v0.5.0

New features and Enhancements

• External URL for the OPA authorization policy (#144)
  • Extends the AuthConfig API with spec.authorization.opa.externalRegistry to fetch an OPA Rego policy from an external source (reconciliation-time), alternatively to using inlineRego
  • Apart from the endpoint of the external policy, it allows to set a sharedSecretRef and credentials (where in the request) for authentication between Authorino and the policy registry
• Kubernetes authorization based on SubjectAccessReview (#154, #160)
  • Support for SubjectAccessReview queries for resource and non-resource attributes
  • Allows to set spec.authorization.kubernetes.conditions to enforce or skip the policy (similarly to how those work for the JSON pattern-matching authorization policies)
• Custom parameters in the body of HTTP external metadata POST requests (#156)
  • Extends the AuthConfig API with spec.metadata.http.bodyParameters, an array of properties to be added as parameters of the HTTP POST request to the external service
  • Extends the AuthConfig API with spec.metadata.http.contentType, the content-type of the HTTP POST request – application/x-www-form-urlencoded and application/json supported
• Support for string interpolation in the values of valueFrom.authJSON fields (#165, #168 )
  • Possibility to set template-like values with variable placeholders that resolve to gjson patterns (e.g. "Hello, {auth.identity.name}!")
  • Simple JSON patterns such as context.request.http.host continue to be supported as before
• Introduction of new string modifiers to gjson patterns on values fetched from the Authorization JSON (#154, #167)
  • @extract:{sep:string, pos:int} → splits a string value at occurrences of a separator (default: " ") and selects the substring at the pos-th position (default: 0)
  • @replace:{old:string, new:string} → replaces a substring within a string value
  • @case:upper|lower → changes the case of a string value
  • @base64:encode|decode → base64-encodes or decodes a string value; in combination with @extract allows to extract the username of an HTTP Basic Authentication request
• Support for custom denial status code/messages (#159)
  • AuthConfig API extended with options spec.denyWith.unauthenticated and spec.denyWith.unauthorized that allow to set custom code, message and headers to replace the default response attributes returned when 401 Unauthorized and 403 Forbidden
  • Allows to set a redirect 302 status code and Location response header, e.g.
  • Custom response headers defined as JSON properties with static (value) or dynamically fetched (valueFrom.authJSON) values
• Enhanced JSON structured logging (#172)
  • Support for log levels (debug → info → error), set via LOG_LEVEL env var (default: info)
  • Configurable log output modes: production (fully JSON structured) and development (human-readable outputs, extra stack traces and logging info, plus extra values output as JSON), set via LOG_MODE env var (default: production)
  • No sensitive data output to info log messages (closes #161)
  • Log tracing ID: request id propagated across all log entries associated with an external authorization request

Bug fixes

• Fix serialization of JSON strings returned in dynamic response HTTP headers (#157)

Dependencies and Tooling

• Better logging for the Talker API example app (#158)
  • Includes support for LOG_LEVEL=debug environment variable
  • Response message with HTTP header names echoed back in their original form (e.g. X-Ext-Auth-Wristband instead of HTTP_X_EXT_AUTH_WRISTBAND)
• Versions of controller-gen and kustomize pinned to the project path (#150)

Documentation

• Descriptions of log messages, log metadata ("extra values") and log samples added to the docs (#172 )