ACC-2351 Update OPA version and add test for abac policy

thijslemmens · thijslemmens · commit 2a6b0dfe5f2f · 2025-10-16T16:44:00.000+02:00
diff --git a/opa-async-java-client/src/test/java/com/contentgrid/opa/client/OpaClientIntegrationTests.java b/opa-async-java-client/src/test/java/com/contentgrid/opa/client/OpaClientIntegrationTests.java
@@ -40,12 +40,12 @@
 @Testcontainers
 class OpaClientIntegrationTests {
 
-    private static final DockerImageName OPA_IMAGE = DockerImageName.parse("openpolicyagent/opa:0.70.0");
+    private static final DockerImageName OPA_IMAGE = DockerImageName.parse("openpolicyagent/opa:1.9.0");
     private static final int OPA_EXPOSED_PORT = 8181;
 
     @Container
     private static final GenericContainer<?> opaContainer = new GenericContainer<>(OPA_IMAGE)
-            .withCommand(String.format("run --server --addr :%d", OPA_EXPOSED_PORT))
+            .withCommand(String.format("run --server --addr :%d --v0-compatible", OPA_EXPOSED_PORT))
             .withExposedPorts(OPA_EXPOSED_PORT)
             .waitingFor(Wait.forHttp("/"));
 
@@ -284,6 +284,54 @@ void compileExample() {
                             })));
         }
 
+        @Test
+        void abacExample() {
+            opaClient.upsertPolicy("abac-example", loadResourceAsString("fixtures/openpolicyagent.org/docs/compile/abac-policy.txt")).join();
+
+            var request = new PartialEvaluationRequest(
+                    "data.abac.example.allow == true",
+                    Map.of("request",
+                            Map.of("headers", Map.of("content-type", "application/json"),
+                                    "method", "GET",
+                                    "path", List.of("tests")
+                            ),
+                            "auth", Map.of(
+                                    "authenticated", true,
+                                    "principal", Map.of(
+                                            "kind", "user",
+                                            "contentgrid:att1", List.of("att1v1", "att1v2"),
+                                            "contentgrid:att2", List.of("att2v1", "att2v2")
+                                    )
+                            )
+                    ), List.of("input.entity"));
+
+            var result = opaClient.compile(request).join();
+            assertThat(result).isNotNull();
+            assertThat(result.getResult()).isNotNull();
+
+            assertThat(result.getResult().getQueries())
+                    .isNotNull()
+                    // 4 queries are generated, because there are 4 combinations of the 2 attributes in the policy
+                    .hasSize(4)
+                    .allSatisfy(
+                            query -> assertThat(query)
+                                    // There are 2 expressions per query, one for every user attribute in the policy
+                                    .hasSize(2)
+                                    .allSatisfy(expr -> {
+                                        // each expression has 3 terms (the 'eq' operator, the attribute value and the input value)
+                                        assertThat(expr.getTerms()).hasSize(3);
+                                        assertThat(expr.getTerms()).anySatisfy(
+                                                term ->  {
+                                                    assertThat(term.getClass()).isEqualTo(Ref.class);
+                                                    var ref = (Ref) term;
+                                                    assertThat(ref.getValue()).singleElement().satisfies(
+                                                            t -> assertThat(t.toString()).isEqualTo("eq")
+                                                    );
+                                                }
+                                        );
+                                    }));
+        }
+
         @Test
         void example_alwaysTrue() {
             opaClient.upsertPolicy("compile-example", loadResourceAsString(POLICY_PATH)).join();
diff --git a/opa-async-java-client/src/test/resources/fixtures/openpolicyagent.org/docs/compile/abac-policy.txt b/opa-async-java-client/src/test/resources/fixtures/openpolicyagent.org/docs/compile/abac-policy.txt
@@ -0,0 +1,61 @@
+package abac.example
+
+util.extract_content_type(header) := content_type {
+	mime_type := trim_space(split(header, ";")[0])
+	content_type := lower(mime_type)
+}
+default util.content_type_in(headers, accepted_content_types) := false
+
+util.content_type_in(headers, accepted_content_types) {
+	count(headers) == 1
+	extracted_mime_type := util.extract_content_type(headers[0])
+	extracted_mime_type == accepted_content_types[_]
+}
+default util.request.content_type_in(content_types) := false
+
+util.request.content_type_in(content_types) {
+	util.content_type_in(input.request.headers["content-type"], content_types)
+}
+default can_read_test := false
+
+# - input.entity is type 'test'
+can_read_test {
+	input.auth.authenticated == true
+	input.auth.principal.kind == "user"
+	input.entity.a == input.auth.principal["contentgrid:att1"][_]
+	input.entity.b == input.auth.principal["contentgrid:att2"][_]
+}
+
+# End policy bprnvz6ldw4q
+# Policy nfgusztjwpba
+# - input.entity is type 'test'
+can_read_test {
+	input.auth.authenticated == true
+	input.auth.principal.kind == "user"
+	input.auth.principal["contentgrid:admin"] == true
+}
+
+# End policy nfgusztjwpba
+default allow := false
+
+# Static definition Application Root
+allow {
+	input.request.method == ["HEAD", "GET"][_]
+	# Path /
+	count(input.request.path) == 0
+}
+allow {
+	input.request.method == ["HEAD", "GET"][_]
+	# Path /tests
+	count(input.request.path) == 1
+	input.request.path[0] == "tests"
+	can_read_test == true
+}
+allow {
+	input.request.method == ["HEAD", "GET"][_]
+	# Path /tests/{id}
+	count(input.request.path) == 2
+	input.request.path[0] == "tests"
+	# variable component {id}
+	can_read_test == true
+}
