OCM-5822 Update the ExternalAuth model

model/clusters_mgmt/v1/external_auth_config_resource.model

@@ -0,0 +1,27 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Manages the external authentication configuration for a ROSA HCP cluster.
+resource ExternalAuthConfig {
+   method Get {
+        out Body ExternalAuthConfig
+   }
+
+    // Reference to the resource that manages the collection of ExternalAuths resources.
+    locator ExternalAuths {
+        target ExternalAuths
+    }
+}

model/clusters_mgmt/v1/external_auth_config.type.model → model/clusters_mgmt/v1/external_auth_config_type.model

@@ -23,4 +23,6 @@ struct ExternalAuthConfig {
     // To enable it the cluster needs to be ROSA HCP cluster and the organization of the user needs
     // to have the `external-authentication` feature toggle enabled.
     Enabled Boolean
+
+    link ExternalAuths []ExternalAuth
 }

model/clusters_mgmt/v1/external_auth_resource.model

@@ -0,0 +1,32 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Manages a specific external authentication.
+resource ExternalAuth {
+    // Retrieves the details of an external authentication.
+    method Get {
+        out Body ExternalAuth
+    }
+
+    // Updates the external authentication.
+    method Update {
+        in out Body ExternalAuth
+    }
+
+    // Deletes the external authentication.
+    method Delete {
+    }
+}

model/clusters_mgmt/v1/external_auth_type.model

@@ -0,0 +1,128 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Representation of an external authentication provider.
+class ExternalAuth {
+
+    // The issuer describes the attributes of the OIDC token issuer.
+    Issuer TokenIssuer
+
+    // The list of the platform's clients that need to request tokens from the issuer.
+    Clients []ExternalAuthClientConfig
+
+    // The rules on how to transform information from an ID token into a cluster identity.
+    Claim ExternalAuthClaim
+}
+
+// Representation of a token issuer used in an external authentication.
+struct TokenIssuer {
+
+	// URL is the serving URL of the token issuer.
+	URL String
+
+	// Audiences is an array of audiences that the token was issued for.
+	// Valid tokens must include at least one of these values in their
+	// "aud" claim.
+	// Must be set to exactly one value.
+    Audiences []String
+
+	// Certificate bundle to use to validate server certificates for the configured URL.
+	CA String
+}
+
+// ExternalAuthClientConfig contains configuration for the platform's clients that
+// need to request tokens from the issuer.
+struct ExternalAuthClientConfig {
+
+    // The component that is supposed to consume this client configuration.
+    Component ClientComponent
+
+    // The identifier of the OIDC client from the OIDC provider.
+    ID String
+
+    // The secret of the OIDC client from the OIDC provider.
+    Secret String
+
+    // ExtraScopes is an optional set of scopes to request tokens with.
+    ExtraScopes []String
+}
+
+// The reference of a component that will consume the client configuration.
+struct ClientComponent {
+
+    // The name of the component.
+    Name String
+
+    // The namespace of the component.
+    Namespace String
+}
+
+// The claims and validation rules used in the configuration of the external authentication.
+struct ExternalAuthClaim {
+
+    // Mapping describes rules on how to transform information from an ID token into a cluster identity.
+    Mappings    TokenClaimMappings
+
+    // ValidationRules are rules that are applied to validate token claims to authenticate users.
+    ValidationRules []TokenClaimValidationRule
+}
+
+// The claim mappings defined for users and groups.
+struct TokenClaimMappings {
+
+    // Username is a name of the claim that should be used to construct usernames for the cluster identity.
+    UserName UsernameClaim
+
+	// Groups is a name of the claim that should be used to construct groups for the cluster identity.
+    Groups GroupsClaim
+}
+
+// The username claim mapping.
+struct UsernameClaim {
+
+    // The claim used in the token.
+    Claim String
+
+    // A prefix contatenated in the claim (Optional).
+    Prefix String
+
+    // PrefixPolicy specifies how a prefix should apply.
+    //
+	// By default, claims other than `email` will be prefixed with the issuer URL to
+	// prevent naming clashes with other plugins.
+	//
+	// Set to "NoPrefix" to disable prefixing.
+    PrefixPolicy String
+}
+
+struct GroupsClaim {
+    // The claim used in the token.
+    Claim String
+
+    // A prefix contatenated in the claim (Optional).
+    Prefix String
+}
+
+// The rule that is applied to validate token claims to authenticate users.
+struct TokenClaimValidationRule {
+
+    // Claim is a name of a required claim.
+    Claim String
+
+    // RequiredValue is the required value for the claim.
+    RequiredValue String
+}
+

model/clusters_mgmt/v1/external_auths_resource.model

@@ -0,0 +1,44 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Manages the collection of external authentication defined for a ROSA HCP cluster.
+resource ExternalAuths {
+    method List {
+		// Index of the requested page, where one corresponds to the first page.
+		in out Page Integer = 1
+
+		// Number of items contained in the returned page.
+		in out Size Integer = 100
+
+		// Total number of items of the collection.
+		out Total Integer
+
+		// Retrieved list of external authentications.
+		out Items []ExternalAuth
+    }
+
+	// Adds a new authentication to the cluster.
+	method Add {
+		// Description of the external authentication.
+		in out Body ExternalAuth
+	}
+
+	// Reference to the service that manages a specific external authentication.
+	locator ExternalAuth {
+		target ExternalAuth
+		variable ID
+	}
+}