From 0dec2eee32e8ec951e6688d60647ac80a8b09a6c Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Mon, 6 Jun 2022 10:15:25 -0700 Subject: [PATCH] Add enum validation for scopes and grant types 
Signed-off-by: Margo Crawford --- .../oauth/v1alpha1/types_oidcclient.go.tmpl | 10 ++++++++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ deploy/supervisor/z0_crd_overlay.yaml | 11 ++++++++++- generated/1.17/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ generated/1.18/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ generated/1.19/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ generated/1.20/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ generated/1.21/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ generated/1.22/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ generated/1.23/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- 33 files changed, 192 insertions(+), 49 deletions(-) 
diff --git a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl index b4aaf2759..e905c61a7 100644 --- a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl +++ b/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this @@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed3..589a91543 100644 
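Review bot: The new exported types `GrantType` and `Scope` in the first hunk carry only the kubebuilder marker and no doc comment, so godoc and the generated API reference (the README.adoc rows in this patch now read `GrantType array` and `Scope array`) have no description of what the types mean. I would put one sentence above each marker, for example `// GrantType is an OAuth2 grant_type value that an OIDCClient may be allowed to use.` and `// Scope is an OAuth2 scope value that an OIDCClient may be allowed to request.` The allowed strings also exist only inside the marker. Typed constants for them in this file would let Go callers compare against names instead of retyped literals and keep the enum and the code from drifting apart.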
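Review bot: The enum now attached to `AllowedGrantTypes` and `AllowedScopes` checks each list element in isolation, so the cross-field rule stated in the field comment ("This grant must be listed if allowedScopes lists pinniped:request-audience") and the "must always be listed" rules quoted in the README.adoc hunks are still outside what the schema enforces, as are duplicate entries. Adding `// +listType=set` beside `// +kubebuilder:validation:MinItems=1` on both fields would declare the lists as sets so that repeated values can be rejected by the schema. The pairing rules need an explicit check in whatever consumes the OIDCClient, which this patch does not show, and that consumer should keep treating unrecognised values as invalid rather than relying on admission-time validation alone. The `OIDCClientSpec` struct body starts and ends outside the second and third hunks.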
--- a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/deploy/supervisor/z0_crd_overlay.yaml b/deploy/supervisor/z0_crd_overlay.yaml index 7596975d4..130f780dc 100644 --- a/deploy/supervisor/z0_crd_overlay.yaml +++ b/deploy/supervisor/z0_crd_overlay.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:overlay", "overlay") @@ -40,3 +40,12 @@ metadata: name: #@ pinnipedDevAPIGroupWithPrefix("activedirectoryidentityproviders.idp.supervisor") spec: group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") + +#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcclients.oauth.supervisor.pinniped.dev"}}), expects=1 +--- +metadata: + #@overlay/match missing_ok=True + labels: #@ labels() + name: #@ pinnipedDevAPIGroupWithPrefix("oidcclients.oauth.supervisor") +spec: + group: #@ pinnipedDevAPIGroupWithPrefix("oauth.supervisor") diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 994dc3e8e..06dd963eb 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf2759..e905c61a7 100644 --- a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5b..1aba8aea0 100644 --- a/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed3..589a91543 100644 --- a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index fc6c13110..3cdade3a3 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf2759..e905c61a7 100644 --- a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5b..1aba8aea0 100644 --- a/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed3..589a91543 100644 --- a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index bbfcf79c2..41377c388 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf2759..e905c61a7 100644 --- a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5b..1aba8aea0 100644 --- a/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed3..589a91543 100644 --- a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index eb390ef48..26266ceda 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf2759..e905c61a7 100644 --- a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5b..1aba8aea0 100644 --- a/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed3..589a91543 100644 --- a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 92407effc..d6feec771 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf2759..e905c61a7 100644 --- a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5b..1aba8aea0 100644 --- a/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed3..589a91543 100644 --- a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 6a1281fbd..5d37f8840 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf2759..e905c61a7 100644 --- a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5b..1aba8aea0 100644 --- a/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed3..589a91543 100644 --- a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index 80a89a56e..9f71c4895 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf2759..e905c61a7 100644 --- a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5b..1aba8aea0 100644 --- a/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed3..589a91543 100644 --- a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf2759..e905c61a7 100644 --- a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5b..1aba8aea0 100644 --- a/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return