Hacking on all things OPA

Anders Eknert anderseknert
package p
import future.keywords
global := "foo"
allow if {
a := global
b := [c | c := input[x]] # can't capture x
}
anderseknert / clojureclr.md
Last active January 7, 2023 09:05
ClojureCLR notes

ClojureCLR Notes

Some random notes from using ClojureCLR (.NET Core version) on Mac OS. YMMV, obviously :)

REPL

The REPL provided by Clojure.Main does not support niceties like history, or even using arrow keys to move around while editing. On Linux and Mac, this may be solved by rlwrap, which is also used to enhance the built-in REPL in JVM Clojure (included in the clj script). To create a similar wrapper for Clojure.Main, you can create a cljr script (and place it somewhere on $PATH) as follows:

anderseknert / funcs.json
Created September 22, 2022 12:37
Funcs
{
"funcs": {
"funcs": [
{
"name": "g0.data.policy.is_admin",
"params": [
0,
1
],
"return": 2,
anderseknert / plans.json
Created September 21, 2022 13:30
Plans
{
"plans": {
"plans": [
{
"name": "policy/allow",
"blocks": [
{
"stmts": [
{
"type": "CallStmt",
anderseknert / static.json
Created September 21, 2022 11:05
Static block
{
"static": {
"strings": [{"value": "result"}, {"value": "user"}, {"value": "roles"}, {"value": "admin"}],
"builtin_funcs": [
{
"name": "internal.member_2",
"decl": {
"args": [{"type": "any"}, {"type": "any"}],
"result": {"type": "boolean"},
"type": "function"
anderseknert / policy.rego
Created September 21, 2022 11:02
policy.rego
package policy
import future.keywords.if
import future.keywords.in
allow if is_admin
is_admin if "admin" in input.user.roles
anderseknert / policy.rego
Last active September 7, 2022 15:12
CVE-2022-36085
package policy
# Note the use of the allowed is_object function here
response := is_object({
"method": "GET",
"url": "https://www.openpolicyagent.org"
})
# This would work (and send a HTTP request) even though
# the http.send built-in function had been declared unsafe
anderseknert / cleanup.py
Created June 27, 2022 19:58
Horrendous cleanup script
#!/usr/bin/env python3
import json
import os
import subprocess
import tempfile
import yaml
yaml.SafeDumper.org_represent_str = yaml.SafeDumper.represent_str

deny["S3 Bucket: 'AccessControl' attribute value must be 'Private'"] {
not bucket_is_private
}
bucket_is_private {
input.resource.properties.AccessControl == "Private"
}