hexa-org / policy-mapper Goto Github PK

Unlike projectid in AWS providers or GCP provider, projectid is never actually used. Instead the platform project is wrapped up in the bundle url and the access token.

This is important to simplify and avoid confusion.

When using the Hexa CLI and using the OPA HTTP provider. The client actually tries to get policy from the Server URL root rather than <server-rood>/bundles/bundle.tar.gz

The orchestrator "democonfig" service is an implementation of a bundle server that can be used for testing.

This would be moved over to the "examples" directory of policy-mapper to let evaluators set up and run a bundle server and OPA server.

Adding documentation for Azure test harness

The OPA Provider Get Policies function is expecting OPA Bundle server to respond with a file structure of
/bundle/

Instead the current testBundleServer is returning
/default/bundle/

This causes an unexpected file not found error

Adding documentation for the AWS Cognito provider

For some reason, the default policy generated by AVP often includes a when { true }; clause

permit(
  principal,
  action in [hexa_avp::Action::"ReadAccount",hexa_avp::Action::"Transfer",hexa_avp::Action::"Deposit",hexa_avp::Action::"Withdrawl"],
  resource
) when {
  true
};

The above when clause should be converted or just ignored.

This adds support for Scopes which are obligations returned to a PEP. For example a SQL Filter, or IDQL Filter, or a set of attributes or columns allowed to be returned.

Use cases:

• SQL Servers (filters expressed as WHERE clauses)
• SCIM (use IDQL Filter expressions)
• LDAP (can convert IDQL filter to LDAP filter)

Discovered there were some migration issues between old and new policy formats.

Json attributes should all be lower initial case

Adding documentation for the Azure common provider information

Adding documentation for the main models directory

Current Policy-OPA project is using a version of IDQL that has Policy.ID. This has been moved to meta.policyId.

Because of the way the OPA Rego interpreter works, each IDQL policy installed needs to have an identifier.

See: Policy-OPA Issue#2.

Adding documentation for the AWS common provider info

Occasionally for testing purposes and other integration work there is the need to initialize a custom HTTP Client when calling cloud APIs. For example, the custom client can mock the remote server and its responses.

This is currently implemented inside many of Hexa Providers but is not yet exposed through the SDK interface.

This is to publish hexaOpa image so that IDQL enhanced OPA can be easily deployed with docker-compose and on cloud platforms.

At present bundle updates via HTTP can only be done anonymously.

For some reason when kong type=existingfile is used, the value is kept blank after the first use (good or bad).

Remove use of existingfile for now.

Add support for using authorization header values in addition to mutual TLS.

This is needed for AuthZen server.

Currently generates an error when parsing:

permit(
    principal == ?principal,
    action in [hexa_avp::Action::"ReadAccount"],
    resource == ?resource
);

? is unexpected

Adding documentation for the Azure AD provider

Adding documentation for the SDK example

Current OPA provider is downgrading to an old version of IDQL. Should be end-to-end IDQL 0.6

Finalize OPA and integrate with Hexa console

Provide a little more context as to the type of resource. E.g. iap_proxy:backend:xyz