Skip to content

Commit

Permalink
Tentative at dealing with no Response provided
Browse files Browse the repository at this point in the history
Signed-off-by: Alex Snaps <[email protected]>
  • Loading branch information
alexsnaps committed Sep 4, 2024
1 parent 37ef7d1 commit 46d39a9
Show file tree
Hide file tree
Showing 5 changed files with 135 additions and 116 deletions.
223 changes: 116 additions & 107 deletions controllers/auth_config_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,9 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
authConfigIdentityConfigs := authConfig.Spec.Authentication

if len(authConfigIdentityConfigs) == 0 {
if authConfigIdentityConfigs == nil {
authConfigIdentityConfigs = make(map[string]api.AuthenticationSpec)
}
authConfigIdentityConfigs["anonymous"] = api.AuthenticationSpec{
CommonEvaluatorSpec: api.CommonEvaluatorSpec{},
Credentials: api.Credentials{},
Expand Down Expand Up @@ -472,129 +475,133 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf

interfacedResponseConfigs := make([]auth.AuthConfigEvaluator, 0)

for responseName, headerResponse := range authConfig.Spec.Response.Success.Headers {
translatedResponse := evaluators.NewResponseConfig(
responseName,
headerResponse.Priority,
buildJSONExpression(authConfig, headerResponse.Conditions, jsonexp.All),
"httpHeader",
headerResponse.Key,
headerResponse.Metrics,
)
if authConfig.Spec.Response != nil {
for responseName, headerResponse := range authConfig.Spec.Response.Success.Headers {
translatedResponse := evaluators.NewResponseConfig(
responseName,
headerResponse.Priority,
buildJSONExpression(authConfig, headerResponse.Conditions, jsonexp.All),
"httpHeader",
headerResponse.Key,
headerResponse.Metrics,
)

if headerResponse.Cache != nil {
ttl := headerResponse.Cache.TTL
if ttl == 0 {
ttl = api.EvaluatorDefaultCacheTTL
if headerResponse.Cache != nil {
ttl := headerResponse.Cache.TTL
if ttl == 0 {
ttl = api.EvaluatorDefaultCacheTTL
}
translatedResponse.Cache = evaluators.NewEvaluatorCache(
*getJsonFromStaticDynamic(&headerResponse.Cache.Key),
ttl,
)
}
translatedResponse.Cache = evaluators.NewEvaluatorCache(
*getJsonFromStaticDynamic(&headerResponse.Cache.Key),
ttl,
)
interfacedResponseConfigs = append(interfacedResponseConfigs, translatedResponse)
}
interfacedResponseConfigs = append(interfacedResponseConfigs, translatedResponse)
}

for responseName, response := range authConfig.Spec.Response.Success.DynamicMetadata {
translatedResponse := evaluators.NewResponseConfig(
responseName,
response.Priority,
buildJSONExpression(authConfig, response.Conditions, jsonexp.All),
"envoyDynamicMetadata",
response.Key,
response.Metrics,
)
if authConfig.Spec.Response != nil {
for responseName, response := range authConfig.Spec.Response.Success.DynamicMetadata {
translatedResponse := evaluators.NewResponseConfig(
responseName,
response.Priority,
buildJSONExpression(authConfig, response.Conditions, jsonexp.All),
"envoyDynamicMetadata",
response.Key,
response.Metrics,
)

if response.Cache != nil {
ttl := response.Cache.TTL
if ttl == 0 {
ttl = api.EvaluatorDefaultCacheTTL
if response.Cache != nil {
ttl := response.Cache.TTL
if ttl == 0 {
ttl = api.EvaluatorDefaultCacheTTL
}
translatedResponse.Cache = evaluators.NewEvaluatorCache(
*getJsonFromStaticDynamic(&response.Cache.Key),
ttl,
)
}
translatedResponse.Cache = evaluators.NewEvaluatorCache(
*getJsonFromStaticDynamic(&response.Cache.Key),
ttl,
)
}

switch response.GetMethod() {
// wristband
case api.WristbandAuthResponse:
wristband := response.Wristband
signingKeys := make([]jose.JSONWebKey, 0)
switch response.GetMethod() {
// wristband
case api.WristbandAuthResponse:
wristband := response.Wristband
signingKeys := make([]jose.JSONWebKey, 0)

for _, signingKeyRef := range wristband.SigningKeyRefs {
secret := &v1.Secret{}
secretName := types.NamespacedName{
Namespace: authConfig.Namespace,
Name: signingKeyRef.Name,
}
if err := r.Client.Get(ctx, secretName, secret); err != nil {
return nil, err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue.
} else {
if signingKey, err := response_evaluators.NewSigningKey(
signingKeyRef.Name,
string(signingKeyRef.Algorithm),
secret.Data["key.pem"],
); err != nil {
return nil, err
for _, signingKeyRef := range wristband.SigningKeyRefs {
secret := &v1.Secret{}
secretName := types.NamespacedName{
Namespace: authConfig.Namespace,
Name: signingKeyRef.Name,
}
if err := r.Client.Get(ctx, secretName, secret); err != nil {
return nil, err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue.
} else {
signingKeys = append(signingKeys, *signingKey)
if signingKey, err := response_evaluators.NewSigningKey(
signingKeyRef.Name,
string(signingKeyRef.Algorithm),
secret.Data["key.pem"],
); err != nil {
return nil, err
} else {
signingKeys = append(signingKeys, *signingKey)
}
}
}
}

customClaims := make([]json.JSONProperty, 0)
for claimName, claim := range wristband.CustomClaims {
customClaims = append(customClaims, json.JSONProperty{
Name: claimName,
Value: json.JSONValue{
Static: claim.Value,
Pattern: claim.Selector,
},
})
}
customClaims := make([]json.JSONProperty, 0)
for claimName, claim := range wristband.CustomClaims {
customClaims = append(customClaims, json.JSONProperty{
Name: claimName,
Value: json.JSONValue{
Static: claim.Value,
Pattern: claim.Selector,
},
})
}

if authorinoWristband, err := response_evaluators.NewWristbandConfig(
wristband.Issuer,
customClaims,
wristband.TokenDuration,
signingKeys,
); err != nil {
return nil, err
} else {
translatedResponse.Wristband = authorinoWristband
}
if authorinoWristband, err := response_evaluators.NewWristbandConfig(
wristband.Issuer,
customClaims,
wristband.TokenDuration,
signingKeys,
); err != nil {
return nil, err
} else {
translatedResponse.Wristband = authorinoWristband
}

// dynamic json
case api.JsonAuthResponse:
jsonProperties := make([]json.JSONProperty, 0)
// dynamic json
case api.JsonAuthResponse:
jsonProperties := make([]json.JSONProperty, 0)

for propertyName, property := range response.Json.Properties {
jsonProperties = append(jsonProperties, json.JSONProperty{
Name: propertyName,
Value: json.JSONValue{
Static: property.Value,
Pattern: property.Selector,
},
})
}

for propertyName, property := range response.Json.Properties {
jsonProperties = append(jsonProperties, json.JSONProperty{
Name: propertyName,
Value: json.JSONValue{
Static: property.Value,
Pattern: property.Selector,
},
})
}
translatedResponse.DynamicJSON = response_evaluators.NewDynamicJSONResponse(jsonProperties)

translatedResponse.DynamicJSON = response_evaluators.NewDynamicJSONResponse(jsonProperties)
// plain
case api.PlainAuthResponse:
translatedResponse.Plain = &response_evaluators.Plain{
JSONValue: json.JSONValue{
Static: response.Plain.Value,
Pattern: response.Plain.Selector,
},
}

// plain
case api.PlainAuthResponse:
translatedResponse.Plain = &response_evaluators.Plain{
JSONValue: json.JSONValue{
Static: response.Plain.Value,
Pattern: response.Plain.Selector,
},
case api.UnknownAuthResponseMethod:
return nil, fmt.Errorf("unknown response type %v", response)
}

case api.UnknownAuthResponseMethod:
return nil, fmt.Errorf("unknown response type %v", response)
interfacedResponseConfigs = append(interfacedResponseConfigs, translatedResponse)
}

interfacedResponseConfigs = append(interfacedResponseConfigs, translatedResponse)
}

interfacedCallbackConfigs := make([]auth.AuthConfigEvaluator, 0)
Expand Down Expand Up @@ -634,11 +641,13 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
}

// denyWith
if denyWith := authConfig.Spec.Response.Unauthenticated; denyWith != nil {
translatedAuthConfig.Unauthenticated = buildAuthorinoDenyWithValues(denyWith)
}
if denyWith := authConfig.Spec.Response.Unauthorized; denyWith != nil {
translatedAuthConfig.Unauthorized = buildAuthorinoDenyWithValues(denyWith)
if authConfig.Spec.Response != nil {
if denyWith := authConfig.Spec.Response.Unauthenticated; denyWith != nil {
translatedAuthConfig.Unauthenticated = buildAuthorinoDenyWithValues(denyWith)
}
if denyWith := authConfig.Spec.Response.Unauthorized; denyWith != nil {
translatedAuthConfig.Unauthorized = buildAuthorinoDenyWithValues(denyWith)
}
}

return translatedAuthConfig, nil
Expand Down
10 changes: 7 additions & 3 deletions controllers/auth_config_controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -170,7 +170,7 @@ func TestReconcileAuthConfigOk(t *testing.T) {
config := authConfigIndex.Get("echo-api")
assert.Check(t, config != nil)
idConfig, _ := config.IdentityConfigs[0].(*evaluators.IdentityConfig)
assert.Equal(t, idConfig.ExtendedProperties[0].Name, "source")
assert.Equal(t, idConfig.ExtendedProperties[1].Name, "source")
// TODO(@guicassolato): assert other fields of the AuthConfig
}

Expand Down Expand Up @@ -390,14 +390,18 @@ func TestBootstrapIndex(t *testing.T) {
indexMock := mock_index.NewMockIndex(mockController)

authConfig := newTestAuthConfig(map[string]string{"scope": "in"})
expectedNumResponseItems := 0
if authConfig.Spec.Response != nil {
expectedNumResponseItems = len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers)
}
authConfig.Status.Summary = api.AuthConfigStatusSummary{
Ready: true,
HostsReady: authConfig.Spec.Hosts,
NumHostsReady: fmt.Sprintf("%d/%d", len(authConfig.Spec.Hosts), len(authConfig.Spec.Hosts)),
NumIdentitySources: int64(len(authConfig.Spec.Authentication)),
NumMetadataSources: int64(len(authConfig.Spec.Metadata)),
NumAuthorizationPolicies: int64(len(authConfig.Spec.Authorization)),
NumResponseItems: int64(len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers)),
NumResponseItems: int64(expectedNumResponseItems),
FestivalWristbandEnabled: false,
}

Expand All @@ -409,7 +413,7 @@ func TestBootstrapIndex(t *testing.T) {
NumIdentitySources: int64(len(authConfig.Spec.Authentication)),
NumMetadataSources: int64(len(authConfig.Spec.Metadata)),
NumAuthorizationPolicies: int64(len(authConfig.Spec.Authorization)),
NumResponseItems: int64(len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers)),
NumResponseItems: int64(expectedNumResponseItems),
FestivalWristbandEnabled: false,
}

Expand Down
14 changes: 10 additions & 4 deletions controllers/auth_config_status_updater.go
Original file line number Diff line number Diff line change
Expand Up @@ -181,14 +181,18 @@ func updateStatusSummary(authConfig *api.AuthConfig, newLinkedHosts []string) (c
newLinkedHosts = []string{}
}

numResponseItems := 0
if authConfig.Spec.Response != nil {
numResponseItems = len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers)
}
new := api.AuthConfigStatusSummary{
Ready: authConfig.Status.Ready(),
HostsReady: newLinkedHosts,
NumHostsReady: fmt.Sprintf("%d/%d", len(newLinkedHosts), len(authConfig.Spec.Hosts)),
NumIdentitySources: int64(len(authConfig.Spec.Authentication)),
NumMetadataSources: int64(len(authConfig.Spec.Metadata)),
NumAuthorizationPolicies: int64(len(authConfig.Spec.Authorization)),
NumResponseItems: int64(len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers)),
NumResponseItems: int64(numResponseItems),
FestivalWristbandEnabled: issuingWristbands(authConfig),
}

Expand All @@ -213,9 +217,11 @@ func updateStatusSummary(authConfig *api.AuthConfig, newLinkedHosts []string) (c
}

func issuingWristbands(authConfig *api.AuthConfig) bool {
for _, responseConfig := range authConfig.Spec.Response.Success.DynamicMetadata {
if responseConfig.GetMethod() == api.WristbandAuthResponse {
return true
if authConfig.Spec.Response != nil {
for _, responseConfig := range authConfig.Spec.Response.Success.DynamicMetadata {
if responseConfig.GetMethod() == api.WristbandAuthResponse {
return true
}
}
}
return false
Expand Down
2 changes: 1 addition & 1 deletion pkg/evaluators/authorization/authzed_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ import (
"gotest.tools/assert"
)

const testAuthzedServerEndpoint string = "127.0.0.1:9010"
const testAuthzedServerEndpoint string = "127.0.0.1:9012"

// testAuthzedPermissionService implements authzedpb.PermissionsServiceServer
type testAuthzedPermissionService struct {
Expand Down
2 changes: 1 addition & 1 deletion pkg/evaluators/callbacks_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ import (
"gotest.tools/assert"
)

const testCallbackServerHost string = "127.0.0.1:9010"
const testCallbackServerHost string = "127.0.0.1:9012"

func TestCallbacks(t *testing.T) {
var called bool
Expand Down

0 comments on commit 46d39a9

Please sign in to comment.