Skip to main content

Testing Policies

Authorization bugs are false allows — the highest-severity class of policy defects. Test Rego before EnforceAuth promotes bundles to production.

Local: opa test

From your policy repo root:

opa test ./policies --verbose

Tests are rules prefixed with test_ (or in _test.rego files):

package authz.api

import data.authz.api.allow

test_allow_admin if {
allow with input as {
"user": {"roles": ["admin"]},
"action": "delete",
"resource": {"type": "account"},
}
}

test_deny_guest_delete if {
not allow with input as {
"user": {"roles": ["guest"]},
"action": "delete",
"resource": {"type": "account"},
}
}

Use with input as to simulate PEP payloads without standing up services.

Coverage habits

ScenarioTest
Happy path allowtest_allow_*
Missing role / attributetest_deny_*
Suspended / blocked usertest_deny_suspended_*
Cross-tenant accesstest_deny_cross_tenant_*
Boundary valuesclearance levels, empty arrays

See Rego patterns for RBAC/ABAC/deny-override examples with tests.

opa eval for debugging

Ad-hoc evaluation without a full test file:

opa eval -d policies/ -i fixtures/input.json 'data.authz.allow'

Useful when iterating on a single rule before committing tests.

CI gate (every PR)

Run tests in GitHub Actions / GitLab CI before merge:

- name: OPA tests
run: |
curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
chmod +x opa
./opa test ./policies --verbose

EnforceAuth's deploy pipeline runs opa test again in the Testing phase — CI on the PR should catch failures first so developers get fast feedback.

Policy PRs created via the console (Save as Draft) should pass the same checks your repo enforces on branch protection.

EnforceAuth deploy pipeline

Deployment phases include Testing between Fetching and Building:

InitializingFetchingTestingBuildingDeployingComplete

A failing test aborts the run — status Failed in Deployments. Fix Rego locally, push, redeploy.

Pre-production validation

Before promoting stagingprod:

  1. Compare bundle revisions across environments (multi-environment)
  2. Review Top Triggered Policies on the Policies statistics tab for unexpected error rates
  3. Replay critical scenarios against staging PDP if you maintain a fixture suite outside opa test

EnforceAuth decision log replay for draft bundles is on the roadmap — today, combine opa test with staging traffic shadowing where feasible.

False allow mindset

Tests prove rules you wrote; they do not prove completeness. For each new allow rule, add at least one test that would have been denied before the change.

QA standard: treat authorization accuracy as S1 — see internal false-allow matrices for regulated pilots.