update opa learn things

Signed-off-by: ivan katliarchuk <[email protected]>

Author: ivankatliarchuk

README.md

@@ -10,6 +10,7 @@
 - [Opa: 101](https://www.permit.io/blog/load-external-data-into-opa)
 - [Rego Cool blog](https://www.styra.com/blog/how-to-express-or-in-rego/)
 - [Rego Style guide](https://docs.styra.com/opa/rego-style-guide)
+- [Opa Cheat Sheet](https://docs.styra.com/opa/rego-cheat-sheet)
 
 ## Example Repositories
 

playground/ex30/policy.rego

@@ -0,0 +1,87 @@
+# https://github.com/open-policy-agent/opa/issues/2755
+
+default jwt_exists = false
+jwt_exists {
+  count(jwt_exists_a) > 0
+}
+jwt_exists_a[r] {
+  regex.match(`^[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*$`, sso_jwt)
+  r := "input.sso_jwt contains a syntactically valid jwt"
+}
+jwt_exists_d[r] {
+  not jwt_exists
+  r := "input.sso_jwt did not contain a syntactically valid jwt"
+}
+
+# Decode the jwt contained in input.sso_jwt
+default jwt = null
+jwt = t {
+  jwt_exists
+  [_, payload, _] = io.jwt.decode(sso_jwt)
+  t := {
+    "payload": payload
+  }
+}
+
+# check if the jwt is signed
+default jwt_is_signed = false
+jwt_is_signed {
+  count(jwt_is_signed_a) > 0
+}
+jwt_is_signed_a[r] {
+  jwt_exists
+  custom_builtin_verify_jwt(api_host, sso_jwt)
+  r := {"input.sso_jwt is signed"} | jwt_exists_a
+}
+jwt_is_signed_d[r] {
+  not jwt_is_signed
+  r := {"input.sso_jwt is not signed"} | jwt_exists_d
+}
+
+# get employee information in the jwt payload
+default employee = null
+employee = e {
+  count(employee_a) > 0
+  e := {
+    "username": jwt.payload.username
+  }
+}
+employee_a[r] {
+  jwt_is_signed
+  jwt_has_expected_prop_2
+  jwt_has_expected_prop_3
+  r := {"jwt represents an employee"} | jwt_is_signed_a | jwt_has_expected_prop_2_a | jwt_has_expected_prop_3_a
+}
+employee_d[r] {
+  is_null(employee)
+  r := {"jwt does not represent an employee"} | jwt_is_signed_d | jwt_has_expected_prop_2_d | jwt_has_expected_prop_3_d
+}
+
+# check if the jwt has not exceeded its ttl
+default jwt_is_fresh = false
+jwt_is_fresh {
+  count(jwt_is_fresh_a) > 0
+}
+jwt_is_fresh_a[r] {
+  (round(time.now_ns() / 1e9) - jwt.payload.iat) < max_ttl
+  r := "jwt is fresh"
+}
+jwt_is_fresh_d[r] {
+  not jwt_is_fresh
+  r := "jwt is not fresh"
+}
+
+# can we do a thing
+default can_do_thing = false
+can_do_thing {
+  count(can_do_thing_a) > 0
+}
+can_do_thing_a[r] {
+  not is_null(employee)
+  jwt_is_fresh
+  r := employee_a | jwt_is_fresh_a
+}
+can_do_thing_d[r] {
+  not can_do_thing
+  r := employee_d | jwt_is_fresh_d
+}

playground/ex31/policy.rego

@@ -0,0 +1,68 @@
+# METADATA
+# title: My Example Package
+# description: A set of rules illustrating how metadata annotations can be merged.
+# authors:
+# - John Doe <[email protected]>
+# organizations:
+# - Acme Corp.
+package example
+
+# https://www.openpolicyagent.org/docs/latest/policy-reference/
+# opa eval --data playground/ex31 --format pretty 'data.example.allow'
+
+# METADATA
+# scope: document
+# description: A rule that merges metadata annotations in various ways.
+
+# METADATA
+# title: My Allow Rule
+# authors:
+# - Jane Doe <[email protected]>
+allow if {
+	meta := merge(rego.metadata.chain())
+	meta.title == "My Allow Rule" # 'title' pulled from 'rule' scope
+	meta.description == "A rule that merges metadata annotations in various ways." # 'description' pulled from 'document' scope
+	meta.authors == {
+		{"email": "[email protected]", "name": "Jane Doe"}, # 'authors' joined from 'package' and 'rule' scopes
+		{"email": "[email protected]", "name": "John Doe"},
+	}
+	meta.organizations == {"Acme Corp."} # 'organizations' pulled from 'package' scope
+}
+
+allow if {
+	meta := merge(rego.metadata.chain())
+	meta.title == null # No 'title' present in 'rule' or 'document' scopes
+	meta.description == "A rule that merges metadata annotations in various ways." # 'description' pulled from 'document' scope
+	meta.authors == { # 'authors' pulled from 'package' scope
+		{"email": "[email protected]", "name": "John Doe"}
+	}
+	meta.organizations == {"Acme Corp."} # 'organizations' pulled from 'package' scope
+}
+
+merge(chain) := meta if {
+    print(chain)
+    output := opa.runtime()
+    print("output:", output)
+	ruleAndDoc := ["rule", "document"]
+	meta := {
+		"title": override_annot(chain, "title", ruleAndDoc), # looks for 'title' in 'rule' scope, then 'document' scope
+		"description": override_annot(chain, "description", ruleAndDoc), # looks for 'description' in 'rule' scope, then 'document' scope
+		"related_resources": override_annot(chain, "related_resources", ruleAndDoc), # looks for 'related_resources' in 'rule' scope, then 'document' scope
+		"authors": merge_annot(chain, "authors"), # merges all 'authors' across all scopes
+		"organizations": merge_annot(chain, "organizations"), # merges all 'organizations' across all scopes
+	}
+}
+
+override_annot(chain, name, scopes) := val if {
+	val := [v |
+		link := chain[_]
+		link.annotations.scope in scopes
+		v := link.annotations[name]
+	][0]
+} else := null
+
+merge_annot(chain, name) := val if {
+	val := {v |
+		v := chain[_].annotations[name][_]
+	}
+} else := null

playground/ex32/policy.rego

@@ -0,0 +1,25 @@
+package example
+
+# https://www.openpolicyagent.org/docs/latest/policy-reference/
+# opa eval --data playground/ex32 --format pretty 'data.example.deny'
+
+# METADATA
+# title: Deny invalid numbers
+# description: Numbers may not be higher than 5
+# custom:
+#  severity: MEDIUM
+deny contains format(rego.metadata.rule()) if {
+    print(rego.metadata.rule())
+        input.number > 5
+}
+
+# METADATA
+# title: Deny non-admin subjects
+# description: Subject must have the 'admin' role
+# custom:
+#  severity: HIGH
+deny contains format(rego.metadata.rule()) if {
+        input.subject.role != "admin"
+}
+
+format(meta) := {"severity": meta.custom.severity, "reason": meta.description}