OPA object support (#8383)

* add api for exposing auth decision data to envoy * add changelog * Adding changelog file to new location * Deleting changelog file from old location * Adding changelog file to new location * Deleting changelog file from old location * Adding changelog file to new location * Deleting changelog file from old location * Adding changelog file to new location * Deleting changelog file from old location * Adding changelog file to new location * Deleting changelog file from old location * Adding changelog file to new location * Deleting changelog file from old location * Adding changelog file to new location * Deleting changelog file from old location * update after code review * Adding changelog file to new location * Deleting changelog file from old location * api changes --------- Co-authored-by: changelog-bot <changelog-bot> Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com>
solo-io · Jul 13, 2023 · d6241c8 · d6241c8
1 parent 889ff8a
commit d6241c8
Show file tree

Hide file tree

Showing 8 changed files with 788 additions and 742 deletions.
diff --git a/changelog/v1.15.0-beta20/add-ext-auth-decision-api.yaml b/changelog/v1.15.0-beta20/add-ext-auth-decision-api.yaml
@@ -0,0 +1,4 @@
+changelog:
+  - type: NON_USER_FACING
+    description: >-
+      Add field to OPA API to eventually support ext-auth returning objects from OPA decisions.
diff --git a/...-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md b/...-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md
diff --git a/install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml b/install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml
@@ -651,6 +651,8 @@ spec:
                           properties:
                             fastInputConversion:
                               type: boolean
+                            returnDecisionReason:
+                              type: boolean
                           type: object
                         query:
                           type: string

diff --git a/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto b/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto
@@ -1078,6 +1078,14 @@ message OpaAuthOptions {
     // are included in the request input. All other fields are dropped. Dropped fields will not be evaluated by the OPA engine.
     // By default, this is set to false and all fields are evaluated by OPA.
     bool fast_input_conversion = 1;
+
+    // Return the reason given from the OPA engine after a decision made on this policy. Reason must be the second
+    // parameter of the query and will be a protobuf struct if the reason is an object, and otherwise will be a json
+    // string. The entry will be in the returned DynamicMetadata in the CheckResponse and the structure will be
+    // envoy.filters.http.ext_authz:
+    //   -> name of the auth step, i.e. spec.configs[i].name
+    //       -> reason
+    bool return_decision_reason = 2;
 }
 
 // Authenticates and authorizes requests by querying an LDAP server. Gloo makes the following assumptions:

diff --git a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.clone.go b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.clone.go
diff --git a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.equal.go b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.equal.go
diff --git a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go
diff --git a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.hash.go b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.hash.go