Skip to main content
Version: websocket_v1.x.x

Opafiber

Release Discord Test Security Linter

Open Policy Agent support for Fiber.

Note: Requires Go 1.19 and above

Install

go get -u github.com/gofiber/fiber/v2
go get -u github.com/gofiber/contrib/opafiber/v2

Signature

opafiber.New(config opafiber.Config) fiber.Handler

Config

PropertyTypeDescriptionDefault
RegoQuerystringRequired - Rego query-
RegoPolicyio.ReaderRequired - Rego policy-
IncludeQueryStringboolInclude query string as input to rego policyfalse
DeniedStatusCodeintHttp status code to return when policy denies request400
DeniedResponseMessagestringHttp response body text to return when policy denies request""
IncludeHeaders[]stringInclude headers as input to rego policy-
InputCreationMethodInputCreationFuncUse your own function to provide input for OPAfunc defaultInput(ctx *fiber.Ctx) (map[string]interface{}, error)

Types

type InputCreationFunc func(c *fiber.Ctx) (map[string]interface{}, error)

Usage

OPA Fiber middleware sends the following example data to the policy engine as input:

{
"method": "GET",
"path": "/somePath",
"query": {
"name": ["John Doe"]
},
"headers": {
"Accept": "application/json",
"Content-Type": "application/json"
}
}
package main

import (
"github.com/gofiber/fiber/v2"
"github.com/gofiber/contrib/opafiber/v2"
)

func main() {
app := fiber.New()
module := `
package example.authz

default allow := false

allow {
input.method == "GET"
}
`

cfg := opafiber.Config{
RegoQuery: "data.example.authz.allow",
RegoPolicy: bytes.NewBufferString(module),
IncludeQueryString: true,
DeniedStatusCode: fiber.StatusForbidden,
DeniedResponseMessage: "status forbidden",
IncludeHeaders: []string{"Authorization"},
InputCreationMethod: func (ctx *fiber.Ctx) (map[string]interface{}, error) {
return map[string]interface{}{
"method": ctx.Method(),
"path": ctx.Path(),
}, nil
},
}
app.Use(opafiber.New(cfg))

app.Get("/", func(ctx *fiber.Ctx) error {
return ctx.SendStatus(200)
})

app.Listen(":8080")
}