Fixup Add request authorization ruleset

pkg/apis/options/alpha_options.go

@@ -9,6 +9,11 @@ package options
 // They may change between releases without notice.
 // :::
 type AlphaOptions struct {
+	// Authorization is used to configure authorization checks.
+	// Rules can be configured for HTTP requests to allow or deny requests,
+	// or to delegate the authorization to session based authorization.
+	Authorization Authorization `json:"authorization,omitempty"`
+
 	// UpstreamConfig is used to configure upstream servers.
 	// Once a user is authenticated, requests to the server will be proxied to
 	// these upstream servers based on the path mappings defined in this list.

pkg/apis/options/authorization.go

@@ -1,17 +1,53 @@
 package options
 
+// AuthorizationPolicy is an enumeration of different authorization rule
+// policies. Each policy determines a different action for a matching rule.
 type AuthorizationPolicy string
 
 const (
+	// AllowPolicy when used, with a matching authorization rule, allows the
+	// request without further authorization.
 	AllowPolicy AuthorizationPolicy = "Allow"
-	DenyPolicy  AuthorizationPolicy = "Deny"
+
+	// DelegatePolicy when used, with a matching authorization rule, delegates
+	// the authorization to the session based authorization.
+	// This can only be used with request based authorization rules.
+	DelegatePolicy AuthorizationPolicy = "Delegate"
+
+	// DenyPolicy when used, with a matching authorization rule, denies the
+	// request without further authorization.
+	DenyPolicy AuthorizationPolicy = "Deny"
 )
 
-type AuthorizationRule struct {
-	Policy  AuthorizationPolicy
-	Path    string
-	Methods []string
-	IPs     []string
+// Authorization contains fields to allow configuration of request authorization.
+type Authorization struct {
+	// RequestRules determines a set of rules for which each request to the proxy
+	// should be matched against.
+	// If any rule matches the request, the policy for the rule is applied to the
+	// request.
+	RequestRules []AuthorizationRule `json:"requestRules,omitempty"`
 }
 
-type RequestRules []AuthorizationRule
+// AuthorizationRule determines the configuration for a particular authorization
+// rule.
+
+type AuthorizationRule struct {
+	// Policy is the authorization policy to apply should the rule match the given
+	// request.
+	// All conditions specified within the rule must match the request for the
+	// policy to be applied.
+	// Valid values are Allow, Deny and Delegate.
+	Policy AuthorizationPolicy
+
+	// Path is a regex string that expects to match the HTTP request path.
+	Path string
+
+	// Methods is a list of HTTP methods to match against the HTTP request method.
+	// If any method in the list matches the request method, this rule is
+	// considered to match.
+	Methods []string
+
+	// IPs is a list of IP or network addresses (in CIDR notation) with which to
+	// match the request client IP address.
+	IPs []string
+}

pkg/authorization/rules.go

@@ -12,11 +12,12 @@ type AuthorizationPolicy int
 const (
 	NonePolicy AuthorizationPolicy = iota
 	AllowPolicy
+	DelegatePolicy
 	DenyPolicy
 )
 
 type RuleSet interface {
-	Matches(req *http.Request) AuthorizationPolicy
+	MatchesRequest(req *http.Request) AuthorizationPolicy
 }
 
 type rule struct {
@@ -63,6 +64,8 @@ func newRule(authRule options.AuthorizationRule, getClientIPFunc func(*http.Requ
 	switch authRule.Policy {
 	case options.AllowPolicy:
 		policy = AllowPolicy
+	case options.DelegatePolicy:
+		policy = DelegatePolicy
 	case options.DenyPolicy:
 		policy = DenyPolicy
 	default:
@@ -80,7 +83,7 @@ type ruleSet struct {
 	rules []rule
 }
 
-func (r ruleSet) Matches(req *http.Request) AuthorizationPolicy {
+func (r ruleSet) MatchesRequest(req *http.Request) AuthorizationPolicy {
 	for _, rule := range r.rules {
 		if policy := rule.matches(req); policy != NonePolicy {
 			// The rule applies to this request, return its policy
@@ -91,7 +94,7 @@ func (r ruleSet) Matches(req *http.Request) AuthorizationPolicy {
 	return NonePolicy
 }
 
-func NewRuleSet(requestRules options.RequestRules, getClientIPFunc func(*http.Request) net.IP) (RuleSet, error) {
+func NewRuleSet(requestRules []options.AuthorizationRule, getClientIPFunc func(*http.Request) net.IP) (RuleSet, error) {
 	rules := []rule{}
 	for _, requestRule := range requestRules {
 		r, err := newRule(requestRule, getClientIPFunc)