zhouyuhuan
/
Cloudpods


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264
							// Copyright 2019 Yunion
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package identity

import "yunion.io/x/onecloud/pkg/apis"

const (
	SERVICE_TYPE = apis.SERVICE_TYPE_KEYSTONE

	DEFAULT_DOMAIN_ID   = "default"
	DEFAULT_DOMAIN_NAME = "Default"

	DefaultRemoteDomainId = "default_domain"

	DEFAULT_IDP_ID = DEFAULT_DOMAIN_ID

	SystemAdminUser    = "sysadmin"
	SystemAdminProject = "system"
	SystemAdminRole    = "admin"

	AUTH_METHOD_PASSWORD = "password"
	AUTH_METHOD_TOKEN    = "token"
	AUTH_METHOD_AKSK     = "aksk"
	AUTH_METHOD_CAS      = "cas"
	AUTH_METHOD_SAML     = "saml"
	AUTH_METHOD_OIDC     = "oidc"
	AUTH_METHOD_OAuth2   = "oauth2"
	AUTH_METHOD_VERIFY   = "verify"
	AUTH_METHOD_ASSUME   = "assume"

	// AUTH_METHOD_ID_PASSWORD = 1
	// AUTH_METHOD_ID_TOKEN    = 2

	AUTH_TOKEN_HEADER         = "X-Auth-Token"
	AUTH_SUBJECT_TOKEN_HEADER = "X-Subject-Token"

	AssignmentUserProject  = "UserProject"
	AssignmentGroupProject = "GroupProject"
	AssignmentUserDomain   = "UserDomain"
	AssignmentGroupDomain  = "GroupDomain"

	EndpointInterfacePublic   = "public"
	EndpointInterfaceInternal = "internal"
	EndpointInterfaceAdmin    = "admin"
	EndpointInterfaceConsole  = "console"

	EndpointInterfaceApigateway = "apigateway"

	EndpointInterfaceSlave = "slave"

	KeystoneDomainRoot = "<<keystone.domain.root>>"

	IdMappingEntityUser   = "user"
	IdMappingEntityGroup  = "group"
	IdMappingEntityDomain = "domain"

	IdentityDriverSQL    = "sql"
	IdentityDriverLDAP   = "ldap"
	IdentityDriverCAS    = "cas"
	IdentityDriverSAML   = "saml"
	IdentityDriverOIDC   = "oidc"   // OpenID Connect
	IdentityDriverOAuth2 = "oauth2" // OAuth2.0

	IdentityDriverStatusConnected    = "connected"
	IdentityDriverStatusDisconnected = "disconnected"
	IdentityDriverStatusDeleting     = "deleting"
	IdentityDriverStatusDeleteFailed = "delete_fail"

	IdentityProviderSyncLocal  = "local"
	IdentityProviderSyncFull   = "full"
	IdentityProviderSyncOnAuth = "auth"

	IdentitySyncStatusQueued  = "queued"
	IdentitySyncStatusSyncing = "syncing"
	IdentitySyncStatusIdle    = "idle"

	MinimalSyncIntervalSeconds = 5 * 60 // 5 minutes

	AUTH_TOKEN_LENGTH = 64
)

var (
	AUTH_METHODS = []string{AUTH_METHOD_PASSWORD, AUTH_METHOD_TOKEN, AUTH_METHOD_AKSK, AUTH_METHOD_CAS}

	PASSWORD_PROTECTED_IDPS = []string{
		IdentityDriverSQL,
		IdentityDriverLDAP,
	}

	SensitiveDomainConfigMap = map[string][]string{
		"ldap": {
			"password",
		},
	}

	CommonWhitelistOptionMap = map[string][]string{
		"default": {
			"enable_quota_check",
			"default_quota_value",
			"non_default_domain_projects",
			"time_zone",
			"domainized_namespace",
			"api_server",
			"customized_private_prefixes",
			"global_http_proxy",
			"global_https_proxy",
			"ignore_nonrunning_guests",
			"platform_name",
			"enable_cloud_shell",
			"platform_names",
			"enable_change_owner_auto_rename",
			"default_handlers_whitelist_user_agents",
			"metadata_server_ip4s",
			"metadata_server_ip6s",
		},
	}

	ServiceBlacklistOptionMap = map[string][]string{
		"default": {
			// ############################
			// common blacklist options
			// ############################
			"help",
			"version",
			"config",
			"pid_file",

			"region",
			"application_id",
			"log_level",
			"log_verbose_level",
			"temp_path",
			"address",
			"port",
			"port_v2",
			"admin_port",
			"notify_admin_users",
			"session_endpoint_type",
			"admin_password",
			"admin_project",
			"admin_project_domain",
			"admin_user",
			"admin_domain",
			"auth_url",
			"enable_ssl",
			"ssl_certfile",
			"ssl_keyfile",
			"ssl_ca_certs",

			"is_slave_node",
			"config_sync_period_seconds",
			"enable_app_profiling",

			// ############################
			// db blacklist options
			// ############################
			"sql_connection",
			"clickhouse",
			"ops_log_with_clickhouse",
			"db_checksum_skip_init",
			"db_checksum_tables",
			"enable_db_checksum_tables",
			"db_checksum_hash_algorithm",
			"auto_sync_table",
			"exit_after_db_init",
			"global_virtual_resource_namespace",
			"debug_sqlchemy",
			"lockman_method",
			"etcd_lock_prefix",
			"etcd_lock_ttl",
			"etcd_endpoints",
			"etcd_username",
			"etcd_password",
			"etcd_use_tls",
			"etcd_skip_tls_verify",
			"etcd_cacert",
			"etcd_cert",
			"etcd_key",
			"splitable_max_duration_hours",
			"splitable_max_keep_segments",
			"ops_log_max_keep_months",

			"disable_local_vpc",

			// ############################
			// keystone blacklist options
			// ############################
			"bootstrap_admin_user_password",
			"reset_admin_user_password",
			"fernet_key_repository",

			// ############################
			// baremetal blacklist options
			// ############################
			"listen_interface",
			"access_address",
			"listen_address",
			"tftp_root",
			// "AutoRegisterBaremetal",
			"baremetals_path",
			// "LinuxDefaultRootUser",
			"ipmi_lan_port_shared",
			"zone",
			"dhcp_lease_time",
			"dhcp_renewal_time",
			"enable_general_guest_dhcp",
			"force_dhcp_probe_ipmi",
			"tftp_block_size_in_bytes",
			"tftp_max_timeout_retries",
			"enable_grub_tftp_download",
			"lengthy_worker_count",
			"short_worker_count",
			// "default_ipmi_password",
			// "default_strong_ipmi_password",
			// "windows_default_admin_user",
			"cache_path",
			"enable_pxe_boot",
			"boot_iso_path",
			// "status_probe_interval_seconds",
			// "log_fetch_interval_seconds",
			// "send_metrics_interval_seconds",
			// ############################
			// glance blacklist options
			// ############################
			"deploy_server_socket_path",
			"enable_remote_executor",
			"executor_socket_path",

			// ############################
			// kubeserver blacklist options
			// ############################
			"running_mode",
			"enable_default_policy",
		},
	}
)

func mergeConfigOptionsFrom(opt1, opt2 map[string][]string) map[string][]string {
	for opt, values := range opt2 {
		ovalues, _ := opt1[opt]
		opt1[opt] = append(ovalues, values...)
	}
	return opt1
}

func MergeServiceConfigOptions(opts ...map[string][]string) map[string][]string {
	ret := make(map[string][]string)
	for i := range opts {
		ret = mergeConfigOptionsFrom(ret, opts[i])
	}
	return ret
}