Discussed in #124

Discussed in https://github.com/orgs/open-policy-agent/discussions/22

Dear All,

I have a requirement to check the order of the input keys with the order of the data available in data.json

example:
{"input" : [{"name":"Daniel", "age":23, "gender":"male","location":"Switzerland"},{"name":"Moorthy", "age":43, "location":"Switzerland","gender":"male"}] }

data.json {"orderofheader": ["name","age","gender","location"]}

In this example the order of keys in the 2nd object of the input is not as expected and hence the result should be false .

I have tried below approach but i couldn't do arithmetic operation to increment the value of a variable .

package play

import data.orderofheader
import future.keywords.in

default ordercheck=false

ordercheck_result[message]{
headers:=input[]
i:=0
j:=1
some key, in headers
not has_key(key, i)
i=sum({i, j}) #----------Its not working
#i=i+1 ----------Its not working
#i=i+j ----------Its not working
#z:=i+j ------it works but couldn't increment the z value further since reassigning different value is not possible
#message:=sprintf("index is %v and Key is %v",[z, key])
message:=sprintf("The value of the header '%v' in the given input is not in proper order ", [key])
}

has_key(key,i){
key==orderofheader[i]
}

In General, if i assign a value to a variable say i:=0 then im not able to overwrite the value of the variable.

On side Note: Is there a way to get the current index value of the key while using "some key, _ in headers"

Could any of you advice on any workaround ?

Hi,
I'm trying to get the union of two objects where one of the objects may be optional. i.e. undefined (one object is coming from data and the other from input and may or may not be there). I tried using object.union(objectA, objectB), however if one of the args is undefined the result is also undefined.
Does somebody have an idea how to solve that issue?

Original Requestor: ken_wee.pok
Original Thread: https://openpolicyagent.slack.com/archives/C1H0ZF6BE/p1649675395.948639

Message:

Hi everyone, I'm wondering if anybody had looked into/experimented the https://docs.dapr.io/reference/components-reference/supported-middleware/middleware-opa/OPA middleware> integration for DAPR? I have some questions with regards to the workings of OPA deployed in that manner, and not sure if this is a right place to ask? My question is specifically on

1. If external data can be supplemented to the middleware to aid decision making?
2. Which version of OPA is running in the middleware? (as OPA version affects new keywords support and built-in functions)
3. If all built-in functions for OPA are supported? e.g. http.send
4. How are upgrades to the OPA engine handled?
5. If changes to the policy (as part of component definition) requires a redeployment of the component itself?

Organization Name

No response

Organization Website

No response

Organization Logo (optional)

No response

How is your organization using OPA?

Hello Team,
I am also working on it but I think since I am still learning, it is good to also ask the community so we learn from the best practice.

May I ask if any rego snippets that can be provided that to add environment variables to every container and init container in a multiple container pod?

thanks.

Source Code Link (optional)

No response

Want to link blogs or videos? Share them here.

No response

Update entry

• Check this box if you want to update an existing entry.

We did deploy OPA-ISTIO-PLUGIN with previous version [ istio 1.5.6 ] using MutatingWebhookConfiguration and admission-controller. Which help us to decouple application deployment file and opa configuration files. [ Which was our expectation also ].

In recent past we are planning to upgrade istio to latest version [1.7.4 ] and trying to consider upgrade OPA plugin also.

But surprisingly we have noticed, in recent deployment approach, there is nothing like OPA-ISTIO-PLUGIN, whereas it is now OPA-ENVOY-PLUGIN. [ Which i can understand for generic behavior ], but I haven't found any MutatingWebhookConfiguration and admission-controller in OPA-ENVOY-PLUGIN deployment.

Don't we have any process to use MutatingWebhookConfiguration and admission-controller and make OPA and APPLICATION deployment files loosely coupled in latest OPA-ENVOY-PLUGIN deployment process. If we have, could you please provide me the implementation approach, else we will stuck in middle because we have already implement opa-istio-plugin using admission controller.

I find the rego documentation utterly incomprehensible. For example, I feel this is an important statement:
"When evaluating rule bodies, OPA searches for variable bindings that make all of the expressions true."
But what does that even mean?
What searches? What does it search?
I'm trying to write a simple policy "Dave can do a, b, c; Mary can do x, y, z), and after 2 days, all I can get from OPA are errors.

Not able to find any documentation or example to understand how I can push incremental data ( only the changes) to OPA. It is not possible to load whole data for smaller changes for us. Can someone please guide me.

Discussed in https://github.com/orgs/open-policy-agent/discussions/472

package play
import data.play.policies

allow {
    policy := policies[input.name]
    policy.test(input.params)
}

package play.policies.policy1

test(params) {
    params["env"] == "dev"
}

package play.policies.policy2

test(params) {
    params["env"] == "prod"
}
```</div>

In a use-case where OPA is being used as authorization provider from Envoy, what is the format with which OPA receives input from Envoy?

From postman I am calling my endpoint by passing the header x-custom-header: foo. It is first routed to envoy sidecar which in turn calls OPA and forwards the request headers to OPA. What is the format/pattern in which OPA receives the Http request? Please advise.

Request example:

GET /api/v1/employees/departments
Accept: */*
x-custom-header : foo

I have been working with opa test -c with the example from https://www.openpolicyagent.org/docs/latest/policy-testing/. When I condense the rego from example.rego to

package authz

allow { input.path == ["users"]; input.method == "POST"; }

allow { some profile_id; input.path = ["users", profile_id]; input.method == "GET"; profile_id == input.user_id; }

And remove all test in example_test.rego except for test_post_allowed

package authz

test_post_allowed {
    allow with input as {"path": ["users"], "method": "POST"}
}

Actual Behavior

The coverage result shows the example.rego was covered only 20 percent.

{
  "files": {
    "example.rego": {
      "covered": [
        {
          "start": {
            "row": 3
          },
          "end": {
            "row": 3
          }
        }
      ],
      "not_covered": [
        {
          "start": {
            "row": 4
          },
          "end": {
            "row": 4
          }
        },
        {
          "start": {
            "row": 4
          },
          "end": {
            "row": 4
          }
        },
        {
          "start": {
            "row": 4
          },
          "end": {
            "row": 4
          }
        },
        {
          "start": {
            "row": 4
          },
          "end": {
            "row": 4
          }
        }
      ],
      "coverage": 20
    },
    "tests/test.rego": {
      "covered": [
        {
          "start": {
            "row": 3
          },
          "end": {
            "row": 4
          }
        }
      ],
      "coverage": 100
    }
  },
  "coverage": 42.85
}

Expected Behavior

I think coverage is counted from statements but the first allow definition has 2 statements and the second has 4, so coverage should be 33%. Overall I would think that if statements were counted then it shouldn't matter how the rego is formatted, but if I leave example.rego in the original format and only run test_post_allowed then I get a coverage on example.rego equal to "coverage": 42.85.

Steps to Reproduce the Problem

Copy the code blocks above for example.rego and example_test.rego and run opa test . -c. You should get the same result I have posed above.

opa version
Version: 0.28.0
Build Commit: 3fbcd71
Build Timestamp: 2021-04-27T13:51:34Z
Go Version: go1.15.8
WebAssembly: unavailable

The API of array type

What part of OPA would you like to see improved?

I'd like to know if operation like append and extend is supported by array. If yes, could you point me to any doc link? If not, what's the best practice to achieve this in the current REGO? Can it be added in REGO natively in the future?

Describe the ideal solution

Describe a "Good Enough" solution

Additional Context

It may be very simple question if people already know answer to it ,what I want to achieve is inside rego I want to specify a simple if string equals condition , however base string I want to provide at runtime , depending on many conditions.
For example I want to check if max days since login has passed then fail policy and don't let it pass , now max days for each of specific area/company is set by users. E.g. for america people says it should be 5 days and for india people says 4 days. So can I pass this max value at runtime to opa to evaluate. There can be thousand of such values and hence putting all values and doing if else is not possible.

L
![16574196432596895586312101289443](https://user-images.githubusercontent.com/92107358/178128739-bccd701a-0503-4de2-9e5b-cc51bf0a27b7.jpg

I am trying to write a policy to check if lifecycle label is any of the value of {dev, qa ,cert-cde, prod-cde,svcs,cert-ncde,prod-ncde}

The logic is working when I entered lifecycle label as prod or dev apart for other lifecycle labels value the conditions is not getting fails

Hello,

I am having issue understanding how partial evaluation works. I thought we could prepare a query for further evaluation given what is known at the time (query and inputs).
For example, I have a policy to grant access and it will be used at two different code paths. Do I need to create two different policies?

package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/rego"
)

func main() {
	ctx := context.Background()
	module := `
		package example

		allow {
			input.subject.user = "alice"
			input.auth_type = "hmac"
		}

		allow {
			input.subject.user = "john"
			input.auth_type = "api_key"
		}
	`

	pre := map[string]interface{}{"auth_type": "hmac"}

	r := rego.New(
		rego.Query("data.example.allow"),
		rego.Module("example.rego", module),
		rego.Input(pre),
	)

	pr, err := r.PartialResult(ctx)
	if err != nil {
		panic(err.Error())
	}

	input := map[string]interface{}{
		"subject": map[string]interface{}{
			"user": "alice",
		},
	}
	rr := pr.Rego(rego.Input(input))
	rs, err := rr.Eval(ctx)
	if err != nil {
		panic(err.Error())
	} else {
		fmt.Printf("allowed: %v\n", rs.Allowed())
	}
}

Expected Behavior

allowed: true

Actual Behavior

allowed: false

Thanks

Discussed in https://github.com/orgs/open-policy-agent/discussions/395

https://github.com/orgs/open-policy-agent/discussions/399
https://github.com/orgs/open-policy-agent/discussions/408

opa-envoy-plugin extends OPA with a gRPC server, and it always returns 403 for all denied requests. But opa can be used for both authentication and authorization, I want to return 401 when authentication is failed, is the opa-envoy-plugin able to do that?

Hello, I am new to OPA and rego code and I am trying to implement a policy in my test environment. In the below constraint template, I am trying to import the resourcequota data configured in all of the namespaces of a cluster. Below constraint template's objective is to deny pod creation if the namespace where it is supposed to create does not have resource quota defined.

Blog referred to create this template: https://www.magalix.com/blog/how-to-force-kubernetes-namespaces-to-have-resourcequotas-defined-using-opa

Image used for the below constraint template : openpolicyagent/gatekeeper:v3.8.1

cat template.yaml

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8sresourcequota
spec:
crd:
spec:
names:
kind: K8sResourceQuota
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sresourcequota
import data.kubernetes.resourcequotas
violation[{"msg": msg}] {
input.request.kind.kind == "Pod"
# Extract the the namespace from the request information
requestns := input.request.object.metadata.namespace
# Is it part of the existing resource quotas?
existingrqs := {e | e := resourcequotas[][].metadata.namespace}
not ns_exists(requestns,existingrqs)
msg = sprintf("The Pod %v could not be created because the %v namespace does not have ResourceQuotas defined",[input.request.object.metadata.name,input.request.object.metadata.namespace])
}
ns_exists(ns,arr){
arr[_] = ns
}

But when I try to apply this file, I get the following error. Why is it showing bad import? From where can I check, the types of import that can be included in the rego code.

kubectl apply -f template.yaml

Error from server: error when creating "template.yaml": admission webhook "validation.gatekeeper.sh" denied the request: invalid ConstraintTemplate: invalid import: bad import

Discussed in https://github.com/orgs/open-policy-agent/discussions/341

The Feedback repository is a central location for all the OPA subprojects to use GitHub Discussions.

If you have a question you'd like to discuss with the OPA community, head over to the Discussions Tab.

If you have a bug to report please file an issue in the respective repository.

OPA
Gatekeeper
Conftest
Envoy-Plugin

I have a use-case where I need to implement multiple rules in the Rego file to validate GET, POST endpoints with different x-incoming-flow custom header. For example in the example below; my intension is to allow HR applications (indicated by request hr-flow) to retrieve basic demographic information. Similarly allow finance applications (indicated by finance-flow) to update finance information. The headers are passed by consuming applications.

In this use-case, what is the best practice to prepare the rules? Do I need to write multiple allow blocks or is there a better way to write them in a single allow block. Please advise

package demo
import input.attributes.request.http as http_request
default allow = false

allow {
        #Allow GET:/api/v1/employees/demographics if it has x-incoming-flow as `hr-flow`
        http_request.method="GET"
        http_request.path == "/api/v1/employees/demographics"
        http_request.headers["x-incoming-flow"] == "hr-flow"
}

allow {
        #Allow POST:/api/v1/employees/salaries if it has x-incoming-flow as `finance-flow`
        http_request.method="POST"
        http_request.path == "/api/v1/employees/salaries"
        http_request.headers["x-incoming-flow"] == "finance-flow"
}

Input 1: -- Output should be true

{
  "attributes": {
    "request": {
      "http": {
        "method": "GET",
        "path": "/api/v1/employees/demographics",
        "headers": {
          "x-incoming-flow": "hr-flow"
        }
      }
    }
  }
}

Input 2: -- Output should be false

{
  "attributes": {
    "request": {
      "http": {
        "method": "GET",
        "path": "/api/v1/employees/demographics",
        "headers": {
          "x-incoming-flow": "deparments-flow"
        }
      }
    }
  }
}

Input 3: -- Output should be true

{
  "attributes": {
    "request": {
      "http": {
        "method": "POST",
        "path": "/api/v1/employees/finance",
        "headers": {
          "x-incoming-flow": "finance-flow"
        }
      }
    }
  }
}

From discussion #142
Issue reported by @jj80

{
    "client_addr": "XXXX",
    "level": "info",
    "msg": "Received request.",
    "req_body": "[{\"op\":\"replace\",\"path\":\"Acls/XYZ\",\"value\":{\"X\":\"A\",\"XYZ\":[\"12345\"],\"LIST\":[\"3456\",\"4567\",\"5678\",\"6789\",\"789\",\"890\",\"9012\",\"01111\",\"55558\",\"3434343\",\"5453422\",\"43242345\",\"5354353\",\"5345345\",\"5646546\",\"5345345\",\"87974466\",\"4456411\",\"445477\",\"6879911\",\"7842313\",\"5411000\",\"364894\",\"321888\",\"7779912\",\"799\",\"3488931\",\"48941699\",\"971fddfg61\"],\"OOO\":null,\"WER\":false}}]",
    "req_id": 30460,
    "req_method": "PATCH",
    "req_params": {},
    "req_path": "/v1/data/AAA/BB/CCC",
    "time": "2022-03-04T08:48:42Z"
}

{
    "client_addr": "XXXX",
    "level": "info",
    "msg": "Sent response.",
    "req_id": 30460,
    "req_method": "PATCH",
    "req_path": "/v1/data/AAA/BB/CCC",
    "resp_body": "",
    "resp_bytes": 0,
    "resp_duration": 25305.964576,
    "resp_status": 204,
    "time": "2022-03-04T08:49:08Z"
}

Original Requestor: aimtiaz
Original Thread: https://openpolicyagent.slack.com/archives/CBR63TK2A/p1649170893.320489

Message:

Hi! Very new to OPA and I'm looking to lint rego test files. Essentially, looking through each of the test files, and ensuring that they follow the format of [test][package_name][test_name].

I couldn't find anything similar, and opa fmt did not seem like it would fit my use case. Has anybody done something similar or would I need to roll my own linter?

Thank you 🙂

Original Requestor: anthonyabarbieri
Original Thread: https://openpolicyagent.slack.com/archives/CLE8VEKGT/p1650889161.145719

Message:

Hey Folks, I put together a setup-conftest action this weekend based off the setup-opa action in the OPA organization. It downloads the conftest binary and adds it to the path for use in other steps: https://github.com/princespaghetti/setup-conftest

Original Requestor: zia.ur-rehman
Original Thread: https://openpolicyagent.slack.com/archives/CDTN970AX/p1652361341.359949

Message:

Hi Everyone, OPA is writing some stuff to disk what is it?

Hi,

I have been using OPA Rego policies to configure user role based access and OPA is giving suitable decisions.

However I am interested in configuring an IP based access and tried with the following rego policy for allow decision

package abc
default allow = false
allow {
input.method = "GET"
input.addrs = [":8181"]
}

to allow the localhost running server.

input.json query

{
"method": "GET",
"addrs": [":8181"]
}

The policy evaluated for the input is not resulting for allow = true or false

Please suggest the feature for testing IPs and MAC address in this context to manage decisions for the incoming IP, MAC address.

With regards,
Shashank

Expected Behavior

The results of API call should be the same command line or Playground

Actual Behavior

API calls always returns false

Steps to Reproduce the Problem

Here is my simple policy (playPolicy.rego):

package play

default allow = false

allow {
  input.method == "GET"
}

Here is my input file (playInput.json)

{
    "method": "GET"
}

1. when I try this using RegoPlayground, the evaluation is true (https://play.openpolicyagent.org/p/cIWCURitWQ)

2. I then tried it using command line (I am using OPA 0.34.1)

3. Then I deployed a docker container (downloaded from the official location) out of port 9090. I tried port 8181 on my linux as well also I tried various opa versions as well, same results.
   docker run -d -p 9090:9090 --name opa openpolicyagent/opa:0.34.1 run --server --log-level debug -a :9090

4. Then I uploaded my policy using following command:
   curl -X PUT --data-binary @playPolicy.rego localhost:9090/v1/policies/play

5. Then I used GET to retrieve the contents
   curl localhost:9090/v1/policies/play
   all looked good

6. Then I query with following call to get results and I got false, which is very strange!
   curl -X POST localhost:9090/v1/data/play/allow -d @playInput.json -H 'Content-Type: application/json'

7. Tried with PostMan as well, same results

8. As part of debug, I added print() to my policies and run it on command line. my value was printed out correctly and the return was true. So am I calling API wrong? I added ?explain=full&pretty to the API call. although I dont quite understand the meaning of it, here is detail:

{
    "explanation": [
        "query:1     Enter data.play.allow = _",
        "query:1     | Eval data.play.allow = _",
        "query:1     | Index data.play.allow (matched 0 rules)",
        "play:3      | Enter data.play.allow",
        "play:3      | | Eval true",
        "play:3      | | Exit data.play.allow",
        "query:1     | Exit data.play.allow = _",
        "query:1     Redo data.play.allow = _",
        "query:1     | Redo data.play.allow = _",
        "play:3      | Redo data.play.allow",
        "play:3      | | Redo true"
    ],
    "result": false
}

Please help. Many thanks!!!

• Eric

Additional Info

Original Requestor: raje.g.995
Original Thread: https://openpolicyagent.slack.com/archives/CBR63TK2A/p1648828146.908049

Message:

Hi, I am trying to use sync.yaml -> config to load some CRDs to evaluate my OPA Gatekeeper in EKS.

I am facing issues in loading those CRDS. I have installed the sync.yaml correctly.

Steps followed -

Installed OPA
Installed sync.yaml to load the CRDs dynamically.

Issue :

While evaluating the policy in the constrainttemplate , OPA is not able to list those objects.

Sample sync.yaml

# Sync.yaml
apiVersion: http://config.gatekeeper.sh/v1alpha1config.gatekeeper.sh/v1alpha1>
kind: Config
metadata:
  name: config
  namespace: "gatekeeper-system"
spec:
  sync:
    syncOnly:
      - group: "http://project.team.orchestrator.predix.ioproject.team.orchestrator.predix.io>"
        version: "v1alpha1"
        kind: Environment
      - group: "http://project.team.orchestrator.predix.ioproject.team.orchestrator.predix.io>"
        version: "v1alpha1"
        kind: "DeveloperProjectControl"

Sample policy constrainttemplate

apiVersion: http://templates.gatekeeper.sh/v1beta1templates.gatekeeper.sh/v1beta1>
kind: ConstraintTemplate
metadata:
  name: developerprojectcontrolnotexist
spec:
  crd:
    spec:
      names:
        kind: DeveloperProjectControlNotExist

  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package developerprojectcontrolnotexist

        violation[{"msg": msg1}] {
              input.review.object.kind != "DeveloperProjectControl"
              ns := input.review.object.metadata.namespace

              ns != "NS"
             #msg1 := sprintf("VALUE - %v ", [data.inventory.namespace[ns]["http://project.team.orchestrator.predix.io/v1alpha1project.team.orchestrator.predix.io/v1alpha1>"]])
             dpcObject := object.get(data.inventory.namespace[ns]["http://project.team.orchestrator.predix.io/v1alpha1project.team.orchestrator.predix.io/v1alpha1>"],"DeveloperProjectControl", "NOTFOUND")
             dpcObject == "NOTFOUND"
             msg1 := sprintf("No developerprojectcontrol object present in the namespace  ", [dpcObject])
        }

Here the dpcObject value is {} and instead of NOTFOUND , when the corresponding object - DeveloperProjectControl is not present in the namespace.

My current scenario is to do an authentication function

The data source has a large amount of data and is continuously updated (including the addition, deletion and modification of permissions);

I hope that the data source can be loaded into OPA quickly when OPA is started; And it can keep updating with the data source efficiently

I think of two ways now, but I don't think they are very perfect

1. Use bundle to load tar at one time GZ file; However, it can only update through polling. This time, there is a delay, which makes the process very inefficient; I expect to update the loaded data through the restapi, but I'm sorry to prompt "path bindings is owned by bundle " authz \ "

2. When OPA is started, 5g data is loaded into OPA through restapi; Subsequent updates through API; This disadvantage feels that a large amount of data needs to be written through the API. I don't know how the performance is; Of course, I can deploy multiple OPAs by business; The feeling is not very perfect;

I don't know if there is a good solution to load quickly and update the data in it