Fix top-level when conditions

testsuite/kuadrant/policy/authorization/auth_policy.py

@@ -1,20 +1,17 @@
 """Module containing classes related to AuthPolicy"""
 
 from functools import cached_property
-from typing import Dict, TYPE_CHECKING
+from typing import Dict
 
 from testsuite.gateway import Referencable
 from testsuite.kubernetes import modify
 from testsuite.kubernetes.client import KubernetesClient
 from testsuite.utils import asdict
 from .auth_config import AuthConfig
 from .sections import ResponseSection
-from .. import Policy
+from .. import Policy, CelPredicate
 from . import Pattern
 
-if TYPE_CHECKING:
-    from . import Rule
-
 
 class AuthPolicy(Policy, AuthConfig):
     """AuthPolicy object, it serves as Kuadrants AuthConfig"""
@@ -44,7 +41,7 @@ def create_instance(
         return cls(model, context=cluster.context)
 
     @modify
-    def add_rule(self, when: list["Rule"]):
+    def add_rule(self, when: list[CelPredicate]):
         """Add rule for the skip of entire AuthPolicy"""
         self.model.spec.setdefault("when", [])
         self.model.spec["when"].extend([asdict(x) for x in when])

testsuite/tests/singlecluster/authorino/conditions/test_top_level_condition.py

@@ -2,15 +2,15 @@
 
 import pytest
 
-from testsuite.kuadrant.policy.authorization import Pattern
+from testsuite.kuadrant.policy import CelPredicate
 
 pytestmark = [pytest.mark.authorino]
 
 
 @pytest.fixture(scope="module")
 def authorization(authorization, module_label):
     """Add rule to the AuthConfig to skip entire authn/authz with certain request header"""
-    authorization.add_rule([Pattern("context.request.http.headers.key", "neq", module_label)])
+    authorization.add_rule([CelPredicate(f"request.headers.key != '{module_label}'")])
     return authorization
 
 

testsuite/tests/singlecluster/authorino/dinosaur/conftest.py

@@ -6,6 +6,7 @@
 from openshift_client import OpenShiftPythonException
 
 from testsuite.httpx.auth import HttpxOidcClientAuth
+from testsuite.kuadrant.policy import CelPredicate
 from testsuite.oidc.keycloak import Keycloak
 from testsuite.utils import ContentType
 from testsuite.kuadrant.policy.authorization import Pattern, PatternRef, Value, ValueFrom, DenyResponse
@@ -100,21 +101,18 @@ def _resource_info(org_id, owner):
 @pytest.fixture(scope="module")
 def authorization(authorization, keycloak, terms_and_conditions, cluster_info, admin_rhsso, resource_info):
     """Creates complex Authorization Config."""
-    path_fourth_element = 'context.request.http.path.@extract:{"sep":"/","pos":4}'
-    path_third_element = 'context.request.http.path.@extract:{"sep":"/","pos":3}'
+    path_fourth_element = 'request.path.@extract:{"sep":"/","pos":4}'
     authorization.add_patterns(
         {
-            "api-route": [Pattern("context.request.http.path", "matches", "^/anything/dinosaurs_mgmt/.+")],
-            "v1-route": [Pattern(path_third_element, "eq", "v1")],
             "dinosaurs-route": [Pattern(path_fourth_element, "eq", "dinosaurs")],
-            "dinosaur-resource-route": [Pattern("context.request.http.path", "matches", "/dinosaurs/[^/]+$")],
+            "dinosaur-resource-route": [Pattern("request.path", "matches", "/dinosaurs/[^/]+$")],
             "create-dinosaur-route": [
-                Pattern("context.request.http.path", "matches", "/dinosaurs/?$"),
-                Pattern("context.request.http.method", "eq", "POST"),
+                Pattern("request.path", "matches", "/dinosaurs/?$"),
+                Pattern("request.method", "eq", "POST"),
             ],
             "metrics-federate-route": [
                 Pattern(path_fourth_element, "eq", "dinosaurs"),
-                Pattern("context.request.http.path", "matches", "/metrics/federate$"),
+                Pattern("request.path", "matches", "/metrics/federate$"),
             ],
             "service-accounts-route": [Pattern(path_fourth_element, "eq", "service_accounts")],
             "supported-instance-types-route": [Pattern(path_fourth_element, "eq", "instance_types")],
@@ -129,7 +127,12 @@ def authorization(authorization, keycloak, terms_and_conditions, cluster_info, a
             "require-org-id": [Pattern("auth.identity.org_id", "neq", "")],
         }
     )
-    authorization.add_rule([PatternRef("api-route"), PatternRef("v1-route")])
+    authorization.add_rule(
+        [
+            CelPredicate("request.path.matches('^/anything/dinosaurs_mgmt/.+')"),
+            CelPredicate("request.path.split('/')[3] == 'v1'"),
+        ]
+    )
 
     authorization.identity.clear_all()
     authorization.identity.add_oidc(