects.
|
||||
func MatchAnythingFilter(parentFunc controllerlib.ParentFunc) controllerlib.Filter {
|
||||
return SimpleFilter(func(object metav1.Object) bool { return true }, parentFunc)
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
// Package controllermanager provides an entrypoint into running all of the controllers that run as
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
// Package clientregistry defines Pinniped's OAuth2/OIDC clients.
|
||||
@ -18,7 +18,7 @@ import (
|
||||
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
|
||||
oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
|
||||
supervisorclient "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
|
||||
"go.pinniped.dev/internal/oidc/oidcclientvalidator"
|
||||
"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
|
||||
"go.pinniped.dev/internal/oidcclientsecretstorage"
|
||||
"go.pinniped.dev/internal/plog"
|
||||
)
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package clientregistry
|
||||
@ -21,7 +21,7 @@ import (
|
||||
|
||||
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
|
||||
supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
|
||||
"go.pinniped.dev/internal/oidc/oidcclientvalidator"
|
||||
"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
|
||||
"go.pinniped.dev/internal/oidcclientsecretstorage"
|
||||
"go.pinniped.dev/internal/testutil"
|
||||
)
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
// Package csp defines helpers related to HTML Content Security Policies.
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package csp
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package csrftoken
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package csrftoken
|
@ -5,6 +5,7 @@
|
||||
package downstreamsession
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/url"
|
||||
@ -19,8 +20,9 @@ import (
|
||||
oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
|
||||
"go.pinniped.dev/internal/authenticators"
|
||||
"go.pinniped.dev/internal/constable"
|
||||
"go.pinniped.dev/internal/oidc"
|
||||
"go.pinniped.dev/internal/oidc/provider"
|
||||
"go.pinniped.dev/internal/federationdomain/oidc"
|
||||
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
|
||||
"go.pinniped.dev/internal/idtransform"
|
||||
"go.pinniped.dev/internal/plog"
|
||||
"go.pinniped.dev/internal/psession"
|
||||
"go.pinniped.dev/pkg/oidcclient/oidctypes"
|
||||
@ -38,6 +40,9 @@ const (
|
||||
requiredClaimEmptyErr = constable.Error("required claim in upstream ID token is empty")
|
||||
emailVerifiedClaimInvalidFormatErr = constable.Error("email_verified claim in upstream ID token has invalid format")
|
||||
emailVerifiedClaimFalseErr = constable.Error("email_verified claim in upstream ID token has false value")
|
||||
idTransformUnexpectedErr = constable.Error("configured identity transformation or policy resulted in unexpected error")
|
||||
|
||||
idpNameSubjectQueryParam = "idpName"
|
||||
)
|
||||
|
||||
// MakeDownstreamSession creates a downstream OIDC session.
|
||||
@ -82,13 +87,17 @@ func MakeDownstreamSession(
|
||||
}
|
||||
|
||||
func MakeDownstreamLDAPOrADCustomSessionData(
|
||||
ldapUpstream provider.UpstreamLDAPIdentityProviderI,
|
||||
ldapUpstream upstreamprovider.UpstreamLDAPIdentityProviderI,
|
||||
idpType psession.ProviderType,
|
||||
authenticateResponse *authenticators.Response,
|
||||
username string,
|
||||
untransformedUpstreamUsername string,
|
||||
untransformedUpstreamGroups []string,
|
||||
) *psession.CustomSessionData {
|
||||
customSessionData := &psession.CustomSessionData{
|
||||
Username: username,
|
||||
UpstreamUsername: untransformedUpstreamUsername,
|
||||
UpstreamGroups: untransformedUpstreamGroups,
|
||||
ProviderUID: ldapUpstream.GetResourceUID(),
|
||||
ProviderName: ldapUpstream.GetName(),
|
||||
ProviderType: idpType,
|
||||
@ -112,9 +121,11 @@ func MakeDownstreamLDAPOrADCustomSessionData(
|
||||
}
|
||||
|
||||
func MakeDownstreamOIDCCustomSessionData(
|
||||
oidcUpstream provider.UpstreamOIDCIdentityProviderI,
|
||||
oidcUpstream upstreamprovider.UpstreamOIDCIdentityProviderI,
|
||||
token *oidctypes.Token,
|
||||
username string,
|
||||
untransformedUpstreamUsername string,
|
||||
untransformedUpstreamGroups []string,
|
||||
) (*psession.CustomSessionData, error) {
|
||||
upstreamSubject, err := ExtractStringClaimValue(oidcapi.IDTokenClaimSubject, oidcUpstream.GetName(), token.IDToken.Claims)
|
||||
if err != nil {
|
||||
@ -127,6 +138,8 @@ func MakeDownstreamOIDCCustomSessionData(
|
||||
|
||||
customSessionData := &psession.CustomSessionData{
|
||||
Username: username,
|
||||
UpstreamUsername: untransformedUpstreamUsername,
|
||||
UpstreamGroups: untransformedUpstreamGroups,
|
||||
ProviderUID: oidcUpstream.GetResourceUID(),
|
||||
ProviderName: oidcUpstream.GetName(),
|
||||
ProviderType: psession.ProviderTypeOIDC,
|
||||
@ -200,10 +213,11 @@ func AutoApproveScopes(authorizeRequester fosite.AuthorizeRequester) {
|
||||
|
||||
// GetDownstreamIdentityFromUpstreamIDToken returns the mapped subject, username, and group names, in that order.
|
||||
func GetDownstreamIdentityFromUpstreamIDToken(
|
||||
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
|
||||
upstreamIDPConfig upstreamprovider.UpstreamOIDCIdentityProviderI,
|
||||
idTokenClaims map[string]interface{},
|
||||
idpDisplayName string,
|
||||
) (string, string, []string, error) {
|
||||
subject, username, err := getSubjectAndUsernameFromUpstreamIDToken(upstreamIDPConfig, idTokenClaims)
|
||||
subject, username, err := getSubjectAndUsernameFromUpstreamIDToken(upstreamIDPConfig, idTokenClaims, idpDisplayName)
|
||||
if err != nil {
|
||||
return "", "", nil, err
|
||||
}
|
||||
@ -218,7 +232,7 @@ func GetDownstreamIdentityFromUpstreamIDToken(
|
||||
|
||||
// MapAdditionalClaimsFromUpstreamIDToken returns the additionalClaims mapped from the upstream token, if any.
|
||||
func MapAdditionalClaimsFromUpstreamIDToken(
|
||||
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
|
||||
upstreamIDPConfig upstreamprovider.UpstreamOIDCIdentityProviderI,
|
||||
idTokenClaims map[string]interface{},
|
||||
) map[string]interface{} {
|
||||
mapped := make(map[string]interface{}, len(upstreamIDPConfig.GetAdditionalClaimMappings()))
|
||||
@ -237,9 +251,34 @@ func MapAdditionalClaimsFromUpstreamIDToken(
|
||||
return mapped
|
||||
}
|
||||
|
||||
func ApplyIdentityTransformations(
|
||||
ctx context.Context,
|
||||
identityTransforms *idtransform.TransformationPipeline,
|
||||
username string,
|
||||
groups []string,
|
||||
) (string, []string, error) {
|
||||
transformationResult, err := identityTransforms.Evaluate(ctx, username, groups)
|
||||
if err != nil {
|
||||
plog.Error("unexpected identity transformation error during authentication", err, "inputUsername", username)
|
||||
return "", nil, idTransformUnexpectedErr
|
||||
}
|
||||
if !transformationResult.AuthenticationAllowed {
|
||||
plog.Debug("authentication rejected by configured policy", "inputUsername", username, "inputGroups", groups)
|
||||
return "", nil, fmt.Errorf("configured identity policy rejected this authentication: %s", transformationResult.RejectedAuthenticationMessage)
|
||||
}
|
||||
plog.Debug("identity transformation successfully applied during authentication",
|
||||
"originalUsername", username,
|
||||
"newUsername", transformationResult.Username,
|
||||
"originalGroups", groups,
|
||||
"newGroups", transformationResult.Groups,
|
||||
)
|
||||
return transformationResult.Username, transformationResult.Groups, nil
|
||||
}
|
||||
|
||||
func getSubjectAndUsernameFromUpstreamIDToken(
|
||||
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
|
||||
upstreamIDPConfig upstreamprovider.UpstreamOIDCIdentityProviderI,
|
||||
idTokenClaims map[string]interface{},
|
||||
idpDisplayName string,
|
||||
) (string, string, error) {
|
||||
// The spec says the "sub" claim is only unique per issuer,
|
||||
// so we will prepend the issuer string to make it globally unique.
|
||||
@ -251,11 +290,11 @@ func getSubjectAndUsernameFromUpstreamIDToken(
|
||||
if err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
subject := downstreamSubjectFromUpstreamOIDC(upstreamIssuer, upstreamSubject)
|
||||
subject := downstreamSubjectFromUpstreamOIDC(upstreamIssuer, upstreamSubject, idpDisplayName)
|
||||
|
||||
usernameClaimName := upstreamIDPConfig.GetUsernameClaim()
|
||||
if usernameClaimName == "" {
|
||||
return subject, subject, nil
|
||||
return subject, downstreamUsernameFromUpstreamOIDCSubject(upstreamIssuer, upstreamSubject), nil
|
||||
}
|
||||
|
||||
// If the upstream username claim is configured to be the special "email" claim and the upstream "email_verified"
|
||||
@ -323,27 +362,41 @@ func ExtractStringClaimValue(claimName string, upstreamIDPName string, idTokenCl
|
||||
return valueAsString, nil
|
||||
}
|
||||
|
||||
func DownstreamSubjectFromUpstreamLDAP(ldapUpstream provider.UpstreamLDAPIdentityProviderI, authenticateResponse *authenticators.Response) string {
|
||||
func DownstreamSubjectFromUpstreamLDAP(
|
||||
ldapUpstream upstreamprovider.UpstreamLDAPIdentityProviderI,
|
||||
authenticateResponse *authenticators.Response,
|
||||
idpDisplayName string,
|
||||
) string {
|
||||
ldapURL := *ldapUpstream.GetURL()
|
||||
return DownstreamLDAPSubject(authenticateResponse.User.GetUID(), ldapURL)
|
||||
return DownstreamLDAPSubject(authenticateResponse.User.GetUID(), ldapURL, idpDisplayName)
|
||||
}
|
||||
|
||||
func DownstreamLDAPSubject(uid string, ldapURL url.URL) string {
|
||||
func DownstreamLDAPSubject(uid string, ldapURL url.URL, idpDisplayName string) string {
|
||||
q := ldapURL.Query()
|
||||
q.Set(idpNameSubjectQueryParam, idpDisplayName)
|
||||
q.Set(oidcapi.IDTokenClaimSubject, uid)
|
||||
ldapURL.RawQuery = q.Encode()
|
||||
return ldapURL.String()
|
||||
}
|
||||
|
||||
func downstreamSubjectFromUpstreamOIDC(upstreamIssuerAsString string, upstreamSubject string) string {
|
||||
return fmt.Sprintf("%s?%s=%s", upstreamIssuerAsString, oidcapi.IDTokenClaimSubject, url.QueryEscape(upstreamSubject))
|
||||
func downstreamSubjectFromUpstreamOIDC(upstreamIssuerAsString string, upstreamSubject string, idpDisplayName string) string {
|
||||
return fmt.Sprintf("%s?%s=%s&%s=%s", upstreamIssuerAsString,
|
||||
idpNameSubjectQueryParam, url.QueryEscape(idpDisplayName),
|
||||
oidcapi.IDTokenClaimSubject, url.QueryEscape(upstreamSubject),
|
||||
)
|
||||
}
|
||||
|
||||
func downstreamUsernameFromUpstreamOIDCSubject(upstreamIssuerAsString string, upstreamSubject string) string {
|
||||
return fmt.Sprintf("%s?%s=%s", upstreamIssuerAsString,
|
||||
oidcapi.IDTokenClaimSubject, url.QueryEscape(upstreamSubject),
|
||||
)
|
||||
}
|
||||
|
||||
// GetGroupsFromUpstreamIDToken returns mapped group names coerced into a slice of strings.
|
||||
// It returns nil when there is no configured groups claim name, or then when the configured claim name is not found
|
||||
// in the provided map of claims. It returns an error when the claim exists but its value cannot be parsed.
|
||||
func GetGroupsFromUpstreamIDToken(
|
||||
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
|
||||
upstreamIDPConfig upstreamprovider.UpstreamOIDCIdentityProviderI,
|
||||
idTokenClaims map[string]interface{},
|
||||
) ([]string, error) {
|
||||
groupsClaimName := upstreamIDPConfig.GetGroupsClaim()
|
@ -0,0 +1,274 @@
|
||||
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package downstreamsession
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/url"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"go.pinniped.dev/internal/celtransformer"
|
||||
"go.pinniped.dev/internal/idtransform"
|
||||
"go.pinniped.dev/internal/testutil/oidctestutil"
|
||||
)
|
||||
|
||||
func TestMapAdditionalClaimsFromUpstreamIDToken(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
additionalClaimMappings map[string]string
|
||||
upstreamClaims map[string]interface{}
|
||||
wantClaims map[string]interface{}
|
||||
}{
|
||||
{
|
||||
name: "happy path",
|
||||
additionalClaimMappings: map[string]string{
|
||||
"email": "notification_email",
|
||||
},
|
||||
upstreamClaims: map[string]interface{}{
|
||||
"notification_email": "test@example.com",
|
||||
},
|
||||
wantClaims: map[string]interface{}{
|
||||
"email": "test@example.com",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "missing",
|
||||
additionalClaimMappings: map[string]string{
|
||||
"email": "email",
|
||||
},
|
||||
upstreamClaims: map[string]interface{}{},
|
||||
wantClaims: map[string]interface{}{},
|
||||
},
|
||||
{
|
||||
name: "complex",
|
||||
additionalClaimMappings: map[string]string{
|
||||
"complex": "complex",
|
||||
},
|
||||
upstreamClaims: map[string]interface{}{
|
||||
"complex": map[string]string{
|
||||
"subClaim": "subValue",
|
||||
},
|
||||
},
|
||||
wantClaims: map[string]interface{}{
|
||||
"complex": map[string]string{
|
||||
"subClaim": "subValue",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
test := test
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
idp := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
||||
WithAdditionalClaimMappings(test.additionalClaimMappings).
|
||||
Build()
|
||||
actual := MapAdditionalClaimsFromUpstreamIDToken(idp, test.upstreamClaims)
|
||||
|
||||
require.Equal(t, test.wantClaims, actual)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestApplyIdentityTransformations(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
transforms []celtransformer.CELTransformation
|
||||
username string
|
||||
groups []string
|
||||
wantUsername string
|
||||
wantGroups []string
|
||||
wantErr string
|
||||
}{
|
||||
{
|
||||
name: "unexpected errors",
|
||||
transforms: []celtransformer.CELTransformation{
|
||||
&celtransformer.UsernameTransformation{Expression: `""`},
|
||||
},
|
||||
username: "ryan",
|
||||
groups: []string{"a", "b"},
|
||||
wantErr: "configured identity transformation or policy resulted in unexpected error",
|
||||
},
|
||||
{
|
||||
name: "auth disallowed by policy with implicit rejection message",
|
||||
transforms: []celtransformer.CELTransformation{
|
||||
&celtransformer.AllowAuthenticationPolicy{Expression: `false`},
|
||||
},
|
||||
username: "ryan",
|
||||
groups: []string{"a", "b"},
|
||||
wantErr: "configured identity policy rejected this authentication: authentication was rejected by a configured policy",
|
||||
},
|
||||
{
|
||||
name: "auth disallowed by policy with explicit rejection message",
|
||||
transforms: []celtransformer.CELTransformation{
|
||||
&celtransformer.AllowAuthenticationPolicy{
|
||||
Expression: `false`,
|
||||
RejectedAuthenticationMessage: "this is the stated reason",
|
||||
},
|
||||
},
|
||||
username: "ryan",
|
||||
groups: []string{"a", "b"},
|
||||
wantErr: "configured identity policy rejected this authentication: this is the stated reason",
|
||||
},
|
||||
{
|
||||
name: "successful auth",
|
||||
transforms: []celtransformer.CELTransformation{
|
||||
&celtransformer.UsernameTransformation{Expression: `"pre:" + username`},
|
||||
&celtransformer.GroupsTransformation{Expression: `groups.map(g, "pre:" + g)`},
|
||||
},
|
||||
username: "ryan",
|
||||
groups: []string{"a", "b"},
|
||||
wantUsername: "pre:ryan",
|
||||
wantGroups: []string{"pre:a", "pre:b"},
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
tt := test
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
transformer, err := celtransformer.NewCELTransformer(5 * time.Second)
|
||||
require.NoError(t, err)
|
||||
|
||||
pipeline := idtransform.NewTransformationPipeline()
|
||||
for _, transform := range tt.transforms {
|
||||
compiledTransform, err := transformer.CompileTransformation(transform, nil)
|
||||
require.NoError(t, err)
|
||||
pipeline.AppendTransformation(compiledTransform)
|
||||
}
|
||||
|
||||
gotUsername, gotGroups, err := ApplyIdentityTransformations(context.Background(), pipeline, tt.username, tt.groups)
|
||||
if tt.wantErr != "" {
|
||||
require.EqualError(t, err, tt.wantErr)
|
||||
require.Empty(t, gotUsername)
|
||||
require.Nil(t, gotGroups)
|
||||
} else {
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, tt.wantUsername, gotUsername)
|
||||
require.Equal(t, tt.wantGroups, gotGroups)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestDownstreamLDAPSubject(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
uid string
|
||||
ldapURL string
|
||||
idpDisplayName string
|
||||
wantSubject string
|
||||
}{
|
||||
{
|
||||
name: "simple display name",
|
||||
uid: "some uid",
|
||||
ldapURL: "ldaps://server.example.com:1234",
|
||||
idpDisplayName: "simpleName",
|
||||
wantSubject: "ldaps://server.example.com:1234?idpName=simpleName&sub=some+uid",
|
||||
},
|
||||
{
|
||||
name: "interesting display name",
|
||||
uid: "some uid",
|
||||
ldapURL: "ldaps://server.example.com:1234",
|
||||
idpDisplayName: "this is a 👍 display name that 🦭 can handle",
|
||||
wantSubject: "ldaps://server.example.com:1234?idpName=this+is+a+%F0%9F%91%8D+display+name+that+%F0%9F%A6%AD+can+handle&sub=some+uid",
|
||||
},
|
||||
{
|
||||
name: "url already has query",
|
||||
uid: "some uid",
|
||||
ldapURL: "ldaps://server.example.com:1234?a=1&b=%F0%9F%A6%AD",
|
||||
idpDisplayName: "some name",
|
||||
wantSubject: "ldaps://server.example.com:1234?a=1&b=%F0%9F%A6%AD&idpName=some+name&sub=some+uid",
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
test := test
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
url, err := url.Parse(test.ldapURL)
|
||||
require.NoError(t, err)
|
||||
|
||||
actual := DownstreamLDAPSubject(test.uid, *url, test.idpDisplayName)
|
||||
|
||||
require.Equal(t, test.wantSubject, actual)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestDownstreamSubjectFromUpstreamOIDC(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
upstreamIssuerAsString string
|
||||
upstreamSubject string
|
||||
idpDisplayName string
|
||||
wantSubject string
|
||||
}{
|
||||
{
|
||||
name: "simple display name",
|
||||
upstreamIssuerAsString: "https://server.example.com:1234/path",
|
||||
upstreamSubject: "some subject",
|
||||
idpDisplayName: "simpleName",
|
||||
wantSubject: "https://server.example.com:1234/path?idpName=simpleName&sub=some+subject",
|
||||
},
|
||||
{
|
||||
name: "interesting display name",
|
||||
upstreamIssuerAsString: "https://server.example.com:1234/path",
|
||||
upstreamSubject: "some subject",
|
||||
idpDisplayName: "this is a 👍 display name that 🦭 can handle",
|
||||
wantSubject: "https://server.example.com:1234/path?idpName=this+is+a+%F0%9F%91%8D+display+name+that+%F0%9F%A6%AD+can+handle&sub=some+subject",
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
test := test
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
actual := downstreamSubjectFromUpstreamOIDC(test.upstreamIssuerAsString, test.upstreamSubject, test.idpDisplayName)
|
||||
|
||||
require.Equal(t, test.wantSubject, actual)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestDownstreamUsernameFromUpstreamOIDCSubject(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
upstreamIssuerAsString string
|
||||
upstreamSubject string
|
||||
wantSubject string
|
||||
}{
|
||||
{
|
||||
name: "simple upstreamSubject",
|
||||
upstreamIssuerAsString: "https://server.example.com:1234/path",
|
||||
upstreamSubject: "some subject",
|
||||
wantSubject: "https://server.example.com:1234/path?sub=some+subject",
|
||||
},
|
||||
{
|
||||
name: "interesting upstreamSubject",
|
||||
upstreamIssuerAsString: "https://server.example.com:1234/path",
|
||||
upstreamSubject: "this is a 👍 subject that 🦭 can handle",
|
||||
wantSubject: "https://server.example.com:1234/path?sub=this+is+a+%F0%9F%91%8D+subject+that+%F0%9F%A6%AD+can+handle",
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
test := test
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
actual := downstreamUsernameFromUpstreamOIDCSubject(test.upstreamIssuerAsString, test.upstreamSubject)
|
||||
|
||||
require.Equal(t, test.wantSubject, actual)
|
||||
})
|
||||
}
|
||||
}
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
// Package dynamiccodec provides a type that can encode information using a just-in-time signing and
|
||||
@ -10,7 +10,7 @@ import (
|
||||
|
||||
"github.com/gorilla/securecookie"
|
||||
|
||||
"go.pinniped.dev/internal/oidc"
|
||||
"go.pinniped.dev/internal/federationdomain/oidc"
|
||||
)
|
||||
|
||||
var _ oidc.Codec = &Codec{}
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package dynamiccodec
|
@ -1,7 +1,7 @@
|
||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package provider
|
||||
package dynamictlscertprovider
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user