Update RLP to use CEL

Signed-off-by: Jakub Smolar <[email protected]>
jsmolar · Nov 11, 2024 · 54cc9e2 · 54cc9e2
1 parent bceda3d
commit 54cc9e2
Show file tree

Hide file tree

Showing 9 changed files with 35 additions and 28 deletions.
diff --git a/testsuite/kuadrant/policy/__init__.py b/testsuite/kuadrant/policy/__init__.py
@@ -1,9 +1,25 @@
 """Contains Base class for policies"""
 
+from dataclasses import dataclass
+
 from testsuite.kubernetes import KubernetesObject
 from testsuite.utils import check_condition
 
 
+@dataclass
+class CelPredicate:
+    """Dataclass that references CEL predicate e.g. auth.identity.anonymous == 'true'"""
+
+    predicate: str
+
+
+@dataclass
+class CelExpression:
+    """Dataclass that references CEL expression"""
+
+    expression: str
+
+
 def has_condition(condition_type, status="True", reason=None, message=None):
     """Returns function, that returns True if the Kubernetes object has a specific value"""
 

diff --git a/testsuite/kuadrant/policy/authorization/sections.py b/testsuite/kuadrant/policy/authorization/sections.py
@@ -232,7 +232,7 @@ def add_success_dynamic(self, name: str, value: SUCCESS_RESPONSE, **common_featu
         This section is for items wrapped as Envoy Dynamic Metadata.
         """
 
-        success_dynamic_metadata = self.section.setdefault("success", {}).setdefault("dynamicMetadata", {})
+        success_dynamic_metadata = self.section.setdefault("success", {}).setdefault("filters", {})
         asdict_value = asdict(value)
         add_common_features(asdict_value, **common_features)
         success_dynamic_metadata.update({name: asdict_value})

diff --git a/testsuite/kuadrant/policy/rate_limit.py b/testsuite/kuadrant/policy/rate_limit.py
@@ -2,13 +2,12 @@
 
 import time
 from dataclasses import dataclass
-from typing import Iterable, Literal
+from typing import Iterable
 
 from testsuite.gateway import Referencable
 from testsuite.kubernetes import modify
 from testsuite.kubernetes.client import KubernetesClient
-from testsuite.kuadrant.policy import Policy
-from testsuite.kuadrant.policy.authorization import Rule
+from testsuite.kuadrant.policy import Policy, CelPredicate, CelExpression
 from testsuite.utils import asdict
 
 
@@ -46,8 +45,8 @@ def add_limit(
         self,
         name,
         limits: Iterable[Limit],
-        when: Iterable[Rule] = None,
-        counters: list[str] = None,
+        when: list[CelPredicate] = None,
+        counters: list[CelExpression] = None,
     ):
         """Add another limit"""
         limit: dict = {
@@ -56,7 +55,7 @@ def add_limit(
         if when:
             limit["when"] = [asdict(rule) for rule in when]
         if counters:
-            limit["counters"] = counters
+            limit["counters"] = [asdict(rule) for rule in counters]
 
         if self.spec_section is None:
             self.spec_section = self.model.spec

diff --git a/testsuite/tests/singlecluster/limitador/method/test_route_subset_method.py b/testsuite/tests/singlecluster/limitador/method/test_route_subset_method.py
@@ -3,7 +3,7 @@
 import pytest
 
 from testsuite.gateway import RouteMatch, PathMatch, MatchType, HTTPMethod
-from testsuite.kuadrant.policy.authorization import Pattern
+from testsuite.kuadrant.policy import CelPredicate
 from testsuite.kuadrant.policy.rate_limit import Limit
 
 
@@ -28,7 +28,7 @@ def route(route, backend):
 @pytest.fixture(scope="module")
 def rate_limit(rate_limit):
     """Add limit to the policy"""
-    when = [Pattern("request.path", "eq", "/anything"), Pattern("request.method", "eq", "GET")]
+    when = [CelPredicate("request.path == '/anything'"), CelPredicate("request.method == 'GET'")]
     rate_limit.add_limit("anything", [Limit(5, "10s")], when=when)
     return rate_limit
 

diff --git a/testsuite/tests/singlecluster/limitador/route/test_limit_targeting_two_rules.py b/testsuite/tests/singlecluster/limitador/route/test_limit_targeting_two_rules.py
@@ -2,7 +2,7 @@
 
 import pytest
 
-from testsuite.kuadrant.policy.authorization import Pattern
+from testsuite.kuadrant.policy import CelPredicate
 from testsuite.kuadrant.policy.rate_limit import Limit
 
 
@@ -12,8 +12,7 @@
 @pytest.fixture(scope="module")
 def rate_limit(rate_limit):
     """Add limit to the policy"""
-    when = Pattern("request.method", "eq", "GET")
-    rate_limit.add_limit("test", [Limit(5, "10s")], when=[when])
+    rate_limit.add_limit("test", [Limit(5, "10s")], when=[CelPredicate("request.method == 'GET'")])
     return rate_limit
 
 

diff --git a/testsuite/tests/singlecluster/limitador/route/test_multiple_same_rule.py b/testsuite/tests/singlecluster/limitador/route/test_multiple_same_rule.py
@@ -2,8 +2,8 @@
 
 import pytest
 
+from testsuite.kuadrant.policy import CelPredicate
 from testsuite.kuadrant.policy.rate_limit import Limit
-from testsuite.kuadrant.policy.authorization import Pattern
 
 
 pytestmark = [pytest.mark.kuadrant_only, pytest.mark.limitador]
@@ -12,7 +12,7 @@
 @pytest.fixture(scope="module")
 def rate_limit(rate_limit):
     """Add limit to the policy"""
-    when = Pattern("request.path", "eq", "/get")
+    when = CelPredicate("request.path == '/get'")
     rate_limit.add_limit("test1", [Limit(8, "10s")], when=[when])
     rate_limit.add_limit("test2", [Limit(3, "5s")], when=[when])
     return rate_limit

diff --git a/testsuite/tests/singlecluster/limitador/route/test_route_rule.py b/testsuite/tests/singlecluster/limitador/route/test_route_rule.py
@@ -2,17 +2,16 @@
 
 import pytest
 
+from testsuite.kuadrant.policy import CelPredicate
 from testsuite.kuadrant.policy.rate_limit import Limit
-from testsuite.kuadrant.policy.authorization import Pattern
 
 pytestmark = [pytest.mark.kuadrant_only, pytest.mark.limitador]
 
 
 @pytest.fixture(scope="module")
 def rate_limit(rate_limit):
     """Add limit to the policy"""
-    when = [Pattern("request.path", "eq", "/get")]
-    rate_limit.add_limit("multiple", [Limit(5, "10s")], when=when)
+    rate_limit.add_limit("multiple", [Limit(5, "10s")], when=[CelPredicate("request.path == '/get'")])
     return rate_limit
 
 

diff --git a/testsuite/tests/singlecluster/test_rate_limit_anonymous.py b/testsuite/tests/singlecluster/test_rate_limit_anonymous.py
@@ -3,7 +3,8 @@
 import pytest
 
 from testsuite.httpx.auth import HttpxOidcClientAuth
-from testsuite.kuadrant.policy.authorization import Pattern, JsonResponse, ValueFrom
+from testsuite.kuadrant.policy import CelPredicate
+from testsuite.kuadrant.policy.authorization import JsonResponse, ValueFrom
 from testsuite.kuadrant.policy.rate_limit import Limit
 
 pytestmark = [pytest.mark.kuadrant_only, pytest.mark.limitador]
@@ -15,13 +16,7 @@ def rate_limit(rate_limit):
     rate_limit.add_limit(
         "basic",
         [Limit(5, "10s")],
-        when=[
-            Pattern(
-                selector=r"metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.anonymous",
-                operator="eq",
-                value='"true"',
-            )
-        ],
+        when=[CelPredicate("auth.identity.anonymous == 'true'")],
     )
     return rate_limit
 

diff --git a/testsuite/tests/singlecluster/test_rate_limit_authz.py b/testsuite/tests/singlecluster/test_rate_limit_authz.py
@@ -3,6 +3,7 @@
 import pytest
 
 from testsuite.httpx.auth import HttpxOidcClientAuth
+from testsuite.kuadrant.policy import CelExpression
 from testsuite.kuadrant.policy.authorization import ValueFrom, JsonResponse
 from testsuite.kuadrant.policy.rate_limit import Limit
 
@@ -13,9 +14,7 @@
 @pytest.fixture(scope="module")
 def rate_limit(rate_limit):
     """Add limit to the policy"""
-    rate_limit.add_limit(
-        "basic", [Limit(5, "60s")], counters=[r"metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.user"]
-    )
+    rate_limit.add_limit("basic", [Limit(5, "60s")], counters=[CelExpression("auth.identity.user")])
     return rate_limit