Allow scope to be passed as array (#150)

* feat: Allow scope to be passed as array

Scopes are currently passed as a scope string, separating scopes by
spaces.
Clients can grow to many scopes, resulting in a very long string.

This change allows us to specify scopes using the property scopeArray.
That way, we can separate scopes by newlines.
Additionally, this allows us to temporarily comment out a single scope, or
to add a comment for a specific scope, e.g. as a reason why that client has
this scope granted.

* feat: Deprecate scope in favor of scopeArray

* feat: Use kubebuilder:deprecatedversion
This commit is contained in:
Tim Siebels
2024-10-14 10:06:41 +02:00
committed by GitHub
parent aa0bff206a
commit 44cd2371d9
7 changed files with 79 additions and 6 deletions


@ -145,12 +145,18 @@ type OAuth2ClientSpec struct {
// Audience is a whitelist defining the audiences this client is allowed to request tokens for
Audience []string `json:"audience,omitempty"`
// +kubebuilder:validation:Pattern=([a-zA-Z0-9\.\*]+\s?)+
// +kubebuilder:validation:Pattern=([a-zA-Z0-9\.\*]+\s?)*
// +kubebuilder:deprecatedversion:warning="Property scope is deprecated. Use scopeArray instead."
//
// Scope is a string containing a space-separated list of scope values (as
// described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
// can use when requesting access tokens.
Scope string `json:"scope"`
// Use scopeArray instead.
Scope string `json:"scope,omitempty"`
// Scope is an array of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
// that the client can use when requesting access tokens.
ScopeArray []string `json:"scopeArray,omitempty"`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
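Review bot: The new ScopeArray field carries no validation marker, so its items are not constrained to the character set that the Pattern marker still enforces on the deprecated scope string, and nothing requires at least one of the two fields to be set now that scope is omitempty and its pattern accepts the empty string (the removed "invalid scope" case in the test file hunk was the only test exercising an empty scope). If the project's controller-tools version supports item markers, `// +kubebuilder:validation:items:Pattern=[a-zA-Z0-9\.\*]+` on ScopeArray would keep the two fields equivalent, and an XValidation rule on the spec could express the at-least-one requirement if a client without any scope should still be rejected. The doc comment on the new field should start with its own name, `// ScopeArray is an array of scope values ...`, and the deprecation on the old field should follow the Go convention `// Deprecated: use scopeArray instead.` as its own paragraph so tooling surfaces it. As far as I recall, `+kubebuilder:deprecatedversion` is a type-level marker for a whole API version rather than a field marker, so it is worth confirming in the generated CRD that the warning is actually emitted. The OAuth2ClientSpec struct starts and ends outside the hunk.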


@ -92,7 +92,6 @@ func TestCreateAPI(t *testing.T) {
"invalid grant type": func() { created.Spec.GrantTypes = []GrantType{"invalid"} },
"invalid response type": func() { created.Spec.ResponseTypes = []ResponseType{"invalid", "code"} },
"invalid composite response type": func() { created.Spec.ResponseTypes = []ResponseType{"invalid code", "code id_token"} },
"invalid scope": func() { created.Spec.Scope = "" },
"missing secret name": func() { created.Spec.SecretName = "" },
"invalid redirect URI": func() { created.Spec.RedirectURIs = []RedirectURI{"invalid"} },
"invalid logout redirect URI": func() { created.Spec.PostLogoutRedirectURIs = []RedirectURI{"invalid"} },


@ -147,6 +147,11 @@ func (in *OAuth2ClientSpec) DeepCopyInto(out *OAuth2ClientSpec) {
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.ScopeArray != nil {
in, out := &in.ScopeArray, &out.ScopeArray
*out = make([]string, len(*in))
copy(*out, *in)
}
out.HydraAdmin = in.HydraAdmin
out.TokenLifespans = in.TokenLifespans
in.Metadata.DeepCopyInto(&out.Metadata)