Esempio n. 1
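        /// <summary>
        /// Loads the WASM policy named by <paramref name="requirement"/>, evaluates it, and marks the
        /// requirement as succeeded only when the policy output carries an explicit <c>result: true</c>.
        /// Every other outcome (policy not found, empty or malformed output, any other result value)
        /// leaves the requirement unsatisfied, so the handler fails closed.
        /// </summary>
        /// <param name="context">Authorization context on which the requirement is marked as succeeded.</param>
        /// <param name="requirement">Requirement whose <c>Policy</c> property names the policy to load.</param>
        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, OpaPolicyRequirement requirement)
        {
            // Only shows the concept, you'd need to: (1) cache wasms, (2) json-in, json-out, (3) evaluate out-json
            //       json-in: a defined set of properties of the request that is then being evaluated by the OPA policy (treated as black box)
            // Might need a https://docs.microsoft.com/en-us/aspnet/core/security/authorization/iauthorizationpolicyprovider?view=aspnetcore-3.1

            string policyName = requirement.Policy;

            var (wasmBytes, succeeded) = await _policiesStore.LoadPolicyAsync(policyName);

            if (!succeeded)
            {
                // Message template instead of interpolation: the policy name is logged as a structured value.
                _logger.LogError("Policy {PolicyName} not found, cannot evaluate", policyName);
                return;
            }

            using var opaModule = new OpaModule();
            // TODO: This incurs the compilation penalty for wasm - use an object pool (single-threaded use only)
            using var module    = opaModule.Load(policyName, wasmBytes);
            using var opaPolicy = new OpaPolicy(opaModule, module);

            opaPolicy.SetData(@"{""world"": ""world""}");

            // NOTE(review): data and input are still fixed sample documents, so the decision does not
            // depend on the caller or the request yet; build the input from the request before relying on this.
            string input  = @"{""message"": ""world""}";
            string output = opaPolicy.Evaluate(input);

            // The decision must come from the policy output. Calling Succeed without inspecting it would
            // authorize every request for which the policy merely loads.
            bool allowed = false;

            if (!string.IsNullOrEmpty(output))
            {
                try
                {
                    // Assumes the output shape [{"result": <value>}] with a boolean result, as the hello-world
                    // policy produces; policies that return an object need their own field check. TODO confirm.
                    using var decision = System.Text.Json.JsonDocument.Parse(output);
                    var root = decision.RootElement;

                    allowed = root.ValueKind == System.Text.Json.JsonValueKind.Array
                        && root.GetArrayLength() > 0
                        && root[0].ValueKind == System.Text.Json.JsonValueKind.Object
                        && root[0].TryGetProperty("result", out var result)
                        && result.ValueKind == System.Text.Json.JsonValueKind.True;
                }
                catch (System.Text.Json.JsonException ex)
                {
                    // Unparseable output is treated as a denial rather than an error the caller could skip past.
                    _logger.LogError(ex, "Policy {PolicyName} returned output that is not valid JSON", policyName);
                }
            }

            if (allowed)
            {
                context.Succeed(requirement);
            }
            else
            {
                _logger.LogWarning("Policy {PolicyName} did not return an allow decision", policyName);
            }
        }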
Esempio n. 2
        /// <summary>
        /// Reads the compiled policy from <c>example.wasm</c> and loads it into a new
        /// <see cref="OpaModule"/>, passing "example" as the first argument to <c>Load</c>.
        /// </summary>
        public WasmPolicyExecution()
        {
            // Relative path: resolved against the process's current working directory.
            // The file is read before the module is created, so a missing file leaves nothing to dispose.
            byte[] wasmImage = System.IO.File.ReadAllBytes("example.wasm");

            _opaModule = new OpaModule();
            _module = _opaModule.Load("example", wasmImage);
        }
Esempio n. 3
        /// <summary>
        /// Loads <c>example.wasm</c>, evaluates it against a fixed data document and a fixed input
        /// document, and writes the raw policy output to the console.
        /// </summary>
        static void EvaluateHelloWorld()
        {
            // Nested using statements dispose in reverse order: policy, then module, then OPA module.
            using (var wasmHost = new OpaModule())
            using (var compiled = wasmHost.Load("example.wasm"))
            using (var policy = new OpaPolicy(wasmHost, compiled))
            {
                // Data must be set before evaluation.
                policy.SetData(@"{""world"": ""world""}");

                string result = policy.Evaluate(@"{""message"": ""world""}");

                Console.WriteLine($"Hello world output: {result}");
            }
        }
Esempio n. 4
        // https://play.openpolicyagent.org/ "Role-based" example stripped down to minimum
        /// <summary>
        /// Loads <c>rbac.wasm</c>, supplies a fixed user-to-roles data document, evaluates one fixed
        /// request for user "alice", and writes the raw policy output to the console.
        /// </summary>
        static void EvaluateRbac()
        {
            // Nested using statements dispose in reverse order: policy, then module, then OPA module.
            using (var wasmHost = new OpaModule())
            using (var compiled = wasmHost.Load("rbac.wasm"))
            using (var policy = new OpaPolicy(wasmHost, compiled))
            {
                // Role assignments the policy evaluates the request against.
                policy.SetData(@"{""user_roles"": { ""alice"": [""admin""],""bob"": [""employee"",""billing""],""eve"": [""customer""]}}");

                // The request under evaluation: who, which action, on which object and type.
                string result = policy.Evaluate(@"{ ""user"": ""alice"", ""action"": ""read"", ""object"": ""id123"", ""type"": ""dog"" }");

                Console.WriteLine($"RBAC output: {result}");
            }
        }
Esempio n. 5
        /// <summary>
        /// Evaluates the RBAC example policy with the data and input documents stored under
        /// <c>TestData</c> and asserts that the first result reports both <c>allow</c> and
        /// <c>user_is_admin</c> as true.
        /// </summary>
        public void RbacTest()
        {
            // Nested using statements dispose in reverse order: policy, then module, then OPA module.
            using (var wasmHost = new OpaModule())
            using (var compiled = wasmHost.Load(WasmFiles.RbacExample))
            using (var policy = new OpaPolicy(wasmHost, compiled))
            {
                string rolesJson = File.ReadAllText(Path.Combine("TestData", "basic_rbac_data.json"));
                policy.SetData(rolesJson);

                string requestJson = File.ReadAllText(Path.Combine("TestData", "basic_rbac_input.json"));
                string decisionJson = policy.Evaluate(requestJson);

                // dynamic keeps member access late-bound, so the result fields are resolved at run time.
                dynamic decision = decisionJson.ToDynamic();

                Assert.IsTrue(decision[0].result.allow);
                Assert.IsTrue(decision[0].result.user_is_admin);
            }
        }
Esempio n. 6
        /// <summary>
        /// Evaluates the hello-world example policy with data and input built from anonymous objects
        /// and asserts that the first result is true.
        /// </summary>
        public void HelloWorldTest()
        {
            // Nested using statements dispose in reverse order: policy, then module, then OPA module.
            using (var wasmHost = new OpaModule())
            using (var compiled = wasmHost.Load(WasmFiles.HelloWorldExample))
            using (var policy = new OpaPolicy(wasmHost, compiled))
            {
                var dataDocument = new { world = "world" };
                string dataJson = dataDocument.ToJson();
                policy.SetData(dataJson);

                var inputDocument = new { message = "world" };
                string inputJson = inputDocument.ToJson();
                string decisionJson = policy.Evaluate(inputJson);

                // dynamic keeps member access late-bound, so the result field is resolved at run time.
                dynamic decision = decisionJson.ToDynamic();

                Assert.IsTrue(decision[0].result);
            }
        }