v1alpha2

type ApiStatus struct {
	// Whether the resource is synced, not synced, failed to sync, etc
	Phase Phase `json:"phase,omitempty"`
	// The time the resource was last updated.
	// +optional
	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
}

type BasicAuthSecret struct {
	// The name of a secret of type `kubernetes.io/basic-auth` to authenticate to
	// keycloak as admin. The secret need to be in the same namespace as the KeycloakEndpoint.
	Name string `json:"name"`

	// Namespace where the secret resides. Only used for KeycloakClusterEndpoint.
	// Has no effect when used with KeycloakEndpoint.
	Namespace string `json:"namespace,omitempty"`
}

type CertificateLdapMapper struct {
	// +kubebuilder:default=false
	AlwaysReadValueFromLDAP bool `json:"alwaysReadValueFromLDAP"`
	// +kubebuilder:default=""
	AttributeDefaultValue string `json:"attributeDefaultValue,omitempty"`
	// +kubebuilder:default=""
	LDAPAttribute string `json:"ldapAttribute,omitempty"`
	// +kubebuilder:default=true
	ReadOnly bool `json:"readOnly"`
	// If true, attribute is mandatory in LDAP. Hence if there is no value in Keycloak DB,
	// the default or empty value will be set to be propagated to LDAP
	// +kubebuilder:default=false
	IsMandatoryInLDAP bool `json:"isMandatoryInLDAP"`
	// Should be true for binary LDAP attributes
	// +kubebuilder:default=false
	IsBinaryAttribute bool `json:"isBinaryAttribute"`
	// +kubebuilder:default=false
	IsDERFormatted bool `json:"isDERFormatted"`
	// +kubebuilder:default=""
	UserModelAttribute string `json:"userModelAttribute,omitempty"`
}

type ConfigMapValue struct {
	// Name of the configMap referenced
	Name string `json:"name"`

	// Name of the configMap key to use
	Key string `json:"key"`

	// Namespace where the ConfigMap resides. Used only for KeycloakClusterEndpoint.
	// Has no effect when used with KeycloakEndpoint.
	Namespace string `json:"namespace,omitempty"`
}

type EndpointPhase string

type EndpointSelector struct {
	// Kind of the resource representing a Keycloak endpoint
	// +kubebuilder:validation:Enum=KeycloakEndpoint;KeycloakClusterEndpoint
	// +kubebuilder:default=KeycloakEndpoint
	Kind string `json:"kind,omitempty"`
	// Name of the KeycloakEndpoint/KeycloakClusterEndpoint resource
	// +required
	Name string `json:"name,omitempty"`
}

type FullNameLdapMapper struct {
	// +kubebuilder:default="cn"
	LDAPFullNameAttribute string `json:"ldapFullNameAttribute"`
	// +kubebuilder:default=true
	ReadOnly bool `json:"readOnly"`
	// +kubebuilder:default=false
	WriteOnly bool `json:"writeOnly"`
}

type GroupLdapMapper struct {
	// +kubebuilder:default=false
	DropNonExistingGroupsDuringSync bool `json:"dropNonExistingGroupsDuringSync"`
	// Name of LDAP attribute, which is used in group objects for name and RDN of group. Usually it will
	// be 'cn' . In this case typical group/role object may have DN like 'cn=Group1,ou=groups,dc=example,dc=org'
	// +kubebuilder:default="cn"
	GroupNameLdapAttribute string `json:"groupNameLdapAttribute,omitempty"`
	// Object class (or classes) of the group object. It's divided by comma if more classes needed. In typical LDAP
	// deployment it could be 'groupOfNames' . In Active Directory it's usually 'group'
	// +kubebuilder:default={"group"}
	GroupObjectClasses []string `json:"groupObjectClasses,omitempty"`
	// LDAP DN where are groups of this tree saved. For example 'ou=groups,dc=example,dc=org'
	// +required
	GroupsDn string `json:"groupsDn,omitempty"`
	// LDAP Filter adds additional custom filter to the whole query for retrieve LDAP groups. Leave this empty if no
	// additional filtering is needed and you want to retrieve all groups from LDAP. Otherwise make sure that filter
	// starts with '(' and ends with ')'
	// +optional
	GroupsLdapFilter string `json:"groupsLdapFilter,omitempty"`
	// Keycloak group path the LDAP groups are added to. For example if value '/Applications/App1' is used, then LDAP
	// groups will be available in Keycloak under group 'App1', which is child of top level group 'Applications'.
	// The default value is '/' so LDAP groups will be mapped to the Keycloak groups at the top level. The configured
	// group path must already exists in the Keycloak when creating this mapper.
	// +kubebuilder:default="/"
	GroupsPath string `json:"groupsPath"`
	// Ignore missing groups in the group hierarchy
	// +kubebuilder:default=false
	IgnoreMissingGroups bool `json:"ignoreMissingGroups"`
	// +kubebuilder:default=""
	MemberofLdapAttribute string `json:"memberofLdapAttribute"`
	// +kubebuilder:default=""
	MembershipAttributeType string `json:"membershipAttributeType"`
	// +kubebuilder:default=""
	MembershipLdapAttribute string `json:"membershipLdapAttribute"`
	// +kubebuilder:default=""
	MembershipUserLdapAttribute string `json:"membershipUserLdapAttribute"`
	// LDAP_ONLY means that all group mappings of users are retrieved from LDAP and saved into LDAP.
	// READ_ONLY is Read-only LDAP mode where group mappings are retrieved from both LDAP and DB and
	// merged together. New group joins are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode
	// where group mappings are retrieved from LDAP just at the time when user is imported from LDAP and
	// then they are saved to local keycloak DB.
	// +kubebuilder:validation:Enum=IMPORT;LDAP_ONLY;READ_ONLY
	// +kubebuilder:default="READ_ONLY"
	Mode string `json:"mode"`
	// Flag whether group inheritance from LDAP should be propagated to Keycloak. If false, then all LDAP groups
	// will be mapped as flat top-level groups in Keycloak. Otherwise group inheritance is preserved into Keycloak,
	// but the group sync might fail if LDAP structure contains recursions or multiple parent groups per child groups
	// +kubebuilder:default=false
	PreserveGroupInheritance bool `json:"preserveGroupInheritance"`
	// Specify how to retrieve groups of user. LOAD_GROUPS_BY_MEMBER_ATTRIBUTE means that roles of user
	// will be retrieved by sending LDAP query to retrieve all groups where 'member' is our user.
	// GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE means that groups of user will be retrieved from 'memberOf'
	// attribute of our user. Or from the other attribute specified by 'Member-Of LDAP Attribute'.
	// LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY is applicable just in Active Directory and it means that
	// groups of user will be retrieved recursively with usage of LDAP_MATCHING_RULE_IN_CHAIN Ldap extension.
	// +kubebuilder:validation:Enum=GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE;LOAD_GROUPS_BY_MEMBER_ATTRIBUTE;LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY
	// +kubebuilder:default="GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE"
	UserRolesRetrieveStrategy string `json:"userRolesRetrieveStrategy"`
}

type GroupRepresentation struct {
	// Group ID
	// +optional
	ID string `json:"id,omitempty"`
	// Name of the group
	Name string `json:"name"`
}

type HardcodedAttributeMapper struct {
	// Name of the model attribute, which will be added when importing user from ldap
	// +kubebuilder:default=""
	UserModelAttributeName string `json:"userModelAttributeName,omitempty"`
	// Value of the model attribute, which will be added when importing user from ldap
	// +kubebuilder:default=""
	AttributeValue string `json:"attributeValue,omitempty"`
}

type HardcodedLdapAttributeMapper struct {
	// Name of the LDAP attribute, which will be added to the new user during registration
	LDAPAttributeName string `json:"ldapAttributeName"`
	// Value of the LDAP attribute, which will be added to the new user during registration.
	// You can either hardcode any value like 'foo' but you can also use some special tokens.
	// Only supported token right now is '${RANDOM}' , which will be replaced with some randomly generated String.
	LDAPAttributeValue string `json:"ldapAttributeValue"`
}

type HardcodedLdapGroupMapper struct {
	// Group to add the user in. Fill the full path of the group including path.
	// For example '/root-group/child-group'
	Group string `json:"group"`
}

type HardcodedLdapRoleMapper struct {
	// Role to give to the user. For client roles, it should be in the format
	// `<clientID>.<role>`
	Role string `json:"role,omitempty"`
}

type KeycloakClient struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakClientSpec   `json:"spec,omitempty"`
	Status KeycloakClientStatus `json:"status,omitempty"`
}

type KeycloakClientList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakClient `json:"items"`
}

type KeycloakClientProtocolMapper struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakClientProtocolMapperSpec   `json:"spec,omitempty"`
	Status KeycloakClientProtocolMapperStatus `json:"status,omitempty"`
}

type KeycloakClientProtocolMapperList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakClientProtocolMapper `json:"items"`
}

type KeycloakClientProtocolMapperSpec struct {
	Endpoint EndpointSelector `json:"endpoint,omitempty"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Realm string `json:"realm"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Client string                 `json:"client"`
	Config gocloak.ProtocolMapper `json:"config,omitempty"`
}

type KeycloakClientProtocolMapperStatus struct {
	// The ID of the client
	ClientID string `json:"clientID,omitempty"`
	// The ID of the protocol mapper managed
	ProtocolMapperID string `json:"protocolMapperID,omitempty"`
	// Base status
	// +optional
	Api ApiStatus `json:"api,omitempty"`
}

type KeycloakClientRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	ClientName string `json:"clientName,omitempty"`

	Spec   KeycloakClientRoleSpec   `json:"spec,omitempty"`
	Status KeycloakClientRoleStatus `json:"status,omitempty"`
}

type KeycloakClientRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakClientRole `json:"items"`
}

type KeycloakClientRoleMapping struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakClientRoleMappingSpec   `json:"spec,omitempty"`
	Status KeycloakClientRoleMappingStatus `json:"status,omitempty"`
}

type KeycloakClientRoleMappingList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakClientRoleMapping `json:"items"`
}

type KeycloakClientRoleMappingSpec struct {
	Endpoint EndpointSelector `json:"endpoint,omitempty"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Realm string `json:"realm"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Client string `json:"client"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Role string `json:"role"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Subject Subject `json:"subject"`
}

type KeycloakClientRoleMappingStatus struct {
	// The ID of the client owning the role concerned by the mapping
	ClientID string `json:"clientID,omitempty"`
	// The ID of the client role concerned by the mapping
	RoleID string `json:"roleID,omitempty"`
	// The ID of the Subject concerned by the mapping
	SubjectID string `json:"subjectID,omitempty"`
	// Base status
	// +optional
	Api ApiStatus `json:"api,omitempty"`
}

type KeycloakClientRoleSpec struct {
	Endpoint EndpointSelector `json:"endpoint,omitempty"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Realm string `json:"realm"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Client string       `json:"client"`
	Config gocloak.Role `json:"config"`
}

type KeycloakClientRoleStatus struct {
	// The ID of the client the role belongs to
	ClientID string `json:"clientID,omitempty"`
	// The ID of the role managed
	RoleID string `json:"roleID,omitempty"`
	// Base status
	// +optional
	Api ApiStatus `json:"api,omitempty"`
}

type KeycloakClientScope struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakClientScopeSpec   `json:"spec,omitempty"`
	Status KeycloakClientScopeStatus `json:"status,omitempty"`
}

type KeycloakClientScopeList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakClientScope `json:"items"`
}

type KeycloakClientScopeProtocolMapper struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakClientScopeProtocolMapperSpec   `json:"spec,omitempty"`
	Status KeycloakClientScopeProtocolMapperStatus `json:"status,omitempty"`
}

type KeycloakClientScopeProtocolMapperList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakClientScopeProtocolMapper `json:"items"`
}

type KeycloakClientScopeProtocolMapperSpec struct {
	Endpoint EndpointSelector `json:"endpoint,omitempty"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Realm string `json:"realm"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	ClientScope string                 `json:"clientScope"`
	Config      gocloak.ProtocolMapper `json:"config,omitempty"`
}

type KeycloakClientScopeProtocolMapperStatus struct {
	// The ID of the client scope
	ClientScopeID string `json:"clientScopeID,omitempty"`
	// The ID of the protocol mapper managed
	ProtocolMapperID string `json:"protocolMapperID,omitempty"`
	// Base status
	// +optional
	Api ApiStatus `json:"api,omitempty"`
}

type KeycloakClientScopeSpec struct {
	Endpoint EndpointSelector `json:"endpoint,omitempty"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Realm  string              `json:"realm"`
	Config gocloak.ClientScope `json:"config"`
}

type KeycloakClientScopeStatus struct {
	// The ID of the client scope deployed
	ClientScopeID string `json:"clientScopeID,omitempty"`
	// Base status
	// +optional
	Api ApiStatus `json:"api,omitempty"`
}

type KeycloakClientSpec struct {
	Endpoint EndpointSelector `json:"endpoint,omitempty"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Realm  string          `json:"realm"`
	Secret SecretGenerator `json:"secret,omitempty"`
	Config gocloak.Client  `json:"config"`
}

type KeycloakClientStatus struct {
	// The ID of the OIDC/SAML client that is created / managed
	ClientID string `json:"clientID,omitempty"`
	// Base status
	// +optional
	Api ApiStatus `json:"api,omitempty"`
}

type KeycloakClusterEndpoint struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakEndpointSpec   `json:"spec,omitempty"`
	Status KeycloakEndpointStatus `json:"status,omitempty"`
}

type KeycloakClusterEndpointList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakClusterEndpoint `json:"items"`
}

type KeycloakEndpoint struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakEndpointSpec   `json:"spec,omitempty"`
	Status KeycloakEndpointStatus `json:"status,omitempty"`
}

type KeycloakEndpointList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakEndpoint `json:"items"`
}

type KeycloakEndpointSpec struct {
	// URL to the keycloak server to manage
	BaseUrl string `json:"baseUrl,omitempty"`

	// Additional prefix of the keycloak API (if needed). Should sometimes
	// be set to `/auth` for some deployments of keycloak.
	// +kubebuilder:default=""
	BasePath string `json:"basePath,omitempty"`

	// Use the value stored in a ConfigMap for the CA certificate
	CaConfigMap *ConfigMapValue `json:"caConfigMap,omitempty"`

	// Ignore TLS CA verification. It's recommended to set `caConfigMap` instead.
	// +kubebuilder:default=false
	TlsInsecureSkipVerify bool `json:"tlsInsecureSkipVerify,omitempty"`

	// Realm to use for admin connections. Defaults to `master`.
	// +kubebuilder:default="master"
	Realm string `json:"realm"`

	// Timeout in seconds for the HTTP connection. Defaults to 10 seconds.
	// +kubebuilder:default=10
	Timeout int `json:"timeout"`

	// The name of a secret of type `kubernetes.io/basic-auth` to authenticate to
	// keycloak as admin. The secret need to be in the same namespace as the KeycloakEndpoint.
	// When used in the context of KeycloakClusterEndpoint, a the `namespace` of the secret can
	// be set.
	BasicAuthSecret BasicAuthSecret `json:"basicAuthSecret,omitempty"`

	// A list of rules to complete kubernetes RBAC. If the resource being reconciled matches
	// one of this rule, the action will be executed (allow/reject). If no rule match, the
	// `noMatchBehavior` will be executed. If nothing matches, it will be allowed.
	// If you need to default to forbidden, add a `{action: reject}` as the last rule.
	Rules []Rule `json:"rules,omitempty"`
}

type KeycloakEndpointStatus struct {
	// Whether the CRD could connect to the keycloak endpoint successfully
	Phase   EndpointPhase `json:"phase,omitempty"`
	Version string        `json:"version,omitempty"`
	Message string        `json:"message,omitempty"`
	// +optional
	LastSuccess *metav1.Time `json:"lastSuccess,omitempty"`
}

type KeycloakLDAPFederation struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakLDAPFederationSpec   `json:"spec,omitempty"`
	Status KeycloakLDAPFederationStatus `json:"status,omitempty"`
}

type KeycloakLDAPFederationList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakLDAPFederation `json:"items"`
}

type KeycloakLDAPFederationSpec struct {
	Endpoint EndpointSelector `json:"endpoint,omitempty"`
	Realm    string           `json:"realm"`
	Config   *LdapFederation  `json:"config,omitempty"`
}

type KeycloakLDAPFederationStatus struct {
	// ID of the component representing the managed LDAP federation
	ComponentID string `json:"componentID,omitempty"`
	// Result of the last successful sync
	// +optional
	Result *gocloak.LDAPSyncResult `json:"result,omitempty"`
	// Base status
	// +optional
	Api ApiStatus `json:"api,omitempty"`
}

type KeycloakLDAPMapper struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakLDAPMapperSpec   `json:"spec,omitempty"`
	Status KeycloakLDAPMapperStatus `json:"status,omitempty"`
}

type KeycloakLDAPMapperList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakLDAPMapper `json:"items"`
}

type KeycloakLDAPMapperSpec struct {
	Endpoint EndpointSelector `json:"endpoint,omitempty"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Realm string `json:"realm"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Federation string `json:"federation"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	// +kubebuilder:validation:Enum=user-attribute-ldap-mapper;group-ldap-mapper;role-ldap-mapper
	Type string `json:"type"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Name string `json:"name"`
	// +optional
	GroupLdapMapper *GroupLdapMapper `json:"groupLdapMapper,omitempty"`
	// +optional
	UserAttributeLdapMapper *UserAttributeLdapMapper `json:"userAttributeLdapMapper,omitempty"`
	// +optional
	RoleLdapMapper *RoleLdapMapper `json:"roleLdapMapper,omitempty"`
	// +optional
	FullNameLdapMapper *FullNameLdapMapper `json:"fullNameLdapMapper,omitempty"`
	// +optional
	CertificateLdapMapper *CertificateLdapMapper `json:"certificateLdapMapper,omitempty"`
	// +optional
	HardcodedLdapGroupMapper *HardcodedLdapGroupMapper `json:"hardcodedLdapGroupMapper,omitempty"`
	// +optional
	HardcodedLdapAttributeMapper *HardcodedLdapAttributeMapper `json:"hardcodedLdapAttributeMapper,omitempty"`
	// +optional
	HardcodedAttributeMapper *HardcodedAttributeMapper `json:"hardcodedAttributeMapper,omitempty"`
	// +optional
	HardcodedLdapRoleMapper *HardcodedLdapRoleMapper `json:"hardcodedLdapRoleMapper,omitempty"`
	// +optional
	MSADUserAccountControlMapper *MSADUserAccountControlMapper `json:"msadUserAccountControlMapper,omitempty"`
}

type KeycloakLDAPMapperStatus struct {
	// ID of the component representing the managed LDAP mapper
	ComponentID string `json:"componentID,omitempty"`
	// ID of the LDAP Federation it belongs to
	FederationID string `json:"federationID,omitempty"`
	// Result of the last successful sync
	// +optional
	Result *gocloak.LDAPSyncResult `json:"result,omitempty"`
	// Base status
	// +optional
	Api ApiStatus `json:"api,omitempty"`
}

type KeycloakRealm struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakRealmSpec   `json:"spec,omitempty"`
	Status KeycloakRealmStatus `json:"status,omitempty"`
}

type KeycloakRealmList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakRealm `json:"items"`
}

type KeycloakRealmRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakRealmRoleSpec   `json:"spec,omitempty"`
	Status KeycloakRealmRoleStatus `json:"status,omitempty"`
}

type KeycloakRealmRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakRealmRole `json:"items"`
}

type KeycloakRealmRoleSpec struct {
	Endpoint EndpointSelector `json:"endpoint,omitempty"`
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
	Realm  string       `json:"realm"`
	Config gocloak.Role `json:"config"`
}

type KeycloakRealmRoleStatus struct {
	// The ID of the role managed
	RoleID string `json:"roleID,omitempty"`
	// Base status
	// +optional
	Api ApiStatus `json:"api,omitempty"`
}

type KeycloakRealmSpec struct {
	Endpoint EndpointSelector `json:"endpoint,omitempty"`
	// +kubebuilder:validation:Required
	Config gocloak.RealmRepresentation `json:"config"`
}

type KeycloakRealmStatus struct {
	// The ID of the realm managed
	// +optional
	RealmID string `json:"realmId,omitempty"`

	// Base status
	// +optional
	Api ApiStatus `json:"api,omitempty"`
}

type LdapFederation struct {
	// Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users
	// will be provisioned from this LDAP server.
	// +kubebuilder:default=false
	AllowKerberosAuthentication bool `json:"allowKerberosAuthentication"`
	// Count of LDAP users to be imported from LDAP to Keycloak within a single transaction
	// +kubebuilder:default=1000
	BatchSizeForSync int `json:"batchSizeForSync"`
	// Name of a kubernetes secret holding the `bind_dn` and `bind_password` necessary to connect
	// +kubebuilder:default=""
	BindCredentialsSecret string `json:"bindCredentialsSecret,omitempty"`
	// Cache Policy for this storage provider. 'DEFAULT' is whatever the default settings are for the global cache.
	// 'EVICT_DAILY' is a time of day every day that the cache will be invalidated. 'EVICT_WEEKLY' is a day of the week
	// and time the cache will be invalidated. 'MAX_LIFESPAN' is the time in milliseconds that will be the lifespan of a
	// cache entry.
	// +kubebuilder:validation:Enum=DEFAULT;EVICT_DAILY;EVICT_WEEKLY;MAX_LIFESPAN
	// +kubebuilder:default="DEFAULT"
	CachePolicy string `json:"cachePolicy,omitempty"`
	// Day of the week the entry will become invalid
	// +kubebuilder:validation:Enum=monday;tuesday;wednesday;thursday;friday;saturday;sunday
	// +kubebuilder:default="sunday"
	EvictionDay string `json:"evictionDay,omitempty"`
	// Hour of the day the entry will become invalid (when selecting 'EVICT_DAILY' or 'EVICT_WEEKLY' cachePolicy)
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:validation:Maximum=23
	// +kubebuilder:default=0
	EvictionHour int `json:"evictionHour,omitempty"`
	// Minute of the hour the entry will become invalid (when selecting 'EVICT_DAILY' or 'EVICT_WEEKLY' cachePolicy)
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:validation:Maximum=59
	// +kubebuilder:default=0
	EvictionMinute int `json:"evictionMinute,omitempty"`
	// Max lifespan of cache entry in milliseconds (when selecting 'MAX_LIFESPAN' cachePolicy)
	// +kubebuilder:default=86400000
	MaxLifespan int `json:"maxLifespan,omitempty"`
	// Period for synchronization of changed or newly created LDAP users in seconds
	ChangedSyncPeriod *metav1.Duration `json:"changedSyncPeriod,omitempty"`
	// Determines if Keycloak should use connection pooling for accessing LDAP server.
	// +kubebuilder:default=false
	ConnectionPooling *bool `json:"connectionPooling"`
	// Connection URL to your LDAP server
	// +required
	ConnectionUrl string `json:"connectionUrl"`
	// LDAP connection timeout in milliseconds
	ConnectionTimeout *metav1.Duration `json:"connectionTimeout,omitempty"`
	// READ_ONLY is a read-only LDAP store. WRITABLE means data will be synced back to LDAP on demand.
	// UNSYNCED means user data will be imported, but not synced back to LDAP.
	// +kubebuilder:validation:Enum=READ_ONLY;WRITABLE;UNSYNCED
	// +kubebuilder:default="READ_ONLY"
	EditMode string `json:"editMode,omitempty"`
	// Enable or disable the LDAP federation
	// +kubebuilder:default=true
	Enabled bool `json:"enabled"`
	// Period for full synchronization in seconds
	FullSyncPeriod *metav1.Duration `json:"fullSyncPeriod,omitempty"`
	// If true, LDAP users will be imported into the Keycloak DB and synced by the configured sync policies.
	// +kubebuilder:default=true
	ImportEnabled bool `json:"importEnabled"`
	// Whether the LDAP server supports pagination
	// +kubebuilder:default=false
	Pagination bool `json:"pagination"`
	// +kubebuilder:default=0
	Priority int `json:"priority"`
	// Name of the LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it's the same as the Username LDAP attribute,
	// however it is not required. For example for Active directory, it is common to use 'cn' as RDN attribute when username attribute might be 'sAMAccountName'.
	// +kubebuilder:default=cn
	RdnLDAPAttribute string `json:"rdnLDAPAttribute,omitempty"`
	// Name of the LDAP federation
	// +required
	Name string `json:"name"`
	// Whether periodic synchronization of changed or newly created LDAP users to Keycloak should be enabled or not
	// +kubebuilder:default=false
	PeriodicChangedUsersSync bool `json:"periodicChangedUsersSync"`
	// Whether periodic full synchronization of LDAP users to Keycloak should be enabled or not
	// +kubebuilder:default=false
	PeriodicFullSync bool `json:"periodicFullSync"`
	// For one level, the search applies only for users in the DNs specified by User DNs. For subtree, the search applies to the whole subtree.
	// See LDAP documentation for more details.
	// +kubebuilder:validation:Enum="1";"2"
	// +kubebuilder:default="2"
	SearchScope string `json:"searchScope"`
	// Encrypts the connection to LDAP using STARTTLS, which will disable connection pooling
	// +kubebuilder:default=false
	StartTls bool `json:"startTls"`
	// +kubebuilder:default=false
	SyncRegistrations bool `json:"syncRegistrations"`
	// +kubebuilder:default=false
	TrustEmail bool `json:"trustEmail"`
	// User Kerberos login module for authenticating username/password against Kerberos server instead of authenticating against
	// LDAP server with Directory Service API
	// +kubebuilder:default=false
	UseKerberosForPasswordAuthentication bool `json:"useKerberosForPasswordAuthentication,omitempty"`
	// Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify extended operation usually requires that
	// LDAP user already has password in the LDAP server. So when this is used with 'Sync Registrations', it can be good to add
	// also 'Hardcoded LDAP attribute mapper' with randomly generated initial password.
	// +kubebuilder:default=false
	UsePasswordModifyExtendedOp bool `json:"usePasswordModifyExtendedOp"`
	// Specifies whether LDAP connection will use the Truststore SPI with the truststore configured in standalone.xml/domain.sml.
	// 'always' means that it will always use it. 'never' means that it will not use it. 'ldapsOnly' means that it will use
	// it if your connection URL use ldaps. Note that even if standalone.xml/domain.xml is not configured, the default java cacerts
	// or certificate specified by 'javax.net.ssl.trustStore' property will be used.
	// +kubebuilder:validation:Enum=always;ldapsOnly;never
	// +kubebuilder:default=ldapsOnly
	UseTruststoreSpi string `json:"useTruststoreSpi"`
	// All values of LDAP objectClass attribute for users in LDAP, divided by commas. For example: 'inetOrgPerson, organizationalPerson'.
	// Newly created Keycloak users will be written to LDAP with all those object classes and existing LDAP user records are found just
	// if they contain all those object classes.
	// +kubebuilder:default={'person'}
	UserObjectClasses []string `json:"userObjectClasses"`
	// Name of the LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be 'uid'. For Active directory
	// it can be 'sAMAccountName' or 'cn'. The attribute should be filled for all LDAP user records you want to import from LDAP to Keycloak.
	// +kubebuilder:default=samaccountname
	UsernameLDAPAttribute string `json:"usernameLDAPAttribute,omitempty"`
	// Full DN of LDAP tree where your users are. This DN is the parent of LDAP users. It could be for example 'ou=users,dc=example,dc=com'
	// assuming that your typical user will have DN like 'uid='john',ou=users,dc=example,dc=com'.
	// +required
	UsersDn string `json:"usersDn,omitempty"`
	// Name of the LDAP attribute, which is used as a unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is
	// 'entryUUID'; however some are different. For example, for Active directory it should be 'objectGUID'. If your LDAP server does not support
	// the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN'.
	// +kubebuilder:default=objectGUID
	UuidLDAPAttribute string `json:"uuidLDAPAttribute,omitempty"`
	// Determines if Keycloak should validate the password with the realm password policy before updating it
	// +kubebuilder:default=false
	ValidatePasswordPolicy bool `json:"validatePasswordPolicy"`
	// LDAP vendor (provider)
	// +kubebuilder:validation:Enum=ad;rhds;other;tivoli;edirectory
	// +required
	Vendor string `json:"vendor,omitempty"`
}

type MSADUserAccountControlMapper struct {
	// Applicable just for writable MSAD. If on, then updating password of MSAD user will use
	// LDAP_SERVER_POLICY_HINTS_OID extension, which means that advanced MSAD password policies
	// like 'password history' or 'minimal password age' will be applied. This extension works just
	// for MSAD 2008 R2 or newer.
	// +kubebuilder:default=false
	PasswordPolicyHintsEnabled bool `json:"passwordPolicyHintsEnabled"`
}

type Phase string

type RoleLdapMapper struct {
	// Used just when 'User Roles Retrieve Strategy' is GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE.
	// It specifies the name of the LDAP attribute on the LDAP user, which contains the roles
	// (LDAP Groups), which the user is member of. Usually it will be 'memberOf' and that's
	// also the default value.
	// +kubebuilder:default="memberOf"
	MemberofLdapAttribute string `json:"memberofLdapAttribute,omitempty"`
	// +kubebuilder:validation:Enum=DN;UID
	// +kubebuilder:default="DN"
	MembershipAttributeType string `json:"membershipAttributeType,omitempty"`
	// +kubebuilder:default=""
	MembershipLdapAttribute string `json:"membershipLdapAttribute,omitempty"`
	// +kubebuilder:default=""
	MembershipUserLdapAttribute string `json:"membershipUserLdapAttribute,omitempty"`
	// LDAP_ONLY means that all role mappings are retrieved from LDAP and saved into LDAP. READ_ONLY
	// is Read-only LDAP mode where role mappings are retrieved from both LDAP and DB and merged together.
	// New role grants are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where role mappings are
	// retrieved from LDAP just at the time when user is imported from LDAP and then they are saved to local keycloak DB.
	// +kubebuilder:validation:Enum=READ_ONLY;IMPORT;LDAP_ONLY
	// +kubebuilder:default="READ_ONLY"
	Mode string `json:"mode"`
	// +optional
	RoleObjectClasses []string `json:"roleObjectClasses,omitempty"`
	// +kubebuilder:default=""
	RolesDn string `json:"rolesDn,omitempty"`
	// If true, then LDAP role mappings will be mapped to realm role mappings in Keycloak. Otherwise it will be mapped to client role mappings
	// +kubebuilder:default=true
	UseRealmRolesMapping bool `json:"useRealmRoleMapping"`
	// Specify how to retrieve groups of user. LOAD_GROUPS_BY_MEMBER_ATTRIBUTE means that roles of user
	// will be retrieved by sending LDAP query to retrieve all groups where 'member' is our user.
	// GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE means that groups of user will be retrieved from 'memberOf'
	// attribute of our user. Or from the other attribute specified by 'Member-Of LDAP Attribute'.
	// LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY is applicable just in Active Directory and it means that
	// groups of user will be retrieved recursively with usage of LDAP_MATCHING_RULE_IN_CHAIN Ldap extension.
	// +kubebuilder:validation:Enum=GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE;LOAD_GROUPS_BY_MEMBER_ATTRIBUTE;LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY
	// +kubebuilder:default="LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"
	UserRolesRetrieveStrategy string `json:"userRolesRetrieveStrategy"`
}

type Rule struct {
	// A name to describe and document the rule.
	// +optional
	Name string `json:"name,omitempty"`
	// The authorization action to perform. Valid values: `allow`/`reject`.
	// +kubebuilder:validation:Enum=allow;reject
	Action string `json:"action"`
	// Resources that are allowed to be modified.
	// `*` and an empty array will authorize the rule for every resource
	Resources []string `json:"resources,omitempty"`
	// Namespaces allowed to manage resources
	// `*` and an empty array will authorize the rule for any namespace
	Namespaces []string `json:"namespaces,omitempty"`
	// Realms concerned by the constraint
	// `*` and an empty array will authorize the rule for any realm
	Realms []string `json:"realms,omitempty"`
}

type SecretGenerator struct {
	// Name of the secret to generate
	Name string `json:"name"`
	// Enable secret generation. Only useful when using the `client-secret`
	// client auth method.
	// +kubebuilder:default=true
	Enabled bool `json:"enabled"`
}

type Subject struct {
	// The type of the subject. Either `user` or `group`.
	// +kubebuilder:validation:Enum=user;group
	Kind string `json:"kind"`
	// The name of the user or group
	Name string `json:"name"`
}

type UserAttributeLdapMapper struct {
	// If on, then during reading of the LDAP attribute value will always used instead of the
	// value from Keycloak DB
	// +kubebuilder:default=false
	AlwaysReadValueFromLdap bool `json:"alwaysReadValueFromLdap"`
	// If there is no value in Keycloak DB and attribute is mandatory in LDAP, this value will
	// be propagated to LDAP
	// +kubebuilder:default=""
	AttributeDefaultValue string `json:"attributeDefaultValue"`
	// Should be true for binary LDAP attributes
	// +kubebuilder:default=false
	IsBinaryAttribute bool `json:"isBinaryAttribute"`
	// If true, attribute is mandatory in LDAP. Hence if there is no value in Keycloak DB,
	// the default or empty value will be set to be propagated to LDAP
	// +kubebuilder:default=false
	IsMandatoryInLdap bool `json:"isMandatoryInLdap"`
	// Name of mapped attribute on LDAP object. For example 'cn', 'sn, 'mail', 'street' etc.
	// +kubebuilder:default=""
	LdapAttribute string `json:"ldapAttribute"`
	// +kubebuilder:default=true
	// Read-only attribute is imported from LDAP to UserModel, but it's not saved back to LDAP when
	// user is updated in Keycloak.
	ReadOnly bool `json:"readOnly"`
	// Name of the UserModel property or attribute you want to map the LDAP attribute into.
	// For example 'firstName', 'lastName, 'email', 'street' etc.
	// +kubebuilder:default=""
	UserModelAttribute string `json:"userModelAttribute"`
}

type UserRepresentation struct {
	// User ID.
	// +optional
	ID string `json:"id,omitempty"`
	// User Name.
	// +optional
	UserName string `json:"username,omitempty"`
}