Add field spec.response.success.(headers|dynamicMetadata).key

Kuadrant · Sep 5, 2023 · b61838f · b61838f
1 parent cf14ba3
commit b61838f
Show file tree

Hide file tree

Showing 7 changed files with 65 additions and 31 deletions.
diff --git a/api/v1beta1/auth_config_types.go b/api/v1beta1/auth_config_types.go
@@ -599,7 +599,6 @@ type Response struct {
 	Wrapper Response_Wrapper `json:"wrapper,omitempty"`
 	// The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON).
 	// If omitted, it will be set to the name of the configuration.
-	// [DEPRECATED] Starting in v1beta2, use the name of the response config instead.
 	WrapperKey string `json:"wrapperKey,omitempty"`
 
 	Wristband *Response_Wristband   `json:"wristband,omitempty"`

diff --git a/api/v1beta2/auth_config_conversion.go b/api/v1beta2/auth_config_conversion.go
@@ -835,7 +835,7 @@ func convertSuccessResponseTo(name string, src SuccessResponseSpec, wrapper stri
 		Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo),
 		Cache:      convertEvaluatorCachingTo(src.Cache),
 		Wrapper:    v1beta1.Response_Wrapper(wrapper),
-		WrapperKey: name,
+		WrapperKey: src.Key,
 	}
 
 	switch src.GetMethod() {
@@ -878,6 +878,7 @@ func convertSuccessResponseFrom(src *v1beta1.Response) (string, SuccessResponseS
 			Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom),
 			Cache:      convertEvaluatorCachingFrom(src.Cache),
 		},
+		Key: src.WrapperKey,
 	}
 
 	switch src.GetType() {

diff --git a/api/v1beta2/auth_config_conversion_test.go b/api/v1beta2/auth_config_conversion_test.go
@@ -367,13 +367,15 @@ func authConfig() *AuthConfig {
 				"success": {
 					"dynamicMetadata": {
 						"username": {
+							"key": "",
 							"plain": {
 								"selector": "auth.identity.username"
 							}
 						}
 					},
 					"headers": {
-						"festivalWristband": {
+						"festival-wristband": {
+							"key": "x-wristband-token",
 							"wristband": {
 								"customClaims": {
 									"scope": {
@@ -386,7 +388,7 @@ func authConfig() *AuthConfig {
 										"selector": "auth.identity.username"
 									}
 								},
-								"issuer": "https://authorino-authorino-oidc.authorino.svc.cluster.local:8083/authorino/e2e-test/wristband",
+								"issuer": "https://authorino-authorino-oidc.authorino.svc.cluster.local:8083/authorino/e2e-test/festival-wristband",
 								"signingKeyRefs": [
 									{
 										"algorithm": "ES256",
@@ -409,9 +411,11 @@ func authConfig() *AuthConfig {
 										"selector": "auth.identity.username"
 									}
 								}
-							}
+							},
+							"key": ""
 						},
 						"x-auth-service": {
+							"key": "",
 							"plain": {
 								"value": "Authorino"
 							}
@@ -883,10 +887,10 @@ func hubAuthConfig() *v1beta1.AuthConfig {
 			"response": [
 				{
 					"metrics": false,
-					"name": "festivalWristband",
+					"name": "festival-wristband",
 					"priority": 0,
 					"wrapper": "httpHeader",
-					"wrapperKey": "festivalWristband",
+					"wrapperKey": "x-wristband-token",
 					"wristband": {
 						"customClaims": [
 							{
@@ -908,7 +912,7 @@ func hubAuthConfig() *v1beta1.AuthConfig {
 								}
 							}
 						],
-						"issuer": "https://authorino-authorino-oidc.authorino.svc.cluster.local:8083/authorino/e2e-test/wristband",
+						"issuer": "https://authorino-authorino-oidc.authorino.svc.cluster.local:8083/authorino/e2e-test/festival-wristband",
 						"signingKeyRefs": [
 							{
 								"algorithm": "ES256",
@@ -928,7 +932,7 @@ func hubAuthConfig() *v1beta1.AuthConfig {
 					},
 					"priority": 0,
 					"wrapper": "envoyDynamicMetadata",
-					"wrapperKey": "username"
+					"wrapperKey": ""
 				},
 				{
 					"json": {
@@ -957,7 +961,7 @@ func hubAuthConfig() *v1beta1.AuthConfig {
 					"name": "x-auth-data",
 					"priority": 0,
 					"wrapper": "httpHeader",
-					"wrapperKey": "x-auth-data"
+					"wrapperKey": ""
 				},
 				{
 					"metrics": false,
@@ -968,7 +972,7 @@ func hubAuthConfig() *v1beta1.AuthConfig {
 					},
 					"priority": 0,
 					"wrapper": "httpHeader",
-					"wrapperKey": "x-auth-service"
+					"wrapperKey": ""
 				}
 			],
 			"when": [

diff --git a/api/v1beta2/auth_config_types.go b/api/v1beta2/auth_config_types.go
@@ -701,6 +701,10 @@ type HeaderSuccessResponseSpec struct {
 type SuccessResponseSpec struct {
 	CommonEvaluatorSpec    `json:""`
 	AuthResponseMethodSpec `json:""`
+
+	// The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object).
+	// If omitted, it will be set to the name of the response config.
+	Key string `json:"key,omitempty"`
 }
 
 func (s *SuccessResponseSpec) GetMethod() AuthResponseMethod {

diff --git a/docs/features.md b/docs/features.md
@@ -574,30 +574,36 @@ Successful authorization custom responses can be set based on any of the support
 
 Set custom responses as HTTP headers injected in the request post-successful authorization by specifying one of the supported methods under `response.success.headers`.
 
+The name of the response config (default) or the value of the `key` option (if provided) will used as the name of the header.
+
 #### Envoy Dynamic Metadata
 
 Authorino custom response methods can also be used to propagate [Envoy Dynamic Metadata](https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata). To do so, set one of the supported methods under `response.success.dynamicMetadata`.
 
-A custom response exported as Envoy Dynamic Metadata can be configured in the Envoy route or virtual host configuration, to be passed. E.g., for reading metadata emitted by the authorization service in the following scheme: `{ "auth-data": { "api-key-ns": string, "api-key-name": string } }` for a rate limiting:
+The name of the response config (default) or the value of the `key` option (if provided) will used as the name of the root property of the dynamic metadata content.
+
+A custom response exported as Envoy Dynamic Metadata can be set in the Envoy route or virtual host configuration as input to a consecutive filter in the filter chain.
+
+E.g., to read metadata emitted by the authorization service with scheme `{ "auth-data": { "api-key-ns": string, "api-key-name": string } }`, as input in a rate limit configuration placed in the filter chain after the external authorization, the Envoy config may look like the following:
 
 ```yaml
-# Envoy config snippet to inject `user_namespace` and `username` rate limit descriptors from metadata returned by Authorino
+# Envoy config snippet to inject `user_namespace` and `username` rate limit descriptors from metadata emitted by Authorino
 rate_limits:
 - actions:
-    - metadata:
-        metadata_key:
-          key: "envoy.filters.http.ext_authz"
-          path:
-          - key: auth-data
-          - key: api-key-ns
-        descriptor_key: user_namespace
-    - metadata:
-        metadata_key:
-          key: "envoy.filters.http.ext_authz"
-          path:
-          - key: auth-data
-          - key: api-key-name
-        descriptor_key: username
+  - metadata:
+      metadata_key:
+        key: "envoy.filters.http.ext_authz"
+        path:
+        - key: auth-data # root of the dynamic metadata object, as declared in a custom response config of the AuthConfig (name or key)
+        - key: api-key-ns
+      descriptor_key: user_namespace
+  - metadata:
+      metadata_key:
+        key: "envoy.filters.http.ext_authz"
+        path:
+        - key: auth-data # root of the dynamic metadata object, as declared in a custom response config of the AuthConfig (name or key)
+        - key: api-key-name
+      descriptor_key: username
 ```
 
 #### Custom denial status ([`response.unauthenticated`](https://pkg.go.dev/github.com/kuadrant/authorino/api/v1beta2?utm_source=gopls#DenyWithSpec) and [`response.unauthorized`](https://pkg.go.dev/github.com/kuadrant/authorino/api/v1beta2?utm_source=gopls#DenyWithSpec))

diff --git a/install/crd/authorino.kuadrant.io_authconfigs.yaml b/install/crd/authorino.kuadrant.io_authconfigs.yaml
@@ -2067,8 +2067,6 @@ spec:
                       description: The name of key used in the wrapped response (name
                         of the HTTP header or property of the Envoy Dynamic Metadata
                         JSON). If omitted, it will be set to the name of the configuration.
-                        [DEPRECATED] Starting in v1beta2, use the name of the response
-                        config instead.
                       type: string
                     wristband:
                       properties:
@@ -4074,6 +4072,12 @@ spec:
                               required:
                               - properties
                               type: object
+                            key:
+                              description: The key used to add the custom response
+                                item (name of the HTTP header or root property of
+                                the Dynamic Metadata object). If omitted, it will
+                                be set to the name of the response config.
+                              type: string
                             metrics:
                               default: false
                               description: Whether this config should generate individual
@@ -4284,6 +4288,12 @@ spec:
                               required:
                               - properties
                               type: object
+                            key:
+                              description: The key used to add the custom response
+                                item (name of the HTTP header or root property of
+                                the Dynamic Metadata object). If omitted, it will
+                                be set to the name of the response config.
+                              type: string
                             metrics:
                               default: false
                               description: Whether this config should generate individual

diff --git a/install/manifests.yaml b/install/manifests.yaml
@@ -2250,8 +2250,6 @@ spec:
                       description: The name of key used in the wrapped response (name
                         of the HTTP header or property of the Envoy Dynamic Metadata
                         JSON). If omitted, it will be set to the name of the configuration.
-                        [DEPRECATED] Starting in v1beta2, use the name of the response
-                        config instead.
                       type: string
                     wristband:
                       properties:
@@ -4396,6 +4394,12 @@ spec:
                               required:
                               - properties
                               type: object
+                            key:
+                              description: The key used to add the custom response
+                                item (name of the HTTP header or root property of
+                                the Dynamic Metadata object). If omitted, it will
+                                be set to the name of the response config.
+                              type: string
                             metrics:
                               default: false
                               description: Whether this config should generate individual
@@ -4631,6 +4635,12 @@ spec:
                               required:
                               - properties
                               type: object
+                            key:
+                              description: The key used to add the custom response
+                                item (name of the HTTP header or root property of
+                                the Dynamic Metadata object). If omitted, it will
+                                be set to the name of the response config.
+                              type: string
                             metrics:
                               default: false
                               description: Whether this config should generate individual