This project demonstrates how to use OPA (Open Policy Agent) for authorization in TypeScript, with the policy compiled to WebAssembly.
RBAC examples reference: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
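# Fetch the pinned OPA release together with the SHA-256 file published next to it.
# -f makes curl fail on an HTTP error instead of saving the error page as the binary.
curl -fL -o opa_linux_amd64 https://openpolicyagent.org/downloads/v0.29.4/opa_linux_amd64
curl -fL -o opa_linux_amd64.sha256 https://openpolicyagent.org/downloads/v0.29.4/opa_linux_amd64.sha256
# Verify before installing; do not continue if this reports a mismatch.
# The digest is served from the same host as the binary, so it catches a corrupted
# or truncated download rather than a compromised download site.
sha256sum -c opa_linux_amd64.sha256
# Install the verified binary on PATH and make it executable.
mv opa_linux_amd64 /usr/local/bin/opa
chmod 755 /usr/local/bin/opa
# Confirm the installed binary runs.
opa -h
# Install the Node.js dependencies of the demo.
npm install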
- example.rego
package example

# Deny by default: `allow` is false unless the rule body below succeeds.
default allow = false

# Grant access when any role assigned to input.user carries a permission
# equal to the requested {action, object} pair.
#
# NOTE(review): the policy takes input.user as given. The caller should
# populate it from an authenticated identity, not from request-supplied data.
allow {
	# Iterate over the roles listed for the user in data.user_roles.
	# A user with no entry yields no roles, so the default above applies.
	role := data.user_roles[input.user][_]

	# Iterate over the permissions listed for that role in data.role_permissions.
	granted := data.role_permissions[role][_]

	# Exact match on both fields; there is no wildcard or prefix handling.
	granted == {"action": input.action, "object": input.object}
}
- The data document is generated dynamically at runtime; an example follows:
- Reference: https://github.com/weihanchen/opa-webassembly-ts/blob/master/app.ts#L9
// NOTE(review): this document decides who may do what. Build it from a trusted
// server-side source, never from request input.
{
// user-role assignments: user name -> list of role names
"user_roles": {
"userA": ["editor"],
},
// role-permissions assignments: role name -> list of { action, object } grants
"role_permissions": {
"editor": [{ "action": "edit", "object": "article" }],
},
}
# Compile ./example.rego to a WebAssembly bundle with example/allow as the entrypoint,
# then extract policy.wasm from the resulting bundle.tar.gz.
opa build -t wasm -e 'example/allow' ./example.rego && tar -xzf ./bundle.tar.gz /policy.wasm
# or npm run build:opa
# Run the demo with a JSON input document (user, object, action) as its argument.
# NOTE(review): callers of the compiled policy should deny unless the result is exactly
# true; an empty or missing result must not be treated as an allow.
npm start -- "{\"user\":\"userA\",\"object\":\"article\",\"action\":\"edit\"}"
[
{
"result": true
}
]
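# Run the policy unit tests verbosely. The install steps move the binary to
# /usr/local/bin, so call it through PATH rather than as ./opa.
# NOTE(review): the build step reads ./example.rego while this globs policy/*.rego.
# Confirm where the policy and its tests live.
opa test -v policy/*.rego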