package main
import (
"context"
"fmt"
"os"
"github.com/open-policy-agent/opa/logging"
"github.com/open-policy-agent/opa/sdk"
)
// policyService is the authorization seam used by the rest of the program:
// eval takes the caller's policyRequest as policy input and reports whether
// the decision is allow (true) or deny (false). Implementations are expected
// to be fail-closed — a non-nil error always accompanies false, never true.
type policyService interface {
eval(context.Context, policyRequest) (bool, error)
}
// opaSDK implements policyService by delegating every decision to an embedded
// OPA SDK instance (see newOPASDK for construction and eval for the query).
// A compile-time assertion, `var _ policyService = (*opaSDK)(nil)`, would
// make this contract explicit; it is currently only enforced at the call site.
type opaSDK struct {
// opa is the running SDK instance; it is created in newOPASDK and is the
// only field, so the zero value of opaSDK is not usable.
opa *sdk.OPA
}
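// newOPASDK builds the OPA-backed policyService from ./resources/opa_config.yaml.
//
// The config path is relative to the process working directory, so the binary
// must be started from the directory that contains resources/ (or the path
// adjusted) for construction to succeed. The file handle is closed before
// returning, so sdk.New is presumably expected to consume the config
// synchronously — TODO confirm against the SDK version in go.mod.
//
// NOTE(review): the returned instance owns a started SDK; nothing in this type
// exposes a way to stop it on shutdown. Confirm whether the caller is expected
// to call opa.Stop, and add a Stop/Close method if so.
//
// Returns a wrapped error when the config cannot be opened or the SDK fails
// to start (for example an invalid config or a bundle that cannot be
// activated); errors.Is/errors.As still see the underlying cause.
func newOPASDK(ctx context.Context) (*opaSDK, error) {
	const configPath = "./resources/opa_config.yaml"

	f, err := os.Open(configPath)
	if err != nil {
		// Include the path: "no such file" alone is unhelpful when the
		// failure is really a wrong working directory.
		return nil, fmt.Errorf("opening opa config %q: %w", configPath, err)
	}
	// Read-only handle: a Close error carries nothing we would act on.
	defer f.Close()

	// Named instance rather than sdk so the package identifier is not
	// shadowed inside the function.
	instance, err := sdk.New(ctx, sdk.Options{
		Logger: logging.New(),
		Config: f,
	})
	if err != nil {
		return nil, fmt.Errorf("creating opa sdk instance: %w", err)
	}
	return &opaSDK{opa: instance}, nil
}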
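// eval asks OPA for the "policy/authz" decision with r as the policy input and
// reports whether it evaluated to true.
//
// The method is fail-closed: an SDK error (including a cancelled ctx), a nil
// result, or a result that is not a bool all yield (false, err). Callers must
// treat a non-nil error as a denial, never as "unknown" or "allow".
//
// Returns the decision and nil on success; false and a wrapped error otherwise.
func (o *opaSDK) eval(ctx context.Context, r policyRequest) (bool, error) {
	res, err := o.opa.Decision(ctx, sdk.DecisionOptions{
		Input: r,
		Path:  "policy/authz",
	})
	if err != nil {
		return false, fmt.Errorf("failed to evaluate policy: %w", err)
	}
	// Guard a nil result explicitly (regardless of whether the SDK already
	// reports undefined decisions as errors) so it is distinguishable from a
	// typed-but-wrong result below.
	if res.Result == nil {
		return false, fmt.Errorf("authz decision is nil")
	}
	authz, ok := res.Result.(bool)
	if !ok {
		// %T must be applied to the result itself; applying it to the bool
		// ok would always print "bool" and hide the actual type.
		return false, fmt.Errorf("authz not bool, but %T (%#v)", res.Result, res.Result)
	}
	return authz, nil
}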