Ad hoc evaluation of input given a policy

[firstdorsal]

Hi!
I want to give the OPA REST API a policy:

package play
import future.keywords.in

default domain = false
default apiMethods = false
default rrTypes = false
default valuePatterns = false


domain {
    startswith(input.domain,"_acme-challenge.")
    endswith(input.domain,".")
}

apiMethods {
    input.apiMethods in ["set","get","delete"]
}

rrTypes {
    input.rrTypes in ["TXT"]
}

valuePatterns {
    true
}

and a query:

{
        "domain": "_acme-challenge.y.gy.",
        "apiMethods": "set",
        "rrTypes": "TXT",
        "valuePatterns": "any"
}

and want it to evaluate the input based on the policy like it can be seen on the playground.
See the working playground example here: https://play.openpolicyagent.org/p/1jbVAVNrtu

I tried doing exactly that with the REST API like that:

curl http://[::]:8081/v1/query -X "POST" -v -H "Content-Type: application/json" \
--data-binary @- << EOF
{
  "query": "package play\nimport future.keywords.in\n\ndefault domain = false\ndefault apiMethods = false\ndefault rrTypes = false\ndefault valuePatterns = false\n\n\ndomain {\n    startswith(input.domain,\"_acme-challenge.\")\n    endswith(input.domain,\".\")\n}\n\napiMethods {\n    input.apiMethods in [\"set\",\"get\",\"delete\"]\n}\n\nrrTypes {\n    input.rrTypes in [\"TXT\"]\n}\n\nvaluePatterns {\n    true\n}",
  "input": {
    "domain":"_acme-challenge.y.gy.",
    "apiMethods":"set",
    "rrTypes":"TXT",
    "valuePatterns": "any"
  }
}
EOF

with the response:

{
  "code": "internal_error",
  "message": "expected body but got *ast.Package"
}

I figured out that it is possibly only evaluating single lines, but this is not pointed out in the documentation.

I looked at playgrounds HTTP request, but I think these are doing something else in the backend than the standard REST API because I couldn't reproduce these either.

Is it possible to do what I want with one request?
Would I have to send multiple requests? (Create policy, send query, delete policy)

Am I missing something?

Thank you!

[firstdorsal]

this is my solution for now:

it took forever to find out how it works... the documentation is everything but not helpful :(

via the cli

opa eval --data acme.rego --input input.json data.system

via rest api:

curl http://[::]:8081/v1/policies/x -X "PUT" -v -H "Content-Type: text/plain" --data-binary @acme.rego

curl http://[::]:8081/ -X "POST" -v -H "Content-Type: application/json" --data-binary @input.json

for the files:
acme.rego

Note that naming the package is done in the rego file! Here: system.main
When then contacting the root url: http://[::]:8081/ it queries the package system.main per default

package system.main
import future.keywords.in

default domain = false
default apiMethods = false
default rrTypes = false
default valuePatterns = false


domain {
    startswith(input.domain,"_acme-challenge.")
    endswith(input.domain,".")
}

apiMethods {
    input.apiMethods in ["set","get","delete"]
}

rrTypes {
    input.rrTypes in ["TXT"]
}

valuePatterns {
    true
}

and
input.json

{
    "domain": "_acme-challenge.y.gy.",
    "apiMethods": "set",
    "rrTypes": "TXT",
    "valuePatterns": "any"
}

[challarao]

Hey @firstdorsal, I'm looking out for clearing similar confusion. In your post, you mentioned about root URL querying system.main.

Note that naming the package is done in the rego file! Here: system.main
When then contacting the root url: http://[::]:8081/ it queries the package system.main per default

How to query non system.main package(like play package)? Does it accept any params or is the Data API only way to do that for non system packages?

[firstdorsal]

I would love to help but I am not using OPA anymore and have no good understanding of it.

[challarao]

@anderseknert any thoughts?

[anderseknert]

You can query any package and rule from the system.main package. See this blog for some ideas on how you could do that.

[anderseknert]

You'll want to query the data API. Given you original policy:

package play

import future.keywords.in

# ...

You'd then query OPA at the /v1/data/play endpoint (matching the package name in this case, though you could also query an individual rule as well, like /v1/data/play/domain):

curl http://localhost:8081/v1/data -d"@input.json"

The HTTP API docs provide a pretty good guide to running and querying OPA in a scenario like this.

[firstdorsal]

Thank you for the quick response!

Yes doing it in two request is stated but why isnt it possible to send this policy as adhoc query?
with package system.main or any package it throws:

{
  "code": "internal_error",
  "message": "expected body but got *ast.Package"
}

and when removing the package it throws

{
  "code": "internal_error",
  "message": "expected body but got *ast.Import"
}

It seems to only evaluate single statements and (i think) this is not sufficiently stated in the documentation.
I would expect an ad hoc evaluation to take my policy and my input to return an answer.

[anderseknert]

Ah, OK! I wasn't sure the single request was what you meant by ad hoc, but that makes sense. No, you currently can't upload a policy and have it evaluated within a single request. If you'd want to develop something like the Rego Playground you'd currently need to use the OPA Go API for that.

[firstdorsal]

It would be awesome to have that as a feature at some point :D
Thank you very much and keep up the great work!

[firstdorsal]

Would it be possible to get an open source version of the rego playground?

[anderseknert]

I'm not aware of any plans to open source the Rego playground, I'm afraid.