Merge pull request #1042 from s-urbaniak/pr-1038

config/v1/types_oauth: add OAuthAudit
openshift · Nov 5, 2021 · cb9596d · cb9596d
2 parents 5088c83 + afee15a
commit cb9596d
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 0 deletions.
diff --git a/config/v1/0000_10_config-operator_01_oauth.crd.yaml b/config/v1/0000_10_config-operator_01_oauth.crd.yaml
@@ -36,6 +36,19 @@ spec:
               description: spec holds user settable values for configuration
               type: object
               properties:
+                audit:
+                  description: audit specifies what should be audited in the context of OAuthServer. By default the Audit is turned on.
+                  type: object
+                  default:
+                    profile: WriteLoginEvents
+                  properties:
+                    profile:
+                      description: profile is a simple drop in profile type that can be turned off by setting it to "None" or it can be turned on by setting it to "WriteLoginEvents". By default the profile is set to "WriteLoginEvents".
+                      type: string
+                      default: WriteLoginEvents
+                      enum:
+                        - None
+                        - WriteLoginEvents
                 identityProviders:
                   description: identityProviders is an ordered list of ways for a user to identify themselves. When this list is empty, no identities are provisioned for users.
                   type: array

diff --git a/config/v1/types_oauth.go b/config/v1/types_oauth.go
@@ -40,8 +40,36 @@ type OAuthSpec struct {
 	// templates allow you to customize pages like the login page.
 	// +optional
 	Templates OAuthTemplates `json:"templates"`
+	// audit specifies what should be audited in the context of OAuthServer. By
+	// default the Audit is turned on.
+	// +optional
+	// +kubebuilder:default:={"profile":"WriteLoginEvents"}
+	Audit OAuthAudit `json:"audit"`
+}
+
+// OAuthAudit specifies the Audit profile in use.
+type OAuthAudit struct {
+	// profile is a simple drop in profile type that can be turned off by
+	// setting it to "None" or it can be turned on by setting it to
+	// "WriteLoginEvents". By default the profile is set to "WriteLoginEvents".
+	// +kubebuilder:default:="WriteLoginEvents"
+	Profile OAuthAuditProfileType `json:"profile,omitempty"`
 }
 
+// OAuthAuditProfileType defines a simple audit profile, which can turn OAuth
+// authentication audit logging on or off.
+// +kubebuilder:validation:Enum=None;WriteLoginEvents
+type OAuthAuditProfileType string
+
+const (
+	// "None" disables audit logs.
+	OAuthNoneAuditProfileType AuditProfileType = "None"
+
+	// "WriteLoginEvents" logs login and login failure events.
+	// This is the default.
+	OAuthWriteLoginEventsProfileType AuditProfileType = "WriteLoginEvents"
+)
+
 // OAuthStatus shows current known state of OAuth server in the cluster
 type OAuthStatus struct {
 	// TODO Fill in with status of identityProviders and templates (and maybe tokenConfig)

diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go
diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go