/*
Copyright 2023 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Package cel contains the CEL related interfaces and structs for authentication.
//
// The types in this package describe how CEL expressions used for claim
// mapping, claim validation and user validation are compiled and evaluated
// against the "claims" and "user" CEL variables.
package cel

import (
	"context"

	celgo "github.com/google/cel-go/cel"
	"github.com/google/cel-go/common/types/ref"

	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)

// ExpressionAccessor is an interface that provides access to a CEL expression
// and to the result types the expression is expected to produce.
type ExpressionAccessor interface {
	// GetExpression returns the CEL expression source text.
	GetExpression() string
	// ReturnTypes returns the CEL types the expression is validated against
	// when it is compiled. An accessor that returns celgo.AnyType opts out of
	// that compile-time check, so whoever consumes its evaluation result is
	// responsible for checking the value's runtime type.
	ReturnTypes() []*celgo.Type
}

// CompilationResult represents a compiled validation expression.
type CompilationResult struct {
	// Program is the evaluable form of the compiled expression.
	Program celgo.Program
	// AST is the syntax tree the Program was built from.
	AST *celgo.Ast
	// ExpressionAccessor is the accessor the expression was compiled from,
	// kept so a result can be traced back to its source expression.
	ExpressionAccessor ExpressionAccessor
}

// EvaluationResult contains the minimal required fields and metadata of a cel evaluation.
type EvaluationResult struct {
	// EvalResult is the dynamically typed value the expression produced.
	// NOTE(review): when the accessor's ReturnTypes is celgo.AnyType the
	// compiler has not constrained this value; consumers must check its
	// runtime type before using it (for example as a username or group list).
	EvalResult ref.Val
	// ExpressionAccessor identifies the expression that produced EvalResult.
	ExpressionAccessor ExpressionAccessor
}

// Compiler provides a CEL expression compiler configured with the desired authentication related CEL variables.
type Compiler interface {
	// CompileClaimsExpression compiles an expression that is evaluated against
	// the claims CEL variable (see ClaimsMapper).
	CompileClaimsExpression(expressionAccessor ExpressionAccessor) (CompilationResult, error)
	// CompileUserExpression compiles an expression that is evaluated against
	// the user CEL variable (see UserMapper).
	CompileUserExpression(expressionAccessor ExpressionAccessor) (CompilationResult, error)
}

// ClaimsMapper provides a CEL expression mapper configured with the claims CEL variable.
// Its methods evaluate the already compiled expressions against the claims of
// a single token.
type ClaimsMapper interface {
	// EvalClaimMapping evaluates a single claim mapping expression against
	// claims and returns its EvaluationResult. It serves the username, groups
	// and uid mappings, each of which is one expression.
	EvalClaimMapping(ctx context.Context, claims *unstructured.Unstructured) (EvaluationResult, error)
	// EvalClaimMappings evaluates every configured expression against claims
	// and returns one EvaluationResult per expression. It serves the extra
	// claim mappings and the claim validation rules, which are lists of
	// expressions.
	EvalClaimMappings(ctx context.Context, claims *unstructured.Unstructured) ([]EvaluationResult, error)
}

// UserMapper provides a CEL expression mapper configured with the user CEL variable.
type UserMapper interface {
	// EvalUser evaluates every configured user expression against userInfo
	// and returns one EvaluationResult per expression. It serves user
	// validation, which is a list of expressions.
	EvalUser(ctx context.Context, userInfo *unstructured.Unstructured) ([]EvaluationResult, error)
}

// Compile-time check that *ClaimMappingExpression satisfies ExpressionAccessor.
var _ ExpressionAccessor = (*ClaimMappingExpression)(nil)

// ClaimMappingExpression is a CEL expression that maps a claim.
type ClaimMappingExpression struct {
	// Expression is the CEL source evaluated against the claims variable.
	Expression string
}

// GetExpression returns the CEL expression.
func (m *ClaimMappingExpression) GetExpression() string {
	return m.Expression
}

// ReturnTypes returns the CEL expression return types.
//
// The return types are only used for validation at compile time. The claims
// variable visible to a claim mapping expression is a map[string]interface{},
// so the result type cannot be known when the expression is compiled.
// Returning celgo.AnyType therefore disables the compile-time type check; the
// strict type check is done during evaluation instead, and consumers of the
// EvaluationResult must not assume a particular type.
func (m *ClaimMappingExpression) ReturnTypes() []*celgo.Type {
	anyOnly := []*celgo.Type{celgo.AnyType}
	return anyOnly
}

// Compile-time check that *ClaimValidationCondition satisfies ExpressionAccessor.
var _ ExpressionAccessor = (*ClaimValidationCondition)(nil)

// ClaimValidationCondition is a CEL expression that validates a claim; it is
// validated at compile time to return a bool.
type ClaimValidationCondition struct {
	// Expression is a CEL expression evaluated against the claims variable;
	// the compiler validates it against bool (see ReturnTypes).
	Expression string
	// Message is the text associated with this condition.
	// NOTE(review): assumed to be reported when Expression does not hold —
	// confirm against the evaluator, and keep it free of sensitive detail if
	// it is surfaced in authentication errors.
	Message string
}

// GetExpression returns the CEL expression.
func (c *ClaimValidationCondition) GetExpression() string {
	return c.Expression
}

// ReturnTypes returns the CEL expression return types. A claim validation
// condition is validated against bool when it is compiled.
func (c *ClaimValidationCondition) ReturnTypes() []*celgo.Type {
	boolOnly := []*celgo.Type{celgo.BoolType}
	return boolOnly
}

// Compile-time check that *ExtraMappingExpression satisfies ExpressionAccessor.
var _ ExpressionAccessor = (*ExtraMappingExpression)(nil)

// ExtraMappingExpression is a CEL expression that maps an extra to a list of values.
type ExtraMappingExpression struct {
	// Key is the extra key the expression's values are attached to.
	// NOTE(review): nothing in this file validates Key; presumably the
	// configuration validation does — confirm before relying on it.
	Key string
	// Expression is the CEL source that yields the values for Key.
	Expression string
}

// GetExpression returns the CEL expression.
func (e *ExtraMappingExpression) GetExpression() string {
	return e.Expression
}

// ReturnTypes returns the CEL expression return types.
//
// The return types are only used for validation at compile time. As with
// ClaimMappingExpression, the claims variable is a map[string]interface{}, so
// the result type is unknown when the expression is compiled. celgo.AnyType
// disables the compile-time check; the strict type check is done during
// evaluation instead.
func (e *ExtraMappingExpression) ReturnTypes() []*celgo.Type {
	anyOnly := []*celgo.Type{celgo.AnyType}
	return anyOnly
}

// Compile-time check that *UserValidationCondition satisfies ExpressionAccessor.
var _ ExpressionAccessor = (*UserValidationCondition)(nil)

// UserValidationCondition is a CEL expression that validates a User.
type UserValidationCondition struct {
	// Expression is a CEL expression evaluated against the user variable;
	// the compiler validates it against bool (see ReturnTypes).
	Expression string
	// Message is the text associated with this condition.
	// NOTE(review): assumed to be reported when Expression does not hold —
	// confirm against the evaluator.
	Message string
}

// GetExpression returns the CEL expression.
func (u *UserValidationCondition) GetExpression() string {
	return u.Expression
}

// ReturnTypes returns the CEL expression return types. A user validation
// condition is validated against bool when it is compiled.
func (u *UserValidationCondition) ReturnTypes() []*celgo.Type {
	boolOnly := []*celgo.Type{celgo.BoolType}
	return boolOnly
}