Kuadrant / authorino

K8s-native AuthN/AuthZ service to protect your APIs.
Apache License 2.0

fix: RawExtension to string conversion #501

Closed guicassolato closed 2 weeks ago

guicassolato commented 2 weeks ago

Fixes conversion of ValueOrSelector.Value (based on runtime.RawExtension) to string, used at the following configs:

This bug was introduced in v0.18.0, when the AuthConfig controller was updated to work with the v1beta2 type (previously v1beta1), thus activating the option to set static values to JSON/YAML types other than strings. The conversion functions used in the features listed above were overlooked in the process and remained naively treating static values (stored in Golang interface{} variables) as if they were always strings.

Verification steps

make local-setup FF=1
kubectl port-forward deployment/envoy 8000:8000 2>&1 >/dev/null &
kubectl apply -f -<<EOF
apiVersion: authorino.kuadrant.io/v1beta3
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
  - talker-api.127.0.0.1.nip.io
  authorization:
    "sar":
      kubernetesSubjectAccessReview:
        user:
          value: john
        resourceAttributes:
          resource:
            value: secrets
          name:
            selector: request.path.@extract:{"sep":"/","pos":1}
          verb:
            expression: request.method
  response:
    unauthorized:
      message:
        value: Access denied by the Kubernetes RBAC
EOF
curl http://talker-api.127.0.0.1.nip.io:8000/my-secret -i

Check the Authorino logs. You should spot an entry like the following:

{
  "level": "debug",
  "ts": "2024-11-04T11:06:44Z",
  "logger": "authorino.service.auth.authpipeline.authorization.kubernetesauthz",
  "msg": "calling kubernetes subject access review api",
  "request id": "b6471552-9154-41fb-87e4-843f5db9255a",
  "subjectaccessreview": {
    "metadata": {
      "creationTimestamp": null
    },
    "spec": {
      "resourceAttributes": {
        "verb": "GET",
        "resource": "secrets",
        "name": "my-secret"
      },
      "user": "john"
    },
    "status": {
      "allowed": false
    }
  }
}

Before the fix, attributes such as subjectaccessreview.spec.user were being stringified as "{\"john\" <nil>}", which is the direct printout of the RawExtension type in Golang as a string.
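The conversion defect described in this PR, as an added Go example that is not Authorino's own code: the RawExtension type below is a stand-in mirroring the field layout of k8s.io/apimachinery's runtime.RawExtension so the program runs without Kubernetes imports, and naiveString/valueToString are hypothetical names for the pre-fix and corrected conversions. The naive formatting reproduces the {"john" <nil>} string quoted above, while the corrected version decodes the raw JSON before use.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// RawExtension is a stand-in with the same fields as
// k8s.io/apimachinery/pkg/runtime.RawExtension (assumption, so the example
// builds offline). Raw holds the JSON bytes of a static AuthConfig value.
type RawExtension struct {
	Raw    []byte
	Object interface{}
}

// naiveString reproduces the pre-fix behaviour: the interface{} holding the
// static value is formatted as if it were always a string.
func naiveString(v interface{}) string {
	return fmt.Sprintf("%s", v)
}

// valueToString is the corrected conversion: a JSON string is unquoted, any
// other JSON value is kept as compact JSON text, a plain Go string passes
// through, and anything else is rejected instead of being mangled.
func valueToString(v interface{}) (string, error) {
	switch x := v.(type) {
	case string:
		return x, nil
	case RawExtension:
		var decoded interface{}
		if err := json.Unmarshal(x.Raw, &decoded); err != nil {
			return "", fmt.Errorf("invalid static value: %w", err)
		}
		if s, ok := decoded.(string); ok {
			return s, nil
		}
		compact, err := json.Marshal(decoded)
		return string(compact), err
	default:
		return "", fmt.Errorf("unsupported static value type %T", v)
	}
}

func main() {
	user := RawExtension{Raw: []byte(`"john"`)}
	fmt.Println(naiveString(user)) // {"john" <nil>}
	fixed, _ := valueToString(user)
	fmt.Println(fixed) // john
}
```

A mangled user or resource string silently turns the SubjectAccessReview into a check on a nonexistent subject, so comparing the logged subjectaccessreview.spec fields against the values in the AuthConfig is the quickest way to confirm the conversion is right.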