drop user-defined top-level conditions in the authpolicy if favour of…

… cel predicates only Signed-off-by: Guilherme Cassolato <[email protected]>
Kuadrant · Nov 7, 2024 · a189890 · a189890
1 parent a925273
commit a189890
Show file tree

Hide file tree

Showing 18 changed files with 239 additions and 720 deletions.
diff --git a/api/v1beta3/authpolicy_types.go b/api/v1beta3/authpolicy_types.go
@@ -24,7 +24,6 @@ import (
 	"github.com/google/go-cmp/cmp"
 	authorinov1beta3 "github.com/kuadrant/authorino/api/v1beta3"
 	"github.com/kuadrant/policy-machinery/machinery"
-	"github.com/samber/lo"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
@@ -42,43 +41,6 @@ const (
 	AuthPolicyDirectReferenceAnnotationName = "kuadrant.io/authpolicy"
 )
 
-const (
-	EqualOperator      WhenConditionOperator = "eq"
-	NotEqualOperator   WhenConditionOperator = "neq"
-	StartsWithOperator WhenConditionOperator = "startsWith"
-	EndsWithOperator   WhenConditionOperator = "endsWith"
-	IncludeOperator    WhenConditionOperator = "incl"
-	ExcludeOperator    WhenConditionOperator = "excl"
-	MatchesOperator    WhenConditionOperator = "matches"
-)
-
-// +kubebuilder:validation:Enum:=eq;neq;startswith;endswith;incl;excl;matches
-type WhenConditionOperator string
-
-// ContextSelector defines one item from the well known attributes
-// Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes
-// Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors
-// They are named by a dot-separated path (e.g. request.path)
-// Example: "request.path" -> The path portion of the URL
-// +kubebuilder:validation:MinLength=1
-// +kubebuilder:validation:MaxLength=253
-type ContextSelector string
-
-// WhenCondition defines semantics for matching an HTTP request based on conditions
-// https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec
-type WhenCondition struct {
-	// Selector defines one item from the well known selectors
-	// TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors
-	Selector ContextSelector `json:"selector"`
-
-	// The binary operator to be applied to the content fetched from the selector
-	// Possible values are: "eq" (equal to), "neq" (not equal to)
-	Operator WhenConditionOperator `json:"operator"`
-
-	// The value of reference for the comparison.
-	Value string `json:"value"`
-}
-
 var (
 	AuthPolicyGroupKind  = schema.GroupKind{Group: SchemeGroupVersion.Group, Kind: "AuthPolicy"}
 	AuthPoliciesResource = SchemeGroupVersion.WithResource("authpolicies")
@@ -170,9 +132,8 @@ func (p *AuthPolicy) Rules() map[string]kuadrantv1.MergeableRule {
 		rules[fmt.Sprintf("patterns#%s", ruleID)] = kuadrantv1.NewMergeableRule(&rule, policyLocator)
 	}
 
-	for ruleID := range spec.Conditions {
-		rule := spec.Conditions[ruleID]
-		rules[fmt.Sprintf("conditions#%d", ruleID)] = kuadrantv1.NewMergeableRule(&rule, policyLocator)
+	if whenPredicates := spec.MergeableWhenPredicates; len(whenPredicates.Predicates) > 0 {
+		rules["conditions#"] = kuadrantv1.NewMergeableRule(&whenPredicates, policyLocator)
 	}
 
 	if spec.AuthScheme == nil {
@@ -226,7 +187,7 @@ func (p *AuthPolicy) Rules() map[string]kuadrantv1.MergeableRule {
 func (p *AuthPolicy) SetRules(rules map[string]kuadrantv1.MergeableRule) {
 	// clear all rules of the policy before setting new ones
 	p.Spec.Proper().NamedPatterns = nil
-	p.Spec.Proper().Conditions = nil
+	p.Spec.Proper().Predicates = nil
 	p.Spec.Proper().AuthScheme = nil
 
 	ensureNamedPatterns := func() {
@@ -305,7 +266,7 @@ func (p *AuthPolicy) SetRules(rules map[string]kuadrantv1.MergeableRule) {
 			ensureNamedPatterns()
 			p.Spec.Proper().NamedPatterns[ruleID] = *rule.(*MergeablePatternExpressions)
 		case "conditions":
-			p.Spec.Proper().Conditions = append(p.Spec.Proper().Conditions, *rule.(*MergeablePatternExpressionOrRef))
+			p.Spec.Proper().MergeableWhenPredicates = *rule.(*MergeableWhenPredicates)
 		case "authentication":
 			ensureAuthentication()
 			p.Spec.Proper().AuthScheme.Authentication[ruleID] = *rule.(*MergeableAuthenticationSpec)
@@ -429,7 +390,7 @@ type AuthPolicySpecProper struct {
 	// If omitted, the AuthPolicy will be enforced at all requests to the protected routes.
 	// If present, all conditions must match for the AuthPolicy to be enforced; otherwise, the authorization service skips the AuthPolicy and returns to the auth request with status OK.
 	// +optional
-	Conditions []MergeablePatternExpressionOrRef `json:"when,omitempty"`
+	MergeableWhenPredicates `json:""`
 
 	// The auth rules of the policy.
 	// See Authorino's AuthConfig CRD for more details.
@@ -490,39 +451,6 @@ func (r *MergeablePatternExpressionOrRef) WithSource(source string) kuadrantv1.M
 	r.Source = source
 	return r
 }
-func (r *MergeablePatternExpressionOrRef) ToWhenConditions(namedPatterns map[string]MergeablePatternExpressions) []WhenCondition {
-	if ref := r.PatternRef.Name; ref != "" {
-		if pattern, ok := namedPatterns[ref]; ok {
-			return lo.Map(pattern.PatternExpressions, func(p authorinov1beta3.PatternExpression, _ int) WhenCondition {
-				return WhenCondition{
-					Selector: ContextSelector(p.Selector),
-					Operator: WhenConditionOperator(p.Operator),
-					Value:    p.Value,
-				}
-			})
-		}
-	}
-
-	if allOf := r.All; len(allOf) > 0 {
-		return lo.Map(allOf, func(p authorinov1beta3.UnstructuredPatternExpressionOrRef, _ int) WhenCondition {
-			return WhenCondition{
-				Selector: ContextSelector(p.Selector),
-				Operator: WhenConditionOperator(p.Operator),
-				Value:    p.Value,
-			}
-		})
-	}
-
-	// FIXME: anyOf cannot be represented in the current schema of the wasm config
-
-	return []WhenCondition{
-		{
-			Selector: ContextSelector(r.Selector),
-			Operator: WhenConditionOperator(r.Operator),
-			Value:    r.Value,
-		},
-	}
-}
 
 type MergeableAuthenticationSpec struct {
 	authorinov1beta3.AuthenticationSpec `json:",inline"`

diff --git a/api/v1beta3/common_types.go b/api/v1beta3/common_types.go
@@ -0,0 +1,66 @@
+package v1beta3
+
+import (
+	"github.com/samber/lo"
+
+	kuadrantv1 "github.com/kuadrant/kuadrant-operator/api/v1"
+)
+
+func NewPredicate(predicate string) Predicate {
+	return Predicate{Predicate: predicate}
+}
+
+// Predicate defines one CEL expression that must be evaluated to bool
+type Predicate struct {
+	// +kubebuilder:validation:MinLength=1
+	Predicate string `json:"predicate"`
+}
+
+func NewWhenPredicates(predicates ...string) WhenPredicates {
+	whenPredicates := make(WhenPredicates, 0)
+	for _, predicate := range predicates {
+		whenPredicates = append(whenPredicates, NewPredicate(predicate))
+	}
+
+	return whenPredicates
+}
+
+type WhenPredicates []Predicate
+
+func (w WhenPredicates) Extend(other WhenPredicates) WhenPredicates {
+	return append(w, other...)
+}
+
+func (w WhenPredicates) Into() []string {
+	if w == nil {
+		return nil
+	}
+
+	return lo.Map(w, func(p Predicate, _ int) string { return p.Predicate })
+}
+
+type MergeableWhenPredicates struct {
+	// Overall conditions for the policy to be enforced.
+	// If omitted, the policy will be enforced at all requests to the protected routes.
+	// If present, all conditions must match for the policy to be enforced.
+	// +optional
+	Predicates WhenPredicates `json:"when,omitempty"`
+
+	// Source stores the locator of the policy where the limit is orignaly defined (internal use)
+	Source string `json:"-"`
+}
+
+var _ kuadrantv1.MergeableRule = &MergeableWhenPredicates{}
+
+func (p *MergeableWhenPredicates) GetSpec() any {
+	return p.Predicates
+}
+
+func (p *MergeableWhenPredicates) GetSource() string {
+	return p.Source
+}
+
+func (p *MergeableWhenPredicates) WithSource(source string) kuadrantv1.MergeableRule {
+	p.Source = source
+	return p
+}
diff --git a/api/v1beta3/ratelimitpolicy_types.go b/api/v1beta3/ratelimitpolicy_types.go
@@ -20,7 +20,6 @@ import (
 	"time"
 
 	"github.com/kuadrant/policy-machinery/machinery"
-	"github.com/samber/lo"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
@@ -120,16 +119,14 @@ func (p *RateLimitPolicy) Empty() bool {
 func (p *RateLimitPolicy) Rules() map[string]kuadrantv1.MergeableRule {
 	rules := make(map[string]kuadrantv1.MergeableRule)
 	policyLocator := p.GetLocator()
+	spec := p.Spec.Proper()
 
-	if len(p.Spec.Proper().When) > 0 {
-		rules[RulesKeyTopLevelPredicates] = kuadrantv1.NewMergeableRule(
-			&WhenPredicatesMergeableRule{When: p.Spec.Proper().When, Source: policyLocator},
-			policyLocator,
-		)
+	if whenPredicates := spec.MergeableWhenPredicates; len(whenPredicates.Predicates) > 0 {
+		rules[RulesKeyTopLevelPredicates] = kuadrantv1.NewMergeableRule(&whenPredicates, policyLocator)
 	}
 
-	for ruleID := range p.Spec.Proper().Limits {
-		limit := p.Spec.Proper().Limits[ruleID]
+	for ruleID := range spec.Limits {
+		limit := spec.Limits[ruleID]
 		rules[ruleID] = kuadrantv1.NewMergeableRule(&limit, policyLocator)
 	}
 
@@ -139,15 +136,15 @@ func (p *RateLimitPolicy) Rules() map[string]kuadrantv1.MergeableRule {
 func (p *RateLimitPolicy) SetRules(rules map[string]kuadrantv1.MergeableRule) {
 	// clear all rules of the policy before setting new ones
 	p.Spec.Proper().Limits = nil
-	p.Spec.Proper().When = nil
+	p.Spec.Proper().Predicates = nil
 
 	if len(rules) > 0 {
 		p.Spec.Proper().Limits = make(map[string]Limit)
 	}
 
 	for ruleID := range rules {
 		if ruleID == RulesKeyTopLevelPredicates {
-			p.Spec.Proper().When = rules[ruleID].(*WhenPredicatesMergeableRule).When
+			p.Spec.Proper().MergeableWhenPredicates = *rules[ruleID].(*MergeableWhenPredicates)
 		} else {
 			p.Spec.Proper().Limits[ruleID] = *rules[ruleID].(*Limit)
 		}
@@ -238,68 +235,13 @@ type MergeableRateLimitPolicySpec struct {
 type RateLimitPolicySpecProper struct {
 	// When holds a list of "top-level" `Predicate`s
 	// +optional
-	When WhenPredicates `json:"when,omitempty"`
+	MergeableWhenPredicates `json:""`
 
 	// Limits holds the struct of limits indexed by a unique name
 	// +optional
 	Limits map[string]Limit `json:"limits,omitempty"`
 }
 
-// Predicate defines one CEL expression that must be evaluated to bool
-type Predicate struct {
-	// +kubebuilder:validation:MinLength=1
-	Predicate string `json:"predicate"`
-}
-
-func NewPredicate(predicate string) Predicate {
-	return Predicate{Predicate: predicate}
-}
-
-type WhenPredicates []Predicate
-
-func NewWhenPredicates(predicates ...string) WhenPredicates {
-	whenPredicates := make(WhenPredicates, 0)
-	for _, predicate := range predicates {
-		whenPredicates = append(whenPredicates, NewPredicate(predicate))
-	}
-
-	return whenPredicates
-}
-
-func (w WhenPredicates) Extend(other WhenPredicates) WhenPredicates {
-	return append(w, other...)
-}
-
-func (w WhenPredicates) Into() []string {
-	if w == nil {
-		return nil
-	}
-
-	return lo.Map(w, func(p Predicate, _ int) string { return p.Predicate })
-}
-
-type WhenPredicatesMergeableRule struct {
-	When WhenPredicates
-
-	// Source stores the locator of the policy where the limit is orignaly defined (internal use)
-	Source string
-}
-
-var _ kuadrantv1.MergeableRule = &WhenPredicatesMergeableRule{}
-
-func (w *WhenPredicatesMergeableRule) GetSpec() any {
-	return w.When
-}
-
-func (w *WhenPredicatesMergeableRule) GetSource() string {
-	return w.Source
-}
-
-func (w *WhenPredicatesMergeableRule) WithSource(source string) kuadrantv1.MergeableRule {
-	w.Source = source
-	return w
-}
-
 type Counter struct {
 	Expression Expression `json:"expression"`
 }