istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0
217 stars 63 forks

POC: and/or/not semantics in filter chain matcher #173

Open Shikugawa opened 3 years ago

Shikugawa commented 3 years ago

This is a necessary feature to realize #172: by introducing the and/or/not semantics into the filter chain match, we can integrate the features that currently realize TriggerRule into Matcher. For example, in the previous implementation, the

However, once TriggerRule and Matcher are integrated in #172, we can no longer write rules that require such "and" semantics. This is why this is necessary.

Authenticate if path matches /path1 and domain matches test.com.

{
  "matches": [{
    "and": [
        {
           "default": {
             "header": ":path",
             "equality": "/path1"
           }
        },
        {
           "default": {
             "header": ":authority",
             "equality": "test.com"
           }
        }
     ]
  }]
}

If path matches /path2 and domain matches test2.com, do not authenticate.

{
  "matches": [{
    "or": [
        {
           "not": {
             "default": {
               "header": ":path",
               "equality": "/path1"
             }
           }
        },
        {
           "not": {
             "default": {
               "header": ":authority",
               "equality": "test.com"
             }
           }
        }
     ]
  }]
}

To achieve this, we need an API like the following:

syntax = "proto3";

// Match is assumed to be the existing per-header match message (the
// "header"/"equality" object under "default" in the JSON above); it is not
// redefined here.
message Default {
  Match match = 1;
}

message Not {
  Unit unit = 1;
}

message And {
  repeated Unit unit = 1;
}

message Or {
  repeated Unit unit = 1;
}

// Exactly one of the four branches is set per Unit.
message Unit {
  oneof kind {
    Default default = 1;
    Not not = 2;
    And and = 3;
    Or or = 4;
  }
}

message Matches {
  repeated Unit unit = 1;
}
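The following is an added example, not code from authservice or from this PR: a small evaluator for the and/or/not Unit tree proposed above, run against the two rules from the description. It assumes a leaf Match of the form `{"header": ..., "equality": ...}` (a `prefix` criterion is also accepted as an assumption), that a header absent from the request never matches, and that the filter triggers when any entry of `matches` evaluates true. It also shows that the or-of-nots rule is the De Morgan form of `not(and [...])`, and it rejects empty `and`/`or` lists, which would otherwise make a rule always or never trigger.

```python
import json

# Constructed configs in the JSON shape proposed in this PR (not taken from a
# real authservice deployment). The second one is the "do not authenticate if
# path matches /path1 and domain matches test.com" rule written as an
# or-of-nots, i.e. NOT(path AND domain) by De Morgan.
AND_RULE = json.loads("""
{"matches": [{"and": [
  {"default": {"header": ":path", "equality": "/path1"}},
  {"default": {"header": ":authority", "equality": "test.com"}}
]}]}
""")

OR_NOT_RULE = json.loads("""
{"matches": [{"or": [
  {"not": {"default": {"header": ":path", "equality": "/path1"}}},
  {"not": {"default": {"header": ":authority", "equality": "test.com"}}}
]}]}
""")


def eval_default(match, headers):
    """Evaluate a leaf Match. Assumed shape: a header name plus either an
    'equality' or a 'prefix' criterion. A header that is absent from the
    request never matches, so a bare leaf fails closed."""
    value = headers.get(match["header"])
    if value is None:
        return False
    if "equality" in match:
        return value == match["equality"]
    if "prefix" in match:
        return value.startswith(match["prefix"])
    raise ValueError("Match needs an 'equality' or 'prefix' criterion")


def eval_unit(unit, headers):
    """Evaluate one Unit: exactly one of default/not/and/or must be set,
    mirroring the proto oneof. Empty and/or lists are rejected rather than
    silently evaluating to True/False, which would make a rule trigger (or
    never trigger) on every request."""
    if len(unit) != 1:
        raise ValueError("Unit must set exactly one of default/not/and/or")
    (kind, body), = unit.items()
    if kind == "default":
        return eval_default(body, headers)
    if kind == "not":
        return not eval_unit(body, headers)
    if kind in ("and", "or"):
        if not body:
            raise ValueError(f"'{kind}' needs at least one Unit")
        combine = all if kind == "and" else any
        return combine(eval_unit(u, headers) for u in body)
    raise ValueError(f"unknown Unit kind {kind!r}")


def should_authenticate(config, headers):
    """Top-level rule: the filter triggers when any entry in 'matches' is true.
    (Assumption about how Matches is consumed; the PR text does not say.)"""
    return any(eval_unit(u, headers) for u in config["matches"])


if __name__ == "__main__":
    req = {":path": "/path1", ":authority": "test.com"}
    print("AND rule    ->", should_authenticate(AND_RULE, req))     # True
    print("OR/NOT rule ->", should_authenticate(OR_NOT_RULE, req))  # False
```

Note the fail-closed behaviour when a header is missing: a bare `default` leaf is false, so a `not` wrapped around it becomes true and the or-of-nots rule still triggers authentication for a request without a `:path` or `:authority` pseudo-header.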