From e73c2a6ee54185f0ab07a5715bb372762e63dc1b Mon Sep 17 00:00:00 2001
From: Magnus Jungsbluth
Date: Mon, 14 Aug 2023 10:51:45 +0200
Subject: [PATCH] Rename filters
Signed-off-by: Magnus Jungsbluth
---
 docs/operation/operation.md | 16 ++++++++--------
 docs/reference/filters.md | 12 ++++++------
 docs/tutorials/auth.md | 6 +++---
 filters/filters.go | 4 ++--
 .../opaauthorizerequest.go} | 16 ++++++++--------
 .../opaauthorizerequest_test.go} | 8 ++++----
 .../opaserveresponse.go} | 16 ++++++++--------
 .../opaserveresponse_test.go} | 8 ++++----
 skipper.go | 8 ++++----
 9 files changed, 47 insertions(+), 47 deletions(-)
 rename filters/openpolicyagent/{authorizewithregopolicy/authorizewithregopolicy.go => opaauthorizerequest/opaauthorizerequest.go} (85%)
 rename filters/openpolicyagent/{authorizewithregopolicy/authorizewithregopolicy_test.go => opaauthorizerequest/opaauthorizerequest_test.go} (95%)
 rename filters/openpolicyagent/{serveresponsewithregopolicy/serveresponsewithregopolicy.go => opaserveresponse/opaserveresponse.go} (77%)
 rename filters/openpolicyagent/{serveresponsewithregopolicy/serveresponsewithregopolicy_test.go => opaserveresponse/opaserveresponse_test.go} (94%)
diff --git a/docs/operation/operation.md b/docs/operation/operation.md
index a5d8a5b77c..e40feee974 100644
--- a/docs/operation/operation.md
+++ b/docs/operation/operation.md
@@ -493,17 +493,17 @@ See more details about rate limiting at [Rate limiting](../reference/filters.md# If Open Policy Agent filters are enabled, the following counters show up in the `/metrics` endpoint. The bundle-name is the first parameter of the filter so that for example increased error codes can be attributed to a specific source bundle / system. -- `skipper.authorizeWithRegoPolicy.custom.decision.allow.` -- `skipper.authorizeWithRegoPolicy.custom.decision.deny.` -- `skipper.authorizeWithRegoPolicy.custom.decision.err.` -- `skipper.serveResponseWithRegoPolicy.custom.decision.allow.` -- `skipper.serveResponseWithRegoPolicy.custom.decision.deny.` -- `skipper.serveResponseWithRegoPolicy.custom.decision.err.` +- `skipper.opaAuthorizeRequest.custom.decision.allow.` +- `skipper.opaAuthorizeRequest.custom.decision.deny.` +- `skipper.opaAuthorizeRequest.custom.decision.err.` +- `skipper.opaServeResponse.custom.decision.allow.` +- `skipper.opaServeResponse.custom.decision.deny.` +- `skipper.opaServeResponse.custom.decision.err.` The following timer metrics are exposed per used bundle-name: -- `skipper.authorizeWithRegoPolicy.custom.eval_time.` -- `skipper.serveResponseWithRegoPolicy.custom.eval_time.` +- `skipper.opaAuthorizeRequest.custom.eval_time.` +- `skipper.opaServeResponse.custom.eval_time.` ## OpenTracing diff --git a/docs/reference/filters.md b/docs/reference/filters.md index 50fdb35ef0..3ef8cfa4a8 100644 --- a/docs/reference/filters.md +++ b/docs/reference/filters.md 
@@ -1723,19 +1723,19 @@ As of now there is no negative/deny rule possible. The first matching path is ev To get started with [Open Policy Agent](https://www.openpolicyagent.org/), also have a look at the [tutorial](../tutorials/auth.md#open-policy-agent). This section is only a reference for the implemented filters. -#### authorizeWithRegoPolicy +#### opaAuthorizeRequest The canonical use case that is also implemented with [Envoy External Authorization](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter): Use the http request to evaluate if Skipper should deny the request (with customizable response) or let the request pass to the downstream service Example: ``` -authorizeWithRegoPolicy("my-app-id") +opaAuthorizeRequest("my-app-id") ``` Example (passing context): ``` -authorizeWithRegoPolicy("my-app-id", "com.mydomain.xxx.myprop: myvalue") +opaAuthorizeRequest("my-app-id", "com.mydomain.xxx.myprop: myvalue") ``` *Data Flows* @@ -1798,7 +1798,7 @@ Headers both to the upstream and the downstream service can be manipulated the s This allows both to add and remove unwanted headers in allow/deny cases. -#### serveResponseWithRegoPolicy +#### opaServeResponse Always serves the response even if the policy allows the request and can customize the response completely. Can be used to re-implement legacy authorization services by already using data in Open Policy Agent but implementing an old REST API. This can also be useful to support Single Page Applications to return the calling users' permissions. @@ -1807,12 +1807,12 @@ Always serves the response even if the policy allows the request and can customi Example: ``` -serveResponseWithRegoPolicy("my-app-id") +opaServeResponse("my-app-id") ``` Example (passing context): ``` -serveResponseWithRegoPolicy("my-app-id", "com.mydomain.xxx.myprop: myvalue") +opaServeResponse("my-app-id", "com.mydomain.xxx.myprop: myvalue") ``` *Data Flows* 
diff --git a/docs/tutorials/auth.md b/docs/tutorials/auth.md index cd00d9f05e..35fd393dfa 100644 --- a/docs/tutorials/auth.md +++ b/docs/tutorials/auth.md @@ -455,8 +455,8 @@ Generally there are two ways to pass context to a policy: This context can be passed as second argument to filters: -`authorizeWithRegoPolicy("my-app-id", "com.mycompany.myprop: myvalue")` -or `authorizeWithRegoPolicy("my-app-id", "{'com.mycompany.myprop': 'my value'}")` +`opaAuthorizeRequest("my-app-id", "com.mycompany.myprop: myvalue")` +or `opaAuthorizeRequest("my-app-id", "{'com.mycompany.myprop': 'my value'}")` The second argument is parsed as YAML, cannot be nested and values need to be strings. @@ -492,7 +492,7 @@ Start Skipper with ``` skipper -enable-open-policy-agent -open-policy-agent-config-template opaconfig.yaml \ - -inline-routes 'notfound: * -> authorizeWithRegoPolicy("") -> inlineContent("

Authorized Hello

") -> ' + -inline-routes 'notfound: * -> opaAuthorizeRequest("") -> inlineContent("

Authorized Hello

") -> ' ``` You can test the policy with diff --git a/filters/filters.go b/filters/filters.go index ffb4ed1a7c..33d89ad731 100644 --- a/filters/filters.go +++ b/filters/filters.go @@ -341,8 +341,8 @@ const ( EndpointCreatedName = "endpointCreated" ConsistentHashKeyName = "consistentHashKey" ConsistentHashBalanceFactorName = "consistentHashBalanceFactor" - AuthorizeWithRegoPolicyName = "authorizeWithRegoPolicy" - ServeResponseWithRegoPolicyName = "serveResponseWithRegoPolicy" + OpaAuthorizeRequestName = "opaAuthorizeRequest" + OpaServeResponseName = "opaServeResponse" // Undocumented filters HealthCheckName = "healthcheck" diff --git a/filters/openpolicyagent/authorizewithregopolicy/authorizewithregopolicy.go b/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest.go similarity index 85% rename from filters/openpolicyagent/authorizewithregopolicy/authorizewithregopolicy.go rename to filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest.go index 1909019cb4..b3747d5d5b 100644 --- a/filters/openpolicyagent/authorizewithregopolicy/authorizewithregopolicy.go +++ b/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest.go @@ -1,4 +1,4 @@ -package authorizewithregopolicy +package opaauthorizerequest import ( "net/http" @@ -16,7 +16,7 @@ type spec struct { opts []func(*openpolicyagent.OpenPolicyAgentInstanceConfig) error } -func NewAuthorizeWithRegoPolicySpec(registry *openpolicyagent.OpenPolicyAgentRegistry, opts ...func(*openpolicyagent.OpenPolicyAgentInstanceConfig) error) filters.Spec { +func NewOpaAuthorizeRequestSpec(registry *openpolicyagent.OpenPolicyAgentRegistry, opts ...func(*openpolicyagent.OpenPolicyAgentInstanceConfig) error) filters.Spec { return &spec{ registry: registry, opts: opts, 
@@ -24,7 +24,7 @@ func NewAuthorizeWithRegoPolicySpec(registry *openpolicyagent.OpenPolicyAgentReg } func (s *spec) Name() string { - return filters.AuthorizeWithRegoPolicyName + return filters.OpaAuthorizeRequestName } func (s *spec) CreateFilter(args []interface{}) (filters.Filter, error) { @@ -68,20 +68,20 @@ func (s *spec) CreateFilter(args []interface{}) (filters.Filter, error) { return nil, err } - return &authorizeWithRegoPolicyFilter{ + return &opaAuthorizeRequestFilter{ opa: opa, registry: s.registry, envoyContextExtensions: envoyContextExtensions, }, nil } -type authorizeWithRegoPolicyFilter struct { +type opaAuthorizeRequestFilter struct { opa *openpolicyagent.OpenPolicyAgentInstance registry *openpolicyagent.OpenPolicyAgentRegistry envoyContextExtensions map[string]string } -func (f *authorizeWithRegoPolicyFilter) Request(fc filters.FilterContext) { +func (f *opaAuthorizeRequestFilter) Request(fc filters.FilterContext) { req := fc.Request() span, ctx := f.opa.StartSpanFromFilterContext(fc) defer span.Finish() @@ -144,8 +144,8 @@ func addRequestHeaders(fc filters.FilterContext, headers http.Header) { } } -func (*authorizeWithRegoPolicyFilter) Response(filters.FilterContext) {} +func (*opaAuthorizeRequestFilter) Response(filters.FilterContext) {} -func (f *authorizeWithRegoPolicyFilter) OpenPolicyAgent() *openpolicyagent.OpenPolicyAgentInstance { +func (f *opaAuthorizeRequestFilter) OpenPolicyAgent() *openpolicyagent.OpenPolicyAgentInstance { return f.opa } diff --git a/filters/openpolicyagent/authorizewithregopolicy/authorizewithregopolicy_test.go b/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go similarity index 95% rename from filters/openpolicyagent/authorizewithregopolicy/authorizewithregopolicy_test.go rename to filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go index ea56d6e975..41c3169259 100644 --- a/filters/openpolicyagent/authorizewithregopolicy/authorizewithregopolicy_test.go 
+++ b/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go @@ -1,4 +1,4 @@ -package authorizewithregopolicy +package opaauthorizerequest import ( "fmt" @@ -218,10 +218,10 @@ func TestAuthorizeRequestFilter(t *testing.T) { }`, opaControlPlane.URL(), ti.regoQuery)) opaFactory := openpolicyagent.NewOpenPolicyAgentRegistry() - ftSpec := NewAuthorizeWithRegoPolicySpec(opaFactory, openpolicyagent.WithConfigTemplate(config)) + ftSpec := NewOpaAuthorizeRequestSpec(opaFactory, openpolicyagent.WithConfigTemplate(config)) fr.Register(ftSpec) - r := eskip.MustParse(fmt.Sprintf(`* -> authorizeWithRegoPolicy("%s", "%s") -> "%s"`, ti.bundleName, ti.contextExtensions, clientServer.URL)) + r := eskip.MustParse(fmt.Sprintf(`* -> opaAuthorizeRequest("%s", "%s") -> "%s"`, ti.bundleName, ti.contextExtensions, clientServer.URL)) proxy := proxytest.New(fr, r...) @@ -251,7 +251,7 @@ func TestAuthorizeRequestFilter(t *testing.T) { func TestCreateFilterArguments(t *testing.T) { opaRegistry := openpolicyagent.NewOpenPolicyAgentRegistry() - ftSpec := NewAuthorizeWithRegoPolicySpec(opaRegistry, openpolicyagent.WithConfigTemplate([]byte(""))) + ftSpec := NewOpaAuthorizeRequestSpec(opaRegistry, openpolicyagent.WithConfigTemplate([]byte(""))) _, err := ftSpec.CreateFilter([]interface{}{}) assert.ErrorIs(t, err, filters.ErrInvalidFilterParameters) diff --git a/filters/openpolicyagent/serveresponsewithregopolicy/serveresponsewithregopolicy.go b/filters/openpolicyagent/opaserveresponse/opaserveresponse.go similarity index 77% rename from filters/openpolicyagent/serveresponsewithregopolicy/serveresponsewithregopolicy.go rename to filters/openpolicyagent/opaserveresponse/opaserveresponse.go index c83c8ccaca..6134fa0d74 100644 --- a/filters/openpolicyagent/serveresponsewithregopolicy/serveresponsewithregopolicy.go +++ b/filters/openpolicyagent/opaserveresponse/opaserveresponse.go @@ -1,4 +1,4 @@ -package serveresponsewithregopolicy +package opaserveresponse import ( "time" 
@@ -15,7 +15,7 @@ type spec struct { opts []func(*openpolicyagent.OpenPolicyAgentInstanceConfig) error } -func NewServeResponseWithRegoPolicySpec(registry *openpolicyagent.OpenPolicyAgentRegistry, opts ...func(*openpolicyagent.OpenPolicyAgentInstanceConfig) error) filters.Spec { +func NewOpaServeResponseSpec(registry *openpolicyagent.OpenPolicyAgentRegistry, opts ...func(*openpolicyagent.OpenPolicyAgentInstanceConfig) error) filters.Spec { return &spec{ registry: registry, opts: opts, @@ -23,7 +23,7 @@ func NewServeResponseWithRegoPolicySpec(registry *openpolicyagent.OpenPolicyAgen } func (s *spec) Name() string { - return filters.ServeResponseWithRegoPolicyName + return filters.OpaServeResponseName } func (s *spec) CreateFilter(args []interface{}) (filters.Filter, error) { @@ -66,20 +66,20 @@ func (s *spec) CreateFilter(args []interface{}) (filters.Filter, error) { return nil, err } - return &serveResponseWithRegoPolicyFilter{ + return &opaServeResponseFilter{ opa: opa, registry: s.registry, envoyContextExtensions: envoyContextExtensions, }, nil } -type serveResponseWithRegoPolicyFilter struct { +type opaServeResponseFilter struct { opa *openpolicyagent.OpenPolicyAgentInstance registry *openpolicyagent.OpenPolicyAgentRegistry envoyContextExtensions map[string]string } -func (f *serveResponseWithRegoPolicyFilter) Request(fc filters.FilterContext) { +func (f *opaServeResponseFilter) Request(fc filters.FilterContext) { span, ctx := f.opa.StartSpanFromFilterContext(fc) defer span.Finish() 
@@ -97,8 +97,8 @@ func (f *serveResponseWithRegoPolicyFilter) Request(fc filters.FilterContext) { f.opa.ServeResponse(fc, span, result) } -func (f *serveResponseWithRegoPolicyFilter) Response(fc filters.FilterContext) {} +func (f *opaServeResponseFilter) Response(fc filters.FilterContext) {} -func (f *serveResponseWithRegoPolicyFilter) OpenPolicyAgent() *openpolicyagent.OpenPolicyAgentInstance { +func (f *opaServeResponseFilter) OpenPolicyAgent() *openpolicyagent.OpenPolicyAgentInstance { return f.opa } diff --git a/filters/openpolicyagent/serveresponsewithregopolicy/serveresponsewithregopolicy_test.go b/filters/openpolicyagent/opaserveresponse/opaserveresponse_test.go similarity index 94% rename from filters/openpolicyagent/serveresponsewithregopolicy/serveresponsewithregopolicy_test.go rename to filters/openpolicyagent/opaserveresponse/opaserveresponse_test.go index 98342568f4..63494faf43 100644 --- a/filters/openpolicyagent/serveresponsewithregopolicy/serveresponsewithregopolicy_test.go +++ b/filters/openpolicyagent/opaserveresponse/opaserveresponse_test.go @@ -1,4 +1,4 @@ -package serveresponsewithregopolicy +package opaserveresponse import ( "fmt" @@ -165,7 +165,7 @@ func TestAuthorizeRequestFilter(t *testing.T) { }`, opaControlPlane.URL(), ti.regoQuery)) opaFactory := openpolicyagent.NewOpenPolicyAgentRegistry() - ftSpec := NewServeResponseWithRegoPolicySpec(opaFactory, openpolicyagent.WithConfigTemplate(config)) + ftSpec := NewOpaServeResponseSpec(opaFactory, openpolicyagent.WithConfigTemplate(config)) filterArgs := []interface{}{ti.bundleName} if ti.contextExtensions != "" { 
@@ -177,7 +177,7 @@ func TestAuthorizeRequestFilter(t *testing.T) { fr.Register(ftSpec) - r := eskip.MustParse(fmt.Sprintf(`* -> serveResponseWithRegoPolicy("%s", "%s") -> "%s"`, ti.bundleName, ti.contextExtensions, clientServer.URL)) + r := eskip.MustParse(fmt.Sprintf(`* -> opaServeResponse("%s", "%s") -> "%s"`, ti.bundleName, ti.contextExtensions, clientServer.URL)) proxy := proxytest.New(fr, r...) reqURL, err := url.Parse(proxy.URL) @@ -209,7 +209,7 @@ func TestAuthorizeRequestFilter(t *testing.T) { func TestCreateFilterArguments(t *testing.T) { opaRegistry := openpolicyagent.NewOpenPolicyAgentRegistry() - ftSpec := NewServeResponseWithRegoPolicySpec(opaRegistry, openpolicyagent.WithConfigTemplate([]byte(""))) + ftSpec := NewOpaServeResponseSpec(opaRegistry, openpolicyagent.WithConfigTemplate([]byte(""))) _, err := ftSpec.CreateFilter([]interface{}{}) assert.ErrorIs(t, err, filters.ErrInvalidFilterParameters) diff --git a/skipper.go b/skipper.go index d8ccf44dec..1f4af8f91a 100644 --- a/skipper.go +++ b/skipper.go @@ -37,8 +37,8 @@ import ( "github.com/zalando/skipper/filters/fadein" logfilter "github.com/zalando/skipper/filters/log" "github.com/zalando/skipper/filters/openpolicyagent" - "github.com/zalando/skipper/filters/openpolicyagent/authorizewithregopolicy" - "github.com/zalando/skipper/filters/openpolicyagent/serveresponsewithregopolicy" + "github.com/zalando/skipper/filters/openpolicyagent/opaauthorizerequest" + "github.com/zalando/skipper/filters/openpolicyagent/opaserveresponse" ratelimitfilters "github.com/zalando/skipper/filters/ratelimit" "github.com/zalando/skipper/filters/shedder" teefilters "github.com/zalando/skipper/filters/tee" 
@@ -1773,8 +1773,8 @@ func run(o Options, sig chan os.Signal, idleConnsCH chan struct{}) error { } o.CustomFilters = append(o.CustomFilters, - authorizewithregopolicy.NewAuthorizeWithRegoPolicySpec(opaRegistry, opts...), - serveresponsewithregopolicy.NewServeResponseWithRegoPolicySpec(opaRegistry, opts...), + opaauthorizerequest.NewOpaAuthorizeRequestSpec(opaRegistry, opts...), + opaserveresponse.NewOpaServeResponseSpec(opaRegistry, opts...), ) }
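Review bot: Only the new names are registered in the `o.CustomFilters = append(...)` call here, and the filters/filters.go hunk replaces the old constants outright, so a route that still says `authorizeWithRegoPolicy("…")` or `serveResponseWithRegoPolicy("…")` no longer resolves to a filter after the upgrade. For an authorization filter that deserves an explicit decision: how such a route is handled is not visible in this patch, but if it is rejected at load time, traffic could presumably fall through to a broader route that carries no policy check. Either keep the old names as deprecated aliases for a release (for example retain `AuthorizeWithRegoPolicyName = "authorizeWithRegoPolicy"` marked `// Deprecated: use OpaAuthorizeRequestName` and register a spec under it), or call out the break in the commit message, which currently says only "Rename filters". The metric keys listed in docs/operation/operation.md change prefix as well, so alerts on the old `decision.deny` and `decision.err` counters would need updating in the same rollout. `run` starts and ends outside this hunk.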