From b3e9437304ec9d2248f440bb4eb89960490219cb Mon Sep 17 00:00:00 2001 From: Guilherme Cassolato Date: Mon, 4 Sep 2023 12:03:49 +0200 Subject: [PATCH] AuthPolicy v1beta2 Defines new `v1beta2` version of the `AuthPolicy` CRD, based on Authorino's `AuthConfig/v1beta2`. Closes #247 Depends on https://github.com/Kuadrant/authorino/pull/417, https://github.com/Kuadrant/authorino-operator/pull/137 Bump Authorino to latest (unreleased) version Bump Authorino to latest (unreleased) version Bump Authorino to latest (unreleased) version Update AuthPolicy manifests based on latest AuthConfig v1beta2 changes Bump Authorino to latest (unreleased) version Bump Authorino to latest (unreleased) version --- api/v1beta1/zz_generated.deepcopy.go | 221 -- api/{v1beta1 => v1beta2}/authpolicy_types.go | 68 +- api/v1beta2/zz_generated.deepcopy.go | 207 + ...adrant-operator.clusterserviceversion.yaml | 59 +- .../manifests/kuadrant.io_authpolicies.yaml | 3512 ++++++++++------- .../crd/bases/kuadrant.io_authpolicies.yaml | 3512 ++++++++++------- controllers/authpolicy_auth_config.go | 30 +- controllers/authpolicy_controller.go | 2 +- controllers/authpolicy_controller_test.go | 101 +- .../authpolicy_istio_authorization_policy.go | 6 +- controllers/authpolicy_status.go | 13 +- controllers/suite_test.go | 8 +- .../authenticated-rl-for-app-developers.md | 39 +- ...uthenticated-rl-with-jwt-and-k8s-authnz.md | 50 +- examples/toystore/authpolicy.yaml | 52 +- .../toystore/authpolicy_jwt-k8s-authnz.yaml | 23 +- go.mod | 6 +- go.sum | 13 +- main.go | 8 +- 19 files changed, 4512 insertions(+), 3418 deletions(-) rename api/{v1beta1 => v1beta2}/authpolicy_types.go (60%) diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 8d3cf2e94..ce406a60e 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go 
@@ -21,231 +21,10 @@ limitations under the License. package v1beta1 import ( - apiv1beta1 "github.com/kuadrant/authorino/api/v1beta1" "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthPolicy) DeepCopyInto(out *AuthPolicy) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicy. -func (in *AuthPolicy) DeepCopy() *AuthPolicy { - if in == nil { - return nil - } - out := new(AuthPolicy) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *AuthPolicy) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthPolicyList) DeepCopyInto(out *AuthPolicyList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]AuthPolicy, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyList. -func (in *AuthPolicyList) DeepCopy() *AuthPolicyList { - if in == nil { - return nil - } - out := new(AuthPolicyList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *AuthPolicyList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthPolicySpec) DeepCopyInto(out *AuthPolicySpec) { - *out = *in - in.TargetRef.DeepCopyInto(&out.TargetRef) - if in.AuthRules != nil { - in, out := &in.AuthRules, &out.AuthRules - *out = make([]AuthRule, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - in.AuthScheme.DeepCopyInto(&out.AuthScheme) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicySpec. -func (in *AuthPolicySpec) DeepCopy() *AuthPolicySpec { - if in == nil { - return nil - } - out := new(AuthPolicySpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthPolicyStatus) DeepCopyInto(out *AuthPolicyStatus) { - *out = *in - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]v1.Condition, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyStatus. -func (in *AuthPolicyStatus) DeepCopy() *AuthPolicyStatus { - if in == nil { - return nil - } - out := new(AuthPolicyStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *AuthRule) DeepCopyInto(out *AuthRule) { - *out = *in - if in.Hosts != nil { - in, out := &in.Hosts, &out.Hosts - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.Methods != nil { - in, out := &in.Methods, &out.Methods - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.Paths != nil { - in, out := &in.Paths, &out.Paths - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthRule. -func (in *AuthRule) DeepCopy() *AuthRule { - if in == nil { - return nil - } - out := new(AuthRule) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthSchemeSpec) DeepCopyInto(out *AuthSchemeSpec) { - *out = *in - if in.Patterns != nil { - in, out := &in.Patterns, &out.Patterns - *out = make(map[string]apiv1beta1.JSONPatternExpressions, len(*in)) - for key, val := range *in { - var outVal []apiv1beta1.JSONPatternExpression - if val == nil { - (*out)[key] = nil - } else { - inVal := (*in)[key] - in, out := &inVal, &outVal - *out = make(apiv1beta1.JSONPatternExpressions, len(*in)) - copy(*out, *in) - } - (*out)[key] = outVal - } - } - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]apiv1beta1.JSONPattern, len(*in)) - copy(*out, *in) - } - if in.Identity != nil { - in, out := &in.Identity, &out.Identity - *out = make([]*apiv1beta1.Identity, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1beta1.Identity) - (*in).DeepCopyInto(*out) - } - } - } - if in.Metadata != nil { - in, out := &in.Metadata, &out.Metadata - *out = make([]*apiv1beta1.Metadata, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1beta1.Metadata) - (*in).DeepCopyInto(*out) - } - } - } - if in.Authorization != nil { - in, 
out := &in.Authorization, &out.Authorization - *out = make([]*apiv1beta1.Authorization, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1beta1.Authorization) - (*in).DeepCopyInto(*out) - } - } - } - if in.Response != nil { - in, out := &in.Response, &out.Response - *out = make([]*apiv1beta1.Response, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1beta1.Response) - (*in).DeepCopyInto(*out) - } - } - } - if in.DenyWith != nil { - in, out := &in.DenyWith, &out.DenyWith - *out = new(apiv1beta1.DenyWith) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthSchemeSpec. -func (in *AuthSchemeSpec) DeepCopy() *AuthSchemeSpec { - if in == nil { - return nil - } - out := new(AuthSchemeSpec) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Kuadrant) DeepCopyInto(out *Kuadrant) { *out = *in diff --git a/api/v1beta1/authpolicy_types.go b/api/v1beta2/authpolicy_types.go similarity index 60% rename from api/v1beta1/authpolicy_types.go rename to api/v1beta2/authpolicy_types.go index d17abb350..141f7c3ea 100644 --- a/api/v1beta1/authpolicy_types.go +++ b/api/v1beta2/authpolicy_types.go 
@@ -1,59 +1,71 @@ -package v1beta1 +package v1beta2 import ( "fmt" "github.com/go-logr/logr" "github.com/google/go-cmp/cmp" - authorinov1beta1 "github.com/kuadrant/authorino/api/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gatewayapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" + authorinoapi "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/kuadrant-operator/pkg/common" ) type AuthSchemeSpec struct { - // Named sets of JSON patterns that can be referred in `when` conditionals and in JSON-pattern matching policy rules. - Patterns map[string]authorinov1beta1.JSONPatternExpressions `json:"patterns,omitempty"` + // Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules. + // +optional + NamedPatterns map[string]authorinoapi.PatternExpressions `json:"patterns,omitempty"` + + // Overall conditions for the AuthPolicy to be enforced. + // If omitted, the AuthPolicy will be enforced at all requests to the protected routes. + // If present, all conditions must match for the AuthPolicy to be enforced; otherwise, the authorization service skips the AuthPolicy and returns to the auth request with status OK. + // +optional + Conditions []authorinoapi.PatternExpressionOrRef `json:"when,omitempty"` - // Conditions for the AuthConfig to be enforced. - // If omitted, the AuthConfig will be enforced for all requests. - // If present, all conditions must match for the AuthConfig to be enforced; otherwise, Authorino skips the AuthConfig and returns immediately with status OK. - Conditions []authorinov1beta1.JSONPattern `json:"when,omitempty"` + // TODO(@guicassolato): define top-level `routeSelectors` - // List of identity sources/authentication modes. - // At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. 
- Identity []*authorinov1beta1.Identity `json:"identity,omitempty"` + // Authentication configs. + // At least one config MUST evaluate to a valid identity object for the auth request to be successful. + // +optional + Authentication map[string]authorinoapi.AuthenticationSpec `json:"authentication,omitempty"` - // List of metadata source configs. - // Authorino fetches JSON content from sources on this list on every request. - Metadata []*authorinov1beta1.Metadata `json:"metadata,omitempty"` + // Metadata sources. + // Authorino fetches auth metadata as JSON from sources specified in this config. + // +optional + Metadata map[string]authorinoapi.MetadataSpec `json:"metadata,omitempty"` - // Authorization is the list of authorization policies. - // All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. - Authorization []*authorinov1beta1.Authorization `json:"authorization,omitempty"` + // Authorization policies. + // All policies MUST evaluate to "allowed = true" for the auth request be successful. + // +optional + Authorization map[string]authorinoapi.AuthorizationSpec `json:"authorization,omitempty"` - // List of response configs. - // Authorino gathers data from the auth pipeline to build custom responses for the client. - Response []*authorinov1beta1.Response `json:"response,omitempty"` + // Response items. + // Authorino builds custom responses to the client of the auth request. + // +optional + Response *authorinoapi.ResponseSpec `json:"response,omitempty"` - // Custom denial response codes, statuses and headers to override default 40x's. - DenyWith *authorinov1beta1.DenyWith `json:"denyWith,omitempty"` + // Callback functions. + // Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. + // +optional + Callbacks map[string]authorinoapi.CallbackSpec `json:"callbacks,omitempty"` } type AuthPolicySpec struct { // TargetRef identifies an API object to apply policy to. 
TargetRef gatewayapiv1alpha2.PolicyTargetReference `json:"targetRef"` - // Rule describe the requests that will be routed to external authorization provider - AuthRules []AuthRule `json:"rules,omitempty"` + // Route rules specify the HTTP route attributes that trigger the external authorization service + // TODO(@guicassolato): remove – conditions to trigger the ext-authz service will be computed from `routeSelectors` + RouteRules []RouteRule `json:"routes,omitempty"` - // AuthSchemes are embedded Authorino's AuthConfigs - AuthScheme AuthSchemeSpec `json:"authScheme,omitempty"` + // The auth rules of the policy. + // See Authorino's AuthConfig CRD for more details. + AuthScheme AuthSchemeSpec `json:"rules,omitempty"` } -type AuthRule struct { +type RouteRule struct { Hosts []string `json:"hosts,omitempty"` Methods []string `json:"methods,omitempty"` Paths []string `json:"paths,omitempty"` @@ -144,7 +156,7 @@ func (ap *AuthPolicy) GetWrappedNamespace() gatewayapiv1beta1.Namespace { func (ap *AuthPolicy) GetRulesHostnames() (ruleHosts []string) { ruleHosts = make([]string, 0) - for _, rule := range ap.Spec.AuthRules { + for _, rule := range ap.Spec.RouteRules { ruleHosts = append(ruleHosts, rule.Hosts...) } return diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go index b864d6e2f..0270fd4a8 100644 --- a/api/v1beta2/zz_generated.deepcopy.go +++ b/api/v1beta2/zz_generated.deepcopy.go 
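Review bot: The `TODO(@guicassolato): remove – …` line is part of the `RouteRules` doc comment, so controller-gen copies it into the published CRD schema — the `routes` description in this commit's bundle manifest hunk already shows it. Move it above the doc sentence with a blank line in between (or make it a trailing comment on the field) so that only `// Route rules specify the HTTP route attributes that trigger the external authorization service.` is exported, and check the `TODO(@guicassolato): define top-level routeSelectors` comment in `AuthSchemeSpec` the same way. The JSON key `rules` also changes meaning in this hunk — it carried the route-rule list in v1beta1 and now carries the `AuthScheme` object, with the list moved to `routes` — while the CRD manifest hunk replaces `v1beta1` with `v1beta2` under `versions` rather than serving both with a conversion, so a cluster that still holds v1beta1 objects will either reject those objects against the new schema or reject the CRD update itself if v1beta1 is still in `status.storedVersions`; the migration path belongs in the commit description or in a conversion webhook. The bundle CSV hunk likewise drops the AuthPolicy `displayName`/`description` and its alm-example with no v1beta2 replacement, which suggests the CSV markers and the config sample were not carried to the new package — the `AuthPolicy` type declaration they hang off is outside this hunk. `AuthSchemeSpec`, `AuthPolicySpec` and `RouteRule` are exported without a doc comment starting with their name, e.g. `// AuthSchemeSpec is the Authorino AuthConfig rule set embedded in an AuthPolicy.`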
@@ -21,11 +21,188 @@ limitations under the License. package v1beta2 import ( + apiv1beta2 "github.com/kuadrant/authorino/api/v1beta2" "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" "sigs.k8s.io/gateway-api/apis/v1beta1" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthPolicy) DeepCopyInto(out *AuthPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicy. +func (in *AuthPolicy) DeepCopy() *AuthPolicy { + if in == nil { + return nil + } + out := new(AuthPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *AuthPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthPolicyList) DeepCopyInto(out *AuthPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]AuthPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyList. +func (in *AuthPolicyList) DeepCopy() *AuthPolicyList { + if in == nil { + return nil + } + out := new(AuthPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *AuthPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthPolicySpec) DeepCopyInto(out *AuthPolicySpec) { + *out = *in + in.TargetRef.DeepCopyInto(&out.TargetRef) + if in.RouteRules != nil { + in, out := &in.RouteRules, &out.RouteRules + *out = make([]RouteRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.AuthScheme.DeepCopyInto(&out.AuthScheme) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicySpec. +func (in *AuthPolicySpec) DeepCopy() *AuthPolicySpec { + if in == nil { + return nil + } + out := new(AuthPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthPolicyStatus) DeepCopyInto(out *AuthPolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyStatus. +func (in *AuthPolicyStatus) DeepCopy() *AuthPolicyStatus { + if in == nil { + return nil + } + out := new(AuthPolicyStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *AuthSchemeSpec) DeepCopyInto(out *AuthSchemeSpec) { + *out = *in + if in.NamedPatterns != nil { + in, out := &in.NamedPatterns, &out.NamedPatterns + *out = make(map[string]apiv1beta2.PatternExpressions, len(*in)) + for key, val := range *in { + var outVal []apiv1beta2.PatternExpression + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = make(apiv1beta2.PatternExpressions, len(*in)) + copy(*out, *in) + } + (*out)[key] = outVal + } + } + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]apiv1beta2.PatternExpressionOrRef, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Authentication != nil { + in, out := &in.Authentication, &out.Authentication + *out = make(map[string]apiv1beta2.AuthenticationSpec, len(*in)) + for key, val := range *in { + (*out)[key] = *val.DeepCopy() + } + } + if in.Metadata != nil { + in, out := &in.Metadata, &out.Metadata + *out = make(map[string]apiv1beta2.MetadataSpec, len(*in)) + for key, val := range *in { + (*out)[key] = *val.DeepCopy() + } + } + if in.Authorization != nil { + in, out := &in.Authorization, &out.Authorization + *out = make(map[string]apiv1beta2.AuthorizationSpec, len(*in)) + for key, val := range *in { + (*out)[key] = *val.DeepCopy() + } + } + if in.Response != nil { + in, out := &in.Response, &out.Response + *out = new(apiv1beta2.ResponseSpec) + (*in).DeepCopyInto(*out) + } + if in.Callbacks != nil { + in, out := &in.Callbacks, &out.Callbacks + *out = make(map[string]apiv1beta2.CallbackSpec, len(*in)) + for key, val := range *in { + (*out)[key] = *val.DeepCopy() + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthSchemeSpec. 
+func (in *AuthSchemeSpec) DeepCopy() *AuthSchemeSpec { + if in == nil { + return nil + } + out := new(AuthSchemeSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Limit) DeepCopyInto(out *Limit) { *out = *in @@ -182,6 +359,36 @@ func (in *RateLimitPolicyStatus) DeepCopy() *RateLimitPolicyStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RouteRule) DeepCopyInto(out *RouteRule) { + *out = *in + if in.Hosts != nil { + in, out := &in.Hosts, &out.Hosts + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Methods != nil { + in, out := &in.Methods, &out.Methods + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Paths != nil { + in, out := &in.Paths, &out.Paths + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteRule. +func (in *RouteRule) DeepCopy() *RouteRule { + if in == nil { + return nil + } + out := new(RouteRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RouteSelector) DeepCopyInto(out *RouteSelector) { *out = *in diff --git a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml index 80e5018d0..2c9e38570 100644 --- a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml +++ b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml 
@@ -4,57 +4,6 @@ metadata: annotations: alm-examples: |- [ - { - "apiVersion": "kuadrant.io/v1beta1", - "kind": "AuthPolicy", - "metadata": { - "name": "toystore" - }, - "spec": { - "authScheme": { - "identity": [ - { - "apiKey": { - "allNamespaces": true, - "selector": { - "matchLabels": { - "app": "toystore" - } - } - }, - "credentials": { - "in": "authorization_header", - "keySelector": "APIKEY" - }, - "name": "friends" - } - ], - "response": [ - { - "json": { - "properties": [ - { - "name": "userID", - "valueFrom": { - "authJSON": "auth.identity.metadata.annotations.secret\\.kuadrant\\.io/user-id" - } - } - ] - }, - "name": "rate-limit-apikey", - "wrapper": "envoyDynamicMetadata", - "wrapperKey": "ext_auth_data" - } - ] - }, - "rules": null, - "targetRef": { - "group": "gateway.networking.k8s.io", - "kind": "HTTPRoute", - "name": "toystore" - } - } - }, { "apiVersion": "kuadrant.io/v1beta1", "kind": "Kuadrant", @@ -92,7 +41,7 @@ metadata: capabilities: Basic Install categories: Integration & Delivery containerImage: quay.io/kuadrant/kuadrant-operator:latest - createdAt: "2023-10-18T09:13:46Z" + createdAt: "2023-10-18T09:46:22Z" operators.operatorframework.io/builder: operator-sdk-v1.28.1 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/Kuadrant/kuadrant-operator @@ -103,11 +52,9 @@ spec: apiservicedefinitions: {} customresourcedefinitions: owned: - - description: Enable AuthN and AuthZ based access control on workloads - displayName: AuthPolicy - kind: AuthPolicy + - kind: AuthPolicy name: authpolicies.kuadrant.io - version: v1beta1 + version: v1beta2 - description: Kuadrant is the Schema for the kuadrants API displayName: Kuadrant kind: Kuadrant diff --git a/bundle/manifests/kuadrant.io_authpolicies.yaml b/bundle/manifests/kuadrant.io_authpolicies.yaml index 7897bfbd2..67575631c 100644 --- a/bundle/manifests/kuadrant.io_authpolicies.yaml +++ b/bundle/manifests/kuadrant.io_authpolicies.yaml 
@@ -16,7 +16,7 @@ spec: singular: authpolicy scope: Namespaced versions: - - name: v1beta1 + - name: v1beta2 schema: openAPIV3Schema: properties: 
@@ -34,226 +34,123 @@ spec: type: object spec: properties: - authScheme: - description: AuthSchemes are embedded Authorino's AuthConfigs + routes: + description: 'Route rules specify the HTTP route attributes that trigger + the external authorization service TODO(@guicassolato): remove – + conditions to trigger the ext-authz service will be computed from + `routeSelectors`' + items: + properties: + hosts: + items: + type: string + type: array + methods: + items: + type: string + type: array + paths: + items: + type: string + type: array + type: object + type: array + rules: + description: The auth rules of the policy. See Authorino's AuthConfig + CRD for more details. properties: - authorization: - description: Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request - be successful in the authorization phase. - items: - description: 'Authorization policy to be enforced. Apart from - "name", one of the following parameters is required and only - one of the following parameters is allowed: "opa", "json" - or "kubernetes".' + authentication: + additionalProperties: properties: - authzed: - description: Authzed authorization + anonymous: + description: Anonymous access. + type: object + apiKey: + description: Authentication based on API keys stored in + Kubernetes secrets. properties: - endpoint: - description: Endpoint of the Authzed service. - type: string - insecure: - description: Insecure HTTP connection (i.e. disables - TLS verification) + allNamespaces: + default: false + description: Whether Authorino should look for API key + secrets in all namespaces or only in the same namespace + as the AuthConfig. Enabling this option in namespaced + Authorino instances has no effect. type: boolean - permission: - description: The name of the permission (or relation) - on which to execute the check. 
- properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - resource: - description: The resource on which to check the permission - or relation. - properties: - kind: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - name: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. 
a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - type: object - sharedSecretRef: - description: Reference to a Secret key whose value will - be used by Authorino to authenticate with the Authzed - service. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - subject: - description: The subject that will be checked for the - permission or relation. + selector: + description: Label selector used by Authorino to match + secrets from the cluster storing valid credentials + to authenticate to this service properties: - kind: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. 
''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - name: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. 
If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: type: string - type: object + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - - endpoint + - selector type: object cache: - description: Caching options for the policy evaluation results - when enforcing this config. Omit it to avoid caching policy - evaluation results for this config. + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. properties: key: description: Key used to store the entry in the cache. - Cache entries from different metadata configs are - stored and managed separately regardless of the key. + The resolved key must be unique within the scope of + this particular config. properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string value: description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. 
It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object + x-kubernetes-preserve-unknown-fields: true type: object ttl: default: 60 
@@ -263,360 +160,172 @@ spec: required: - key type: object - json: - description: JSON pattern matching authorization policy. + credentials: + description: Defines where credentials are required to be + passed in the request for authentication based on this + config. If omitted, it defaults to credentials passed + in the HTTP Authorization header and the "Bearer" prefix + prepended to the secret credential value. properties: - rules: - description: The rules that must all evaluate to "true" - for the request to be authorized. - items: - properties: - operator: - description: 'The binary operator to be applied - to the content fetched from the authorization - JSON, for comparison with "value". Possible - values are: "eq" (equal to), "neq" (not equal - to), "incl" (includes; for arrays), "excl" (excludes; - for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the - input authorization JSON built by Authorino - along the identity and metadata phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the - value must compile to a valid Golang regex. 
- type: string - type: object - type: array - required: - - rules + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + defaults: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Set default property values (claims) for the + resolved identity object, that are set before appending + the object to the authorization JSON. If the property + is already present in the resolved identity object, the + default value is ignored. It requires the resolved identity + object to always be a JSON object. Do not use this option + with identity objects of other JSON types (array, string, + etc). type: object - kubernetes: - description: Kubernetes authorization policy based on `SubjectAccessReview` - Path and Verb are inferred from the request. + jwt: + description: Authentication based on JWT tokens. properties: - groups: - description: Groups to test for. + issuerUrl: + description: URL of the issuer of the JWT. If `jwksUrl` + is omitted, Authorino will append the path to the + OpenID Connect Well-Known Discovery endpoint (i.e. 
+ "/.well-known/openid-configuration") to this URL, + to discover the OIDC configuration where to obtain + the "jkws_uri" claim from. The value must coincide + with the value of the "iss" (issuer) claim of the + discovered OpenID Connect configuration. + type: string + ttl: + description: Decides how long to wait before refreshing + the JWKS (in seconds). If omitted, Authorino will + never refresh the JWKS. + type: integer + type: object + kubernetesTokenReview: + description: Authentication by Kubernetes token review. + properties: + audiences: + description: The list of audiences (scopes) that must + be claimed in a Kubernetes authentication token supplied + in the request, and reviewed by Authorino. If omitted, + Authorino will review tokens expecting the host name + of the requested protected service amongst the audiences. items: type: string type: array - resourceAttributes: - description: Use ResourceAttributes for checking permissions - on Kubernetes resources If omitted, it performs a - non-resource `SubjectAccessReview`, with verb and - path inferred from the request. + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + oauth2Introspection: + description: Authentication by OAuth2 token introspection. + properties: + credentialsRef: + description: Reference to a Kubernetes secret in the + same namespace, that stores client credentials to + the OAuth2 server. properties: - group: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. 
''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object name: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - namespace: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). 
Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - resource: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - subresource: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. 
The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - verb: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - type: object - user: - description: User to test for. If without "Groups", - then is it interpreted as "What if User were not a - member of any groups" - properties: - value: - description: Static value + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. 
The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object type: object + x-kubernetes-map-type: atomic + endpoint: + description: The full URL of the token introspection + endpoint. + type: string + tokenTypeHint: + description: The token type hint for the token introspection. + If omitted, it defaults to "access_token". + type: string required: - - user + - credentialsRef + - endpoint type: object - metrics: - default: false - description: Whether this authorization config should generate - individual observability metrics - type: boolean - name: - description: Name of the authorization policy. It can be - used to refer to the resolved authorization object in - other configs. - type: string - opa: - description: Open Policy Agent (OPA) authorization policy. + overrides: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Overrides the resolved identity object by setting + the additional properties (claims) specified in this config, + before appending the object to the authorization JSON. + It requires the resolved identity object to always be + a JSON object. Do not use this option with identity objects + of other JSON types (array, string, etc). + type: object + plain: + description: Identity object extracted from the context. 
+ Use this method when authentication is performed beforehand + by a proxy and the resulting object passed to Authorino + as JSON in the auth request. properties: - allValues: - default: false - description: Returns the value of all Rego rules in - the virtual document. Values can be read in subsequent - evaluators/phases of the Auth Pipeline. Otherwise, - only the default `allow` rule will be exposed. Returning - all Rego rules can affect performance of OPA policies - during reconciliation (policy precompile) and at runtime. - type: boolean - externalRegistry: - description: External registry of OPA policies. - properties: - credentials: - description: Defines where client credentials will - be passed in the request to the service. If omitted, - it defaults to client credentials passed in the - HTTP Authorization header and the "Bearer" prefix - expected prepended to the secret value. - properties: - in: - default: authorization_header - description: The location in the request where - client credentials shall be passed on requests - authenticating with this identity source/authentication - mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` - parameter. When used with `authorization_header`, - the value is the prefix of the client credentials - string, separated by a white-space, in the - HTTP Authorization header (e.g. "Bearer", - "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name - of the HTTP header, query string parameter - or cookie key, respectively. - type: string - required: - - keySelector - type: object - endpoint: - description: Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text - or application/json content-type. In the latter - case, the JSON returned in the body must include - a path `result.raw`, where the raw Rego policy - will be extracted from. 
This complies with the - specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). - type: string - sharedSecretRef: - description: Reference to a Secret key whose value - will be passed by Authorino in the request. The - HTTP service can use the shared secret to authenticate - the origin of the request. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - ttl: - description: Duration (in seconds) of the external - data in the cache before pulled again from the - source. - type: integer - type: object - inlineRego: - description: Authorization policy as a Rego language - document. The Rego document must include the "allow" - condition, set by Authorino to "false" by default - (i.e. requests are unauthorized unless changed). The - Rego document must NOT include the "package" declaration - in line 1. + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve to + patterns (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string + required: + - selector type: object priority: default: 0 
@@ -625,12 +334,26 @@ spec: priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this authorization - policy. If omitted, the config will be enforced for all - requests. If present, all conditions must match for the - config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. items: properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array operator: description: 'The binary operator to be applied to the content fetched from the authorization JSON, @@ -646,13 +369,14 @@ spec: - matches type: string patternRef: - description: Name of a named pattern + description: Reference to a named set of pattern expressions type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: description: The value of reference for the comparison 
@@ -662,225 +386,24 @@ spec: type: string type: object type: array - required: - - name - type: object - type: array - denyWith: - description: Custom denial response codes, statuses and headers - to override default 40x's. - properties: - unauthenticated: - description: Denial status customization when the request - is unauthenticated. - properties: - body: - description: HTTP response body to override the default - denial body. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - code: - description: HTTP status code to override the default - denial status code. - format: int64 - maximum: 599 - minimum: 300 - type: integer - headers: - description: HTTP response headers to override the default - denial headers. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - required: - - name - type: object - type: array - message: - description: HTTP message to override the default denial - message. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - type: object - unauthorized: - description: Denial status customization when the request - is unauthorized. - properties: - body: - description: HTTP response body to override the default - denial body. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' 
- type: string - type: object - type: object - code: - description: HTTP status code to override the default - denial status code. - format: int64 - maximum: 599 - minimum: 300 - type: integer - headers: - description: HTTP response headers to override the default - denial headers. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - required: - - name - type: object - type: array - message: - description: HTTP message to override the default denial - message. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' 
- type: string - type: object - type: object - type: object - type: object - identity: - description: List of identity sources/authentication modes. At - least one config of this list MUST evaluate to a valid identity - for a request to be successful in the identity verification - phase. - items: - description: 'The identity source/authentication mode config. - Apart from "name", one of the following parameters is required - and only one of the following parameters is allowed: "oicd", - "apiKey" or "kubernetes".' - properties: - anonymous: - type: object - apiKey: + x509: + description: Authentication based on client X.509 certificates. + The certificates presented by the clients must be signed + by a trusted CA whose certificates are stored in Kubernetes + secrets. properties: allNamespaces: default: false - description: Whether Authorino should look for API key - secrets in all namespaces or only in the same namespace - as the AuthConfig. Enabling this option in namespaced + description: Whether Authorino should look for TLS secrets + in all namespaces or only in the same namespace as + the AuthConfig. Enabling this option in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to match - secrets from the cluster storing valid credentials - to authenticate to this service + secrets from the cluster storing trusted CA certificates + to validate clients trying to authenticate to this + service properties: matchExpressions: description: matchExpressions is a list of label 
@@ -929,36 +452,37 @@ spec: required: - selector type: object + type: object + description: Authentication configs. At least one config MUST + evaluate to a valid identity object for the auth request to + be successful. + type: object + authorization: + additionalProperties: + properties: cache: - description: Caching options for the identity resolved when - applying this config. Omit it to avoid caching identity - objects for this config. + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. properties: key: description: Key used to store the entry in the cache. - Cache entries from different metadata configs are - stored and managed separately regardless of the key. + The resolved key must be unique within the scope of + this particular config. properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string value: description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. 
The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object + x-kubernetes-preserve-unknown-fields: true type: object ttl: default: 60 
@@ -968,222 +492,913 @@ spec: required: - key type: object - credentials: - description: Defines where client credentials are required - to be passed in the request for this identity source/authentication - mode. If omitted, it defaults to client credentials passed - in the HTTP Authorization header and the "Bearer" prefix - expected prepended to the credentials value (token, API - key, etc). - properties: - in: - default: authorization_header - description: The location in the request where client - credentials shall be passed on requests authenticating - with this identity source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is - the prefix of the client credentials string, separated - by a white-space, in the HTTP Authorization header - (e.g. "Bearer", "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name of the - HTTP header, query string parameter or cookie key, - respectively. - type: string - required: - - keySelector - type: object - extendedProperties: - description: Extends the resolved identity object with additional - custom properties before appending to the authorization - JSON. It requires the resolved identity object to always - be of the JSON type 'object'. Other JSON types (array, - string, etc) will break. - items: - properties: - name: - description: The name of the JSON property - type: string - overwrite: - default: false - description: Whether the value should overwrite the - value of an existing property with the same name. - type: boolean - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. 
It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - required: - - name - type: object - type: array - kubernetes: + kubernetesSubjectAccessReview: + description: Authorization by Kubernetes SubjectAccessReview properties: - audiences: - description: The list of audiences (scopes) that must - be claimed in a Kubernetes authentication token supplied - in the request, and reviewed by Authorino. If omitted, - Authorino will review tokens expecting the host name - of the requested protected service amongst the audiences. + groups: + description: Groups the user must be a member of or, + if `user` is omitted, the groups to check for authorization + in the Kubernetes RBAC. items: type: string type: array + resourceAttributes: + description: Use resourceAttributes to check permissions + on Kubernetes resources. If omitted, it performs a + non-resource SubjectAccessReview, with verb and path + inferred from the request. + properties: + group: + description: API group of the resource. Use '*' + for all API groups. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' 
+ type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + description: Resource name Omit it to check for + authorization on all resources of the specified + kind. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + namespace: + description: Namespace where the user must have + permissions on the resource. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + resource: + description: Resource kind Use '*' for all resource + kinds. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. 
The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + subresource: + description: Subresource kind + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + verb: + description: Verb to check for authorization on + the resource. Use '*' for all verbs. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + user: + description: User to check for authorization in the + Kubernetes RBAC. Omit it to check for group authorization + only. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. 
"Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object type: object metrics: default: false - description: Whether this identity config should generate - individual observability metrics + description: Whether this config should generate individual + observability metrics type: boolean - mtls: + opa: + description: Open Policy Agent (OPA) Rego policy. properties: - allNamespaces: + allValues: default: false - description: Whether Authorino should look for TLS secrets - in all namespaces or only in the same namespace as - the AuthConfig. Enabling this option in namespaced - Authorino instances has no effect. + description: Returns the value of all Rego rules in + the virtual document. Values can be read in subsequent + evaluators/phases of the Auth Pipeline. Otherwise, + only the default `allow` rule will be exposed. Returning + all Rego rules can affect performance of OPA policies + during reconciliation (policy precompile) and at runtime. type: boolean - selector: - description: Label selector used by Authorino to match - secrets from the cluster storing trusted CA certificates - to validate clients trying to authenticate to this - service + externalPolicy: + description: 'Settings for fetching the OPA policy from + an external registry. Use it alternatively to ''rego''. + For the configurations of the HTTP request, the following + options are not implemented: ''method'', ''body'', + ''bodyParameters'', ''contentType'', ''headers'', + ''oauth2''. Use it only with: ''url'', ''sharedSecret'', + ''credentials''.' properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + body: + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set + parameters as query string in the 'endpoint' (placeholders + can be used). + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true type: object - type: array - matchLabels: + description: Custom parameters to encode in the + body of the HTTP request. Superseded by 'body'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string + in the 'endpoint' (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with + method=POST; for GET requests, Content-Type is + automatically set to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will + be passed in the request to the service. If omitted, + it defaults to client credentials passed in the + HTTP Authorization header and the "Bearer" prefix + expected prepended to the secret value. + properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
+ properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + method: + default: GET + description: 'HTTP verb used in the request to the + service. Accepted values: GET (default), POST. + When the request method is POST, the authorization + JSON is passed in the body of the request.' + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service + by OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: Caches and reuses the token until + expired. Set it to false to force fetch the + token at every authorization request regardless + of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret + key that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the + Authorino's namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the + requests to the token URL. 
+ type: object + scopes: + description: Optional scopes for the client + credentials grant, if supported by he OAuth2 + server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 + resource server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: Reference to a Secret key whose value + will be passed by Authorino in the request. The + HTTP service can use the shared secret to authenticate + the origin of the request. Ignored if used together + with oauth2. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name type: object + ttl: + description: Duration (in seconds) of the external + data in the cache before pulled again from the + source. + type: integer + url: + description: Endpoint URL of the HTTP service. The + value can include variable placeholders in the + format "{selector}", where "selector" is any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={request.path} + type: string + required: + - url + type: object + rego: + description: Authorization policy as a Rego language + document. The Rego document must include the "allow" + condition, set by Authorino to "false" by default + (i.e. requests are unauthorized unless changed). The + Rego document must NOT include the "package" declaration + in line 1. + type: string + type: object + patternMatching: + description: Pattern-matching authorization rules. + properties: + patterns: + items: + properties: + all: + description: A list of pattern expressions to + be evaluated as a logical AND. 
+ items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to + be evaluated as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not equal + to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + selector: + description: Path selector to fetch content from + the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the + value must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - patterns + type: object + priority: + default: 0 + description: Priority group of the config. All configs in + the same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + spicedb: + description: Authorization decision delegated to external + Authzed/SpiceDB server. + properties: + endpoint: + description: Hostname and port number to the GRPC interface + of the SpiceDB server (e.g. spicedb:50051). + type: string + insecure: + description: Insecure HTTP connection (i.e. disables + TLS verification) + type: boolean + permission: + description: The name of the permission (or relation) + on which to execute the check. 
+ properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + resource: + description: The resource on which to check the permission + or relation. + properties: + kind: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' 
+ type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + sharedSecretRef: + description: Reference to a Secret key whose value will + be used by Authorino to authenticate with the Authzed + service. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + subject: + description: The subject that will be checked for the + permission or relation. + properties: + kind: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' 
+ type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + required: + - endpoint + type: object + when: + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. + items: + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern expressions + type: string + selector: + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. + type: string + type: object + type: array + type: object + description: Authorization policies. All policies MUST evaluate + to "allowed = true" for the auth request be successful. 
+ type: object + callbacks: + additionalProperties: + properties: + cache: + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. + properties: + key: + description: Key used to store the entry in the cache. + The resolved key must be unique within the scope of + this particular config. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + http: + description: Settings of the external HTTP request + properties: + body: + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. Use + it with method=POST; for GET requests, set parameters + as query string in the 'endpoint' (placeholders can + be used). + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' 
+ type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom parameters to encode in the body + of the HTTP request. Superseded by 'body'; use either + one or the other. Use it with method=POST; for GET + requests, set parameters as query string in the 'endpoint' + (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set + to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. 
+ properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + method: + default: GET + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in + the body of the request.' + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service by + OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret key + that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select + from. 
Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the requests + to the token URL. + type: object + scopes: + description: Optional scopes for the client credentials + grant, if supported by he OAuth2 server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 resource + server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl type: object - x-kubernetes-map-type: atomic - required: - - selector - type: object - name: - description: The name of this identity source/authentication - mode. It usually identifies a source of identities or - group of users/clients of the protected service. It can - be used to refer to the resolved identity object in other - configs. - type: string - oauth2: - properties: - credentialsRef: - description: Reference to a Kubernetes secret in the - same namespace, that stores client credentials to - the OAuth2 server. + sharedSecretRef: + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. Ignored if used together with oauth2. properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: The name of the secret in the Authorino's + namespace to select from. type: string + required: + - key + - name type: object - x-kubernetes-map-type: atomic - tokenIntrospectionUrl: - description: The full URL of the token introspection - endpoint. 
- type: string - tokenTypeHint: - description: The token type hint for the token introspection. - If omitted, it defaults to "access_token". - type: string - required: - - credentialsRef - - tokenIntrospectionUrl - type: object - oidc: - properties: - endpoint: - description: Endpoint of the OIDC issuer. Authorino - will append to this value the well-known path to the - OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), - used to automatically discover the OpenID Connect - configuration, whose set of claims is expected to - include (among others) the "jkws_uri" claim. The value - must coincide with the value of the "iss" (issuer) - claim of the discovered OpenID Connect configuration. + url: + description: Endpoint URL of the HTTP service. The value + can include variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. + https://ext-auth-server.io/metadata?p={request.path} type: string - ttl: - description: Decides how long to wait before refreshing - the OIDC configuration (in seconds). - type: integer required: - - endpoint - type: object - plain: - properties: - authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders that - resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' 
- type: string + - url type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean priority: default: 0 description: Priority group of the config. All configs in @@ -1191,12 +1406,26 @@ spec: priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this identity - config. If omitted, the config will be enforced for all - requests. If present, all conditions must match for the - config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. items: properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array operator: description: 'The binary operator to be applied to the content fetched from the authorization JSON, 
@@ -1212,13 +1441,14 @@ spec: - matches type: string patternRef: - description: Name of a named pattern + description: Reference to a named set of pattern expressions type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: description: The value of reference for the comparison 
@@ -1229,47 +1459,38 @@ spec: type: object type: array required: - - name + - http type: object - type: array + description: Callback functions. Authorino sends callbacks at + the end of the auth pipeline to the endpoints specified in this + config. + type: object metadata: - description: List of metadata source configs. Authorino fetches - JSON content from sources on this list on every request. - items: - description: 'The metadata config. Apart from "name", one of - the following parameters is required and only one of the following - parameters is allowed: "http", userInfo" or "uma".' + additionalProperties: properties: cache: - description: Caching options for the external metadata fetched - when applying this config. Omit it to avoid caching metadata - from this source. + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. properties: key: description: Key used to store the entry in the cache. - Cache entries from different metadata configs are - stored and managed separately regardless of the key. + The resolved key must be unique within the scope of + this particular config. properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string value: description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. 
''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object + x-kubernetes-preserve-unknown-fields: true type: object ttl: default: 60 @@ -1280,8 +1501,7 @@ spec: - key type: object http: - description: Generic HTTP interface to obtain authorization - metadata from a HTTP service. + description: External source of auth metadata via HTTP request properties: body: description: Raw body of the HTTP request. Supersedes 
@@ -1290,62 +1510,44 @@ spec: as query string in the 'endpoint' (placeholders can be used). properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string value: description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object + x-kubernetes-preserve-unknown-fields: true type: object bodyParameters: - description: Custom parameters to encode in the body - of the HTTP request. Superseded by 'body'; use either - one or the other. Use it with method=POST; for GET - requests, set parameters as query string in the 'endpoint' - (placeholders can be used). - items: + additionalProperties: properties: - name: - description: The name of the JSON property + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: - description: Static value of the JSON property + description: Static value x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - required: - - name type: object - type: array + description: Custom parameters to encode in the body + of the HTTP request. Superseded by 'body'; use either + one or the other. Use it with method=POST; for GET + requests, set parameters as query string in the 'endpoint' + (placeholders can be used). + type: object contentType: default: application/x-www-form-urlencoded description: Content-Type of the request body. Shapes 
@@ -1363,68 +1565,53 @@ spec: Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: - in: - default: authorization_header - description: The location in the request where client - credentials shall be passed on requests authenticating - with this identity source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value - is the prefix of the client credentials string, - separated by a white-space, in the HTTP Authorization - header (e.g. "Bearer", "Basic"). When used with - `custom_header`, `query` or `cookie`, the value - is the name of the HTTP header, query string parameter - or cookie key, respectively. - type: string - required: - - keySelector + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object type: object - endpoint: - description: Endpoint of the HTTP service. The endpoint - accepts variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. - https://ext-auth-server.io/metadata?p={context.request.http.path} - type: string headers: - description: Custom headers in the HTTP request. - items: + additionalProperties: properties: - name: - description: The name of the JSON property + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: - description: Static value of the JSON property + description: Static value x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - required: - - name type: object - type: array + description: Custom headers in the HTTP request. + type: object method: default: GET description: 'HTTP verb used in the request to the service. @@ -1434,6 +1621,13 @@ spec: enum: - GET - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE type: string oauth2: description: Authentication with the HTTP service by 
@@ -1503,19 +1697,21 @@ spec: - key - name type: object + url: + description: Endpoint URL of the HTTP service. The value + can include variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. + https://ext-auth-server.io/metadata?p={request.path} + type: string required: - - endpoint + - url type: object metrics: default: false - description: Whether this metadata config should generate - individual observability metrics + description: Whether this config should generate individual + observability metrics type: boolean - name: - description: The name of the metadata source. It can be - used to refer to the resolved metadata object in other - configs. - type: string priority: default: 0 description: Priority group of the config. All configs in 
@@ -1549,225 +1745,37 @@ spec: type: object userInfo: description: OpendID Connect UserInfo linked to an OIDC - identity config of this same spec. + authentication config specified in this same AuthConfig. properties: identitySource: - description: The name of an OIDC identity source included - in the "identity" section and whose OpenID Connect - configuration discovered includes the OIDC "userinfo_endpoint" - claim. + description: The name of an OIDC-enabled JWT authentication + config whose OpenID Connect configuration discovered + includes the OIDC "userinfo_endpoint" claim. type: string required: - identitySource type: object when: - description: Conditions for Authorino to apply this metadata - config. If omitted, the config will be applied for all - requests. If present, all conditions must match for the - config to be applied; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. items: properties: - operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. 
If used with the "matches" operator, the value - must compile to a valid Golang regex. - type: string - type: object - type: array - required: - - name - type: object - type: array - patterns: - additionalProperties: - items: - properties: - operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. - type: string - type: object - type: array - description: Named sets of JSON patterns that can be referred - in `when` conditionals and in JSON-pattern matching policy rules. - type: object - response: - description: List of response configs. Authorino gathers data - from the auth pipeline to build custom responses for the client. - items: - description: 'Dynamic response to return to the client. Apart - from "name", one of the following parameters is required and - only one of the following parameters is allowed: "wristband" - or "json".' - properties: - cache: - description: Caching options for dynamic responses built - when applying this config. Omit it to avoid caching dynamic - responses for this config. - properties: - key: - description: Key used to store the entry in the cache. - Cache entries from different metadata configs are - stored and managed separately regardless of the key. 
- properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: type: object - type: object - ttl: - default: 60 - description: Duration (in seconds) of the external data - in the cache before pulled again from the source. - type: integer - required: - - key - type: object - json: - properties: - properties: - description: List of JSON property-value pairs to be - added to the dynamic response. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' 
- type: string - type: object - required: - - name - type: object - type: array - required: - - properties - type: object - metrics: - default: false - description: Whether this response config should generate - individual observability metrics - type: boolean - name: - description: Name of the custom response. It can be used - to refer to the resolved response object in other configs. - type: string - plain: - description: StaticOrDynamicValue is either a constant static - string value or a config for fetching a value from a dynamic - source (e.g. a path pattern of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - type: object - priority: - default: 0 - description: Priority group of the config. All configs in - the same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. - type: integer - when: - description: Conditions for Authorino to enforce this custom - response config. If omitted, the config will be enforced - for all requests. If present, all conditions must match - for the config to be enforced; otherwise, the config will - be skipped. - items: - properties: + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. 
+ items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array operator: description: 'The binary operator to be applied to the content fetched from the authorization JSON, @@ -1783,13 +1791,14 @@ spec: - matches type: string patternRef: - description: Name of a named pattern + description: Reference to a named set of pattern expressions type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: description: The value of reference for the comparison 
@@ -1799,110 +1808,698 @@ spec: type: string type: object type: array - wrapper: - default: httpHeader - description: How Authorino wraps the response. Use "httpHeader" - (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" - to wrap the response as Envoy Dynamic Metadata - enum: - - httpHeader - - envoyDynamicMetadata - type: string - wrapperKey: - description: The name of key used in the wrapped response - (name of the HTTP header or property of the Envoy Dynamic - Metadata JSON). If omitted, it will be set to the name - of the configuration. - type: string - wristband: - properties: - customClaims: - description: Any claims to be added to the wristband - token apart from the standard JWT claims (iss, iat, - exp) added by default. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property + type: object + description: Metadata sources. Authorino fetches auth metadata + as JSON from sources specified in this config. + type: object + patterns: + additionalProperties: + items: + properties: + operator: + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + selector: + description: Path selector to fetch content from the authorization + JSON (e.g. 'request.method'). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson can be + used. Authorino custom JSON path modifiers are also + supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization JSON. 
+ If used with the "matches" operator, the value must + compile to a valid Golang regex. + type: string + type: object + type: array + description: Named sets of patterns that can be referred in `when` + conditions and in pattern-matching authorization policy rules. + type: object + response: + description: Response items. Authorino builds custom responses + to the client of the auth request. + properties: + success: + description: Response items to be included in the auth response + when the request is authenticated and authorized. For integration + of Authorino via proxy, the proxy must use these settings + to propagate dynamic metadata and/or inject data in the + request. + properties: + dynamicMetadata: + additionalProperties: + description: Settings of the success custom response + item. + properties: + cache: + description: Caching options for the resolved object + returned when applying this config. Omit it to + avoid caching objects for this config. + properties: + key: + description: Key used to store the entry in + the cache. The resolved key must be unique + within the scope of this particular config. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external + data in the cache before pulled again from + the source. 
+ type: integer + required: + - key + type: object + json: + description: JSON object Specify it as the list + of properties of the object, whose values can + combine static values and values selected from + the authorization JSON. + properties: properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + additionalProperties: + properties: + selector: + description: 'Simple path selector to + fetch content from the authorization + JSON (e.g. ''request.method'') or a + string template with variables that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + required: + - properties + type: object + key: + description: The key used to add the custom response + item (name of the HTTP header or root property + of the Dynamic Metadata object). If omitted, it + will be set to the name of the response config. 
+ type: string + metrics: + default: false + description: Whether this config should generate + individual observability metrics + type: boolean + plain: + description: Plain text content + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + priority: + default: 0 + description: Priority group of the config. All configs + in the same priority group are evaluated concurrently; + consecutive priority groups are evaluated sequentially. + type: integer + when: + description: Conditions for Authorino to enforce + this config. If omitted, the config will be enforced + for all requests. If present, all conditions must + match for the config to be enforced; otherwise, + the config will be skipped. + items: + properties: + all: + description: A list of pattern expressions + to be evaluated as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions + to be evaluated as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". 
Possible + values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + selector: + description: Path selector to fetch content + from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path + modifiers are also supported. + type: string + value: + description: The value of reference for the + comparison with the content fetched from + the authorization JSON. If used with the + "matches" operator, the value must compile + to a valid Golang regex. type: string type: object - required: - - name - type: object - type: array - issuer: - description: 'The endpoint to the Authorino service - that issues the wristband (format: ://:/, - where = /://:/, where + = /://:/, where + = /://:/, - where = /://:/, where + = /://:/, where + = /