# opal
t
looks like I should use the manifest functionality I guess? just looking into that now
a
Hi @Trey Lowerison :) The OPAL server will read all policy files in a certain repo. The OPAL client however can decide what directories inside the repo to read from, so you can filter out directories you don't want. The config var (passed to the client as env var) is called: `OPAL_POLICY_SUBSCRIPTION_DIRS`
You can also enforce which policy directories a client is allowed to ask for, by encoding it in the client JWT
The `.manifest` functionality controls the order in which you load files into OPA.
it does not filter files, only controls the order
t
so if i just omit a file from the manifest it will still be loaded?
a
yes
Use the policy subscription dirs settings and filter based on directories. You can control what a client can subscribe to via the `permitted_topics` JWT claim
t
hmm ok. my current repo setup is to have test files living as close to the actual policies they're testing e.g. `create.rego` and `test_create.rego` are in the same directory. is there a way to mark certain files as being included or excluded from a certain topic so i can recursively omit test files?
it sounds like with subscription dirs the only supported way of omitting test files would be to have them all live in a separate directory entirely from the actual policies
a
mmm there is no current way to do so yet.
but if you'd like to contribute a PR i'd be happy to guide you, or we can try to squeeze that into the next release
t
awesome, yeah i'm down to contribute
what's the most appealing way to go about this for you? should we include an ignore files glob path like `opa build` or omit files using the manifest?
a
Cool 🙂 I think you either want to do an include regex or an exclude regex, or both.
t
gotcha, i'll start with an exclude regex
a
this is the relevant code: https://github.com/permitio/opal/blob/master/packages/opal-common/opal_common/git/bundle_maker.py#L220
```python
with CommitViewer(commit) as viewer:
    filter = lambda f: self._has_extension(f) and self._is_under_directories(f)
    explicit_manifest = self._get_explicit_manifest(viewer)
    logger.debug(f"Explicit manifest to be used: {explicit_manifest}")

    for source_file in viewer.files(filter):
```
You can see that the bundle maker serves files from git. And it passes a filter function to the `CommitViewer.files` method. All you need to do is: 1) create another method, similar to `self._has_extension`, that filters based on a regex. 2) create another config var for OPAL, similar to `OPAL_OPA_FILE_EXTENSIONS`, and pipe its value all the way to the bundle maker 🙂
@Ori Shavit can guide you more deeply tomorrow, and @Filip is also available to help.
basically:
```python
filter = lambda f: self._has_extension(f) and self._is_under_directories(f) and not self._matches_regex(f, exclude_regex)
```
t
sweet sounds good!
thanks for the pointers
not sure if i configured the cli / environment variables properly but tests were passing for my use case i believe
a
@Trey Lowerison very cool 🙂
The team will review and get back to you 🙂
t
sounds good! i'm testing it out in the docker image and found some bugs already, mostly just don't know how to plumb the environment variable down to the BundleMaker so working through that rn