CEL in IdentityExtensions

Kuadrant · Oct 28, 2024 · d8f60f4 · d8f60f4
1 parent 1bea626
commit d8f60f4
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 28 deletions.
diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go
@@ -183,16 +183,32 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 	for identityCfgName, identity := range authConfigIdentityConfigs {
 		extendedProperties := make([]evaluators.IdentityExtension, len(identity.Defaults)+len(identity.Overrides))
 		for propertyName, property := range identity.Defaults {
-			extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, json.JSONValue{
-				Static:  property.Value,
-				Pattern: property.Selector,
-			}, false))
+			if property.Expression.Expression != "" {
+				if expression, err := cel.NewExpression(property.Expression.Expression); err == nil {
+					extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, expression, false))
+				} else {
+					return nil, err
+				}
+			} else {
+				extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, &json.JSONValue{
+					Static:  property.Value,
+					Pattern: property.Selector,
+				}, false))
+			}
 		}
 		for propertyName, property := range identity.Overrides {
-			extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, json.JSONValue{
-				Static:  property.Value,
-				Pattern: property.Selector,
-			}, true))
+			if property.Expression.Expression != "" {
+				if expression, err := cel.NewExpression(property.Expression.Expression); err == nil {
+					extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, expression, true))
+				} else {
+					return nil, err
+				}
+			} else {
+				extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, &json.JSONValue{
+					Static:  property.Value,
+					Pattern: property.Selector,
+				}, true))
+			}
 		}
 
 		predicates, err := buildPredicates(authConfig, identity.Conditions, jsonexp.All)

diff --git a/pkg/evaluators/identity_extension.go b/pkg/evaluators/identity_extension.go
@@ -1,16 +1,18 @@
 package evaluators
 
 import (
+	"github.com/kuadrant/authorino/pkg/expressions"
 	"github.com/kuadrant/authorino/pkg/json"
 )
 
-func NewIdentityExtension(name string, value json.JSONValue, overwrite bool) IdentityExtension {
+func NewIdentityExtension(name string, value expressions.Value, overwrite bool) IdentityExtension {
+	property := json.JSONProperty{
+		Name:  name,
+		Value: value,
+	}
 	return IdentityExtension{
-		JSONProperty: json.JSONProperty{
-			Name:  name,
-			Value: &value,
-		},
-		Overwrite: overwrite,
+		JSONProperty: property,
+		Overwrite:    overwrite,
 	}
 }
 

diff --git a/pkg/evaluators/identity_extension_test.go b/pkg/evaluators/identity_extension_test.go
@@ -23,62 +23,62 @@ func TestResolveIdentityExtension(t *testing.T) {
 	}{
 		{
 			name:     "static value for existing property without overwrite",
-			input:    NewIdentityExtension("username", json.JSONValue{Static: "foo"}, false),
+			input:    NewIdentityExtension("username", &json.JSONValue{Static: "foo"}, false),
 			expected: "beth",
 		},
 		{
 			name:     "static value for missing property without overwrite",
-			input:    NewIdentityExtension("uid", json.JSONValue{Static: "foo"}, false),
+			input:    NewIdentityExtension("uid", &json.JSONValue{Static: "foo"}, false),
 			expected: "foo",
 		},
 		{
 			name:     "static value for existing property without overwrite",
-			input:    NewIdentityExtension("username", json.JSONValue{Static: "foo"}, true),
+			input:    NewIdentityExtension("username", &json.JSONValue{Static: "foo"}, true),
 			expected: "foo",
 		},
 		{
 			name:     "static value for missing property without overwrite",
-			input:    NewIdentityExtension("uid", json.JSONValue{Static: "foo"}, true),
+			input:    NewIdentityExtension("uid", &json.JSONValue{Static: "foo"}, true),
 			expected: "foo",
 		},
 		{
 			name:     "existing pattern for existing property without overwrite",
-			input:    NewIdentityExtension("username", json.JSONValue{Pattern: "auth.identity.sub"}, false),
+			input:    NewIdentityExtension("username", &json.JSONValue{Pattern: "auth.identity.sub"}, false),
 			expected: "beth",
 		},
 		{
 			name:     "existing pattern for missing property without overwrite",
-			input:    NewIdentityExtension("uid", json.JSONValue{Pattern: "auth.identity.sub"}, false),
+			input:    NewIdentityExtension("uid", &json.JSONValue{Pattern: "auth.identity.sub"}, false),
 			expected: "1234567890",
 		},
 		{
 			name:     "existing pattern for existing property without overwrite",
-			input:    NewIdentityExtension("username", json.JSONValue{Pattern: "auth.identity.sub"}, true),
+			input:    NewIdentityExtension("username", &json.JSONValue{Pattern: "auth.identity.sub"}, true),
 			expected: "1234567890",
 		},
 		{
 			name:     "existing pattern for missing property without overwrite",
-			input:    NewIdentityExtension("uid", json.JSONValue{Pattern: "auth.identity.sub"}, true),
+			input:    NewIdentityExtension("uid", &json.JSONValue{Pattern: "auth.identity.sub"}, true),
 			expected: "1234567890",
 		},
 		{
 			name:     "missing pattern for existing property without overwrite",
-			input:    NewIdentityExtension("username", json.JSONValue{Pattern: "auth.identity.full_name"}, false),
+			input:    NewIdentityExtension("username", &json.JSONValue{Pattern: "auth.identity.full_name"}, false),
 			expected: "beth",
 		},
 		{
 			name:     "missing pattern for missing property without overwrite",
-			input:    NewIdentityExtension("uid", json.JSONValue{Pattern: "auth.identity.full_name"}, false),
+			input:    NewIdentityExtension("uid", &json.JSONValue{Pattern: "auth.identity.full_name"}, false),
 			expected: "",
 		},
 		{
 			name:     "missing pattern for existing property without overwrite",
-			input:    NewIdentityExtension("username", json.JSONValue{Pattern: "auth.identity.full_name"}, true),
+			input:    NewIdentityExtension("username", &json.JSONValue{Pattern: "auth.identity.full_name"}, true),
 			expected: "",
 		},
 		{
 			name:     "missing pattern for missing property without overwrite",
-			input:    NewIdentityExtension("uid", json.JSONValue{Pattern: "auth.identity.full_name"}, true),
+			input:    NewIdentityExtension("uid", &json.JSONValue{Pattern: "auth.identity.full_name"}, true),
 			expected: "",
 		},
 	}

diff --git a/pkg/evaluators/identity_test.go b/pkg/evaluators/identity_test.go
@@ -41,8 +41,8 @@ func TestIdentityConfig_ResolveExtendedProperties(t *testing.T) {
 		Name:           "test",
 		KubernetesAuth: &identity.KubernetesAuth{},
 		ExtendedProperties: []IdentityExtension{
-			NewIdentityExtension("prop1", json.JSONValue{Static: "value1"}, true),
-			NewIdentityExtension("prop2", json.JSONValue{Pattern: "auth.identity.sub"}, true),
+			NewIdentityExtension("prop1", &json.JSONValue{Static: "value1"}, true),
+			NewIdentityExtension("prop2", &json.JSONValue{Pattern: "auth.identity.sub"}, true),
 		},
 	}