v1alpha1

type FederationDomain struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec of the OIDC provider.
	Spec FederationDomainSpec `json:"spec"`

	// Status of the OIDC provider.
	Status FederationDomainStatus `json:"status,omitempty"`
}

type FederationDomainIdentityProvider struct {
	// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
	// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
	// disruptive change for those users.
	// +kubebuilder:validation:MinLength=1
	DisplayName string `json:"displayName"`

	// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
	// If the reference cannot be resolved then the identity provider will not be made available.
	// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
	// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
	ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`

	// Transforms is an optional way to specify transformations to be applied during user authentication and
	// session refresh.
	// +optional
	Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}

type FederationDomainList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []FederationDomain `json:"items"`
}

type FederationDomainPhase string

type FederationDomainSecrets struct {
	// JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are
	// stored. If it is empty, then the signing/verification keys are either unknown or they don't
	// exist.
	// +optional
	JWKS corev1.LocalObjectReference `json:"jwks,omitempty"`

	// TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
	// signing tokens is stored.
	// +optional
	TokenSigningKey corev1.LocalObjectReference `json:"tokenSigningKey,omitempty"`

	// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
	// signing state parameters is stored.
	// +optional
	StateSigningKey corev1.LocalObjectReference `json:"stateSigningKey,omitempty"`

	// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
	// encrypting state parameters is stored.
	// +optional
	StateEncryptionKey corev1.LocalObjectReference `json:"stateEncryptionKey,omitempty"`
}

type FederationDomainSpec struct {
	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
	// https://example.com/foo, then your authorization endpoint will look like
	// https://example.com/foo/some/path/to/auth/endpoint).
	//
	// See
	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:XValidation:message="issuer must be an HTTPS URL",rule="isURL(self) && url(self).getScheme() == 'https'"
	Issuer string `json:"issuer"`

	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
	// +optional
	TLS *FederationDomainTLSSpec `json:"tls,omitempty"`

	// IdentityProviders is the list of identity providers available for use by this FederationDomain.
	//
	// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
	// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
	// extract a normalized user identity. Normalized user identities include a username and a list of group names.
	// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
	// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
	// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
	// accidental conflicts when multiple identity providers have different users with the same username (e.g.
	// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
	// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
	// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
	// disallow the authentication unless the user belongs to a specific group in the identity provider.
	//
	// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
	// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
	// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
	// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
	// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
	// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
	// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
	// explicitly list the identity provider using this IdentityProviders field.
	//
	// +optional
	IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}

type FederationDomainStatus struct {
	// Phase summarizes the overall status of the FederationDomain.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase FederationDomainPhase `json:"phase,omitempty"`

	// Conditions represent the observations of an FederationDomain's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

	// Secrets contains information about this OIDC Provider's secrets.
	// +optional
	Secrets FederationDomainSecrets `json:"secrets,omitempty"`
}

type FederationDomainTLSSpec struct {
	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
	// the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret
	// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
	// for TLS.
	//
	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
	//
	// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
	// SecretName value even if they have different port numbers.
	//
	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
	// configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
	// It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
	// use the default TLS certificate, which is configured elsewhere.
	//
	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
	//
	// +optional
	SecretName string `json:"secretName,omitempty"`
}

type FederationDomainTransforms struct {
	// Constants defines constant variables and their values which will be made available to the transform expressions.
	// +patchMergeKey=name
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=name
	// +optional
	Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`

	// Expressions are an optional list of transforms and policies to be executed in the order given during every
	// authentication attempt, including during every session refresh.
	// Each is a CEL expression. It may use the basic CEL language as defined in
	// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
	// https://github.com/google/cel-go/tree/master/ext#strings.
	//
	// The username and groups extracted from the identity provider, and the constants defined in this CR, are
	// available as variables in all expressions. The username is provided via a variable called `username` and
	// the list of group names is provided via a variable called `groups` (which may be an empty list).
	// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
	// and `strListConst.varName` for string list constants.
	//
	// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
	// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
	// and the authentication attempt is rejected.
	// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
	// username or group names.
	// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
	// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
	// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
	// groups list.
	// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
	// After each expression, the new (potentially changed) username or groups get passed to the following expression.
	//
	// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
	// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
	// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
	// and group names have been decided for that authentication attempt.
	//
	// +optional
	Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`

	// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
	// expected. Examples define sample input identities which are then run through the expression list, and the
	// results are compared to the expected results. If any example in this list fails, then this
	// identity provider will not be available for use within this FederationDomain, and the error(s) will be
	// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
	// expressions, and also act as living documentation for other administrators to better understand the expressions.
	// +optional
	Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}

type FederationDomainTransformsConstant struct {
	// Name determines the name of the constant. It must be a valid identifier name.
	// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=64
	Name string `json:"name"`

	// Type determines the type of the constant, and indicates which other field should be non-empty.
	// Allowed values are "string" or "stringList".
	// +kubebuilder:validation:Enum=string;stringList
	Type string `json:"type"`

	// StringValue should hold the value when Type is "string", and is otherwise ignored.
	// +optional
	StringValue string `json:"stringValue,omitempty"`

	// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
	// +optional
	StringListValue []string `json:"stringListValue,omitempty"`
}

type FederationDomainTransformsExample struct {
	// Username is the input username.
	// +kubebuilder:validation:MinLength=1
	Username string `json:"username"`

	// Groups is the input list of group names.
	// +optional
	Groups []string `json:"groups,omitempty"`

	// Expects is the expected output of the entire sequence of transforms when they are run against the
	// input Username and Groups.
	Expects FederationDomainTransformsExampleExpects `json:"expects"`
}

type FederationDomainTransformsExampleExpects struct {
	// Username is the expected username after the transformations have been applied.
	// +optional
	Username string `json:"username,omitempty"`

	// Groups is the expected list of group names after the transformations have been applied.
	// +optional
	Groups []string `json:"groups,omitempty"`

	// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
	// after the transformations have been applied. True means that it is expected that the authentication would be
	// rejected. The default value of false means that it is expected that the authentication would not be rejected
	// by any policy expression.
	// +optional
	Rejected bool `json:"rejected,omitempty"`

	// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
	// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
	// then Message will be treated as the default error message for authentication attempts which are rejected by a
	// policy. When Rejected is false, then Message is the expected error message for some other non-policy
	// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
	// +optional
	Message string `json:"message,omitempty"`
}

type FederationDomainTransformsExpression struct {
	// Type determines the type of the expression. It must be one of the supported types.
	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
	Type string `json:"type"`

	// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
	// +kubebuilder:validation:MinLength=1
	Expression string `json:"expression"`

	// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
	// an authentication attempt. When empty, a default message will be used.
	// +optional
	Message string `json:"message,omitempty"`
}

type GrantType string

type OIDCClient struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec of the OIDC client.
	Spec OIDCClientSpec `json:"spec"`

	// Status of the OIDC client.
	Status OIDCClientStatus `json:"status,omitempty"`
}

type OIDCClientList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []OIDCClient `json:"items"`
}

type OIDCClientPhase string

type OIDCClientSpec struct {
	// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
	// client. Any other uris will be rejected.
	// Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme.
	// Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
	// +listType=set
	// +kubebuilder:validation:MinItems=1
	AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"`

	// allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
	// client.
	//
	// Must only contain the following values:
	// - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
	//   authenticate users. This grant must always be listed.
	// - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
	//   This grant must be listed if allowedScopes lists offline_access.
	// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
	//   which is a step in the process to be able to get a cluster credential for the user.
	//   This grant must be listed if allowedScopes lists pinniped:request-audience.
	// +listType=set
	// +kubebuilder:validation:MinItems=1
	AllowedGrantTypes []GrantType `json:"allowedGrantTypes"`

	// allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
	//
	// Must only contain the following values:
	// - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
	//   This scope must always be listed.
	// - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
	//   This scope must be listed if allowedGrantTypes lists refresh_token.
	// - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
	//   which is a step in the process to be able to get a cluster credential for the user.
	//   openid, username and groups scopes must be listed when this scope is present.
	//   This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
	// - username: The client is allowed to request that ID tokens contain the user's username.
	//   Without the username scope being requested and allowed, the ID token will not contain the user's username.
	// - groups: The client is allowed to request that ID tokens contain the user's group membership,
	//   if their group membership is discoverable by the Supervisor.
	//   Without the groups scope being requested and allowed, the ID token will not contain groups.
	// +listType=set
	// +kubebuilder:validation:MinItems=1
	AllowedScopes []Scope `json:"allowedScopes"`

	// tokenLifetimes are the optional overrides of token lifetimes for an OIDCClient.
	// +optional
	TokenLifetimes OIDCClientTokenLifetimes `json:"tokenLifetimes,omitempty"`
}

type OIDCClientStatus struct {
	// phase summarizes the overall status of the OIDCClient.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase OIDCClientPhase `json:"phase,omitempty"`

	// conditions represent the observations of an OIDCClient's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

	// totalClientSecrets is the current number of client secrets that are detected for this OIDCClient.
	// +optional
	TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0
}

type OIDCClientTokenLifetimes struct {
	// idTokenSeconds is the lifetime of ID tokens issued to this client, in seconds. This will choose the lifetime of
	// ID tokens returned by the authorization flow and the refresh grant. It will not influence the lifetime of the ID
	// tokens returned by RFC8693 token exchange. When null, a short-lived default value will be used.
	// This value must be between 120 and 1,800 seconds (30 minutes), inclusive. It is recommended to make these tokens
	// short-lived to force the client to perform the refresh grant often, because the refresh grant will check with the
	// external identity provider to decide if it is acceptable for the end user to continue their session, and will
	// update the end user's group memberships from the external identity provider. Giving these tokens a long life is
	// will allow the end user to continue to use a token while avoiding these updates from the external identity
	// provider. However, some web applications may have reasons specific to the design of that application to prefer
	// longer lifetimes.
	// +kubebuilder:validation:Minimum=120
	// +kubebuilder:validation:Maximum=1800
	// +optional
	IDTokenSeconds *int32 `json:"idTokenSeconds,omitempty"`
}

type RedirectURI string

type Scope string