fix: refactor build to support loading built-in policies

Author: WipeAir

Dockerfile

@@ -25,4 +25,4 @@ USER node
 ENV NODE_ENV=production
 
 EXPOSE 8080
-CMD ["node", "/app/dist/bootstrap.js"]
+CMD ["node", "/app/dist/src/bootstrap.js"]

etsc.config.js

@@ -7,6 +7,7 @@ const path = require("path");
 module.exports = {
 	tsConfigFile: "tsconfig.build.json",
 	esbuild: {
+		outbase: "./",
 		entryPoints: ["src/bootstrap.ts"],
 		assetNames: "[dir]/[name]",
 		bundle: true,
@@ -16,6 +17,9 @@ module.exports = {
 			".yaml": "text",
 			".node": "copy",
 		},
+		define: {
+			"process.env.POLICY_DIR": `"./policies"`,
+		},
 	},
 	postbuild: async () => {
 		// uWebSockets.js works with binary targets and it has a different binary for each platform.
@@ -26,7 +30,7 @@ module.exports = {
 			`uws_${process.platform}_${process.arch}_${process.versions.modules}.node`,
 		];
 
-		const dirPath = path.resolve(`dist/_.._/node_modules/uWebSockets.js/`);
+		const dirPath = path.resolve(`dist/node_modules/uWebSockets.js/`);
 
 		// Get all the available .node files.
 		const dirContent = await fsp.readdir(dirPath);
@@ -37,5 +41,7 @@ module.exports = {
 				await fsp.rm(path.resolve(dirPath, file), { recursive: true });
 			}
 		}
+
+		await (await import("cpy")).default("policies/*.wasm", "dist/policies/");
 	},
 };

nodemon.json

@@ -1,4 +1,4 @@
 {
 	"watch": ["src/**/*"],
-	"exec": "etsc && (node ./dist/bootstrap.js | node_modules/.bin/pino-pretty)"
+	"exec": "etsc && (node ./dist/src/bootstrap.js | node_modules/.bin/pino-pretty)"
 }

package.json

@@ -70,6 +70,7 @@
 		"@commitlint/cli": "^19.3.0",
 		"@types/supertest": "^6.0.2",
 		"@vitest/coverage-v8": "^1.5.2",
+		"cpy": "^11.0.1",
 		"dotenv-cli": "^7.4.1",
 		"esbuild": "^0.20.2",
 		"esbuild-node-tsc": "^2.0.5",

shims.d.ts

@@ -0,0 +1,7 @@
+declare module "@open-policy-agent/opa-wasm" {
+	import type { loadPolicy as _loadPolicy } from "@open-policy-agent/opa-wasm/dist/types";
+	import type * as opa from "@open-policy-agent/opa-wasm/dist/types/opa";
+
+	export const loadPolicy: typeof _loadPolicy;
+	export default opa;
+}

src/dispatch-handler/policy.ts

@@ -1,4 +1,3 @@
-// @ts-ignore
 import { loadPolicy } from "@open-policy-agent/opa-wasm";
 import * as fsp from "fs/promises";
 import * as path from "path";
@@ -7,8 +6,7 @@ import z from "zod";
 import { getConfig } from "../utils/config";
 import { getLogger } from "../utils/logger";
 
-// @ts-ignore
-import type { LoadedPolicy } from "@open-policy-agent/opa-wasm/dist/types/opa";
+import type opa from "@open-policy-agent/opa-wasm";
 
 const policyInputSchemas = z.object({
 	config: z.record(z.string()),
@@ -34,8 +32,8 @@ const _logger = getLogger("handler/policy");
 
 // The built-in policies.
 const builtInPolicyMapping = {
-	allow_all: path.join(__dirname, "../../policies/allow_all.wasm"),
-	allow_org_wide: path.join(__dirname, "../../policies/allow_org_wide.wasm"),
+	allow_all: "allow_all.wasm",
+	allow_org_wide: "allow_org_wide.wasm",
 };
 
 /**
@@ -46,7 +44,9 @@ const builtInPolicyMapping = {
  */
 async function readPolicyFile(policyPath: string): Promise<ArrayBuffer> {
 	try {
-		return await fsp.readFile(policyPath);
+		return await fsp.readFile(
+			path.join(process.env.POLICY_DIR as string, policyPath)
+		);
 	} catch (error) {
 		_logger.error({ error }, "Failed to read policy file");
 
@@ -72,7 +72,7 @@ async function parsePolicyConfig(
 }
 
 async function evaluatePolicy(
-	policy: LoadedPolicy,
+	policy: opa.LoadedPolicy,
 	opts: PolicyInput
 ): Promise<boolean> {
 	try {

tsconfig.build.json

@@ -1,5 +1,5 @@
 {
 	"extends": "./tsconfig.json",
-	"include": ["src/**/*.ts"],
+	"include": ["src/**/*.ts", "shims.d.ts"],
 	"exclude": ["src/**/*.spec.ts"]
 }

tsconfig.json

@@ -19,6 +19,11 @@
 		"isolatedModules": true,
 		"incremental": true
 	},
-	"include": ["src/**/*.ts", "test/**/*.ts", "vitest.config.ts"],
+	"include": [
+		"src/**/*.ts",
+		"test/**/*.ts",
+		"vitest.config.*.ts",
+		"shims.d.ts"
+	],
 	"exclude": ["node_modules"]
 }

vitest.config.integration.mts

@@ -2,8 +2,11 @@ import {defineConfig} from "vitest/config";
 
 export default defineConfig({
 	assetsInclude: [
-		"**/*.yaml"
+		"**/*.yaml",
 	],
+	define: {
+		"process.env.POLICY_DIR": `"./policies"`,
+	},
 	test: {
 		include: ["test/**/*.spec-integration.ts"],
 		globals: true,

vitest.config.unit.mts

@@ -2,8 +2,11 @@ import {defineConfig} from "vitest/config";
 
 export default defineConfig({
 	assetsInclude: [
-		"**/*.yaml"
+		"**/*.yaml",
 	],
+	define: {
+		"process.env.POLICY_DIR": `"./policies"`,
+	},
 	test: {
 		include: ["src/**/*.spec.ts"],
 		globals: true,

yarn.lock

@@ -1560,6 +1560,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"aggregate-error@npm:^4.0.0":
+  version: 4.0.1
+  resolution: "aggregate-error@npm:4.0.1"
+  dependencies:
+    clean-stack: "npm:^4.0.0"
+    indent-string: "npm:^5.0.0"
+  checksum: 10/bb3ffdfd13447800fff237c2cba752c59868ee669104bb995dfbbe0b8320e967d679e683dabb640feb32e4882d60258165cde0baafc4cd467cc7d275a13ad6b5
+  languageName: node
+  linkType: hard
+
 "ajv@npm:^6.12.4":
   version: 6.12.6
   resolution: "ajv@npm:6.12.6"
@@ -2061,6 +2071,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"clean-stack@npm:^4.0.0":
+  version: 4.2.0
+  resolution: "clean-stack@npm:4.2.0"
+  dependencies:
+    escape-string-regexp: "npm:5.0.0"
+  checksum: 10/373f656a31face5c615c0839213b9b542a0a48057abfb1df66900eab4dc2a5c6097628e4a0b5aa559cdfc4e66f8a14ea47be9681773165a44470ef5fb8ccc172
+  languageName: node
+  linkType: hard
+
 "cli-cursor@npm:^4.0.0":
   version: 4.0.0
   resolution: "cli-cursor@npm:4.0.0"
@@ -2260,6 +2279,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"copy-file@npm:^11.0.0":
+  version: 11.0.0
+  resolution: "copy-file@npm:11.0.0"
+  dependencies:
+    graceful-fs: "npm:^4.2.11"
+    p-event: "npm:^6.0.0"
+  checksum: 10/49714b82fcc1315c06dbb50ce929621f10d620f3a8a17e1b212d4c676fecdcda42626917502b109e3ae5bdd9558ddcfedb5e6b70bd7c485fae53e18fc26e2dba
+  languageName: node
+  linkType: hard
+
 "cors@npm:^2.8.5":
   version: 2.8.5
   resolution: "cors@npm:2.8.5"
@@ -2300,6 +2329,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"cpy@npm:^11.0.1":
+  version: 11.0.1
+  resolution: "cpy@npm:11.0.1"
+  dependencies:
+    copy-file: "npm:^11.0.0"
+    globby: "npm:^13.2.2"
+    junk: "npm:^4.0.1"
+    micromatch: "npm:^4.0.5"
+    p-filter: "npm:^3.0.0"
+    p-map: "npm:^6.0.0"
+  checksum: 10/0547b160d423f7a23d5c866fe4b3844e639e2c8f19c3521dcd3cf15b7501d1741c3f169f3e294d66834819359d333c588ac8a0b8d9ea5800a95fc1d2ac9574b6
+  languageName: node
+  linkType: hard
+
 "create-require@npm:^1.1.0":
   version: 1.1.1
   resolution: "create-require@npm:1.1.1"
@@ -2874,6 +2917,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"escape-string-regexp@npm:5.0.0":
+  version: 5.0.0
+  resolution: "escape-string-regexp@npm:5.0.0"
+  checksum: 10/20daabe197f3cb198ec28546deebcf24b3dbb1a5a269184381b3116d12f0532e06007f4bc8da25669d6a7f8efb68db0758df4cd981f57bc5b57f521a3e12c59e
+  languageName: node
+  linkType: hard
+
 "escape-string-regexp@npm:^1.0.5":
   version: 1.0.5
   resolution: "escape-string-regexp@npm:1.0.5"
@@ -3541,6 +3591,7 @@ __metadata:
     "@open-policy-agent/opa-wasm": "npm:^1.8.1"
     "@types/supertest": "npm:^6.0.2"
     "@vitest/coverage-v8": "npm:^1.5.2"
+    cpy: "npm:^11.0.1"
     dotenv-cli: "npm:^7.4.1"
     esbuild: "npm:^0.20.2"
     esbuild-node-tsc: "npm:^2.0.5"
@@ -3664,7 +3715,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"globby@npm:^13.1.2":
+"globby@npm:^13.1.2, globby@npm:^13.2.2":
   version: 13.2.2
   resolution: "globby@npm:13.2.2"
   dependencies:
@@ -3686,7 +3737,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"graceful-fs@npm:^4.2.6":
+"graceful-fs@npm:^4.2.11, graceful-fs@npm:^4.2.6":
   version: 4.2.11
   resolution: "graceful-fs@npm:4.2.11"
   checksum: 10/bf152d0ed1dc159239db1ba1f74fdbc40cb02f626770dcd5815c427ce0688c2635a06ed69af364396da4636d0408fcf7d4afdf7881724c3307e46aff30ca49e2
@@ -3926,6 +3977,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"indent-string@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "indent-string@npm:5.0.0"
+  checksum: 10/e466c27b6373440e6d84fbc19e750219ce25865cb82d578e41a6053d727e5520dc5725217d6eb1cc76005a1bb1696a0f106d84ce7ebda3033b963a38583fb3b3
+  languageName: node
+  linkType: hard
+
 "inflight@npm:^1.0.4":
   version: 1.0.6
   resolution: "inflight@npm:1.0.6"
@@ -4438,6 +4496,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"junk@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "junk@npm:4.0.1"
+  checksum: 10/4f0c94c0b2e46172284d9eaeb57bf1b784d86d218dbc673a1c8e08ef3443d03164238eb067591d0ad9f2c76a6ad012aeb618bb8135a2f0f26a6da931058e131b
+  languageName: node
+  linkType: hard
+
 "jwa@npm:^1.4.1":
   version: 1.4.1
   resolution: "jwa@npm:1.4.1"
@@ -4794,7 +4859,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"micromatch@npm:4.0.5, micromatch@npm:^4.0.4":
+"micromatch@npm:4.0.5, micromatch@npm:^4.0.4, micromatch@npm:^4.0.5":
   version: 4.0.5
   resolution: "micromatch@npm:4.0.5"
   dependencies:
@@ -5306,6 +5371,24 @@ __metadata:
   languageName: node
   linkType: hard
 
+"p-event@npm:^6.0.0":
+  version: 6.0.1
+  resolution: "p-event@npm:6.0.1"
+  dependencies:
+    p-timeout: "npm:^6.1.2"
+  checksum: 10/f8a6bb7e5addee541f5be42685fb070d9848aa0fb761132e825762c1e4009d90416b3f78ec06f7d4ee96b48ef9cebda0b809a0a87e504d7ae5f371f406cf16a8
+  languageName: node
+  linkType: hard
+
+"p-filter@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "p-filter@npm:3.0.0"
+  dependencies:
+    p-map: "npm:^5.1.0"
+  checksum: 10/aacc36820f0531c01963334edc6debf5038b47c83a1c2255b7c14f6964a9a5fc1887ce0b93e72d137727403253bcc9bb26eed9bb79896ece1fa9f52d979bb97b
+  languageName: node
+  linkType: hard
+
 "p-limit@npm:^3.0.2":
   version: 3.1.0
   resolution: "p-limit@npm:3.1.0"
@@ -5360,6 +5443,29 @@ __metadata:
   languageName: node
   linkType: hard
 
+"p-map@npm:^5.1.0":
+  version: 5.5.0
+  resolution: "p-map@npm:5.5.0"
+  dependencies:
+    aggregate-error: "npm:^4.0.0"
+  checksum: 10/089a709d2525208a965b7907cc8e58af950542629b538198fc142c40e7f36b3b492dd6a46a1279515ccab58bb6f047e04593c0ab5ef4539d312adf7f761edf55
+  languageName: node
+  linkType: hard
+
+"p-map@npm:^6.0.0":
+  version: 6.0.0
+  resolution: "p-map@npm:6.0.0"
+  checksum: 10/1fd59257b3828a4c4def676ef64acb0edb7809b161ada25efd9a0c8db312ad81c66bcaa9e5d8fd982fd20d412609aabcb8da9b090e81f6c449bc1203752ba0eb
+  languageName: node
+  linkType: hard
+
+"p-timeout@npm:^6.1.2":
+  version: 6.1.2
+  resolution: "p-timeout@npm:6.1.2"
+  checksum: 10/ca3ede368d792bd86fcfa4e133220536382225d31e5f62e2cedb8280df267b25f6684aa0056b22e8aa538cc85014b310058d8fdddeb0a1ff363093d56e87ac3a
+  languageName: node
+  linkType: hard
+
 "parent-module@npm:^1.0.0":
   version: 1.0.1
   resolution: "parent-module@npm:1.0.1"