ory · ryanph · Jun 5, 2020 · Jun 5, 2020 · Jun 5, 2020 · Jun 8, 2020
@@ -859,6 +859,35 @@
       ],
       "additionalProperties": false
     },
+    "configAuthorizersRemoteOPA": {
+      "type": "object",
+      "title": "Remote OPA Configuration",
+      "description": "This section is optional when the authorizer is disabled.",
+      "properties": {
+        "remote": {
+          "title": "Remote Authorizer URL",
+          "type": "string",
+          "format": "uri",
+          "description": "The URL of the policy document to query on the remote OPA authorizer. The authorizer will POST an input to the document containing the fields user (subject if present), method (HTTP method) and path (the HTTP request path as an array). The policy should return a variable called allow in it's result with a boolean value.\n\n>If this authorizer is enabled, this value is required.",
+          "examples": [
+            "http://opa-host:8181/v1/data/example/authz"
+          ]
+        },
+        "payload": {
+          "title": "JSON Payload",
+          "type": "string",
+          "description": "The JSON payload of the request sent to the remote authorizer. The string will be parsed by the Go text/template package and applied to an AuthenticationSession object after being pre-parsed to handle the parameter PathArray which will insert the HTTP request path as a JSON array.\n\n>If this authorizer is enabled, this value is required.",
+          "examples": [
+            "{\"input\":{\"user\":\"{{ .Subject }}\",\"path\":{{ .PathArray }},\"method\":\"{{ .MatchContext.Method }}\"}}"
+          ]
+        }
+      },
+      "required": [
+        "remote",
+        "payload"
+      ],
+      "additionalProperties": false
+    },
     "configMutatorsCookie": {
       "type": "object",
       "title": "Cookie Mutator Configuration",
@@ -1566,6 +1595,38 @@
               }
             }
           ]
+        },
+        "remote_opa": {
+          "title": "Remote OPA",
+          "description": "The remote_opa authorizer",
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "$ref": "#/definitions/handlerSwitch"
+            }
+          },
+          "oneOf": [
+            {
+              "properties": {
+                "enabled": {
+                  "const": true
+                },
+                "config": {
+                  "$ref": "#/definitions/configAuthorizersRemoteOPA"
+                }
+              },
+              "required": [
+                "config"
+              ]
+            },
+            {
+              "properties": {
+                "enabled": {
+                  "const": false
+                }
+              }
+            }
+          ]
         }
       }
     },

@@ -0,0 +1,5 @@
+{
+  "$id": "/.schema/authorizers.remote_opa.schema.json",
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$ref": "/.schema/config.schema.json#/definitions/configAuthorizersRemoteOPA"
+}
@@ -439,3 +439,106 @@ authorizers:
   ]
 }
 ```
+
+## `remote_opa`
+
+This authorizer performs authorization against an OPA policy document using the API
+of a remote OPA instance. The authorizer makes a HTTP POST request to the OPA instance
+with a JSON formatted policy input generated from a template.
+
+The template is populated from the AuthenticationSession struct and an addition parameter
+PathArray that populates the path of the HTTP request as a JSON array.
+
+The OPA API always returns a "200 OK" response code and a JSON formatted body containing a
+policy result specifying "allow" as either true or false.
+
+If the "allow" value of the policy result is true then access is allowed, if it is false
+or undefined then access is denied. This authorizer is intended to be a drop-in alternative
+to the python middleware in the official Open Policy Agent documentation.
+
+See:
+[`OPA HTTP API Authorization Use Case](https://www.openpolicyagent.org/docs/v0.11.0/http-api-authorization/)
+[`OPA API Documentation - Get a Document (with Input)](https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-document-with-input)
+
+### Configuration
+
+- `remote` (string, required) - The remote OPA policy document URL located
+  under the /v1/data API path.
+- `payload` (string, required) - The payload template to populate and POST
+  to the remote OPA server. 
+
+#### Example
+
+```yaml
+# Global configuration file oathkeeper.yml
+authorizers:
+  remote_opa:
+    # Set enabled to "true" to enable the authenticator, and "false" to disable the authenticator. Defaults to "false".
+    enabled: true
+
+    config:
+      remote: http://opa-host:8181/v1/data/example/authz
+      payload: "{\"input\":{\"user\":\"{{ .Subject }}\",\"path\":{{ .PathArray }},\"method\":\"{{ .MatchContext.Method }}\"}}"
+```
+
+```yaml
+# Some Access Rule: access-rule-1.yaml
+id: access-rule-1
+# match: ...
+# upstream: ...
+authorizers:
+  - handler: remote_opa
+    config:
+      remote: http://opa-host:8181/v1/data/example/authz
+      payload: "{\"input\":{\"user\":\"{{ .Subject }}\",\"path\":{{ .PathArray }},\"method\":\"{{ .MatchContext.Method }}\"}}"
+```
+
+### Access Rule Example
+```shell
+{
+  "id": "some-id",
+  "upstream": {
+    "url": "http://my-backend-service"
+  },
+  "match": {
+    "url": "http://my-app/api/<.*>",
+    "methods": ["GET"]
+  },
+  "authenticators": [
+    {
+      "handler": "anonymous"
+    }
+  ],
+  "authorizer": {
+    "handler": "remote_opa",
+    "config": {
+      "remote": "http://opa-host:8181/v1/data/example/authz",
+      "payload": "{\"input\":{\"user\":\"{{ .Subject }}\",\"path\":{{ .PathArray }},\"method\":\"{{ .MatchContext.Method }}\"}}"
+    }
+  }
+  "mutators": [
+    {
+      "handler": "noop"
+    }
+  ]
+}
+
+### Generated JSON Payload Example
+```shell
+{
+  "input": {
+    "user": "Subject",
+    "path": ["request","url","split","into","an","array"]
+    "method": "GET"
+  }
+}
+```
+
+### Expected JSON Response Example
+```shell
+{
+  "result": {
+    "allow": true
+  }
+}
+```
@@ -66,6 +66,8 @@ const (
 	ViperKeyAuthorizerRemoteIsEnabled = "authorizers.remote.enabled"
 
 	ViperKeyAuthorizerRemoteJSONIsEnabled = "authorizers.remote_json.enabled"
+
+	ViperKeyAuthorizerRemoteOPAIsEnabled = "authorizers.remote_opa.enabled"
 )
 
 // Mutators

@@ -354,6 +354,18 @@ func TestViperProvider(t *testing.T) {
 			assert.EqualValues(t, "https://host/path", config.Remote)
 			assert.EqualValues(t, "{}", config.Payload)
 		})
+
+		t.Run("authorizer=remote_opa", func(t *testing.T) {
+			a := authz.NewAuthorizerRemoteOPA(p)
+			assert.True(t, p.AuthorizerIsEnabled(a.GetID()))
+			require.NoError(t, a.Validate(nil))
+
+			config, err := a.Config(nil)
+			require.NoError(t, err)
+
+			assert.EqualValues(t, "http://opa-host:8181/v1/data/example/authz", config.Remote)
+		})
+
 	})
 
 	t.Run("group=mutators", func(t *testing.T) {

@@ -367,6 +367,7 @@ func (r *RegistryMemory) prepareAuthz() {
 			authz.NewAuthorizerKetoEngineACPORY(r.c),
 			authz.NewAuthorizerRemote(r.c),
 			authz.NewAuthorizerRemoteJSON(r.c),
+			authz.NewAuthorizerRemoteOPA(r.c),
 		}
 
 		r.authorizers = map[string]authz.Authorizer{}

@@ -9,7 +9,7 @@ import (
 func TestRegistryMemoryAvailablePipelineAuthorizers(t *testing.T) {
 	r := NewRegistryMemory()
 	got := r.AvailablePipelineAuthorizers()
-	assert.ElementsMatch(t, got, []string{"allow", "deny", "keto_engine_acp_ory", "remote", "remote_json"})
+	assert.ElementsMatch(t, got, []string{"allow", "deny", "keto_engine_acp_ory", "remote", "remote_json", "remote_opa"})
 }
 
 func TestRegistryMemoryPipelineAuthorizer(t *testing.T) {
@@ -22,6 +22,7 @@ func TestRegistryMemoryPipelineAuthorizer(t *testing.T) {
 		{id: "keto_engine_acp_ory"},
 		{id: "remote"},
 		{id: "remote_json"},
+		{id: "remote_opa"},
 		{id: "unregistered", wantErr: true},
 	}
 	for _, tt := range tests {

@@ -73,4 +73,9 @@ var (
 		CodeField:   http.StatusBadRequest,
 		StatusField: http.StatusText(http.StatusBadRequest),
 	}
+	ErrBadAuthorizerResponse = &herodot.DefaultError{
+		ErrorField:  "The response from the authorizer is malformed or contains invalid data",
+		CodeField:   http.StatusBadGateway,
+		StatusField: http.StatusText(http.StatusBadGateway),
+	}
 )
@@ -270,6 +270,15 @@ authorizers:
       remote: https://host/path
       payload: "{}"
 
+  # Configures the remote_opa authorizer
+  remote_opa:
+    # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
+    enabled: true
+
+    config:
+      remote: http://opa-host:8181/v1/data/example/authz
+      payload: "{\"input\":{\"user\":\"{{ .Subject }}\",\"path\":{{ .PathArray }},\"method\":\"{{ .MatchContext.Method }}\"}}"
+
 # All mutators can be configured under this configuration key
 mutators:
   header:

@@ -49,6 +49,7 @@ type AuthenticationSession struct {
 type MatchContext struct {
 	RegexpCaptureGroups []string `json:"regexp_capture_groups"`
 	URL                 *url.URL `json:"url"`
+	Method				string
 }
 
 func (a *AuthenticationSession) SetHeader(key, val string) {