In [1]:
import requests
from pprint import pprint
import json

# https://www.openpolicyagent.org/docs/latest/rest-api/
URL_PREFIX = 'http://localhost:8181'

headers = {
    'content-type': 'application/json'
}

def _dump(r):
    print(f'\nResponse:\n{r.status_code}')
    try:
        pprint(r.json())
    except:
        print(r.text)

# Policy

The Policy API exposes CRUD endpoints for managing policy modules. Policy modules can be added, removed, and modified at any time.

## List Policies

In [2]:
url = URL_PREFIX + '/v1/policies'
print(url)
params = {}
r = requests.get(url=url, headers=headers, params=params)
_dump(r)

http://localhost:8181/v1/policies

Response:
200
{'result': [{'ast': {'comments': [{'Location': {'col': 53,
                                                'file': '/opa-examples/example.rego',
                                                'row': 5},
                                   'Text': 'IHVubGVzcyBvdGhlcndpc2UgZGVmaW5lZCwgYWxsb3cgaXMgZmFsc2U='},
                                  {'Location': {'col': 53,
                                                'file': '/opa-examples/example.rego',
                                                'row': 7},
                                   'Text': 'IGFsbG93IGlzIHRydWUgaWYuLi4='},
                                  {'Location': {'col': 53,
                                                'file': '/opa-examples/example.rego',
                                                'row': 8},
                                   'Text': 'IHRoZXJlIGFyZSB6ZXJvIHZpb2xhdGlvbnMu'},
                                  {'Location': {'col': 53,
                

## Get a Policy

In [4]:
policy_id = 'example1'
url = URL_PREFIX + f'/v1/policies/{policy_id}'
print(url)
params = {}
r = requests.get(url=url, headers=headers, params=params)
_dump(r)

http://localhost:8181/v1/policies/example1

Response:
200
{'result': {'ast': {'package': {'path': [{'type': 'var', 'value': 'data'},
                                         {'type': 'string',
                                          'value': 'system'}]},
                    'rules': [{'body': [{'generated': True,
                                         'index': 0,
                                         'terms': [{'type': 'ref',
                                                    'value': [{'type': 'var',
                                                               'value': 'eq'}]},
                                                   {'type': 'var',
                                                    'value': '__local10__'},
                                                   {'type': 'ref',
                                                    'value': [{'type': 'var',
                                                               'value': 'input'},
                                 

## Create/Update a Policy

In [3]:
headers['content-type'] = 'text/plain'

policy_id = 'example1'
url = URL_PREFIX + f'/v1/policies/{policy_id}'
params = {}
data = """package system

import rego.v1

main := msg if {
	msg := sprintf("hello, %v", [input.user])
}"""
r = requests.put(url=url, headers=headers, params=params, data=data)
_dump(r)
headers['content-type'] = 'application/json'


Response:
200
{}


## Delete a Policy

In [52]:
policy_id = 'example1'
url = URL_PREFIX + f'/v1/policies/{policy_id}'
params = {}
r = requests.delete(url=url, headers=headers, params=params, data=data)
_dump(r)

200
{}


# Data

The Data API exposes endpoints for reading and writing documents in OPA.

## Create/Overwrite a Document

In [102]:
input_json = {
    "servers": [
        {"id": "app", "protocols": ["https", "ssh"], "ports": ["p1", "p2", "p3"]},
        {"id": "db", "protocols": ["mysql"], "ports": ["p3"]},
        {"id": "cache", "protocols": ["memcache"], "ports": ["p3"]},
        {"id": "ci", "protocols": ["http"], "ports": ["p1", "p2"]},
        {"id": "busybox", "protocols": ["telnet"], "ports": ["p1"]}
    ],
    "networks": [
        {"id": "net1", "public": False},
        {"id": "net2", "public": False},
        {"id": "net3", "public": True},
        {"id": "net4", "public": True}
    ],
    "ports": [
        {"id": "p1", "network": "net1"},
        {"id": "p2", "network": "net3"},
        {"id": "p3", "network": "net2"}
    ]
}

In [33]:
data_path = '/examples/input1.json'

In [104]:
url = URL_PREFIX + f'/v1/data{data_path}'
print(url)
params = {}
data = input_json
print(f'Request:\nurl={url}\nheaders={headers}\nparms={params}\ndata={data}')

r = requests.put(url=url, headers=headers, params=params, data=json.dumps(data))
_dump(r)

http://localhost:8181/v1/data/examples/input1.json
Request:
url=http://localhost:8181/v1/data/examples/input1.json
headers={'content-type': 'application/json'}
parms={}
data={'servers': [{'id': 'app', 'protocols': ['https', 'ssh'], 'ports': ['p1', 'p2', 'p3']}, {'id': 'db', 'protocols': ['mysql'], 'ports': ['p3']}, {'id': 'cache', 'protocols': ['memcache'], 'ports': ['p3']}, {'id': 'ci', 'protocols': ['http'], 'ports': ['p1', 'p2']}, {'id': 'busybox', 'protocols': ['telnet'], 'ports': ['p1']}], 'networks': [{'id': 'net1', 'public': False}, {'id': 'net2', 'public': False}, {'id': 'net3', 'public': True}, {'id': 'net4', 'public': True}], 'ports': [{'id': 'p1', 'network': 'net1'}, {'id': 'p2', 'network': 'net3'}, {'id': 'p3', 'network': 'net2'}]}

Response:
204



## Get a Document

In [105]:
url = URL_PREFIX + '/v1/data' + data_path
print(url)
params = {}
r = requests.get(url=url, headers=headers, params=params)
_dump(r)

http://localhost:8181/v1/data/examples/input1.json

Response:
200
{'decision_id': 'bdfdbacb-ce31-4ea9-8d46-6e8cef24b03d',
 'result': {'networks': [{'id': 'net1', 'public': False},
                         {'id': 'net2', 'public': False},
                         {'id': 'net3', 'public': True},
                         {'id': 'net4', 'public': True}],
            'ports': [{'id': 'p1', 'network': 'net1'},
                      {'id': 'p2', 'network': 'net3'},
                      {'id': 'p3', 'network': 'net2'}],
            'servers': [{'id': 'app',
                         'ports': ['p1', 'p2', 'p3'],
                         'protocols': ['https', 'ssh']},
                        {'id': 'db', 'ports': ['p3'], 'protocols': ['mysql']},
                        {'id': 'cache',
                         'ports': ['p3'],
                         'protocols': ['memcache']},
                        {'id': 'ci',
                         'ports': ['p1', 'p2'],
                         'protoco

## Delete a Document

In [59]:
url = URL_PREFIX + '/v1/data' + data_path
print(url)
params = {}
r = requests.delete(url=url, headers=headers, params=params)
_dump(r)

http://localhost:8181/v1/data/examples/input1.json
204



# Query

## Simple Query

If the default decision (defaulting to `/system/main`) is undefined, the server returns 404.

In [108]:
# with policy 'example1' created
url = URL_PREFIX
print(url)
params = {}
data = {
  "user": ["alice"]
}
r = requests.post(url=url, headers=headers, params=params, data=json.dumps(data))
_dump(r)

http://localhost:8181

Response:
200
'hello, ["alice"]'


## Ad-hoc Query

In [114]:
# with policy 'example1' created
url = URL_PREFIX + '/v1/query'
params = {
    'pretty': True,
    'explain': 'debug', # notes, fails, full, debug
}
query = '''input.servers[i].ports[_] = "p2"; input.servers[i].id = id'''
data = {
    "query": query,
    "input": input_json
}
print(f'Request:\nurl={url}\nheaders={headers}\nparms={params}\ndata={data}')

r = requests.post(url=url, headers=headers, params=params, data=json.dumps(data))
_dump(r)

Request:
url=http://localhost:8181/v1/query
headers={'content-type': 'application/json'}
parms={'pretty': True, 'explain': 'debug'}
data={'query': 'input.servers[i].ports[_] = "p2"; input.servers[i].id = id', 'input': {'servers': [{'id': 'app', 'protocols': ['https', 'ssh'], 'ports': ['p1', 'p2', 'p3']}, {'id': 'db', 'protocols': ['mysql'], 'ports': ['p3']}, {'id': 'cache', 'protocols': ['memcache'], 'ports': ['p3']}, {'id': 'ci', 'protocols': ['http'], 'ports': ['p1', 'p2']}, {'id': 'busybox', 'protocols': ['telnet'], 'ports': ['p1']}], 'networks': [{'id': 'net1', 'public': False}, {'id': 'net2', 'public': False}, {'id': 'net3', 'public': True}, {'id': 'net4', 'public': True}], 'ports': [{'id': 'p1', 'network': 'net1'}, {'id': 'p2', 'network': 'net3'}, {'id': 'p3', 'network': 'net2'}]}}

Response:
200
{'explanation': ['query:1     Enter input.servers[i].ports[_] = "p2"; '
                 'input.servers[i].id = id',
                 'query:1     | Eval input.servers[i].ports[_] = "p2"

# Compile

# Health

In [99]:
url = URL_PREFIX + '/health'
params = {}
print(f'Request:\nurl={url}\nheaders={headers}\nparms={params}')

r = requests.get(url=url, headers=headers, params=params)
_dump(r)

Request:
url=http://localhost:8181/health
headers={'content-type': 'application/json'}
parms={}

Response:
200
{}


In [82]:
url = URL_PREFIX + '/health?bundles'
params = {}
print(f'Request:\nurl={url}\nheaders={headers}\nparms={params}')

r = requests.get(url=url, headers=headers, params=params)
_dump(r)

Request:
url=http://localhost:8181/health?bundles
headers={'content-type': 'application/json'}
parms={}

Response:
200
{}


In [101]:
url = URL_PREFIX + '/health?plugins'
params = {}
print(f'Request:\nurl={url}\nheaders={headers}\nparms={params}')

r = requests.get(url=url, headers=headers, params=params)
_dump(r)

Request:
url=http://localhost:8181/health?plugins
headers={'content-type': 'application/json'}
parms={}

Response:
200
{}


# Config

In [93]:
url = URL_PREFIX + '/v1/config'
params = {}
print(f'Request:\nurl={url}\nheaders={headers}\nparms={params}')

r = requests.get(url=url, headers=headers, params=params)
_dump(r)

Request:
url=http://localhost:8181/v1/config
headers={'content-type': 'application/json'}
parms={}

Response:
200
{'result': {'decision_logs': {'console': True,
                              'reporting': {'max_delay_seconds': 600,
                                            'min_delay_seconds': 300},
                              'service': 'example'},
            'default_authorization_decision': '/system/authz/allow',
            'default_decision': '/system/main',
            'labels': {'id': 'b256d0c3-9ec4-4530-b3dc-ebd69c69edeb',
                       'version': '0.60.0'},
            'lables': {'environment': 'dev',
                       'region': 'dev',
                       'service': 'example'},
            'persistence_directory': '/var/opa',
            'services': {'example': {'response_header_timeout_seconds': 5,
                                     'url': 'http://localhost:8181/policy/v1'}},
            'status': {'service': 'example'}}}


# Status

In [98]:
url = URL_PREFIX + '/v1/status'
params = {}
print(f'Request:\nurl={url}\nheaders={headers}\nparms={params}')

r = requests.get(url=url, headers=headers, params=params)
_dump(r)

Request:
url=http://localhost:8181/v1/status
headers={'content-type': 'application/json'}
parms={}

Response:
200
{'result': {'decision_logs': {'code': 'decision_log_error',
                              'http_code': 404,
                              'message': 'log upload failed, server replied '
                                         'with HTTP 404 Not Found'},
            'labels': {'id': 'b256d0c3-9ec4-4530-b3dc-ebd69c69edeb',
                       'version': '0.60.0'},
            'metrics': {'prometheus': {'counter_enc_soft_limit_scale_up': 1,
                                       'go_cgo_go_to_c_calls_calls_total': {'help': 'Count '
                                                                                    'of '
                                                                                    'calls '
                                                                                    'made '
                                                                        

# Decison Logs

In [97]:
url = URL_PREFIX + '/206a3f36-1a21-4014-992b-01a57f168d06'
params = {}
print(f'Request:\nurl={url}\nheaders={headers}\nparms={params}')

r = requests.post(url=url, headers=headers, params=params)
_dump(r)

Request:
url=http://localhost:8181/206a3f36-1a21-4014-992b-01a57f168d06
headers={'content-type': 'application/json'}
parms={}

Response:
404
404 page not found



# Use Cases

## HTTP API

https://www.openpolicyagent.org/docs/latest/http-api-authorization/

In [124]:
# 1 Create Policy
headers['content-type'] = 'text/plain'
policy_id = 'httpapi.authz'
url = URL_PREFIX + f'/v1/policies/{policy_id}'
params = {}
data = """package httpapi.authz

import rego.v1

# bob is alice's manager, and betty is charlie's.
subordinates := {"alice": [], "charlie": [], "bob": ["alice"], "betty": ["charlie"]}

default allow := false

# Allow users to get their own salaries.
allow if {
	input.method == "GET"
	input.path == ["finance", "salary", input.user]
}

# Allow managers to get their subordinates' salaries.
allow if {
	some username
	input.method == "GET"
	input.path = ["finance", "salary", username]
	subordinates[input.user][_] == username
}"""
r = requests.put(url=url, headers=headers, params=params, data=data)
_dump(r)
headers['content-type'] = 'application/json'


Response:
200
{}


In [132]:
# Query
url = URL_PREFIX + '/v1/data' + '/httpapi/authz'
print(url)
params = {}

# alice -> alice
data = {
    "input": {
        "method": "GET",
        "path": [
            "finance",
            "salary",
            "alice"
        ],
        "user": "alice"
    }
}
r = requests.post(url=url, headers=headers, params=params, data=json.dumps(data))
_dump(r)

# bob -> alice
data = {
    "input": {
        "method": "GET",
        "path": [
            "finance",
            "salary",
            "alice"
        ],
        "user": "bob"
    }
}
r = requests.post(url=url, headers=headers, params=params, data=json.dumps(data))
_dump(r)

# bob -> charlie
url = URL_PREFIX + '/v1/data' + '/httpapi/authz/allow' # Only query 'allow'

data = {
    "input": {
        "method": "GET",
        "path": [
            "finance",
            "salary",
            "charlie"
        ],
        "user": "bob"
    }
}
r = requests.post(url=url, headers=headers, params=params, data=json.dumps(data))
_dump(r)

http://localhost:8181/v1/data/httpapi/authz

Response:
200
{'decision_id': '4a059620-a328-4b86-abfc-dcfcb6536ab0',
 'result': {'allow': True,
            'subordinates': {'alice': [],
                             'betty': ['charlie'],
                             'bob': ['alice'],
                             'charlie': []}}}

Response:
200
{'decision_id': '71ed5bbe-e010-4ad6-b742-08a116a34026',
 'result': {'allow': True,
            'subordinates': {'alice': [],
                             'betty': ['charlie'],
                             'bob': ['alice'],
                             'charlie': []}}}

Response:
200
{'decision_id': '9be65e16-4249-4975-a439-e6322d2fd8a1', 'result': False}
