feat(jans-cedarling) add OPA plugin

[SafinWasi]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

closes #13405

Implementation Details

---

Test and Document the changes

N/A

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

• New Features

  • Adds a Cedarling authorization plugin for OPA with packaging and build automation, a runnable OPA binary integrating the plugin, and plugin lifecycle support (start/stop/reconfigure) for live updates.
  • Provides an example runtime config enabling multi-issuer JWT validation, policy store mapping, and sample Cedar policies for evaluation.

• Documentation

  • New README with prerequisites, build/run instructions, configuration examples, and usage notes.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3e65d5a5-6a5e-432b-870d-979cd5cb2f42

📥 Commits

Reviewing files that changed from the base of the PR and between 326f602 and ce63044.

📒 Files selected for processing (1)

• jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go

---

📝 Walkthrough

Walkthrough

Adds a new Cedarling OPA plugin and build tooling: Makefile and Go module, a Go entrypoint that registers the plugin, plugin implementation (Config, Factory, CedarPlugin with lifecycle methods), plugin registration helper, README, and example opa-config.json.

Changes

Cohort / File(s)	Summary
Build & Module jans-cedarling/cedarling_opa/Makefile, jans-cedarling/cedarling_opa/go.mod	Introduces Makefile to build native Rust library and Go binary with CGO linkage; adds Go module and dependency declarations.
Entrypoint jans-cedarling/cedarling_opa/main.go	Adds main to register plugins and execute the OPA root command with error handling.
Plugin Implementation jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go	Implements PluginName, Config, CedarPlugin (Start/Stop/Reconfigure) and Factory; integrates with cedarling_go to manage an embedded Cedarling instance and updates plugin status.
Plugin Registration jans-cedarling/cedarling_opa/plugins/plugins.go	Adds Register() to register the Cedarling plugin with OPA runtime.
Docs & Example Config jans-cedarling/cedarling_opa/README.md, jans-cedarling/cedarling_opa/opa-config.json	Adds README with build/run instructions and example opa-config.json showing bootstrap_config, policy_store, policies, and schema.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• fix: feat(jans-cedarling): add cedarling OPA plugin -autocreated  #13400: Same functionality—adds the cedarling OPA plugin (Makefile, module, main, plugin types, registration), so this PR could be linked to that issue.

Suggested labels

comp-docs

Suggested reviewers

• haileyesus2433
• olehbozhok
• ossdhaval

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding an OPA plugin to jans-cedarling.
Description check	✅ Passed	The PR description includes the prepare checklist, target issue reference (#13405), and confirms no doc impact, though implementation details section is empty.
Linked Issues check	✅ Passed	The PR successfully implements the primary objective from issue #13405: creating an OPA plugin with embedded cedarling instance for policy-based authorization, includes README documentation, and provides the plugin with configuration and lifecycle management.
Out of Scope Changes check	✅ Passed	All changes are scoped to the OPA plugin implementation, configuration, and documentation as defined in issue #13405. No unrelated changes detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat-cedarling-opa-plugin

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mo-auto]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[nynymike]

Next we need to define some Rego verbs that, when called, will pass the input to the authz interface.

[coderabbitai]

Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jans-cedarling/cedarling_opa/builtins/builtins.go`:
- Line 1: The builtins package is currently a no-op and not imported, so the
embedded Cedarling instance created in plugins/cedarling_opa/plugin.go is not
reachable from policy evaluation; implement and export a registration function
(e.g., RegisterBuiltins or InitBuiltins) in the builtins package that registers
the Cedarling-based builtin(s) with the evaluator (or uses package init to
register), reference the embedded Cedarling instance created in plugin.go (the
Cedarling instance name used there) when registering, and ensure
plugins/cedarling_opa/plugin.go (or another evaluation-entry file) imports/
calls that registration so the package is wired into evaluation before merging.

In `@jans-cedarling/cedarling_opa/main.go`:
- Around line 12-14: The CLI currently prints command execution errors to
stdout; change the error printing in the cmd.RootCommand.Execute() failure path
to write to stderr instead of stdout by sending the error string to os.Stderr
(replace the fmt.Println(err) call in the error branch that handles
cmd.RootCommand.Execute() with a write to os.Stderr, e.g., using
fmt.Fprintln(os.Stderr, err) or equivalent) so CLI failures go to stderr.

In `@jans-cedarling/cedarling_opa/Makefile`:
- Around line 29-34: The build target (and similarly the debug target) doesn't
ensure $(BUILD_DIR) exists before running $(GO) build, so create the output
directory at the start of the build and debug targets; explicitly run a mkdir -p
$(BUILD_DIR) prior to invoking the build command so that writing to
$(BUILD_DIR)/$(APP_NAME) succeeds on a clean checkout (update the Makefile
targets referencing BUILD_DIR, APP_NAME, build, and debug accordingly).
- Around line 15-17: The Makefile currently hard-codes LIB_FILE :=
lib$(LIB_NAME).so which only works on Linux; update the Makefile to set the
shared-library extension based on the platform (e.g., detect uname/$(OS) or use
shell conditional on $(shell uname -s)) and compute LIB_FILE as
lib$(LIB_NAME).$(EXT) where EXT is chosen from so (Linux), dylib (macOS), or dll
(Windows), and also adjust any env guidance (LD_LIBRARY_PATH → DYLD_LIBRARY_PATH
on macOS or PATH on Windows) accordingly; alternatively, if you intend to remain
Linux-only, add a clear README comment and Makefile note that the target is
Linux-only and keep LIB_FILE unchanged.

In `@jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go`:
- Around line 18-22: The Config.stderr boolean is parsed but ignored; replace
the direct fmt.Println startup call(s) in this file (the usage at the site of
fmt.Println around startup/logging) so output goes to stderr when Config.Stderr
is true and stdout otherwise — e.g. check the Config instance's Stderr field and
write to os.Stderr (use fmt.Fprintln(os.Stderr, ...)) when true, otherwise keep
fmt.Println (or fmt.Fprintln(os.Stdout, ...)); update every direct fmt.Println
in plugin.go that emits startup or log text to honor Config.Stderr.
- Around line 62-66: Reconfigure currently only swaps p.config without updating
the running Cedarling instance (p.cedar); change Reconfigure to, while holding
p.mtx, gracefully stop/shutdown the existing p.cedar (call its shutdown method
such as Close/Shutdown/Stop used elsewhere), create a new Cedarling instance
using the new config with the same constructor/initializer used at startup,
assign the new instance to p.cedar and handle/return any errors; alternatively,
if live reconfiguration is not supported, make Reconfigure validate and
explicitly reject the request (return an error or log and leave p.cedar
unchanged) instead of only updating p.config.
- Around line 80-82: Factory.Validate currently unmarshals into Config but does
not reject missing required sections, causing later panics when code writes into
nil maps; update the Validate implementation to unmarshal the config (using
util.Unmarshal as now) into parsedConfig and then explicitly check that
parsedConfig.BootstrapConfig (and parsedConfig.PolicyStore or the field named
for policy_store) are non-nil/present, returning a clear error if either is
missing instead of returning parsedConfig with no validation.

In `@jans-cedarling/cedarling_opa/README.md`:
- Around line 46-61: The README config snippet contains a stray ')' after the
markdown link and a missing closing brace for "plugins" which makes the JSON
invalid; edit the block in README.md to remove the extra ')' following
[opa-config.json] and add the missing closing brace(s) so the JSON object that
includes "decision_logs" and "plugins" (and the nested "cedarling_opa" object)
is syntactically valid and properly closed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6fd775f7-09b1-44bc-adec-475de3218434

📥 Commits

Reviewing files that changed from the base of the PR and between 27dd703 and b773742.

⛔ Files ignored due to path filters (1)

• jans-cedarling/cedarling_opa/go.sum is excluded by !**/*.sum

📒 Files selected for processing (9)

• jans-cedarling/cedarling_opa/Makefile
• jans-cedarling/cedarling_opa/README.md
• jans-cedarling/cedarling_opa/builtins/builtins.go
• jans-cedarling/cedarling_opa/builtins/cedarling_authz.go
• jans-cedarling/cedarling_opa/go.mod
• jans-cedarling/cedarling_opa/main.go
• jans-cedarling/cedarling_opa/opa-config.json
• jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go
• jans-cedarling/cedarling_opa/plugins/plugins.go

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jans-cedarling/cedarling_opa/Makefile`:
- Around line 29-35: The build and debug targets can run before the native
shared library is present; make build and make debug depend on the native target
(or directly on the built library artifact) so the shared library
(libcedarling_go placed into $(LIB_DIR)) is produced/copied first. Update the
Makefile so the build and debug targets list native (or
$(LIB_DIR)/libcedarling_go.so) as a prerequisite, and do the same for the
corresponding debug-related target group around lines 48-53 to ensure the native
artifact is always available before linking.
- Around line 39-42: The clean target currently uses "rm $(LIB_DIR)/$(LIB_FILE)"
which fails if the file is already missing; update the clean rule (target
"clean") to use a force/remove-if-present flag for the library removal (use rm
-f on the path built from $(LIB_DIR)/$(LIB_FILE)) so running make clean twice is
safe and idempotent while leaving the rest of the steps (removing $(BUILD_DIR))
unchanged.

In `@jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go`:
- Around line 34-58: The Start/bootstrap assembly is duplicated and reloads are
non-atomic: extract the code that builds the bootstrap map (currently in Start)
into a single helper (e.g., buildBootstrapConfig) that returns the map and any
error from json.Marshal; on reload use that helper to construct the new config,
call cedarling_go.NewCedarling(newConfig) to create the new instance first, then
acquire p.mtx and atomically swap p.config and p.cedar, release the lock and
only then shut down the old instance; ensure json.Marshal failures are
returned/handled instead of ignored and update places that previously inlined
the assembly to use the helper (referencing Start, buildBootstrapConfig,
p.config, p.cedar, and cedarling_go.NewCedarling).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f14ee833-993d-4758-9831-4a822adf7d98

📥 Commits

Reviewing files that changed from the base of the PR and between b773742 and 9aba8a2.

📒 Files selected for processing (4)

• jans-cedarling/cedarling_opa/Makefile
• jans-cedarling/cedarling_opa/README.md
• jans-cedarling/cedarling_opa/main.go
• jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go`:
- Around line 79-105: Reconfigure currently replaces p.cedar but never publishes
a new plugin status, leaving the manager with stale Ok/Err/NotReady state; after
successfully creating and assigning new_instance (i.e., after p.cedar =
new_instance and p.mtx.Unlock()), call the same status-publishing logic used by
Start() to mark the plugin healthy (or publish an error if new_instance reports
a problem) so the manager reflects the new live state; use the same helper or
method Start() uses to publish status (the status-publish/update function the
codebase provides) and ensure this runs before returning (and keep
old_cedar.ShutDown() as-is).
- Around line 70-76: The Stop method on CedarPlugin should be made idempotent by
clearing the p.cedar field under the mutex and performing the native shutdown
after releasing the lock: inside Stop, acquire p.mtx, copy p.cedar to a local
variable (e.g., old := p.cedar), set p.cedar = nil, update the plugin status via
p.manager.UpdatePluginStatus(PluginName, ...), release the lock, then if old !=
nil call old.ShutDown(); this mirrors the safe pattern used in Reload and
prevents multiple ShutDown calls on the same native handle.
- Around line 16-17: Replace the fragile cgo linker flag "-L." with an explicit
package-directory path by changing the LDFLAGS comment to use "-L${SRCDIR}" so
cgo resolves the library directory relative to the source instead of the build
temp dir; update the cgo directive above import "C" (the existing `#cgo LDFLAGS`
line in plugin.go) to reference ${SRCDIR} and keep the rest of the directive
intact.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 64166e77-7a0f-49fe-a1b5-2994eceefb59

📥 Commits

Reviewing files that changed from the base of the PR and between 9aba8a2 and 010a2a7.

📒 Files selected for processing (2)

• jans-cedarling/cedarling_opa/Makefile
• jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go`:
- Around line 54-59: Extract the duplicated stderr-aware print logic into a
single helper (e.g., func logMessage(stderr bool, msg string)) and replace the
duplicated blocks in Start and Reconfigure with calls to
logMessage(p.config.Stderr, "Initializing cedarling") (and the other message in
Reconfigure). Define the helper at file scope in plugin.go so both Start and
Reconfigure can call it, and keep using p.config.Stderr to determine whether to
write to os.Stderr or stdout.
- Around line 81-108: Reconfigure currently returns early on errors from
buildBootstrapConfig or cedarling_go.NewCedarling while only writing to stderr,
leaving p.cedar and plugin status unchanged; change Reconfigure to, on any error
from buildBootstrapConfig or NewCedarling, call
p.manager.UpdatePluginStatus(PluginName, &plugins.Status{State:
plugins.StateError, Message: err.Error()}) (or an appropriate non-OK state),
ensure p.config and p.cedar are not replaced, and if an old instance exists
leave it running (or explicitly shut it down only when new instance succeeds);
update references in the Reconfigure function around buildBootstrapConfig,
NewCedarling, p.config, p.cedar, old_cedar, and p.manager.UpdatePluginStatus to
implement this error-path status update and prevent silent failures.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 64dae309-0e1d-47e4-875d-38942a7d253e

📥 Commits

Reviewing files that changed from the base of the PR and between 010a2a7 and 65e05c9.

📒 Files selected for processing (1)

• jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go`:
- Around line 55-60: When Start (CedarPlugin.Start) fails during
buildBootstrapConfig, update the plugin status to mark startup as failed before
returning the error; replicate the same status transition and error reporting
logic used in Reconfigure's error path so the plugin doesn't remain stuck in
StateNotReady — call the same status/state update method Reconfigure uses
(include the error message) and then return the original err from
buildBootstrapConfig.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e8073988-8796-4d63-94a8-ea4aeff143b5

📥 Commits

Reviewing files that changed from the base of the PR and between 65e05c9 and 43f2f82.

📒 Files selected for processing (1)

• jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go

[SafinWasi]

@coderabbitai resume

[coderabbitai]

✅ Actions performed

Reviews resumed.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go`:
- Around line 42-52: buildBootstrapConfig currently unconditionally overwrites
bootstrap_config["CEDARLING_POLICY_STORE_LOCAL"], silently ignoring
user-supplied values; change it to first check if "CEDARLING_POLICY_STORE_LOCAL"
already exists in cfg.BootstrapConfig and return a validation error if so, then
proceed to marshal cfg.PolicyStore and set the key only when absent; apply the
same guard to the other config-builder that sets "CEDARLING_POLICY_STORE_LOCAL"
(the second block that serializes PolicyStore and assigns that key) so both
places fail fast on a user-provided key instead of overwriting it.
- Around line 75-83: When swapping out p.cedar in CedarPlugin.Stop serialize the
plugin status update with the pointer swap while holding p.mtx: acquire p.mtx,
copy p.cedar to a local (cedar), set p.cedar = nil, call
p.manager.UpdatePluginStatus(PluginName, &plugins.Status{State:
plugins.StateNotReady}) while still holding the lock, then unlock and finally,
if cedar != nil, call cedar.ShutDown(); apply the same pattern in Reconfigure so
its p.manager.UpdatePluginStatus(PluginName, &plugins.Status{State:
plugins.StateOK}) is performed while holding p.mtx to prevent races between
pointer swaps and status publishes.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ddb0544a-14ce-4a1e-ac31-66cd801c7119

📥 Commits

Reviewing files that changed from the base of the PR and between 65e05c9 and 326f602.

📒 Files selected for processing (1)

• jans-cedarling/cedarling_opa/plugins/cedarling_opa/plugin.go