From e4b703c5ad98ec654890ce2700e2f06eaf17147d Mon Sep 17 00:00:00 2001
From: Jakub Smolar
Date: Tue, 12 Nov 2024 13:20:33 +0100
Subject: [PATCH 1/2] Fix top-level when condition test
Signed-off-by: Jakub Smolar
---
 .../authorino/conditions/test_top_level_condition.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/testsuite/tests/singlecluster/authorino/conditions/test_top_level_condition.py b/testsuite/tests/singlecluster/authorino/conditions/test_top_level_condition.py
index a02f927d..04200470 100644
--- a/testsuite/tests/singlecluster/authorino/conditions/test_top_level_condition.py
+++ b/testsuite/tests/singlecluster/authorino/conditions/test_top_level_condition.py
@@ -2,7 +2,7 @@
 import pytest
-from testsuite.kuadrant.policy.authorization import Pattern
+from testsuite.kuadrant.policy import CelPredicate
 pytestmark = [pytest.mark.authorino]
@@ -10,7 +10,7 @@
 @pytest.fixture(scope="module")
 def authorization(authorization, module_label):
 """Add rule to the AuthConfig to skip entire authn/authz with certain request header"""
- authorization.add_rule([Pattern("context.request.http.headers.key", "neq", module_label)])
+ authorization.add_rule([CelPredicate(f"request.headers.key != '{module_label}'")])
 return authorization
From 442c6b81070e55a87bf1760c12906c8dc1300fb2 Mon Sep 17 00:00:00 2001
From: Jakub Smolar
Date: Wed, 13 Nov 2024 10:55:24 +0100
Subject: [PATCH 2/2] Fix dinosaur tests
Signed-off-by: Jakub Smolar
---
 .../policy/authorization/auth_policy.py | 9 +++-----
 .../authorino/dinosaur/conftest.py | 21 +++++++++++--------
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/testsuite/kuadrant/policy/authorization/auth_policy.py b/testsuite/kuadrant/policy/authorization/auth_policy.py
index f7b69230..4c77bfe4 100644
--- a/testsuite/kuadrant/policy/authorization/auth_policy.py
+++ b/testsuite/kuadrant/policy/authorization/auth_policy.py
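Review bot: In the second hunk `module_label` is spliced unescaped into a single-quoted CEL string literal, `f"request.headers.key != '{module_label}'"`, so a label containing `'` or `\` would produce a malformed or different predicate instead of the intended comparison; the removed `Pattern(...)` form passed the value as data rather than as expression source. The label is generated by the test suite, so this is probably benign today, but a top-level `when` that fails to parse or matches more than intended changes which requests bypass authn/authz, so the value should be emitted as a proper string literal (`json.dumps(module_label)` should yield a CEL-compatible double-quoted literal — confirm against the CEL escape rules) or the fixture should assert the label contains no quote or backslash before interpolating. The `authorization` fixture is fully contained in the hunk.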
@@ -1,7 +1,7 @@
 """Module containing classes related to AuthPolicy"""
 from functools import cached_property
-from typing import Dict, TYPE_CHECKING
+from typing import Dict
 from testsuite.gateway import Referencable
 from testsuite.kubernetes import modify
@@ -9,12 +9,9 @@
 from testsuite.utils import asdict
 from .auth_config import AuthConfig
 from .sections import ResponseSection
-from .. import Policy
+from .. import Policy, CelPredicate
 from . import Pattern
-if TYPE_CHECKING:
- from . import Rule
-
 class AuthPolicy(Policy, AuthConfig):
 """AuthPolicy object, it serves as Kuadrants AuthConfig"""
@@ -44,7 +41,7 @@ def create_instance(
 return cls(model, context=cluster.context)
 @modify
- def add_rule(self, when: list["Rule"]):
+ def add_rule(self, when: list[CelPredicate]):
 """Add rule for the skip of entire AuthPolicy"""
 self.model.spec.setdefault("when", [])
 self.model.spec["when"].extend([asdict(x) for x in when])
diff --git a/testsuite/tests/singlecluster/authorino/dinosaur/conftest.py b/testsuite/tests/singlecluster/authorino/dinosaur/conftest.py
index dfe46de3..4183baa8 100644
--- a/testsuite/tests/singlecluster/authorino/dinosaur/conftest.py
+++ b/testsuite/tests/singlecluster/authorino/dinosaur/conftest.py
@@ -6,6 +6,7 @@
 from openshift_client import OpenShiftPythonException
 from testsuite.httpx.auth import HttpxOidcClientAuth
+from testsuite.kuadrant.policy import CelPredicate
 from testsuite.oidc.keycloak import Keycloak
 from testsuite.utils import ContentType
 from testsuite.kuadrant.policy.authorization import Pattern, PatternRef, Value, ValueFrom, DenyResponse
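Review bot: The docstring of `add_rule` in the `@@ -44,7 +41,7 @@` hunk still reads only "Add rule for the skip of entire AuthPolicy" although the parameter is now typed `list[CelPredicate]`, and it says neither how the entries end up in the manifest nor what "skip" means for a request; since a top-level `when` that does not hold bypasses the whole authn/authz pipeline (the sibling test fixture describes it that way), that is the one property a caller must not get wrong. I would replace it with `"""Append top-level ``when`` predicates to ``spec.when`` (each serialized via ``asdict``). Requests for which the conditions are not met skip the entire policy, so keep the predicates as narrow as intended."""`. Whether several entries are ANDed is not visible here and should be checked against the Kuadrant docs before stating it. The enclosing `AuthPolicy` class starts in the previous hunk and continues past this one.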
@@ -100,21 +101,18 @@ def _resource_info(org_id, owner):
 @pytest.fixture(scope="module")
 def authorization(authorization, keycloak, terms_and_conditions, cluster_info, admin_rhsso, resource_info):
 """Creates complex Authorization Config."""
- path_fourth_element = 'context.request.http.path.@extract:{"sep":"/","pos":4}'
- path_third_element = 'context.request.http.path.@extract:{"sep":"/","pos":3}'
+ path_fourth_element = 'request.path.@extract:{"sep":"/","pos":4}'
 authorization.add_patterns(
 {
- "api-route": [Pattern("context.request.http.path", "matches", "^/anything/dinosaurs_mgmt/.+")],
- "v1-route": [Pattern(path_third_element, "eq", "v1")],
 "dinosaurs-route": [Pattern(path_fourth_element, "eq", "dinosaurs")],
- "dinosaur-resource-route": [Pattern("context.request.http.path", "matches", "/dinosaurs/[^/]+$")],
+ "dinosaur-resource-route": [Pattern("request.path", "matches", "/dinosaurs/[^/]+$")],
 "create-dinosaur-route": [
- Pattern("context.request.http.path", "matches", "/dinosaurs/?$"),
- Pattern("context.request.http.method", "eq", "POST"),
+ Pattern("request.path", "matches", "/dinosaurs/?$"),
+ Pattern("request.method", "eq", "POST"),
 ],
 "metrics-federate-route": [
 Pattern(path_fourth_element, "eq", "dinosaurs"),
- Pattern("context.request.http.path", "matches", "/metrics/federate$"),
+ Pattern("request.path", "matches", "/metrics/federate$"),
 ],
 "service-accounts-route": [Pattern(path_fourth_element, "eq", "service_accounts")],
 "supported-instance-types-route": [Pattern(path_fourth_element, "eq", "instance_types")],
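Review bot: The named patterns `api-route` and `v1-route` are removed from `add_patterns` here, but the fixture body continues past the end of the hunk and `PatternRef` stays imported, so any remaining `PatternRef("api-route")` or `PatternRef("v1-route")` further down would now point at a pattern that no longer exists and silently never match; worth a grep of the rest of the file before merging. Separately, `path_fourth_element` now combines the new `request.path` attribute name with the older `@extract:{...}` modifier; that is presumably what the targeted Authorino selector syntax accepts, but it cannot be confirmed from the diff, so running the dinosaur tests against the target version is the only real check. The `authorization` fixture starts in this hunk and its body runs past it.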
@@ -129,7 +127,12 @@ def authorization(authorization, keycloak, terms_and_conditions, cluster_info, a
 "require-org-id": [Pattern("auth.identity.org_id", "neq", "")],
 }
 )
- authorization.add_rule([PatternRef("api-route"), PatternRef("v1-route")])
+ authorization.add_rule(
+ [
+ CelPredicate("request.path.matches('^/anything/dinosaurs_mgmt/.+')"),
+ CelPredicate("request.path.split('/')[3] == 'v1'"),
+ ]
+ )
 authorization.identity.clear_all()
 authorization.identity.add_oidc(
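Review bot: `request.path.split('/')[3] == 'v1'` indexes the split result with no length guard, so for a path with fewer than four `/`-separated segments this predicate would, as far as I know, fail with a CEL index-out-of-range evaluation error rather than evaluate to false — unlike the removed `@extract` selector, which yields an empty string for a missing position. The sibling entry `request.path.matches('^/anything/dinosaurs_mgmt/.+')` rules such paths out, but the two are separate `when` entries and I cannot tell from here whether Authorino short-circuits between them or how it treats an evaluation error in a top-level condition (skip vs. deny), and this condition decides whether the whole authn/authz pipeline is bypassed. I would make it total: a single entry `CelPredicate("request.path.matches('^/anything/dinosaurs_mgmt/v1(/.*)?$')")`, or keep the second entry as `CelPredicate("request.path.split('/').size() > 3 && request.path.split('/')[3] == 'v1'")`. The `authorization` fixture starts before this hunk and the rest of its body follows it.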