feat: Opa middleware support

.github/workflows/ci.yaml

@@ -13,7 +13,7 @@ on:
   workflow_dispatch:
 env:
   GO_VERSION: '1.23.8'
-  GOLANGCI_LINT_VERSION: '1.60.3'
+  GOLANGCI_LINT_VERSION: '1.64.8'
 jobs:
   git-secrets:
     runs-on: ubuntu-latest
@@ -105,7 +105,19 @@ jobs:
         run: |
           sudo ls /etc/cni/net.d
           sudo rm /etc/cni/net.d/87-podman-bridge.conflist
+      - name: Verify Rego file presence
+        run: ls -l ${{ github.workspace }}/docs/sample-rego-policies/example.rego
+      - name: Set Rego file path
+        run: echo "REGO_FILE_PATH=${{ github.workspace }}/docs/sample-rego-policies/example.rego" >> $GITHUB_ENV
+      - name: Start finch-daemon with opa Authz
+        run: sudo bin/finch-daemon --debug --experimental --rego-file ${{ github.workspace }}/docs/sample-rego-policies/example.rego --skip-rego-perm-check --socket-owner $UID --socket-addr /run/finch.sock --pidfile /run/finch.pid &
+      - name: Run opa e2e tests
+        run: sudo -E make test-e2e-opa
+      - name: Clean up Daemon socket
+        run: sudo rm /run/finch.sock && sudo rm /run/finch.pid
       - name: Start finch-daemon
         run: sudo bin/finch-daemon  --debug --socket-owner $UID &
       - name: Run e2e test
         run: sudo make test-e2e
+      - name: Clean up Daemon socket
+        run: sudo rm /var/run/finch.sock && sudo rm /run/finch.pid

Makefile

@@ -77,7 +77,7 @@ endif
 .PHONY:  gen-code
  gen-code: linux
 	rm -rf ./pkg/mocks
-	GOBIN=$(BIN) go install github.com/golang/mock/mockgen@v1.6.0
+	GOBIN=$(BIN) go install go.uber.org/mock/mockgen@v0.5.2
 	GOBIN=$(BIN) go install golang.org/x/tools/cmd/[email protected]
 	PATH=$(BIN):$(PATH) go generate ./...
 	PATH=$(BIN):$(PATH) mockgen --destination=./mocks/mocks_container/container.go -package=mocks_container github.com/containerd/containerd/v2/client Container
@@ -114,6 +114,15 @@ test-e2e: linux
 	TEST_E2E=1 \
 	$(GINKGO) $(GFLAGS) ./e2e/...
 
+.PHONY: test-e2e-opa
+test-e2e-opa: linux
+	DOCKER_HOST="unix:///run/finch.sock" \
+	DOCKER_API_VERSION="v1.41" \
+	MIDDLEWARE_E2E=1 \
+	TEST_E2E=0 \
+	DAEMON_ROOT="$(BIN)/finch-daemon" \
+	$(GINKGO) $(GFLAGS) ./e2e/...
+
 .PHONY: licenses
 licenses:
 	PATH=$(BIN):$(PATH) go-licenses report --template="scripts/third-party-license.tpl" --ignore github.com/runfinch ./... > THIRD_PARTY_LICENSES
@@ -126,4 +135,4 @@ coverage: linux
 .PHONY: release
 release: linux
 	@echo "$@"
-	@$(FINCH_DAEMON_PROJECT_ROOT)/scripts/create-releases.sh $(RELEASE_TAG)
+	@$(FINCH_DAEMON_PROJECT_ROOT)/scripts/create-releases.sh $(RELEASE_TAG)

README.md

@@ -35,6 +35,32 @@ Getting started with Finch Daemon on Linux only requires a few steps:
 5. Test any changes with `make test-unit` and `sudo make test-e2e`
 
 
+## Experimental Features
+
+Finch Daemon includes experimental features that can be enabled using the `--experimental` flag. These features are under development and may change in future releases.
+
+### Using Experimental Features
+
+To enable experimental features, use the `--experimental` flag when starting the daemon:
+
+```bash
+sudo bin/finch-daemon --debug --socket-owner $UID --experimental
+```
+
+### Current Experimental Features
+
+#### OPA Authorization Middleware
+
+The OPA (Open Policy Agent) middleware allows you to define authorization policies for API requests using Rego policy language. This feature requires both the `--experimental` flag and the `--rego-file` flag to be set.
+
+Example usage:
+```bash
+sudo bin/finch-daemon --debug --socket-owner $UID --experimental --rego-file /path/to/policy.rego
+```
+
+For detailed documentation on the OPA middleware, see [opa-middleware.md](docs/opa-middleware.md).
+
+
 ## Creating a systemd service
 If you want finch-daemon to be managed as a systemd service, for benefits like automatic
 restart if it gets killed, you can configure it as a systemd service on Linux by

api/handlers/builder/build_test.go

@@ -12,7 +12,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 

api/handlers/builder/builder_test.go

@@ -10,7 +10,7 @@ import (
 	"testing"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/attach_test.go

@@ -21,7 +21,7 @@ import (
 	"github.com/runfinch/finch-daemon/api/types"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/pkg/errors"

api/handlers/container/container_test.go

@@ -11,7 +11,7 @@ import (
 	"testing"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/create_test.go

@@ -17,7 +17,7 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/config"
 	"github.com/containerd/nerdctl/v2/pkg/defaults"
 	"github.com/docker/go-connections/nat"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 

api/handlers/container/exec_test.go

@@ -11,7 +11,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/get_archive_test.go

@@ -9,7 +9,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/inspect_test.go

@@ -10,7 +10,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/kill_test.go

@@ -11,7 +11,7 @@ import (
 
 	ncTypes "github.com/containerd/nerdctl/v2/pkg/api/types"
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/list_test.go

@@ -11,7 +11,7 @@ import (
 
 	ncTypes "github.com/containerd/nerdctl/v2/pkg/api/types"
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 

api/handlers/container/logs_test.go

@@ -11,7 +11,7 @@ import (
 	"strings"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/pause_test.go

@@ -11,7 +11,7 @@ import (
 
 	ncTypes "github.com/containerd/nerdctl/v2/pkg/api/types"
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/put_archive_test.go

@@ -9,7 +9,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/remove_test.go

@@ -9,7 +9,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 

api/handlers/container/rename_test.go

@@ -9,7 +9,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/restart_test.go

@@ -9,7 +9,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/start_test.go

@@ -11,7 +11,7 @@ import (
 
 	ncTypes "github.com/containerd/nerdctl/v2/pkg/api/types"
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/stats_test.go

@@ -12,7 +12,7 @@ import (
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
 	dockertypes "github.com/docker/docker/api/types/container"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/stop_test.go

@@ -9,7 +9,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/container/unpause_test.go

@@ -11,7 +11,7 @@ import (
 
 	ncTypes "github.com/containerd/nerdctl/v2/pkg/api/types"
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/distribution/distribution_test.go

@@ -12,7 +12,7 @@ import (
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
 	registrytypes "github.com/docker/docker/api/types/registry"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/exec/exec_test.go

@@ -11,7 +11,7 @@ import (
 	"testing"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/exec/inspect_test.go

@@ -10,7 +10,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/exec/resize_test.go

@@ -9,7 +9,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/exec/start_test.go

@@ -16,7 +16,7 @@ import (
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
 	hj "github.com/getlantern/httptest"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/image/image_test.go

@@ -10,7 +10,7 @@ import (
 	"testing"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/image/inspect_test.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
 	"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/image/load_test.go

@@ -9,7 +9,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/image/pull_test.go

@@ -16,7 +16,7 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/config"
 	dockertypes "github.com/docker/cli/cli/config/types"
 	"github.com/docker/docker/pkg/jsonmessage"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 

api/handlers/image/push_test.go

@@ -15,7 +15,7 @@ import (
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
 	dockertypes "github.com/docker/cli/cli/config/types"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/image/remove_test.go

@@ -9,7 +9,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/network/create_test.go

@@ -13,7 +13,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 

api/handlers/network/inspect_test.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
 	"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"github.com/gorilla/mux"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

api/handlers/network/list_test.go

@@ -8,7 +8,7 @@ import (
 	"net/http/httptest"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/golang/mock/gomock"
+	"go.uber.org/mock/gomock"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"