From 661b6302526955db298edca47323178608a127df Mon Sep 17 00:00:00 2001
From: Shane Bryzak
Date: Wed, 7 Feb 2024 10:00:13 +1000
Subject: [PATCH] Drop all arbitrary SSO claim properties and annotations (#393)
* drop all arbitrary SSO claim properties and annotations
* reintroduce the annotations file with specific annotations for the User resource
* removed originalsub
* review comments
* added openapi-gen=true to PropagatedClaims
* fixed annotation value
* use new fields for printcolumns
---
api/v1alpha1/annotations.go | 12 ---
api/v1alpha1/masteruserrecord_types.go | 14 ---
api/v1alpha1/useraccount_types.go | 28 +++---
api/v1alpha1/usersignup_types.go | 36 +------
api/v1alpha1/zz_generated.openapi.go | 121 +++++++++++--------------
5 files changed, 70 insertions(+), 141 deletions(-)
delete mode 100644 api/v1alpha1/annotations.go
diff --git a/api/v1alpha1/annotations.go b/api/v1alpha1/annotations.go
deleted file mode 100644
index db288438..00000000
--- a/api/v1alpha1/annotations.go
+++ /dev/null
@@ -1,12 +0,0 @@
-package v1alpha1
-
-const (
- // AnnotationKeyPrefix is the prefix used for annotation key values
- AnnotationKeyPrefix = LabelKeyPrefix
-
- // SSOUserIDAnnotationKey is used to store the user's user_id claim value issued by the SSO provider
- SSOUserIDAnnotationKey = AnnotationKeyPrefix + "sso-user-id"
-
- // SSOAccountIDAnnotationKey is used to store the user's account_id claim value issued by the SSO provider
- SSOAccountIDAnnotationKey = AnnotationKeyPrefix + "sso-account-id"
-)
diff --git a/api/v1alpha1/masteruserrecord_types.go b/api/v1alpha1/masteruserrecord_types.go
index 2f329bce..de639e4a 100644
--- a/api/v1alpha1/masteruserrecord_types.go
+++ b/api/v1alpha1/masteruserrecord_types.go
@@ -41,11 +41,6 @@ const (
 // MasterUserRecordOwnerLabelKey indicates the label value that contains the owner reference for this resource,
 // which will be the UserSignup instance with the corresponding resource name
 MasterUserRecordOwnerLabelKey = OwnerLabelKey
-
- // #### ANNOTATIONS ####
- // MasterUserRecordEmailAnnotationKey is used to store the user's email in an annotation
- // (Note: key is the same as for the UserSignup annotation)
- MasterUserRecordEmailAnnotationKey = UserSignupUserEmailAnnotationKey
 )
 
 // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
@@ -56,10 +51,6 @@ type MasterUserRecordSpec struct {
 // Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
 // Add custom validation using kubebuilder tags: https://book.kubebuilder.io/beyond_basics/generating_crd.html
 
- // UserID is the user ID from RHD Identity Provider token (“sub” claim)
- // +optional
- UserID string `json:"userID,omitempty"`
-
 // If set to true then the corresponding user should not be able to login (but the underlying UserAccounts still exists)
 // "false" is assumed by default
 // +optional
@@ -70,11 +61,6 @@ type MasterUserRecordSpec struct {
 // +listMapKey=targetCluster
 UserAccounts []UserAccountEmbedded `json:"userAccounts,omitempty"`
 
- // OriginalSub is an optional property temporarily introduced for the purpose of migrating the users to
- // a new IdP provider client, and contains the user's "original-sub" claim
- // +optional
- OriginalSub string `json:"originalSub,omitempty"`
-
 // TierName is an optional property introduced to retain the name of the tier
 // for which the Dev Sandbox user is provisioned, so we can still deal with deactivation
 // once the NSTemplateSet field has been removed from `[]spec.UserAccounts`
diff --git a/api/v1alpha1/useraccount_types.go b/api/v1alpha1/useraccount_types.go
index 0adfc9fe..497f45df 100644
--- a/api/v1alpha1/useraccount_types.go
+++ b/api/v1alpha1/useraccount_types.go
@@ -17,10 +17,20 @@ const (
 UserAccountTerminatingReason = terminatingReason
 UserAccountUpdatingReason = updatingReason
 
- // #### ANNOTATIONS ####
- // UserEmailAnnotationKey is used to store the user's email in an annotation of UserAccount and User CRs
- // (Note: key is the same as for the MasterUserRecord email annotation)
- UserEmailAnnotationKey = MasterUserRecordEmailAnnotationKey
+ // AnnotationKeyPrefix is the prefix used for annotation key values
+ AnnotationKeyPrefix = LabelKeyPrefix
+
+ // UserIDUserAnnotationKey is used to set an annotation value in the User resource on the member cluster, that
+ // contains the user's User ID as set in the user's JWT token.
+ UserIDUserAnnotationKey = AnnotationKeyPrefix + "sso-user-id"
+
+ // AccountIDUserAnnotationKey is used to set an annotation value in the User resource on the member cluster, that
+ // contains the user's Account ID as set in the user's JWT token.
+ AccountIDUserAnnotationKey = AnnotationKeyPrefix + "sso-account-id"
+
+ // EmailUserAnnotationKey is used to set an annotation value in the User resource on the member cluster, that
+ // contains the user's Email as set in the user's JWT token.
+ EmailUserAnnotationKey = AnnotationKeyPrefix + "user-email"
 )
 
 // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
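Review bot: The new `EmailUserAnnotationKey` evaluates to the same string as the `UserSignupUserEmailAnnotationKey` this commit removes from usersignup_types.go (both are `LabelKeyPrefix + "user-email"`, since `AnnotationKeyPrefix = LabelKeyPrefix`), but nothing on the constant says the value is deliberately preserved, so a reader seeing it next to two genuinely new keys will assume it may be renamed freely. Suggest `// Key value intentionally matches the former UserEmailAnnotationKey so annotations already present on User resources stay readable.` above it, if that preservation is intended. Relatedly, the three doc comments say the value is "as set in the user's JWT token", while the only claim source visible in this file is `UserAccountSpec.PropagatedClaims`; if the member operator copies from there, naming it (e.g. `// contains the user's Account ID propagated via UserAccountSpec.PropagatedClaims.AccountID`) tells readers the annotation is a copy of spec data rather than an independently verified token value. `AnnotationKeyPrefix` is also package-wide yet now lives inside the UserAccount constant block; a one-line comment noting it is shared by every resource in the package would stop it reading as UserAccount-specific.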
@@ -31,21 +41,11 @@ type UserAccountSpec struct {
 // Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
 // Add custom validation using kubebuilder tags: https://book.kubebuilder.io/beyond_basics/generating_crd.html
 
- // UserID is the user ID from RHD Identity Provider token (“sub” claim)
- // Is to be used to create Identity and UserIdentityMapping resources
- // +optional
- UserID string `json:"userID,omitempty"`
-
 // If set to true then the corresponding user should not be able to login
 // "false" is assumed by default
 // +optional
 Disabled bool `json:"disabled,omitempty"`
 
- // OriginalSub is an optional property temporarily introduced for the purpose of migrating the users to
- // a new IdP provider client, and contains the user's "original-sub" claim
- // +optional
- OriginalSub string `json:"originalSub,omitempty"`
-
 // PropagatedClaims contains a selection of claim values from the SSO Identity Provider which are intended to
 // be "propagated" down the resource dependency chain
 // +optional
diff --git a/api/v1alpha1/usersignup_types.go b/api/v1alpha1/usersignup_types.go
index e5a27a66..fb60e3f2 100644
--- a/api/v1alpha1/usersignup_types.go
+++ b/api/v1alpha1/usersignup_types.go
@@ -19,8 +19,6 @@ const (
 // UserSignupLastTargetClusterAnnotationKey is used for tracking the cluster for returning users
 UserSignupLastTargetClusterAnnotationKey = LabelKeyPrefix + "last-target-cluster"
- // UserSignupUserEmailAnnotationKey is used for the usersignup email annotations key
- UserSignupUserEmailAnnotationKey = LabelKeyPrefix + "user-email"
 // UserSignupVerificationCodeAnnotationKey is used for the usersignup verification code annotation key
 UserSignupVerificationCodeAnnotationKey = LabelKeyPrefix + "verification-code"
 // UserSignupVerificationTimestampAnnotationKey is used for the usersignup verification timestamp annotation key
@@ -170,36 +168,11 @@ type UserSignupSpec struct {
 // +optional
 TargetCluster string `json:"targetCluster,omitempty"`
 
- // The user's user ID, obtained from the identity provider from the 'sub' (subject) claim
- // +optional
- Userid string `json:"userid,omitempty"`
-
- // The user's username, obtained from the identity provider.
- // +optional
- Username string `json:"username,omitempty"`
-
- // The user's first name, obtained from the identity provider.
- // +optional
- GivenName string `json:"givenName,omitempty"`
-
- // The user's last name, obtained from the identity provider.
- // +optional
- FamilyName string `json:"familyName,omitempty"`
-
- // The user's company name, obtained from the identity provider.
- // +optional
- Company string `json:"company,omitempty"`
-
 // States contains a number of values that reflect the desired state of the UserSignup.
 // +optional
 // +listType=atomic
 States []UserSignupState `json:"states,omitempty"`
 
- // OriginalSub is an optional property temporarily introduced for the purpose of migrating the users to
- // a new IdP provider client, and contains the user's "original-sub" claim
- // +optional
- OriginalSub string `json:"originalSub,omitempty"`
-
 // IdentityClaims contains as-is claim values extracted from the user's access token
 // +optional
 IdentityClaims IdentityClaimsEmbedded `json:"identityClaims,omitempty"`
@@ -228,6 +201,7 @@ type IdentityClaimsEmbedded struct {
 Company string `json:"company,omitempty"`
 }
 
+// +k8s:openapi-gen=true
 type PropagatedClaims struct {
 // Sub contains the value of the 'sub' claim
 Sub string `json:"sub"`
@@ -283,10 +257,10 @@ type UserSignupStatus struct {
 // +k8s:openapi-gen=true
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:scope=Namespaced
-// +kubebuilder:printcolumn:name="Username",type="string",JSONPath=`.spec.username`
-// +kubebuilder:printcolumn:name="First Name",type="string",JSONPath=`.spec.givenName`,priority=1
-// +kubebuilder:printcolumn:name="Last Name",type="string",JSONPath=`.spec.familyName`,priority=1
-// +kubebuilder:printcolumn:name="Company",type="string",JSONPath=`.spec.company`,priority=1
+// +kubebuilder:printcolumn:name="Username",type="string",JSONPath=`.spec.identityClaims.preferredUsername`
+// +kubebuilder:printcolumn:name="First Name",type="string",JSONPath=`.spec.identityClaims.givenName`,priority=1
+// +kubebuilder:printcolumn:name="Last Name",type="string",JSONPath=`.spec.identityClaims.familyName`,priority=1
+// +kubebuilder:printcolumn:name="Company",type="string",JSONPath=`.spec.identityClaims.company`,priority=1
 // +kubebuilder:printcolumn:name="TargetCluster",type="string",JSONPath=`.spec.targetCluster`,priority=1
 // +kubebuilder:printcolumn:name="Complete",type="string",JSONPath=`.status.conditions[?(@.type=="Complete")].status`
 // +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=`.status.conditions[?(@.type=="Complete")].reason`
diff --git a/api/v1alpha1/zz_generated.openapi.go b/api/v1alpha1/zz_generated.openapi.go
index 12c52819..e4e27d45 100644
--- a/api/v1alpha1/zz_generated.openapi.go
+++ b/api/v1alpha1/zz_generated.openapi.go
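Review bot: The four new printcolumn JSONPaths are strings inside marker comments, so a mismatch with the real json tags is not caught at compile time and merely yields an empty column; of the four, only `company` is visible in this diff as a json tag on IdentityClaimsEmbedded (the `@@ -228` hunk above), while `preferredUsername`, `givenName` and `familyName` sit in the part of that struct outside the hunk, so they should be checked against the actual tags before merge. The diffstat lists only Go files; if CRD manifests are committed in this repository they need regenerating, because the old columns point at `.spec.username` and friends, which this commit deletes from UserSignupSpec. A short comment above the block, such as `// printcolumn paths must match the json tags of IdentityClaimsEmbedded`, would help the next person who renames a claim field.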
@@ -78,6 +78,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/codeready-toolchain/api/api/v1alpha1.NotificationSpec": schema_codeready_toolchain_api_api_v1alpha1_NotificationSpec(ref), "github.com/codeready-toolchain/api/api/v1alpha1.NotificationStatus": schema_codeready_toolchain_api_api_v1alpha1_NotificationStatus(ref), "github.com/codeready-toolchain/api/api/v1alpha1.NotificationsConfig": schema_codeready_toolchain_api_api_v1alpha1_NotificationsConfig(ref), + "github.com/codeready-toolchain/api/api/v1alpha1.PropagatedClaims": schema_codeready_toolchain_api_api_v1alpha1_PropagatedClaims(ref), "github.com/codeready-toolchain/api/api/v1alpha1.ProxyPlugin": schema_codeready_toolchain_api_api_v1alpha1_ProxyPlugin(ref), "github.com/codeready-toolchain/api/api/v1alpha1.ProxyPluginSpec": schema_codeready_toolchain_api_api_v1alpha1_ProxyPluginSpec(ref), "github.com/codeready-toolchain/api/api/v1alpha1.ProxyPluginStatus": schema_codeready_toolchain_api_api_v1alpha1_ProxyPluginStatus(ref), @@ -1241,13 +1242,6 @@ func schema_codeready_toolchain_api_api_v1alpha1_MasterUserRecordSpec(ref common Description: "MasterUserRecordSpec defines the desired state of MasterUserRecord", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "userID": { - SchemaProps: spec.SchemaProps{ - Description: "UserID is the user ID from RHD Identity Provider token (“sub” claim)", - Type: []string{"string"}, - Format: "", - }, - }, "disabled": { SchemaProps: spec.SchemaProps{ Description: "If set to true then the corresponding user should not be able to login (but the underlying UserAccounts still exists) \"false\" is assumed by default", 
@@ -1277,13 +1271,6 @@ func schema_codeready_toolchain_api_api_v1alpha1_MasterUserRecordSpec(ref common }, }, }, - "originalSub": { - SchemaProps: spec.SchemaProps{ - Description: "OriginalSub is an optional property temporarily introduced for the purpose of migrating the users to a new IdP provider client, and contains the user's \"original-sub\" claim", - Type: []string{"string"}, - Format: "", - }, - }, "tierName": { SchemaProps: spec.SchemaProps{ Description: "TierName is an optional property introduced to retain the name of the tier for which the Dev Sandbox user is provisioned, so we can still deal with deactivation once the NSTemplateSet field has been removed from `[]spec.UserAccounts` temporarily marked as optional until the migration took place (CRT-1321)", 
@@ -2420,6 +2407,56 @@ func schema_codeready_toolchain_api_api_v1alpha1_NotificationsConfig(ref common. } } +func schema_codeready_toolchain_api_api_v1alpha1_PropagatedClaims(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "sub": { + SchemaProps: spec.SchemaProps{ + Description: "Sub contains the value of the 'sub' claim", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "userID": { + SchemaProps: spec.SchemaProps{ + Description: "UserID contains the value of the 'user_id' claim", + Type: []string{"string"}, + Format: "", + }, + }, + "accountID": { + SchemaProps: spec.SchemaProps{ + Description: "AccountID contains the value of the 'account_id' claim", + Type: []string{"string"}, + Format: "", + }, + }, + "originalSub": { + SchemaProps: spec.SchemaProps{ + Description: "OriginalSub is an optional property temporarily introduced for the purpose of migrating the users to a new IdP provider client, and contains the user's \"original-sub\" claim", + Type: []string{"string"}, + Format: "", + }, + }, + "email": { + SchemaProps: spec.SchemaProps{ + Description: "Email contains the user's email address", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"sub", "email"}, + }, + }, + } +} + func schema_codeready_toolchain_api_api_v1alpha1_ProxyPlugin(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -4935,13 +4972,6 @@ func schema_codeready_toolchain_api_api_v1alpha1_UserAccountSpec(ref common.Refe Description: "UserAccountSpec defines the desired state of UserAccount", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "userID": { - SchemaProps: spec.SchemaProps{ - Description: "UserID is the user ID from RHD Identity Provider token (“sub” claim) Is to be used to create Identity and UserIdentityMapping resources", - Type: []string{"string"}, - Format: "", - }, - }, "disabled": { SchemaProps: spec.SchemaProps{ Description: "If set to true then the corresponding user should not be able to login \"false\" is assumed by default", @@ -4949,13 +4979,6 @@ func schema_codeready_toolchain_api_api_v1alpha1_UserAccountSpec(ref common.Refe Format: "", }, }, - "originalSub": { - SchemaProps: spec.SchemaProps{ - Description: "OriginalSub is an optional property temporarily introduced for the purpose of migrating the users to a new IdP provider client, and contains the user's \"original-sub\" claim", - Type: []string{"string"}, - Format: "", - }, - }, "propagatedClaims": { SchemaProps: spec.SchemaProps{ Description: "PropagatedClaims contains a selection of claim values from the SSO Identity Provider which are intended to be \"propagated\" down the resource dependency chain", 
@@ -5071,41 +5094,6 @@ func schema_codeready_toolchain_api_api_v1alpha1_UserSignupSpec(ref common.Refer Format: "", }, }, - "userid": { - SchemaProps: spec.SchemaProps{ - Description: "The user's user ID, obtained from the identity provider from the 'sub' (subject) claim", - Type: []string{"string"}, - Format: "", - }, - }, - "username": { - SchemaProps: spec.SchemaProps{ - Description: "The user's username, obtained from the identity provider.", - Type: []string{"string"}, - Format: "", - }, - }, - "givenName": { - SchemaProps: spec.SchemaProps{ - Description: "The user's first name, obtained from the identity provider.", - Type: []string{"string"}, - Format: "", - }, - }, - "familyName": { - SchemaProps: spec.SchemaProps{ - Description: "The user's last name, obtained from the identity provider.", - Type: []string{"string"}, - Format: "", - }, - }, - "company": { - SchemaProps: spec.SchemaProps{ - Description: "The user's company name, obtained from the identity provider.", - Type: []string{"string"}, - Format: "", - }, - }, "states": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ @@ -5126,13 +5114,6 @@ func schema_codeready_toolchain_api_api_v1alpha1_UserSignupSpec(ref common.Refer }, }, }, - "originalSub": { - SchemaProps: spec.SchemaProps{ - Description: "OriginalSub is an optional property temporarily introduced for the purpose of migrating the users to a new IdP provider client, and contains the user's \"original-sub\" claim", - Type: []string{"string"}, - Format: "", - }, - }, "identityClaims": { SchemaProps: spec.SchemaProps{ Description: "IdentityClaims contains as-is claim values extracted from the user's access token",