From face4ef24511f8bc90baa12568d6ea4d2a4d1f51 Mon Sep 17 00:00:00 2001 From: Guilherme Cassolato Date: Mon, 4 Sep 2023 12:03:49 +0200 Subject: [PATCH] AuthPolicy v1beta2 Defines new `v1beta2` version of the `AuthPolicy` CRD, based on Authorino's `AuthConfig/v1beta2`. Closes #247 Depends on https://github.com/Kuadrant/authorino/pull/417, https://github.com/Kuadrant/authorino-operator/pull/137 --- api/v1beta1/zz_generated.deepcopy.go | 220 -- api/{v1beta1 => v1beta2}/authpolicy_types.go | 68 +- api/v1beta2/zz_generated.deepcopy.go | 204 + ...adrant-operator.clusterserviceversion.yaml | 59 +- .../manifests/kuadrant.io_authpolicies.yaml | 3433 ++++++++++------- bundle/manifests/kuadrant.io_kuadrants.yaml | 11 - .../kuadrant.io_ratelimitpolicies.yaml | 69 + .../crd/bases/kuadrant.io_authpolicies.yaml | 3433 ++++++++++------- config/crd/bases/kuadrant.io_kuadrants.yaml | 11 - .../bases/kuadrant.io_ratelimitpolicies.yaml | 69 + controllers/authpolicy_auth_config.go | 30 +- controllers/authpolicy_controller.go | 2 +- controllers/authpolicy_controller_test.go | 101 +- .../authpolicy_istio_authorization_policy.go | 6 +- controllers/authpolicy_status.go | 13 +- .../authenticated-rl-for-app-developers.md | 39 +- ...uthenticated-rl-with-jwt-and-k8s-authnz.md | 50 +- examples/toystore/authpolicy.yaml | 52 +- .../toystore/authpolicy_jwt-k8s-authnz.yaml | 23 +- go.mod | 61 +- go.sum | 750 ++++ 21 files changed, 5254 insertions(+), 3450 deletions(-) rename api/{v1beta1 => v1beta2}/authpolicy_types.go (60%) diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index c66c17f0f..e461ad89a 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -22,230 +22,10 @@ limitations under the License. package v1beta1 import ( - apiv1beta1 "github.com/kuadrant/authorino/api/v1beta1" "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthPolicy) DeepCopyInto(out *AuthPolicy) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicy. -func (in *AuthPolicy) DeepCopy() *AuthPolicy { - if in == nil { - return nil - } - out := new(AuthPolicy) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *AuthPolicy) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthPolicyList) DeepCopyInto(out *AuthPolicyList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]AuthPolicy, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyList. -func (in *AuthPolicyList) DeepCopy() *AuthPolicyList { - if in == nil { - return nil - } - out := new(AuthPolicyList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *AuthPolicyList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthPolicySpec) DeepCopyInto(out *AuthPolicySpec) { - *out = *in - in.TargetRef.DeepCopyInto(&out.TargetRef) - if in.AuthRules != nil { - in, out := &in.AuthRules, &out.AuthRules - *out = make([]AuthRule, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - in.AuthScheme.DeepCopyInto(&out.AuthScheme) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicySpec. -func (in *AuthPolicySpec) DeepCopy() *AuthPolicySpec { - if in == nil { - return nil - } - out := new(AuthPolicySpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthPolicyStatus) DeepCopyInto(out *AuthPolicyStatus) { - *out = *in - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]v1.Condition, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyStatus. -func (in *AuthPolicyStatus) DeepCopy() *AuthPolicyStatus { - if in == nil { - return nil - } - out := new(AuthPolicyStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthRule) DeepCopyInto(out *AuthRule) { - *out = *in - if in.Hosts != nil { - in, out := &in.Hosts, &out.Hosts - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.Methods != nil { - in, out := &in.Methods, &out.Methods - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.Paths != nil { - in, out := &in.Paths, &out.Paths - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthRule. -func (in *AuthRule) DeepCopy() *AuthRule { - if in == nil { - return nil - } - out := new(AuthRule) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthSchemeSpec) DeepCopyInto(out *AuthSchemeSpec) { - *out = *in - if in.Patterns != nil { - in, out := &in.Patterns, &out.Patterns - *out = make(map[string]apiv1beta1.JSONPatternExpressions, len(*in)) - for key, val := range *in { - var outVal []apiv1beta1.JSONPatternExpression - if val == nil { - (*out)[key] = nil - } else { - in, out := &val, &outVal - *out = make(apiv1beta1.JSONPatternExpressions, len(*in)) - copy(*out, *in) - } - (*out)[key] = outVal - } - } - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]apiv1beta1.JSONPattern, len(*in)) - copy(*out, *in) - } - if in.Identity != nil { - in, out := &in.Identity, &out.Identity - *out = make([]*apiv1beta1.Identity, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1beta1.Identity) - (*in).DeepCopyInto(*out) - } - } - } - if in.Metadata != nil { - in, out := &in.Metadata, &out.Metadata - *out = make([]*apiv1beta1.Metadata, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1beta1.Metadata) - (*in).DeepCopyInto(*out) - } - } - } - if in.Authorization != nil { - in, out := &in.Authorization, &out.Authorization - *out = make([]*apiv1beta1.Authorization, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1beta1.Authorization) - (*in).DeepCopyInto(*out) - } - } - } - if in.Response != nil { - in, out := &in.Response, &out.Response - *out = make([]*apiv1beta1.Response, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1beta1.Response) - (*in).DeepCopyInto(*out) - } - } - } - if in.DenyWith != nil { - in, out := &in.DenyWith, &out.DenyWith - *out = new(apiv1beta1.DenyWith) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthSchemeSpec. -func (in *AuthSchemeSpec) DeepCopy() *AuthSchemeSpec { - if in == nil { - return nil - } - out := new(AuthSchemeSpec) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Kuadrant) DeepCopyInto(out *Kuadrant) { *out = *in diff --git a/api/v1beta1/authpolicy_types.go b/api/v1beta2/authpolicy_types.go similarity index 60% rename from api/v1beta1/authpolicy_types.go rename to api/v1beta2/authpolicy_types.go index d17abb350..141f7c3ea 100644 --- a/api/v1beta1/authpolicy_types.go +++ b/api/v1beta2/authpolicy_types.go @@ -1,59 +1,71 @@ -package v1beta1 +package v1beta2 import ( "fmt" "github.com/go-logr/logr" "github.com/google/go-cmp/cmp" - authorinov1beta1 "github.com/kuadrant/authorino/api/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gatewayapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" + authorinoapi "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/kuadrant-operator/pkg/common" ) type AuthSchemeSpec struct { - // Named sets of JSON patterns that can be referred in `when` conditionals and in JSON-pattern matching policy rules. - Patterns map[string]authorinov1beta1.JSONPatternExpressions `json:"patterns,omitempty"` + // Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules. + // +optional + NamedPatterns map[string]authorinoapi.PatternExpressions `json:"patterns,omitempty"` + + // Overall conditions for the AuthPolicy to be enforced. + // If omitted, the AuthPolicy will be enforced at all requests to the protected routes. + // If present, all conditions must match for the AuthPolicy to be enforced; otherwise, the authorization service skips the AuthPolicy and returns to the auth request with status OK. + // +optional + Conditions []authorinoapi.PatternExpressionOrRef `json:"when,omitempty"` - // Conditions for the AuthConfig to be enforced. - // If omitted, the AuthConfig will be enforced for all requests. - // If present, all conditions must match for the AuthConfig to be enforced; otherwise, Authorino skips the AuthConfig and returns immediately with status OK. - Conditions []authorinov1beta1.JSONPattern `json:"when,omitempty"` + // TODO(@guicassolato): define top-level `routeSelectors` - // List of identity sources/authentication modes. - // At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. - Identity []*authorinov1beta1.Identity `json:"identity,omitempty"` + // Authentication configs. + // At least one config MUST evaluate to a valid identity object for the auth request to be successful. + // +optional + Authentication map[string]authorinoapi.AuthenticationSpec `json:"authentication,omitempty"` - // List of metadata source configs. - // Authorino fetches JSON content from sources on this list on every request. - Metadata []*authorinov1beta1.Metadata `json:"metadata,omitempty"` + // Metadata sources. + // Authorino fetches auth metadata as JSON from sources specified in this config. + // +optional + Metadata map[string]authorinoapi.MetadataSpec `json:"metadata,omitempty"` - // Authorization is the list of authorization policies. - // All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. - Authorization []*authorinov1beta1.Authorization `json:"authorization,omitempty"` + // Authorization policies. + // All policies MUST evaluate to "allowed = true" for the auth request be successful. + // +optional + Authorization map[string]authorinoapi.AuthorizationSpec `json:"authorization,omitempty"` - // List of response configs. - // Authorino gathers data from the auth pipeline to build custom responses for the client. - Response []*authorinov1beta1.Response `json:"response,omitempty"` + // Response items. + // Authorino builds custom responses to the client of the auth request. + // +optional + Response *authorinoapi.ResponseSpec `json:"response,omitempty"` - // Custom denial response codes, statuses and headers to override default 40x's. - DenyWith *authorinov1beta1.DenyWith `json:"denyWith,omitempty"` + // Callback functions. + // Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. + // +optional + Callbacks map[string]authorinoapi.CallbackSpec `json:"callbacks,omitempty"` } type AuthPolicySpec struct { // TargetRef identifies an API object to apply policy to. TargetRef gatewayapiv1alpha2.PolicyTargetReference `json:"targetRef"` - // Rule describe the requests that will be routed to external authorization provider - AuthRules []AuthRule `json:"rules,omitempty"` + // Route rules specify the HTTP route attributes that trigger the external authorization service + // TODO(@guicassolato): remove – conditions to trigger the ext-authz service will be computed from `routeSelectors` + RouteRules []RouteRule `json:"routes,omitempty"` - // AuthSchemes are embedded Authorino's AuthConfigs - AuthScheme AuthSchemeSpec `json:"authScheme,omitempty"` + // The auth rules of the policy. + // See Authorino's AuthConfig CRD for more details. + AuthScheme AuthSchemeSpec `json:"rules,omitempty"` } -type AuthRule struct { +type RouteRule struct { Hosts []string `json:"hosts,omitempty"` Methods []string `json:"methods,omitempty"` Paths []string `json:"paths,omitempty"` @@ -144,7 +156,7 @@ func (ap *AuthPolicy) GetWrappedNamespace() gatewayapiv1beta1.Namespace { func (ap *AuthPolicy) GetRulesHostnames() (ruleHosts []string) { ruleHosts = make([]string, 0) - for _, rule := range ap.Spec.AuthRules { + for _, rule := range ap.Spec.RouteRules { ruleHosts = append(ruleHosts, rule.Hosts...) } return diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go index 94ad44d76..c13b4d6c5 100644 --- a/api/v1beta2/zz_generated.deepcopy.go +++ b/api/v1beta2/zz_generated.deepcopy.go @@ -22,11 +22,185 @@ limitations under the License. package v1beta2 import ( + apiv1beta2 "github.com/kuadrant/authorino/api/v1beta2" "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" "sigs.k8s.io/gateway-api/apis/v1beta1" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthPolicy) DeepCopyInto(out *AuthPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicy. +func (in *AuthPolicy) DeepCopy() *AuthPolicy { + if in == nil { + return nil + } + out := new(AuthPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *AuthPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthPolicyList) DeepCopyInto(out *AuthPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]AuthPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyList. +func (in *AuthPolicyList) DeepCopy() *AuthPolicyList { + if in == nil { + return nil + } + out := new(AuthPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *AuthPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthPolicySpec) DeepCopyInto(out *AuthPolicySpec) { + *out = *in + in.TargetRef.DeepCopyInto(&out.TargetRef) + if in.RouteRules != nil { + in, out := &in.RouteRules, &out.RouteRules + *out = make([]RouteRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.AuthScheme.DeepCopyInto(&out.AuthScheme) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicySpec. +func (in *AuthPolicySpec) DeepCopy() *AuthPolicySpec { + if in == nil { + return nil + } + out := new(AuthPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthPolicyStatus) DeepCopyInto(out *AuthPolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyStatus. +func (in *AuthPolicyStatus) DeepCopy() *AuthPolicyStatus { + if in == nil { + return nil + } + out := new(AuthPolicyStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthSchemeSpec) DeepCopyInto(out *AuthSchemeSpec) { + *out = *in + if in.NamedPatterns != nil { + in, out := &in.NamedPatterns, &out.NamedPatterns + *out = make(map[string]apiv1beta2.PatternExpressions, len(*in)) + for key, val := range *in { + var outVal []apiv1beta2.PatternExpression + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = make(apiv1beta2.PatternExpressions, len(*in)) + copy(*out, *in) + } + (*out)[key] = outVal + } + } + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]apiv1beta2.PatternExpressionOrRef, len(*in)) + copy(*out, *in) + } + if in.Authentication != nil { + in, out := &in.Authentication, &out.Authentication + *out = make(map[string]apiv1beta2.AuthenticationSpec, len(*in)) + for key, val := range *in { + (*out)[key] = *val.DeepCopy() + } + } + if in.Metadata != nil { + in, out := &in.Metadata, &out.Metadata + *out = make(map[string]apiv1beta2.MetadataSpec, len(*in)) + for key, val := range *in { + (*out)[key] = *val.DeepCopy() + } + } + if in.Authorization != nil { + in, out := &in.Authorization, &out.Authorization + *out = make(map[string]apiv1beta2.AuthorizationSpec, len(*in)) + for key, val := range *in { + (*out)[key] = *val.DeepCopy() + } + } + if in.Response != nil { + in, out := &in.Response, &out.Response + *out = new(apiv1beta2.ResponseSpec) + (*in).DeepCopyInto(*out) + } + if in.Callbacks != nil { + in, out := &in.Callbacks, &out.Callbacks + *out = make(map[string]apiv1beta2.CallbackSpec, len(*in)) + for key, val := range *in { + (*out)[key] = *val.DeepCopy() + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthSchemeSpec. +func (in *AuthSchemeSpec) DeepCopy() *AuthSchemeSpec { + if in == nil { + return nil + } + out := new(AuthSchemeSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Limit) DeepCopyInto(out *Limit) { *out = *in @@ -183,6 +357,36 @@ func (in *RateLimitPolicyStatus) DeepCopy() *RateLimitPolicyStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RouteRule) DeepCopyInto(out *RouteRule) { + *out = *in + if in.Hosts != nil { + in, out := &in.Hosts, &out.Hosts + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Methods != nil { + in, out := &in.Methods, &out.Methods + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Paths != nil { + in, out := &in.Paths, &out.Paths + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteRule. +func (in *RouteRule) DeepCopy() *RouteRule { + if in == nil { + return nil + } + out := new(RouteRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RouteSelector) DeepCopyInto(out *RouteSelector) { *out = *in diff --git a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml index cf15c79cf..10062d75f 100644 --- a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml +++ b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml @@ -4,57 +4,6 @@ metadata: annotations: alm-examples: |- [ - { - "apiVersion": "kuadrant.io/v1beta1", - "kind": "AuthPolicy", - "metadata": { - "name": "toystore" - }, - "spec": { - "authScheme": { - "identity": [ - { - "apiKey": { - "allNamespaces": true, - "selector": { - "matchLabels": { - "app": "toystore" - } - } - }, - "credentials": { - "in": "authorization_header", - "keySelector": "APIKEY" - }, - "name": "friends" - } - ], - "response": [ - { - "json": { - "properties": [ - { - "name": "userID", - "valueFrom": { - "authJSON": "auth.identity.metadata.annotations.secret\\.kuadrant\\.io/user-id" - } - } - ] - }, - "name": "rate-limit-apikey", - "wrapper": "envoyDynamicMetadata", - "wrapperKey": "ext_auth_data" - } - ] - }, - "rules": null, - "targetRef": { - "group": "gateway.networking.k8s.io", - "kind": "HTTPRoute", - "name": "toystore" - } - } - }, { "apiVersion": "kuadrant.io/v1beta1", "kind": "Kuadrant", @@ -92,7 +41,7 @@ metadata: capabilities: Basic Install categories: Integration & Delivery containerImage: quay.io/kuadrant/kuadrant-operator:latest - createdAt: "2023-07-11T10:58:10Z" + createdAt: "2023-09-04T10:02:37Z" operators.operatorframework.io/builder: operator-sdk-v1.28.1 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/Kuadrant/kuadrant-operator @@ -103,11 +52,9 @@ spec: apiservicedefinitions: {} customresourcedefinitions: owned: - - description: Enable AuthN and AuthZ based access control on workloads - displayName: AuthPolicy - kind: AuthPolicy + - kind: AuthPolicy name: authpolicies.kuadrant.io - version: v1beta1 + version: v1beta2 - description: Kuadrant is the Schema for the kuadrants API displayName: Kuadrant kind: Kuadrant diff --git a/bundle/manifests/kuadrant.io_authpolicies.yaml b/bundle/manifests/kuadrant.io_authpolicies.yaml index bc004b947..eff23b4bc 100644 --- a/bundle/manifests/kuadrant.io_authpolicies.yaml +++ b/bundle/manifests/kuadrant.io_authpolicies.yaml @@ -16,7 +16,7 @@ spec: singular: authpolicy scope: Namespaced versions: - - name: v1beta1 + - name: v1beta2 schema: openAPIV3Schema: properties: @@ -34,226 +34,123 @@ spec: type: object spec: properties: - authScheme: - description: AuthSchemes are embedded Authorino's AuthConfigs + routes: + description: 'Route rules specify the HTTP route attributes that trigger + the external authorization service TODO(@guicassolato): remove – + conditions to trigger the ext-authz service will be computed from + `routeSelectors`' + items: + properties: + hosts: + items: + type: string + type: array + methods: + items: + type: string + type: array + paths: + items: + type: string + type: array + type: object + type: array + rules: + description: The auth rules of the policy. See Authorino's AuthConfig + CRD for more details. properties: - authorization: - description: Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request - be successful in the authorization phase. - items: - description: 'Authorization policy to be enforced. Apart from - "name", one of the following parameters is required and only - one of the following parameters is allowed: "opa", "json" - or "kubernetes".' + authentication: + additionalProperties: properties: - authzed: - description: Authzed authorization + anonymous: + description: Anonymous access. + type: object + apiKey: + description: Authentication based on API keys stored in + Kubernetes secrets. properties: - endpoint: - description: Endpoint of the Authzed service. - type: string - insecure: - description: Insecure HTTP connection (i.e. disables - TLS verification) + allNamespaces: + default: false + description: Whether Authorino should look for API key + secrets in all namespaces or only in the same namespace + as the AuthConfig. Enabling this option in namespaced + Authorino instances has no effect. type: boolean - permission: - description: The name of the permission (or relation) - on which to execute the check. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - resource: - description: The resource on which to check the permission - or relation. - properties: - kind: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - name: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - type: object - sharedSecretRef: - description: Reference to a Secret key whose value will - be used by Authorino to authenticate with the Authzed - service. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - subject: - description: The subject that will be checked for the - permission or relation. + selector: + description: Label selector used by Authorino to match + secrets from the cluster storing valid credentials + to authenticate to this service properties: - kind: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - name: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: type: string - type: object + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - - endpoint + - selector type: object cache: - description: Caching options for the policy evaluation results - when enforcing this config. Omit it to avoid caching policy - evaluation results for this config. + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. properties: key: description: Key used to store the entry in the cache. - Cache entries from different metadata configs are - stored and managed separately regardless of the key. + The resolved key must be unique within the scope of + this particular config. properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string value: description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object + x-kubernetes-preserve-unknown-fields: true type: object ttl: default: 60 @@ -263,360 +160,179 @@ spec: required: - key type: object - json: - description: JSON pattern matching authorization policy. + credentials: + description: Defines where credentials are required to be + passed in the request for authentication based on this + config. If omitted, it defaults to credentials passed + in the HTTP Authorization header and the "Bearer" prefix + prepended to the secret credential value. properties: - rules: - description: The rules that must all evaluate to "true" - for the request to be authorized. - items: - properties: - operator: - description: 'The binary operator to be applied - to the content fetched from the authorization - JSON, for comparison with "value". Possible - values are: "eq" (equal to), "neq" (not equal - to), "incl" (includes; for arrays), "excl" (excludes; - for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the - input authorization JSON built by Authorino - along the identity and metadata phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the - value must compile to a valid Golang regex. - type: string - type: object - type: array - required: - - rules + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + prefix: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + defaults: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Set default property values (claims) for the + resolved identity object, that are set before appending + the object to the authorization JSON. If the property + is already present in the resolved identity object, the + default value is ignored. It requires the resolved identity + object to always be a JSON object. Do not use this option + with identity objects of other JSON types (array, string, + etc). type: object - kubernetes: - description: Kubernetes authorization policy based on `SubjectAccessReview` - Path and Verb are inferred from the request. + jwt: + description: Authentication based on JWT tokens. properties: - groups: - description: Groups to test for. + issuerUrl: + description: URL of the issuer of the JWT. If `jwksUrl` + is omitted, Authorino will append the path to the + OpenID Connect Well-Known Discovery endpoint (i.e. + "/.well-known/openid-configuration") to this URL, + to discover the OIDC configuration where to obtain + the "jkws_uri" claim from. The value must coincide + with the value of the "iss" (issuer) claim of the + discovered OpenID Connect configuration. + type: string + jwksUrl: + description: URL of the JSON Web Ket Set (JWKS) endpoint. + Use this if the issuer of the JWT tokens is not an + OIDC provider or does not implement OIDC Discovery. + type: string + ttl: + description: Decides how long to wait before refreshing + the JWKS (in seconds). If omitted, Authorino will + never refresh the JWKS. + type: integer + type: object + kubernetesTokenReview: + description: Authentication by Kubernetes token review. + properties: + audiences: + description: The list of audiences (scopes) that must + be claimed in a Kubernetes authentication token supplied + in the request, and reviewed by Authorino. If omitted, + Authorino will review tokens expecting the host name + of the requested protected service amongst the audiences. items: type: string type: array - resourceAttributes: - description: Use ResourceAttributes for checking permissions - on Kubernetes resources If omitted, it performs a - non-resource `SubjectAccessReview`, with verb and - path inferred from the request. + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + oauth2Introspection: + description: Authentication by OAuth2 token introspection. + properties: + credentialsRef: + description: Reference to a Kubernetes secret in the + same namespace, that stores client credentials to + the OAuth2 server. properties: - group: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object name: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - namespace: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - resource: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - subresource: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - verb: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a - value from a dynamic source (e.g. a path pattern - of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value - from the authorization JSON. It can be - any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any patterns - supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - type: object - type: object - user: - description: User to test for. If without "Groups", - then is it interpreted as "What if User were not a - member of any groups" - properties: - value: - description: Static value + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object type: object + x-kubernetes-map-type: atomic + endpoint: + description: The full URL of the token introspection + endpoint. + type: string + tokenTypeHint: + description: The token type hint for the token introspection. + If omitted, it defaults to "access_token". + type: string required: - - user + - credentialsRef + - endpoint type: object - metrics: - default: false - description: Whether this authorization config should generate - individual observability metrics - type: boolean - name: - description: Name of the authorization policy. It can be - used to refer to the resolved authorization object in - other configs. - type: string - opa: - description: Open Policy Agent (OPA) authorization policy. + overrides: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Overrides the resolved identity object by setting + the additional properties (claims) specified in this config, + before appending the object to the authorization JSON. + It requires the resolved identity object to always be + a JSON object. Do not use this option with identity objects + of other JSON types (array, string, etc). + type: object + plain: + description: Identity object extracted from the context. + Use this method when authentication is performed beforehand + by a proxy and the resulting object passed to Authorino + as JSON in the auth request. properties: - allValues: - default: false - description: Returns the value of all Rego rules in - the virtual document. Values can be read in subsequent - evaluators/phases of the Auth Pipeline. Otherwise, - only the default `allow` rule will be exposed. Returning - all Rego rules can affect performance of OPA policies - during reconciliation (policy precompile) and at runtime. - type: boolean - externalRegistry: - description: External registry of OPA policies. - properties: - credentials: - description: Defines where client credentials will - be passed in the request to the service. If omitted, - it defaults to client credentials passed in the - HTTP Authorization header and the "Bearer" prefix - expected prepended to the secret value. - properties: - in: - default: authorization_header - description: The location in the request where - client credentials shall be passed on requests - authenticating with this identity source/authentication - mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` - parameter. When used with `authorization_header`, - the value is the prefix of the client credentials - string, separated by a white-space, in the - HTTP Authorization header (e.g. "Bearer", - "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name - of the HTTP header, query string parameter - or cookie key, respectively. - type: string - required: - - keySelector - type: object - endpoint: - description: Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text - or application/json content-type. In the latter - case, the JSON returned in the body must include - a path `result.raw`, where the raw Rego policy - will be extracted from. This complies with the - specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). - type: string - sharedSecretRef: - description: Reference to a Secret key whose value - will be passed by Authorino in the request. The - HTTP service can use the shared secret to authenticate - the origin of the request. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - ttl: - description: Duration (in seconds) of the external - data in the cache before pulled again from the - source. - type: integer - type: object - inlineRego: - description: Authorization policy as a Rego language - document. The Rego document must include the "allow" - condition, set by Authorino to "false" by default - (i.e. requests are unauthorized unless changed). The - Rego document must NOT include the "package" declaration - in line 1. + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve to + patterns (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string + required: + - selector type: object priority: default: 0 @@ -625,10 +341,10 @@ spec: priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this authorization - policy. If omitted, the config will be enforced for all - requests. If present, all conditions must match for the - config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. items: properties: operator: @@ -646,13 +362,14 @@ spec: - matches type: string patternRef: - description: Name of a named pattern + description: Reference to a named set of pattern expressions type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: description: The value of reference for the comparison @@ -662,225 +379,24 @@ spec: type: string type: object type: array - required: - - name - type: object - type: array - denyWith: - description: Custom denial response codes, statuses and headers - to override default 40x's. - properties: - unauthenticated: - description: Denial status customization when the request - is unauthenticated. - properties: - body: - description: HTTP response body to override the default - denial body. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - code: - description: HTTP status code to override the default - denial status code. - format: int64 - maximum: 599 - minimum: 300 - type: integer - headers: - description: HTTP response headers to override the default - denial headers. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - required: - - name - type: object - type: array - message: - description: HTTP message to override the default denial - message. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - type: object - unauthorized: - description: Denial status customization when the request - is unauthorized. - properties: - body: - description: HTTP response body to override the default - denial body. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - code: - description: HTTP status code to override the default - denial status code. - format: int64 - maximum: 599 - minimum: 300 - type: integer - headers: - description: HTTP response headers to override the default - denial headers. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - required: - - name - type: object - type: array - message: - description: HTTP message to override the default denial - message. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - type: object - type: object - identity: - description: List of identity sources/authentication modes. At - least one config of this list MUST evaluate to a valid identity - for a request to be successful in the identity verification - phase. - items: - description: 'The identity source/authentication mode config. - Apart from "name", one of the following parameters is required - and only one of the following parameters is allowed: "oicd", - "apiKey" or "kubernetes".' - properties: - anonymous: - type: object - apiKey: + x509: + description: Authentication based on client X.509 certificates. + The certificates presented by the clients must be signed + by a trusted CA whose certificates are stored in Kubernetes + secrets. properties: allNamespaces: default: false - description: Whether Authorino should look for API key - secrets in all namespaces or only in the same namespace - as the AuthConfig. Enabling this option in namespaced + description: Whether Authorino should look for TLS secrets + in all namespaces or only in the same namespace as + the AuthConfig. Enabling this option in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to match - secrets from the cluster storing valid credentials - to authenticate to this service + secrets from the cluster storing trusted CA certificates + to validate clients trying to authenticate to this + service properties: matchExpressions: description: matchExpressions is a list of label @@ -929,36 +445,37 @@ spec: required: - selector type: object - cache: - description: Caching options for the identity resolved when - applying this config. Omit it to avoid caching identity - objects for this config. + type: object + description: Authentication configs. At least one config MUST + evaluate to a valid identity object for the auth request to + be successful. + type: object + authorization: + additionalProperties: + properties: + cache: + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. properties: key: description: Key used to store the entry in the cache. - Cache entries from different metadata configs are - stored and managed separately regardless of the key. + The resolved key must be unique within the scope of + this particular config. properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string value: description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object + x-kubernetes-preserve-unknown-fields: true type: object ttl: default: 60 @@ -968,222 +485,891 @@ spec: required: - key type: object - credentials: - description: Defines where client credentials are required - to be passed in the request for this identity source/authentication - mode. If omitted, it defaults to client credentials passed - in the HTTP Authorization header and the "Bearer" prefix - expected prepended to the credentials value (token, API - key, etc). - properties: - in: - default: authorization_header - description: The location in the request where client - credentials shall be passed on requests authenticating - with this identity source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is - the prefix of the client credentials string, separated - by a white-space, in the HTTP Authorization header - (e.g. "Bearer", "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name of the - HTTP header, query string parameter or cookie key, - respectively. - type: string - required: - - keySelector - type: object - extendedProperties: - description: Extends the resolved identity object with additional - custom properties before appending to the authorization - JSON. It requires the resolved identity object to always - be of the JSON type 'object'. Other JSON types (array, - string, etc) will break. - items: - properties: - name: - description: The name of the JSON property - type: string - overwrite: - default: false - description: Whether the value should overwrite the - value of an existing property with the same name. - type: boolean - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - required: - - name - type: object - type: array - kubernetes: + kubernetesSubjectAccessReview: + description: Authorization by Kubernetes SubjectAccessReview properties: - audiences: - description: The list of audiences (scopes) that must - be claimed in a Kubernetes authentication token supplied - in the request, and reviewed by Authorino. If omitted, - Authorino will review tokens expecting the host name - of the requested protected service amongst the audiences. + groups: + description: Groups the user must be a member of or, + if `user` is omitted, the groups to check for authorization + in the Kubernetes RBAC. items: type: string type: array + resourceAttributes: + description: Use resourceAttributes to check permissions + on Kubernetes resources. If omitted, it performs a + non-resource SubjectAccessReview, with verb and path + inferred from the request. + properties: + group: + description: API group of the resource. Use '*' + for all API groups. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + description: Resource name Omit it to check for + authorization on all resources of the specified + kind. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + namespace: + description: Namespace where the user must have + permissions on the resource. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + resource: + description: Resource kind Use '*' for all resource + kinds. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + subresource: + description: Subresource kind + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + verb: + description: Verb to check for authorization on + the resource. Use '*' for all verbs. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + user: + description: User to check for authorization in the + Kubernetes RBAC. Omit it to check for group authorization + only. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object type: object metrics: default: false - description: Whether this identity config should generate - individual observability metrics + description: Whether this config should generate individual + observability metrics type: boolean - mtls: + opa: + description: Open Policy Agent (OPA) Rego policy. properties: - allNamespaces: + allValues: default: false - description: Whether Authorino should look for TLS secrets - in all namespaces or only in the same namespace as - the AuthConfig. Enabling this option in namespaced - Authorino instances has no effect. + description: Returns the value of all Rego rules in + the virtual document. Values can be read in subsequent + evaluators/phases of the Auth Pipeline. Otherwise, + only the default `allow` rule will be exposed. Returning + all Rego rules can affect performance of OPA policies + during reconciliation (policy precompile) and at runtime. type: boolean - selector: - description: Label selector used by Authorino to match - secrets from the cluster storing trusted CA certificates - to validate clients trying to authenticate to this - service + externalPolicy: + description: External registry of OPA policies. properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + body: + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set + parameters as query string in the 'endpoint' (placeholders + can be used). + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true type: object - type: array - matchLabels: + description: Custom parameters to encode in the + body of the HTTP request. Superseded by 'body'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string + in the 'endpoint' (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with + method=POST; for GET requests, Content-Type is + automatically set to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will + be passed in the request to the service. If omitted, + it defaults to client credentials passed in the + HTTP Authorization header and the "Bearer" prefix + expected prepended to the secret value. + properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + prefix: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + insecure: + description: Insecure HTTP connection (i.e. disables + TLS verification) + type: boolean + method: + default: GET + description: 'HTTP verb used in the request to the + service. Accepted values: GET (default), POST. + When the request method is POST, the authorization + JSON is passed in the body of the request.' + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service + by OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: Caches and reuses the token until + expired. Set it to false to force fetch the + token at every authorization request regardless + of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret + key that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the + Authorino's namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the + requests to the token URL. + type: object + scopes: + description: Optional scopes for the client + credentials grant, if supported by he OAuth2 + server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 + resource server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: Reference to a Secret key whose value + will be passed by Authorino in the request. The + HTTP service can use the shared secret to authenticate + the origin of the request. Ignored if used together + with oauth2. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name type: object + ttl: + description: Duration (in seconds) of the external + data in the cache before pulled again from the + source. + type: integer + url: + description: Endpoint URL of the HTTP service. The + value can include variable placeholders in the + format "{selector}", where "selector" is any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={request.path} + type: string + required: + - url + type: object + rego: + description: Authorization policy as a Rego language + document. The Rego document must include the "allow" + condition, set by Authorino to "false" by default + (i.e. requests are unauthorized unless changed). The + Rego document must NOT include the "package" declaration + in line 1. + type: string + type: object + patternMatching: + description: Pattern-matching authorization rules. + properties: + patterns: + items: + properties: + operator: + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not equal + to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + selector: + description: Path selector to fetch content from + the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the + value must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - patterns + type: object + priority: + default: 0 + description: Priority group of the config. All configs in + the same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + spicedb: + description: Authorization decision delegated to external + Authzed/SpiceDB server. + properties: + endpoint: + description: Hostname and port number to the GRPC interface + of the SpiceDB server (e.g. spicedb:50051). + type: string + insecure: + description: Insecure HTTP connection (i.e. disables + TLS verification) + type: boolean + permission: + description: The name of the permission (or relation) + on which to execute the check. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + resource: + description: The resource on which to check the permission + or relation. + properties: + kind: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + sharedSecretRef: + description: Reference to a Secret key whose value will + be used by Authorino to authenticate with the Authzed + service. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + subject: + description: The subject that will be checked for the + permission or relation. + properties: + kind: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + required: + - endpoint + type: object + when: + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. + items: + properties: + operator: + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern expressions + type: string + selector: + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. + type: string + type: object + type: array + type: object + description: Authorization policies. All policies MUST evaluate + to "allowed = true" for the auth request be successful. + type: object + callbacks: + additionalProperties: + properties: + cache: + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. + properties: + key: + description: Key used to store the entry in the cache. + The resolved key must be unique within the scope of + this particular config. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + http: + description: Settings of the external HTTP request + properties: + body: + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. Use + it with method=POST; for GET requests, set parameters + as query string in the 'endpoint' (placeholders can + be used). + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom parameters to encode in the body + of the HTTP request. Superseded by 'body'; use either + one or the other. Use it with method=POST; for GET + requests, set parameters as query string in the 'endpoint' + (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set + to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. + properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + prefix: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + insecure: + description: Insecure HTTP connection (i.e. disables + TLS verification) + type: boolean + method: + default: GET + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in + the body of the request.' + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service by + OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret key + that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the requests + to the token URL. + type: object + scopes: + description: Optional scopes for the client credentials + grant, if supported by he OAuth2 server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 resource + server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl type: object - x-kubernetes-map-type: atomic - required: - - selector - type: object - name: - description: The name of this identity source/authentication - mode. It usually identifies a source of identities or - group of users/clients of the protected service. It can - be used to refer to the resolved identity object in other - configs. - type: string - oauth2: - properties: - credentialsRef: - description: Reference to a Kubernetes secret in the - same namespace, that stores client credentials to - the OAuth2 server. + sharedSecretRef: + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. Ignored if used together with oauth2. properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: The name of the secret in the Authorino's + namespace to select from. type: string + required: + - key + - name type: object - x-kubernetes-map-type: atomic - tokenIntrospectionUrl: - description: The full URL of the token introspection - endpoint. - type: string - tokenTypeHint: - description: The token type hint for the token introspection. - If omitted, it defaults to "access_token". - type: string - required: - - credentialsRef - - tokenIntrospectionUrl - type: object - oidc: - properties: - endpoint: - description: Endpoint of the OIDC issuer. Authorino - will append to this value the well-known path to the - OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), - used to automatically discover the OpenID Connect - configuration, whose set of claims is expected to - include (among others) the "jkws_uri" claim. The value - must coincide with the value of the "iss" (issuer) - claim of the discovered OpenID Connect configuration. + url: + description: Endpoint URL of the HTTP service. The value + can include variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. + https://ext-auth-server.io/metadata?p={request.path} type: string - ttl: - description: Decides how long to wait before refreshing - the OIDC configuration (in seconds). - type: integer required: - - endpoint - type: object - plain: - properties: - authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders that - resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string + - url type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean priority: default: 0 description: Priority group of the config. All configs in @@ -1191,10 +1377,10 @@ spec: priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this identity - config. If omitted, the config will be enforced for all - requests. If present, all conditions must match for the - config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. items: properties: operator: @@ -1212,13 +1398,14 @@ spec: - matches type: string patternRef: - description: Name of a named pattern + description: Reference to a named set of pattern expressions type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: description: The value of reference for the comparison @@ -1229,47 +1416,38 @@ spec: type: object type: array required: - - name + - http type: object - type: array + description: Callback functions. Authorino sends callbacks at + the end of the auth pipeline to the endpoints specified in this + config. + type: object metadata: - description: List of metadata source configs. Authorino fetches - JSON content from sources on this list on every request. - items: - description: 'The metadata config. Apart from "name", one of - the following parameters is required and only one of the following - parameters is allowed: "http", userInfo" or "uma".' + additionalProperties: properties: cache: - description: Caching options for the external metadata fetched - when applying this config. Omit it to avoid caching metadata - from this source. + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. properties: key: description: Key used to store the entry in the cache. - Cache entries from different metadata configs are - stored and managed separately regardless of the key. + The resolved key must be unique within the scope of + this particular config. properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string value: description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object + x-kubernetes-preserve-unknown-fields: true type: object ttl: default: 60 @@ -1280,8 +1458,7 @@ spec: - key type: object http: - description: Generic HTTP interface to obtain authorization - metadata from a HTTP service. + description: External source of auth metadata via HTTP request properties: body: description: Raw body of the HTTP request. Supersedes @@ -1290,62 +1467,44 @@ spec: as query string in the 'endpoint' (placeholders can be used). properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string value: description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object + x-kubernetes-preserve-unknown-fields: true type: object bodyParameters: - description: Custom parameters to encode in the body - of the HTTP request. Superseded by 'body'; use either - one or the other. Use it with method=POST; for GET - requests, set parameters as query string in the 'endpoint' - (placeholders can be used). - items: + additionalProperties: properties: - name: - description: The name of the JSON property + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: - description: Static value of the JSON property + description: Static value x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - required: - - name type: object - type: array + description: Custom parameters to encode in the body + of the HTTP request. Superseded by 'body'; use either + one or the other. Use it with method=POST; for GET + requests, set parameters as query string in the 'endpoint' + (placeholders can be used). + type: object contentType: default: application/x-www-form-urlencoded description: Content-Type of the request body. Shapes @@ -1363,68 +1522,59 @@ spec: Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: - in: - default: authorization_header - description: The location in the request where client - credentials shall be passed on requests authenticating - with this identity source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value - is the prefix of the client credentials string, - separated by a white-space, in the HTTP Authorization - header (e.g. "Bearer", "Basic"). When used with - `custom_header`, `query` or `cookie`, the value - is the name of the HTTP header, query string parameter - or cookie key, respectively. - type: string - required: - - keySelector + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + prefix: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object type: object - endpoint: - description: Endpoint of the HTTP service. The endpoint - accepts variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. - https://ext-auth-server.io/metadata?p={context.request.http.path} - type: string headers: - description: Custom headers in the HTTP request. - items: + additionalProperties: properties: - name: - description: The name of the JSON property + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: - description: Static value of the JSON property + description: Static value x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - required: - - name type: object - type: array + description: Custom headers in the HTTP request. + type: object + insecure: + description: Insecure HTTP connection (i.e. disables + TLS verification) + type: boolean method: default: GET description: 'HTTP verb used in the request to the service. @@ -1434,6 +1584,13 @@ spec: enum: - GET - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE type: string oauth2: description: Authentication with the HTTP service by @@ -1503,19 +1660,21 @@ spec: - key - name type: object + url: + description: Endpoint URL of the HTTP service. The value + can include variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. + https://ext-auth-server.io/metadata?p={request.path} + type: string required: - - endpoint + - url type: object metrics: default: false - description: Whether this metadata config should generate - individual observability metrics + description: Whether this config should generate individual + observability metrics type: boolean - name: - description: The name of the metadata source. It can be - used to refer to the resolved metadata object in other - configs. - type: string priority: default: 0 description: Priority group of the config. All configs in @@ -1543,229 +1702,27 @@ spec: must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. type: string - required: - - credentialsRef - - endpoint - type: object - userInfo: - description: OpendID Connect UserInfo linked to an OIDC - identity config of this same spec. - properties: - identitySource: - description: The name of an OIDC identity source included - in the "identity" section and whose OpenID Connect - configuration discovered includes the OIDC "userinfo_endpoint" - claim. - type: string - required: - - identitySource - type: object - when: - description: Conditions for Authorino to apply this metadata - config. If omitted, the config will be applied for all - requests. If present, all conditions must match for the - config to be applied; otherwise, the config will be skipped. - items: - properties: - operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. - type: string - type: object - type: array - required: - - name - type: object - type: array - patterns: - additionalProperties: - items: - properties: - operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. - type: string - type: object - type: array - description: Named sets of JSON patterns that can be referred - in `when` conditionals and in JSON-pattern matching policy rules. - type: object - response: - description: List of response configs. Authorino gathers data - from the auth pipeline to build custom responses for the client. - items: - description: 'Dynamic response to return to the client. Apart - from "name", one of the following parameters is required and - only one of the following parameters is allowed: "wristband" - or "json".' - properties: - cache: - description: Caching options for dynamic responses built - when applying this config. Omit it to avoid caching dynamic - responses for this config. - properties: - key: - description: Key used to store the entry in the cache. - Cache entries from different metadata configs are - stored and managed separately regardless of the key. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - ttl: - default: 60 - description: Duration (in seconds) of the external data - in the cache before pulled again from the source. - type: integer - required: - - key - type: object - json: - properties: - properties: - description: List of JSON property-value pairs to be - added to the dynamic response. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - required: - - name - type: object - type: array - required: - - properties - type: object - metrics: - default: false - description: Whether this response config should generate - individual observability metrics - type: boolean - name: - description: Name of the custom response. It can be used - to refer to the resolved response object in other configs. - type: string - plain: - description: StaticOrDynamicValue is either a constant static - string value or a config for fetching a value from a dynamic - source (e.g. a path pattern of authorization JSON) + required: + - credentialsRef + - endpoint + type: object + userInfo: + description: OpendID Connect UserInfo linked to an OIDC + authentication config specified in this same AuthConfig. properties: - value: - description: Static value + identitySource: + description: The name of an OIDC-enabled JWT authentication + config whose OpenID Connect configuration discovered + includes the OIDC "userinfo_endpoint" claim. type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object + required: + - identitySource type: object - priority: - default: 0 - description: Priority group of the config. All configs in - the same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. - type: integer when: - description: Conditions for Authorino to enforce this custom - response config. If omitted, the config will be enforced - for all requests. If present, all conditions must match - for the config to be enforced; otherwise, the config will - be skipped. + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. items: properties: operator: @@ -1783,13 +1740,14 @@ spec: - matches type: string patternRef: - description: Name of a named pattern + description: Reference to a named set of pattern expressions type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: description: The value of reference for the comparison @@ -1799,108 +1757,646 @@ spec: type: string type: object type: array - wrapper: - default: httpHeader - description: How Authorino wraps the response. Use "httpHeader" - (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" - to wrap the response as Envoy Dynamic Metadata - enum: - - httpHeader - - envoyDynamicMetadata - type: string - wrapperKey: - description: The name of key used in the wrapped response - (name of the HTTP header or property of the Envoy Dynamic - Metadata JSON). If omitted, it will be set to the name - of the configuration. - type: string - wristband: - properties: - customClaims: - description: Any claims to be added to the wristband - token apart from the standard JWT claims (iss, iat, - exp) added by default. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property + type: object + description: Metadata sources. Authorino fetches auth metadata + as JSON from sources specified in this config. + type: object + patterns: + additionalProperties: + items: + properties: + operator: + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + selector: + description: Path selector to fetch content from the authorization + JSON (e.g. 'request.method'). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson can be + used. Authorino custom JSON path modifiers are also + supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. + type: string + type: object + type: array + description: Named sets of patterns that can be referred in `when` + conditions and in pattern-matching authorization policy rules. + type: object + response: + description: Response items. Authorino builds custom responses + to the client of the auth request. + properties: + success: + description: Response items to be included in the auth response + when the request is authenticated and authorized. For integration + of Authorino via proxy, the proxy must use these settings + to propagate dynamic metadata and/or inject data in the + request. + properties: + dynamicMetadata: + additionalProperties: + description: Settings of the success custom response + item. + properties: + cache: + description: Caching options for the resolved object + returned when applying this config. Omit it to + avoid caching objects for this config. + properties: + key: + description: Key used to store the entry in + the cache. The resolved key must be unique + within the scope of this particular config. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external + data in the cache before pulled again from + the source. + type: integer + required: + - key + type: object + json: + description: JSON object Specify it as the list + of properties of the object, whose values can + combine static values and values selected from + the authorization JSON. + properties: properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + additionalProperties: + properties: + selector: + description: 'Simple path selector to + fetch content from the authorization + JSON (e.g. ''request.method'') or a + string template with variables that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + required: + - properties + type: object + metrics: + default: false + description: Whether this config should generate + individual observability metrics + type: boolean + plain: + description: Plain text content + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + priority: + default: 0 + description: Priority group of the config. All configs + in the same priority group are evaluated concurrently; + consecutive priority groups are evaluated sequentially. + type: integer + when: + description: Conditions for Authorino to enforce + this config. If omitted, the config will be enforced + for all requests. If present, all conditions must + match for the config to be enforced; otherwise, + the config will be skipped. + items: + properties: + operator: + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + selector: + description: Path selector to fetch content + from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path + modifiers are also supported. + type: string + value: + description: The value of reference for the + comparison with the content fetched from + the authorization JSON. If used with the + "matches" operator, the value must compile + to a valid Golang regex. type: string type: object - required: - - name - type: object - type: array - issuer: - description: 'The endpoint to the Authorino service - that issues the wristband (format: ://:/, - where = /://:/, where + = /://:/, where + = /://:/, - where = /://:/, where + = /://:/, where + = /