Open Policy Agent (OPA) middleware for actix-web

actix-web-middleware-opa

Open Policy Agent (openpolicyagent/OPA) middleware for actix-web applications.

This middleware performs a policy check against an Open Policy Agent instance for incoming HTTP requests.

Both the policy check request and response are generic.

Flow

Components

Example

Take the following request:

curl -XGET -H 'Authorization: Bearer 123123123' http://localhost:8080/order/item/1

This needs to be translated into a JSON request to OPA:

{
  "input" : {
    "token"  : "123123123",
    "method" : "GET",
    "path"   : ["order", "item", "1"]
  }
}

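We represent this as two Rust structs which implement Serialize:

use serde::Serialize; // needs serde's "derive" feature

// Top-level document sent to OPA; the policy reads everything under "input".
#[derive(Serialize)]
struct PolicyRequest {
    input: PolicyRequestInput,
}

// Request attributes the policy decides on.
#[derive(Serialize)]
struct PolicyRequestInput {
    token: String,
    method: String,
    path: Vec<String>,
}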

The expected response is a JSON object:

{
   "result" : {
      "allow" : true
   }
}

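We represent this as two Rust structs which implement Deserialize:

use serde::Deserialize; // needs serde's "derive" feature

// The field name must match the "result" key of the OPA response.
#[derive(Deserialize)]
struct PolicyResponse {
    result: PolicyResponseResult,
}

#[derive(Deserialize)]
struct PolicyResponseResult {
    allow: bool,
}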

Lastly we have to implement the OPARequest<S> trait so that

    use actix_web::HttpRequest;

    impl<S> OPARequest<S> for PolicyRequest {
        fn from_http_request(_req: &HttpRequest<S>) -> Result<Self, String> {
            // This needs to be constructed from _req
            Ok(PolicyRequest {
                input: PolicyRequestInput {
                    token: "123".into(),
                    method: "GET".into(),
                    path: vec!["order".into(), "item".into(), "1".into()],
                },
            })
        }
    }
    type VerifierMiddleware = PolicyVerifier<PolicyRequest, PolicyResponse>;
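
The `from_http_request` body above returns fixed values. The following added example (not code from this crate) shows one way to derive `token`, `method` and `path` from the parts of a request, using only the standard library so it runs without actix-web. `build_input`, `bearer_token` and `path_segments` are hypothetical helper names, and rejecting dot segments is a choice made for this example.

```rust
// Added example: `build_input` and its helpers are hypothetical, not crate API.
#[derive(Debug, PartialEq)]
struct PolicyRequestInput {
    token: String,
    method: String,
    path: Vec<String>,
}

/// Extract the credential from an `Authorization: Bearer <token>` value.
fn bearer_token(header: Option<&str>) -> Result<String, String> {
    let value = header.ok_or("missing Authorization header")?;
    let mut parts = value.trim().splitn(2, ' ');
    let scheme = parts.next().unwrap_or("");
    let token = parts.next().unwrap_or("").trim();
    // Auth scheme names are case-insensitive; an empty token is no credential.
    if !scheme.eq_ignore_ascii_case("Bearer") || token.is_empty() {
        return Err("expected 'Bearer <token>'".to_string());
    }
    Ok(token.to_string())
}

/// Split the request target into the segment list sent as `input.path`.
fn path_segments(uri: &str) -> Result<Vec<String>, String> {
    let path = uri.split('?').next().unwrap_or(""); // drop the query string
    let mut segments = Vec::new();
    for seg in path.split('/').filter(|s| !s.is_empty()) {
        // Example's choice: refuse dot segments the router could resolve differently.
        if seg == "." || seg == ".." {
            return Err(format!("dot segment in path: {}", seg));
        }
        segments.push(seg.to_string());
    }
    Ok(segments)
}

/// Any Err means no input could be built; the caller should deny the request.
fn build_input(method: &str, uri: &str, auth: Option<&str>) -> Result<PolicyRequestInput, String> {
    Ok(PolicyRequestInput {
        token: bearer_token(auth)?,
        method: method.to_string(),
        path: path_segments(uri)?,
    })
}

fn main() {
    // Constructed request matching the curl call above.
    println!("{:?}", build_input("GET", "/order/item/1", Some("Bearer 123123123")));
}
```

Inside `from_http_request`, the `Err(String)` from such a helper can be returned as-is, since the trait method already returns `Result<Self, String>`.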