
nicholasjackson/opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.

Impact: 99% (1.19x), average score across 31 eval scenarios.

Quality (does it follow best practices?): pending.

Security by Snyk (the risk profile of this skill): pending.

evals/scenario-6/task.md

HTTP API: Authorization Policy

Write a Rego policy for our API gateway. Every incoming request is checked by OPA before it reaches the service. Users authenticate with a JWT bearer token.

The policy should allow users to read their own salary record and allow managers to read their subordinates' salary records. All other requests should be denied.

Input

{
  "method": "GET",
  "path": ["finance", "salary", "alice"],
  "user": "bob",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

The JWT is at input.token as a raw encoded string. Decode it with io.jwt.decode(input.token) to extract the payload claims (e.g. azp, subordinates, hr).

Expected behaviour

  • A user can GET their own salary: input.path == ["finance", "salary", input.user]
  • A manager can GET a subordinate's salary: the subordinate's username appears in token.payload.subordinates
  • HR members (where token.payload.hr == true) can GET any salary
  • The token must be issued to the requesting user: input.user == token.payload.azp
  • All other requests are denied (default allow := false)
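One policy that satisfies the expected behaviour above, written here as an added example rather than the tile's own solution. It assumes the package name httpapi.authz and an OPA version that accepts import rego.v1 (0.59 or later); signature verification is left out because the task specifies io.jwt.decode.

```rego
package httpapi.authz

import rego.v1

# Deny unless one of the allow rules below holds.
default allow := false

# io.jwt.decode splits the raw token into [header, payload, signature].
# It does NOT check the signature; a real gateway would use io.jwt.decode_verify
# with its verification key (key handling is outside this task's scope).
token := {"header": parts[0], "payload": parts[1]} if {
	parts := io.jwt.decode(input.token)
}

# Username addressed by the request when the path has the form
# ["finance", "salary", <user>]; undefined for every other path.
salary_owner := input.path[2] if {
	count(input.path) == 3
	input.path[0] == "finance"
	input.path[1] == "salary"
}

# Every grant requires a GET on a salary path by a user whose token was
# issued to them: the azp (authorized party) claim must equal input.user.
salary_read if {
	input.method == "GET"
	is_string(salary_owner)
	input.user == token.payload.azp
}

# A user may read their own salary record.
allow if {
	salary_read
	salary_owner == input.user
}

# A manager may read a direct subordinate's salary record.
# Undefined (and therefore denied) when the payload has no subordinates claim.
allow if {
	salary_read
	salary_owner in token.payload.subordinates
}

# HR members may read any salary record.
allow if {
	salary_read
	token.payload.hr == true
}
```

Evaluate it against the sample request with `opa eval -d policy.rego -i input.json 'data.httpapi.authz.allow'`; bob's request for alice's record is allowed only if his token lists alice in subordinates or carries hr: true.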
