Is it possible to implement OPA bundle signing on code?

[somsom13]

Hi, I have to use OPA bundle signing for integrity, but I have to do all bundle generation after signing in my code.

I know that the only bundle signature method provided by OPA is the CLI.
But I want to sign the bundle directly on the code (not go).
To do that, I think I need to be able to make the hash that goes into JWT's payload in the same way that OPA does verification, is it possible?

[ashutosh-narkar]

I don't completely understand the use-case here but if you have a bundle and you want to generate a signature for the files in the bundle you can use the opa sign or opa build command. If you don't want to use the CLI you can use the Go APIs that implement signing. This file is where the singing code is located.

[somsom13]

Hi, thanks for your reply.

If you don't want to use the CLI

This is exactly what I wanted to talk about.

I think the go api you mentioned is to install plugin in the application written as go, is that right?
It's such a good suggestion, but unfortunately, I have to proceed with opa signing in the application written as kotlin.
So if go api means this right, it will be difficult to use in my application.
(So I was wondering if I should make my own hash value for payload as I mentioned above.)

Is there any other solution to this situation?

[ashutosh-narkar]

Can you explain a little bit more about your setup?

[somsom13]

It's a spring boot application that uses Kotlin.
I'm going to look up the DB within the kotlin application and create the data.json used by OPA. And then, make a signed bundle and upload it to an external storage (e.g. s3, git repository).

So I thought both signing and bundle generation should be done inside the application. The compression process of making a bundle (conversion to bundle.tar.gz) is possible on the code, but I'm wondering if it's possible to proceed with the signature on the code.

I don't know if this is the answer to the setup. Let me know right away if you need any additional information!

[ashutosh-narkar]

Thanks for the context. Is there a reason the application handles the bundle creation. I would have imagined a service that is responsible for talking to the DB and generating/signing/uploading the bundle and another service that handles client requests and talks to OPA for an authz decision. Basically a decoupled model. Is that feasible?

[somsom13]

Thank you for your kind reply!

The kotlin application I'm currently developing will be in charge of DB communication/bundle generation/signing/upload as you mentioned. So I thought that if another server asks the kotlin application to create a bundle through API call, it will be in charge of creating, signing, and uploading the bundle. And there is a separate server that sends an authorization request to OPA.

I think the application I'm trying to develop will play the role of the separate application you mentioned, but I can't think of a way to automate all of these processes(1. API call, 2. Get data from DB, convert it to data.json, and create bundle 3. Sign 4. Upload to S3) except to solve it with application logic. I think there's something wrong with me, so may I ask what you think?

And I also considered using OPAL, but decided not to use it!

[ashutosh-narkar]

Ok here's one way to accomplish this:

1. kotlin application communicates with DB, gets data and writes it to a file called data.json (If this was a Go app that would have been perfect but lets leave that for now)
2. Invoke the opa build command from within the code. I haven't worked with Kotlin but there should be a way to do this. (Assumption: opa binary installed on machine/container)
3. Sign the bundle using opa build or opa sign
4. Upload to S3.

All the above steps are happening in the kotlin application so you can run this flow periodically or make it event-based.

Hope this helps. Thanks.

[somsom13]

Thank you so much for your help!

I also thought that I should build and sign as a command within the application server, but that would be the best way for now.

Once again, I would like to thank you.