
Commit 64bdd4a

Merge pull request #3551 from ntnn/kcp3513-cel-validation
Add CEL validation to WorkspaceAuthenticationConfiguration
2 parents f49f89b + c500490 commit 64bdd4a


6 files changed

+254
-60
lines changed


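--- a/config/crds/tenancy.kcp.io_workspaceauthenticationconfigurations.yaml
+++ b/config/crds/tenancy.kcp.io_workspaceauthenticationconfigurations.yaml
@@ -68,61 +68,87 @@ spec:
 for a single prefixed claim or expression.
 properties:
 claim:
+minLength: 1
 type: string
 expression:
+minLength: 1
 type: string
 prefix:
 type: string
-required:
-- claim
 type: object
+x-kubernetes-validations:
+- message: either claim or expression must be specified
+rule: has(self.claim) || has(self.expression)
+- message: claim and expression cannot both be specified
+rule: '!(has(self.claim) && has(self.expression))'
+- message: prefix can only be specified when claim is specified
+rule: '!(has(self.prefix)) || has(self.claim)'
 uid:
 description: ClaimOrExpression provides the configuration
 for a single claim or expression.
 properties:
 claim:
+minLength: 1
 type: string
 expression:
+minLength: 1
 type: string
-required:
-- claim
 type: object
+x-kubernetes-validations:
+- message: claim and expression cannot both be specified
+rule: '!(has(self.claim) && has(self.expression))'
 username:
 description: PrefixedClaimOrExpression provides the configuration
 for a single prefixed claim or expression.
 properties:
 claim:
+minLength: 1
 type: string
 expression:
+minLength: 1
 type: string
 prefix:
 type: string
-required:
-- claim
 type: object
-required:
-- groups
-- username
+x-kubernetes-validations:
+- message: either claim or expression must be specified
+rule: has(self.claim) || has(self.expression)
+- message: claim and expression cannot both be specified
+rule: '!(has(self.claim) && has(self.expression))'
+- message: prefix can only be specified when claim is specified
+rule: '!(has(self.prefix)) || has(self.claim)'
 type: object
 claimValidationRules:
 items:
 description: ClaimValidationRule provides the configuration
 for a single claim validation rule.
 properties:
 claim:
+minLength: 1
 type: string
 expression:
+minLength: 1
 type: string
 message:
+minLength: 1
 type: string
 requiredValue:
+minLength: 1
 type: string
-required:
-- claim
-- expression
-- message
-- requiredValue
 type: object
+x-kubernetes-validations:
+- message: either claim or expression must be specified
+rule: has(self.claim) || has(self.expression)
+- message: claim and expression cannot both be specified
+rule: '!(has(self.claim) && has(self.expression))'
+- message: requiredValue can only be specified when claim
+is specified
+rule: (has(self.expression) && !has(self.requiredValue))
+|| (has(self.claim) && has(self.requiredValue))
+- message: message can only be specified when expression is
+specified
+rule: (has(self.expression) && has(self.message)) || (has(self.claim)
+&& !has(self.message))
 type: array
 issuer:
 description: Issuer provides the configuration for an external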
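Review bot: The validation messages on the two new claimValidationRules rules do not describe what the rules enforce. `(has(self.expression) && !has(self.requiredValue)) || (has(self.claim) && has(self.requiredValue))` also fails for a rule with `claim` set and no `requiredValue`, yet the user is told "requiredValue can only be specified when claim is specified"; the same applies to the `message`/`expression` rule, which silently makes `message` mandatory whenever `expression` is used. Since this file is generated, the wording should be fixed in the kubebuilder XValidation markers on ClaimValidationRule in types_workspaceauthentication.go, e.g. `message: requiredValue must be specified when claim is specified and must not be specified when expression is specified` and `message: message must be specified when expression is specified and must not be specified when claim is specified`. If the intent was instead to allow `claim` without `requiredValue`, the rule itself should be relaxed to `!has(self.requiredValue) || has(self.claim)`.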

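--- a/config/root-phase0/apiexport-tenancy.kcp.io.yaml
+++ b/config/root-phase0/apiexport-tenancy.kcp.io.yaml
@@ -9,7 +9,7 @@ spec:
 resources:
 - group: tenancy.kcp.io
 name: workspaceauthenticationconfigurations
-schema: v250802-1b3cd3d0d.workspaceauthenticationconfigurations.tenancy.kcp.io
+schema: v250827-717cfea84.workspaceauthenticationconfigurations.tenancy.kcp.io
 storage:
 crd: {}
 - group: tenancy.kcp.io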

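--- a/config/root-phase0/apiresourceschema-workspaceauthenticationconfigurations.tenancy.kcp.io.yaml
+++ b/config/root-phase0/apiresourceschema-workspaceauthenticationconfigurations.tenancy.kcp.io.yaml
@@ -2,7 +2,7 @@ apiVersion: apis.kcp.io/v1alpha1
 kind: APIResourceSchema
 metadata:
 creationTimestamp: null
-name: v250802-1b3cd3d0d.workspaceauthenticationconfigurations.tenancy.kcp.io
+name: v250827-717cfea84.workspaceauthenticationconfigurations.tenancy.kcp.io
 spec:
 group: tenancy.kcp.io
 names:
@@ -65,61 +65,87 @@ spec:
 for a single prefixed claim or expression.
 properties:
 claim:
+minLength: 1
 type: string
 expression:
+minLength: 1
 type: string
 prefix:
 type: string
-required:
-- claim
 type: object
+x-kubernetes-validations:
+- message: either claim or expression must be specified
+rule: has(self.claim) || has(self.expression)
+- message: claim and expression cannot both be specified
+rule: '!(has(self.claim) && has(self.expression))'
+- message: prefix can only be specified when claim is specified
+rule: '!(has(self.prefix)) || has(self.claim)'
 uid:
 description: ClaimOrExpression provides the configuration
 for a single claim or expression.
 properties:
 claim:
+minLength: 1
 type: string
 expression:
+minLength: 1
 type: string
-required:
-- claim
 type: object
+x-kubernetes-validations:
+- message: claim and expression cannot both be specified
+rule: '!(has(self.claim) && has(self.expression))'
 username:
 description: PrefixedClaimOrExpression provides the configuration
 for a single prefixed claim or expression.
 properties:
 claim:
+minLength: 1
 type: string
 expression:
+minLength: 1
 type: string
 prefix:
 type: string
-required:
-- claim
 type: object
-required:
-- groups
-- username
+x-kubernetes-validations:
+- message: either claim or expression must be specified
+rule: has(self.claim) || has(self.expression)
+- message: claim and expression cannot both be specified
+rule: '!(has(self.claim) && has(self.expression))'
+- message: prefix can only be specified when claim is specified
+rule: '!(has(self.prefix)) || has(self.claim)'
 type: object
 claimValidationRules:
 items:
 description: ClaimValidationRule provides the configuration
 for a single claim validation rule.
 properties:
 claim:
+minLength: 1
 type: string
 expression:
+minLength: 1
 type: string
 message:
+minLength: 1
 type: string
 requiredValue:
+minLength: 1
 type: string
-required:
-- claim
-- expression
-- message
-- requiredValue
 type: object
+x-kubernetes-validations:
+- message: either claim or expression must be specified
+rule: has(self.claim) || has(self.expression)
+- message: claim and expression cannot both be specified
+rule: '!(has(self.claim) && has(self.expression))'
+- message: requiredValue can only be specified when claim is
+specified
+rule: (has(self.expression) && !has(self.requiredValue)) ||
+(has(self.claim) && has(self.requiredValue))
+- message: message can only be specified when expression is
+specified
+rule: (has(self.expression) && has(self.message)) || (has(self.claim)
+&& !has(self.message))
 type: array
 issuer:
 description: Issuer provides the configuration for an external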

pkg/openapi/zz_generated.openapi.go

Lines changed: 12 additions & 22 deletions

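--- a/sdk/apis/tenancy/v1alpha1/types_workspaceauthentication.go
+++ b/sdk/apis/tenancy/v1alpha1/types_workspaceauthentication.go
@@ -102,37 +102,59 @@ const (
 )
 
 // ClaimValidationRule provides the configuration for a single claim validation rule.
+// +kubebuilder:validation:XValidation:rule="has(self.claim) || has(self.expression)",message="either claim or expression must be specified"
+// +kubebuilder:validation:XValidation:rule="!(has(self.claim) && has(self.expression))",message="claim and expression cannot both be specified"
+// +kubebuilder:validation:XValidation:rule="(has(self.expression) && !has(self.requiredValue)) || (has(self.claim) && has(self.requiredValue))",message="requiredValue can only be specified when claim is specified"
+// +kubebuilder:validation:XValidation:rule="(has(self.expression) && has(self.message)) || (has(self.claim) && !has(self.message))",message="message can only be specified when expression is specified"
 type ClaimValidationRule struct {
-Claim string `json:"claim"`
-RequiredValue string `json:"requiredValue"`
+// +optional
+// +kubebuilder:validation:MinLength=1
+Claim string `json:"claim,omitempty"`
+// +optional
+// +kubebuilder:validation:MinLength=1
+RequiredValue string `json:"requiredValue,omitempty"`
 
-Expression string `json:"expression"`
-Message string `json:"message"`
+// +optional
+// +kubebuilder:validation:MinLength=1
+Expression string `json:"expression,omitempty"`
+// +optional
+// +kubebuilder:validation:MinLength=1
+Message string `json:"message,omitempty"`
 }
 
 // ClaimMappings provides the configuration for claim mapping.
 type ClaimMappings struct {
-Username PrefixedClaimOrExpression `json:"username"`
-Groups PrefixedClaimOrExpression `json:"groups"`
+Username PrefixedClaimOrExpression `json:"username,omitempty"`
+Groups PrefixedClaimOrExpression `json:"groups,omitempty"`
 // +optional
 UID ClaimOrExpression `json:"uid,omitempty"`
 // +optional
 Extra []ExtraMapping `json:"extra,omitempty"`
 }
 
 // PrefixedClaimOrExpression provides the configuration for a single prefixed claim or expression.
+// +kubebuilder:validation:XValidation:rule="has(self.claim) || has(self.expression)",message="either claim or expression must be specified"
+// +kubebuilder:validation:XValidation:rule="!(has(self.claim) && has(self.expression))",message="claim and expression cannot both be specified"
+// +kubebuilder:validation:XValidation:rule="!(has(self.prefix)) || has(self.claim)",message="prefix can only be specified when claim is specified"
 type PrefixedClaimOrExpression struct {
-Claim string `json:"claim"`
+// +optional
+// +kubebuilder:validation:MinLength=1
+Claim string `json:"claim,omitempty"`
 // +optional
 Prefix *string `json:"prefix,omitempty"`
 // +optional
+// +kubebuilder:validation:MinLength=1
 Expression string `json:"expression,omitempty"`
 }
 
 // ClaimOrExpression provides the configuration for a single claim or expression.
+// +kubebuilder:validation:XValidation:rule="!(has(self.claim) && has(self.expression))",message="claim and expression cannot both be specified"
 type ClaimOrExpression struct {
-Claim string `json:"claim"`
 // +optional
+// +kubebuilder:validation:MinLength=1
+Claim string `json:"claim,omitempty"`
+// +optional
+// +kubebuilder:validation:MinLength=1
 Expression string `json:"expression,omitempty"`
 }
 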