-
Notifications
You must be signed in to change notification settings - Fork 71
/
authentication_spec.go
97 lines (87 loc) · 3.69 KB
/
authentication_spec.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
//
// DISCLAIMER
//
// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// Copyright holder is ArangoDB GmbH, Cologne, Germany
//
package v2alpha1
import (
shared "github.com/arangodb/kube-arangodb/pkg/apis/shared"
"github.com/arangodb/kube-arangodb/pkg/util"
"github.com/arangodb/kube-arangodb/pkg/util/errors"
)
// AuthenticationSpec holds authentication specific configuration settings
type AuthenticationSpec struct {
// JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
// JWT tokens to access all ArangoDB servers.
// When no name is specified, it defaults to `<deployment-name>-jwt`.
// To disable authentication, set this value to `None`.
// If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
// If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
// Changing secret key results in restarting of a whole cluster.
JWTSecretName *string `json:"jwtSecretName,omitempty"`
}
const (
// JWTSecretNameDisabled is the value of JWTSecretName to use for disabling authentication.
JWTSecretNameDisabled = "None"
)
// GetJWTSecretName returns the value of jwtSecretName.
func (s AuthenticationSpec) GetJWTSecretName() string {
return util.TypeOrDefault[string](s.JWTSecretName)
}
// IsAuthenticated returns true if authentication is enabled.
// Returns false other (when JWTSecretName == "None").
func (s AuthenticationSpec) IsAuthenticated() bool {
return s.GetJWTSecretName() != JWTSecretNameDisabled
}
// Validate the given spec
func (s AuthenticationSpec) Validate(required bool) error {
if required && !s.IsAuthenticated() {
return errors.WithStack(errors.Wrap(ValidationError, "JWT secret is required"))
}
if s.IsAuthenticated() {
if err := shared.ValidateResourceName(s.GetJWTSecretName()); err != nil {
return errors.WithStack(err)
}
}
return nil
}
// SetDefaults fills in missing defaults
func (s *AuthenticationSpec) SetDefaults(defaultJWTSecretName string) {
if s.GetJWTSecretName() == "" {
// Note that we don't check for nil here, since even a specified, but empty
// string should result in the default value.
s.JWTSecretName = util.NewType[string](defaultJWTSecretName)
}
}
// SetDefaultsFrom fills unspecified fields with a value from given source spec.
func (s *AuthenticationSpec) SetDefaultsFrom(source AuthenticationSpec) {
if s.JWTSecretName == nil {
s.JWTSecretName = util.NewTypeOrNil[string](source.JWTSecretName)
}
}
// ResetImmutableFields replaces all immutable fields in the given target with values from the source spec.
// It returns a list of fields that have been reset.
// Field names are relative to given field prefix.
func (s AuthenticationSpec) ResetImmutableFields(fieldPrefix string, target *AuthenticationSpec) []string {
var resetFields []string
if s.IsAuthenticated() != target.IsAuthenticated() {
// Note: You can change the name, but not from empty to non-empty (or reverse).
target.JWTSecretName = util.NewTypeOrNil[string](s.JWTSecretName)
resetFields = append(resetFields, fieldPrefix+".jwtSecretName")
}
return resetFields
}