Flask extension to use OPA as a client

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for EliuX from gravatar.com EliuX

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License (MIT)

Author: Eliecer Hernandez

Classifiers

Project description

Flask-OPA

Build Status codecov PyPI Version

Simple to use Flask extension that lets you use Open Policy Agent in your project.

How to run the application

If you want to try a demo check the code in examples, but for development:

  1. Run OPA in server mode

    • Check the latest OPA release and download it.
    • Put the binary file in the path of your system
    • Allow its execution with something like
    • Run opa in server mode with the sample policies
    cd examples
opa run -s -w data.json app.rego
    • -s is to run it in server mode instead of opening the REPL
    • -w is for watching the changes of the data/policy files

  2. Specify configuration variables

    • OPA_URL url string that specifies the OPA url to evaluate your input. It includes the path of the policy. E.g http://localhost:8181/v1/data/examples/allow.

    • OPA_SECURED boolean to specify if OPA will be enabled to your application.

    See more at the rest api reference

  3. Bind the OPA class to your Flask application

    Its easy to bind the Flask-OPA library to your application. Just follow the following steps:

  4. Create the OPA instance

    app = Flask(__name__)
app.config.from_pyfile('app.cfg')
opa = OPA(app, parse_input)

    Lets see the parameters that we passed to the OPA class:

    • parse_input (Required) contains a method that returns the input data json to be evaluated by the policy, e.g.:
    {
    "input": {
      "method": "GET",
      "path": ["data", "jon"],
      "user": "paul"
    }
}
    • url (Optional) to use an specific url instead of the OPA_URL optionally specified in the app configuration.
    • allow_function (Optional) predicate that determinate if the response from OPA allows (True) or denies (False) the request

    If you want enforce the OPA security in your application you can create the OPA instance like this:

    opa = OPA.secure(app, parse_input, url="http://localhost:8181/v1/data/package_name/allow")

    or

    opa = OPA(app, parse_input, url="http://localhost:8181/v1/data/package_name/allow").secured()

    otherwise OPA will enforce your security only if OPA_SECURED is True.

    Specify the logging level to DEBUG if you want to get access to Flask-OPA logs of its operations using

    app.logger.setLevel(logging.DEBUG)

  5. Run your Flask application.

Policy Enforcement point

For practical purposes, lets imagine a sample function that is in charge of logging content related to actions done by users. In this case we must create a different input functions that provide useful information for certain policies that will decide if a log should be sent or not to a remote server. Lets suppose that the logging function is something like:

def log_remotely(content):
    # Imagine a code to log this remotely
    app.logger.info("Logged remotely: %s", content)

to decorate it we must implement a PEP using our OPA instance as a function (callable mode). The parameters are pretty much the same as those used to secure the application. The resulting instance will serve as decorator of our function of interest:

def validate_logging_input_function(*arg, **kwargs):
   return {
        "input": {
            "user": request.headers.get("Authorization", ""),
            "content": arg[0]
        }
    }

secure_logging = app.opa("Logging PEP", app.config["OPA_URL_LOGGING"], validate_logging_input_function)

@secure_logging
def log_remotely(content):
    # Imagine a code to log content remotely
    app.logger.info("Logged remotely: %s", content)

As you might have noticed, the only thing we truly require for adding the PEP is a new input function. This function can provide a more versatile input than the one used by the OPA instance created for the whole app: in our example it provides info related to the user request and info provided by the parameters of the decorated function as well.

Read the examples README for more detailed information about how to run a demo.

Status

Pre-release or Beta: The project has gone through multiple rounds of active development with a goal of reaching a stable release version, but is not there yet.

Path of Development: Active (October 31th 2018)

Author

Eliecer Hernandez Garbey

Links

License

This project is licensed under the MIT License - see the LICENSE.md file for details.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for EliuX from gravatar.com EliuX

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License (MIT)

Author: Eliecer Hernandez

Classifiers

Release history Release notifications | RSS feed

1.0.0

0.6

0.5

This version

0.5b0 pre-release

0.4

0.3

0.2

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

Flask-OPA-0.5b0.tar.gz (5.6 kB view hashes)

Uploaded Source

Built Distribution

Flask_OPA-0.5b0-py2.py3-none-any.whl (5.9 kB view hashes)

Uploaded Python 2 Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page