diff --git a/gso/auth/opa.py b/gso/auth/opa.py
new file mode 100644
index 0000000000000000000000000000000000000000..28c0cad8feff8d74207cda86078fdea0318b46ff
--- /dev/null
+++ b/gso/auth/opa.py
@@ -0,0 +1,44 @@
+from http import HTTPStatus
+
+from fastapi.exceptions import HTTPException
+from fastapi.params import Depends
+from httpx import AsyncClient, NetworkError
+from oauth2_lib.fastapi import OIDCUserModel, OPAAuthorization, OPAResult
+from oauth2_lib.settings import oauth2lib_settings
+from starlette.requests import Request
+from structlog import get_logger
+
+from gso.auth.oidc import oidc_instance
+
+logger = get_logger(__name__)
+
+
+class OPAAuthorization(OPAAuthorization):
+ _instance = None
+
+ def __new__(cls, *args, **kwargs):
+ if cls._instance is None:
+ cls._instance = super(OPAAuthorization, cls).__new__(cls)
+ return cls._instance
+
+ async def authorize(
+ self, request: Request, user_info: OIDCUserModel = Depends(oidc_instance.authenticate)
+ ) -> bool | None:
+ return await super().authorize(request, user_info)
+
+ async def get_decision(self, async_request: AsyncClient, opa_input: dict) -> OPAResult:
+ logger.debug("Posting input json to Policy agent", opa_url=self.opa_url, input=opa_input)
+ try:
+ result = await async_request.post(self.opa_url, json=opa_input)
+ except (NetworkError, TypeError) as exc:
+ logger.debug("Could not get decision from policy agent", error=str(exc))
+ raise HTTPException(status_code=HTTPStatus.SERVICE_UNAVAILABLE, detail="Policy agent is unavailable")
+
+ json_result = result.json()
+ logger.debug("Received decision from policy agent", decision=json_result)
+ return OPAResult(decision_id=json_result["decision_id"], result=json_result["result"]["allow"])
+
+
+opa_instance = OPAAuthorization(
+ opa_url=oauth2lib_settings.OPA_URL,
+)
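Review bot: `get_decision` is not fail-closed against an unexpected answer from the policy agent: it calls `result.json()` without checking the HTTP status, and `json_result["decision_id"]` / `json_result["result"]["allow"]` raise `KeyError` whenever a key is absent, which OPA's Data API does for an undefined policy path (an empty `{}` body) and, if I recall the API correctly, for `decision_id` whenever decision logging is disabled — the caller then gets an unhandled 500 instead of the deliberate 503 or a deny. The `except (NetworkError, TypeError)` also misses `httpx.TimeoutException`, a sibling of `NetworkError` under `httpx.TransportError`, so a slow OPA surfaces as a 500 rather than `SERVICE_UNAVAILABLE`, while catching `TypeError` hides programming errors such as a non-serialisable `opa_input`. I would catch `httpx.HTTPError` (transport errors, timeouts and, after `raise_for_status()`, non-2xx answers) and read the decision keys defensively so that a malformed answer is a deny; this changes the import line to `from httpx import AsyncClient, HTTPError` and assumes `OPAResult.decision_id` may be `None` — check the oauth2_lib model. Separately, the class shadows the `OPAAuthorization` it subclasses, which is what forces the explicit `super(OPAAuthorization, cls)` in `__new__`; `class GsoOPAAuthorization(OPAAuthorization)` or `from oauth2_lib.fastapi import OPAAuthorization as BaseOPAAuthorization` would make the singleton readable. The two `logger.debug` calls emit the full `opa_input` and decision, which presumably carry the OIDC user claims; that is acceptable at debug level but deserves a comment such as `# debug only: input carries the caller's identity claims` so nobody later promotes them to info.
```python
    async def get_decision(self, async_request: AsyncClient, opa_input: dict) -> OPAResult:
        # … unchanged: debug log of the outgoing input …
        try:
            result = await async_request.post(self.opa_url, json=opa_input)
            result.raise_for_status()
        except HTTPError as exc:  # connection errors, timeouts and non-2xx answers alike
            logger.debug("Could not get decision from policy agent", error=str(exc))
            raise HTTPException(status_code=HTTPStatus.SERVICE_UNAVAILABLE, detail="Policy agent is unavailable")

        json_result = result.json()
        logger.debug("Received decision from policy agent", decision=json_result)
        # Fail closed: an undefined policy document (no "result"), a non-object
        # result or a missing "allow" key is a deny, never an unhandled exception.
        policy_result = json_result.get("result")
        allow = isinstance(policy_result, dict) and policy_result.get("allow") is True
        return OPAResult(decision_id=json_result.get("decision_id"), result=allow)
```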
diff --git a/gso/migrations/versions/2024-04-02_1ec810b289c0_add_orchestrator_2_1_2_migrations.py b/gso/migrations/versions/2024-04-02_1ec810b289c0_add_orchestrator_2_1_2_migrations.py
new file mode 100644
index 0000000000000000000000000000000000000000..aa9593a8ba0279329a6361900a1965b2eddc365c
--- /dev/null
+++ b/gso/migrations/versions/2024-04-02_1ec810b289c0_add_orchestrator_2_1_2_migrations.py
@@ -0,0 +1,23 @@
+"""remove subscription cancellation workflow.
+
+Revision ID: 1ec810b289c0
+Revises:
+Create Date: 2024-04-02 10:21:08.539591
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '1ec810b289c0'
+down_revision = '4ec89ab289c0'
+branch_labels = None
+# TODO: check it carefuly
+depends_on = '048219045729' # in this revision, SURF has added a new columns to the workflow table like delted_at, so we need to add a dependency on the revision that added the columns to the workflow table.
+
+
+def upgrade() -> None:
+ pass
+
+
+def downgrade() -> None:
+ pass
+
diff --git a/log.txt b/log.txt
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/requirements.txt b/requirements.txt
index 3463f0c52bfebe389377947e0ae1d39065e0fdc0..a430ae38c707028526b4e36a0735110ec0b44157 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
-orchestrator-core==2.2.1
+orchestrator-core==2.1.2
 requests==2.31.0
 infoblox-client~=0.6.0
 pycountry==23.12.11
diff --git a/test/auth/test_oidc_policy_helper.py b/test/auth/test_oidc_policy_helper.py
index 17bed723430d913ef88e1f95f09b7a6b2b6e088d..844c08ff28f383f7ff2860c54a4a817f3c3398ff 100644
--- a/test/auth/test_oidc_policy_helper.py
+++ b/test/auth/test_oidc_policy_helper.py
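Review bot: The migration's header and body disagree: the docstring says `Revises:` with no revision while `down_revision = '4ec89ab289c0'` is set, and the title "remove subscription cancellation workflow" describes work that `upgrade()` and `downgrade()` (both `pass`) do not do. If, as the inline comment suggests, the file exists only to declare the dependency on `048219045729` so that orchestrator-core 2.1.2's workflow-table columns are in place before later revisions run, the docstring should say exactly that, e.g. `"""No-op revision: pin the dependency on orchestrator-core's workflow-table migration 048219045729."""` with `Revises: 4ec89ab289c0`. The `# TODO: check it carefuly` next to `depends_on` should be resolved, or at least become `# TODO(owner): verify 048219045729 is the revision that added workflow.deleted_at`, before this merges, because a wrong `depends_on` changes the order in which Alembic applies revisions; the comment also has typos ('carefuly', 'delted_at', 'a new columns'). A bare `pass` in both functions is fine for a dependency-only revision, but a one-line `# intentionally empty: dependency-only revision` in each makes that intent explicit.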
@@ -7,13 +7,7 @@ from httpx import AsyncClient, NetworkError, Response
 from gso.auth.oidc_policy_helper import (
 OIDCConfig,
- OIDCUser,
- OIDCUserModel,
- OPAResult,
- _evaluate_decision,
- _get_decision,
- _is_callback_step_endpoint,
- opa_decision,
+ OIDCUser, OIDCUserModel, OPAResult, opa_decision, _get_decision, _evaluate_decision, _is_callback_step_endpoint,
 )
 from gso.auth.settings import oauth2lib_settings