From e796e94e4795414430a3d06b1723cef9b5e14a41 Mon Sep 17 00:00:00 2001
From: daveads
Date: Fri, 11 Oct 2024 10:01:41 +0100
Subject: [PATCH 1/3] packages/opal-client/opal_client/callbacks
---
 packages/opal-client/opal_client/config.py | 7 +++++++
 .../opal-client/opal_client/engine/options.py | 2 ++
 .../opal-client/opal_client/engine/runner.py | 16 ++++++++++++++--
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/packages/opal-client/opal_client/config.py b/packages/opal-client/opal_client/config.py
index 58d7ae2c8..80ef2340a 100644
--- a/packages/opal-client/opal_client/config.py
+++ b/packages/opal-client/opal_client/config.py
@@ -147,6 +147,13 @@ def load_policy_store():
 "INLINE_OPA_LOG_FORMAT", EngineLogFormat, EngineLogFormat.NONE
 )
+
+ INLINE_OPA_EXECUTABLE_PATH = confi.str(
+ "INLINE_OPA_EXECUTABLE_PATH",
+ "opa",
+ description="Path to the OPA executable. Defaults to 'opa' if not specified."
+ )
+
 # Cedar runner configuration (Cedar-engine can optionally be run by OPAL) ----------------
 # whether or not OPAL should run the Cedar agent by itself in the same container
diff --git a/packages/opal-client/opal_client/engine/options.py b/packages/opal-client/opal_client/engine/options.py
index 370424e68..abae6d6a2 100644
--- a/packages/opal-client/opal_client/engine/options.py
+++ b/packages/opal-client/opal_client/engine/options.py
@@ -63,6 +63,8 @@ class OpaServerOptions(BaseModel):
 description="list of built-in rego policies and data.json files that must be loaded into OPA on startup. e.g: system.authz policy when using --authorization=basic, see: https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization",
 )
+ opa_executable_path: str = Field(default="opa", description="Path to the OPA executable")
+
 class Config:
 use_enum_values = True
 allow_population_by_field_name = True
diff --git a/packages/opal-client/opal_client/engine/runner.py b/packages/opal-client/opal_client/engine/runner.py
index 9cca62c28..67a8bb671 100644
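Review bot: The description on the new `INLINE_OPA_EXECUTABLE_PATH` setting does not say that the value names the binary OPAL itself will spawn, nor how a bare name is resolved, which is exactly what an operator setting this variable needs to know; the docs table added in the third patch of this series says the default is looked up on the system PATH, and the two texts should agree. Suggested text: `description="Path to the OPA binary that OPAL spawns for the inline engine. A bare name such as the default 'opa' is resolved through the system PATH."`. The enclosing definition starts and ends outside the hunk.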
--- a/packages/opal-client/opal_client/engine/runner.py
+++ b/packages/opal-client/opal_client/engine/runner.py
@@ -5,10 +5,11 @@
 from typing import Callable, Coroutine, List, Optional
 import psutil
-from opal_client.config import EngineLogFormat
+from opal_client.config import EngineLogFormat, opal_client_config
 from opal_client.engine.logger import log_engine_output_opa, log_engine_output_simple
 from opal_client.engine.options import CedarServerOptions, OpaServerOptions
 from opal_client.logger import logger
+
 from tenacity import retry, wait_random_exponential
 AsyncCallback = Callable[[], Coroutine]
@@ -252,7 +253,9 @@ def command(self) -> str:
 opts = self._options.get_cli_options_dict()
 opts_string = " ".join([f"{k}={v}" for k, v in opts.items()])
 startup_files = self._options.get_opa_startup_files()
- return f"opa run --server {opts_string} {startup_files}".strip()
+ opa_path = self._options.opa_executable_path
+ return f"{opa_path} run --server {opts_string} {startup_files}".strip()
+
 @staticmethod
 def setup_opa_runner(
@@ -273,6 +276,15 @@ def setup_opa_runner(
 to handle authorization queries. therefore it is necessary that we rehydrate the cache with fresh state fetched from the server.
 """
+
+ if options is None:
+ options = OpaServerOptions(
+ opa_executable_path=opal_client_config.INLINE_OPA_EXECUTABLE_PATH
+ )
+ elif options.opa_executable_path == "opa":
+ options.opa_executable_path = opal_client_config.INLINE_OPA_EXECUTABLE_PATH
+
+
 opa_runner = OpaRunner(options=options, piped_logs_format=piped_logs_format)
 if initial_start_callbacks:
 opa_runner.register_process_initial_start_callbacks(initial_start_callbacks)
From ee59f996957e16b113ac5350ef118f9d90e095af Mon Sep 17 00:00:00 2001
From: daveads
Date: Tue, 15 Oct 2024 14:26:06 +0100
Subject: [PATCH 2/3] based off review
---
 packages/opal-client/opal_client/engine/runner.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
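Review bot: The blank line added after `from opal_client.logger import logger` separates `tenacity` from what appears to be a single import group in this file (`psutil`, `opal_client.*`, `tenacity` in one run), so import-sorting tooling would flag or revert it. Drop the added blank line so the hunk only changes the `opal_client.config` import.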
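Review bot: The executable path is interpolated unquoted into the command string on the new `return` line, so a configured path containing spaces or shell metacharacters changes the meaning of the command if `self.command` is handed to a shell (how the string is executed is outside this hunk; confirm against the runner's spawn call). Because `opa_executable_path` is populated from the `INLINE_OPA_EXECUTABLE_PATH` environment variable, treat it as external input and quote it: `return f"{shlex.quote(opa_path)} run --server {opts_string} {startup_files}".strip()` (needs `import shlex`). A why-comment on the `opa_path =` line would also help: `# configurable so a pinned OPA build can be used instead of whatever "opa" is on PATH`. `command` starts outside the hunk.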
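Review bot: The `elif options.opa_executable_path == "opa"` branch uses the field's default value as the "not set" sentinel, so a caller that explicitly asks for `opa` is silently redirected to `INLINE_OPA_EXECUTABLE_PATH`, while a caller passing any other value silently bypasses the configured setting; neither rule is stated anywhere. If this precedence is intended, the docstring that closes at the top of this hunk should say so, e.g. add `the OPA binary comes from options.opa_executable_path, falling back to INLINE_OPA_EXECUTABLE_PATH when the option is left at its default "opa"`. Making the field `Optional[str] = None` in `OpaServerOptions` would turn the sentinel into an explicit "unset" and let the `elif` read `options.opa_executable_path is None`. `setup_opa_runner` starts and ends outside the hunk.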
diff --git a/packages/opal-client/opal_client/engine/runner.py b/packages/opal-client/opal_client/engine/runner.py
index 67a8bb671..eb34ab42e 100644
--- a/packages/opal-client/opal_client/engine/runner.py
+++ b/packages/opal-client/opal_client/engine/runner.py
@@ -254,6 +254,15 @@ def command(self) -> str:
 opts_string = " ".join([f"{k}={v}" for k, v in opts.items()])
 startup_files = self._options.get_opa_startup_files()
 opa_path = self._options.opa_executable_path
+
+ # Check if the OPA executable exists and is a file
+ if not os.path.isfile(opa_path):
+ raise FileNotFoundError(f"OPA executable not found at path: {opa_path}")
+
+ opts = self._options.get_cli_options_dict()
+ opts_string = " ".join([f"{k}={v}" for k, v in opts.items()])
+ startup_files = self._options.get_opa_startup_files()
+
 return f"{opa_path} run --server {opts_string} {startup_files}".strip()
@@ -284,6 +293,10 @@ def setup_opa_runner(
 elif options.opa_executable_path == "opa":
 options.opa_executable_path = opal_client_config.INLINE_OPA_EXECUTABLE_PATH
+ # Check if the OPA executable exists and is a file
+ if not os.path.isfile(options.opa_executable_path):
+ raise FileNotFoundError(f"OPA executable not found at path: {options.opa_executable_path}")
+
 opa_runner = OpaRunner(options=options, piped_logs_format=piped_logs_format)
 if initial_start_callbacks:
From 08199fab0e24b540e9dc9546e1b13b01b6c13061 Mon Sep 17 00:00:00 2001
From: daveads
Date: Tue, 15 Oct 2024 15:05:03 +0100
Subject: [PATCH 3/3] doc
---
 documentation/docs/getting-started/configuration.mdx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/documentation/docs/getting-started/configuration.mdx b/documentation/docs/getting-started/configuration.mdx
index 5cd2ed4c9..69d40d728 100644
--- a/documentation/docs/getting-started/configuration.mdx
+++ b/documentation/docs/getting-started/configuration.mdx
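Review bot: `os.path.isfile(opa_path)` is false for the default value `opa`, which is a bare name the spawned process resolves through PATH rather than a file in the working directory, so with no `INLINE_OPA_EXECUTABLE_PATH` set every evaluation of `command` now raises `FileNotFoundError` unless a file literally named `opa` sits in the CWD. The check also tests existence only (not the execute bit) and tests something different from what is run: `isfile` is relative to the CWD while execution is resolved through PATH. `shutil.which` does both lookups the way the spawn does and requires the execute bit; build the command from the path it returns so the file checked is the file executed (`import shutil` is needed, and no `import os` is visible in the parts of runner.py shown in this series, so confirm it is imported). The three added `opts`/`opts_string`/`startup_files` lines recompute values the unchanged lines just above already hold and should be dropped. `command` starts outside the hunk.

```python
        opa_path = self._options.opa_executable_path
        # A bare name such as the default "opa" is resolved through PATH by the
        # spawned process, so validate it the same way; which() also requires
        # the execute bit and returns None when nothing usable is found.
        resolved = shutil.which(opa_path)
        if resolved is None:
            raise FileNotFoundError(f"OPA executable not found at path: {opa_path}")
        # … unchanged: opts / opts_string / startup_files are computed above …
        return f"{resolved} run --server {opts_string} {startup_files}".strip()
```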
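Review bot: The added `os.path.isfile` check repeats the one in `command` and shares its flaw: it rejects the default `opa`, a PATH-resolved name rather than a file in the CWD, and does not check the execute bit. Validate once here with `resolved = shutil.which(options.opa_executable_path)`, raise the same `FileNotFoundError` when it is `None`, and store `options.opa_executable_path = resolved` so the command built later runs exactly the file that was checked (`import shutil` is needed). The comment `# Check if the OPA executable exists and is a file` would then read `# Resolve the OPA binary (bare names through PATH) and fail fast if it is missing or not executable`. `setup_opa_runner` starts and ends outside the hunk.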
@@ -39,7 +39,8 @@ Please use this table as a reference.
 | AUTH_PUBLIC_KEY | | |
 | AUTH_JWT_ALGORITHM | JWT algorithm. See possible values [here](https://pyjwt.readthedocs.io/en/stable/algorithms.html). | |
 | AUTH_JWT_AUDIENCE | | |
-| AUTH_JWT_ISSUER |
+| AUTH_JWT_ISSUER | | |
+| INLINE_OPA_EXECUTABLE_PATH | Path to the OPA executable. If not specified, defaults to "opa", assuming the OPA executable is in the system PATH. | /usr/local/bin/opa |
 ## OPAL Server Configuration Variables