Skip to content

PSR-7 and PSR-15 OPA Authorization Middleware and Open Policy Agent Client

License

Notifications You must be signed in to change notification settings

segrax/openpolicyagent

Repository files navigation

Open Policy Agent Library

This library provides a client for the Open Policy Agent (OPA), a PSR-15 authorization middleware and a PSR-15 bundle distributor middleware.

Latest Version Packagist Software License Build Status codecov

For working examples, please see segrax/opa-php-examples and a walkthrough is available to guide you through the examples.

Install

Install the latest using composer.

composer require segrax/open-policy-agent

Usage Examples

Client Usage

use Segrax\OpenPolicyAgent\Client;
use GuzzleHttp\Client as GuzzleHttpClient;

$apiPolicy = "package my.api
              default allow=false
              allow {
                  input.path = [\"abc\"]
                  input.user == \"a random user\"
              }";

$client = new Client(null, new GuzzleHttpClient(), new RequestFactory(), 'http://127.0.0.1:8181', 'MyToken');

// Push a policy to the agent
$client->policyUpdate('my/api', $apiPolicy, false);

// Execute the policy
$inputs = [ 'path' => ['abc'],
            'user' => 'a random user'];

$res = $client->policy('my/api', $inputs, false, false, false, false );
if ($res->getByName('allow') === true ) {
    // Do stuff
}

Authorization Middleware

Create the client, and add the Authorization object onto the middleware stack

use Segrax\OpenPolicyAgent\Client;
use Segrax\OpenPolicyAgent\Middleware\Authorization;

$app = AppFactory::create();

$client = new Client(null, new GuzzleHttpClient(), new RequestFactory(), 'http://127.0.0.1:8181', 'MyToken');
$app->add(new Authorization(
                [Authorization::OPT_POLICY => 'auth/api'],
                $client,
                $app->getResponseFactory()));

Distributor Middleware

Insert the middleware, it will respond to bundle requests at /opa/bundles/{service_name} for users with a valid JWT with the subfield 'opa'

use Segrax\OpenPolicyAgent\Client;
use Segrax\OpenPolicyAgent\Middleware\Distributor;

$app = AppFactory::create();

$app->add(new Distributor(
                        '/opa/bundles/',        // Route
                        __DIR__ . '/opa',       // Policy Path
                        [Distributor::OPT_AGENT_USER => 'opa'], // Token Sub Field
                        $app->getResponseFactory(),
                        new StreamFactory(),
                        $app->getLogger()));

// Add a GET route for the opa bundle route
$app->get('/opa/bundles/{name}', function (Request $request, Response $response, array $args) {
    return $response->withStatus(404);
});

Code Testing

make tests

Security

If you discover any security related issues, please email robcrossfield@gmail.com.

License

The MIT License (MIT). Please see License File for more information.

About

PSR-7 and PSR-15 OPA Authorization Middleware and Open Policy Agent Client

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages