Skip to content

Commit

Permalink
Revert "Fix some leaks in opa policies (#1624)" (#1678)
Browse files Browse the repository at this point in the history
* Revert "Fix some leaks in opa policies (#1624)"

This reverts commit c2a3414.

Signed-off-by: NikitaSkrynnik <nikita.skrynnik@xored.com>

* fix inter issues

Signed-off-by: NikitaSkrynnik <nikita.skrynnik@xored.com>

---------

Signed-off-by: NikitaSkrynnik <nikita.skrynnik@xored.com>
  • Loading branch information
NikitaSkrynnik authored and denis-tingaikin committed Oct 17, 2024
1 parent 1f880a5 commit bbfe77c
Showing 1 changed file with 31 additions and 19 deletions.
50 changes: 31 additions & 19 deletions pkg/tools/opa/policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,10 @@ package opa

import (
"context"
"fmt"
"os"
"path/filepath"
"strings"
"sync"

"github.com/open-policy-agent/opa/rego"
"github.com/pkg/errors"
Expand Down Expand Up @@ -77,12 +77,15 @@ func WithNamedPolicyFromSource(name, source, query string, checkQuery CheckQuery

// AuthorizationPolicy checks that passed tokens are valid
type AuthorizationPolicy struct {
initErr error
name string
policyFilePath string
policySource string
pkg string
query string
evalQuery *rego.PreparedEvalQuery
checker CheckAccessFunc
once sync.Once
}

// Name returns AuthorizationPolicy name
Expand All @@ -96,11 +99,10 @@ func (d *AuthorizationPolicy) Check(ctx context.Context, model interface{}) erro
if err != nil {
return err
}
evalQuery, intErr := d.init()
if intErr != nil {
if intErr := d.init(); intErr != nil {
return intErr
}
rs, err := evalQuery.Eval(ctx, rego.EvalInput(input))
rs, err := d.evalQuery.Eval(ctx, rego.EvalInput(input))
if err != nil {
return status.Error(codes.Internal, err.Error())
}
Expand All @@ -114,23 +116,33 @@ func (d *AuthorizationPolicy) Check(ctx context.Context, model interface{}) erro
return nil
}

func (d *AuthorizationPolicy) init() (*rego.PreparedEvalQuery, error) {
if d.query == "" {
d.query = strings.TrimSuffix(filepath.Base(d.policyFilePath), filepath.Ext(d.policyFilePath))
}
if err := d.loadSource(); err != nil {
return nil, err
}
if err := d.checkModule(); err != nil {
return nil, err
func (d *AuthorizationPolicy) init() error {
d.once.Do(func() {
if d.query == "" {
d.query = strings.TrimSuffix(filepath.Base(d.policyFilePath), filepath.Ext(d.policyFilePath))
}
if d.initErr = d.loadSource(); d.initErr != nil {
return
}
if d.initErr = d.checkModule(); d.initErr != nil {
return
}
var r rego.PreparedEvalQuery
r, d.initErr = rego.New(
rego.Query(strings.Join([]string{"data", d.pkg, d.query}, ".")),
rego.Module(d.pkg, d.policySource)).PrepareForEval(context.Background())
if d.initErr != nil {
return
}
d.evalQuery = &r
})
if d.initErr != nil {
return d.initErr
}
r, err := rego.New(
rego.Query(strings.Join([]string{"data", d.pkg, d.query}, ".")),
rego.Module(d.pkg, d.policySource)).PrepareForEval(context.Background())
if err != nil {
return nil, errors.Wrap(err, fmt.Sprintf("policy %v is not compiled", d.policySource))
if d.evalQuery == nil {
return errors.Errorf("policy %v is not compiled", d.policySource)
}
return &r, nil
return nil
}

func (d *AuthorizationPolicy) loadSource() error {
Expand Down

0 comments on commit bbfe77c

Please sign in to comment.