feat: Add bearer token support and trust self-signed CA for HTTPS in …

…OPA (#255) - Added functionality to pass a bearer token during OPA connections. - Registered the self-signed CA used to sign the OPA server certificate as a trusted CA, enabling HTTPS connections. Signed-off-by: Benjamin <[email protected]>
open-policy-agent · Jul 25, 2024 · b3e3986 · b3e3986
1 parent b8ec9ba
commit b3e3986
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 23 deletions.
diff --git a/opa-iptables/go.mod b/opa-iptables/go.mod
@@ -3,7 +3,7 @@ module github.com/open-policy-agent/contrib/opa-iptables
 go 1.12
 
 require (
-	github.com/coreos/go-iptables v0.4.1
+	github.com/coreos/go-iptables v0.7.0
 	github.com/gorilla/mux v1.7.3
 	github.com/mattn/go-shellwords v1.0.5
 	github.com/sirupsen/logrus v1.4.2

diff --git a/opa-iptables/go.sum b/opa-iptables/go.sum
@@ -1,5 +1,5 @@
-github.com/coreos/go-iptables v0.4.1 h1:TyEMaK2xD/EcB0385QcvX/OvI2XI7s4SJEI2EhZFfEU=
-github.com/coreos/go-iptables v0.4.1/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
+github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
+github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=

diff --git a/opa-iptables/main.go b/opa-iptables/main.go
@@ -16,6 +16,8 @@ import (
 
 func main() {
 	opaEndpoint := flag.String("opa-endpoint", "http://127.0.0.1:8181", "endpoint of opa in form of http://ip:port i.e. http://192.33.0.1:8181")
+	opaAuthorization := flag.String("opa-authorization", "", "Bearer token for OPA authorization")
+	opaTrustedCAFile := flag.String("opa-trusted-cafile", "", "File path to the OPA trusted CA certificate")
 	controllerAddr := flag.String("controller-host", "0.0.0.0", "controller host")
 	// setting default port value to some high port to prevent accidentally block this port in IPTable rules
 	controllerPort := flag.String("controller-port", "33455", "controller port on which it listen on")
@@ -57,12 +59,14 @@ func main() {
 	}
 
 	controllerConfig := controller.Config{
-		OpaEndpoint:     *opaEndpoint,
-		ControllerAddr:  *controllerAddr,
-		ControllerPort:  *controllerPort,
-		WatcherInterval: *watcherInterval,
-		WatcherFlag:     *watcherFlag,
-		WorkerCount:     *workerCount,
+		OpaEndpoint:      *opaEndpoint,
+		ControllerAddr:   *controllerAddr,
+		ControllerPort:   *controllerPort,
+		WatcherInterval:  *watcherInterval,
+		WatcherFlag:      *watcherFlag,
+		WorkerCount:      *workerCount,
+		OpaAuthorization: *opaAuthorization,
+		OpaTrustedCAFile: *opaTrustedCAFile,
 	}
 
 	logger.WithFields(logrus.Fields{

diff --git a/opa-iptables/pkg/controller/controller.go b/opa-iptables/pkg/controller/controller.go
@@ -17,15 +17,15 @@ func New(config Config) *Controller {
 	return &Controller{
 		logger:     logging.GetLogger(),
 		listenAddr: config.ControllerAddr + ":" + config.ControllerPort,
-		opaClient:  opa.New(config.OpaEndpoint, ""),
+		opaClient:  opa.New(config.OpaEndpoint, config.OpaAuthorization, config.OpaTrustedCAFile),
 		w: &watcher{
 			watcherInterval: config.WatcherInterval,
 			watcherState:    make(map[string]*state),
 			watcherDoneCh:   make(chan struct{}, 1),
 			logger:          logging.GetLogger(),
 		},
 		watcherWorkerCount: config.WorkerCount,
-		watcher:        config.WatcherFlag,
+		watcher:            config.WatcherFlag,
 	}
 }
 

diff --git a/opa-iptables/pkg/controller/types.go b/opa-iptables/pkg/controller/types.go
@@ -10,12 +10,14 @@ import (
 )
 
 type Config struct {
-	OpaEndpoint     string
-	ControllerAddr  string
-	ControllerPort  string
-	WatcherInterval time.Duration
-	WatcherFlag     bool
-	WorkerCount     int
+	OpaEndpoint      string
+	OpaAuthorization string
+	OpaTrustedCAFile string
+	ControllerAddr   string
+	ControllerPort   string
+	WatcherInterval  time.Duration
+	WatcherFlag      bool
+	WorkerCount      int
 }
 
 // Controller is a struct which is used for storing server related data.

diff --git a/opa-iptables/pkg/opa/opa.go b/opa-iptables/pkg/opa/opa.go
@@ -2,10 +2,14 @@ package opa
 
 import (
 	"bytes"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"log"
 	"net/http"
+	"os"
 	"time"
 )
 
@@ -35,7 +39,7 @@ type Query interface {
 
 type Data interface {
 	PutData(path string, data []byte) error
-	GetData(path string) ([]byte,error)
+	GetData(path string) ([]byte, error)
 	DeleteData(path string) error
 }
 
@@ -45,13 +49,43 @@ type opaClient struct {
 	client         *http.Client
 }
 
-func New(opaEndpoint string, auth string) Client {
+func New(opaEndpoint string, auth string, opaTrustedCAFile string) Client {
 	client := &http.Client{
 		Timeout: 10 * time.Second,
 	}
+	if opaTrustedCAFile != "" {
+		if _, err := os.Stat(opaTrustedCAFile); err == nil {
+			tlsConfig, err := createTLSConfig(opaTrustedCAFile)
+			if err != nil {
+				log.Fatalf("Failed to create TLS config: %v", err)
+			}
+			client.Transport = &http.Transport{
+				TLSClientConfig: tlsConfig,
+			}
+		} else if !os.IsNotExist(err) {
+			log.Fatalf("Failed to check CA file: %v", err)
+		}
+	}
 	return &opaClient{opaEndpoint, auth, client}
 }
 
+func createTLSConfig(opaTrustedCAFile string) (*tls.Config, error) {
+	systemCertPool, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, fmt.Errorf("failed to load system cert pool: %v", err)
+	}
+	rootCA, err := ioutil.ReadFile(opaTrustedCAFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read root CA certificate: %v", err)
+	}
+	if ok := systemCertPool.AppendCertsFromPEM(rootCA); !ok {
+		return nil, fmt.Errorf("failed to append root CA certificate")
+	}
+	return &tls.Config{
+		RootCAs: systemCertPool,
+	}, nil
+}
+
 func (c *opaClient) DoQuery(path string, input interface{}) (data []byte, err error) {
 	url := c.opaEndpoint + fmt.Sprintf(documentEndpointFmt, path)
 	d, ok := input.([]byte)
@@ -67,18 +101,18 @@ func (c *opaClient) DoQuery(path string, input interface{}) (data []byte, err er
 
 func (c *opaClient) PutData(path string, data []byte) error {
 	url := c.opaEndpoint + fmt.Sprintf(documentEndpointFmt, path)
-	_,err := c.do(http.MethodPut, url, data)
+	_, err := c.do(http.MethodPut, url, data)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 
-func (c *opaClient) GetData(path string) ([]byte,error) {
+func (c *opaClient) GetData(path string) ([]byte, error) {
 	url := c.opaEndpoint + fmt.Sprintf(documentEndpointFmt, path)
-	res,err := c.do(http.MethodGet, url, nil)
+	res, err := c.do(http.MethodGet, url, nil)
 	if err != nil {
-		return nil,err
+		return nil, err
 	}
 	return res, nil
 }