-
Notifications
You must be signed in to change notification settings - Fork 2
/
opa_provider.go
368 lines (314 loc) · 11.9 KB
/
opa_provider.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
package openpolicyagent
import (
"bytes"
"crypto/tls"
"crypto/x509"
_ "embed"
"encoding/json"
"errors"
"fmt"
"net/url"
"github.com/hexa-org/policy-mapper/api/policyprovider"
"github.com/hexa-org/policy-mapper/pkg/hexapolicy"
"github.com/hexa-org/policy-mapper/pkg/oauth2support"
"golang.org/x/oauth2/clientcredentials"
"github.com/hexa-org/policy-mapper/providers/aws/awscommon"
"github.com/hexa-org/policy-mapper/providers/openpolicyagent/compressionsupport"
"math/rand"
"net/http"
"os"
"path/filepath"
"strings"
"time"
log "golang.org/x/exp/slog"
"github.com/go-playground/validator/v10"
)
//go:embed resources/bundles/bundle/hexaPolicy.rego
var hexaRego []byte
//go:embed resources/bundles/bundle/.manifest
var manifest []byte
const ProviderTypeOpa string = "opa"
type BundleClient interface {
// GetDataFromBundle calls the bundle client, retrieves the bundle and extracts the results to the path provided
GetDataFromBundle(path string) ([]byte, error)
PostBundle(bundle []byte) (int, error)
Type() string
}
type OpaProvider struct {
BundleClientOverride BundleClient
HttpClient *http.Client
JwtHandler oauth2support.JwtClientHandler
}
func (o *OpaProvider) Name() string {
return ProviderTypeOpa
}
func (o *OpaProvider) DiscoverApplications(info policyprovider.IntegrationInfo) ([]policyprovider.ApplicationInfo, error) {
c, err := o.credentials(info.Key)
if err != nil {
return nil, err
}
var apps []policyprovider.ApplicationInfo
if strings.EqualFold(info.Name, o.Name()) {
apps = append(apps, c.getApplicationInfo())
}
return apps, nil
}
func (o *OpaProvider) GetPolicyInfo(integration policyprovider.IntegrationInfo, _ policyprovider.ApplicationInfo) ([]hexapolicy.PolicyInfo, error) {
key := integration.Key
client, err := o.ConfigureClient(key)
if err != nil {
msg := fmt.Sprintf("open-policy-agent, unable to build client: %s", err)
log.Error(msg)
return nil, fmt.Errorf("invalid client: %w", err)
}
random := rand.New(rand.NewSource(time.Now().UnixNano()))
path := filepath.Join(os.TempDir(), fmt.Sprintf("/opa-bundle-%d", random.Uint64()))
data, err := client.GetDataFromBundle(path)
if err != nil {
log.Warn("open-policy-agent, unable to retrieve bundle data file. %s\n", err)
return nil, err
}
var policies hexapolicy.Policies
unmarshalErr := json.Unmarshal(data, &policies)
if unmarshalErr != nil {
return nil, unmarshalErr
}
return policies.Policies, nil
}
func (o *OpaProvider) SetPolicyInfo(integration policyprovider.IntegrationInfo, appInfo policyprovider.ApplicationInfo, policyInfos []hexapolicy.PolicyInfo) (int, error) {
validate := validator.New() // todo - move this up?
errApp := validate.Struct(appInfo)
if errApp != nil {
return http.StatusInternalServerError, fmt.Errorf("invalid app info: %w", errApp)
}
errPolicies := validate.Var(policyInfos, "omitempty,dive")
if errPolicies != nil {
return http.StatusInternalServerError, fmt.Errorf("invalid policy info: %w", errPolicies)
}
key := integration.Key
client, err := o.ConfigureClient(key)
if err != nil {
log.Warn("open-policy-agent, unable to build client: %s", err)
return http.StatusInternalServerError, fmt.Errorf("invalid client: %w", err)
}
var policies []hexapolicy.PolicyInfo
for _, p := range policyInfos {
// Set up and update the Meta block...
now := time.Now()
meta := p.Meta
if meta.Created == nil {
meta.Created = &now
}
meta.Modified = &now
meta.PapId = &appInfo.ObjectID
meta.ProviderType = ProviderTypeOpa
if meta.PolicyId == nil {
// Assign a default policy id based on the resourceId. If not available, use the Pap ObjectID. An alias is appended to ensure uniqueness
alias := generateAliasOfSize(3)
resId := *meta.PapId
if p.Object.ResourceID != "" {
resId = p.Object.ResourceID
}
pid := fmt.Sprintf("%s_%s", resId, alias)
meta.PolicyId = &pid
}
p.Meta = meta
policies = append(policies, p)
}
data, marshalErr := json.Marshal(hexapolicy.Policies{Policies: policies})
if marshalErr != nil {
log.Warn("open-policy-agent, unable to create data file. %s\n", marshalErr)
return http.StatusInternalServerError, marshalErr
}
bundle, copyErr := MakeHexaBundle(data)
if copyErr != nil {
log.Warn("open-policy-agent, unable to create default bundle. %s\n", copyErr)
return http.StatusInternalServerError, copyErr
}
defer func() {
if err := recover(); err != nil {
log.Warn("unable to set policy: %v", err)
}
}()
return client.PostBundle(bundle.Bytes())
}
// MakeHexaBundle will generate a default bundle with current rego. If data is nil, an empty set of policies is generated.
func MakeHexaBundle(data []byte) (bytes.Buffer, error) {
tempDir, err := os.MkdirTemp("", "policy-opa-*")
defer func(path string) {
_ = os.RemoveAll(path)
}(tempDir)
if err != nil {
log.Error("unable to create temporary directory: %s", err)
return bytes.Buffer{}, err
}
_ = os.Mkdir(filepath.Join(tempDir, "/bundles"), 0744)
_ = os.Mkdir(filepath.Join(tempDir, "/bundles/bundle"), 0744)
_ = os.WriteFile(filepath.Join(tempDir, "/bundles/bundle/.manifest"), manifest, 0644)
if data == nil {
emptyPolicies := hexapolicy.Policies{}
data, _ = json.Marshal(&emptyPolicies)
}
_ = os.WriteFile(filepath.Join(tempDir, "/bundles/bundle/data.json"), data, 0644)
_ = os.WriteFile(filepath.Join(tempDir, "/bundles/bundle/hexaPolicy.rego"), hexaRego, 0644)
tar, _ := compressionsupport.TarFromPath(filepath.Join(tempDir, "/bundles"))
var buffer bytes.Buffer
_ = compressionsupport.Gzip(&buffer, tar)
return buffer, nil
}
type Credentials struct {
// ProjectID string `json:"project_id,omitempty"`
BundleUrl string `json:"bundle_url"`
CACert string `json:"ca_cert,omitempty"`
Authorization string `json:"authorization,omitempty"`
GCP *GcpCredentials `json:"gcp,omitempty"`
AWS *AwsCredentials `json:"aws,omitempty"`
GITHUB *GithubCredentials `json:"github,omitempty"`
Client *clientcredentials.Config `json:"oauth_client,omitempty"`
}
func (c Credentials) objectID() string {
switch c.opaType() {
case BundleTypeGcp:
return c.GCP.BucketName
case BundleTypeAws:
return c.AWS.BucketName
case BundleTypeGithub:
return c.GITHUB.Repo
}
bundleUrl, _ := url.Parse(c.BundleUrl)
httpId := fmt.Sprintf("%s/%s", bundleUrl.Host, bundleUrl.Path)
return httpId
}
func (c Credentials) opaType() string {
if c.GCP != nil {
return BundleTypeGcp
}
if c.AWS != nil {
return BundleTypeAws
}
if c.GITHUB != nil {
return BundleTypeGithub
}
return BundleTypeHttp
}
func (c Credentials) getApplicationInfo() policyprovider.ApplicationInfo {
opaType := c.opaType()
switch opaType {
case BundleTypeAws, BundleTypeGithub, BundleTypeGcp:
return policyprovider.ApplicationInfo{
ObjectID: c.objectID(),
Name: fmt.Sprintf("OPA %s Bucket %s", opaType, c.objectID()),
Description: fmt.Sprintf("OPA %s Bundle Service", opaType),
Service: fmt.Sprintf("OPA %s", opaType),
}
default:
return policyprovider.ApplicationInfo{
ObjectID: c.objectID(),
Name: fmt.Sprintf("OPA %s %s", BundleTypeHttp, c.BundleUrl),
Description: "OPA HTTP Bundle Service",
Service: fmt.Sprintf("OPA %s", BundleTypeHttp),
}
}
}
type GcpCredentials struct {
BucketName string `json:"bucket_name,omitempty"`
ObjectName string `json:"object_name,omitempty"`
Key json.RawMessage `json:"key,omitempty"`
}
type AwsCredentials GcpCredentials
type GithubCredentials struct {
Account string `json:"account,omitempty"`
Repo string `json:"repo,omitempty"`
BundlePath string `json:"bundlePath,omitempty"`
Key json.RawMessage `json:"key,omitempty"`
}
func (o *OpaProvider) credentials(key []byte) (Credentials, error) {
var foundCredentials Credentials
err := json.NewDecoder(bytes.NewReader(key)).Decode(&foundCredentials)
if err != nil {
return Credentials{}, fmt.Errorf("invalid integration key: %w", err)
}
// if foundCredentials.ProjectID == "" {
// foundCredentials.ProjectID = "package authz"
// }
return foundCredentials, nil
}
func (o *OpaProvider) IsOAuthClient() bool {
return o.JwtHandler != nil
}
func (o *OpaProvider) ConfigureClient(key []byte) (BundleClient, error) {
integrationCredential, err := o.credentials(key)
if err != nil {
return nil, err
}
if integrationCredential.GCP != nil {
return NewGCPBundleClient(
integrationCredential.GCP.BucketName,
integrationCredential.GCP.ObjectName,
integrationCredential.GCP.Key,
)
}
if integrationCredential.AWS != nil {
return NewAWSBundleClient(
integrationCredential.AWS.BucketName,
integrationCredential.AWS.ObjectName,
integrationCredential.AWS.Key,
awscommon.AWSClientOptions{},
)
}
if integrationCredential.GITHUB != nil {
return NewGithubBundleClient(
integrationCredential.GITHUB.Account,
integrationCredential.GITHUB.Repo,
integrationCredential.GITHUB.BundlePath,
integrationCredential.GITHUB.Key,
GithubBundleClientOptions{})
}
if o.BundleClientOverride != nil {
return o.BundleClientOverride, nil
}
// If there is an externally provided HTTP client, these defaults will not be set including CA Cert install
if o.HttpClient == nil {
client := &http.Client{
Timeout: 10 * time.Second,
}
if integrationCredential.CACert != "" {
log.Debug("Installing CA certificate.")
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM([]byte(integrationCredential.CACert))
client.Transport = &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: caCertPool,
},
}
}
o.HttpClient = client
}
if integrationCredential.Client != nil {
log.Debug("Configuring OAuth2 Client credentials support")
o.JwtHandler = oauth2support.NewJwtClientHandlerWithConfig(integrationCredential.Client, o.HttpClient)
o.HttpClient = o.JwtHandler.GetHttpClient()
}
bundleUrl, err := url.Parse(integrationCredential.BundleUrl)
if err != nil {
return nil, errors.New(fmt.Sprintf("error parsing bundleUrl: %s", err.Error()))
}
if bundleUrl.Path == "" || bundleUrl.Path == "/" {
log.Debug("Defaulting bundle path to: bundles/bundle.tar.gz")
bundleUrl.Path = "/bundles/bundle.tar.gz"
}
var authorization *string
if integrationCredential.Authorization != "" {
if strings.Contains(integrationCredential.Authorization, " ") {
authorization = &integrationCredential.Authorization
} else {
bearer := fmt.Sprintf("Bearer %s", integrationCredential.Authorization)
authorization = &bearer
}
}
return &HTTPBundleClient{
BundleServerURL: bundleUrl.String(),
HttpClient: o.HttpClient,
Authorization: authorization,
}, nil
}