evaluate opa policy through inbound filter

privacy-profile-composer/go.mod

@@ -5,14 +5,12 @@ go 1.18
 require (
 	github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101
 	github.com/envoyproxy/envoy v1.27.1-0.20230920193053-83e604abd821
-	github.com/open-policy-agent/opa v0.57.1
-    github.com/openzipkin/zipkin-go v0.4.2
+	github.com/open-policy-agent/opa v0.61.0
+	github.com/openzipkin/zipkin-go v0.4.2
 	google.golang.org/grpc v1.61.0
 	google.golang.org/protobuf v1.31.0
 )
 
-require github.com/open-policy-agent/opa v0.61.0
-
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/Microsoft/hcsshim v0.11.4 // indirect
@@ -33,7 +31,7 @@ require (
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/klauspost/compress v1.16.0 // indirect
+	github.com/klauspost/compress v1.16.6 // indirect
 	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect

privacy-profile-composer/go.sum

@@ -80,7 +80,7 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
 github.com/klauspost/compress v1.16.6 h1:91SKEy4K37vkp255cJ8QesJhjyRO0hn9i9G0GoUwLsk=
-github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.16.6/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
@@ -95,6 +95,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=
 github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+github.com/openzipkin/zipkin-go v0.4.2 h1:zjqfqHjUpPmB3c1GlCvvgsM1G4LkvqQbBDueDOCg/jA=
+github.com/openzipkin/zipkin-go v0.4.2/go.mod h1:ZeVkFjuuBiSy13y8vpSDCjMi9GoI3hPpCJSBx/EYFhY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

privacy-profile-composer/pkg/envoyfilter/inbound_filter.go

@@ -12,6 +12,7 @@ import (
 	"net/url"
 
 	"github.com/envoyproxy/envoy/contrib/golang/common/go/api"
+	"github.com/open-policy-agent/opa/sdk"
 	"github.com/openzipkin/zipkin-go"
 	"github.com/openzipkin/zipkin-go/model"
 	"google.golang.org/grpc"
@@ -58,6 +59,54 @@ func (f *inboundFilter) DecodeHeaders(header api.RequestHeaderMap, endStream boo
 
 	common.LogDecodeHeaderData(header)
 
+	ctx := context.Background()
+	// Replace url with http://prose-server.prose-system.svc.cluster.local:8080
+	// Remove the leading /bundles/ in the resource // bundles.default.resource=bundle.tar.gz
+	opa_config := []byte(`{
+		"services": {
+			"bundles": {
+				"url": "http://prose-server.prose-system.svc.cluster.local:8080"
+			}
+		},
+		"bundles": {
+			"default": {
+				"resource": "/bundles/bundle.tar.gz",
+				"polling": {
+					"min_delay_seconds": 120,
+					"max_delay_seconds": 3600,	
+				}
+			}
+		},
+		"decision_logs": {
+			"console": true
+		}
+	}`)
+
+	log.Printf("about to instantiate a new opaObj sdk object\n")
+	// create an instance of the OPA object
+	opaObj, err := sdk.New(ctx, sdk.Options{
+		ID:     "opaObj-test-1",
+		Config: bytes.NewReader(opa_config),
+	})
+	log.Printf("got a response from sdk.New\n")
+
+	if err != nil {
+		log.Printf("could not initialize an OPA object --- this means that the data plane cannot evaluate the target privacy policy ----- %s\n", err)
+		return api.Continue
+	}
+
+	defer opaObj.Stop(ctx)
+	log.Printf("initialized an OPA object\n")
+
+	// get the named policy decision for the specified input
+	if result, err := opaObj.Decision(ctx, sdk.DecisionOptions{Path: "/authz/allow", Input: map[string]interface{}{"hello": "world"}}); err != nil {
+		log.Printf("had an error evaluating the policy: %s\n", err)
+	} else if decision, ok := result.Result.(bool); !ok || !decision {
+		log.Printf("result: descision: %v, ok: %v\n", decision, ok)
+	} else {
+		log.Printf("policy accepted the input data \n")
+	}
+
 	return api.Continue
 }