/policy

CLI for building OPA policies into OCI images

Primary LanguageGoApache License 2.0Apache-2.0

opcr

policy - the CLI for managing authorization policies

The policy CLI is a tool for building, versioning and publishing your authorization policies. It uses OCI standards to manage artifacts, and the Open Policy Agent (OPA) to compile and run.


Go Report Card ci codebeat badge GitHub all releases Apache 2.0 GitHub release (latest SemVer) CodeQL OpenSSF Best Practices

Documentation

Please refer to our documentation site for installation, usage, customization and tips.

Slack Channel

Wanna discuss features or show your support for this tool?


Installation

policy is available on Linux, macOS and Windows platforms.

  • Binaries for Linux, Windows and Mac are available as tarballs in the release page.

  • Via Homebrew for macOS or LinuxBrew for Linux

    brew tap opcr-io/tap && brew install opcr-io/tap/policy

    Note: if you want to try a pre-release version before the official release:

    brew tap opcr-io/tap && brew install opcr-io/tap/policy-rc
  • Via the nix package manager on nixOS, other linux distros, and macOS

    At the moment the package is only available in the unstable channel. Below are some examples using nix to install policy via the shell, NixOS configuration, and home-manager configuration.

    Shell:

    nix-env --install -A nixpkgs.opcr-policy

    NixOS:

      # your other config ...
      environment.systemPackages = with pkgs; [
        # your other packages ...
        opcr-policy
      ];

    home-manager:

      # your other config ...
      home.packages = with pkgs; [
        # your other packages ...
        opcr-policy
      ];
  • Via a GO install

    go install github.com/opcr-io/policy/cmd/policy@latest

Building From Source

policy is currently using go v1.16 or above. In order to build policy from source you must:

  1. Install mage

  2. Clone the repo

  3. Build and run the executable

    mage build && ./dist/build_linux_amd64/policy

Running with Docker

Running the official Docker image

You can run as a Docker container:

docker run -it --rm ghcr.io/opcr-io/policy:latest --help

The Command Line

$ policy --help
Usage: policy <command>

Commands:
  build        Build policies.
  images       List policy images.
  push         Push policies to a registry.
  pull         Pull policies from a registry.
  login        Login to a registry.
  logout       Logout from a registry.
  save         Save a policy to a local bundle tarball.
  tag          Create a new tag for an existing policy.
  rm           Removes a policy from the local registry.
  inspect      Displays information about a policy.
  repl         Sets you up with a shell for running queries using an OPA instance with a policy loaded.
  templates    List and apply templates
  version      Prints version information.

Flags:
  -h, --help             Show context-sensitive help.
  -c, --config="/Users/ogazitt/.policy/config.yaml"
                         Path to the policy CLI config file.
      --debug            Enable debug mode.
  -v, --verbosity=INT    Use to increase output verbosity.
  -k, --insecure         Do not verify TLS connections.

Run "policy <command> --help" for more information on a command.

Logs

Logs are printed to stderr. You can increase detail using the verbosity flag (e.g. -vvv).

Demo Videos/Recordings

demo


Known Issues

This is still work in progress! If something is broken or there's a feature that you want, please file an issue and if so inclined submit a PR!


Credits

The policy CLI uses a lot of great and amazing open source projects and libraries. A big thank you to all of them!


Contributions Guideline

  • File an issue first prior to submitting a PR!
  • Ensure all exported items are properly commented
  • If applicable, submit a test suite against your PR

Reporting Vulnerabilities

Please send an email to one of the maintainers. We commit to addressing vulnerabilities promptly.