feat: As a user, I want to include the request body in the opa-input, so that I can reason about its contents

[wistefan]

Description

In order to make decisions based on the request body, the OPA-Plugin will also forward the body when configured to do so.

Fixes #11387

Checklist

• I have explained the need for this PR and the problem it solves
• I have explained the changes or the new features added to this PR
• I have added tests corresponding to this change
• I have updated the documentation to reflect this change
• I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

[wistefan]

Is there anything I can do to get this PR forward?

[github-actions]

This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.

[moonming]

@wistefan Please synchronize the master code to trigger all CI

[wistefan]

@wistefan Please synchronize the master code to trigger all CI

@moonming Thank you for the review, I updated.

[LuciaCabanillasRodriguez]

Hello! If I want this new implementation with the request body, what should I do?

[Baoyuantop]

Hi @wistefan, please synchronize the latest master branch code to trigger the test.

[LuciaCabanillasRodriguez]

Hi, sorry I will take care as soon as I find time. @LuciaCabanillasRodriguez help would be very welcome, do you have the time to take a look at the test failures?

Hello! I tried to push a file to fix one of the issues, but I received a forbidden message. In any case, I solved it locally by running:

make lint
./utils/reindex t/plugin/opa3.t

[LuciaCabanillasRodriguez]

Regarding the error in t/discovery/consul_dump.t, I see that the test fails because the expected response from Consul isn’t being returned:
got: ''
expected: '{"service_a":[{"host":"127.0.0.1","port":30511,"weight":1}]}'

It seems like either the service_a isn’t being registered properly in Consul during the test, or the endpoint isn’t responding as expected.

As for the other warnings and errors like:
failed to do SSL handshake: certificate verify failed
http_init(): failed to load the configuration: connection refused

These appear to be related to missing services (like Consul or Etcd) or SSL verification issues, but I’m not entirely sure how to fix it with certainty.

[LuciaCabanillasRodriguez]

Good! I could remove one issue, the other one remains! Any help?? I would need some guidance on how to fix it

[Baoyuantop]

Maybe we can merge the master branch.

[LuciaCabanillasRodriguez]

Maybe we can merge the master branch.
Is there any update here?

[Baoyuantop]

Need to modify Chinese documents synchronously

[LuciaCabanillasRodriguez]

Updated!

[Baoyuantop]

The request body may contain sensitive information (passwords, API keys, etc.), so a security warning needs to be added.

[LuciaCabanillasRodriguez]

I have just added a security warning

[Baoyuantop]

We need to verify the body data received by OPA during the test.

[LuciaCabanillasRodriguez]

Should I do something?

[Baoyuantop]

You need to add more tests to verify this scenario.

[LuciaCabanillasRodriguez]

Hi @wistefan, could you please take a look? I’m running into some issues with Nginx and would appreciate your help. Thanks!

[Baoyuantop]

Hi @LuciaCabanillasRodriguez, do you need any help with this?

[Baoyuantop]

Please submit additional fixes to ensure all CI tests pass.

[Baoyuantop]

Hi @wistefan, is there still time to deal with these?

[LuciaCabanillasRodriguez]

Is there any update here?

[Baoyuantop]

The author may be unable to continue processing this PR.

[LuciaCabanillasRodriguez]

The logs for this run have expired and are no longer available.

[github-actions]

This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.

[Baoyuantop]

The current integration test is not strict enough.

In ci/pod/opa/with_body.rego, the rule allow { request.method == "POST" } makes the policy allow any POST request, regardless of whether the body is successfully sent or matched. Since all your test cases in t/plugin/opa3.t use POST, they would pass even if the body was missing or corrupted.

To truly verify that the body is being transmitted and parsed correctly by OPA, please update the rego policy to check for a specific value in the body (e.g., input.request.body.hello == "world"), and add a negative test case (e.g., sending `{"hello": "wrong"}) to ensure it gets blocked.

[LuciaCabanillasRodriguez]

Could you please check the 2 failing checks? I think they are not related with opa

[LuciaCabanillasRodriguez]

Could you check it? I think the failing checks are not related with opa

[Baoyuantop]

I reran the failed test.

[Sharoek]

Can three people with write access review this, please?