Refering other Rego files (or rules) from a Rego file

[S1DDHEY]

I am trying to write the policies in such a way that I don't have to check for all the rules one by one instead it just hits the decision rule from one rego file that has the rule references from the other rego files.

auth.rego

package auth

default decision := {"allow": false, "reason": "default deny"}

decision := out if {
    data.auth.global.allow
    out := {"allow": true, "reason": "global"}
} else := out if {
    data.auth.rbac.allow
    out := {"allow": true, "reason": "rbac"}
} else := out if {
    data.auth.rebac.allow
    out := {"allow": true, "reason": "rebac"}
}

rbac.rego

package auth.rbac

import future.keywords.in


all_permissions contains perm if {

    user_role := lower(input.user.role)


    permissions_for_role := data.roles[user_role].permissions[input.module][input.feature][input.entity]

    # Iterate through permissions
    perm := permissions_for_role[_]
}

allow if {
    input.action in all_permissions
}

currently I have not written the rule for rebac.rego or global.rego they are just some boilerplate code, I am trying to test out whether my approach is correct or not.

Because when I hit the decision rule in the auth.rego with the input.json file

{
    "user": {
        "role": "hr_admin"
    },
    "module": "hrm",
    "feature": "performance",
    "entity": "cycle",
    "action": "read"
}

and roles.json (as data)

{
  "roles": {
    "hr_admin": {
      "permissions": {
        "hrm": {
          "performance": {
            "cycle": [
              "create",
              "read",
              "update",
              "delete"
            ],
            "goals": [
              "create",
              "read",
              "update",
              "delete"
            ],
            "appraisals": [
              "create",
              "read",
              "update",
              "delete"
            ],
            "feedback": [
              "create",
              "read",
              "update"
            ]
          }
        }
      }
    },
    "manager": {
      "permissions": {
        "hrm": {
          "performance": {
            "cycle": [
              "read",
              "update"
            ],
            "goals": [
              "read",
              "update"
            ],
            "appraisals": [
              "read"
            ],
            "feedback": [
              "create",
              "read",
              "update"
            ]
          }
        }
      }
    },
    "employee": {
      "permissions": {
        "hrm": {
          "performance": {
            "cycle": [
              "read"
            ],
            "goals": [
              "read"
            ],
            "appraisals": [
              "read"
            ],
            "feedback": [
              "read"
            ]
          }
        }
      }
    }
  }
}

the response is just a default deny, opa doesn't check the data.auth.rbac.allowrule.
But when I try opa eval for this rule it gives me the correct response that it should give (i.e.true)

Can someone tell me what is wrong with this logic ?

[johanfylling]

If your data.auth.rbac.allow rule evaluates as expected when queried directly, then it looks like your data.auth.decision rule should behave properly too. How are you invoking OPA? Are you including all rego/data files in your command? E.g. opa eval -d auth.rego -d rbac.rego -d roles.json -I input.json 'data.auth.decision'

[S1DDHEY]

I am using the opa-python-client by Turall (https://github.com/Turall/OPA-python-client) for intializing the OPA instance and this is the python code and I run opa run --server in a separate terminal with this

import os
from flask import Flask, request, jsonify
from opa_client.opa import OpaClient
from pathlib import Path
import json

app = Flask(__name__)

ROOT_DIR = Path(__file__).parent.parent
OPA_POLICY_DIR = str(ROOT_DIR / "opa")
ROLES_CONFIG_PATH = str(ROOT_DIR / "opa" / "roles.json")

try:
    print(f"Initializing OPA client...")
    
    # Initialize the OPA client
    client = OpaClient(host="localhost", port=8181)
    
    print("OPA client initialized successfully.")
    
    # Load policies
    client.update_policy_from_file(filepath="../opa/auth.rego", endpoint="auth")
    client.update_policy_from_file(filepath="../opa/rbac.rego", endpoint="auth.rbac")
    client.update_policy_from_file(filepath="../opa/rebac.rego", endpoint="auth.rebac")
    client.update_policy_from_file(filepath="../opa/global.rego", endpoint="auth.global")
    client.update_policy_from_file(filepath="../opa/tenant.rego", endpoint="auth.tenant")


    # Load the roles.json data
    print(f"Loading roles data from: {ROLES_CONFIG_PATH}")
    with open(ROLES_CONFIG_PATH, 'r') as f:
        roles_data = json.load(f)
    client.update_or_create_data(roles_data, "roles")
    print("Roles data loaded into OPA client.")

except Exception as e:
    print(f"Error initializing OPA client or loading data: {e}")
    # We will let the app crash if initialization fails, as it's a critical error.
    raise


@app.route('/v1/data/auth/decision', methods=['POST'])
def get_decision():
    try:
        # Get the input from the request body
        input_data = request.get_json()
        if not input_data:
            return jsonify({"error": "Invalid JSON input"}), 400

        print(f"Received input for evaluation: {input_data}")

        # The 'input' key is expected by OPA
        opa_input = {"input": input_data}

        # Evaluate the policy
        # The path corresponds to the rule we want to evaluate: data.auth.decision
        decision = client.query_rule(input_data=opa_input, package_path="auth", rule_name="decision")
        
        print(f"OPA decision: {decision}")

        return jsonify(decision.get('result', {}))

    except Exception as e:
        print(f"Error during OPA evaluation: {e}")
        return jsonify({"error": "Internal server error during policy evaluation"}), 500


if __name__ == '__main__':

    app.run(host='0.0.0.0', port=5001, debug=True)

If your data.auth.rbac.allow rule evaluates as expected when queried directly, then it looks like your data.auth.decision rule should behave properly too. How are you invoking OPA? Are you including all rego/data files in your command? E.g. opa eval -d auth.rego -d rbac.rego -d roles.json -I input.json 'data.auth.decision'

for this opa eval -d auth.rego -d rbac.rego -d roles.json -i input.json 'data.auth.decision' i am getting the correct response

{
  "result": [
    {
      "expressions": [
        {
          "value": {
            "allow": true,
            "reason": "rbac"
          },
          "text": "data.auth.decision",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}

But when I try http://localhost:5001/v1/data/auth/decision endpoint
I get this

@johanfylling Can you tell me what is wrong with this ?
Is my approach correct ?

[srenatus]

I'd question this

   # The 'input' key is expected by OPA
        opa_input = {"input": input_data}

Can you try without the extra wrapping? I'd think they python lib probably takes care of this already.

[S1DDHEY]

@srenatus I removed the extra wrapping this gave me

it should give me

{
    "allow": true,
    "reason": "rbac"
}

what should I change ?