openpolicyagent

package
v0.8.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 18, 2024 License: Apache-2.0 Imports: 31 Imported by: 4

README

Hexa

Open Policy Agent Provider

The Open Policy Agent Provider enables the retrieval and provisioning of IDQL policies to an Open Policy Agent environment.

[!Tip] For full support of IDQL conditions, use the extended OPA server found in the sister Policy-OPA project.

Feature Description Platform Support Provider Support
RBAC Support for basic translation of role-based access policy Yes Yes
ABAC Support for attribute conditions Yes Yes
Type IDQL Native. Policy is interpreted by OPA Rego processor. Rego Deployment of IDQL and Rego policy
Attribute Mapping Attribute names in policy can be mapped to platform Yes
Hexa CLI Supported in the Hexa CLI application Yes
Discovery Supports discovery of Policy Application Points Queries IAP Backend and AppEngine services Yes
Get Policies Supports retrieval of all policies from a PAP Yes Yes
Set Policies Supports the ability to apply a set of policies to a PAP Yes
Reconcile Returns the differences between an existing set of policies (e.g. at the source) and another set (updates) Via pkg/hexaPolicy Yes

How IDQL and OPA works

This provider works by assembling a Rego script for processing IDQL (hexaPolicy.rego) and IDQL policy (data.json) as a bundle that can be provisioned to an OPA server via a bundle pick-up point. Currently 4 bundle service types are implemented:

  • Google Cloud Storage,
  • Amazon S3 Storage,
  • Github Repository, and,
  • HTTP Server

To support IDQL Conditions, a HexaFilter extension is provided that may be installed in the OPA server. For more information, see the Hexa Policy-OPA project.

Integration Support Notes

In the Hexa CLI, adding an OPA integration takes the form:

hexa add opa http myBundle --file=integration.json

Or, parameters can be passed with flags (e.g. --url and --cafile)

hexa add opa http myBundle --url="https://hexa-bundle-server:8889" --cafile="./examples/opa-server/.certs/ca-cert.pem"

In the SDK, typically the same JSON file may be passed to the SDK as follows:

package main

import (
    "encoding/json"
    "fmt"
    "os"

    "github.com/hexa-org/policy-mapper/api/policyprovider"
    "github.com/hexa-org/policy-mapper/sdk"
)

func main() {
    
    // Read the integration.json file and insert as the Key...
    keybytes, err := os.ReadFile("integration.json")
    if err != nil {
        panic(-1)
    }

    info := policyprovider.IntegrationInfo{
        Name: sdk.ProviderTypeOpa,
        Key:  keybytes,
    }

    integration, err := sdk.OpenIntegration(&info)
    if err != nil {
        fmt.Println("Error opening integration: " + err.Error())
        panic(-1)
    }

    . . .

}
Integration Key File Examples

Integration Configuration For Google Cloud Storage:

{
  "gcp": {
    "bucket_name": "BUCKET_NAME",
    "object_name": "bundle.tar.gz",
    "key": {
      "type": "service_account",
      "project_id": "google-cloud-project-id",
      "private_key_id": "",
      "private_key": "-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n",
      "client_email": "google-cloud-project-id@google-cloud-project-id.iam.gserviceaccount.com",
      "client_id": "000000000000000000000",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/google-cloud-project-id%google-cloud-project-id.iam.gserviceaccount.com"
    }
  }
}

Integration with Amazon S3 Storage: The key must allow s3:PutObject and s3.GetObject actions.

{
  "aws": {
    "bucket_name": "aws-s3-bucket-name",
    "object_name": "bundle.tar.gz",
    "key": {
      "region": "aws-region",
      "accessKeyID": "00000000000000000000",
      "secretAccessKey": "99999999999999999999999"
    }
  }
}

Integration with Github:

To integrate with Github, create a personal access token (classic). Must allow read:packages, write:packages.

{
  "github": {
    "account": "github-org-or-account",
    "repo": "github-repo",
    "bundlePath": "bundle.tar.gz",
    "key": {
      "accessToken": "github_personal_access_token_classic"
    }
  }
}

Integration for HTTP:

{
  "bundle_url": "https://hexa-bundle-server",
  "ca_cert": "MIIFbTCCA1WgAwIBAgICB+MwDQYJKoZIhvcNAQELBQAwSDELMAkGA1UEBhMCVVMx ... y9NWifDJgUtx887LJA=="
}

The ca_cert is a PEM encoded public key. This is used to authenticate the bundle_url endpoint. Generally this is needed when using self-signed certificates.

Documentation

Index

Constants

View Source 
const BundleTypeAws string = "aws-s3"
View Source 
const BundleTypeGcp string = "GCP_Storage"
View Source 
const BundleTypeGithub string = "Github"
View Source 
const BundleTypeHttp string = "HTTP"
View Source 
const PolicyDataPath string = "/v1/data/policies"
View Source 
const ProviderTypeOpa string = "opa"

Variables

This section is empty.

Functions

func CheckBundleUrl added in v0.6.13 

func CheckBundleUrl(bundleUrl string) string

func MakeHexaBundle added in v0.6.9 

func MakeHexaBundle(data []byte) (bytes.Buffer, error)

MakeHexaBundle will generate a default bundle with current rego. If data is nil, an empty set of policies is generated.

Types

type AWSBundleClient 

type AWSBundleClient struct {
	// contains filtered or unexported fields
}

func NewAWSBundleClient 

func NewAWSBundleClient(bucketName, objectName string, key []byte, opts awscommon.AWSClientOptions) (*AWSBundleClient, error)

func (*AWSBundleClient) GetDataFromBundle 

func (a *AWSBundleClient) GetDataFromBundle(path string) ([]byte, error)

func (*AWSBundleClient) PostBundle 

func (a *AWSBundleClient) PostBundle(bundle []byte) (int, error)

func (*AWSBundleClient) Type added in v0.6.4 

func (a *AWSBundleClient) Type() string

type AwsCredentials added in v0.6.3 

type AwsCredentials GcpCredentials

type BundleClient 

type BundleClient interface {

	// GetDataFromBundle calls the bundle client, retrieves the bundle and extracts the results to the path provided
	GetDataFromBundle(path string) ([]byte, error)

	PostBundle(bundle []byte) (int, error)
	Type() string
}

type Credentials added in v0.6.3 

type Credentials struct {
	// ProjectID string             `json:"project_id,omitempty"`
	BundleUrl     string                    `json:"bundle_url"`
	CACert        string                    `json:"ca_cert,omitempty"`
	Authorization string                    `json:"authorization,omitempty"`
	GCP           *GcpCredentials           `json:"gcp,omitempty"`
	AWS           *AwsCredentials           `json:"aws,omitempty"`
	GITHUB        *GithubCredentials        `json:"github,omitempty"`
	Client        *clientcredentials.Config `json:"oauth_client,omitempty"`
}

type GCPBundleClient 

type GCPBundleClient struct {
	// contains filtered or unexported fields
}

func NewGCPBundleClient 

func NewGCPBundleClient(bucketName, objectName string, key []byte, opts ...GCPBundleClientOpt) (*GCPBundleClient, error)

func (*GCPBundleClient) GetDataFromBundle 

func (g *GCPBundleClient) GetDataFromBundle(path string) ([]byte, error)

func (*GCPBundleClient) PostBundle 

func (g *GCPBundleClient) PostBundle(bundle []byte) (int, error)

func (*GCPBundleClient) Type added in v0.6.4 

func (g *GCPBundleClient) Type() string

type GCPBundleClientOpt 

type GCPBundleClientOpt func(client *GCPBundleClient)

func WithGcpHTTPClient added in v0.6.13 

func WithGcpHTTPClient(c HTTPClient) GCPBundleClientOpt

type GCSAPIErr 

type GCSAPIErr struct {
	Message  string `json:"message,omitempty"`
	Location string `json:"location,omitempty"`
}

type GCSAPIErrDetail 

type GCSAPIErrDetail struct {
	Code    int         `json:"code,omitempty"`
	Message string      `json:"message,omitempty"`
	Errors  []GCSAPIErr `json:"errors,omitempty"`
}

type GCSAPIErrResp 

type GCSAPIErrResp struct {
	Error *GCSAPIErrDetail `json:"error,omitempty"`
}

type GcpCredentials added in v0.6.3 

type GcpCredentials struct {
	BucketName string          `json:"bucket_name,omitempty"`
	ObjectName string          `json:"object_name,omitempty"`
	Key        json.RawMessage `json:"key,omitempty"`
}

type GithubBundleClient 

type GithubBundleClient struct {
	// contains filtered or unexported fields
}

func NewGithubBundleClient 

func NewGithubBundleClient(account, repo, bundlePath string, key []byte, opts GithubBundleClientOptions) (*GithubBundleClient, error)

func (*GithubBundleClient) GetDataFromBundle 

func (g *GithubBundleClient) GetDataFromBundle(path string) ([]byte, error)

func (*GithubBundleClient) PostBundle 

func (g *GithubBundleClient) PostBundle(bundle []byte) (int, error)

func (*GithubBundleClient) Type added in v0.6.4 

func (g *GithubBundleClient) Type() string

type GithubBundleClientOptions 

type GithubBundleClientOptions struct {
	HTTPClient GithubHTTPClient
}

type GithubCredentials added in v0.6.3 

type GithubCredentials struct {
	Account    string          `json:"account,omitempty"`
	Repo       string          `json:"repo,omitempty"`
	BundlePath string          `json:"bundlePath,omitempty"`
	Key        json.RawMessage `json:"key,omitempty"`
}

type GithubHTTPClient 

type GithubHTTPClient interface {
	Get(url string) (resp *http.Response, err error)
	Post(url, contentType string, body io.Reader) (resp *http.Response, err error)
	Do(request *http.Request) (resp *http.Response, err error)
}

type GithubPublishInfo 

type GithubPublishInfo struct {
	Message string `json:"message"`
	Content string `json:"content"`
	Sha     string `json:"sha,omitempty"`
}

type HTTPBundleClient 

type HTTPBundleClient struct {
	BundleServerURL string
	Authorization   *string
	HttpClient      HTTPClient
}

func (*HTTPBundleClient) GetDataFromBundle 

func (b *HTTPBundleClient) GetDataFromBundle(path string) ([]byte, error)

func (*HTTPBundleClient) PostBundle 

func (b *HTTPBundleClient) PostBundle(bundle []byte) (int, error)

func (*HTTPBundleClient) Type added in v0.6.4 

func (b *HTTPBundleClient) Type() string

type HTTPClient 

type HTTPClient interface {
	Get(url string) (resp *http.Response, err error)
	Post(url, contentType string, body io.Reader) (resp *http.Response, err error)
	Do(request *http.Request) (resp *http.Response, err error)
}

type OpaBundleClient added in v0.6.3 

type OpaBundleClient struct {
	OpaServerUrl string
	HttpClient   HTTPClient
}

OpaBundleClient is intended to use the OPA Policy API to directly update and retrieve Policy bundles from an OPA Policy Server instance. Note: typically OPA servers are configured to poll for updates at some configured common retrieval point. Usage of this bundle is mainly for local development purposes.

func (*OpaBundleClient) GetDataFromBundle added in v0.6.3 

func (b *OpaBundleClient) GetDataFromBundle(_ string) ([]byte, error)

func (*OpaBundleClient) PostBundle added in v0.6.3 

func (b *OpaBundleClient) PostBundle(bundle []byte) (int, error)

type OpaDataResponse added in v0.6.3 

type OpaDataResponse struct {
	Result []hexapolicy.PolicyInfo `json:"result"`
}

type OpaProvider 

type OpaProvider struct {
	BundleClientOverride BundleClient
	HttpClient           *http.Client
	JwtHandler           oauth2support.JwtClientHandler
}

func (*OpaProvider) ConfigureClient 

func (o *OpaProvider) ConfigureClient(key []byte) (BundleClient, error)

func (*OpaProvider) DiscoverApplications 

func (o *OpaProvider) DiscoverApplications(info policyprovider.IntegrationInfo) ([]policyprovider.ApplicationInfo, error)

func (*OpaProvider) GetPolicyInfo 

func (o *OpaProvider) GetPolicyInfo(integration policyprovider.IntegrationInfo, _ policyprovider.ApplicationInfo) ([]hexapolicy.PolicyInfo, error)

func (*OpaProvider) IsOAuthClient added in v0.6.11 

func (o *OpaProvider) IsOAuthClient() bool

func (*OpaProvider) Name 

func (o *OpaProvider) Name() string

func (*OpaProvider) SetPolicyInfo 

func (o *OpaProvider) SetPolicyInfo(integration policyprovider.IntegrationInfo, appInfo policyprovider.ApplicationInfo, policyInfos []hexapolicy.PolicyInfo) (int, error)

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.