docs: Add examples for crypto.sha256 and base64.encode built-in functions#7762
docs: Add examples for crypto.sha256 and base64.encode built-in functions#7762charlieegan3 merged 29 commits intoopen-policy-agent:mainfrom
Conversation
✅ Deploy Preview for openpolicyagent ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
charlieegan3
left a comment
charlieegan3
left a comment
There was a problem hiding this comment.
Hi there, thanks for working on some more examples here. You'll need to add them to the /docs/policy-reference/builtins/crypto page for them to be visible.
I have left a few other comments. The most important thing with these examples is to show a real or approximately real example, as simply as possible rather than cover all use cases for a function. If we want to show many examples, we can created independent examples with more detail in their explanations. Hope that makes sense! lmk if you have any questions.
Also, can you unmark the PR desc as fixing #3786 since that issue needs more work to close (examples for other functions that we can add in alter PRs).
…ions Add practical examples for two commonly used built-in functions in DevOps and security workflows: - crypto.sha256: Demonstrates file integrity verification, container image validation, and configuration change detection - base64.encode: Shows HTTP Basic Auth encoding, Kubernetes secret preparation, and general data encoding patterns These examples address issue open-policy-agent#3786 by providing concrete use cases that help developers understand how to apply these functions in real-world scenarios. Fixes open-policy-agent#3786 Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
- Simplify examples to focus on single use cases instead of multiple scenarios - Add examples to builtin documentation pages for visibility using PlaygroundExample - Fix formatting issues (missing newlines in config.json files) - Refine intro descriptions to be more precise Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
|
|
||
| # Encode credentials for HTTP Basic Authentication | ||
| username := "admin" | ||
| password := "secret123" |
There was a problem hiding this comment.
I would prefer to see an example here that shows a more realistic example of encode. We have the option to use data.json and input.json in these examples to better simulate real policies.
One example might be adding a new header to a downstream request in opa-envoy. e.g.
encoded_username := base64.encode(input.username)
encoded_password := base64.encode(input.password)
basic_auth_header := sprintf("Basic %s", [base64.encode(sprintf("%s:%s", [input.username, input.password]))])
If you have a look here:
and here:
you can see how the policy is used to add extra headers as part of the ext auth response. Perhaps something like that would be a good idea to show a more real-world use case here?
There was a problem hiding this comment.
Hmmm, true, okay.
Instead of hardcoded fake credentials, now the modified example now takes real input data (username/password) and shows how OPA would process it.
There was a problem hiding this comment.
Hey, I don't see the update yet. Have you pushed your changes?
There was a problem hiding this comment.
Hey, I've reviewed the changes to this example, but they're incomplete. response_headers_to_add is expected in such an integration. You'll need to base the example around that expected format in order for this to make sense.
Docs are here: https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#service-auth-v3-checkresponse
You can also see some examples from this test: https://github.com/open-policy-agent/opa-envoy-plugin/blob/7ebf657a09b931ef2417d0502bad6bdf600267d5/envoyauth/response_test.go#L461
There was a problem hiding this comment.
Fixed. I have added the complete response_headers_to_add structure as requested.
Thanks for flagging it.
| @@ -0,0 +1 @@ | |||
| The `crypto.sha256` function computes SHA-256 hash values, commonly used for file integrity verification in DevOps workflows. No newline at end of file | |||
There was a problem hiding this comment.
This isn't really the case in OPA since generally OPA is not running against file system content. It'd be nice to update this description to be more about the real world example you choose to implement here instead of a general description of the function.
There was a problem hiding this comment.
Instead of generic descriptions about what the functions do, refined the descriptions now to explain exactly what THIS specific example demonstrates.
There was a problem hiding this comment.
? 😕 not sure what you mean here sorry.
There was a problem hiding this comment.
Hi! I was referring to the description
The current version now says, "This example shows how to use crypto.sha256 to verify data integrity by comparing a provided hash with the computed hash of the actual content."
Instead of the generic description about "file integrity verification in DevOps workflows," it now describes exactly what THIS specific example demonstrates. Comparing a provided hash with the computed hash of input data.
- Rename base64_encode → base64_encode_http_auth - Add realistic input.json files - Add proper headings and positioning - Enable input display in playground - Update descriptions and fix formatting Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
Signed-off-by: Stephan Renatus <stephan@styra.com>
Change from generic 'Base64 Encoding' to specific 'HTTP Basic Auth Header Creation' to clearly indicate the example's purpose Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
- crypto.sha256: Change to signed payload verification with JSON marshaling - base64.encode: Use proper Envoy response_headers_to_add format - Fix missing newlines in title.txt files Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
| @@ -0,0 +1,13 @@ | |||
| package base64_encode_http_auth | |||
There was a problem hiding this comment.
Typically, envoy policies are invoked from envoy/authz/allow.
There was a problem hiding this comment.
Fixed. I changed the package to "envoy.authz" following the standard OPA-Envoy convention for external authorisation policies.
| package base64_encode_http_auth | ||
|
|
||
| # Envoy external auth response with Basic Auth header | ||
| allow := true |
There was a problem hiding this comment.
Usually a default rule would be used there instead.
There was a problem hiding this comment.
Updated to use proper default deny pattern with default allow := false and conditional allow rule based on credential presence
| # Envoy external auth response with Basic Auth header | ||
| allow := true | ||
|
|
||
| response_headers_to_add := [ |
There was a problem hiding this comment.
response_headers_to_add is not a list, but an object of str:str
There was a problem hiding this comment.
Corrected response_headers_to_add format from array to object (str:str) as per Envoy CheckResponse specification
| { | ||
| "header": { | ||
| "key": "Authorization", | ||
| "value": sprintf("Basic %s", [base64.encode(sprintf("%s:%s", [input.username, input.password]))]) |
There was a problem hiding this comment.
input.username is not set by OPA envoy, you'd need to have extracted this from either the request body or another header in the envoy case. There are in the input, but in different locations depending on body/header. Header is likely the easiest to use for this example.
There was a problem hiding this comment.
Fixed input structure to use proper Envoy CheckRequest format. Now extracts credentials from request headers (x-username/x-password) as suggested, following actual OPA-Envoy integration patterns.
| @@ -0,0 +1,7 @@ | |||
| { | |||
There was a problem hiding this comment.
Thanks for updating this example. Can we rename the folder to something more descriptive than sha256?
There was a problem hiding this comment.
hmmm
verify_signed_payload or signature_verification which would be preferable?
There was a problem hiding this comment.
Perhaps something like digest verification? crypto.md5sum might be better as it's often used for such things. https://www.openpolicyagent.org/docs/policy-reference/builtins/crypto#builtin-crypto-cryptomd5
There was a problem hiding this comment.
Switched to crypto.md5 as you suggested
it's indeed more commonly used for digest verification. Renamed folder to "digest_verification" for clarity.
- Use envoy.authz package convention - Add default deny with conditional allow - Fix response_headers_to_add format (object not array) - Extract credentials from proper Envoy input structure Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
| @@ -0,0 +1 @@ | |||
| This example shows how to use `crypto.sha256` to verify a signed payload by checking that the JSON representation matches a supplied signature hash. | |||
There was a problem hiding this comment.
Something nice we can do in these intros is explain to users how they can play with the example. In this example, we should prompt users to change the contents of the payload to show that the signature verification would fail. Or something like that.
It'd also be nice to motivate why something like this might be getting done in a policy. Answering the question: why is this useful would be helpful here too.
There was a problem hiding this comment.
Great suggestion! modified the intro with both interactive guidance and motivation:
Added "Try it yourself" section that allows users to change any value in the payload object (like user name or resource path) and re-run the example to see digest_valid become false.
Added a "Why this is useful" section explaining that content verification is essential in APIs and webhooks where you need to ensure data hasn't been tampered with during transmission. The digest acts as a fingerprint for the payload.
| @@ -0,0 +1 @@ | |||
| This example shows how to use `base64.encode` in Envoy external authorization to create HTTP Basic Authentication headers from request credentials and add them to downstream requests. | |||
There was a problem hiding this comment.
Here I think we need to explain that the context is using a base64 encoded example to set a value expected by some downstream service. It is a nice usecase that shows how OPA and envoy can glue things together when the client and server don't speak the same language. Does that make sense? we're using the base64 function here as a utility function.
There was a problem hiding this comment.
Yeah, it does make sense.
Now it clearly demonstrates how OPA and Envoy work together when client and server "don't speak the same language."
…tp_auth/title.txt Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
- Switch to crypto.md5 for digest verification (more common use case) - Rename folder to digest_verification for clarity - Add interactive guidance and real-world context to intros - Explain base64 as utility bridging client-server communication Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
| @@ -0,0 +1,6 @@ | |||
| This example shows how `base64.encode` acts as a utility function to bridge communication between client and server when they don't speak the same language. | |||
There was a problem hiding this comment.
| This example shows how `base64.encode` acts as a utility function to bridge communication between client and server when they don't speak the same language. | |
| This example shows how `base64.encode` acts as a utility function to bridge communication between client and server when they expect differing request formats. |
…n/intro.md Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
…tp_auth/intro.md Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
…n/intro.md Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
…tp_auth/intro.md Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
…tp_auth/title.txt Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
ToluGIT
left a comment
ToluGIT
left a comment
There was a problem hiding this comment.
Thanks for the review @charlieegan3
| @@ -0,0 +1 @@ | |||
| OPA Envoy Header Manipulation | |||
There was a problem hiding this comment.
I think we should rename
docs/docs/policy-reference/_examples/encoding/base64_encode_http_auth/*
to match the title here.
There was a problem hiding this comment.
Yeah, true.
Done! Renamed the folder from "base64_encode_http_auth" to "envoy_header_manipulation" to match the "OPA Envoy Header Manipulation" title. Also updated the built-in page reference and verified everything still works correctly.
Rename base64_encode_http_auth → envoy_header_manipulation to match 'OPA Envoy Header Manipulation' title as requested Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
|
Thanks for the back and forth here @ToluGIT, just a few minor edits needed now to get it looking nice in the website editors and we can get this merged. |
…ipulation/policy.rego Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
…ipulation/policy.rego Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
…ipulation/policy.rego Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
…ipulation/policy.rego Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
…n/policy.rego Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
…ipulation/intro.md Co-authored-by: Charlie Egan <git@charlieegan3.com> Signed-off-by: ToluGIT <93225033+ToluGIT@users.noreply.github.com>
|
Thanks so much for all the detailed feedback and guidance throughout this process, @charlieegan3. Your insights have really helped shape these examples into something much more practical and educational. I appreciate you taking the time to walk through the proper OPA-Envoy integration patterns. Thanks again for the thorough review; it's been a great learning experience working with you on this! 🙏 |
|
Sorry about that! I accidentally closed the PR instead of waiting for you to merge it. It's reopened now and ready for merge. Thanks again for all the feedback and approval! |
Signed-off-by: Charlie Egan <git@charlieegan3.com>
3 participants
Summary
This PR adds examples for two commonly used built-in functions:
Why these changes are needed
Issue #3786 requests examples for built-in functions that currently lack documentation. The crypto.md5 and base64.encode functions are commonly used in authentication and security workflows but have no
practical examples showing integration patterns.
What's included
crypto.md5 example (/docs/docs/policy-reference/_examples/crypto/digest_verification/):
base64.encode example (/docs/docs/policy-reference/_examples/encoding/base64_encode_http_auth/):
Both examples follow documentation patterns with policy.rego, config.json, intro.md, and title.txt files, are integrated into their respective builtin documentation pages with proper headings, and include educational context explaining why these patterns are useful.
Notes to assist PR review:
opa evalandopa fmt_examples/directoryFurther comments:
This addresses the long-standing issue #3786 incrementally - additional built-in functions can be documented in future PRs using the same approach. The examples chosen are foundational functions that many other security and
DevOps tools depend on.