forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
types.go
226 lines (171 loc) · 6.88 KB
/
types.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
package oauth
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OAuthAccessToken struct {
metav1.TypeMeta
metav1.ObjectMeta
// ClientName references the client that created this token.
ClientName string
// ExpiresIn is the seconds from CreationTime before this token expires.
ExpiresIn int64
// Scopes is an array of the requested scopes.
Scopes []string
// RedirectURI is the redirection associated with the token.
RedirectURI string
// UserName is the user name associated with this token
UserName string
// UserUID is the unique UID associated with this token
UserUID string
// AuthorizeToken contains the token that authorized this token
AuthorizeToken string
// RefreshToken is the value by which this token can be renewed. Can be blank.
RefreshToken string
// InactivityTimeoutSeconds is the value in seconds, from the
// CreationTimestamp, after which this token can no longer be used.
// The value is automatically incremented when the token is used.
InactivityTimeoutSeconds int32
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OAuthAuthorizeToken struct {
metav1.TypeMeta
metav1.ObjectMeta
// ClientName references the client that created this token.
ClientName string
// ExpiresIn is the seconds from CreationTime before this token expires.
ExpiresIn int64
// Scopes is an array of the requested scopes.
Scopes []string
// RedirectURI is the redirection associated with the token.
RedirectURI string
// State data from request
State string
// UserName is the user name associated with this token
UserName string
// UserUID is the unique UID associated with this token. UserUID and UserName must both match
// for this token to be valid.
UserUID string
// CodeChallenge is the optional code_challenge associated with this authorization code, as described in rfc7636
CodeChallenge string
// CodeChallengeMethod is the optional code_challenge_method associated with this authorization code, as described in rfc7636
CodeChallengeMethod string
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OAuthClient struct {
metav1.TypeMeta
metav1.ObjectMeta
// Secret is the unique secret associated with a client
Secret string
// AdditionalSecrets holds other secrets that may be used to identify the client. This is useful for rotation
// and for service account token validation
AdditionalSecrets []string
// RespondWithChallenges indicates whether the client wants authentication needed responses made in the form of challenges instead of redirects
RespondWithChallenges bool
// RedirectURIs is the valid redirection URIs associated with a client
RedirectURIs []string
// GrantMethod determines how to handle grants for this client. If no method is provided, the
// cluster default grant handling method will be used
GrantMethod GrantHandlerType
// ScopeRestrictions describes which scopes this client can request. Each requested scope
// is checked against each restriction. If any restriction matches, then the scope is allowed.
// If no restriction matches, then the scope is denied.
ScopeRestrictions []ScopeRestriction
// AccessTokenMaxAgeSeconds overrides the default access token max age for tokens granted to this client.
// 0 means no expiration.
AccessTokenMaxAgeSeconds *int32
// AccessTokenInactivityTimeoutSeconds overrides the default token
// inactivity timeout for tokens granted to this client.
// The value represents the maximum amount of time that can occur between
// consecutive uses of the token. Tokens become invalid if they are not
// used within this temporal window. The user will need to acquire a new
// token to regain access once a token times out.
// This value needs to be set only if the default set in configuration is
// not appropriate for this client. Valid values are:
// - 0: Tokens for this client never time out
// - X: Tokens time out if there is no activity for X seconds
// The current minimum allowed value for X is 300 (5 minutes)
AccessTokenInactivityTimeoutSeconds *int32
}
type GrantHandlerType string
const (
// GrantHandlerAuto auto-approves client authorization grant requests
GrantHandlerAuto GrantHandlerType = "auto"
// GrantHandlerPrompt prompts the user to approve new client authorization grant requests
GrantHandlerPrompt GrantHandlerType = "prompt"
// GrantHandlerDeny auto-denies client authorization grant requests
GrantHandlerDeny GrantHandlerType = "deny"
)
// ScopeRestriction describe one restriction on scopes. Exactly one option must be non-nil.
type ScopeRestriction struct {
// ExactValues means the scope has to match a particular set of strings exactly
ExactValues []string
// ClusterRole describes a set of restrictions for cluster role scoping.
ClusterRole *ClusterRoleScopeRestriction
}
// ClusterRoleScopeRestriction describes restrictions on cluster role scopes
type ClusterRoleScopeRestriction struct {
// RoleNames is the list of cluster roles that can referenced. * means anything
RoleNames []string
// Namespaces is the list of namespaces that can be referenced. * means any of them (including *)
Namespaces []string
// AllowEscalation indicates whether you can request roles and their escalating resources
AllowEscalation bool
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OAuthClientAuthorization struct {
metav1.TypeMeta
metav1.ObjectMeta
// ClientName references the client that created this authorization
ClientName string
// UserName is the user name that authorized this client
UserName string
// UserUID is the unique UID associated with this authorization. UserUID and UserName
// must both match for this authorization to be valid.
UserUID string
// Scopes is an array of the granted scopes.
Scopes []string
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OAuthAccessTokenList struct {
metav1.TypeMeta
metav1.ListMeta
Items []OAuthAccessToken
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OAuthAuthorizeTokenList struct {
metav1.TypeMeta
metav1.ListMeta
Items []OAuthAuthorizeToken
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OAuthClientList struct {
metav1.TypeMeta
metav1.ListMeta
Items []OAuthClient
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OAuthClientAuthorizationList struct {
metav1.TypeMeta
metav1.ListMeta
Items []OAuthClientAuthorization
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OAuthRedirectReference struct {
metav1.TypeMeta
metav1.ObjectMeta
Reference RedirectReference
}
type RedirectReference struct {
Group string
Kind string
Name string
}