diff --git a/api/v1alpha1/cloudflareaccessgroup_types.go b/api/v1alpha1/cloudflareaccessgroup_types.go
index 2ee1239..c65fc46 100644
--- a/api/v1alpha1/cloudflareaccessgroup_types.go
+++ b/api/v1alpha1/cloudflareaccessgroup_types.go
@@ -77,8 +77,11 @@ type CloudFlareAccessGroupRule struct {
 // Matches Google Group
 GoogleGroups []GoogleGroup `json:"googleGroups,omitempty"`
- // // Okta Groups
+ // Okta Groups
 OktaGroup []OktaGroup `json:"oktaGroup,omitempty"`
+
+ // OIDC Claims
+ OIDCClaims []OIDCClaim `json:"oidcClaims,omitempty"`
 }
 // CloudflareAccessGroupStatus defines the observed state of CloudflareAccessGroup.
@@ -200,6 +203,10 @@ func (c CloudFlareAccessGroupRuleGroups) TransformCloudflareRuleFields(managedCF
 for _, oktaGroup := range field.OktaGroup {
 *managedCFFields[i] = append(*managedCFFields[i], cfapi.NewAccessGroupOktaGroup(oktaGroup.Name, oktaGroup.IdentityProviderID))
 }
+
+ for _, oidcClaim := range field.OIDCClaims {
+ *managedCFFields[i] = append(*managedCFFields[i], cfapi.NewAccessGroupOIDCClaim(oidcClaim.Name, oidcClaim.Value, oidcClaim.IdentityProviderID))
+ }
 }
 }
 }
diff --git a/api/v1alpha1/cloudflareaccessgroup_types_test.go b/api/v1alpha1/cloudflareaccessgroup_types_test.go
index 65b78dc..e9547dc 100644
--- a/api/v1alpha1/cloudflareaccessgroup_types_test.go
+++ b/api/v1alpha1/cloudflareaccessgroup_types_test.go
@@ -1,6 +1,7 @@
 package v1alpha1_test
 import (
+ "github.com/bojanzelic/cloudflare-zero-trust-operator/internal/cfapi"
 "testing"
 "github.com/bojanzelic/cloudflare-zero-trust-operator/api/v1alpha1"
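Review bot: The new `OIDCClaims` field is documented only as `// OIDC Claims`, and that two-word comment is also what becomes the CRD description for `spec.include[].oidcClaims` in the generated YAML further down this diff, so a user reading the CRD gets no hint of the match semantics or that every entry must name an identity provider. I would write `// OIDCClaims matches identities whose OIDC token from the referenced identity provider carries the given claim name/value pair; name, value and identityProviderId are all required for each entry.` — the match semantics are what the `cfapi.AccessGroupOIDCClaim` type comment in this diff states, and the required-ness comes from the generated CRD. The JSON key `oidcClaims` is plural while the sibling key `oktaGroup` is singular; that sibling is existing API surface and not worth changing, but the inconsistency is now baked in. `CloudFlareAccessGroupRule` starts before this hunk.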
@@ -128,6 +129,36 @@ var _ = Describe("Creating a CloudflareAccessGroup", Label("CloudflareAccessGrou
 }
 })
+ It("can export oidcClaims to the cloudflare object", func() {
+ accessRule.Spec.Include = []v1alpha1.CloudFlareAccessGroupRule{{
+ OIDCClaims: []v1alpha1.OIDCClaim{
+ {
+ Name: "myOidcClaimName1",
+ Value: "myOidcClaimValue1",
+ IdentityProviderID: "00000000-0000-0000-0000-00000000000000",
+ },
+ {
+ Name: "myOidcClaimName2",
+ Value: "myOidcClaimValue2",
+ IdentityProviderID: "11111111-1111-1111-1111-111111111111",
+ },
+ }},
+ }
+ for i, group := range accessRule.Spec.Include[0].OIDCClaims {
+ Expect(accessRule.ToCloudflare().Include[i]).To(Equal(cfapi.AccessGroupOIDCClaim{
+ OIDC: struct {
+ Name string "json:\"claim_name\""
+ Value string "json:\"claim_value\""
+ IdentityProviderID string "json:\"identity_provider_id\""
+ }{
+ Name: group.Name,
+ Value: group.Value,
+ IdentityProviderID: group.IdentityProviderID,
+ },
+ }))
+ }
+ })
+
 It("can export ipRanges to the cloudflare object", func() {
 ips := []string{"1.1.1.1/32", "8.8.8.8/32"}
 accessRule.Spec.Include = []v1alpha1.CloudFlareAccessGroupRule{{
diff --git a/api/v1alpha1/reference_types.go b/api/v1alpha1/reference_types.go
index eea9182..08655b6 100644
--- a/api/v1alpha1/reference_types.go
+++ b/api/v1alpha1/reference_types.go
@@ -36,6 +36,15 @@ type OktaGroup struct {
 IdentityProviderID string `json:"identityProviderId"`
 }
+type OIDCClaim struct {
+ // Name of the OIDC claim
+ Name string `json:"name"`
+ // Value of the OIDC claim
+ Value string `json:"value"`
+ // Identity Provider Id
+ IdentityProviderID string `json:"identityProviderId"`
+}
+
 type AccessGroupReference struct {
 // `namespace` is the namespace of the AccessGroup.
 // Required
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 0377f70..5206039 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
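Review bot: The first fixture's `IdentityProviderID: "00000000-0000-0000-0000-00000000000000"` has fourteen characters in its final group, so it is not a well-formed UUID even though the second fixture is UUID-shaped; if a format constraint is ever added to `identityProviderId` this test would start failing for the wrong reason, so make it `"00000000-0000-0000-0000-000000000000"` now. The expected value also re-declares the anonymous `OIDC` struct with its tags as string literals, which must stay byte-identical to the tags in `cfapi` or `Equal` reports a type mismatch rather than a field mismatch; `Equal(cfapi.NewAccessGroupOIDCClaim(group.Name, group.Value, group.IdentityProviderID))` states the same expectation without the duplication. The enclosing `Describe` block starts before this hunk.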
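Review bot: `OIDCClaim` carries no validation markers, so the generated CRD only lists `name`, `value` and `identityProviderId` under `required`, and OpenAPI `required` checks presence, not content: `name: ""` is admitted and flows unchanged through `NewAccessGroupOIDCClaim` into the Access group rule sent to Cloudflare. Because these three strings decide who is granted access, I would reject empty values at admission by adding `// +kubebuilder:validation:MinLength=1` above each field; this assumes the CRDs are produced by controller-gen, which the regenerated `zz_generated.deepcopy.go` in this diff suggests. A UUID `Pattern` on `identityProviderId` would be a further tightening once the Cloudflare identifier format is confirmed, and the comment `// Identity Provider Id` could say what it refers to, e.g. `// IdentityProviderID is the Cloudflare Access identity provider whose tokens the claim is read from.` How Cloudflare itself treats an empty claim name is not visible here.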
@@ -133,6 +133,11 @@ func (in *CloudFlareAccessGroupRule) DeepCopyInto(out *CloudFlareAccessGroupRule *out = make([]OktaGroup, len(*in)) copy(*out, *in) } + if in.OIDCClaims != nil { + in, out := &in.OIDCClaims, &out.OIDCClaims + *out = make([]OIDCClaim, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudFlareAccessGroupRule. @@ -598,6 +603,21 @@ func (in *GoogleGroup) DeepCopy() *GoogleGroup { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClaim) DeepCopyInto(out *OIDCClaim) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClaim. +func (in *OIDCClaim) DeepCopy() *OIDCClaim { + if in == nil { + return nil + } + out := new(OIDCClaim) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OktaGroup) DeepCopyInto(out *OktaGroup) { *out = *in diff --git a/config/crd/bases/cloudflare.zelic.io_cloudflareaccessapplications.yaml b/config/crd/bases/cloudflare.zelic.io_cloudflareaccessapplications.yaml index 28da703..164855a 100644 --- a/config/crd/bases/cloudflare.zelic.io_cloudflareaccessapplications.yaml +++ b/config/crd/bases/cloudflare.zelic.io_cloudflareaccessapplications.yaml @@ -165,8 +165,27 @@ spec: items: type: string type: array + oidcClaims: + description: OIDC Claims + items: + properties: + identityProviderId: + description: Identity Provider Id + type: string + name: + description: Name of the OIDC claim + type: string + value: + description: Value of the OIDC claim + type: string + required: + - identityProviderId + - name + - value + type: object + type: array oktaGroup: - description: // Okta Groups + description: Okta Groups items: properties: identityProviderId: 
@@ -293,8 +312,27 @@ spec: items: type: string type: array + oidcClaims: + description: OIDC Claims + items: + properties: + identityProviderId: + description: Identity Provider Id + type: string + name: + description: Name of the OIDC claim + type: string + value: + description: Value of the OIDC claim + type: string + required: + - identityProviderId + - name + - value + type: object + type: array oktaGroup: - description: // Okta Groups + description: Okta Groups items: properties: identityProviderId: @@ -424,8 +462,27 @@ spec: items: type: string type: array + oidcClaims: + description: OIDC Claims + items: + properties: + identityProviderId: + description: Identity Provider Id + type: string + name: + description: Name of the OIDC claim + type: string + value: + description: Value of the OIDC claim + type: string + required: + - identityProviderId + - name + - value + type: object + type: array oktaGroup: - description: // Okta Groups + description: Okta Groups items: properties: identityProviderId: diff --git a/config/crd/bases/cloudflare.zelic.io_cloudflareaccessgroups.yaml b/config/crd/bases/cloudflare.zelic.io_cloudflareaccessgroups.yaml index 388d954..d1314b0 100644 --- a/config/crd/bases/cloudflare.zelic.io_cloudflareaccessgroups.yaml +++ b/config/crd/bases/cloudflare.zelic.io_cloudflareaccessgroups.yaml @@ -118,8 +118,27 @@ spec: items: type: string type: array + oidcClaims: + description: OIDC Claims + items: + properties: + identityProviderId: + description: Identity Provider Id + type: string + name: + description: Name of the OIDC claim + type: string + value: + description: Value of the OIDC claim + type: string + required: + - identityProviderId + - name + - value + type: object + type: array oktaGroup: - description: // Okta Groups + description: Okta Groups items: properties: identityProviderId: 
@@ -246,8 +265,27 @@ spec: items: type: string type: array + oidcClaims: + description: OIDC Claims + items: + properties: + identityProviderId: + description: Identity Provider Id + type: string + name: + description: Name of the OIDC claim + type: string + value: + description: Value of the OIDC claim + type: string + required: + - identityProviderId + - name + - value + type: object + type: array oktaGroup: - description: // Okta Groups + description: Okta Groups items: properties: identityProviderId: @@ -377,8 +415,27 @@ spec: items: type: string type: array + oidcClaims: + description: OIDC Claims + items: + properties: + identityProviderId: + description: Identity Provider Id + type: string + name: + description: Name of the OIDC claim + type: string + value: + description: Value of the OIDC claim + type: string + required: + - identityProviderId + - name + - value + type: object + type: array oktaGroup: - description: // Okta Groups + description: Okta Groups items: properties: identityProviderId: diff --git a/helm/cloudflare-zero-trust-operator/templates/cloudflareaccessapplication-crd.yaml b/helm/cloudflare-zero-trust-operator/templates/cloudflareaccessapplication-crd.yaml index 31e5537..01cfa16 100644 --- a/helm/cloudflare-zero-trust-operator/templates/cloudflareaccessapplication-crd.yaml +++ b/helm/cloudflare-zero-trust-operator/templates/cloudflareaccessapplication-crd.yaml @@ -167,8 +167,27 @@ spec: items: type: string type: array + oidcClaims: + description: OIDC Claims + items: + properties: + identityProviderId: + description: Identity Provider Id + type: string + name: + description: Name of the OIDC claim + type: string + value: + description: Value of the OIDC claim + type: string + required: + - identityProviderId + - name + - value + type: object + type: array oktaGroup: - description: // Okta Groups + description: Okta Groups items: properties: identityProviderId: 
@@ -295,8 +314,27 @@ spec: items: type: string type: array + oidcClaims: + description: OIDC Claims + items: + properties: + identityProviderId: + description: Identity Provider Id + type: string + name: + description: Name of the OIDC claim + type: string + value: + description: Value of the OIDC claim + type: string + required: + - identityProviderId + - name + - value + type: object + type: array oktaGroup: - description: // Okta Groups + description: Okta Groups items: properties: identityProviderId: @@ -426,8 +464,27 @@ spec: items: type: string type: array + oidcClaims: + description: OIDC Claims + items: + properties: + identityProviderId: + description: Identity Provider Id + type: string + name: + description: Name of the OIDC claim + type: string + value: + description: Value of the OIDC claim + type: string + required: + - identityProviderId + - name + - value + type: object + type: array oktaGroup: - description: // Okta Groups + description: Okta Groups items: properties: identityProviderId: diff --git a/helm/cloudflare-zero-trust-operator/templates/cloudflareaccessgroup-crd.yaml b/helm/cloudflare-zero-trust-operator/templates/cloudflareaccessgroup-crd.yaml index c20925c..8f0253a 100644 --- a/helm/cloudflare-zero-trust-operator/templates/cloudflareaccessgroup-crd.yaml +++ b/helm/cloudflare-zero-trust-operator/templates/cloudflareaccessgroup-crd.yaml @@ -121,8 +121,27 @@ spec: items: type: string type: array + oidcClaims: + description: OIDC Claims + items: + properties: + identityProviderId: + description: Identity Provider Id + type: string + name: + description: Name of the OIDC claim + type: string + value: + description: Value of the OIDC claim + type: string + required: + - identityProviderId + - name + - value + type: object + type: array oktaGroup: - description: // Okta Groups + description: Okta Groups items: properties: identityProviderId: 
@@ -249,8 +268,27 @@ spec: items: type: string type: array + oidcClaims: + description: OIDC Claims + items: + properties: + identityProviderId: + description: Identity Provider Id + type: string + name: + description: Name of the OIDC claim + type: string + value: + description: Value of the OIDC claim + type: string + required: + - identityProviderId + - name + - value + type: object + type: array oktaGroup: - description: // Okta Groups + description: Okta Groups items: properties: identityProviderId: @@ -380,8 +418,27 @@ spec: items: type: string type: array + oidcClaims: + description: OIDC Claims + items: + properties: + identityProviderId: + description: Identity Provider Id + type: string + name: + description: Name of the OIDC claim + type: string + value: + description: Value of the OIDC claim + type: string + required: + - identityProviderId + - name + - value + type: object + type: array oktaGroup: - description: // Okta Groups + description: Okta Groups items: properties: identityProviderId: diff --git a/internal/cfapi/access_group_types.go b/internal/cfapi/access_group_types.go index 7675c57..cd0d7b6 100644 --- a/internal/cfapi/access_group_types.go +++ b/internal/cfapi/access_group_types.go 
@@ -111,3 +111,28 @@ func NewAccessGroupOktaGroup(name string, identityProviderID string) cloudflare.
 },
 }
 }
+
+func NewAccessGroupOIDCClaim(name string, value string, identityProviderID string) AccessGroupOIDCClaim {
+ return AccessGroupOIDCClaim{
+ OIDC: struct {
+ Name string `json:"claim_name"`
+ Value string `json:"claim_value"`
+ IdentityProviderID string `json:"identity_provider_id"`
+ }{
+ Name: name,
+ Value: value,
+ IdentityProviderID: identityProviderID,
+ },
+ }
+}
+
+// AccessGroupOIDCClaim is used to configure access based on an OIDC claim.
+// This type lives here because it is not supported by cloudflare-go, but
+// is supported by the Cloudflare API.
+type AccessGroupOIDCClaim struct {
+ OIDC struct {
+ Name string `json:"claim_name"`
+ Value string `json:"claim_value"`
+ IdentityProviderID string `json:"identity_provider_id"`
+ } `json:"oidc"`
+}
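Review bot: The anonymous `struct { Name ...; Value ...; IdentityProviderID ... }` is spelled out twice here, once in `NewAccessGroupOIDCClaim` and once in `AccessGroupOIDCClaim`, and the test in this diff copies it a third time; the two copies in this file must stay tag-for-tag identical or the constructor stops compiling, and the test's copy must match or `Equal` fails on type rather than on content. Naming the inner type once removes that coupling, and the existing test literal remains valid because an unnamed struct value is assignable to a named type with an identical underlying type. `NewAccessGroupOIDCClaim` is exported and has no doc comment; the version below adds one and leaves the existing `AccessGroupOIDCClaim` comment as it is.
```go
// AccessGroupOIDCClaimMatch is the body of the Cloudflare "oidc" rule object:
// the claim name, the value it must carry and the identity provider it comes from.
type AccessGroupOIDCClaimMatch struct {
	Name               string `json:"claim_name"`
	Value              string `json:"claim_value"`
	IdentityProviderID string `json:"identity_provider_id"`
}

// NewAccessGroupOIDCClaim builds an Access group rule that matches on the
// OIDC claim name/value pair issued by identityProviderID.
func NewAccessGroupOIDCClaim(name string, value string, identityProviderID string) AccessGroupOIDCClaim {
	return AccessGroupOIDCClaim{
		OIDC: AccessGroupOIDCClaimMatch{
			Name:               name,
			Value:              value,
			IdentityProviderID: identityProviderID,
		},
	}
}

// … unchanged: AccessGroupOIDCClaim doc comment …
type AccessGroupOIDCClaim struct {
	OIDC AccessGroupOIDCClaimMatch `json:"oidc"`
}
```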