CadolesKube/hydra-maester
7
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

WIP: Gestion des attributs supplémentaires du client dans la CRD #1

Draft
wpetit wants to merge 1 commits from issue-151 into master
pull from: issue-151
merge into: CadolesKube:master
Conversation 0 Commits 1 Files Changed 5 +362 -376
5 changed files with 362 additions and 376 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
api/v1alpha1/oauth2client_types.go
View File

@ -225,6 +225,11 @@ type OAuth2ClientSpec struct {
// Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
// Value 1 means deletion of the OAuth2 client, value 2 means keep an orphan oauth2 client.
DeletionPolicy OAuth2ClientDeletionPolicy `json:"deletionPolicy,omitempty"`
// +kubebuilder:validation:type=string
//
// UserInfoSignedResponseAlg value specifying the JWS alg algorithm for signing UserInfo Responses
UserInfoSignedResponseAlg string `json:"userInfoSignedResponseAlg,omitempty"`
}
// GrantType represents an OAuth 2.0 grant type

665
config/crd/bases/hydra.ory.sh_oauth2clients.yaml
View File

@ -14,358 +14,337 @@ spec:
singular: oauth2client
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: OAuth2Client is the Schema for the oauth2clients API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description:
OAuth2ClientSpec defines the desired state of OAuth2Client
properties:
allowedCorsOrigins:
description:
AllowedCorsOrigins is an array of allowed CORS origins
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
audience:
description:
Audience is a whitelist defining the audiences this client
is allowed to request tokens for
items:
type: string
type: array
backChannelLogoutSessionRequired:
default: false
description:
BackChannelLogoutSessionRequired Boolean value specifying
whether the RP requires that a sid (session ID) Claim be
included in the Logout Token to identify the RP session with
the OP when the backchannel_logout_uri is used. If omitted,
the default value is false.
type: boolean
backChannelLogoutURI:
description:
BackChannelLogoutURI RP URL that will cause the RP to log
itself out when sent a Logout Token by the OP
pattern: (^$|^https?://.*)
- name: v1alpha1
schema:
openAPIV3Schema:
description: OAuth2Client is the Schema for the oauth2clients API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: OAuth2ClientSpec defines the desired state of OAuth2Client
properties:
allowedCorsOrigins:
description: AllowedCorsOrigins is an array of allowed CORS origins
items:
description: RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
clientName:
description:
ClientName is the human-readable string name of the client
to be presented to the end-user during authorization.
type: array
audience:
description: Audience is a whitelist defining the audiences this client
is allowed to request tokens for
items:
type: string
deletionPolicy:
description: |-
Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
Value 0 means deletion of the OAuth2 client, value 1 means keep an orphan oauth2 client.
type: array
backChannelLogoutSessionRequired:
default: false
description: BackChannelLogoutSessionRequired Boolean value specifying
whether the RP requires that a sid (session ID) Claim be included
in the Logout Token to identify the RP session with the OP when
the backchannel_logout_uri is used. If omitted, the default value
is false.
type: boolean
backChannelLogoutURI:
description: BackChannelLogoutURI RP URL that will cause the RP to
log itself out when sent a Logout Token by the OP
pattern: (^$|^https?://.*)
type: string
clientName:
description: ClientName is the human-readable string name of the client
to be presented to the end-user during authorization.
type: string
deletionPolicy:
description: |-
Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
Value 1 means deletion of the OAuth2 client, value 2 means keep an orphan oauth2 client.
enum:
- 1
- 2
type: integer
frontChannelLogoutSessionRequired:
default: false
description: FrontChannelLogoutSessionRequired Boolean value specifying
whether the RP requires that iss (issuer) and sid (session ID) query
parameters be included to identify the RP session with the OP when
the frontchannel_logout_uri is used
type: boolean
frontChannelLogoutURI:
description: FrontChannelLogoutURI RP URL that will cause the RP to
log itself out when rendered in an iframe by the OP. An iss (issuer)
query parameter and a sid (session ID) query parameter MAY be included
by the OP to enable the RP to validate the request and to determine
which of the potentially multiple sessions is to be logged out;
if either is included, both MUST be
pattern: (^$|^https?://.*)
type: string
grantTypes:
description: GrantTypes is an array of grant types the client is allowed
to use.
items:
description: GrantType represents an OAuth 2.0 grant type
enum:
- 0
- 1
type: integer
frontChannelLogoutSessionRequired:
default: false
description:
FrontChannelLogoutSessionRequired Boolean value specifying
whether the RP requires that iss (issuer) and sid (session
ID) query parameters be included to identify the RP session
with the OP when the frontchannel_logout_uri is used
type: boolean
frontChannelLogoutURI:
description:
FrontChannelLogoutURI RP URL that will cause the RP to log
itself out when rendered in an iframe by the OP. An iss
(issuer) query parameter and a sid (session ID) query
parameter MAY be included by the OP to enable the RP to
validate the request and to determine which of the
potentially multiple sessions is to be logged out; if either
is included, both MUST be
pattern: (^$|^https?://.*)
- client_credentials
- authorization_code
- implicit
- refresh_token
type: string
grantTypes:
description:
GrantTypes is an array of grant types the client is allowed
to use.
items:
description: GrantType represents an OAuth 2.0 grant type
enum:
- client_credentials
- authorization_code
- implicit
- refresh_token
maxItems: 4
minItems: 1
type: array
hydraAdmin:
description: |-
HydraAdmin is the optional configuration to use for managing
this client
properties:
endpoint:
description: |-
Endpoint is the endpoint for the hydra instance on which
to set up the client. This value will override the value
provided to `--endpoint` (defaults to `"/clients"` in the
application)
pattern: (^$|^/.*)
type: string
maxItems: 4
minItems: 1
type: array
hydraAdmin:
description: |-
HydraAdmin is the optional configuration to use for managing
this client
forwardedProto:
description: |-
ForwardedProto overrides the `--forwarded-proto` flag. The
value "off" will force this to be off even if
`--forwarded-proto` is specified
pattern: (^$|https?|off)
type: string
port:
description: |-
Port is the port for the hydra instance on
which to set up the client. This value will override the value
provided to `--hydra-port`
maximum: 65535
type: integer
url:
description: |-
URL is the URL for the hydra instance on
which to set up the client. This value will override the value
provided to `--hydra-url`
maxLength: 64
pattern: (^$|^https?://.*)
type: string
type: object
jwksUri:
description: JwksUri Define the URL where the JSON Web Key Set should
be fetched from when performing the private_key_jwt client authentication
method.
pattern: (^$|^https?://.*)
type: string
metadata:
description: Metadata is arbitrary data
nullable: true
type: object
x-kubernetes-preserve-unknown-fields: true
postLogoutRedirectUris:
description: PostLogoutRedirectURIs is an array of the post logout
redirect URIs allowed for the application
items:
description: RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
redirectUris:
description: RedirectURIs is an array of the redirect URIs allowed
for the application
items:
description: RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
responseTypes:
description: |-
ResponseTypes is an array of the OAuth 2.0 response type strings that the client can
use at the authorization endpoint.
items:
description: ResponseType represents an OAuth 2.0 response type
strings
enum:
- id_token
- code
- token
- code token
- code id_token
- id_token token
- code id_token token
type: string
maxItems: 3
minItems: 1
type: array
scope:
description: |-
Scope is a string containing a space-separated list of scope values (as
described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
can use when requesting access tokens.
Use scopeArray instead.
pattern: ([a-zA-Z0-9\.\*]+\s?)*
type: string
scopeArray:
description: |-
Scope is an array of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
that the client can use when requesting access tokens.
items:
type: string
type: array
secretName:
description: SecretName points to the K8s secret that contains this
client's ID and password
maxLength: 253
minLength: 1
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
type: string
skipConsent:
default: false
description: SkipConsent skips the consent screen for this client.
type: boolean
tokenEndpointAuthMethod:
allOf:
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
description: Indication which authentication method should be used
for the token endpoint
type: string
tokenLifespans:
description: |-
TokenLifespans is the configuration to use for managing different token lifespans
depending on the used grant type.
properties:
authorization_code_grant_access_token_lifespan:
description: |-
AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan
issued on an authorization_code grant.
pattern: '[0-9]+(ns|us|ms|s|m|h)'
type: string
authorization_code_grant_id_token_lifespan:
description: |-
AuthorizationCodeGrantIdTokenLifespan is the id token lifespan
issued on an authorization_code grant.
pattern: '[0-9]+(ns|us|ms|s|m|h)'
type: string
authorization_code_grant_refresh_token_lifespan:
description: |-
AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan
issued on an authorization_code grant.
pattern: '[0-9]+(ns|us|ms|s|m|h)'
type: string
client_credentials_grant_access_token_lifespan:
description: |-
AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan
issued on a client_credentials grant.
pattern: '[0-9]+(ns|us|ms|s|m|h)'
type: string
implicit_grant_access_token_lifespan:
description: |-
ImplicitGrantAccessTokenLifespan is the access token lifespan
issued on an implicit grant.
pattern: '[0-9]+(ns|us|ms|s|m|h)'
type: string
implicit_grant_id_token_lifespan:
description: |-
ImplicitGrantIdTokenLifespan is the id token lifespan
issued on an implicit grant.
pattern: '[0-9]+(ns|us|ms|s|m|h)'
type: string
jwt_bearer_grant_access_token_lifespan:
description: |-
JwtBearerGrantAccessTokenLifespan is the access token lifespan
issued on a jwt_bearer grant.
pattern: '[0-9]+(ns|us|ms|s|m|h)'
type: string
refresh_token_grant_access_token_lifespan:
description: |-
RefreshTokenGrantAccessTokenLifespan is the access token lifespan
issued on a refresh_token grant.
pattern: '[0-9]+(ns|us|ms|s|m|h)'
type: string
refresh_token_grant_id_token_lifespan:
description: |-
RefreshTokenGrantIdTokenLifespan is the id token lifespan
issued on a refresh_token grant.
pattern: '[0-9]+(ns|us|ms|s|m|h)'
type: string
refresh_token_grant_refresh_token_lifespan:
description: |-
RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan
issued on a refresh_token grant.
pattern: '[0-9]+(ns|us|ms|s|m|h)'
type: string
type: object
userInfoSignedResponseAlg:
description: UserInfoSignedResponseAlg value specifying the JWS alg
algorithm for signing UserInfo Responses
type: string
required:
- grantTypes
- secretName
type: object
status:
description: OAuth2ClientStatus defines the observed state of OAuth2Client
properties:
conditions:
items:
description: OAuth2ClientCondition contains condition information
for an OAuth2Client
properties:
endpoint:
description: |-
Endpoint is the endpoint for the hydra instance on which
to set up the client. This value will override the value
provided to `--endpoint` (defaults to `"/clients"` in the
application)
pattern: (^$|^/.*)
status:
enum:
- "True"
- "False"
- Unknown
type: string
forwardedProto:
description: |-
ForwardedProto overrides the `--forwarded-proto` flag. The
value "off" will force this to be off even if
`--forwarded-proto` is specified
pattern: (^$|https?|off)
type: string
port:
description: |-
Port is the port for the hydra instance on
which to set up the client. This value will override the value
provided to `--hydra-port`
maximum: 65535
type: integer
url:
description: |-
URL is the URL for the hydra instance on
which to set up the client. This value will override the value
provided to `--hydra-url`
maxLength: 64
pattern: (^$|^https?://.*)
type:
type: string
required:
- status
- type
type: object
jwksUri:
type: array
observedGeneration:
description: ObservedGeneration represents the most recent generation
observed by the daemon set controller.
format: int64
type: integer
reconciliationError:
description: ReconciliationError represents an error that occurred
during the reconciliation process
properties:
description:
JwksUri Define the URL where the JSON Web Key Set should be
fetched from when performing the private_key_jwt client
authentication method.
pattern: (^$|^https?://.*)
type: string
metadata:
description: Metadata is arbitrary data
nullable: true
type: object
x-kubernetes-preserve-unknown-fields: true
postLogoutRedirectUris:
description:
PostLogoutRedirectURIs is an array of the post logout
redirect URIs allowed for the application
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
description: Description is the description of the reconciliation
error
type: string
type: array
redirectUris:
description:
RedirectURIs is an array of the redirect URIs allowed for
the application
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
statusCode:
description: Code is the status code of the reconciliation error
type: string
type: array
responseTypes:
description: |-
ResponseTypes is an array of the OAuth 2.0 response type strings that the client can
use at the authorization endpoint.
items:
description:
ResponseType represents an OAuth 2.0 response type strings
enum:
- id_token
- code
- token
- code token
- code id_token
- id_token token
- code id_token token
type: string
maxItems: 3
minItems: 1
type: array
scope:
description: |-
Scope is a string containing a space-separated list of scope values (as
described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
can use when requesting access tokens.
Use scopeArray instead.
pattern: ([a-zA-Z0-9\.\*]+\s?)*
type: string
scopeArray:
description: |-
Scope is an array of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
that the client can use when requesting access tokens.
items:
type: string
type: array
secretName:
description:
SecretName points to the K8s secret that contains this
client's ID and password
maxLength: 253
minLength: 1
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
type: string
skipConsent:
default: false
description:
SkipConsent skips the consent screen for this client.
type: boolean
tokenEndpointAuthMethod:
allOf:
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
description:
Indication which authentication method should be used for
the token endpoint
type: string
tokenLifespans:
description: |-
TokenLifespans is the configuration to use for managing different token lifespans
depending on the used grant type.
properties:
authorization_code_grant_access_token_lifespan:
description: |-
AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan
issued on an authorization_code grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
authorization_code_grant_id_token_lifespan:
description: |-
AuthorizationCodeGrantIdTokenLifespan is the id token lifespan
issued on an authorization_code grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
authorization_code_grant_refresh_token_lifespan:
description: |-
AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan
issued on an authorization_code grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
client_credentials_grant_access_token_lifespan:
description: |-
AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan
issued on a client_credentials grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
implicit_grant_access_token_lifespan:
description: |-
ImplicitGrantAccessTokenLifespan is the access token lifespan
issued on an implicit grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
implicit_grant_id_token_lifespan:
description: |-
ImplicitGrantIdTokenLifespan is the id token lifespan
issued on an implicit grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
jwt_bearer_grant_access_token_lifespan:
description: |-
JwtBearerGrantAccessTokenLifespan is the access token lifespan
issued on a jwt_bearer grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
refresh_token_grant_access_token_lifespan:
description: |-
RefreshTokenGrantAccessTokenLifespan is the access token lifespan
issued on a refresh_token grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
refresh_token_grant_id_token_lifespan:
description: |-
RefreshTokenGrantIdTokenLifespan is the id token lifespan
issued on a refresh_token grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
refresh_token_grant_refresh_token_lifespan:
description: |-
RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan
issued on a refresh_token grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
type: object
required:
- grantTypes
- secretName
type: object
status:
description:
OAuth2ClientStatus defines the observed state of OAuth2Client
properties:
conditions:
items:
description:
OAuth2ClientCondition contains condition information for
an OAuth2Client
properties:
status:
enum:
- "True"
- "False"
- Unknown
type: string
type:
type: string
required:
- status
- type
type: object
type: array
observedGeneration:
description:
ObservedGeneration represents the most recent generation
observed by the daemon set controller.
format: int64
type: integer
reconciliationError:
description:
ReconciliationError represents an error that occurred during
the reconciliation process
properties:
description:
description:
Description is the description of the reconciliation
error
type: string
statusCode:
description:
Code is the status code of the reconciliation error
type: string
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}

2
config/default/manager_image_patch.yaml
View File

@ -8,6 +8,6 @@ spec:
spec:
containers:
# Change the value of image field below to your controller image URL
- image: controller:latest
- image: reg.cadoles.com/wpetit/hydra-maester
name: manager
imagePullPolicy: IfNotPresent

64
config/rbac/role.yaml
View File

@ -4,35 +4,35 @@ kind: ClusterRole
metadata:
name: manager-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- hydra.ory.sh
resources:
- oauth2clients
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- hydra.ory.sh
resources:
- oauth2clients/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- hydra.ory.sh
resources:
- oauth2clients
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- hydra.ory.sh
resources:
- oauth2clients/status
verbs:
- get
- patch
- update

2
hydra/types.go
View File

@ -44,6 +44,7 @@ type OAuth2ClientJSON struct {
RefreshTokenGrantAccessTokenLifespan string `json:"refresh_token_grant_access_token_lifespan,omitempty"`
RefreshTokenGrantIdTokenLifespan string `json:"refresh_token_grant_id_token_lifespan,omitempty"`
RefreshTokenGrantRefreshTokenLifespan string `json:"refresh_token_grant_refresh_token_lifespan,omitempty"`
UserInfoSignedResponseAlg string `json:"userinfo_signed_response_alg,omitempty"`
}
// Oauth2ClientCredentials represents client ID and password fetched from a
@ -104,6 +105,7 @@ func FromOAuth2Client(c *hydrav1alpha1.OAuth2Client) (*OAuth2ClientJSON, error)
RefreshTokenGrantAccessTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantAccessTokenLifespan,
RefreshTokenGrantIdTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantIdTokenLifespan,
RefreshTokenGrantRefreshTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantRefreshTokenLifespan,
UserInfoSignedResponseAlg: c.Spec.UserInfoSignedResponseAlg,
}, nil
}