Package serviceprovider
v0.7.3
Warning: This package is not in the latest version of its module.
Published: Aug 29, 2022 License: Apache-2.0 Imports: 19 Imported by: 1

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func AuthenticatingHttpClient added in v0.4.1

func AuthenticatingHttpClient(cl *http.Client) *http.Client

func GetAllScopes

func GetAllScopes(convertToScopes func(permission api.Permission) []string, perms *api.Permissions) []string

GetAllScopes is a helper method to translate all the provided permissions into a list of service-provider-specific scopes.

func GetHostWithScheme added in v0.3.0

func GetHostWithScheme(repoUrl string) (string, error)

GetHostWithScheme is a helper function to extract the scheme and host portion of the provided URL.

func RepoHostFromSchemelessUrl added in v0.6.5

func RepoHostFromSchemelessUrl(repoUrl string) (string, error)

func RepoHostFromUrl added in v0.5.5

func RepoHostFromUrl(repoUrl string) (string, error)
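The three URL helpers above exist because Go's net/url treats a scheme-less string such as github.com/org/repo as a bare path with an empty host, and the host is what tokens are later matched against. The following is an added example, not the package's own code, showing that pitfall and one way to normalise the input before extracting the host; the function names and the "assume https" rule are my own choices.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// hostWithScheme returns "scheme://host" of a URL that carries a scheme.
// A scheme-less input is rejected rather than silently parsed as a path,
// which is what url.Parse does with "github.com/org/repo" (Host == "").
func hostWithScheme(repoUrl string) (string, error) {
	u, err := url.Parse(repoUrl)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", errors.New("repository URL must include a scheme and a host: " + repoUrl)
	}
	return u.Scheme + "://" + u.Host, nil
}

// repoHost returns only the host of a URL that may or may not carry a scheme.
// "github.com/org/repo" is accepted by assuming https (an assumption of this
// example); an input that still has no host after that is an error, never "".
func repoHost(repoUrl string) (string, error) {
	if !strings.Contains(repoUrl, "://") {
		repoUrl = "https://" + repoUrl
	}
	u, err := url.Parse(repoUrl)
	if err != nil {
		return "", err
	}
	if u.Host == "" {
		return "", errors.New("no host in repository URL: " + repoUrl)
	}
	return u.Host, nil
}

func main() {
	// Constructed sample inputs: with scheme, without scheme, and a bare path.
	for _, in := range []string{"https://github.com/org/repo", "github.com/org/repo", "/org/repo"} {
		h, err := repoHost(in)
		fmt.Printf("%-30s host=%q err=%v\n", in, h, err)
	}
}
```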

Types

type AccessTokenMapper added in v0.5.5

type AccessTokenMapper struct {
	Name                    string   `json:"name"`
	Token                   string   `json:"token"`
	ServiceProviderUrl      string   `json:"serviceProviderUrl"`
	ServiceProviderUserName string   `json:"serviceProviderUserName"`
	ServiceProviderUserId   string   `json:"serviceProviderUserId"`
	UserId                  string   `json:"userId"`
	ExpiredAfter            *uint64  `json:"expiredAfter"`
	Scopes                  []string `json:"scopes"`
}

AccessTokenMapper is a helper to convert a token (together with its metadata) into maps suitable for storing in secrets according to the secret type.

func DefaultMapToken added in v0.5.5

func DefaultMapToken(tokenObject *api.SPIAccessToken, tokenData *api.Token) AccessTokenMapper

func (AccessTokenMapper) FillByMapping added in v0.5.5

func (at AccessTokenMapper) FillByMapping(mapping *api.TokenFieldMapping, existingMap map[string]string)

FillByMapping sets the data from the mapper into the provided map according to the settings specified in the provided mapping.

func (AccessTokenMapper) ToSecretType added in v0.5.5

func (at AccessTokenMapper) ToSecretType(secretType corev1.SecretType) map[string]string

ToSecretType converts the data in the mapper to a map with fields corresponding to the provided secret type.

type Constructor added in v0.2.1

type Constructor interface {
	// Construct creates a new instance of service provider
	Construct(factory *Factory, baseUrl string) (ServiceProvider, error)
}

Constructor is able to produce a new service provider instance using data from the provided Factory and the base URL of the service provider.

type ConstructorFunc added in v0.2.1

type ConstructorFunc func(factory *Factory, baseUrl string) (ServiceProvider, error)

ConstructorFunc converts a compatible function into the Constructor interface.

func (ConstructorFunc) Construct added in v0.2.1

func (c ConstructorFunc) Construct(factory *Factory, baseUrl string) (ServiceProvider, error)

type Factory

type Factory struct {
	Configuration    opconfig.OperatorConfiguration
	KubernetesClient client.Client
	HttpClient       *http.Client
	Initializers     map[config.ServiceProviderType]Initializer
	TokenStorage     tokenstorage.TokenStorage
}

Factory is able to construct service providers from repository URLs.

func (*Factory) FromRepoUrl

func (f *Factory) FromRepoUrl(ctx context.Context, repoUrl string) (ServiceProvider, error)

FromRepoUrl returns the service provider instance able to talk to the repository on the provided URL.

type GenericLookup added in v0.3.0

type GenericLookup struct {
	// ServiceProviderType is just the type of the provider we're dealing with. It is used to limit the number of
	// results the filter function needs to sift through.
	ServiceProviderType api.ServiceProviderType
	// TokenFilter is the filter function that decides whether a token matches the requirements of a binding, given
	// the token's service-provider-specific state
	TokenFilter TokenFilter
	// MetadataProvider is used to figure out metadata of a token in the service provider useful for token lookup
	MetadataProvider MetadataProvider
	// MetadataCache is an abstraction used for storing/fetching the metadata of tokens
	MetadataCache *MetadataCache
	// RepoHostParser is a function that extracts the host from the repoUrl
	RepoHostParser RepoHostParser
}

GenericLookup implements a token lookup in a generic way: users only need to provide a function that supplies a service-provider-specific "state" of the token and a "filter" function that uses the token and its state to match it against a binding.

func (GenericLookup) Lookup added in v0.3.0

func (l GenericLookup) Lookup(ctx context.Context, cl client.Client, matchable Matchable) ([]api.SPIAccessToken, error)

func (GenericLookup) PersistMetadata added in v0.3.0

func (l GenericLookup) PersistMetadata(ctx context.Context, token *api.SPIAccessToken) error

type Initializer added in v0.2.1

type Initializer struct {
	Probe       Probe
	Constructor Constructor
}

Initializer is a struct that contains all the data necessary to initialize a service provider instance from a URL using a Factory.

type Matchable added in v0.5.1

type Matchable interface {
	Validated
	RepoUrl() string
	ObjNamespace() string
}

type MetadataCache added in v0.3.0

type MetadataCache struct {
	// contains filtered or unexported fields
}

MetadataCache acts like a cache of metadata of tokens. On top of just CRUDing the token metadata, this struct handles the refreshes of the data when it is determined stale.

func NewMetadataCache added in v0.3.0

func NewMetadataCache(client client.Client, expirationPolicy MetadataExpirationPolicy) MetadataCache

NewMetadataCache creates a new cache instance with the provided configuration.

func (*MetadataCache) Ensure added in v0.3.0

Ensure makes sure that the metadata of the token is either still valid or has been refreshed using the MetadataProvider. This method calls Persist if needed.

func (*MetadataCache) Persist added in v0.3.0

func (c *MetadataCache) Persist(ctx context.Context, token *api.SPIAccessToken) error

Persist assigns the last refresh time of the token metadata and updates the token

type MetadataExpirationPolicy added in v0.5.5

type MetadataExpirationPolicy interface {
	// IsExpired returns true if the metadata of the supplied token should be refreshed, false otherwise.
	// The implementation can assume that `token.Status.TokenMetadata` is not nil.
	IsExpired(token *api.SPIAccessToken) bool
}

MetadataExpirationPolicy is responsible for the decision whether the metadata of a token should be refreshed or whether it is still considered valid.

type MetadataExpirationPolicyFunc added in v0.5.5

type MetadataExpirationPolicyFunc func(token *api.SPIAccessToken) bool

MetadataExpirationPolicyFunc is an adaptor that makes a function an implementation of the MetadataExpirationPolicy interface.

func (MetadataExpirationPolicyFunc) IsExpired added in v0.5.5

type MetadataProvider added in v0.3.0

type MetadataProvider interface {
	// Fetch tries to fetch the token metadata and assign it in the token. Note that the metadata of the token may or
	// may not be nil and this method shouldn't change it unless there is data to assign.
	// Implementors should make sure to return some errors.ServiceProviderError if the failure to fetch the metadata is
	// caused by the token or service provider itself and not other environmental reasons
	Fetch(ctx context.Context, token *api.SPIAccessToken) (*api.TokenMetadata, error)
}

MetadataProvider fills in the metadata in the token's status with service-provider-specific information used for token matching.

type MetadataProviderFunc added in v0.3.0

type MetadataProviderFunc func(ctx context.Context, token *api.SPIAccessToken) (*api.TokenMetadata, error)

func (MetadataProviderFunc) Fetch added in v0.3.0

type NeverMetadataExpirationPolicy added in v0.5.5

type NeverMetadataExpirationPolicy struct{}

NeverMetadataExpirationPolicy is a MetadataExpirationPolicy that makes the metadata never expire.

func (NeverMetadataExpirationPolicy) IsExpired added in v0.5.5

type Probe added in v0.2.1

type Probe interface {
	// Examine returns the base url of the service provider, if the provided URL can be handled by that provider or
	// an empty string if it cannot. The provided http client can be used to perform requests against the URL if needed.
	Examine(cl *http.Client, url string) (string, error)
}

Probe is a simple function that can determine whether a URL can be handled by a certain service provider.

type ProbeFunc added in v0.2.1

type ProbeFunc func(*http.Client, string) (string, error)

ProbeFunc provides the Probe implementation for compatible functions.

func (ProbeFunc) Examine added in v0.2.1

func (p ProbeFunc) Examine(cl *http.Client, url string) (string, error)

type RepoHostParser added in v0.5.5

type RepoHostParser func(url string) (string, error)

type ServiceProvider

type ServiceProvider interface {
	// LookupToken tries to match an SPIAccessToken object with the requirements expressed in the provided binding.
	// This usually searches kubernetes (using the provided client) and the service provider itself (using some specific
	// mechanism (usually an http client)).
	LookupToken(ctx context.Context, cl client.Client, binding *api.SPIAccessTokenBinding) (*api.SPIAccessToken, error)

	// PersistMetadata tries to use the OAuth access token associated with the provided token (if any) and persists any
	// state and metadata required for the token lookup. The metadata must be stored in the Status.TokenMetadata field
	// of the provided token.
	// Implementors should make sure that this method returns InvalidAccessTokenError if the reason for the failure is
	// an invalid token. This is important to distinguish between environmental errors and errors in the data itself.
	PersistMetadata(ctx context.Context, cl client.Client, token *api.SPIAccessToken) error

	// GetBaseUrl returns the base URL of the service provider this instance talks to. This info is saved with the
	// SPIAccessTokens so that later on, the OAuth service can use it to construct the OAuth flow URLs.
	GetBaseUrl() string

	// OAuthScopesFor translates all the permissions into a list of service-provider-specific scopes. This method
	// is used to compose the OAuth flow URL. There is a generic helper, GetAllScopes, that can be used if all that is
	// needed is just a translation of permissions into scopes.
	OAuthScopesFor(permissions *api.Permissions) []string

	// GetType merely returns the type of the service provider this instance talks to.
	GetType() api.ServiceProviderType

	CheckRepositoryAccess(ctx context.Context, cl client.Client, accessCheck *api.SPIAccessCheck) (*api.SPIAccessCheckStatus, error)

	// GetOAuthEndpoint returns the URL of the OAuth initiation. This must point to the SPI oauth service, NOT
	// the service provider itself.
	GetOAuthEndpoint() string

	// MapToken creates an access token mapper for given binding and token using the service-provider specific data.
	// The implementations can use the DefaultMapToken method if they don't use any custom logic.
	MapToken(ctx context.Context, binding *api.SPIAccessTokenBinding, token *api.SPIAccessToken, tokenData *api.Token) (AccessTokenMapper, error)

	// Validate checks that the provided object (token or binding) is valid in this service provider
	Validate(ctx context.Context, validated Validated) (ValidationResult, error)
}

ServiceProvider abstracts the interaction with some service provider.

type TokenFilter added in v0.3.0

type TokenFilter interface {
	Matches(ctx context.Context, matchable Matchable, token *api.SPIAccessToken) (bool, error)
}

TokenFilter is a helper interface to implement the ServiceProvider.LookupToken method using the GenericLookup struct.

var MatchAllTokenFilter TokenFilter = TokenFilterFunc(func(ctx context.Context, binding Matchable, token *api.SPIAccessToken) (bool, error) {
	debugLog := log.FromContext(ctx).V(logs.DebugLevel)
	debugLog.Info("Unconditional token match", "token", token)
	return true, nil
})

MatchAllTokenFilter is a TokenFilter that matches any token.

func NewFilter added in v0.7.3

func NewFilter(policy config.TokenPolicy, exactTokenFilter TokenFilter) TokenFilter

type TokenFilterFunc added in v0.3.0

type TokenFilterFunc func(ctx context.Context, matchable Matchable, token *api.SPIAccessToken) (bool, error)

TokenFilterFunc converts a function into the implementation of the TokenFilter interface.

func (TokenFilterFunc) Matches added in v0.3.0

func (f TokenFilterFunc) Matches(ctx context.Context, matchable Matchable, token *api.SPIAccessToken) (bool, error)

type TtlMetadataExpirationPolicy added in v0.5.5

type TtlMetadataExpirationPolicy struct {
	Ttl time.Duration
}

TtlMetadataExpirationPolicy is a MetadataExpirationPolicy implementation that checks whether the metadata of the token is older than the configured TTL (time to live).

func (TtlMetadataExpirationPolicy) IsExpired added in v0.5.5

func (t TtlMetadataExpirationPolicy) IsExpired(token *api.SPIAccessToken) bool
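To make the refresh cycle of MetadataCache.Ensure and the expiration policies above concrete, here is an added example (my own code, not the package's; the api types are replaced by minimal stand-ins and all names are mine) that wires a TTL policy, the func adaptor and an Ensure-style check together. The two points it demonstrates: the nil check belongs in the cache so policies can assume TokenMetadata is set, and a never-expires policy means the cached username and scopes are never re-checked against the service provider.

```go
package main

import (
	"context"
	"time"
)

// Stand-ins for the api types (assumption): only the fields this example needs.
type tokenMetadata struct {
	Username        string
	LastRefreshTime int64 // unix seconds, assigned by the persist step
}
type accessToken struct {
	Status struct{ TokenMetadata *tokenMetadata }
}

// The policy interface and its func adaptor, shaped like the ones on the page.
type expirationPolicy interface{ IsExpired(*accessToken) bool }
type expirationPolicyFunc func(*accessToken) bool
func (f expirationPolicyFunc) IsExpired(t *accessToken) bool { return f(t) }

// ttlPolicy: metadata older than Ttl is stale. The clock is injected so the
// decision is testable; like the page's policy it assumes TokenMetadata != nil.
type ttlPolicy struct {
	Ttl time.Duration
	now func() time.Time
}

func (p ttlPolicy) IsExpired(t *accessToken) bool {
	age := p.now().Unix() - t.Status.TokenMetadata.LastRefreshTime
	return time.Duration(age)*time.Second > p.Ttl
}

// fetchFunc plays the MetadataProvider role; a nil result means "no data to assign".
type fetchFunc func(context.Context, *accessToken) (*tokenMetadata, error)

// ensure re-fetches the metadata when it is missing or the policy deems it expired,
// then records the refresh time (the persist step). It reports whether it refreshed.
func ensure(ctx context.Context, t *accessToken, pol expirationPolicy, fetch fetchFunc, now func() time.Time) (bool, error) {
	if t.Status.TokenMetadata != nil && !pol.IsExpired(t) {
		return false, nil // still valid: no round trip to the service provider
	}
	md, err := fetch(ctx, t)
	if err != nil || md == nil {
		return false, err // environmental error, or nothing to assign: keep what we had
	}
	md.LastRefreshTime = now().Unix()
	t.Status.TokenMetadata = md
	return true, nil
}
```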

type Validated added in v0.5.5

type Validated interface {
	Permissions() *api.Permissions
}

type ValidationResult added in v0.5.5

type ValidationResult struct {
	// ScopeValidation lists the reasons why the scopes and permissions are invalid
	ScopeValidation []error
}

ValidationResult represents the results of the ServiceProvider.Validate method.
