SwanseaUniversityMedical · John-Vaughan · May 21, 2024 · May 21, 2024
@@ -0,0 +1,17 @@
+version: "3.9"
+services:
+  opaservice:
+    container_name: opa_tests
+    image: openpolicyagent/opa:latest
+    ports:
+      - 9090:8181 
+    command:
+      - "test"
+      - "testting" 
+      - "-v"
+    volumes:
+      - ./opa/config.yaml:/config.yaml
+      - ./opa/log.properties:/etc/log.properties
+      - ./rego:/testting
+
+
@@ -0,0 +1,13 @@
+services:
+  acmecorp:
+    url: https://host.docker.internal:7157/api/OPA/BundleGetv2
+    allow_insecure_tls : true
+
+bundles:
+  authz:
+    service: acmecorp
+    resource: somedir/bundle.tar.gz
+    persist: true
+    polling:
+      min_delay_seconds: 60
+      max_delay_seconds: 120
@@ -0,0 +1 @@
+io.trino=DEBUG
@@ -0,0 +1,35 @@
+package policy
+
+import rego.v1
+
+default allow := false
+
+#allow all highest level access
+allow if {
+	input.action.operation == "ExecuteQuery"
+}
+
+#allow catalog - only iceberg
+allow if {
+	input.action.operation == "AccessCatalog"
+	input.action.resource.catalog.name == "iceberg"
+}
+
+allow if {
+	input.action.operation == "SelectFromColumns"
+	user_in_correct_group
+}
+
+default user_roles := false
+
+groups_for_object contains group if {
+	some i
+	data.Perms[i].Project == input.action.resource.table.schemaName
+	group := data.Perms[i].Group
+}
+
+user_in_correct_group if {
+	some i, j
+	data.GroupMembers[i].Username == input.context.identity.user
+	data.GroupMembers[i].Group = groups_for_object[j]
+}
@@ -0,0 +1,107 @@
+package policy
+
+data = {
+    "Perms": [{
+            "Project": "sail0675v",
+            "Group": "SAIL_0675_Developer",
+            "PermType": "rw",
+            "Object": ""
+        }
+    ],
+    "GroupMembers": [{
+            "Group": "SAIL_0675_Developer",
+            "Username": "rawlinga"
+        }
+    ]
+}
+
+
+intput = {
+        "context": {
+            "identity": {
+                "user": "rawlinga",
+                "groups": []
+            },
+            "softwareStack": {
+                "trinoVersion": "444"
+            }
+        },
+        "action": {
+            "operation": "SelectFromColumns",
+            "resource": {
+                "table": {
+                    "catalogName": "postgresql",
+                    "schemaName": "sail0675v",
+                    "tableName": "cool",
+                    "columns": ["aaaaaa", "id"]
+                }
+            }
+        }
+    }
+
+test_Default {
+  allow 
+  with input as intput
+  with data as data
+}
+
+
+intput2 = {
+        "context": {
+            "identity": {
+                "user": "rawlinga",
+                "groups": []
+            },
+            "softwareStack": {
+                "trinoVersion": "444"
+            }
+        },
+        "action": {
+            "operation": "SelectFromColumns",
+            "resource": {
+                "table": {
+                    "catalogName": "postgresql",
+                    "schemaName": "nottheOne",
+                    "tableName": "cool",
+                    "columns": ["aaaaaa", "id"]
+                }
+            }
+        }
+    }
+
+test_schemaName_diff {
+  not allow 
+  with input as intput2
+  with data as data
+}
+
+
+
+intpu3 = {
+        "context": {
+            "identity": {
+                "user": "bob",
+                "groups": []
+            },
+            "softwareStack": {
+                "trinoVersion": "444"
+            }
+        },
+        "action": {
+            "operation": "SelectFromColumns",
+            "resource": {
+                "table": {
+                    "catalogName": "postgresql",
+                    "schemaName": "sail0675v",
+                    "tableName": "cool",
+                    "columns": ["aaaaaa", "id"]
+                }
+            }
+        }
+    }
+
+test_user_not_in {
+  not allow 
+  with input as intpu3
+  with data as data
+}
@@ -0,0 +1,14 @@
+{
+    "Perms": [{
+            "Project": "sail0675v",
+            "Group": "SAIL_0675_Developer",
+            "PermType": "rw",
+            "Object": ""
+        }
+    ],
+    "GroupMembers": [{
+            "Group": "SAIL_0675_Developer",
+            "Username": "rawlinga"
+        }
+    ]
+}
@@ -0,0 +1 @@
+docker-compose up