1/*
2Copyright 2017 The Kubernetes Authors.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8    http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/
16
17package v1
18
19import (
20	"fmt"
21
22	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
23	"k8s.io/apimachinery/pkg/types"
24)
25
// The Impersonate-* headers replace the identity a request is evaluated as, so
// they are security-sensitive: a server that honors them must first authorize
// the original caller to impersonate the requested user/groups/extras, and
// proxies should not pass them through from untrusted clients.
// NOTE(review): that authorization is presumably enforced by the apiserver's
// impersonation handling, not by anything in this package -- confirm there.
const (
	// ImpersonateUserHeader is used to impersonate a particular user during an API server request.
	ImpersonateUserHeader = "Impersonate-User"

	// ImpersonateGroupHeader is used to impersonate a particular group during an API server request.
	// It can be repeated multiple times for multiple groups.
	ImpersonateGroupHeader = "Impersonate-Group"

	// ImpersonateUserExtraHeaderPrefix is a prefix for any header used to impersonate an entry in the
	// extra map[string][]string for user.Info.  The key will be everything after the prefix.
	// It can be repeated multiple times for multiple map keys, and the same key can be repeated multiple
	// times to have multiple elements in the slice under a single key.
	ImpersonateUserExtraHeaderPrefix = "Impersonate-Extra-"
)
40
// +genclient
// +genclient:nonNamespaced
// +genclient:noVerbs
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// TokenReview attempts to authenticate a token to a known user.
// The caller supplies the token in Spec and the server reports the outcome in
// Status. The type is cluster-scoped and the generated client exposes no
// standard verbs for it (see the genclient markers above): it is a
// request/response document rather than something clients list or watch.
// Note: TokenReview requests may be cached by the webhook token authenticator
// plugin in the kube-apiserver.
// NOTE(review): where results are cached, a revoked token can presumably keep
// being accepted until its cache entry expires -- confirm the cache TTL before
// relying on prompt revocation.
type TokenReview struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec holds information about the request being evaluated (the token to check).
	Spec TokenReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`

	// Status is filled in by the server and indicates whether the request can be authenticated.
	// Clients should leave it empty when submitting a review.
	// +optional
	Status TokenReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}
61
// TokenReviewSpec is a description of the token authentication request.
type TokenReviewSpec struct {
	// Token is the opaque bearer token to be verified.
	// It is a credential: treat it as a secret -- do not log it, and avoid
	// copying it into error messages or into the review's Status.
	// +optional
	Token string `json:"token,omitempty" protobuf:"bytes,1,opt,name=token"`
}
68
// TokenReviewStatus is the result of the token authentication request.
// Consumers should treat the token as valid only when Authenticated is true,
// and should ignore User otherwise. A non-empty Error reports that the check
// itself could not be carried out, which is distinct from a definite rejection.
type TokenReviewStatus struct {
	// Authenticated indicates that the token was associated with a known user.
	// The zero value (false) is the safe default: an unset status is "not authenticated".
	// +optional
	Authenticated bool `json:"authenticated,omitempty" protobuf:"varint,1,opt,name=authenticated"`
	// User is the UserInfo associated with the provided token.
	// Only meaningful when Authenticated is true.
	// +optional
	User UserInfo `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"`
	// Error indicates that the token couldn't be checked (an error while
	// attempting the check, rather than a rejection of the token).
	// +optional
	Error string `json:"error,omitempty" protobuf:"bytes,3,opt,name=error"`
}
81
// UserInfo holds the information about the user needed to implement the
// user.Info interface.
// NOTE(review): an authenticator returning this structure is trusted to fill
// in Username, Groups and Extra correctly -- downstream authorization is
// presumably made from exactly these values, so confirm they are not
// populated from unvalidated client input.
type UserInfo struct {
	// The name that uniquely identifies this user among all active users.
	// +optional
	Username string `json:"username,omitempty" protobuf:"bytes,1,opt,name=username"`
	// A unique value that identifies this user across time. If this user is
	// deleted and another user by the same name is added, they will have
	// different UIDs.
	// +optional
	UID string `json:"uid,omitempty" protobuf:"bytes,2,opt,name=uid"`
	// The names of groups this user is a part of.
	// +optional
	Groups []string `json:"groups,omitempty" protobuf:"bytes,3,rep,name=groups"`
	// Any additional information provided by the authenticator.
	// Each key maps to a list of string values (see ExtraValue).
	// +optional
	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,4,rep,name=extra"`
}
100
101// ExtraValue masks the value so protobuf can generate
102// +protobuf.nullable=true
103// +protobuf.options.(gogoproto.goproto_stringer)=false
104type ExtraValue []string
105
106func (t ExtraValue) String() string {
107	return fmt.Sprintf("%v", []string(t))
108}
109
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// TokenRequest requests a token for a given service account.
// Spec carries the client-provided parameters (audiences, requested lifetime,
// optional object binding); Status carries the issued token and its expiry.
type TokenRequest struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec holds the client-provided parameters of the token request.
	Spec TokenRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
	// Status holds the issued token; clients should leave it empty on submission.
	// +optional
	Status TokenRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}
122
// TokenRequestSpec contains client provided parameters of a token request.
type TokenRequestSpec struct {
	// Audiences are the intended audiences of the token. A recipient of a
	// token must identify itself with an identifier in the list of
	// audiences of the token, and otherwise should reject the token. A
	// token issued for multiple audiences may be used to authenticate
	// against any of the audiences listed but implies a high degree of
	// trust between the target audiences. Request the narrowest set of
	// audiences that the intended recipient actually needs.
	Audiences []string `json:"audiences" protobuf:"bytes,1,rep,name=audiences"`

	// ExpirationSeconds is the requested duration of validity of the request. The
	// token issuer may return a token with a different validity duration so a
	// client needs to check the 'expiration' field in a response.
	// The JSON tag has no omitempty, so a nil pointer marshals as null rather
	// than being dropped. The protobuf field number is 4 (3 is used by
	// boundObjectRef below) and must not be renumbered.
	// +optional
	ExpirationSeconds *int64 `json:"expirationSeconds" protobuf:"varint,4,opt,name=expirationSeconds"`

	// BoundObjectRef is a reference to an object that the token will be bound to.
	// The token will only be valid for as long as the bound object exists.
	// Binding a token to a short-lived object (such as a Pod) limits the
	// window in which a leaked token remains usable.
	// +optional
	BoundObjectRef *BoundObjectReference `json:"boundObjectRef" protobuf:"bytes,3,opt,name=boundObjectRef"`
}
144
// TokenRequestStatus is the result of a token request.
type TokenRequestStatus struct {
	// Token is the opaque bearer token that was issued.
	// It is a credential: treat it as a secret and do not log it.
	Token string `json:"token" protobuf:"bytes,1,opt,name=token"`
	// ExpirationTimestamp is the time of expiration of the returned token.
	// Clients should read this rather than assume the duration they asked
	// for in Spec.ExpirationSeconds was granted, since the issuer may differ.
	ExpirationTimestamp metav1.Time `json:"expirationTimestamp" protobuf:"bytes,2,opt,name=expirationTimestamp"`
}
152
// BoundObjectReference is a reference to an object that a token is bound to.
// NOTE(review): UID is presumably what ties the token to one specific instance
// of the object, so that a re-created object with the same Name does not
// revive the token -- confirm in the issuer/validator before relying on it.
type BoundObjectReference struct {
	// Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
	// +optional
	Kind string `json:"kind,omitempty" protobuf:"bytes,1,opt,name=kind"`
	// API version of the referent.
	// +optional
	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt,name=aPIVersion"`

	// Name of the referent.
	// +optional
	Name string `json:"name,omitempty" protobuf:"bytes,3,opt,name=name"`
	// UID of the referent.
	// +optional
	UID types.UID `json:"uid,omitempty" protobuf:"bytes,4,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID"`
}
169