This library provides a client for the Open Policy Agent (OPA), a PSR-15 authorization middleware and a PSR-15 bundle distributor middleware.
For working examples, see segrax/opa-php-examples; a walkthrough is also available to guide you through them.
Install the latest version using Composer:

```shell
composer require segrax/open-policy-agent
```
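```php
use Segrax\OpenPolicyAgent\Client;
use GuzzleHttp\Client as GuzzleHttpClient;
// Assumption: the request factory from slim/psr7 is used here
use Slim\Psr7\Factory\RequestFactory;

// Rego policy: deny by default, allow only the exact path and user below
$apiPolicy = "package my.api
default allow=false
allow {
    input.path = [\"abc\"]
    input.user == \"a random user\"
}";

// Client for the agent at 127.0.0.1:8181, authenticating with the token 'MyToken'
$client = new Client(null, new GuzzleHttpClient(), new RequestFactory(), 'http://127.0.0.1:8181', 'MyToken');

// Push a policy to the agent
$client->policyUpdate('my/api', $apiPolicy, false);

// Execute the policy
$inputs = [
    'path' => ['abc'],
    'user' => 'a random user',
];
$res = $client->policy('my/api', $inputs, false, false, false, false);

// Strict comparison: anything other than boolean true is treated as a deny
if ($res->getByName('allow') === true) {
    // Do stuff
}
```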
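Create the client, and add the Authorization object onto the middleware stack.

```php
use Segrax\OpenPolicyAgent\Client;
use Segrax\OpenPolicyAgent\Middleware\Authorization;
use GuzzleHttp\Client as GuzzleHttpClient;
// Assumption: Slim 4 and slim/psr7 provide AppFactory and RequestFactory
use Slim\Factory\AppFactory;
use Slim\Psr7\Factory\RequestFactory;

$app = AppFactory::create();
$client = new Client(null, new GuzzleHttpClient(), new RequestFactory(), 'http://127.0.0.1:8181', 'MyToken');

// Requests are authorized against the 'auth/api' policy
$app->add(new Authorization(
    [Authorization::OPT_POLICY => 'auth/api'],
    $client,
    $app->getResponseFactory()
));
```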
Insert the middleware. It will respond to bundle requests at /opa/bundles/{service_name} for users with a valid JWT with the sub field 'opa'.

```php
use Segrax\OpenPolicyAgent\Middleware\Distributor;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
// Assumption: Slim 4 and slim/psr7 provide AppFactory and StreamFactory
use Slim\Factory\AppFactory;
use Slim\Psr7\Factory\StreamFactory;

$app = AppFactory::create();
$app->add(new Distributor(
    '/opa/bundles/',                        // Route
    __DIR__ . '/opa',                       // Policy Path
    [Distributor::OPT_AGENT_USER => 'opa'], // Token Sub Field
    $app->getResponseFactory(),
    new StreamFactory(),
    $app->getLogger()
));

// Add a GET route for the opa bundle route
$app->get('/opa/bundles/{name}', function (Request $request, Response $response, array $args) {
    return $response->withStatus(404);
});
```
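
For the agent side of the bundle route above, an OPA configuration along these lines pulls its bundle from the Distributor. This is an added example, not part of this library or its examples; the service and bundle labels, the application address, the `my-service` name and the `OPA_BUNDLE_TOKEN` variable are assumptions.

```yaml
# opa-config.yaml (added example; labels, address and names are assumptions)
services:
  app:                                 # hypothetical label for the PHP application
    # Assumed address of the app running the Distributor middleware.
    # Use https:// outside local testing so the bearer token is not sent in clear text.
    url: http://127.0.0.1:8080
    credentials:
      bearer:
        # JWT with the sub field 'opa', matching Distributor::OPT_AGENT_USER.
        # Substituted from the environment so the token is not stored in this file.
        token: "${OPA_BUNDLE_TOKEN}"

bundles:
  authz:                               # hypothetical bundle label
    service: app
    # /opa/bundles/{service_name}; 'my-service' is a placeholder name
    resource: /opa/bundles/my-service
    polling:
      min_delay_seconds: 30
      max_delay_seconds: 60
```

Start the agent with `opa run --server --config-file opa-config.yaml` after exporting the token in its environment.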
Run the tests with make:

```shell
make tests
```
If you discover any security-related issues, please email robcrossfield@gmail.com.
The MIT License (MIT). Please see License File for more information.