From dcb19150fc5b0f913ef30e7a324bbff1c10c7c91 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Wed, 16 Dec 2020 09:42:19 -0800 Subject: [PATCH] Nest claim configs one level deeper in JWTAuthenticatorSpec Signed-off-by: Margo Crawford --- .../authentication/v1alpha1/types_jwt.go.tmpl | 25 +++++++++++++------ ...cierge.pinniped.dev_jwtauthenticators.yaml | 25 +++++++++++-------- generated/1.17/README.adoc | 21 ++++++++++++++-- .../authentication/v1alpha1/types_jwt.go | 25 +++++++++++++------ .../v1alpha1/zz_generated.deepcopy.go | 17 +++++++++++++ ...cierge.pinniped.dev_jwtauthenticators.yaml | 25 +++++++++++-------- generated/1.18/README.adoc | 21 ++++++++++++++-- .../authentication/v1alpha1/types_jwt.go | 25 +++++++++++++------ .../v1alpha1/zz_generated.deepcopy.go | 17 +++++++++++++ ...cierge.pinniped.dev_jwtauthenticators.yaml | 25 +++++++++++-------- generated/1.19/README.adoc | 21 ++++++++++++++-- .../authentication/v1alpha1/types_jwt.go | 25 +++++++++++++------ .../v1alpha1/zz_generated.deepcopy.go | 17 +++++++++++++ ...cierge.pinniped.dev_jwtauthenticators.yaml | 25 +++++++++++-------- .../jwtcachefiller/jwtcachefiller.go | 4 +-- .../jwtcachefiller/jwtcachefiller_test.go | 24 ++++++++++-------- test/library/client.go | 2 +- 17 files changed, 253 insertions(+), 91 deletions(-) diff --git a/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl b/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl index b08e8279..0087fad4 100644 --- a/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl +++ b/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl 
@@ -27,21 +27,30 @@ type JWTAuthenticatorSpec struct {
 // +kubebuilder:validation:MinLength=1
 Audience string `json:"audience"`
 
- // UsernameClaim is the name of the claim which should be read to extract the
- // username from the JWT token. When not specified, it will default to "username".
+ // Claims allows customization of the claims that will be mapped to user identity
+ // for Kubernetes access.
 // +optional
- UsernameClaim string `json:"username_claim"`
-
- // GroupsClaim is the name of the claim which should be read to extract the user's
- // group membership from the JWT token. When not specified, it will default to "groups".
- // +optional
- GroupsClaim string `json:"groups_claim"`
+ Claims JWTTokenClaims `json:"claims"`
 
 // TLS configuration for communicating with the OIDC provider.
 // +optional
 TLS *TLSSpec `json:"tls,omitempty"`
 }
 
+// JWTTokenClaims allows customization of the claims that will be mapped to user identity
+// for Kubernetes access.
+type JWTTokenClaims struct {
+ // Groups is the name of the claim which should be read to extract the user's
+ // group membership from the JWT token. When not specified, it will default to "groups".
+ // +optional
+ Groups string `json:"groups"`
+
+ // Username is the name of the claim which should be read to extract the
+ // username from the JWT token. When not specified, it will default to "username".
+ // +optional
+ Username string `json:"username"`
+}
+
 // JWTAuthenticator describes the configuration of a JWT authenticator.
 //
 // Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
index 0865ca3c..e800411e 100644
--- a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
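Review bot: The new `Groups` and `Username` fields are marked `+optional` but, unlike `TLS *TLSSpec `json:"tls,omitempty"`` a few lines above in the same struct, their JSON tags carry no `omitempty`, so every object the API serves will render an unset block as `claims: {groups: "", username: ""}`; `Groups string `json:"groups,omitempty"`` and `Username string `json:"username,omitempty"`` would match the TLS field and the "When not specified" wording of the doc comments. Separately, the wire format moves from `username_claim`/`groups_claim` to `claims.username`/`claims.groups` inside the same `v1alpha1` version with no conversion, so an existing JWTAuthenticator that set `username_claim` would presumably come back with an empty `claims.username` once the CRD is updated and be handled by the controller's default-claim fallback, meaning the token claim that identifies the user changes silently; that deserves a sentence in the `Claims` doc comment or the release notes. The same hunk is repeated in the generated copies under generated/1.17, 1.18 and 1.19 and in the CRD YAML, so any tag change here has to be regenerated there. `JWTAuthenticatorSpec` itself starts outside the hunk.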
@@ -51,11 +51,21 @@ spec: description: Audience is the required value of the "aud" JWT claim. minLength: 1 type: string - groups_claim: - description: GroupsClaim is the name of the claim which should be - read to extract the user's group membership from the JWT token. - When not specified, it will default to "groups". - type: string + claims: + description: Claims allows customization of the claims that will be + mapped to user identity for Kubernetes access. + properties: + groups: + description: Groups is the name of the claim which should be read + to extract the user's group membership from the JWT token. When + not specified, it will default to "groups". + type: string + username: + description: Username is the name of the claim which should be + read to extract the username from the JWT token. When not specified, + it will default to "username". + type: string + type: object issuer: description: Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT @@ -71,11 +81,6 @@ spec: If omitted, a default set of system roots will be trusted. type: string type: object - username_claim: - description: UsernameClaim is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". - type: string required: - audience - issuer diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 1f29282c..fa198e84 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
@@ -92,8 +92,7 @@ Spec for configuring a JWT authenticator. | Field | Description | *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim. | *`audience`* __string__ | Audience is the required value of the "aud" JWT claim. -| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username". -| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups". +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-jwttokenclaims[$$JWTTokenClaims$$]__ | Claims allows customization of the claims that will be mapped to user identity for Kubernetes access. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider. |=== 
@@ -115,6 +114,24 @@ Status of a JWT authenticator. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-jwttokenclaims"] +==== JWTTokenClaims + +JWTTokenClaims allows customization of the claims that will be mapped to user identity for Kubernetes access. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec[$$JWTAuthenticatorSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`groups`* __string__ | Groups is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups". +| *`username`* __string__ | Username is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username". +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec"] ==== TLSSpec diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go index 1c43f68f..3e159148 100644 --- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go +++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go 
@@ -27,21 +27,30 @@ type JWTAuthenticatorSpec struct {
 // +kubebuilder:validation:MinLength=1
 Audience string `json:"audience"`
 
- // UsernameClaim is the name of the claim which should be read to extract the
- // username from the JWT token. When not specified, it will default to "username".
+ // Claims allows customization of the claims that will be mapped to user identity
+ // for Kubernetes access.
 // +optional
- UsernameClaim string `json:"username_claim"`
-
- // GroupsClaim is the name of the claim which should be read to extract the user's
- // group membership from the JWT token. When not specified, it will default to "groups".
- // +optional
- GroupsClaim string `json:"groups_claim"`
+ Claims JWTTokenClaims `json:"claims"`
 
 // TLS configuration for communicating with the OIDC provider.
 // +optional
 TLS *TLSSpec `json:"tls,omitempty"`
 }
 
+// JWTTokenClaims allows customization of the claims that will be mapped to user identity
+// for Kubernetes access.
+type JWTTokenClaims struct {
+ // Groups is the name of the claim which should be read to extract the user's
+ // group membership from the JWT token. When not specified, it will default to "groups".
+ // +optional
+ Groups string `json:"groups"`
+
+ // Username is the name of the claim which should be read to extract the
+ // username from the JWT token. When not specified, it will default to "username".
+ // +optional
+ Username string `json:"username"`
+}
+
 // JWTAuthenticator describes the configuration of a JWT authenticator.
 //
 // Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
index 93d4e837..c7c6968a 100644
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -92,6 +92,7 @@ func (in *JWTAuthenticatorList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
 *out = *in
+ out.Claims = in.Claims
 if in.TLS != nil {
 in, out := &in.TLS, &out.TLS
 *out = new(TLSSpec)
@@ -133,6 +134,22 @@ func (in *JWTAuthenticatorStatus) DeepCopy() *JWTAuthenticatorStatus {
 return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JWTTokenClaims) DeepCopyInto(out *JWTTokenClaims) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTTokenClaims.
+func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
+ if in == nil {
+ return nil
+ }
+ out := new(JWTTokenClaims)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 *out = *in
diff --git a/generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
index 0865ca3c..e800411e 100644
--- a/generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -51,11 +51,21 @@ spec: description: Audience is the required value of the "aud" JWT claim. minLength: 1 type: string - groups_claim: - description: GroupsClaim is the name of the claim which should be - read to extract the user's group membership from the JWT token. - When not specified, it will default to "groups". - type: string + claims: + description: Claims allows customization of the claims that will be + mapped to user identity for Kubernetes access. + properties: + groups: + description: Groups is the name of the claim which should be read + to extract the user's group membership from the JWT token. When + not specified, it will default to "groups". + type: string + username: + description: Username is the name of the claim which should be + read to extract the username from the JWT token. When not specified, + it will default to "username". + type: string + type: object issuer: description: Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT @@ -71,11 +81,6 @@ spec: If omitted, a default set of system roots will be trusted. type: string type: object - username_claim: - description: UsernameClaim is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". - type: string required: - audience - issuer diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 2cef60f4..327bc8fa 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -92,8 +92,7 @@ Spec for configuring a JWT authenticator. | Field | Description | *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim. | *`audience`* __string__ | Audience is the required value of the "aud" JWT claim. -| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username". -| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups". +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-jwttokenclaims[$$JWTTokenClaims$$]__ | Claims allows customization of the claims that will be mapped to user identity for Kubernetes access. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider. |=== 
@@ -115,6 +114,24 @@ Status of a JWT authenticator. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-jwttokenclaims"] +==== JWTTokenClaims + +JWTTokenClaims allows customization of the claims that will be mapped to user identity for Kubernetes access. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec[$$JWTAuthenticatorSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`groups`* __string__ | Groups is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups". +| *`username`* __string__ | Username is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username". +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec"] ==== TLSSpec diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go index 1c43f68f..3e159148 100644 --- a/generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go +++ b/generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go 
@@ -27,21 +27,30 @@ type JWTAuthenticatorSpec struct {
 // +kubebuilder:validation:MinLength=1
 Audience string `json:"audience"`
 
- // UsernameClaim is the name of the claim which should be read to extract the
- // username from the JWT token. When not specified, it will default to "username".
+ // Claims allows customization of the claims that will be mapped to user identity
+ // for Kubernetes access.
 // +optional
- UsernameClaim string `json:"username_claim"`
-
- // GroupsClaim is the name of the claim which should be read to extract the user's
- // group membership from the JWT token. When not specified, it will default to "groups".
- // +optional
- GroupsClaim string `json:"groups_claim"`
+ Claims JWTTokenClaims `json:"claims"`
 
 // TLS configuration for communicating with the OIDC provider.
 // +optional
 TLS *TLSSpec `json:"tls,omitempty"`
 }
 
+// JWTTokenClaims allows customization of the claims that will be mapped to user identity
+// for Kubernetes access.
+type JWTTokenClaims struct {
+ // Groups is the name of the claim which should be read to extract the user's
+ // group membership from the JWT token. When not specified, it will default to "groups".
+ // +optional
+ Groups string `json:"groups"`
+
+ // Username is the name of the claim which should be read to extract the
+ // username from the JWT token. When not specified, it will default to "username".
+ // +optional
+ Username string `json:"username"`
+}
+
 // JWTAuthenticator describes the configuration of a JWT authenticator.
 //
 // Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
index 93d4e837..c7c6968a 100644
--- a/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -92,6 +92,7 @@ func (in *JWTAuthenticatorList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
 *out = *in
+ out.Claims = in.Claims
 if in.TLS != nil {
 in, out := &in.TLS, &out.TLS
 *out = new(TLSSpec)
@@ -133,6 +134,22 @@ func (in *JWTAuthenticatorStatus) DeepCopy() *JWTAuthenticatorStatus {
 return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JWTTokenClaims) DeepCopyInto(out *JWTTokenClaims) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTTokenClaims.
+func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
+ if in == nil {
+ return nil
+ }
+ out := new(JWTTokenClaims)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 *out = *in
diff --git a/generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
index 0865ca3c..e800411e 100644
--- a/generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -51,11 +51,21 @@ spec: description: Audience is the required value of the "aud" JWT claim. minLength: 1 type: string - groups_claim: - description: GroupsClaim is the name of the claim which should be - read to extract the user's group membership from the JWT token. - When not specified, it will default to "groups". - type: string + claims: + description: Claims allows customization of the claims that will be + mapped to user identity for Kubernetes access. + properties: + groups: + description: Groups is the name of the claim which should be read + to extract the user's group membership from the JWT token. When + not specified, it will default to "groups". + type: string + username: + description: Username is the name of the claim which should be + read to extract the username from the JWT token. When not specified, + it will default to "username". + type: string + type: object issuer: description: Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT @@ -71,11 +81,6 @@ spec: If omitted, a default set of system roots will be trusted. type: string type: object - username_claim: - description: UsernameClaim is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". - type: string required: - audience - issuer diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index bfb3c44f..3fa12249 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -92,8 +92,7 @@ Spec for configuring a JWT authenticator. | Field | Description | *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim. | *`audience`* __string__ | Audience is the required value of the "aud" JWT claim. -| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username". -| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups". +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwttokenclaims[$$JWTTokenClaims$$]__ | Claims allows customization of the claims that will be mapped to user identity for Kubernetes access. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider. |=== 
@@ -115,6 +114,24 @@ Status of a JWT authenticator. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwttokenclaims"] +==== JWTTokenClaims + +JWTTokenClaims allows customization of the claims that will be mapped to user identity for Kubernetes access. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec[$$JWTAuthenticatorSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`groups`* __string__ | Groups is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups". +| *`username`* __string__ | Username is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username". +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec"] ==== TLSSpec diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go index 1c43f68f..3e159148 100644 --- a/generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go +++ b/generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go 
@@ -27,21 +27,30 @@ type JWTAuthenticatorSpec struct {
 // +kubebuilder:validation:MinLength=1
 Audience string `json:"audience"`
 
- // UsernameClaim is the name of the claim which should be read to extract the
- // username from the JWT token. When not specified, it will default to "username".
+ // Claims allows customization of the claims that will be mapped to user identity
+ // for Kubernetes access.
 // +optional
- UsernameClaim string `json:"username_claim"`
-
- // GroupsClaim is the name of the claim which should be read to extract the user's
- // group membership from the JWT token. When not specified, it will default to "groups".
- // +optional
- GroupsClaim string `json:"groups_claim"`
+ Claims JWTTokenClaims `json:"claims"`
 
 // TLS configuration for communicating with the OIDC provider.
 // +optional
 TLS *TLSSpec `json:"tls,omitempty"`
 }
 
+// JWTTokenClaims allows customization of the claims that will be mapped to user identity
+// for Kubernetes access.
+type JWTTokenClaims struct {
+ // Groups is the name of the claim which should be read to extract the user's
+ // group membership from the JWT token. When not specified, it will default to "groups".
+ // +optional
+ Groups string `json:"groups"`
+
+ // Username is the name of the claim which should be read to extract the
+ // username from the JWT token. When not specified, it will default to "username".
+ // +optional
+ Username string `json:"username"`
+}
+
 // JWTAuthenticator describes the configuration of a JWT authenticator.
 //
 // Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
index 93d4e837..c7c6968a 100644
--- a/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -92,6 +92,7 @@ func (in *JWTAuthenticatorList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
 *out = *in
+ out.Claims = in.Claims
 if in.TLS != nil {
 in, out := &in.TLS, &out.TLS
 *out = new(TLSSpec)
@@ -133,6 +134,22 @@ func (in *JWTAuthenticatorStatus) DeepCopy() *JWTAuthenticatorStatus {
 return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JWTTokenClaims) DeepCopyInto(out *JWTTokenClaims) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTTokenClaims.
+func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
+ if in == nil {
+ return nil
+ }
+ out := new(JWTTokenClaims)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 *out = *in
diff --git a/generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
index 0865ca3c..e800411e 100644
--- a/generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -51,11 +51,21 @@ spec: description: Audience is the required value of the "aud" JWT claim. minLength: 1 type: string - groups_claim: - description: GroupsClaim is the name of the claim which should be - read to extract the user's group membership from the JWT token. - When not specified, it will default to "groups". - type: string + claims: + description: Claims allows customization of the claims that will be + mapped to user identity for Kubernetes access. + properties: + groups: + description: Groups is the name of the claim which should be read + to extract the user's group membership from the JWT token. When + not specified, it will default to "groups". + type: string + username: + description: Username is the name of the claim which should be + read to extract the username from the JWT token. When not specified, + it will default to "username". + type: string + type: object issuer: description: Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT @@ -71,11 +81,6 @@ spec: If omitted, a default set of system roots will be trusted. type: string type: object - username_claim: - description: UsernameClaim is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". - type: string required: - audience - issuer diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go index 682a5ee6..03fea206 100644 --- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go +++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go 
@@ -169,11 +169,11 @@ func newJWTAuthenticator(spec *auth1alpha1.JWTAuthenticatorSpec) (*jwtAuthentica
 caFile = temp.Name()
 }
 
- usernameClaim := spec.UsernameClaim
+ usernameClaim := spec.Claims.Username
 if usernameClaim == "" {
 usernameClaim = defaultUsernameClaim
 }
- groupsClaim := spec.GroupsClaim
+ groupsClaim := spec.Claims.Groups
 if groupsClaim == "" {
 groupsClaim = defaultGroupsClaim
 }
diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
index 1c2fe19b..1f2d350f 100644
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
@@ -90,16 +90,20 @@ func TestController(t *testing.T) {
 TLS: tlsSpecFromTLSConfig(server.TLS),
 }
 someJWTAuthenticatorSpecWithUsernameClaim := &auth1alpha1.JWTAuthenticatorSpec{
- Issuer: goodIssuer,
- Audience: goodAudience,
- TLS: tlsSpecFromTLSConfig(server.TLS),
- UsernameClaim: "my-custom-username-claim",
+ Issuer: goodIssuer,
+ Audience: goodAudience,
+ TLS: tlsSpecFromTLSConfig(server.TLS),
+ Claims: auth1alpha1.JWTTokenClaims{
+ Username: "my-custom-username-claim",
+ },
 }
 someJWTAuthenticatorSpecWithGroupsClaim := &auth1alpha1.JWTAuthenticatorSpec{
- Issuer: goodIssuer,
- Audience: goodAudience,
- TLS: tlsSpecFromTLSConfig(server.TLS),
- GroupsClaim: "my-custom-groups-claim",
+ Issuer: goodIssuer,
+ Audience: goodAudience,
+ TLS: tlsSpecFromTLSConfig(server.TLS),
+ Claims: auth1alpha1.JWTTokenClaims{
+ Groups: "my-custom-groups-claim",
+ },
 }
 otherJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
 Issuer: "https://some-other-issuer.com",
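Review bot: The fallback from an empty `spec.Claims.Username` / `spec.Claims.Groups` to `defaultUsernameClaim` / `defaultGroupsClaim` is the only place where the "When not specified, it will default to" promise in the `JWTTokenClaims` doc comments is kept, yet nothing in the code ties the two together, so a comment such as `// An empty claim name means the field was not set in the JWTAuthenticator; keep these defaults in sync with the doc comments on auth1alpha1.JWTTokenClaims.` above the first assignment would help whoever next edits either side. The two four-line blocks are also identical apart from the field and constant, so a small `claimOrDefault(name, fallback string) string` helper would remove the duplication, though that is a matter of taste. `newJWTAuthenticator` starts and ends outside the hunk.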
@@ -170,7 +174,7 @@ func TestController(t *testing.T) {
 `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
 },
 wantCacheEntries: 1,
- wantUsernameClaim: someJWTAuthenticatorSpecWithUsernameClaim.UsernameClaim,
+ wantUsernameClaim: someJWTAuthenticatorSpecWithUsernameClaim.Claims.Username,
 runTestsOnResultingAuthenticator: true,
 },
 {
@@ -189,7 +193,7 @@ func TestController(t *testing.T) {
 `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
 },
 wantCacheEntries: 1,
- wantGroupsClaim: someJWTAuthenticatorSpecWithGroupsClaim.GroupsClaim,
+ wantGroupsClaim: someJWTAuthenticatorSpecWithGroupsClaim.Claims.Groups,
 runTestsOnResultingAuthenticator: true,
 },
 {
diff --git a/test/library/client.go b/test/library/client.go
index 9e83dea1..4b108662 100644
--- a/test/library/client.go
+++ b/test/library/client.go
@@ -182,7 +182,7 @@ func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T)
 Audience: testEnv.CLITestUpstream.ClientID,
 // The default UsernameClaim is "username" but the upstreams that we use for
 // integration tests won't necessarily have that claim, so use "sub" here.
- UsernameClaim: "sub",
+ Claims: auth1alpha1.JWTTokenClaims{Username: "sub"},
 }
 // If the test upstream does not have a CA bundle specified, then don't configure one in the
 // JWTAuthenticator. Leaving TLSSpec set to nil will result in OIDC discovery using the OS's root
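Review bot: In the test/library/client.go hunk the context comment two lines above the changed line, `// The default UsernameClaim is "username" but the upstreams that we use for`, still names the field this commit removes, while the line it describes now sets `Claims: auth1alpha1.JWTTokenClaims{Username: "sub"}`. Changing it to `// The default Claims.Username is "username" but the upstreams that we use for` keeps the comment and the code pointing at the same field. `CreateTestJWTAuthenticatorForCLIUpstream` continues outside the hunk.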