
Fuzzy OPA #216

Merged
merged 3 commits into from
Mar 8, 2022

Conversation

guicassolato
Collaborator

@guicassolato guicassolato commented Jan 28, 2022

Adds the option to return all values in the OPA virtual document (all rules), instead of just the "allow" rule that is used by Authorino to decide about the policy overall.

This allows extracting individual values from the Rego virtual documents, e.g. to be used in subsequent authorization policies (i.e. > priority) and custom responses, and implementing use cases such as fuzzy authorization.

Partial OPA policies can be defined to evaluate complex authorization rules and "export" values via Authorization JSON to other evaluators. The overall authorization decision can be postponed by setting `allow = true` in the partial policies.

E.g.:

```yaml
spec:
  authorization:
  - name: pre
    priority: 0
    opa:
      inlineRego: |
        some_rule = x { x := ... } # some complex computation
        allow = true # postponing the authz decision
      allValues: true

  - name: policy-1
    priority: 1
    opa:
      inlineRego: |
        other_rule { ... }
        allow {
          other_rule
          input.auth.authorization.pre.some_rule != "foo"
        }

  - name: policy-2
    priority: 1
    json:
      rules:
      - selector: auth.authorization.pre.some_rule
        operator: neq
        value: baz

  response:
  - name: pre-authz
    json:
      properties:
      - name: some_rule
        valueFrom: { authJSON: auth.authorization.pre.some_rule }
```

Verification steps

```shell
make local-setup

kubectl -n authorino apply -f -<<EOF
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
  - talker-api-authorino.127.0.0.1.nip.io
  identity:
  - name: anonymous
    anonymous: {}
  authorization:
  - name: fuzzy
    opa:
      inlineRego: |
        import input.context.request.http.method

        allowed_methods := ["GET", "POST"]

        is_allowed { allowed_methods[_] == method }

        allow = true
      allValues: true
  response:
  - name: authorization-data
    json:
      properties:
      - name: fuzzy
        valueFrom: { authJSON: auth.authorization.fuzzy }
EOF

kubectl -n authorino port-forward deployment/envoy 8000:8000
curl http://talker-api-authorino.127.0.0.1.nip.io:8000
# ...
# "Authorization-Data": "{\"fuzzy\":{\"allow\":true,\"allowed_methods\":[\"GET\",\"POST\"],\"is_allowed\":true}}",
# ...
curl http://talker-api-authorino.127.0.0.1.nip.io:8000 -X PUT
# ...
# "Authorization-Data": "{\"fuzzy\":{\"allow\":true,\"allowed_methods\":[\"GET\",\"POST\"],\"is_allowed\":null}}",
# ...
```

Breaking changes

The resolved object returned by the OPA authorization evaluators is no longer a simple boolean value, but now an actual object `{ "allow": boolean, ...other rules }`, where `...other rules` is only available when `allValues: true`.

Bug fixes

Fixed: non-boolean values set for the `allow` rule crashing Authorino (Thanks, @maleck13!)


Related to #109

@guicassolato guicassolato self-assigned this Jan 28, 2022
@guicassolato guicassolato force-pushed the fuzzy-opa branch 5 times, most recently from cc8f74e to 62ca8c8 on February 1, 2022 17:49
@guicassolato
Collaborator Author

I'm afraid this might affect performance with multiple Rego rules having to be registered as queries, both while pre-compiling the policy and later when the built-in OPA module evaluates the policy and hands control back to Authorino carrying a bigger, more complex response.

Maybe we should put this under a field option added to the API:

```yaml
spec:
  authorization:
    - opa:
        inlineRego: |
           r1 { ... }
           r2 { ... }
           allow { true }
        fuzzy: true # defaults to false
```

```go
policyFileName := opa.policyUID + ".rego"

var module *opaParser.Module
rules := make(map[string]interface{})
```

Collaborator Author

The "allow" query should always be injected or runtime errors may happen:

```
panic: interface conversion: interface {} is nil, not bool
```

Collaborator Author

I guess this error would not happen due to

```rego
default allow = false
```

On the other hand, if #216 (comment) is done, then yes. In case looping through the list of rules to register all the queries is behind a conditional (i.e. only when `fuzzy: true`), then we'd need to ensure the "allow" query is always injected.

Collaborator Author

Done.
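An added Go example (not Authorino's own code) sketching the two behaviours discussed in this PR: the resolved object described under "Breaking changes" (`allow` plus the other rules only when `allValues` is set) and the safe handling of an undefined or non-boolean `allow`, which a bare `.(bool)` cast would turn into the panic quoted in the review thread. `ruleResults`, `resolveOPA` and `lookupAuthJSON` are assumed names; the input map stands in for the per-rule values the OPA evaluator gets back.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-in for the per-rule values the OPA evaluator gets back (nil = rule undefined for this input).
type ruleResults map[string]interface{}

// resolveOPA builds the object stored in the Authorization JSON for one OPA evaluator:
// {"allow": bool, ...other rules}, the other rules only when allValues is true.
// An undefined or non-boolean "allow" becomes an error instead of a panicking cast.
func resolveOPA(results ruleResults, allValues bool) (map[string]interface{}, error) {
	raw, present := results["allow"]
	if !present {
		return nil, errors.New(`"allow" rule was not queried`)
	}
	allow, ok := raw.(bool) // comma-ok form: nil or a non-bool value fails safely
	if !ok {
		return nil, fmt.Errorf(`"allow" must be a boolean, got %T (%v)`, raw, raw)
	}
	resolved := map[string]interface{}{"allow": allow}
	if allValues {
		for name, value := range results {
			if name != "allow" {
				resolved[name] = value // undefined rules stay nil (null), as in the PUT run above
			}
		}
	}
	return resolved, nil
}

// lookupAuthJSON resolves a dotted selector such as "auth.authorization.pre.some_rule"
// against the nested Authorization JSON document (assumed helper, not Authorino's).
func lookupAuthJSON(doc map[string]interface{}, selector string) (interface{}, bool) {
	var cur interface{} = doc
	for _, key := range strings.Split(selector, ".") {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false
		}
		if cur, ok = m[key]; !ok {
			return nil, false
		}
	}
	return cur, true
}
```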

@guicassolato guicassolato force-pushed the fuzzy-opa branch 2 times, most recently from 986edf2 to 8f807cd on February 22, 2022 09:45
@guicassolato guicassolato marked this pull request as ready for review February 22, 2022 09:46
@guicassolato guicassolato requested a review from a team February 22, 2022 14:25
@guicassolato guicassolato changed the title Fuzzy OPA [WIP] Fuzzy OPA Feb 22, 2022
@guicassolato guicassolato removed the request for review from a team February 22, 2022 17:38
@guicassolato guicassolato changed the title [WIP] Fuzzy OPA Fuzzy OPA Feb 22, 2022
@guicassolato guicassolato requested a review from a team February 22, 2022 18:27
jjaferson
jjaferson previously approved these changes Mar 1, 2022
Contributor

@jjaferson jjaferson left a comment


Code looks good!

Collaborator

@maleck13 maleck13 left a comment

This looks ok to me, just a small comment around the type casting

@guicassolato guicassolato requested a review from maleck13 March 7, 2022 08:23
@jjaferson
Contributor

Just tested the changes and it works

```console
curl http://talker-api-authorino.127.0.0.1.nip.io:8000
{
  "method": "GET",
  "path": "/",
  "query_string": null,
  "body": "",
  "headers": {
    "Host": "talker-api-authorino.127.0.0.1.nip.io:8000",
    "User-Agent": "curl/7.64.1",
    "Accept": "*/*",
    "X-Forwarded-For": "10.244.0.10",
    "X-Forwarded-Proto": "http",
    "X-Envoy-Internal": "true",
    "X-Request-Id": "e7767f72-f705-4de3-88a9-73b22c20e6ff",
    "Authorization-Data": "{\"fuzzy\":{\"allow\":true,\"allowed_methods\":[\"GET\",\"POST\"],\"is_allowed\":true}}",
    "X-Envoy-Expected-Rq-Timeout-Ms": "15000",
    "Version": "HTTP/1.1"
  },
  "uuid": "04164ef0-7bdc-4158-b73e-eb7fe2e0b350"
}%
curl http://talker-api-authorino.127.0.0.1.nip.io:8000 -X PUT
{
  "method": "PUT",
  "path": "/",
  "query_string": null,
  "body": "",
  "headers": {
    "Host": "talker-api-authorino.127.0.0.1.nip.io:8000",
    "User-Agent": "curl/7.64.1",
    "Accept": "*/*",
    "X-Forwarded-For": "10.244.0.10",
    "X-Forwarded-Proto": "http",
    "X-Envoy-Internal": "true",
    "X-Request-Id": "04818471-86f5-4693-8b86-9ff3b12dbbbc",
    "Authorization-Data": "{\"fuzzy\":{\"allow\":true,\"allowed_methods\":[\"GET\",\"POST\"],\"is_allowed\":null}}",
    "X-Envoy-Expected-Rq-Timeout-Ms": "15000",
    "Version": "HTTP/1.1"
  },
  "uuid": "2273e250-2635-49e8-bdcc-e60f11f2b3ad"
}%
```

@guicassolato guicassolato merged commit 71fceca into main Mar 8, 2022
@guicassolato guicassolato deleted the fuzzy-opa branch March 8, 2022 09:32