Class OpaBundle<T extends io.dropwizard.Configuration>

  • All Implemented Interfaces:
    io.dropwizard.ConfiguredBundle<T>

    public class OpaBundle<T extends io.dropwizard.Configuration>
    extends java.lang.Object
    implements io.dropwizard.ConfiguredBundle<T>
    The OPA bundle enables support for the Open Policy Agent.

    Note: the OPA bundle is not an alternative to the AuthBundle; it is an addition for authorization. The AuthBundle is still required for validating the JWT.

    A new filter is added to the invocation chain of every endpoint invocation. This filter invokes the OPA at the configured URL. Normally, this should be a sidecar of the actual service. The response includes an authorization decision and optional constraints that must be evaluated when querying the database or filtering the result set of the request.

    The constraints should be modeled as a Java POJO and documented within this POJO. The OPA policies must be designed so that the predefined result structure is returned, such as

    
     {
        "result": {
           "allow": true,
           "constraint1": true,
           "constraint2": [ "v2.1", "v2.2" ]
        }
     }
    
     

    The filter evaluates the overall allow decision and adds the constraints to the SecurityContext as OpaJwtPrincipal.
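The result structure above, handled in code. This is an added example, not code from this library and not the bundle's filter implementation: the class `OpaConstraintsExample`, its `Constraints` POJO and the methods `decide` and `filter` are hypothetical names, and it assumes Jackson (which Dropwizard ships) is on the classpath. It shows a constraints POJO for the sample response, a fail-closed evaluation of `allow`, and a list constraint applied to a result set.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.List;
import java.util.stream.Collectors;

public class OpaConstraintsExample {

  /** Hypothetical constraints POJO mirroring the "result" object of the sample response. */
  @JsonIgnoreProperties(ignoreUnknown = true) // "allow" is evaluated separately in decide()
  public static class Constraints {
    public boolean constraint1;                  // false when the policy does not return it
    public List<String> constraint2 = List.of(); // empty when the policy does not return it
  }

  private static final ObjectMapper MAPPER = new ObjectMapper();

  /** Returns the constraints only if "result.allow" is the boolean true; null means deny. */
  static Constraints decide(String opaResponseJson) {
    try {
      JsonNode result = MAPPER.readTree(opaResponseJson).path("result");
      // Fail closed: OPA answers with no "result" key when the policy is undefined,
      // so a missing result, a missing allow or a non-boolean allow is a deny.
      if (!result.path("allow").isBoolean() || !result.path("allow").booleanValue()) {
        return null;
      }
      return MAPPER.treeToValue(result, Constraints.class);
    } catch (Exception e) {
      return null; // unparsable or empty response: deny
    }
  }

  /** Applies the list constraint to a result set; a denied request sees nothing. */
  static List<String> filter(List<String> rows, Constraints c) {
    if (c == null || c.constraint2 == null) {
      return List.of();
    }
    return rows.stream().filter(c.constraint2::contains).collect(Collectors.toList());
  }

  public static void main(String[] args) {
    // Constructed sample input: the response shown above, then an undefined policy result.
    String allowed =
        "{\"result\":{\"allow\":true,\"constraint1\":true,\"constraint2\":[\"v2.1\",\"v2.2\"]}}";
    Constraints c = decide(allowed);
    System.out.println(filter(List.of("v1.0", "v2.1", "v2.2", "v3.0"), c));
    System.out.println(decide("{}") == null ? "deny" : "allow");
  }
}
```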

    The endpoints for swagger are excluded from the OPA filter.

    • Method Detail

      • initialize

        public void initialize(io.dropwizard.setup.Bootstrap<?> bootstrap)
        Specified by:
        initialize in interface io.dropwizard.ConfiguredBundle<T extends io.dropwizard.Configuration>
      • run

        public void run(T configuration,
                        io.dropwizard.setup.Environment environment)
        Specified by:
        run in interface io.dropwizard.ConfiguredBundle<T extends io.dropwizard.Configuration>