
     1  /*
     2  Copyright 2019 The KubeSphere Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package v1alpha2
    18  
    19  import (
    20  	rbacv1 "k8s.io/api/rbac/v1"
    21  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    22  	"k8s.io/apimachinery/pkg/runtime"
    23  )
    24  
    25  const (
    26  	ResourceKindUser                      = "User"
    27  	ResourcesSingularUser                 = "user"
    28  	ResourcesPluralUser                   = "users"
    29  	ResourceKindLoginRecord               = "LoginRecord"
    30  	ResourcesSingularLoginRecord          = "loginrecord"
    31  	ResourcesPluralLoginRecord            = "loginrecords"
    32  	ResourceKindGlobalRoleBinding         = "GlobalRoleBinding"
    33  	ResourcesSingularGlobalRoleBinding    = "globalrolebinding"
    34  	ResourcesPluralGlobalRoleBinding      = "globalrolebindings"
    35  	ResourceKindClusterRoleBinding        = "ClusterRoleBinding"
    36  	ResourcesSingularClusterRoleBinding   = "clusterrolebinding"
    37  	ResourcesPluralClusterRoleBinding     = "clusterrolebindings"
    38  	ResourceKindRoleBinding               = "RoleBinding"
    39  	ResourcesSingularRoleBinding          = "rolebinding"
    40  	ResourcesPluralRoleBinding            = "rolebindings"
    41  	ResourceKindGlobalRole                = "GlobalRole"
    42  	ResourcesSingularGlobalRole           = "globalrole"
    43  	ResourcesPluralGlobalRole             = "globalroles"
    44  	ResourceKindWorkspaceRoleBinding      = "WorkspaceRoleBinding"
    45  	ResourcesSingularWorkspaceRoleBinding = "workspacerolebinding"
    46  	ResourcesPluralWorkspaceRoleBinding   = "workspacerolebindings"
    47  	ResourceKindWorkspaceRole             = "WorkspaceRole"
    48  	ResourcesSingularWorkspaceRole        = "workspacerole"
    49  	ResourcesPluralWorkspaceRole          = "workspaceroles"
    50  	ResourceKindClusterRole               = "ClusterRole"
    51  	ResourcesSingularClusterRole          = "clusterrole"
    52  	ResourcesPluralClusterRole            = "clusterroles"
    53  	ResourceKindRole                      = "Role"
    54  	ResourcesSingularRole                 = "role"
    55  	ResourcesPluralRole                   = "roles"
    56  	RegoOverrideAnnotation                = "iam.kubesphere.io/rego-override"
    57  	AggregationRolesAnnotation            = "iam.kubesphere.io/aggregation-roles"
    58  	GlobalRoleAnnotation                  = "iam.kubesphere.io/globalrole"
    59  	WorkspaceRoleAnnotation               = "iam.kubesphere.io/workspacerole"
    60  	ClusterRoleAnnotation                 = "iam.kubesphere.io/clusterrole"
    61  	GrantedClustersAnnotation             = "iam.kubesphere.io/granted-clusters"
    62  	UninitializedAnnotation               = "iam.kubesphere.io/uninitialized"
    63  	LastPasswordChangeTimeAnnotation      = "iam.kubesphere.io/last-password-change-time"
    64  	RoleAnnotation                        = "iam.kubesphere.io/role"
    65  	RoleTemplateLabel                     = "iam.kubesphere.io/role-template"
    66  	ScopeLabelFormat                      = "scope.kubesphere.io/%s"
    67  	UserReferenceLabel                    = "iam.kubesphere.io/user-ref"
    68  	IdentifyProviderLabel                 = "iam.kubesphere.io/identify-provider"
    69  	OriginUIDLabel                        = "iam.kubesphere.io/origin-uid"
    70  	ServiceAccountReferenceLabel          = "iam.kubesphere.io/serviceaccount-ref"
    71  	FieldEmail                            = "email"
    72  	ExtraEmail                            = FieldEmail
    73  	ExtraIdentityProvider                 = "idp"
    74  	ExtraUID                              = "uid"
    75  	ExtraUsername                         = "username"
    76  	ExtraDisplayName                      = "displayName"
    77  	ExtraUninitialized                    = "uninitialized"
    78  	InGroup                               = "ingroup"
    79  	NotInGroup                            = "notingroup"
    80  	AggregateTo                           = "aggregateTo"
    81  	ScopeWorkspace                        = "workspace"
    82  	ScopeCluster                          = "cluster"
    83  	ScopeNamespace                        = "namespace"
    84  	ScopeDevOps                           = "devops"
    85  	PlatformAdmin                         = "platform-admin"
    86  	NamespaceAdmin                        = "admin"
    87  	ClusterAdmin                          = "cluster-admin"
    88  	PreRegistrationUser                   = "system:pre-registration"
    89  	PreRegistrationUserGroup              = "pre-registration"
    90  )
    91  
// +genclient
// +genclient:nonNamespaced
// +kubebuilder:object:root=true
// +k8s:openapi-gen=true

// User is the Schema for the users API. It is cluster-scoped; the desired
// state lives in Spec and the observed state in Status.
// +kubebuilder:printcolumn:name="Email",type="string",JSONPath=".spec.email"
// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state"
// +kubebuilder:resource:categories="iam",scope="Cluster"
// +kubebuilder:object:root=true
type User struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state of the user (see UserSpec).
	Spec UserSpec `json:"spec"`
	// Status is the observed state of the user (see UserStatus).
	// +optional
	Status UserStatus `json:"status,omitempty"`
}
   111  
// FinalizerName is a named string type for finalizer identifiers. It is
// declared here but not referenced elsewhere in this file.
type FinalizerName string
   113  
// UserSpec defines the desired state of User.
type UserSpec struct {
	// Unique email address(https://www.ietf.org/rfc/rfc5322.txt).
	Email string `json:"email"`
	// The preferred written or spoken language for the user.
	// +optional
	Lang string `json:"lang,omitempty"`
	// Description of the user.
	// +optional
	Description string `json:"description,omitempty"`
	// Display name of the user.
	// +optional
	DisplayName string `json:"displayName,omitempty"`
	// Group names the user is a member of; membership semantics are defined
	// by the consumers of this type, not here.
	// +optional
	Groups []string `json:"groups,omitempty"`

	// Password of the user. A plaintext value is hashed (bcrypt) by the
	// mutating admission webhook before it is stored; the bcrypt alternative
	// in the pattern below is what the stored form looks like. Note that the
	// JSON key is "password", not "encryptedPassword".
	// +kubebuilder:validation:MinLength=8
	// +kubebuilder:validation:MaxLength=64
	// +kubebuilder:validation:Pattern=`^(.*[a-z].*[A-Z].*[0-9].*)$|^(.*[a-z].*[0-9].*[A-Z].*)$|^(.*[A-Z].*[a-z].*[0-9].*)$|^(.*[A-Z].*[0-9].*[a-z].*)$|^(.*[0-9].*[a-z].*[A-Z].*)$|^(.*[0-9].*[A-Z].*[a-z].*)$|^(\$2[ayb]\$.{56})$`
	// Password pattern is tricky here.
	// The rule is simple: length between [8,64] (enforced by the MinLength/MaxLength markers above), at least one uppercase letter, one lowercase letter, one digit.
	// The regexp in console(javascript) is quite straightforward: ^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[^]{6,64}$
	// But in Go, we don't have ?= (lookahead) capability in regexp (also in CRD validation pattern)
	// So we adopted an alternative scheme to achieve the same effect:
	// use 6 different regexps combined by alternation.
	// These six schemes enumerate the order in which a digit, an uppercase letter and a lowercase letter first appear.
	// - ^(.*[a-z].*[A-Z].*[0-9].*)$ stands for lowercase letter comes first, then followed by an uppercase letter, then a digit.
	// - ^(.*[a-z].*[0-9].*[A-Z].*)$ stands for lowercase letter comes first, then followed by a digit, then an uppercase letter.
	// - ^(.*[A-Z].*[a-z].*[0-9].*)$ ...
	// - ^(.*[A-Z].*[0-9].*[a-z].*)$ ...
	// - ^(.*[0-9].*[a-z].*[A-Z].*)$ ...
	// - ^(.*[0-9].*[A-Z].*[a-z].*)$ ...
	// Last but not least, the bcrypt string is also included to match the already-hashed password. ^(\$2[ayb]\$.{56})$
	// NOTE(review): because the bcrypt alternative is part of the CRD pattern, an API client can submit a value
	// in the stored format directly; whether the webhook or another step re-checks such values is not visible
	// in this file — confirm before relying on the pattern as the only guard.
	EncryptedPassword string `json:"password,omitempty"`
}
   149  
// UserState is the lifecycle phase of a User, reported in UserStatus.State.
// The valid values are the UserState constants below.
type UserState string
   151  
// These are the valid phases of a user.
const (
	// UserActive means the user is available.
	UserActive UserState = "Active"
	// UserDisabled means the user is disabled.
	UserDisabled UserState = "Disabled"
	// UserAuthLimitExceeded means restrict user login.
	UserAuthLimitExceeded UserState = "AuthLimitExceeded"

	// AuthenticatedSuccessfully is an untyped string constant, not a UserState
	// phase, even though it sits in this block.
	AuthenticatedSuccessfully = "authenticated successfully"
)
   163  
// UserStatus defines the observed state of User.
type UserStatus struct {
	// State is the current phase of the user; see the UserState constants.
	// +optional
	State UserState `json:"state,omitempty"`
	// Reason is a free-form string giving detail for State.
	// +optional
	Reason string `json:"reason,omitempty"`
	// LastTransitionTime is when State last changed.
	// +optional
	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
	// Last login attempt timestamp
	// +optional
	LastLoginTime *metav1.Time `json:"lastLoginTime,omitempty"`
}
   177  
// +kubebuilder:object:root=true
// +kubebuilder:object:root=true
// UserList contains a list of User.
type UserList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []User `json:"items"`
}
   188  
// +genclient
// +genclient:nonNamespaced
// +kubebuilder:object:root=true
// +kubebuilder:resource:categories="iam",scope="Cluster"
// GlobalRole is the Schema for the globalroles API: a cluster-scoped set of
// RBAC PolicyRules.
// +kubebuilder:object:root=true
type GlobalRole struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Rules holds all the PolicyRules for this GlobalRole.
	// NOTE(review): the json tag has no omitempty, so a nil Rules encodes as
	// JSON null rather than [].
	// +optional
	Rules []rbacv1.PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
}
   203  
// +kubebuilder:object:root=true
// +kubebuilder:object:root=true
// GlobalRoleList contains a list of GlobalRole.
type GlobalRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []GlobalRole `json:"items"`
}
   212  
// +genclient
// +genclient:nonNamespaced
// +kubebuilder:object:root=true
// +kubebuilder:resource:categories="iam",scope="Cluster"
// GlobalRoleBinding is the Schema for the globalrolebindings API. It grants a
// GlobalRole to a set of subjects.
// +kubebuilder:object:root=true
type GlobalRoleBinding struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Subjects holds references to the objects the role applies to.
	// +optional
	Subjects []rbacv1.Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`

	// RoleRef can only reference a GlobalRole.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	// No validation marker enforces the referenced Kind here; that check is
	// left to the authorizer.
	RoleRef rbacv1.RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
}
   232  
// +kubebuilder:object:root=true
// +kubebuilder:object:root=true
// GlobalRoleBindingList contains a list of GlobalRoleBinding.
type GlobalRoleBindingList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []GlobalRoleBinding `json:"items"`
}
   243  
// +genclient
// +genclient:nonNamespaced
// +kubebuilder:object:root=true
// +kubebuilder:printcolumn:name="Workspace",type="string",JSONPath=".metadata.labels.kubesphere\\.io/workspace"
// +kubebuilder:printcolumn:name="Alias",type="string",JSONPath=".metadata.annotations.kubesphere\\.io/alias-name"
// +kubebuilder:resource:categories="iam",scope="Cluster"
// WorkspaceRole is the Schema for the workspaceroles API: a cluster-scoped set
// of RBAC PolicyRules whose owning workspace is given by the
// kubesphere.io/workspace label shown in the print column above.
// +kubebuilder:object:root=true
type WorkspaceRole struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Rules holds all the PolicyRules for this WorkspaceRole.
	// NOTE(review): the json tag has no omitempty, so a nil Rules encodes as
	// JSON null rather than [].
	// +optional
	Rules []rbacv1.PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
}
   260  
// +kubebuilder:object:root=true
// +kubebuilder:object:root=true
// WorkspaceRoleList contains a list of WorkspaceRole.
type WorkspaceRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []WorkspaceRole `json:"items"`
}
   269  
// +genclient
// +genclient:nonNamespaced
// +kubebuilder:object:root=true
// +kubebuilder:printcolumn:name="Workspace",type="string",JSONPath=".metadata.labels.kubesphere\\.io/workspace"
// +kubebuilder:resource:categories="iam",scope="Cluster"
// WorkspaceRoleBinding is the Schema for the workspacerolebindings API. It
// grants a WorkspaceRole to a set of subjects.
// +kubebuilder:object:root=true
type WorkspaceRoleBinding struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Subjects holds references to the objects the role applies to.
	// +optional
	Subjects []rbacv1.Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`

	// RoleRef can only reference a WorkspaceRole.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	// No validation marker enforces the referenced Kind here; that check is
	// left to the authorizer.
	RoleRef rbacv1.RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
}
   289  
// +kubebuilder:object:root=true
// +kubebuilder:object:root=true
// WorkspaceRoleBindingList contains a list of WorkspaceRoleBinding.
type WorkspaceRoleBindingList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []WorkspaceRoleBinding `json:"items"`
}
   298  
// +genclient
// +genclient:nonNamespaced
// +kubebuilder:object:root=true
// +kubebuilder:resource:categories="iam",scope="Cluster"
// RoleBase is the Schema for the rolebases API. It wraps an arbitrary role
// object, kept as opaque JSON in Role.
// +kubebuilder:object:root=true
type RoleBase struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Role is an embedded Kubernetes object stored as raw JSON. The markers
	// below keep unknown fields, so its contents are not pruned to a schema
	// at this layer; whatever consumes Role must validate it itself.
	// +kubebuilder:pruning:PreserveUnknownFields
	// +kubebuilder:validation:EmbeddedResource
	Role runtime.RawExtension `json:"role"`
}
   311  
// +kubebuilder:object:root=true
// +kubebuilder:object:root=true
// RoleBaseList contains a list of RoleBase.
type RoleBaseList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []RoleBase `json:"items"`
}
   320  
// +genclient
// +genclient:nonNamespaced
// +kubebuilder:object:root=true
// +kubebuilder:printcolumn:name="Type",type="string",JSONPath=".spec.type"
// +kubebuilder:printcolumn:name="Provider",type="string",JSONPath=".spec.provider"
// +kubebuilder:printcolumn:name="From",type="string",JSONPath=".spec.sourceIP"
// +kubebuilder:printcolumn:name="Success",type="string",JSONPath=".spec.success"
// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".spec.reason"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:resource:categories="iam",scope="Cluster"
// LoginRecord is the Schema for the loginrecords API: one cluster-scoped
// object per recorded authentication attempt. It has a Spec but no Status.
// +kubebuilder:object:root=true
type LoginRecord struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec holds the details of the attempt (see LoginRecordSpec).
	Spec LoginRecordSpec `json:"spec"`
}
   337  
// LoginRecordSpec describes a single authentication attempt.
type LoginRecordSpec struct {
	// Which authentication method used, Password/OAuth/Token
	Type LoginType `json:"type"`
	// Provider of authentication, Ldap/Github etc.
	Provider string `json:"provider"`
	// Source IP of client.
	// NOTE(review): whether this is the peer address or a value taken from a
	// forwarded header is not visible here; treat it as informational until
	// that is confirmed.
	SourceIP string `json:"sourceIP"`
	// User agent of login attempt. Client-supplied; nothing in this type
	// validates it.
	UserAgent string `json:"userAgent,omitempty"`
	// Successful login attempt or not
	Success bool `json:"success"`
	// States failed login attempt reason (presumably empty on success; not
	// enforced here).
	Reason string `json:"reason"`
}
   352  
// LoginType identifies the authentication method recorded in
// LoginRecordSpec.Type. The valid values are the LoginType constants below.
type LoginType string
   354  
// Valid LoginType values.
const (
	// Password is a password-based login.
	Password LoginType = "Password"
	// OAuth is a login through an OAuth provider.
	OAuth LoginType = "OAuth"
	// Token is a token-based login.
	Token LoginType = "Token"
)
   360  
// +kubebuilder:object:root=true
// +kubebuilder:object:root=true
// LoginRecordList contains a list of LoginRecord.
type LoginRecordList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []LoginRecord `json:"items"`
}