
POC: and/or/not semantics in filter chain matcher

Open Shikugawa opened this issue 3 years ago • 0 comments

This is a necessary feature to realize #172: by introducing the and/or/not semantics into the filter chain match, we can integrate the features that currently realize TriggerRule into Matcher. For example, in the previous implementation, the

  • If /path1 is matched, authentication is performed
  • If test.com is matched, authentication is performed

However, when we integrated TriggerRule and Matcher in #172, we can no longer write rules that require such and semantics. This is why this is necessary.

Authenticate if path matches /path1 and domain matches test.com.

{
  "matches": [{
    "and": [
        {
           "default": {
             "header": ":path",
             "equality": "/path1"
           }
        },
        {
           "default": {
             "header": ":authority",
             "equality": "test.com"
           }
        }
     ]
  }]
}

If path matches /path2 and domain matches test2.com, do not authenticate.

{
  "matches": [{
    "or": [
        {
           "not": {
             "header": ":path",
             "equality": "/path1"
           }
        },
        {
           "not": {
             "header": ":authority",
             "equality": "test.com"
           }
        }
     ]
  }]
}

To achieve this, we need an API like the following

message Default {
  Match match = 1;
}

message Not {
  Unit unit = 1;
}

message And {
  repeated Unit unit = 1;
}

message Or {
  repeated Unit unit = 1;
}

message Unit {
  // protobuf requires a name for a oneof; "kind" is a placeholder.
  oneof kind {
    Default default = 1;
    Not not = 2;
    And and = 3;
    Or or = 4;
  }
}

message Matches {
  repeated Unit unit = 1;
}

Shikugawa · Oct 14 '21 04:10
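Added example, not part of the issue or the authservice code base: a small evaluator for the and/or/not matcher tree in the JSON shape sketched above, run against request headers. It assumes that the entries of `matches` are OR-ed together, that `equality` is an exact string comparison, and that an empty `and`/`or` list is a configuration error; the function names are hypothetical.

```python
import json

# Constructed configs in the JSON shape sketched in the issue (syntax corrected).
AND_RULE = json.loads("""{"matches": [{"and": [
  {"default": {"header": ":path", "equality": "/path1"}},
  {"default": {"header": ":authority", "equality": "test.com"}}]}]}""")
OR_NOT_RULE = json.loads("""{"matches": [{"or": [
  {"not": {"header": ":path", "equality": "/path1"}},
  {"not": {"header": ":authority", "equality": "test.com"}}]}]}""")


def eval_leaf(leaf, headers):
    """Exact header comparison; an absent header never equals the expected value."""
    return headers.get(leaf["header"]) == leaf["equality"]


def eval_unit(unit, headers):
    """Evaluate one unit: exactly one of default / not / and / or."""
    if not isinstance(unit, dict) or len(unit) != 1:
        raise ValueError("a unit must contain exactly one matcher kind")
    (kind, body), = unit.items()
    if kind == "default":
        return eval_leaf(body, headers)
    if kind == "not":
        # The issue's JSON puts a leaf directly under "not", while its proto
        # sketch nests a Unit there; accept both (assumption).
        inner = eval_leaf(body, headers) if "header" in body else eval_unit(body, headers)
        return not inner
    if kind in ("and", "or"):
        if not isinstance(body, list) or not body:
            # An empty "and" would be vacuously true and match every request.
            raise ValueError(f'"{kind}" needs at least one unit')
        # Evaluate every child (no short-circuit) so malformed units are always reported.
        results = [eval_unit(u, headers) for u in body]
        return all(results) if kind == "and" else any(results)
    raise ValueError(f"unknown matcher kind: {kind!r}")


def matches(config, headers):
    """True if any top-level entry matches (assumed semantics for "matches")."""
    return any(eval_unit(u, headers) for u in config["matches"])
```

Note that a `not` over a header the request does not carry evaluates to true, so `OR_NOT_RULE` matches a request with no `:authority` header; whether a match triggers or skips authentication decides if that case fails open or closed.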