From 2b09ca81319dda001eb332403b617bebd1c06232 Mon Sep 17 00:00:00 2001 From: dd di cesare Date: Fri, 22 Sep 2023 11:38:12 +0200 Subject: [PATCH 1/6] [feat] Well-known attributes * Built from envoy auth v3 context --- pkg/service/well_known_attributes.go | 180 ++++++++++++++++++++++ pkg/service/well_known_attributes_test.go | 43 ++++++ 2 files changed, 223 insertions(+) create mode 100644 pkg/service/well_known_attributes.go create mode 100644 pkg/service/well_known_attributes_test.go diff --git a/pkg/service/well_known_attributes.go b/pkg/service/well_known_attributes.go new file mode 100644 index 00000000..a0f2c955 --- /dev/null +++ b/pkg/service/well_known_attributes.go 
@@ -0,0 +1,180 @@ +/* +Copyright 2023 Red Hat, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package service + +import ( + envoycore "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + envoyauth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + "github.com/golang/protobuf/ptypes/timestamp" + "net/url" +) + +type WellKnownAttributes struct { + // Dynamic request metadata + Metadata *envoycore.Metadata `json:"metadata,omitempty"` + // Request attributes + Request *RequestAttributes `json:"request,omitempty"` + // Source attributes + Source *SourceAttributes `json:"source,omitempty"` + // Destination attributes + Destination *DestinationAttributes `json:"destination,omitempty"` +} + +type RequestAttributes struct { + // Request ID corresponding to x-request-id header value + Id string `json:"id,omitempty"` + // Time of the first byte received + Time *timestamp.Timestamp `json:"time,omitempty"` + // Request protocol (“HTTP/1.0”, “HTTP/1.1”, “HTTP/2”, or “HTTP/3”) + Protocol string `json:"protocol,omitempty"` + // The scheme portion of the URL e.g. “http” + Scheme string `json:"scheme,omitempty"` + // The host portion of the URL e.g. “example.com” + Host string `json:"host,omitempty"` + // Request method e.g. “GET” + Method string `json:"method,omitempty"` + // The path portion of the URL e.g. “/foo?bar=baz” + Path string `json:"path,omitempty"` + // The path portion of the URL without the query string e.g. 
“/foo” + URLPath string `json:"url_path,omitempty"` + // The query portion of the URL in the format of “name1=value1&name2=value2” + Query string `json:"query,omitempty"` + // All request headers indexed by the lower-cased header name e.g. “accept-encoding”: “gzip” + Headers map[string]string `json:"headers,omitempty"` + // Referer request header e.g. “https://www.kuadrant.io/” + Referer string `json:"referer,omitempty"` + // User agent request header e.g. “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/…” + UserAgent string `json:"user_agent,omitempty"` + // The HTTP request size in bytes. If unknown, it must be -1 e.g. 1234 + Size int64 `json:"size,omitempty"` + // The HTTP request body. (Disabled by default. Requires additional proxy configuration to enabled it.) e.g. “…” + Body string `json:"body,omitempty"` + // The HTTP request body in bytes. This is sometimes used instead of body depending on the proxy configuration. e.g. 1234 + RawBody []byte `json:"raw_body,omitempty"` + // This is analogous to request.headers, however these contents are not sent to the upstream server. It provides an + // extension mechanism for sending additional information to the auth service without modifying the proto definition. + // It maps to the internal opaque context in the proxy filter chain. (Requires additional configuration in the proxy.) + ContextExtensions map[string]string `json:"context_extensions,omitempty"` +} + +type SourceAttributes struct { + // Downstream connection remote address + Address string `json:"address,omitempty"` + // Downstream connection remote port e.g. 8080 + Port int32 `json:"port,omitempty"` + // The canonical service name of the peer e.g. “foo.default.svc.cluster.local” + Service string `json:"service,omitempty"` + // The labels associated with the peer. These could be pod labels for Kubernetes or tags for VMs. The source of the + // labels could be an X.509 certificate or other configuration. 
+ Labels map[string]string `json:"labels,omitempty"` + // The authenticated identity of this peer. If an X.509 certificate is used to assert the identity in the proxy, this + // field is sourced from "URI Subject Alternative Names", "DNS Subject Alternate Names" or "Subject" in that order. + // The format is issuer specific – e.g. SPIFFE format is spiffe://trust-domain/path, Google account format is https://accounts.google.com/{userid}. + Principal string `json:"principal,omitempty"` + // The X.509 certificate used to authenticate the identity of this peer. When present, the certificate contents are encoded in URL and PEM format. + Certificate string `json:"certificate,omitempty"` +} + +type DestinationAttributes struct { + // Downstream connection local address + Address string `json:"address,omitempty"` + // Downstream connection local port e.g. 9090 + Port int32 `json:"port,omitempty"` + // The canonical service name of the peer e.g. “foo.default.svc.cluster.local” + Service string `json:"service,omitempty"` + // The labels associated with the peer. These could be pod labels for Kubernetes or tags for VMs. The source of the + // labels could be an X.509 certificate or other configuration. + Labels map[string]string `json:"labels,omitempty"` + // The authenticated identity of this peer. If an X.509 certificate is used to assert the identity in the proxy, this + // field is sourced from "URI Subject Alternative Names", "DNS Subject Alternate Names" or "Subject" in that order. + // The format is issuer specific – e.g. SPIFFE format is spiffe://trust-domain/path, Google account format is https://accounts.google.com/{userid}. + Principal string `json:"principal,omitempty"` + // The X.509 certificate used to authenticate the identity of this peer. When present, the certificate contents are encoded in URL and PEM format. 
+ Certificate string `json:"certificate,omitempty"` +} + +type AuthAttributes struct { + // Single resolved identity object, post-identity verification + Identity any `json:"identity,omitempty"` + // External metadata fetched + Metadata map[string]any `json:"metadata,omitempty"` + // Authorization results resolved by each authorization rule, access granted only + Authorization map[string]any `json:"authorization,omitempty"` + // Response objects exported by the auth service post-access granted + Response map[string]any `json:"response,omitempty"` + // Response objects returned by the callback requests issued by the auth service + Callbacks map[string]any `json:"callbacks,omitempty"` +} + +// NewWellKnownAttributes creates a new WellKnownAttributes object from an envoyauth.AttributeContext +func NewWellKnownAttributes(attributes *envoyauth.AttributeContext) *WellKnownAttributes { + return &WellKnownAttributes{ + Metadata: attributes.MetadataContext, + Request: newRequestAttributes(attributes), + Source: newSourceAttributes(attributes), + Destination: newDestinationAttributes(attributes), + } +} + +func newRequestAttributes(attributes *envoyauth.AttributeContext) *RequestAttributes { + request := attributes.GetRequest() + httpRequest := request.GetHttp() + urlParsed, _ := url.Parse(httpRequest.Path) + headers := httpRequest.GetHeaders() + return &RequestAttributes{ + Id: httpRequest.Id, + Time: request.Time, + Protocol: httpRequest.Protocol, + Scheme: httpRequest.GetScheme(), + Host: httpRequest.GetHost(), + Method: httpRequest.GetMethod(), + Path: httpRequest.GetPath(), + URLPath: urlParsed.Path, + Query: urlParsed.RawQuery, + Headers: headers, + Referer: headers["referer"], + UserAgent: headers["user-agent"], + Size: httpRequest.GetSize(), + Body: httpRequest.GetBody(), + RawBody: httpRequest.GetRawBody(), + ContextExtensions: attributes.GetContextExtensions(), + } +} + +func newSourceAttributes(attributes *envoyauth.AttributeContext) *SourceAttributes { + source 
:= attributes.Source + socketAddress := source.GetAddress().GetSocketAddress() + return &SourceAttributes{ + Address: socketAddress.GetAddress(), + Port: int32(socketAddress.GetPortValue()), + Service: source.GetService(), + Labels: source.GetLabels(), + Principal: source.GetPrincipal(), + } +} + +func newDestinationAttributes(attributes *envoyauth.AttributeContext) *DestinationAttributes { + destination := attributes.Destination + socketAddress := destination.GetAddress().GetSocketAddress() + return &DestinationAttributes{ + Address: socketAddress.GetAddress(), + Port: int32(socketAddress.GetPortValue()), + Service: destination.GetService(), + Labels: destination.GetLabels(), + Principal: destination.GetPrincipal(), + } +} diff --git a/pkg/service/well_known_attributes_test.go b/pkg/service/well_known_attributes_test.go new file mode 100644 index 00000000..71e9f14b --- /dev/null +++ b/pkg/service/well_known_attributes_test.go 
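Review bot: `newRequestAttributes` discards the error from `url.Parse(httpRequest.Path)` and then reads `urlParsed.Path` and `urlParsed.RawQuery`; `url.Parse` returns a nil `*url.URL` on failure, so a request path that does not parse panics inside the authorization check. The same function reads `httpRequest.Path`, `httpRequest.Id`, `httpRequest.Protocol` and `request.Time` as plain fields next to nil-safe getters, so a check request without `request.http` panics too; `attributes.MetadataContext`, `attributes.Source` and `attributes.Destination` in the other constructors have the same problem when `attributes` is nil. The path originates from the downstream request, so this is an availability concern for the auth service, and how the proxy behaves when the auth call fails is outside this diff. The sketch below uses the generated getters and falls back to the raw path, so rules matching on `url_path` still see a value; rejecting the request would be stricter but needs an error return.

```go
func newRequestAttributes(attributes *envoyauth.AttributeContext) *RequestAttributes {
	request := attributes.GetRequest()
	httpRequest := request.GetHttp()
	// url.Parse returns a nil *url.URL on error; keep the raw path so url_path is never silently empty.
	urlParsed, err := url.Parse(httpRequest.GetPath())
	if err != nil {
		urlParsed = &url.URL{Path: httpRequest.GetPath()}
	}
	headers := httpRequest.GetHeaders()
	return &RequestAttributes{
		Id:       httpRequest.GetId(),
		Time:     request.GetTime(),
		Protocol: httpRequest.GetProtocol(),
		// … unchanged: Scheme through ContextExtensions …
	}
}
```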
@@ -0,0 +1,43 @@ +package service + +import ( + "testing" + + envoycore "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + envoyauth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + "github.com/golang/protobuf/ptypes/timestamp" + "github.com/stretchr/testify/assert" +) + +func TestNewWellKnownAttributes(t *testing.T) { + envoyAttrs := &envoyauth.AttributeContext{ + MetadataContext: &envoycore.Metadata{}, + Request: &envoyauth.AttributeContext_Request{ + Http: &envoyauth.AttributeContext_HttpRequest{ + Headers: map[string]string{ + "referer": "www.kuadrant.io", + "user-agent": "best browser ever", + }, + Path: "/force", + Protocol: "HTTP/2.1", + Method: "GET", + }, + Time: ×tamp.Timestamp{}, + }, + Source: &envoyauth.AttributeContext_Peer{ + Service: "svc.rebels.local", + }, + Destination: &envoyauth.AttributeContext_Peer{ + Service: "svc.rogue-1.local", + Labels: map[string]string{"squad": "rogue"}, + }, + } + + wellKnownAttributes := NewWellKnownAttributes(envoyAttrs) + + assert.Equal(t, wellKnownAttributes.Request.Path, "/force") + assert.Equal(t, wellKnownAttributes.Request.Referer, "www.kuadrant.io") + assert.Equal(t, wellKnownAttributes.Request.UserAgent, "best browser ever") + assert.Equal(t, wellKnownAttributes.Source.Service, "svc.rebels.local") + assert.Equal(t, wellKnownAttributes.Destination.Labels, map[string]string{"squad": "rogue"}) +} From d758e6c64d46927201d42b544e65044cc15bb249 Mon Sep 17 00:00:00 2001 From: dd di cesare Date: Thu, 28 Sep 2023 13:05:23 +0200 Subject: [PATCH 2/6] [feat] Including WellKnownAttributes in authorizationJson --- pkg/service/auth_pipeline.go | 10 ++++++---- pkg/service/auth_pipeline_test.go | 3 ++- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/pkg/service/auth_pipeline.go b/pkg/service/auth_pipeline.go index a4822bcf..e40b4cc8 100644 --- a/pkg/service/auth_pipeline.go +++ b/pkg/service/auth_pipeline.go 
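Review bot: `TestNewWellKnownAttributes` only exercises a fully populated `AttributeContext`, so the constructors' behaviour on a sparse check request is untested. A case with no `Request` at all would pin the nil handling, for example `assert.NotPanics(t, func() { NewWellKnownAttributes(&envoyauth.AttributeContext{}) })`, and a second case with a `Path` that `url.Parse` rejects would cover the discarded parse error. Neither `URLPath` nor `Query` is asserted, although they are the only fields derived rather than copied.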
@@ -533,8 +533,9 @@ func (pipeline *AuthPipeline) GetResolvedIdentity() (interface{}, interface{}) { } type authorizationJSON struct { - Context *envoy_auth.AttributeContext `json:"context"` - AuthData map[string]interface{} `json:"auth"` + Context *envoy_auth.AttributeContext `json:"context"` + AuthData map[string]interface{} `json:"auth"` + *WellKnownAttributes `json:""` } func (pipeline *AuthPipeline) GetAuthorizationJSON() string { @@ -574,8 +575,9 @@ func (pipeline *AuthPipeline) GetAuthorizationJSON() string { } authJSON, _ := gojson.Marshal(&authorizationJSON{ - Context: pipeline.GetRequest().Attributes, - AuthData: authData, + Context: pipeline.GetRequest().Attributes, + AuthData: authData, + WellKnownAttributes: NewWellKnownAttributes(pipeline.GetRequest().Attributes), }) return string(authJSON) diff --git a/pkg/service/auth_pipeline_test.go b/pkg/service/auth_pipeline_test.go index 18cd3a0c..686d0baa 100644 --- a/pkg/service/auth_pipeline_test.go +++ b/pkg/service/auth_pipeline_test.go @@ -316,7 +316,8 @@ func TestAuthPipelineGetAuthorizationJSON(t *testing.T) { }, &requestMock) requestJSON, _ := gojson.Marshal(requestMock.GetAttributes()) - expectedJSON := fmt.Sprintf(`{"context":%s,"auth":{"authorization":{},"identity":null,"metadata":{},"response":{}}}`, requestJSON) + expectedWellKnownAttributes := `"request":{"host":"my-api","method":"GET","path":"/operation","url_path":"/operation","headers":{"authorization":"Bearer n3ex87bye9238ry8"}},"source":{"address":"\u003cnil\u003e"},"destination":{"address":"\u003cnil\u003e"}` + expectedJSON := fmt.Sprintf(`{"context":%s,"auth":{"authorization":{},"identity":null,"metadata":{},"response":{}},%s}`, requestJSON, expectedWellKnownAttributes) assert.Equal(t, pipeline.GetAuthorizationJSON(), expectedJSON) } From 80fa4fa93cecec818393376eab498ec28c696690 Mon Sep 17 00:00:00 2001 
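Review bot: The embedded `*WellKnownAttributes` in `authorizationJSON` promotes `metadata`, `request`, `source` and `destination` to top-level keys of the authorization JSON, and nothing on the struct says so; the `json:""` tag has no effect on an embedded field and reads as if it did. As the expected JSON in the test hunk shows, the request headers, including the `authorization` bearer value, are now serialised a second time under `request.headers` in addition to `context.request.http.headers`. Where this JSON ends up is outside the diff, so any redaction or logging filter keyed on the `context` path should be checked against the new path. Suggested comment on the struct: `// authorizationJSON is the document policies are evaluated against; WellKnownAttributes is embedded so its fields appear as top-level keys. It carries raw request headers and must not be logged.`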
From: dd di cesare Date: Thu, 28 Sep 2023 16:45:40 +0200 Subject: [PATCH 3/6] [refactor] Including Auth within WellKnownAttributes --- pkg/service/auth_pipeline.go | 4 +--- pkg/service/auth_pipeline_test.go | 4 ++-- pkg/service/well_known_attributes.go | 24 +++++++++++++++++++++-- pkg/service/well_known_attributes_test.go | 23 ++++++++++++++++------ 4 files changed, 42 insertions(+), 13 deletions(-) diff --git a/pkg/service/auth_pipeline.go b/pkg/service/auth_pipeline.go index e40b4cc8..b2bb0bee 100644 --- a/pkg/service/auth_pipeline.go +++ b/pkg/service/auth_pipeline.go @@ -534,7 +534,6 @@ func (pipeline *AuthPipeline) GetResolvedIdentity() (interface{}, interface{}) { type authorizationJSON struct { Context *envoy_auth.AttributeContext `json:"context"` - AuthData map[string]interface{} `json:"auth"` *WellKnownAttributes `json:""` } @@ -576,8 +575,7 @@ func (pipeline *AuthPipeline) GetAuthorizationJSON() string { authJSON, _ := gojson.Marshal(&authorizationJSON{ Context: pipeline.GetRequest().Attributes, - AuthData: authData, - WellKnownAttributes: NewWellKnownAttributes(pipeline.GetRequest().Attributes), + WellKnownAttributes: NewWellKnownAttributes(pipeline.GetRequest().Attributes, authData), }) return string(authJSON) diff --git a/pkg/service/auth_pipeline_test.go b/pkg/service/auth_pipeline_test.go index 686d0baa..d90aef27 100644 --- a/pkg/service/auth_pipeline_test.go +++ b/pkg/service/auth_pipeline_test.go 
@@ -316,8 +316,8 @@ func TestAuthPipelineGetAuthorizationJSON(t *testing.T) { }, &requestMock) requestJSON, _ := gojson.Marshal(requestMock.GetAttributes()) - expectedWellKnownAttributes := `"request":{"host":"my-api","method":"GET","path":"/operation","url_path":"/operation","headers":{"authorization":"Bearer n3ex87bye9238ry8"}},"source":{"address":"\u003cnil\u003e"},"destination":{"address":"\u003cnil\u003e"}` - expectedJSON := fmt.Sprintf(`{"context":%s,"auth":{"authorization":{},"identity":null,"metadata":{},"response":{}},%s}`, requestJSON, expectedWellKnownAttributes) + expectedWellKnownAttributes := `"request":{"host":"my-api","method":"GET","path":"/operation","url_path":"/operation","headers":{"authorization":"Bearer n3ex87bye9238ry8"}},"source":{"address":"\u003cnil\u003e"},"destination":{"address":"\u003cnil\u003e"},"auth":{}` + expectedJSON := fmt.Sprintf(`{"context":%s,%s}`, requestJSON, expectedWellKnownAttributes) assert.Equal(t, pipeline.GetAuthorizationJSON(), expectedJSON) } diff --git a/pkg/service/well_known_attributes.go b/pkg/service/well_known_attributes.go index a0f2c955..2c2d3fbc 100644 --- a/pkg/service/well_known_attributes.go +++ b/pkg/service/well_known_attributes.go @@ -17,10 +17,13 @@ limitations under the License. package service import ( + "net/url" + "reflect" + "strings" + envoycore "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" envoyauth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" "github.com/golang/protobuf/ptypes/timestamp" - "net/url" ) type WellKnownAttributes struct { @@ -32,6 +35,8 @@ type WellKnownAttributes struct { Source *SourceAttributes `json:"source,omitempty"` // Destination attributes Destination *DestinationAttributes `json:"destination,omitempty"` + // Auth attributes + Auth *AuthAttributes `json:"auth,omitempty"` } type RequestAttributes struct { 
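Review bot: The expected JSON pinned in `TestAuthPipelineGetAuthorizationJSON` shows the `auth` object shrinking from `{"authorization":{},"identity":null,"metadata":{},"response":{}}` to `{}`, because every `AuthAttributes` field is tagged `omitempty`. Policies or templates that select `auth.identity` or `auth.metadata` now meet a missing key where they used to meet `null` or `{}`; whether the evaluators treat those cases the same is not visible in this diff. If the old shape is part of the contract, drop `omitempty` from the `AuthAttributes` tags (for example `json:"identity"`); otherwise the commit message should call the change out, since it is labelled a refactor.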
@@ -121,12 +126,13 @@ type AuthAttributes struct { } // NewWellKnownAttributes creates a new WellKnownAttributes object from an envoyauth.AttributeContext -func NewWellKnownAttributes(attributes *envoyauth.AttributeContext) *WellKnownAttributes { +func NewWellKnownAttributes(attributes *envoyauth.AttributeContext, authData map[string]any) *WellKnownAttributes { return &WellKnownAttributes{ Metadata: attributes.MetadataContext, Request: newRequestAttributes(attributes), Source: newSourceAttributes(attributes), Destination: newDestinationAttributes(attributes), + Auth: newAuthAttributes(authData), } } @@ -178,3 +184,17 @@ func newDestinationAttributes(attributes *envoyauth.AttributeContext) *Destinati Principal: destination.GetPrincipal(), } } + +func newAuthAttributes(authData map[string]interface{}) *AuthAttributes { + authAttributes := &AuthAttributes{} + authAttributesValue := reflect.ValueOf(authAttributes).Elem() + for key, value := range authData { + fieldValue := authAttributesValue.FieldByName(strings.ToUpper(key[:1]) + key[1:]) + if fieldValue.IsValid() && fieldValue.CanSet() { + if value != nil { + fieldValue.Set(reflect.ValueOf(value)) + } + } + } + return authAttributes +} diff --git a/pkg/service/well_known_attributes_test.go b/pkg/service/well_known_attributes_test.go index 71e9f14b..96b67952 100644 --- a/pkg/service/well_known_attributes_test.go +++ b/pkg/service/well_known_attributes_test.go 
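Review bot: `newAuthAttributes` can panic on its input: `key[:1]` fails on an empty key, and `fieldValue.Set(reflect.ValueOf(value))` panics when a value's type is not assignable to the target field, which for `metadata`, `authorization`, `response` and `callbacks` means anything other than `map[string]any`. The field set is fixed at five names, so reflection is not needed; the sketch below reads the five keys directly with checked assertions. A mistyped value is then left nil instead of crashing the check; if that should be an error rather than a silent drop, the function needs an error return, which also changes `NewWellKnownAttributes` in the previous hunk. A one-line comment stating that unknown keys are ignored would help either way.

```go
func newAuthAttributes(authData map[string]interface{}) *AuthAttributes {
	authAttributes := &AuthAttributes{Identity: authData["identity"]}
	// Checked assertions: a value of an unexpected type leaves the field nil instead of panicking in reflect.Set.
	authAttributes.Metadata, _ = authData["metadata"].(map[string]any)
	authAttributes.Authorization, _ = authData["authorization"].(map[string]any)
	authAttributes.Response, _ = authData["response"].(map[string]any)
	authAttributes.Callbacks, _ = authData["callbacks"].(map[string]any)
	return authAttributes
}
```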
@@ -32,12 +32,23 @@ func TestNewWellKnownAttributes(t *testing.T) { Labels: map[string]string{"squad": "rogue"}, }, } + authData := map[string]interface{}{ + "identity": map[string]any{"user": "luke", "group": "rebels"}, + "metadata": map[string]any{"squad": "rogue"}, + "authorization": map[string]any{"group": "rebels"}, + "response": map[string]any{"status": 200}, + } - wellKnownAttributes := NewWellKnownAttributes(envoyAttrs) + wellKnownAttributes := NewWellKnownAttributes(envoyAttrs, authData) - assert.Equal(t, wellKnownAttributes.Request.Path, "/force") - assert.Equal(t, wellKnownAttributes.Request.Referer, "www.kuadrant.io") - assert.Equal(t, wellKnownAttributes.Request.UserAgent, "best browser ever") - assert.Equal(t, wellKnownAttributes.Source.Service, "svc.rebels.local") - assert.Equal(t, wellKnownAttributes.Destination.Labels, map[string]string{"squad": "rogue"}) + assert.Equal(t, "/force", wellKnownAttributes.Request.Path) + assert.Equal(t, "www.kuadrant.io", wellKnownAttributes.Request.Referer) + assert.Equal(t, "best browser ever", wellKnownAttributes.Request.UserAgent) + assert.Equal(t, "svc.rebels.local", wellKnownAttributes.Source.Service) + assert.Equal(t, map[string]string{"squad": "rogue"}, wellKnownAttributes.Destination.Labels) + assert.Equal(t, map[string]any{"user": "luke", "group": "rebels"}, wellKnownAttributes.Auth.Identity) + assert.Equal(t, map[string]any{"squad": "rogue"}, wellKnownAttributes.Auth.Metadata) + assert.Equal(t, map[string]any{"group": "rebels"}, wellKnownAttributes.Auth.Authorization) + assert.Equal(t, map[string]any{"status": 200}, wellKnownAttributes.Auth.Response) + assert.Nil(t, wellKnownAttributes.Auth.Callbacks) } From fed57d0808edd03afef0396608ac0865833dde0b Mon Sep 17 00:00:00 2001 
From: dd di cesare Date: Mon, 2 Oct 2023 17:49:07 +0200 Subject: [PATCH 4/6] =?UTF-8?q?[deprecated]=C2=A0Marking=20deprecated=20Co?= =?UTF-8?q?ntext?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pkg/service/auth_pipeline.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/service/auth_pipeline.go b/pkg/service/auth_pipeline.go index b2bb0bee..6ed8e99f 100644 --- a/pkg/service/auth_pipeline.go +++ b/pkg/service/auth_pipeline.go @@ -533,6 +533,7 @@ func (pipeline *AuthPipeline) GetResolvedIdentity() (interface{}, interface{}) { } type authorizationJSON struct { + // Deprecated: Use WellKnownAttributes instead. Context *envoy_auth.AttributeContext `json:"context"` *WellKnownAttributes `json:""` } From 30e4743dd3ae66b5195319aa15d1030beda7135a Mon Sep 17 00:00:00 2001 From: dd di cesare Date: Mon, 2 Oct 2023 19:01:28 +0200 Subject: [PATCH 5/6] =?UTF-8?q?[refactor]=C2=A0Adding=20`NewAuthorizationJ?= =?UTF-8?q?SON`=20func?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pkg/service/auth_pipeline.go | 15 +++++++++------ pkg/service/auth_pipeline_test.go | 15 +++++++++++++++ 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/pkg/service/auth_pipeline.go b/pkg/service/auth_pipeline.go index 6ed8e99f..c57c472c 100644 --- a/pkg/service/auth_pipeline.go +++ b/pkg/service/auth_pipeline.go @@ -574,12 +574,7 @@ func (pipeline *AuthPipeline) GetAuthorizationJSON() string { authData["callbacks"] = callbacks } - authJSON, _ := gojson.Marshal(&authorizationJSON{ - Context: pipeline.GetRequest().Attributes, - WellKnownAttributes: NewWellKnownAttributes(pipeline.GetRequest().Attributes, authData), - }) - - return string(authJSON) + return NewAuthorizationJSON(pipeline.GetRequest(), authData) } func (pipeline *AuthPipeline) customizeDenyWith(authResult auth.AuthResult, denyWith *evaluators.DenyWithValues) auth.AuthResult { 
@@ -610,3 +605,11 @@ func (pipeline *AuthPipeline) customizeDenyWith(authResult auth.AuthResult, deny return authResult } + +func NewAuthorizationJSON(request *envoy_auth.CheckRequest, authPipeline map[string]any) string { + authJSON, _ := gojson.Marshal(&authorizationJSON{ + Context: request.Attributes, + WellKnownAttributes: NewWellKnownAttributes(request.Attributes, authPipeline), + }) + return string(authJSON) +} diff --git a/pkg/service/auth_pipeline_test.go b/pkg/service/auth_pipeline_test.go index d90aef27..bf32436f 100644 --- a/pkg/service/auth_pipeline_test.go +++ b/pkg/service/auth_pipeline_test.go @@ -577,3 +577,18 @@ func BenchmarkAuthPipeline(b *testing.B) { assert.DeepEqual(b, r.Message, "") assert.DeepEqual(b, r.Code, rpc.OK) } + +func TestNewAuthorizationJSON(t *testing.T) { + request := &envoy_auth.CheckRequest{} + _ = gojson.Unmarshal([]byte(rawRequest), &request) + + authPipeline := map[string]any{ + "identity": "leeloo", + "authorization": map[string]any{ + "credential": "multipass", + }, + } + expectedAuthJSON := `{"context":{"request":{"http":{"method":"GET","headers":{"authorization":"Bearer n3ex87bye9238ry8"},"path":"/operation","host":"my-api"}}},"request":{"host":"my-api","method":"GET","path":"/operation","url_path":"/operation","headers":{"authorization":"Bearer n3ex87bye9238ry8"}},"source":{"address":"\u003cnil\u003e"},"destination":{"address":"\u003cnil\u003e"},"auth":{"identity":"leeloo","authorization":{"credential":"multipass"}}}` + + assert.Equal(t, expectedAuthJSON, NewAuthorizationJSON(request, authPipeline)) +} From 18c9da2d1fb6683698b1ea94014d607d4fb777dd Mon Sep 17 00:00:00 2001 From: dd di cesare Date: Mon, 9 Oct 2023 11:13:34 +0200 Subject: [PATCH 6/6] [test] Fixing tests --- pkg/service/auth_pipeline_test.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/service/auth_pipeline_test.go b/pkg/service/auth_pipeline_test.go index bf32436f..60ff2446 100644 --- a/pkg/service/auth_pipeline_test.go 
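Review bot: `NewAuthorizationJSON` is exported without a doc comment and drops the `gojson.Marshal` error, so a failed marshal hands callers an empty string as the authorization JSON with no signal that anything went wrong. It also reads `request.Attributes` as a field; `request.GetAttributes()` is nil-safe for a nil `*CheckRequest`, although `NewWellKnownAttributes` would still need to tolerate nil attributes. The second parameter carries the auth data map, so `authData` would match the name used by `NewWellKnownAttributes` better than `authPipeline`. Suggested comment: `// NewAuthorizationJSON serialises the check request attributes and the auth data into the authorization JSON; it returns an empty string if marshalling fails.`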
+++ b/pkg/service/auth_pipeline_test.go @@ -316,9 +316,10 @@ func TestAuthPipelineGetAuthorizationJSON(t *testing.T) { }, &requestMock) requestJSON, _ := gojson.Marshal(requestMock.GetAttributes()) - expectedWellKnownAttributes := `"request":{"host":"my-api","method":"GET","path":"/operation","url_path":"/operation","headers":{"authorization":"Bearer n3ex87bye9238ry8"}},"source":{"address":"\u003cnil\u003e"},"destination":{"address":"\u003cnil\u003e"},"auth":{}` + expectedWellKnownAttributes := `"request":{"host":"my-api","method":"GET","path":"/operation","url_path":"/operation","headers":{"authorization":"Bearer n3ex87bye9238ry8"}},"source":{},"destination":{},"auth":{}` expectedJSON := fmt.Sprintf(`{"context":%s,%s}`, requestJSON, expectedWellKnownAttributes) - assert.Equal(t, pipeline.GetAuthorizationJSON(), expectedJSON) + + assert.Equal(t, expectedJSON, pipeline.GetAuthorizationJSON()) } func TestEvaluateWithCustomDenyOptions(t *testing.T) { 
@@ -588,7 +589,7 @@ func TestNewAuthorizationJSON(t *testing.T) { "credential": "multipass", }, } - expectedAuthJSON := `{"context":{"request":{"http":{"method":"GET","headers":{"authorization":"Bearer n3ex87bye9238ry8"},"path":"/operation","host":"my-api"}}},"request":{"host":"my-api","method":"GET","path":"/operation","url_path":"/operation","headers":{"authorization":"Bearer n3ex87bye9238ry8"}},"source":{"address":"\u003cnil\u003e"},"destination":{"address":"\u003cnil\u003e"},"auth":{"identity":"leeloo","authorization":{"credential":"multipass"}}}` + expectedAuthJSON := `{"context":{"request":{"http":{"method":"GET","headers":{"authorization":"Bearer n3ex87bye9238ry8"},"path":"/operation","host":"my-api"}}},"request":{"host":"my-api","method":"GET","path":"/operation","url_path":"/operation","headers":{"authorization":"Bearer n3ex87bye9238ry8"}},"source":{},"destination":{},"auth":{"identity":"leeloo","authorization":{"credential":"multipass"}}}` assert.Equal(t, expectedAuthJSON, NewAuthorizationJSON(request, authPipeline)) }