-
Notifications
You must be signed in to change notification settings - Fork 31
/
auth_config_types.go
804 lines (654 loc) · 35.2 KB
/
auth_config_types.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
/*
Copyright 2020 Red Hat, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
k8score "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)
const (
TypeUnknown = "UNKNOWN"
IdentityOAuth2 = "IDENTITY_OAUTH2"
IdentityOidc = "IDENTITY_OIDC"
IdentityApiKey = "IDENTITY_APIKEY"
IdentityMTLS = "IDENTITY_MTLS"
IdentityKubernetesAuth = "IDENTITY_KUBERNETESAUTH"
IdentityAnonymous = "IDENTITY_ANONYMOUS"
IdentityPlain = "IDENTITY_PLAIN"
MetadataUma = "METADATA_UMA"
MetadataGenericHTTP = "METADATA_GENERIC_HTTP"
MetadataUserinfo = "METADATA_USERINFO"
AuthorizationOPA = "AUTHORIZATION_OPA"
AuthorizationJSONPatternMatching = "AUTHORIZATION_JSON"
AuthorizationKubernetesAuthz = "AUTHORIZATION_KUBERNETESAUTHZ"
AuthorizationAuthzed = "AUTHORIZATION_AUTHZED"
ResponseWristband = "RESPONSE_WRISTBAND"
ResponseDynamicJSON = "RESPONSE_DYNAMIC_JSON"
CallbackHTTP = "CALLBACK_HTTP"
EvaluatorDefaultCacheTTL = 60
// Status conditions
StatusConditionAvailable ConditionType = "Available"
StatusConditionReady ConditionType = "Ready"
// Status reasons
StatusReasonReconciling string = "Reconciling"
StatusReasonReconciled string = "Reconciled"
StatusReasonInvalidResource string = "Invalid"
StatusReasonHostsLinked string = "HostsLinked"
StatusReasonHostsNotLinked string = "HostsNotLinked"
StatusReasonCachingError string = "CachingError"
StatusReasonUnknown string = "Unknown"
)
// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
// SecretKeyReference selects a key of a Secret.
type SecretKeyReference struct {
// The name of the secret in the Authorino's namespace to select from.
Name string `json:"name"`
// The key of the secret to select from. Must be a valid secret key.
Key string `json:"key"`
}
// StaticOrDynamicValue is either a constant static string value or a config for fetching a value from a dynamic source (e.g. a path pattern of authorization JSON)
type StaticOrDynamicValue struct {
// Static value
Value string `json:"value,omitempty"`
// Dynamic value
ValueFrom ValueFrom `json:"valueFrom,omitempty"`
}
type ValueFrom struct {
// Selector to fetch a value from the authorization JSON.
// It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
// or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
// Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
// The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
AuthJSON string `json:"authJSON,omitempty"`
}
type JsonProperty struct {
// The name of the JSON property
Name string `json:"name"`
// Static value of the JSON property
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
Value runtime.RawExtension `json:"value,omitempty"`
// Dynamic value of the JSON property
ValueFrom ValueFrom `json:"valueFrom,omitempty"`
}
type EvaluatorCaching struct {
// Key used to store the entry in the cache.
// Cache entries from different metadata configs are stored and managed separately regardless of the key.
Key StaticOrDynamicValue `json:"key"`
// Duration (in seconds) of the external data in the cache before pulled again from the source.
// +kubebuilder:default:=60
TTL int `json:"ttl,omitempty"`
}
// Specifies the desired state of the AuthConfig resource, i.e. the authencation/authorization scheme to be applied to protect the matching service hosts.
type AuthConfigSpec struct {
// Important: Run "make" to regenerate code after modifying this file
// The list of public host names of the services protected by this authentication/authorization scheme.
// Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce.
Hosts []string `json:"hosts"`
// Named sets of JSON patterns that can be referred in `when` conditionals and in JSON-pattern matching policy rules.
Patterns map[string]JSONPatternExpressions `json:"patterns,omitempty"`
// Conditions for the AuthConfig to be enforced.
// If omitted, the AuthConfig will be enforced for all requests.
// If present, all conditions must match for the AuthConfig to be enforced; otherwise, Authorino skips the AuthConfig and returns immediately with status OK.
Conditions []JSONPattern `json:"when,omitempty"`
// List of identity sources/authentication modes.
// At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase.
Identity []*Identity `json:"identity,omitempty"`
// List of metadata source configs.
// Authorino fetches JSON content from sources on this list on every request.
Metadata []*Metadata `json:"metadata,omitempty"`
// Authorization is the list of authorization policies.
// All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase.
Authorization []*Authorization `json:"authorization,omitempty"`
// List of response configs.
// Authorino gathers data from the auth pipeline to build custom responses for the client.
Response []*Response `json:"response,omitempty"`
// List of callback configs.
// Authorino sends callbacks to specified endpoints at the end of the auth pipeline.
Callbacks []*Callback `json:"callbacks,omitempty"`
// Custom denial response codes, statuses and headers to override default 40x's.
DenyWith *DenyWith `json:"denyWith,omitempty"`
}
type JSONPattern struct {
JSONPatternRef `json:",omitempty"`
JSONPatternExpression `json:",omitempty"`
}
type JSONPatternRef struct {
// Name of a named pattern
JSONPatternName string `json:"patternRef,omitempty"`
}
type JSONPatternExpressions []JSONPatternExpression
type JSONPatternExpression struct {
// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
// The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases.
Selector string `json:"selector,omitempty"`
// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value".
// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)
Operator JSONPatternOperator `json:"operator,omitempty"`
// The value of reference for the comparison with the content fetched from the authorization JSON.
// If used with the "matches" operator, the value must compile to a valid Golang regex.
Value string `json:"value,omitempty"`
}
// +kubebuilder:validation:Enum:=eq;neq;incl;excl;matches
type JSONPatternOperator string
// +kubebuilder:validation:Enum:=authorization_header;custom_header;query;cookie
type Credentials_In string
type Credentials struct {
// The location in the request where client credentials shall be passed on requests authenticating with this identity source/authentication mode.
// +kubebuilder:default:=authorization_header
In Credentials_In `json:"in,omitempty"`
// Used in conjunction with the `in` parameter.
// When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic").
// When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively.
KeySelector string `json:"keySelector"`
}
// The identity source/authentication mode config.
// Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes".
type Identity struct {
// The name of this identity source/authentication mode.
// It usually identifies a source of identities or group of users/clients of the protected service.
// It can be used to refer to the resolved identity object in other configs.
Name string `json:"name"`
// Priority group of the config.
// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially.
// +kubebuilder:default:=0
Priority int `json:"priority,omitempty"`
// Whether this identity config should generate individual observability metrics
// +kubebuilder:default:=false
Metrics bool `json:"metrics,omitempty"`
// Conditions for Authorino to enforce this identity config.
// If omitted, the config will be enforced for all requests.
// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped.
Conditions []JSONPattern `json:"when,omitempty"`
// Caching options for the identity resolved when applying this config.
// Omit it to avoid caching identity objects for this config.
Cache *EvaluatorCaching `json:"cache,omitempty"`
// Defines where client credentials are required to be passed in the request for this identity source/authentication mode.
// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc).
Credentials Credentials `json:"credentials,omitempty"`
// Extends the resolved identity object with additional custom properties before appending to the authorization JSON.
// It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break.
ExtendedProperties []JsonProperty `json:"extendedProperties,omitempty"`
OAuth2 *Identity_OAuth2Config `json:"oauth2,omitempty"`
Oidc *Identity_OidcConfig `json:"oidc,omitempty"`
APIKey *Identity_APIKey `json:"apiKey,omitempty"`
MTLS *Identity_MTLS `json:"mtls,omitempty"`
KubernetesAuth *Identity_KubernetesAuth `json:"kubernetes,omitempty"`
Anonymous *Identity_Anonymous `json:"anonymous,omitempty"`
Plain *Identity_Plain `json:"plain,omitempty"`
}
func (i *Identity) GetType() string {
if i.OAuth2 != nil {
return IdentityOAuth2
} else if i.Oidc != nil {
return IdentityOidc
} else if i.APIKey != nil {
return IdentityApiKey
} else if i.MTLS != nil {
return IdentityMTLS
} else if i.KubernetesAuth != nil {
return IdentityKubernetesAuth
} else if i.Anonymous != nil {
return IdentityAnonymous
} else if i.Plain != nil {
return IdentityPlain
} else {
return TypeUnknown
}
}
type Identity_OAuth2Config struct {
// The full URL of the token introspection endpoint.
TokenIntrospectionUrl string `json:"tokenIntrospectionUrl"`
// The token type hint for the token introspection.
// If omitted, it defaults to "access_token".
TokenTypeHint string `json:"tokenTypeHint,omitempty"`
// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the OAuth2 server.
Credentials *k8score.LocalObjectReference `json:"credentialsRef"`
}
type Identity_OidcConfig struct {
// Endpoint of the OIDC issuer.
// Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim.
// The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration.
Endpoint string `json:"endpoint"`
// Decides how long to wait before refreshing the OIDC configuration (in seconds).
TTL int `json:"ttl,omitempty"`
}
type Identity_APIKey struct {
// Label selector used by Authorino to match secrets from the cluster storing valid credentials to authenticate to this service
Selector *metav1.LabelSelector `json:"selector"`
// Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig.
// Enabling this option in namespaced Authorino instances has no effect.
// +kubebuilder:default:=false
AllNamespaces bool `json:"allNamespaces,omitempty"`
}
type Identity_MTLS struct {
// Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate clients trying to authenticate to this service
Selector *metav1.LabelSelector `json:"selector"`
// Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig.
// Enabling this option in namespaced Authorino instances has no effect.
// +kubebuilder:default:=false
AllNamespaces bool `json:"allNamespaces,omitempty"`
}
type Identity_KubernetesAuth struct {
// The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino.
// If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences.
Audiences []string `json:"audiences,omitempty"`
}
type Identity_Anonymous struct{}
type Identity_Plain ValueFrom
// The metadata config.
// Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", userInfo" or "uma".
type Metadata struct {
// The name of the metadata source.
// It can be used to refer to the resolved metadata object in other configs.
Name string `json:"name"`
// Priority group of the config.
// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially.
// +kubebuilder:default:=0
Priority int `json:"priority,omitempty"`
// Whether this metadata config should generate individual observability metrics
// +kubebuilder:default:=false
Metrics bool `json:"metrics,omitempty"`
// Conditions for Authorino to apply this metadata config.
// If omitted, the config will be applied for all requests.
// If present, all conditions must match for the config to be applied; otherwise, the config will be skipped.
Conditions []JSONPattern `json:"when,omitempty"`
// Caching options for the external metadata fetched when applying this config.
// Omit it to avoid caching metadata from this source.
Cache *EvaluatorCaching `json:"cache,omitempty"`
UserInfo *Metadata_UserInfo `json:"userInfo,omitempty"`
UMA *Metadata_UMA `json:"uma,omitempty"`
GenericHTTP *Metadata_GenericHTTP `json:"http,omitempty"`
}
func (m *Metadata) GetType() string {
if m.UserInfo != nil {
return MetadataUserinfo
} else if m.UMA != nil {
return MetadataUma
} else if m.GenericHTTP != nil {
return MetadataGenericHTTP
}
return TypeUnknown
}
// OpendID Connect UserInfo linked to an OIDC identity config of this same spec.
type Metadata_UserInfo struct {
// The name of an OIDC identity source included in the "identity" section and whose OpenID Connect configuration discovered includes the OIDC "userinfo_endpoint" claim.
IdentitySource string `json:"identitySource"`
}
// User-Managed Access (UMA) source of resource data.
type Metadata_UMA struct {
// The endpoint of the UMA server.
// The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint.
Endpoint string `json:"endpoint"`
// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the resource registration API of the UMA server.
Credentials *k8score.LocalObjectReference `json:"credentialsRef"`
}
// +kubebuilder:validation:Enum:=GET;POST
type GenericHTTP_Method string
// +kubebuilder:validation:Enum:=application/x-www-form-urlencoded;application/json
type Metadata_GenericHTTP_ContentType string
// Generic HTTP interface to obtain authorization metadata from a HTTP service.
type Metadata_GenericHTTP struct {
// Endpoint of the HTTP service.
// The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported
// by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON.
// E.g. https://ext-auth-server.io/metadata?p={context.request.http.path}
Endpoint string `json:"endpoint"`
// HTTP verb used in the request to the service. Accepted values: GET (default), POST.
// When the request method is POST, the authorization JSON is passed in the body of the request.
// +kubebuilder:default:=GET
Method *GenericHTTP_Method `json:"method,omitempty"`
// Raw body of the HTTP request.
// Supersedes 'bodyParameters'; use either one or the other.
// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used).
Body *StaticOrDynamicValue `json:"body,omitempty"`
// Custom parameters to encode in the body of the HTTP request.
// Superseded by 'body'; use either one or the other.
// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used).
Parameters []JsonProperty `json:"bodyParameters,omitempty"`
// Content-Type of the request body. Shapes how 'bodyParameters' are encoded.
// Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'.
// +kubebuilder:default:=application/x-www-form-urlencoded
ContentType Metadata_GenericHTTP_ContentType `json:"contentType,omitempty"`
// Custom headers in the HTTP request.
Headers []JsonProperty `json:"headers,omitempty"`
// Reference to a Secret key whose value will be passed by Authorino in the request.
// The HTTP service can use the shared secret to authenticate the origin of the request.
// Ignored if used together with oauth2.
SharedSecret *SecretKeyReference `json:"sharedSecretRef,omitempty"`
// Authentication with the HTTP service by OAuth2 Client Credentials grant.
OAuth2 *OAuth2ClientAuthentication `json:"oauth2,omitempty"`
// Defines where client credentials will be passed in the request to the service.
// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value.
Credentials Credentials `json:"credentials,omitempty"`
}
type OAuth2ClientAuthentication struct {
// Token endpoint URL of the OAuth2 resource server.
TokenUrl string `json:"tokenUrl"`
// OAuth2 Client ID.
ClientId string `json:"clientId"`
// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret.
ClientSecret SecretKeyReference `json:"clientSecretRef"`
// Optional scopes for the client credentials grant, if supported by he OAuth2 server.
Scopes []string `json:"scopes,omitempty"`
// Optional extra parameters for the requests to the token URL.
ExtraParams map[string]string `json:"extraParams,omitempty"`
// Caches and reuses the token until expired.
// Set it to false to force fetch the token at every authorization request regardless of expiration.
// +kubebuilder:default:=true
Cache *bool `json:"cache,omitempty"`
}
// Authorization policy to be enforced.
// Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes".
type Authorization struct {
// Name of the authorization policy.
// It can be used to refer to the resolved authorization object in other configs.
Name string `json:"name"`
// Priority group of the config.
// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially.
// +kubebuilder:default:=0
Priority int `json:"priority,omitempty"`
// Whether this authorization config should generate individual observability metrics
// +kubebuilder:default:=false
Metrics bool `json:"metrics,omitempty"`
// Conditions for Authorino to enforce this authorization policy.
// If omitted, the config will be enforced for all requests.
// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped.
Conditions []JSONPattern `json:"when,omitempty"`
// Caching options for the policy evaluation results when enforcing this config.
// Omit it to avoid caching policy evaluation results for this config.
Cache *EvaluatorCaching `json:"cache,omitempty"`
OPA *Authorization_OPA `json:"opa,omitempty"`
JSON *Authorization_JSONPatternMatching `json:"json,omitempty"`
KubernetesAuthz *Authorization_KubernetesAuthz `json:"kubernetes,omitempty"`
Authzed *Authorization_Authzed `json:"authzed,omitempty"`
}
func (a *Authorization) GetType() string {
if a.OPA != nil {
return AuthorizationOPA
} else if a.JSON != nil {
return AuthorizationJSONPatternMatching
} else if a.KubernetesAuthz != nil {
return AuthorizationKubernetesAuthz
} else if a.Authzed != nil {
return AuthorizationAuthzed
}
return TypeUnknown
}
// ExternalRegistry specifies external source of data (i.e. OPA policy registry)
type ExternalRegistry struct {
// Endpoint of the HTTP external registry.
// The endpoint must respond with either plain/text or application/json content-type.
// In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy).
Endpoint string `json:"endpoint,omitempty"`
// Reference to a Secret key whose value will be passed by Authorino in the request.
// The HTTP service can use the shared secret to authenticate the origin of the request.
SharedSecret *SecretKeyReference `json:"sharedSecretRef,omitempty"`
// Defines where client credentials will be passed in the request to the service.
// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value.
Credentials Credentials `json:"credentials,omitempty"`
// Duration (in seconds) of the external data in the cache before pulled again from the source.
TTL int `json:"ttl,omitempty"`
}
// Open Policy Agent (OPA) authorization policy.
type Authorization_OPA struct {
// Authorization policy as a Rego language document.
// The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed).
// The Rego document must NOT include the "package" declaration in line 1.
InlineRego string `json:"inlineRego,omitempty"`
// External registry of OPA policies.
ExternalRegistry ExternalRegistry `json:"externalRegistry,omitempty"`
// Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline.
// Otherwise, only the default `allow` rule will be exposed.
// Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime.
// +kubebuilder:default:=false
AllValues bool `json:"allValues,omitempty"`
}
// JSON pattern matching authorization policy.
type Authorization_JSONPatternMatching struct {
// The rules that must all evaluate to "true" for the request to be authorized.
Rules []JSONPattern `json:"rules"`
}
type Authorization_KubernetesAuthz_ResourceAttributes struct {
Namespace StaticOrDynamicValue `json:"namespace,omitempty"`
Group StaticOrDynamicValue `json:"group,omitempty"`
Resource StaticOrDynamicValue `json:"resource,omitempty"`
Name StaticOrDynamicValue `json:"name,omitempty"`
SubResource StaticOrDynamicValue `json:"subresource,omitempty"`
Verb StaticOrDynamicValue `json:"verb,omitempty"`
}
// Kubernetes authorization policy based on `SubjectAccessReview`
// Path and Verb are inferred from the request.
type Authorization_KubernetesAuthz struct {
// User to test for.
// If without "Groups", then is it interpreted as "What if User were not a member of any groups"
User StaticOrDynamicValue `json:"user"`
// Groups to test for.
Groups []string `json:"groups,omitempty"`
// Use ResourceAttributes for checking permissions on Kubernetes resources
// If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request.
ResourceAttributes *Authorization_KubernetesAuthz_ResourceAttributes `json:"resourceAttributes,omitempty"`
}
// Authzed authorization
type Authorization_Authzed struct {
// Endpoint of the Authzed service.
Endpoint string `json:"endpoint"`
// Insecure HTTP connection (i.e. disables TLS verification)
Insecure bool `json:"insecure,omitempty"`
// Reference to a Secret key whose value will be used by Authorino to authenticate with the Authzed service.
SharedSecret *SecretKeyReference `json:"sharedSecretRef,omitempty"`
// The subject that will be checked for the permission or relation.
Subject *AuthzedObject `json:"subject,omitempty"`
// The resource on which to check the permission or relation.
Resource *AuthzedObject `json:"resource,omitempty"`
// The name of the permission (or relation) on which to execute the check.
Permission StaticOrDynamicValue `json:"permission,omitempty"`
}
type AuthzedObject struct {
Name StaticOrDynamicValue `json:"name,omitempty"`
Kind StaticOrDynamicValue `json:"kind,omitempty"`
}
// +kubebuilder:validation:Enum:=httpHeader;envoyDynamicMetadata
type Response_Wrapper string
// Dynamic response to return to the client.
// Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json".
type Response struct {
// Name of the custom response.
// It can be used to refer to the resolved response object in other configs.
Name string `json:"name"`
// Priority group of the config.
// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially.
// +kubebuilder:default:=0
Priority int `json:"priority,omitempty"`
// Whether this response config should generate individual observability metrics
// +kubebuilder:default:=false
Metrics bool `json:"metrics,omitempty"`
// Conditions for Authorino to enforce this custom response config.
// If omitted, the config will be enforced for all requests.
// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped.
Conditions []JSONPattern `json:"when,omitempty"`
// Caching options for dynamic responses built when applying this config.
// Omit it to avoid caching dynamic responses for this config.
Cache *EvaluatorCaching `json:"cache,omitempty"`
// How Authorino wraps the response.
// Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata
// +kubebuilder:default:=httpHeader
Wrapper Response_Wrapper `json:"wrapper,omitempty"`
// The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON).
// If omitted, it will be set to the name of the configuration.
WrapperKey string `json:"wrapperKey,omitempty"`
Wristband *Response_Wristband `json:"wristband,omitempty"`
JSON *Response_DynamicJSON `json:"json,omitempty"`
}
func (r *Response) GetType() string {
if r.Wristband != nil {
return ResponseWristband
} else if r.JSON != nil {
return ResponseDynamicJSON
}
return TypeUnknown
}
// Endpoints to callback at the end of each auth pipeline.
type Callback struct {
// Name of the callback.
// It can be used to refer to the resolved callback response in other configs.
Name string `json:"name"`
// Priority group of the config.
// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially.
// +kubebuilder:default:=0
Priority int `json:"priority,omitempty"`
// Whether this callback config should generate individual observability metrics
// +kubebuilder:default:=false
Metrics bool `json:"metrics,omitempty"`
// Conditions for Authorino to perform this callback.
// If omitted, the callback will be attempted for all requests.
// If present, all conditions must match for the callback to be attempted; otherwise, the callback will be skipped.
Conditions []JSONPattern `json:"when,omitempty"`
HTTP *Metadata_GenericHTTP `json:"http"` // make this 'omitempty' if other alternate methods are added
}
func (r *Callback) GetType() string {
if r.HTTP != nil {
return CallbackHTTP
}
return TypeUnknown
}
// +kubebuilder:validation:Enum:=ES256;ES384;ES512;RS256;RS384;RS512
type SigningKeyAlgorithm string
type SigningKeyRef struct {
// Name of the signing key.
// The value is used to reference the Kubernetes secret that stores the key and in the `kid` claim of the wristband token header.
Name string `json:"name"`
// Algorithm to sign the wristband token using the signing key provided
Algorithm SigningKeyAlgorithm `json:"algorithm"`
}
type Response_Wristband struct {
// The endpoint to the Authorino service that issues the wristband (format: <scheme>://<host>:<port>/<realm>, where <realm> = <namespace>/<authorino-auth-config-resource-name/wristband-config-name)
Issuer string `json:"issuer"`
// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default.
CustomClaims []JsonProperty `json:"customClaims,omitempty"`
// Time span of the wristband token, in seconds.
TokenDuration *int64 `json:"tokenDuration,omitempty"`
// Reference by name to Kubernetes secrets and corresponding signing algorithms.
// The secrets must contain a `key.pem` entry whose value is the signing key formatted as PEM.
SigningKeyRefs []*SigningKeyRef `json:"signingKeyRefs"`
}
type Response_DynamicJSON struct {
// List of JSON property-value pairs to be added to the dynamic response.
Properties []JsonProperty `json:"properties"`
}
// +kubebuilder:validation:Minimum:=300
// +kubebuilder:validation:Maximum:=599
type DenyWith_Code int64
type DenyWithSpec struct {
// HTTP status code to override the default denial status code.
Code DenyWith_Code `json:"code,omitempty"`
// HTTP message to override the default denial message.
Message *StaticOrDynamicValue `json:"message,omitempty"`
// HTTP response headers to override the default denial headers.
Headers []JsonProperty `json:"headers,omitempty"`
// HTTP response body to override the default denial body.
Body *StaticOrDynamicValue `json:"body,omitempty"`
}
type DenyWith struct {
// Denial status customization when the request is unauthenticated.
Unauthenticated *DenyWithSpec `json:"unauthenticated,omitempty"`
// Denial status customization when the request is unauthorized.
Unauthorized *DenyWithSpec `json:"unauthorized,omitempty"`
}
type ConditionType string
type Condition struct {
// Type of condition
Type ConditionType `json:"type"`
// Status of the condition, one of True, False, Unknown.
Status k8score.ConditionStatus `json:"status"`
// Last time the condition transit from one status to another.
// +optional
LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
// (brief) reason for the condition's last transition.
// +optional
Reason string `json:"reason,omitempty"`
// Human readable message indicating details about last transition.
// +optional
Message string `json:"message,omitempty"`
// Last time the condition was updated
// +optional
LastUpdatedTime *metav1.Time `json:"lastUpdatedTime,omitempty"`
}
type Summary struct {
// Whether all hosts from spec.hosts have been linked to the resource in the index
Ready bool `json:"ready"`
// Lists the hosts from spec.hosts linked to the resource in the index
HostsReady []string `json:"hostsReady"`
// Number of hosts from spec.hosts linked to the resource in the index, compared to the total number of hosts in spec.hosts
NumHostsReady string `json:"numHostsReady"`
// Number of trusted sources of identity for authentication in the AuthConfig
NumIdentitySources int64 `json:"numIdentitySources"`
// Number of sources of external metadata in the AuthConfig
NumMetadataSources int64 `json:"numMetadataSources"`
// Number of authorization policies in the AuthConfig
NumAuthorizationPolicies int64 `json:"numAuthorizationPolicies"`
// Number of custom authorization response items in the AuthConfig
NumResponseItems int64 `json:"numResponseItems"`
// Indicator of whether the AuthConfig issues Festival Wristband tokens on successful evaluation of the AuthConfig (access granted)
FestivalWristbandEnabled bool `json:"festivalWristbandEnabled"`
}
// AuthConfigStatus defines the observed state of AuthConfig
type AuthConfigStatus struct {
Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
Summary Summary `json:"summary,omitempty"`
}
func (s *AuthConfigStatus) Ready() bool {
for _, condition := range s.Conditions {
if condition.Type == StatusConditionReady {
return condition.Status == k8score.ConditionTrue
}
}
return false
}
// AuthConfig is the schema for Authorino's AuthConfig API
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.summary.ready`,description="Ready for all hosts"
// +kubebuilder:printcolumn:name="Hosts",type=string,JSONPath=`.status.summary.numHostsReady`,description="Number of hosts ready"
// +kubebuilder:printcolumn:name="Authentication",type=integer,JSONPath=`.status.summary.numIdentitySources`,description="Number of trusted identity sources",priority=2
// +kubebuilder:printcolumn:name="Metadata",type=integer,JSONPath=`.status.summary.numMetadataSources`,description="Number of external metadata sources",priority=2
// +kubebuilder:printcolumn:name="Authorization",type=integer,JSONPath=`.status.summary.numAuthorizationPolicies`,description="Number of authorization policies",priority=2
// +kubebuilder:printcolumn:name="Response",type=integer,JSONPath=`.status.summary.numResponseItems`,description="Number of items added to the authorization response",priority=2
// +kubebuilder:printcolumn:name="Wristband",type=boolean,JSONPath=`.status.summary.festivalWristbandEnabled`,description="Whether issuing Festival Wristbands",priority=2
type AuthConfig struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec AuthConfigSpec `json:"spec,omitempty"`
Status AuthConfigStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
// AuthConfigList contains a list of AuthConfig
type AuthConfigList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items AuthConfigSlice `json:"items"`
}
type AuthConfigSlice []AuthConfig
func (s AuthConfigSlice) Len() int {
return len(s)
}
func (s AuthConfigSlice) Less(i, j int) bool {
return s[i].CreationTimestamp.Before(&s[j].CreationTimestamp)
}
func (s AuthConfigSlice) Swap(i, j int) {
s[i], s[j] = s[j], s[i]
}
func init() {
SchemeBuilder.Register(&AuthConfig{}, &AuthConfigList{})
}