}

Open Policy Agent (OPA) is an open source tool used to define and enforce policies.

Policies are written in a high-level, declarative language called Rego. Coder’s RBAC rules are defined in the[`policy.rego`](policy.rego) file.

When OPA evaluates policies, it binds input data to a global variable called`input`.

In the`rbac` package, this structured data is defined as JSON and contains the subject, action, and object (see`regoInputValue` in[astvalue.go](astvalue.go)).

OPA evaluates whether the subject is allowed to perform the action on the object across three levels: site, org, and user.

This is determined by the final rule`allow`, defined in[`policy.rego`](policy.rego), which aggregates the results of multiple rules to decide if the user has the necessary permissions.

Similarly to the input, OPA produces structured output data, which includes the`allow` variable as part of the evaluation result.

Authorization succeeds only if`allow` explicitly evaluates to`true`. If no`allow` is returned, it is considered unauthorized.

To learn more about OPA and Rego, seehttps://www.openpolicyagent.org/docs.

-[`rbac/authz.go`](authz.go) – Application layer integration: provides the core authorization logic that integrates with Rego for policy evaluation.

-[`database/dbauthz/dbauthz.go`](../database/dbauthz/dbauthz.go) – Database layer integration: wraps the database layer with authorization checks to enforce access control.

There are two types of evaluation in OPA:

-**Full evaluation**: Produces a decision that can be enforced.

This is the default evaluation mode, where OPA evaluates the policy using`input` data that contains all known values and returns output data with the`allow` variable.

-**Partial evaluation**: Produces a new policy that can be evaluated later when the_unknowns_ become_known_.

This is an optimization in OPA where it evaluates as much of the policy as possible without resolving expressions that depend on_unknown_ values from the`input`.

To learn more about partial evaluation, see this[OPA blog post](https://blog.openpolicyagent.org/partial-evaluation-162750eaf422).

Application of Full and Partial evaluation in`rbac` package:

-**Full Evaluation** is handled by the`RegoAuthorizer.Authorize()` method in`authz.go`.

This method determines whether a subject (user) can perform a specific action on an object.

It performs a full evaluation of the Rego policy, which returns the`allow` variable to decide whether access is granted or denied (`true` or`false`, respectively).

-**Partial Evaluation** is handled by the`RegoAuthorizer.Prepare()` method in`authz.go`.

This method compiles Rego’s partial evaluation queries into`SQL WHERE` clauses.

These clauses are then used to enforce authorization directly in database queries, rather than in application code.

Authorization Patterns:

- Fetch-then-authorize: an object is first retrieved from the database, and a single authorization check is performed using full evaluation via`Authorize()`.

- Authorize-while-fetching: Partial evaluation via`Prepare()` is used to inject SQL filters directly into queries, allowing efficient authorization of many objects of the same type.

`dbauthz` methods that enforce authorization directly in the SQL query are prefixed with`Authorized`, for example,`GetAuthorizedWorkspaces`.

You can test outside of golang by using the`opa` cli.

- OPA Playground:https://play.openpolicyagent.org/

- OPA CLI (`opa eval`): useful for experimenting with different inputs and understanding how the policy behaves under various conditions.

`opa eval` returns the constraints that must be satisfied for a rule to evaluate to true.

**Evaluation**

opaeval --format=pretty"data.authz.allow" -d policy.rego -i input.json

**Partial Evaluation**

This command fully evaluates the policy in the`policy.rego` file using the input data from`input.json`, and returns the result of the`allow` variable:

-`data.authz.allow` accesses the`allow` rule within the`authz` package.

-`data.authz` on its own would return the entire output object of the package.

This command answers the question: “Is the user allowed?”

opaeval --partial --format=pretty'data.authz.allow' -d policy.rego --unknowns input.object.owner --unknowns input.object.org_owner --unknowns input.object.acl_user_list --unknowns input.object.acl_group_list -i input.json

This command performs a partial evaluation of the policy, specifying a set of unknown input parameters.

The result is a set of partial queries that can be converted into`SQL WHERE` clauses and injected into SQL queries.

This command answers the question: “What conditions must be met for the user to be allowed?”

Benchmark tests to evaluate the performance of full and partial evaluation can be found in`authz_test.go`.

You can run these tests with the`-bench` flag, for example:

gotest -bench=BenchmarkRBACFilter -run=^$

To capture memory and CPU profiles, use the following flags:

The script[`benchmark_authz.sh`](./scripts/benchmark_authz.sh) runs the authz benchmark tests on the current Git branch or compares benchmark results between two branches using[`benchstat`](https://pkg.go.dev/golang.org/x/perf/cmd/benchstat).

`benchstat` compares the performance of a baseline benchmark against a new benchmark result and highlights any statistically significant differences.

- To run benchmark on the current branch:

benchmark_authz.sh --single

```

- To compare benchmarks between 2 branches:

funcBenchmarkRBACAuthorize(b*testing.B) {

benchCases,user,orgs:=benchmarkUserCases()

users:=append([]uuid.UUID{},

funcBenchmarkRBACAuthorizeGroups(b*testing.B) {

benchCases,user,orgs:=benchmarkUserCases()

users:=append([]uuid.UUID{},

funcBenchmarkRBACFilter(b*testing.B) {

benchCases,user,orgs:=benchmarkUserCases()

users:=append([]uuid.UUID{},

bool_flip(b):=flipped if{

bool_flip(b):=false if{

b

flipped=false

}

bool_flip(b):=flipped if{

bool_flip(b):=true if{

notb

flipped=true

}

number(set):= c if{

count(set)==0

c:=0

}

number(set):= c if{

number(set):=-1 if{

false inset

c:=-1

}

number(set):= c if{

number(set):=0 if{

count(set)==0

}

number(set):=1 if{

notfalse inset

set[_]

c:=1

}

defaultsite:=0

defaultsite:=0

site:=site_allow(input.subject.roles)

defaultscope_site:=0

scope_site:=site_allow([input.subject.scope])

site_allow(roles):= num if{

allow:= {x|

allow:= {is_allowed|

perm:= roles[_].site[_]

perm.action in[input.action,"*"]

perm.resource_type in[input.object.type,"*"]

x:=bool_flip(perm.negate)

is_allowed:=bool_flip(perm.negate)

}

num:=number(allow)

}

org_members:= {orgID|

input.subject.roles[_].org[orgID]

}

defaultorg:=0

org:=org_allow(input.subject.roles)

defaultscope_org:=0

scope_org:=org_allow([input.scope])

org_allow_set(roles):= allow_set if{

allow_set:= {id: num|

id:= org_members[_]

set:= {x|

set:= {is_allowed|

perm:= roles[_].org[id][_]

perm.action in[input.action,"*"]

perm.resource_type in[input.object.type,"*"]

x:=bool_flip(perm.negate)

is_allowed:=bool_flip(perm.negate)

}

num:=number(set)

}

notinput.object.any_org

}

defaultuser:=0

user:=user_allow(input.subject.roles)

defaultuser_scope:=0

defaultscope_user:=0

scope_user:=user_allow([input.scope])

user_allow(roles):= num if{

input.object.owner!=""

input.subject.id= input.object.owner

allow:= {x|

allow:= {is_allowed|

perm:= roles[_].user[_]

perm.action in[input.action,"*"]

perm.resource_type in[input.object.type,"*"]

x:=bool_flip(perm.negate)

is_allowed:=bool_flip(perm.negate)

}

num:=number(allow)

}

input.object.id ininput.subject.scope.allow_list

}

role_allow if{

site=1

user=1

}

scope_allow if{

scope_allow_list

scope_site=1

scope_user=1

}

acl_allow if{

[input.action,"*"][_] inperms

}

allow if{

role_allow

scope_allow