docs: Common Expression Language (CEL)
Signed-off-by: Guilherme Cassolato <[email protected]>
guicassolato committed Nov 25, 2024
1 parent a1d035d commit a8d6daa
Showing 8 changed files with 112 additions and 145 deletions.
2 changes: 1 addition & 1 deletion docs/architecture.md
Expand Up @@ -286,7 +286,7 @@ After phase (iii), Authorino appends to the authorization JSON the results of th

[Festival Wristbands](./features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband) and [Dynamic JSON](./features.md#json-injection-responsesuccessheadersdynamicmetadatajson) responses can include dynamic values (custom claims/properties) fetched from the authorization JSON. These can be returned to the external authorization client in added HTTP headers or as Envoy [Well Known Dynamic Metadata](https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata). Check out [Custom response features](./features.md#custom-response-features-response) for details.

For information about reading and fetching data from the Authorization JSON (syntax, functions, etc), check out [JSON paths](./features.md#common-feature-json-paths-selector).
For information about reading and fetching data from the Authorization JSON (syntax, functions, etc), check out [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel).

## Raw HTTP Authorization interface

210 changes: 89 additions & 121 deletions docs/features.md

Large diffs are not rendered by default.

Expand Up @@ -163,12 +163,12 @@ spec:
json:
properties:
"username":
selector: auth.identity.metadata.annotations.auth-data\/username
expression: auth.identity.metadata.annotations['auth-data/username']
key: ext_auth_data # how this bit of dynamic metadata from the ext authz service is named in the Envoy config
EOF
```

Check out the docs for information about the common feature [JSON paths](../features.md#common-feature-json-paths-selector) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).
Check out the docs about using [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).

## ❼ Create the API keys
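
Review bot: The replacement docs link on the last changed line points at `./features.md#common-feature-common-expression-language-cel`, while the line it replaces used `../features.md` and the Authorization JSON link in the same sentence still uses `../architecture.md`. With the `./` prefix the link resolves to a `features.md` next to this guide rather than one level up. Change it to `../features.md#common-feature-common-expression-language-cel`.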

8 changes: 5 additions & 3 deletions docs/user-guides/deny-with-redirect-to-login.md
Expand Up @@ -157,11 +157,12 @@ spec:
code: 302
headers:
"Location":
selector: "http://matrix-quotes.127.0.0.1.nip.io:8000/login.html?redirect_to={request.path}"
expression: |
'http://matrix-quotes.127.0.0.1.nip.io:8000/login.html?redirect_to=' + request.path
EOF
```

Check out the docs for information about the common feature [JSON paths](../features.md#common-feature-json-paths-selector) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).
Check out the docs about using [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).

## ❻ Create an API key
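
Review bot: `request.path` is appended to `redirect_to=` unencoded in the new `Location` expression, so a requested path that carries `&`, `#` or its own query string changes how the login URL parses, and the login page receives whatever the client asked for. The removed `{request.path}` template had the same gap, but since the line is being rewritten, percent-encode the path if the expression environment provides a function for it, or state in the guide that `login.html` must accept only same-site relative paths in `redirect_to`. The docs link in this hunk also changes `../features.md` to `./features.md`; keep the `../` prefix that `../architecture.md` uses.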

Expand Down Expand Up @@ -259,7 +260,8 @@ spec:
code: 302
headers:
"Location":
selector: "http://keycloak:8080/realms/kuadrant/protocol/openid-connect/auth?client_id=matrix-quotes&redirect_uri=http://matrix-quotes.127.0.0.1.nip.io:8000/auth?redirect_to={request.path}&scope=openid&response_type=code"
expression: |
'http://keycloak:8080/realms/kuadrant/protocol/openid-connect/auth?client_id=matrix-quotes&redirect_uri=http://matrix-quotes.127.0.0.1.nip.io:8000/auth?redirect_to=' + request.path + '&scope=openid&response_type=code'
EOF
```
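
Review bot: In the Keycloak `Location` expression, `request.path` is spliced into the middle of an unencoded `redirect_uri` value, directly before `'&scope=openid&response_type=code'`, so an `&` or `#` in the requested path ends `redirect_uri` early and the remainder is read as top-level parameters of the authorization request. Percent-encode the `redirect_uri` value, including the path inside it, before concatenating, if the expression environment provides a function for it; otherwise document that the callback at `/auth` must validate `redirect_to`.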

7 changes: 4 additions & 3 deletions docs/user-guides/external-metadata.md
Expand Up @@ -153,10 +153,11 @@ spec:
metadata:
"geo":
http:
url: 'http://ip-api.com/json/{context.request.http.headers.x-forwarded-for.@extract:{"sep":","}}?fields=countryCode'
urlExpression: |
'http://ip-api.com/json/' + request.headers['x-forwarded-for'].split(',')[0] + '?fields=countryCode'
headers:
"Accept":
value: application/json
expression: '"application/json"'
authorization:
"geofence":
opa:
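
Review bot: `request.headers['x-forwarded-for'].split(',')[0]` in `urlExpression` indexes the header map without checking that the key exists, so a request that arrives without `X-Forwarded-For` fails expression evaluation. Guard it with `'x-forwarded-for' in request.headers` and say in the guide what the `geo` metadata and the `geofence` rule should do in that case. The first list element is also spliced into the outbound URL unencoded, so the guide should state that it relies on the edge proxy setting this header. Separately, `expression: '"application/json"'` wraps a constant in two layers of quoting where the removed `value: application/json` read more plainly; keep the static form if the API still accepts it.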
Expand All @@ -171,7 +172,7 @@ spec:
EOF
```

Check out the docs for information about the common feature [JSON paths](../features.md#common-feature-json-paths-selector) for reading from the [Authorization JSON](../architecture.md#the-authorization-json), including the description of the `@extract` string modifier.
Check out the docs about using [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).

## ❻ Create an API key
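
Review bot: The new docs link uses `./features.md#common-feature-common-expression-language-cel`, but the removed line used `../features.md` and the neighbouring Authorization JSON link keeps `../architecture.md`, so from `docs/user-guides/` the `./` form points at a file that is not where `features.md` lives. Use `../features.md#common-feature-common-expression-language-cel`.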

6 changes: 2 additions & 4 deletions docs/user-guides/http-basic-authentication.md
Expand Up @@ -150,9 +150,7 @@ spec:
authorization:
"acl":
when:
- selector: context.request.http.path
operator: eq
value: /bye
- predicate: request.path == '/bye'
patternMatching:
patterns:
- selector: context.request.http.headers.authorization.@extract:{"pos":1}|@base64:decode|@extract:{"sep":":"}
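
Review bot: The `when` condition is migrated to `predicate: request.path == '/bye'`, but the pattern directly under `patternMatching` still uses `selector:` with the `@extract` and `@base64:decode` modifier chain, so the example now mixes both syntaxes inside one rule. Either convert that pattern in this commit or add a comment on it saying the selector form is kept on purpose.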
Expand All @@ -161,7 +159,7 @@ spec:
EOF
```

Check out the docs for information about the common feature [JSON paths](../features.md#common-feature-json-paths-selector) for reading from the [Authorization JSON](../architecture.md#the-authorization-json), including the description of the string modifiers `@extract` and `@case` used above. Check out as well the common feature [Conditions](../features.md#common-feature-conditions-when) about skipping parts of an `AuthConfig` in the auth pipeline based on context.
Check out the docs about using [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel) for reading from the [Authorization JSON](../architecture.md#the-authorization-json). Check out as well the common feature [Conditions](../features.md#common-feature-conditions-when) about skipping parts of an `AuthConfig` in the auth pipeline based on context.

## ❻ Create user credentials
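
Review bot: The rewritten paragraph drops the pointer to the description of the string modifiers `@extract` and `@case`, yet the example above it still has a `selector` that uses `@extract` and `@base64:decode`, which leaves readers with no reference for syntax that remains in the guide. Keep a sentence linking to the modifier docs until that pattern is converted. The new link also changes `../features.md` to `./features.md`, while the Conditions link in the same paragraph keeps `../features.md`; use the `../` prefix for both.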

9 changes: 5 additions & 4 deletions docs/user-guides/injecting-data.md
Expand Up @@ -155,15 +155,16 @@ spec:
json:
properties:
"authorized":
value: true
expression: "true"
"request-time":
selector: context.request.time.seconds
expression: request.time.seconds
"greeting-message":
selector: Hello, {auth.identity.metadata.annotations.auth-data\/name}!
expression: |
'Hello, ' + auth.identity.metadata.annotations['auth-data/name']
EOF
```

Check out the docs for information about the common feature [JSON paths](../features.md#common-feature-json-paths-selector) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).
Check out the docs about using [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).

## ❻ Create an API key
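
Review bot: The new `greeting-message` expression, `'Hello, ' + auth.identity.metadata.annotations['auth-data/name']`, no longer ends with the `!` that the removed template `Hello, {auth.identity.metadata.annotations.auth-data\/name}!` produced, so the injected value changes. Append `+ '!'` to keep the output identical. `expression: "true"` for `authorized` also replaces a YAML boolean with a quoted string; a short comment that the string is evaluated as an expression and yields a boolean would help readers. The docs link in this hunk changes `../features.md` to `./features.md`; keep the `../` prefix.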

11 changes: 4 additions & 7 deletions docs/user-guides/json-pattern-matching-authorization.md
Expand Up @@ -156,18 +156,15 @@ spec:
authorization:
"email-verified-only":
when:
- selector: "context.request.http.headers.x-forwarded-for.@extract:{\"sep\": \",\"}"
operator: matches
value: 192\\.168\\.1\\.\\d+
- predicate: |
request.headers['x-forwarded-for'].split(',')[0].matches("^192\\\.168\\\.1\\\.\\\d+$")
patternMatching:
patterns:
- selector: auth.identity.email_verified
operator: eq
value: "true"
- predicate: auth.identity.email_verified
EOF
```

Check out the docs for information about semantics and operators supported by the [JSON pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) feature, as well the common feature [JSON paths](../features.md#common-feature-json-paths-selector) for reading from the [Authorization JSON](../architecture.md#the-authorization-json), including the description of the string modifier `@extract` used above. Check out as well the common feature [Conditions](../features.md#common-feature-conditions-when) about skipping parts of an `AuthConfig` in the auth pipeline based on context.
Check out the doc about using [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel) for reading from the [Authorization JSON](../architecture.md#the-authorization-json). Check out as well the common feature [Conditions](../features.md#common-feature-conditions-when) about skipping parts of an `AuthConfig` in the auth pipeline based on context.

## ❻ Obtain an access token and consume the API
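
Review bot: The pattern `predicate: auth.identity.email_verified` replaces an explicit comparison (`operator: eq`, `value: "true"`) with a bare field reference, which works as a predicate only when the claim is present and is a boolean; a token without `email_verified`, or one that carries it as a string, does not yield a boolean. Make the intent explicit, for example `has(auth.identity.email_verified) && auth.identity.email_verified == true`, and state how the rule treats an evaluation error. The `when` predicate has the same exposure on `request.headers['x-forwarded-for']` when the header is absent, and it adds `^` and `$` anchors that the removed `matches` value did not have, which deserves a line in the commit message. The closing paragraph drops the pointer to the pattern-matching authorization docs although `patternMatching` is still used, says "doc" where the other guides say "docs", and changes `../features.md` to `./features.md`.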

