policy_api: implement policy reduction and apply default values

scuba_argument_parser: fix bug in converting argument value data types drive rego: fix 6.1 for subOUs/groups policy_api: add ability to dump Google's raw policy response installation & OPA instructions: add more detail about setup downloading OPA
cisagov · Dec 18, 2024 · 9157948 · 9157948
1 parent 7994a57
commit 9157948
Show file tree

Hide file tree

Showing 6 changed files with 513 additions and 214 deletions.
diff --git a/docs/installation/DownloadAndInstall.md b/docs/installation/DownloadAndInstall.md
@@ -1,17 +1,19 @@
 # Getting started
 
 > [!IMPORTANT]
-> Use of this tool requires access to an internet browser for initial setup and to view the html report output.
+> Use of this tool requires access to an internet browser for initial setup
+> and to view the html report output.
 
 Setting up to run ScubaGoggles for the first time involves the following steps:
 
 1. Install [Python 3](https://www.python.org/) on your system.
 2. (Optional) Create and activate a Python virtual environment.
 3. Install ScubaGoggles and dependencies into the Python environment.
-4. Run ScubaGoggles setup to specify the output directory, the location of the
-   OPA executable, and the credentials file.
-5. Download the Open Policy Agent (OPA) executable.
-6. Create a Google OAuth credential file, unless you'll be using a Google
+4. Run `scubagoggles setup` to specify the output directory, the location of the
+   OPA executable, and the credentials file.  By default, the setup will
+   download the Open Policy Agent (OPA)
+   executable.
+5. Create a Google OAuth credential file, unless you'll be using a Google
    service account.
 
 ## Install Python 3
@@ -127,7 +129,8 @@ location of the output directory.
 The ScubaGoggles setup utility lets you configure the data directory location,
 as well as the locations of the OPA executable and the Google credentials file.
 It is perfectly fine to locate the OPA executable and credentials files in the
-output directory you create.
+output directory you create.  Unless you specify otherwise, the OPA executable
+will be downloaded to the location you specify.
 
 When you run the setup utility, it will create a configuration file in your
 top-level user directory called `.scubagoggles` (**Note** the leading dot (.)

diff --git a/docs/installation/OPA.md b/docs/installation/OPA.md
@@ -1,9 +1,16 @@
 
 # Download the OPA executable
 
-The tool makes use of [Open Policy Agent's Rego Policy language](https://www.openpolicyagent.org/docs/latest/policy-language/).
-An OPA executable is required to execute this tool and can be downloaded
-with the `scubagoggles getopa` command.
+The tool makes use of [Open Policy Agent's Rego Policy language]
+(https://www.openpolicyagent.org/docs/latest/policy-language/).  By default,
+the `scubagoggles setup` command downloads the OPA executable.  You will only
+need to download the OPA executable separately if you need a **specific**
+version.  Otherwise, you may skip this step and continue to
+[Prerequisites](../prerequisites/Prerequisites.md).
+
+You may download the OPA executable, to either upgrade the version you
+currently have or use a specific version, using the `scubagoggles getopa`
+command:
 
 ```
 scubagoggles getopa --help
@@ -20,24 +27,34 @@ options:
   --opa_directory <directory>, -r <directory>
                         Directory containing OPA executable (default: location established by setup)
 ```
-```
+```bash
 # example
 scubagoggles getopa -v v0.60.0
 ```
 
 If you have run the [ScubaGoggles setup utility](DownloadAndInstall.md#ScubaGoggles-Setup-Utility),
 you will have specified the location of the OPA executable.  This location is
-used by `getopa` when downloading the OPA executable.
+used by `getopa` when downloading the OPA executable.  Optionally, you may
+download the executable to a location that is in the PATH environment variable.
+
+## Downloading the OPA Executable from the OPA Website
 
-1. If the above script can not execute for any reason or you would prefer to download OPA manually, go to the [Open Policy Agent website](https://www.openpolicyagent.org/docs/latest/#running-opa)
-2. Check the website for a compatible OPA version (Currently v0.45.0 and above) for ScubaGoggles and select the corresponding version on top left of the website
-3. Navigate to the menu on left side of the screen: `Introduction -> Running OPA -> Download OPA`
-4. Follow the instructions for downloading the respective OPA executable for your OS.
+1. If the above script can not execute for any reason or you would prefer to
+   download OPA manually, go to the [Open Policy Agent website]
+   (https://www.openpolicyagent.org/docs/latest/#running-opa)
+2. Check the website for a compatible OPA version (Currently v0.45.0 and above)
+   for ScubaGoggles and select the corresponding version on top left of the
+   website.
+3. Navigate to the menu on left side of the screen:
+   `Introduction -> Running OPA -> Download OPA`
+4. Follow the instructions for downloading the respective OPA executable for
+   your OS.
 
 > [!NOTE]
 > For linux and macOS, you must make sure the OPA executable has execute
-> permission.  If you downloaded the OPA executable using the `getopa`
-> subcommand, the permission has already been set correctly.
+> permission.  If you downloaded the OPA executable either during the setup
+> process or using the `getopa`subcommand, the permission has already been set
+> correctly.
 
 ```bash
 # give the opa executable execute permissions