Implement AccessToken priority logic (#31)

* added upstream timeout reason support

* fixed go sum

* Impliment priority structure into crds and test access function

api/v1alpha1/accesstoken_types.go

@@ -64,6 +64,12 @@ type AccessTokenSpec struct {
 	// Secret Ref points to secret containing the API Key secret
 	// if it exists it will use the token value in it and will create a new secret if not exists
 	TokenSecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// Priority shows the access level of the token
+	// +kubebuilder:default=0
+	// +kubebuilder:validation:Minimum=0
+	// +optional
+	Priority int `json:"priority,omitempty"`
 }
 
 // TODO use AccessToken.Metadata.Name as TokenSecretRef

api/v1alpha1/webservice_types.go

@@ -45,6 +45,12 @@ type WebServiceSpec struct {
 	// IgnoreDomain tells Cerberus whether it should check domain list of specific webservice or not
 	// +optional
 	IgnoreDomain bool `json:"ignoreDomain"`
+
+	// MinimumTokenPriority tells Cerberus what minimum priority it should stablish for token authentication
+	// +kubebuilder:default=0
+	// +kubebuilder:validation:Minimum=0
+	// +optional
+	MinimumTokenPriority int `json:"minimumTokenPriority"`
 }
 
 // TODO set default value for LookupHeader

config/crd/bases/cerberus.snappcloud.io_accesstokens.yaml

@@ -47,6 +47,11 @@ spec:
                 items:
                   type: string
                 type: array
+              priority:
+                default: 0
+                description: Priority shows the access level of the token
+                minimum: 0
+                type: integer
               secretRef:
                 description: Secret Ref points to secret containing the API Key secret
                   if it exists it will use the token value in it and will create a

config/crd/bases/cerberus.snappcloud.io_webservices.yaml

@@ -49,6 +49,12 @@ spec:
                   as the access token for authentication (case-sensitive).
                 pattern: ^(X-[A-Za-z-]*[A-Za-z]|Authorization)$
                 type: string
+              minimumTokenPriority:
+                default: 0
+                description: MinimumTokenPriority tells Cerberus whether it should
+                  stablish the minimum priority threshold for token authentication
+                minimum: 0
+                type: integer
               upstreamHttpAuth:
                 description: UpstreamHttpAuth tells Cerberus whether it needs to forward
                   authentication to another (HTTP) service or not

pkg/auth/authenticator.go

@@ -109,6 +109,9 @@ const (
 	//doesn't match with the ip domain list for specific webservice
 	CerberusReasonIpNotAllowed CerberusReason = "ip-not-allowed"
 
+	// CerberusReasonAccessForbidden means that the token has a priority lower than the minimum required priority set by the web service
+	CerberusReasonAccessForbidden CerberusReason = "access-forbidden"
+
 	// CerberusReasonTokenNotFound means that given AccessToken is read
 	// from request headers, but it is not listed by the Cerberus
 	CerberusReasonTokenNotFound CerberusReason = "token-not-found"
@@ -276,17 +279,19 @@ func (a *Authenticator) TestAccess(request *Request, wsvc ServicesCacheEntry) (b
 	defer a.cacheLock.RUnlock()
 	defer cacheReaders.Dec()
 
-
 	if token == "" {
 		return false, CerberusReasonTokenEmpty, newExtraHeaders
 	}
 
 	ac, ok := (*a.accessCache)[token]
-
 	if !ok {
 		return false, CerberusReasonTokenNotFound, newExtraHeaders
 	}
 
+	if (*a.accessCache)[token].Spec.Priority < wsvc.Spec.MinimumTokenPriority {
+		return false, CerberusReasonAccessForbidden, newExtraHeaders
+	}
+
 	var referrer string
 	if len(ac.Spec.IpAllowList) > 0 {
 		ipList := make([]string, 0)