This monorepo contains the code for the EA Financial, a fictional global bank serving as an example institution for demonstrating best practices in policy-as-code with fully integrated Open Policy Agent (OPA) authorization.
./app.shOpens the app instantly in your browser. This is the fastest way to get started!
./infra/scripts/open-app.shThis will start port-forwarding and automatically open the app in your browser at http://localhost:8080.
./infra/scripts/get-urls.shShows available URLs without starting persistent connections.
./infra/scripts/start-app.shStarts both frontend and API with auto-restart and detailed logging. Includes:
- Frontend:
http://localhost:8080 - API:
http://localhost:8081 - Auto-opens browser
- Keeps running until Ctrl+C
For persistent access without keeping a terminal open:
./infra/scripts/setup-tunnel.shThen access at:
- Frontend:
http://127.0.0.1:30000 - API:
http://127.0.0.1:30001
./app.sh help # Show all access options
./app.sh start # Full development mode
./app.sh urls # Just show URLs
./app.sh tunnel # Permanent access
./app.sh health # Health checks
./app.sh monitor # Live monitoring- Manager:
mjohnson/password456(Full access) - Senior Rep:
jsmith/password123(Enhanced access) - Representative:
rbrown/password789(Read access)
This monorepo is organized into the following top-level directories:
Complete authorization system using Enterprise Open Policy Agent (EOPA):
policies/main.rego- Main authorization policy with RBACdata/users.json- Demo users with roles/permissions- See infra/opa/README.md for detailed documentation
Kubernetes deployments, Docker configurations, and management scripts:
k8s/- Kubernetes manifests and ConfigMapsopa/- EOPA server configurationscripts/- Deployment and monitoring scripts- See infra/README.md for detailed documentation
Banking application services and APIs:
consumer-accounts-internal-api/- Account management service- Additional services as they are developed
The CI workflow (.github/workflows/ea-deploy.yml) deploys the Retail API system policies to EnforceAuth:
- Entity ID: Configured in
EA_ENTITY_IDsecret - Policies Location:
infra/opa/policies/ - Trigger: Manual dispatch via
workflow_dispatch
The workflow uses the EnforceAuth GitHub Action to deploy policy bundles with wait-for-completion and a 10-minute timeout.
Run policy tests locally using opa test or eopa test:
# Run all policy tests
opa test infra/opa/policies/ -v
# Run only retail_api tests
opa test infra/opa/policies/retail/retail_api/ -v
# With eopa (Enterprise OPA)
eopa test infra/opa/policies/ -vTest files are located alongside policy files with _test.rego suffix:
infra/opa/policies/retail/retail_api/authentication_test.regoinfra/opa/policies/retail/retail_api/accounts_test.regoinfra/opa/policies/retail/retail_api/compliance_test.regoinfra/opa/policies/retail/retail_api/transactions_test.rego
# Test health check (should allow)
eopa eval -d infra/opa/policies/main.rego -d infra/opa/data/users.json \
--input <(echo '{"request":{"http":{"method":"GET","path":"/health"}}}') \
'data.main.allow'
# Test manager access (should allow)
eopa eval -d infra/opa/policies/main.rego -d infra/opa/data/users.json \
--input <(echo '{"request":{"http":{"method":"GET","path":"/accounts","headers":{"authorization":"Bearer mjohnson_token_456"}}}}') \
'data.main.allow'# Run regal linter on authorization policies
regal lint infra/opa/policies/main.regocd infra
./deploy.sh setup # Initial setup
./deploy.sh start # Start services
./monitor.sh status # Check status- ✅ OPA Integration: Fully integrated Open Policy Agent authorization with real-time policy evaluation
- 🔐 Role-Based Access Control: Hierarchical permission system (Manager → Senior Rep → Representative → Analyst)
- 📜 Policy-as-Code: Authorization policies defined in Rego with comprehensive test coverage
- 🏗️ Kubernetes-Native: Cloud-native deployment with OPA sidecar architecture
- 🧪 Development-Friendly: Local testing, linting tools, and comprehensive test suite
- 📊 Compliance-Ready: Complete audit logging and decision tracking for banking regulations
- 🔒 Production-Ready: Enterprise-grade security with fail-safe defaults
🎉 OPA Integration Complete! The Consumer Accounts API now features:
- Real-time authorization through OPA policies
- Token-based authentication with OPA user data
- Comprehensive role-based permissions
- Complete audit trail for compliance
- Fail-safe security when OPA is unavailable
- Full test coverage for authorization flows
All API endpoints are now protected by OPA policies with fine-grained access control.
- 🔐 Authorization Module - Detailed OPA authorization documentation
- 🌐 Consumer Accounts API - NEW: Complete OPA integration guide
- 🏗️ Infrastructure Guide - Deployment and operations (includes technical overview)
The system includes demo credentials for testing different access levels:
| Role | Username | Password | Access Level |
|---|---|---|---|
| Manager | mjohnson |
password456 |
Full access to all operations |
| Senior Rep | jsmith |
password123 |
Transaction operations, no admin |
| Representative | rbrown |
password789 |
Read-only access |
| Analyst | slee |
password000 |
Inactive user (access denied) |
# Test the OPA integration
cd projects/consumer-accounts-internal-api
./scripts/test-opa-integration.sh
# Or test without OPA (offline mode)
./scripts/test-integration-offline.sh