Merge pull request #276 from Kuadrant/authpolicy-v2-api-enhancement
[authpolicy-v2] Move AuthPolicy top-level 'patterns' and 'when' fields one level up
guicassolato committed Oct 17, 2023
2 parents ae5d7f6 + f9eae17 commit 1ba111e
Showing 7 changed files with 229 additions and 231 deletions.
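--- a/api/v1beta2/authpolicy_types.go
+++ b/api/v1beta2/authpolicy_types.go
@@ -15,16 +15,6 @@ import (
 )
 
 type AuthSchemeSpec struct {
-// Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules.
-// +optional
-NamedPatterns map[string]authorinoapi.PatternExpressions `json:"patterns,omitempty"`
-
-// Overall conditions for the AuthPolicy to be enforced.
-// If omitted, the AuthPolicy will be enforced at all requests to the protected routes.
-// If present, all conditions must match for the AuthPolicy to be enforced; otherwise, the authorization service skips the AuthPolicy and returns to the auth request with status OK.
-// +optional
-Conditions []authorinoapi.PatternExpressionOrRef `json:"when,omitempty"`
-
 // Authentication configs.
 // At least one config MUST evaluate to a valid identity object for the auth request to be successful.
 // +optional
@@ -136,6 +126,16 @@ type AuthPolicySpec struct {
 // +optional
 RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`
 
+// Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules.
+// +optional
+NamedPatterns map[string]authorinoapi.PatternExpressions `json:"patterns,omitempty"`
+
+// Overall conditions for the AuthPolicy to be enforced.
+// If omitted, the AuthPolicy will be enforced at all requests to the protected routes.
+// If present, all conditions must match for the AuthPolicy to be enforced; otherwise, the authorization service skips the AuthPolicy and returns to the auth request with status OK.
+// +optional
+Conditions []authorinoapi.PatternExpressionOrRef `json:"when,omitempty"`
+
 // The auth rules of the policy.
 // See Authorino's AuthConfig CRD for more details.
 AuthScheme AuthSchemeSpec `json:"rules,omitempty"`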
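Review bot: The doc comment added above `Conditions` in `AuthPolicySpec` should spell out that a non-matching `when` is fail-open — the request is handed back with status OK and none of this policy's authentication or authorization runs — because at the top level these conditions now gate the entire policy rather than one `rules` block, and "returns to the auth request with status OK" is easy to misread as "the conditions passed"; I would append `// NOTE: a request that does not match these conditions is NOT denied; it bypasses this AuthPolicy entirely, so keep conditions as narrow as possible.` Separately, `patterns` and `when` are dropped from `AuthSchemeSpec` with no deprecation shim, so any existing v1beta2 object that still carries `spec.rules.when` or `spec.rules.patterns` will presumably have those fields pruned by the apiserver once the updated CRD is installed (a pruned `when` makes the policy apply to every request, a pruned `patterns` leaves `patternRef`s dangling) — worth a migration note in the API docs if v1beta2 objects already exist anywhere. `AuthPolicySpec` begins and ends outside this hunk.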
44 changes: 22 additions & 22 deletions api/v1beta2/zz_generated.deepcopy.go
Expand Up @@ -41,7 +41,7 @@ metadata:
capabilities: Basic Install
categories: Integration & Delivery
containerImage: quay.io/kuadrant/kuadrant-operator:latest
createdAt: "2023-09-27T10:29:36Z"
createdAt: "2023-10-17T08:12:53Z"
operators.operatorframework.io/builder: operator-sdk-v1.28.1
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
repository: https://github.com/Kuadrant/kuadrant-operator
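--- a/bundle/manifests/kuadrant.io_authpolicies.yaml
+++ b/bundle/manifests/kuadrant.io_authpolicies.yaml
@@ -34,6 +34,40 @@ spec:
 type: object
 spec:
 properties:
+patterns:
+additionalProperties:
+items:
+properties:
+operator:
+description: 'The binary operator to be applied to the content
+fetched from the authorization JSON, for comparison with
+"value". Possible values are: "eq" (equal to), "neq" (not
+equal to), "incl" (includes; for arrays), "excl" (excludes;
+for arrays), "matches" (regex)'
+enum:
+- eq
+- neq
+- incl
+- excl
+- matches
+type: string
+selector:
+description: Path selector to fetch content from the authorization
+JSON (e.g. 'request.method'). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson
+can be used. Authorino custom JSON path modifiers are also
+supported.
+type: string
+value:
+description: The value of reference for the comparison with
+the content fetched from the authorization JSON. If used
+with the "matches" operator, the value must compile to a
+valid Golang regex.
+type: string
+type: object
+type: array
+description: Named sets of patterns that can be referred in `when`
+conditions and in pattern-matching authorization policy rules.
+type: object
 routeSelectors:
 description: Top-level route selectors. If present, the elements will
 be used to select HTTPRoute rules that, when activated, trigger
@@ -2908,41 +2942,6 @@ spec:
 description: Metadata sources. Authorino fetches auth metadata
 as JSON from sources specified in this config.
 type: object
-patterns:
-additionalProperties:
-items:
-properties:
-operator:
-description: 'The binary operator to be applied to the
-content fetched from the authorization JSON, for comparison
-with "value". Possible values are: "eq" (equal to),
-"neq" (not equal to), "incl" (includes; for arrays),
-"excl" (excludes; for arrays), "matches" (regex)'
-enum:
-- eq
-- neq
-- incl
-- excl
-- matches
-type: string
-selector:
-description: Path selector to fetch content from the authorization
-JSON (e.g. 'request.method'). Any pattern supported
-by https://pkg.go.dev/github.com/tidwall/gjson can be
-used. Authorino custom JSON path modifiers are also
-supported.
-type: string
-value:
-description: The value of reference for the comparison
-with the content fetched from the authorization JSON.
-If used with the "matches" operator, the value must
-compile to a valid Golang regex.
-type: string
-type: object
-type: array
-description: Named sets of patterns that can be referred in `when`
-conditions and in pattern-matching authorization policy rules.
-type: object
 response:
 description: Response items. Authorino builds custom responses
 to the client of the auth request.
@@ -4087,59 +4086,6 @@ spec:
 type: object
 type: object
 type: object
-when:
-description: Overall conditions for the AuthPolicy to be enforced.
-If omitted, the AuthPolicy will be enforced at all requests
-to the protected routes. If present, all conditions must match
-for the AuthPolicy to be enforced; otherwise, the authorization
-service skips the AuthPolicy and returns to the auth request
-with status OK.
-items:
-properties:
-all:
-description: A list of pattern expressions to be evaluated
-as a logical AND.
-items:
-type: object
-x-kubernetes-preserve-unknown-fields: true
-type: array
-any:
-description: A list of pattern expressions to be evaluated
-as a logical OR.
-items:
-type: object
-x-kubernetes-preserve-unknown-fields: true
-type: array
-operator:
-description: 'The binary operator to be applied to the content
-fetched from the authorization JSON, for comparison with
-"value". Possible values are: "eq" (equal to), "neq" (not
-equal to), "incl" (includes; for arrays), "excl" (excludes;
-for arrays), "matches" (regex)'
-enum:
-- eq
-- neq
-- incl
-- excl
-- matches
-type: string
-patternRef:
-description: Reference to a named set of pattern expressions
-type: string
-selector:
-description: Path selector to fetch content from the authorization
-JSON (e.g. 'request.method'). Any pattern supported by
-https://pkg.go.dev/github.com/tidwall/gjson can be used.
-Authorino custom JSON path modifiers are also supported.
-type: string
-value:
-description: The value of reference for the comparison with
-the content fetched from the authorization JSON. If used
-with the "matches" operator, the value must compile to
-a valid Golang regex.
-type: string
-type: object
-type: array
 type: object
 targetRef:
 description: TargetRef identifies an API object to apply policy to.
@@ -4174,6 +4120,59 @@ spec:
 - kind
 - name
 type: object
+when:
+description: Overall conditions for the AuthPolicy to be enforced.
+If omitted, the AuthPolicy will be enforced at all requests to the
+protected routes. If present, all conditions must match for the
+AuthPolicy to be enforced; otherwise, the authorization service
+skips the AuthPolicy and returns to the auth request with status
+OK.
+items:
+properties:
+all:
+description: A list of pattern expressions to be evaluated as
+a logical AND.
+items:
+type: object
+x-kubernetes-preserve-unknown-fields: true
+type: array
+any:
+description: A list of pattern expressions to be evaluated as
+a logical OR.
+items:
+type: object
+x-kubernetes-preserve-unknown-fields: true
+type: array
+operator:
+description: 'The binary operator to be applied to the content
+fetched from the authorization JSON, for comparison with "value".
+Possible values are: "eq" (equal to), "neq" (not equal to),
+"incl" (includes; for arrays), "excl" (excludes; for arrays),
+"matches" (regex)'
+enum:
+- eq
+- neq
+- incl
+- excl
+- matches
+type: string
+patternRef:
+description: Reference to a named set of pattern expressions
+type: string
+selector:
+description: Path selector to fetch content from the authorization
+JSON (e.g. 'request.method'). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson
+can be used. Authorino custom JSON path modifiers are also
+supported.
+type: string
+value:
+description: The value of reference for the comparison with
+the content fetched from the authorization JSON. If used with
+the "matches" operator, the value must compile to a valid
+Golang regex.
+type: string
+type: object
+type: array
 required:
 - targetRef
 type: object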