This library is intended to make writing Rego (OPA) rules more easy when working with GraphQL. It will parse the document into AST using the Rego GraphQL builtins. It also expects a schema (in a single text field) to be located at data.schema.gql, this is used to change the references into types in order to make better rules.
This sample relies on OPA builtins that were added in v0.41.0, if using older versions of OPA, use the pre-builtin branch.
- The schema should to be stored in OPA at data.schema.gql
- If the schema is in a different location then instead of using imports for the library use can use rules like the following to override
query_types := qt { qt := data.global.graphql.util.query_types with data.schema.gql as data.myschema.myproperty } ...
- A helpful sed command that will strip comments and remove newlines (this may not be a fully JSONified, so use at your own risk)
sed -e ':a' -e 'N' -e '$!ba' -e 's/\n//g' -e 's/"[^"]*"//g' <schema file>
- The GraphQL query document needs to be in one of the following locations (if not use the same trick that was shown above)
- input.parsed_body.query
- input.attributes.request.http.body
- input.parsed_query.query
- query_types/mutation_types
- These rules take the references from the query/mutation document and translate them to their type. So if you want to make a rule about a property called name on a type called Character you would do something like
query_types["Character"]["name"]
- These rules take the references from the query/mutation document and translate them to their type. So if you want to make a rule about a property called name on a type called Character you would do something like
- query_fields/mutation_fields
- These are rules that work off of the references in the document (normally less useful). To make a rule about a property called name on a reference name hero you would do something like
query_fields["hero"]["name"]
- These are rules that work off of the references in the document (normally less useful). To make a rule about a property called name on a reference name hero you would do something like
- query_arguments/mutation_arguments
- These are rules that you can use to check the equality of an argument. This is currently working off the references not the types. Using it would look something like
query_arguments["hero"]["episode"] == "JEDI"
- These are rules that you can use to check the equality of an argument. This is currently working off the references not the types. Using it would look something like
import data.global.graphql.util.query_types
import data.global.graphql.util.query_fields
import data.global.graphql.util.query_arguments
allow {
not restricted_field
not restricted_row
}
restricted_field {
not in_group(["admin"])
query_types["Character"]["id"]
}
restricted_field {
not in_group(["admin", "manager"])
query_fields["friends"]["name"]
}
restricted_row {
not in_group(["admin"])
query_arguments["hero"]["episode"] == "JEDI"
}