Documentation
Index
- func AuthenticatingHttpClient(cl *http.Client) *http.Client
- func GetAllScopes(convertToScopes func(permission api.Permission) []string, ...) []string
- func GetHostWithScheme(repoUrl string) (string, error)
- func RepoHostFromSchemelessUrl(repoUrl string) (string, error)
- func RepoHostFromUrl(repoUrl string) (string, error)
- type AccessTokenMapper
- type Constructor
- type ConstructorFunc
- type Factory
- type GenericLookup
- type Initializer
- type Matchable
- type MetadataCache
- type MetadataExpirationPolicy
- type MetadataExpirationPolicyFunc
- type MetadataProvider
- type MetadataProviderFunc
- type NeverMetadataExpirationPolicy
- type Probe
- type ProbeFunc
- type RepoHostParser
- type ServiceProvider
- type TokenFilter
- type TokenFilterFunc
- type TtlMetadataExpirationPolicy
- type Validated
- type ValidationResult
Constants
This section is empty.
Variables
This section is empty.
Functions
func AuthenticatingHttpClient added in v0.4.1
func AuthenticatingHttpClient(cl *http.Client) *http.Client
func GetAllScopes
func GetAllScopes(convertToScopes func(permission api.Permission) []string, perms *api.Permissions) []string
GetAllScopes is a helper method to translate all the provided permissions into a list of service-provider-specific scopes.
func GetHostWithScheme added in v0.3.0
func GetHostWithScheme(repoUrl string) (string, error)
GetHostWithScheme is a helper function to extract the scheme and host portion of the provided URL.
func RepoHostFromSchemelessUrl added in v0.6.5
func RepoHostFromSchemelessUrl(repoUrl string) (string, error)
func RepoHostFromUrl added in v0.5.5
func RepoHostFromUrl(repoUrl string) (string, error)
Types
type AccessTokenMapper added in v0.5.5
type AccessTokenMapper struct {
    Name                    string   `json:"name"`
    Token                   string   `json:"token"`
    ServiceProviderUrl      string   `json:"serviceProviderUrl"`
    ServiceProviderUserName string   `json:"serviceProviderUserName"`
    ServiceProviderUserId   string   `json:"serviceProviderUserId"`
    UserId                  string   `json:"userId"`
    ExpiredAfter            *uint64  `json:"expiredAfter"`
    Scopes                  []string `json:"scopes"`
}
AccessTokenMapper is a helper to convert a token (together with its metadata) into maps suitable for storing in secrets according to the secret type.
func DefaultMapToken added in v0.5.5
func DefaultMapToken(tokenObject *api.SPIAccessToken, tokenData *api.Token) AccessTokenMapper
func (AccessTokenMapper) FillByMapping added in v0.5.5
func (at AccessTokenMapper) FillByMapping(mapping *api.TokenFieldMapping, existingMap map[string]string)
FillByMapping sets the data from the mapper into the provided map according to the settings specified in the provided mapping.
func (AccessTokenMapper) ToSecretType added in v0.5.5
func (at AccessTokenMapper) ToSecretType(secretType corev1.SecretType) map[string]string
ToSecretType converts the data in the mapper to a map with fields corresponding to the provided secret type.
type Constructor added in v0.2.1
type Constructor interface {
    // Construct creates a new instance of service provider
    Construct(factory *Factory, baseUrl string) (ServiceProvider, error)
}
Constructor is able to produce a new service provider instance using data from the provided Factory and the base URL of the service provider.
type ConstructorFunc added in v0.2.1
type ConstructorFunc func(factory *Factory, baseUrl string) (ServiceProvider, error)
ConstructorFunc converts a compatible function into the Constructor interface.
func (ConstructorFunc) Construct added in v0.2.1
func (c ConstructorFunc) Construct(factory *Factory, baseUrl string) (ServiceProvider, error)
type Factory
type Factory struct {
    Configuration    opconfig.OperatorConfiguration
    KubernetesClient client.Client
    HttpClient       *http.Client
    Initializers     map[config.ServiceProviderType]Initializer
    TokenStorage     tokenstorage.TokenStorage
}
Factory is able to construct service providers from repository URLs.
func (*Factory) FromRepoUrl
FromRepoUrl returns the service provider instance able to talk to the repository on the provided URL.
type GenericLookup added in v0.3.0
type GenericLookup struct {
    // ServiceProviderType is just the type of the provider we're dealing with. It is used to limit the number of
    // results the filter function needs to sift through.
    ServiceProviderType api.ServiceProviderType
    // TokenFilter is the filter function that decides whether a token matches the requirements of a binding, given
    // the token's service-provider-specific state
    TokenFilter TokenFilter
    // MetadataProvider is used to figure out metadata of a token in the service provider useful for token lookup
    MetadataProvider MetadataProvider
    // MetadataCache is an abstraction used for storing/fetching the metadata of tokens
    MetadataCache *MetadataCache
    // RepoHostParser is a function that extracts the host from the repoUrl
    RepoHostParser RepoHostParser
}
GenericLookup implements a token lookup in a generic way such that users only need to provide a function that produces a service-provider-specific "state" of the token and a "filter" function that uses the token and its state to match it against a binding.
func (GenericLookup) Lookup added in v0.3.0
func (l GenericLookup) Lookup(ctx context.Context, cl client.Client, matchable Matchable) ([]api.SPIAccessToken, error)
func (GenericLookup) PersistMetadata added in v0.3.0
func (l GenericLookup) PersistMetadata(ctx context.Context, token *api.SPIAccessToken) error
type Initializer added in v0.2.1
type Initializer struct {
    Probe       Probe
    Constructor Constructor
}
Initializer is a struct that contains all necessary data to initialize a service provider instance from a URL using a Factory.
type MetadataCache added in v0.3.0
type MetadataCache struct {
    // contains filtered or unexported fields
}
MetadataCache acts like a cache of metadata of tokens. On top of just CRUDing the token metadata, this struct handles the refreshes of the data when it is determined stale.
func NewMetadataCache added in v0.3.0
func NewMetadataCache(client client.Client, expirationPolicy MetadataExpirationPolicy) MetadataCache
NewMetadataCache creates a new cache instance with the provided configuration.
func (*MetadataCache) Ensure added in v0.3.0
func (c *MetadataCache) Ensure(ctx context.Context, token *api.SPIAccessToken, ser MetadataProvider) error
Ensure makes sure that the metadata of the token is either still valid or has been refreshed using the MetadataProvider. This method calls Persist if needed.
func (*MetadataCache) Persist added in v0.3.0
func (c *MetadataCache) Persist(ctx context.Context, token *api.SPIAccessToken) error
Persist assigns the last refresh time of the token metadata and updates the token.
type MetadataExpirationPolicy added in v0.5.5
type MetadataExpirationPolicy interface {
    // IsExpired returns true if the metadata of the supplied token should be refreshed, false otherwise.
    // The implementation can assume that `token.Status.TokenMetadata` is not nil.
    IsExpired(token *api.SPIAccessToken) bool
}
MetadataExpirationPolicy is responsible for the decision whether the metadata of a token should be refreshed or whether it is still considered valid.
type MetadataExpirationPolicyFunc added in v0.5.5
type MetadataExpirationPolicyFunc func(token *api.SPIAccessToken) bool
MetadataExpirationPolicyFunc is an adaptor for making a function an implementation of the MetadataExpirationPolicy interface.
func (MetadataExpirationPolicyFunc) IsExpired added in v0.5.5
func (f MetadataExpirationPolicyFunc) IsExpired(token *api.SPIAccessToken) bool
type MetadataProvider added in v0.3.0
type MetadataProvider interface {
    // Fetch tries to fetch the token metadata and assign it in the token. Note that the metadata of the token may or
    // may not be nil and this method shouldn't change it unless there is data to assign.
    // Implementors should make sure to return some errors.ServiceProviderError if the failure to fetch the metadata is
    // caused by the token or service provider itself and not other environmental reasons
    Fetch(ctx context.Context, token *api.SPIAccessToken) (*api.TokenMetadata, error)
}
MetadataProvider fills in the metadata in the token's status with service-provider-specific information used for token matching.
type MetadataProviderFunc added in v0.3.0
type MetadataProviderFunc func(ctx context.Context, token *api.SPIAccessToken) (*api.TokenMetadata, error)
func (MetadataProviderFunc) Fetch added in v0.3.0
func (f MetadataProviderFunc) Fetch(ctx context.Context, token *api.SPIAccessToken) (*api.TokenMetadata, error)
type NeverMetadataExpirationPolicy added in v0.5.5
type NeverMetadataExpirationPolicy struct{}
NeverMetadataExpirationPolicy is a MetadataExpirationPolicy that makes the metadata never expire.
func (NeverMetadataExpirationPolicy) IsExpired added in v0.5.5
func (t NeverMetadataExpirationPolicy) IsExpired(_ *api.SPIAccessToken) bool
type Probe added in v0.2.1
type Probe interface {
    // Examine returns the base url of the service provider, if the provided URL can be handled by that provider or
    // an empty string if it cannot. The provided http client can be used to perform requests against the URL if needed.
    Examine(cl *http.Client, url string) (string, error)
}
Probe is a simple function that can determine whether a URL can be handled by a certain service provider.
type ProbeFunc added in v0.2.1
ProbeFunc provides the Probe implementation for compatible functions.
type RepoHostParser added in v0.5.5
type ServiceProvider
type ServiceProvider interface {
    // LookupToken tries to match an SPIAccessToken object with the requirements expressed in the provided binding.
    // This usually searches kubernetes (using the provided client) and the service provider itself (using some specific
    // mechanism (usually an http client)).
    LookupToken(ctx context.Context, cl client.Client, binding *api.SPIAccessTokenBinding) (*api.SPIAccessToken, error)

    // PersistMetadata tries to use the OAuth access token associated with the provided token (if any) and persists any
    // state and metadata required for the token lookup. The metadata must be stored in the Status.TokenMetadata field
    // of the provided token.
    // Implementors should make sure that this method returns InvalidAccessTokenError if the reason for the failure is
    // an invalid token. This is important to distinguish between environmental errors and errors in the data itself.
    PersistMetadata(ctx context.Context, cl client.Client, token *api.SPIAccessToken) error

    // GetBaseUrl returns the base URL of the service provider this instance talks to. This info is saved with the
    // SPIAccessTokens so that later on, the OAuth service can use it to construct the OAuth flow URLs.
    GetBaseUrl() string

    // OAuthScopesFor translates all the permissions into a list of service-provider-specific scopes. This method
    // is used to compose the OAuth flow URL. There is a generic helper, GetAllScopes, that can be used if all that is
    // needed is just a translation of permissions into scopes.
    OAuthScopesFor(permissions *api.Permissions) []string

    // GetType merely returns the type of the service provider this instance talks to.
    GetType() api.ServiceProviderType

    CheckRepositoryAccess(ctx context.Context, cl client.Client, accessCheck *api.SPIAccessCheck) (*api.SPIAccessCheckStatus, error)

    // GetOAuthEndpoint returns the URL of the OAuth initiation. This must point to the SPI oauth service, NOT
    // the service provider itself.
    GetOAuthEndpoint() string

    // MapToken creates an access token mapper for given binding and token using the service-provider specific data.
    // The implementations can use the DefaultMapToken method if they don't use any custom logic.
    MapToken(ctx context.Context, binding *api.SPIAccessTokenBinding, token *api.SPIAccessToken, tokenData *api.Token) (AccessTokenMapper, error)

    // Validate checks that the provided object (token or binding) is valid in this service provider
    Validate(ctx context.Context, validated Validated) (ValidationResult, error)
}
ServiceProvider abstracts the interaction with some service provider.
type TokenFilter added in v0.3.0
type TokenFilter interface {
    Matches(ctx context.Context, matchable Matchable, token *api.SPIAccessToken) (bool, error)
}
TokenFilter is a helper interface to implement the ServiceProvider.LookupToken method using the GenericLookup struct.
var MatchAllTokenFilter TokenFilter = TokenFilterFunc(func(ctx context.Context, binding Matchable, token *api.SPIAccessToken) (bool, error) {
    debugLog := log.FromContext(ctx).V(logs.DebugLevel)
    debugLog.Info("Unconditional token match", "token", token)
    return true, nil
})
MatchAllTokenFilter is a TokenFilter that matches any token.
func NewFilter added in v0.7.3
func NewFilter(policy config.TokenPolicy, exactTokenFilter TokenFilter) TokenFilter
type TokenFilterFunc added in v0.3.0
type TokenFilterFunc func(ctx context.Context, matchable Matchable, token *api.SPIAccessToken) (bool, error)
TokenFilterFunc converts a function into the implementation of the TokenFilter interface.
func (TokenFilterFunc) Matches added in v0.3.0
func (f TokenFilterFunc) Matches(ctx context.Context, matchable Matchable, token *api.SPIAccessToken) (bool, error)
type TtlMetadataExpirationPolicy added in v0.5.5
TtlMetadataExpirationPolicy is a MetadataExpirationPolicy implementation that checks whether the metadata of the token is older than the configured TTL (time to live).
func (TtlMetadataExpirationPolicy) IsExpired added in v0.5.5
func (t TtlMetadataExpirationPolicy) IsExpired(token *api.SPIAccessToken) bool
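As an added illustration (not the project's own code) of how MetadataCache.Ensure, a TTL-based MetadataExpirationPolicy and a MetadataProvider fit together: metadata older than the TTL is refetched, fresh metadata causes no round trip, and a failed fetch leaves the last good metadata in place rather than nil. The token and metadata types, the Ttl and Now fields of TtlPolicy, and the fetch callback are assumed stand-ins for the real api types.

```go
package main

import "time"

// Stand-ins for the api.SPIAccessToken fields this example touches
// (assumed shapes for illustration, not the project's real types).
type TokenMetadata struct {
	LastRefreshTime int64 // unix seconds, stamped when metadata is persisted
	Scopes          []string
}
type SPIAccessToken struct {
	Status struct{ TokenMetadata *TokenMetadata }
}

// MetadataExpirationPolicy as on the page; TtlPolicy mirrors
// TtlMetadataExpirationPolicy with assumed Ttl and Now fields
// (Now is injected so staleness can be tested without sleeping).
type MetadataExpirationPolicy interface{ IsExpired(t *SPIAccessToken) bool }
type TtlPolicy struct {
	Ttl time.Duration
	Now func() time.Time
}

func (p TtlPolicy) IsExpired(t *SPIAccessToken) bool {
	last := time.Unix(t.Status.TokenMetadata.LastRefreshTime, 0)
	return p.Now().Sub(last) > p.Ttl
}

// Ensure models MetadataCache.Ensure: fetch only when metadata is missing or the
// policy says it is stale; keep existing metadata if the fetch fails or returns nil.
func Ensure(t *SPIAccessToken, policy MetadataExpirationPolicy,
	fetch func(*SPIAccessToken) (*TokenMetadata, error), now func() time.Time) (bool, error) {
	if t.Status.TokenMetadata != nil && !policy.IsExpired(t) {
		return false, nil // still fresh: no round trip to the service provider
	}
	md, err := fetch(t)
	if err != nil || md == nil {
		return false, err
	}
	md.LastRefreshTime = now().Unix() // what Persist would record
	t.Status.TokenMetadata = md
	return true, nil
}

func main() {
	t := &SPIAccessToken{}
	fetch := func(*SPIAccessToken) (*TokenMetadata, error) { return &TokenMetadata{Scopes: []string{"repo"}}, nil }
	refreshed, _ := Ensure(t, TtlPolicy{Ttl: time.Hour, Now: time.Now}, fetch, time.Now)
	println(refreshed) // true: the first call has no cached metadata
}
```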
type Validated added in v0.5.5
type Validated interface {
    Permissions() *api.Permissions
}
type ValidationResult added in v0.5.5
type ValidationResult struct {
    // ScopeValidation holds the reasons for the scopes and permissions to be invalid
    ScopeValidation []error
}
ValidationResult represents the results of the ServiceProvider.Validate method.