https://github.com/barbiecue/opa-http-api-example-kotlin

A simple example showing how to restrict a custom HTTP API using the Open Policy Agent.
https://github.com/barbiecue/opa-http-api-example-kotlin

http-api kotlin open-policy-agent

Last synced: 6 months ago
JSON representation

A simple example showing how to restrict a custom HTTP API using the Open Policy Agent.

• Host: GitHub
• URL: https://github.com/barbiecue/opa-http-api-example-kotlin
• Owner: BarbieCue
• License: mit
• Created: 2022-11-06T17:17:48.000Z (about 3 years ago)
• Default Branch: main
• Last Pushed: 2023-08-01T04:21:40.000Z (over 2 years ago)
• Last Synced: 2025-03-15T09:28:09.473Z (11 months ago)
• Topics: http-api, kotlin, open-policy-agent
• Language: Kotlin
• Homepage:
• Size: 769 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          


# Open Policy Agent HTTP API example





A minimalistic example of restricting an HTTP API with OPA



## Get started

### 1. Start the API server (kotlin application)

```shell

./gradlew run

```

### 2. Start the OPA server (+ bundle server)

 ```shell

 docker compose -f opa/docker-compose.yml up

 ```

### 3. Be the client - sample requests to the API server

_Allowed_

```shell

curl --user alice:password localhost:5000/finance/salary/alice

```

_Forbidden_

```shell

curl --user alice:password localhost:5000/finance/salary/charlie

```

# What happens here?

![](docs/opa_flow.png)

On each HTTP request from a client to the API server, 

the API server asks the OPA server whether the requesting client

is authorized to perform this action or not.

Depending on the answer of OPA, 

the client request will be processed or rejected.  

## Policy / Bundle

Why does the OPA server knows about the permissions of a client?

From the policy!

- The policy is defined in the `example-policy.rego` file

- From this file a bundle was built using the OPA executable

- This bundle is persisted in and shipped from the bundle server to the OPA server

![](docs/opa_build.png)

## How to edit and apply the policy?

1. Make changes to the policy file

2. [Download and install](https://www.openpolicyagent.org/docs/v0.11.0/get-started/) the Open Policy Agent. *Tip: drop the opa executable to ~/.local/bin, so it is on the PATH.*

3. Build the policy and move the resulting bundle to the correct folder so that it can be collected by the bundle server

    ```shell

    cd opa

    opa build example-policy.rego

    mv bundle.tar.gz bundles

    ```

# References

- Inspired by https://www.openpolicyagent.org/docs/latest/http-api-authorization/

- Corresponding python implementaion https://github.com/open-policy-agent/contrib/tree/main/api_authz