sdk: add evaluateDefault()

srenatus · srenatus · commit cb15c5eca13b · 2024-05-17T10:10:50.000+02:00
Signed-off-by: Stephan Renatus &lt;stephan@styra.com&gt;
diff --git a/src/opaclient.ts b/src/opaclient.ts
@@ -56,7 +56,7 @@ export class OPAClient {
     this.opa = new Opa(sdk);
   }
 
-  /** `evaluate` is used to evaluate the policy at the specified.
+  /** `evaluate` is used to evaluate the policy at the specified path with optional input.
    *
    * @param path - The path to the policy, without `/v1/data`: use `authz/allow` to evaluate policy `data.authz.allow`.
    * @param input - The input to the policy, if needed.
@@ -87,4 +87,23 @@ export class OPAClient {
     const res = result.successfulPolicyEvaluation.result;
     return fromResult ? fromResult(res) : (res as Res);
   }
+
+  /** `evaluateDefault` is used to evaluate the server's default policy with optional input.
+   *
+   * @param input - The input to the default policy, defaults to `{}`.
+   * @param fromResult - A function that is used to transform the policy evaluation result (which could be `undefined`).
+   */
+  async evaluateDefault<In extends Input | ToInput, Res>(
+    input?: In,
+    fromResult?: (res?: Result) => Res,
+  ): Promise<Res> {
+    let inp = input ?? {};
+    if (implementsToInput(inp)) {
+      inp = inp.toInput();
+    }
+    const resp = await this.opa.executeDefaultPolicyWithInput(inp);
+    if (!resp.result) throw `no result in API response`;
+    const res = resp.result;
+    return fromResult ? fromResult(res) : (res as Res);
+  }
 }
diff --git a/tests/authorizer.test.ts b/tests/authorizer.test.ts
@@ -29,6 +29,12 @@ it_is := true`,
     token: `package token
 import rego.v1
 p := true
+`,
+    main: `package system.main
+import rego.v1
+
+main.has_input if input
+main.different_input if input.foo == "bar"
 `,
   };
   const authzPolicy = `package system.authz
@@ -39,6 +45,7 @@ allow if input.method == "PUT"
 allow if input.path[0] == "health"
 allow if input.path[2] == "test"
 allow if input.path[2] == "has"
+allow if count(input.path) == 1 # default policy
 allow if {
   input.path[2] = "token"
   input.identity = "opensesame"
@@ -56,6 +63,7 @@ allow if {
         "--log-level=debug",
         "--authentication=token",
         "--authorization=basic",
+        "--set=default_decision=system/main/main",
         "/authz.rego",
       ])
       .withExposedPorts(8181)
@@ -92,6 +100,18 @@ allow if {
     assert.strictEqual(res, true);
   });
 
+  it("default can be called without types, without input", async () => {
+    const res = await new OPAClient(serverURL).evaluateDefault();
+    assert.deepStrictEqual(res, { has_input: true });
+  });
+
+  it("default can be called with input", async () => {
+    const res = await new OPAClient(serverURL).evaluateDefault({
+      foo: "bar",
+    });
+    assert.deepStrictEqual(res, { has_input: true, different_input: true });
+  });
+
   it("supports rules with slashes", async () => {
     const res = await new OPAClient(serverURL).evaluate(
       "has/weird%2fpackage/but/it_is",
