Updated docs, testing and OPA version on AWS

1ecfe840 · Shane Hutchins · 714be774 · 1ecfe840 · 1ecfe840 · 1ecfe840
Commit 1ecfe840 authored 6 months ago by Shane Hutchins
--- a/app/Makefile
+++ b/app/Makefile
@@ -106,8 +106,8 @@ scan:
 	docker scan $(IMAGE_NAME):$(TAG)

 #local: LOG_LEVEL_TRANSLATE := DEBUG
-#local: LOG_LEVEL := DEBUG
 #local: aws_set_token_green echoenv
+local: LOG_LEVEL := DEBUG
 local: OPA_URL := http://localhost:$(OPA_PORT)
 local: CLOUD_PROVIDER := LOCAL
 local: DISABLE_OPA_CACHE := False
@@ -437,19 +437,20 @@ gcp_opa_ttab:
 aws_opa_ttab:
 	ttab -t OPA make local_opa

+local_opa: ENTITLEMENTS_BASE_URL := ${BASE_URL}
+local_opa: LEGAL_BASE_URL := ${BASE_URL}
 local_opa:
-	opa run --server
+	opa run -l debug --server

 local_opa_ttab:
 	ttab -t OPA make local_opa

 opa:
-	docker run \
+	docker run -it --rm --platform linux/amd64 \
 	-v ${PWD}:/conf \
 	-e ENTITLEMENTS_BASE_URL=${BASE_URL} \
 	-e LEGAL_BASE_URL=${BASE_URL} \
 	--name $(OPA_NAME) -p 8181:8181 openpolicyagent/opa \
-	--config-file=tests/opa.yaml \
 	run --server

 opa2:

--- a/cache/README.md
+++ b/cache/README.md
+# Testing Cache
+
+## cache.rego
+This rego is a demo of how bad rego's can fill up your cache and not get cache hits.
+This one in particular is useful for testing `caching.inter_query_builtin_cache.max_size_bytes` in OPA config.
+
+### Recommended steps for testing:
+These commands will only work in M24
+
+- Install [AdminCLI](https://osdu.pages.opengroup.org/ui/admincli/install/)
+- Download [eval_legal.json](https://community.opengroup.org/osdu/ui/admincli/-/raw/master/admincli/resources/eval_legal.json)
+- Download [cache.rego](https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/raw/master/cache/cache.rego)
+- Upload cache.rego to policy via `admincli add -f cache.rego -t cache`
+- Verify policy is in place `admincli ls cache`
+- Run a single eval: `admincli eval -f eval_legal.json -t cache --force --no-cache`
+- Run eval 100 times: - `admincli eval -f eval_legal.json -t cache --force --no-cache --count=100 --quiet`
--- a/cache/cache.rego
+++ b/cache/cache.rego
+package osdu.partition["osdu"].cache
+
+import input
+
+uuid1 = uuid.rfc4122("abc")
+uuid2 = uuid.rfc4122("foo")
+uuid3 = uuid.rfc4122("123")
+
+headers1 = {
+    "Content-Type": "application/json",
+    "data-partition-id": input.datapartitionid,
+    "Authorization": sprintf("Bearer %v", [input.token]),
+    "Accept": "application/json",
+    "correlation-id": uuid1
+}
+
+headers2 = {
+    "Content-Type": "application/json",
+    "data-partition-id": input.datapartitionid,
+    "Authorization": sprintf("Bearer %v", [input.token]),
+    "Accept": "application/json",
+    "correlation-id": uuid2
+}
+
+headers3 = {
+    "Content-Type": "application/json",
+    "data-partition-id": input.datapartitionid,
+    "Authorization": sprintf("Bearer %v", [input.token]),
+    "Accept": "application/json",
+    "uuid": uuid3
+}
+
+body = {
+   "names": { x |  x := input.records[_].legal.legaltags[_] }
+}
+
+legal_base_url = sprintf("%s%s",[opa.runtime().env["LEGAL_BASE_URL"],"/api/legal/v1/legaltags"])
+
+entitlement_base_url = sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/entitlements/v2/groups"])
+
+legal_response1 := http.send({
+    "method": "GET",
+    "url": sprintf("%s%s",[opa.runtime().env["LEGAL_BASE_URL"],"/api/legal/v1/legaltags"]),
+    "body": body,
+    "headers": headers1,
+    "max_retry_attempts": 5,
+    "force_cache": true,
+    "force_cache_duration_seconds": 14400
+    })
+
+legal_response2 := http.send({
+    "method": "GET",
+    "url": sprintf("%s%s",[opa.runtime().env["LEGAL_BASE_URL"],"/api/legal/v1/legaltags"]),
+    "body": body,
+    "headers": headers2,
+    "max_retry_attempts": 5,
+    "force_cache": true,
+    "force_cache_duration_seconds": 14400
+    })
+
+legal_response3 := http.send({
+    "method": "GET",
+    "url": sprintf("%s%s",[opa.runtime().env["LEGAL_BASE_URL"],"/api/legal/v1/legaltags"]),
+    "body": body,
+    "headers": headers3,
+    "max_retry_attempts": 5,
+    "force_cache": true,
+    "force_cache_duration_seconds": 14400
+    })
+
+groups_response1 := http.send({
+    "method": "GET",
+    "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/entitlements/v2/groups"]),
+    "headers": headers1,
+    "max_retry_attempts": 5,
+    "force_cache": true,
+    "force_cache_duration_seconds": 14400
+    })
+
+groups_response2 := http.send({
+    "method": "GET",
+    "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/entitlements/v2/groups"]),
+    "headers": headers2,
+    "max_retry_attempts": 5,
+    "force_cache": true,
+    "force_cache_duration_seconds": 14400
+    })
+
+groups_response3 := http.send({
+    "method": "GET",
+    "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/entitlements/v2/groups"]),
+    "headers": headers3,
+    "max_retry_attempts": 5,
+    "force_cache": true,
+    "force_cache_duration_seconds": 14400
+    })
+
+policy_response1 := http.send({
+    "method": "GET",
+    "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/policy/v1/config"]),
+    "headers": headers1,
+    "max_retry_attempts": 5,
+    "force_cache": true,
+    "force_cache_duration_seconds": 14400
+    })
+
+policy_response2 := http.send({
+    "method": "GET",
+    "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/policy/v1/config"]),
+    "headers": headers2,
+    "max_retry_attempts": 5,
+    "force_cache": true,
+    "force_cache_duration_seconds": 14400
+    })
+
+policy_response3:= http.send({
+    "method": "GET",
+    "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/policy/v1/config"]),
+    "headers": headers3,
+    "max_retry_attempts": 5,
+    "force_cache": true,
+    "force_cache_duration_seconds": 14400
+    })
+
+search_response1 := http.send({
+    "method": "POST",
+    "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/search/v2/query"]),
+    "body": {"kind": "*:*:*:*", "query": "", "limit": 1000},
+    "headers": headers1,
+    "max_retry_attempts": 5,
+    "force_cache": true,
+    "force_cache_duration_seconds": 14400
+    })
+
+search_response2 := http.send({
+    "method": "POST",
+    "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/search/v2/query"]),
+    "body": {"kind": "*:*:*:*", "query": "", "limit": 1000},
+    "headers": headers2,
+    "max_retry_attempts": 5,
+    "force_cache": true,
+    "force_cache_duration_seconds": 14400
+    })
+
+search_response3 := http.send({
+    "method": "POST",
+    "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/search/v2/query"]),
+    "body": {"kind": "*:*:*:*", "query": "", "limit": 1000},
+    "headers": headers3,
+    "max_retry_attempts": 5,
+    "force_cache": true,
+    "force_cache_duration_seconds": 14400
+    })
--- a/devops/aws/opa/values.yaml
+++ b/devops/aws/opa/values.yaml
@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-image: openpolicyagent/opa:0.67.1
+image: openpolicyagent/opa:0.68.0
--- a/docs/docs/opa.md
+++ b/docs/docs/opa.md
@@ -13,7 +13,7 @@
 | M21       | v0.56 or later                        |
 | M22       | v0.62.1 or later                      |
 | M23       | v0.62.1 or later                      |
-| M24       | v0.66.0 or later                      |
+| M24       | v0.67.1 or later                      |
 | M25       | v0.68.0 or later                      |

 ## Role

--- a/docs/docs/releasenotes.md
+++ b/docs/docs/releasenotes.md
@@ -5,8 +5,6 @@ Policy Service v0.28.0 2025/01

 ### M25 Minor Changes
 - Documentation updates.
- Added max cache OPA config `caching.inter_query_builtin_cache.max_size_bytes` to AWS.
- Added cache info (if configured) to config API.
 - Min. OPA release recommendation update v0.68 or later

 ### M25 Features
@@ -17,11 +15,13 @@ Policy Service v0.27.0 2024/09

 ### M24 Minor Changes
 - Documentation updates
+- Added max cache OPA config `caching.inter_query_builtin_cache.max_size_bytes` to AWS.
+- Added cache info (if configured) to config API.
 - Default policy cache updates (ignore headers and TTL adjustment) - requires OPA v0.66 or later

 ### M24 Bug Fixes
 - Vulnerability fixes
- Min. OPA release recommendation update v0.66 or later
+- Min. OPA release recommendation update v0.67.1 or later

 ### M24 Features


--- a/docs/docs/testing.md
+++ b/docs/docs/testing.md
@@ -47,11 +47,11 @@ The [test directory](https://community.opengroup.org/osdu/platform/security-and-
 * `OPA_COMPILE_CACHE_TTL` - Added in M20
 * `OPA_DATAAPI_CACHE_MAXSIZE` - Added in M20
 * `OPA_DATAAPI_CACHE_TTL` - Added in M20
-* `OPA_DATA_CACHE_INFO` - Added in M25
-* `OPA_COMPILE_CACHE_INFO` - Added in M25
-* `OPA_DOCUMENT_CACHE_INFO` - Added in M25
-* `OPA_FETCH_CACHE_INFO` - Added in M25
-* `OPA_LIST_CACHE_INFO` - Added in M25
+* `OPA_DATA_CACHE_INFO` - Added in M24
+* `OPA_COMPILE_CACHE_INFO` - Added in M24
+* `OPA_DOCUMENT_CACHE_INFO` - Added in M24
+* `OPA_FETCH_CACHE_INFO` - Added in M24
+* `OPA_LIST_CACHE_INFO` - Added in M24

 ### BUNDLE_PAUSE