Predicate on our "well-known attributes"

[alexsnaps]

fix to #112

[alexsnaps]

This may need to supersede #110 ... stil wip tho

[alexsnaps]

tl;dr this replaces PatternExpression with CEL Predicates, while keeping the former as a working fallback...

Of interest if probably this change as well, where the whole fn needs to be replace as if cfg!(test) within the method would work, but won't make the linker happy on anything but wasm...

[eguzki]

doc missing. At the very least on README.md.

Doc about routeRuleConditions.predicates list being any or allOf

[eguzki]

I would change the PR tittle. That goes on the auto-generated release notes.

[eguzki]

review still WIP

[alexsnaps]

Just to be clear about the state of this... now that #110 was merged, while broken, let's not merge this quite yet.
I took @didierofrivia work over in supporting "not so well known attribute", i.e. the data coming from authorino. I'll do that in 2 passes, scalar values (e.g. auth.identity.anonymous being resolved as being of type bool and then supporting any expression coming from authorino, expressed as JSON, in there too: List & Object)
I should get the former done by EOD EST, possibly the latter too...

[alexsnaps]

this change has the first step, but I think the latter step is not required because of how the struct is decomposed in process_metadata; that being said reading this on the Authorino side, I'm unsure treating all values as String would actually always work. I'd need to delegate to @didierofrivia or possibly @adam-cattermole that did that integration

[alexsnaps]

If auth isn't indeed part of it, which I think it may well not be, then I think it should be added when we store_metadata... rather than shoving what comes back from Authorino in the metadata struct straight into the KUADRANT_NAMESPACE...

[eguzki]

nice peace of work!

Some minor comments dropped.

Doc is required

[eguzki]

Consider adding some comment to explain this high level.

Some example can help like

A map from properties [["auth", "identity", "user"], ["auth", "identity", "group"]] would be

{
    "auth": Node(
         {
             "identity": Node(
                    {
                          "user": Value(["auth", "identity", "c"]), 
                          "group": Value(["auth", "identity", "group"])
                      }
              )
           }
       )
}

[alexsnaps]

Alright, it should "all" work. i.e. now we store JSON representation of the auth data coming back from authorino, so to not lose the type information... We even get integers! I also added support for getting to headers...

[didierofrivia]

I like this way of defining the fn when it's meant to be mocked for testing and not. Might be worthy to follow the same pattern for the operation dispatcher and grpc message req/res //TODO:(didierofrivia)

[didierofrivia]

LGTM. 💪🏼 🥇 🙏🏼

[alexsnaps]

This is how we've send data to limitador so far, losing the type information... just a string: true, 42, bob looks "good" today

[alexsnaps]

Wondering if we should skip that descriptor entry... this could happen if a value is explicitly set to null in auth ...

[alexsnaps]

Status update: this 🔥 the need for anything but CEL. While the previous ways are still there, they should NOT be used anymore and comes with bunch of caveat... I'll let the code speak for itself as how one can shoot themselves in the foot by going to raw properties/attribute values.

[eguzki]

Left some comments and food for thoughts.

This is not about requesting changes.

From my side, this is ready to be merged

[eguzki]

I was thinking that the auth prefix should come from pub fn process_auth_grpc_response method.

Then, pub fn store_metadata(metastruct: &Struct) could be pub fn store_metadata(prefix: &str, metastruct: &Struct)

My diff

diff --git a/src/data/attribute.rs b/src/data/attribute.rs
index 9e65caa..7888462 100644
--- a/src/data/attribute.rs
+++ b/src/data/attribute.rs
@@ -126,10 +126,10 @@ pub fn set_attribute(attr: &str, value: &[u8]) {
     };
 }
 
-pub fn store_metadata(metastruct: &Struct) {
+pub fn store_metadata(prefix: &str, metastruct: &Struct) {
     let metadata = process_metadata(metastruct, String::new());
     for (key, value) in metadata {
-        let attr = format!("{KUADRANT_NAMESPACE}\\.auth\\.{key}");
+        let attr = format!("{KUADRANT_NAMESPACE}\\.{prefix}\\.{key}");
         debug!("set_attribute: {attr} = {value}");
         set_attribute(attr.as_str(), value.into_bytes().as_slice());
     }
diff --git a/src/service/auth.rs b/src/service/auth.rs
index c8e4a4d..8364a8b 100644
--- a/src/service/auth.rs
+++ b/src/service/auth.rs
@@ -128,7 +128,7 @@ impl AuthService {
     ) -> Result<(), StatusCode> {
         if let GrpcMessageResponse::Auth(check_response) = auth_resp {
             // store dynamic metadata in filter state
-            store_metadata(check_response.get_dynamic_metadata());
+            store_metadata("auth", check_response.get_dynamic_metadata());
 
             match check_response.http_response {
                 Some(CheckResponse_oneof_http_response::ok_response(ok_response)) => {

[eguzki]

What about this debug! macro in pub fn set_attribute(attr: &str, value: &[u8]) ?

[eguzki]

Can you please add a comment saying that attributes set here are accessible with wasm.* prefix?

[eguzki]

can we make key optional? it would default to the expression value (not the referenced value, though).

[alexsnaps]

I think it makes for a very horrible default, but... 🤷

[alexsnaps]

@eguzki This is my gift to you... you all of course :)
Do whatever you want with the PR! You have my blessing. I need to move on here...