From 3b8e313d552090c52d8aadca95f6952f42a03192 Mon Sep 17 00:00:00 2001
From: Adam Cattermole
Date: Tue, 5 Nov 2024 16:53:52 +0000
Subject: [PATCH] Integrate `AuthConfig`'s `v1beta3` changes in `AuthPolicy` (#971)
* Use AuthConfig v1beta3
Signed-off-by: Adam Cattermole
* Update to use CEL predicates when present
Signed-off-by: Adam Cattermole
* Handle PathMatchExact case
Signed-off-by: Adam Cattermole
* Update bundle manifests
Signed-off-by: Adam Cattermole
* Update helm manifests
Signed-off-by: Adam Cattermole
* Update tests to use routeRuleCondition Predicates
Signed-off-by: Adam Cattermole
---------
Signed-off-by: Adam Cattermole
---
 api/v1beta1/topology.go | 8 +-
 api/v1beta3/authpolicy_types.go | 24 +-
 api/v1beta3/ratelimitpolicy_types.go | 4 +-
 api/v1beta3/zz_generated.deepcopy.go | 4 +-
 .../manifests/kuadrant.io_authpolicies.yaml | 342 ++++++++++++++++--
 .../templates/manifests.yaml | 342 ++++++++++++++++--
 .../crd/bases/kuadrant.io_authpolicies.yaml | 342 ++++++++++++++++--
 controllers/auth_policy_status_updater.go | 14 +-
 controllers/auth_workflow_helpers.go | 18 +-
 controllers/authconfigs_reconciler.go | 40 +-
 controllers/ratelimit_workflow_helpers.go | 2 +-
 controllers/ratelimit_workflow_test.go | 2 +-
 controllers/state_of_the_world.go | 6 +-
 controllers/test_common.go | 2 +-
 go.mod | 12 +-
 go.sum | 32 +-
 main.go | 2 +-
 pkg/wasm/types.go | 28 +-
 pkg/wasm/types_test.go | 20 +-
 pkg/wasm/utils.go | 43 +-
 pkg/wasm/utils_test.go | 44 +-
 .../authpolicy/authpolicy_controller_test.go | 160 ++++---
 .../target_status_controller_test.go | 2 +-
 tests/commons.go | 2 +-
 .../envoygateway/extension_reconciler_test.go | 28 +-
 tests/istio/extension_reconciler_test.go | 280 ++++------
 26 files changed, 1250 insertions(+), 553 deletions(-)
diff --git a/api/v1beta1/topology.go b/api/v1beta1/topology.go
index 69cf954d9..e36a8bb8e 100644
--- a/api/v1beta1/topology.go
+++ b/api/v1beta1/topology.go
@@ -2,7 +2,7 @@ package v1beta1
 import (
 authorinooperatorv1beta1 "github.com/kuadrant/authorino-operator/api/v1beta1"
-authorinov1beta2 "github.com/kuadrant/authorino/api/v1beta2"
+authorinov1beta3 "github.com/kuadrant/authorino/api/v1beta3"
 limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1"
 "github.com/kuadrant/policy-machinery/controller"
 "github.com/kuadrant/policy-machinery/machinery"
@@ -15,12 +15,12 @@ var (
 KuadrantGroupKind = schema.GroupKind{Group: GroupVersion.Group, Kind: "Kuadrant"}
 LimitadorGroupKind = schema.GroupKind{Group: limitadorv1alpha1.GroupVersion.Group, Kind: "Limitador"}
 AuthorinoGroupKind = schema.GroupKind{Group: authorinooperatorv1beta1.GroupVersion.Group, Kind: "Authorino"}
-AuthConfigGroupKind = schema.GroupKind{Group: authorinov1beta2.GroupVersion.Group, Kind: "AuthConfig"}
+AuthConfigGroupKind = schema.GroupKind{Group: authorinov1beta3.GroupVersion.Group, Kind: "AuthConfig"}
 KuadrantsResource = GroupVersion.WithResource("kuadrants")
 LimitadorsResource = limitadorv1alpha1.GroupVersion.WithResource("limitadors")
 AuthorinosResource = authorinooperatorv1beta1.GroupVersion.WithResource("authorinos")
-AuthConfigsResource = authorinov1beta2.GroupVersion.WithResource("authconfigs")
+AuthConfigsResource = authorinov1beta3.GroupVersion.WithResource("authconfigs")
 AuthConfigHTTPRouteRuleAnnotation = machinery.HTTPRouteRuleGroupKind.String()
 )
@@ -86,7 +86,7 @@ func LinkHTTPRouteRuleToAuthConfig(objs controller.Store) machinery.LinkFunc {
 To: AuthConfigGroupKind,
 Func: func(child machinery.Object) []machinery.Object {
 return lo.FilterMap(httpRouteRules, func(httpRouteRule *machinery.HTTPRouteRule, _ int) (machinery.Object, bool) {
-authConfig := child.(*controller.RuntimeObject).Object.(*authorinov1beta2.AuthConfig)
+authConfig := child.(*controller.RuntimeObject).Object.(*authorinov1beta3.AuthConfig)
 annotations := authConfig.GetAnnotations()
 return httpRouteRule, annotations != nil && annotations[AuthConfigHTTPRouteRuleAnnotation] == httpRouteRule.GetLocator()
 })
diff --git a/api/v1beta3/authpolicy_types.go b/api/v1beta3/authpolicy_types.go
index bbae0f157..316565058 100644
--- a/api/v1beta3/authpolicy_types.go
+++ b/api/v1beta3/authpolicy_types.go
@@ -22,7 +22,7 @@ import (
 "github.com/go-logr/logr"
 "github.com/google/go-cmp/cmp"
-authorinov1beta2 "github.com/kuadrant/authorino/api/v1beta2"
+authorinov1beta3 "github.com/kuadrant/authorino/api/v1beta3"
 "github.com/kuadrant/policy-machinery/machinery"
 "github.com/samber/lo"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -431,7 +431,7 @@ type AuthSchemeSpec struct {
 }
 type MergeablePatternExpressions struct {
-authorinov1beta2.PatternExpressions `json:"allOf"`
+authorinov1beta3.PatternExpressions `json:"allOf"`
 Source string `json:"-"`
 }
@@ -443,7 +443,7 @@ func (r *MergeablePatternExpressions) WithSource(source string) kuadrantv1.Merge
 }
 type MergeablePatternExpressionOrRef struct {
-authorinov1beta2.PatternExpressionOrRef `json:",inline"`
+authorinov1beta3.PatternExpressionOrRef `json:",inline"`
 Source string `json:"-"`
 }
@@ -456,7 +456,7 @@ func (r *MergeablePatternExpressionOrRef) WithSource(source string) kuadrantv1.M
 func (r *MergeablePatternExpressionOrRef) ToWhenConditions(namedPatterns map[string]MergeablePatternExpressions) []WhenCondition {
 if ref := r.PatternRef.Name; ref != "" {
 if pattern, ok := namedPatterns[ref]; ok {
-return lo.Map(pattern.PatternExpressions, func(p authorinov1beta2.PatternExpression, _ int) WhenCondition {
+return lo.Map(pattern.PatternExpressions, func(p authorinov1beta3.PatternExpression, _ int) WhenCondition {
 return WhenCondition{
 Selector: ContextSelector(p.Selector),
 Operator: WhenConditionOperator(p.Operator),
@@ -467,7 +467,7 @@ func (r *MergeablePatternExpressionOrRef) ToWhenConditions(namedPatterns map[str
 }
 if allOf := r.All; len(allOf) > 0 {
-return lo.Map(allOf, func(p authorinov1beta2.UnstructuredPatternExpressionOrRef, _ int) WhenCondition {
+return lo.Map(allOf, func(p authorinov1beta3.UnstructuredPatternExpressionOrRef, _ int) WhenCondition {
 return WhenCondition{
 Selector: ContextSelector(p.Selector),
 Operator: WhenConditionOperator(p.Operator),
@@ -488,7 +488,7 @@ func (r *MergeablePatternExpressionOrRef) ToWhenConditions(namedPatterns map[str
 }
 type MergeableAuthenticationSpec struct {
-authorinov1beta2.AuthenticationSpec `json:",inline"`
+authorinov1beta3.AuthenticationSpec `json:",inline"`
 Source string `json:"-"`
 }
@@ -500,7 +500,7 @@ func (r *MergeableAuthenticationSpec) WithSource(source string) kuadrantv1.Merge
 }
 type MergeableMetadataSpec struct {
-authorinov1beta2.MetadataSpec `json:",inline"`
+authorinov1beta3.MetadataSpec `json:",inline"`
 Source string `json:"-"`
 }
@@ -512,7 +512,7 @@ func (r *MergeableMetadataSpec) WithSource(source string) kuadrantv1.MergeableRu
 }
 type MergeableAuthorizationSpec struct {
-authorinov1beta2.AuthorizationSpec `json:",inline"`
+authorinov1beta3.AuthorizationSpec `json:",inline"`
 Source string `json:"-"`
 }
@@ -544,7 +544,7 @@ type MergeableResponseSpec struct {
 }
 type MergeableDenyWithSpec struct {
-authorinov1beta2.DenyWithSpec `json:",inline"`
+authorinov1beta3.DenyWithSpec `json:",inline"`
 Source string `json:"-"`
 }
@@ -564,7 +564,7 @@ type MergeableWrappedSuccessResponseSpec struct {
 }
 type MergeableHeaderSuccessResponseSpec struct {
-authorinov1beta2.HeaderSuccessResponseSpec `json:",inline"`
+authorinov1beta3.HeaderSuccessResponseSpec `json:",inline"`
 Source string `json:"-"`
 }
@@ -576,7 +576,7 @@ func (r *MergeableHeaderSuccessResponseSpec) WithSource(source string) kuadrantv
 }
 type MergeableSuccessResponseSpec struct {
-authorinov1beta2.SuccessResponseSpec `json:",inline"`
+authorinov1beta3.SuccessResponseSpec `json:",inline"`
 Source string `json:"-"`
 }
@@ -588,7 +588,7 @@ func (r *MergeableSuccessResponseSpec) WithSource(source string) kuadrantv1.Merg
 }
 type MergeableCallbackSpec struct {
-authorinov1beta2.CallbackSpec `json:",inline"`
+authorinov1beta3.CallbackSpec `json:",inline"`
 Source string `json:"-"`
 }
diff --git a/api/v1beta3/ratelimitpolicy_types.go b/api/v1beta3/ratelimitpolicy_types.go
index 0d058291b..e78ccc885 100644
--- a/api/v1beta3/ratelimitpolicy_types.go
+++ b/api/v1beta3/ratelimitpolicy_types.go
@@ -32,8 +32,8 @@ import (
 const (
 EqualOperator WhenConditionOperator = "eq"
 NotEqualOperator WhenConditionOperator = "neq"
-StartsWithOperator WhenConditionOperator = "startswith"
-EndsWithOperator WhenConditionOperator = "endswith"
+StartsWithOperator WhenConditionOperator = "startsWith"
+EndsWithOperator WhenConditionOperator = "endsWith"
 IncludeOperator WhenConditionOperator = "incl"
 ExcludeOperator WhenConditionOperator = "excl"
 MatchesOperator WhenConditionOperator = "matches"
diff --git a/api/v1beta3/zz_generated.deepcopy.go b/api/v1beta3/zz_generated.deepcopy.go
index e54e1a628..02215fa9e 100644
--- a/api/v1beta3/zz_generated.deepcopy.go
+++ b/api/v1beta3/zz_generated.deepcopy.go
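Review bot: The `@@ -32,8 +32,8 @@` hunk in ratelimitpolicy_types.go changes the stored values of `StartsWithOperator` and `EndsWithOperator` from `"startswith"`/`"endswith"` to `"startsWith"`/`"endsWith"`, which is a user-visible change to the `when` condition vocabulary: a policy already persisted with the lowercase spelling no longer compares equal to these constants, and the wasm config built from it will not carry the operator the author intended. The ratelimitpolicies CRD is absent from the diffstat, so if `WhenConditionOperator` carries a kubebuilder enum marker (outside the hunk; the `const` block also continues past it) the marker and the generated schema should be updated in the same change, otherwise admission still accepts the old spellings while the controller silently stops matching them. I would also document the reason on the constants, presumably alignment with CEL's `startsWith`/`endsWith` string functions: `// Operator spellings follow CEL's startsWith/endsWith; the v1beta2-era "startswith"/"endswith" are no longer recognised.`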
@@ -21,7 +21,7 @@ limitations under the License. package v1beta3 import ( - "github.com/kuadrant/authorino/api/v1beta2" + apiv1beta3 "github.com/kuadrant/authorino/api/v1beta3" "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -379,7 +379,7 @@ func (in *MergeablePatternExpressions) DeepCopyInto(out *MergeablePatternExpress *out = *in if in.PatternExpressions != nil { in, out := &in.PatternExpressions, &out.PatternExpressions - *out = make(v1beta2.PatternExpressions, len(*in)) + *out = make(apiv1beta3.PatternExpressions, len(*in)) copy(*out, *in) } } diff --git a/bundle/manifests/kuadrant.io_authpolicies.yaml b/bundle/manifests/kuadrant.io_authpolicies.yaml index 2c2f1df2f..41827641a 100644 --- a/bundle/manifests/kuadrant.io_authpolicies.yaml +++ b/bundle/manifests/kuadrant.io_authpolicies.yaml @@ -195,6 +195,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -249,6 +251,8 @@ spec: defaults: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -335,6 +339,8 @@ spec: overrides: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -356,14 +362,14 @@ spec: Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string - required: - - selector type: object priority: default: 0 @@ -407,6 +413,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -502,6 +510,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -541,6 +551,8 @@ spec: API group of the resource. Use '*' for all API groups. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
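Review bot: In the `@@ -356,14 +362,14 @@` hunk the `plain` identity object drops its `required: [selector]` entry while gaining `expression`, and no `x-kubernetes-validations` rule in the hunk requires at least one of the two to be set, so an AuthPolicy declaring `plain: {}` now passes admission and only fails later inside Authorino, after the policy has already been accepted into the topology. The same pattern appears where `required: [url]` is removed next to the added `urlExpression` in the later `http` metadata/authorization hunks (`@@ -851`, `@@ -1294`, `@@ -1583`, `@@ -3058`). If this manifest is regenerated from the Authorino v1beta3 types, the constraint belongs upstream as a CEL rule such as `has(self.selector) || has(self.expression)`; if it is hand-maintained, it should be added here so misconfigured identity or metadata evaluators are rejected at the API server.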
@@ -556,6 +568,8 @@ spec: Resource name Omit it to check for authorization on all resources of the specified kind. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -570,6 +584,8 @@ spec: description: Namespace where the user must have permissions on the resource. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -585,6 +601,8 @@ spec: Resource kind Use '*' for all resource kinds. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -598,6 +616,8 @@ spec: subresource: description: Subresource kind properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -613,6 +633,8 @@ spec: Verb to check for authorization on the resource. Use '*' for all verbs. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -629,6 +651,8 @@ spec: User to check for authorization in the Kubernetes RBAC. Omit it to check for group authorization only. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -668,6 +692,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -681,6 +707,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -740,6 +768,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -851,8 +881,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object rego: description: |- @@ -896,6 +926,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). 
@@ -934,6 +966,8 @@ spec: description: The name of the permission (or relation) on which to execute the check. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -950,6 +984,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -962,6 +998,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -996,6 +1034,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1008,6 +1048,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1058,6 +1100,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). 
@@ -1090,6 +1134,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1118,6 +1164,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1131,6 +1179,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1190,6 +1240,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1294,8 +1346,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false 
@@ -1344,6 +1396,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -1378,6 +1432,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1407,6 +1463,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1420,6 +1478,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1479,6 +1539,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -1583,8 +1645,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -1676,6 +1738,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -1718,6 +1782,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1745,6 +1811,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1772,6 +1840,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1824,6 +1894,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). 
@@ -1843,6 +1915,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1917,6 +1991,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1944,6 +2020,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1971,6 +2049,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2023,6 +2103,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -2042,6 +2124,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2113,6 +2197,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2133,6 +2219,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2150,6 +2238,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2171,6 +2261,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2191,6 +2283,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2208,6 +2302,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2264,6 +2360,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -2402,6 +2500,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2456,6 +2556,8 @@ spec: defaults: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2542,6 +2644,8 @@ spec: overrides: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2563,14 +2667,14 @@ spec: Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string - required: - - selector type: object priority: default: 0 @@ -2614,6 +2718,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -2709,6 +2815,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2748,6 +2856,8 @@ spec: API group of the resource. Use '*' for all API groups. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2763,6 +2873,8 @@ spec: Resource name Omit it to check for authorization on all resources of the specified kind. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2777,6 +2889,8 @@ spec: description: Namespace where the user must have permissions on the resource. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2792,6 +2906,8 @@ spec: Resource kind Use '*' for all resource kinds. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2805,6 +2921,8 @@ spec: subresource: description: Subresource kind properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2820,6 +2938,8 @@ spec: Verb to check for authorization on the resource. Use '*' for all verbs. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2836,6 +2956,8 @@ spec: User to check for authorization in the Kubernetes RBAC. Omit it to check for group authorization only. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2875,6 +2997,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2888,6 +3012,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2947,6 +3073,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3058,8 +3186,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object rego: description: |- 
@@ -3103,6 +3231,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -3141,6 +3271,8 @@ spec: description: The name of the permission (or relation) on which to execute the check. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3157,6 +3289,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3169,6 +3303,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3203,6 +3339,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3215,6 +3353,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -3265,6 +3405,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -3297,6 +3439,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3325,6 +3469,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3338,6 +3484,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3397,6 +3545,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -3501,8 +3651,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -3551,6 +3701,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -3585,6 +3737,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3614,6 +3768,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3627,6 +3783,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -3686,6 +3844,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3790,8 +3950,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -3883,6 +4043,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -3925,6 +4087,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3952,6 +4116,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3979,6 +4145,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -4031,6 +4199,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -4050,6 +4220,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4124,6 +4296,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4151,6 +4325,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4178,6 +4354,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4230,6 +4408,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). 
@@ -4249,6 +4429,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4320,6 +4502,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4340,6 +4524,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4357,6 +4543,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4378,6 +4566,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -4398,6 +4588,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4415,6 +4607,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4471,6 +4665,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -4603,6 +4799,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4656,6 +4854,8 @@ spec: defaults: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4742,6 +4942,8 @@ spec: overrides: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -4763,14 +4965,14 @@ spec: Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string - required: - - selector type: object priority: default: 0 @@ -4813,6 +5015,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -4907,6 +5111,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4945,6 +5151,8 @@ spec: API group of the resource. Use '*' for all API groups. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -4960,6 +5168,8 @@ spec: Resource name Omit it to check for authorization on all resources of the specified kind. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4974,6 +5184,8 @@ spec: description: Namespace where the user must have permissions on the resource. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4989,6 +5201,8 @@ spec: Resource kind Use '*' for all resource kinds. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5002,6 +5216,8 @@ spec: subresource: description: Subresource kind properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5017,6 +5233,8 @@ spec: Verb to check for authorization on the resource. Use '*' for all verbs. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -5033,6 +5251,8 @@ spec: User to check for authorization in the Kubernetes RBAC. Omit it to check for group authorization only. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5072,6 +5292,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5085,6 +5307,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5144,6 +5368,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5253,8 +5479,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object rego: description: |- 
@@ -5298,6 +5524,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -5336,6 +5564,8 @@ spec: description: The name of the permission (or relation) on which to execute the check. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5352,6 +5582,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5364,6 +5596,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5398,6 +5632,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5410,6 +5646,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -5459,6 +5697,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -5491,6 +5731,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5518,6 +5760,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5531,6 +5775,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5590,6 +5836,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -5693,8 +5941,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -5742,6 +5990,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -5776,6 +6026,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5803,6 +6055,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5816,6 +6070,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -5875,6 +6131,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5978,8 +6236,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -6070,6 +6328,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -6112,6 +6372,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6139,6 +6401,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6166,6 +6430,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -6218,6 +6484,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -6237,6 +6505,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6310,6 +6580,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6337,6 +6609,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6364,6 +6638,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6416,6 +6692,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). 
@@ -6435,6 +6713,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6505,6 +6785,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6525,6 +6807,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6542,6 +6826,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6563,6 +6849,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -6583,6 +6871,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6600,6 +6890,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6697,6 +6989,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). diff --git a/charts/kuadrant-operator/templates/manifests.yaml b/charts/kuadrant-operator/templates/manifests.yaml index f7e638bb0..f361ef6c4 100644 --- a/charts/kuadrant-operator/templates/manifests.yaml +++ b/charts/kuadrant-operator/templates/manifests.yaml @@ -195,6 +195,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -249,6 +251,8 @@ spec: defaults: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -335,6 +339,8 @@ spec: overrides: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -356,14 +362,14 @@ spec: Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string - required: - - selector type: object priority: default: 0 @@ -407,6 +413,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -502,6 +510,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -541,6 +551,8 @@ spec: API group of the resource. Use '*' for all API groups. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -556,6 +568,8 @@ spec: Resource name Omit it to check for authorization on all resources of the specified kind. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -570,6 +584,8 @@ spec: description: Namespace where the user must have permissions on the resource. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -585,6 +601,8 @@ spec: Resource kind Use '*' for all resource kinds. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -598,6 +616,8 @@ spec: subresource: description: Subresource kind properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -613,6 +633,8 @@ spec: Verb to check for authorization on the resource. Use '*' for all verbs. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -629,6 +651,8 @@ spec: User to check for authorization in the Kubernetes RBAC. Omit it to check for group authorization only. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -668,6 +692,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -681,6 +707,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -740,6 +768,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -851,8 +881,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object rego: description: |- @@ -896,6 +926,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -934,6 +966,8 @@ spec: description: The name of the permission (or relation) on which to execute the check. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -950,6 +984,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -962,6 +998,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -996,6 +1034,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -1008,6 +1048,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1058,6 +1100,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -1090,6 +1134,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1118,6 +1164,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1131,6 +1179,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -1190,6 +1240,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1294,8 +1346,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -1344,6 +1396,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -1378,6 +1432,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1407,6 +1463,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -1420,6 +1478,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1479,6 +1539,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1583,8 +1645,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -1676,6 +1738,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -1718,6 +1782,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1745,6 +1811,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -1772,6 +1840,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1824,6 +1894,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -1843,6 +1915,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1917,6 +1991,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1944,6 +2020,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1971,6 +2049,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2023,6 +2103,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -2042,6 +2124,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2113,6 +2197,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2133,6 +2219,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2150,6 +2238,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2171,6 +2261,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2191,6 +2283,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2208,6 +2302,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2264,6 +2360,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -2402,6 +2500,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2456,6 +2556,8 @@ spec: defaults: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2542,6 +2644,8 @@ spec: overrides: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2563,14 +2667,14 @@ spec: Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string - required: - - selector type: object priority: default: 0 @@ -2614,6 +2718,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -2709,6 +2815,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2748,6 +2856,8 @@ spec: API group of the resource. Use '*' for all API groups. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2763,6 +2873,8 @@ spec: Resource name Omit it to check for authorization on all resources of the specified kind. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2777,6 +2889,8 @@ spec: description: Namespace where the user must have permissions on the resource. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2792,6 +2906,8 @@ spec: Resource kind Use '*' for all resource kinds. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2805,6 +2921,8 @@ spec: subresource: description: Subresource kind properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2820,6 +2938,8 @@ spec: Verb to check for authorization on the resource. Use '*' for all verbs. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2836,6 +2956,8 @@ spec: User to check for authorization in the Kubernetes RBAC. Omit it to check for group authorization only. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2875,6 +2997,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2888,6 +3012,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2947,6 +3073,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3058,8 +3186,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object rego: description: |- 
@@ -3103,6 +3231,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -3141,6 +3271,8 @@ spec: description: The name of the permission (or relation) on which to execute the check. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3157,6 +3289,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3169,6 +3303,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3203,6 +3339,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3215,6 +3353,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -3265,6 +3405,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -3297,6 +3439,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3325,6 +3469,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3338,6 +3484,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3397,6 +3545,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -3501,8 +3651,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -3551,6 +3701,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -3585,6 +3737,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3614,6 +3768,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3627,6 +3783,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -3686,6 +3844,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3790,8 +3950,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -3883,6 +4043,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -3925,6 +4087,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3952,6 +4116,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3979,6 +4145,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -4031,6 +4199,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -4050,6 +4220,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4124,6 +4296,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4151,6 +4325,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4178,6 +4354,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4230,6 +4408,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). 
@@ -4249,6 +4429,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4320,6 +4502,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4340,6 +4524,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4357,6 +4543,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4378,6 +4566,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -4398,6 +4588,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4415,6 +4607,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4471,6 +4665,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -4603,6 +4799,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4656,6 +4854,8 @@ spec: defaults: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4742,6 +4942,8 @@ spec: overrides: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -4763,14 +4965,14 @@ spec: Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string - required: - - selector type: object priority: default: 0 @@ -4813,6 +5015,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -4907,6 +5111,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4945,6 +5151,8 @@ spec: API group of the resource. Use '*' for all API groups. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -4960,6 +5168,8 @@ spec: Resource name Omit it to check for authorization on all resources of the specified kind. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4974,6 +5184,8 @@ spec: description: Namespace where the user must have permissions on the resource. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4989,6 +5201,8 @@ spec: Resource kind Use '*' for all resource kinds. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5002,6 +5216,8 @@ spec: subresource: description: Subresource kind properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5017,6 +5233,8 @@ spec: Verb to check for authorization on the resource. Use '*' for all verbs. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -5033,6 +5251,8 @@ spec: User to check for authorization in the Kubernetes RBAC. Omit it to check for group authorization only. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5072,6 +5292,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5085,6 +5307,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5144,6 +5368,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5253,8 +5479,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object rego: description: |- 
@@ -5298,6 +5524,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -5336,6 +5564,8 @@ spec: description: The name of the permission (or relation) on which to execute the check. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5352,6 +5582,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5364,6 +5596,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5398,6 +5632,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5410,6 +5646,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -5459,6 +5697,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -5491,6 +5731,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5518,6 +5760,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5531,6 +5775,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5590,6 +5836,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -5693,8 +5941,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -5742,6 +5990,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -5776,6 +6026,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5803,6 +6055,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5816,6 +6070,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -5875,6 +6131,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5978,8 +6236,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -6070,6 +6328,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -6112,6 +6372,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6139,6 +6401,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6166,6 +6430,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -6218,6 +6484,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -6237,6 +6505,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6310,6 +6580,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6337,6 +6609,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6364,6 +6638,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6416,6 +6692,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). 
@@ -6435,6 +6713,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6505,6 +6785,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6525,6 +6807,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6542,6 +6826,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6563,6 +6849,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -6583,6 +6871,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6600,6 +6890,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6697,6 +6989,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). diff --git a/config/crd/bases/kuadrant.io_authpolicies.yaml b/config/crd/bases/kuadrant.io_authpolicies.yaml index ad5eecf34..235176e71 100644 --- a/config/crd/bases/kuadrant.io_authpolicies.yaml +++ b/config/crd/bases/kuadrant.io_authpolicies.yaml @@ -194,6 +194,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -248,6 +250,8 @@ spec: defaults: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -334,6 +338,8 @@ spec: overrides: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -355,14 +361,14 @@ spec: Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string - required: - - selector type: object priority: default: 0 @@ -406,6 +412,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -501,6 +509,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -540,6 +550,8 @@ spec: API group of the resource. Use '*' for all API groups. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -555,6 +567,8 @@ spec: Resource name Omit it to check for authorization on all resources of the specified kind. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -569,6 +583,8 @@ spec: description: Namespace where the user must have permissions on the resource. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -584,6 +600,8 @@ spec: Resource kind Use '*' for all resource kinds. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -597,6 +615,8 @@ spec: subresource: description: Subresource kind properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -612,6 +632,8 @@ spec: Verb to check for authorization on the resource. Use '*' for all verbs. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -628,6 +650,8 @@ spec: User to check for authorization in the Kubernetes RBAC. Omit it to check for group authorization only. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -667,6 +691,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -680,6 +706,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -739,6 +767,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -850,8 +880,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object rego: description: |- @@ -895,6 +925,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -933,6 +965,8 @@ spec: description: The name of the permission (or relation) on which to execute the check. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -949,6 +983,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -961,6 +997,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -995,6 +1033,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -1007,6 +1047,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1057,6 +1099,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -1089,6 +1133,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1117,6 +1163,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1130,6 +1178,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -1189,6 +1239,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1293,8 +1345,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -1343,6 +1395,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -1377,6 +1431,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1406,6 +1462,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -1419,6 +1477,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1478,6 +1538,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1582,8 +1644,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -1675,6 +1737,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -1717,6 +1781,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1744,6 +1810,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -1771,6 +1839,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1823,6 +1893,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -1842,6 +1914,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1916,6 +1990,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1943,6 +2019,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -1970,6 +2048,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2022,6 +2102,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -2041,6 +2123,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2112,6 +2196,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2132,6 +2218,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2149,6 +2237,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2170,6 +2260,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2190,6 +2282,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2207,6 +2301,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2263,6 +2359,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -2401,6 +2499,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2455,6 +2555,8 @@ spec: defaults: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2541,6 +2643,8 @@ spec: overrides: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2562,14 +2666,14 @@ spec: Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string - required: - - selector type: object priority: default: 0 @@ -2613,6 +2717,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -2708,6 +2814,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2747,6 +2855,8 @@ spec: API group of the resource. Use '*' for all API groups. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2762,6 +2872,8 @@ spec: Resource name Omit it to check for authorization on all resources of the specified kind. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2776,6 +2888,8 @@ spec: description: Namespace where the user must have permissions on the resource. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2791,6 +2905,8 @@ spec: Resource kind Use '*' for all resource kinds. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2804,6 +2920,8 @@ spec: subresource: description: Subresource kind properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2819,6 +2937,8 @@ spec: Verb to check for authorization on the resource. Use '*' for all verbs. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -2835,6 +2955,8 @@ spec: User to check for authorization in the Kubernetes RBAC. Omit it to check for group authorization only. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2874,6 +2996,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2887,6 +3011,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -2946,6 +3072,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3057,8 +3185,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object rego: description: |- 
@@ -3102,6 +3230,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -3140,6 +3270,8 @@ spec: description: The name of the permission (or relation) on which to execute the check. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3156,6 +3288,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3168,6 +3302,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3202,6 +3338,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3214,6 +3352,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -3264,6 +3404,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -3296,6 +3438,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3324,6 +3468,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3337,6 +3483,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3396,6 +3544,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -3500,8 +3650,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -3550,6 +3700,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -3584,6 +3736,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3613,6 +3767,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3626,6 +3782,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -3685,6 +3843,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3789,8 +3949,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -3882,6 +4042,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -3924,6 +4086,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3951,6 +4115,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -3978,6 +4144,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -4030,6 +4198,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -4049,6 +4219,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4123,6 +4295,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4150,6 +4324,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4177,6 +4353,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4229,6 +4407,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). 
@@ -4248,6 +4428,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4319,6 +4501,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4339,6 +4523,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4356,6 +4542,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4377,6 +4565,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -4397,6 +4587,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4414,6 +4606,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4470,6 +4664,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -4602,6 +4798,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4655,6 +4853,8 @@ spec: defaults: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4741,6 +4941,8 @@ spec: overrides: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -4762,14 +4964,14 @@ spec: Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string - required: - - selector type: object priority: default: 0 @@ -4812,6 +5014,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -4906,6 +5110,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4944,6 +5150,8 @@ spec: API group of the resource. Use '*' for all API groups. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -4959,6 +5167,8 @@ spec: Resource name Omit it to check for authorization on all resources of the specified kind. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4973,6 +5183,8 @@ spec: description: Namespace where the user must have permissions on the resource. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -4988,6 +5200,8 @@ spec: Resource kind Use '*' for all resource kinds. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5001,6 +5215,8 @@ spec: subresource: description: Subresource kind properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5016,6 +5232,8 @@ spec: Verb to check for authorization on the resource. Use '*' for all verbs. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -5032,6 +5250,8 @@ spec: User to check for authorization in the Kubernetes RBAC. Omit it to check for group authorization only. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5071,6 +5291,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5084,6 +5306,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5143,6 +5367,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5252,8 +5478,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object rego: description: |- 
@@ -5297,6 +5523,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -5335,6 +5563,8 @@ spec: description: The name of the permission (or relation) on which to execute the check. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5351,6 +5581,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5363,6 +5595,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5397,6 +5631,8 @@ spec: properties: kind: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5409,6 +5645,8 @@ spec: type: object name: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -5458,6 +5696,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -5490,6 +5730,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5517,6 +5759,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5530,6 +5774,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5589,6 +5835,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -5692,8 +5940,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -5741,6 +5989,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -5775,6 +6025,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5802,6 +6054,8 @@ spec: Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5815,6 +6069,8 @@ spec: bodyParameters: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -5874,6 +6130,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -5977,8 +6235,8 @@ spec: by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string - required: - - url + urlExpression: + type: string type: object metrics: default: false @@ -6069,6 +6327,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -6111,6 +6371,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6138,6 +6400,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6165,6 +6429,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -6217,6 +6483,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). @@ -6236,6 +6504,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6309,6 +6579,8 @@ spec: Key used to store the entry in the cache. The resolved key must be unique within the scope of this particular config. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6336,6 +6608,8 @@ spec: properties: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6363,6 +6637,8 @@ spec: plain: description: Plain text content properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6415,6 +6691,8 @@ spec: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). 
@@ -6434,6 +6712,8 @@ spec: customClaims: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6504,6 +6784,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6524,6 +6806,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6541,6 +6825,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6562,6 +6848,8 @@ spec: description: HTTP response body to override the default denial body. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
@@ -6582,6 +6870,8 @@ spec: headers: additionalProperties: properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6599,6 +6889,8 @@ spec: description: HTTP message to override the default denial message. properties: + expression: + type: string selector: description: |- Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). @@ -6696,6 +6988,8 @@ spec: patternRef: description: Reference to a named set of pattern expressions type: string + predicate: + type: string selector: description: |- Path selector to fetch content from the authorization JSON (e.g. 'request.method'). diff --git a/controllers/auth_policy_status_updater.go b/controllers/auth_policy_status_updater.go index 113713d9a..23fac78b4 100644 --- a/controllers/auth_policy_status_updater.go +++ b/controllers/auth_policy_status_updater.go @@ -8,7 +8,7 @@ import ( envoygatewayv1alpha1 "github.com/envoyproxy/gateway/api/v1alpha1" authorinooperatorv1beta1 "github.com/kuadrant/authorino-operator/api/v1beta1" - authorinov1beta2 "github.com/kuadrant/authorino/api/v1beta2" + authorinov1beta3 "github.com/kuadrant/authorino/api/v1beta3" "github.com/kuadrant/policy-machinery/controller" "github.com/kuadrant/policy-machinery/machinery" "github.com/samber/lo" 
@@ -197,7 +197,7 @@ func (r *AuthPolicyStatusUpdater) enforcedCondition(policy *kuadrantv1beta3.Auth authConfig, found := lo.Find(topology.Objects().Children(httpRouteRule), func(authConfig machinery.Object) bool { return authConfig.GroupVersionKind().GroupKind() == kuadrantv1beta1.AuthConfigGroupKind && authConfig.GetName() == authConfigName }) - if !found || !isAuthConfigReady(authConfig.(*controller.RuntimeObject).Object.(*authorinov1beta2.AuthConfig)) { + if !found || !isAuthConfigReady(authConfig.(*controller.RuntimeObject).Object.(*authorinov1beta3.AuthConfig)) { componentsToSync = append(componentsToSync, fmt.Sprintf("%s (%s)", kuadrantv1beta1.AuthConfigGroupKind.Kind, authConfigName)) } } @@ -251,7 +251,7 @@ func authorinoOperatorConditionToProperConditionFunc(condition authorinooperator } } -func authorinoConditionToProperConditionFunc(cond authorinov1beta2.AuthConfigStatusCondition, _ int) metav1.Condition { +func authorinoConditionToProperConditionFunc(cond authorinov1beta3.AuthConfigStatusCondition, _ int) metav1.Condition { return metav1.Condition{ Type: string(cond.Type), Status: metav1.ConditionStatus(cond.Status), @@ -260,13 +260,13 @@ func authorinoConditionToProperConditionFunc(cond authorinov1beta2.AuthConfigSta } } -func authConfigReadyStatusFunc(state *sync.Map) func(authConfig *authorinov1beta2.AuthConfig) bool { +func authConfigReadyStatusFunc(state *sync.Map) func(authConfig *authorinov1beta3.AuthConfig) bool { modifiedAuthConfigs, modified := state.Load(StateModifiedAuthConfigs) if !modified { return authConfigReadyStatus } modifiedAuthConfigsList := modifiedAuthConfigs.([]string) - return func(authConfig *authorinov1beta2.AuthConfig) bool { + return func(authConfig *authorinov1beta3.AuthConfig) bool { if lo.Contains(modifiedAuthConfigsList, authConfig.GetName()) { return false } 
@@ -274,8 +274,8 @@ func authConfigReadyStatusFunc(state *sync.Map) func(authConfig *authorinov1beta } } -func authConfigReadyStatus(authConfig *authorinov1beta2.AuthConfig) bool { - if condition := meta.FindStatusCondition(lo.Map(authConfig.Status.Conditions, authorinoConditionToProperConditionFunc), string(authorinov1beta2.StatusConditionReady)); condition != nil { +func authConfigReadyStatus(authConfig *authorinov1beta3.AuthConfig) bool { + if condition := meta.FindStatusCondition(lo.Map(authConfig.Status.Conditions, authorinoConditionToProperConditionFunc), string(authorinov1beta3.StatusConditionReady)); condition != nil { return condition.Status == metav1.ConditionTrue } return false diff --git a/controllers/auth_workflow_helpers.go b/controllers/auth_workflow_helpers.go index c428f9e43..3edb1303f 100644 --- a/controllers/auth_workflow_helpers.go +++ b/controllers/auth_workflow_helpers.go @@ -124,11 +124,23 @@ func buildWasmActionsForAuth(pathID string, effectivePolicy EffectiveAuthPolicy) Scope: AuthConfigNameForPath(pathID), } spec := effectivePolicy.Spec.Spec.Proper() - if conditions := wasm.PredicatesFromWhenConditions(lo.FlatMap(spec.Conditions, func(pattern kuadrantv1beta3.MergeablePatternExpressionOrRef, _ int) []kuadrantv1beta3.WhenCondition { - return pattern.ToWhenConditions(spec.NamedPatterns) - })...); len(conditions) > 0 { + + predicates := make([]string, 0) + whenConditions := make([]kuadrantv1beta3.WhenCondition, 0) + for _, condition := range spec.Conditions { + if condition.Predicate != "" { + predicates = append(predicates, condition.Predicate) + } else { + whenConditions = append(whenConditions, condition.ToWhenConditions(spec.NamedPatterns)...) + } + } + if len(predicates) > 0 { + action.Predicates = predicates + } + if conditions := wasm.ConditionsFromWhenConditions(whenConditions...); len(conditions) > 0 { action.Conditions = conditions } + return []wasm.Action{action} } 
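Review bot: A condition that carries both a `Predicate` and a pattern expression or `patternRef` is emitted as a CEL predicate only — the `else` branch never runs for it — so the pattern half of such an entry is silently dropped from the wasm action, and since these conditions presumably gate whether the auth call is made at all, a dropped clause widens or narrows the enforced scope with no signal to the policy author. The hunk does not show whether the CRD rejects both fields on one entry, so either add that validation or document the precedence at the `if condition.Predicate != ""` line, e.g. `// a CEL predicate takes precedence; selector/operator/value and patternRef on the same condition are ignored`. It is also not visible here how the wasm shim combines `action.Predicates` with `action.Conditions` when both are set; a one-line comment stating that they are ANDed (or that predicates supersede) would spare the next reader from guessing. Minor style: `var predicates []string` and `var whenConditions []kuadrantv1beta3.WhenCondition` suffice, since both are only read via `len(...) > 0` and `append`. buildWasmActionsForAuth starts outside the hunk.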
diff --git a/controllers/authconfigs_reconciler.go b/controllers/authconfigs_reconciler.go index 03fa021e8..7c72b4701 100644 --- a/controllers/authconfigs_reconciler.go +++ b/controllers/authconfigs_reconciler.go @@ -7,7 +7,7 @@ import ( "reflect" "sync" - authorinov1beta2 "github.com/kuadrant/authorino/api/v1beta2" + authorinov1beta3 "github.com/kuadrant/authorino/api/v1beta3" "github.com/kuadrant/policy-machinery/controller" "github.com/kuadrant/policy-machinery/machinery" "github.com/samber/lo" @@ -98,7 +98,7 @@ func (r *AuthConfigsReconciler) Reconcile(ctx context.Context, _ []controller.Re continue } - existingAuthConfig := existingAuthConfigObj.(*controller.RuntimeObject).Object.(*authorinov1beta2.AuthConfig) + existingAuthConfig := existingAuthConfigObj.(*controller.RuntimeObject).Object.(*authorinov1beta3.AuthConfig) if equalAuthConfigs(existingAuthConfig, desiredAuthConfig) { logger.V(1).Info("authconfig object is up to date, nothing to do") @@ -149,13 +149,13 @@ func (r *AuthConfigsReconciler) Reconcile(ctx context.Context, _ []controller.Re return nil } -func (r *AuthConfigsReconciler) buildDesiredAuthConfig(effectivePolicy EffectiveAuthPolicy, name, namespace string) *authorinov1beta2.AuthConfig { +func (r *AuthConfigsReconciler) buildDesiredAuthConfig(effectivePolicy EffectiveAuthPolicy, name, namespace string) *authorinov1beta3.AuthConfig { _, _, _, _, httpRouteRule, _ := common.ObjectsInRequestPath(effectivePolicy.Path) - authConfig := &authorinov1beta2.AuthConfig{ + authConfig := &authorinov1beta3.AuthConfig{ TypeMeta: metav1.TypeMeta{ Kind: "AuthConfig", - APIVersion: authorinov1beta2.GroupVersion.String(), + APIVersion: authorinov1beta3.GroupVersion.String(), }, ObjectMeta: metav1.ObjectMeta{ Name: name, @@ -165,7 +165,7 @@ func (r *AuthConfigsReconciler) buildDesiredAuthConfig(effectivePolicy Effective }, Labels: AuthObjectLabels(), }, - Spec: authorinov1beta2.AuthConfigSpec{ + Spec: authorinov1beta3.AuthConfigSpec{ Hosts: []string{name}, }, } 
@@ -174,14 +174,14 @@ func (r *AuthConfigsReconciler) buildDesiredAuthConfig(effectivePolicy Effective // named patterns if namedPatterns := spec.NamedPatterns; namedPatterns != nil { - authConfig.Spec.NamedPatterns = lo.MapValues(spec.NamedPatterns, func(v kuadrantv1beta3.MergeablePatternExpressions, _ string) authorinov1beta2.PatternExpressions { + authConfig.Spec.NamedPatterns = lo.MapValues(spec.NamedPatterns, func(v kuadrantv1beta3.MergeablePatternExpressions, _ string) authorinov1beta3.PatternExpressions { return v.PatternExpressions }) } // top-level conditions if conditions := spec.Conditions; conditions != nil { - authConfig.Spec.Conditions = lo.Map(spec.Conditions, func(v kuadrantv1beta3.MergeablePatternExpressionOrRef, _ int) authorinov1beta2.PatternExpressionOrRef { + authConfig.Spec.Conditions = lo.Map(spec.Conditions, func(v kuadrantv1beta3.MergeablePatternExpressionOrRef, _ int) authorinov1beta3.PatternExpressionOrRef { return v.PatternExpressionOrRef }) } 
@@ -194,45 +194,45 @@ func (r *AuthConfigsReconciler) buildDesiredAuthConfig(effectivePolicy Effective // authentication if authentication := authScheme.Authentication; authentication != nil { - authConfig.Spec.Authentication = lo.MapValues(authentication, func(v kuadrantv1beta3.MergeableAuthenticationSpec, _ string) authorinov1beta2.AuthenticationSpec { + authConfig.Spec.Authentication = lo.MapValues(authentication, func(v kuadrantv1beta3.MergeableAuthenticationSpec, _ string) authorinov1beta3.AuthenticationSpec { return v.AuthenticationSpec }) } // metadata if metadata := authScheme.Metadata; metadata != nil { - authConfig.Spec.Metadata = lo.MapValues(metadata, func(v kuadrantv1beta3.MergeableMetadataSpec, _ string) authorinov1beta2.MetadataSpec { + authConfig.Spec.Metadata = lo.MapValues(metadata, func(v kuadrantv1beta3.MergeableMetadataSpec, _ string) authorinov1beta3.MetadataSpec { return v.MetadataSpec }) } // authorization if authorization := authScheme.Authorization; authorization != nil { - authConfig.Spec.Authorization = lo.MapValues(authorization, func(v kuadrantv1beta3.MergeableAuthorizationSpec, _ string) authorinov1beta2.AuthorizationSpec { + authConfig.Spec.Authorization = lo.MapValues(authorization, func(v kuadrantv1beta3.MergeableAuthorizationSpec, _ string) authorinov1beta3.AuthorizationSpec { return v.AuthorizationSpec }) } // response if response := authScheme.Response; response != nil { - var unauthenticated *authorinov1beta2.DenyWithSpec + var unauthenticated *authorinov1beta3.DenyWithSpec if response.Unauthenticated != nil { unauthenticated = &response.Unauthenticated.DenyWithSpec } - var unauthorized *authorinov1beta2.DenyWithSpec + var unauthorized *authorinov1beta3.DenyWithSpec if response.Unauthorized != nil { unauthorized = &response.Unauthorized.DenyWithSpec } - authConfig.Spec.Response = &authorinov1beta2.ResponseSpec{ + authConfig.Spec.Response = &authorinov1beta3.ResponseSpec{ Unauthenticated: unauthenticated, Unauthorized: 
unauthorized, - Success: authorinov1beta2.WrappedSuccessResponseSpec{ - Headers: authorinoSpecsFromConfigs(response.Success.Headers, func(config kuadrantv1beta3.MergeableHeaderSuccessResponseSpec) authorinov1beta2.HeaderSuccessResponseSpec { - return authorinov1beta2.HeaderSuccessResponseSpec{SuccessResponseSpec: config.SuccessResponseSpec} + Success: authorinov1beta3.WrappedSuccessResponseSpec{ + Headers: authorinoSpecsFromConfigs(response.Success.Headers, func(config kuadrantv1beta3.MergeableHeaderSuccessResponseSpec) authorinov1beta3.HeaderSuccessResponseSpec { + return authorinov1beta3.HeaderSuccessResponseSpec{SuccessResponseSpec: config.SuccessResponseSpec} }), - DynamicMetadata: authorinoSpecsFromConfigs(response.Success.DynamicMetadata, func(config kuadrantv1beta3.MergeableSuccessResponseSpec) authorinov1beta2.SuccessResponseSpec { + DynamicMetadata: authorinoSpecsFromConfigs(response.Success.DynamicMetadata, func(config kuadrantv1beta3.MergeableSuccessResponseSpec) authorinov1beta3.SuccessResponseSpec { return config.SuccessResponseSpec }), }, @@ -241,7 +241,7 @@ func (r *AuthConfigsReconciler) buildDesiredAuthConfig(effectivePolicy Effective // callbacks if callbacks := authScheme.Callbacks; callbacks != nil { - authConfig.Spec.Callbacks = lo.MapValues(callbacks, func(v kuadrantv1beta3.MergeableCallbackSpec, _ string) authorinov1beta2.CallbackSpec { + authConfig.Spec.Callbacks = lo.MapValues(callbacks, func(v kuadrantv1beta3.MergeableCallbackSpec, _ string) authorinov1beta3.CallbackSpec { return v.CallbackSpec }) } @@ -263,7 +263,7 @@ func authorinoSpecsFromConfigs[T, U any](configs map[string]U, extractAuthorinoS return specs } -func equalAuthConfigs(existing, desired *authorinov1beta2.AuthConfig) bool { +func equalAuthConfigs(existing, desired *authorinov1beta3.AuthConfig) bool { // httprouterule back ref annotation existingAnnotations := existing.GetAnnotations() desiredAnnotations := desired.GetAnnotations() 
diff --git a/controllers/ratelimit_workflow_helpers.go b/controllers/ratelimit_workflow_helpers.go index 1eeb9a166..aa04b943a 100644 --- a/controllers/ratelimit_workflow_helpers.go +++ b/controllers/ratelimit_workflow_helpers.go @@ -154,7 +154,7 @@ func wasmActionFromLimit(limit *kuadrantv1beta3.Limit, limitIdentifier, scope st ServiceName: wasm.RateLimitServiceName, Scope: scope, } - if conditions := wasm.PredicatesFromWhenConditions(limit.When...); len(conditions) > 0 { + if conditions := wasm.ConditionsFromWhenConditions(limit.When...); len(conditions) > 0 { action.Conditions = conditions } if data := wasmDataFromLimit(limitIdentifier, limit); len(data) > 0 { diff --git a/controllers/ratelimit_workflow_test.go b/controllers/ratelimit_workflow_test.go index 00f1dc02b..46d0cadad 100644 --- a/controllers/ratelimit_workflow_test.go +++ b/controllers/ratelimit_workflow_test.go @@ -141,7 +141,7 @@ func TestWasmActionFromLimit(t *testing.T) { expectedAction: wasm.Action{ ServiceName: wasm.RateLimitServiceName, Scope: "my-ns/my-route", - Conditions: []wasm.Predicate{ + Conditions: []wasm.Condition{ { Selector: "auth.identity.group", Operator: wasm.PatternOperator(kuadrantv1beta3.NotEqualOperator), diff --git a/controllers/state_of_the_world.go b/controllers/state_of_the_world.go index d6ced1a60..495e5a6e3 100644 --- a/controllers/state_of_the_world.go +++ b/controllers/state_of_the_world.go @@ -9,7 +9,7 @@ import ( egv1alpha1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/go-logr/logr" authorinooperatorv1beta1 "github.com/kuadrant/authorino-operator/api/v1beta1" - authorinov1beta2 "github.com/kuadrant/authorino/api/v1beta2" + authorinov1beta3 "github.com/kuadrant/authorino/api/v1beta3" kuadrantdnsv1alpha1 "github.com/kuadrant/dns-operator/api/v1alpha1" limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1" "github.com/kuadrant/policy-machinery/controller" 
@@ -114,10 +114,10 @@ func NewPolicyMachineryController(manager ctrlruntime.Manager, client *dynamic.D metav1.NamespaceAll, )), controller.WithRunnable("authconfig watcher", controller.Watch( - &authorinov1beta2.AuthConfig{}, + &authorinov1beta3.AuthConfig{}, kuadrantv1beta1.AuthConfigsResource, metav1.NamespaceAll, - controller.FilterResourcesByLabel[*authorinov1beta2.AuthConfig](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)), + controller.FilterResourcesByLabel[*authorinov1beta3.AuthConfig](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)), )), controller.WithPolicyKinds( kuadrantv1.DNSPolicyGroupKind, diff --git a/controllers/test_common.go b/controllers/test_common.go index c08b7303b..4c3137da4 100644 --- a/controllers/test_common.go +++ b/controllers/test_common.go @@ -46,7 +46,7 @@ import ( gatewayapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" authorinoopapi "github.com/kuadrant/authorino-operator/api/v1beta1" - authorinoapi "github.com/kuadrant/authorino/api/v1beta2" + authorinoapi "github.com/kuadrant/authorino/api/v1beta3" kuadrantdnsv1alpha1 "github.com/kuadrant/dns-operator/api/v1alpha1" limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1" diff --git a/go.mod b/go.mod index a6f39860e..e49985d68 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ require ( github.com/go-logr/logr v1.4.2 github.com/goccy/go-yaml v1.12.0 github.com/google/go-cmp v0.6.0 - github.com/kuadrant/authorino v0.18.0 + github.com/kuadrant/authorino v0.19.0 github.com/kuadrant/authorino-operator v0.11.1 github.com/kuadrant/dns-operator v0.0.0-20241018131559-f2ce8b6aaaef github.com/kuadrant/limitador-operator v0.9.0 @@ -18,7 +18,7 @@ require ( github.com/onsi/ginkgo/v2 v2.20.2 github.com/onsi/gomega v1.34.1 github.com/openshift/api v0.0.0-20240926211938-f89ab92f1597 - github.com/prometheus/client_golang v1.19.1 + github.com/prometheus/client_golang v1.20.2 github.com/samber/lo v1.39.0 go.uber.org/zap v1.27.0 google.golang.org/protobuf v1.34.2 
@@ -105,7 +105,7 @@ require ( github.com/jmoiron/sqlx v1.3.5 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.17.8 // indirect + github.com/klauspost/compress v1.17.9 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect github.com/lib/pq v1.10.9 // indirect @@ -149,7 +149,7 @@ require ( github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/xlab/treeprint v1.2.0 // indirect go.opentelemetry.io/contrib/exporters/autoexport v0.53.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect go.opentelemetry.io/otel v1.28.0 // indirect go.opentelemetry.io/otel/metric v1.28.0 // indirect go.opentelemetry.io/otel/trace v1.28.0 // indirect @@ -163,13 +163,13 @@ require ( golang.org/x/sys v0.24.0 // indirect golang.org/x/term v0.23.0 // indirect golang.org/x/text v0.17.0 // indirect - golang.org/x/time v0.5.0 // indirect + golang.org/x/time v0.6.0 // indirect golang.org/x/tools v0.24.0 // indirect golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf // indirect - google.golang.org/grpc v1.65.0 // indirect + google.golang.org/grpc v1.66.0 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum index 21395826a..4944619f7 100644 --- a/go.sum +++ b/go.sum 
@@ -111,8 +111,8 @@ github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtz github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/gateway v1.1.0 h1:4+mNtirUNwLudBj8y9qXqL10qXxEDwBytQOU/2YgINQ= github.com/envoyproxy/gateway v1.1.0/go.mod h1:9hrhbkuH7sBwB0pzMXm3AFyw+lxG3e+YCvuWaM6JKrw= -github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d h1:RopQsG28t61pLLZRkwzwBsi60yDsOP8RvW47A3eAcGo= -github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d/go.mod h1:5Wkq+JduFtdAXihLmeTJf+tRYIT4KBc2vPXDhwVo1pA= +github.com/envoyproxy/go-control-plane v0.12.1-0.20240621013728-1eb8caab5155 h1:IgJPqnrlY2Mr4pYB6oaMKvFvwJ9H+X6CCY5x1vCTcpc= +github.com/envoyproxy/go-control-plane v0.12.1-0.20240621013728-1eb8caab5155/go.mod h1:5Wkq+JduFtdAXihLmeTJf+tRYIT4KBc2vPXDhwVo1pA= github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= 
@@ -181,8 +181,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84= -github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg= +github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI= +github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -243,8 +243,8 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU= -github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 
@@ -254,8 +254,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kuadrant/authorino v0.18.0 h1:9NjOly+Esy63JTE+CA2Aoapq5t1nJPi3lR50B5jisqg= -github.com/kuadrant/authorino v0.18.0/go.mod h1:70VTo3BuAgHFqWhQHEgjJwlDOKNcsmA0A3WebRQeGUA= +github.com/kuadrant/authorino v0.19.0 h1:vPkDWVgQPi5A91MfIyWe06rLW0ZaACd+8j2SZPKrbHc= +github.com/kuadrant/authorino v0.19.0/go.mod h1:J9B/8aZMSyim6CxdmSlS2kRfQt3xMrZub2V/qHnkNeA= github.com/kuadrant/authorino-operator v0.11.1 h1:jndTZhiHMU+2Dk0NU+KP2+MUSfvclrn+YtTCQDJj+1s= github.com/kuadrant/authorino-operator v0.11.1/go.mod h1:TeFFdX477vUTMushCojaHpvwPLga4DpErGI2oQbqFIs= github.com/kuadrant/dns-operator v0.0.0-20241018131559-f2ce8b6aaaef h1:6P2pC1kOPcrT/22N23Mr3xr3CTHmQQkj3jmOlUEJvO0= 
@@ -368,8 +368,8 @@ github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjz github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= -github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg= +github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= 
@@ -453,8 +453,8 @@ go.opentelemetry.io/contrib/bridges/prometheus v0.53.0 h1:BdkKDtcrHThgjcEia1737O go.opentelemetry.io/contrib/bridges/prometheus v0.53.0/go.mod h1:ZkhVxcJgeXlL/lVyT/vxNHVFiSG5qOaDwYaSgD8IfZo= go.opentelemetry.io/contrib/exporters/autoexport v0.53.0 h1:13K+tY7E8GJInkrvRiPAhC0gi/7vKjzDNhtmCf+QXG8= go.opentelemetry.io/contrib/exporters/autoexport v0.53.0/go.mod h1:lyQF6xQ4iDnMg4sccNdFs1zf62xd79YI8vZqKjOTwMs= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.4.0 h1:zBPZAISA9NOc5cE8zydqDiS0itvg/P/0Hn9m72a5gvM= 
@@ -594,8 +594,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= -golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= -golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= +golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 
@@ -617,8 +617,8 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1: google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw= google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf h1:liao9UHurZLtiEwBgT9LMOnKYsHze6eA6w1KQCMVN2Q= google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= -google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= -google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c= +google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= diff --git a/main.go b/main.go index 87dfa92e8..1f28e3099 100644 --- a/main.go +++ b/main.go @@ -25,7 +25,7 @@ import ( certmanv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" egv1alpha1 "github.com/envoyproxy/gateway/api/v1alpha1" authorinoopapi "github.com/kuadrant/authorino-operator/api/v1beta1" - authorinoapi "github.com/kuadrant/authorino/api/v1beta2" + authorinoapi "github.com/kuadrant/authorino/api/v1beta3" kuadrantdnsv1alpha1 "github.com/kuadrant/dns-operator/api/v1alpha1" limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1" consolev1 "github.com/openshift/api/console/v1" diff --git a/pkg/wasm/types.go b/pkg/wasm/types.go index 32d1de1c2..4f1ee435e 100644 --- a/pkg/wasm/types.go +++ b/pkg/wasm/types.go 
@@ -14,7 +14,6 @@ import ( var ( PathMatchTypeMap = map[gatewayapiv1.PathMatchType]PatternOperator{ - gatewayapiv1.PathMatchExact: PatternOperator(kuadrantv1beta3.EqualOperator), gatewayapiv1.PathMatchPathPrefix: PatternOperator(kuadrantv1beta3.StartsWithOperator), gatewayapiv1.PathMatchRegularExpression: PatternOperator(kuadrantv1beta3.MatchesOperator), } @@ -116,12 +115,12 @@ func (s *ActionSet) EqualTo(other ActionSet) bool { } type RouteRuleConditions struct { - Hostnames []string `json:"hostnames"` - Matches []Predicate `json:"matches,omitempty"` + Hostnames []string `json:"hostnames"` + Predicates []string `json:"predicates,omitempty"` } func (r *RouteRuleConditions) EqualTo(other RouteRuleConditions) bool { - if len(r.Hostnames) != len(other.Hostnames) || len(r.Matches) != len(other.Matches) { + if len(r.Hostnames) != len(other.Hostnames) || len(r.Predicates) != len(other.Predicates) { return false } @@ -131,8 +130,8 @@ func (r *RouteRuleConditions) EqualTo(other RouteRuleConditions) bool { } } - for i := range r.Matches { - if !r.Matches[i].EqualTo(other.Matches[i]) { + for i := range r.Predicates { + if r.Predicates[i] != other.Predicates[i] { return false } } @@ -140,7 +139,7 @@ func (r *RouteRuleConditions) EqualTo(other RouteRuleConditions) bool { return true } -type Predicate struct { +type Condition struct { // Selector of an attribute from the contextual properties provided by kuadrant // during request and connection processing Selector kuadrantv1beta3.ContextSelector `json:"selector"` @@ -154,7 +153,7 @@ type Predicate struct { Value string `json:"value"` } -func (p *Predicate) EqualTo(other Predicate) bool { +func (p *Condition) EqualTo(other Condition) bool { return p.Selector == other.Selector && p.Operator == other.Operator && p.Value == other.Value 
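Review bot: After dropping `gatewayapiv1.PathMatchExact` from `PathMatchTypeMap`, the map is no longer a complete translation of Gateway API path match types, but nothing at the declaration says so; a reader who reaches for this map elsewhere will treat Exact as unsupported rather than specially handled. I would add a comment above the map such as `// PathMatchTypeMap maps Gateway API path match types to the CEL string method used in predicates. PathMatchExact is deliberately absent: exact matches are emitted as a plain == comparison by predicateFromPathMatch.` The map's closing context line is the last thing visible in this hunk, so I cannot confirm whether a comment already exists above `var (`.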
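Review bot: `RouteRuleConditions` changes its wire format (`json:"matches"` → `json:"predicates"`, with a different element type) and nothing in the struct records which wasm-shim release understands the new key, so the operator and the shim now have to be rolled out together. I cannot see from this hunk how the shim behaves when it receives only the key it does not know, but presumably an action set whose route-rule predicates are not understood is gated by `hostnames` alone, which changes where auth and rate limiting apply. I would document the coupling on the field: `// Predicates are CEL expressions evaluated by the wasm-shim against the request; the "predicates" key replaces the older "matches" list and requires a shim that supports it.`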
@@ -166,8 +165,11 @@ type Action struct { ServiceName string `json:"service"` Scope string `json:"scope"` + // Predicates that activate the action + Predicates []string `json:"predicates,omitempty"` + // Conditions that activate the action - Conditions []Predicate `json:"conditions,omitempty"` + Conditions []Condition `json:"conditions,omitempty"` // Data to be sent to the service // +optional @@ -175,10 +177,16 @@ type Action struct { } func (a *Action) EqualTo(other Action) bool { - if a.Scope != other.Scope || a.ServiceName != other.ServiceName || len(a.Conditions) != len(other.Conditions) || len(a.Data) != len(other.Data) { + if a.Scope != other.Scope || a.ServiceName != other.ServiceName || len(a.Predicates) != len(other.Predicates) || len(a.Conditions) != len(other.Conditions) || len(a.Data) != len(other.Data) { return false } + for i := range a.Predicates { + if a.Predicates[i] != other.Predicates[i] { + return false + } + } + for i := range a.Conditions { if !a.Conditions[i].EqualTo(other.Conditions[i]) { return false diff --git a/pkg/wasm/types_test.go b/pkg/wasm/types_test.go index ae6fe51f1..1e296adf3 100644 --- a/pkg/wasm/types_test.go +++ b/pkg/wasm/types_test.go @@ -62,19 +62,15 @@ func TestConfigEqual(t *testing.T) { Name: "5755da0b3c275ba6b8f553890eb32b04768a703b60ab9a5d7f4e0948e23ef0ab", RouteRuleConditions: RouteRuleConditions{ Hostnames: []string{"other.example.com"}, - Matches: []Predicate{ - { - Selector: "request.url_path", - Operator: "startswith", - Value: "/", - }, + Predicates: []string{ + "request.url_path.startsWith('/')", }, }, Actions: []Action{ { ServiceName: "ratelimit-service", Scope: "default/other", - Conditions: []Predicate{ + Conditions: []Condition{ { Selector: "source.address", Operator: "neq", @@ -101,7 +97,7 @@ func TestConfigEqual(t *testing.T) { { Actions: []Action{ { - Conditions: []Predicate{ + Conditions: []Condition{ { Operator: "neq", Selector: "source.address", 
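Review bot: `Action` now carries both `Predicates` (CEL strings) and `Conditions` (selector/operator/value triples) with near-identical comments, "Predicates that activate the action" and "Conditions that activate the action", which leaves the reader guessing whether they are ANDed, whether one takes precedence, or whether the second is retained only for older configs. The commit message says CEL predicates are used "when present", which suggests precedence rather than conjunction, but the struct does not say so. I would make the comments state the contract, for example `// Predicates are CEL expressions that must all hold for the action to run; when set they take precedence over Conditions.` and `// Conditions is the pre-CEL (selector, operator, value) form, kept for configs that do not use Predicates.` — adjusting the wording to whatever the shim actually does, which this hunk cannot show.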
@@ -125,12 +121,8 @@ func TestConfigEqual(t *testing.T) { Name: "5755da0b3c275ba6b8f553890eb32b04768a703b60ab9a5d7f4e0948e23ef0ab", RouteRuleConditions: RouteRuleConditions{ Hostnames: []string{"other.example.com"}, - Matches: []Predicate{ - { - Operator: "startswith", - Selector: "request.url_path", - Value: "/", - }, + Predicates: []string{ + "request.url_path.startsWith('/')", }, }, }, diff --git a/pkg/wasm/utils.go b/pkg/wasm/utils.go index 32a66a365..f4919d7d2 100644 --- a/pkg/wasm/utils.go +++ b/pkg/wasm/utils.go @@ -61,7 +61,7 @@ func BuildActionSetsForPath(pathID string, path []machinery.Targetable, actions Hostnames: []string{string(hostname)}, } if predicates := PredicatesFromHTTPRouteMatch(httpRouteMatch); len(predicates) > 0 { - routeRuleConditions.Matches = predicates + routeRuleConditions.Predicates = predicates } actionSet.RouteRuleConditions = routeRuleConditions return kuadrantgatewayapi.HTTPRouteMatchConfig{ @@ -113,10 +113,10 @@ func ConfigFromJSON(configJSON *apiextensionsv1.JSON) (*Config, error) { return config, nil } -// PredicatesFromWhenConditions builds a list of predicates from a list of (selector, operator, value) when conditions -func PredicatesFromWhenConditions(when ...kuadrantv1beta3.WhenCondition) []Predicate { - return lo.Map(when, func(when kuadrantv1beta3.WhenCondition, _ int) Predicate { - return Predicate{ +// ConditionsFromWhenConditions builds a list of predicates from a list of (selector, operator, value) when conditions +func ConditionsFromWhenConditions(when ...kuadrantv1beta3.WhenCondition) []Condition { + return lo.Map(when, func(when kuadrantv1beta3.WhenCondition, _ int) Condition { + return Condition{ Selector: when.Selector, Operator: PatternOperator(when.Operator), Value: when.Value, 
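Review bot: The doc comment on the renamed `ConditionsFromWhenConditions` still reads "builds a list of predicates", but the function now returns `[]Condition` and, in this package, "predicate" has just been redefined to mean a CEL string produced by `PredicatesFromHTTPRouteMatch`; the stale wording now actively points at the wrong type. I would rewrite it as `// ConditionsFromWhenConditions converts a policy's (selector, operator, value) when-conditions into wasm Condition entries; it does not emit CEL predicates.` The function's tail (`Value: when.Value,` and the closing braces) continues into the next hunk.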
@@ -125,8 +125,8 @@ func PredicatesFromWhenConditions(when ...kuadrantv1beta3.WhenCondition) []Predi } // PredicatesFromHTTPRouteMatch builds a list of conditions from a rule match -func PredicatesFromHTTPRouteMatch(match gatewayapiv1.HTTPRouteMatch) []Predicate { - predicates := make([]Predicate, 0) +func PredicatesFromHTTPRouteMatch(match gatewayapiv1.HTTPRouteMatch) []string { + predicates := make([]string, 0) // method if match.Method != nil { @@ -151,7 +151,7 @@ func PredicatesFromHTTPRouteMatch(match gatewayapiv1.HTTPRouteMatch) []Predicate return predicates } -func predicateFromPathMatch(pathMatch gatewayapiv1.HTTPPathMatch) Predicate { +func predicateFromPathMatch(pathMatch gatewayapiv1.HTTPPathMatch) string { var ( operator = PatternOperator(kuadrantv1beta3.StartsWithOperator) // default value value = "/" // default value 
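Review bot: `PredicatesFromHTTPRouteMatch` now returns `[]string` of CEL expressions, but its comment still says it "builds a list of conditions from a rule match", which collides with the `Condition` type this change introduces. I would state what the strings are and the one fact callers need: `// PredicatesFromHTTPRouteMatch translates a Gateway API HTTPRouteMatch into CEL predicate strings over request.method, request.url_path and request.headers, in that order; all must hold for the route rule to match.` The function body (method, path and header handling) lies between this hunk and the next, so the ordering claim should be checked against it before being written down.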
@@ -162,33 +162,22 @@ func predicateFromPathMatch(pathMatch gatewayapiv1.HTTPPathMatch) Predicate { } if pathMatch.Type != nil { + if *pathMatch.Type == gatewayapiv1.PathMatchExact { + return fmt.Sprintf("request.url_path == '%s'", value) + } if val, ok := PathMatchTypeMap[*pathMatch.Type]; ok { operator = val } } - - return Predicate{ - Selector: "request.url_path", - Operator: operator, - Value: value, - } + return fmt.Sprintf("request.url_path.%s('%s')", operator, value) } -func predicateFromMethod(method gatewayapiv1.HTTPMethod) Predicate { - return Predicate{ - Selector: "request.method", - Operator: PatternOperator(kuadrantv1beta3.EqualOperator), - Value: string(method), - } +func predicateFromMethod(method gatewayapiv1.HTTPMethod) string { + return fmt.Sprintf("request.method == '%s'", string(method)) } -func predicateFromHeader(headerMatch gatewayapiv1.HTTPHeaderMatch) Predicate { +func predicateFromHeader(headerMatch gatewayapiv1.HTTPHeaderMatch) string { // As for gateway api v1, the only operation type with core support is Exact match. // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPHeaderMatch - - return Predicate{ - Selector: kuadrantv1beta3.ContextSelector(fmt.Sprintf("request.headers.%s", headerMatch.Name)), - Operator: PatternOperator(kuadrantv1beta3.EqualOperator), - Value: headerMatch.Value, - } + return fmt.Sprintf("request.headers['%s'] == '%s'", headerMatch.Name, headerMatch.Value) } diff --git a/pkg/wasm/utils_test.go b/pkg/wasm/utils_test.go index 4c0f52744..155963e8c 100644 --- a/pkg/wasm/utils_test.go +++ b/pkg/wasm/utils_test.go 
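Review bot: The new CEL predicates are assembled with `fmt.Sprintf` by splicing `value`, `headerMatch.Name` and `headerMatch.Value` between bare single quotes, with no escaping of `'` or `\`, so any HTTPRoute match value containing a quote produces a malformed expression, and a value such as `x' && false && '' == '` yields a syntactically valid predicate that is always false, which would let an HTTPRoute author make the rule's auth or rate-limit action set never fire for a request they also control (Gateway API permits `'` in header names and, as far as I can tell, in regex and header values). The values should be emitted as properly escaped string literals; `strconv.Quote` produces a double-quoted literal whose escapes are valid CEL, so the three returns become `return fmt.Sprintf("request.url_path == %s", strconv.Quote(value))`, `return fmt.Sprintf("request.url_path.%s(%s)", operator, strconv.Quote(value))` and `return fmt.Sprintf("request.headers[%s] == %s", strconv.Quote(string(headerMatch.Name)), strconv.Quote(headerMatch.Value))`, with `strconv` added to the imports and the `'/'`-style expectations in the tests updated to double quotes. Method names are enum-validated by the API, so `predicateFromMethod` is safe as written. Note that `predicateFromPathMatch` begins before this hunk, so the `value` assignment being quoted here is not visible.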
@@ -31,19 +31,15 @@ var ( Name: "5755da0b3c275ba6b8f553890eb32b04768a703b60ab9a5d7f4e0948e23ef0ab", RouteRuleConditions: RouteRuleConditions{ Hostnames: []string{"other.example.com"}, - Matches: []Predicate{ - { - Selector: "request.url_path", - Operator: "startswith", - Value: "/", - }, + Predicates: []string{ + "request.url_path.startsWith('/')", }, }, Actions: []Action{ { ServiceName: "ratelimit-service", Scope: "default/other", - Conditions: []Predicate{ + Conditions: []Condition{ { Selector: "source.address", Operator: "neq", @@ -67,17 +63,9 @@ var ( Name: "21cb3adc608c09a360d62a03fd1afd7cc6f8720999a51d7916927fff26a34ef8", RouteRuleConditions: RouteRuleConditions{ Hostnames: []string{"*"}, - Matches: []Predicate{ - { - Selector: "request.method", - Operator: "eq", - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: "startswith", - Value: "/", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/')", }, }, Actions: []Action{ @@ -102,7 +90,7 @@ var ( { ServiceName: "ratelimit-service", Scope: "default/toystore", - Conditions: []Predicate{ + Conditions: []Condition{ { Selector: "source.address", Operator: "neq", 
@@ -124,7 +112,7 @@ var ( }, }, } - testBasicConfigJSON = `{"services":{"auth-service":{"endpoint":"kuadrant-auth-service","type":"auth","failureMode":"deny"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","type":"ratelimit","failureMode":"allow"}},"actionSets":[{"name":"5755da0b3c275ba6b8f553890eb32b04768a703b60ab9a5d7f4e0948e23ef0ab","routeRuleConditions":{"hostnames":["other.example.com"],"matches":[{"operator":"startswith","selector":"request.url_path","value":"/"}]},"actions":[{"service":"ratelimit-service","scope":"default/other","conditions":[{"operator":"neq","selector":"source.address","value":"127.0.0.1"}],"data":[{"static":{"key":"limit.global__f63bec56","value":"1"}}]}]},{"name":"21cb3adc608c09a360d62a03fd1afd7cc6f8720999a51d7916927fff26a34ef8","routeRuleConditions":{"hostnames":["*"],"matches":[{"operator":"eq","selector":"request.method","value":"GET"},{"operator":"startswith","selector":"request.url_path","value":"/"}]},"actions":[{"service":"auth-service","scope":"e2db39952dd3bc72e152330a2eb15abbd9675c7ac6b54a1a292f07f25f09f138"},{"service":"ratelimit-service","scope":"default/toystore","data":[{"static":{"key":"limit.specific__69ea4d2d","value":"1"}}]},{"service":"ratelimit-service","scope":"default/toystore","conditions":[{"operator":"neq","selector":"source.address","value":"127.0.0.1"}],"data":[{"static":{"key":"limit.global__f63bec56","value":"1"}}]}]}]}` + testBasicConfigJSON = 
`{"services":{"auth-service":{"endpoint":"kuadrant-auth-service","type":"auth","failureMode":"deny"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","type":"ratelimit","failureMode":"allow"}},"actionSets":[{"name":"5755da0b3c275ba6b8f553890eb32b04768a703b60ab9a5d7f4e0948e23ef0ab","routeRuleConditions":{"hostnames":["other.example.com"],"predicates":["request.url_path.startsWith('/')"]},"actions":[{"service":"ratelimit-service","scope":"default/other","conditions":[{"operator":"neq","selector":"source.address","value":"127.0.0.1"}],"data":[{"static":{"key":"limit.global__f63bec56","value":"1"}}]}]},{"name":"21cb3adc608c09a360d62a03fd1afd7cc6f8720999a51d7916927fff26a34ef8","routeRuleConditions":{"hostnames":["*"],"predicates":["request.method == 'GET'","request.url_path.startsWith('/')"]},"actions":[{"service":"auth-service","scope":"e2db39952dd3bc72e152330a2eb15abbd9675c7ac6b54a1a292f07f25f09f138"},{"service":"ratelimit-service","scope":"default/toystore","data":[{"static":{"key":"limit.specific__69ea4d2d","value":"1"}}]},{"service":"ratelimit-service","scope":"default/toystore","conditions":[{"operator":"neq","selector":"source.address","value":"127.0.0.1"}],"data":[{"static":{"key":"limit.global__f63bec56","value":"1"}}]}]}]}` testBasicConfigYAML = ` services: auth-service: @@ -140,10 +128,8 @@ actionSets: routeRuleConditions: hostnames: - other.example.com - matches: - - operator: startswith - selector: request.url_path - value: / + predicates: + - request.url_path.startsWith('/') actions: - service: ratelimit-service scope: default/other @@ -159,13 +145,9 @@ actionSets: routeRuleConditions: hostnames: - "*" - matches: - - operator: eq - selector: request.method - value: GET - - operator: startswith - selector: request.url_path - value: / + predicates: + - request.method == 'GET' + - request.url_path.startsWith('/') actions: - service: auth-service scope: e2db39952dd3bc72e152330a2eb15abbd9675c7ac6b54a1a292f07f25f09f138 
diff --git a/tests/common/authpolicy/authpolicy_controller_test.go b/tests/common/authpolicy/authpolicy_controller_test.go index 31a8f317d..2be5f51bd 100644 --- a/tests/common/authpolicy/authpolicy_controller_test.go +++ b/tests/common/authpolicy/authpolicy_controller_test.go @@ -12,7 +12,7 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" - authorinov1beta2 "github.com/kuadrant/authorino/api/v1beta2" + authorinov1beta3 "github.com/kuadrant/authorino/api/v1beta3" "github.com/kuadrant/policy-machinery/machinery" apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/meta" @@ -58,7 +58,7 @@ var _ = Describe("AuthPolicy controller", func() { return types.NamespacedName{Name: authConfigName, Namespace: kuadrantInstallationNS} } - fetchReadyAuthConfig := func(ctx context.Context, httpRoute *gatewayapiv1.HTTPRoute, httpRouteRuleIndex int, authConfig *authorinov1beta2.AuthConfig) func() bool { + fetchReadyAuthConfig := func(ctx context.Context, httpRoute *gatewayapiv1.HTTPRoute, httpRouteRuleIndex int, authConfig *authorinov1beta3.AuthConfig) func() bool { authConfigKey := authConfigKeyForPath(httpRoute, httpRouteRuleIndex) return func() bool { err := k8sClient.Get(ctx, authConfigKey, authConfig) @@ -149,7 +149,7 @@ var _ = Describe("AuthPolicy controller", func() { Eventually(tests.IsAuthPolicyAcceptedAndEnforced(ctx, testClient(), policy)).WithContext(ctx).Should(BeTrue()) // check authorino authconfig - authConfig := &authorinov1beta2.AuthConfig{} + authConfig := &authorinov1beta3.AuthConfig{} Eventually(fetchReadyAuthConfig(ctx, httpRoute, 0, authConfig)).WithContext(ctx).Should(BeTrue()) Expect(authConfig.Spec.Authentication).To(HaveLen(1)) Expect(authConfig.Spec.Authentication).To(HaveKeyWithValue("apiKey", policy.Spec.Proper().AuthScheme.Authentication["apiKey"].AuthenticationSpec)) 
@@ -161,7 +161,7 @@ var _ = Describe("AuthPolicy controller", func() { Eventually(tests.RouteIsAccepted(ctx, k8sClient, client.ObjectKeyFromObject(otherHTTPRoute))).WithContext(ctx).Should(BeTrue()) // check authorino other authconfig - otherAuthConfig := &authorinov1beta2.AuthConfig{} + otherAuthConfig := &authorinov1beta3.AuthConfig{} Eventually(fetchReadyAuthConfig(ctx, otherHTTPRoute, 0, otherAuthConfig)).WithContext(ctx).Should(BeTrue()) Expect(otherAuthConfig.Spec.Authentication).To(HaveLen(1)) Expect(otherAuthConfig.Spec.Authentication).To(HaveKeyWithValue("apiKey", policy.Spec.Proper().AuthScheme.Authentication["apiKey"].AuthenticationSpec)) @@ -178,7 +178,7 @@ var _ = Describe("AuthPolicy controller", func() { Eventually(tests.IsAuthPolicyAcceptedAndEnforced(ctx, testClient(), policy)).WithContext(ctx).Should(BeTrue()) // check authorino authconfig - authConfig := &authorinov1beta2.AuthConfig{} + authConfig := &authorinov1beta3.AuthConfig{} Eventually(fetchReadyAuthConfig(ctx, httpRoute, 0, authConfig)).WithContext(ctx).Should(BeTrue()) Expect(authConfig.Spec.Authentication).To(HaveLen(1)) Expect(authConfig.Spec.Authentication).To(HaveKeyWithValue("apiKey", policy.Spec.Proper().AuthScheme.Authentication["apiKey"].AuthenticationSpec)) 
@@ -217,12 +217,12 @@ var _ = Describe("AuthPolicy controller", func() { Eventually(tests.IsAuthPolicyAcceptedAndEnforced(ctx, testClient(), gwPolicy)).WithContext(ctx).Should(BeTrue()) // check authorino authconfig - authConfig := &authorinov1beta2.AuthConfig{} + authConfig := &authorinov1beta3.AuthConfig{} Eventually(fetchReadyAuthConfig(ctx, httpRoute, 0, authConfig)).WithContext(ctx).Should(BeTrue()) Expect(authConfig.Spec.Authentication).To(HaveLen(1)) Expect(authConfig.Spec.Authentication).To(HaveKeyWithValue("apiKey", routePolicy.Spec.Proper().AuthScheme.Authentication["apiKey"].AuthenticationSpec)) - otherAuthConfig := &authorinov1beta2.AuthConfig{} + otherAuthConfig := &authorinov1beta3.AuthConfig{} Eventually(fetchReadyAuthConfig(ctx, otherRoute, 0, otherAuthConfig)).WithContext(ctx).Should(BeTrue()) Expect(otherAuthConfig.Spec.Authentication).To(HaveLen(1)) Expect(otherAuthConfig.Spec.Authentication).To(HaveKeyWithValue("apiKey", gwPolicy.Spec.Proper().AuthScheme.Authentication["apiKey"].AuthenticationSpec)) @@ -245,7 +245,7 @@ var _ = Describe("AuthPolicy controller", func() { // check authorino authconfig authConfigKey := authConfigKeyForPath(httpRoute, 0) Eventually(func() bool { - err := k8sClient.Get(ctx, authConfigKey, &authorinov1beta2.AuthConfig{}) + err := k8sClient.Get(ctx, authConfigKey, &authorinov1beta3.AuthConfig{}) return apierrors.IsNotFound(err) }).WithContext(ctx).Should(BeTrue()) }, testTimeOut) 
@@ -254,19 +254,19 @@ var _ = Describe("AuthPolicy controller", func() { policy := policyFactory(func(policy *kuadrantv1beta3.AuthPolicy) { policy.Spec.Proper().NamedPatterns = map[string]kuadrantv1beta3.MergeablePatternExpressions{ "internal-source": { - PatternExpressions: []authorinov1beta2.PatternExpression{ + PatternExpressions: []authorinov1beta3.PatternExpression{ { Selector: "source.ip", - Operator: authorinov1beta2.PatternExpressionOperator("matches"), + Operator: authorinov1beta3.PatternExpressionOperator("matches"), Value: `192\.168\..*`, }, }, }, "authz-and-rl-required": { - PatternExpressions: []authorinov1beta2.PatternExpression{ + PatternExpressions: []authorinov1beta3.PatternExpression{ { Selector: "source.ip", - Operator: authorinov1beta2.PatternExpressionOperator("neq"), + Operator: authorinov1beta3.PatternExpressionOperator("neq"), Value: "192.168.0.10", }, }, @@ -274,8 +274,8 @@ var _ = Describe("AuthPolicy controller", func() { } policy.Spec.Proper().Conditions = []kuadrantv1beta3.MergeablePatternExpressionOrRef{ { - PatternExpressionOrRef: authorinov1beta2.PatternExpressionOrRef{ - PatternRef: authorinov1beta2.PatternRef{ + PatternExpressionOrRef: authorinov1beta3.PatternExpressionOrRef{ + PatternRef: authorinov1beta3.PatternRef{ Name: "internal-source", }, }, 
@@ -284,11 +284,11 @@ var _ = Describe("AuthPolicy controller", func() { policy.Spec.Proper().AuthScheme = &kuadrantv1beta3.AuthSchemeSpec{ Authentication: map[string]kuadrantv1beta3.MergeableAuthenticationSpec{ "jwt": { - AuthenticationSpec: authorinov1beta2.AuthenticationSpec{ - CommonEvaluatorSpec: authorinov1beta2.CommonEvaluatorSpec{ - Conditions: []authorinov1beta2.PatternExpressionOrRef{ + AuthenticationSpec: authorinov1beta3.AuthenticationSpec{ + CommonEvaluatorSpec: authorinov1beta3.CommonEvaluatorSpec{ + Conditions: []authorinov1beta3.PatternExpressionOrRef{ { - PatternExpression: authorinov1beta2.PatternExpression{ + PatternExpression: authorinov1beta3.PatternExpression{ Selector: `filter_metadata.envoy\.filters\.http\.jwt_authn|verified_jwt`, Operator: "neq", Value: "", @@ -296,8 +296,8 @@ var _ = Describe("AuthPolicy controller", func() { }, }, }, - AuthenticationMethodSpec: authorinov1beta2.AuthenticationMethodSpec{ - Plain: &authorinov1beta2.PlainIdentitySpec{ + AuthenticationMethodSpec: authorinov1beta3.AuthenticationMethodSpec{ + Plain: &authorinov1beta3.PlainIdentitySpec{ Selector: `filter_metadata.envoy\.filters\.http\.jwt_authn|verified_jwt`, }, }, 
@@ -306,20 +306,20 @@ var _ = Describe("AuthPolicy controller", func() { }, Metadata: map[string]kuadrantv1beta3.MergeableMetadataSpec{ "user-groups": { - MetadataSpec: authorinov1beta2.MetadataSpec{ - CommonEvaluatorSpec: authorinov1beta2.CommonEvaluatorSpec{ - Conditions: []authorinov1beta2.PatternExpressionOrRef{ + MetadataSpec: authorinov1beta3.MetadataSpec{ + CommonEvaluatorSpec: authorinov1beta3.CommonEvaluatorSpec{ + Conditions: []authorinov1beta3.PatternExpressionOrRef{ { - PatternExpression: authorinov1beta2.PatternExpression{ + PatternExpression: authorinov1beta3.PatternExpression{ Selector: "auth.identity.admin", - Operator: authorinov1beta2.PatternExpressionOperator("neq"), + Operator: authorinov1beta3.PatternExpressionOperator("neq"), Value: "true", }, }, }, }, - MetadataMethodSpec: authorinov1beta2.MetadataMethodSpec{ - Http: &authorinov1beta2.HttpEndpointSpec{ + MetadataMethodSpec: authorinov1beta3.MetadataMethodSpec{ + Http: &authorinov1beta3.HttpEndpointSpec{ Url: "http://user-groups/username={auth.identity.username}", }, }, 
@@ -328,35 +328,35 @@ var _ = Describe("AuthPolicy controller", func() { }, Authorization: map[string]kuadrantv1beta3.MergeableAuthorizationSpec{ "admin-or-privileged": { - AuthorizationSpec: authorinov1beta2.AuthorizationSpec{ - CommonEvaluatorSpec: authorinov1beta2.CommonEvaluatorSpec{ - Conditions: []authorinov1beta2.PatternExpressionOrRef{ + AuthorizationSpec: authorinov1beta3.AuthorizationSpec{ + CommonEvaluatorSpec: authorinov1beta3.CommonEvaluatorSpec{ + Conditions: []authorinov1beta3.PatternExpressionOrRef{ { - PatternRef: authorinov1beta2.PatternRef{ + PatternRef: authorinov1beta3.PatternRef{ Name: "authz-and-rl-required", }, }, }, }, - AuthorizationMethodSpec: authorinov1beta2.AuthorizationMethodSpec{ - PatternMatching: &authorinov1beta2.PatternMatchingAuthorizationSpec{ - Patterns: []authorinov1beta2.PatternExpressionOrRef{ + AuthorizationMethodSpec: authorinov1beta3.AuthorizationMethodSpec{ + PatternMatching: &authorinov1beta3.PatternMatchingAuthorizationSpec{ + Patterns: []authorinov1beta3.PatternExpressionOrRef{ { - Any: []authorinov1beta2.UnstructuredPatternExpressionOrRef{ + Any: []authorinov1beta3.UnstructuredPatternExpressionOrRef{ { - PatternExpressionOrRef: authorinov1beta2.PatternExpressionOrRef{ - PatternExpression: authorinov1beta2.PatternExpression{ + PatternExpressionOrRef: authorinov1beta3.PatternExpressionOrRef{ + PatternExpression: authorinov1beta3.PatternExpression{ Selector: "auth.identity.admin", - Operator: authorinov1beta2.PatternExpressionOperator("eq"), + Operator: authorinov1beta3.PatternExpressionOperator("eq"), Value: "true", }, }, }, { - PatternExpressionOrRef: authorinov1beta2.PatternExpressionOrRef{ - PatternExpression: authorinov1beta2.PatternExpression{ + PatternExpressionOrRef: authorinov1beta3.PatternExpressionOrRef{ + PatternExpression: authorinov1beta3.PatternExpression{ Selector: "auth.metadata.user-groups", - Operator: authorinov1beta2.PatternExpressionOperator("incl"), + Operator: 
authorinov1beta3.PatternExpressionOperator("incl"), Value: "privileged", }, }, @@ -371,15 +371,15 @@ var _ = Describe("AuthPolicy controller", func() { }, Response: &kuadrantv1beta3.MergeableResponseSpec{ Unauthenticated: &kuadrantv1beta3.MergeableDenyWithSpec{ - DenyWithSpec: authorinov1beta2.DenyWithSpec{ - Message: &authorinov1beta2.ValueOrSelector{ + DenyWithSpec: authorinov1beta3.DenyWithSpec{ + Message: &authorinov1beta3.ValueOrSelector{ Value: k8sruntime.RawExtension{Raw: []byte(`"Missing verified JWT injected by the gateway"`)}, }, }, }, Unauthorized: &kuadrantv1beta3.MergeableDenyWithSpec{ - DenyWithSpec: authorinov1beta2.DenyWithSpec{ - Message: &authorinov1beta2.ValueOrSelector{ + DenyWithSpec: authorinov1beta3.DenyWithSpec{ + Message: &authorinov1beta3.ValueOrSelector{ Value: k8sruntime.RawExtension{Raw: []byte(`"User must be admin or member of privileged group"`)}, }, }, 
@@ -387,21 +387,21 @@ var _ = Describe("AuthPolicy controller", func() { Success: kuadrantv1beta3.MergeableWrappedSuccessResponseSpec{ Headers: map[string]kuadrantv1beta3.MergeableHeaderSuccessResponseSpec{ "x-username": { - HeaderSuccessResponseSpec: authorinov1beta2.HeaderSuccessResponseSpec{ - SuccessResponseSpec: authorinov1beta2.SuccessResponseSpec{ - CommonEvaluatorSpec: authorinov1beta2.CommonEvaluatorSpec{ - Conditions: []authorinov1beta2.PatternExpressionOrRef{ + HeaderSuccessResponseSpec: authorinov1beta3.HeaderSuccessResponseSpec{ + SuccessResponseSpec: authorinov1beta3.SuccessResponseSpec{ + CommonEvaluatorSpec: authorinov1beta3.CommonEvaluatorSpec{ + Conditions: []authorinov1beta3.PatternExpressionOrRef{ { - PatternExpression: authorinov1beta2.PatternExpression{ + PatternExpression: authorinov1beta3.PatternExpression{ Selector: "request.headers.x-propagate-username.@case:lower", - Operator: authorinov1beta2.PatternExpressionOperator("matches"), + Operator: authorinov1beta3.PatternExpressionOperator("matches"), Value: "1|yes|true", }, }, }, }, - AuthResponseMethodSpec: authorinov1beta2.AuthResponseMethodSpec{ - Plain: &authorinov1beta2.PlainAuthResponseSpec{ + AuthResponseMethodSpec: authorinov1beta3.AuthResponseMethodSpec{ + Plain: &authorinov1beta3.PlainAuthResponseSpec{ Selector: "auth.identity.username", }, }, 
@@ -411,19 +411,19 @@ var _ = Describe("AuthPolicy controller", func() { }, DynamicMetadata: map[string]kuadrantv1beta3.MergeableSuccessResponseSpec{ "x-auth-data": { - SuccessResponseSpec: authorinov1beta2.SuccessResponseSpec{ - CommonEvaluatorSpec: authorinov1beta2.CommonEvaluatorSpec{ - Conditions: []authorinov1beta2.PatternExpressionOrRef{ + SuccessResponseSpec: authorinov1beta3.SuccessResponseSpec{ + CommonEvaluatorSpec: authorinov1beta3.CommonEvaluatorSpec{ + Conditions: []authorinov1beta3.PatternExpressionOrRef{ { - PatternRef: authorinov1beta2.PatternRef{ + PatternRef: authorinov1beta3.PatternRef{ Name: "authz-and-rl-required", }, }, }, }, - AuthResponseMethodSpec: authorinov1beta2.AuthResponseMethodSpec{ - Json: &authorinov1beta2.JsonAuthResponseSpec{ - Properties: authorinov1beta2.NamedValuesOrSelectors{ + AuthResponseMethodSpec: authorinov1beta3.AuthResponseMethodSpec{ + Json: &authorinov1beta3.JsonAuthResponseSpec{ + Properties: authorinov1beta3.NamedValuesOrSelectors{ "username": { Selector: "auth.identity.username", }, 
@@ -440,29 +440,29 @@ var _ = Describe("AuthPolicy controller", func() { }, Callbacks: map[string]kuadrantv1beta3.MergeableCallbackSpec{ "unauthorized-attempt": { - CallbackSpec: authorinov1beta2.CallbackSpec{ - CommonEvaluatorSpec: authorinov1beta2.CommonEvaluatorSpec{ - Conditions: []authorinov1beta2.PatternExpressionOrRef{ + CallbackSpec: authorinov1beta3.CallbackSpec{ + CommonEvaluatorSpec: authorinov1beta3.CommonEvaluatorSpec{ + Conditions: []authorinov1beta3.PatternExpressionOrRef{ { - PatternRef: authorinov1beta2.PatternRef{ + PatternRef: authorinov1beta3.PatternRef{ Name: "authz-and-rl-required", }, }, { - PatternExpression: authorinov1beta2.PatternExpression{ + PatternExpression: authorinov1beta3.PatternExpression{ Selector: "auth.authorization.admin-or-privileged", - Operator: authorinov1beta2.PatternExpressionOperator("neq"), + Operator: authorinov1beta3.PatternExpressionOperator("neq"), Value: "true", }, }, }, }, - CallbackMethodSpec: authorinov1beta2.CallbackMethodSpec{ - Http: &authorinov1beta2.HttpEndpointSpec{ + CallbackMethodSpec: authorinov1beta3.CallbackMethodSpec{ + Http: &authorinov1beta3.HttpEndpointSpec{ Url: "http://events/unauthorized", - Method: ptr.To(authorinov1beta2.HttpMethod("POST")), - ContentType: authorinov1beta2.HttpContentType("application/json"), - Body: &authorinov1beta2.ValueOrSelector{ + Method: ptr.To(authorinov1beta3.HttpMethod("POST")), + ContentType: authorinov1beta3.HttpContentType("application/json"), + Body: &authorinov1beta3.ValueOrSelector{ Selector: `\{"identity":{auth.identity},"request-id":{request.id}\}`, }, }, 
@@ -481,7 +481,7 @@ var _ = Describe("AuthPolicy controller", func() { Eventually(tests.IsAuthPolicyAcceptedAndEnforced(ctx, testClient(), policy)).WithContext(ctx).Should(BeTrue()) // check authorino authconfig - authConfig := &authorinov1beta2.AuthConfig{} + authConfig := &authorinov1beta3.AuthConfig{} Eventually(fetchReadyAuthConfig(ctx, httpRoute, 0, authConfig)).WithContext(ctx).Should(BeTrue()) authConfigSpecAsJSON, _ := json.Marshal(authConfig.Spec) Expect(string(authConfigSpecAsJSON)).To(Equal(fmt.Sprintf(`{"hosts":["%s"],"patterns":{"authz-and-rl-required":[{"selector":"source.ip","operator":"neq","value":"192.168.0.10"}],"internal-source":[{"selector":"source.ip","operator":"matches","value":"192\\.168\\..*"}]},"when":[{"patternRef":"internal-source"}],"authentication":{"jwt":{"when":[{"selector":"filter_metadata.envoy\\.filters\\.http\\.jwt_authn|verified_jwt","operator":"neq"}],"credentials":{},"plain":{"selector":"filter_metadata.envoy\\.filters\\.http\\.jwt_authn|verified_jwt"}}},"metadata":{"user-groups":{"when":[{"selector":"auth.identity.admin","operator":"neq","value":"true"}],"http":{"url":"http://user-groups/username={auth.identity.username}","method":"GET","contentType":"application/x-www-form-urlencoded","credentials":{}}}},"authorization":{"admin-or-privileged":{"when":[{"patternRef":"authz-and-rl-required"}],"patternMatching":{"patterns":[{"any":[{"selector":"auth.identity.admin","operator":"eq","value":"true"},{"selector":"auth.metadata.user-groups","operator":"incl","value":"privileged"}]}]}}},"response":{"unauthenticated":{"message":{"value":"Missing verified JWT injected by the gateway"}},"unauthorized":{"message":{"value":"User must be admin or member of privileged 
group"}},"success":{"headers":{"x-username":{"when":[{"selector":"request.headers.x-propagate-username.@case:lower","operator":"matches","value":"1|yes|true"}],"plain":{"value":null,"selector":"auth.identity.username"}}},"dynamicMetadata":{"x-auth-data":{"when":[{"patternRef":"authz-and-rl-required"}],"json":{"properties":{"groups":{"value":null,"selector":"auth.metadata.user-groups"},"username":{"value":null,"selector":"auth.identity.username"}}}}}}},"callbacks":{"unauthorized-attempt":{"when":[{"patternRef":"authz-and-rl-required"},{"selector":"auth.authorization.admin-or-privileged","operator":"neq","value":"true"}],"http":{"url":"http://events/unauthorized","method":"POST","body":{"value":null,"selector":"\\{\"identity\":{auth.identity},\"request-id\":{request.id}\\}"},"contentType":"application/json","credentials":{}}}}}`, authConfig.GetName()))) @@ -524,10 +524,10 @@ var _ = Describe("AuthPolicy controller", func() { Eventually(tests.IsAuthPolicyAcceptedAndEnforced(ctx, testClient(), policy)).WithContext(ctx).Should(BeTrue()) // check authorino authconfigs - authConfigPOST_DELETE_admin := &authorinov1beta2.AuthConfig{} + authConfigPOST_DELETE_admin := &authorinov1beta3.AuthConfig{} Eventually(fetchReadyAuthConfig(ctx, httpRoute, 0, authConfigPOST_DELETE_admin)).WithContext(ctx).Should(BeTrue()) - authConfigGET_private := &authorinov1beta2.AuthConfig{} + authConfigGET_private := &authorinov1beta3.AuthConfig{} Eventually(fetchReadyAuthConfig(ctx, httpRoute, 1, authConfigGET_private)).WithContext(ctx).Should(BeTrue()) }, testTimeOut) }) 
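Review bot: The expected spec JSON on the new side still pins every `when` condition in the legacy `selector`/`operator`/`value` shape, so the switch to `authorinov1beta3.AuthConfig` is verified only for the compatibility form; if v1beta3 conditions also accept a CEL `predicate`, as the commit's "CEL predicates when present" wording suggests, nothing in this suite would catch the operator dropping or mis-serialising one. Rather than growing this exact-match string further, a sibling case whose policy carries a CEL condition and asserts it round-trips into the generated AuthConfig would cover that path. The discarded error in `authConfigSpecAsJSON, _ := json.Marshal(authConfig.Spec)` is tolerable only because a failure surfaces as a mismatch on the next line; `Expect(err).ToNot(HaveOccurred())` would give a clearer failure. The enclosing `It` block starts and ends outside this hunk.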
@@ -626,7 +626,7 @@ var _ = Describe("AuthPolicy controller", func() { Eventually(tests.IsAuthPolicyAcceptedAndEnforced(ctx, testClient(), routePolicy)).WithContext(ctx).Should(BeTrue()) // check authorino authconfig - authConfig := &authorinov1beta2.AuthConfig{} + authConfig := &authorinov1beta3.AuthConfig{} Eventually(fetchReadyAuthConfig(ctx, httpRoute, 0, authConfig)).WithContext(ctx).Should(BeTrue()) Expect(authConfig.Spec.Authentication).To(HaveLen(1)) Expect(authConfig.Spec.Authentication).To(HaveKeyWithValue("apiKey", routePolicy.Spec.Proper().AuthScheme.Authentication["apiKey"].AuthenticationSpec)) @@ -649,7 +649,7 @@ var _ = Describe("AuthPolicy controller", func() { Eventually(assertAcceptedCondTrueAndEnforcedCond(ctx, gwPolicy, metav1.ConditionFalse, string(kuadrant.PolicyReasonOverridden), fmt.Sprintf("AuthPolicy is overridden by [%s]", routePolicyKey.String()))).WithContext(ctx).Should(BeTrue()) // check authorino authconfig - authConfig = &authorinov1beta2.AuthConfig{} + authConfig = &authorinov1beta3.AuthConfig{} Eventually(fetchReadyAuthConfig(ctx, httpRoute, 0, authConfig)).WithContext(ctx).Should(BeTrue()) Expect(authConfig.Spec.Authentication).To(HaveLen(1)) Expect(authConfig.Spec.Authentication).To(HaveKeyWithValue("apiKey", routePolicy.Spec.Proper().AuthScheme.Authentication["apiKey"].AuthenticationSpec)) @@ -976,10 +976,10 @@ var _ = Describe("AuthPolicy CEL Validations", func() { policy.Spec.Defaults = &kuadrantv1beta3.MergeableAuthPolicySpec{} policy.Spec.NamedPatterns = map[string]kuadrantv1beta3.MergeablePatternExpressions{ "internal-source": { - PatternExpressions: []authorinov1beta2.PatternExpression{ + PatternExpressions: []authorinov1beta3.PatternExpression{ { Selector: "source.ip", - Operator: authorinov1beta2.PatternExpressionOperator("matches"), + Operator: authorinov1beta3.PatternExpressionOperator("matches"), Value: `192\.168\..*`, }, }, 
@@ -996,8 +996,8 @@ var _ = Describe("AuthPolicy CEL Validations", func() { policy.Spec.Defaults = &kuadrantv1beta3.MergeableAuthPolicySpec{} policy.Spec.Conditions = []kuadrantv1beta3.MergeablePatternExpressionOrRef{ { - PatternExpressionOrRef: authorinov1beta2.PatternExpressionOrRef{ - PatternRef: authorinov1beta2.PatternRef{ + PatternExpressionOrRef: authorinov1beta3.PatternExpressionOrRef{ + PatternRef: authorinov1beta3.PatternRef{ Name: "internal-source", }, }, diff --git a/tests/common/targetstatus/target_status_controller_test.go b/tests/common/targetstatus/target_status_controller_test.go index 0645764d4..5ca274132 100644 --- a/tests/common/targetstatus/target_status_controller_test.go +++ b/tests/common/targetstatus/target_status_controller_test.go @@ -10,7 +10,7 @@ import ( certmanv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" certmanmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" - authorinoapi "github.com/kuadrant/authorino/api/v1beta2" + authorinoapi "github.com/kuadrant/authorino/api/v1beta3" kuadrantdnsv1alpha1 "github.com/kuadrant/dns-operator/api/v1alpha1" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" diff --git a/tests/commons.go b/tests/commons.go index 53cd7324a..7e57a685b 100644 --- a/tests/commons.go +++ b/tests/commons.go @@ -11,7 +11,7 @@ import ( certmanv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" certmanmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" - authorinoapi "github.com/kuadrant/authorino/api/v1beta2" + authorinoapi "github.com/kuadrant/authorino/api/v1beta3" kuadrantdnsv1alpha1 "github.com/kuadrant/dns-operator/api/v1alpha1" kuadrantdnsbuilder "github.com/kuadrant/dns-operator/pkg/builder" "github.com/kuadrant/kuadrant-operator/pkg/library/kuadrant" diff --git a/tests/envoygateway/extension_reconciler_test.go b/tests/envoygateway/extension_reconciler_test.go index 5ed82c081..2a2424fc2 100644 --- a/tests/envoygateway/extension_reconciler_test.go 
+++ b/tests/envoygateway/extension_reconciler_test.go @@ -184,17 +184,9 @@ var _ = Describe("wasm controller", func() { Name: actionSetName, RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{string(gwRoute.Spec.Hostnames[0])}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toy", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/toy')", }, }, Actions: []wasm.Action{ @@ -356,17 +348,9 @@ var _ = Describe("wasm controller", func() { Name: actionSetName, RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{string(gwRoute.Spec.Hostnames[0])}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toy", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/toy')", }, }, Actions: []wasm.Action{ diff --git a/tests/istio/extension_reconciler_test.go b/tests/istio/extension_reconciler_test.go index 5e54aceb9..3e72e0a53 100644 --- a/tests/istio/extension_reconciler_test.go +++ b/tests/istio/extension_reconciler_test.go 
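Review bot: Every path that reaches a predicate in this hunk is a plain prefix such as `/toy`, so the tests never show what happens when the HTTPRoute path value itself contains a single quote, yet the new form embeds that value inside a single-quoted CEL literal, `request.url_path.startsWith('/toy')`. Gateway API's path validation appears to permit `'` in a PathPrefix/Exact value, so unless the builder escapes it a route like `/it's` would yield a predicate that either fails to parse or matches something other than intended — and for a rate-limit or auth gate that means the action silently does not apply. Add a case with a route whose path contains `'` and assert the escaped expectation, e.g. `"request.url_path.startsWith('/it\\'s')"`, or whatever escaping the builder is meant to produce. The builder lives in `pkg/wasm`, outside this hunk, so whether it escapes today cannot be confirmed from here.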
@@ -163,17 +163,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, "*.example.com"), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{"*.example.com"}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toy", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/toy')", }, }, Actions: []wasm.Action{ @@ -316,19 +308,15 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { pathID := kuadrantv1.PathID(append(basePath, httpRouteRuleAssets)) Expect(actionSet.Name).To(Equal(wasm.ActionSetNameForPath(pathID, 0, "*.toystore.acme.com"))) Expect(actionSet.RouteRuleConditions.Hostnames).To(Equal([]string{"*.toystore.acme.com"})) - Expect(actionSet.RouteRuleConditions.Matches).To(ContainElements( - wasm.Predicate{ - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/assets", - }, + Expect(actionSet.RouteRuleConditions.Predicates).To(ContainElements( + "request.url_path.startsWith('/assets')", )) Expect(actionSet.Actions).To(HaveLen(2)) Expect(actionSet.Actions).To(ContainElements( wasm.Action{ // action to activate the 'users' limit definition ServiceName: wasm.RateLimitServiceName, Scope: controllers.LimitsNamespaceFromRoute(httpRoute), - Conditions: []wasm.Predicate{ + Conditions: []wasm.Condition{ { Selector: "auth.identity.group", Operator: wasm.PatternOperator(kuadrantv1beta3.NotEqualOperator), 
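Review bot: The expectation `request.url_path.startsWith('/toy')` pins a plain string-prefix match, but Gateway API's `PathPrefix` is element-wise: `/toy` should match `/toy` and `/toy/...`, not `/toystore`. If the builder emits exactly what the test pins (the pre-existing `StartsWithOperator` form had the same shape, so this is not new to this commit), the action set for `/toy` also fires for sibling paths, and with `/toys` used elsewhere in this file two rules carrying different limits can overlap in an order-dependent way. Either the builder should emit something like `request.url_path == '/toy' || request.url_path.startsWith('/toy/')` with this expectation updated to match, or a test should document the over-match as accepted behaviour. The predicate string here is only the expected value; the code producing it is outside this hunk.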
@@ -374,24 +362,16 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { pathID = kuadrantv1.PathID(append(basePath, httpRouteRuleToys)) Expect(actionSet.Name).To(Equal(wasm.ActionSetNameForPath(pathID, 0, "*.toystore.acme.com"))) Expect(actionSet.RouteRuleConditions.Hostnames).To(Equal([]string{"*.toystore.acme.com"})) - Expect(actionSet.RouteRuleConditions.Matches).To(ContainElements( - wasm.Predicate{ - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - wasm.Predicate{ - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toys", - }, + Expect(actionSet.RouteRuleConditions.Predicates).To(ContainElements( + "request.method == 'GET'", + "request.url_path.startsWith('/toys')", )) Expect(actionSet.Actions).To(HaveLen(2)) Expect(actionSet.Actions).To(ContainElements( wasm.Action{ // action to activate the 'users' limit definition ServiceName: wasm.RateLimitServiceName, Scope: controllers.LimitsNamespaceFromRoute(httpRoute), - Conditions: []wasm.Predicate{ + Conditions: []wasm.Condition{ { Selector: "auth.identity.group", Operator: wasm.PatternOperator(kuadrantv1beta3.NotEqualOperator), 
@@ -437,24 +417,16 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { pathID = kuadrantv1.PathID(append(basePath, httpRouteRuleToys)) Expect(actionSet.Name).To(Equal(wasm.ActionSetNameForPath(pathID, 1, "*.toystore.acme.com"))) Expect(actionSet.RouteRuleConditions.Hostnames).To(Equal([]string{"*.toystore.acme.com"})) - Expect(actionSet.RouteRuleConditions.Matches).To(ContainElements( - wasm.Predicate{ - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "POST", - }, - wasm.Predicate{ - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toys", - }, + Expect(actionSet.RouteRuleConditions.Predicates).To(ContainElements( + "request.method == 'POST'", + "request.url_path.startsWith('/toys')", )) Expect(actionSet.Actions).To(HaveLen(2)) Expect(actionSet.Actions).To(ContainElements( wasm.Action{ // action to activate the 'users' limit definition ServiceName: wasm.RateLimitServiceName, Scope: controllers.LimitsNamespaceFromRoute(httpRoute), - Conditions: []wasm.Predicate{ + Conditions: []wasm.Condition{ { Selector: "auth.identity.group", Operator: wasm.PatternOperator(kuadrantv1beta3.NotEqualOperator), 
@@ -500,19 +472,15 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { pathID = kuadrantv1.PathID(append(basePath, httpRouteRuleAssets)) Expect(actionSet.Name).To(Equal(wasm.ActionSetNameForPath(pathID, 0, "api.toystore.io"))) Expect(actionSet.RouteRuleConditions.Hostnames).To(Equal([]string{"api.toystore.io"})) - Expect(actionSet.RouteRuleConditions.Matches).To(ContainElements( - wasm.Predicate{ - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/assets", - }, + Expect(actionSet.RouteRuleConditions.Predicates).To(ContainElements( + "request.url_path.startsWith('/assets')", )) Expect(actionSet.Actions).To(HaveLen(2)) Expect(actionSet.Actions).To(ContainElements( wasm.Action{ // action to activate the 'users' limit definition ServiceName: wasm.RateLimitServiceName, Scope: controllers.LimitsNamespaceFromRoute(httpRoute), - Conditions: []wasm.Predicate{ + Conditions: []wasm.Condition{ { Selector: "auth.identity.group", Operator: wasm.PatternOperator(kuadrantv1beta3.NotEqualOperator), 
@@ -558,24 +526,16 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { pathID = kuadrantv1.PathID(append(basePath, httpRouteRuleToys)) Expect(actionSet.Name).To(Equal(wasm.ActionSetNameForPath(pathID, 0, "api.toystore.io"))) Expect(actionSet.RouteRuleConditions.Hostnames).To(Equal([]string{"api.toystore.io"})) - Expect(actionSet.RouteRuleConditions.Matches).To(ContainElements( - wasm.Predicate{ - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - wasm.Predicate{ - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toys", - }, + Expect(actionSet.RouteRuleConditions.Predicates).To(ContainElements( + "request.method == 'GET'", + "request.url_path.startsWith('/toys')", )) Expect(actionSet.Actions).To(HaveLen(2)) Expect(actionSet.Actions).To(ContainElements( wasm.Action{ // action to activate the 'users' limit definition ServiceName: wasm.RateLimitServiceName, Scope: controllers.LimitsNamespaceFromRoute(httpRoute), - Conditions: []wasm.Predicate{ + Conditions: []wasm.Condition{ { Selector: "auth.identity.group", Operator: wasm.PatternOperator(kuadrantv1beta3.NotEqualOperator), 
@@ -621,24 +581,16 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { pathID = kuadrantv1.PathID(append(basePath, httpRouteRuleToys)) Expect(actionSet.Name).To(Equal(wasm.ActionSetNameForPath(pathID, 1, "api.toystore.io"))) Expect(actionSet.RouteRuleConditions.Hostnames).To(Equal([]string{"api.toystore.io"})) - Expect(actionSet.RouteRuleConditions.Matches).To(ContainElements( - wasm.Predicate{ - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "POST", - }, - wasm.Predicate{ - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toys", - }, + Expect(actionSet.RouteRuleConditions.Predicates).To(ContainElements( + "request.method == 'POST'", + "request.url_path.startsWith('/toys')", )) Expect(actionSet.Actions).To(HaveLen(2)) Expect(actionSet.Actions).To(ContainElements( wasm.Action{ // action to activate the 'users' limit definition ServiceName: wasm.RateLimitServiceName, Scope: controllers.LimitsNamespaceFromRoute(httpRoute), - Conditions: []wasm.Predicate{ + Conditions: []wasm.Condition{ { Selector: "auth.identity.group", Operator: wasm.PatternOperator(kuadrantv1beta3.NotEqualOperator), @@ -758,17 +710,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, "*.example.com"), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{"*.example.com"}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toy", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/toy')", }, }, Actions: []wasm.Action{ 
@@ -987,17 +931,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, "*.example.com"), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{"*.example.com"}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toy", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/toy')", }, }, Actions: []wasm.Action{ @@ -1205,17 +1141,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, "*.example.com"), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{"*.example.com"}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toy", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/toy')", }, }, Actions: []wasm.Action{ @@ -1341,17 +1269,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, "*.example.com"), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{"*.example.com"}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toy", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/toy')", }, }, Actions: []wasm.Action{ 
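Review bot: The commit description lists a `PathMatchExact` case, yet every route-rule predicate asserted across these hunks is `startsWith`, so the exact-match branch has no expectation in this file and a regression that turned an `Exact` route into prefix semantics — a strictly wider match for an auth or rate-limit rule — would pass. One of these `It` blocks could put an `Exact` path on the HTTPRoute and pin `"request.url_path == '/toy'"`, assuming that is the form the builder is meant to emit. Each hunk here sits inside a `Describe` body whose boundaries lie outside the hunk.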
@@ -1549,17 +1469,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, "*.a.example.com"), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{"*.a.example.com"}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/routeA", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/routeA')", }, }, Actions: []wasm.Action{ @@ -1648,17 +1560,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, "*.b.example.com"), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{"*.b.example.com"}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/routeB", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/routeB')", }, }, Actions: []wasm.Action{ @@ -1831,17 +1735,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, "*.a.example.com"), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{"*.a.example.com"}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/routeA", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/routeA')", }, }, Actions: []wasm.Action{ 
@@ -1948,17 +1844,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, "*.a.example.com"), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{"*.a.example.com"}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/routeA", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/routeA')", }, }, Actions: []wasm.Action{ @@ -2167,17 +2055,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, "*.a.example.com"), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{"*.a.example.com"}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/routeA", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/routeA')", }, }, Actions: []wasm.Action{ @@ -2281,17 +2161,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, "*.a.example.com"), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{"*.a.example.com"}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/routeA", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/routeA')", }, }, Actions: []wasm.Action{ 
@@ -2315,17 +2187,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID_B, 0, "*.b.example.com"), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{"*.b.example.com"}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/routeB", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/routeB')", }, }, Actions: []wasm.Action{ @@ -2462,17 +2326,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, gwHostname), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{gwHostname}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toy", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/toy')", }, }, Actions: []wasm.Action{ @@ -2546,17 +2402,9 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() { Name: wasm.ActionSetNameForPath(pathID, 0, hostname), RouteRuleConditions: wasm.RouteRuleConditions{ Hostnames: []string{hostname}, - Matches: []wasm.Predicate{ - { - Selector: "request.method", - Operator: wasm.PatternOperator(kuadrantv1beta3.EqualOperator), - Value: "GET", - }, - { - Selector: "request.url_path", - Operator: wasm.PatternOperator(kuadrantv1beta3.StartsWithOperator), - Value: "/toy", - }, + Predicates: []string{ + "request.method == 'GET'", + "request.url_path.startsWith('/toy')", }, }, Actions: []wasm.Action{