
Abstracted expressions.Value away somewhat
Signed-off-by: Alex Snaps <[email protected]>
alexsnaps committed Oct 15, 2024
1 parent b1c4cc2 commit 0d0a0a9
Showing 21 changed files with 119 additions and 95 deletions.
47 changes: 24 additions & 23 deletions controllers/auth_config_controller.go
Expand Up @@ -19,6 +19,7 @@ package controllers
import (
"context"
"fmt"
"github.com/kuadrant/authorino/pkg/expressions"
"sort"
"sync"

Expand Down Expand Up @@ -182,13 +183,13 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
for identityCfgName, identity := range authConfigIdentityConfigs {
extendedProperties := make([]evaluators.IdentityExtension, len(identity.Defaults)+len(identity.Overrides))
for propertyName, property := range identity.Defaults {
extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, json.JSONValue{
extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, &json.JSONValue{
Static: property.Value,
Pattern: property.Selector,
}, false))
}
for propertyName, property := range identity.Overrides {
extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, json.JSONValue{
extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, &json.JSONValue{
Static: property.Value,
Pattern: property.Selector,
}, true))
Expand All @@ -212,7 +213,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
ttl = api.EvaluatorDefaultCacheTTL
}
translatedIdentity.Cache = evaluators.NewEvaluatorCache(
*getJsonFromStaticDynamic(&identity.Cache.Key),
getJsonFromStaticDynamic(&identity.Cache.Key),
ttl,
)
}
Expand Down Expand Up @@ -310,7 +311,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
ttl = api.EvaluatorDefaultCacheTTL
}
translatedMetadata.Cache = evaluators.NewEvaluatorCache(
*getJsonFromStaticDynamic(&metadata.Cache.Key),
getJsonFromStaticDynamic(&metadata.Cache.Key),
ttl,
)
}
Expand Down Expand Up @@ -383,7 +384,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
ttl = api.EvaluatorDefaultCacheTTL
}
translatedAuthorization.Cache = evaluators.NewEvaluatorCache(
*getJsonFromStaticDynamic(&authorization.Cache.Key),
getJsonFromStaticDynamic(&authorization.Cache.Key),
ttl,
)
}
Expand Down Expand Up @@ -444,17 +445,17 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
resourceAttributes := authorization.KubernetesSubjectAccessReview.ResourceAttributes
if resourceAttributes != nil {
authorinoResourceAttributes = &authorization_evaluators.KubernetesAuthzResourceAttributes{
Namespace: json.JSONValue{Static: resourceAttributes.Namespace.Value, Pattern: resourceAttributes.Namespace.Selector},
Group: json.JSONValue{Static: resourceAttributes.Group.Value, Pattern: resourceAttributes.Group.Selector},
Resource: json.JSONValue{Static: resourceAttributes.Resource.Value, Pattern: resourceAttributes.Resource.Selector},
Name: json.JSONValue{Static: resourceAttributes.Name.Value, Pattern: resourceAttributes.Name.Selector},
SubResource: json.JSONValue{Static: resourceAttributes.SubResource.Value, Pattern: resourceAttributes.SubResource.Selector},
Verb: json.JSONValue{Static: resourceAttributes.Verb.Value, Pattern: resourceAttributes.Verb.Selector},
Namespace: &json.JSONValue{Static: resourceAttributes.Namespace.Value, Pattern: resourceAttributes.Namespace.Selector},
Group: &json.JSONValue{Static: resourceAttributes.Group.Value, Pattern: resourceAttributes.Group.Selector},
Resource: &json.JSONValue{Static: resourceAttributes.Resource.Value, Pattern: resourceAttributes.Resource.Selector},
Name: &json.JSONValue{Static: resourceAttributes.Name.Value, Pattern: resourceAttributes.Name.Selector},
SubResource: &json.JSONValue{Static: resourceAttributes.SubResource.Value, Pattern: resourceAttributes.SubResource.Selector},
Verb: &json.JSONValue{Static: resourceAttributes.Verb.Value, Pattern: resourceAttributes.Verb.Selector},
}
}

var err error
translatedAuthorization.KubernetesAuthz, err = authorization_evaluators.NewKubernetesAuthz(authorinoUser, authorization.KubernetesSubjectAccessReview.Groups, authorinoResourceAttributes)
translatedAuthorization.KubernetesAuthz, err = authorization_evaluators.NewKubernetesAuthz(&authorinoUser, authorization.KubernetesSubjectAccessReview.Groups, authorinoResourceAttributes)
if err != nil {
return nil, err
}
Expand All @@ -475,7 +476,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
Endpoint: authzed.Endpoint,
Insecure: authzed.Insecure,
SharedSecret: sharedSecret,
Permission: *getJsonFromStaticDynamic(&authzed.Permission),
Permission: getJsonFromStaticDynamic(&authzed.Permission),
}
translatedAuthzed.Subject, translatedAuthzed.SubjectKind = spiceDBObjectToJsonValues(authzed.Subject)
translatedAuthzed.Resource, translatedAuthzed.ResourceKind = spiceDBObjectToJsonValues(authzed.Resource)
Expand Down Expand Up @@ -627,7 +628,7 @@ func injectResponseConfig(ctx context.Context, authConfig *api.AuthConfig, succe
for claimName, claim := range wristband.CustomClaims {
customClaims = append(customClaims, json.JSONProperty{
Name: claimName,
Value: json.JSONValue{
Value: &json.JSONValue{
Static: claim.Value,
Pattern: claim.Selector,
},
Expand All @@ -652,7 +653,7 @@ func injectResponseConfig(ctx context.Context, authConfig *api.AuthConfig, succe
for propertyName, property := range successResponse.Json.Properties {
jsonProperties = append(jsonProperties, json.JSONProperty{
Name: propertyName,
Value: json.JSONValue{
Value: &json.JSONValue{
Static: property.Value,
Pattern: property.Selector,
},
Expand All @@ -664,7 +665,7 @@ func injectResponseConfig(ctx context.Context, authConfig *api.AuthConfig, succe
// plain
case api.PlainAuthResponse:
translatedResponse.Plain = &response_evaluators.Plain{
JSONValue: json.JSONValue{
Value: &json.JSONValue{
Static: successResponse.Plain.Value,
Pattern: successResponse.Plain.Selector,
},
Expand All @@ -683,7 +684,7 @@ func injectCache(cache *api.EvaluatorCaching, translatedResponse *evaluators.Res
ttl = api.EvaluatorDefaultCacheTTL
}
translatedResponse.Cache = evaluators.NewEvaluatorCache(
*getJsonFromStaticDynamic(&cache.Key),
getJsonFromStaticDynamic(&cache.Key),
ttl,
)
}
Expand Down Expand Up @@ -838,7 +839,7 @@ func (r *AuthConfigReconciler) buildGenericHttpEvaluator(ctx context.Context, ht
for name, param := range http.Parameters {
params = append(params, json.JSONProperty{
Name: name,
Value: json.JSONValue{
Value: &json.JSONValue{
Static: param.Value,
Pattern: param.Selector,
},
Expand All @@ -849,7 +850,7 @@ func (r *AuthConfigReconciler) buildGenericHttpEvaluator(ctx context.Context, ht
for name, header := range http.Headers {
headers = append(headers, json.JSONProperty{
Name: name,
Value: json.JSONValue{
Value: &json.JSONValue{
Static: header.Value,
Pattern: header.Selector,
},
Expand Down Expand Up @@ -981,7 +982,7 @@ func buildAuthorinoDenyWithValues(denyWithSpec *api.DenyWithSpec) *evaluators.De

headers := make([]json.JSONProperty, 0, len(denyWithSpec.Headers))
for name, header := range denyWithSpec.Headers {
headers = append(headers, json.JSONProperty{Name: name, Value: json.JSONValue{Static: header.Value, Pattern: header.Selector}})
headers = append(headers, json.JSONProperty{Name: name, Value: &json.JSONValue{Static: header.Value, Pattern: header.Selector}})
}

return &evaluators.DenyWithValues{
Expand All @@ -1003,13 +1004,13 @@ func getJsonFromStaticDynamic(value *api.ValueOrSelector) *json.JSONValue {
}
}

func spiceDBObjectToJsonValues(obj *api.SpiceDBObject) (name json.JSONValue, kind json.JSONValue) {
func spiceDBObjectToJsonValues(obj *api.SpiceDBObject) (name expressions.Value, kind expressions.Value) {
if obj == nil {
return
}

name = *getJsonFromStaticDynamic(&obj.Name)
kind = *getJsonFromStaticDynamic(&obj.Kind)
name = getJsonFromStaticDynamic(&obj.Name)
kind = getJsonFromStaticDynamic(&obj.Kind)

return name, kind
}
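Review bot: `spiceDBObjectToJsonValues` now returns nil interface values when `obj == nil` (the bare `return` with the new `expressions.Value` named results), where it previously returned zero-value `json.JSONValue` structs; those values are stored in `Authzed.Subject`/`SubjectKind`/`Resource`/`ResourceKind`, and `authzedObjectFor` in pkg/evaluators/authorization/authzed.go calls `name.ResolveFor(authJSON)` on them with no nil guard, so an absent SpiceDB object would now panic at request-evaluation time instead of resolving to an empty value. If the API allows `Subject` or `Resource` to be absent (the nil check suggests it does), either keep the old behaviour with `return &json.JSONValue{}, &json.JSONValue{}` in the nil branch, or reject the AuthConfig in `translateAuthConfig` so the failure surfaces at reconcile time. The `jsonValueToStr` closure in pkg/evaluators/authorization/kubernetes_authz.go resolves `expressions.Value` fields the same way without a nil check, although this controller does populate all six `KubernetesAuthzResourceAttributes` fields. `getJsonFromStaticDynamic` returns `*json.JSONValue` and its body is outside the hunk; if it can return a nil pointer, assigning that into an `expressions.Value` produces a non-nil interface holding a typed nil, which a later `!= nil` check would not catch, so that is worth confirming.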
14 changes: 7 additions & 7 deletions pkg/evaluators/authorization/authzed.go
Expand Up @@ -5,7 +5,7 @@ import (
"fmt"

"github.com/kuadrant/authorino/pkg/auth"
"github.com/kuadrant/authorino/pkg/json"
"github.com/kuadrant/authorino/pkg/expressions"
"google.golang.org/grpc"
insecuregrpc "google.golang.org/grpc/credentials/insecure"

Expand All @@ -19,11 +19,11 @@ type Authzed struct {
Insecure bool
SharedSecret string

Subject json.JSONValue
SubjectKind json.JSONValue
Resource json.JSONValue
ResourceKind json.JSONValue
Permission json.JSONValue
Subject expressions.Value
SubjectKind expressions.Value
Resource expressions.Value
ResourceKind expressions.Value
Permission expressions.Value
}

type permissionResponse struct {
Expand Down Expand Up @@ -86,7 +86,7 @@ func (a *Authzed) Call(pipeline auth.AuthPipeline, ctx gocontext.Context) (inter
return obj, nil
}

func authzedObjectFor(name, kind json.JSONValue, authJSON string) (*authzedpb.ObjectReference, error) {
func authzedObjectFor(name, kind expressions.Value, authJSON string) (*authzedpb.ObjectReference, error) {
objectId, err := name.ResolveFor(authJSON)
if err != nil {
return nil, err
20 changes: 10 additions & 10 deletions pkg/evaluators/authorization/authzed_test.go
Expand Up @@ -52,11 +52,11 @@ func TestAuthzedCallAuthorized(t *testing.T) {
Endpoint: testAuthzedServerEndpoint,
Insecure: true,
SharedSecret: "secret",
Subject: json.JSONValue{Static: "1"},
SubjectKind: json.JSONValue{Static: "user"},
Resource: json.JSONValue{Static: "123"},
ResourceKind: json.JSONValue{Static: "post"},
Permission: json.JSONValue{Static: "read"},
Subject: &json.JSONValue{Static: "1"},
SubjectKind: &json.JSONValue{Static: "user"},
Resource: &json.JSONValue{Static: "123"},
ResourceKind: &json.JSONValue{Static: "post"},
Permission: &json.JSONValue{Static: "read"},
}

obj, err := authzed.Call(pipelineMock, ctx)
Expand Down Expand Up @@ -91,11 +91,11 @@ func TestAuthzedCallForbidden(t *testing.T) {
Endpoint: testAuthzedServerEndpoint,
Insecure: true,
SharedSecret: "secret",
Subject: json.JSONValue{Static: "1"},
SubjectKind: json.JSONValue{Static: "user"},
Resource: json.JSONValue{Static: "123"},
ResourceKind: json.JSONValue{Static: "post"},
Permission: json.JSONValue{Static: "read"},
Subject: &json.JSONValue{Static: "1"},
SubjectKind: &json.JSONValue{Static: "user"},
Resource: &json.JSONValue{Static: "123"},
ResourceKind: &json.JSONValue{Static: "post"},
Permission: &json.JSONValue{Static: "read"},
}

obj, err := authzed.Call(pipelineMock, ctx)
20 changes: 10 additions & 10 deletions pkg/evaluators/authorization/kubernetes_authz.go
Expand Up @@ -3,11 +3,11 @@ package authorization
import (
gocontext "context"
"fmt"
"github.com/kuadrant/authorino/pkg/expressions"
"strings"

"github.com/kuadrant/authorino/pkg/auth"
"github.com/kuadrant/authorino/pkg/context"
"github.com/kuadrant/authorino/pkg/json"
"github.com/kuadrant/authorino/pkg/log"

kubeAuthz "k8s.io/api/authorization/v1"
Expand All @@ -21,7 +21,7 @@ type kubernetesSubjectAccessReviewer interface {
SubjectAccessReviews() kubeAuthzClient.SubjectAccessReviewInterface
}

func NewKubernetesAuthz(user json.JSONValue, groups []string, resourceAttributes *KubernetesAuthzResourceAttributes) (*KubernetesAuthz, error) {
func NewKubernetesAuthz(user expressions.Value, groups []string, resourceAttributes *KubernetesAuthzResourceAttributes) (*KubernetesAuthz, error) {
config, err := rest.InClusterConfig()
if err != nil {
return nil, err
Expand All @@ -41,16 +41,16 @@ func NewKubernetesAuthz(user json.JSONValue, groups []string, resourceAttributes
}

type KubernetesAuthzResourceAttributes struct {
Namespace json.JSONValue
Group json.JSONValue
Resource json.JSONValue
Name json.JSONValue
SubResource json.JSONValue
Verb json.JSONValue
Namespace expressions.Value
Group expressions.Value
Resource expressions.Value
Name expressions.Value
SubResource expressions.Value
Verb expressions.Value
}

type KubernetesAuthz struct {
User json.JSONValue
User expressions.Value
Groups []string
ResourceAttributes *KubernetesAuthzResourceAttributes

Expand All @@ -63,7 +63,7 @@ func (k *KubernetesAuthz) Call(pipeline auth.AuthPipeline, ctx gocontext.Context
}

authJSON := pipeline.GetAuthorizationJSON()
jsonValueToStr := func(value json.JSONValue) (string, error) {
jsonValueToStr := func(value expressions.Value) (string, error) {
resolved, err := value.ResolveFor(authJSON)
if err != nil {
return "", err
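Review bot: The new `"github.com/kuadrant/authorino/pkg/expressions"` import is placed inside the standard-library group between `"fmt"` and `"strings"`, while this file already keeps the project's own imports in the separate group below it; goimports would move it next to `"github.com/kuadrant/authorino/pkg/auth"`. The same placement appears in controllers/auth_config_controller.go (between `"fmt"` and `"sort"`) and in pkg/evaluators/authorization/kubernetes_authz_test.go (between `"context"` and `"testing"`), whereas authzed.go and cache.go put it in the project group. A goimports pass before merging fixes all three without touching anything else.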
15 changes: 8 additions & 7 deletions pkg/evaluators/authorization/kubernetes_authz_test.go
Expand Up @@ -2,6 +2,7 @@ package authorization

import (
"context"
"github.com/kuadrant/authorino/pkg/expressions"
"testing"

mock_auth "github.com/kuadrant/authorino/pkg/auth/mocks"
Expand Down Expand Up @@ -58,7 +59,7 @@ func (client *k8sAuthorizationClientMock) GetRequest() kubeAuthz.SubjectAccessRe
return client.request
}

func newKubernetesAuthz(user json.JSONValue, groups []string, resourceAttributes *KubernetesAuthzResourceAttributes, subjectAccessReviewResponseStatus kubeAuthz.SubjectAccessReviewStatus) *KubernetesAuthz {
func newKubernetesAuthz(user expressions.Value, groups []string, resourceAttributes *KubernetesAuthzResourceAttributes, subjectAccessReviewResponseStatus kubeAuthz.SubjectAccessReviewStatus) *KubernetesAuthz {
return &KubernetesAuthz{
User: user,
Groups: groups,
Expand All @@ -80,7 +81,7 @@ func TestKubernetesAuthzNonResource_Allowed(t *testing.T) {
pipelineMock.EXPECT().GetHttp().Return(request)

kubernetesAuth := newKubernetesAuthz(
json.JSONValue{Pattern: "auth.identity.username"},
&json.JSONValue{Pattern: "auth.identity.username"},
[]string{},
nil,
kubeAuthz.SubjectAccessReviewStatus{Allowed: true, Reason: ""},
Expand Down Expand Up @@ -108,7 +109,7 @@ func TestKubernetesAuthzNonResource_Denied(t *testing.T) {
pipelineMock.EXPECT().GetHttp().Return(request)

kubernetesAuth := newKubernetesAuthz(
json.JSONValue{Pattern: "auth.identity.username"},
&json.JSONValue{Pattern: "auth.identity.username"},
[]string{},
nil,
kubeAuthz.SubjectAccessReviewStatus{Allowed: false, Reason: "some-reason"},
Expand All @@ -133,9 +134,9 @@ func TestKubernetesAuthzResource_Allowed(t *testing.T) {
pipelineMock.EXPECT().GetAuthorizationJSON().Return(`{"context":{"request":{"http":{"method":"GET","path":"/hello"}}},"auth":{"identity":{"username":"john"}}}`)

kubernetesAuth := newKubernetesAuthz(
json.JSONValue{Pattern: "auth.identity.username"},
&json.JSONValue{Pattern: "auth.identity.username"},
[]string{},
&KubernetesAuthzResourceAttributes{Namespace: json.JSONValue{Static: "default"}},
&KubernetesAuthzResourceAttributes{Namespace: &json.JSONValue{Static: "default"}},
kubeAuthz.SubjectAccessReviewStatus{Allowed: true, Reason: ""},
)
authorized, err := kubernetesAuth.Call(pipelineMock, context.TODO())
Expand All @@ -157,9 +158,9 @@ func TestKubernetesAuthzResource_Denied(t *testing.T) {
pipelineMock.EXPECT().GetAuthorizationJSON().Return(`{"context":{"request":{"http":{"method":"GET","path":"/hello"}}},"auth":{"identity":{"username":"john"}}}`)

kubernetesAuth := newKubernetesAuthz(
json.JSONValue{Pattern: "auth.identity.username"},
&json.JSONValue{Pattern: "auth.identity.username"},
[]string{},
&KubernetesAuthzResourceAttributes{Namespace: json.JSONValue{Static: "default"}},
&KubernetesAuthzResourceAttributes{Namespace: &json.JSONValue{Static: "default"}},
kubeAuthz.SubjectAccessReviewStatus{Allowed: false, Reason: "some-reason"},
)
authorized, err := kubernetesAuth.Call(pipelineMock, context.TODO())
6 changes: 3 additions & 3 deletions pkg/evaluators/cache.go
Expand Up @@ -4,7 +4,7 @@ import (
gojson "encoding/json"
"time"

"github.com/kuadrant/authorino/pkg/json"
"github.com/kuadrant/authorino/pkg/expressions"

"github.com/coocood/freecache"
gocache "github.com/eko/gocache/cache"
Expand All @@ -20,7 +20,7 @@ type EvaluatorCache interface {
Shutdown() error
}

func NewEvaluatorCache(keyTemplate json.JSONValue, ttl int) EvaluatorCache {
func NewEvaluatorCache(keyTemplate expressions.Value, ttl int) EvaluatorCache {
duration := time.Duration(ttl) * time.Second
cacheClient := freecache.NewCache(EvaluatorCacheSize * 1024 * 1024)
cacheStore := cache_store.NewFreecache(cacheClient, &cache_store.Options{Expiration: duration})
Expand All @@ -33,7 +33,7 @@ func NewEvaluatorCache(keyTemplate json.JSONValue, ttl int) EvaluatorCache {

// evaluatorCache caches JSON values (objects, arrays, strings, etc)
type evaluatorCache struct {
keyTemplate json.JSONValue
keyTemplate expressions.Value
store *gocache.Cache
}

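Review bot: `NewEvaluatorCache` is exported but carries no doc comment, and changing `keyTemplate` to the `expressions.Value` interface is the right moment to state what callers must now guarantee, since the value is stored as-is in `evaluatorCache.keyTemplate`. I would add above the signature `// NewEvaluatorCache returns an EvaluatorCache whose entries expire after ttl seconds; keyTemplate must be non-nil, as it is retained by the cache to build entry keys.` The ttl unit follows from `time.Duration(ttl) * time.Second` in the body; how the template is resolved happens outside this hunk, so adjust the second clause if the key derivation differs.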
5 changes: 3 additions & 2 deletions pkg/evaluators/config.go
Expand Up @@ -6,6 +6,7 @@ import (
"sync"

"github.com/kuadrant/authorino/pkg/auth"
"github.com/kuadrant/authorino/pkg/expressions"
"github.com/kuadrant/authorino/pkg/json"
"github.com/kuadrant/authorino/pkg/jsonexp"

Expand Down Expand Up @@ -74,7 +75,7 @@ type DenyWith struct {

type DenyWithValues struct {
Code int32
Message *json.JSONValue
Message expressions.Value
Headers []json.JSONProperty
Body *json.JSONValue
Body expressions.Value
}
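Review bot: `DenyWithValues.Message` and `Body` change from `*json.JSONValue` to the `expressions.Value` interface, which changes what "unset" looks like: code that fills these from an optional `*json.JSONValue` and later tests `Message != nil` will see a non-nil interface wrapping a nil pointer if the pointer is assigned directly. `buildAuthorinoDenyWithValues` in controllers/auth_config_controller.go populates this struct, but its return statement is cut off in this commit view, so I cannot confirm whether it assigns through `getJsonFromStaticDynamic`; if it does and that helper can return nil, guard the assignment, e.g. `if m := getJsonFromStaticDynamic(&denyWithSpec.<message field>); m != nil { values.Message = m }` (field names are placeholders). A comment on the two fields, `// Message and Body are optional; unset means a nil interface, never a typed-nil pointer.`, would make the invariant explicit for other callers.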
