Skip to content

Commit

Permalink
AuthPolicy v1beta2
Browse files Browse the repository at this point in the history
Defines new `v1beta2` version of the `AuthPolicy` CRD, based on Authorino's `AuthConfig/v1beta2`.

Closes #247

Depends on Kuadrant/authorino#417, Kuadrant/authorino-operator#137
  • Loading branch information
guicassolato committed Sep 27, 2023
1 parent 6f257ce commit face4ef
Show file tree
Hide file tree
Showing 21 changed files with 5,254 additions and 3,450 deletions.
220 changes: 0 additions & 220 deletions api/v1beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

68 changes: 40 additions & 28 deletions api/v1beta1/authpolicy_types.go → api/v1beta2/authpolicy_types.go
Original file line number Diff line number Diff line change
@@ -1,59 +1,71 @@
package v1beta1
package v1beta2

import (
"fmt"

"github.com/go-logr/logr"
"github.com/google/go-cmp/cmp"
authorinov1beta1 "github.com/kuadrant/authorino/api/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
gatewayapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"

authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
"github.com/kuadrant/kuadrant-operator/pkg/common"
)

type AuthSchemeSpec struct {
// Named sets of JSON patterns that can be referred in `when` conditionals and in JSON-pattern matching policy rules.
Patterns map[string]authorinov1beta1.JSONPatternExpressions `json:"patterns,omitempty"`
// Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules.
// +optional
NamedPatterns map[string]authorinoapi.PatternExpressions `json:"patterns,omitempty"`

// Overall conditions for the AuthPolicy to be enforced.
// If omitted, the AuthPolicy will be enforced at all requests to the protected routes.
// If present, all conditions must match for the AuthPolicy to be enforced; otherwise, the authorization service skips the AuthPolicy and returns to the auth request with status OK.
// +optional
Conditions []authorinoapi.PatternExpressionOrRef `json:"when,omitempty"`

// Conditions for the AuthConfig to be enforced.
// If omitted, the AuthConfig will be enforced for all requests.
// If present, all conditions must match for the AuthConfig to be enforced; otherwise, Authorino skips the AuthConfig and returns immediately with status OK.
Conditions []authorinov1beta1.JSONPattern `json:"when,omitempty"`
// TODO(@guicassolato): define top-level `routeSelectors`

// List of identity sources/authentication modes.
// At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase.
Identity []*authorinov1beta1.Identity `json:"identity,omitempty"`
// Authentication configs.
// At least one config MUST evaluate to a valid identity object for the auth request to be successful.
// +optional
Authentication map[string]authorinoapi.AuthenticationSpec `json:"authentication,omitempty"`

// List of metadata source configs.
// Authorino fetches JSON content from sources on this list on every request.
Metadata []*authorinov1beta1.Metadata `json:"metadata,omitempty"`
// Metadata sources.
// Authorino fetches auth metadata as JSON from sources specified in this config.
// +optional
Metadata map[string]authorinoapi.MetadataSpec `json:"metadata,omitempty"`

// Authorization is the list of authorization policies.
// All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase.
Authorization []*authorinov1beta1.Authorization `json:"authorization,omitempty"`
// Authorization policies.
// All policies MUST evaluate to "allowed = true" for the auth request be successful.
// +optional
Authorization map[string]authorinoapi.AuthorizationSpec `json:"authorization,omitempty"`

// List of response configs.
// Authorino gathers data from the auth pipeline to build custom responses for the client.
Response []*authorinov1beta1.Response `json:"response,omitempty"`
// Response items.
// Authorino builds custom responses to the client of the auth request.
// +optional
Response *authorinoapi.ResponseSpec `json:"response,omitempty"`

// Custom denial response codes, statuses and headers to override default 40x's.
DenyWith *authorinov1beta1.DenyWith `json:"denyWith,omitempty"`
// Callback functions.
// Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config.
// +optional
Callbacks map[string]authorinoapi.CallbackSpec `json:"callbacks,omitempty"`
}

type AuthPolicySpec struct {
// TargetRef identifies an API object to apply policy to.
TargetRef gatewayapiv1alpha2.PolicyTargetReference `json:"targetRef"`

// Rule describe the requests that will be routed to external authorization provider
AuthRules []AuthRule `json:"rules,omitempty"`
// Route rules specify the HTTP route attributes that trigger the external authorization service
// TODO(@guicassolato): remove – conditions to trigger the ext-authz service will be computed from `routeSelectors`
RouteRules []RouteRule `json:"routes,omitempty"`

// AuthSchemes are embedded Authorino's AuthConfigs
AuthScheme AuthSchemeSpec `json:"authScheme,omitempty"`
// The auth rules of the policy.
// See Authorino's AuthConfig CRD for more details.
AuthScheme AuthSchemeSpec `json:"rules,omitempty"`
}

type AuthRule struct {
type RouteRule struct {
Hosts []string `json:"hosts,omitempty"`
Methods []string `json:"methods,omitempty"`
Paths []string `json:"paths,omitempty"`
Expand Down Expand Up @@ -144,7 +156,7 @@ func (ap *AuthPolicy) GetWrappedNamespace() gatewayapiv1beta1.Namespace {

func (ap *AuthPolicy) GetRulesHostnames() (ruleHosts []string) {
ruleHosts = make([]string, 0)
for _, rule := range ap.Spec.AuthRules {
for _, rule := range ap.Spec.RouteRules {
ruleHosts = append(ruleHosts, rule.Hosts...)
}
return
Expand Down
Loading

0 comments on commit face4ef

Please sign in to comment.