hypertrace/javaagent

OPA filter smoke tests

Closed this issue · 1 comments

This is a tracking issue for discussing OPA filter testing. The idea is that in the agent we want to be able to test the OPA filter https://github.com/hypertrace/javaagent/tree/main/filter-custom-opa against a running https://github.com/open-policy-agent/opa. The filter gets data from /v1/data and runs evaluation on every request.

I would like to package https://github.com/open-policy-agent/opa into a docker container and make data.json and /v1/policies/remote-bundle/traceable/http/request/policy.rego configurable. This container could be used in smoke tests in all Hypertrace agents. There is already a docker container https://hub.docker.com/r/openpolicyagent/opa - we should have a look if it could be used.

In the meantime the OPA filter can be tested by:

  1. port-forwarding the OPA agent from the traceableai namespace: `k port-forward service/opa 8181:8181 -n traceableai`
  2. getting the data from the OPA agent with `curl localhost:8181/v1/data` and picking some IP address from the denylist
  3. running the agent on a test/demo app and doing `curl localhost:8080 -H "X-Forwarded-For: <IP from deny list>"` - the request should be blocked with 403

cc) @mohit-a21 @jcchavezs @davexroth
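An offline stand-in for the three manual steps above, added as an example and not taken from the Hypertrace code base: a stub server answers `/v1/data` in OPA's `{"result": ...}` envelope, and the check mirrors the expected 403. The layout under `result`, the sample IPs, and the plain membership check standing in for the Rego policy evaluation are all assumptions.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data; the key names under "result" are assumptions.
SAMPLE_DATA = {"result": {"denylist": {"ips": ["203.0.113.7", "198.51.100.23"]}}}


class StubOpa(BaseHTTPRequestHandler):
    """Answers GET /v1/data the way OPA wraps documents: {"result": ...}."""

    def do_GET(self):
        found = self.path == "/v1/data"
        body = json.dumps(SAMPLE_DATA if found else {}).encode()
        self.send_response(200 if found else 404)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep test output quiet
        pass


def fetch_denylist(base_url):
    """Step 2: read /v1/data and return the denied IPs as a set."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(base_url + "/v1/data", timeout=5) as resp:
        doc = json.load(resp)
    return set(doc.get("result", {}).get("denylist", {}).get("ips", []))


def expected_status(headers, denylist):
    """Step 3: 403 if any X-Forwarded-For hop is denied, else 200."""
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    return 403 if any(h in denylist for h in hops if h) else 200


def run_smoke_test():
    server = HTTPServer(("127.0.0.1", 0), StubOpa)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        denylist = fetch_denylist("http://127.0.0.1:%d" % server.server_port)
    finally:
        server.shutdown()
        server.server_close()
    blocked = sorted(denylist)[0]
    cases = [blocked, "192.0.2.1, " + blocked, "192.0.2.1", None]
    return [expected_status({"X-Forwarded-For": c} if c else {}, denylist) for c in cases]
```

Against a real deployment, `fetch_denylist` would point at the port-forwarded OPA and the status would come from the instrumented app's response rather than from `expected_status`.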

Removing OPA is moved to a private repo