/*
Copyright 2023 The EdgeFarm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
"fmt"
"github.com/edgefarm/vault-plugin-secrets-nats/pkg/claims/common"
"github.com/nats-io/jwt/v2"
)
// +kubebuilder:object:generate=true
// AccountClaims specifies the claims of an account JWT: the claim data common
// to every JWT issued by this plugin, plus the account-specific claims.
type AccountClaims struct {
	// Common data for all JWTs (inlined into the same JSON object).
	common.ClaimsData `json:",inline"`
	// Account specific claims
	// +kubebuilder:validation:Optional
	Account `json:"account,omitempty"`
}
// Account specifies the account-specific claims data: imports, exports,
// limits, signing keys, revocations, default permissions, subject mappings
// and external authorization settings.
type Account struct {
	// A list of account/subject combinations that this account is allowed to import
	// +kubebuilder:validation:Optional
	Imports []Import `json:"imports,omitempty"`
	// A list of account/subject combinations that this account is allowed to export
	// +kubebuilder:validation:Optional
	Exports []Export `json:"exports,omitempty"`
	// A set of limits for this account
	// +kubebuilder:validation:Optional
	Limits OperatorLimits `json:"limits,omitempty"`
	// A list of signing keys the account can use.
	// NOTE(review): presumably public keys only; anything listed here can sign
	// JWTs on behalf of this account, so the list is a trust boundary — confirm.
	// +kubebuilder:validation:Optional
	SigningKeys []string `json:"signingKeys,omitempty"`
	// Stores user JWTs that have been revoked and the time they were revoked.
	// NOTE(review): map key is presumably the revoked user's public key and the
	// value a Unix timestamp (seconds) — confirm against the nats-io/jwt types.
	// +kubebuilder:validation:Optional
	Revocations map[string]int64 `json:"revocations,omitempty"`
	// Default pub/sub permissions for this account that users inherit
	// +kubebuilder:validation:Optional
	DefaultPermissions common.Permissions `json:"defaultPermissions,omitempty"`
	// Stores subjects that get mapped to other subjects using a weighted mapping.
	// The key is the source subject; the value lists the destinations and their weights.
	// For more information see https://docs.nats.io/nats-concepts/subject_mapping
	// +kubebuilder:validation:Optional
	Mappings map[string][]WeightedMapping `json:"mappings,omitempty"`
	// Enable external authorization for account users.
	// +kubebuilder:validation:Optional
	Authorization ExternalAuthorization `json:"authorization,omitempty"`
	// Descriptive info and generic JWT fields, inlined into the same JSON object.
	common.Info `json:",inline"`
	common.GenericFields `json:",inline"`
}
// ExternalAuthorization enables external authorization (auth callout) for
// account users. The JSON keys here are snake_case, unlike the rest of this
// file; they are kept as-is because they are part of the published API.
type ExternalAuthorization struct {
	// Users permitted to act as the external authorization service.
	// NOTE(review): presumably user public keys — confirm against NATS docs.
	AuthUsers []string `json:"auth_users,omitempty"`
	// Accounts for which the external authorization service may issue users.
	// NOTE(review): presumably account public keys — confirm against NATS docs.
	AllowedAccounts []string `json:"allowed_accounts,omitempty"`
	// Key used to protect authorization requests sent to the service.
	// NOTE(review): presumably the public xkey only; a private key must never
	// be placed here — confirm.
	XKey string `json:"xkey,omitempty"`
}
// WeightedMapping is a mapping from one subject to another with a weight and a destination cluster
type WeightedMapping struct {
	// The subject to map to
	Subject string `json:"subject"`
	// The share of traffic, as a percentage of 100, that this mapping should receive.
	// NOTE(review): whether the weights for one source subject must sum to 100 is
	// not enforced here — confirm how the NATS server treats the remainder.
	// +kubebuilder:validation:Optional
	Weight uint8 `json:"weight,omitempty"`
	// The cluster to map to
	// +kubebuilder:validation:Optional
	Cluster string `json:"cluster,omitempty"`
}
// OperatorLimits represents the limits that are set on an account. It inlines
// the generic NATS limits, the account limits and the JetStream limits into a
// single JSON object.
type OperatorLimits struct {
	common.NatsLimits `json:",inline"`
	AccountLimits `json:",inline"`
	JetStreamLimits `json:",inline"`
	// JetStreamTieredLimits: as far as I can tell it is only used by NATS internally.
	// So not exposed to the user for now.
	// JetStreamTieredLimits `json:"tieredLimits,omitempty"`
}
// JetStreamTieredLimits: as far as I can tell it is only used by NATS internally.
// So it is not exposed to the user for now.
// type JetStreamTieredLimits map[string]JetStreamLimits
// JetStreamLimits represents the JetStream limits for an account.
// Note the two conventions used below: for the account-wide storage limits 0
// means "disabled", while for the per-stream limits 0 means "unlimited".
type JetStreamLimits struct {
	// Max number of bytes stored in memory across all streams. (0 means disabled)
	// +kubebuilder:validation:Optional
	MemoryStorage int64 `json:"memStorage,omitempty"`
	// Max number of bytes stored on disk across all streams. (0 means disabled)
	// +kubebuilder:validation:Optional
	DiskStorage int64 `json:"diskStorage,omitempty"`
	// Max number of streams
	// +kubebuilder:validation:Optional
	Streams int64 `json:"streams,omitempty"`
	// Max number of consumers
	// +kubebuilder:validation:Optional
	Consumer int64 `json:"consumer,omitempty"`
	// Max number of acks pending
	// +kubebuilder:validation:Optional
	MaxAckPending int64 `json:"maxAckPending,omitempty"`
	// Max number of bytes a stream can have in memory. (0 means unlimited)
	// +kubebuilder:validation:Optional
	// +kubebuilder:default=0
	MemoryMaxStreamBytes int64 `json:"memMaxStreamBytes,omitempty"`
	// Max number of bytes a stream can have on disk. (0 means unlimited)
	// +kubebuilder:validation:Optional
	// +kubebuilder:default=0
	DiskMaxStreamBytes int64 `json:"diskMaxStreamBytes,omitempty"`
	// Requires every stream to declare a max bytes limit when true.
	// NOTE(review): inferred from the field name; the original comment read
	// "Max bytes required by all Streams" — confirm.
	// +kubebuilder:validation:Optional
	MaxBytesRequired bool `json:"maxBytesRequired,omitempty"`
}
// AccountLimits represents the non-JetStream limits of an account: how many
// imports, exports and connections it may have and whether wildcard exports
// and bearer user JWTs are permitted.
type AccountLimits struct {
	// Max number of imports
	// +kubebuilder:validation:Optional
	Imports int64 `json:"imports,omitempty"`
	// Max number of exports
	// +kubebuilder:validation:Optional
	Exports int64 `json:"exports,omitempty"`
	// Specifies if wildcards are allowed in exports
	// +kubebuilder:validation:Optional
	WildcardExports bool `json:"wildcardExports,omitempty"`
	// Specifies that user JWT can't be bearer token.
	// Security-relevant: a bearer user JWT is accepted without the client
	// proving possession of the user's private key, so enabling this forces
	// proof-of-possession for every user of the account (confirm against NATS docs).
	// +kubebuilder:validation:Optional
	DisallowBearer bool `json:"disallowBearer,omitempty"`
	// Max number of connections
	// +kubebuilder:validation:Optional
	Conn int64 `json:"conn,omitempty"`
	// Max number of leaf node connections
	// +kubebuilder:validation:Optional
	LeafNodeConn int64 `json:"leafNodeConn,omitempty"`
}
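// convertExportType maps the string spelling of an export type used in the
// API types ("Stream", "Service" or "Unknown") to the corresponding
// jwt.ExportType constant.
//
// The comparison is exact and case-sensitive. On any other input it returns
// -1, which is not a valid jwt.ExportType, together with a non-nil error that
// names the rejected value; callers must check the error before using the
// returned type.
func convertExportType(t string) (jwt.ExportType, error) {
	switch t {
	case "Stream":
		return jwt.Stream, nil
	case "Service":
		return jwt.Service, nil
	case "Unknown":
		return jwt.Unknown, nil
	default:
		// Quote the offending value so a misspelled CRD field is diagnosable
		// from the error alone.
		return -1, fmt.Errorf("invalid export type %q", t)
	}
}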
// Import describes a mapping from another account into this one
type Import struct {
	// The name of the import
	// +kubebuilder:validation:Optional
	Name string `json:"name,omitempty"`
	// The subject to import
	// +kubebuilder:validation:Optional
	Subject string `json:"subject,omitempty"`
	// The account to import from
	// NOTE(review): presumably the exporting account's public key — confirm.
	// +kubebuilder:validation:Optional
	Account string `json:"account,omitempty"`
	// The token to use for the import.
	// NOTE(review): presumably an activation token (a JWT) issued by the
	// exporting account when the export requires one — confirm.
	// +kubebuilder:validation:Optional
	Token string `json:"token,omitempty"`
	// The local subject to import to
	// +kubebuilder:validation:Optional
	LocalSubject string `json:"localSubject,omitempty"`
	// The type of the import. Presumably converted with convertExportType,
	// which accepts exactly "Stream", "Service" and "Unknown".
	// +kubebuilder:validation:Optional
	Type string `json:"type,omitempty"`
	// Specifies if the import is shared
	// +kubebuilder:validation:Optional
	Share bool `json:"share,omitempty"`
}
// Export describes a mapping from this account to another one
type Export struct {
	// The name of the export
	// +kubebuilder:validation:Optional
	Name string `json:"name,omitempty"`
	// The subject to export
	// +kubebuilder:validation:Optional
	Subject string `json:"subject,omitempty"`
	// The type of the export. Presumably converted with convertExportType,
	// which accepts exactly "Stream", "Service" and "Unknown".
	// +kubebuilder:validation:Optional
	Type string `json:"type,omitempty"`
	// Specifies if a token is required for the export.
	// When false the export is usable by any account that imports it, so
	// leaving it false is a deliberate decision to make the export public.
	// +kubebuilder:validation:Optional
	TokenReq bool `json:"tokenReq,omitempty"`
	// The revocations for the export.
	// NOTE(review): presumably keyed by the importing account's public key
	// with a Unix timestamp (seconds) as value — confirm.
	// +kubebuilder:validation:Optional
	Revocations map[string]int64 `json:"revocations,omitempty"`
	// The response type for the export
	// +kubebuilder:validation:Optional
	ResponseType string `json:"responseType,omitempty"`
	// The response threshold for the export.
	// NOTE(review): stored as a string, presumably a duration spelling
	// parsed elsewhere — confirm.
	// +kubebuilder:validation:Optional
	ResponseThreshold string `json:"responseThreshold,omitempty"`
	// The latency for the export.
	// +kubebuilder:validation:Optional
	Latency *ServiceLatency `json:"serviceLatency,omitempty"`
	// The account token position for the export
	// +kubebuilder:validation:Optional
	AccountTokenPosition uint `json:"accountTokenPosition,omitempty"`
	// Specifies if the export is advertised
	// +kubebuilder:validation:Optional
	Advertise bool `json:"advertise,omitempty"`
	// Descriptive info, inlined into the same JSON object.
	common.Info `json:",inline"`
}
// ServiceLatency configures latency tracking for a service export.
// Both fields are required in the JSON (no omitempty).
type ServiceLatency struct {
	// Specifies the sampling for the latency.
	// NOTE(review): presumably a sampling rate in percent — confirm.
	Sampling int `json:"sampling"`
	// Specifies the results for the latency.
	// NOTE(review): presumably the subject latency results are published to — confirm.
	Results string `json:"results"`
}