Abstracted expressions.Value away somewhat

Signed-off-by: Alex Snaps <[email protected]>
Kuadrant · Oct 15, 2024 · 0d0a0a9 · 0d0a0a9
1 parent b1c4cc2
commit 0d0a0a9
Show file tree

Hide file tree

Showing 21 changed files with 119 additions and 95 deletions.
diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go
@@ -19,6 +19,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"github.com/kuadrant/authorino/pkg/expressions"
 	"sort"
 	"sync"
 
@@ -182,13 +183,13 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 	for identityCfgName, identity := range authConfigIdentityConfigs {
 		extendedProperties := make([]evaluators.IdentityExtension, len(identity.Defaults)+len(identity.Overrides))
 		for propertyName, property := range identity.Defaults {
-			extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, json.JSONValue{
+			extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, &json.JSONValue{
 				Static:  property.Value,
 				Pattern: property.Selector,
 			}, false))
 		}
 		for propertyName, property := range identity.Overrides {
-			extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, json.JSONValue{
+			extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, &json.JSONValue{
 				Static:  property.Value,
 				Pattern: property.Selector,
 			}, true))
@@ -212,7 +213,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 				ttl = api.EvaluatorDefaultCacheTTL
 			}
 			translatedIdentity.Cache = evaluators.NewEvaluatorCache(
-				*getJsonFromStaticDynamic(&identity.Cache.Key),
+				getJsonFromStaticDynamic(&identity.Cache.Key),
 				ttl,
 			)
 		}
@@ -310,7 +311,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 				ttl = api.EvaluatorDefaultCacheTTL
 			}
 			translatedMetadata.Cache = evaluators.NewEvaluatorCache(
-				*getJsonFromStaticDynamic(&metadata.Cache.Key),
+				getJsonFromStaticDynamic(&metadata.Cache.Key),
 				ttl,
 			)
 		}
@@ -383,7 +384,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 				ttl = api.EvaluatorDefaultCacheTTL
 			}
 			translatedAuthorization.Cache = evaluators.NewEvaluatorCache(
-				*getJsonFromStaticDynamic(&authorization.Cache.Key),
+				getJsonFromStaticDynamic(&authorization.Cache.Key),
 				ttl,
 			)
 		}
@@ -444,17 +445,17 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 			resourceAttributes := authorization.KubernetesSubjectAccessReview.ResourceAttributes
 			if resourceAttributes != nil {
 				authorinoResourceAttributes = &authorization_evaluators.KubernetesAuthzResourceAttributes{
-					Namespace:   json.JSONValue{Static: resourceAttributes.Namespace.Value, Pattern: resourceAttributes.Namespace.Selector},
-					Group:       json.JSONValue{Static: resourceAttributes.Group.Value, Pattern: resourceAttributes.Group.Selector},
-					Resource:    json.JSONValue{Static: resourceAttributes.Resource.Value, Pattern: resourceAttributes.Resource.Selector},
-					Name:        json.JSONValue{Static: resourceAttributes.Name.Value, Pattern: resourceAttributes.Name.Selector},
-					SubResource: json.JSONValue{Static: resourceAttributes.SubResource.Value, Pattern: resourceAttributes.SubResource.Selector},
-					Verb:        json.JSONValue{Static: resourceAttributes.Verb.Value, Pattern: resourceAttributes.Verb.Selector},
+					Namespace:   &json.JSONValue{Static: resourceAttributes.Namespace.Value, Pattern: resourceAttributes.Namespace.Selector},
+					Group:       &json.JSONValue{Static: resourceAttributes.Group.Value, Pattern: resourceAttributes.Group.Selector},
+					Resource:    &json.JSONValue{Static: resourceAttributes.Resource.Value, Pattern: resourceAttributes.Resource.Selector},
+					Name:        &json.JSONValue{Static: resourceAttributes.Name.Value, Pattern: resourceAttributes.Name.Selector},
+					SubResource: &json.JSONValue{Static: resourceAttributes.SubResource.Value, Pattern: resourceAttributes.SubResource.Selector},
+					Verb:        &json.JSONValue{Static: resourceAttributes.Verb.Value, Pattern: resourceAttributes.Verb.Selector},
 				}
 			}
 
 			var err error
-			translatedAuthorization.KubernetesAuthz, err = authorization_evaluators.NewKubernetesAuthz(authorinoUser, authorization.KubernetesSubjectAccessReview.Groups, authorinoResourceAttributes)
+			translatedAuthorization.KubernetesAuthz, err = authorization_evaluators.NewKubernetesAuthz(&authorinoUser, authorization.KubernetesSubjectAccessReview.Groups, authorinoResourceAttributes)
 			if err != nil {
 				return nil, err
 			}
@@ -475,7 +476,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 				Endpoint:     authzed.Endpoint,
 				Insecure:     authzed.Insecure,
 				SharedSecret: sharedSecret,
-				Permission:   *getJsonFromStaticDynamic(&authzed.Permission),
+				Permission:   getJsonFromStaticDynamic(&authzed.Permission),
 			}
 			translatedAuthzed.Subject, translatedAuthzed.SubjectKind = spiceDBObjectToJsonValues(authzed.Subject)
 			translatedAuthzed.Resource, translatedAuthzed.ResourceKind = spiceDBObjectToJsonValues(authzed.Resource)
@@ -627,7 +628,7 @@ func injectResponseConfig(ctx context.Context, authConfig *api.AuthConfig, succe
 		for claimName, claim := range wristband.CustomClaims {
 			customClaims = append(customClaims, json.JSONProperty{
 				Name: claimName,
-				Value: json.JSONValue{
+				Value: &json.JSONValue{
 					Static:  claim.Value,
 					Pattern: claim.Selector,
 				},
@@ -652,7 +653,7 @@ func injectResponseConfig(ctx context.Context, authConfig *api.AuthConfig, succe
 		for propertyName, property := range successResponse.Json.Properties {
 			jsonProperties = append(jsonProperties, json.JSONProperty{
 				Name: propertyName,
-				Value: json.JSONValue{
+				Value: &json.JSONValue{
 					Static:  property.Value,
 					Pattern: property.Selector,
 				},
@@ -664,7 +665,7 @@ func injectResponseConfig(ctx context.Context, authConfig *api.AuthConfig, succe
 	// plain
 	case api.PlainAuthResponse:
 		translatedResponse.Plain = &response_evaluators.Plain{
-			JSONValue: json.JSONValue{
+			Value: &json.JSONValue{
 				Static:  successResponse.Plain.Value,
 				Pattern: successResponse.Plain.Selector,
 			},
@@ -683,7 +684,7 @@ func injectCache(cache *api.EvaluatorCaching, translatedResponse *evaluators.Res
 			ttl = api.EvaluatorDefaultCacheTTL
 		}
 		translatedResponse.Cache = evaluators.NewEvaluatorCache(
-			*getJsonFromStaticDynamic(&cache.Key),
+			getJsonFromStaticDynamic(&cache.Key),
 			ttl,
 		)
 	}
@@ -838,7 +839,7 @@ func (r *AuthConfigReconciler) buildGenericHttpEvaluator(ctx context.Context, ht
 	for name, param := range http.Parameters {
 		params = append(params, json.JSONProperty{
 			Name: name,
-			Value: json.JSONValue{
+			Value: &json.JSONValue{
 				Static:  param.Value,
 				Pattern: param.Selector,
 			},
@@ -849,7 +850,7 @@ func (r *AuthConfigReconciler) buildGenericHttpEvaluator(ctx context.Context, ht
 	for name, header := range http.Headers {
 		headers = append(headers, json.JSONProperty{
 			Name: name,
-			Value: json.JSONValue{
+			Value: &json.JSONValue{
 				Static:  header.Value,
 				Pattern: header.Selector,
 			},
@@ -981,7 +982,7 @@ func buildAuthorinoDenyWithValues(denyWithSpec *api.DenyWithSpec) *evaluators.De
 
 	headers := make([]json.JSONProperty, 0, len(denyWithSpec.Headers))
 	for name, header := range denyWithSpec.Headers {
-		headers = append(headers, json.JSONProperty{Name: name, Value: json.JSONValue{Static: header.Value, Pattern: header.Selector}})
+		headers = append(headers, json.JSONProperty{Name: name, Value: &json.JSONValue{Static: header.Value, Pattern: header.Selector}})
 	}
 
 	return &evaluators.DenyWithValues{
@@ -1003,13 +1004,13 @@ func getJsonFromStaticDynamic(value *api.ValueOrSelector) *json.JSONValue {
 	}
 }
 
-func spiceDBObjectToJsonValues(obj *api.SpiceDBObject) (name json.JSONValue, kind json.JSONValue) {
+func spiceDBObjectToJsonValues(obj *api.SpiceDBObject) (name expressions.Value, kind expressions.Value) {
 	if obj == nil {
 		return
 	}
 
-	name = *getJsonFromStaticDynamic(&obj.Name)
-	kind = *getJsonFromStaticDynamic(&obj.Kind)
+	name = getJsonFromStaticDynamic(&obj.Name)
+	kind = getJsonFromStaticDynamic(&obj.Kind)
 
 	return name, kind
 }
diff --git a/pkg/evaluators/authorization/authzed.go b/pkg/evaluators/authorization/authzed.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 
 	"github.com/kuadrant/authorino/pkg/auth"
-	"github.com/kuadrant/authorino/pkg/json"
+	"github.com/kuadrant/authorino/pkg/expressions"
 	"google.golang.org/grpc"
 	insecuregrpc "google.golang.org/grpc/credentials/insecure"
 
@@ -19,11 +19,11 @@ type Authzed struct {
 	Insecure     bool
 	SharedSecret string
 
-	Subject      json.JSONValue
-	SubjectKind  json.JSONValue
-	Resource     json.JSONValue
-	ResourceKind json.JSONValue
-	Permission   json.JSONValue
+	Subject      expressions.Value
+	SubjectKind  expressions.Value
+	Resource     expressions.Value
+	ResourceKind expressions.Value
+	Permission   expressions.Value
 }
 
 type permissionResponse struct {
@@ -86,7 +86,7 @@ func (a *Authzed) Call(pipeline auth.AuthPipeline, ctx gocontext.Context) (inter
 	return obj, nil
 }
 
-func authzedObjectFor(name, kind json.JSONValue, authJSON string) (*authzedpb.ObjectReference, error) {
+func authzedObjectFor(name, kind expressions.Value, authJSON string) (*authzedpb.ObjectReference, error) {
 	objectId, err := name.ResolveFor(authJSON)
 	if err != nil {
 		return nil, err

diff --git a/pkg/evaluators/authorization/authzed_test.go b/pkg/evaluators/authorization/authzed_test.go
@@ -52,11 +52,11 @@ func TestAuthzedCallAuthorized(t *testing.T) {
 		Endpoint:     testAuthzedServerEndpoint,
 		Insecure:     true,
 		SharedSecret: "secret",
-		Subject:      json.JSONValue{Static: "1"},
-		SubjectKind:  json.JSONValue{Static: "user"},
-		Resource:     json.JSONValue{Static: "123"},
-		ResourceKind: json.JSONValue{Static: "post"},
-		Permission:   json.JSONValue{Static: "read"},
+		Subject:      &json.JSONValue{Static: "1"},
+		SubjectKind:  &json.JSONValue{Static: "user"},
+		Resource:     &json.JSONValue{Static: "123"},
+		ResourceKind: &json.JSONValue{Static: "post"},
+		Permission:   &json.JSONValue{Static: "read"},
 	}
 
 	obj, err := authzed.Call(pipelineMock, ctx)
@@ -91,11 +91,11 @@ func TestAuthzedCallForbidden(t *testing.T) {
 		Endpoint:     testAuthzedServerEndpoint,
 		Insecure:     true,
 		SharedSecret: "secret",
-		Subject:      json.JSONValue{Static: "1"},
-		SubjectKind:  json.JSONValue{Static: "user"},
-		Resource:     json.JSONValue{Static: "123"},
-		ResourceKind: json.JSONValue{Static: "post"},
-		Permission:   json.JSONValue{Static: "read"},
+		Subject:      &json.JSONValue{Static: "1"},
+		SubjectKind:  &json.JSONValue{Static: "user"},
+		Resource:     &json.JSONValue{Static: "123"},
+		ResourceKind: &json.JSONValue{Static: "post"},
+		Permission:   &json.JSONValue{Static: "read"},
 	}
 
 	obj, err := authzed.Call(pipelineMock, ctx)

diff --git a/pkg/evaluators/authorization/kubernetes_authz.go b/pkg/evaluators/authorization/kubernetes_authz.go
@@ -3,11 +3,11 @@ package authorization
 import (
 	gocontext "context"
 	"fmt"
+	"github.com/kuadrant/authorino/pkg/expressions"
 	"strings"
 
 	"github.com/kuadrant/authorino/pkg/auth"
 	"github.com/kuadrant/authorino/pkg/context"
-	"github.com/kuadrant/authorino/pkg/json"
 	"github.com/kuadrant/authorino/pkg/log"
 
 	kubeAuthz "k8s.io/api/authorization/v1"
@@ -21,7 +21,7 @@ type kubernetesSubjectAccessReviewer interface {
 	SubjectAccessReviews() kubeAuthzClient.SubjectAccessReviewInterface
 }
 
-func NewKubernetesAuthz(user json.JSONValue, groups []string, resourceAttributes *KubernetesAuthzResourceAttributes) (*KubernetesAuthz, error) {
+func NewKubernetesAuthz(user expressions.Value, groups []string, resourceAttributes *KubernetesAuthzResourceAttributes) (*KubernetesAuthz, error) {
 	config, err := rest.InClusterConfig()
 	if err != nil {
 		return nil, err
@@ -41,16 +41,16 @@ func NewKubernetesAuthz(user json.JSONValue, groups []string, resourceAttributes
 }
 
 type KubernetesAuthzResourceAttributes struct {
-	Namespace   json.JSONValue
-	Group       json.JSONValue
-	Resource    json.JSONValue
-	Name        json.JSONValue
-	SubResource json.JSONValue
-	Verb        json.JSONValue
+	Namespace   expressions.Value
+	Group       expressions.Value
+	Resource    expressions.Value
+	Name        expressions.Value
+	SubResource expressions.Value
+	Verb        expressions.Value
 }
 
 type KubernetesAuthz struct {
-	User               json.JSONValue
+	User               expressions.Value
 	Groups             []string
 	ResourceAttributes *KubernetesAuthzResourceAttributes
 
@@ -63,7 +63,7 @@ func (k *KubernetesAuthz) Call(pipeline auth.AuthPipeline, ctx gocontext.Context
 	}
 
 	authJSON := pipeline.GetAuthorizationJSON()
-	jsonValueToStr := func(value json.JSONValue) (string, error) {
+	jsonValueToStr := func(value expressions.Value) (string, error) {
 		resolved, err := value.ResolveFor(authJSON)
 		if err != nil {
 			return "", err

diff --git a/pkg/evaluators/authorization/kubernetes_authz_test.go b/pkg/evaluators/authorization/kubernetes_authz_test.go
@@ -2,6 +2,7 @@ package authorization
 
 import (
 	"context"
+	"github.com/kuadrant/authorino/pkg/expressions"
 	"testing"
 
 	mock_auth "github.com/kuadrant/authorino/pkg/auth/mocks"
@@ -58,7 +59,7 @@ func (client *k8sAuthorizationClientMock) GetRequest() kubeAuthz.SubjectAccessRe
 	return client.request
 }
 
-func newKubernetesAuthz(user json.JSONValue, groups []string, resourceAttributes *KubernetesAuthzResourceAttributes, subjectAccessReviewResponseStatus kubeAuthz.SubjectAccessReviewStatus) *KubernetesAuthz {
+func newKubernetesAuthz(user expressions.Value, groups []string, resourceAttributes *KubernetesAuthzResourceAttributes, subjectAccessReviewResponseStatus kubeAuthz.SubjectAccessReviewStatus) *KubernetesAuthz {
 	return &KubernetesAuthz{
 		User:               user,
 		Groups:             groups,
@@ -80,7 +81,7 @@ func TestKubernetesAuthzNonResource_Allowed(t *testing.T) {
 	pipelineMock.EXPECT().GetHttp().Return(request)
 
 	kubernetesAuth := newKubernetesAuthz(
-		json.JSONValue{Pattern: "auth.identity.username"},
+		&json.JSONValue{Pattern: "auth.identity.username"},
 		[]string{},
 		nil,
 		kubeAuthz.SubjectAccessReviewStatus{Allowed: true, Reason: ""},
@@ -108,7 +109,7 @@ func TestKubernetesAuthzNonResource_Denied(t *testing.T) {
 	pipelineMock.EXPECT().GetHttp().Return(request)
 
 	kubernetesAuth := newKubernetesAuthz(
-		json.JSONValue{Pattern: "auth.identity.username"},
+		&json.JSONValue{Pattern: "auth.identity.username"},
 		[]string{},
 		nil,
 		kubeAuthz.SubjectAccessReviewStatus{Allowed: false, Reason: "some-reason"},
@@ -133,9 +134,9 @@ func TestKubernetesAuthzResource_Allowed(t *testing.T) {
 	pipelineMock.EXPECT().GetAuthorizationJSON().Return(`{"context":{"request":{"http":{"method":"GET","path":"/hello"}}},"auth":{"identity":{"username":"john"}}}`)
 
 	kubernetesAuth := newKubernetesAuthz(
-		json.JSONValue{Pattern: "auth.identity.username"},
+		&json.JSONValue{Pattern: "auth.identity.username"},
 		[]string{},
-		&KubernetesAuthzResourceAttributes{Namespace: json.JSONValue{Static: "default"}},
+		&KubernetesAuthzResourceAttributes{Namespace: &json.JSONValue{Static: "default"}},
 		kubeAuthz.SubjectAccessReviewStatus{Allowed: true, Reason: ""},
 	)
 	authorized, err := kubernetesAuth.Call(pipelineMock, context.TODO())
@@ -157,9 +158,9 @@ func TestKubernetesAuthzResource_Denied(t *testing.T) {
 	pipelineMock.EXPECT().GetAuthorizationJSON().Return(`{"context":{"request":{"http":{"method":"GET","path":"/hello"}}},"auth":{"identity":{"username":"john"}}}`)
 
 	kubernetesAuth := newKubernetesAuthz(
-		json.JSONValue{Pattern: "auth.identity.username"},
+		&json.JSONValue{Pattern: "auth.identity.username"},
 		[]string{},
-		&KubernetesAuthzResourceAttributes{Namespace: json.JSONValue{Static: "default"}},
+		&KubernetesAuthzResourceAttributes{Namespace: &json.JSONValue{Static: "default"}},
 		kubeAuthz.SubjectAccessReviewStatus{Allowed: false, Reason: "some-reason"},
 	)
 	authorized, err := kubernetesAuth.Call(pipelineMock, context.TODO())

diff --git a/pkg/evaluators/cache.go b/pkg/evaluators/cache.go
@@ -4,7 +4,7 @@ import (
 	gojson "encoding/json"
 	"time"
 
-	"github.com/kuadrant/authorino/pkg/json"
+	"github.com/kuadrant/authorino/pkg/expressions"
 
 	"github.com/coocood/freecache"
 	gocache "github.com/eko/gocache/cache"
@@ -20,7 +20,7 @@ type EvaluatorCache interface {
 	Shutdown() error
 }
 
-func NewEvaluatorCache(keyTemplate json.JSONValue, ttl int) EvaluatorCache {
+func NewEvaluatorCache(keyTemplate expressions.Value, ttl int) EvaluatorCache {
 	duration := time.Duration(ttl) * time.Second
 	cacheClient := freecache.NewCache(EvaluatorCacheSize * 1024 * 1024)
 	cacheStore := cache_store.NewFreecache(cacheClient, &cache_store.Options{Expiration: duration})
@@ -33,7 +33,7 @@ func NewEvaluatorCache(keyTemplate json.JSONValue, ttl int) EvaluatorCache {
 
 // evaluatorCache caches JSON values (objects, arrays, strings, etc)
 type evaluatorCache struct {
-	keyTemplate json.JSONValue
+	keyTemplate expressions.Value
 	store       *gocache.Cache
 }
 

diff --git a/pkg/evaluators/config.go b/pkg/evaluators/config.go
@@ -6,6 +6,7 @@ import (
 	"sync"
 
 	"github.com/kuadrant/authorino/pkg/auth"
+	"github.com/kuadrant/authorino/pkg/expressions"
 	"github.com/kuadrant/authorino/pkg/json"
 	"github.com/kuadrant/authorino/pkg/jsonexp"
 
@@ -74,7 +75,7 @@ type DenyWith struct {
 
 type DenyWithValues struct {
 	Code    int32
-	Message *json.JSONValue
+	Message expressions.Value
 	Headers []json.JSONProperty
-	Body    *json.JSONValue
+	Body    expressions.Value
 }