openpolicyagent

package
v0.6.9 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 16, 2024 License: Apache-2.0 Imports: 28 Imported by: 4

README

Hexa

Open Policy Agent Provider

The Open Policy Agent Provider enables the retrieval and provisioning of IDQL policies to an Open Policy Agent environment.

[!Tip] For full support of IDQL conditions, use the extended OPA server found in the sister Policy-OPA project.

Feature Description Platform Support Provider Support
RBAC Support for basic translation of role-based access policy Yes Yes
ABAC Support for attribute conditions Yes Yes
Type IDQL Native. Policy is interpreted by OPA Rego processor. Rego Deployment of IDQL and Rego policy
Attribute Mapping Attribute names in policy can be mapped to platform Yes
Hexa CLI Supported in the Hexa CLI application Yes
Discovery Supports discovery of Policy Application Points Queries IAP Backend and AppEngine services Yes
Get Policies Supports retrieval of all policies from a PAP Yes Yes
Set Policies Supports the ability to apply a set of policies to a PAP Yes
Reconcile Returns the differences between an existing set of policies (e.g. at the source) and another set (updates) Via pkg/hexaPolicy Yes

How IDQL and OPA works

This provider works by assembling a Rego script for processing IDQL (hexaPolicy.rego) and IDQL policy (data.json) as a bundle that can be provisioned to an OPA server via a bundle pick-up point. Currently 4 bundle service types are implemented:

  • Google Cloud Storage,
  • Amazon S3 Storage,
  • Github Repository, and,
  • HTTP Server

To support IDQL Conditions, a HexaFilter extension is provided that may be installed in the OPA server. For more information, see the Hexa Policy-OPA project.

Integration Support Notes

In the Hexa CLI, adding an OPA integration takes the form:

hexa add opa http myBundle --file=integration.json

Or, parameters can be passed with flags (e.g. --url and --cafile)

hexa add opa http myBundle --url="https://hexa-bundle-server:8889" --cafile="./examples/opa-server/.certs/ca-cert.pem"

In the SDK, typically the same JSON file may be passed to the SDK as follows:

package main

import (
    "encoding/json"
    "fmt"
    "os"

    "github.com/hexa-org/policy-mapper/api/policyprovider"
    "github.com/hexa-org/policy-mapper/sdk"
)

func main() {
    
    // Read the integration.json file and insert as the Key...
    keybytes, err := os.ReadFile("integration.json")
    if err != nil {
        panic(-1)
    }

    info := policyprovider.IntegrationInfo{
        Name: sdk.ProviderTypeOpa,
        Key:  keybytes,
    }

    integration, err := sdk.OpenIntegration(&info)
    if err != nil {
        fmt.Println("Error opening integration: " + err.Error())
        panic(-1)
    }

    . . .

}
Integration Key File Examples

Integration Configuration For Google Cloud Storage:

{
  "gcp": {
    "bucket_name": "BUCKET_NAME",
    "object_name": "bundle.tar.gz",
    "key": {
      "type": "service_account",
      "project_id": "google-cloud-project-id",
      "private_key_id": "",
      "private_key": "-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n",
      "client_email": "google-cloud-project-id@google-cloud-project-id.iam.gserviceaccount.com",
      "client_id": "000000000000000000000",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/google-cloud-project-id%google-cloud-project-id.iam.gserviceaccount.com"
    }
  }
}

Integration with Amazon S3 Storage: The key must allow s3:PutObject and s3.GetObject actions.

{
  "aws": {
    "bucket_name": "aws-s3-bucket-name",
    "object_name": "bundle.tar.gz",
    "key": {
      "region": "aws-region",
      "accessKeyID": "00000000000000000000",
      "secretAccessKey": "99999999999999999999999"
    }
  }
}

Integration with Github:

To integrate with Github, create a personal access token (classic). Must allow read:packages, write:packages.

{
  "github": {
    "account": "github-org-or-account",
    "repo": "github-repo",
    "bundlePath": "bundle.tar.gz",
    "key": {
      "accessToken": "github_personal_access_token_classic"
    }
  }
}

Integration for HTTP:

{
  "bundle_url": "https://hexa-bundle-server",
  "ca_cert": "MIIFbTCCA1WgAwIBAgICB+MwDQYJKoZIhvcNAQELBQAwSDELMAkGA1UEBhMCVVMx ... y9NWifDJgUtx887LJA=="
}

The ca_cert is a PEM encoded public key. This is used to authenticate the bundle_url endpoint. Generally this is needed when using self-signed certificates.

Documentation

Index

Constants

View Source
const BundleTypeAws string = "aws-s3"
View Source
const BundleTypeGcp string = "GCP_Storage"
View Source
const BundleTypeGithub string = "Github"
View Source
const BundleTypeHttp string = "HTTP"
View Source
const PolicyDataPath string = "/v1/data/policies"
View Source
const ProviderTypeOpa string = "opa"

Variables

This section is empty.

Functions

func MakeHexaBundle added in v0.6.9

func MakeHexaBundle(data []byte) (bytes.Buffer, error)

MakeHexaBundle will generate a default bundle with current rego. If data is nil, an empty set of policies is generated.

Types

type AWSBundleClient

type AWSBundleClient struct {
	// contains filtered or unexported fields
}

func NewAWSBundleClient

func NewAWSBundleClient(bucketName, objectName string, key []byte, opts awscommon.AWSClientOptions) (*AWSBundleClient, error)

func (*AWSBundleClient) GetDataFromBundle

func (a *AWSBundleClient) GetDataFromBundle(path string) ([]byte, error)

func (*AWSBundleClient) PostBundle

func (a *AWSBundleClient) PostBundle(bundle []byte) (int, error)

func (*AWSBundleClient) Type added in v0.6.4

func (a *AWSBundleClient) Type() string

type AwsCredentials added in v0.6.3

type AwsCredentials GcpCredentials

type BundleClient

type BundleClient interface {

	// GetDataFromBundle calls the bundle client, retrieves the bundle and extracts the results to the path provided
	GetDataFromBundle(path string) ([]byte, error)

	PostBundle(bundle []byte) (int, error)
	Type() string
}

type Credentials added in v0.6.3

type Credentials struct {
	// ProjectID string             `json:"project_id,omitempty"`
	BundleUrl     string             `json:"bundle_url"`
	CACert        string             `json:"ca_cert,omitempty"`
	Authorization string             `json:"authorization,omitempty"`
	GCP           *GcpCredentials    `json:"gcp,omitempty"`
	AWS           *AwsCredentials    `json:"aws,omitempty"`
	GITHUB        *GithubCredentials `json:"github,omitempty"`
}

type GCPBundleClient

type GCPBundleClient struct {
	// contains filtered or unexported fields
}

func NewGCPBundleClient

func NewGCPBundleClient(bucketName, objectName string, key []byte, opts ...GCPBundleClientOpt) (*GCPBundleClient, error)

func (*GCPBundleClient) GetDataFromBundle

func (g *GCPBundleClient) GetDataFromBundle(path string) ([]byte, error)

func (*GCPBundleClient) PostBundle

func (g *GCPBundleClient) PostBundle(bundle []byte) (int, error)

func (*GCPBundleClient) Type added in v0.6.4

func (g *GCPBundleClient) Type() string

type GCPBundleClientOpt

type GCPBundleClientOpt func(client *GCPBundleClient)

func WithHTTPClient

func WithHTTPClient(c HTTPClient) GCPBundleClientOpt

type GCSAPIErr

type GCSAPIErr struct {
	Message  string `json:"message,omitempty"`
	Location string `json:"location,omitempty"`
}

type GCSAPIErrDetail

type GCSAPIErrDetail struct {
	Code    int         `json:"code,omitempty"`
	Message string      `json:"message,omitempty"`
	Errors  []GCSAPIErr `json:"errors,omitempty"`
}

type GCSAPIErrResp

type GCSAPIErrResp struct {
	Error *GCSAPIErrDetail `json:"error,omitempty"`
}

type GcpCredentials added in v0.6.3

type GcpCredentials struct {
	BucketName string          `json:"bucket_name,omitempty"`
	ObjectName string          `json:"object_name,omitempty"`
	Key        json.RawMessage `json:"key,omitempty"`
}

type GithubBundleClient

type GithubBundleClient struct {
	// contains filtered or unexported fields
}

func NewGithubBundleClient

func NewGithubBundleClient(account, repo, bundlePath string, key []byte, opts GithubBundleClientOptions) (*GithubBundleClient, error)

func (*GithubBundleClient) GetDataFromBundle

func (g *GithubBundleClient) GetDataFromBundle(path string) ([]byte, error)

func (*GithubBundleClient) PostBundle

func (g *GithubBundleClient) PostBundle(bundle []byte) (int, error)

func (*GithubBundleClient) Type added in v0.6.4

func (g *GithubBundleClient) Type() string

type GithubBundleClientOptions

type GithubBundleClientOptions struct {
	HTTPClient GithubHTTPClient
}

type GithubCredentials added in v0.6.3

type GithubCredentials struct {
	Account    string          `json:"account,omitempty"`
	Repo       string          `json:"repo,omitempty"`
	BundlePath string          `json:"bundlePath,omitempty"`
	Key        json.RawMessage `json:"key,omitempty"`
}

type GithubHTTPClient

type GithubHTTPClient interface {
	Get(url string) (resp *http.Response, err error)
	Post(url, contentType string, body io.Reader) (resp *http.Response, err error)
	Do(request *http.Request) (resp *http.Response, err error)
}

type GithubPublishInfo

type GithubPublishInfo struct {
	Message string `json:"message"`
	Content string `json:"content"`
	Sha     string `json:"sha,omitempty"`
}

type HTTPBundleClient

type HTTPBundleClient struct {
	BundleServerURL string
	Authorization   *string
	HttpClient      HTTPClient
}

func (*HTTPBundleClient) GetDataFromBundle

func (b *HTTPBundleClient) GetDataFromBundle(path string) ([]byte, error)

func (*HTTPBundleClient) PostBundle

func (b *HTTPBundleClient) PostBundle(bundle []byte) (int, error)

func (*HTTPBundleClient) Type added in v0.6.4

func (b *HTTPBundleClient) Type() string

type HTTPClient

type HTTPClient interface {
	Get(url string) (resp *http.Response, err error)
	Post(url, contentType string, body io.Reader) (resp *http.Response, err error)
	Do(request *http.Request) (resp *http.Response, err error)
}

type OpaBundleClient added in v0.6.3

type OpaBundleClient struct {
	OpaServerUrl string
	HttpClient   HTTPClient
}

OpaBundleClient is intended to use the OPA Policy API to directly update and retrieve Policy bundles from an OPA Policy Server instance. Note: typically OPA servers are configured to poll for updates at some configured common retrieval point. Usage of this bundle is mainly for local development purposes.

func (*OpaBundleClient) GetDataFromBundle added in v0.6.3

func (b *OpaBundleClient) GetDataFromBundle(_ string) ([]byte, error)

func (*OpaBundleClient) PostBundle added in v0.6.3

func (b *OpaBundleClient) PostBundle(bundle []byte) (int, error)

type OpaDataResponse added in v0.6.3

type OpaDataResponse struct {
	Result []hexapolicy.PolicyInfo `json:"result"`
}

type OpaProvider

type OpaProvider struct {
	BundleClientOverride BundleClient
	ResourcesDirectory   string
}

func (*OpaProvider) ConfigureClient

func (o *OpaProvider) ConfigureClient(key []byte) (BundleClient, error)

func (*OpaProvider) DiscoverApplications

func (*OpaProvider) GetPolicyInfo

func (*OpaProvider) Name

func (o *OpaProvider) Name() string

func (*OpaProvider) SetPolicyInfo

func (o *OpaProvider) SetPolicyInfo(integration policyprovider.IntegrationInfo, appInfo policyprovider.ApplicationInfo, policyInfos []hexapolicy.PolicyInfo) (int, error)

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL