-
Notifications
You must be signed in to change notification settings - Fork 272
/
oidcconfig_types.go
166 lines (144 loc) Β· 4.73 KB
/
oidcconfig_types.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
// OIDCConfig defines an OpenID Connect (OIDCConfigSpec) identity provider configuration
// OIDCConfigSpec defines the desired state of OIDCConfig
type OIDCConfigSpec struct {
// ClientId defines the client ID for the OpenID Connect client
ClientId string `json:"clientId,omitempty"`
// +kubebuilder:validation:Optional
// GroupsClaim defines the name of a custom OpenID Connect claim for specifying user groups
GroupsClaim string `json:"groupsClaim,omitempty"`
// +kubebuilder:validation:Optional
// GroupsPrefix defines a string to be prefixed to all groups to prevent conflicts with other authentication strategies
GroupsPrefix string `json:"groupsPrefix,omitempty"`
// IssuerUrl defines the URL of the OpenID issuer, only HTTPS scheme will be accepted
IssuerUrl string `json:"issuerUrl,omitempty"`
// +kubebuilder:validation:Optional
// RequiredClaims defines a key=value pair that describes a required claim in the ID Token
RequiredClaims []OIDCConfigRequiredClaim `json:"requiredClaims,omitempty"`
// +kubebuilder:validation:Optional
// UsernameClaim defines the OpenID claim to use as the user name. Note that claims other than the default ('sub') is not guaranteed to be unique and immutable
UsernameClaim string `json:"usernameClaim,omitempty"`
// +kubebuilder:validation:Optional
// UsernamePrefix defines a string to prefixed to all usernames. If not provided, username claims other than 'email' are prefixed by the issuer URL to avoid clashes. To skip any prefixing, provide the value '-'.
UsernamePrefix string `json:"usernamePrefix,omitempty"`
}
func (e *OIDCConfigSpec) Equal(n *OIDCConfigSpec) bool {
if e == n {
return true
}
if e == nil || n == nil {
return false
}
if e.ClientId != n.ClientId {
return false
}
if e.GroupsClaim != n.GroupsClaim {
return false
}
if e.GroupsPrefix != n.GroupsPrefix {
return false
}
if e.IssuerUrl != n.IssuerUrl {
return false
}
if e.UsernameClaim != n.UsernameClaim {
return false
}
if e.UsernamePrefix != n.UsernamePrefix {
return false
}
return RequiredClaimsSliceEqual(e.RequiredClaims, n.RequiredClaims)
}
func RequiredClaimsSliceEqual(a, b []OIDCConfigRequiredClaim) bool {
if len(a) != len(b) {
return false
}
m := make(map[string]int, len(a))
for _, v := range a {
m[v.Claim+v.Value]++
}
for _, v := range b {
if _, ok := m[v.Claim+v.Value]; !ok {
return false
}
m[v.Claim+v.Value] -= 1
if m[v.Claim+v.Value] == 0 {
delete(m, v.Claim+v.Value)
}
}
return len(m) == 0
}
// IsManaged returns true if the oidcconfig is associated with a workload cluster
func (c *OIDCConfig) IsManaged() bool {
if s, ok := c.Annotations[managementAnnotation]; ok {
return s != ""
}
return false
}
func (c *OIDCConfig) SetManagedBy(clusterName string) {
if c.Annotations == nil {
c.Annotations = map[string]string{}
}
c.Annotations[managementAnnotation] = clusterName
}
type OIDCConfigRequiredClaim struct {
Claim string `json:"claim,omitempty"`
Value string `json:"value,omitempty"`
}
// OIDCConfigStatus defines the observed state of OIDCConfig
type OIDCConfigStatus struct{}
//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
// OIDCConfig is the Schema for the oidcconfigs API
type OIDCConfig struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec OIDCConfigSpec `json:"spec,omitempty"`
Status OIDCConfigStatus `json:"status,omitempty"`
}
// +kubebuilder:object:generate=false
// Same as OIDCConfig except stripped down for generation of yaml file while writing to github repo when flux is enabled
type OIDCConfigGenerate struct {
metav1.TypeMeta `json:",inline"`
ObjectMeta `json:"metadata,omitempty"`
Spec OIDCConfigSpec `json:"spec,omitempty"`
}
//+kubebuilder:object:root=true
// OIDCConfigList contains a list of OIDCConfig
type OIDCConfigList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []OIDCConfig `json:"items"`
}
func (c *OIDCConfig) Kind() string {
return c.TypeMeta.Kind
}
func (c *OIDCConfig) ExpectedKind() string {
return OIDCConfigKind
}
func (c *OIDCConfig) Validate() error {
return validateOIDCConfig(c)
}
func (c *OIDCConfig) ConvertConfigToConfigGenerateStruct() *OIDCConfigGenerate {
namespace := defaultEksaNamespace
if c.Namespace != "" {
namespace = c.Namespace
}
config := &OIDCConfigGenerate{
TypeMeta: c.TypeMeta,
ObjectMeta: ObjectMeta{
Name: c.Name,
Annotations: c.Annotations,
Namespace: namespace,
},
Spec: c.Spec,
}
return config
}
func init() {
SchemeBuilder.Register(&OIDCConfig{}, &OIDCConfigList{})
}