Package com.styra.opa.springboot
Class OPAAuthorizationManager
java.lang.Object
com.styra.opa.springboot.OPAAuthorizationManager
All Implemented Interfaces:
AuthorizationManager<RequestAuthorizationContext>
@Component
public class OPAAuthorizationManager
extends Object
implements AuthorizationManager<RequestAuthorizationContext>
This class implements a Spring AuthorizationManager which wraps the OPA Java
SDK (https://github.com/StyraInc/opa-java). OPA inputs are constructed by
inspecting the Spring Authentication and RequestAuthorizationContext
arguments passed to the check and verify methods, and are compliant with the
AuthZEN spec (https://openid.github.io/authzen).
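A typical way to wire this class into a Spring Security filter chain, using the (String newOpaPath, ContextDataProvider newProvider) constructor and setReasonKey documented on this page. This is an added example, not code from the SDK or its documentation. The policy path authz/decision, the DEPLOY_REGION variable, the package of ContextDataProvider, and its shape as a single-method interface are assumptions.

```java
import java.util.Map;

import com.styra.opa.springboot.ContextDataProvider; // package is an assumption
import com.styra.opa.springboot.OPAAuthorizationManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Hypothetical policy path; it must name a rule that your OPA instance serves.
    private static final String POLICY_PATH = "authz/decision";

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Assumption: ContextDataProvider has one abstract method taking the same
        // two arguments as check(), so a lambda can implement it. The returned
        // value is placed at input.context.data. Only server-side values are
        // used here, so a client cannot influence what the policy sees.
        ContextDataProvider provider = (authentication, context) -> Map.of(
            "region", System.getenv().getOrDefault("DEPLOY_REGION", "unknown"));

        // The OPA client is created internally; OPA_URL overrides its default URL.
        OPAAuthorizationManager opaAuthz = new OPAAuthorizationManager(POLICY_PATH, provider);
        opaAuthz.setReasonKey("en"); // the documented default, set explicitly

        // Every request goes through OPA, so no route is left without a decision.
        http.authorizeHttpRequests(authorize -> authorize.anyRequest().access(opaAuthz));
        return http.build();
    }
}
```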
Constructor Summary
Constructor and Description
OPAAuthorizationManager()
    The authorization manager will internally instantiate an OPAClient instance with default settings.
OPAAuthorizationManager(OPAClient opa)
    The authorization manager will be instantiated with the provided OPA client.
OPAAuthorizationManager(OPAClient opa, ContextDataProvider newProvider)
    The authorization manager will be instantiated with a caller-supplied client, requests will be sent to the default path, and the caller provided ContextDataProvider will be used to populate OPA input at input.context.data.
OPAAuthorizationManager(OPAClient opa, String newOpaPath)
    The authorization manager will be instantiated with a caller-supplied client, and all OPA requests will be sent to the specified path.
OPAAuthorizationManager(OPAClient opa, String newOpaPath, ContextDataProvider newProvider)
    The authorization manager will be instantiated with a caller-supplied client and path, and the ContextDataProvider will be used to populate the OPA input at input.context.data.
OPAAuthorizationManager(String newOpaPath)
    The authorization manager will internally instantiate an OPA client.
OPAAuthorizationManager(String newOpaPath, ContextDataProvider newProvider)
    The authorization manager will instantiate an OPA client internally, but use a caller-supplied path, and ContextDataProvider.
Method Summary
Modifier and Type, Method, and Description
AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext object)
OPAResponse opaRequest(Supplier<Authentication> authentication, RequestAuthorizationContext object)
    This method calls OPA directly without generating an AuthorizationDecision, so that the OPA response itself can be examined.
void setReasonKey(String newReasonKey)
    Changes the "preferred" key where the access decision reason should be searched for in the OPAResponse object.
void verify(Supplier<Authentication> authentication, RequestAuthorizationContext object)
Constructor Details

OPAAuthorizationManager
public OPAAuthorizationManager()
The authorization manager will internally instantiate an OPAClient instance with default settings. The OPA URL may be overridden using the OPA_URL environment variable. All OPA requests will be sent to the default path defined by the OPA configuration.

OPAAuthorizationManager
The authorization manager will be instantiated with the provided OPA client. The caller must perform any needed client configuration before passing it to this constructor. The default path will be used.
Parameters:
opa

OPAAuthorizationManager
The authorization manager will be instantiated with a caller-supplied client, and all OPA requests will be sent to the specified path. The path should be suitable for use with the check() and evaluate() methods of OPAClient.
Parameters:
opa
newOpaPath

OPAAuthorizationManager
The authorization manager will internally instantiate an OPA client. The OPA URL may be overridden using the OPA_URL environment variable. All OPA requests will be sent to the provided path.
Parameters:
newOpaPath

OPAAuthorizationManager
The authorization manager will be instantiated with a caller-supplied client, requests will be sent to the default path, and the caller provided ContextDataProvider will be used to populate OPA input at input.context.data.
Parameters:
opa
newProvider

OPAAuthorizationManager
The authorization manager will be instantiated with a caller-supplied client and path, and the ContextDataProvider will be used to populate the OPA input at input.context.data.
Parameters:
opa
newOpaPath
newProvider

OPAAuthorizationManager
The authorization manager will instantiate an OPA client internally, but use a caller-supplied path, and ContextDataProvider.
Parameters:
newOpaPath
newProvider

Method Details

getReasonKey

setReasonKey
Changes the "preferred" key where the access decision reason should be searched for in the OPAResponse object. A default value of 'en' is used. If the selected key is not present in the response, the key which sorts lexicographically first is used instead.
Parameters:
newReasonKey

opaRequest
public OPAResponse opaRequest(Supplier<Authentication> authentication, RequestAuthorizationContext object)
This method calls OPA directly without generating an AuthorizationDecision, so that the OPA response itself can be examined. It should not be needed during normal use; consider using the OPA Java SDK (which the OPA Spring Boot SDK depends on) directly rather than this method.

check
public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext object)
Specified by:
check in interface AuthorizationManager<RequestAuthorizationContext>

verify
Specified by:
verify in interface AuthorizationManager<RequestAuthorizationContext>