Run OPA & Test with Postman

This guide explains how to run Open Policy Agent (OPA) for this project and how to test the policy using Postman.


Prerequisites

  • Docker (and Docker Compose) — for running OPA in a container
  • Postman (or any HTTP client) — for testing the API

Running OPA

Option 1: Docker Compose (recommended)

From the project root:

docker compose up -d

Option 2: Shell script

From the project root:

./scripts/run-project.sh

This starts OPA in a container with the policies/ directory mounted and port 8181 exposed.


Verify OPA is running

Health check

  • Method: GET
  • URL: http://localhost:8181/health

Expected: 200 OK with a JSON body indicating OPA is healthy.


Testing with Postman

The project has two policies. Query them via the Data API.

Policy: authz (policy.rego)

1. Query authz.allow (allowed when user is admin)

  • Method: POST
  • URL: http://localhost:8181/v1/data/authz/allow
  • Headers:
    • Content-Type: application/json
  • Body (raw JSON):
{
  "input": {
    "user": "admin"
  }
}

Expected response: 200 OK with body like:

{
  "result": true
}

2. Query authz.allow (denied for non-admin)

  • Method: POST
  • URL: http://localhost:8181/v1/data/authz/allow
  • Headers:
    • Content-Type: application/json
  • Body (raw JSON):
{
  "input": {
    "user": "alice"
  }
}

Expected response: 200 OK with body like:

{
  "result": false
}

3. Optional: Query the whole authz document

  • Method: POST
  • URL: http://localhost:8181/v1/data/authz
  • Headers:
    • Content-Type: application/json
  • Body (raw JSON):
{
  "input": {
    "user": "admin"
  }
}

Expected response: 200 OK with something like:

{
  "result": {
    "allow": true
  }
}

Policy: rbac (rbac.rego)

Role-based access: admin can do anything; user can only perform read actions.

  • Method: POST
  • URL: http://localhost:8181/v1/data/rbac/can_access
  • Headers: Content-Type: application/json
  • Body (admin — allowed):
{
  "input": {
    "role": "admin",
    "action": "write"
  }
}

Expected: {"result": true}

  • Body (user + read — allowed):
{
  "input": {
    "role": "user",
    "action": "read"
  }
}

Expected: {"result": true}

  • Body (user + write — denied):
{
  "input": {
    "role": "user",
    "action": "write"
  }
}

Expected: {"result": false}


Postman quick setup

  1. Create a new request.
  2. Set method to POST and URL to http://localhost:8181/v1/data/authz/allow.
  3. In Headers, add Content-Type: application/json.
  4. In Body, choose raw and JSON, then paste:
    • {"input": {"user": "admin"}} for allowed, or
    • {"input": {"user": "alice"}} for denied.
  5. Send the request and check that result is true or false as expected.

API reference (relevant endpoints)

Purpose                 Method  URL
Health check            GET     http://localhost:8181/health
Query authz.allow       POST    http://localhost:8181/v1/data/authz/allow
Query rbac.can_access   POST    http://localhost:8181/v1/data/rbac/can_access
Query full authz        POST    http://localhost:8181/v1/data/authz

All POST endpoints accept a JSON body with an input key; OPA evaluates the policy with that input.
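The same five checks from the Testing with Postman section, driven from a script instead of Postman. This is an added example, not part of the project: it uses only the Python standard library, assumes OPA at http://localhost:8181 as elsewhere in this guide, and also covers a case the Postman steps do not show, namely OPA answering 200 with an empty object when the queried document is undefined.

```python
import json
import urllib.error
import urllib.request

OPA_URL = "http://localhost:8181"  # assumption: the address used throughout this guide

# Request bodies from this guide, with the decision the guide says to expect.
CASES = [
    ("/v1/data/authz/allow", {"user": "admin"}, True),
    ("/v1/data/authz/allow", {"user": "alice"}, False),
    ("/v1/data/rbac/can_access", {"role": "admin", "action": "write"}, True),
    ("/v1/data/rbac/can_access", {"role": "user", "action": "read"}, True),
    ("/v1/data/rbac/can_access", {"role": "user", "action": "write"}, False),
]

def build_request(path, input_doc):
    """Return (url, body bytes) exactly as the Postman steps send them."""
    return OPA_URL + path, json.dumps({"input": input_doc}).encode()

def decision(body):
    """Map a Data API response body to an allow/deny boolean."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    # OPA answers {} (no "result" key) when the queried document is undefined,
    # e.g. a typo in the path or a rule without a default. Treat that, and any
    # non-boolean result such as a whole-document query, as deny.
    return doc.get("result") is True

def check_case(body, expected):
    """True when the response body yields the expected decision."""
    return decision(body) == expected

def run_live(cases=CASES, timeout=5):
    """POST each case to OPA; return [(path, input, passed)] for a report."""
    results = []
    for path, input_doc, expected in cases:
        url, payload = build_request(path, input_doc)
        req = urllib.request.Request(url, data=payload, method="POST",
                                     headers={"Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                passed = resp.status == 200 and check_case(resp.read(), expected)
        except (urllib.error.URLError, ValueError):  # OPA down or non-JSON body
            passed = False
        results.append((path, input_doc, passed))
    return results

if __name__ == "__main__":
    for path, input_doc, passed in run_live():
        print("PASS" if passed else "FAIL", path, json.dumps(input_doc))
```

Run it with OPA started as described above; a FAIL on every line usually means the container is not up or the port is not exposed.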