Skip to content

Commit

Permalink
Add CEL to limit adding the of overrides on AuthPolicies attached to …
Browse files Browse the repository at this point in the history
…HTTPRoutes
  • Loading branch information
Boomatang committed Apr 16, 2024
1 parent 2e58860 commit 17378e0
Show file tree
Hide file tree
Showing 5 changed files with 20 additions and 1 deletion.
1 change: 1 addition & 0 deletions api/v1beta2/authpolicy_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,7 @@ type CallbackSpec struct {
// +kubebuilder:validation:XValidation:rule="!(has(self.defaults) && (has(self.routeSelectors) || has(self.patterns) || has(self.when) || has(self.rules)))",message="Implicit and explicit defaults are mutually exclusive"
// +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && (has(self.routeSelectors) || has(self.patterns) || has(self.when) || has(self.rules)))",message="Implicit defaults and explicit overrides are mutually exclusive"
// +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && has(self.defaults))",message="Explicit overrides and explicit defaults are mutually exclusive"
// +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && self.targetRef.kind == 'HTTPRoute')",message="Overrides are not allowed for policies targeting a HTTPRoute resource"
type AuthPolicySpec struct {
// TargetRef identifies an API object to apply policy to.
// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ metadata:
capabilities: Basic Install
categories: Integration & Delivery
containerImage: quay.io/kuadrant/kuadrant-operator:latest
createdAt: "2024-04-10T13:13:33Z"
createdAt: "2024-04-15T13:13:02Z"
operators.operatorframework.io/builder: operator-sdk-v1.32.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
repository: https://github.com/Kuadrant/kuadrant-operator
Expand Down
3 changes: 3 additions & 0 deletions bundle/manifests/kuadrant.io_authpolicies.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13076,6 +13076,9 @@ spec:
|| has(self.when) || has(self.rules)))'
- message: Explicit overrides and explicit defaults are mutually exclusive
rule: '!(has(self.overrides) && has(self.defaults))'
- message: Overrides are not allowed for policies targeting a HTTPRoute
resource
rule: '!(has(self.overrides) && self.targetRef.kind == ''HTTPRoute'')'
status:
properties:
conditions:
Expand Down
3 changes: 3 additions & 0 deletions config/crd/bases/kuadrant.io_authpolicies.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13075,6 +13075,9 @@ spec:
|| has(self.when) || has(self.rules)))'
- message: Explicit overrides and explicit defaults are mutually exclusive
rule: '!(has(self.overrides) && has(self.defaults))'
- message: Overrides are not allowed for policies targeting a HTTPRoute
resource
rule: '!(has(self.overrides) && self.targetRef.kind == ''HTTPRoute'')'
status:
properties:
conditions:
Expand Down
12 changes: 12 additions & 0 deletions controllers/authpolicy_controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1474,6 +1474,18 @@ var _ = Describe("AuthPolicy controller", func() {
Eventually(isAuthPolicyEnforced(gatewayPolicy), 30*time.Second, 5*time.Second).Should(BeFalse())
Eventually(isAuthPolicyEnforced(routePolicy), 30*time.Second, 5*time.Second).Should(BeTrue())
})

It("Blocks creation of AuthPolicies with overrides targeting HTTPRoutes", func() {
routePolicy := policyFactory(func(policy *api.AuthPolicy) {
policy.Spec.Overrides = &api.AuthPolicyCommonSpec{}
policy.Spec.Defaults = nil
policy.Spec.Overrides.AuthScheme = testBasicAuthScheme()
})
err := k8sClient.Create(context.Background(), routePolicy)
logf.Log.V(1).Info("Creating AuthPolicy", "key", client.ObjectKeyFromObject(routePolicy).String(), "error", err)
Expect(err).To(HaveOccurred())
Expect(err.Error()).To(ContainSubstring("Overrides are not allowed for policies targeting a HTTPRoute resource"))
})
})
})

Expand Down

0 comments on commit 17378e0

Please sign in to comment.