Package io.github.open_policy_agent.opa.springboot

Class OPAAuthorizationManager

java.lang.Object

io.github.open_policy_agent.opa.springboot.OPAAuthorizationManager

All Implemented Interfaces:

AuthorizationManager<RequestAuthorizationContext>

@Component
public class OPAAuthorizationManager
extends Object
implements AuthorizationManager<RequestAuthorizationContext>

This class implements AuthorizationManager which wraps the OPA Java SDK. Authorization will be done in authorize(Supplier, RequestAuthorizationContext) and verify(Supplier, RequestAuthorizationContext) by:

1. constructing an input (map) based on Authentication and RequestAuthorizationContext
2. sending an HTTP request with the input as the request body to the OPA server
3. receiving the output as an OPAResponse and using it for authorization

OPA input (request body) and response are compliant with the AuthZEN spec.

Constructor Summary

Constructors

Constructor	Description
OPAAuthorizationManager()
OPAAuthorizationManager(@Nullable io.github.open_policy_agent.opa.OPAClient opaClient, @Nullable String opaPath, @Nullable ContextDataProvider contextDataProvider)	Instantiates an instance to authorizes requests.
OPAAuthorizationManager(io.github.open_policy_agent.opa.OPAClient opaClient)
OPAAuthorizationManager(io.github.open_policy_agent.opa.OPAClient opaClient, ContextDataProvider contextDataProvider)
OPAAuthorizationManager(io.github.open_policy_agent.opa.OPAClient opaClient, String opaPath)
OPAAuthorizationManager(String opaPath)
OPAAuthorizationManager(String opaPath, ContextDataProvider contextDataProvider)

Method Summary

Modifier and Type	Method	Description
AuthorizationDecision	authorize(Supplier<? extends Authentication> authenticationSupplier, @Nullable RequestAuthorizationContext object)
@Nullable OPAResponse	opaRequest(Supplier<? extends Authentication> authenticationSupplier, RequestAuthorizationContext object)	This method can be used to directly call OPA without generating an AuthorizationDecision, which can be used to examine the OPA response.
void	setOpaProperties(OPAProperties opaProperties)
void	setReasonKey(String reasonKey)	Changes the "preferred" key where the access decision reason should be searched for in the OPAResponse.
void	verify(Supplier<? extends Authentication> authenticationSupplier, @Nullable RequestAuthorizationContext object)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

OPAAuthorizationManager

public OPAAuthorizationManager()

OPAAuthorizationManager

public OPAAuthorizationManager(io.github.open_policy_agent.opa.OPAClient opaClient)

See Also:

• OPAAuthorizationManager(OPAClient, String, ContextDataProvider)

OPAAuthorizationManager

public OPAAuthorizationManager(String opaPath)

See Also:

• OPAAuthorizationManager(OPAClient, String, ContextDataProvider)

OPAAuthorizationManager

public OPAAuthorizationManager(io.github.open_policy_agent.opa.OPAClient opaClient,
 String opaPath)

See Also:

• OPAAuthorizationManager(OPAClient, String, ContextDataProvider)

OPAAuthorizationManager

public OPAAuthorizationManager(io.github.open_policy_agent.opa.OPAClient opaClient,
 ContextDataProvider contextDataProvider)

See Also:

• OPAAuthorizationManager(OPAClient, String, ContextDataProvider)

OPAAuthorizationManager

public OPAAuthorizationManager(String opaPath,
 ContextDataProvider contextDataProvider)

See Also:

• OPAAuthorizationManager(OPAClient, String, ContextDataProvider)

OPAAuthorizationManager

public OPAAuthorizationManager(@Nullable io.github.open_policy_agent.opa.OPAClient opaClient,
 @Nullable String opaPath,
 @Nullable ContextDataProvider contextDataProvider)

Instantiates an instance to authorizes requests.

Parameters:

opaClient - if null, a default OPAClient will be created using OPA_URL environment variable or default OPA url ("http://localhost:8181").

opaPath - if null, the default path defined by the OPA configuration will be used, unless an OPAPathSelector bean is defined.

contextDataProvider - helps providing additional context data in input.context.data.

Method Details

verify

public void verify(Supplier<? extends Authentication> authenticationSupplier,
 @Nullable RequestAuthorizationContext object)

Specified by:

verify in interface AuthorizationManager<RequestAuthorizationContext>

authorize

public AuthorizationDecision authorize(Supplier<? extends Authentication> authenticationSupplier,
 @Nullable RequestAuthorizationContext object)

Specified by:

authorize in interface AuthorizationManager<RequestAuthorizationContext>

opaRequest

public @Nullable OPAResponse opaRequest(Supplier<? extends Authentication> authenticationSupplier,
 RequestAuthorizationContext object)

This method can be used to directly call OPA without generating an AuthorizationDecision, which can be used to examine the OPA response. You should consider using the OPA Java SDK (which this library depends on) directly rather than using this method, as it should not be needed during normal use.

setOpaProperties

@Autowired
public void setOpaProperties(OPAProperties opaProperties)

setReasonKey

public void setReasonKey(String reasonKey)

Changes the "preferred" key where the access decision reason should be searched for in the OPAResponse. A default value of "en" is used. If the selected key is not present in the response, the key which sorts lexicographically first is used instead.