Merge pull request #501 from Kuadrant/fix/rawextension-to-str

fix: RawExtension to string conversion Signed-off-by: Guilherme Cassolato <[email protected]>
Kuadrant · Nov 4, 2024 · 2b59352 · 2b59352
1 parent 7d07f22
commit 2b59352
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 17 deletions.
diff --git a/pkg/evaluators/authorization/authzed.go b/pkg/evaluators/authorization/authzed.go
@@ -48,10 +48,23 @@ func (a *Authzed) Call(pipeline auth.AuthPipeline, ctx gocontext.Context) (inter
 
 	authJSON := pipeline.GetAuthorizationJSON()
 
+	resource, err := authzedObjectFor(a.Resource, a.ResourceKind, authJSON)
+	if err != nil {
+		return nil, err
+	}
+	object, err := authzedObjectFor(a.Subject, a.SubjectKind, authJSON)
+	if err != nil {
+		return nil, err
+	}
+	permission := a.Permission.ResolveFor(authJSON)
+	permissionStr, err := json.StringifyJSON(permission)
+	if err != nil {
+		return nil, err
+	}
 	resp, err := client.CheckPermission(ctx, &authzedpb.CheckPermissionRequest{
-		Resource:   authzedObjectFor(a.Resource, a.ResourceKind, authJSON),
-		Subject:    &authzedpb.SubjectReference{Object: authzedObjectFor(a.Subject, a.SubjectKind, authJSON)},
-		Permission: fmt.Sprintf("%s", a.Permission.ResolveFor(authJSON)),
+		Resource:   resource,
+		Subject:    &authzedpb.SubjectReference{Object: object},
+		Permission: permissionStr,
 	})
 	if err != nil {
 		return nil, err
@@ -74,9 +87,19 @@ func (a *Authzed) Call(pipeline auth.AuthPipeline, ctx gocontext.Context) (inter
 	return obj, nil
 }
 
-func authzedObjectFor(name, kind json.JSONValue, authJSON string) *authzedpb.ObjectReference {
-	return &authzedpb.ObjectReference{
-		ObjectId:   fmt.Sprintf("%s", name.ResolveFor(authJSON)),
-		ObjectType: fmt.Sprintf("%s", kind.ResolveFor(authJSON)),
+func authzedObjectFor(name, kind json.JSONValue, authJSON string) (*authzedpb.ObjectReference, error) {
+	objectId := name.ResolveFor(authJSON)
+	objectIdStr, err := json.StringifyJSON(objectId)
+	if err != nil {
+		return nil, err
 	}
+	objectType := kind.ResolveFor(authJSON)
+	objectTypeStr, err := json.StringifyJSON(objectType)
+	if err != nil {
+		return nil, err
+	}
+	return &authzedpb.ObjectReference{
+		ObjectId:   objectIdStr,
+		ObjectType: objectTypeStr,
+	}, nil
 }
diff --git a/pkg/evaluators/authorization/kubernetes_authz.go b/pkg/evaluators/authorization/kubernetes_authz.go
@@ -63,26 +63,55 @@ func (k *KubernetesAuthz) Call(pipeline auth.AuthPipeline, ctx gocontext.Context
 	}
 
 	authJSON := pipeline.GetAuthorizationJSON()
-	jsonValueToStr := func(value json.JSONValue) string {
-		return fmt.Sprintf("%s", value.ResolveFor(authJSON))
+	jsonValueToStr := func(value json.JSONValue) (string, error) {
+		resolved := value.ResolveFor(authJSON)
+		return json.StringifyJSON(resolved)
 	}
 
+	user, err := jsonValueToStr(k.User)
+	if err != nil {
+		return nil, err
+	}
 	subjectAccessReview := kubeAuthz.SubjectAccessReview{
 		Spec: kubeAuthz.SubjectAccessReviewSpec{
-			User: jsonValueToStr(k.User),
+			User: user,
 		},
 	}
 
 	if k.ResourceAttributes != nil {
 		resourceAttributes := k.ResourceAttributes
 
+		namespace, err := jsonValueToStr(resourceAttributes.Namespace)
+		if err != nil {
+			return nil, err
+		}
+		group, err := jsonValueToStr(resourceAttributes.Group)
+		if err != nil {
+			return nil, err
+		}
+		resource, err := jsonValueToStr(resourceAttributes.Resource)
+		if err != nil {
+			return nil, err
+		}
+		name, err := jsonValueToStr(resourceAttributes.Name)
+		if err != nil {
+			return nil, err
+		}
+		subresource, err := jsonValueToStr(resourceAttributes.SubResource)
+		if err != nil {
+			return nil, err
+		}
+		verb, err := jsonValueToStr(resourceAttributes.Verb)
+		if err != nil {
+			return nil, err
+		}
 		subjectAccessReview.Spec.ResourceAttributes = &kubeAuthz.ResourceAttributes{
-			Namespace:   jsonValueToStr(resourceAttributes.Namespace),
-			Group:       jsonValueToStr(resourceAttributes.Group),
-			Resource:    jsonValueToStr(resourceAttributes.Resource),
-			Name:        jsonValueToStr(resourceAttributes.Name),
-			Subresource: jsonValueToStr(resourceAttributes.SubResource),
-			Verb:        jsonValueToStr(resourceAttributes.Verb),
+			Namespace:   namespace,
+			Group:       group,
+			Resource:    resource,
+			Name:        name,
+			Subresource: subresource,
+			Verb:        verb,
 		}
 	} else {
 		request := pipeline.GetHttp()

diff --git a/pkg/evaluators/metadata/generic_http.go b/pkg/evaluators/metadata/generic_http.go
@@ -127,7 +127,12 @@ func (h *GenericHttp) buildRequest(ctx gocontext.Context, endpoint, authJSON str
 	}
 
 	for _, header := range h.Headers {
-		req.Header.Set(header.Name, fmt.Sprintf("%s", header.Value.ResolveFor(authJSON)))
+		headerValue := header.Value.ResolveFor(authJSON)
+		headerValueStr, err := json.StringifyJSON(headerValue)
+		if err != nil {
+			return nil, err
+		}
+		req.Header.Set(header.Name, headerValueStr)
 	}
 
 	req.Header.Set("Content-Type", contentType)

diff --git a/pkg/json/json.go b/pkg/json/json.go
@@ -151,6 +151,10 @@ func ReplaceJSONPlaceholders(source string, jsonData string) string {
 }
 
 func StringifyJSON(data interface{}) (string, error) {
+	_, ok := data.(string)
+	if ok {
+		return data.(string), nil
+	}
 	if dataAsJSON, err := json.Marshal(data); err != nil {
 		return "", err
 	} else {