id |
---|
opafiber |
Open Policy Agent support for Fiber.
Note: Requires Go 1.19 and above
go get -u github.com/gofiber/fiber/v2
go get -u github.com/gofiber/contrib/opafiber/v2
opafiber.New(config opafiber.Config) fiber.Handler
Property | Type | Description | Default |
---|---|---|---|
RegoQuery | string |
Required - Rego query | - |
RegoPolicy | io.Reader |
Required - Rego policy | - |
IncludeQueryString | bool |
Include query string as input to rego policy | false |
DeniedStatusCode | int |
Http status code to return when policy denies request | 400 |
DeniedResponseMessage | string |
Http response body text to return when policy denies request | "" |
IncludeHeaders | []string |
Include headers as input to rego policy | - |
InputCreationMethod | InputCreationFunc |
Use your own function to provide input for OPA | func defaultInput(ctx *fiber.Ctx) (map[string]interface{}, error) |
type InputCreationFunc func(c *fiber.Ctx) (map[string]interface{}, error)
OPA Fiber middleware sends the following example data to the policy engine as input:
{
"method": "GET",
"path": "/somePath",
"query": {
"name": ["John Doe"]
},
"headers": {
"Accept": "application/json",
"Content-Type": "application/json"
}
}
package main
import (
"github.com/gofiber/fiber/v2"
"github.com/gofiber/contrib/opafiber/v2"
)
func main() {
app := fiber.New()
module := `
package example.authz
default allow := false
allow {
input.method == "GET"
}
`
cfg := opafiber.Config{
RegoQuery: "data.example.authz.allow",
RegoPolicy: bytes.NewBufferString(module),
IncludeQueryString: true,
DeniedStatusCode: fiber.StatusForbidden,
DeniedResponseMessage: "status forbidden",
IncludeHeaders: []string{"Authorization"},
InputCreationMethod: func (ctx *fiber.Ctx) (map[string]interface{}, error) {
return map[string]interface{}{
"method": ctx.Method(),
"path": ctx.Path(),
}, nil
},
}
app.Use(opafiber.New(cfg))
app.Get("/", func(ctx *fiber.Ctx) error {
return ctx.SendStatus(200)
})
app.Listen(":8080")
}