OPA executable path (#680)

* packages/opal-client/opal_client/callbacks * based off review * doc * formatted * .. * Fix EOF newline * Fix EOF newline
permitio · Nov 17, 2024 · 3409036 · 3409036
1 parent 1b7c048
commit 3409036
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 3 deletions.
diff --git a/documentation/docs/getting-started/configuration.mdx b/documentation/docs/getting-started/configuration.mdx
@@ -40,7 +40,8 @@ Please use this table as a reference.
 | AUTH_PUBLIC_KEY                         |                                                                                                                                                                                 |         |
 | AUTH_JWT_ALGORITHM                      | JWT algorithm. See possible values [here](https://pyjwt.readthedocs.io/en/stable/algorithms.html).                                                                              |         |
 | AUTH_JWT_AUDIENCE                       |                                                                                                                                                                                 |         |
-| AUTH_JWT_ISSUER                         |
+| AUTH_JWT_ISSUER                         |                                                                                                                                                                                 |                           |
+| INLINE_OPA_EXECUTABLE_PATH              | Path to the OPA executable. If not specified, defaults to "opa", assuming the OPA executable is in the system PATH.                                                             | /usr/local/bin/opa        |
 
 ## OPAL Server Configuration Variables
 

diff --git a/packages/opal-client/opal_client/config.py b/packages/opal-client/opal_client/config.py
@@ -147,6 +147,12 @@ def load_policy_store():
         "INLINE_OPA_LOG_FORMAT", EngineLogFormat, EngineLogFormat.NONE
     )
 
+    INLINE_OPA_EXECUTABLE_PATH = confi.str(
+        "INLINE_OPA_EXECUTABLE_PATH",
+        "opa",
+        description="Path to the OPA executable. Defaults to 'opa' if not specified.",
+    )
+
     # Cedar runner configuration (Cedar-engine can optionally be run by OPAL) ----------------
 
     # whether or not OPAL should run the Cedar agent by itself in the same container

diff --git a/packages/opal-client/opal_client/engine/options.py b/packages/opal-client/opal_client/engine/options.py
@@ -63,6 +63,10 @@ class OpaServerOptions(BaseModel):
         description="list of built-in rego policies and data.json files that must be loaded into OPA on startup. e.g: system.authz policy when using --authorization=basic, see: https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization",
     )
 
+    opa_executable_path: str = Field(
+        default="opa", description="Path to the OPA executable"
+    )
+
     class Config:
         use_enum_values = True
         allow_population_by_field_name = True

diff --git a/packages/opal-client/opal_client/engine/runner.py b/packages/opal-client/opal_client/engine/runner.py
@@ -5,7 +5,7 @@
 from typing import Callable, Coroutine, List, Optional
 
 import psutil
-from opal_client.config import EngineLogFormat
+from opal_client.config import EngineLogFormat, opal_client_config
 from opal_client.engine.logger import log_engine_output_opa, log_engine_output_simple
 from opal_client.engine.options import CedarServerOptions, OpaServerOptions
 from opal_client.logger import logger
@@ -252,7 +252,17 @@ def command(self) -> str:
         opts = self._options.get_cli_options_dict()
         opts_string = " ".join([f"{k}={v}" for k, v in opts.items()])
         startup_files = self._options.get_opa_startup_files()
-        return f"opa run --server {opts_string} {startup_files}".strip()
+        opa_path = self._options.opa_executable_path
+
+        # Check if the OPA executable exists and is a file
+        if not os.path.isfile(opa_path):
+            raise FileNotFoundError(f"OPA executable not found at path: {opa_path}")
+
+        opts = self._options.get_cli_options_dict()
+        opts_string = " ".join([f"{k}={v}" for k, v in opts.items()])
+        startup_files = self._options.get_opa_startup_files()
+
+        return f"{opa_path} run --server {opts_string} {startup_files}".strip()
 
     @staticmethod
     def setup_opa_runner(
@@ -273,6 +283,20 @@ def setup_opa_runner(
             to handle authorization queries. therefore it is necessary that we rehydrate the
             cache with fresh state fetched from the server.
         """
+
+        if options is None:
+            options = OpaServerOptions(
+                opa_executable_path=opal_client_config.INLINE_OPA_EXECUTABLE_PATH
+            )
+        elif options.opa_executable_path == "opa":
+            options.opa_executable_path = opal_client_config.INLINE_OPA_EXECUTABLE_PATH
+
+        # Check if the OPA executable exists and is a file
+        if not os.path.isfile(options.opa_executable_path):
+            raise FileNotFoundError(
+                f"OPA executable not found at path: {options.opa_executable_path}"
+            )
+
         opa_runner = OpaRunner(options=options, piped_logs_format=piped_logs_format)
         if initial_start_callbacks:
             opa_runner.register_process_initial_start_callbacks(initial_start_callbacks)
@@ -327,4 +351,5 @@ def setup_cedar_runner(
 
     async def handle_log_line(self, line: bytes) -> bool:
         await log_engine_output_simple(line)
+
         return False