Renamed the opa_enable key for the filter to opa_enforce. Earlier, the OPA enable mode just decided whether to run OPA or not. Instead, we use it to decide whether to drop requests after a violation or not. Ideally, I want to avoid having two OPA flags (one for whether to run OPA or not and another for whether to enforce its decision), as that can be confusing. So we always create the OPA object and evaluate the PII types etc. against the policy. Note that we can set the bundle server to dispense an "allow all" policy in the development stage, before the privacy engineer has set a meaningful target policy.
OPA Enforcement: If the opa_enforce key is set to true, actually drop the request.
TODO: OPA is currently evaluating sample inputs. Tweak it to pass in the purpose of use, PII types and third parties. See TODO in runPresidioAndOPA.