Flask extension to use OPA as a client
Project description
Flask-OPA
Simple to use Flask extension that lets you secure your projects with Open Policy Agent. It allows
- HTTP API Authorization
- Policy Enforcement Point (AOP using decorators on methods)
Quick start
Its recommended for you to try the app in the package examples
. Thanks to the Makefile
you can run the demo project
with the following command
make demo
How it works?
For a better understanding of what make demo
does and how you should setup flask_opa
in your project, follow the
next steps:
-
Run OPA in server mode
- Check the latest OPA release and download it.
- Put the binary file in the path of your system
- Allow its execution with something like
chmod 755 ./opa
- Run opa in server mode with the sample policies
opa run -s -w examples
-s
is to run it in server mode instead of opening the REPL-w
is for watching the changes of the data/policy files
-
Specify configuration variables
-
OPA_URL
url accessible in your running OPA server, used to evaluate your input. It includes the path of the policy, e.g.http://localhost:8181/v1/data/examples/allow
. -
OPA_SECURED
boolean to specify if OPA will be enabled to your application.
See more at the rest api reference
-
-
Bind the OPA class to your Flask application
Its easy to bind the Flask-OPA library to your application. Just follow the following steps:
-
Create the OPA instance
app = Flask(__name__) app.config.from_pyfile('app.cfg') opa = OPA(app, parse_input)
Lets see the parameters that we passed to the OPA class:
parse_input
(Required) contains a method that returns the input data json to be evaluated by the policy, e.g.:
{ "input": { "method": "GET", "path": ["data", "jon"], "user": "paul" } }
url
(Optional) to use an specific url instead of theOPA_URL
optionally specified in the app configuration.allow_function
(Optional) predicate that determinate if the response from OPA allows (True) or denies (False) the request
If you want enforce the OPA security in your application you can create the OPA instance like this:
opa = OPA.secure(app, parse_input, url="http://localhost:8181/v1/data/package_name/allow")
or
opa = OPA(app, parse_input, url="http://localhost:8181/v1/data/package_name/allow").secured()
otherwise OPA will enforce your security only if
OPA_SECURED
isTrue
.Specify the logging level to
DEBUG
if you want to get access to Flask-OPA logs of its operations usingapp.logger.setLevel(logging.DEBUG)
-
Run your Flask application.
Policy Enforcement point
One of the features this module provides is Policy Enforcement Point which basically allows you to ensure policies at any method of your application. For practical purposes, lets imagine a sample method that is in charge of logging content related to actions done by users. In this case we must create a different input functions that provide useful information for certain policies that will decide if a log should be sent or not to a remote server. Lets suppose that such logging method is something like:
def log_remotely(content):
# Imagine a code to log this remotely
app.logger.info("Logged remotely: %s", content)
to decorate it we will create a PEP decorator using our OPA
instance as a function (callable mode).
The parameters are pretty much the same as those used to secure the application. The resulting instance will decorate
our function of interest:
def validate_logging_input_function(*arg, **kwargs):
return {
"input": {
"user": request.headers.get("Authorization", ""),
"content": arg[0]
}
}
secure_logging = app.opa("Logging PEP", app.config["OPA_URL_LOGGING"], validate_logging_input_function)
@secure_logging
def log_remotely(content):
# Imagine a code to log content remotely
app.logger.info("Logged remotely: %s", content)
As you might have noticed, the only new thing we truly require for adding the PEP is a new input function. This
function can provide a more versatile input than the one used by the OPA
instance created for the whole app: in our
example it provides data related to the user request and data provided by the parameters of the decorated function as
well.
Read the examples README for more detailed information about how to run a demo.
Makefile
The Makefile contains multiple useful actions you might need. Check them with
make help
Status
Pre-release or Beta: The project has gone through multiple rounds of active development with a goal of reaching a stable release version, but is not there yet.
Path of Development: Active (October 31th 2018)
Author
Eliecer Hernandez Garbey
Links
- Main website: EliuX Overflow
- Twitter: @eliux_black
- LinkedIn: eliecer-hernández-garbey-16172686
License
This project is licensed under the MIT License - see the LICENSE.md file for details.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for Flask_OPA-0.6-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | e429a6aabc36d49ba77c81d6f010dff0658868923affefb60f2d640ae43b1a9e |
|
MD5 | 7e5ff633140f6c4bce4de853cb13a804 |
|
BLAKE2b-256 | e4dad554b49d30e144803aa68b23a0edd73044132e487593117ff8cf33ebf062 |