Disallow empty AuthPolicies (#1034)
Signed-off-by: Guilherme Cassolato <[email protected]>
guicassolato authored Nov 27, 2024
1 parent f58cb54 commit 877a742
Showing 6 changed files with 201 additions and 13 deletions.
3 changes: 3 additions & 0 deletions api/v1/authpolicy_types.go
Expand Up @@ -292,6 +292,9 @@ func (p *AuthPolicy) Kind() string {
// +kubebuilder:validation:XValidation:rule="!(has(self.defaults) && (has(self.patterns) || has(self.when) || has(self.rules)))",message="Implicit and explicit defaults are mutually exclusive"
// +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && (has(self.patterns) || has(self.when) || has(self.rules)))",message="Implicit defaults and explicit overrides are mutually exclusive"
// +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && has(self.defaults))",message="Explicit overrides and explicit defaults are mutually exclusive"
// +kubebuilder:validation:XValidation:rule="!(has(self.overrides) || has(self.defaults)) ? has(self.rules) && ((has(self.rules.authentication) && size(self.rules.authentication) > 0) || (has(self.rules.metadata) && size(self.rules.metadata) > 0) || (has(self.rules.authorization) && size(self.rules.authorization) > 0) || (has(self.rules.response) && (has(self.rules.response.unauthenticated) || has(self.rules.response.unauthorized) || (has(self.rules.response.success) && (size(self.rules.response.success.headers) > 0 || size(self.rules.response.success.filters) > 0)))) || (has(self.rules.callbacks) && size(self.rules.callbacks) > 0)) : true",message="At least one spec.rules must be defined"
// +kubebuilder:validation:XValidation:rule="has(self.defaults) ? has(self.defaults.rules) && ((has(self.defaults.rules.authentication) && size(self.defaults.rules.authentication) > 0) || (has(self.defaults.rules.metadata) && size(self.defaults.rules.metadata) > 0) || (has(self.defaults.rules.authorization) && size(self.defaults.rules.authorization) > 0) || (has(self.defaults.rules.response) && (has(self.defaults.rules.response.unauthenticated) || has(self.defaults.rules.response.unauthorized) || (has(self.defaults.rules.response.success) && (size(self.defaults.rules.response.success.headers) > 0 || size(self.defaults.rules.response.success.filters) > 0)))) || (has(self.defaults.rules.callbacks) && size(self.defaults.rules.callbacks) > 0)) : true",message="At least one spec.defaults.rules must be defined"
// +kubebuilder:validation:XValidation:rule="has(self.overrides) ? has(self.overrides.rules) && ((has(self.overrides.rules.authentication) && size(self.overrides.rules.authentication) > 0) || (has(self.overrides.rules.metadata) && size(self.overrides.rules.metadata) > 0) || (has(self.overrides.rules.authorization) && size(self.overrides.rules.authorization) > 0) || (has(self.overrides.rules.response) && (has(self.overrides.rules.response.unauthenticated) || has(self.overrides.rules.response.unauthorized) || (has(self.overrides.rules.response.success) && (size(self.overrides.rules.response.success.headers) > 0 || size(self.overrides.rules.response.success.filters) > 0)))) || (has(self.overrides.rules.callbacks) && size(self.overrides.rules.callbacks) > 0)) : true",message="At least one spec.overrides.rules must be defined"
type AuthPolicySpec struct {
// Reference to the object to which this policy applies.
// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
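Review bot: In the rule on L21, `size(self.rules.response.success.headers)` and `size(self.rules.response.success.filters)` are the only field accesses in the expression that carry no `has()` guard, and the defaults and overrides copies on L22 and L23 repeat the same pattern. If those two keys are optional in the schema, which the `has()` guard on every sibling field suggests, a `success` block that sets neither of them (or an empty one without the other) makes the rule evaluate to a "no such key" error instead of false, so the object is still rejected but the caller sees the evaluation error rather than the declared "At least one spec.rules must be defined" message. Guarding both accesses keeps the rule total: `(has(self.rules.response.success.headers) && size(self.rules.response.success.headers) > 0) || (has(self.rules.response.success.filters) && size(self.rules.response.success.filters) > 0)`, with the same edit under the `self.defaults.rules` and `self.overrides.rules` prefixes. The three CRD manifests in the other sections are generated from these markers and would need regenerating after the fix; the `AuthPolicySpec` struct the markers annotate begins at the end of the hunk and its body continues outside it.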
Expand Up @@ -109,7 +109,7 @@ metadata:
capabilities: Basic Install
categories: Integration & Delivery
containerImage: quay.io/kuadrant/kuadrant-operator:latest
createdAt: "2024-11-25T09:30:08Z"
createdAt: "2024-11-26T15:09:44Z"
description: A Kubernetes Operator to manage the lifecycle of the Kuadrant system
operators.operatorframework.io/builder: operator-sdk-v1.32.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
30 changes: 30 additions & 0 deletions bundle/manifests/kuadrant.io_authpolicies.yaml
Expand Up @@ -6888,6 +6888,36 @@ spec:
|| has(self.rules)))'
- message: Explicit overrides and explicit defaults are mutually exclusive
rule: '!(has(self.overrides) && has(self.defaults))'
- message: At least one spec.rules must be defined
rule: '!(has(self.overrides) || has(self.defaults)) ? has(self.rules)
&& ((has(self.rules.authentication) && size(self.rules.authentication)
> 0) || (has(self.rules.metadata) && size(self.rules.metadata) > 0)
|| (has(self.rules.authorization) && size(self.rules.authorization)
> 0) || (has(self.rules.response) && (has(self.rules.response.unauthenticated)
|| has(self.rules.response.unauthorized) || (has(self.rules.response.success)
&& (size(self.rules.response.success.headers) > 0 || size(self.rules.response.success.filters)
> 0)))) || (has(self.rules.callbacks) && size(self.rules.callbacks)
> 0)) : true'
- message: At least one spec.defaults.rules must be defined
rule: 'has(self.defaults) ? has(self.defaults.rules) && ((has(self.defaults.rules.authentication)
&& size(self.defaults.rules.authentication) > 0) || (has(self.defaults.rules.metadata)
&& size(self.defaults.rules.metadata) > 0) || (has(self.defaults.rules.authorization)
&& size(self.defaults.rules.authorization) > 0) || (has(self.defaults.rules.response)
&& (has(self.defaults.rules.response.unauthenticated) || has(self.defaults.rules.response.unauthorized)
|| (has(self.defaults.rules.response.success) && (size(self.defaults.rules.response.success.headers)
> 0 || size(self.defaults.rules.response.success.filters) > 0))))
|| (has(self.defaults.rules.callbacks) && size(self.defaults.rules.callbacks)
> 0)) : true'
- message: At least one spec.overrides.rules must be defined
rule: 'has(self.overrides) ? has(self.overrides.rules) && ((has(self.overrides.rules.authentication)
&& size(self.overrides.rules.authentication) > 0) || (has(self.overrides.rules.metadata)
&& size(self.overrides.rules.metadata) > 0) || (has(self.overrides.rules.authorization)
&& size(self.overrides.rules.authorization) > 0) || (has(self.overrides.rules.response)
&& (has(self.overrides.rules.response.unauthenticated) || has(self.overrides.rules.response.unauthorized)
|| (has(self.overrides.rules.response.success) && (size(self.overrides.rules.response.success.headers)
> 0 || size(self.overrides.rules.response.success.filters) > 0))))
|| (has(self.overrides.rules.callbacks) && size(self.overrides.rules.callbacks)
> 0)) : true'
status:
properties:
conditions:
30 changes: 30 additions & 0 deletions charts/kuadrant-operator/templates/manifests.yaml
Expand Up @@ -6888,6 +6888,36 @@ spec:
|| has(self.rules)))'
- message: Explicit overrides and explicit defaults are mutually exclusive
rule: '!(has(self.overrides) && has(self.defaults))'
- message: At least one spec.rules must be defined
rule: '!(has(self.overrides) || has(self.defaults)) ? has(self.rules)
&& ((has(self.rules.authentication) && size(self.rules.authentication)
> 0) || (has(self.rules.metadata) && size(self.rules.metadata) > 0)
|| (has(self.rules.authorization) && size(self.rules.authorization)
> 0) || (has(self.rules.response) && (has(self.rules.response.unauthenticated)
|| has(self.rules.response.unauthorized) || (has(self.rules.response.success)
&& (size(self.rules.response.success.headers) > 0 || size(self.rules.response.success.filters)
> 0)))) || (has(self.rules.callbacks) && size(self.rules.callbacks)
> 0)) : true'
- message: At least one spec.defaults.rules must be defined
rule: 'has(self.defaults) ? has(self.defaults.rules) && ((has(self.defaults.rules.authentication)
&& size(self.defaults.rules.authentication) > 0) || (has(self.defaults.rules.metadata)
&& size(self.defaults.rules.metadata) > 0) || (has(self.defaults.rules.authorization)
&& size(self.defaults.rules.authorization) > 0) || (has(self.defaults.rules.response)
&& (has(self.defaults.rules.response.unauthenticated) || has(self.defaults.rules.response.unauthorized)
|| (has(self.defaults.rules.response.success) && (size(self.defaults.rules.response.success.headers)
> 0 || size(self.defaults.rules.response.success.filters) > 0))))
|| (has(self.defaults.rules.callbacks) && size(self.defaults.rules.callbacks)
> 0)) : true'
- message: At least one spec.overrides.rules must be defined
rule: 'has(self.overrides) ? has(self.overrides.rules) && ((has(self.overrides.rules.authentication)
&& size(self.overrides.rules.authentication) > 0) || (has(self.overrides.rules.metadata)
&& size(self.overrides.rules.metadata) > 0) || (has(self.overrides.rules.authorization)
&& size(self.overrides.rules.authorization) > 0) || (has(self.overrides.rules.response)
&& (has(self.overrides.rules.response.unauthenticated) || has(self.overrides.rules.response.unauthorized)
|| (has(self.overrides.rules.response.success) && (size(self.overrides.rules.response.success.headers)
> 0 || size(self.overrides.rules.response.success.filters) > 0))))
|| (has(self.overrides.rules.callbacks) && size(self.overrides.rules.callbacks)
> 0)) : true'
status:
properties:
conditions:
30 changes: 30 additions & 0 deletions config/crd/bases/kuadrant.io_authpolicies.yaml
Expand Up @@ -6887,6 +6887,36 @@ spec:
|| has(self.rules)))'
- message: Explicit overrides and explicit defaults are mutually exclusive
rule: '!(has(self.overrides) && has(self.defaults))'
- message: At least one spec.rules must be defined
rule: '!(has(self.overrides) || has(self.defaults)) ? has(self.rules)
&& ((has(self.rules.authentication) && size(self.rules.authentication)
> 0) || (has(self.rules.metadata) && size(self.rules.metadata) > 0)
|| (has(self.rules.authorization) && size(self.rules.authorization)
> 0) || (has(self.rules.response) && (has(self.rules.response.unauthenticated)
|| has(self.rules.response.unauthorized) || (has(self.rules.response.success)
&& (size(self.rules.response.success.headers) > 0 || size(self.rules.response.success.filters)
> 0)))) || (has(self.rules.callbacks) && size(self.rules.callbacks)
> 0)) : true'
- message: At least one spec.defaults.rules must be defined
rule: 'has(self.defaults) ? has(self.defaults.rules) && ((has(self.defaults.rules.authentication)
&& size(self.defaults.rules.authentication) > 0) || (has(self.defaults.rules.metadata)
&& size(self.defaults.rules.metadata) > 0) || (has(self.defaults.rules.authorization)
&& size(self.defaults.rules.authorization) > 0) || (has(self.defaults.rules.response)
&& (has(self.defaults.rules.response.unauthenticated) || has(self.defaults.rules.response.unauthorized)
|| (has(self.defaults.rules.response.success) && (size(self.defaults.rules.response.success.headers)
> 0 || size(self.defaults.rules.response.success.filters) > 0))))
|| (has(self.defaults.rules.callbacks) && size(self.defaults.rules.callbacks)
> 0)) : true'
- message: At least one spec.overrides.rules must be defined
rule: 'has(self.overrides) ? has(self.overrides.rules) && ((has(self.overrides.rules.authentication)
&& size(self.overrides.rules.authentication) > 0) || (has(self.overrides.rules.metadata)
&& size(self.overrides.rules.metadata) > 0) || (has(self.overrides.rules.authorization)
&& size(self.overrides.rules.authorization) > 0) || (has(self.overrides.rules.response)
&& (has(self.overrides.rules.response.unauthenticated) || has(self.overrides.rules.response.unauthorized)
|| (has(self.overrides.rules.response.success) && (size(self.overrides.rules.response.success.headers)
> 0 || size(self.overrides.rules.response.success.filters) > 0))))
|| (has(self.overrides.rules.callbacks) && size(self.overrides.rules.callbacks)
> 0)) : true'
status:
properties:
conditions: