I would like to have a policy where the decision has to be made by querying a field against a system of record which doesnot have a http api. Is there a way for a policy to call an external program and use its return code to decide whether to allow/deny?
Looking at https://www.openpolicyagent.org/docs/latest/policy-reference/#built-in-functions, I am not finding a function to use. Is there a function I am missing?
OPA does not provide a way to directly call external programs in the policy evaluation.
There are maybe a few things I'd recommend considering:
Call the external program before doing an evaluation with OPA that requires the data, and provide the result from the program as part of the input.
Implement a custom builtin function. Check out https://www.openpolicyagent.org/docs/latest/extensions/ for a couple of options
(depending on how you are integrating OPA).
You could implement a lightweight HTTP service which wraps making the call to the external program (eg simple python or golang app that exec's the other program and returns the data for use by the http.send builtin)
Related
What is the best way (considering both security and template re-use) to provide secrets like a host/port and external service username/password when the consumer doesn't expect or support a ValueProvider? By consumer I mean what is typically an IO class, such as MongoDbIO, ElasticsearchIO, etc.
I've already seen and successfully used this method: https://henrysuryawirawan.com/posts/dataflow-secret-manager/ but in that example, and some apache-provided IOs, the IO accepts the parameters in a ValueProvider. The apache ElasticsearchIO does not, neither does the MongoDbIO. The RedisIO does (via the RedisConnectionConfiguration). SpannerIO does.
So if the IO we want to use does not, is providing the config statically at template compile time the only option, and how is this typically done? Providing them dynamically seems safer security-wise, especially through something like Secret Manager.
Yes, SecretManager / KMS are likely the best ways to deal here. But unfortunately, your options are limited if ValueProviders are not allowed.
You may use Flex Templates to work around the need of ValueProviders.
We have a probably useful example in DataflowTemplates: KMSUtils.java, which expands options using KMS during runtime.
There does not appear to be any method in the Python client API for Google's storage transfer service that checks the status of an ongoing transfer operation. There is get_transfer_job, which shows the status of a transfer job itself (and gives the latest operation name). But I can't find any way of getting the status of an actual operation, which is critical.
I know other languages' client APIs (including at least Go and node.js) have this functionality. It may be possible to use a naked REST API request, but we're running into authentication issues. Is there any other way that I'm missing? Any way to call the TransferOperation type directly (such as client.TransferOperation(<transfer_operation_name>)?
There is method available for the same which you can use in the following manner.
GetTransferJobRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)
Reference Link - Class GetTransferJobRequest
I'm making an application that can pass form from a web page to a Google spreadsheet. I've found a two basic ways how to do that:
1) I submit a form on a web page and then I process an event via doPost(e) -> JSON.stringify(e). (This is in "code.gs".)
or
2) I make a function i.e. "writeToCellA1()" and call it as follows google.script.run.writeToCellA1(someData). (This is in "index.html")
The question is: Is there some background of those two possible ways of writing data to Google spradsheet that suggests that one of them is superior? Safer, more raliable, more promising future functions developement etc....
If you use doPost, you have to determine what actual function to call by inspecting the payload, since all input from the client is going to this single entry point. All function parameters have to be object-based (i.e. named). Unless you use asynchronous methods to connect, you will block your client code. Further, any response you receive will be either ContentService or HtmlService.
If you use the google.script.run pattern, your calls can be directed to a specific server function, you can easily specify function parameters in traditional manners (i.e. both positional and object-based), your calls are guaranteed to be asynchronous, and you can return most serializable data types directly.
There is additionally an access argument - doPost is available to any sufficiently authorized client, perhaps even anonymous, per the settings of your published web app. This could be external code that you or others write, e.g. a php script. Calls made via google.script.run are only available from a page served by HtmlService (you can use the Apps Script API to target individual functions from external code). Note that you are not required to publish as a webapp to use google.script.run - i.e. you can use these in sidebars and modal dialogs, too.
There is also the manner of error / response handling. If you want to add success and failure callbacks for these calls to doPost, you will need to do more work than if you want to do the same for calls with google.script.run - the latter supports easily adding these with two methods, withSuccessHandler and withFailureHandler.
Regardless, you should review the official documentation for these topics:
doPost
web apps
Client-server communication
I have spent my afternoon getting very excited about the container-native serverless platform 'fn project' - http://fnproject.io/.
I love the idea of the FaaS model but have no intention of locking myself into a particular cloud vendor for most of the lifetime of an app - and several other reasons including the desire to spin up the entire app on a small server anywhere if I choose.
fn project seems great for my needs until I finish perusing the documentation and all the relevant blog posts and suddenly think 'what? Wait....what??? Where are the http operations?'.
I cannot find a single reference anywhere that states if it is even possible to to have http triggers for different http operations (ie POST, PUT, PATCH, DELETE), let alone how I would do it.
I want to build REST api's (or certainly at the very least json-serving http-based RPC apis - if it doesn't have hypermedia links it isn't REST ;) but let's not get into that one in this thread)
Am I missing something here (certainly the correct bit of documentation)??
Can anybody please enlighten me as to how I would do this, or even tell me if I have totally misunderstood what I should use this for?
My excitement has gone soft for now but I'm hoping someone that will change with the right information.
It feels odd that I can't find anyone else complaining about this, so I think that indicates my misunderstanding perhaps.
Other solutions such as OpenFaaS look interesting but I dont wan't to have to learn how to deploy kubernetes and docker swarms if I can avoid it :)
I'm not an expert, but as of now it seems not possible to specify the http method inside the trigger. Check latest trigger spec : as you can see, there is no notion of http method here.
However, handling different HTTP methods can be done inside the function itself.
For example, in Java (with fdk-java v1.0.80), you can use com.fnproject.fn.api.httpgateway.HTTPGatewayContext as the first parameter of the function, as described in the section "Accessing HTTP Information From Functions" of the documentation :
In Fn for Java, when your function is being served by an HTTP trigger (or another compatible HTTP gateway) you can get access to both the incoming request headers for your function by adding a 'com.fnproject.fn.api.httpgateway.HTTPGatewayContext' parameter to your function's parameters.
Using this allows you to :
...
Access the method and request URL for the trigger
...
You can then retrieve the HTTP method by calling getMethod() on the HTTPGatewayContext passed as parameter.
In other languages (with others fdk), it's possible to do the same :
in Go : example calling RequestMethod() on context
in Ruby : class HTTPContext
in Python : class HTTPGatewayContext
in Node : class HTTPGatewayContext
From this different contexts, you'll then be able to get method parameter passed when fn invoke --method=[GET|POST|...] (via fn-http-method header).
The main drawback here is that all HTTP methods should be handled in the same function. Nonetheless, you can structure your code to have only one class per method.
After some further thought it seems fairly clear now what my actual misunderstanding was....
When I have built Serverless framework services in the past (or built and deployed Lambda functions using terraform) I have been deploying to AWS and so have been using AWS's API Gateway offering (their product is actually called API gateway but its important to recognise that API Gateway is a distributed systems / micro-sevices design pattern).
API gateway makes it possible to route specific http request types including the method (GET,POST,PUT,DELETE) to the desired functions.
Platforms such as Fn project and OpenFaaS do not provide an out of the box api gateway solution and it seems we would need to take care of this ourselves.
These above mentioned platforms are about deployment of functions. We find the other bits via our product of choice.
Is there an API call to check if the current user has write access to the registry?
We have an older program which sadly stores several critical values in HKLM that must be updated when the application starts and ends (there is a service which picks these up).
Elevating the user is not an option and running as admin is also not an option.
We just need to check if we can write (and no, writing a key and catching the exception is not what im looking for).
The Win32 API function that you ask for is AccessCheck. However, it's not the easiest function to use.
The commonly accepted way to do what you are attempting is to write the value without performing any checks beforehand. If the write fails with ERROR_ACCESS_DENIED, then you don't have rights. It's better to ask forgiveness than permission, certainly when it comes to Windows security!