validate_authentication.go
package authentication
import (
"fmt"
"io"
"k8s.io/apimachinery/pkg/api/validation"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/apiserver/pkg/admission"
configv1 "github.com/openshift/api/config/v1"
crvalidation "github.com/openshift/origin/pkg/admission/customresourcevalidation"
)
const (
	// PluginName is the identifier under which Register installs this
	// admission plugin; the apiserver enables it by this name.
	PluginName = "config.openshift.io/ValidateAuthentication"
)
// Register installs this admission plugin in plugins under PluginName.
//
// The plugin factory builds a crvalidation validator from two tables: the
// resource it is responsible for (config.openshift.io "authentications")
// and the per-kind validators, of which there is one, authenticationV1 for
// config.openshift.io/v1 Authentication. How crvalidation applies those
// tables is defined in that package. The io.Reader handed to the factory
// (plugin configuration) is not consulted.
func Register(plugins *admission.Plugins) {
	newPlugin := func(_ io.Reader) (admission.Interface, error) {
		// Resources this validator handles.
		resources := map[schema.GroupResource]bool{
			configv1.GroupVersion.WithResource("authentications").GroupResource(): true,
		}
		// Validator per kind; only the v1 Authentication kind is covered.
		validators := map[schema.GroupVersionKind]crvalidation.ObjectValidator{
			configv1.GroupVersion.WithKind("Authentication"): authenticationV1{},
		}
		return crvalidation.NewValidator(resources, validators)
	}
	plugins.Register(PluginName, newPlugin)
}
// toAuthenticationV1 asserts that uncastObj is a *configv1.Authentication.
//
// A nil uncastObj yields (nil, nil); the authenticationV1 methods dereference
// the returned object, so they rely on the admission machinery never handing
// them a nil object. Any other concrete type produces two NotSupported errors,
// on "kind" and "apiVersion", each carrying the Go type name of the unexpected
// object as the offending value.
func toAuthenticationV1(uncastObj runtime.Object) (*configv1.Authentication, field.ErrorList) {
	if uncastObj == nil {
		return nil, nil
	}
	auth, isAuth := uncastObj.(*configv1.Authentication)
	if isAuth {
		return auth, nil
	}
	got := fmt.Sprintf("%T", uncastObj)
	return nil, field.ErrorList{
		field.NotSupported(field.NewPath("kind"), got, []string{"Authentication"}),
		field.NotSupported(field.NewPath("apiVersion"), got, []string{"config.openshift.io/v1"}),
	}
}
// authenticationV1 is the crvalidation.ObjectValidator for
// config.openshift.io/v1 Authentication objects. It carries no state; the
// zero value is what Register installs.
type authenticationV1 struct{}
// ValidateCreate validates a newly created Authentication object.
//
// If uncastObj is not a *configv1.Authentication, only the type-assertion
// errors are returned. Otherwise the result concatenates the apimachinery
// ObjectMeta checks (requiresNamespace=false, i.e. cluster-scoped, with
// crvalidation.RequireNameCluster as the name validator — presumably pinning
// the name to "cluster"; confirm in crvalidation) and the create-time spec
// checks. The object is dereferenced, so uncastObj must not be nil.
func (authenticationV1) ValidateCreate(uncastObj runtime.Object) field.ErrorList {
	auth, castErrs := toAuthenticationV1(uncastObj)
	if len(castErrs) != 0 {
		return castErrs
	}

	var allErrs field.ErrorList
	metaPath := field.NewPath("metadata")
	allErrs = append(allErrs, validation.ValidateObjectMeta(&auth.ObjectMeta, false, crvalidation.RequireNameCluster, metaPath)...)
	allErrs = append(allErrs, validateAuthenticationSpecCreate(auth.Spec)...)
	return allErrs
}
// ValidateUpdate validates an updated Authentication object against the
// version it replaces.
//
// The new object is type-checked first, then the old one; a failure on
// either short-circuits with just those errors. Otherwise the result
// concatenates the apimachinery ObjectMeta update rules (which guard the
// immutable metadata fields) and validateAuthenticationSpecUpdate. Both
// objects are dereferenced, so neither argument may be nil.
func (authenticationV1) ValidateUpdate(uncastObj runtime.Object, uncastOldObj runtime.Object) field.ErrorList {
	newAuth, castErrs := toAuthenticationV1(uncastObj)
	if len(castErrs) != 0 {
		return castErrs
	}
	oldAuth, castErrs := toAuthenticationV1(uncastOldObj)
	if len(castErrs) != 0 {
		return castErrs
	}

	var allErrs field.ErrorList
	metaPath := field.NewPath("metadata")
	allErrs = append(allErrs, validation.ValidateObjectMetaUpdate(&newAuth.ObjectMeta, &oldAuth.ObjectMeta, metaPath)...)
	allErrs = append(allErrs, validateAuthenticationSpecUpdate(newAuth.Spec, oldAuth.Spec)...)
	return allErrs
}
// ValidateStatusUpdate validates a status update of an Authentication object.
//
// As in ValidateUpdate, a type-assertion failure on the new or old object
// returns only those errors. Otherwise the apimachinery ObjectMeta update
// rules and validateAuthenticationStatus contribute errors. Note that the
// spec is deliberately not re-validated on the status path; only
// status.integratedOAuthMetadata is checked. Both objects are dereferenced,
// so neither argument may be nil.
func (authenticationV1) ValidateStatusUpdate(uncastObj runtime.Object, uncastOldObj runtime.Object) field.ErrorList {
	newAuth, castErrs := toAuthenticationV1(uncastObj)
	if len(castErrs) != 0 {
		return castErrs
	}
	oldAuth, castErrs := toAuthenticationV1(uncastOldObj)
	if len(castErrs) != 0 {
		return castErrs
	}

	var allErrs field.ErrorList
	metaPath := field.NewPath("metadata")
	allErrs = append(allErrs, validation.ValidateObjectMetaUpdate(&newAuth.ObjectMeta, &oldAuth.ObjectMeta, metaPath)...)
	allErrs = append(allErrs, validateAuthenticationStatus(newAuth.Status)...)
	return allErrs
}
// validateAuthenticationSpecCreate validates the spec of a newly created
// Authentication. There are currently no create-only rules, so this is
// exactly the shared validateAuthenticationSpec check set.
func validateAuthenticationSpecCreate(spec configv1.AuthenticationSpec) field.ErrorList {
	createErrs := validateAuthenticationSpec(spec)
	return createErrs
}
// validateAuthenticationSpecUpdate validates the spec of an updated
// Authentication. oldspec is accepted for symmetry with the update callers
// but is not consulted: no update-only rules (such as immutability of a
// spec field) are implemented, so only the shared checks run on newspec.
func validateAuthenticationSpecUpdate(newspec, oldspec configv1.AuthenticationSpec) field.ErrorList {
	_ = oldspec // intentionally unused; see doc comment
	updateErrs := validateAuthenticationSpec(newspec)
	return updateErrs
}
// validateAuthenticationSpec holds the spec checks shared by create and update.
//
// Rules enforced, with errors reported under the "spec" path:
//   - spec.type must be None, IntegratedOAuth or empty; any other value is a
//     NotSupported error listing the two named constants as the allowed set.
//   - spec.oauthMetadata is passed to crvalidation.ValidateConfigMapReference
//     with a final argument of false.
//   - every spec.webhookTokenAuthenticators[i].kubeConfig is passed to
//     crvalidation.ValidateSecretReference with a final argument of true.
//
// The meaning of those boolean arguments (presumably whether the reference
// is required) is defined in crvalidation — confirm there before relying on it.
func validateAuthenticationSpec(spec configv1.AuthenticationSpec) field.ErrorList {
	errs := field.ErrorList{}
	specPath := field.NewPath("spec")

	// Only the two known authentication types (or an unset type) are accepted.
	typeKnown := spec.Type == configv1.AuthenticationTypeNone ||
		spec.Type == configv1.AuthenticationTypeIntegratedOAuth ||
		spec.Type == ""
	if !typeKnown {
		allowedTypes := []string{
			string(configv1.AuthenticationTypeNone),
			string(configv1.AuthenticationTypeIntegratedOAuth),
		}
		errs = append(errs, field.NotSupported(specPath.Child("type"), spec.Type, allowedTypes))
	}

	errs = append(errs, crvalidation.ValidateConfigMapReference(specPath.Child("oauthMetadata"), spec.OAuthMetadata, false)...)

	// Each webhook token authenticator must carry a well-formed kubeConfig
	// secret reference; errors are indexed by the authenticator's position.
	webhooksPath := specPath.Child("webhookTokenAuthenticators")
	for i := range spec.WebhookTokenAuthenticators {
		kubeConfigPath := webhooksPath.Index(i).Child("kubeConfig")
		secretErrs := crvalidation.ValidateSecretReference(kubeConfigPath, spec.WebhookTokenAuthenticators[i].KubeConfig, true)
		errs = append(errs, secretErrs...)
	}

	return errs
}
// validateAuthenticationStatus validates the status of an Authentication.
// Only status.integratedOAuthMetadata is checked, via
// crvalidation.ValidateConfigMapReference with a final argument of false
// (that package defines what the flag means).
func validateAuthenticationStatus(status configv1.AuthenticationStatus) field.ErrorList {
	metadataPath := field.NewPath("status", "integratedOAuthMetadata")
	return crvalidation.ValidateConfigMapReference(metadataPath, status.IntegratedOAuthMetadata, false)
}