v1beta1

type DexConfiguration struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   DexConfigurationSpec   `json:"spec,omitempty"`
	Status DexConfigurationStatus `json:"status,omitempty"`
}

type DexConfigurationList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []DexConfiguration `json:"items"`
}

type DexConfigurationSpec struct {
	// External FQDNs for the Dex service (for certificates)
	// The first name/IP will be used as the "issuer"
	// +optional
	Names []string `json:"names,omitempty"`

	// the NodePort used y the Dex server
	// +optional
	NodePort int `json:"nodePort,omitempty"`

	// The image used for Dex
	// +optional
	Image string `json:"image,omitempty"`

	// number of replicas for the Dex deployment
	// +optional
	Replicas int `json:"replicas,omitempty"`

	// Static clients
	// +optional
	StaticClients []DexStaticClient `json:"staticClients,omitempty"`

	// Use an (already existing) certificate for the Dex service
	// +optional
	Certificate corev1.SecretReference `json:"certificate,omitempty"`

	// TODO: maybe this should be a property of the LDAPConnector
	// +optional
	AdminGroup string `json:"adminGroup,omitempty"`
}

type DexConfigurationStatus struct {
	// Config is the (maybe namespaced) name of the ConfigMap
	Config string `json:"config,omitempty"`

	// Current deployment
	Deployment string `json:"deployment,omitempty"`

	// GeneratedCertificate is the certificate automatically generated for the Dex service
	// It will be empty when using the certificate provided in Spec.Certificate
	// It will be automatically removed when removing the DexConfiguration
	GeneratedCertificate corev1.SecretReference `json:"generatedCertificate,omitempty"`

	// Status of the static clients
	StaticClients []DexStaticClientStatus `json:"staticClients,omitempty"`

	// Number of connectors currently installed
	NumConnectors int `json:"numConnectors,omitempty"`
}

type DexStaticClient struct {
	Name string `json:"name,omitempty"`

	// The redirect URLs
	// +optional
	RedirectURLs []string `json:"redirectURLs,omitempty"`

	// +optional
	Public bool `json:"public,omitempty"`
}

type DexStaticClientStatus struct {
	Name string `json:"name,omitempty"`

	// The redirect URLs
	// +optional
	RedirectURLs []string `json:"redirectURLs,omitempty"`

	// Shared, static password generated
	Password corev1.SecretReference `json:"password,omitempty"`

	// +optional
	Public bool `json:"public,omitempty"`
}

type LDAPConnector struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   LDAPConnectorSpec   `json:"spec,omitempty"`
	Status LDAPConnectorStatus `json:"status,omitempty"`
}

type LDAPConnectorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []LDAPConnector `json:"items"`
}

type LDAPConnectorSpec struct {
	Name string `json:"name,omitempty"`

	ID string `json:"id,omitempty"`

	// Host and optional port of the LDAP server in the form "host:port".
	// If the port is not supplied, it will be guessed based on "insecureNoSSL",
	// and "startTLS" flags. 389 for insecure or StartTLS connections, 636
	// otherwise.
	Server string `json:"server,omitempty"`

	// The DN and password for an application service account. The connector uses
	// these credentials to search for users and groups. Not required if the LDAP
	// server provides access for anonymous auth.
	// Please note that if the bind password contains a `$`, it has to be saved in an
	// environment variable which should be given as the value to `bindPW`.
	// bindDN: uid=seviceaccount,cn=users,dc=example,dc=com
	// bindPW: password
	// +optional
	BindDN string `json:"bindDn,omitempty"`
	// +optional
	BindPW string `json:"bindPw,omitempty"`

	// +optional
	UsernamePrompt string `json:"usernamePrompt,omitempty"`

	// When connecting to the server, connect using the ldap:// protocol then issue
	// a StartTLS command. If unspecified, connections will use the ldaps:// protocol
	// +optional
	StartTLS bool `json:"startTLS,omitempty"`

	// Path to a trusted root certificate file. Default: use the host's root CA.
	// +optional
	RootCAData string `json:"rootCAData,omitempty"`

	// +optional
	User LDAPUserSpec `json:"user,omitempty"`

	// +optional
	Group LDAPGroupSpec `json:"group,omitempty"`
}

type LDAPConnectorStatus struct {
}

type LDAPGroupSpec struct {
	// BaseDN to start the search from. It will translate to the query
	// "(&(objectClass=group)(member=<user uid>))".
	BaseDN string `json:"baseDn,omitempty"`

	// Optional filter to apply when searching the directory.
	Filter string `json:"filter,omitempty"`

	// Following two fields are used to match a user to a group. It adds an additional
	// requirement to the filter that an attribute in the group must match the user's
	// attribute value.
	UserAttr  string `json:"userAttr,omitempty"`
	GroupAttr string `json:"groupAttr,omitempty"`

	// Represents group name.
	// +optional
	NameAttr string `json:"nameAttr,omitempty"`
}

type LDAPUserSpec struct {
	// BaseDN to start the search from. It will translate to the query
	// "(&(objectClass=person)(uid=<username>))".
	BaseDN string `json:"baseDn,omitempty"`

	// Optional filter to apply when searching the directory.
	// +optional
	Filter string `json:"filter,omitempty"`

	// username attribute used for comparing user entries. This will be translated
	// and combined with the other filter as "(<attr>=<username>)".
	Username string `json:"username,omitempty"`

	// String representation of the user.
	IDAttr string `json:"idAttr,omitempty"`

	// Required. Attribute to map to Email
	EmailAttr string `json:"emailAttr,omitempty"`

	// Maps to display name of users. No default value.
	// +optional
	NameAttr string `json:"nameAttr,omitempty"`
}