easegress-io · suchen-sci · Nov 28, 2022 · Nov 10, 2022 · Nov 18, 2022 · Nov 24, 2022
diff --git a/doc/reference/filters.md b/doc/reference/filters.md
@@ -61,6 +61,9 @@
   - [OIDCAdaptor](#OIDCAdaptor)
     - [Configuration](#configuration-19)
     - [Results](#results-19)
+  - [OPAFilter](#OPAFilter)
+    - [Configuration](#configuration-20)
+    - [Results](#results-20) 
   - [Common Types](#common-types)
     - [pathadaptor.Spec](#pathadaptorspec)
     - [pathadaptor.RegexpReplace](#pathadaptorregexpreplace)
@@ -1059,6 +1062,68 @@ After OIDCAdaptor handled, following OIDC related information can be obtained fr
 * **X-Access-Token**: The AccessToken returned by OpenId Connect or OAuth2.0 flow.
 
 
+
+## OPAFilter
+The [Open Policy Agent (OPA)](https://www.openpolicyagent.org/docs/latest/) is an open source, 
+general-purpose policy engine that unifies policy enforcement across the stack. It provides a 
+high-level declarative language, which can be used to define and enforce policies in 
+Easegress API Gateway. Currently, there are 160+ built-in operators and functions we can use, 
+for examples `net.cidr_contains` and `contains`.
+
+```yaml
+name: demo-pipeline
+kind: Pipeline
+flow:
+  - filter: opa-filter
+    jumpIf: { opaDenied: END }
+filters:
+  - name: opa-filter
+    kind: OPAFilter
+    defaultStatus: 403
+    readBody: true
+    includedHeaders: a,b,c
+    policy: |
+      package http
+      default allow = false
+      allow {
+         input.request.method == "POST"
+         input.request.scheme == "https"
+         contains(input.request.path, "/")               
+         net.cidr_contains("127.0.0.0/24",input.request.realIP)          
+      }
+```
+
+The following table lists input request fields that can be used in an OPA policy to help enforce it.
+
+| Name                     | Type   | Description                                                           | Example                              |
+|--------------------------|--------|-----------------------------------------------------------------------|--------------------------------------|
+| input.request.method     | string | The current http request method                                       | "POST"                               |
+| input.request.path       | string | The current http request URL path                                     | "/a/b/c"                             |
+| input.request.path_parts | array  | The current http request URL path parts                               | ["a","b","c"]                        |
+| input.request.raw_query  | string | The current http request raw query                                    | "a=1&b=2&c=3"                        |
+| input.request.query      | map    | The current http request query map                                    | {"a":1,"b":2,"c":3}                  |
+| input.request.headers    | map    | The current http request header map targeted by<br/> includedHeaders  | {"Content-Type":"application/json"}  |
+| input.request.scheme     | string | The current http request scheme                                       | "https"                              | 
+| input.request.realIP     | string | The current http request client real IP                               | "127.0.0.1"                          |
+| input.request.body       | string | The current http request body string data                             | {"data":"xxx"}                       |
+
+
+### Configuration
+
+| Name             | Type   | Description                                                                          | Required |
+|------------------|--------|--------------------------------------------------------------------------------------|----------|
+| defaultStatus    | int    | The default HTTP status code when request is denied by the OPA policy decision       | No       |
+| readBody         | bool   | Whether to read request body as OPA policy data on condition                         | No       |
+| includedHeaders  | string | Names of the HTTP headers to be included in `input.request.headers`, comma-separated | No       |
+| policy           | string | The OPA policy written in the Rego declarative language                              | Yes      |
+
+### Results
+| Value     | Description                                   |
+|-----------|-----------------------------------------------|
+| opaDenied | The request is denied by OPA policy decision. |
+
+
+
 ## Common Types
 
 ### pathadaptor.Spec

diff --git a/go.mod b/go.mod
@@ -37,6 +37,7 @@ require (
 	github.com/megaease/yaml v0.0.0-20220804061446-4f18d6510aed
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nacos-group/nacos-sdk-go v1.1.0
+	github.com/open-policy-agent/opa v0.35.0
 	github.com/openzipkin/zipkin-go v0.4.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2
@@ -85,6 +86,7 @@ require (
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/aliyun/alibaba-cloud-sdk-go v1.61.18 // indirect
@@ -127,21 +129,23 @@ require (
 	github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
 	github.com/facebookgo/subset v0.0.0-20200203212716-c811ad88dec4 // indirect
 	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
-	github.com/go-kit/log v0.1.0 // indirect
-	github.com/go-logfmt/logfmt v0.5.0 // indirect
-	github.com/go-logr/logr v1.2.2 // indirect
+	github.com/go-kit/log v0.2.0 // indirect
+	github.com/go-logfmt/logfmt v0.5.1 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/mock v1.6.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-containerregistry v0.8.1-0.20220414143355-892d7a808387 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
@@ -184,7 +188,7 @@ require (
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/miekg/dns v1.1.41 // indirect
+	github.com/miekg/dns v1.1.43 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -197,15 +201,15 @@ require (
 	github.com/pierrec/lz4/v4 v4.1.15 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_golang v1.13.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.32.1 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/prometheus/common v0.37.0 // indirect
+	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/prometheus/statsd_exporter v0.21.0 // indirect
 	github.com/rickb777/date v1.13.0 // indirect
 	github.com/rickb777/plural v1.2.1 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/soheilhy/cmux v0.1.5 // indirect
 	github.com/spaolacci/murmur3 v1.1.0
 	github.com/spf13/afero v1.8.2 // indirect
@@ -219,6 +223,7 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
 	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
+	github.com/yashtewari/glob-intersection v0.1.0 // indirect
 	go.etcd.io/bbolt v1.3.6 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.4 // indirect
 	go.etcd.io/etcd/client/v2 v2.305.4 // indirect
@@ -234,7 +239,7 @@ require (
 	go.opentelemetry.io/otel/sdk/export/metric v0.20.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect
 	go.opentelemetry.io/otel/trace v0.20.0 // indirect
-	go.opentelemetry.io/proto/otlp v0.7.0 // indirect
+	go.opentelemetry.io/proto/otlp v0.16.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
@@ -272,10 +277,10 @@ require (
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
-replace github.com/go-openapi/spec => github.com/go-openapi/spec v0.19.3
-
-replace github.com/buger/jsonparser => github.com/buger/jsonparser v1.1.1
-
-replace k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.24.1
-
-replace k8s.io/cli-runtime => k8s.io/cli-runtime v0.24.1
+replace (
+	github.com/buger/jsonparser => github.com/buger/jsonparser v1.1.1
+	github.com/go-openapi/spec => github.com/go-openapi/spec v0.19.3
+	go.opentelemetry.io/proto/otlp => go.opentelemetry.io/proto/otlp v0.7.0
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.24.1
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.24.1
+)