From 832948cffde2be40442fe4502eb2176f2bb4d66b Mon Sep 17 00:00:00 2001
From: Daisie Huang
Date: Thu, 28 Jul 2022 15:44:15 -0700
Subject: [PATCH] Need additional header for secret opa tokens

Tyk will only allow valid bearer tokens, so need additional place to add magic root token
---
 permissions_engine/authz.rego | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/permissions_engine/authz.rego b/permissions_engine/authz.rego
index bee59c2..08ccedb 100644
--- a/permissions_engine/authz.rego
+++ b/permissions_engine/authz.rego
@@ -41,8 +41,10 @@ allow { # Allow request if...
 right.path == input.path # Right.path matches input.path.
 }
 
+x_opa := input.headers["X-Opa"][_]
+
 identity_rights[right] { # Right is in the identity_rights set if...
- token := tokens[input.identity] # Token exists for identity, and...
+ token := tokens[x_opa] # Token exists for identity, and...
 role := token.roles[_] # Token has a role, and...
 right := rights[role] # Role has rights defined.
 }
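Review bot: The new top-level rule `x_opa := input.headers["X-Opa"][_]` is a complete rule, so a request carrying two different X-Opa values makes it produce conflicting outputs, and OPA reports an evaluation error instead of a decision. Doing the lookup inside `identity_rights`, e.g. `token := tokens[input.headers["X-Opa"][_]]`, or first requiring `count(input.headers["X-Opa"]) == 1`, avoids that. `identity_rights` no longer consults `input.identity`, so the trailing comment on the token line should read `# Token exists for the X-Opa header value, and...`. The root token now travels in a custom header rather than Authorization, and gateways and log pipelines often do not redact custom headers by default, so it is worth confirming that Tyk access logs and OPA decision logs mask X-Opa.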