policy - the CLI for managing authorization policies

Overview


The policy CLI is a tool for building, versioning and publishing your authorization policies. It packages and distributes policies as OCI artifacts and uses the Open Policy Agent (OPA) to compile and run them.



Documentation

Please refer to our documentation site for installation, usage, customization and tips.

Slack Channel

Wanna discuss features or show your support for this tool?


Installation

policy is available on Linux, macOS and Windows platforms.

  • Binaries for Linux, Windows and macOS are available as tarballs on the releases page.

  • Via Homebrew for macOS or LinuxBrew for Linux

    brew tap opcr-io/tap && brew install opcr-io/tap/policy
  • Via go get

    # NOTE: this installs the current development version, not a tagged release!
    go get -u github.com/opcr-io/policy

Building From Source

policy currently requires Go v1.16 or above. To build policy from source you must:

  1. Install mage

  2. Clone the repo

  3. Build and run the executable

    mage build && ./dist/build_linux_amd64/policy

Running with Docker

Running the official Docker image

You can also run policy as a Docker container:

docker run -it --rm ghcr.io/opcr-io/policy:latest --help

The Command Line

$ policy --help
Usage: policy <command>

Flags:
  -h, --help             Show context-sensitive help.
  -c, --config="/home/toaster/.config/policy/config.yaml"
                         Path to the policy CLI config file.
      --debug            Enable debug mode.
  -v, --verbosity=INT    Use to increase output verbosity.

Commands:
  build <path> ...
    Build policies.

  list
    List policies.

  push <policy> ...
    Push policies to a registry.

  pull <policy> ...
    Pull policies from a registry.

  login
    Login to a registry.

  save <policy>
    Save a policy to a local bundle tarball.

  tag <policy> <tag>
    Create a new tag for an existing policy.

  rm <policy> ...
    Removes a policy from the local registry.

  run <policy>
    Sets you up with a shell for running queries using an OPA instance with a policy loaded.

  version
    Prints version information.

Run "policy <command> --help" for more information on a command.

Logs

Logs are printed to stderr. You can increase detail using the verbosity flag (e.g. -vvv).

Demo Videos/Recordings



Known Issues

This is still work in progress! If something is broken or there's a feature that you want, please file an issue and if so inclined submit a PR!


Credits

The policy CLI uses a lot of great and amazing open source projects and libraries. A big thank you to all of them!


Contribution Guidelines

  • File an issue first prior to submitting a PR!
  • Ensure all exported items are properly commented
  • If applicable, submit a test suite against your PR
Issues
  • installation instructions don't work with go1.18

    Scratch/oci % go version
    go version go1.18.1 darwin/amd64
    Scratch/oci % go get -u github.com/opcr-io/policy
    go: go.mod file not found in current directory or any parent directory.
            'go get' is no longer supported outside a module.
            To build and install a command, use 'go install' with a version,
            like 'go install example.com/[email protected]'
            For more information, see https://golang.org/doc/go-get-install-deprecation
            or run 'go help get' or 'go help install'.
    
    opened by srenatus 3
  • login with custom server and pipe won't work without `-d`

    With echo $GH_PAT | policy login -s ghcr.io -u srenatus --password-stdin:

    Since there's no TTY, it'll just loop forever:

    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    
    opened by srenatus 2
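The hang reported above happens when an interactive yes/no prompt is reached on a stdin that is not a terminal, so EOF is re-read as an invalid answer forever. The defensive shape is to read the piped password once, check whether stdin is a TTY before asking anything, and treat EOF as a final answer. This is an added Go example, not code from the policy CLI; the function names, the `setDefault` pointer standing in for the issue's `-d` flag, and the 3-attempt cap are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// IsTerminal reports whether f is a character device (an interactive TTY); stdlib only.
func IsTerminal(f *os.File) bool {
	fi, err := f.Stat()
	return err == nil && fi.Mode()&os.ModeCharDevice != 0
}

// AskYesNo asks at most maxTries times and gives up at EOF instead of spinning.
func AskYesNo(r *bufio.Reader, w io.Writer, question string, maxTries int) (bool, error) {
	for i := 0; i < maxTries; i++ {
		fmt.Fprintf(w, "%s [yes/no]: ", question)
		line, err := r.ReadString('\n')
		switch strings.ToLower(strings.TrimSpace(line)) {
		case "yes", "y":
			return true, nil
		case "no", "n":
			return false, nil
		}
		if err != nil { // EOF or read error: no further input will ever arrive
			return false, fmt.Errorf("no yes/no answer: %w", err)
		}
		fmt.Fprintln(w, "Invalid value.")
	}
	return false, fmt.Errorf("no valid answer after %d tries", maxTries)
}

// CollectLogin reads the password from the first line of stdin (the --password-stdin contract)
// and asks the "default domain" question only when stdin is interactive and no flag answered it.
func CollectLogin(stdin io.Reader, out io.Writer, interactive bool, setDefault *bool) (pw string, def bool, err error) {
	r := bufio.NewReader(stdin)
	line, err := r.ReadString('\n')
	if err != nil && err != io.EOF {
		return "", false, err
	}
	if pw = strings.TrimRight(line, "\r\n"); pw == "" {
		return "", false, fmt.Errorf("--password-stdin: empty password")
	}
	switch {
	case setDefault != nil: // explicit flag (the issue's -d) wins, no prompt at all
		return pw, *setDefault, nil
	case !interactive: // piped stdin without the flag: safe default, never prompt
		return pw, false, nil
	}
	def, err = AskYesNo(r, out, "Do you want to set this server as your default domain?", 3)
	return pw, def, err
}
```

In a real binary the caller would pass IsTerminal(os.Stdin) as the interactive argument, so the piped invocation from the issue returns immediately instead of looping.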
  • Bump github.com/containerd/containerd from 1.5.9 to 1.5.10

    Bumps github.com/containerd/containerd from 1.5.9 to 1.5.10.

    Release notes

    Sourced from github.com/containerd/containerd's releases.

    containerd 1.5.10

    Welcome to the v1.5.10 release of containerd!

    The tenth patch release for containerd 1.5 includes a fix for CVE-2022-23648 and other issues.

    Notable Updates

    • Use fs.RootPath when mounting volumes (GHSA-crp2-qrr5-8pq7)
    • Return init pid when clean dead shim in runc.v1/v2 shims (#6570)
    • Handle sigint/sigterm in shimv2 (#6509)
    • Use readonly mount to read user/group info (#6503)

    See the changelog for complete list of changes

    Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

    Contributors

    • Derek McGowan
    • Wei Fu
    • Sebastiaan van Stijn
    • Phil Estes
    • Alexander Minbaev
    • Brian Goff
    • Daniel Canter
    • David Porter
    • Kazuyoshi Kato
    • Maksym Pavlenko
    • ruiwen-zhao

    Changes

    • [release/1.5] Prepare release notes for v1.5.10 (#6606)
      • Prepare release notes for v1.5.10
    • Github Security Advisory GHSA-crp2-qrr5-8pq7
      • Use fs.RootPath when mounting volumes
    • [release/1.5] runc.v1/v2: return init pid when clean dead shim (#6570)
      • runc.v1/v2: return init pid when clean dead shim
    • [release/1.5] Update Go to 1.16.14 (#6556)
      • [release/1.5] Update Go to 1.16.14
    • Wait for containerd installation in GCE scripts [1.5 backport] (#6552)
      • Wait for containerd installation in GCE scripts
    • [release/1.5] shimv2: handle sigint/sigterm (#6509)
      • shimv2: handle sigint/sigterm
    • [release/1.5] Update Go to 1.16.13 (#6526)

    ... (truncated)

    Changelog

    Sourced from github.com/containerd/containerd's changelog.

    Versioning and Release

    This document details the versioning and release plan for containerd. Stability is a top goal for this project and we hope that this document and the processes it entails will help to achieve that. It covers the release process, versioning numbering, backporting, API stability and support horizons.

    If you rely on containerd, it would be good to spend time understanding the areas of the API that are and are not supported and how they impact your project in the future.

    This document will be considered a living document. Supported timelines, backport targets and API stability guarantees will be updated here as they change.

    If there is something that you require or this document leaves out, please reach out by filing an issue.

    Releases

    Releases of containerd will be versioned using dotted triples, similar to Semantic Version. For the purposes of this document, we will refer to the respective components of this triple as <major>.<minor>.<patch>. The version number may have additional information, such as alpha, beta and release candidate qualifications. Such releases will be considered "pre-releases".

    Major and Minor Releases

    Major and minor releases of containerd will be made from main. Releases of containerd will be marked with GPG signed tags and announced at https://github.com/containerd/containerd/releases. The tag will be of the format v<major>.<minor>.<patch> and should be made with the command git tag -s v<major>.<minor>.<patch>.

    After a minor release, a branch will be created, with the format release/<major>.<minor> from the minor tag. All further patch releases will be done from that branch. For example, once we release v1.0.0, a branch release/1.0 will be created from that tag. All future patch releases will be done against that branch.

    Pre-releases

    Pre-releases, such as alphas, betas and release candidates will be conducted from their source branch. For major and minor releases, these releases will be done from main. For patch releases, these pre-releases should be done within the corresponding release branch.

    While pre-releases are done to assist in the stabilization process, no guarantees are provided.

    ... (truncated)

    Commits
    • 2a1d4db Merge pull request #6606 from dmcgowan/prepare-v1.5.10
    • c7085be Prepare release notes for v1.5.10
    • 5296045 Merge pull request from GHSA-crp2-qrr5-8pq7
    • 2cbf075 Merge pull request #6570 from fuweid/cp-6452
    • 6f45108 runc.v1/v2: return init pid when clean dead shim
    • d1d905b Use fs.RootPath when mounting volumes
    • 6ddbd47 Merge pull request #6556 from thaJeztah/1.5_bump_go_1.16.14
    • 24b9912 [release/1.5] Update Go to 1.16.14
    • f0f80cd Merge pull request #6552 from bobbypage/backport-6544-1-5
    • 2708d4a Wait for containerd installation in GCE scripts
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 2
  • add ctx parameter and update list orgs

    This PR:

    • updates mage generate to also generate the mocks for the tests
    • updates the extended client API to accept a context
    • updates the ListOrgs method to handle the scc-lib changes: https://github.com/aserto-dev/scc-lib/pull/10
    opened by mihaibuzgau 1
Releases: v0.1.30
Owner: Open Policy Registry