  • Stars
    130
  • Rank 277,575 (Top 6 %)
  • Language
    JavaScript
  • License
    Apache License 2.0
  • Created over 5 years ago
  • Updated 3 months ago

Repository Details

Open Policy Agent WebAssembly NPM module (opa-wasm)

Work in Progress -- Contributions welcome!!

Open Policy Agent WebAssembly NPM Module

This is the source for the @open-policy-agent/opa-wasm NPM module which is a small SDK for using WebAssembly (wasm) compiled Open Policy Agent Rego policies.

Getting Started

Install the module

npm install @open-policy-agent/opa-wasm

Usage

There are only a couple of steps required to start evaluating the policy.

Import the module

const { loadPolicy } = require("@open-policy-agent/opa-wasm");

Load the policy

loadPolicy(policyWasm);

The loadPolicy function returns a Promise with the loaded policy. Typically this means loading it in an async function like:

const policy = await loadPolicy(policyWasm);

Or something like:

loadPolicy(policyWasm).then((policy) => {
  // evaluate or save the policy
}, (error) => {
  console.error("Failed to load policy: " + error);
});

The policyWasm needs to be either the raw byte array of the compiled policy Wasm file, or a WebAssembly module.

For example:

const fs = require("fs");

const policyWasm = fs.readFileSync("policy.wasm");

Alternatively, the bytes can be pulled in remotely with a fetch, or in some cases (like Cloudflare Workers) the Wasm binary can be loaded directly into the JavaScript context through external APIs.

Evaluate the Policy

The loaded policy object returned from loadPolicy() has a couple of important APIs for policy evaluation:

setData(data) -- Provide an external data document for policy evaluation.

  • data MUST be a serializable object or an ArrayBuffer, which is assumed to be well-formed stringified JSON

evaluate(input) -- Evaluates the policy using any loaded data and the supplied input document.

  • input parameter MAY be an object, primitive literal or ArrayBuffer, which is assumed to be well-formed stringified JSON

ArrayBuffer is supported in the APIs above as a performance optimisation, given that contents provided by either the network or the file system can easily be represented as an ArrayBuffer in a very performant way.

Example:

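// The input is passed as an object and serialized to JSON for the policy.
const input = { path: "/", role: "admin" };

loadPolicy(policyWasm).then((policy) => {
  const resultSet = policy.evaluate(input);
  if (resultSet == null) {
    console.error("evaluation error");
    return;
  }
  if (resultSet.length == 0) {
    // The entrypoint is undefined for this input.
    console.log("undefined");
    return;
  }
  // Each entry carries the entrypoint's value under the `result` key.
  console.log("allowed = " + resultSet[0].result);
}).catch((error) => {
  console.error("Failed to load policy: ", error);
});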

For any Wasm binary created with opa build, the result set, when defined, will contain a result key with the value of the compiled entrypoint. See https://www.openpolicyagent.org/docs/latest/wasm/ for more details.
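
An added example (not part of the opa-wasm README or the project's code): a fail-closed wrapper around the result set described above, so that an evaluation error, an undefined entrypoint, or a non-boolean result never turns into an allow. authorize() and the stub policy objects are hypothetical; the stubs stand in for a policy returned by loadPolicy() so the block runs without a policy.wasm.

```javascript
// authorize() is a hypothetical helper, not an opa-wasm API.
function authorize(policy, input) {
  let resultSet;
  try {
    resultSet = policy.evaluate(input);
  } catch (err) {
    return { allowed: false, reason: "evaluation threw: " + err.message };
  }
  if (!Array.isArray(resultSet)) {
    return { allowed: false, reason: "evaluation error" };
  }
  if (resultSet.length === 0) {
    // The entrypoint is undefined for this input: deny, do not default to allow.
    return { allowed: false, reason: "undefined" };
  }
  if (resultSet.length !== 1) {
    return { allowed: false, reason: "unexpected result count" };
  }
  const entry = resultSet[0];
  const value = entry == null ? undefined : entry.result;
  // Only the boolean true allows; "true", 1 or { allow: true } do not.
  if (value !== true) {
    return { allowed: false, reason: "result is not boolean true" };
  }
  return { allowed: true, reason: "policy allowed" };
}

// Constructed stand-ins for a loaded policy; each mimics one evaluate()
// outcome (assumption: a boolean entrypoint such as example/allow).
const stub = (fn) => ({ evaluate: fn });
const adminOnly = stub((input) => [
  { result: Boolean(input) && input.role === "admin" },
]);
const undefinedRule = stub(() => []);
const packageEntrypoint = stub(() => [{ result: { allow: true } }]);
const broken = stub(() => { throw new Error("bad input"); });

const sampleInput = { path: "/", role: "admin" };
const policies = { adminOnly, undefinedRule, packageEntrypoint, broken };
for (const [name, policy] of Object.entries(policies)) {
  console.log(name, authorize(policy, sampleInput));
}
```

The packageEntrypoint case shows why the strict comparison matters: an object-valued result is truthy in JavaScript, so a check like `if (resultSet[0].result)` would allow it.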

Writing the policy

See https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies/

Compiling the policy

Use either the Compile REST API or the opa build CLI tool.

For example, with OPA v0.20.5+:

opa build -t wasm -e example/allow example.rego

This compiles the example.rego policy file with the result set to data.example.allow. The result will be an OPA bundle with the policy.wasm binary included. See ./examples for a more comprehensive example.

See opa build --help for more details.

Development

Lint and Format checks

This project is using Deno's lint and formatter tools in CI. With deno installed locally, the same checks can be invoked using npm:

  • npm run lint
  • npm run fmt -- this will fix the formatting
  • npm run fmt:check -- this happens in CI

All of these operate on git-tracked files, so make sure you've committed the code you'd like to see checked. Alternatively, you can invoke deno lint my_new_file.js directly, too.

Build

The published package provides four different entrypoints for consumption:

  1. A CommonJS module for consumption with older versions of Node or those using require():
    const { loadPolicy } = require("@open-policy-agent/opa-wasm");
  2. An ESM module for consumption with newer versions of Node:
    import { loadPolicy } from "@open-policy-agent/opa-wasm";
  3. An ESM module for consumption in modern browsers (this will contain all dependencies already bundled and can be used standalone).
    <script type="module">
    import opa from 'https://unpkg.com/@open-policy-agent/opa-wasm@latest/dist/opa-wasm-browser.esm.js';
    opa.loadPolicy(...);
    </script>
  4. A script for consumption in all browsers (this will export an opa global variable).
    <script src="https://unpkg.com/@open-policy-agent/opa-wasm@latest/dist/opa-wasm-browser.js"></script>
    <script>
    opa.loadPolicy(...);
    </script>

The browser builds are generated in the ./build.sh script and use esbuild. All exports are defined in the exports field in the package.json file. More details on how these work are described in the Conditional Exports documentation.

For TypeScript projects we also generate an opa.d.ts declaration file that will give correct typings and is also defined under the types field in the package.json.
