feat(prose/opa): opa rego changes (#100)

* Improved components of the prose OPA server * Policy related rego and data files are placed in the expected bundle locations * Update rego files for the new format of the input data Related to #55 Co-authored-by: Miti Mazmudar <[email protected]>
dettanym · Mar 20, 2024 · d8f3c42 · d8f3c42
1 parent 4aba386
commit d8f3c42
Show file tree

Hide file tree

Showing 16 changed files with 195 additions and 395 deletions.
diff --git a/docker/opa-composer-server.Dockerfile b/docker/opa-composer-server.Dockerfile
@@ -11,7 +11,7 @@ FROM debian:12-slim
 WORKDIR /app
 
 COPY --from=builder /app/bin/opa-composer-server /app/bin/opa-composer-server
-COPY --from=builder /app/pkg/opa/policy-and-logic/ /app/policy-and-logic/
+COPY --from=builder /app/resources/opa_bundle/ /app/bundle/
 
 RUN mkdir -p /app/tmp \
     && chmod 755 /app/tmp \
@@ -24,6 +24,6 @@ USER nobody:nogroup
 
 CMD [ \
     "/app/bin/opa-composer-server", \
-    "--policy_file", "/app/policy-and-logic/policy.rego", \
+    "--policy_bundle_dir", "/app/bundle", \
     "--compiled_bundle", "/app/tmp/bundle.tar.gz" \
 ]
diff --git a/...uation/kubernetes/apps/test-sample-microservices/bookinfo/envoy-filter/golang-filter.yaml b/...uation/kubernetes/apps/test-sample-microservices/bookinfo/envoy-filter/golang-filter.yaml
@@ -70,7 +70,7 @@ spec:
                   bundles:
                     prose_opa_bundle:
                       service: bundle_server
-                      resource: /bundle.tar.gz
+                      resource: /bundles/bundle.tar.gz
                       polling:
                         min_delay_seconds: 120
                         max_delay_seconds: 3600
@@ -164,7 +164,7 @@ spec:
                   bundles:
                     prose_opa_bundle:
                       service: bundle_server
-                      resource: /bundle.tar.gz
+                      resource: /bundles/bundle.tar.gz
                       polling:
                         min_delay_seconds: 120
                         max_delay_seconds: 3600

diff --git a/privacy-profile-composer/Makefile b/privacy-profile-composer/Makefile
@@ -1,3 +1,3 @@
 run-server:
 	go generate ./...
-	go run ./cmd/opa-composer-server --policy_file ./pkg/opa/policy-and-logic/policy.rego
+	go run ./cmd/opa-composer-server --policy_bundle_dir ./resources/opa_bundle
diff --git a/privacy-profile-composer/cmd/opa-composer-server/main.go b/privacy-profile-composer/cmd/opa-composer-server/main.go
@@ -13,10 +13,10 @@ import (
 )
 
 var (
-	opa_port        = flag.Int("opa_port", 8080, "The OPA server port")
-	composer_port   = flag.Int("composer_port", 50051, "The composer server port")
-	policy_file     = flag.String("policy_file", "./policy.rego", "Location of the policy file")
-	compiled_bundle = flag.String("compiled_bundle", "./bundle.tar.gz", "Location of the compiled bundle")
+	opa_port          = flag.Int("opa_port", 8080, "The OPA server port")
+	composer_port     = flag.Int("composer_port", 50051, "The composer server port")
+	policy_bundle_dir = flag.String("policy_bundle_dir", "./bundle", "Location of bundle folder with all policies and data")
+	compiled_bundle   = flag.String("compiled_bundle", "./bundle.tar.gz", "Location of the compiled bundle")
 )
 
 func main() {
@@ -51,13 +51,13 @@ func main() {
 }
 
 func prepareOpaServer() error {
-	return opa.CompileOPABundle(*policy_file, *compiled_bundle)
+	return opa.CompileOPABundle(*policy_bundle_dir, *compiled_bundle)
 }
 
 func registerOpaServer() *http.ServeMux {
 	s := http.NewServeMux()
 
-	s.HandleFunc("/bundle.tar.gz", func(w http.ResponseWriter, r *http.Request) {
+	s.HandleFunc("/bundles/bundle.tar.gz", func(w http.ResponseWriter, r *http.Request) {
 		http.ServeFile(w, r, *compiled_bundle)
 	})
 

diff --git a/privacy-profile-composer/pkg/envoyfilter/filter.go b/privacy-profile-composer/pkg/envoyfilter/filter.go
@@ -299,7 +299,7 @@ func (f *Filter) runOPA(ctx context.Context, isDecode bool) (sendLocalReply bool
 	result, err := f.opa.Decision(
 		ctx,
 		sdk.DecisionOptions{
-			Path: "/authz/allow",
+			Path: "/prose/allow_all/allow",
 			// TODO: Pass in the purpose of use,
 			//  the PII types and optionally, the third parties
 			//  (if isDecode is true and f.sidecarDirection is outbound)

diff --git a/privacy-profile-composer/pkg/opa/opa_compiler.go b/privacy-profile-composer/pkg/opa/opa_compiler.go
@@ -7,7 +7,7 @@ import (
 	"github.com/open-policy-agent/opa/compile"
 )
 
-func CompileOPABundle(policy_file string, bundle string) error {
+func CompileOPABundle(policyBundleDir string, bundle string) error {
 	f, err := os.Create(bundle)
 	if err != nil {
 		return err
@@ -18,7 +18,7 @@ func CompileOPABundle(policy_file string, bundle string) error {
 	compiler := compile.New()
 
 	err = compiler.
-		WithPaths(policy_file).
+		WithPaths(policyBundleDir).
 		WithOutput(f).
 		Build(ctx)
 

diff --git a/privacy-profile-composer/pkg/opa/opa_evaluator.go b/privacy-profile-composer/pkg/opa/opa_evaluator.go
diff --git a/privacy-profile-composer/pkg/opa/policy-and-logic/policy.rego b/privacy-profile-composer/pkg/opa/policy-and-logic/policy.rego
diff --git a/privacy-profile-composer/pkg/opa/policy-and-logic/simple.rego b/privacy-profile-composer/pkg/opa/policy-and-logic/simple.rego