Merge pull request #509 from Kuadrant/docs/cel

docs: Common Expression Language (CEL)
Kuadrant · Nov 27, 2024 · 20d75a5 · 20d75a5
2 parents a1d035d + 9217e6f
commit 20d75a5
Show file tree

Hide file tree

Showing 8 changed files with 110 additions and 145 deletions.
diff --git a/docs/architecture.md b/docs/architecture.md
@@ -286,7 +286,7 @@ After phase (iii), Authorino appends to the authorization JSON the results of th
 
 [Festival Wristbands](./features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband) and [Dynamic JSON](./features.md#json-injection-responsesuccessheadersdynamicmetadatajson) responses can include dynamic values (custom claims/properties) fetched from the authorization JSON. These can be returned to the external authorization client in added HTTP headers or as Envoy [Well Known Dynamic Metadata](https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata). Check out [Custom response features](./features.md#custom-response-features-response) for details.
 
-For information about reading and fetching data from the Authorization JSON (syntax, functions, etc), check out [JSON paths](./features.md#common-feature-json-paths-selector).
+For information about reading and fetching data from the Authorization JSON (syntax, functions, etc), check out [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel).
 
 ## Raw HTTP Authorization interface
 

diff --git a/docs/features.md b/docs/features.md
diff --git a/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md b/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md
@@ -163,12 +163,12 @@ spec:
           json:
             properties:
               "username":
-                selector: auth.identity.metadata.annotations.auth-data\/username
+                expression: auth.identity.metadata.annotations['auth-data/username']
           key: ext_auth_data # how this bit of dynamic metadata from the ext authz service is named in the Envoy config
 EOF
 ```
 
-Check out the docs for information about the common feature [JSON paths](../features.md#common-feature-json-paths-selector) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).
+Check out the docs about using [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).
 
 ## ❼ Create the API keys
 

diff --git a/docs/user-guides/deny-with-redirect-to-login.md b/docs/user-guides/deny-with-redirect-to-login.md
@@ -157,11 +157,12 @@ spec:
       code: 302
       headers:
         "Location":
-          selector: "http://matrix-quotes.127.0.0.1.nip.io:8000/login.html?redirect_to={request.path}"
+          expression: |
+            'http://matrix-quotes.127.0.0.1.nip.io:8000/login.html?redirect_to=' + request.path
 EOF
 ```
 
-Check out the docs for information about the common feature [JSON paths](../features.md#common-feature-json-paths-selector) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).
+Check out the docs about using [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).
 
 ## ❻ Create an API key
 
@@ -259,7 +260,8 @@ spec:
       code: 302
       headers:
         "Location":
-          selector: "http://keycloak:8080/realms/kuadrant/protocol/openid-connect/auth?client_id=matrix-quotes&redirect_uri=http://matrix-quotes.127.0.0.1.nip.io:8000/auth?redirect_to={request.path}&scope=openid&response_type=code"
+          expression: |
+            'http://keycloak:8080/realms/kuadrant/protocol/openid-connect/auth?client_id=matrix-quotes&redirect_uri=http://matrix-quotes.127.0.0.1.nip.io:8000/auth?redirect_to=' + request.path + '&scope=openid&response_type=code'
 EOF
 ```
 

diff --git a/docs/user-guides/external-metadata.md b/docs/user-guides/external-metadata.md
@@ -153,10 +153,11 @@ spec:
   metadata:
     "geo":
       http:
-        url: 'http://ip-api.com/json/{context.request.http.headers.x-forwarded-for.@extract:{"sep":","}}?fields=countryCode'
+        urlExpression: |
+          'http://ip-api.com/json/' + request.headers['x-forwarded-for'].split(',')[0] + '?fields=countryCode'
         headers:
           "Accept":
-            value: application/json
+            expression: '"application/json"'
   authorization:
     "geofence":
       opa:
@@ -171,7 +172,7 @@ spec:
 EOF
 ```
 
-Check out the docs for information about the common feature [JSON paths](../features.md#common-feature-json-paths-selector) for reading from the [Authorization JSON](../architecture.md#the-authorization-json), including the description of the `@extract` string modifier.
+Check out the docs about using [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).
 
 ## ❻ Create an API key
 

diff --git a/docs/user-guides/http-basic-authentication.md b/docs/user-guides/http-basic-authentication.md
@@ -150,9 +150,7 @@ spec:
   authorization:
     "acl":
       when:
-      - selector: context.request.http.path
-        operator: eq
-        value: /bye
+      - predicate: request.path == '/bye'
       patternMatching:
         patterns:
         - selector: context.request.http.headers.authorization.@extract:{"pos":1}|@base64:decode|@extract:{"sep":":"}
@@ -161,7 +159,7 @@ spec:
 EOF
 ```
 
-Check out the docs for information about the common feature [JSON paths](../features.md#common-feature-json-paths-selector) for reading from the [Authorization JSON](../architecture.md#the-authorization-json), including the description of the string modifiers `@extract` and `@case` used above. Check out as well the common feature [Conditions](../features.md#common-feature-conditions-when) about skipping parts of an `AuthConfig` in the auth pipeline based on context.
+Check out the docs about using [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel) for reading from the [Authorization JSON](../architecture.md#the-authorization-json). Check out as well the common feature [Conditions](../features.md#common-feature-conditions-when) about skipping parts of an `AuthConfig` in the auth pipeline based on context.
 
 ## ❻ Create user credentials
 

diff --git a/docs/user-guides/injecting-data.md b/docs/user-guides/injecting-data.md
@@ -155,15 +155,16 @@ spec:
           json:
             properties:
               "authorized":
-                value: true
+                expression: "true"
               "request-time":
-                selector: context.request.time.seconds
+                expression: request.time.seconds
               "greeting-message":
-                selector: Hello, {auth.identity.metadata.annotations.auth-data\/name}!
+                expression: |
+                  'Hello, ' + auth.identity.metadata.annotations['auth-data/name']
 EOF
 ```
 
-Check out the docs for information about the common feature [JSON paths](../features.md#common-feature-json-paths-selector) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).
+Check out the docs about using [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel) for reading from the [Authorization JSON](../architecture.md#the-authorization-json).
 
 ## ❻ Create an API key
 

diff --git a/docs/user-guides/json-pattern-matching-authorization.md b/docs/user-guides/json-pattern-matching-authorization.md
@@ -156,18 +156,15 @@ spec:
   authorization:
     "email-verified-only":
       when:
-      - selector: "context.request.http.headers.x-forwarded-for.@extract:{\"sep\": \",\"}"
-        operator: matches
-        value: 192\\.168\\.1\\.\\d+
+      - predicate: |
+          request.headers['x-forwarded-for'].split(',')[0].matches("^192\\\.168\\\.1\\\.\\\d+$")
       patternMatching:
         patterns:
-        - selector: auth.identity.email_verified
-          operator: eq
-          value: "true"
+        - predicate: auth.identity.email_verified
 EOF
 ```
 
-Check out the docs for information about semantics and operators supported by the [JSON pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) feature, as well the common feature [JSON paths](../features.md#common-feature-json-paths-selector) for reading from the [Authorization JSON](../architecture.md#the-authorization-json), including the description of the string modifier `@extract` used above. Check out as well the common feature [Conditions](../features.md#common-feature-conditions-when) about skipping parts of an `AuthConfig` in the auth pipeline based on context.
+Check out the doc about using [Common Expression Language (CEL)](./features.md#common-feature-common-expression-language-cel) for reading from the [Authorization JSON](../architecture.md#the-authorization-json). Check out as well the common feature [Conditions](../features.md#common-feature-conditions-when) about skipping parts of an `AuthConfig` in the auth pipeline based on context.
 
 ## ❻ Obtain an access token and consume the API