
nicholasjackson/golang-opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA) for writing and enforcing policies across cloud-native stacks, featuring data-driven rules, comprehensions, and 200+ built-in functions for infrastructure, security, and compliance automation.

Overall score: 97%


evals/scenario-4/task.md

Task: HTTP API Authorization Policy

Create an HTTP API authorization policy in Rego that controls access based on the HTTP method, request path, and the requesting user's role.

Requirements

Policy file

Create authz.rego with package httpapi.authz and import rego.v1.

The policy evaluates the following input structure:

{
  "method": "GET",
  "path": "/api/orders",
  "subject": {
    "user": "alice"
  }
}

External data is available at data.user_roles (maps usernames to a role name) and data.role_permissions (maps role names to a list of allowed HTTP methods). Example:

{
  "user_roles": {
    "alice": "admin",
    "bob": "readonly"
  },
  "role_permissions": {
    "admin":    ["GET", "POST", "PUT", "DELETE"],
    "readonly": ["GET"]
  }
}

Critical requirement: Do not use import input or import input as <alias> at the top of the file. Always reference input fields directly (e.g. input.method, input.subject.user).

The policy must:

  • Default to deny (i.e., default allow := false)
  • Allow any user (authenticated or not) to GET /api/health
  • Define a helper rule user_role that resolves the current user's role from data.user_roles
  • Define a helper rule permitted_methods that yields the set of methods allowed for the current user's role
  • Define an allow rule that permits access when input.method is in permitted_methods

Test file

Create authz_test.rego with package httpapi.authz_test and import rego.v1.

Use the with keyword to inject both input and data in every test. Include tests for:

  • A request to GET /api/health with no user — should be allowed
  • An admin user making a DELETE request — should be allowed
  • A readonly user making a GET request — should be allowed
  • A readonly user making a POST request — should be denied
  • A user not present in data.user_roles making any request — should be denied

Run the tests

Run opa test . -v and confirm all tests pass.
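One policy that satisfies the requirements above, written here as an added example rather than code taken from the tile's own evals. It assumes exactly the input and data shapes shown earlier (input.method, input.path, input.subject.user, data.user_roles, data.role_permissions) and the rego.v1 syntax (`if`, `contains`, `in`); the companion authz_test.rego is not shown.

```rego
package httpapi.authz

import rego.v1

# Deny by default: a request that matches no allow rule is rejected.
default allow := false

# Unauthenticated health checks are always permitted, so this rule does
# not touch input.subject at all.
allow if {
	input.method == "GET"
	input.path == "/api/health"
}

# Resolve the caller's role from the external data document. If the user
# is absent from data.user_roles (or input.subject is missing), this rule
# is undefined, and every rule that depends on it is undefined as well,
# which falls through to the default deny.
user_role := data.user_roles[input.subject.user]

# The set of HTTP methods the caller's role is allowed to use. A role with
# no entry in data.role_permissions yields an empty set.
permitted_methods contains method if {
	some method in data.role_permissions[user_role]
}

# Grant access when the request method is in the role's permitted set.
allow if {
	input.method in permitted_methods
}
```

With the example data above, an admin DELETE and a readonly GET are allowed, a readonly POST and any request from an unknown user are denied, and GET /api/health is allowed with no subject at all; `opa test . -v` against a matching authz_test.rego exercises each of those cases.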

Install with Tessl CLI

npx tessl i nicholasjackson/golang-opa-rego-language@1.15.0
