Skip to content

Latest commit

 

History

History
50 lines (36 loc) · 2.82 KB

README.md

File metadata and controls

50 lines (36 loc) · 2.82 KB

Bouncer Policies

A repository with a set of access control policies consumable by the bouncer service, written in Rego language.

Authoring

New access control policies go to /policies/service directory. Each new policy MUST be accompanied by a set of test cases, those go /test/test directory. The /policies and the /test directories as a whole are policy bundles, please follow documented conventions carefully.

Each policy under /policies/service can be specified as ruleset id when talking to bouncer. For example, ruleset identified with "service/authz/api" maps to /policies/service/authz/api.rego policy.

Bouncer expects each policy to define document with the name "assertions", with following structure:

{
    // Set of assertions which tell why operation under the input context is forbidden.
    // When the set is empty operation is not explicitly forbidden.
    // Each element must be an object containing at least a "code" property, meant
    // primarily for machines to read and analyze. Though a "description" property meant
    // for humans won't hurt.
    // ```
    // {"code": "auth_expired", "description": "...", ...}
    // ```
    "forbidden" : [...],

    // Set of assertions which tell why operation under the input context is allowed.
    // When the set is empty operation is not explicitly allowed.
    // Each element must be a similar object, containing at least a "code" property.
    "allowed"   : [...]
}

When evaluating some policy bouncer will provide bouncer context in a JSON representation as an input document.

Testing

Running make test in the project directory will execute all test cases in the /test bundle under docker container with OPA binary of the fixed version, consult Makefile to find out which version is currently in use.

Please put all context instances used for testing purposes in data documents under fixtures/ subdirectory, this way the validator can pick them up and validate against Thrift schema. Run make wc_validate to do that. Do not forget to upgrade bouncer proto version if needed using cd validator && rebar3 upgrade bouncer_proto.

Running

Running make build_image will produce another Docker image tagged with HEAD commit hash, as always. This image is essentially an OPA binary set up to serve documents defined in the policy bundle.

Most of the usual OPA API operations are secured with the help of a system authorization policy defined under /policies/system.