ory · Demonsthere · Apr 25, 2023 · Apr 25, 2023 · Apr 25, 2023 · Apr 25, 2023
@@ -15,7 +15,7 @@ kube-builder: &install-kube-builder
     sudo mv /tmp/kubebuilder_2.3.2_${os}_${arch} /usr/local/kubebuilder
     export PATH=$PATH:/usr/local/kubebuilder/bin
 golaing_image: &golang_image
-  image: circleci/golang:1.16.12
+  image: circleci/golang:1.17.5
 version: 2
 jobs:
   build:
@@ -44,8 +44,8 @@ jobs:
           name: Update golang
           command: |
             sudo rm -rf /usr/local/go/
-            curl -LO https://go.dev/dl/go1.16.12.linux-amd64.tar.gz
-            sudo tar -C /usr/local -xzf go1.16.12.linux-amd64.tar.gz
+            curl -LO https://go.dev/dl/go1.17.5.linux-amd64.tar.gz
+            sudo tar -C /usr/local -xzf go1.17.5.linux-amd64.tar.gz
             sudo echo "export PATH=$PATH:/usr/local/go/bin" >> $HOME/.profile
             go version
       - run:

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.16 as builder
+FROM golang:1.17 as builder
 WORKDIR /go/src/app
 COPY . .
 RUN apt update &&\

@@ -1,4 +1,4 @@
-// Copyright © 2022 Ory Corp
+// Copyright © 2023 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -7,11 +7,13 @@ var (
 	DefaultAuthenticatorsAvailable = [...]string{"noop", "unauthorized", "anonymous", "cookie_session", "oauth2_client_credentials", "oauth2_introspection", "jwt", "bearer_token"}
 	DefaultAuthorizersAvailable    = [...]string{"allow", "deny", "keto_engine_acp_ory", "remote", "remote_json"}
 	DefaultMutatorsAvailable       = [...]string{"noop", "id_token", "header", "cookie", "hydrator"}
+	DefaultErrorsAvailable         = [...]string{"json", "redirect", "www_authenticate"}
 )
 
 const (
 	AuthenticatorsAvailableEnv = "authenticatorsAvailable"
 	AuthorizersAvailableEnv    = "authorizersAvailable"
 	MutatorsAvailableEnv       = "mutatorsAvailable"
+	ErrorsAvailableEnv         = "errorsAvailable"
 	RulesFileNameRegexp        = "\\A[-._a-zA-Z0-9]+\\z"
 )
@@ -1,4 +1,4 @@
-// Copyright © 2022 Ory Corp
+// Copyright © 2023 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 // Package v1alpha1 contains API Schema definitions for the oathkeeper v1alpha1 API group

@@ -1,4 +1,4 @@
-// Copyright © 2022 Ory Corp
+// Copyright © 2023 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1

@@ -1,4 +1,4 @@
-// Copyright © 2022 Ory Corp
+// Copyright © 2023 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1

@@ -1,4 +1,4 @@
-// Copyright © 2022 Ory Corp
+// Copyright © 2023 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -52,6 +52,7 @@ type RuleSpec struct {
 	Authenticators []*Authenticator `json:"authenticators,omitempty"`
 	Authorizer     *Authorizer      `json:"authorizer,omitempty"`
 	Mutators       []*Mutator       `json:"mutators,omitempty"`
+	Errors         []*Error         `json:"errors,omitempty"`
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:MaxLength=253
 	// +kubebuilder:validation:Pattern=[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*
@@ -112,6 +113,11 @@ type Mutator struct {
 	*Handler `json:",inline"`
 }
 
+// Error represents a handler that is responsible for executing logic when an error happens.
+type Error struct {
+	*Handler `json:",inline"`
+}
+
 // Handler represents an Oathkeeper routine that operates on incoming requests. It is used to either validate a request (Authenticator, Authorizer) or modify it (Mutator).
 type Handler struct {
 	// Name is the name of a handler

@@ -1,4 +1,4 @@
-// Copyright © 2022 Ory Corp
+// Copyright © 2023 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -58,6 +58,14 @@ var (
           ]
         }
       }
+    ],
+    "errors": [
+      {
+        "handler": "handler1",
+        "config": {
+          "key1": "val1"
+        }
+      }
     ]
   },
   {
@@ -98,6 +106,18 @@ var (
       {
         "handler": "noop"
       }
+    ],
+    "errors": [
+      {
+        "handler": "handler2",
+        "config": {
+          "key1": [
+            "val1",
+            "val2",
+            "val3"
+          ]
+        }
+      }
     ]
   },
   {
@@ -128,6 +148,24 @@ var (
       {
         "handler": "noop"
       }
+    ],
+    "errors": [
+      {
+        "handler": "handler1",
+        "config": {
+          "key1": "val1"
+        }
+      },
+      {
+        "handler": "handler2",
+        "config": {
+          "key1": [
+            "val1",
+            "val2",
+            "val3"
+          ]
+        }
+      }
     ]
   },
   {
@@ -212,7 +250,9 @@ func TestToOathkeeperRules(t *testing.T) {
 				newBoolPtr(true),
 				[]*Authenticator{{h1}},
 				nil,
-				[]*Mutator{{h1}, {h2}})
+				[]*Mutator{{h1}, {h2}},
+				[]*Error{{h1}},
+			)
 
 			rule2 := newRule(
 				"foo2",
@@ -224,7 +264,8 @@ func TestToOathkeeperRules(t *testing.T) {
 				newBoolPtr(false),
 				[]*Authenticator{{h1}, {h2}},
 				nil,
-				nil)
+				nil,
+				[]*Error{{h2}})
 
 			rule3 := newRule(
 				"foo3",
@@ -236,7 +277,8 @@ func TestToOathkeeperRules(t *testing.T) {
 				nil,
 				nil,
 				&Authorizer{h1},
-				nil)
+				nil,
+				[]*Error{{h1}, {h2}})
 
 			rule4 := newRule(
 				"fooNoUpstream",
@@ -248,6 +290,7 @@ func TestToOathkeeperRules(t *testing.T) {
 				nil,
 				nil,
 				&Authorizer{h1},
+				nil,
 				nil)
 
 			list.Items = []Rule{*rule1, *rule2, *rule3, *rule4}
@@ -278,7 +321,7 @@ func TestToRuleJson(t *testing.T) {
 
 		{
 			"If no handlers have been specified, it should generate an ID and add default values for missing handlers",
-			newStaticRule(nil, nil, nil),
+			newStaticRule(nil, nil, nil, nil),
 			func(r *RuleJSON) {
 				assert.Equal(unauthorizedHandler, r.Authenticators[0].Handler)
 				assert.Equal(denyHandler, r.Authorizer.Handler)
@@ -287,7 +330,7 @@ func TestToRuleJson(t *testing.T) {
 		},
 		{
 			"If one handler type has been provided, it should generate an ID, rewrite the provided handler and add default values for missing handlers",
-			newStaticRule(nil, nil, []*Mutator{{testHandler}}),
+			newStaticRule(nil, nil, []*Mutator{{testHandler}}, nil),
 			func(r *RuleJSON) {
 				assert.Equal(unauthorizedHandler, r.Authenticators[0].Handler)
 				assert.Equal(denyHandler, r.Authorizer.Handler)
@@ -296,7 +339,7 @@ func TestToRuleJson(t *testing.T) {
 		},
 		{
 			"If all handler types are defined, it should generate an ID and rewrite the handlers",
-			newStaticRule([]*Authenticator{{testHandler}}, &Authorizer{testHandler}, []*Mutator{{testHandler}}),
+			newStaticRule([]*Authenticator{{testHandler}}, &Authorizer{testHandler}, []*Mutator{{testHandler}}, nil),
 			func(r *RuleJSON) {
 				assert.Equal(testHandler, r.Authenticators[0].Handler)
 				assert.Equal(testHandler, r.Authorizer.Handler)
@@ -305,13 +348,14 @@ func TestToRuleJson(t *testing.T) {
 		},
 		{
 			"if multiple authentication and/or mutation handlers have been provided, it should rewrite all of them",
-			newStaticRule([]*Authenticator{{testHandler}, {testHandler2}}, nil, []*Mutator{{testHandler}, {testHandler2}}),
+			newStaticRule([]*Authenticator{{testHandler}, {testHandler2}}, nil, []*Mutator{{testHandler}, {testHandler2}}, []*Error{{testHandler}}),
 			func(r *RuleJSON) {
 				assert.Equal(testHandler, r.Authenticators[0].Handler)
 				assert.Equal(testHandler2, r.Authenticators[1].Handler)
 				assert.Equal(testHandler, r.Mutators[0].Handler)
 				assert.Equal(testHandler2, r.Mutators[1].Handler)
 				assert.Equal(denyHandler, r.Authorizer.Handler)
+				assert.Equal(testHandler, r.Errors[0].Handler)
 			},
 		},
 	} {
@@ -351,6 +395,7 @@ func TestValidateWith(t *testing.T) {
 		newBoolPtr(true),
 		nil,
 		nil,
+		nil,
 		nil)
 
 	var validationConfig = validation.Config{
@@ -424,11 +469,11 @@ func TestFilterNotValid(t *testing.T) {
 	})
 }
 
-func newStaticRule(authenticators []*Authenticator, authorizer *Authorizer, mutators []*Mutator) *Rule {
-	return newRule("r1", "test", "", "", newStringPtr(""), nil, newBoolPtr(false), authenticators, authorizer, mutators)
+func newStaticRule(authenticators []*Authenticator, authorizer *Authorizer, mutators []*Mutator, errors []*Error) *Rule {
+	return newRule("r1", "test", "", "", newStringPtr(""), nil, newBoolPtr(false), authenticators, authorizer, mutators, errors)
 }
 
-func newRule(name, namespace, upstreamURL, matchURL string, stripURLPath, configMapName *string, preserveURLHost *bool, authenticators []*Authenticator, authorizer *Authorizer, mutators []*Mutator) *Rule {
+func newRule(name, namespace, upstreamURL, matchURL string, stripURLPath, configMapName *string, preserveURLHost *bool, authenticators []*Authenticator, authorizer *Authorizer, mutators []*Mutator, errorrs []*Error) *Rule {
 
 	spec := RuleSpec{
 		Upstream: &Upstream{
@@ -443,6 +488,7 @@ func newRule(name, namespace, upstreamURL, matchURL string, stripURLPath, config
 		Authenticators: authenticators,
 		Authorizer:     authorizer,
 		Mutators:       mutators,
+		Errors:         errorrs,
 		ConfigMapName:  configMapName,
 	}
 

@@ -86,6 +86,25 @@ spec:
                   minLength: 1
                   pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
                   type: string
+                errors:
+                  items:
+                    description:
+                      Error represents a handler that is responsible for
+                      executing logic when an error happens.
+                    properties:
+                      config:
+                        description:
+                          Config configures the handler. Configuration keys vary
+                          per handler.
+                        type: object
+                        x-kubernetes-preserve-unknown-fields: true
+                      handler:
+                        description: Name is the name of a handler
+                        type: string
+                    required:
+                      - handler
+                    type: object
+                  type: array
                 match:
                   description:
                     Match defines the URL(s) that an access rule should match.

@@ -1,4 +1,4 @@
-// Copyright © 2022 Ory Corp
+// Copyright © 2023 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package controllers

@@ -1,4 +1,4 @@
-// Copyright © 2022 Ory Corp
+// Copyright © 2023 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package controllers

@@ -1,4 +1,4 @@
-// Copyright © 2022 Ory Corp
+// Copyright © 2023 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package controllers

@@ -11,8 +11,8 @@ require (
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.10.2
 	github.com/stretchr/testify v1.6.1
-	golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	golang.org/x/crypto v0.8.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20220521103104-8f96da9f5d5e // indirect
 	k8s.io/api v0.20.2
 	k8s.io/apimachinery v0.20.2
 	k8s.io/client-go v0.20.2