Awesome
OPA-AspDotNetCore-Middleware
<p align="center"><img src="Logo-build.png" class="center" alt="build-logo" width="30%"/></p>Abstract
build.security provides simple development and management for your organization's authorization policy. OPA-AspDotNetCore-Middleware is a .Net middleware intended for performing authorization requests against build.security PDP(Policy Decision Point)/OPA.
Data Flow
<p align="center"> <img src="Data%20flow.png" alt="drawing" width="60%"/></p>Usage
Before you start we recommend completing the onboarding tutorial.
Important note
To simplify the setup process, the following example uses a local build.security PDP instance. If you are already familiar with how to run your PDP, You can also run a PDP on you environment (Dev/Prod, etc).
In that case, don't forget to change the hostname and the port in your code.
Simple usage
To use the middleware add this to your startup.cs
services.AddBuildAuthorization(options =>
{
options.Enable = true;
options.BaseAddress = "http://localhost:8181";
options.PolicyPath = "/v1/data/authz/allow";
options.AllowOnFailure = false;
options.Timeout = 5;
});
You can also add more context for the PDP authz decision using the Authorize
attribute on a ASP.NET controller, as shown in the sample application.
Mandatory configuration
BaseAddress
: String. The address of the Policy Decision Point (PDP)
Optional configuration
PolicyPath
: String. Full path to the policy (including the rule) that decides whether requests should be authorized. /v1/data/authz/allowAllowOnFailure
: Boolean. "Fail open" mechanism to allow access to the API in case the policy engine is not reachable. Default is false.IncludeBody
: Boolean. Whether or not to pass the request body to the policy engine. Default is true.IncludeHeaders
: Boolean. Whether or not to pass the request headers to the policy engine. Default is trueTimeout
: Boolean. Amount of time to wait before request is abandoned and request is declared as failed. Default is 1000ms.Enable
: Boolean. Whether or not to consult with the policy engine for the specific request. Default is trueIgnoreEndpoints
- String array. Determines what endpoint should be excluded from authorization.IgnoreRegex
- String array. Determines what endpoints should be excluded from authorization using regex.
PDP Request example
This is what the input received by the PDP would look like:
{
"input":{
"request":{
"method":"GET",
"query":[
],
"path":"/static/js/0.chunk.js",
"scheme":"http",
"host":{
"value":"localhost:5000",
"hasValue":true,
"host":"localhost",
"port":5000
}
},
"source":{
"ipAddress":"::1",
"port":64288
},
"destination":{
"ipAddress":"::1",
"port":5000
},
"resources":{
"requirements":[
],
"attributes":{
}
},
"sample":"application"
}
}
If everything works well you should receive the following response:
{
"decision_id":"ef414180-05bd-4817-9634-7d1537d5a657",
"result":true
}