Skip to content

jferrater/opa-data-filter-jpa-demo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
gradle/wrapper
gradle/wrapper
 
 
src
src
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
Dockerfile
Dockerfile
 
 
Dockerfile_OPA
Dockerfile_OPA
 
 
README.md
README.md
 
 
build.gradle
build.gradle
 
 
diagram.png
diagram.png
 
 
docker-compose.yml
docker-compose.yml
 
 
gradlew
gradlew
 
 
gradlew.bat
gradlew.bat
 
 
opa_linux_amd64_v0.22.0
opa_linux_amd64_v0.22.0
 
 
petclinic_policy.rego
petclinic_policy.rego
 
 
run_opa.sh
run_opa.sh
 
 
settings.gradle
settings.gradle
 
 

Repository files navigation

Pet Profile Microservice

Build Status

This is a sample Spring Boot application that uses opa-data-filter-spring-boot-starter.

Use cases

  1. “Pet owners can access their own pet’s profiles.”
  2. “Veterinarians can access pet profiles from devices at the clinic.”

Design

Spring Boot App with OPA Data Filter

The Policy

In order to meet the use cases, the following policy is set in the Open Policy Agent server.

package petclinic.authz

default allow = false

allow {
  input.method = "GET"
  input.path = ["pets", name]
  allowed[pet]
  pet.name = name
}

allow {
  input.method = "GET"
  input.path = ["pets"]
  allowed[pet]
}

allowed[pet] {
  pet = data.pets[_]
  pet.owner = input.subject.user
}

allowed[pet] {
  pet = data.pets[_]
  pet.veterinarian = input.subject.user
  pet.clinic = input.subject.location
}

Running the Project

Pre-requisites

  • java 11 or hihger
  • docker-compose

Quick Start

  1. git clone https://github.com/jferrater/opa-data-filter-demo.git
  2. cd opa-data-filter-demo && ./gradlew bootJar
  3. docker-compose up --build
    The docker-compose will run the PetProfile service, Open Policy Agent server with a policy, petclinic_policy.rego and a MariaDB with initial data from classpath:sql/init.sql
  4. Open http://localhost:8081/swagger-ui.html for API documentation.

Testing

Configured users are alice and bob. alice is a veterinarian of the pet with name browny and bob is the pet owner.

curl -i --user alice:password -H "X-ORG-HEADER: SOMA" http://localhost:8081/pets

curl -i --user bob:password -H "X-ORG-HEADER: SOMA" http://localhost:8081/pets
  • alice should be able to see all the pets assigned to her.
  • bob should only see his pet with name browny

Project Implementation

Dependencies

The following dependencies were added in the project to enforce authorization at the Spring Data repository.

implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
implementation group:'com.github.jferrater', name: 'opa-datafilter-jpa-spring-boot-starter', version: '0.4.4'

Configuration

The configuration is defined in the classpath:application-mariadb.yml. This is the configuration used when running command ./gradlew -Dspring.profiles.active=mariadb bootRun

opa:
  authorization:
    url: "http://localhost:8181/v1/compile"
  partial-request:
    query: "data.petclinic.authz.allow = true"
    unknowns:
      - "data.pets"
    user-attribute-to-http-header-map:
      organization: X-ORG-HEADER
    log-partial-request: true

#Spring Data JPA specific configurations
spring:
  datasource:
    driver-class-name: org.mariadb.jdbc.Driver
    url: jdbc:mariadb://localhost:3306/integrationTest
    username: admin
    password: MangaonTaNiny0!

Contact

Contact me at joffry.ferrater@gmail.com for feedback and suggestions.

About

Demo project for opa-datafilter-jpa-spring-boot-starter.

Resources

Readme
Activity

Stars

4 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

 
 
 

Languages