docs: Common Expression Language (CEL) #509
Conversation
Signed-off-by: Guilherme Cassolato <[email protected]>
docs/features.md
Outdated
| @@ -250,7 +264,7 @@ spec: | |||
| authentication: | |||
| "pre-validated-jwt": | |||
| plain: | |||
| selector: context.metadata_context.filter_metadata.envoy\.filters\.http\.jwt_authn|verified_jwt | |||
| expression: metadata.filter_metadata.envoy['filters.http.jwt_authn'].verified_jwt | |||
There was a problem hiding this comment.
We've seen issues getting to that data in the wasm-shim when directly requesting that from envoy.
But would that even work on the authorino side? There is no way the entire filter chain's metadata is sent over... is it? Did that ever worked?
Also, this should be metadata.filter_metadata['envoy.filters.http.jwt_authn'].verified_jwt
There was a problem hiding this comment.
It works in Authorino.
There was a problem hiding this comment.
Also, this should be metadata.filter_metadata['envoy.filters.http.jwt_authn'].verified_jwt
Nice catch! Fixing it now. Thanks!
docs/features.md
Outdated
| - selector: auth.identity.anonymous | ||
| operator: eq | ||
| value: "true" | ||
| - predicate: auth.identity.anonymous |
There was a problem hiding this comment.
So anonymous is always set in auth.identity at this stage? If it isn't this could result in a evaluation error at runtime.
There was a problem hiding this comment.
Good point. No, it is not always set. In the example, if the other authentication method wins, then there will be no anonymous in auth.identity.
That wasn't a problem before. I guess now our options are:
has(auth.identity.anonymous) && auth.identity.anonymousauthentication: { "jwt": { …, defaults: { anonymous: { expression: "false" } } }, "anonymous": {…} }
There was a problem hiding this comment.
There also seem to be optional types, but they are not supported in the rust interpreter afaik... I also need to understand these better anyways, but they'd be another option: auth.identity.?anonymous.hasValue() but you always end up with the same pattern... i.e. test for the presence of the field rather than implying that a null value has some special overloaded semantic.
There was a problem hiding this comment.
Which can be handy, as for when the absence needs to be checked for in nested structs
| @@ -644,9 +655,9 @@ spec: | |||
| json: | |||
| properties: | |||
| "api-key-ns": | |||
| seletor: auth.identity.metadata.namespace | |||
There was a problem hiding this comment.
If only we could test these example for correctness 😭
| "born": | ||
| selector: auth.identity.metadata.creationTimestamp | ||
| "age": | ||
| expression: int(request.time.seconds) - (timestamp(auth.identity.metadata.creationTimestamp) - timestamp("1970-01-01T00:00:00Z")).getSeconds() |
There was a problem hiding this comment.
Should we add a note on request.time ?
docs/features.md
Outdated
| - predicate: request.path != '/hi' | ||
| - predicate: request.path != '/hello' | ||
| - predicate: request.path != '/aloha' | ||
| - predicate: request.path != '/ciao' |
There was a problem hiding this comment.
This could also be expressed as !(request.path in ['/hi', '/hello', '/aloha', '/ciao'])
Signed-off-by: Guilherme Cassolato <[email protected]>
Signed-off-by: Guilherme Cassolato <[email protected]>
….Timestamp Signed-off-by: Guilherme Cassolato <[email protected]>
Signed-off-by: Guilherme Cassolato <[email protected]>
| @@ -250,7 +264,7 @@ spec: | |||
| authentication: | |||
| "pre-validated-jwt": | |||
| plain: | |||
| selector: context.metadata_context.filter_metadata.envoy\.filters\.http\.jwt_authn|verified_jwt | |||
| expression: metadata.filter_metadata['envoy.filters.http.jwt_authn'].verified_jwt | |||
There was a problem hiding this comment.
like this, it is much neater and easier to read IMO
No description provided.