
Source file src/k8s.io/api/authentication/v1beta1/types.go

Documentation: k8s.io/api/authentication/v1beta1

     1  /*
     2  Copyright 2016 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package v1beta1
    18  
    19  import (
    20  	"fmt"
    21  
    22  	v1 "k8s.io/api/authentication/v1"
    23  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    24  )
    25  
    26  // +genclient
    27  // +genclient:nonNamespaced
    28  // +genclient:onlyVerbs=create
    29  // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
    30  // +k8s:prerelease-lifecycle-gen:introduced=1.4
    31  // +k8s:prerelease-lifecycle-gen:deprecated=1.19
    32  // +k8s:prerelease-lifecycle-gen:replacement=authentication.k8s.io,v1,TokenReview
    33  
// TokenReview attempts to authenticate a token to a known user.
// Note: TokenReview requests may be cached by the webhook token authenticator
// plugin in the kube-apiserver.
//
// The caller fills in Spec and the server answers in Status. Spec carries the
// bearer token under review, so a serialized TokenReview is as sensitive as
// the token itself.
//
// The lifecycle markers above this comment record the v1beta1 version as
// introduced in 1.4, deprecated in 1.19 and replaced by
// authentication.k8s.io/v1 TokenReview; the genclient markers limit the
// generated client to the create verb.
//
// NOTE(review): because reviews may be cached (see above), a revoked token can
// presumably keep authenticating until the cached entry expires — confirm the
// cache lifetime configured for the webhook authenticator.
type TokenReview struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec holds information about the request being evaluated.
	// Its JSON tag has no omitempty, unlike Status, so it is always serialized.
	Spec TokenReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`

	// Status is filled in by the server and indicates whether the token can be authenticated.
	// +optional
	Status TokenReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}
    51  
// TokenReviewSpec is a description of the token authentication request.
type TokenReviewSpec struct {
	// Token is the opaque bearer token.
	// It is a live credential: keep it out of logs, error messages and any
	// persisted copy of this object.
	// +optional
	Token string `json:"token,omitempty" protobuf:"bytes,1,opt,name=token"`
	// Audiences lists the identifiers by which the resource server that was
	// presented with the token identifies itself. Audience-aware token
	// authenticators will verify that the token was intended for at least one
	// of the audiences in this list. If no audiences are provided, the audience
	// will default to the audience of the Kubernetes apiserver.
	// +optional
	// +listType=atomic
	Audiences []string `json:"audiences,omitempty" protobuf:"bytes,2,rep,name=audiences"`
}
    66  
// TokenReviewStatus is the result of the token authentication request.
//
// A consumer has three things to check before trusting the result:
// Authenticated, Error, and (when it set spec.audiences) Audiences.
type TokenReviewStatus struct {
	// Authenticated indicates that the token was associated with a known user.
	// The zero value is false, so a status the server never filled in reads as
	// "not authenticated".
	// +optional
	Authenticated bool `json:"authenticated,omitempty" protobuf:"varint,1,opt,name=authenticated"`
	// User is the UserInfo associated with the provided token.
	// Consumers should rely on it only when Authenticated is true.
	// NOTE(review): the contents are presumably unspecified otherwise — confirm
	// against the authenticator in use.
	// +optional
	User UserInfo `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"`
	// Audiences are audience identifiers chosen by the authenticator that are
	// compatible with both the TokenReview and token. An identifier is any
	// identifier in the intersection of the TokenReviewSpec audiences and the
	// token's audiences. A client of the TokenReview API that sets the
	// spec.audiences field should validate that a compatible audience identifier
	// is returned in the status.audiences field to ensure that the TokenReview
	// server is audience aware. If a TokenReview returns an empty
	// status.audiences field where status.authenticated is "true", the token is
	// valid against the audience of the Kubernetes API server.
	// +optional
	// +listType=atomic
	Audiences []string `json:"audiences,omitempty" protobuf:"bytes,4,rep,name=audiences"`
	// Error indicates that the token couldn't be checked.
	// That is a failed review, not a verdict on the token; a consumer should
	// treat a non-empty Error as unauthenticated rather than fall through.
	// +optional
	Error string `json:"error,omitempty" protobuf:"bytes,3,opt,name=error"`
}
    91  
// UserInfo holds the information about the user needed to implement the
// user.Info interface.
//
// Every field is asserted by whichever authenticator answered the review, so
// a consumer that feeds these values into authorization decisions is trusting
// that authenticator.
type UserInfo struct {
	// The name that uniquely identifies this user among all active users.
	// +optional
	Username string `json:"username,omitempty" protobuf:"bytes,1,opt,name=username"`
	// A unique value that identifies this user across time. If this user is
	// deleted and another user by the same name is added, they will have
	// different UIDs.
	// Unlike Username, this lets a consumer tell a re-created account from the
	// original one.
	// +optional
	UID string `json:"uid,omitempty" protobuf:"bytes,2,opt,name=uid"`
	// The names of groups this user is a part of.
	// +optional
	// +listType=atomic
	Groups []string `json:"groups,omitempty" protobuf:"bytes,3,rep,name=groups"`
	// Any additional information provided by the authenticator.
	// Keys and values are free-form strings; nothing in this type constrains
	// them.
	// +optional
	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,4,rep,name=extra"`
}
   111  
// ExtraValue masks the underlying []string behind a named type so that
// protobuf code can be generated for it. It is the value type of
// UserInfo.Extra.
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
type ExtraValue []string

// String renders the values in fmt's default slice form, for example "[a b]".
// A nil or empty ExtraValue renders as "[]".
func (e ExtraValue) String() string {
	// Convert to the plain slice type first so that fmt formats the elements
	// directly instead of calling back into this method.
	values := []string(e)
	return fmt.Sprint(values)
}
   120  
   121  // +genclient
   122  // +genclient:nonNamespaced
   123  // +genclient:onlyVerbs=create
   124  // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
   125  // +k8s:prerelease-lifecycle-gen:introduced=1.27
   126  
// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
// When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or
// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
//
// The type has no Spec field: the subject is the caller of the request itself,
// so there is nothing for the client to supply beyond the request.
type SelfSubjectReview struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Status is filled in by the server with the user attributes.
	Status SelfSubjectReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}
   139  
// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
type SelfSubjectReviewStatus struct {
	// User attributes of the user making this request.
	// The field type is v1.UserInfo from k8s.io/api/authentication/v1, not the
	// UserInfo declared in this v1beta1 package.
	// +optional
	UserInfo v1.UserInfo `json:"userInfo,omitempty" protobuf:"bytes,1,opt,name=userInfo"`
}
   146  
