From 54cc9e237aeeb5566b3159a0d3fc82e63567b519 Mon Sep 17 00:00:00 2001
From: Jakub Smolar
Date: Mon, 11 Nov 2024 16:24:37 +0100
Subject: [PATCH] Update RLP to use CEL

Signed-off-by: Jakub Smolar
---
 testsuite/kuadrant/policy/__init__.py | 16 ++++++++++++++++
 .../kuadrant/policy/authorization/sections.py | 2 +-
 testsuite/kuadrant/policy/rate_limit.py | 11 +++++------
 .../limitador/method/test_route_subset_method.py | 4 ++--
 .../route/test_limit_targeting_two_rules.py | 5 ++---
 .../limitador/route/test_multiple_same_rule.py | 4 ++--
 .../limitador/route/test_route_rule.py | 5 ++---
 .../singlecluster/test_rate_limit_anonymous.py | 11 +++--------
 .../tests/singlecluster/test_rate_limit_authz.py | 5 ++---
 9 files changed, 35 insertions(+), 28 deletions(-)

diff --git a/testsuite/kuadrant/policy/__init__.py b/testsuite/kuadrant/policy/__init__.py
index 0e3f7aa9..8b0c6ccf 100644
--- a/testsuite/kuadrant/policy/__init__.py
+++ b/testsuite/kuadrant/policy/__init__.py
@@ -1,9 +1,25 @@
 """Contains Base class for policies"""
+from dataclasses import dataclass
+
 from testsuite.kubernetes import KubernetesObject
 from testsuite.utils import check_condition
+@dataclass
+class CelPredicate:
+ """Dataclass that references CEL predicate e.g. auth.identity.anonymous == 'true'"""
+
+ predicate: str
+
+
+@dataclass
+class CelExpression:
+ """Dataclass that references CEL expression"""
+
+ expression: str
+
+
 def has_condition(condition_type, status="True", reason=None, message=None):
 """Returns function, that returns True if the Kubernetes object has a specific value"""
diff --git a/testsuite/kuadrant/policy/authorization/sections.py b/testsuite/kuadrant/policy/authorization/sections.py
index 7f158ff0..b35cb145 100644
--- a/testsuite/kuadrant/policy/authorization/sections.py
+++ b/testsuite/kuadrant/policy/authorization/sections.py
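Review bot: In testsuite/kuadrant/policy/__init__.py, the `CelExpression` docstring gives no example, and neither new class says that its field name ends up as a key in the policy. `add_limit` in rate_limit.py serialises these objects with `asdict(...)`, so, assuming the suite's `asdict` keeps dataclass field names, renaming `predicate` or `expression` would change the emitted `when`/`counters` entries. I would extend the docstring to something like `"""CEL expression used as a rate-limit counter, e.g. auth.identity.user; serialised under the key "expression"."""` and add the matching sentence to `CelPredicate`.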
@@ -232,7 +232,7 @@ def add_success_dynamic(self, name: str, value: SUCCESS_RESPONSE, **common_featu
 This section is for items wrapped as Envoy Dynamic Metadata.
 """
- success_dynamic_metadata = self.section.setdefault("success", {}).setdefault("dynamicMetadata", {})
+ success_dynamic_metadata = self.section.setdefault("success", {}).setdefault("filters", {})
 asdict_value = asdict(value)
 add_common_features(asdict_value, **common_features)
 success_dynamic_metadata.update({name: asdict_value})
diff --git a/testsuite/kuadrant/policy/rate_limit.py b/testsuite/kuadrant/policy/rate_limit.py
index 6a62b82c..55102209 100644
--- a/testsuite/kuadrant/policy/rate_limit.py
+++ b/testsuite/kuadrant/policy/rate_limit.py
@@ -2,13 +2,12 @@
 import time
 from dataclasses import dataclass
-from typing import Iterable, Literal
+from typing import Iterable
 from testsuite.gateway import Referencable
 from testsuite.kubernetes import modify
 from testsuite.kubernetes.client import KubernetesClient
-from testsuite.kuadrant.policy import Policy
-from testsuite.kuadrant.policy.authorization import Rule
+from testsuite.kuadrant.policy import Policy, CelPredicate, CelExpression
 from testsuite.utils import asdict
@@ -46,8 +45,8 @@ def add_limit(
 self,
 name,
 limits: Iterable[Limit],
- when: Iterable[Rule] = None,
- counters: list[str] = None,
+ when: list[CelPredicate] = None,
+ counters: list[CelExpression] = None,
 ):
 """Add another limit"""
 limit: dict = {
@@ -56,7 +55,7 @@ def add_limit(
 if when:
 limit["when"] = [asdict(rule) for rule in when]
 if counters:
- limit["counters"] = counters
+ limit["counters"] = [asdict(rule) for rule in counters]
 if self.spec_section is None:
 self.spec_section = self.model.spec
diff --git a/testsuite/tests/singlecluster/limitador/method/test_route_subset_method.py b/testsuite/tests/singlecluster/limitador/method/test_route_subset_method.py
index bca92951..6d5711f5 100644
--- a/testsuite/tests/singlecluster/limitador/method/test_route_subset_method.py
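Review bot: In `add_success_dynamic` (authorization/sections.py) the items are now stored under `filters`, but the local is still named `success_dynamic_metadata` and the docstring line kept as context still describes them as "wrapped as Envoy Dynamic Metadata". The rate-limit tests in this patch appear to consume these values as `auth.identity.*`, so anyone tracing that data back lands on wording that names a key the code no longer writes. I would rename the local, e.g. `success_filters = self.section.setdefault("success", {}).setdefault("filters", {})`, and update the docstring to match. The function starts above the hunk, so the rest of its docstring needs the same check. The commit subject mentions only the RLP, so this AuthPolicy key change deserves a line in the message.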
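Review bot: In `add_limit` (testsuite/kuadrant/policy/rate_limit.py), every `counters` element now goes through `asdict(...)`, so a caller still passing plain selector strings would presumably fail inside that helper rather than with a clear error. Both `when` and `counters` default to `None` while annotated as bare lists, and `when` was narrowed from `Iterable` to `list` although the body only iterates it. I would write `when: Optional[Iterable[CelPredicate]] = None` and `counters: Optional[Iterable[CelExpression]] = None`, adding `Optional` to the `typing` import. The counters comprehension would read better as `[asdict(counter) for counter in counters]`, since these are not rules. The function body continues outside both hunks.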
+++ b/testsuite/tests/singlecluster/limitador/method/test_route_subset_method.py
@@ -3,7 +3,7 @@
 import pytest
 from testsuite.gateway import RouteMatch, PathMatch, MatchType, HTTPMethod
-from testsuite.kuadrant.policy.authorization import Pattern
+from testsuite.kuadrant.policy import CelPredicate
 from testsuite.kuadrant.policy.rate_limit import Limit
@@ -28,7 +28,7 @@ def route(route, backend):
 @pytest.fixture(scope="module")
 def rate_limit(rate_limit):
 """Add limit to the policy"""
- when = [Pattern("request.path", "eq", "/anything"), Pattern("request.method", "eq", "GET")]
+ when = [CelPredicate("request.path == '/anything'"), CelPredicate("request.method == 'GET'")]
 rate_limit.add_limit("anything", [Limit(5, "10s")], when=when)
 return rate_limit
diff --git a/testsuite/tests/singlecluster/limitador/route/test_limit_targeting_two_rules.py b/testsuite/tests/singlecluster/limitador/route/test_limit_targeting_two_rules.py
index ad772b27..35548ff7 100644
--- a/testsuite/tests/singlecluster/limitador/route/test_limit_targeting_two_rules.py
+++ b/testsuite/tests/singlecluster/limitador/route/test_limit_targeting_two_rules.py
@@ -2,7 +2,7 @@
 import pytest
-from testsuite.kuadrant.policy.authorization import Pattern
+from testsuite.kuadrant.policy import CelPredicate
 from testsuite.kuadrant.policy.rate_limit import Limit
@@ -12,8 +12,7 @@
 @pytest.fixture(scope="module")
 def rate_limit(rate_limit):
 """Add limit to the policy"""
- when = Pattern("request.method", "eq", "GET")
- rate_limit.add_limit("test", [Limit(5, "10s")], when=[when])
+ rate_limit.add_limit("test", [Limit(5, "10s")], when=[CelPredicate("request.method == 'GET'")])
 return rate_limit
diff --git a/testsuite/tests/singlecluster/limitador/route/test_multiple_same_rule.py b/testsuite/tests/singlecluster/limitador/route/test_multiple_same_rule.py
index e3cef74f..0796e1bb 100644
--- a/testsuite/tests/singlecluster/limitador/route/test_multiple_same_rule.py
+++ b/testsuite/tests/singlecluster/limitador/route/test_multiple_same_rule.py
@@ -2,8 +2,8 @@
 import pytest
+from testsuite.kuadrant.policy import CelPredicate
 from testsuite.kuadrant.policy.rate_limit import Limit
-from testsuite.kuadrant.policy.authorization import Pattern
 pytestmark = [pytest.mark.kuadrant_only, pytest.mark.limitador]
@@ -12,7 +12,7 @@
 @pytest.fixture(scope="module")
 def rate_limit(rate_limit):
 """Add limit to the policy"""
- when = Pattern("request.path", "eq", "/get")
+ when = CelPredicate("request.path == '/get'")
 rate_limit.add_limit("test1", [Limit(8, "10s")], when=[when])
 rate_limit.add_limit("test2", [Limit(3, "5s")], when=[when])
 return rate_limit
diff --git a/testsuite/tests/singlecluster/limitador/route/test_route_rule.py b/testsuite/tests/singlecluster/limitador/route/test_route_rule.py
index 1e2e8816..f199eb10 100644
--- a/testsuite/tests/singlecluster/limitador/route/test_route_rule.py
+++ b/testsuite/tests/singlecluster/limitador/route/test_route_rule.py
@@ -2,8 +2,8 @@
 import pytest
+from testsuite.kuadrant.policy import CelPredicate
 from testsuite.kuadrant.policy.rate_limit import Limit
-from testsuite.kuadrant.policy.authorization import Pattern
 pytestmark = [pytest.mark.kuadrant_only, pytest.mark.limitador]
@@ -11,8 +11,7 @@
 @pytest.fixture(scope="module")
 def rate_limit(rate_limit):
 """Add limit to the policy"""
- when = [Pattern("request.path", "eq", "/get")]
- rate_limit.add_limit("multiple", [Limit(5, "10s")], when=when)
+ rate_limit.add_limit("multiple", [Limit(5, "10s")], when=[CelPredicate("request.path == '/get'")])
 return rate_limit
diff --git a/testsuite/tests/singlecluster/test_rate_limit_anonymous.py b/testsuite/tests/singlecluster/test_rate_limit_anonymous.py
index c6897b76..7572b05a 100644
--- a/testsuite/tests/singlecluster/test_rate_limit_anonymous.py
+++ b/testsuite/tests/singlecluster/test_rate_limit_anonymous.py
@@ -3,7 +3,8 @@
 import pytest
 from testsuite.httpx.auth import HttpxOidcClientAuth
-from testsuite.kuadrant.policy.authorization import Pattern, JsonResponse, ValueFrom
+from testsuite.kuadrant.policy import CelPredicate
+from testsuite.kuadrant.policy.authorization import JsonResponse, ValueFrom
 from testsuite.kuadrant.policy.rate_limit import Limit
 pytestmark = [pytest.mark.kuadrant_only, pytest.mark.limitador]
@@ -15,13 +16,7 @@ def rate_limit(rate_limit):
 rate_limit.add_limit(
 "basic",
 [Limit(5, "10s")],
- when=[
- Pattern(
- selector=r"metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.anonymous",
- operator="eq",
- value='"true"',
- )
- ],
+ when=[CelPredicate("auth.identity.anonymous == 'true'")],
 )
 return rate_limit
diff --git a/testsuite/tests/singlecluster/test_rate_limit_authz.py b/testsuite/tests/singlecluster/test_rate_limit_authz.py
index 6e91e541..d22aa296 100644
--- a/testsuite/tests/singlecluster/test_rate_limit_authz.py
+++ b/testsuite/tests/singlecluster/test_rate_limit_authz.py
@@ -3,6 +3,7 @@
 import pytest
 from testsuite.httpx.auth import HttpxOidcClientAuth
+from testsuite.kuadrant.policy import CelExpression
 from testsuite.kuadrant.policy.authorization import ValueFrom, JsonResponse
 from testsuite.kuadrant.policy.rate_limit import Limit
@@ -13,9 +14,7 @@
 @pytest.fixture(scope="module")
 def rate_limit(rate_limit):
 """Add limit to the policy"""
- rate_limit.add_limit(
- "basic", [Limit(5, "60s")], counters=[r"metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.user"]
- )
+ rate_limit.add_limit("basic", [Limit(5, "60s")], counters=[CelExpression("auth.identity.user")])
 return rate_limit
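Review bot: In the `rate_limit` fixture of test_rate_limit_anonymous.py, the new predicate compares `auth.identity.anonymous` with the string literal `'true'`, and nothing nearby says why it is a string rather than a boolean. The removed `Pattern` used `value='"true"'`, so the string form looks deliberate. If the AuthPolicy response ever emits a real boolean, though, the predicate would likely stop matching and the limit would silently no longer apply to anonymous requests. A comment beside it would record that dependency, e.g. `# identity.anonymous is emitted as the string "true" by the AuthPolicy success response`. The fixture begins above the hunk.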