Enable OAuth2 authentication.

docker/docker-compose-with-oauth-jwt-token.yml

@@ -0,0 +1,93 @@
+services:
+  # When scaling the opal-server to multiple nodes and/or multiple workers, we use
+  # a *broadcast* channel to sync between all the instances of opal-server.
+  # Under the hood, this channel is implemented by encode/broadcaster (see link below).
+  # At the moment, the broadcast channel can be either: postgresdb, redis or kafka.
+  # The format of the broadcaster URI string (the one we pass to opal server as `OPAL_BROADCAST_URI`) is specified here:
+  # https://github.com/encode/broadcaster#available-backends
+  broadcast_channel:
+    image: postgres:alpine
+    environment:
+      - POSTGRES_DB=postgres
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=postgres
+  opal_server:
+    # by default we run opal-server from latest official image
+    image: permitio/opal-server:latest
+    environment:
+      # the broadcast backbone uri used by opal server workers (see comments above for: broadcast_channel)
+      - OPAL_BROADCAST_URI=postgres://postgres:postgres@broadcast_channel:5432/postgres
+      # number of uvicorn workers to run inside the opal-server container
+      - UVICORN_NUM_WORKERS=4
+      # the git repo hosting our policy
+      # - if this repo is not public, you can pass an ssh key via `OPAL_POLICY_REPO_SSH_KEY`)
+      # - the repo we pass in this example is *public* and acts as an example repo with dummy rego policy
+      # - for more info, see: https://docs.opal.ac/tutorials/track_a_git_repo
+      - OPAL_POLICY_REPO_URL=https://github.com/permitio/opal-example-policy-repo
+      # in this example we will use a polling interval of 30 seconds to check for new policy updates (git commits affecting the rego policy).
+      # however, it is better to utilize a git *webhook* to trigger the server to check for changes only when the repo has new commits.
+      # for more info see: https://docs.opal.ac/tutorials/track_a_git_repo
+      - OPAL_POLICY_REPO_POLLING_INTERVAL=30
+      # configures from where the opal client should initially fetch data (when it first goes up, after disconnection, etc).
+      # the data sources represents from where the opal clients should get a "complete picture" of the data they need.
+      # after the initial sources are fetched, the client will subscribe only to update notifications sent by the server.
+      - OPAL_DATA_CONFIG_SOURCES={"config":{"entries":[{"url":"http://opal_server:7002/policy-data","topics":["policy_data"],"dst_path":"/static"}]}}
+      - OPAL_LOG_FORMAT_INCLUDE_PID=true
+      # to protect resources with OAuth2 Opaque token provided by dedicated server
+      - OPAL_AUTH_TYPE=oauth2
+      # URL to generate new OAuth 2.0 Client Credentials Grant token
+      - OPAL_OAUTH2_TOKEN_URL=https://example/oauth2/token
+      # JWT validation
+      - OPAL_OAUTH2_OPENID_CONFIGURATION_URL=https://example/.well-known/openid-configuration
+      - OPAL_OAUTH2_EXACT_MATCH_CLAIMS=aud=some_audience,iss=some_issuer
+      - OPAL_OAUTH2_REQUIRED_CLAIMS=sub,iat,exp
+      - OPAL_OAUTH2_JWT_ALGORITHM=RS256
+      - OPAL_OAUTH2_JWT_AUDIENCE=some_audience
+      - OPAL_OAUTH2_JWT_ISSUER=https://example/issuer
+    ports:
+      # exposes opal server on the host machine, you can access the server at: http://localhost:7002
+      - "7002:7002"
+    depends_on:
+      - broadcast_channel
+  opal_client:
+    # by default we run opal-client from latest official image
+    image: permitio/opal-client:latest
+    environment:
+      - OPAL_SERVER_URL=http://opal_server:7002
+      - OPAL_LOG_FORMAT_INCLUDE_PID=true
+      - OPAL_INLINE_OPA_LOG_FORMAT=http
+      # to protect resources with OAuth2 Opaque token provided by dedicated server
+      - OPAL_AUTH_TYPE=oauth2
+      # client credentials
+      - OPAL_OAUTH2_CLIENT_ID=some_client_id
+      - OPAL_OAUTH2_CLIENT_SECRET=some_client_secret
+      # URL to generate new OAuth 2.0 Client Credentials Grant token
+      - OPAL_OAUTH2_TOKEN_URL=https://example/oauth2/token
+      # JWT validation
+      - OPAL_OAUTH2_OPENID_CONFIGURATION_URL=https://example/.well-known/openid-configuration
+      - OPAL_OAUTH2_EXACT_MATCH_CLAIMS=aud=some_audience,iss=some_issuer
+      - OPAL_OAUTH2_REQUIRED_CLAIMS=sub,iat,exp
+      - OPAL_OAUTH2_JWT_ALGORITHM=RS256
+      - OPAL_OAUTH2_JWT_AUDIENCE=some_audience
+      - OPAL_OAUTH2_JWT_ISSUER=https://example/issuer
+      # Enable Authorization / Authentication in OPA
+      - 'OPAL_INLINE_OPA_CONFIG={"authentication":"token", "authorization":"basic", "files": ["authz.rego"]}'
+    volumes:
+      # The goal is to create an initial authorization rego that allows OPAL to write the first policy from the POLICY_REPO_URL.
+      # This is achieved through policy overwrite based on the "id" attribute.
+      # When the authz.rego file is placed in the root directory of OPA, it is given the id 'authz.rego'.
+      # Similarly, if there is another authz.rego file in the root of POLICY_REPO_URL, it will also be given the id 'authz.rego'.
+      # Therefore, if the authz.rego file from the POLICY_REPO_URL exists, it will overwrite the initial authz.rego file.
+      - ./docker_files/policy_test/authz.rego:/opal/authz.rego
+    ports:
+      # exposes opal client on the host machine, you can access the client at: http://localhost:7766
+      - "7766:7000"
+      # exposes the OPA agent (being run by OPAL) on the host machine
+      # you can access the OPA api that you know and love at: http://localhost:8181
+      # OPA api docs are at: https://www.openpolicyagent.org/docs/latest/rest-api/
+      - "8181:8181"
+    depends_on:
+      - opal_server
+    # this command is not necessary when deploying OPAL for real, it is simply a trick for dev environments
+    # to make sure that opal-server is already up before starting the client.
+    command: sh -c "exec ./wait-for.sh opal_server:7002 --timeout=20 -- ./start.sh"

docker/docker-compose-with-oauth-opaque-token.yml

@@ -0,0 +1,83 @@
+services:
+  # When scaling the opal-server to multiple nodes and/or multiple workers, we use
+  # a *broadcast* channel to sync between all the instances of opal-server.
+  # Under the hood, this channel is implemented by encode/broadcaster (see link below).
+  # At the moment, the broadcast channel can be either: postgresdb, redis or kafka.
+  # The format of the broadcaster URI string (the one we pass to opal server as `OPAL_BROADCAST_URI`) is specified here:
+  # https://github.com/encode/broadcaster#available-backends
+  broadcast_channel:
+    image: postgres:alpine
+    environment:
+      - POSTGRES_DB=postgres
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=postgres
+  opal_server:
+    # by default we run opal-server from latest official image
+    image: permitio/opal-server:latest
+    environment:
+      # the broadcast backbone uri used by opal server workers (see comments above for: broadcast_channel)
+      - OPAL_BROADCAST_URI=postgres://postgres:postgres@broadcast_channel:5432/postgres
+      # number of uvicorn workers to run inside the opal-server container
+      - UVICORN_NUM_WORKERS=4
+      # the git repo hosting our policy
+      # - if this repo is not public, you can pass an ssh key via `OPAL_POLICY_REPO_SSH_KEY`)
+      # - the repo we pass in this example is *public* and acts as an example repo with dummy rego policy
+      # - for more info, see: https://docs.opal.ac/tutorials/track_a_git_repo
+      - OPAL_POLICY_REPO_URL=https://github.com/permitio/opal-example-policy-repo
+      # in this example we will use a polling interval of 30 seconds to check for new policy updates (git commits affecting the rego policy).
+      # however, it is better to utilize a git *webhook* to trigger the server to check for changes only when the repo has new commits.
+      # for more info see: https://docs.opal.ac/tutorials/track_a_git_repo
+      - OPAL_POLICY_REPO_POLLING_INTERVAL=30
+      # configures from where the opal client should initially fetch data (when it first goes up, after disconnection, etc).
+      # the data sources represents from where the opal clients should get a "complete picture" of the data they need.
+      # after the initial sources are fetched, the client will subscribe only to update notifications sent by the server.
+      - OPAL_DATA_CONFIG_SOURCES={"config":{"entries":[{"url":"http://opal_server:7002/policy-data","topics":["policy_data"],"dst_path":"/static"}]}}
+      - OPAL_LOG_FORMAT_INCLUDE_PID=true
+      # to protect resources with OAuth2 Opaque token provided by dedicated server
+      - OPAL_AUTH_TYPE=oauth2
+      # URL to generate new OAuth 2.0 Client Credentials Grant token
+      - OPAL_OAUTH2_TOKEN_URL=https://example/oauth2/token
+      # introspect URL for Opaque token validation
+      - OPAL_OAUTH2_INTROSPECT_URL=https://example/oauth2/introspect
+    ports:
+      # exposes opal server on the host machine, you can access the server at: http://localhost:7002
+      - "7002:7002"
+    depends_on:
+      - broadcast_channel
+  opal_client:
+    # by default we run opal-client from latest official image
+    image: permitio/opal-client:latest
+    environment:
+      - OPAL_SERVER_URL=http://opal_server:7002
+      - OPAL_LOG_FORMAT_INCLUDE_PID=true
+      - OPAL_INLINE_OPA_LOG_FORMAT=http
+      # to protect resources with OAuth2 Opaque token provided by dedicated server
+      - OPAL_AUTH_TYPE=oauth2
+      # client credentials
+      - OPAL_OAUTH2_CLIENT_ID=some_client_id
+      - OPAL_OAUTH2_CLIENT_SECRET=some_client_secret
+      # URL to generate new OAuth 2.0 Client Credentials Grant token
+      - OPAL_OAUTH2_TOKEN_URL=https://example/oauth2/token
+      # introspect URL for Opaque token validation
+      - OPAL_OAUTH2_INTROSPECT_URL=https://example/oauth2/introspect
+      # Enable Authorization / Authentication in OPA
+      - 'OPAL_INLINE_OPA_CONFIG={"authentication":"token", "authorization":"basic", "files": ["authz.rego"]}'
+    volumes:
+      # The goal is to create an initial authorization rego that allows OPAL to write the first policy from the POLICY_REPO_URL.
+      # This is achieved through policy overwrite based on the "id" attribute.
+      # When the authz.rego file is placed in the root directory of OPA, it is given the id 'authz.rego'.
+      # Similarly, if there is another authz.rego file in the root of POLICY_REPO_URL, it will also be given the id 'authz.rego'.
+      # Therefore, if the authz.rego file from the POLICY_REPO_URL exists, it will overwrite the initial authz.rego file.
+      - ./docker_files/policy_test/authz.rego:/opal/authz.rego
+    ports:
+      # exposes opal client on the host machine, you can access the client at: http://localhost:7766
+      - "7766:7000"
+      # exposes the OPA agent (being run by OPAL) on the host machine
+      # you can access the OPA api that you know and love at: http://localhost:8181
+      # OPA api docs are at: https://www.openpolicyagent.org/docs/latest/rest-api/
+      - "8181:8181"
+    depends_on:
+      - opal_server
+    # this command is not necessary when deploying OPAL for real, it is simply a trick for dev environments
+    # to make sure that opal-server is already up before starting the client.
+    command: sh -c "exec ./wait-for.sh opal_server:7002 --timeout=20 -- ./start.sh"

packages/opal-client/opal_client/callbacks/api.py

@@ -3,8 +3,8 @@
 from fastapi import APIRouter, Depends, HTTPException, Response, status
 from opal_client.callbacks.register import CallbacksRegister
 from opal_client.config import opal_client_config
+from opal_common.authentication.authenticator import Authenticator
 from opal_common.authentication.authz import require_peer_type
-from opal_common.authentication.deps import JWTAuthenticator
 from opal_common.authentication.types import JWTClaims
 from opal_common.authentication.verifier import Unauthorized
 from opal_common.logger import logger
@@ -13,7 +13,7 @@
 from starlette.status import HTTP_500_INTERNAL_SERVER_ERROR
 
 
-def init_callbacks_api(authenticator: JWTAuthenticator, register: CallbacksRegister):
+def init_callbacks_api(authenticator: Authenticator, register: CallbacksRegister):
     async def require_listener_token(claims: JWTClaims = Depends(authenticator)):
         try:
             require_peer_type(

packages/opal-client/opal_client/client.py

@@ -2,9 +2,7 @@
 import functools
 import os
 import signal
-import tempfile
 import uuid
-from logging import disable
 from typing import Awaitable, Callable, List, Literal, Optional, Union
 
 import aiofiles
@@ -19,8 +17,8 @@
 from opal_client.callbacks.register import CallbacksRegister
 from opal_client.config import PolicyStoreTypes, opal_client_config
 from opal_client.data.api import init_data_router
-from opal_client.data.fetcher import DataFetcher
 from opal_client.data.updater import DataUpdater
+from opal_client.data.updater_factory import DataUpdaterFactory
 from opal_client.engine.options import CedarServerOptions, OpaServerOptions
 from opal_client.engine.runner import CedarRunner, OpaRunner
 from opal_client.limiter import StartupLoadLimiter
@@ -31,8 +29,8 @@
 from opal_client.policy_store.policy_store_client_factory import (
     PolicyStoreClientFactory,
 )
-from opal_common.authentication.deps import JWTAuthenticator
-from opal_common.authentication.verifier import JWTVerifier
+from opal_common.authentication.authenticator import Authenticator
+from opal_common.authentication.authenticator_factory import AuthenticatorFactory
 from opal_common.config import opal_common_config
 from opal_common.logger import configure_logs, logger
 from opal_common.middleware import configure_middleware
@@ -51,7 +49,7 @@ def __init__(
         inline_opa_options: OpaServerOptions = None,
         inline_cedar_enabled: bool = None,
         inline_cedar_options: CedarServerOptions = None,
-        verifier: Optional[JWTVerifier] = None,
+        authenticator: Optional[Authenticator] = None,
         store_backup_path: Optional[str] = None,
         store_backup_interval: Optional[int] = None,
         offline_mode_enabled: bool = False,
@@ -70,6 +68,10 @@ def __init__(
                 data_updater (DataUpdater, optional): Defaults to None.
                 policy_updater (PolicyUpdater, optional): Defaults to None.
         """
+        if authenticator is not None:
+            self.authenticator = authenticator
+        else:
+            self.authenticator = AuthenticatorFactory.create()
         self._shard_id = shard_id
         # defaults
         policy_store_type: PolicyStoreTypes = (
@@ -127,6 +129,7 @@ def __init__(
                     opal_client_id=opal_client_identifier,
                     on_connect=on_policy_updater_connect,
                     on_disconnect=on_policy_updater_disconnect,
+                    authenticator=self.authenticator,
                 )
         else:
             self.policy_updater = None
@@ -142,14 +145,15 @@ def __init__(
                     else opal_client_config.DATA_TOPICS
                 )
 
-                self.data_updater = DataUpdater(
+                self.data_updater = DataUpdaterFactory.create(
                     policy_store=self.policy_store,
                     data_topics=data_topics,
                     callbacks_register=self._callbacks_register,
                     opal_client_id=opal_client_identifier,
                     shard_id=self._shard_id,
                     on_connect=on_data_updater_connect,
                     on_disconnect=on_data_updater_disconnect,
+                    authenticator=self.authenticator,
                 )
         else:
             self.data_updater = None
@@ -172,19 +176,6 @@ def __init__(
                 "OPAL client is configured to trust self-signed certificates"
             )
 
-        if verifier is not None:
-            self.verifier = verifier
-        else:
-            self.verifier = JWTVerifier(
-                public_key=opal_common_config.AUTH_PUBLIC_KEY,
-                algorithm=opal_common_config.AUTH_JWT_ALGORITHM,
-                audience=opal_common_config.AUTH_JWT_AUDIENCE,
-                issuer=opal_common_config.AUTH_JWT_ISSUER,
-            )
-        if not self.verifier.enabled:
-            logger.info(
-                "API authentication disabled (public encryption key was not provided)"
-            )
         self.store_backup_path = (
             store_backup_path or opal_client_config.STORE_BACKUP_PATH
         )
@@ -264,13 +255,13 @@ async def _is_ready(self):
     def _configure_api_routes(self, app: FastAPI):
         """Mounts the api routes on the app object."""
 
-        authenticator = JWTAuthenticator(self.verifier)
-
         # Init api routers with required dependencies
         policy_router = init_policy_router(policy_updater=self.policy_updater)
         data_router = init_data_router(data_updater=self.data_updater)
-        policy_store_router = init_policy_store_router(authenticator)
-        callbacks_router = init_callbacks_api(authenticator, self._callbacks_register)
+        policy_store_router = init_policy_store_router(self.authenticator)
+        callbacks_router = init_callbacks_api(
+            self.authenticator, self._callbacks_register
+        )
 
         # mount the api routes on the app object
         app.include_router(policy_router, tags=["Policy Updater"])

packages/opal-client/opal_client/data/oauth2_updater.py

@@ -0,0 +1,46 @@
+from urllib.parse import parse_qs, urlencode, urlparse
+
+import aiohttp
+from aiohttp.client import ClientSession
+from opal_client.logger import logger
+
+from .updater import DefaultDataUpdater
+
+
+class OAuth2DataUpdater(DefaultDataUpdater):
+    async def _load_policy_data_config(
+        self, url: str, headers
+    ) -> aiohttp.ClientResponse:
+        await self._authenticator.authenticate(headers)
+
+        async with ClientSession(headers=headers, trust_env=True) as session:
+            response = await session.get(
+                url, **self._ssl_context_kwargs, allow_redirects=False
+            )
+
+            if response.status == 307:
+                return await self._load_redirected_policy_data_config(
+                    response.headers["location"], headers
+                )
+            else:
+                return response
+
+    async def _load_redirected_policy_data_config(self, url: str, headers):
+        redirect_url = self.__redirect_url(url)
+
+        logger.info(
+            "Redirecting to data-sources configuration '{source}'", source=redirect_url
+        )
+
+        async with ClientSession(headers=headers, trust_env=True) as session:
+            return await session.get(
+                redirect_url, **self._ssl_context_kwargs, allow_redirects=False
+            )
+
+    def __redirect_url(self, url: str) -> str:
+        u = urlparse(url)
+        query = parse_qs(u.query, keep_blank_values=True)
+        query.pop("token", None)
+        u = u._replace(query=urlencode(query, True))
+
+        return u.geturl()