Bind all well known attributes, no 'context' anymore

Signed-off-by: Alex Snaps <[email protected]>
Kuadrant · Oct 18, 2024 · a25343f · a25343f
1 parent f93fa6f
commit a25343f
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 11 deletions.
diff --git a/controllers/auth_config_controller_test.go b/controllers/auth_config_controller_test.go
@@ -96,7 +96,7 @@ func newTestAuthConfig(authConfigLabels map[string]string) api.AuthConfig {
 						Patterns: []api.PatternExpressionOrRef{
 							{
 								CelPredicate: api.CelPredicate{
-									Predicate: "context.identity.role == 'admin'",
+									Predicate: "auth.identity.role == 'admin'",
 								},
 							},
 						},

diff --git a/pkg/expressions/cel/expressions.go b/pkg/expressions/cel/expressions.go
@@ -14,8 +14,11 @@ import (
 	"google.golang.org/protobuf/types/known/structpb"
 )
 
+const RootMetadataBinding = "metadata"
+const RootRequestBinding = "request"
+const RootSourceBinding = "source"
+const RootDestinationBinding = "destination"
 const RootAuthBinding = "auth"
-const RootContextBinding = "context"
 
 type Predicate struct {
 	program cel.Program
@@ -116,8 +119,11 @@ func (e *Expression) EvaluateStringValue(json string) (string, error) {
 
 func Compile(expression string, expectedType *cel.Type, opts ...cel.EnvOption) (cel.Program, error) {
 	envOpts := append([]cel.EnvOption{cel.Declarations(
+		decls.NewConst(RootMetadataBinding, decls.NewObjectType("google.protobuf.Struct"), nil),
+		decls.NewConst(RootRequestBinding, decls.NewObjectType("google.protobuf.Struct"), nil),
+		decls.NewConst(RootSourceBinding, decls.NewObjectType("google.protobuf.Struct"), nil),
+		decls.NewConst(RootDestinationBinding, decls.NewObjectType("google.protobuf.Struct"), nil),
 		decls.NewConst(RootAuthBinding, decls.NewObjectType("google.protobuf.Struct"), nil),
-		decls.NewConst(RootContextBinding, decls.NewObjectType("google.protobuf.Struct"), nil),
 	)}, opts...)
 	env, env_err := cel.NewEnv(envOpts...)
 	if env_err != nil {
@@ -166,11 +172,18 @@ func AuthJsonToCel(json string) (map[string]interface{}, error) {
 	if err := jsonpb.Unmarshal(strings.NewReader(json), &data); err != nil {
 		return nil, err
 	}
-	auth := data.GetFields()["auth"]
-	context := data.GetFields()["context"]
+	metadata := data.GetFields()[RootMetadataBinding]
+	request := data.GetFields()[RootRequestBinding]
+	source := data.GetFields()[RootSourceBinding]
+	destination := data.GetFields()[RootDestinationBinding]
+	auth := data.GetFields()[RootAuthBinding]
+
 	input := map[string]interface{}{
-		RootAuthBinding:    auth,
-		RootContextBinding: context,
+		RootMetadataBinding:    metadata,
+		RootRequestBinding:     request,
+		RootSourceBinding:      source,
+		RootDestinationBinding: destination,
+		RootAuthBinding:        auth,
 	}
 	return input, nil
 }
diff --git a/pkg/expressions/cel/expressions_test.go b/pkg/expressions/cel/expressions_test.go
@@ -13,7 +13,7 @@ func TestPredicate(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 
-	predicate, err := NewPredicate(`context`)
+	predicate, err := NewPredicate(`auth`)
 	assert.ErrorContains(t, err, "wanted bool output type")
 
 	pipelineMock := mock_auth.NewMockAuthPipeline(ctrl)
@@ -34,10 +34,10 @@ func TestPredicate(t *testing.T) {
 	assert.NilError(t, err)
 	assert.Equal(t, response, true)
 
-	predicate, err = NewPredicate(`context.request.http.method == "GET"`)
+	predicate, err = NewPredicate(`request.http.method == "GET"`)
 	assert.NilError(t, err)
 
-	pipelineMock.EXPECT().GetAuthorizationJSON().Return(`{"context":{"request":{"http": {"method": "GET"}}}}`)
+	pipelineMock.EXPECT().GetAuthorizationJSON().Return(`{"request":{"http": {"method": "GET"}}}`)
 	response, err = predicate.Matches(pipelineMock.GetAuthorizationJSON())
 	assert.NilError(t, err)
 	assert.Equal(t, response, true)

diff --git a/tests/v1beta2/authconfig.yaml b/tests/v1beta2/authconfig.yaml
@@ -74,7 +74,7 @@ spec:
       anonymous: {}
       priority: 1
       when:
-      - predicate: context.request.http.method == "GET"
+      - predicate: request.http.method == "GET"
       - selector: context.request.http.path
         operator: matches
         value: ^/$