From the introduction of the openpolicyagent.org site:
First, make sure you have already installed Docker and have it running:
Inside your choosen directory, create two files. One called input.json file for your system representation and one file called example.rego for your rego policy rules.
Add the following content to your json file:
Add the following content for the example.rego:
Each violation block represents the rule that you want to validate your system against. The first violation block checks if any of the system servers have the http protocol in it. If that is the case, the server id is added to the array. In the same way, the second violation block checks for the servers that have the telnet protocol in it and if it finds a match the server id is also added to the violation array.
The final result bring all server ids that have violated any policy rule. In this way, allow is only going to be true if the number of violations are equal to zero.
Looking to our json file we can see that we have two servers violating our policy with the http and telnet protocols, the ci and busybox servers. So, lets run OPA in docker to find out if that is the case.
As we know we can use the opa eval command to evaluate Rego policies. So lets find out how we can run it from docker. To get docker run the eval command we must supply the input and policy files as arguments to docker using the -i and -d flags:
Run the following command, from the same directory where you saved your json and rego files, to download the opa image from docker and run it at the same time:
By mapping the files of your currently directory to the example directory inside docker we can then pass those files as arguments from the comamnd line using docker.
You should get the following result from running the opa eval command:
OPA generates policy decisions by evaluating the query input against policies and data.In this post i am going to show you an easy and fast way to test your policies by running OPA in Docker.
First, make sure you have already installed Docker and have it running:
docker ps
Inside your choosen directory, create two files. One called input.json file for your system representation and one file called example.rego for your rego policy rules.
Add the following content to your json file:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "servers": [ | |
| {"id": "app", "protocols": ["https", "ssh"], "ports": ["p1", "p2", "p3"]}, | |
| {"id": "db", "protocols": ["mysql"], "ports": ["p3"]}, | |
| {"id": "cache", "protocols": ["memcache"], "ports": ["p3"]}, | |
| {"id": "ci", "protocols": ["http"], "ports": ["p1", "p2"]}, | |
| {"id": "busybox", "protocols": ["telnet"], "ports": ["p1"]} | |
| ], | |
| "networks": [ | |
| {"id": "net1", "public": false}, | |
| {"id": "net2", "public": false}, | |
| {"id": "net3", "public": true}, | |
| {"id": "net4", "public": true} | |
| ], | |
| "ports": [ | |
| {"id": "p1", "network": "net1"}, | |
| {"id": "p2", "network": "net3"}, | |
| {"id": "p3", "network": "net2"} | |
| ] | |
| } |
Add the following content for the example.rego:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package example | |
| default allow = false # unless otherwise defined, allow is false | |
| allow = true { # allow is true if... | |
| count(violation) == 0 # there are zero violations. | |
| } | |
| violation[server.id] { # a server is in the violation set if... | |
| some server | |
| public_server[server] # it exists in the 'public_server' set and... | |
| server.protocols[_] == "http" # it contains the insecure "http" protocol. | |
| } | |
| violation[server.id] { # a server is in the violation set if... | |
| server := input.servers[_] # it exists in the input.servers collection and... | |
| server.protocols[_] == "telnet" # it contains the "telnet" protocol. | |
| } | |
| public_server[server] { # a server exists in the public_server set if... | |
| some i, j | |
| server := input.servers[_] # it exists in the input.servers collection and... | |
| server.ports[_] == input.ports[i].id # it references a port in the input.ports collection and... | |
| input.ports[i].network == input.networks[j].id # the port references a network in the input.networks collection and... | |
| input.networks[j].public # the network is public. | |
| } |
Each violation block represents the rule that you want to validate your system against. The first violation block checks if any of the system servers have the http protocol in it. If that is the case, the server id is added to the array. In the same way, the second violation block checks for the servers that have the telnet protocol in it and if it finds a match the server id is also added to the violation array.
The final result bring all server ids that have violated any policy rule. In this way, allow is only going to be true if the number of violations are equal to zero.
count(violation) == 0
Looking to our json file we can see that we have two servers violating our policy with the http and telnet protocols, the ci and busybox servers. So, lets run OPA in docker to find out if that is the case.
As we know we can use the opa eval command to evaluate Rego policies. So lets find out how we can run it from docker. To get docker run the eval command we must supply the input and policy files as arguments to docker using the -i and -d flags:
Run the following command, from the same directory where you saved your json and rego files, to download the opa image from docker and run it at the same time:
docker run -v $PWD:/example openpolicyagent/opa eval -i example/input.json -d example/example.rego "data.example.violation[x]"
By mapping the files of your currently directory to the example directory inside docker we can then pass those files as arguments from the comamnd line using docker.
You should get the following result from running the opa eval command:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "result": [ | |
| { | |
| "expressions": [ | |
| { | |
| "value": "ci", | |
| "text": "data.example.violation[x]", | |
| "location": { | |
| "row": 1, | |
| "col": 1 | |
| } | |
| } | |
| ], | |
| "bindings": { | |
| "x": "ci" | |
| } | |
| }, | |
| { | |
| "expressions": [ | |
| { | |
| "value": "busybox", | |
| "text": "data.example.violation[x]", | |
| "location": { | |
| "row": 1, | |
| "col": 1 | |
| } | |
| } | |
| ], | |
| "bindings": { | |
| "x": "busybox" | |
| } | |
| } | |
| ] | |
| } |
Comments
Post a Comment