Code Monkey home page Code Monkey logo

kong-opa-pass's Introduction

kong-opa-pass

Kong plugin that forwards request to Open Policy Agent and process the request only if the authorization policy allows for it.

Description

Basic Sequence Diagram

Configuration Example

config:
    server:
        url: http://localhost:8181/v1/data/
        keepalive_timeout: 60000
        keepalive_pool: 100
    request:
        headers_to_forward:
            - host
            - authorization
            - x-forwarded-for
            - x-forwarded-proto
            - x-real-ip
            - x-forwarded-host
            - x-forwarded-server
            - x-forwarded-port
            - x-forwarded-prefix
            - x-forwarded-scheme
            - x-forwarded-uri
        body: false
        always_pass_forward: false

Parameters

This table shows a list of configuration atributes that can be used to change the plugin behaviour

Default values are shown in the example configuration above.

Name Default Description
server.url - A path to OPA policy document including a protocl and host. Example: http://localhost:8181/v1/data/allow
server.keepalive_timeout 60000 The maximal idle timeout (ms).
server.keepalive_pool 100 The maximal idle timeout (ms).
request.headers_to_forward - List of headers that will be forwarded to OPA as part of an input object. Above you see the default list of headers
request.body false When set true the original request body will be forwarded to OPA as part of an input object. Only when the original request Content-Type set to application/json
request.always_pass_forward false When set to true kong will forward the original request to the upstream event it OPA's decision is false. Helpful when the final decision needs to be made down the road. Additionaly the X-OPA-Decision header is passed back to the upstream service with the value set to true or false

OPA Payload Request

{
    "request": {
        "http": {
            "headers": {
                "authorization": "Basic YWxpY2U6c2VjcmV0Cg==",
                "user-agent": "curl/7.68.0-DEV",
                "x-forwarded-proto": "http",
            },
            "host": "example",
            "method": "POST",
            "path": "/documents",
            "protocol": "HTTP/1.1"
        },
        "body": {}
    }
}

Expected OPA Response

The plugin expects the policy evaluation result to be one of these types: boolean or object. If otherwise the plugin will return Access Denied error.

Boolean

To allow the request to be forwared further, OPA policy should return:

{
    "result": true
}

To restrict the access to the upstream service, OPA policy should return:

{
    "result": false
}

Object

Make the policy decision response in a form of an object gives the additional benefits. The plugin expects the following structure:

{
    "result": {
        "allow": "<boolean>",
        "status": "<HTTP status code>",
        "headers": {
            "<header": "<value>"
        }
    }
}

Only result.allow field is required.

When request.allow is set to true then request.headers key-value pairs are injected into the original request before it is forwarded to the upstream service.

When request.allow is set to false then:

  1. if the configuration option request.always_pass_forward is set to true then request.headers key-value pairs are injected into the original request before it is forwarded to the upstream service. The X-OPA-Decision header is set to result.allow value.

  2. if the configuration option request.always_pass_forward is set to true then request.headers key-value pairs are injected into the response before it is forwarded back to the client. The X-OPA-Decision header is set to result.allow value.

Example

Reference to opa-pass-example repo to see it work.

Author

Eugene Brodsky

kong-opa-pass's People

Contributors

fupslot avatar

Stargazers

avatar avatar

Watchers

avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.