Open Policy Agent engine evaluation per tenant #170
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wcalderipe
commented
Mar 19, 2024
| transactionRequest?: TransactionRequest | ||
| principal: CredentialEntity | ||
| resource?: { uid: string } | ||
| approvals: CredentialEntity[] |
There was a problem hiding this comment.
@samteb why are the approvals always required? Is it because the principal always approves the request, so it'll always have at least one?
There was a problem hiding this comment.
I feel we have a misaligned somewhere because the Evaluation Request specifies the approvals as optional.
export type EvaluationRequest = {
authentication: JwtString
request: Request
approvals?: JwtString[]
transfers?: HistoricalTransfer[]
prices?: Prices
feeds?: Feed<unknown>[]
}Original commit: 33ae82c
It was moved to Open Policy Agent module.
wcalderipe
changed the title
Check encryption configuration at the bootstrap.
wcalderipe
force-pushed
the
feature/policy-dataset-compilation
branch
from
4dad927 to
9fbfc98
Compare
mattschoch
pushed a commit
that referenced
this pull request
Jun 19, 2024
Note: - Engine signing is currently a proof of concept. It's unclear how it will evolve with remote signing, so I'd rather not modify it at this point. - Building OPA targeting WASM involves a process with many steps that interact with the OS and its file system. The current implementation addresses the happy path and a few obvious errors. Therefore, error handling for edge cases is not yet implemented, and I expect these to be addressed as we encounter issues in the building process. - The whole implementation is in a single place (see `wasm-build.util.ts`). Changelog: - Added a core Engine interface along with an Open Policy Agent implementation of it, effectively hiding OPA as an implementation detail. Everything outside the `apps/policy-engine/src/open-policy-agent` directory SHOULD NOT have knowledge of OPA and Rego. - Added temporary code in the BootstrapService to add a development tenant pointing to the devtool stores. - Added a `resource` directory for the server to access files from the disk. - Added a `RESOURCE_PATH` environment variable because we can't depend on `__dirname` to resolve the path. Its value changes based on how the application is built. With webpack, it minimizes, and `__dirname` always points to the lowest level of the directory tree. By contrast, in tests, the directory tree is preserved because files are transformed on the fly. - Added the resource directory as a NestJS assets directory in `project.json`. - Changed the Rego core directory to `apps/policy-engine/src/resource`. - Removed most of the legacy OPA code. - Changed the tenant module location to the engine module due to numerous circular dependency issues in the DI container. - Note: it felt like a good example of unclear module boundaries, and I'd rather roll it back and see how it evolves than trying to address problems we SHOULD NOT have. Co-authored-by: samuel <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note
wasm-build.util.ts).Changelog
apps/policy-engine/src/open-policy-agentdirectory SHOULD NOT have knowledge of OPA and Rego.resourcedirectory for the server to access files from the disk.RESOURCE_PATHenvironment variable because we can't depend on__dirnameto resolve the path. Its value changes based on how the application is built. With webpack, it minimizes, and__dirnamealways points to the lowest level of the directory tree. By contrast, in tests, the directory tree is preserved because files are transformed on the fly.project.json.apps/policy-engine/src/resource.