chore: add tests

Signed-off-by: Arjun Raja Yogidas <[email protected]>

Author: coderbirju

docs/opa-middleware.md

@@ -46,7 +46,20 @@ Example:
 
 ## Comprehensive API Path Protection
 
-When writing Rego policies, it's crucial to implement thorough path matching to prevent unintended access to APIs. The daemon processes API paths without strict prefix validation, which could lead to security bypasses.
+When writing Rego policies, use pattern matching for API paths to prevent unauthorized access. Simple string matching can be bypassed by adding prefixes to API paths.
+
+Consider this potentially vulnerable policy that tries to restrict access to a specific container:
+```
+# INCORRECT: Can be bypassed
+allow if {
+    not (input.Path == "/v1.43/containers/sensitive-container/json")
+}
+```
+This policy can be bypassed in multiple ways:
+1. Using container ID instead of name: `/v1.43/containers/abc123.../json`
+2. Adding path prefixes: `/custom/v1.43/containers/sensitive-container/json`
+
+Follow the path matching best practices below to properly secure your resources.
 
 ## Path Matching Best Practices
 

docs/sample-rego-policies/case1-incompatible_API.rego

@@ -18,3 +18,13 @@ is_swarm_api if {
     input.Method == "GET"
     glob.match("/**/swarm", ["/"], input.Path)
 }
+
+is_forbidden_container if {
+    input.Method == "GET"
+    glob.match("/**/containers/1f576a797a486438548377124f6cb7770a5cb7c8ff6a11c069cb4128d3f59462/top", ["/"], input.Path)
+}
+
+is_missing_container if {
+    input.Method == "GET"
+    glob.match("/**/containers/1f576a797a486438548377124f6cb7770a5cb7c8ff6a11c069cb4128d3f59462/json", ["/"], input.Path)
+}

docs/sample-rego-policies/default.rego

@@ -33,6 +33,6 @@ is_plugins if {
 }
 
 is_forbidden_container if {
-    intpu.Method == "GET"
+    input.Method == "GET"
     glob.match("/**/container/1f576a797a486438548377124f6cb7770a5cb7c8ff6a11c069cb4128d3f59462/json", ["/"], input.Path)
 }

docs/sample-rego-policies/invalid.rego

@@ -0,0 +1,5 @@
+package finch.authz
+
+default allow = false
+
+invalid syntax

docs/sample-rego-policies/test.rego

@@ -0,0 +1,33 @@
+package finch.authz
+
+import future.keywords.if
+import rego.v1
+
+default allow = false
+
+allow if {
+    not is_networs_api
+    not is_swarm_api
+    not is_inspect_by_name
+}
+
+is_container_create if {
+    input.Method == "POST"
+    glob.match("/**/containers/create", ["/"], input.Path)
+}
+
+is_networs_api if {
+    input.Method == "GET"
+    glob.match("/**/networks", ["/"], input.Path)
+}
+
+is_swarm_api if {
+    input.Method == "GET"
+    glob.match("/**/swarm", ["/"], input.Path)
+}
+
+
+is_inspect_by_name if {
+    input.Method == "GET"
+    glob.match("/**/containers/test-container/json", ["/"], input.Path)
+}

docs/sample-rego-policies/test_fail_open.rego

@@ -28,7 +28,6 @@ func TestRun(t *testing.T) {
 	} else {
 		t.Skip("E2E tests skipped. Set TEST_E2E=1 to run regular E2E tests or MIDDLEWARE_E2E=1 to run OPA middleware tests")
 	}
-	opt, _ := option.New([]string{*Subject, "--namespace", "finch"})
 }
 
 func runOPATests(t *testing.T) {