package v1

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OAuthAccessToken describes an OAuth access token.
// The name of a token must be prefixed with a `sha256~` string, must not contain "/" or "%" characters and must be at
// least 32 characters long.
//
// The name of the token is constructed from the actual token by sha256-hashing it and using URL-safe unpadded
// base64-encoding (as described in RFC4648) on the hashed result.
//
// Because the object name is a hash of the bearer token rather than the token itself, the name alone does not
// reveal the value a client presents. The RefreshToken and AuthorizeToken fields below are plain string fields
// whose storage form is not specified by this type, so read access to OAuthAccessToken objects should still be
// treated as access to credentials.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type OAuthAccessToken struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// ClientName references the client that created this token.
	ClientName string `json:"clientName,omitempty" protobuf:"bytes,2,opt,name=clientName"`

	// ExpiresIn is the seconds from the object's CreationTimestamp before this token expires.
	ExpiresIn int64 `json:"expiresIn,omitempty" protobuf:"varint,3,opt,name=expiresIn"`

	// Scopes is an array of the requested scopes.
	Scopes []string `json:"scopes,omitempty" protobuf:"bytes,4,rep,name=scopes"`

	// RedirectURI is the redirection associated with the token.
	RedirectURI string `json:"redirectURI,omitempty" protobuf:"bytes,5,opt,name=redirectURI"`

	// UserName is the user name associated with this token.
	UserName string `json:"userName,omitempty" protobuf:"bytes,6,opt,name=userName"`

	// UserUID is the unique UID associated with this token.
	// NOTE(review): OAuthAuthorizeToken and OAuthClientAuthorization state that UserUID and UserName must both
	// match for the object to be valid; presumably the same rule applies here — confirm against the token validator.
	UserUID string `json:"userUID,omitempty" protobuf:"bytes,7,opt,name=userUID"`

	// AuthorizeToken contains the token that authorized this token
	// (presumably the OAuthAuthorizeToken that was exchanged for this access token — verify against the exchange handler).
	AuthorizeToken string `json:"authorizeToken,omitempty" protobuf:"bytes,8,opt,name=authorizeToken"`

	// RefreshToken is the value by which this token can be renewed. Can be blank.
	// Whether the value is stored hashed like the object name is not specified here; treat it as a credential.
	RefreshToken string `json:"refreshToken,omitempty" protobuf:"bytes,9,opt,name=refreshToken"`

	// InactivityTimeoutSeconds is the value in seconds, from the
	// CreationTimestamp, after which this token can no longer be used.
	// The value is automatically incremented when the token is used.
	// The per-client default for this value is OAuthClient.AccessTokenInactivityTimeoutSeconds.
	InactivityTimeoutSeconds int32 `json:"inactivityTimeoutSeconds,omitempty" protobuf:"varint,10,opt,name=inactivityTimeoutSeconds"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OAuthAuthorizeToken describes an OAuth authorization token
// (the short-lived token issued by the authorization step and later exchanged for an OAuthAccessToken —
// see OAuthAccessToken.AuthorizeToken).
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type OAuthAuthorizeToken struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// ClientName references the client that created this token.
	ClientName string `json:"clientName,omitempty" protobuf:"bytes,2,opt,name=clientName"`

	// ExpiresIn is the seconds from the object's CreationTimestamp before this token expires.
	ExpiresIn int64 `json:"expiresIn,omitempty" protobuf:"varint,3,opt,name=expiresIn"`

	// Scopes is an array of the requested scopes.
	Scopes []string `json:"scopes,omitempty" protobuf:"bytes,4,rep,name=scopes"`

	// RedirectURI is the redirection associated with the token.
	RedirectURI string `json:"redirectURI,omitempty" protobuf:"bytes,5,opt,name=redirectURI"`

	// State is the opaque state value received with the authorization request and handed back to the client
	// (clients use it to bind the authorization response to their own request, see RFC 6749 section 10.12).
	State string `json:"state,omitempty" protobuf:"bytes,6,opt,name=state"`

	// UserName is the user name associated with this token
	UserName string `json:"userName,omitempty" protobuf:"bytes,7,opt,name=userName"`

	// UserUID is the unique UID associated with this token. UserUID and UserName must both match
	// for this token to be valid.
	UserUID string `json:"userUID,omitempty" protobuf:"bytes,8,opt,name=userUID"`

	// CodeChallenge is the optional code_challenge associated with this authorization code, as described in rfc7636 (PKCE).
	CodeChallenge string `json:"codeChallenge,omitempty" protobuf:"bytes,9,opt,name=codeChallenge"`

	// CodeChallengeMethod is the optional code_challenge_method associated with this authorization code, as described in rfc7636.
	CodeChallengeMethod string `json:"codeChallengeMethod,omitempty" protobuf:"bytes,10,opt,name=codeChallengeMethod"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OAuthClient describes an OAuth client
//
// The client's credentials (Secret, AdditionalSecrets) are carried in this object as plain string fields,
// so read access to OAuthClient objects is read access to client credentials.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type OAuthClient struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Secret is the unique secret associated with a client.
	// It is stored in this object as a plain string field; anyone who can read the object can read it.
	Secret string `json:"secret,omitempty" protobuf:"bytes,2,opt,name=secret"`

	// AdditionalSecrets holds other secrets that may be used to identify the client. This is useful for rotation
	// and for service account token validation
	// (presumably each entry is accepted as an alternative to Secret — confirm against the client authenticator).
	AdditionalSecrets []string `json:"additionalSecrets,omitempty" protobuf:"bytes,3,rep,name=additionalSecrets"`

	// RespondWithChallenges indicates whether the client wants authentication needed responses made in the form of challenges instead of redirects
	RespondWithChallenges bool `json:"respondWithChallenges,omitempty" protobuf:"varint,4,opt,name=respondWithChallenges"`

	// RedirectURIs is the valid redirection URIs associated with a client.
	// This list is the allowlist for the client's redirect targets. Note that patchStrategy=merge means a
	// strategic merge patch adds entries to this list rather than replacing it, so an additive patch widens the set.
	// +patchStrategy=merge
	RedirectURIs []string `json:"redirectURIs,omitempty" patchStrategy:"merge" protobuf:"bytes,5,rep,name=redirectURIs"`

	// GrantMethod is a required field which determines how to handle grants for this client.
	// Valid grant handling methods are:
	//  - auto: always approves grant requests, useful for trusted clients
	//  - prompt: prompts the end user for approval of grant requests, useful for third-party clients
	// A GrantHandlerDeny ("deny") constant is also declared in this file; whether validation accepts it
	// for this field is not stated here.
	GrantMethod GrantHandlerType `json:"grantMethod,omitempty" protobuf:"bytes,6,opt,name=grantMethod,casttype=GrantHandlerType"`

	// ScopeRestrictions describes which scopes this client can request. Each requested scope
	// is checked against each restriction. If any restriction matches, then the scope is allowed.
	// If no restriction matches, then the scope is denied.
	// NOTE(review): the behaviour of an empty list (unrestricted vs. deny-all) is not stated here —
	// confirm against the scope validator before relying on either reading.
	ScopeRestrictions []ScopeRestriction `json:"scopeRestrictions,omitempty" protobuf:"bytes,7,rep,name=scopeRestrictions"`

	// AccessTokenMaxAgeSeconds overrides the default access token max age for tokens granted to this client.
	// 0 means no expiration. A nil value presumably leaves the server-wide default in effect.
	AccessTokenMaxAgeSeconds *int32 `json:"accessTokenMaxAgeSeconds,omitempty" protobuf:"varint,8,opt,name=accessTokenMaxAgeSeconds"`

	// AccessTokenInactivityTimeoutSeconds overrides the default token
	// inactivity timeout for tokens granted to this client.
	// The value represents the maximum amount of time that can occur between
	// consecutive uses of the token. Tokens become invalid if they are not
	// used within this temporal window. The user will need to acquire a new
	// token to regain access once a token times out.
	// This value needs to be set only if the default set in configuration is
	// not appropriate for this client. Valid values are:
	// - 0: Tokens for this client never time out
	// - X: Tokens time out if there is no activity for X seconds
	// The current minimum allowed value for X is 300 (5 minutes)
	//
	// WARNING: existing tokens' timeout will not be affected (lowered) by changing this value
	AccessTokenInactivityTimeoutSeconds *int32 `json:"accessTokenInactivityTimeoutSeconds,omitempty" protobuf:"varint,9,opt,name=accessTokenInactivityTimeoutSeconds"`
}

// GrantHandlerType names how an OAuthClient handles authorization grant requests.
// See the GrantHandler* constants below and OAuthClient.GrantMethod.
type GrantHandlerType string

const (
	// GrantHandlerAuto auto-approves client authorization grant requests
	GrantHandlerAuto GrantHandlerType = "auto"
	// GrantHandlerPrompt prompts the user to approve new client authorization grant requests
	GrantHandlerPrompt GrantHandlerType = "prompt"
	// GrantHandlerDeny auto-denies client authorization grant requests.
	// The OAuthClient.GrantMethod documentation above lists only auto and prompt as valid values.
	GrantHandlerDeny GrantHandlerType = "deny"
)

// ScopeRestriction describe one restriction on scopes. Exactly one option must be non-nil.
type ScopeRestriction struct {
	// ExactValues means the scope has to match a particular set of strings exactly.
	// Note the serialized name is "literals", not "exactValues".
	ExactValues []string `json:"literals,omitempty" protobuf:"bytes,1,rep,name=literals"`

	// ClusterRole describes a set of restrictions for cluster role scoping.
	ClusterRole *ClusterRoleScopeRestriction `json:"clusterRole,omitempty" protobuf:"bytes,2,opt,name=clusterRole"`
}

// ClusterRoleScopeRestriction describes restrictions on cluster role scopes
type ClusterRoleScopeRestriction struct {
	// RoleNames is the list of cluster roles that can referenced. * means anything.
	// A wildcard here lets the client request any cluster role scope, so combine it with AllowEscalation deliberately.
	RoleNames []string `json:"roleNames" protobuf:"bytes,1,rep,name=roleNames"`
	// Namespaces is the list of namespaces that can be referenced. * means any of them (including *)
	Namespaces []string `json:"namespaces" protobuf:"bytes,2,rep,name=namespaces"`
	// AllowEscalation indicates whether you can request roles and their escalating resources.
	// false is the conservative setting; enable it only for clients that genuinely need escalating scopes.
	AllowEscalation bool `json:"allowEscalation" protobuf:"varint,3,opt,name=allowEscalation"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OAuthClientAuthorization describes an authorization created by an OAuth client
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type OAuthClientAuthorization struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// ClientName references the client that created this authorization
	ClientName string `json:"clientName,omitempty" protobuf:"bytes,2,opt,name=clientName"`

	// UserName is the user name that authorized this client
	UserName string `json:"userName,omitempty" protobuf:"bytes,3,opt,name=userName"`

	// UserUID is the unique UID associated with this authorization. UserUID and UserName
	// must both match for this authorization to be valid.
	UserUID string `json:"userUID,omitempty" protobuf:"bytes,4,opt,name=userUID"`

	// Scopes is an array of the granted scopes.
	Scopes []string `json:"scopes,omitempty" protobuf:"bytes,5,rep,name=scopes"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OAuthAccessTokenList is a collection of OAuth access tokens
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type OAuthAccessTokenList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is the list of OAuth access tokens
	Items []OAuthAccessToken `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OAuthAuthorizeTokenList is a collection of OAuth authorization tokens
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type OAuthAuthorizeTokenList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is the list of OAuth authorization tokens
	Items []OAuthAuthorizeToken `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OAuthClientList is a collection of OAuth clients
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type OAuthClientList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is the list of OAuth clients (each item carries that client's Secret and AdditionalSecrets).
	Items []OAuthClient `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OAuthClientAuthorizationList is a collection of OAuth client authorizations
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type OAuthClientAuthorizationList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is the list of OAuth client authorizations
	Items []OAuthClientAuthorization `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OAuthRedirectReference is a reference to an OAuth redirect object.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type OAuthRedirectReference struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Reference is the reference to a redirect object in the current namespace.
	// Only the 'Route' kind is currently allowed (see RedirectReference).
	Reference RedirectReference `json:"reference,omitempty" protobuf:"bytes,2,opt,name=reference"`
}

// RedirectReference specifies the target in the current namespace that resolves into redirect URIs. Only the 'Route' kind is currently allowed.
type RedirectReference struct {
	// Group is the group of the target that is being referred to.
	Group string `json:"group" protobuf:"bytes,1,opt,name=group"`

	// Kind is the kind of the target that is being referred to. Currently, only 'Route' is allowed.
	Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`

	// Name is the name of the target that is being referred to. e.g. name of the Route.
	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// UserOAuthAccessToken is a virtual resource to mirror OAuthAccessTokens to
// the user the access token was issued for.
// It is a defined type over OAuthAccessToken and so has the same fields, including RefreshToken and
// AuthorizeToken; which of them the serving layer exposes to the user is not decided by this type.
// +openshift:compatibility-gen:level=1
type UserOAuthAccessToken OAuthAccessToken

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// UserOAuthAccessTokenList is a collection of access tokens issued on behalf of
// the requesting user
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type UserOAuthAccessTokenList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is the list of access tokens issued for the requesting user
	Items []UserOAuthAccessToken `json:"items" protobuf:"bytes,2,rep,name=items"`
}