feat: add header overloads (#167)

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

manifests/policies/demo-policy.example.com.yaml

@@ -4,26 +4,24 @@ metadata:
   name: demo-policy.example.com
 spec:
   variables:
-  - name: request_headers
-    expression: object.attributes.request.http.headers
-  - name: force_unauthenticated
-    expression: variables.?request_headers["x-force-unauthenticated"].orValue("disabled") == "enabled"
   - name: force_authorized
-    expression: variables.?request_headers["x-force-authorized"].orValue("false") == "true"
+    expression: object.attributes.request.http.headers[?"x-force-authorized"].orValue("") in ["enabled", "true"]
+  - name: force_unauthenticated
+    expression: object.attributes.request.http.headers[?"x-force-unauthenticated"].orValue("") in ["enabled", "true"]
   - name: metadata
     expression: '{"my-new-metadata": "my-new-value"}'
   authorizations:
   - expression: >
-      !variables.force_unauthenticated && variables.force_authorized
+      variables.force_authorized && !variables.force_unauthenticated
       ? envoy
           .Allowed()
-          .WithHeader(envoy.Header("x-validated-by", "my-security-checkpoint"))
-          .WithoutHeader("user-agent")
+          .WithHeader("x-validated-by", "my-security-checkpoint")
+          .WithoutHeader("x-force-authorized")
+          .WithResponseHeader("x-add-custom-response-header", "added")
           .Response()
           .WithMetadata(variables.metadata)
       : envoy
           .Denied(variables.force_unauthenticated ? 401 : 403)
           .WithBody(variables.force_unauthenticated ? "Authentication Failed" : "Unauthorized Request")
-          .WithHeader(envoy.Header("x-validated-by", "my-security-checkpoint"))
           .Response()
           .WithMetadata(variables.metadata)

pkg/authz/cel/libs/envoy/impl.go

@@ -21,7 +21,7 @@ func (c *impl) allowed() ref.Val {
 	return c.NativeToValue(r)
 }
 
-func (c *impl) ok_with_header(ok ref.Val, header ref.Val) ref.Val {
+func (c *impl) ok_with_header_header(ok ref.Val, header ref.Val) ref.Val {
 	if ok, err := utils.ConvertToNative[*authv3.OkHttpResponse](ok); err != nil {
 		return types.WrapErr(err)
 	} else if header, err := utils.ConvertToNative[*corev3.HeaderValueOption](header); err != nil {
@@ -32,6 +32,19 @@ func (c *impl) ok_with_header(ok ref.Val, header ref.Val) ref.Val {
 	}
 }
 
+func (c *impl) ok_with_header_string_string(values ...ref.Val) ref.Val {
+	if ok, err := utils.ConvertToNative[*authv3.OkHttpResponse](values[0]); err != nil {
+		return types.WrapErr(err)
+	} else if key, err := utils.ConvertToNative[string](values[1]); err != nil {
+		return types.WrapErr(err)
+	} else if value, err := utils.ConvertToNative[string](values[2]); err != nil {
+		return types.WrapErr(err)
+	} else {
+		ok.Headers = append(ok.Headers, &corev3.HeaderValueOption{Header: &corev3.HeaderValue{Key: key, Value: value}})
+		return c.NativeToValue(ok)
+	}
+}
+
 func (c *impl) ok_without_header(ok ref.Val, header ref.Val) ref.Val {
 	if ok, err := utils.ConvertToNative[*authv3.OkHttpResponse](ok); err != nil {
 		return types.WrapErr(err)
@@ -43,7 +56,7 @@ func (c *impl) ok_without_header(ok ref.Val, header ref.Val) ref.Val {
 	}
 }
 
-func (c *impl) ok_with_response_header(ok ref.Val, header ref.Val) ref.Val {
+func (c *impl) ok_with_response_header_header(ok ref.Val, header ref.Val) ref.Val {
 	if ok, err := utils.ConvertToNative[*authv3.OkHttpResponse](ok); err != nil {
 		return types.WrapErr(err)
 	} else if header, err := utils.ConvertToNative[*corev3.HeaderValueOption](header); err != nil {
@@ -54,6 +67,19 @@ func (c *impl) ok_with_response_header(ok ref.Val, header ref.Val) ref.Val {
 	}
 }
 
+func (c *impl) ok_with_response_header_string_string(values ...ref.Val) ref.Val {
+	if ok, err := utils.ConvertToNative[*authv3.OkHttpResponse](values[0]); err != nil {
+		return types.WrapErr(err)
+	} else if key, err := utils.ConvertToNative[string](values[1]); err != nil {
+		return types.WrapErr(err)
+	} else if value, err := utils.ConvertToNative[string](values[2]); err != nil {
+		return types.WrapErr(err)
+	} else {
+		ok.ResponseHeadersToAdd = append(ok.ResponseHeadersToAdd, &corev3.HeaderValueOption{Header: &corev3.HeaderValue{Key: key, Value: value}})
+		return c.NativeToValue(ok)
+	}
+}
+
 func (c *impl) ok_with_query_param(ok ref.Val, param ref.Val) ref.Val {
 	if ok, err := utils.ConvertToNative[*authv3.OkHttpResponse](ok); err != nil {
 		return types.WrapErr(err)
@@ -95,7 +121,7 @@ func (c *impl) denied_with_body(denied ref.Val, body ref.Val) ref.Val {
 	}
 }
 
-func (c *impl) denied_with_header(denied ref.Val, header ref.Val) ref.Val {
+func (c *impl) denied_with_header_header(denied ref.Val, header ref.Val) ref.Val {
 	if denied, err := utils.ConvertToNative[*authv3.DeniedHttpResponse](denied); err != nil {
 		return types.WrapErr(err)
 	} else if header, err := utils.ConvertToNative[*corev3.HeaderValueOption](header); err != nil {
@@ -106,6 +132,19 @@ func (c *impl) denied_with_header(denied ref.Val, header ref.Val) ref.Val {
 	}
 }
 
+func (c *impl) denied_with_header_string_string(values ...ref.Val) ref.Val {
+	if denied, err := utils.ConvertToNative[*authv3.DeniedHttpResponse](values[0]); err != nil {
+		return types.WrapErr(err)
+	} else if key, err := utils.ConvertToNative[string](values[1]); err != nil {
+		return types.WrapErr(err)
+	} else if value, err := utils.ConvertToNative[string](values[2]); err != nil {
+		return types.WrapErr(err)
+	} else {
+		denied.Headers = append(denied.Headers, &corev3.HeaderValueOption{Header: &corev3.HeaderValue{Key: key, Value: value}})
+		return c.NativeToValue(denied)
+	}
+}
+
 func (c *impl) header_key_value(key ref.Val, value ref.Val) ref.Val {
 	if key, err := utils.ConvertToNative[string](key); err != nil {
 		return types.WrapErr(err)

pkg/authz/cel/libs/envoy/lib.go

@@ -68,14 +68,17 @@ func (*lib) extendEnv(env *cel.Env) (*cel.Env, error) {
 			cel.MemberOverload("denied_with_body", []*cel.Type{DeniedHttpResponse, types.StringType}, DeniedHttpResponse, cel.BinaryBinding(impl.denied_with_body)),
 		},
 		"WithHeader": {
-			cel.MemberOverload("ok_with_header", []*cel.Type{OkHttpResponse, HeaderValueOption}, OkHttpResponse, cel.BinaryBinding(impl.ok_with_header)),
-			cel.MemberOverload("denied_with_header", []*cel.Type{DeniedHttpResponse, HeaderValueOption}, DeniedHttpResponse, cel.BinaryBinding(impl.denied_with_header)),
+			cel.MemberOverload("ok_with_header_header", []*cel.Type{OkHttpResponse, HeaderValueOption}, OkHttpResponse, cel.BinaryBinding(impl.ok_with_header_header)),
+			cel.MemberOverload("ok_with_header_string_string", []*cel.Type{OkHttpResponse, types.StringType, types.StringType}, OkHttpResponse, cel.FunctionBinding(impl.ok_with_header_string_string)),
+			cel.MemberOverload("denied_with_header_header", []*cel.Type{DeniedHttpResponse, HeaderValueOption}, DeniedHttpResponse, cel.BinaryBinding(impl.denied_with_header_header)),
+			cel.MemberOverload("denied_with_header_string_string", []*cel.Type{DeniedHttpResponse, types.StringType, types.StringType}, DeniedHttpResponse, cel.FunctionBinding(impl.denied_with_header_string_string)),
 		},
 		"WithoutHeader": {
 			cel.MemberOverload("ok_without_header", []*cel.Type{OkHttpResponse, types.StringType}, OkHttpResponse, cel.BinaryBinding(impl.ok_without_header)),
 		},
 		"WithResponseHeader": {
-			cel.MemberOverload("ok_with_response_header", []*cel.Type{OkHttpResponse, HeaderValueOption}, OkHttpResponse, cel.BinaryBinding(impl.ok_with_response_header)),
+			cel.MemberOverload("ok_with_response_header_header", []*cel.Type{OkHttpResponse, HeaderValueOption}, OkHttpResponse, cel.BinaryBinding(impl.ok_with_response_header_header)),
+			cel.MemberOverload("ok_with_response_header_string_string", []*cel.Type{OkHttpResponse, types.StringType, types.StringType}, OkHttpResponse, cel.FunctionBinding(impl.ok_with_response_header_string_string)),
 		},
 		"WithQueryParam": {
 			cel.MemberOverload("ok_with_query_param", []*cel.Type{OkHttpResponse, QueryParameter}, OkHttpResponse, cel.BinaryBinding(impl.ok_with_query_param)),