Open Policy Agent (openpolicyagent/OPA) middleware for actix-web applications.
This middleware performs a policy check against an Open Policy Agent instance for incoming HTTP requests.
Both the policy check request and response are generic.
Take the following request :
curl -XGET -H 'Authorization: Bearer 123123123' http://localhost:8080/order/item/1
This will need to be translated to a JSON call to OPA :
{
"input" : {
"token" : "123123123",
"method" : "GET",
"path" : ["order", "item", "1"]
}
}We represent this as two Rust structs which implement Serialize,
#[derive(Serialize)]
struct PolicyRequest {
input: PolicyRequestInput,
}
#[derive(Serialize)]
struct PolicyRequestInput {
token: String,
method: String,
path: Vec<String>,
}The expected response is a JSON object :
{
"result" : {
"allow" : true
}
}We represent this as two Rust structs which implement Deserialize,
#[derive(Deserialize)]
struct PolicyResponse {
input: PolicyResponseResult,
}
#[derive(Deserialize)]
struct PolicyResponseResult {
allow: bool,
}Lastly we have to implement the OPARequest<S> and OPAResponse traits so that
impl<S> OPARequest<S> for PolicyRequest {
fn from_http_request(req: &HttpRequest<S>) -> Result<Self, String> {
// This needs to be constructured from _req
Ok(PolicyRequest {
input: PolicyRequestInput {
token: "123".into(),
method: req.method().to_string(),
path: vec!["order", "item", "1"],
}
})
}
}
impl OPAResponse for PolicyResponse {
fn allowed(&self) -> bool {
self.input.allow
}
} type VerifierMiddleware = PolicyVerifier<PolicyRequest, PolicyResponse>;