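/// <summary>
/// Evaluates the OPA WebAssembly policy named by <paramref name="requirement"/> and marks the
/// requirement as satisfied only when the policy's output is affirmative. A policy that cannot be
/// loaded, or whose output cannot be read as an allow decision, leaves the requirement unsatisfied.
/// </summary>
/// <param name="context">Authorization context of the current request.</param>
/// <param name="requirement">Requirement carrying the name of the OPA policy to evaluate.</param>
/// <remarks>
/// Only shows the concept, you'd need to: (1) cache wasms, (2) json-in, json-out, (3) evaluate out-json.
/// json-in: a defined set of properties of the request that is then being evaluated by the OPA policy (treated as black box).
/// Might need a https://docs.microsoft.com/en-us/aspnet/core/security/authorization/iauthorizationpolicyprovider?view=aspnetcore-3.1
/// </remarks>
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, OpaPolicyRequirement requirement)
{
    string policyName = requirement.Policy;
    var (wasmBytes, succeeded) = await _policiesStore.LoadPolicyAsync(policyName);
    if (!succeeded)
    {
        // Fail closed: a missing policy never satisfies the requirement.
        // Structured logging keeps the policy name as a queryable field instead of baking it into the message.
        _logger.LogError("Policy {PolicyName} not found, cannot evaluate", policyName);
        return;
    }

    using var opaModule = new OpaModule();
    // TODO: This incurs the compilation penalty for wasm - use an object pool (single-threaded use only)
    using var module = opaModule.Load(policyName, wasmBytes);
    using var opaPolicy = new OpaPolicy(opaModule, module);

    // TODO: data and input are placeholders; the input should be built from a defined set of request
    // properties taken from `context` (see remarks) rather than a constant.
    opaPolicy.SetData(@"{""world"": ""world""}");
    string input = @"{""message"": ""world""}";
    string output = opaPolicy.Evaluate(input);

    // Decide on what the policy returned; never succeed merely because the policy could be loaded and run.
    if (PolicyAllows(output))
    {
        context.Succeed(requirement);
    }
    else
    {
        _logger.LogInformation("Policy {PolicyName} did not allow the request", policyName);
    }
}

/// <summary>
/// Reads OPA's evaluation output and returns true only when the first result is affirmative.
/// Accepts the two result shapes exercised elsewhere in this code: a bare boolean
/// (<c>[{"result": true}]</c>) or an object with an <c>allow</c> flag (<c>[{"result": {"allow": true}}]</c>).
/// Empty output, malformed JSON, a missing <c>result</c> or any other shape is treated as deny.
/// </summary>
/// <param name="outputJson">Raw JSON string returned by <c>OpaPolicy.Evaluate</c>.</param>
/// <returns>True when the output is an allow decision; false otherwise.</returns>
private static bool PolicyAllows(string outputJson)
{
    if (string.IsNullOrWhiteSpace(outputJson))
    {
        return false;
    }

    try
    {
        using var doc = System.Text.Json.JsonDocument.Parse(outputJson);
        var root = doc.RootElement;
        if (root.ValueKind != System.Text.Json.JsonValueKind.Array || root.GetArrayLength() == 0)
        {
            return false;
        }

        if (!root[0].TryGetProperty("result", out var result))
        {
            return false;
        }

        // NOTE(review): the expected `result` shape depends on the policy's entrypoint - confirm it matches the deployed policy.
        return result.ValueKind switch
        {
            System.Text.Json.JsonValueKind.True => true,
            System.Text.Json.JsonValueKind.Object =>
                result.TryGetProperty("allow", out var allow) && allow.ValueKind == System.Text.Json.JsonValueKind.True,
            _ => false,
        };
    }
    catch (System.Text.Json.JsonException)
    {
        // Unparseable output is a deny, not a crash in the authorization pipeline.
        return false;
    }
}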
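/// <summary>
/// Loads the default example policy: <c>example.wasm</c> from the working directory, registered under the name <c>example</c>.
/// </summary>
public WasmPolicyExecution() : this("example.wasm", "example")
{
}

/// <summary>
/// Reads a compiled OPA WebAssembly policy from disk and loads it into a fresh <see cref="OpaModule"/>.
/// </summary>
/// <param name="wasmPath">Path of the <c>.wasm</c> file to read; a relative path is resolved against the current working directory.</param>
/// <param name="policyName">Name the policy is registered under when loaded into the module.</param>
/// <exception cref="System.IO.IOException">Propagated from <see cref="System.IO.File.ReadAllBytes"/> when the file cannot be read.</exception>
public WasmPolicyExecution(string wasmPath, string policyName)
{
    // The bytes are only needed for Load; they are not retained by this instance.
    var policyBytes = System.IO.File.ReadAllBytes(wasmPath);
    _opaModule = new OpaModule();
    _module = _opaModule.Load(policyName, policyBytes);
}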
/// <summary>
/// Loads <c>example.wasm</c>, evaluates it against a fixed hello-world data/input pair and prints the raw JSON result.
/// </summary>
static void EvaluateHelloWorld()
{
    const string data = @"{""world"": ""world""}";
    const string query = @"{""message"": ""world""}";

    using var runtime = new OpaModule();
    using var compiled = runtime.Load("example.wasm");
    using var policy = new OpaPolicy(runtime, compiled);

    policy.SetData(data);
    string result = policy.Evaluate(query);
    Console.WriteLine("Hello world output: " + result);
}
// https://play.openpolicyagent.org/ "Role-based" example stripped down to minimum
/// <summary>
/// Loads <c>rbac.wasm</c> with a small inline role table, evaluates one request for user <c>alice</c> and prints the raw JSON result.
/// </summary>
static void EvaluateRbac()
{
    // Data: who holds which roles. Input: a single access request to be decided.
    const string roleTable = @"{""user_roles"": { ""alice"": [""admin""],""bob"": [""employee"",""billing""],""eve"": [""customer""]}}";
    const string request = @"{ ""user"": ""alice"", ""action"": ""read"", ""object"": ""id123"", ""type"": ""dog"" }";

    using var runtime = new OpaModule();
    using var compiled = runtime.Load("rbac.wasm");
    using var policy = new OpaPolicy(runtime, compiled);

    policy.SetData(roleTable);
    string result = policy.Evaluate(request);
    Console.WriteLine("RBAC output: " + result);
}
/// <summary>
/// Evaluates the RBAC example policy with the <c>TestData</c> fixtures and checks that the first
/// result grants access and flags the user as admin.
/// </summary>
public void RbacTest()
{
    using var runtime = new OpaModule();
    using var compiled = runtime.Load(WasmFiles.RbacExample);
    using var policy = new OpaPolicy(runtime, compiled);

    policy.SetData(ReadFixture("basic_rbac_data.json"));
    string outputJson = policy.Evaluate(ReadFixture("basic_rbac_input.json"));

    dynamic output = outputJson.ToDynamic();
    dynamic first = output[0].result;
    Assert.IsTrue(first.allow);
    Assert.IsTrue(first.user_is_admin);

    // Fixtures live under TestData next to the test binary.
    static string ReadFixture(string fileName) => File.ReadAllText(Path.Combine("TestData", fileName));
}
/// <summary>
/// Evaluates the hello-world example policy with matching data and input and checks that the first result is true.
/// </summary>
public void HelloWorldTest()
{
    using var runtime = new OpaModule();
    using var compiled = runtime.Load(WasmFiles.HelloWorldExample);
    using var policy = new OpaPolicy(runtime, compiled);

    // Anonymous objects are serialized to the same JSON the policy expects.
    var data = new { world = "world" };
    var input = new { message = "world" };
    policy.SetData(data.ToJson());
    string outputJson = policy.Evaluate(input.ToJson());

    dynamic output = outputJson.ToDynamic();
    Assert.IsTrue(output[0].result);
}