Feature/strategy move (#42)

* add strategy field

* Unify processing

* Initial

* Switch processing

* forward

* cleanup

* cleanup

* Great cleanup

* Make tests great again

* cleanup

* Small fixes

* Review fixes

* Review fixes

* Review fixes

Makefile

@@ -61,7 +61,6 @@ clean:
 install: manifests
 	kustomize build config/crd | kubectl apply -f -
 	@if ! kubectl get crd virtualservices.networking.istio.io > /dev/null 2>&1 ; then kubectl apply -f hack/networking.istio.io_virtualservice.yaml; fi;
-	@if ! kubectl get crd policies.authentication.istio.io > /dev/null 2>&1 ; then kubectl apply -f hack/authentication.istio.io_policies.yaml; fi;
 	@if ! kubectl get crd rules.oathkeeper.ory.sh > /dev/null 2>&1 ; then kubectl apply -f hack/oathkeeper.ory.sh_rules.yaml; fi;
 
 # Generate static installation files

api/v2alpha1/gate_types.go

@@ -103,7 +103,7 @@ type Service struct {
 
 //AuthStrategy .
 type AuthStrategy struct {
-	// +kubebuilder:validation:Enum=JWT;OAUTH;ALLOW
+	// Deprected, to be deleted
 	Name *string `json:"name"`
 	// Config configures the auth strategy. Configuration keys vary per strategy.
 	// +kubebuilder:validation:Type=object
@@ -119,6 +119,8 @@ type Rule struct {
 	Scopes []string `json:"scopes,omitempty"`
 	// Set of allowed HTTP methods
 	Methods []string `json:"methods,omitempty"`
+	// Set of access strategies for a single path
+	AccessStrategies []*rulev1alpha1.Authenticator `json:"accessStrategies,omitempty"`
 	// Mutators to be used
 	Mutators []*rulev1alpha1.Mutator `json:"mutators,omitempty"`
 }

api/v2alpha1/zz_generated.deepcopy.go

@@ -316,6 +316,17 @@ func (in *Rule) DeepCopyInto(out *Rule) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.AccessStrategies != nil {
+		in, out := &in.AccessStrategies, &out.AccessStrategies
+		*out = make([]*v1alpha1.Authenticator, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(v1alpha1.Authenticator)
+				(*in).DeepCopyInto(*out)
+			}
+		}
+	}
 	if in.Mutators != nil {
 		in, out := &in.Mutators, &out.Mutators
 		*out = make([]*v1alpha1.Mutator, len(*in))

config/crd/bases/gateway.kyma-project.io_gates.yaml

@@ -395,10 +395,7 @@ spec:
                     keys vary per strategy.
                   type: object
                 name:
-                  enum:
-                  - JWT
-                  - OAUTH
-                  - ALLOW
+                  description: Deprected, to be deleted
                   type: string
               required:
               - name
@@ -411,6 +408,21 @@ spec:
               description: Paths represents collection of Path to secure
               items:
                 properties:
+                  accessStrategies:
+                    description: Set of access strategies for a single path
+                    items:
+                      properties:
+                        config:
+                          description: Config configures the handler. Configuration
+                            keys vary per handler.
+                          type: object
+                        handler:
+                          description: Name is the name of a handler
+                          type: string
+                      required:
+                      - handler
+                      type: object
+                    type: array
                   methods:
                     description: Set of allowed HTTP methods
                     items:

config/samples/invalid.yaml

@@ -4,93 +4,80 @@ kind: Gate
 metadata:
   name: passthrough-bad-host
 spec:
-  gateway: some-gateway.some-namespace
   service:
     host: https://imgur.com
-    name: imgur
-    port: 443
-  auth: 
-    name: PASSTHROUGH
----
-apiVersion: gateway.kyma-project.io/v2alpha1
-kind: Gate
-metadata:
-  name: passthrough-bad-gateway
-spec:
-  gateway: short-name-gateway
-  service:
-    host: imgur.com
-    name: imgur
-    port: 443
-  auth: 
-    name: PASSTHROUGH
----
-apiVersion: gateway.kyma-project.io/v2alpha1
-kind: Gate
-metadata:
-  name: oauth-no-paths
-spec:
-  gateway: kyma-gateway.kyma-system.svc.cluster.local
-  service:
-    host: httpbin.kyma.local
     name: httpbin
     port: 8000
   auth:
-    name: OAUTH
-  rules: []
+    name: ALLOW
+  gateway: kyma-gateway.kyma-system.svc.cluster.local
+  rules:
+    - path: /.*
+      scopes: []
+      methods: ["GET"]
+      accessStrategy:
+        - handler: noop
+      mutators: []
 ---
 apiVersion: gateway.kyma-project.io/v2alpha1
 kind: Gate
 metadata:
-  name: oauth-multiple-paths
+  name: passthrough-bad-host
 spec:
-  gateway: kyma-gateway.kyma-system.svc.cluster.local
   service:
-    host: httpbin.kyma.local
+    host: https://imgur.com
     name: httpbin
     port: 8000
   auth:
-    name: OAUTH
+    name: ALLOW
+  gateway: short-name-gateway
   rules:
-    - path: /foo
-      scopes: ["read"]
-      methods: ["GET"]
-    - path: /bar
-      scopes: ["read"]
+    - path: /.*
+      scopes: []
       methods: ["GET"]
+      accessStrategy:
+        - handler: noop
+      mutators: []
 ---
 apiVersion: gateway.kyma-project.io/v2alpha1
 kind: Gate
 metadata:
-  name: jwt-all-bad-issuer
+  name: gate-no-rules
 spec:
-  gateway: kyma-gateway.kyma-system.svc.cluster.local
   service:
-    name: foo-service
-    port: 8080
-    host: foo.bar
-  auth: 
-    name: JWT
-    config:
-      issuer: not-a-valid-url
-      jwks: []
-  rules:
-    - path: /.*
-      scopes: ["foo", "bar"]
-      methods: ["GET"]
+    host: https://imgur.com
+    name: httpbin
+    port: 8000
+  auth:
+    name: ALLOW
+  gateway: kyma-gateway.kyma-system.svc.cluster.local
+  rules: []
 ---
 apiVersion: gateway.kyma-project.io/v2alpha1
 kind: Gate
 metadata:
-  name: invalid-auth
+  name: gate-multiple-hosts
 spec:
   service:
-    host: httpbin.kyma.local
+    host: https://imgur.com
     name: httpbin
     port: 8000
   auth:
-    name: NOT_VALID
-  gateway: kyma-gateway.kyma-system.svc.cluster.local
+    name: ALLOW
+  gateway: short-name-gateway
+  rules:
+    - path: /.*
+      scopes: []
+      methods: ["GET"]
+      accessStrategy:
+        - handler: noop
+      mutators: []
+    - path: /foo
+      scopes: []
+      methods: ["GET"]
+      accessStrategy:
+        - handler: noop
+      mutators: []
 ---
 apiVersion: gateway.kyma-project.io/v2alpha1
 kind: Gate

config/samples/valid.yaml

@@ -15,6 +15,8 @@ spec:
     - path: /.*
       scopes: []
       methods: ["GET"]
+      accessStrategy:
+        - handler: noop
       mutators: []
 ---
 apiVersion: gateway.kyma-project.io/v2alpha1
@@ -32,6 +34,8 @@ spec:
   rules:
     - path: /.*
       methods: ["GET"]
+      accessStrategy:
+        - handler: noop
       mutators:
         - handler: noop
 ---
@@ -52,9 +56,13 @@ spec:
       jwks: []
   rules:
     - path: /.*
-      scopes: []
       methods: ["GET"]
       mutators: []
+      accessStrategy:
+        - handler: jwt
+          config:
+            trusted_issuers: ["http://dex.kyma.local"]
+            required_scope: []
 ---
 apiVersion: gateway.kyma-project.io/v2alpha1
 kind: Gate
@@ -73,10 +81,14 @@ spec:
       jwks: []
   rules:
     - path: /.*
-      scopes: ["foo", "bar"]
       methods: ["GET"]
       mutators:
         - handler: noop
+      accessStrategy:
+        - handler: jwt
+          config:
+            trusted_issuers: ["http://dex.kyma.local"]
+            required_scope: []
 ---
 apiVersion: gateway.kyma-project.io/v2alpha1
 kind: Gate
@@ -95,9 +107,13 @@ spec:
       jwks: []
   rules:
     - path: /.*
-      scopes: ["foo", "bar"]
       methods: ["GET"]
       mutators: []
+      accessStrategy:
+        - handler: jwt
+          config:
+            trusted_issuers: ["http://dex.kyma.local"]
+            required_scope: ["foo", "bar"]
 ---
 apiVersion: gateway.kyma-project.io/v2alpha1
 kind: Gate
@@ -116,6 +132,10 @@ spec:
       scopes: ["read"]
       methods: ["GET"]
       mutators: []
+      accessStrategy:
+        - handler: oauth2_introspection
+          config:
+            required_scope: ["foo", "bar"]
 ---
 apiVersion: gateway.kyma-project.io/v2alpha1
 kind: Gate
@@ -131,8 +151,11 @@ spec:
     name: OAUTH
   rules:
     - path: /.*
-      scopes: ["read"]
       methods: ["GET"]
       mutators:
         - handler: noop
-          config: {}
+          config: {}
+      accessStrategy:
+        - handler: oauth2_introspection
+          config:
+            required_scope: []

controllers/api_controller.go

@@ -24,7 +24,6 @@ import (
 	"github.com/go-logr/logr"
 	gatewayv2alpha1 "github.com/kyma-incubator/api-gateway/api/v2alpha1"
 	"github.com/kyma-incubator/api-gateway/internal/clients"
-	"github.com/kyma-incubator/api-gateway/internal/validation"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -43,7 +42,6 @@ type APIReconciler struct {
 }
 
 //Reconcile .
-// +kubebuilder:rbac:groups=authentication.istio.io,resources=policies,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=gateway.kyma-project.io,resources=gates,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=gateway.kyma-project.io,resources=gates/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=networking.istio.io,resources=virtualservices,verbs=get;list;watch;create;update;patch;delete
@@ -81,37 +79,13 @@ func (r *APIReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 
 	if api.Generation != api.Status.ObservedGeneration {
 		r.Log.Info("Api processing")
-
-		validationStrategy, err := validation.NewFactory(r.Log).StrategyFor(*api.Spec.Auth.Name)
+		err = processing.NewFactory(r.ExtCRClients.ForVirtualService(), r.ExtCRClients.ForAccessRule(), r.Log, r.OathkeeperSvc, r.OathkeeperSvcPort, r.JWKSURI).Run(ctx, api)
 		if err != nil {
-			_, updateStatErr := r.updateStatus(ctx, api, generateErrorStatus(err), virtualServiceStatus, policyStatus, accessRuleStatus)
-			if updateStatErr != nil {
-				return reconcile.Result{Requeue: true}, err
-			}
-			return ctrl.Result{}, err
-		}
-
-		err = validationStrategy.Validate(api)
-		if err != nil {
-			_, updateStatErr := r.updateStatus(ctx, api, generateErrorStatus(err), virtualServiceStatus, policyStatus, accessRuleStatus)
-			if updateStatErr != nil {
-				return reconcile.Result{Requeue: true}, err
-			}
-			return ctrl.Result{}, err
-		}
-
-		processingStrategy, err := processing.NewFactory(r.ExtCRClients.ForVirtualService(), r.ExtCRClients.ForAccessRule(), r.Log, r.OathkeeperSvc, r.OathkeeperSvcPort, r.JWKSURI).StrategyFor(*api.Spec.Auth.Name)
-		if err != nil {
-			_, updateStatErr := r.updateStatus(ctx, api, generateErrorStatus(err), virtualServiceStatus, policyStatus, accessRuleStatus)
-			if updateStatErr != nil {
-				return reconcile.Result{Requeue: true}, err
+			virtualServiceStatus = &gatewayv2alpha1.GatewayResourceStatus{
+				Code:        gatewayv2alpha1.StatusError,
+				Description: err.Error(),
 			}
-			return ctrl.Result{}, err
-		}
-
-		err = processingStrategy.Process(ctx, api)
-		if err != nil {
-			virtualServiceStatus := &gatewayv2alpha1.GatewayResourceStatus{
+			accessRuleStatus = &gatewayv2alpha1.GatewayResourceStatus{
 				Code:        gatewayv2alpha1.StatusError,
 				Description: err.Error(),
 			}
@@ -123,7 +97,11 @@ func (r *APIReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 			return ctrl.Result{}, err
 		}
 
-		virtualServiceStatus := &gatewayv2alpha1.GatewayResourceStatus{
+		virtualServiceStatus = &gatewayv2alpha1.GatewayResourceStatus{
+			Code: gatewayv2alpha1.StatusOK,
+		}
+
+		accessRuleStatus = &gatewayv2alpha1.GatewayResourceStatus{
 			Code: gatewayv2alpha1.StatusOK,
 		}