From 2b59352c60859799d66d0109c63d96e028c7957c Mon Sep 17 00:00:00 2001 From: Guilherme Cassolato Date: Mon, 4 Nov 2024 15:12:22 +0100 Subject: [PATCH] Merge pull request #501 from Kuadrant/fix/rawextension-to-str fix: RawExtension to string conversion Signed-off-by: Guilherme Cassolato --- pkg/evaluators/authorization/authzed.go | 37 ++++++++++++--- .../authorization/kubernetes_authz.go | 47 +++++++++++++++---- pkg/evaluators/metadata/generic_http.go | 7 ++- pkg/json/json.go | 4 ++ 4 files changed, 78 insertions(+), 17 deletions(-) diff --git a/pkg/evaluators/authorization/authzed.go b/pkg/evaluators/authorization/authzed.go index cb65acda..0bff7d7b 100644 --- a/pkg/evaluators/authorization/authzed.go +++ b/pkg/evaluators/authorization/authzed.go @@ -48,10 +48,23 @@ func (a *Authzed) Call(pipeline auth.AuthPipeline, ctx gocontext.Context) (inter authJSON := pipeline.GetAuthorizationJSON() + resource, err := authzedObjectFor(a.Resource, a.ResourceKind, authJSON) + if err != nil { + return nil, err + } + object, err := authzedObjectFor(a.Subject, a.SubjectKind, authJSON) + if err != nil { + return nil, err + } + permission := a.Permission.ResolveFor(authJSON) + permissionStr, err := json.StringifyJSON(permission) + if err != nil { + return nil, err + } resp, err := client.CheckPermission(ctx, &authzedpb.CheckPermissionRequest{ - Resource: authzedObjectFor(a.Resource, a.ResourceKind, authJSON), - Subject: &authzedpb.SubjectReference{Object: authzedObjectFor(a.Subject, a.SubjectKind, authJSON)}, - Permission: fmt.Sprintf("%s", a.Permission.ResolveFor(authJSON)), + Resource: resource, + Subject: &authzedpb.SubjectReference{Object: object}, + Permission: permissionStr, }) if err != nil { return nil, err @@ -74,9 +87,19 @@ func (a *Authzed) Call(pipeline auth.AuthPipeline, ctx gocontext.Context) (inter return obj, nil } -func authzedObjectFor(name, kind json.JSONValue, authJSON string) *authzedpb.ObjectReference { - return &authzedpb.ObjectReference{ - ObjectId: fmt.Sprintf("%s", name.ResolveFor(authJSON)), - ObjectType: fmt.Sprintf("%s", kind.ResolveFor(authJSON)), +func authzedObjectFor(name, kind json.JSONValue, authJSON string) (*authzedpb.ObjectReference, error) { + objectId := name.ResolveFor(authJSON) + objectIdStr, err := json.StringifyJSON(objectId) + if err != nil { + return nil, err } + objectType := kind.ResolveFor(authJSON) + objectTypeStr, err := json.StringifyJSON(objectType) + if err != nil { + return nil, err + } + return &authzedpb.ObjectReference{ + ObjectId: objectIdStr, + ObjectType: objectTypeStr, + }, nil } diff --git a/pkg/evaluators/authorization/kubernetes_authz.go b/pkg/evaluators/authorization/kubernetes_authz.go index e37fa80f..63ad1665 100644 --- a/pkg/evaluators/authorization/kubernetes_authz.go +++ b/pkg/evaluators/authorization/kubernetes_authz.go @@ -63,26 +63,55 @@ func (k *KubernetesAuthz) Call(pipeline auth.AuthPipeline, ctx gocontext.Context } authJSON := pipeline.GetAuthorizationJSON() - jsonValueToStr := func(value json.JSONValue) string { - return fmt.Sprintf("%s", value.ResolveFor(authJSON)) + jsonValueToStr := func(value json.JSONValue) (string, error) { + resolved := value.ResolveFor(authJSON) + return json.StringifyJSON(resolved) } + user, err := jsonValueToStr(k.User) + if err != nil { + return nil, err + } subjectAccessReview := kubeAuthz.SubjectAccessReview{ Spec: kubeAuthz.SubjectAccessReviewSpec{ - User: jsonValueToStr(k.User), + User: user, }, } if k.ResourceAttributes != nil { resourceAttributes := k.ResourceAttributes + namespace, err := jsonValueToStr(resourceAttributes.Namespace) + if err != nil { + return nil, err + } + group, err := jsonValueToStr(resourceAttributes.Group) + if err != nil { + return nil, err + } + resource, err := jsonValueToStr(resourceAttributes.Resource) + if err != nil { + return nil, err + } + name, err := jsonValueToStr(resourceAttributes.Name) + if err != nil { + return nil, err + } + subresource, err := jsonValueToStr(resourceAttributes.SubResource) + if err != nil { + return nil, err + } + verb, err := jsonValueToStr(resourceAttributes.Verb) + if err != nil { + return nil, err + } subjectAccessReview.Spec.ResourceAttributes = &kubeAuthz.ResourceAttributes{ - Namespace: jsonValueToStr(resourceAttributes.Namespace), - Group: jsonValueToStr(resourceAttributes.Group), - Resource: jsonValueToStr(resourceAttributes.Resource), - Name: jsonValueToStr(resourceAttributes.Name), - Subresource: jsonValueToStr(resourceAttributes.SubResource), - Verb: jsonValueToStr(resourceAttributes.Verb), + Namespace: namespace, + Group: group, + Resource: resource, + Name: name, + Subresource: subresource, + Verb: verb, } } else { request := pipeline.GetHttp() diff --git a/pkg/evaluators/metadata/generic_http.go b/pkg/evaluators/metadata/generic_http.go index f9a8417f..a13e78d1 100644 --- a/pkg/evaluators/metadata/generic_http.go +++ b/pkg/evaluators/metadata/generic_http.go @@ -127,7 +127,12 @@ func (h *GenericHttp) buildRequest(ctx gocontext.Context, endpoint, authJSON str } for _, header := range h.Headers { - req.Header.Set(header.Name, fmt.Sprintf("%s", header.Value.ResolveFor(authJSON))) + headerValue := header.Value.ResolveFor(authJSON) + headerValueStr, err := json.StringifyJSON(headerValue) + if err != nil { + return nil, err + } + req.Header.Set(header.Name, headerValueStr) } req.Header.Set("Content-Type", contentType) diff --git a/pkg/json/json.go b/pkg/json/json.go index b7eddcd4..b1498069 100644 --- a/pkg/json/json.go +++ b/pkg/json/json.go @@ -151,6 +151,10 @@ func ReplaceJSONPlaceholders(source string, jsonData string) string { } func StringifyJSON(data interface{}) (string, error) { + _, ok := data.(string) + if ok { + return data.(string), nil + } if dataAsJSON, err := json.Marshal(data); err != nil { return "", err } else {