opactl
opactl executes your own Rego (OPA) policy as a CLI command.
This is how it works. You define a rule in an OPA policy, for example rule1. Then opactl detects your rule and turns it into a subcommand such as opactl rule1.
Options are supported for various usages. You can also prepare a configuration file in advance, which opactl then reads.
Prerequisite
- The opa CLI is used in opactl. You can install opa following Running OPA.
Execute a rule as subcommand
When you define a rule filter as follows,
package opactl

# pick up only the lines whose first word equals the parameter `mod`
filter = { line |
    # load each line of stdin
    line := input.stdin[_]
    # split the line into words
    texts := split(line, " ")
    # check that the first word equals the parameter `mod`
    texts[0] == input.mod
}
you can run a subcommand opactl filter like this.
# Run subcommand filter with using stdin (-i) and parameter (mod=...)
ls -l | opactl -i filter -p mod="-rwxr-xr-x"
[
"-rwxr-xr-x 1 hiroyukosaki staff 8055840 May 12 01:04 opactl"
]
Installation
Build from source
go build
sudo cp opactl /usr/local/bin/
Enable shell completion
# bash
source <(opactl completion bash)
# zsh
opactl completion zsh > /usr/local/share/zsh/site-functions/_opactl
opactl autocompletes the subcommands.
opactl <tab>
hierarchy visibility ..(as many rules as you define)
Options
Flags:
  -a, --all                 Show all commands
  -b, --base string         OPA base path which will be evaluated (default "data.opactl")
      --config string       config file (default is $HOME/.opactl.yaml)
  -d, --directory strings   directories
  -h, --help                help for opactl
  -i, --input               Accept stdin as input.stdin
  -p, --parameter strings   parameter (key=value)
  -q, --query string        Input your own query script (example: { rtn | rtn := 1 }
  -v, --verbose             Toggle verbose mode on/off
Usage example:
opactl -a
# all rules should be listed.
[
"filter",
"hierarchy",
"visibility"
]
Configuration
You can create an .opactl configuration file. When you run the opactl command in the same directory, opactl loads the configuration and sets the options.
Each field in .opactl is connected to one option. For example, the parameter field is read as the --parameter option.
directory:
- examples
base: data.opactl
parameter:
- item=1
Define your rule
- Rules – Policy Language (Open Policy Agent)
- Rules are virtual documents in OPA. Rules allow users to generate objects, sets, arrays, functions and so on.
# object
get_test_object = {
    "test": "test"
}

get_first_line = rtn {
    rtn := input.stdin[0]
} else = {}
# Defining a default return value is strongly recommended.

# set (a kind of list; elements are unique and unordered)
select_unique_lines[rtn] {
    rtn := input.stdin[_]
}

# array (a kind of list; elements are not necessarily unique and the order is preserved)
lines = [rtn |
    rtn := input.stdin[_]
]
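
An added example (not from the opactl repository) of a rule written for this workflow: a set rule that audits `ls -l` output for world-writable and setuid/setgid entries. The names `risky_modes`, `entry`, `world_writable` and `special_bits`, and the invocation in the comment, are assumptions; the syntax follows the pre-1.0 Rego style used on this page.

```rego
package opactl

# Added example, not part of the opactl repository.
# Assumed invocation, following the pattern shown on this page:
#   ls -l | opactl -i risky_modes

# Parse one `ls -l` line. Lines without a leading mode string
# (such as "total 8") leave the function undefined and are skipped.
entry(line) = e {
    regex.match(`^[-dlbcps][-rwxsStT]{9}`, line)
    words := split(line, " ")
    # The name is the last word, so names containing spaces are truncated.
    e := {"mode": substring(line, 0, 10), "name": words[count(words) - 1]}
}

# "Other" write bit set, excluding symlinks and sticky-bit entries
# (a sticky world-writable directory is the usual /tmp layout).
world_writable(mode) {
    substring(mode, 8, 1) == "w"
    substring(mode, 0, 1) != "l"
    lower(substring(mode, 9, 1)) != "t"
}

# Offset of the execute slot where s/S marks setuid or setgid.
special_bits = {"setuid": 3, "setgid": 6}

# Finding: world-writable entry.
risky_modes[finding] {
    e := entry(input.stdin[_])
    world_writable(e.mode)
    finding := {"issue": "world-writable", "mode": e.mode, "name": e.name}
}

# Finding: setuid or setgid entry (one finding per bit that is set).
risky_modes[finding] {
    e := entry(input.stdin[_])
    lower(substring(e.mode, special_bits[issue], 1)) == "s"
    finding := {"issue": issue, "mode": e.mode, "name": e.name}
}
```

Because `risky_modes` is a set rule, it evaluates to an empty set rather than undefined when nothing matches, so no default value is needed.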