rancher
diff --git a/‎docs.md‎
Lines changed: 27 additions & 0 deletions b/‎docs.md‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 3 additions & 0 deletions b/‎go.mod‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 87 additions & 0 deletions b/‎go.sum‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎pkg/codegen/main.go‎
Lines changed: 1 addition & 0 deletions b/‎pkg/codegen/main.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/generated/objects/management.cattle.io/v3/objects.go‎
Lines changed: 53 additions & 0 deletions b/‎pkg/generated/objects/management.cattle.io/v3/objects.go‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎pkg/resources/management.cattle.io/v3/authconfig/Authconfig.md‎
Lines changed: 24 additions & 0 deletions b/‎pkg/resources/management.cattle.io/v3/authconfig/Authconfig.md‎
Lines changed: 24 additions & 0 deletions
@@ -83,6 +83,33 @@ If yes, the webhook redacts the role, so that it only grants a deletion permissi
 
 # management.cattle.io/v3
 
+## Authconfig
+
+
+### Validation Checks
+
+#### Create and Update
+
+When an LDAP (`openldap`, `freeipa`) or ActiveDirectory (`activedirectory`) authconfig is created or updated, the following checks take place:
+
+- The field `servers` is required.
+- If set, the following fields should have valid LDAP attribute names according to RFC4512
+  - `userSearchAttribute`
+  - `userLoginAttribute`
+  - `userObjectClass`
+  - `userNameAttribute`
+  - `userMemberAttribute` (only for LDAP authconfigs)
+  - `userEnabledAttribute`
+  - `groupSearchAttribute`
+  - `groupObjectClass`
+  - `groupNameAttribute`
+  - `groupDNAttribute`
+  - `groupMemberUserAttribute`
+  - `groupMemberMappingAttribute`
+- If set, the following fields should have a valid LDAP filter expression according to RFC4515
+  - `userSearchFilter`
+  - `groupSearchFilter`
+
 ## Cluster
 
 ### Validation Checks
 
@@ -41,6 +41,7 @@ replace (
 require (
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/evanphx/json-patch v5.9.11+incompatible
+	github.com/go-ldap/ldap/v3 v3.4.10
 	github.com/gorilla/mux v1.8.1
 	github.com/rancher/dynamiclistener v0.6.1
 	github.com/rancher/lasso v0.2.2
@@ -66,6 +67,7 @@ require (
 
 require (
 	cel.dev/expr v0.18.0 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
@@ -82,6 +84,7 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 
@@ -92,6 +92,7 @@ func main() {
 				&v3.Project{},
 				&v3.Setting{},
 				&v3.User{},
+				&v3.AuthConfig{},
 			},
 		},
 		"provisioning.cattle.io": {
 
@@ -696,3 +696,56 @@ func UserFromRequest(request *admissionv1.AdmissionRequest) (*v3.User, error) {
 
 	return object, nil
 }
+
+// AuthConfigOldAndNewFromRequest gets the old and new AuthConfig objects, respectively, from the webhook request.
+// If the request is a Delete operation, then the new object is the zero value for AuthConfig.
+// Similarly, if the request is a Create operation, then the old object is the zero value for AuthConfig.
+func AuthConfigOldAndNewFromRequest(request *admissionv1.AdmissionRequest) (*v3.AuthConfig, *v3.AuthConfig, error) {
+	if request == nil {
+		return nil, nil, fmt.Errorf("nil request")
+	}
+
+	object := &v3.AuthConfig{}
+	oldObject := &v3.AuthConfig{}
+
+	if request.Operation != admissionv1.Delete {
+		err := json.Unmarshal(request.Object.Raw, object)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to unmarshal request object: %w", err)
+		}
+	}
+
+	if request.Operation == admissionv1.Create {
+		return oldObject, object, nil
+	}
+
+	err := json.Unmarshal(request.OldObject.Raw, oldObject)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to unmarshal request oldObject: %w", err)
+	}
+
+	return oldObject, object, nil
+}
+
+// AuthConfigFromRequest returns a AuthConfig object from the webhook request.
+// If the operation is a Delete operation, then the old object is returned.
+// Otherwise, the new object is returned.
+func AuthConfigFromRequest(request *admissionv1.AdmissionRequest) (*v3.AuthConfig, error) {
+	if request == nil {
+		return nil, fmt.Errorf("nil request")
+	}
+
+	object := &v3.AuthConfig{}
+	raw := request.Object.Raw
+
+	if request.Operation == admissionv1.Delete {
+		raw = request.OldObject.Raw
+	}
+
+	err := json.Unmarshal(raw, object)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal request object: %w", err)
+	}
+
+	return object, nil
+}
@@ -0,0 +1,24 @@
+
+## Validation Checks
+
+### Create and Update
+
+When an LDAP (`openldap`, `freeipa`) or ActiveDirectory (`activedirectory`) authconfig is created or updated, the following checks take place:
+
+- The field `servers` is required.
+- If set, the following fields should have valid LDAP attribute names according to RFC4512
+  - `userSearchAttribute`
+  - `userLoginAttribute`
+  - `userObjectClass`
+  - `userNameAttribute`
+  - `userMemberAttribute` (only for LDAP authconfigs)
+  - `userEnabledAttribute`
+  - `groupSearchAttribute`
+  - `groupObjectClass`
+  - `groupNameAttribute`
+  - `groupDNAttribute`
+  - `groupMemberUserAttribute`
+  - `groupMemberMappingAttribute`
+- If set, the following fields should have a valid LDAP filter expression according to RFC4515
+  - `userSearchFilter`
+  - `groupSearchFilter`