[feat i2g]support auth translate

Author: shuqz

pkg/ingress2gateway/translate/annotation_coverage_test.go

@@ -79,6 +79,15 @@ func TestAllIngressAnnotationsCovered(t *testing.T) {
 			annotations.IngressSuffixUseRegexPathMatch,
 			annotations.IngressSuffixSSLRedirect,
 		},
+		Authentication: {
+			annotations.IngressSuffixAuthType,
+			annotations.IngressSuffixAuthIDPCognito,
+			annotations.IngressSuffixAuthIDPOIDC,
+			annotations.IngressSuffixAuthOnUnauthenticatedRequest,
+			annotations.IngressSuffixAuthScope,
+			annotations.IngressSuffixAuthSessionCookie,
+			annotations.IngressSuffixAuthSessionTimeout,
+		},
 	}
 
 	// Planned: annotations not yet implemented.
@@ -97,13 +106,6 @@ func TestAllIngressAnnotationsCovered(t *testing.T) {
 			// transforms.* translation is implemented in translate_transform_helper.go.
 		},
 		Authentication: {
-			annotations.IngressSuffixAuthType,
-			annotations.IngressSuffixAuthIDPCognito,
-			annotations.IngressSuffixAuthIDPOIDC,
-			annotations.IngressSuffixAuthOnUnauthenticatedRequest,
-			annotations.IngressSuffixAuthScope,
-			annotations.IngressSuffixAuthSessionCookie,
-			annotations.IngressSuffixAuthSessionTimeout,
 			annotations.IngressSuffixJwtValidation,
 		},
 		FrontendNLB: {

pkg/ingress2gateway/translate/auth_config.go

@@ -0,0 +1,175 @@
+package translate
+
+import (
+	"fmt"
+
+	gatewayv1beta1 "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
+	annotations "sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/ingress"
+)
+
+const (
+	authTypeNone    = "none"
+	authTypeCognito = "cognito"
+	authTypeOIDC    = "oidc"
+)
+
+// buildAuthAction reads auth-type and related annotations and returns a
+// ListenerRuleConfiguration Action for authenticate-cognito or authenticate-oidc.
+// Returns (nil, nil) when auth-type is "none" or absent.
+func buildAuthAction(annos map[string]string) (*gatewayv1beta1.Action, error) {
+	authType := getString(annos, annotations.IngressSuffixAuthType)
+	if authType == "" || authType == authTypeNone {
+		return nil, nil
+	}
+
+	switch authType {
+	case authTypeCognito:
+		return buildAuthCognitoAction(annos)
+	case authTypeOIDC:
+		return buildOIDCAction(annos)
+	default:
+		return nil, fmt.Errorf("unsupported auth-type %q", authType)
+	}
+}
+
+// buildAuthCognitoAction parses auth-idp-cognito JSON and shared auth annotations
+// into an authenticate-cognito Action.
+func buildAuthCognitoAction(annos map[string]string) (*gatewayv1beta1.Action, error) {
+	var idp ingress.AuthIDPConfigCognito
+	exists, err := ingressAnnotationParser.ParseJSONAnnotation(annotations.IngressSuffixAuthIDPCognito, &idp, annos)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse %s annotation: %w", annotations.IngressSuffixAuthIDPCognito, err)
+	}
+	if !exists {
+		return nil, fmt.Errorf("auth-type is %q but %s annotation is missing", authTypeCognito, annotations.IngressSuffixAuthIDPCognito)
+	}
+
+	scope := getOptionalAuthScope(annos)
+	onUnauth := getOptionalAuthOnUnauthenticatedRequest(annos)
+	sessionCookie := getOptionalAuthSessionCookieName(annos)
+	sessionTimeout := getOptionalAuthSessionTimeout(annos)
+
+	cfg := &gatewayv1beta1.AuthenticateCognitoActionConfig{
+		UserPoolArn:      idp.UserPoolARN,
+		UserPoolClientID: idp.UserPoolClientID,
+		UserPoolDomain:   idp.UserPoolDomain,
+	}
+
+	if scope != nil {
+		cfg.Scope = scope
+	}
+	if onUnauth != nil {
+		cognitoEnum := gatewayv1beta1.AuthenticateCognitoActionConditionalBehaviorEnum(*onUnauth)
+		cfg.OnUnauthenticatedRequest = &cognitoEnum
+	}
+	if sessionCookie != nil {
+		cfg.SessionCookieName = sessionCookie
+	}
+	if sessionTimeout != nil {
+		cfg.SessionTimeout = sessionTimeout
+	}
+
+	if len(idp.AuthenticationRequestExtraParams) > 0 {
+		params := make(map[string]string, len(idp.AuthenticationRequestExtraParams))
+		for k, v := range idp.AuthenticationRequestExtraParams {
+			params[k] = v
+		}
+		cfg.AuthenticationRequestExtraParams = &params
+	}
+
+	return &gatewayv1beta1.Action{
+		Type:                      gatewayv1beta1.ActionTypeAuthenticateCognito,
+		AuthenticateCognitoConfig: cfg,
+	}, nil
+}
+
+// buildOIDCAction parses auth-idp-oidc JSON and shared auth annotations
+// into an authenticate-oidc Action. The Secret reference (secretName) from
+// the annotation JSON is preserved as Secret.Name on the CRD.
+func buildOIDCAction(annos map[string]string) (*gatewayv1beta1.Action, error) {
+	var idp ingress.AuthIDPConfigOIDC
+	exists, err := ingressAnnotationParser.ParseJSONAnnotation(annotations.IngressSuffixAuthIDPOIDC, &idp, annos)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse %s annotation: %w", annotations.IngressSuffixAuthIDPOIDC, err)
+	}
+	if !exists {
+		return nil, fmt.Errorf("auth-type is %q but %s annotation is missing", authTypeOIDC, annotations.IngressSuffixAuthIDPOIDC)
+	}
+
+	scope := getOptionalAuthScope(annos)
+	onUnauth := getOptionalAuthOnUnauthenticatedRequest(annos)
+	sessionCookie := getOptionalAuthSessionCookieName(annos)
+	sessionTimeout := getOptionalAuthSessionTimeout(annos)
+
+	cfg := &gatewayv1beta1.AuthenticateOidcActionConfig{
+		Issuer:                idp.Issuer,
+		AuthorizationEndpoint: idp.AuthorizationEndpoint,
+		TokenEndpoint:         idp.TokenEndpoint,
+		UserInfoEndpoint:      idp.UserInfoEndpoint,
+		Secret:                &gatewayv1beta1.Secret{Name: idp.SecretName},
+	}
+
+	if scope != nil {
+		cfg.Scope = scope
+	}
+	if onUnauth != nil {
+		oidcEnum := gatewayv1beta1.AuthenticateOidcActionConditionalBehaviorEnum(*onUnauth)
+		cfg.OnUnauthenticatedRequest = &oidcEnum
+	}
+	if sessionCookie != nil {
+		cfg.SessionCookieName = sessionCookie
+	}
+	if sessionTimeout != nil {
+		cfg.SessionTimeout = sessionTimeout
+	}
+
+	if len(idp.AuthenticationRequestExtraParams) > 0 {
+		params := make(map[string]string, len(idp.AuthenticationRequestExtraParams))
+		for k, v := range idp.AuthenticationRequestExtraParams {
+			params[k] = v
+		}
+		cfg.AuthenticationRequestExtraParams = &params
+	}
+
+	return &gatewayv1beta1.Action{
+		Type:                   gatewayv1beta1.ActionTypeAuthenticateOIDC,
+		AuthenticateOIDCConfig: cfg,
+	}, nil
+}
+
+// getOptionalAuthScope returns the auth-scope annotation value, or nil if not set.
+// The CRD has kubebuilder:default="openid" so omitting it lets the webhook fill the default.
+func getOptionalAuthScope(annos map[string]string) *string {
+	v := getString(annos, annotations.IngressSuffixAuthScope)
+	if v == "" {
+		return nil
+	}
+	return &v
+}
+
+// getOptionalAuthOnUnauthenticatedRequest returns the annotation value, or nil if not set.
+// The CRD has kubebuilder:default="authenticate".
+func getOptionalAuthOnUnauthenticatedRequest(annos map[string]string) *string {
+	v := getString(annos, annotations.IngressSuffixAuthOnUnauthenticatedRequest)
+	if v == "" {
+		return nil
+	}
+	return &v
+}
+
+// getOptionalAuthSessionCookieName returns the annotation value, or nil if not set.
+// The CRD has kubebuilder:default="AWSELBAuthSessionCookie".
+func getOptionalAuthSessionCookieName(annos map[string]string) *string {
+	v := getString(annos, annotations.IngressSuffixAuthSessionCookie)
+	if v == "" {
+		return nil
+	}
+	return &v
+}
+
+// getOptionalAuthSessionTimeout returns the annotation value, or nil if not set.
+// The CRD has kubebuilder:default=604800.
+func getOptionalAuthSessionTimeout(annos map[string]string) *int64 {
+	return getInt64(annos, annotations.IngressSuffixAuthSessionTimeout)
+}

pkg/ingress2gateway/translate/auth_config_test.go

@@ -0,0 +1,171 @@
+package translate
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	gatewayv1beta1 "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
+)
+
+func TestBuildAuthAction_None(t *testing.T) {
+	annos := map[string]string{
+		"alb.ingress.kubernetes.io/auth-type": "none",
+	}
+	action, err := buildAuthAction(annos)
+	require.NoError(t, err)
+	assert.Nil(t, action)
+}
+
+func TestBuildAuthAction_NoAnnotation(t *testing.T) {
+	action, err := buildAuthAction(map[string]string{})
+	require.NoError(t, err)
+	assert.Nil(t, action)
+}
+
+func TestBuildAuthAction_UnknownType(t *testing.T) {
+	annos := map[string]string{
+		"alb.ingress.kubernetes.io/auth-type": "foobar",
+	}
+	_, err := buildAuthAction(annos)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "unsupported auth-type")
+}
+
+func TestBuildAuthAction_CognitoFull(t *testing.T) {
+	annos := map[string]string{
+		"alb.ingress.kubernetes.io/auth-type":                       "cognito",
+		"alb.ingress.kubernetes.io/auth-idp-cognito":                `{"userPoolARN":"arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abc","userPoolClientID":"my-client-id","userPoolDomain":"my-domain"}`,
+		"alb.ingress.kubernetes.io/auth-scope":                      "email openid",
+		"alb.ingress.kubernetes.io/auth-on-unauthenticated-request": "deny",
+		"alb.ingress.kubernetes.io/auth-session-cookie":             "my-cookie",
+		"alb.ingress.kubernetes.io/auth-session-timeout":            "86400",
+	}
+	action, err := buildAuthAction(annos)
+	require.NoError(t, err)
+	require.NotNil(t, action)
+
+	assert.Equal(t, gatewayv1beta1.ActionTypeAuthenticateCognito, action.Type)
+	require.NotNil(t, action.AuthenticateCognitoConfig)
+
+	cfg := action.AuthenticateCognitoConfig
+	assert.Equal(t, "arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abc", cfg.UserPoolArn)
+	assert.Equal(t, "my-client-id", cfg.UserPoolClientID)
+	assert.Equal(t, "my-domain", cfg.UserPoolDomain)
+
+	require.NotNil(t, cfg.Scope)
+	assert.Equal(t, "email openid", *cfg.Scope)
+
+	require.NotNil(t, cfg.OnUnauthenticatedRequest)
+	assert.Equal(t, gatewayv1beta1.AuthenticateCognitoActionConditionalBehaviorEnumDeny, *cfg.OnUnauthenticatedRequest)
+
+	require.NotNil(t, cfg.SessionCookieName)
+	assert.Equal(t, "my-cookie", *cfg.SessionCookieName)
+
+	require.NotNil(t, cfg.SessionTimeout)
+	assert.Equal(t, int64(86400), *cfg.SessionTimeout)
+
+	assert.Nil(t, cfg.AuthenticationRequestExtraParams)
+}
+
+func TestBuildAuthAction_CognitoExtraParams(t *testing.T) {
+	annos := map[string]string{
+		"alb.ingress.kubernetes.io/auth-type":        "cognito",
+		"alb.ingress.kubernetes.io/auth-idp-cognito": `{"userPoolARN":"arn:pool","userPoolClientID":"cid","userPoolDomain":"dom","authenticationRequestExtraParams":{"display":"page","prompt":"login"}}`,
+	}
+	action, err := buildAuthAction(annos)
+	require.NoError(t, err)
+	require.NotNil(t, action)
+
+	cfg := action.AuthenticateCognitoConfig
+	require.NotNil(t, cfg.AuthenticationRequestExtraParams)
+	assert.Equal(t, "page", (*cfg.AuthenticationRequestExtraParams)["display"])
+	assert.Equal(t, "login", (*cfg.AuthenticationRequestExtraParams)["prompt"])
+}
+
+func TestBuildAuthAction_CognitoMissingIDP(t *testing.T) {
+	annos := map[string]string{
+		"alb.ingress.kubernetes.io/auth-type": "cognito",
+	}
+	_, err := buildAuthAction(annos)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "missing")
+}
+
+func TestBuildAuthAction_OIDCFull(t *testing.T) {
+	annos := map[string]string{
+		"alb.ingress.kubernetes.io/auth-type":                       "oidc",
+		"alb.ingress.kubernetes.io/auth-idp-oidc":                   `{"issuer":"https://example.com","authorizationEndpoint":"https://auth.example.com","tokenEndpoint":"https://token.example.com","userInfoEndpoint":"https://userinfo.example.com","secretName":"my-k8s-secret"}`,
+		"alb.ingress.kubernetes.io/auth-scope":                      "email openid profile",
+		"alb.ingress.kubernetes.io/auth-on-unauthenticated-request": "allow",
+		"alb.ingress.kubernetes.io/auth-session-cookie":             "oidc-cookie",
+		"alb.ingress.kubernetes.io/auth-session-timeout":            "7200",
+	}
+	action, err := buildAuthAction(annos)
+	require.NoError(t, err)
+	require.NotNil(t, action)
+
+	assert.Equal(t, gatewayv1beta1.ActionTypeAuthenticateOIDC, action.Type)
+	require.NotNil(t, action.AuthenticateOIDCConfig)
+
+	cfg := action.AuthenticateOIDCConfig
+	assert.Equal(t, "https://example.com", cfg.Issuer)
+	assert.Equal(t, "https://auth.example.com", cfg.AuthorizationEndpoint)
+	assert.Equal(t, "https://token.example.com", cfg.TokenEndpoint)
+	assert.Equal(t, "https://userinfo.example.com", cfg.UserInfoEndpoint)
+
+	// Secret reference preserved by name
+	require.NotNil(t, cfg.Secret)
+	assert.Equal(t, "my-k8s-secret", cfg.Secret.Name)
+
+	require.NotNil(t, cfg.Scope)
+	assert.Equal(t, "email openid profile", *cfg.Scope)
+
+	require.NotNil(t, cfg.OnUnauthenticatedRequest)
+	assert.Equal(t, gatewayv1beta1.AuthenticateOidcActionConditionalBehaviorEnumAllow, *cfg.OnUnauthenticatedRequest)
+
+	require.NotNil(t, cfg.SessionCookieName)
+	assert.Equal(t, "oidc-cookie", *cfg.SessionCookieName)
+
+	require.NotNil(t, cfg.SessionTimeout)
+	assert.Equal(t, int64(7200), *cfg.SessionTimeout)
+
+	assert.Nil(t, cfg.AuthenticationRequestExtraParams)
+}
+
+func TestBuildAuthAction_OIDCExtraParams(t *testing.T) {
+	annos := map[string]string{
+		"alb.ingress.kubernetes.io/auth-type":     "oidc",
+		"alb.ingress.kubernetes.io/auth-idp-oidc": `{"issuer":"https://ex.com","authorizationEndpoint":"https://auth.ex.com","tokenEndpoint":"https://tok.ex.com","userInfoEndpoint":"https://ui.ex.com","secretName":"sec","authenticationRequestExtraParams":{"display":"page","prompt":"consent"}}`,
+	}
+	action, err := buildAuthAction(annos)
+	require.NoError(t, err)
+	require.NotNil(t, action)
+
+	cfg := action.AuthenticateOIDCConfig
+	require.NotNil(t, cfg.AuthenticationRequestExtraParams)
+	assert.Equal(t, "page", (*cfg.AuthenticationRequestExtraParams)["display"])
+	assert.Equal(t, "consent", (*cfg.AuthenticationRequestExtraParams)["prompt"])
+}
+
+func TestBuildAuthAction_OIDCMissingIDP(t *testing.T) {
+	annos := map[string]string{
+		"alb.ingress.kubernetes.io/auth-type": "oidc",
+	}
+	_, err := buildAuthAction(annos)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "missing")
+}
+
+func TestBuildAuthAction_OIDCSecretNamePreserved(t *testing.T) {
+	annos := map[string]string{
+		"alb.ingress.kubernetes.io/auth-type":     "oidc",
+		"alb.ingress.kubernetes.io/auth-idp-oidc": `{"issuer":"https://ex.com","authorizationEndpoint":"https://auth.ex.com","tokenEndpoint":"https://tok.ex.com","userInfoEndpoint":"https://ui.ex.com","secretName":"my-special-secret"}`,
+	}
+	action, err := buildAuthAction(annos)
+	require.NoError(t, err)
+	require.NotNil(t, action)
+	require.NotNil(t, action.AuthenticateOIDCConfig)
+	require.NotNil(t, action.AuthenticateOIDCConfig.Secret)
+	assert.Equal(t, "my-special-secret", action.AuthenticateOIDCConfig.Secret.Name)
+}