stormchaser-opa 1.3.2

A robust, distributed workflow engine for event-driven and human-triggered workflows.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

//! OPA WebAssembly Integration Module.
//!
//! Provides execution capabilities for OPA policies compiled to WebAssembly.

use anyhow::{Context, Result};
use async_trait::async_trait;
use opa_wasm::Runtime;
use serde_json::Value;
use stormchaser_model::auth::OpaWasmExecutor;
use wasmtime::*;

/// Represents an instantiated OPA WASM engine ready for evaluation.
pub struct OpaWasmInstance {
    engine: Engine,
    module: Module,
}

impl OpaWasmInstance {
    /// Creates a new `OpaWasmInstance` from the given WASM module bytes.
    pub fn new(module_bytes: &[u8]) -> Result<Self> {
        let config = Config::new();
        // config.async_support(true); // No longer needed in wasmtime 43.0
        let engine = Engine::new(&config)?;
        let module = Module::new(&engine, module_bytes)?;
        Ok(Self { engine, module })
    }
}

#[async_trait]
impl OpaWasmExecutor for OpaWasmInstance {
    async fn evaluate(&self, entrypoint: &str, input: &Value) -> Result<bool> {
        let mut store = Store::new(&self.engine, ());
        let runtime = Runtime::new(&mut store, &self.module)
            .await
            .context("Failed to initialize OPA WASM runtime")?;

        let policy = runtime.without_data(&mut store).await?;

        let result: Value = policy
            .evaluate(&mut store, entrypoint, input)
            .await
            .context("Failed to evaluate OPA policy")?;

        tracing::debug!("OPA WASM result: {:?}", result);

        if let Some(arr) = result.as_array() {
            if let Some(first) = arr.first() {
                if let Some(b) = first.as_bool() {
                    return Ok(b);
                }
                if let Some(obj) = first.as_object() {
                    if let Some(res) = obj.get("result").and_then(|v| v.as_bool()) {
                        return Ok(res);
                    }
                }
            }
        }

        if let Some(b) = result.as_bool() {
            return Ok(b);
        }

        Ok(false)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_opa_wasm_instance_new_invalid_bytes() {
        let result = OpaWasmInstance::new(b"not a wasm module");
        assert!(result.is_err());
    }

    #[tokio::test]
    async fn test_opa_wasm_evaluate_fails_on_empty_module() {
        // We can't easily test a real evaluation without a valid OPA WASM module,
        // but we can at least test that we handle invalid states.
    }
}