Extauth boolean expr api (#3676)
* Add API for boolean logic within auth chain
* Support more complex boolean logic
* Simpler api for more complex boolean logic
* Add server side config
* Rename field and improve comments
* Add changelog
* Improve comments
kdorosh committed Sep 29, 2020
1 parent 458b203 commit 6cd58f6
Showing 5 changed files with 368 additions and 187 deletions.
10 changes: 10 additions & 0 deletions changelog/v1.5.0-beta27/add-boolean-expr-api-to-extauth.yaml
@@ -0,0 +1,10 @@
changelog:
- type: NEW_FEATURE
issueLink: https://github.com/solo-io/gloo/issues/3207
description: >-
Add API to `AuthConfig` that allows users to specify a boolean expression to determine how to evaluate auth
configs within an auth chain. Previously, each config on an auth config must be authorized for the entire request
to be authorized. This remains the default, but now users can additionally specify a boolean expression (the
`booleanExpr` field on an auth config) to reference the auth configs and AND/OR/NOT them together to achieve the
desired access policy.
resolvesIssue: false
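Review bot: the description never says what the identifiers in the expression bind to; a reader of this changelog cannot tell that `basic1`-style names come from the new `name` field on each entry of `configs`, so add a clause such as "configs are referenced by their `name`". Two wording fixes as well: "each config on an auth config must be authorized" should be "every config in the chain had to be authorized", and it is worth stating explicitly that leaving `booleanExpr` unset keeps the existing fail-closed behaviour (all configs must authorize), since that is the property a security reviewer will look for first.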
Original file line number Diff line number Diff line change
Expand Up @@ -65,14 +65,16 @@ format that will be included in the extauth snapshot.
"status": .core.solo.io.Status
"metadata": .core.solo.io.Metadata
"configs": []enterprise.gloo.solo.io.AuthConfig.Config
"booleanExpr": .google.protobuf.StringValue

```

| Field | Type | Description | Default |
| ----- | ---- | ----------- |----------- |
| `status` | [.core.solo.io.Status](../../../../../../../../../../solo-kit/api/v1/status.proto.sk/#status) | Status indicates the validation status of this resource. Status is read-only by clients, and set by gloo during validation. | |
| `metadata` | [.core.solo.io.Metadata](../../../../../../../../../../solo-kit/api/v1/metadata.proto.sk/#metadata) | Metadata contains the object metadata for this resource. | |
| `configs` | [[]enterprise.gloo.solo.io.AuthConfig.Config](../extauth.proto.sk/#config) | | |
| `configs` | [[]enterprise.gloo.solo.io.AuthConfig.Config](../extauth.proto.sk/#config) | List of auth configs to be checked for requests on a route referencing this auth config, By default, every config must be authorized for the entire request to be authorized. This behavior can be changed by defining names for each config and defining `boolean_expr` below. State is shared between successful requests on the chain, i.e., the headers returned from each successful auth service get appended into the final auth response. | |
| `booleanExpr` | [.google.protobuf.StringValue](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/string-value) | How to handle processing of named configs within an auth config chain. An example config might be: ( basic1 || basic2 || (oidc1 && !oidc2) ) The boolean expression is evaluated left to right but honors parenthesis and short-circuiting. | |



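Review bot: the two new descriptions tell the reader to define `boolean_expr`, but the YAML snippet directly above this table spells the field `booleanExpr`; in a reference page whose whole purpose is to show the YAML key, the description should use the name as it appears in the snippet (or say "the `booleanExpr` field below"). Because this file is generated from the proto comments, fix the wording in the proto so all copies update. Also "referencing this auth config, By default" needs a period rather than a comma, and "parenthesis" should be "parentheses".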
Expand All @@ -83,6 +85,7 @@ format that will be included in the extauth snapshot.


```yaml
"name": .google.protobuf.StringValue
"basicAuth": .enterprise.gloo.solo.io.BasicAuth
"oauth": .enterprise.gloo.solo.io.OAuth
"oauth2": .enterprise.gloo.solo.io.OAuth2
Expand All @@ -95,6 +98,7 @@ format that will be included in the extauth snapshot.

| Field | Type | Description | Default |
| ----- | ---- | ----------- |----------- |
| `name` | [.google.protobuf.StringValue](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/string-value) | optional: used when defining complex boolean logic, if `boolean_expr` is defined below. Also used in logging. If omitted, an automatically generated name will be used (e.g. *apikeys.config-0, of the pattern $CONFIG_TYPE-$INDEX_IN_CHAIN). In the case of plugin auth, this field is ignored in favor of the name assigned on the plugin config itself. | |
| `basicAuth` | [.enterprise.gloo.solo.io.BasicAuth](../extauth.proto.sk/#basicauth) | Only one of `basicAuth`, `oauth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, or `ldap` can be set. | |
| `oauth` | [.enterprise.gloo.solo.io.OAuth](../extauth.proto.sk/#oauth) | Only one of `oauth`, `basicAuth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, or `ldap` can be set. | |
| `oauth2` | [.enterprise.gloo.solo.io.OAuth2](../extauth.proto.sk/#oauth2) | Only one of `oauth2`, `basicAuth`, `oauth`, `apiKeyAuth`, `pluginAuth`, or `ldap` can be set. | |
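Review bot: the example auto-generated name `*apikeys.config-0` does not match the pattern stated right after it (`$CONFIG_TYPE-$INDEX_IN_CHAIN` would produce something like `apikeys-0`), and the leading `*` reads as a stray character. Since the same sentence says this name is what appears in logs, the example should be the literal string an operator will search for when correlating a denied request with the config that denied it. Correct it in the proto comment so the four generated copies stay consistent.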
Expand Down Expand Up @@ -596,13 +600,15 @@ is requested (meaning that all the polled connections are in use), the connectio
```yaml
"authConfigRefName": string
"configs": []enterprise.gloo.solo.io.ExtAuthConfig.Config
"booleanExpr": .google.protobuf.StringValue

```

| Field | Type | Description | Default |
| ----- | ---- | ----------- |----------- |
| `authConfigRefName` | `string` | | |
| `configs` | [[]enterprise.gloo.solo.io.ExtAuthConfig.Config](../extauth.proto.sk/#config) | | |
| `configs` | [[]enterprise.gloo.solo.io.ExtAuthConfig.Config](../extauth.proto.sk/#config) | List of auth configs to be checked for requests on a route referencing this auth config, By default, every config must be authorized for the entire request to be authorized. This behavior can be changed by defining names for each config and defining `boolean_expr` below. State is shared between successful requests on the chain, i.e., the headers returned from each successful auth service get appended into the final auth response. | |
| `booleanExpr` | [.google.protobuf.StringValue](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/string-value) | How to handle processing of named configs within an auth config chain. An example config might be: ( basic1 || basic2 || (oidc1 && !oidc2) ) The boolean expression is evaluated left to right but honors parenthesis and short-circuiting. | |



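Review bot: same issues as the `AuthConfig` table earlier in this file (descriptions say `boolean_expr` while the snippet shows `booleanExpr`; comma after "auth config"; "parenthesis"). While this table is being regenerated, `authConfigRefName` still has an empty description; a one-line comment in the proto saying which `AuthConfig` it names would fill it and make clear that the names used in `booleanExpr` are resolved within that one referenced config.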
Expand Down Expand Up @@ -751,6 +757,7 @@ Deprecated, prefer OAuth2Config


```yaml
"name": .google.protobuf.StringValue
"oauth": .enterprise.gloo.solo.io.ExtAuthConfig.OAuthConfig
"oauth2": .enterprise.gloo.solo.io.ExtAuthConfig.OAuth2Config
"basicAuth": .enterprise.gloo.solo.io.BasicAuth
Expand All @@ -763,6 +770,7 @@ Deprecated, prefer OAuth2Config

| Field | Type | Description | Default |
| ----- | ---- | ----------- |----------- |
| `name` | [.google.protobuf.StringValue](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/string-value) | optional: used when defining complex boolean logic, if `boolean_expr` is defined below. Also used in logging. If omitted, an automatically generated name will be used (e.g. *apikeys.config-0, of the pattern $CONFIG_TYPE-$INDEX_IN_CHAIN). In the case of plugin auth, this field is ignored in favor of the name assigned on the plugin config itself. | |
| `oauth` | [.enterprise.gloo.solo.io.ExtAuthConfig.OAuthConfig](../extauth.proto.sk/#oauthconfig) | Only one of `oauth`, `oauth2`, `basicAuth`, `apiKeyAuth`, `pluginAuth`, or `ldap` can be set. | |
| `oauth2` | [.enterprise.gloo.solo.io.ExtAuthConfig.OAuth2Config](../extauth.proto.sk/#oauth2config) | Only one of `oauth2`, `oauth`, `basicAuth`, `apiKeyAuth`, `pluginAuth`, or `ldap` can be set. | |
| `basicAuth` | [.enterprise.gloo.solo.io.BasicAuth](../extauth.proto.sk/#basicauth) | Only one of `basicAuth`, `oauth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, or `ldap` can be set. | |
35 changes: 35 additions & 0 deletions projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto
Expand Up @@ -36,6 +36,13 @@ message AuthConfig {
core.solo.io.Metadata metadata = 2 [(gogoproto.nullable) = false];

message Config {

// optional: used when defining complex boolean logic, if `boolean_expr` is defined below. Also used
// in logging. If omitted, an automatically generated name will be used (e.g. *apikeys.config-0, of the
// pattern $CONFIG_TYPE-$INDEX_IN_CHAIN). In the case of plugin auth, this field is ignored in favor of
// the name assigned on the plugin config itself.
google.protobuf.StringValue name = 9;

oneof auth_config {
BasicAuth basic_auth = 1;
OAuth oauth = 2 [deprecated=true];
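Review bot: the `name` comment should state whether names must be unique within `configs` and what happens to duplicates. `boolean_expr` resolves identifiers by name, so two entries sharing a name, or a user-supplied name that collides with the auto-generated `$CONFIG_TYPE-$INDEX_IN_CHAIN` form of an unnamed sibling, makes the expression ambiguous and the resulting authorization decision implementation-defined. Suggest rejecting duplicates at validation time and saying so here, e.g. `// Must be unique within configs; duplicate names are rejected at validation.` The `*apikeys.config-0` example also does not match the stated pattern and should be corrected in this comment.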
Expand All @@ -47,7 +54,18 @@ message AuthConfig {
}
}

// List of auth configs to be checked for requests on a route referencing this auth config,
// By default, every config must be authorized for the entire request to be authorized. This
// behavior can be changed by defining names for each config and defining `boolean_expr` below.
//
// State is shared between successful requests on the chain, i.e., the headers returned from each
// successful auth service get appended into the final auth response.
repeated Config configs = 3;

// How to handle processing of named configs within an auth config chain.
// An example config might be: ( basic1 || basic2 || (oidc1 && !oidc2) )
// The boolean expression is evaluated left to right but honors parenthesis and short-circuiting.
google.protobuf.StringValue boolean_expr = 10;
}

// Auth configurations defined on virtual hosts, routes, and weighted destinations will be unmarshalled to this message.
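Review bot: the `boolean_expr` comment leaves exactly the cases unspecified that matter for an authorization decision. (1) Precedence: "evaluated left to right but honors parenthesis" does not say whether `a || b && c` is `(a || b) && c` or `a || (b && c)`; either document the precedence or require parentheses when operators are mixed. (2) Errors: an identifier that matches no config `name`, an empty string, or a syntax error should be a validation failure that rejects the `AuthConfig`, not something evaluated at request time; the comment should say this, since the safe default described above ("every config must be authorized") is otherwise lost silently. (3) Interaction with the shared state described in the `configs` comment: with `||` short-circuiting, configs that are never run contribute no headers, and for a `!oidc2` term it should be spelled out whether a config that authenticated but was negated still has its headers appended to the final response, because leaking upstream headers from a branch that was meant to deny would be surprising. Also: is a config listed in `configs` but not referenced by the expression executed at all, and does it gate the request? Finally, "parenthesis" should be "parentheses".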
Expand Down Expand Up @@ -512,6 +530,12 @@ message ExtAuthConfig {

reserved 1, 2;

// optional: used when defining complex boolean logic, if `boolean_expr` is defined below. Also used
// in logging. If omitted, an automatically generated name will be used (e.g. *apikeys.config-0, of the
// pattern $CONFIG_TYPE-$INDEX_IN_CHAIN). In the case of plugin auth, this field is ignored in favor of
// the name assigned on the plugin config itself.
google.protobuf.StringValue name = 11;

oneof auth_config {
OAuthConfig oauth = 3 [deprecated=true];
OAuth2Config oauth2 = 9;
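Review bot: this is a verbatim copy of the `AuthConfig.Config.name` comment, but `ExtAuthConfig` is the message handed to the ext-auth server after translation, so the comment here should say at which step the automatic name is assigned: during translation (so the server always receives a non-empty `name`) or on the server from the config's position in the chain. If both layers can generate it, the `$CONFIG_TYPE-$INDEX_IN_CHAIN` form has to be computed identically on both sides, otherwise the name an operator writes in `boolean_expr` will not be the name that appears in the server's logs.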
Expand All @@ -523,7 +547,18 @@ message ExtAuthConfig {
}
}

// List of auth configs to be checked for requests on a route referencing this auth config,
// By default, every config must be authorized for the entire request to be authorized. This
// behavior can be changed by defining names for each config and defining `boolean_expr` below.
//
// State is shared between successful requests on the chain, i.e., the headers returned from each
// successful auth service get appended into the final auth response.
repeated Config configs = 8;

// How to handle processing of named configs within an auth config chain.
// An example config might be: ( basic1 || basic2 || (oidc1 && !oidc2) )
// The boolean expression is evaluated left to right but honors parenthesis and short-circuiting.
google.protobuf.StringValue boolean_expr = 10;
}

/*
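Review bot: `boolean_expr` is passed to the server as an opaque string, so if it is only parsed there, a malformed expression or an unresolvable name is discovered on the first request instead of when the resource is applied. Suggest parsing it during `AuthConfig` to `ExtAuthConfig` translation (syntax checked, every identifier resolved against the `name` values in `configs`) and writing a validation error to the resource status on failure, so the observable behaviour stays fail-closed like the default "every config must be authorized". The comment on this field could then simply say "validated at translation time; see AuthConfig.boolean_expr" rather than duplicating the full text, which keeps the two copies from drifting.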
