How to execute with bundles?

[jabaran]

This feels like such a simple thing but after hours of staring I need another set of eyes who is familiar with these tools.

As a single file, I am able to get policies to evaluate/execute; however, as I try to DRY up my code with bundles/imports things start breaking.

Goals:

• Have either a directory, or a bundle that can referenced in my policies
• Execute policy which references the above with input via CLI with input files

What I've tried:

• Putting all the common code into a separate directory and adding those files to executions
• Creating a bundle from that directory

I've included the relevant imports into the target policy to the specific elements, but with both opa and conftest I've hit a wall.

Simplified version of what one of the imported packages looks like:

package app.inputs

StandardInput[h] {
    h:=input.input
}

StandardInput[h] {
    h:=input
}

And the consuming policy references it via import data.app.inputs.StadardInput

I would like to execute/test a policy with a bundle and defined input.

I've tried the following (names simplified):

• opa exec -i input.json -d source_controls.rego -b .\bundle.tar.gz
  • input files aren't supported for exec
• conftest test -p .\containsPolicyDirectory -d .\bundle.tar.gz --all-namespaces .input.json
  • Results aren't correct, as if the bundled details aren't loaded, policy exits on first line that uses one of the imported items
  • Tried specifying the policy directly and being a level up
• opa eval -i input.json -d .\policy\source_controls.rego -b .\bundle.tar.gz --explain full
  • specify query argument or --stdin
• opa eval -i input.json -d .\policy\source_controls.rego -b .\bundle.tar.gz --stdin < .\source_controls.rego

Environment

• opa version
  • Version: 0.41.0
  • Build Commit: 0d6a109-dirty
  • Build Timestamp: 2022-06-02T17:47:15Z
  • Build Hostname: a69f467e19f6
  • Go Version: go1.18.3
  • Platform: windows/amd64
  • WebAssembly: available
• conftest --version
  • Conftest: 0.32.1
  • OPA: 0.40.0

I hope someone can point out a nice simple, flaw in what I'm doing that I can quickly address.

[ashutosh-narkar]

Here's a simple example of the process. Let's say you have couple of policy files in your directory.

$ ls
helper.rego  policy.rego

helper.rego

package app.inputs

default allow = false

allow {
    input.message == "hello"
}

policy.rego

package authz

import data.app.inputs

default allow = false

allow {
    inputs.allow
}

Now build your bundle:

opa build -b .

Now evaluate bundle with some input.

input.json

{"message": "hello"}

$ opa eval "data.authz.allow" -b bundle.tar.gz -i input.json
{
  "result": [
    {
      "expressions": [
        {
          "value": true,
          "text": "data.authz.allow",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}

[jabaran]

@ashutosh-narkar - First, thank you.

I didn't realize in the opa eval the query would need to prefixed "data" in this scenario. I was able to extend to my specific need with a bundle plus -d data file.

Is there also a means of using conftest in a similar way as above? I don't see a means of referencing bundles that aren't pulled from OCI

conftest test -p .\bundle.tar.gz -d .\policy\policy.source_controls.rego --namespace policy .\input.json

• Error: running test: load: loading policies: no policies found in [.\Library.tar.gz]

conftest test -d .\bundle.tar.gz -p .\policy\policy.source_controls.rego --namespace policy .\input.json

• Test did not run. A trace showed no rules matched

From my opa eval experience I tried a few more variations with namespace e.g. prefixed by "data" and I tried --all-namespaces in case it was something else with "namespace"