Skip to content

Commit

Permalink
Merge pull request #149 from pehala/common_features
Browse files Browse the repository at this point in the history
Add support for Common Features
  • Loading branch information
pehala authored Dec 1, 2022
2 parents 521c453 + a245bc5 commit 0f8139c
Show file tree
Hide file tree
Showing 3 changed files with 92 additions and 47 deletions.
37 changes: 36 additions & 1 deletion testsuite/objects/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ class MatchExpression:
@dataclass
class Rule:
"""
Data class for authorization rules represented by simple pattern-matching expressions.
Data class for rules represented by simple pattern-matching expressions.
Args:
:param selector: that is fetched from the Authorization JSON
:param operator: `eq` (equals), `neq` (not equal), `incl` (includes) and `excl` (excludes), for arrays
Expand All @@ -35,6 +35,41 @@ class Rule:
value: str


class Value:
"""Dataclass for specifying a Value in Authorization, can be either constant or value from AuthJson (jsonPath)"""

# pylint: disable=invalid-name
def __init__(self, value=None, jsonPath=None) -> None:
super().__init__()
if not (value is None) ^ (jsonPath is None):
raise AttributeError("Exactly one of the `value` and `jsonPath` argument must be specified")
self.value = value
self.jsonPath = jsonPath

def to_dict(self):
"""Returns dict representation of itself (shallow copy only)"""
return {"value": self.value} if self.value else {"valueFrom": {"authJson": self.jsonPath}}


@dataclass
class Cache:
"""Dataclass for specifying Cache in Authorization"""
ttl: int
# pylint: disable=invalid-name
value: Value

def to_dict(self):
"""Returns dict representation of itself (shallow copy only)"""
return {"ttl": self.ttl, "value": self.value.to_dict()}


@dataclass
class PatternRef:
"""Dataclass for specifying Pattern reference in Authorization"""
# pylint: disable=invalid-name
patternRef: str


class LifecycleObject(abc.ABC):
"""Any objects which has its lifecycle controlled by create() and delete() methods"""

Expand Down
28 changes: 14 additions & 14 deletions testsuite/objects/sections.py
Original file line number Diff line number Diff line change
Expand Up @@ -11,47 +11,47 @@ class Authorizations(abc.ABC):
"""Authorization configuration"""

@abc.abstractmethod
def opa_policy(self, name, rego_policy):
def opa_policy(self, name, rego_policy, **common_features):
"""Adds OPA inline Rego policy"""

@abc.abstractmethod
def external_opa_policy(self, name, endpoint, ttl):
def external_opa_policy(self, name, endpoint, ttl, **common_features):
"""Adds OPA policy from external registry"""

@abc.abstractmethod
def role_rule(self, name: str, role: str, path: str, metrics: bool, priority: int):
def role_rule(self, name: str, role: str, path: str, metrics: bool, priority: int, **common_features):
"""Adds a rule, which allows access to 'path' only to users with 'role'"""

@abc.abstractmethod
def auth_rule(self, name: str, rule: "Rule", when: "Rule", metrics: bool, priority: int):
def auth_rule(self, name: str, rule: "Rule", when: "Rule", metrics: bool, priority: int, **common_features):
"""Adds JSON pattern-matching authorization rule (authorization.json)"""

@abc.abstractmethod
def kubernetes(self, name: str, when: list, kube_attrs: dict, priority: int):
def kubernetes(self, name: str, when: list, kube_attrs: dict, priority: int, **common_features):
"""Adds kubernetes authorization rule."""


class Identities(abc.ABC):
"""Identities configuration"""

@abc.abstractmethod
def oidc(self, name, endpoint, credentials, selector):
def oidc(self, name, endpoint, credentials, selector, **common_features):
"""Adds OIDC identity provider"""

@abc.abstractmethod
def api_key(self, name, all_namespaces, match_label, match_expression, credentials, selector):
def api_key(self, name, all_namespaces, match_label, match_expression, credentials, selector, **common_features):
"""Adds API Key identity"""

@abc.abstractmethod
def mtls(self, name: str, selector_key: str, selector_value: str):
def mtls(self, name: str, selector_key: str, selector_value: str, **common_features):
"""Adds mTLS identity"""

@abc.abstractmethod
def anonymous(self, name):
def anonymous(self, name, **common_features):
"""Adds anonymous identity"""

@abc.abstractmethod
def kubernetes(self, name, authjson):
def kubernetes(self, name, authjson, **common_features):
"""Adds kubernetes identity"""

@abc.abstractmethod
Expand All @@ -63,21 +63,21 @@ class Metadata(abc.ABC):
"""Metadata configuration"""

@abc.abstractmethod
def http_metadata(self, name, endpoint, method):
def http_metadata(self, name, endpoint, method, **common_features):
"""Set metadata http external auth feature"""

@abc.abstractmethod
def user_info_metadata(self, name, identity_source):
def user_info_metadata(self, name, identity_source, **common_features):
"""Set metadata OIDC user info"""

@abc.abstractmethod
def uma_metadata(self, name, endpoint, credentials):
def uma_metadata(self, name, endpoint, credentials, **common_features):
"""Set metadata User-Managed Access (UMA) resource registry """


class Responses(abc.ABC):
"""Responses configuration"""

@abc.abstractmethod
def add(self, response):
def add(self, response, **common_features):
"""Add response to AuthConfig"""
74 changes: 42 additions & 32 deletions testsuite/openshift/objects/auth_config/sections.py
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
"""AuthConfig CR object"""
from dataclasses import asdict
from typing import Dict, Literal
from typing import Dict, Literal, Iterable

from testsuite.objects import Identities, Metadata, Responses, MatchExpression, Authorizations, Rule
from testsuite.objects import Identities, Metadata, Responses, MatchExpression, Authorizations, Rule, Cache
from testsuite.openshift.objects import OpenShiftObject, modify


Expand All @@ -29,16 +29,26 @@ def section(self):
"""The actual dict section which will be edited"""
return self.obj.model.spec.setdefault(self.section_name, [])

def add_item(self, name, value):
def add_item(self, name, value, priority: int = None, when: Iterable[Rule] = None,
metrics: bool = None, cache: Cache = None):
"""Adds item to the section"""
self.section.append({"name": name, **value})
item = {"name": name, **value}
if when:
item["when"] = [asdict(x) for x in when]
if metrics:
item["metrics"] = metrics
if cache:
item["cache"] = cache.to_dict()
if priority:
item["priority"] = priority
self.section.append(item)


class IdentitySection(Section, Identities):
"""Section which contains identity configuration"""

@modify
def mtls(self, name: str, selector_key: str, selector_value: str):
def mtls(self, name: str, selector_key: str, selector_value: str, **common_features):
"""Adds mTLS identity
Args:
:param name: name of the identity
Expand All @@ -53,10 +63,10 @@ def mtls(self, name: str, selector_key: str, selector_value: str):
}
}
}
})
}, **common_features)

@modify
def oidc(self, name, endpoint, credentials="authorization_header", selector="Bearer"):
def oidc(self, name, endpoint, credentials="authorization_header", selector="Bearer", **common_features):
"""Adds OIDC identity"""
self.add_item(name, {
"oidc": {
Expand All @@ -66,12 +76,12 @@ def oidc(self, name, endpoint, credentials="authorization_header", selector="Bea
"in": credentials,
"keySelector": selector
}
})
}, **common_features)

@modify
def api_key(self, name, all_namespaces: bool = False,
match_label=None, match_expression: MatchExpression = None,
credentials="authorization_header", selector="APIKEY"):
credentials="authorization_header", selector="APIKEY", **common_features):
"""
Adds API Key identity
Args:
Expand Down Expand Up @@ -107,17 +117,17 @@ def api_key(self, name, all_namespaces: bool = False,
"in": credentials,
"keySelector": selector
}
})
}, **common_features)

@modify
def anonymous(self, name):
def anonymous(self, name, **common_features):
"""Adds anonymous identity"""
self.add_item(name, {"anonymous": {}})
self.add_item(name, {"anonymous": {}}, **common_features)

@modify
def kubernetes(self, name, authjson):
def kubernetes(self, name, authjson, **common_features):
"""Adds kubernetes identity"""
self.add_item(name, {"plain": {"authJSON": authjson}})
self.add_item(name, {"plain": {"authJSON": authjson}, **common_features})

@modify
def remove_all(self):
Expand All @@ -128,27 +138,27 @@ def remove_all(self):
class MetadataSection(Section, Metadata):
"""Section which contains metadata configuration"""
@modify
def http_metadata(self, name, endpoint, method: Literal["GET", "POST"]):
def http_metadata(self, name, endpoint, method: Literal["GET", "POST"], **common_features):
"""Set metadata http external auth feature"""
self.add_item(name, {
"http": {
"endpoint": endpoint,
"method": method,
"headers": [{"name": "Accept", "value": "application/json"}]
}
})
}, **common_features)

@modify
def user_info_metadata(self, name, identity_source):
def user_info_metadata(self, name, identity_source, **common_features):
"""Set metadata OIDC user info"""
self.add_item(name, {
"userInfo": {
"identitySource": identity_source
}
})
}, **common_features)

@modify
def uma_metadata(self, name, endpoint, credentials):
def uma_metadata(self, name, endpoint, credentials, **common_features):
"""Set metadata feature for resource-level authorization with User-Managed Access (UMA) resource registry"""
self.add_item(name, {
"uma": {
Expand All @@ -157,23 +167,23 @@ def uma_metadata(self, name, endpoint, credentials):
"name": credentials
}
}
})
}, **common_features)


class ResponsesSection(Section, Responses):
"""Section which contains response configuration"""

@modify
def add(self, response):
def add(self, response, **common_features):
"""Adds response section to AuthConfig."""
self.add_item(response.pop("name"), response)
self.add_item(response.pop("name"), response, **common_features)


class AuthorizationsSection(Section, Authorizations):
"""Section which contains authorization configuration"""

@modify
def auth_rule(self, name, rule: Rule, when: Rule = None, metrics=False, priority=0):
def auth_rule(self, name, rule: Rule, when: Rule = None, metrics=False, priority=0, **common_features):
"""Adds JSON pattern-matching authorization rule (authorization.json)"""
section = {
"metrics": metrics,
Expand All @@ -184,9 +194,9 @@ def auth_rule(self, name, rule: Rule, when: Rule = None, metrics=False, priority
}
if when:
section["when"] = [asdict(when)]
self.add_item(name, section)
self.add_item(name, section, **common_features)

def role_rule(self, name: str, role: str, path: str, metrics=False, priority=0):
def role_rule(self, name: str, role: str, path: str, metrics=False, priority=0, **common_features):
"""
Adds a rule, which allows access to 'path' only to users with 'role'
Args:
Expand All @@ -198,19 +208,19 @@ def role_rule(self, name: str, role: str, path: str, metrics=False, priority=0):
"""
rule = Rule("auth.identity.realm_access.roles", "incl", role)
when = Rule("context.request.http.path", "matches", path)
self.auth_rule(name, rule, when, metrics, priority)
self.auth_rule(name, rule, when, metrics, priority, **common_features)

@modify
def opa_policy(self, name, rego_policy):
def opa_policy(self, name, rego_policy, **common_features):
"""Adds Opa (https://www.openpolicyagent.org/docs/latest/) policy to the AuthConfig"""
self.add_item(name, {
"opa": {
"inlineRego": rego_policy
}
})
}, **common_features)

@modify
def external_opa_policy(self, name, endpoint, ttl=0):
def external_opa_policy(self, name, endpoint, ttl=0, **common_features):
"""
Adds OPA policy that is declared as an HTTP endpoint
"""
Expand All @@ -221,10 +231,10 @@ def external_opa_policy(self, name, endpoint, ttl=0):
"ttl": ttl
}
}
})
}, **common_features)

@modify
def kubernetes(self, name: str, when: list, kube_attrs: dict, priority=0):
def kubernetes(self, name: str, when: list, kube_attrs: dict, priority=0, **common_features):
"""Adds Kubernetes authorization
:param name: name of kubernetes authorization
Expand All @@ -239,4 +249,4 @@ def kubernetes(self, name: str, when: list, kube_attrs: dict, priority=0):
"priority": priority,
"kubernetes": {"user": kube_user, "resourceAttributes": kube_attrs},
"when": when
})
}, **common_features)

0 comments on commit 0f8139c

Please sign in to comment.