oidcsecurity

package

Constants

// Names of the Kubernetes objects the Client controller depends on.
// NOTE(review): three of the Secrets below hold credentials or a CA private key and are
// presumably read through AuthenticationConfig.ApplySecret — confirm at the call sites; RBAC
// on those Secrets should be limited to the namespace that holds them.
const (
	// PlatformAuthIDPConfigMapName is the name of the ConfigMap containing settings used for Client management
	PlatformAuthIDPConfigMapName string = "platform-auth-idp"
	// PlatformAuthIDPCredentialsSecretName is the name of the Secret containing default credentials
	PlatformAuthIDPCredentialsSecretName string = "platform-auth-idp-credentials"
	// PlatformOIDCCredentialsSecretName is the name of the Secret containing the OP admin oauthadmin's password
	PlatformOIDCCredentialsSecretName string = "platform-oidc-credentials"
	// CSCACertificateSecretName is the name of the Secret created by the installer in the shared services namespace
	// that contains the Common Services CA certificate and private key details
	CSCACertificateSecretName string = "cs-ca-certificate-secret"
	// CP3FinalizerName is the name of the finalizer added to Clients by the Client controller in IM v4.x
	CP3FinalizerName string = "client.oidc.security.ibm.com"
	// CP2FinalizerName is the name of the finalizer added to Clients by the OIDC Client Watcher in IAM v3.x
	// NOTE(review): the "fynalyzer" spelling is the literal legacy value; it must stay byte-for-byte,
	// since finalizers already written by IAM v3.x are presumably matched against it — do not "correct" it.
	CP2FinalizerName  string = "fynalyzer.client.oidc.security.ibm.com"
	// AdministratorRole is the name of the Administrator role.
	AdministratorRole string = "Administrator"
)
// Human-readable messages and machine-readable reasons describing Client reconciliation outcomes.
// NOTE(review): presumably recorded as (Reason, Message) pairs through ClientReconciler.Recorder —
// confirm at the call sites. Only MessageUnknown and ReasonUnknown are explicitly typed as string;
// the others are untyped string constants (assignable to any string-kinded type), an inconsistency
// worth normalising in one direction.
const (
	MessageCreateClientSuccessful             = "OIDC client registration create successful"
	MessageUpdateClientSuccessful             = "OIDC client registration update successful"
	MessageClientSuccessful                   = "OIDC client registration successful"
	MessageCreateClientFailed                 = "OIDC client registration create failed"
	MessageCreateZenRegistrationFailed        = "Registration of the Zen Instance failed"
	MessageUnknown                     string = "Unexpected error occurred while processing the request"

	ReasonCreateClientSuccessful             = "CreateClientSuccessful"
	ReasonCreateClientFailed                 = "CreateClientFailed"
	ReasonUpdateClientSuccessful             = "UpdateClientSuccessful"
	ReasonUpdateClientFailed                 = "UpdateClientFailed"
	ReasonGetClientFailed                    = "GetClientFailed"
	ReasonDeleteClientFailed                 = "DeleteClientFailed"
	ReasonCreateZenRegistrationFailed        = "CreateZenRegistrationFailed"
	ReasonUnknown                     string = "Unknown"
)
// OptimisticLockErrorMsg is the message text of a Kubernetes optimistic-concurrency conflict
// (a write submitted with a stale resourceVersion).
// NOTE(review): this is only useful for matching error text, which is brittle across API server
// versions; where the original error is available, apierrors.IsConflict(err) is the robust check.
const OptimisticLockErrorMsg = "the object has been modified; please apply your changes to the latest version and try again"

Variables

// ConfigNotSetError is the sentinel error for an AuthenticationConfig that has not been populated
// (presumably what GetConfig and the Get* accessors return in that state — confirm).
// NOTE(review): Go convention names sentinel errors ErrXxx and builds constant ones with errors.New;
// the name is exported, so renaming would be an API change. Callers should compare with errors.Is.
var ConfigNotSetError error = fmt.Errorf("config is not set")

Functions

func GetConfig

func GetConfig(ctx context.Context, k8sClient *client.Client, config *AuthenticationConfig) (err error)

func IsHTTPError

func IsHTTPError(err error) bool

IsHTTPError returns whether the error is the result of an HTTP connection that has failed in some way

func IsOIDCError

func IsOIDCError(err error) bool

IsOIDCError returns whether the error is related to an attempt to register an OIDC Client or to an existing OIDC Client

func IsZenError

func IsZenError(err error) bool

IsZenError returns whether the error relates to a failure received when interacting with Zen

func NewCP2ServiceURLFormatError

func NewCP2ServiceURLFormatError() (err error)

func NewConfigValueNotFoundError

func NewConfigValueNotFoundError(key string) (err error)

func NewInvalidResourceError

func NewInvalidResourceError(kind, name, namespace, reason string) (err error)

Types

type AuthenticationConfig

// AuthenticationConfig is a key → raw-bytes map of Authentication settings gathered from ConfigMaps
// and Secrets (see ApplyConfigMap / ApplySecret). Because it carries credentials — the default admin
// password, the oauthadmin password and the CS CA TLS key are all read from it — treat the whole map
// as sensitive: never log or dump it wholesale, and prefer the typed Get* accessors.
type AuthenticationConfig map[string][]byte

AuthenticationConfig collects relevant Authentication configuration from Secrets and ConfigMaps and provides that information through a single interface

func (AuthenticationConfig) ApplyAuthenticationNamespace

func (c AuthenticationConfig) ApplyAuthenticationNamespace(namespace string)

func (AuthenticationConfig) ApplyConfigMap

func (c AuthenticationConfig) ApplyConfigMap(configMap *corev1.ConfigMap, keysList ...string) (err error)

ApplyConfigMap takes the key value pairs found in a ConfigMap's Data field and sets the same keys and values in the AuthenticationConfig. Produces an error if the ConfigMap had an empty Data field.

func (AuthenticationConfig) ApplySecret

func (c AuthenticationConfig) ApplySecret(secret *corev1.Secret, keysList ...string) (err error)

ApplySecret takes the key value pairs found in a Secret's Data field and sets the same keys and values in the AuthenticationConfig after converting the values into strings from []byte. Produces an error if the Secret had an empty Data field.

func (AuthenticationConfig) GetAuthServiceURL

func (c AuthenticationConfig) GetAuthServiceURL() (value string, err error)

GetAuthServiceURL gets the IAM Auth Service URL from the ClientReconciler's AuthenticationConfig. Produces an error if the AuthenticationConfig is empty or if the key is not present.

func (AuthenticationConfig) GetAuthenticationNamespace

func (c AuthenticationConfig) GetAuthenticationNamespace() (value string, err error)

GetAuthenticationNamespace gets the namespace in which the Authentication CR (and, in turn, the rest of the shared services) is installed.

func (AuthenticationConfig) GetCSCATLSKey

func (c AuthenticationConfig) GetCSCATLSKey() (value []byte, err error)

func (AuthenticationConfig) GetDefaultAdminPassword

func (c AuthenticationConfig) GetDefaultAdminPassword() (value string, err error)

GetDefaultAdminPassword gets the default admin password for the IAM API from the ClientReconciler's AuthenticationConfig. Produces an error if the AuthenticationConfig is empty or if the key is not present.

func (AuthenticationConfig) GetDefaultAdminUser

func (c AuthenticationConfig) GetDefaultAdminUser() (value string, err error)

GetDefaultAdminUser gets the default admin user for the IAM API from the ClientReconciler's AuthenticationConfig. Produces an error if the AuthenticationConfig is empty or if the key is not present.

func (AuthenticationConfig) GetIdentityManagementURL

func (c AuthenticationConfig) GetIdentityManagementURL() (value string, err error)

GetIdentityManagementURL gets the Identity Management URL from the ClientReconciler's AuthenticationConfig. Produces an error if the AuthenticationConfig is empty or if the key is not present.

func (AuthenticationConfig) GetIdentityProviderURL

func (c AuthenticationConfig) GetIdentityProviderURL() (value string, err error)

GetIdentityProviderURL gets the Identity Provider URL from the ClientReconciler's AuthenticationConfig. Produces an error if the AuthenticationConfig is empty or if the key is not present.

func (AuthenticationConfig) GetOAuthAdminPassword

func (c AuthenticationConfig) GetOAuthAdminPassword() (value string, err error)

GetOAuthAdminPassword gets the password for the OAuth Provider oauthadmin account from the ClientReconciler's AuthenticationConfig. Produces an error if the AuthenticationConfig is empty or if the key is not present.

func (AuthenticationConfig) GetROKSEnabled

func (c AuthenticationConfig) GetROKSEnabled() (value bool, err error)

GetROKSEnabled reads from the AuthenticationConfig whether the controller is enabled, via legacy configuration, to use OpenShift OAuthClients for OIDC Client authentication; when enabled, the controller creates and manages OAuthClient objects whose names match the OIDC Client's clientId field. Produces an error if the AuthenticationConfig is empty or if the key is not present.

func (AuthenticationConfig) IsConfigured

func (c AuthenticationConfig) IsConfigured() bool

IsConfigured returns whether all mandatory config fields are set.

type CP2ServiceURLFormatError

// CP2ServiceURLFormatError is the error type for a CP2 service URL that is not in the expected
// format; it carries no fields, so its Error() text is fixed. Presumably the concrete value behind
// NewCP2ServiceURLFormatError — confirm, and match it with errors.As.
type CP2ServiceURLFormatError struct{}

func (*CP2ServiceURLFormatError) Error

func (e *CP2ServiceURLFormatError) Error() string

type ClientCredentials

// ClientCredentials holds an OIDC Client's identifier and secret, serialised under the
// CLIENT_ID / CLIENT_SECRET JSON keys. ClientSecret is a credential: keep it out of logs,
// events and error messages.
type ClientCredentials struct {
	ClientID     string `json:"CLIENT_ID"`
	ClientSecret string `json:"CLIENT_SECRET"`
}

type ClientReconciler

// ClientReconciler reconciles Client objects. It embeds the controller-runtime client it uses to
// read and write cluster objects, and is wired into a manager by SetupWithManager.
type ClientReconciler struct {
	runtimeClient.Client
	Scheme   *runtime.Scheme      // runtime scheme shared with the manager
	Recorder record.EventRecorder // emits Kubernetes events for reconciliation outcomes
}

ClientReconciler reconciles a Client object

func (*ClientReconciler) GetClientCreds

func (r *ClientReconciler) GetClientCreds(ctx context.Context, client *oidcsecurityv1.Client) (clientCreds *ClientCredentials, err error)

GetClientCreds uses information from a Client to obtain the Client's credentials from the cluster. The Client must at a minimum have its ClientId, Secret, and namespace set.

func (*ClientReconciler) Reconcile

func (r *ClientReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, err error)

Reconcile is part of the main kubernetes reconciliation loop which aims to move the current state of the cluster closer to the desired state.

func (*ClientReconciler) SetupWithManager

func (r *ClientReconciler) SetupWithManager(mgr ctrl.Manager) error

SetupWithManager sets up the controller with the Manager.

type ConfigValueNotFoundError

// ConfigValueNotFoundError reports an AuthenticationConfig lookup for a key that is absent.
// Constructed by NewConfigValueNotFoundError; match it with errors.As.
type ConfigValueNotFoundError struct {
	Key string // the AuthenticationConfig key that was not found
}

ConfigValueNotFoundError is returned when a specific key is not available in the AuthenticationConfig

func (*ConfigValueNotFoundError) Error

func (e *ConfigValueNotFoundError) Error() string

type InvalidResourceError

// InvalidResourceError identifies a Kubernetes resource (by Kind, Name and Namespace) that was
// found to be invalid, with Reason stating why. Constructed by NewInvalidResourceError; match it
// with errors.As rather than by comparing Error() text.
type InvalidResourceError struct {
	Kind      string
	Name      string
	Namespace string
	Reason    string
}

func (*InvalidResourceError) Error

func (e *InvalidResourceError) Error() string

type OIDCClientRegistrationError

// OIDCClientRegistrationError is an error for any issue that occurs while interacting with OIDC
// Client registrations. The client ID, request method and *http.Response are exposed through the
// ClientID, RequestMethod and Response accessors.
type OIDCClientRegistrationError struct {
	// Description is filled from the response body's error_description field by
	// NewOIDCClientRegistrationError; it is whatever text the OP returned.
	Description string `json:"error_description"`
	// contains filtered or unexported fields
}

OIDCClientRegistrationError is an error for any issue that occurs while interacting with OIDC Client registrations.

func NewOIDCClientRegistrationError

func NewOIDCClientRegistrationError(clientID, requestMethod, origErrMsg string, response *http.Response) (oidcErr *OIDCClientRegistrationError)

NewOIDCClientRegistrationError produces a new OIDCClientRegistrationError by attempting to unmarshal the response body JSON into the OIDCClientRegistrationError's Description field.

func (*OIDCClientRegistrationError) ClientID

func (e *OIDCClientRegistrationError) ClientID() string

func (*OIDCClientRegistrationError) Error

func (*OIDCClientRegistrationError) RequestMethod

func (e *OIDCClientRegistrationError) RequestMethod() string

func (*OIDCClientRegistrationError) Response

func (e *OIDCClientRegistrationError) Response() *http.Response

type OidcClientResponse

// OidcClientResponse is the JSON body the OP returns for an OIDC Client registration. The core
// field names (client_id, client_secret, client_id_issued_at, client_secret_expires_at,
// registration_client_uri, redirect_uris, grant_types, response_types, ...) follow OIDC Dynamic
// Client Registration; the remainder (trusted_uri_prefixes, appPasswordAllowed, appTokenAllowed,
// allow_regexp_redirects, ...) are OP-specific extensions. ClientSecret is a credential — keep it
// out of logs and events.
type OidcClientResponse struct {
	ClientIDIssuedAt        int      `json:"client_id_issued_at"`     // presumably Unix seconds — confirm against the OP
	RegistrationClientURI   string   `json:"registration_client_uri"`
	ClientSecretExpiresAt   int      `json:"client_secret_expires_at"` // presumably Unix seconds, 0 = never — confirm
	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method"`
	Scope                   string   `json:"scope"`
	GrantTypes              []string `json:"grant_types"`
	ResponseTypes           []string `json:"response_types"`
	ApplicationType         string   `json:"application_type"`
	SubjectType             string   `json:"subject_type"`
	PostLogoutRedirectUris  []string `json:"post_logout_redirect_uris"`
	PreauthorizedScope      string   `json:"preauthorized_scope"`
	IntrospectTokens        bool     `json:"introspect_tokens"`
	TrustedURIPrefixes      []string `json:"trusted_uri_prefixes"`
	ResourceIds             []string `json:"resource_ids"`
	FunctionalUserGroupIds  []string `json:"functional_user_groupIds"`
	FunctionalUserID        string   `json:"functional_user_id"`
	AppPasswordAllowed      bool     `json:"appPasswordAllowed"`
	AppTokenAllowed         bool     `json:"appTokenAllowed"`
	ClientID                string   `json:"client_id"`
	ClientSecret            string   `json:"client_secret"`
	ClientName              string   `json:"client_name"`
	RedirectUris            []string `json:"redirect_uris"`
	// NOTE(review): if the OP honours this as the name suggests, regex-matched redirect URIs relax
	// exact redirect_uri matching; confirm how RedirectUris values are validated before it is enabled.
	AllowRegexpRedirects    bool     `json:"allow_regexp_redirects"`
}

type TokenInfo

// TokenInfo is the JSON body of an OAuth 2.0 / OIDC token endpoint response. AccessToken,
// RefreshToken and IdToken are bearer credentials: keep them out of logs, events and errors.
type TokenInfo struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"` // lifetime of the access token; seconds per RFC 6749 — confirm the OP follows it
	Scope        string `json:"scope"`
	RefreshToken string `json:"refresh_token"`
	IdToken      string `json:"id_token"`
}

type ZenClientRegistrationError

// ZenClientRegistrationError is an error for any issue that occurs while interacting with a Zen
// instance. The client ID, request method, Zen instance ID and *http.Response are exposed through
// the ClientID, RequestMethod, ZenInstanceId and Response accessors.
type ZenClientRegistrationError struct {
	// Description is filled from the Zen response body by NewZenClientRegistrationError.
	// NOTE(review): unlike OIDCClientRegistrationError.Description this field has no json tag, so
	// encoding/json matches the key "Description" case-insensitively — confirm that is the key the
	// Zen response actually uses, otherwise the field stays empty.
	Description string
	// contains filtered or unexported fields
}

ZenClientRegistrationError is an error for any issue that occurs while interacting with a Zen instance.

func NewZenClientRegistrationError

func NewZenClientRegistrationError(clientID, requestMethod, zenInstanceId, origErrMsg string, response *http.Response) (zenErr *ZenClientRegistrationError)

NewZenClientRegistrationError produces a new ZenClientRegistrationError by attempting to unmarshal the response body JSON into the ZenClientRegistrationError's Description field.

func (*ZenClientRegistrationError) ClientID

func (e *ZenClientRegistrationError) ClientID() string

func (*ZenClientRegistrationError) Error

func (*ZenClientRegistrationError) RequestMethod

func (e *ZenClientRegistrationError) RequestMethod() string

func (*ZenClientRegistrationError) Response

func (e *ZenClientRegistrationError) Response() *http.Response

func (*ZenClientRegistrationError) ZenInstanceId

func (e *ZenClientRegistrationError) ZenInstanceId() string

type ZenInstance

// ZenInstance is the JSON model of a Zen instance as sent to and returned by the Zen registration
// endpoint (POST and GET). ClientID is presumably the OIDC Client's clientId the instance is
// registered under — confirm at the call sites.
type ZenInstance struct {
	ClientID       string `json:"clientId"`
	InstanceId     string `json:"instanceId"`
	ProductNameUrl string `json:"productNameUrl"`
	Namespace      string `json:"namespace"`
	ZenAuditUrl    string `json:"zenAuditUrl"`
}

ZenInstance represents the Zen instance model (the response body of POST and GET requests).
