Gradle project:

```groovy
implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
implementation group: 'com.github.jferrater', name: 'opa-datafilter-jpa-spring-boot-starter', version: '0.5.1'
```

or Maven:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
    <groupId>com.github.jferrater</groupId>
    <artifactId>opa-datafilter-jpa-spring-boot-starter</artifactId>
    <version>0.5.1</version>
</dependency>
```
- Add the following minimum configuration to the `application.yml` or `application.properties` of the Spring Boot project. Replace the values as necessary. See the Configurations section for more details.
```yaml
opa:
  authorization:
    url: "http://localhost:8181/v1/compile"
    partial-request:
      query: "data.petclinic.authz.allow = true"
      unknowns:
        - "data.pets"
# Spring Data JPA specific configurations
spring:
  datasource:
    driver-class-name: org.mariadb.jdbc.Driver
    url: jdbc:mariadb://localhost:3306/integrationTest
    username: admin
    password: MangaonTaNiny0!
```
- Create a sub-interface of `OpaDataFilterRepository`. This repository is a sub-interface of the Spring Data JPA repository which overrides the `findAll()` method to enforce authorization. The `findAll()` method sends a partial request to the OPA server. The response from OPA, which is a simplified (partially evaluated) version of the policy, is translated into a `TypedQuery` object that Spring Data JPA uses to filter the results. The filtered results are the data the user is allowed to see.
```java
package com.example.opadatafilterdemo.repository;

import com.github.jferrater.opadatafilterjpaspringbootstarter.repository.OpaDataFilterRepository;
import org.springframework.stereotype.Repository;

@Repository
public interface PetRepository extends OpaDataFilterRepository<PetProfileEntity, Long> {
}
```
where the managed entity is:
```java
package com.example.opadatafilterdemo.repository;

import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name = "pets")
public class PetProfileEntity {
    @Id
    private Long id;
    private String name;
    private String owner;
    private String veterinarian;
    private String clinic;
    // getters and setters
}
```
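To make the translation step concrete, here is an added illustration (not the library's own code) of what the starter does between `findAll()` and the database: it posts the partial request from `application.yml` to `/v1/compile`, and OPA's residual policy (`result.queries`, an OR of AND-ed expressions over the unknown `data.pets`) becomes a parameterised JPQL filter over `PetProfileEntity`. The OPA response is constructed for a hypothetical policy that allows a user to see pets they own or treat, the `input.user` field is assumed, and the attribute whitelist is an assumption added here so that only known entity attributes can ever reach the generated query.

```python
# Constructed OPA Compile API (/v1/compile) response for the README's partial request,
# assuming a hypothetical policy that lets a user see pets they own OR pets assigned
# to them as veterinarian. OPA returns the residual policy as result.queries: a list
# of alternatives (OR), each a list of expressions (AND), with unknowns left as refs.
def residual_eq(column, value):
    """One residual expression, data.pets[$0].<column> == value, in OPA's AST shape."""
    return {"index": 0, "terms": [
        {"type": "ref", "value": [{"type": "var", "value": "eq"}]},
        {"type": "ref", "value": [{"type": "var", "value": "data"}, {"type": "string", "value": "pets"},
                                  {"type": "var", "value": "$0"}, {"type": "string", "value": column}]},
        {"type": "string", "value": value}]}

SAMPLE_OPA_RESPONSE = {"result": {"queries": [[residual_eq("owner", "alice")],
                                               [residual_eq("veterinarian", "alice")]]}}
DENY_ALL_RESPONSE = {"result": {}}  # no queries: the policy can never be satisfied

OPERATORS = {"eq": "=", "neq": "<>", "lt": "<", "lte": "<=", "gt": ">", "gte": ">="}
# Only attributes of the managed entity may appear in the generated query; anything
# else in the residual policy is rejected rather than interpolated (assumed whitelist).
PET_COLUMNS = {"id", "name", "owner", "veterinarian", "clinic"}

def partial_request(user):
    """Body posted to /v1/compile; query and unknowns come from application.yml."""
    return {"query": "data.petclinic.authz.allow = true",
            "input": {"user": user}, "unknowns": ["data.pets"]}

def to_jpql(response, alias="p"):
    """Translate the residual policy into a JPQL filter plus bound parameters.
    No queries in the response means OPA could never allow: match nothing."""
    queries = response.get("result", {}).get("queries")
    if not queries:
        return f"SELECT {alias} FROM PetProfileEntity {alias} WHERE 1 = 0", {}
    params, alternatives = {}, []
    for query in queries:
        conjuncts = []
        for expr in query:
            op, *operands = expr["terms"]
            ref = next(t for t in operands if t["type"] == "ref")
            const = next(t for t in operands if t["type"] != "ref")
            column = ref["value"][-1]["value"]
            if column not in PET_COLUMNS:
                raise ValueError(f"unexpected attribute in residual policy: {column}")
            name = f"p{len(params)}"
            params[name] = const["value"]
            conjuncts.append(f"{alias}.{column} {OPERATORS[op['value'][0]['value']]} :{name}")
        # An empty query means the policy allowed unconditionally: no filter needed.
        alternatives.append("(" + " AND ".join(conjuncts) + ")" if conjuncts else "1 = 1")
    where = " OR ".join(alternatives)
    return f"SELECT {alias} FROM PetProfileEntity {alias} WHERE {where}", params
```

The deny-all and unconditional-allow branches are the two edge cases worth checking in any such translator: an absent `queries` must yield no rows, never an unfiltered `findAll()`.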
- Finally, enable the JPA repositories. Note that `repositoryFactoryBeanClass = OpaRepositoryFactoryBean.class` is required in the `@EnableJpaRepositories` annotation.
```java
import com.github.jferrater.opadatafilterjpaspringbootstarter.repository.OpaRepositoryFactoryBean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.config.EnableJpaRepositories;

@Configuration
@EnableJpaRepositories(
        value = "com.example.opadatafilterdemo.repository",
        repositoryFactoryBeanClass = OpaRepositoryFactoryBean.class
)
public class JpaEnvConfig {
}
```
See the example Spring Boot microservice application that uses the library: