Skip to content

Open Policy Agent checks #99

Description

@coopernetes

Hi all! 👋

Given the target use case of git proxy of performing security & compliance policy-based checks, it would be nice to reuse existing policies in Rego with Open Policy Agent running either as a sidecar or separate process along with the proxy.

There is also a WASM implementation but I don't have much experience with that myself so not sure if that fits this project.

Describe the solution you'd like

  1. Provide a JSON body as input data into a rego policy from git-proxy.
{
  "author": "tom@example.com",
  "committer": "dick@example.com",
  "date": "1970-01-01T00:00:00",
  "commitSHA": "74d2a005a8619f9f748436269bbb0ae7d28fc15f",
  "url": "https://github.com/finos/test-allowed-repo",
  "branch": "feat/new-widget",
  ...
}
  1. Launch the proxy with the following config.json using OPA in server mode or using embedded Rego & WASM.
"openPolicyAgent": {
  "enabled": true,
  "mode": "client",
  "url": "https://localhost:8181",
  "policies": [
    "authorized_committers",
    "contains_readme",
    "..."
  ]
  }
"openPolicyAgent": {
  "enabled": true,
  "mode": "embedded",
  "policies": [
    "resources/authorized_committers.rego",
    "resources/contains_readme.rego",
    "..."
  ]
}
  1. Proxy sends sends an HTTP request to the OPA server or evaluates the policies in-place.
HTTP POST localhost:8081/v1/data/<policy_name>/allow
{
  "inputs": {
    "author": "tom@example.com",
    "committer": "dick@example.com",
    "date": "1970-01-01T00:00:00",
    "commitSHA": "74d2a005a8619f9f748436269bbb0ae7d28fc15f",
    "url": "https://github.com/finos/test-allowed-repo",
    "branch": "feat/new-widget"
  }
}
Response
{"result":false}

Describe alternatives you've considered
It may be worth while to write a simple interface around querying external systems and allowing the use of other policy engines such as Hashicorp Sentinel.

Additional context
Related issue(s):
#47

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestpluginsExtensibility of the framework

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions