diff --git a/controllers/auth_config_controller_test.go b/controllers/auth_config_controller_test.go
index b7e97f3b..bd8bd803 100644
--- a/controllers/auth_config_controller_test.go
+++ b/controllers/auth_config_controller_test.go
@@ -96,7 +96,7 @@ func newTestAuthConfig(authConfigLabels map[string]string) api.AuthConfig {
 Patterns: []api.PatternExpressionOrRef{
 {
 CelPredicate: api.CelPredicate{
- Predicate: "context.identity.role == 'admin'",
+ Predicate: "auth.identity.role == 'admin'",
 },
 },
 },
diff --git a/install/crd/authorino.kuadrant.io_authconfigs.yaml b/install/crd/authorino.kuadrant.io_authconfigs.yaml
index d21dd4eb..6f03a31d 100644
--- a/install/crd/authorino.kuadrant.io_authconfigs.yaml
+++ b/install/crd/authorino.kuadrant.io_authconfigs.yaml
@@ -2313,7 +2313,7 @@ spec:
 type: object
 type: object
 served: true
- storage: true
+ storage: false
 subresources:
 status: {}
 - additionalPrinterColumns:
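Review bot: The fixture now exercises only the new `auth.identity.role` root of the CEL predicate, so nothing in this test pins how an AuthConfig that still references the old `context.identity.role` root is handled — presumably that root is no longer bound, but the hunk does not show it. For an authorization predicate the distinction matters: a policy that no longer compiles should be surfaced as a reconcile/status error rather than silently failing at evaluation time, and a companion case asserting that rejection would protect users migrating existing policies. A short comment on the fixture, `// CEL predicates are rooted at "auth", not "context"`, would also make the intent of the string change visible to the next reader. newTestAuthConfig starts and ends outside the hunk.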
@@ -4721,2308 +4721,6 @@ spec: type: object type: object served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: Ready for all hosts - jsonPath: .status.summary.ready - name: Ready - type: string - - description: Number of hosts ready - jsonPath: .status.summary.numHostsReady - name: Hosts - type: string - - description: Number of trusted identity sources - jsonPath: .status.summary.numIdentitySources - name: Authentication - priority: 2 - type: integer - - description: Number of external metadata sources - jsonPath: .status.summary.numMetadataSources - name: Metadata - priority: 2 - type: integer - - description: Number of authorization policies - jsonPath: .status.summary.numAuthorizationPolicies - name: Authorization - priority: 2 - type: integer - - description: Number of items added to the authorization response - jsonPath: .status.summary.numResponseItems - name: Response - priority: 2 - type: integer - - description: Whether issuing Festival Wristbands - jsonPath: .status.summary.festivalWristbandEnabled - name: Wristband - priority: 2 - type: boolean - name: v1beta3 - schema: - openAPIV3Schema: - description: AuthConfig is the schema for Authorino's AuthConfig API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specifies the desired state of the AuthConfig resource, i.e. - the authencation/authorization scheme to be applied to protect the matching - service hosts. - properties: - authentication: - additionalProperties: - properties: - anonymous: - description: Anonymous access. - type: object - apiKey: - description: Authentication based on API keys stored in Kubernetes - secrets. - properties: - allNamespaces: - default: false - description: |- - Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. - type: boolean - selector: - description: Label selector used by Authorino to match secrets - from the cluster storing valid credentials to authenticate - to this service - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - selector - type: object - cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. - properties: - key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - ttl: - default: 60 - description: Duration (in seconds) of the external data - in the cache before pulled again from the source. - type: integer - required: - - key - type: object - credentials: - description: |- - Defines where credentials are required to be passed in the request for authentication based on this config. - If omitted, it defaults to credentials passed in the HTTP Authorization header and the "Bearer" prefix prepended to the secret credential value. 
- properties: - authorizationHeader: - properties: - prefix: - type: string - type: object - cookie: - properties: - name: - type: string - required: - - name - type: object - customHeader: - properties: - name: - type: string - required: - - name - type: object - queryString: - properties: - name: - type: string - required: - - name - type: object - type: object - defaults: - additionalProperties: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - description: |- - Set default property values (claims) for the resolved identity object, that are set before appending the object to - the authorization JSON. If the property is already present in the resolved identity object, the default value is ignored. - It requires the resolved identity object to always be a JSON object. - Do not use this option with identity objects of other JSON types (array, string, etc). - type: object - jwt: - description: Authentication based on JWT tokens. - properties: - issuerUrl: - description: |- - URL of the issuer of the JWT. - If `jwksUrl` is omitted, Authorino will append the path to the OpenID Connect Well-Known Discovery endpoint - (i.e. "/.well-known/openid-configuration") to this URL, to discover the OIDC configuration where to obtain - the "jkws_uri" claim from. - The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. 
- type: string - ttl: - description: |- - Decides how long to wait before refreshing the JWKS (in seconds). - If omitted, Authorino will never refresh the JWKS. - type: integer - type: object - kubernetesTokenReview: - description: Authentication by Kubernetes token review. - properties: - audiences: - description: |- - The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. - If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. - items: - type: string - type: array - type: object - metrics: - default: false - description: Whether this config should generate individual - observability metrics - type: boolean - oauth2Introspection: - description: Authentication by OAuth2 token introspection. - properties: - credentialsRef: - description: Reference to a Kubernetes secret in the same - namespace, that stores client credentials to the OAuth2 - server. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? - type: string - type: object - x-kubernetes-map-type: atomic - endpoint: - description: The full URL of the token introspection endpoint. - type: string - tokenTypeHint: - description: |- - The token type hint for the token introspection. - If omitted, it defaults to "access_token". - type: string - required: - - credentialsRef - - endpoint - type: object - overrides: - additionalProperties: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
- The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - description: |- - Overrides the resolved identity object by setting the additional properties (claims) specified in this config, - before appending the object to the authorization JSON. - It requires the resolved identity object to always be a JSON object. - Do not use this option with identity objects of other JSON types (array, string, etc). - type: object - plain: - description: |- - Identity object extracted from the context. - Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - required: - - selector - type: object - priority: - default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. - type: integer - when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. - items: - properties: - all: - description: A list of pattern expressions to be evaluated - as a logical AND. 
- items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - any: - description: A list of pattern expressions to be evaluated - as a logical OR. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Reference to a named set of pattern expressions - type: string - selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. - type: string - value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. - type: string - type: object - type: array - x509: - description: |- - Authentication based on client X.509 certificates. - The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. - properties: - allNamespaces: - default: false - description: |- - Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. 
- type: boolean - selector: - description: |- - Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate - clients trying to authenticate to this service - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - selector - type: object - type: object - description: |- - Authentication configs. - At least one config MUST evaluate to a valid identity object for the auth request to be successful. - type: object - authorization: - additionalProperties: - properties: - cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. 
- properties: - key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - ttl: - default: 60 - description: Duration (in seconds) of the external data - in the cache before pulled again from the source. - type: integer - required: - - key - type: object - kubernetesSubjectAccessReview: - description: Authorization by Kubernetes SubjectAccessReview - properties: - groups: - description: Groups the user must be a member of or, if - `user` is omitted, the groups to check for authorization - in the Kubernetes RBAC. - items: - type: string - type: array - resourceAttributes: - description: |- - Use resourceAttributes to check permissions on Kubernetes resources. - If omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request. - properties: - group: - description: |- - API group of the resource. - Use '*' for all API groups. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
- The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - name: - description: |- - Resource name - Omit it to check for authorization on all resources of the specified kind. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - namespace: - description: Namespace where the user must have permissions - on the resource. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - resource: - description: |- - Resource kind - Use '*' for all resource kinds. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
- Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - subresource: - description: Subresource kind - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - verb: - description: |- - Verb to check for authorization on the resource. - Use '*' for all verbs. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - user: - description: |- - User to check for authorization in the Kubernetes RBAC. - Omit it to check for group authorization only. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 
'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - metrics: - default: false - description: Whether this config should generate individual - observability metrics - type: boolean - opa: - description: Open Policy Agent (OPA) Rego policy. - properties: - allValues: - default: false - description: |- - Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. - Otherwise, only the default `allow` rule will be exposed. - Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. - type: boolean - externalPolicy: - description: |- - Settings for fetching the OPA policy from an external registry. - Use it alternatively to 'rego'. - For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', - 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. - properties: - body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
- Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - bodyParameters: - additionalProperties: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). - type: object - contentType: - default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. - enum: - - application/x-www-form-urlencoded - - application/json - type: string - credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. 
- properties: - authorizationHeader: - properties: - prefix: - type: string - type: object - cookie: - properties: - name: - type: string - required: - - name - type: object - customHeader: - properties: - name: - type: string - required: - - name - type: object - queryString: - properties: - name: - type: string - required: - - name - type: object - type: object - headers: - additionalProperties: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - description: Custom headers in the HTTP request. - type: object - method: - default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - HEAD - - OPTIONS - - CONNECT - - TRACE - type: string - oauth2: - description: Authentication with the HTTP service by - OAuth2 Client Credentials grant. - properties: - cache: - default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. - type: boolean - clientId: - description: OAuth2 Client ID. - type: string - clientSecretRef: - description: Reference to a Kuberentes Secret key - that stores that OAuth2 Client Secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. 
- type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - extraParams: - additionalProperties: - type: string - description: Optional extra parameters for the requests - to the token URL. - type: object - scopes: - description: Optional scopes for the client credentials - grant, if supported by he OAuth2 server. - items: - type: string - type: array - tokenUrl: - description: Token endpoint URL of the OAuth2 resource - server. - type: string - required: - - clientId - - clientSecretRef - - tokenUrl - type: object - sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - ttl: - description: Duration (in seconds) of the external data - in the cache before pulled again from the source. - type: integer - url: - description: |- - Endpoint URL of the HTTP service. - The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={request.path} - type: string - required: - - url - type: object - rego: - description: |- - Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). - The Rego document must NOT include the "package" declaration in line 1. 
- type: string - type: object - patternMatching: - description: Pattern-matching authorization rules. - properties: - patterns: - items: - properties: - all: - description: A list of pattern expressions to be evaluated - as a logical AND. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - any: - description: A list of pattern expressions to be evaluated - as a logical OR. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Reference to a named set of pattern expressions - type: string - selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. - type: string - value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. - type: string - type: object - type: array - required: - - patterns - type: object - priority: - default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. - type: integer - spicedb: - description: Authorization decision delegated to external Authzed/SpiceDB - server. - properties: - endpoint: - description: Hostname and port number to the GRPC interface - of the SpiceDB server (e.g. spicedb:50051). 
- type: string - insecure: - description: Insecure HTTP connection (i.e. disables TLS - verification) - type: boolean - permission: - description: The name of the permission (or relation) on - which to execute the check. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - resource: - description: The resource on which to check the permission - or relation. - properties: - kind: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - name: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
- The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - sharedSecretRef: - description: Reference to a Secret key whose value will - be used by Authorino to authenticate with the Authzed - service. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - subject: - description: The subject that will be checked for the permission - or relation. - properties: - kind: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - name: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
- type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - required: - - endpoint - type: object - when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. - items: - properties: - all: - description: A list of pattern expressions to be evaluated - as a logical AND. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - any: - description: A list of pattern expressions to be evaluated - as a logical OR. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Reference to a named set of pattern expressions - type: string - selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. - type: string - value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. - type: string - type: object - type: array - type: object - description: |- - Authorization policies. - All policies MUST evaluate to "allowed = true" for the auth request be successful. 
- type: object - callbacks: - additionalProperties: - properties: - cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. - properties: - key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - ttl: - default: 60 - description: Duration (in seconds) of the external data - in the cache before pulled again from the source. - type: integer - required: - - key - type: object - http: - description: Settings of the external HTTP request - properties: - body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
- type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - bodyParameters: - additionalProperties: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). - type: object - contentType: - default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. - enum: - - application/x-www-form-urlencoded - - application/json - type: string - credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. 
- properties: - authorizationHeader: - properties: - prefix: - type: string - type: object - cookie: - properties: - name: - type: string - required: - - name - type: object - customHeader: - properties: - name: - type: string - required: - - name - type: object - queryString: - properties: - name: - type: string - required: - - name - type: object - type: object - headers: - additionalProperties: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - description: Custom headers in the HTTP request. - type: object - method: - default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - HEAD - - OPTIONS - - CONNECT - - TRACE - type: string - oauth2: - description: Authentication with the HTTP service by OAuth2 - Client Credentials grant. - properties: - cache: - default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. - type: boolean - clientId: - description: OAuth2 Client ID. - type: string - clientSecretRef: - description: Reference to a Kuberentes Secret key that - stores that OAuth2 Client Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - extraParams: - additionalProperties: - type: string - description: Optional extra parameters for the requests - to the token URL. - type: object - scopes: - description: Optional scopes for the client credentials - grant, if supported by he OAuth2 server. - items: - type: string - type: array - tokenUrl: - description: Token endpoint URL of the OAuth2 resource - server. - type: string - required: - - clientId - - clientSecretRef - - tokenUrl - type: object - sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - url: - description: |- - Endpoint URL of the HTTP service. - The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={request.path} - type: string - required: - - url - type: object - metrics: - default: false - description: Whether this config should generate individual - observability metrics - type: boolean - priority: - default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. - type: integer - when: - description: |- - Conditions for Authorino to enforce this config. 
- If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. - items: - properties: - all: - description: A list of pattern expressions to be evaluated - as a logical AND. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - any: - description: A list of pattern expressions to be evaluated - as a logical OR. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Reference to a named set of pattern expressions - type: string - selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. - type: string - value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. - type: string - type: object - type: array - required: - - http - type: object - description: |- - Callback functions. - Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. - type: object - hosts: - description: |- - The list of public host names of the services protected by this authentication/authorization scheme. - Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce. 
- items: - type: string - type: array - metadata: - additionalProperties: - properties: - cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. - properties: - key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - ttl: - default: 60 - description: Duration (in seconds) of the external data - in the cache before pulled again from the source. - type: integer - required: - - key - type: object - http: - description: External source of auth metadata via HTTP request - properties: - body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
- type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - bodyParameters: - additionalProperties: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). - type: object - contentType: - default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. - enum: - - application/x-www-form-urlencoded - - application/json - type: string - credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. 
- properties: - authorizationHeader: - properties: - prefix: - type: string - type: object - cookie: - properties: - name: - type: string - required: - - name - type: object - customHeader: - properties: - name: - type: string - required: - - name - type: object - queryString: - properties: - name: - type: string - required: - - name - type: object - type: object - headers: - additionalProperties: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - description: Custom headers in the HTTP request. - type: object - method: - default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - HEAD - - OPTIONS - - CONNECT - - TRACE - type: string - oauth2: - description: Authentication with the HTTP service by OAuth2 - Client Credentials grant. - properties: - cache: - default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. - type: boolean - clientId: - description: OAuth2 Client ID. - type: string - clientSecretRef: - description: Reference to a Kuberentes Secret key that - stores that OAuth2 Client Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - extraParams: - additionalProperties: - type: string - description: Optional extra parameters for the requests - to the token URL. - type: object - scopes: - description: Optional scopes for the client credentials - grant, if supported by he OAuth2 server. - items: - type: string - type: array - tokenUrl: - description: Token endpoint URL of the OAuth2 resource - server. - type: string - required: - - clientId - - clientSecretRef - - tokenUrl - type: object - sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - url: - description: |- - Endpoint URL of the HTTP service. - The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={request.path} - type: string - required: - - url - type: object - metrics: - default: false - description: Whether this config should generate individual - observability metrics - type: boolean - priority: - default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. - type: integer - uma: - description: User-Managed Access (UMA) source of resource data. 
- properties: - credentialsRef: - description: Reference to a Kubernetes secret in the same - namespace, that stores client credentials to the resource - registration API of the UMA server. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? - type: string - type: object - x-kubernetes-map-type: atomic - endpoint: - description: |- - The endpoint of the UMA server. - The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. - type: string - required: - - credentialsRef - - endpoint - type: object - userInfo: - description: OpendID Connect UserInfo linked to an OIDC authentication - config specified in this same AuthConfig. - properties: - identitySource: - description: The name of an OIDC-enabled JWT authentication - config whose OpenID Connect configuration discovered includes - the OIDC "userinfo_endpoint" claim. - type: string - required: - - identitySource - type: object - when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. - items: - properties: - all: - description: A list of pattern expressions to be evaluated - as a logical AND. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - any: - description: A list of pattern expressions to be evaluated - as a logical OR. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". 
- Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Reference to a named set of pattern expressions - type: string - selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. - type: string - value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. - type: string - type: object - type: array - type: object - description: |- - Metadata sources. - Authorino fetches auth metadata as JSON from sources specified in this config. - type: object - patterns: - additionalProperties: - items: - properties: - operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) - enum: - - eq - - neq - - incl - - excl - - matches - type: string - selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. - type: string - value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. 
- type: string - type: object - type: array - description: Named sets of patterns that can be referred in `when` - conditions and in pattern-matching authorization policy rules. - type: object - response: - description: |- - Response items. - Authorino builds custom responses to the client of the auth request. - properties: - success: - description: |- - Response items to be included in the auth response when the request is authenticated and authorized. - For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request. - properties: - dynamicMetadata: - additionalProperties: - description: Settings of the success custom response item. - properties: - cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. - properties: - key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - ttl: - default: 60 - description: Duration (in seconds) of the external - data in the cache before pulled again from the - source. 
- type: integer - required: - - key - type: object - json: - description: |- - JSON object - Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. - properties: - properties: - additionalProperties: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - required: - - properties - type: object - key: - description: |- - The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). - If omitted, it will be set to the name of the response config. - type: string - metrics: - default: false - description: Whether this config should generate individual - observability metrics - type: boolean - plain: - description: Plain text content - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
- type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - priority: - default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. - type: integer - when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. - items: - properties: - all: - description: A list of pattern expressions to - be evaluated as a logical AND. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - any: - description: A list of pattern expressions to - be evaluated as a logical OR. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Reference to a named set of pattern - expressions - type: string - selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. - type: string - value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. 
- type: string - type: object - type: array - wristband: - description: Authorino Festival Wristband token - properties: - customClaims: - additionalProperties: - properties: - selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. - type: string - value: - description: Static value - x-kubernetes-preserve-unknown-fields: true - type: object - description: Any claims to be added to the wristband - token apart from the standard JWT claims (iss, - iat, exp) added by default. - type: object - issuer: - description: 'The endpoint to the Authorino service - that issues the wristband (format: ://:/, - where = /://:/, - where = /://:/, - where = /://:/, - where = /://:/, - where = /://:/, - where = /://:/, - where = /://:/, - where = /