Torin Warwick (Sandall) tsandall

  • Apple
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/ast"
	"github.com/open-policy-agent/opa/rego"
)
diff --git a/topdown/http.go b/topdown/http.go
index 856e790c..ae0c69af 100644
--- a/topdown/http.go
+++ b/topdown/http.go
@@ -79,70 +79,55 @@ func builtinHTTPSend(bctx BuiltinContext, args []*ast.Term, iter func(*ast.Term)
return handleBuiltinErr(ast.HTTPSend.Name, bctx.Location, err)
}
- return builtinHTTPSendHelper(bctx, req, raiseError, iter)
-}
$ for file in *.json; do echo "$file"; opa eval -i "$file" -d main.rego 'data.main.deny'; done
multiple ecr mixed missing true false.json
{
"result": [
{
"expressions": [
{
"value": [
"(policy/ecr.rego) Image Scanning 'Scan on push' is required to be true for all ecr repositories."
],

Option 1. Express policy as ACL.

Pros: Uses simple policy constructs. OPA will index the allow rules and yield constant-time eval. See https://blog.openpolicyagent.org/optimizing-opa-rule-indexing-59f03f17caf3

Cons: Maintaining policy manually could be painful. This could be solved by rendering/generating the policy.

# Allow group "techlead" to do anything on subscription "X".
allow {
    input.subject.group = "techlead"
@tsandall
tsandall / data.json
Last active February 13, 2019 21:39
Example of JSON documents and Rego files all contributing to 'data'.
{
  "kubernetes": {
    "pods": {
      "default": {
        "nginx": {
          "metadata": {
            "name": "nginx",
            "namespace": "default"
          },
          "spec": {
@tsandall
tsandall / ABAC
Last active November 7, 2018 16:23
ALFA comparison
package example

default allow = false

allow {
    input.action = "GET"
    input.path = "/index.html"
    allowed_roles := ["guest", "user", "admin"]
    input.subject.roles[_] = allowed_roles[_]
}
@tsandall
tsandall / main.go
Last active October 18, 2018 17:45
Example of running OPA HTTP server in standalone mode.
diff --git a/server/server.go b/server/server.go
index aa905554..13839f2a 100644
--- a/server/server.go
+++ b/server/server.go
@@ -80,6 +80,7 @@ var unsafeBuiltinsMap = map[string]bool{ast.HTTPSend.Name: true}
type Server struct {
Handler http.Handler
+ router *mux.Router
addrs []string
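Review bot: the new unexported field `router *mux.Router` is added to `Server` without a doc comment, and nothing in this hunk shows where it is initialized or how it relates to the exported `Handler` field; add a one-line comment on the field and check that the constructor sets it before any route registration so a nil router cannot be dereferenced.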
@tsandall
tsandall / gist:c7b57b5f96b77765ef416fba6f8e9f3e
Last active May 29, 2023 23:44
Example of verifying JWTs signed with RS256 in OPA
package example
cert = `-----BEGIN CERTIFICATE-----

MutatingAdmissionWebhook Example with OPA

This is a quick example of how to use OPA as a Mutating Admission Controller in Kubernetes 1.9.

Steps

  1. Register OPA as a MutatingAdmissionWebhook
  2. Load a policy to test mutation
  3. Exercise the policy
default allow = false

allow {
    input.method = "PUT"
    input.resource = "air-conditioner"
}

allow {
    input.method = "GET"
    input.resource = "security-camera"
}