-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
- Loading branch information
1 parent
a993b5f
commit 0eeb747
Showing
4 changed files
with
274 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,220 @@ | ||
| package authz | ||
|
|
||
| import ( | ||
| "reflect" | ||
|
|
||
| corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" | ||
| authv3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" | ||
| typesv3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" | ||
| "github.com/google/cel-go/cel" | ||
| "github.com/google/cel-go/common/types" | ||
| "github.com/google/cel-go/common/types/ref" | ||
| "google.golang.org/protobuf/types/known/structpb" | ||
| ) | ||
|
|
||
| func celEnv() (*cel.Env, error) { | ||
| base, err := cel.NewEnv(cel.Types((*authv3.CheckRequest)(nil), (*authv3.CheckResponse)(nil))) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| return base.Extend(cel.Lib(EnvoyLib(base.CELTypeAdapter()))) | ||
| } | ||
|
|
||
| func EnvoyLib(adapter types.Adapter) cel.Library { | ||
| return &envoylib{ | ||
| adapter: adapter, | ||
| } | ||
| } | ||
|
|
||
| type envoylib struct { | ||
| adapter types.Adapter | ||
| } | ||
|
|
||
| func (*envoylib) LibraryName() string { | ||
| return "kyverno.envoy" | ||
| } | ||
|
|
||
| func (c *envoylib) CompileOptions() []cel.EnvOption { | ||
| _response := types.NewObjectType("envoy.service.auth.v3.CheckResponse") | ||
| _ok := types.NewObjectType("envoy.service.auth.v3.OkHttpResponse") | ||
| _denied := types.NewObjectType("envoy.service.auth.v3.DeniedHttpResponse") | ||
| _struct := types.NewObjectType("google.protobuf.Struct") | ||
| _header := types.NewObjectType("envoy.config.core.v3.HeaderValueOption") | ||
| var libraryDecls = map[string][]cel.FunctionOpt{ | ||
| "envoy.Allowed": { | ||
| cel.Overload("allowed", []*cel.Type{}, _ok, cel.FunctionBinding(func(values ...ref.Val) ref.Val { return c.allowed() })), | ||
| }, | ||
| "envoy.Denied": { | ||
| cel.Overload("denied", []*cel.Type{types.IntType}, _denied, cel.UnaryBinding(c.denied)), | ||
| }, | ||
| "envoy.Response": { | ||
| cel.Overload("response_ok", []*cel.Type{_ok}, _response, cel.UnaryBinding(c.response_ok)), | ||
| cel.Overload("response_denied", []*cel.Type{_denied}, _response, cel.UnaryBinding(c.response_denied)), | ||
| }, | ||
| "envoy.Header": { | ||
| cel.Overload("header_key_value", []*cel.Type{types.StringType, types.StringType}, _header, cel.BinaryBinding(c.header_key_value)), | ||
| }, | ||
| "WithBody": { | ||
| cel.MemberOverload("denied_with_body", []*cel.Type{_denied, types.StringType}, _denied, cel.BinaryBinding(c.denied_with_body)), | ||
| }, | ||
| "WithHeader": { | ||
| cel.MemberOverload("ok_with_header", []*cel.Type{_ok, _header}, _ok, cel.BinaryBinding(c.ok_with_header)), | ||
| cel.MemberOverload("denied_with_header", []*cel.Type{_denied, _header}, _denied, cel.BinaryBinding(c.denied_with_header)), | ||
| }, | ||
| "WithoutHeader": { | ||
| cel.MemberOverload("ok_without_header", []*cel.Type{_ok, types.StringType}, _ok, cel.BinaryBinding(c.ok_without_header)), | ||
| }, | ||
| "WithResponseHeader": { | ||
| cel.MemberOverload("ok_with_response_header", []*cel.Type{_ok, _header}, _ok, cel.BinaryBinding(c.ok_with_response_header)), | ||
| }, | ||
| "KeepEmptyValue": { | ||
| cel.MemberOverload("header_keep_empty_value", []*cel.Type{_header}, _header, cel.UnaryBinding(c.header_keep_empty_value)), | ||
| cel.MemberOverload("header_keep_empty_value_bool", []*cel.Type{_header, types.BoolType}, _header, cel.BinaryBinding(c.header_keep_empty_value_bool)), | ||
| }, | ||
| "Response": { | ||
| cel.MemberOverload("ok_response", []*cel.Type{_ok}, _response, cel.UnaryBinding(c.response_ok)), | ||
| cel.MemberOverload("denied_response", []*cel.Type{_denied}, _response, cel.UnaryBinding(c.response_denied)), | ||
| }, | ||
| "WithMetadata": { | ||
| cel.MemberOverload("response_with_metadata", []*cel.Type{_response, _struct}, _ok, cel.BinaryBinding(c.response_with_metadata)), | ||
| }, | ||
| } | ||
| options := []cel.EnvOption{} | ||
| for name, overloads := range libraryDecls { | ||
| options = append(options, cel.Function(name, overloads...)) | ||
| } | ||
| return options | ||
| } | ||
|
|
||
| func (_ *envoylib) ProgramOptions() []cel.ProgramOption { | ||
| return []cel.ProgramOption{} | ||
| } | ||
|
|
||
| func (c *envoylib) allowed() ref.Val { | ||
| r := &authv3.OkHttpResponse{} | ||
| return c.adapter.NativeToValue(r) | ||
| } | ||
|
|
||
| func (c *envoylib) ok_with_header(ok ref.Val, header ref.Val) ref.Val { | ||
| if ok, err := convertToNative[*authv3.OkHttpResponse](ok); err != nil { | ||
| return types.WrapErr(err) | ||
| } else if header, err := convertToNative[*corev3.HeaderValueOption](header); err != nil { | ||
| return types.WrapErr(err) | ||
| } else { | ||
| ok.Headers = append(ok.Headers, header) | ||
| return c.adapter.NativeToValue(ok) | ||
| } | ||
| } | ||
|
|
||
| func (c *envoylib) ok_without_header(ok ref.Val, header ref.Val) ref.Val { | ||
| if ok, err := convertToNative[*authv3.OkHttpResponse](ok); err != nil { | ||
| return types.WrapErr(err) | ||
| } else if header, err := convertToNative[string](header); err != nil { | ||
| return types.WrapErr(err) | ||
| } else { | ||
| ok.HeadersToRemove = append(ok.HeadersToRemove, header) | ||
| return c.adapter.NativeToValue(ok) | ||
| } | ||
| } | ||
|
|
||
| func (c *envoylib) ok_with_response_header(ok ref.Val, header ref.Val) ref.Val { | ||
| if ok, err := convertToNative[*authv3.OkHttpResponse](ok); err != nil { | ||
| return types.WrapErr(err) | ||
| } else if header, err := convertToNative[*corev3.HeaderValueOption](header); err != nil { | ||
| return types.WrapErr(err) | ||
| } else { | ||
| ok.ResponseHeadersToAdd = append(ok.ResponseHeadersToAdd, header) | ||
| return c.adapter.NativeToValue(ok) | ||
| } | ||
| } | ||
|
|
||
| func (c *envoylib) denied(code ref.Val) ref.Val { | ||
| if code, err := convertToNative[typesv3.StatusCode](code); err != nil { | ||
| return types.WrapErr(err) | ||
| } else { | ||
| return c.adapter.NativeToValue(&authv3.DeniedHttpResponse{Status: &typesv3.HttpStatus{Code: code}}) | ||
| } | ||
| } | ||
|
|
||
| func (c *envoylib) denied_with_body(denied ref.Val, body ref.Val) ref.Val { | ||
| if denied, err := convertToNative[*authv3.DeniedHttpResponse](denied); err != nil { | ||
| return types.WrapErr(err) | ||
| } else if body, err := convertToNative[string](body); err != nil { | ||
| return types.WrapErr(err) | ||
| } else { | ||
| denied.Body = body | ||
| return c.adapter.NativeToValue(denied) | ||
| } | ||
| } | ||
|
|
||
| func (c *envoylib) denied_with_header(denied ref.Val, header ref.Val) ref.Val { | ||
| if denied, err := convertToNative[*authv3.DeniedHttpResponse](denied); err != nil { | ||
| return types.WrapErr(err) | ||
| } else if header, err := convertToNative[*corev3.HeaderValueOption](header); err != nil { | ||
| return types.WrapErr(err) | ||
| } else { | ||
| denied.Headers = append(denied.Headers, header) | ||
| return c.adapter.NativeToValue(denied) | ||
| } | ||
| } | ||
|
|
||
| func (c *envoylib) header_key_value(key ref.Val, value ref.Val) ref.Val { | ||
| if key, err := convertToNative[string](key); err != nil { | ||
| return types.WrapErr(err) | ||
| } else if value, err := convertToNative[string](value); err != nil { | ||
| return types.WrapErr(err) | ||
| } else { | ||
| return c.adapter.NativeToValue(&corev3.HeaderValueOption{Header: &corev3.HeaderValue{Key: key, Value: value}}) | ||
| } | ||
| } | ||
|
|
||
| func (c *envoylib) header_keep_empty_value(header ref.Val) ref.Val { | ||
| return c.header_keep_empty_value_bool(header, types.True) | ||
| } | ||
|
|
||
| func (c *envoylib) header_keep_empty_value_bool(header ref.Val, flag ref.Val) ref.Val { | ||
| if header, err := convertToNative[*corev3.HeaderValueOption](header); err != nil { | ||
| return types.WrapErr(err) | ||
| } else if flag, err := convertToNative[bool](flag); err != nil { | ||
| return types.WrapErr(err) | ||
| } else { | ||
| header.KeepEmptyValue = flag | ||
| return c.adapter.NativeToValue(header) | ||
| } | ||
| } | ||
|
|
||
| func (c *envoylib) response_ok(ok ref.Val) ref.Val { | ||
| if ok, err := convertToNative[*authv3.OkHttpResponse](ok); err != nil { | ||
| return types.WrapErr(err) | ||
| } else { | ||
| return c.adapter.NativeToValue(&authv3.CheckResponse{HttpResponse: &authv3.CheckResponse_OkResponse{OkResponse: ok}}) | ||
| } | ||
| } | ||
|
|
||
| func (c *envoylib) response_denied(denied ref.Val) ref.Val { | ||
| if denied, err := convertToNative[*authv3.DeniedHttpResponse](denied); err != nil { | ||
| return types.WrapErr(err) | ||
| } else { | ||
| return c.adapter.NativeToValue(&authv3.CheckResponse{HttpResponse: &authv3.CheckResponse_DeniedResponse{DeniedResponse: denied}}) | ||
| } | ||
| } | ||
|
|
||
| func (c *envoylib) response_with_metadata(response ref.Val, metadata ref.Val) ref.Val { | ||
| if response, err := convertToNative[*authv3.CheckResponse](response); err != nil { | ||
| return types.WrapErr(err) | ||
| } else if metadata, err := convertToNative[*structpb.Struct](metadata); err != nil { | ||
| return types.WrapErr(err) | ||
| } else { | ||
| response.DynamicMetadata = metadata | ||
| return c.adapter.NativeToValue(response) | ||
| } | ||
| } | ||
|
|
||
| func convertToNative[T any](value ref.Val) (T, error) { | ||
| response, err := value.ConvertToNative(reflect.TypeFor[T]()) | ||
| if err != nil { | ||
| var t T | ||
| return t, err | ||
| } | ||
| return response.(T), nil | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| package authz | ||
|
|
||
| import ( | ||
| "reflect" | ||
| "testing" | ||
|
|
||
| authv3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" | ||
| "github.com/google/cel-go/interpreter" | ||
| "github.com/stretchr/testify/assert" | ||
| ) | ||
|
|
||
| func Test_celEnv(t *testing.T) { | ||
| source := ` | ||
| envoy | ||
| .Denied(401) | ||
| .WithBody("Authentication Failed") | ||
| .WithHeader(envoy.Header("foo", "bar").KeepEmptyValue()) | ||
| .Response() | ||
| .WithMetadata({"my-new-metadata": "my-new-value"}) | ||
| ` | ||
| env, err := celEnv() | ||
| assert.NoError(t, err) | ||
| ast, issues := env.Compile(source) | ||
| assert.Nil(t, issues) | ||
| prog, err := env.Program(ast) | ||
| assert.NoError(t, err) | ||
| assert.NotNil(t, prog) | ||
| out, _, err := prog.Eval(interpreter.EmptyActivation()) | ||
| assert.NoError(t, err) | ||
| assert.NotNil(t, out) | ||
| a, err := out.ConvertToNative(reflect.TypeFor[*authv3.CheckResponse]()) | ||
| assert.NoError(t, err) | ||
| assert.NotNil(t, a) | ||
| } |