Skip to content

Instantly share code, notes, and snippets.

View anderseknert's full-sized avatar
👨‍💻
Hacking on all things OPA

Anders Eknert anderseknert

👨‍💻
Hacking on all things OPA
220 followers · 135 following
View GitHub Profile
@anderseknert
anderseknert / find_commits.txt
Created November 17, 2019 18:31
Find GitHub commits by commiter name or e-mail
https://github.com/organization/project/commits/master?author=<username>
OR
https://github.com/organization/project/commits/master?author=<email address>
@anderseknert
anderseknert / gist:2a24232fa3a6e8c8c823e103acd33731
Created January 3, 2020 09:58
Read kubernetes certificate data
yq read ~/.kube/config.env users[0].user.client-certificate-data | base64 -D | openssl x509 -text
@anderseknert
anderseknert / deny.rego
Created February 4, 2020 11:52
Incremental deny rule
deny[reason] {
input.role != "admin"
reason = "User not an admin"
}
deny[reason] {
time.weekday(time.now_ns()) == "Sunday"
reason = "Access not allowed on Sundays"
}
@anderseknert
anderseknert / filedeliveries.yaml
Created October 13, 2020 08:48
Argo test
apiVersion: argoproj.io/v1alpha1
kind: Workflow # new type of k8s spec
metadata:
generateName: hello-world- # name of the workflow spec
spec:
entrypoint: whalesay # invoke the whalesay template
templates:
- name: whalesay # name of the template
container:
image: alpine:3.7
@anderseknert
anderseknert / policy.rego
Created January 26, 2021 15:21
policy.rego
package policy
default allow = false
allow {
input.role == "admin"
}
@anderseknert
anderseknert / policy.rego
Created January 26, 2021 19:28
package policy
allow {
true
}
@anderseknert
anderseknert / discovery.rego
Last active June 11, 2021 08:35
discovery.rego
package oidc
issuers = {"https://issuer1.example.com", "https://issuer2.example.com"}
metadata_discovery(issuer) = http.send({
"url": concat("", [issuers[issuer], "/.well-known/openid-configuration"]),
"method": "GET",
"force_cache": true,
"force_cache_duration_seconds": 86400 # Cache response for 24 hours
}).body
@anderseknert
anderseknert / jwks.rego
Created January 26, 2021 19:37
jwks.rego
package oidc
jwks_request(url) = http.send({
"url": url,
"method": "GET",
"force_cache": true,
"force_cache_duration_seconds": 3600 # Cache response for an hour
})
jwks = jwks_request("https://authorization-server.example.com/jwks").body
@anderseknert
anderseknert / jwks_rotation.rego
Created January 26, 2021 19:38
jwks_rotation.rego
package oidc
jwks_request(url) = http.send({
"url": url,
"method": "GET",
"force_cache": true,
"force_cache_duration_seconds": 3600
})
jwt_unverified := io.jwt.decode(input.token)
@anderseknert
anderseknert / token_retrieval.rego
Created January 26, 2021 19:40
token_retrieval.rego
package oauth2
token = t {
response := http.send({
"url": "https://authorization-server.example.com/token",
"method": "POST",
"headers": {
"Content-Type": "application/x-www-form-urlencoded",
"Authorization": concat(" ", [
"Basic",