Add support for OPA: add resource opa_cli and opa_api #5592

Vasu1105 · 2021-07-08T13:14:17Z

Signed-off-by: Vasu1105 vasundhara.jagdale@chef.io

Description

This adds support for OPA by adding opa_cli resource and opa_api resource.

It assumes that opa command is executable on the targeted system.
It assumes the data file and the policy file required for opa_cli is present on the target system
For opa_api resource use need to provide OPA server URL and the data to be used.
Have both Linux and Windows support

opa cli gives the result in the following JSON format

$ opa eval -i input.json -d example.rego "data.example.allow"
{
  "result": [
    {
      "expressions": [
        {
          "value": false,
          "text": "data.example.allow",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}

another example

$ opa eval -i input.json -d example.rego "data.example.violation[x]"
{
  "result": [
    {
      "expressions": [
        {
          "value": "ci",
          "text": "data.example.violation[x]",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ],
      "bindings": {
        "x": "ci"
      }
    },
    {
      "expressions": [
        {
          "value": "busybox",
          "text": "data.example.violation[x]",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ],
      "bindings": {
        "x": "busybox"
      }
    }
  ]
}

OPA API gives output in the following format

$ curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input.json -H 'Content-Type: application/json'
{"result":["ci","busybox"]}

curl -X POST localhost:8181/v1/data/example/allow -d @v1-data-input.json -H 'Content-Type: application/json'
{"result":false}

local tested examples

describe opa_cli(query: "data.example.violation[x]", policy: "/path-to-policy-file/example.rego", data: "path-to-data-file/input.json") do
  its(["result", 0, "expressions", 0, "value"]) { should eq 'ci' }
  its(["result", 1, "expressions", 0, "value"]) { should eq 'busybox' }
end

describe opa_cli(query: "data.example.allow", policy: "/path-to-policy-file/example.rego", data: "path-to-data-file/input.json") do
  its(["result", 0, "expressions", 0, "value"]) { should eq true }
  its(["result", 0, "expressions", 0, "value"]) { should eq false }
  its("allow") { should eq false }
  its("allow") { should cmp "false" }
end

On windows

describe opa_cli(query: "data.example.violation[x]", policy: "C:\\Users\\Vasundhara\\workspace\\opa-work\\example.rego", data: "C:\\Users\\Vasundhara\\workspace\\opa-work\\input.json") do
  its(["result", 0, "expressions", 0, "value"]) { should eq 'ci' }
  its(["result", 1, "expressions", 0, "value"]) { should eq 'busybox' }
end

describe opa_cli(query: "data.example.allow", policy: "C:\\Users\\Vasundhara\\workspace\\opa-work\\example.rego", data: "C:\\Users\\Vasundhara\\workspace\\opa-work\\input.json") do
  its(["result", 0, "expressions", 0, "value"]) { should eq true }
  its(["result", 0, "expressions", 0, "value"]) { should eq false }
  its("allow") { should eq false }
  its("allow") { should cmp "false" }
end

Related Issue

Fix #5575

Types of changes

Bug fix (non-breaking change which fixes an issue)
New content (non-breaking change)
Breaking change (a content change which would break existing functionality or processes)

Checklist:

I have read the CONTRIBUTING document.

Signed-off-by: Vasu1105 <vasundhara.jagdale@chef.io>

netlify · 2021-07-08T13:14:21Z

✔️ Deploy Preview for chef-inspec ready!

🔨 Explore the source changes: da9693a

🔍 Inspect the deploy log: https://app.netlify.com/sites/chef-inspec/deploys/60ffabc592bbb90008cba526

😎 Browse the preview: https://deploy-preview-5592--chef-inspec.netlify.app

clintoncwolfe · 2021-07-08T23:24:17Z

lib/inspec/resources/opa_api.rb

+    def initialize(opts={})
+      @url = opts[:url]
+      @data = opts[:data]
+      fail_resource "policy and data are the mandatory for executing OPA." if @url.nil? && @data.nil?


I think this should be an ||, and also you should update the message to be "url and data are mandatory", not "policy and data".

clintoncwolfe · 2021-07-08T23:27:01Z

lib/inspec/resources/opa_cli.rb

+      @policy = opts[:policy] || nil
+      @data = opts[:data] || nil
+      @query = opts[:query] || nil
+      fail_resource "policy and data are the mandatory for executing OPA." if @policy.nil? && @data.nil?


"policy and data are mandataory..." - no "the".

Also, this should probably be a ||.

Isn't query mandatory as well?

clintoncwolfe · 2021-07-08T23:28:19Z

lib/inspec/resources/opa_cli.rb

+    def load_result
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+      result = inspec.command("opa eval -i '#{@data}' -d '#{@policy}' '#{@query}'")


You will probably want to make the path to the opa command an option.

I was assuming that the user will export that in the PATH variable but this can be good option too. Should we consider "opa" as the default value for the path? considering that the user sets the path for executable in PATH variable ?

Signed-off-by: Vasu1105 <vasundhara.jagdale@chef.io>

Nik08 · 2021-07-20T08:07:55Z

Looks good to me!

IanMadd · 2021-07-26T23:09:52Z

docs-chef-io/content/inspec/resources/opa_api.md

+
+- `'url'` specifies the url of the OPA server on which OPA is running.
+- `'data'` specifies the json formatted data or json file.
+- `its(["result"]) { should eq 'value' }` compares the results of the query against the expected result in the test


Suggested change

- `its(["result"]) { should eq 'value' }` compares the results of the query against the expected result in the test

- `its(["returned_result"]) { should eq 'expected_result' }` compares the results of the query against the expected result in the test.

IanMadd · 2021-07-26T23:10:16Z

docs-chef-io/content/inspec/resources/opa_api.md

+    parent = "inspec/resources/os"
+++
+
+Use the `opa_api` Chef InSpec audit resource to query the OPA using the OPA url and data.


Suggested change

Use the `opa_api` Chef InSpec audit resource to query the OPA using the OPA url and data.

Use the `opa_api` Chef InSpec audit resource to query Open Policy Agent (OPA) using the OPA URL and data.

IanMadd · 2021-07-26T23:10:29Z

docs-chef-io/content/inspec/resources/opa_api.md

+
+## Syntax
+
+A `opa_api` resource


Suggested change

A `opa_api` resource

An `opa_api` resource block declares OPA policy configurations that can be tested.

IanMadd · 2021-07-26T23:10:43Z

docs-chef-io/content/inspec/resources/opa_api.md

+
+## parameters
+
+`opa_api` resource InSpec resource accepts `url` and `data`


Suggested change

`opa_api` resource InSpec resource accepts `url` and `data`

The `opa_api` resource InSpec resource requires a `url` and `data` as a JSON file or a string in JSON format.

IanMadd · 2021-07-26T23:10:50Z

docs-chef-io/content/inspec/resources/opa_api.md

+
+### `url` _(required)_
+
+URL of the OPA API server.


Suggested change

URL of the OPA API server.

The URL of the OPA API server.

IanMadd · 2021-07-26T23:10:52Z

docs-chef-io/content/inspec/resources/opa_api.md

+
+### `data` _(required)_
+
+This accepts input.json file or input data in json format.


Suggested change

This accepts input.json file or input data in json format.

An OPA query as a JSON data file or a string in JSON format.

IanMadd · 2021-07-26T23:11:18Z

docs-chef-io/content/inspec/resources/opa_api.md

+      its("allow") { should eq "true" }
+    end
+
+Above example shows how `allow` value can be fetched in 2 ways.


Suggested change

Above example shows how `allow` value can be fetched in 2 ways.

The above example shows how the `allow` value can be fetched in two ways.

IanMadd

Docs suggestions

IanMadd · 2021-07-26T23:30:36Z