I am using a similar rule to this:

allow {
    http_request.method == "POST"
    allowed_paths[http_request.path]
    net.cidr_contains("XX.YYY.ZZZ.160/29-XX.YYY.ZZZ.32/29",source_address.Address.SocketAddress.address)
}

And I have two questions:

  1. Is this the right way to filter by the IP address of the client which makes the request?
  2. Is there some way to simulate the request from one of these IPs and test it?
  • Can you post the full file you're using? As-is, it's difficult to guess where some of these variables come from/how they're formatted. If it's too long, feel free to link to https://play.openpolicyagent.org/ – Will Beason May 12 '21 at 16:51

1 Answer

Yes, net.cidr_contains is the right way to go if you know the specific blocks approved requests will originate from.

I assume your Rego looks something like this:

package validate

# Envoy ext_authz input: the HTTP request and the client's socket address
import input.attributes.request.http as http_request
import input.attributes.source.address as source_address

# Paths that may be POSTed to
allowed_paths = {
  "/foo",
  "/bar"
}

allow {
    http_request.method == "POST"
    allowed_paths[http_request.path]
    # Client address must fall inside the approved block
    net.cidr_contains("127.0.0.1/24", source_address.Address.SocketAddress.address)
}

There are a few ways to test.

Manually, you can use the Rego Playground which allows you to hand write requests and test them. This isn't a good automated solution, but will work for spot/sanity-checking.

For CI or pre-commit checks, you can use the opa CLI to do unit testing. The Gatekeeper Library repository provides excellent examples of how to do this. A test might look something like:

package validate

test_input_allowed_request {
    # Constructed request: allowed method and path from an address inside 127.0.0.1/24.
    # `input` is a reserved name in Rego and cannot be assigned to, so bind the document to another variable.
    req := {"attributes": {"request": {"http": {"method": "POST", "path": "/foo"}}, "source": {"address": {"Address": {"SocketAddress": {"address": "127.0.0.64/26"}}}}}}
    # `allow` is a boolean rule; the test passes when it evaluates to true for this input
    allow with input as req
}
Will Beason
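The question's two /29 blocks cannot be expressed as a single CIDR string, since net.cidr_contains takes one CIDR at a time. As an added example (not the asker's or answerer's code, using the newer `import rego.v1` syntax and the constructed 192.0.2.0/24 documentation range in place of the asker's XX.YYY.ZZZ addresses), the policy below holds each approved block in a set, checks the client address against every entry, and carries its own allow and deny tests for `opa test`:

```rego
package validate

import rego.v1

import input.attributes.request.http as http_request
import input.attributes.source.address as source_address

allowed_paths := {"/foo", "/bar"}

# One entry per approved block; constructed placeholders for the asker's two /29s.
allowed_cidrs := {"192.0.2.160/29", "192.0.2.32/29"}

default allow := false

allow if {
	http_request.method == "POST"
	allowed_paths[http_request.path]
	source_allowed
}

# True when the client address lies inside any approved block.
source_allowed if {
	some cidr in allowed_cidrs
	net.cidr_contains(cidr, source_address.Address.SocketAddress.address)
}

# Helper that builds a constructed ext_authz-shaped input document for the tests.
request(method, path, addr) := {"attributes": {
	"request": {"http": {"method": method, "path": path}},
	"source": {"address": {"Address": {"SocketAddress": {"address": addr}}}},
}}

test_allowed_in_first_block if {
	allow with input as request("POST", "/foo", "192.0.2.163")
}

test_allowed_in_second_block if {
	allow with input as request("POST", "/bar", "192.0.2.37")
}

test_denied_address_between_blocks if {
	not allow with input as request("POST", "/foo", "192.0.2.100")
}

test_denied_wrong_method if {
	not allow with input as request("GET", "/foo", "192.0.2.163")
}
```

Save it as validate.rego and run `opa test validate.rego`; the deny cases matter as much as the allow case, because a policy whose only test is the happy path will still pass if the CIDR check is accidentally dropped.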