From 5f05a50a854abf16748d4a84eb8afa54f14d9fa7 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Tue, 8 Oct 2024 09:53:54 +0200
Subject: [PATCH 01/22] add body support for the opa plugin

---
 apisix/plugins/opa.lua        |  1 +
 apisix/plugins/opa/helper.lua | 23 +++++++++
 t/plugin/opa3.t               | 91 +++++++++++++++++++++++++++++++++++
 3 files changed, 115 insertions(+)
 create mode 100644 t/plugin/opa3.t

diff --git a/apisix/plugins/opa.lua b/apisix/plugins/opa.lua
index 0475529f0c17..fd4989077b28 100644
--- a/apisix/plugins/opa.lua
+++ b/apisix/plugins/opa.lua
@@ -51,6 +51,7 @@ local schema = {
         with_route = {type = "boolean", default = false},
         with_service = {type = "boolean", default = false},
         with_consumer = {type = "boolean", default = false},
+        with_body = {type = "boolean", default = false},
     },
     required = {"host", "policy"}
 }
diff --git a/apisix/plugins/opa/helper.lua b/apisix/plugins/opa/helper.lua
index 638adcf0ef87..a14baee41f89 100644
--- a/apisix/plugins/opa/helper.lua
+++ b/apisix/plugins/opa/helper.lua
@@ -45,8 +45,31 @@ local function build_http_request(conf, ctx)
         headers = core.request.headers(ctx),
         query   = core.request.get_uri_args(ctx),
     }
+
+
+    if conf.with_body then
+        http.body = get_body()
+    end
+      
+    return http
 end
 
+local function get_body() 
+    local original_body, err = core.request.get_body()
+    if err ~= nil then
+        error("opa - failed to get request body: ", err)
+    end
+    if body = nil then 
+        return nil
+    end
+    -- decode to prevent double encoded json objects
+    body, err = core.json.decode(original_body)
+    if err ~nil then
+        -- if its not json, the body can just be added
+        body = original_body
+    end
+    return body
+end
 
 local function build_http_route(conf, ctx, remove_upstream)
     local route = core.table.deepcopy(ctx.matched_route).value
diff --git a/t/plugin/opa3.t b/t/plugin/opa3.t
new file mode 100644
index 000000000000..05f256f98304
--- /dev/null
+++ b/t/plugin/opa3.t
@@ -0,0 +1,91 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    if (!defined $block->request) {
+        $block->set_value("request", "GET /t");
+    }
+});
+
+run_tests();
+
+__DATA__
+
+
+=== TEST 1: setup route with plugin
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{    
+                        "methods": ["POST"],
+                        "plugins": {
+                            "opa": {
+                                "host": "http://127.0.0.1:8181",
+                                "policy": "example",
+                                "with_body": true
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1980": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uris": ["/hello", "/test"]
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(code..body)
+        }
+    }
+--- response_body
+passed
+
+=== TEST 3: hit route (with empty request)
+--- request
+POST /hello
+--- response_body
+200
+
+=== TEST 4: hit route (with json request)
+--- request
+POST /hello
+{
+    "hello": "world"
+}
+--- response_body
+200 {"hello": "world"}
+
+=== TEST 5: hit route (with non-json request)
+--- request
+POST /hello
+hello world
+--- response_body
+200 hello world
\ No newline at end of file

From a04ec4baa6cfbdb522304553629a0d6a5551e750 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Tue, 8 Oct 2024 10:50:06 +0200
Subject: [PATCH 02/22] fix method calls and test names

---
 apisix/plugins/opa/helper.lua | 38 +++++++++++++++++------------------
 t/plugin/opa3.t               |  8 ++++----
 2 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/apisix/plugins/opa/helper.lua b/apisix/plugins/opa/helper.lua
index a14baee41f89..c1506b81f751 100644
--- a/apisix/plugins/opa/helper.lua
+++ b/apisix/plugins/opa/helper.lua
@@ -35,8 +35,25 @@ local function build_var(conf, ctx)
 end
 
 
+local function get_body_for_request() 
+    local original_body, err = core.request.get_body()
+    if err ~= nil then
+        error("opa - failed to get request body: ", err)
+    end
+    if body == nil then 
+        return nil
+    end
+    -- decode to prevent double encoded json objects
+    body, err = core.json.decode(original_body)
+    if err ~= nil then
+        -- if its not json, the body can just be added
+        body = original_body
+    end
+    return body
+end
+
 local function build_http_request(conf, ctx)
-    return {
+    local http = {
         scheme  = core.request.get_scheme(ctx),
         method  = core.request.get_method(),
         host    = core.request.get_host(ctx),
@@ -48,29 +65,12 @@ local function build_http_request(conf, ctx)
 
 
     if conf.with_body then
-        http.body = get_body()
+        http.body = get_body_for_request()
     end
       
     return http
 end
 
-local function get_body() 
-    local original_body, err = core.request.get_body()
-    if err ~= nil then
-        error("opa - failed to get request body: ", err)
-    end
-    if body = nil then 
-        return nil
-    end
-    -- decode to prevent double encoded json objects
-    body, err = core.json.decode(original_body)
-    if err ~nil then
-        -- if its not json, the body can just be added
-        body = original_body
-    end
-    return body
-end
-
 local function build_http_route(conf, ctx, remove_upstream)
     local route = core.table.deepcopy(ctx.matched_route).value
 
diff --git a/t/plugin/opa3.t b/t/plugin/opa3.t
index 05f256f98304..bb0fd87f00d6 100644
--- a/t/plugin/opa3.t
+++ b/t/plugin/opa3.t
@@ -66,15 +66,15 @@ __DATA__
         }
     }
 --- response_body
-passed
+200passed
 
-=== TEST 3: hit route (with empty request)
+=== TEST 2: hit route (with empty request)
 --- request
 POST /hello
 --- response_body
 200
 
-=== TEST 4: hit route (with json request)
+=== TEST 3: hit route (with json request)
 --- request
 POST /hello
 {
@@ -83,7 +83,7 @@ POST /hello
 --- response_body
 200 {"hello": "world"}
 
-=== TEST 5: hit route (with non-json request)
+=== TEST 4: hit route (with non-json request)
 --- request
 POST /hello
 hello world

From c86bc2cb8e5a89ccb15716f92b4b360d626de384 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Tue, 8 Oct 2024 10:53:16 +0200
Subject: [PATCH 03/22] fix linting issues

---
 apisix/plugins/opa/helper.lua | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/apisix/plugins/opa/helper.lua b/apisix/plugins/opa/helper.lua
index c1506b81f751..ad053cb1906b 100644
--- a/apisix/plugins/opa/helper.lua
+++ b/apisix/plugins/opa/helper.lua
@@ -34,13 +34,12 @@ local function build_var(conf, ctx)
     }
 end
 
-
-local function get_body_for_request() 
+local function get_body_for_request()
     local original_body, err = core.request.get_body()
     if err ~= nil then
         error("opa - failed to get request body: ", err)
     end
-    if body == nil then 
+    if body == nil then
         return nil
     end
     -- decode to prevent double encoded json objects
@@ -67,7 +66,7 @@ local function build_http_request(conf, ctx)
     if conf.with_body then
         http.body = get_body_for_request()
     end
-      
+    
     return http
 end
 

From 7b1a8b61c78dd41c4b6d19fdb9d20a19bd0b22ad Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Tue, 8 Oct 2024 12:49:06 +0200
Subject: [PATCH 04/22] fix tests

---
 apisix/plugins/opa.lua           |  2 +-
 apisix/plugins/opa/helper.lua    |  1 -
 ci/pod/docker-compose.plugin.yml |  5 ++++-
 ci/pod/opa/with_body.rego        | 29 +++++++++++++++++++++++++++++
 t/plugin/opa3.t                  | 16 ++++++++--------
 5 files changed, 42 insertions(+), 11 deletions(-)
 create mode 100644 ci/pod/opa/with_body.rego

diff --git a/apisix/plugins/opa.lua b/apisix/plugins/opa.lua
index fd4989077b28..e7df086cbd1d 100644
--- a/apisix/plugins/opa.lua
+++ b/apisix/plugins/opa.lua
@@ -51,7 +51,7 @@ local schema = {
         with_route = {type = "boolean", default = false},
         with_service = {type = "boolean", default = false},
         with_consumer = {type = "boolean", default = false},
-        with_body = {type = "boolean", default = false},
+        with_body = {type = "boolean", default = false}
     },
     required = {"host", "policy"}
 }
diff --git a/apisix/plugins/opa/helper.lua b/apisix/plugins/opa/helper.lua
index ad053cb1906b..a67d11bec97b 100644
--- a/apisix/plugins/opa/helper.lua
+++ b/apisix/plugins/opa/helper.lua
@@ -62,7 +62,6 @@ local function build_http_request(conf, ctx)
         query   = core.request.get_uri_args(ctx),
     }
 
-
     if conf.with_body then
         http.body = get_body_for_request()
     end
diff --git a/ci/pod/docker-compose.plugin.yml b/ci/pod/docker-compose.plugin.yml
index 55f2b443c495..6c8dadea82aa 100644
--- a/ci/pod/docker-compose.plugin.yml
+++ b/ci/pod/docker-compose.plugin.yml
@@ -183,11 +183,14 @@ services:
     restart: unless-stopped
     ports:
       - 8181:8181
-    command: run -s /example.rego /echo.rego /data.json /with_route.rego
+    command: run -s /example.rego /echo.rego /data.json /with_route.rego /with_body.rego
     volumes:
       - type: bind
         source: ./ci/pod/opa/with_route.rego
         target: /with_route.rego
+      - type: bind
+        source: ./ci/pod/opa/with_body.rego
+        target: /with_body.rego
       - type: bind
         source: ./ci/pod/opa/example.rego
         target: /example.rego
diff --git a/ci/pod/opa/with_body.rego b/ci/pod/opa/with_body.rego
new file mode 100644
index 000000000000..f5606d3ff242
--- /dev/null
+++ b/ci/pod/opa/with_body.rego
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+package with_body
+
+import input.request
+
+default allow = false
+
+allow {
+    request.method == "POST"
+}
+
+allow {
+    request.body
+}
\ No newline at end of file
diff --git a/t/plugin/opa3.t b/t/plugin/opa3.t
index bb0fd87f00d6..3a72e4c84756 100644
--- a/t/plugin/opa3.t
+++ b/t/plugin/opa3.t
@@ -39,13 +39,13 @@ __DATA__
         content_by_lua_block {
             local t = require("lib.test_admin").test
             local code, body = t('/apisix/admin/routes/1',
-                 ngx.HTTP_PUT,
-                 [[{    
+                ngx.HTTP_PUT,
+                [[{    
                         "methods": ["POST"],
                         "plugins": {
                             "opa": {
                                 "host": "http://127.0.0.1:8181",
-                                "policy": "example",
+                                "policy": "with_body",
                                 "with_body": true
                             }
                         },
@@ -62,17 +62,17 @@ __DATA__
             if code >= 300 then
                 ngx.status = code
             end
-            ngx.say(code..body)
+            ngx.say(body)
         }
     }
 --- response_body
-200passed
+passed
 
 === TEST 2: hit route (with empty request)
 --- request
 POST /hello
 --- response_body
-200
+hello world
 
 === TEST 3: hit route (with json request)
 --- request
@@ -81,11 +81,11 @@ POST /hello
     "hello": "world"
 }
 --- response_body
-200 {"hello": "world"}
+hello world
 
 === TEST 4: hit route (with non-json request)
 --- request
 POST /hello
 hello world
 --- response_body
-200 hello world
\ No newline at end of file
+hello world

From 6eeaac5d183d288e238464aed27571279c266607 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Tue, 8 Oct 2024 12:51:21 +0200
Subject: [PATCH 05/22] linting fixes

---
 apisix/plugins/opa/helper.lua | 2 +-
 ci/pod/opa/with_body.rego     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apisix/plugins/opa/helper.lua b/apisix/plugins/opa/helper.lua
index a67d11bec97b..c0650fc7a103 100644
--- a/apisix/plugins/opa/helper.lua
+++ b/apisix/plugins/opa/helper.lua
@@ -65,7 +65,7 @@ local function build_http_request(conf, ctx)
     if conf.with_body then
         http.body = get_body_for_request()
     end
-    
+
     return http
 end
 
diff --git a/ci/pod/opa/with_body.rego b/ci/pod/opa/with_body.rego
index f5606d3ff242..9a9ef2a5463b 100644
--- a/ci/pod/opa/with_body.rego
+++ b/ci/pod/opa/with_body.rego
@@ -26,4 +26,4 @@ allow {
 
 allow {
     request.body
-}
\ No newline at end of file
+}

From cea6be4b928ca09bbf2a379b9482741158bf5c9a Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Tue, 8 Oct 2024 12:59:35 +0200
Subject: [PATCH 06/22] fix linting

---
 t/plugin/opa3.t | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/t/plugin/opa3.t b/t/plugin/opa3.t
index 3a72e4c84756..ebc3faac530d 100644
--- a/t/plugin/opa3.t
+++ b/t/plugin/opa3.t
@@ -40,7 +40,7 @@ __DATA__
             local t = require("lib.test_admin").test
             local code, body = t('/apisix/admin/routes/1',
                 ngx.HTTP_PUT,
-                [[{    
+                [[{   
                         "methods": ["POST"],
                         "plugins": {
                             "opa": {

From 3aa6a48e3a83026e244c38fd74e2e0472a5f3d84 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Tue, 8 Oct 2024 13:05:45 +0200
Subject: [PATCH 07/22] add doc

---
 docs/en/latest/plugins/opa.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/en/latest/plugins/opa.md b/docs/en/latest/plugins/opa.md
index 12d79a2e36da..528b751153c8 100644
--- a/docs/en/latest/plugins/opa.md
+++ b/docs/en/latest/plugins/opa.md
@@ -46,6 +46,7 @@ The `opa` Plugin can be used to integrate with [Open Policy Agent (OPA)](https:/
 | with_route        | boolean | False    | false   |               | When set to true, sends information about the current Route.                                                                                                                               |
 | with_service      | boolean | False    | false   |               | When set to true, sends information about the current Service.                                                                                                                             |
 | with_consumer     | boolean | False    | false   |               | When set to true, sends information about the current Consumer. Note that this may send sensitive information like the API key. Make sure to turn it on only when you are sure it is safe. |
+| with_body         | boolean | False    | false   |               | When set to true, sends the request body. |
 
 ## Data definition
 

From 656a3f09e0d551dff3b5d816fa0b308dca995ca8 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Tue, 8 Oct 2024 13:29:55 +0200
Subject: [PATCH 08/22] clean

---
 t/plugin/opa3.t | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/t/plugin/opa3.t b/t/plugin/opa3.t
index ebc3faac530d..315f1278bdb0 100644
--- a/t/plugin/opa3.t
+++ b/t/plugin/opa3.t
@@ -40,7 +40,7 @@ __DATA__
             local t = require("lib.test_admin").test
             local code, body = t('/apisix/admin/routes/1',
                 ngx.HTTP_PUT,
-                [[{   
+                [[{  
                         "methods": ["POST"],
                         "plugins": {
                             "opa": {

From 13c775f971f7b3e03e3d0d07a905a1058cc53987 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Tue, 8 Oct 2024 13:32:59 +0200
Subject: [PATCH 09/22] still lintign

---
 t/plugin/opa3.t | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/t/plugin/opa3.t b/t/plugin/opa3.t
index 315f1278bdb0..440bdd69b4d2 100644
--- a/t/plugin/opa3.t
+++ b/t/plugin/opa3.t
@@ -40,7 +40,7 @@ __DATA__
             local t = require("lib.test_admin").test
             local code, body = t('/apisix/admin/routes/1',
                 ngx.HTTP_PUT,
-                [[{  
+                [[{
                         "methods": ["POST"],
                         "plugins": {
                             "opa": {

From 73738b7e879c7bc6d7c46d720437dbffe2f565c9 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Wed, 9 Oct 2024 07:45:17 +0200
Subject: [PATCH 10/22] fix linter issues

---
 apisix/plugins/opa/helper.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apisix/plugins/opa/helper.lua b/apisix/plugins/opa/helper.lua
index c0650fc7a103..5369f52cab2a 100644
--- a/apisix/plugins/opa/helper.lua
+++ b/apisix/plugins/opa/helper.lua
@@ -39,11 +39,11 @@ local function get_body_for_request()
     if err ~= nil then
         error("opa - failed to get request body: ", err)
     end
-    if body == nil then
+    if original_body == nil then
         return nil
     end
     -- decode to prevent double encoded json objects
-    body, err = core.json.decode(original_body)
+    local body, err = core.json.decode(original_body)
     if err ~= nil then
         -- if its not json, the body can just be added
         body = original_body

From cf69c83ee42174c7f47bb823d846203020c2d2bd Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Mon, 14 Oct 2024 07:14:24 +0200
Subject: [PATCH 11/22] change the error call

---
 apisix/plugins/opa/helper.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apisix/plugins/opa/helper.lua b/apisix/plugins/opa/helper.lua
index 5369f52cab2a..648a9fea7375 100644
--- a/apisix/plugins/opa/helper.lua
+++ b/apisix/plugins/opa/helper.lua
@@ -37,7 +37,7 @@ end
 local function get_body_for_request()
     local original_body, err = core.request.get_body()
     if err ~= nil then
-        error("opa - failed to get request body: ", err)
+        error("opa - failed to get request body: " .. err)
     end
     if original_body == nil then
         return nil

From 0b0e045c3014998a0f8b0250a5d90de2d0b171e0 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Tue, 7 Jan 2025 08:09:28 +0100
Subject: [PATCH 12/22] Update apisix/plugins/opa/helper.lua

Co-authored-by: Ming Wen <moonbingbing@gmail.com>
---
 apisix/plugins/opa/helper.lua | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/apisix/plugins/opa/helper.lua b/apisix/plugins/opa/helper.lua
index 648a9fea7375..59e3a8c35cca 100644
--- a/apisix/plugins/opa/helper.lua
+++ b/apisix/plugins/opa/helper.lua
@@ -63,7 +63,12 @@ local function build_http_request(conf, ctx)
     }
 
     if conf.with_body then
-        http.body = get_body_for_request()
+        local body, err = get_body_for_request()
+        if err then
+            core.log.warn(err)
+        else
+            http.body = body
+        end
     end
 
     return http

From fdc9b53926b72182b6ebfda79127c28201855fd8 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Tue, 7 Jan 2025 08:09:38 +0100
Subject: [PATCH 13/22] Update apisix/plugins/opa/helper.lua

Co-authored-by: Ming Wen <moonbingbing@gmail.com>
---
 apisix/plugins/opa/helper.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apisix/plugins/opa/helper.lua b/apisix/plugins/opa/helper.lua
index 59e3a8c35cca..b798d9ac97eb 100644
--- a/apisix/plugins/opa/helper.lua
+++ b/apisix/plugins/opa/helper.lua
@@ -37,7 +37,7 @@ end
 local function get_body_for_request()
     local original_body, err = core.request.get_body()
     if err ~= nil then
-        error("opa - failed to get request body: " .. err)
+        return nil, "failed to get request body: " .. err
     end
     if original_body == nil then
         return nil

From 6d1d6721ccbf8e189806b663046735a98e4445b9 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Mon, 31 Mar 2025 09:50:52 +0200
Subject: [PATCH 14/22] Update apisix/plugins/opa/helper.lua

Co-authored-by: Baoyuan <baoyuan.top@gmail.com>
---
 apisix/plugins/opa/helper.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apisix/plugins/opa/helper.lua b/apisix/plugins/opa/helper.lua
index b798d9ac97eb..11d9e676b4f9 100644
--- a/apisix/plugins/opa/helper.lua
+++ b/apisix/plugins/opa/helper.lua
@@ -36,7 +36,7 @@ end
 
 local function get_body_for_request()
     local original_body, err = core.request.get_body()
-    if err ~= nil then
+    if err then
         return nil, "failed to get request body: " .. err
     end
     if original_body == nil then

From 897599c3697edb5e81d6d7b1d55cbffbde9f18b3 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Mon, 31 Mar 2025 10:03:13 +0200
Subject: [PATCH 15/22] add docu and change log level

---
 apisix/plugins/opa/helper.lua | 2 +-
 docs/en/latest/plugins/opa.md | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/apisix/plugins/opa/helper.lua b/apisix/plugins/opa/helper.lua
index 11d9e676b4f9..7b7a4b9b3dee 100644
--- a/apisix/plugins/opa/helper.lua
+++ b/apisix/plugins/opa/helper.lua
@@ -65,7 +65,7 @@ local function build_http_request(conf, ctx)
     if conf.with_body then
         local body, err = get_body_for_request()
         if err then
-            core.log.warn(err)
+            core.log.error(err)
         else
             http.body = body
         end
diff --git a/docs/en/latest/plugins/opa.md b/docs/en/latest/plugins/opa.md
index 528b751153c8..f93beb7b0ad6 100644
--- a/docs/en/latest/plugins/opa.md
+++ b/docs/en/latest/plugins/opa.md
@@ -79,7 +79,8 @@ The JSON below shows the data sent to the OPA service by APISIX:
     },
     "route": {},
     "service": {},
-    "consumer": {}
+    "consumer": {},
+    "body": {}
 }
 ```
 
@@ -88,6 +89,7 @@ Each of these keys are explained below:
 - `type` indicates the request type (`http` or `stream`).
 - `request` is used when the `type` is `http` and contains the basic request information (URL, headers etc).
 - `var` contains the basic information about the requested connection (IP, port, request timestamp etc).
+- `body` constains the http-body of the request
 - `route`, `service` and `consumer` contains the same data as stored in APISIX and are only sent if the `opa` Plugin is configured on these objects.
 
 ### OPA service to APISIX

From f01ac3936eaf816acface8b3e5091671f7420854 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann <wistefan@googlemail.com>
Date: Thu, 17 Apr 2025 12:51:57 +0200
Subject: [PATCH 16/22] fix typo

---
 docs/en/latest/plugins/opa.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/en/latest/plugins/opa.md b/docs/en/latest/plugins/opa.md
index f93beb7b0ad6..6296812223c5 100644
--- a/docs/en/latest/plugins/opa.md
+++ b/docs/en/latest/plugins/opa.md
@@ -89,7 +89,7 @@ Each of these keys are explained below:
 - `type` indicates the request type (`http` or `stream`).
 - `request` is used when the `type` is `http` and contains the basic request information (URL, headers etc).
 - `var` contains the basic information about the requested connection (IP, port, request timestamp etc).
-- `body` constains the http-body of the request
+- `body` contains the http-body of the request
 - `route`, `service` and `consumer` contains the same data as stored in APISIX and are only sent if the `opa` Plugin is configured on these objects.
 
 ### OPA service to APISIX

From c4fdd13f5a56b98db23d467ecdba50ead3c37332 Mon Sep 17 00:00:00 2001
From: LuciaCabanillasRodriguez <lucia.cabanillasrodriguez@telefonica.com>
Date: Mon, 9 Jun 2025 15:55:21 +0200
Subject: [PATCH 17/22] reindex opa3.t

---
 t/plugin/opa3.t | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/t/plugin/opa3.t b/t/plugin/opa3.t
index 440bdd69b4d2..412a646e3038 100644
--- a/t/plugin/opa3.t
+++ b/t/plugin/opa3.t
@@ -32,7 +32,6 @@ run_tests();
 
 __DATA__
 
-
 === TEST 1: setup route with plugin
 --- config
     location /t {
@@ -68,12 +67,16 @@ __DATA__
 --- response_body
 passed
 
+
+
 === TEST 2: hit route (with empty request)
 --- request
 POST /hello
 --- response_body
 hello world
 
+
+
 === TEST 3: hit route (with json request)
 --- request
 POST /hello
@@ -83,6 +86,8 @@ POST /hello
 --- response_body
 hello world
 
+
+
 === TEST 4: hit route (with non-json request)
 --- request
 POST /hello

From 463b92f004fdf9bd88f00158f970ec486d448263 Mon Sep 17 00:00:00 2001
From: LuciaCabanillasRodriguez <lucia.cabanillasrodriguez@telefonica.com>
Date: Wed, 25 Jun 2025 14:50:18 +0200
Subject: [PATCH 18/22] security warning

---
 docs/en/latest/plugins/opa.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/en/latest/plugins/opa.md b/docs/en/latest/plugins/opa.md
index 6296812223c5..b047b63d8e20 100644
--- a/docs/en/latest/plugins/opa.md
+++ b/docs/en/latest/plugins/opa.md
@@ -46,7 +46,7 @@ The `opa` Plugin can be used to integrate with [Open Policy Agent (OPA)](https:/
 | with_route        | boolean | False    | false   |               | When set to true, sends information about the current Route.                                                                                                                               |
 | with_service      | boolean | False    | false   |               | When set to true, sends information about the current Service.                                                                                                                             |
 | with_consumer     | boolean | False    | false   |               | When set to true, sends information about the current Consumer. Note that this may send sensitive information like the API key. Make sure to turn it on only when you are sure it is safe. |
-| with_body         | boolean | False    | false   |               | When set to true, sends the request body. |
+| with_body         | boolean | False    | false   |               | When set to true, sends the request body. Note that this may send sensitive information such as passwords or API keys. Make sure to enable it only if you understand the security implications. |
 
 ## Data definition
 

From 8f6bd310e8381c829c9a7af7eb1f1cff462c7699 Mon Sep 17 00:00:00 2001
From: LuciaCabanillasRodriguez <lucia.cabanillasrodriguez@telefonica.com>
Date: Mon, 30 Jun 2025 09:33:10 +0200
Subject: [PATCH 19/22] updated Chinese documentation

---
 docs/zh/latest/plugins/opa.md | 100 +++++++++++++++++-----------------
 1 file changed, 50 insertions(+), 50 deletions(-)

diff --git a/docs/zh/latest/plugins/opa.md b/docs/zh/latest/plugins/opa.md
index a72a2f1a9520..d59839c62679 100644
--- a/docs/zh/latest/plugins/opa.md
+++ b/docs/zh/latest/plugins/opa.md
@@ -2,11 +2,11 @@
 title: opa
 keywords:
   - Apache APISIX
-  - API 网关
-  - Plugin
+  - API Gateway
+  - 插件
   - Open Policy Agent
   - opa
-description: 本篇文档介绍了 Apache APISIX 通过 opa 插件与 Open Policy Agent 对接的相关信息。
+description: 本文档包含有关 Apache APISIX opa 插件的信息。
 ---
 
 <!--
@@ -30,28 +30,29 @@ description: 本篇文档介绍了 Apache APISIX 通过 opa 插件与 Open Polic
 
 ## 描述
 
-`opa` 插件可用于与 [Open Policy Agent](https://www.openpolicyagent.org) 进行集成，实现后端服务的认证授权与访问服务等功能解耦，减少系统复杂性。
+`opa` 插件可用于与 [Open Policy Agent (OPA)](https://www.openpolicyagent.org) 集成。OPA 是一个策略引擎，帮助定义和执行授权策略，用以判断用户或应用程序是否拥有执行特定操作或访问特定资源的必要权限。将 OPA 与 APISIX 配合使用可以将授权逻辑从 APISIX 中解耦。
 
 ## 属性
 
-| 名称              | 类型    | 必选项 | 默认值 | 有效值  | 描述                                                                                                                                                                                |
-|-------------------|---------|----------|---------|---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| host              | string  | 是     |         |               | OPA 服务的主机地址，例如 `https://localhost:8181`。                                                                                                                   |
-| ssl_verify        | boolean | 否    | true    |               | 当设置为 `true` 时，将验证 SSL 证书。                                                                                                                                          |
-| policy            | string  | 是     |         |               | OPA 策略路径，是 `package` 和 `decision` 配置的组合。当使用高级功能（如自定义响应）时，你可以省略 `decision` 配置。                                                  |
-| timeout           | integer | 否    | 3000ms  | [1, 60000]ms  | 设置 HTTP 调用超时时间。                                                                                                                                                                |
-| keepalive         | boolean | 否    | true    |               | 当设置为 `true` 时，将为多个请求保持连接并处于活动状态。                                                                                                                               |
-| keepalive_timeout | integer | 否    | 60000ms | [1000, ...]ms | 连接断开后的闲置时间。                                                                                                                                                                        |
-| keepalive_pool    | integer | 否    | 5       | [1, ...]ms    | 连接池限制。                                                                                                                                                                    |
-| with_route        | boolean | 否    | false   |               | 当设置为 `true` 时，发送关于当前 Route 的信息。                                                                                                                              |
-| with_service      | boolean | 否    | false   |               | 当设置为 `true` 时，发送关于当前 Service 的信息。                                                                                                                            |
-| with_consumer     | boolean | 否    | false   |               | 当设置为 `true` 时，发送关于当前 Consumer 的信息。注意，这可能会发送敏感信息，如 API key。请确保在安全的情况下才打开它。 |
+| 名称              | 类型    | 是否必需 | 默认值   | 有效值        | 描述                                                                                                                                                                                   |
+|-------------------|---------|----------|---------|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| host              | string  | 是       |         |               | OPA 服务的主机地址。例如，`https://localhost:8181`。                                                                                                                                  |
+| ssl_verify        | boolean | 否       | true    |               | 设置为 `true` 时验证 SSL 证书。                                                                                                                                                        |
+| policy            | string  | 是       |         |               | OPA 策略路径。由 `package` 和 `decision` 组成。在使用自定义响应等高级功能时，可以省略 `decision`。                                                                                    |
+| timeout           | integer | 否       | 3000ms  | [1, 60000]ms  | HTTP 调用的超时时间。                                                                                                                                                                   |
+| keepalive         | boolean | 否       | true    |               | 设置为 `true` 时，为多个请求保持连接存活。                                                                                                                                                |
+| keepalive_timeout | integer | 否       | 60000ms | [1000, ...]ms | 连接空闲后关闭的时间。                                                                                                                                                                  |
+| keepalive_pool    | integer | 否       | 5       | [1, ...]ms    | 连接池限制。                                                                                                                                                                            |
+| with_route        | boolean | 否       | false   |               | 设置为 `true` 时，发送当前路由的信息。                                                                                                                                                   |
+| with_service      | boolean | 否       | false   |               | 设置为 `true` 时，发送当前服务的信息。                                                                                                                                                   |
+| with_consumer     | boolean | 否       | false   |               | 设置为 `true` 时，发送当前消费者的信息。注意这可能会发送敏感信息，如 API 密钥。确保仅在确认安全时开启此项。                                                                              |
+| with_body         | boolean | 否       | false   |               | 设置为 `true` 时，发送请求体。注意这可能会发送密码或 API 密钥等敏感信息。确保仅在理解安全隐患的情况下启用此功能。                                                                        |
 
 ## 数据定义
 
-### APISIX 向 OPA 发送信息
+### APISIX 到 OPA 服务
 
-下述示例代码展示了如何通过 APISIX 向 OPA 服务发送数据：
+以下 JSON 显示了 APISIX 发送给 OPA 服务的数据：
 
 ```json
 {
@@ -78,20 +79,22 @@ description: 本篇文档介绍了 Apache APISIX 通过 opa 插件与 Open Polic
     },
     "route": {},
     "service": {},
-    "consumer": {}
+    "consumer": {},
+    "body": {}
 }
 ```
 
-上述代码具体释义如下：
+以下是各个键的说明:
 
-- `type` 代表请求类型（如 `http` 或 `stream`）；
-- `request` 则需要在 `type` 为 `http` 时使用，包含基本的请求信息（如 URL、头信息等）；
-- `var` 包含关于请求连接的基本信息（如 IP、端口、请求时间戳等）；
-- `route`、`service` 和 `consumer` 包含的数据与 APISIX 中存储的数据相同，只有当这些对象上配置了 `opa` 插件时才会发送。
+- `type` 表示请求类型（`http` 或 `stream`）.
+- `request` 在 `type` 为 `http` 时使用，包含基本请求信息（URL、头信息等）.
+- `var` 包含请求连接的基本信息（IP、端口、请求时间戳等）。
+- `body` 包含请求的 HTTP 主体。
+- `route`、`service` 和 `consumer` 包含 APISIX 中存储的相同数据，且仅在 `opa` 插件配置在这些对象上时发送。
 
-### OPA 向 APISIX 返回数据
+### OPA 服务到 APISIX
 
-下述示例代码展示了 OPA 服务对 APISIX 发送请求后的响应数据：
+以下 JSON 显示了 OPA 服务返回给 APISIX 的响应：
 
 ```json
 {
@@ -106,14 +109,14 @@ description: 本篇文档介绍了 Apache APISIX 通过 opa 插件与 Open Polic
 }
 ```
 
-上述响应中的代码释义如下：
+响应中的键说明：
 
-- `allow` 配置是必不可少的，它表示请求是否允许通过 APISIX 进行转发；
-- `reason`、`headers` 和 `status_code` 是可选的，只有当你配置一个自定义响应时才会返回这些选项信息，具体使用方法可查看后续测试用例。
+- `allow` 是必需的，表示请求是否被允许通过 APISIX。
+- `reason`、`headers` 和 `status_code` 是可选的，仅在配置自定义响应时返回。请参见下一节用例。
 
-## 测试插件
+## 使用示例
 
-首先启动 OPA 环境：
+首先，您需要启动 Open Policy Agent 环境：
 
 ```shell
 docker run -d --name opa -p 8181:8181 openpolicyagent/opa:0.35.0 run -s
@@ -121,7 +124,7 @@ docker run -d --name opa -p 8181:8181 openpolicyagent/opa:0.35.0 run -s
 
 ### 基本用法
 
-一旦你运行了 OPA 服务，就可以进行基本策略的创建：
+当 OPA 服务运行后，您可以创建一个基本策略：
 
 ```shell
 curl -X PUT '127.0.0.1:8181/v1/policies/example1' \
@@ -138,7 +141,7 @@ allow {
 }'
 ```
 
-然后在指定路由上配置 `opa` 插件：
+然后，您可以在特定路由上配置 `opa` 插件：
 
 ```shell
 curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r1' \
@@ -161,7 +164,7 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r1' \
 }'
 ```
 
-使用如下命令进行测试：
+现在，测试一下：
 
 ```shell
 curl -i -X GET 127.0.0.1:9080/get
@@ -171,7 +174,7 @@ curl -i -X GET 127.0.0.1:9080/get
 HTTP/1.1 200 OK
 ```
 
-如果尝试向不同的端点发出请求，会出现请求失败的状态：
+如果请求不同的接口， 请求会失败：
 
 ```shell
 curl -i -X POST 127.0.0.1:9080/post
@@ -183,7 +186,7 @@ HTTP/1.1 403 FORBIDDEN
 
 ### 使用自定义响应
 
-除了基础用法外，你还可以为更复杂的使用场景配置自定义响应，参考示例如下：
+您也可以配置自定义响应来处理更复杂的场景：
 
 ```shell
 curl -X PUT '127.0.0.1:8181/v1/policies/example2' \
@@ -216,7 +219,7 @@ status_code = 302 {
 }'
 ```
 
-同时，你可以将 `opa` 插件的策略参数调整为 `example2`，然后发出请求进行测试：
+将 `opa` 插件的策略参数更改为 `example2` 并测试：
 
 ```shell
 curl -i -X GET 127.0.0.1:9080/get
@@ -226,7 +229,7 @@ curl -i -X GET 127.0.0.1:9080/get
 HTTP/1.1 200 OK
 ```
 
-此时如果你发出一个失败请求，将会收到来自 OPA 服务的自定义响应反馈，如下所示：
+如果请求失败，可以看到来自 OPA 服务的自定义响应：
 
 ```shell
 curl -i -X POST 127.0.0.1:9080/post
@@ -241,9 +244,11 @@ test
 
 ### 发送 APISIX 数据
 
-如果你的 OPA 服务需要根据 APISIX 的某些数据（如 Route 和 Consumer 的详细信息）来进行后续操作时，则可以通过配置插件来实现。
+再看一个场景，当决策需要使用一些 APISIX 数据，比如 `route`、`consumer` 等时，如何操作？
 
-下述示例展示了一个简单的 `echo` 策略，它将原样返回 APISIX 发送的数据：
+如果您的 OPA 服务需要基于 APISIX 的路由和消费者等数据做决策，可以配置插件以发送这些数据。
+
+下面示例是一个简单的 `echo` 策略，直接返回 APISIX 发送的数据：
 
 ```shell
 curl -X PUT '127.0.0.1:8181/v1/policies/echo' \
@@ -254,7 +259,7 @@ allow = false
 reason = input'
 ```
 
-现在就可以在路由上配置插件来发送 APISIX 数据：
+配置插件在路由上发送 APISIX 数据：
 
 ```shell
 curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r1' \
@@ -278,13 +283,10 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r1' \
 }'
 ```
 
-此时如果你提出一个请求，则可以通过自定义响应看到来自路由的数据：
+请求时，可以通过自定义响应看到路由数据：
 
 ```shell
 curl -X GET 127.0.0.1:9080/get
-```
-
-```shell
 {
     "type": "http",
     "request": {
@@ -301,11 +303,9 @@ curl -X GET 127.0.0.1:9080/get
 
 ## 删除插件
 
-当你需要禁用 `opa` 插件时，可以通过以下命令删除相应的 JSON 配置，APISIX 将会自动重新加载相关配置，无需重启服务：
-
-:::note
+若需删除 `opa` 插件，可从插件配置中删除对应的 JSON 配置。APISIX 会自动重新加载，无需重启。
 
-您可以这样从 `config.yaml` 中获取 `admin_key` 并存入环境变量：
+您可以通过以下命令从 `config.yaml` 获取 `admin_key` 并保存到环境变量：
 
 ```bash
 admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')
@@ -314,7 +314,7 @@ admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"/
 :::
 
 ```shell
-curl http://127.0.0.1:9180/apisix/admin/routes/1  -H "X-API-KEY: $admin_key" -X PUT -d '
+curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '
 {
     "methods": ["GET"],
     "uri": "/hello",

From e50d8df6657ee2aa3db8e4eb07ba300bcc257f1f Mon Sep 17 00:00:00 2001
From: LuciaCabanillasRodriguez <lucia.cabanillasrodriguez@telefonica.com>
Date: Mon, 30 Jun 2025 09:37:40 +0200
Subject: [PATCH 20/22] updated Chinese documentation

---
 docs/zh/latest/plugins/opa.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/zh/latest/plugins/opa.md b/docs/zh/latest/plugins/opa.md
index d59839c62679..939618f6b494 100644
--- a/docs/zh/latest/plugins/opa.md
+++ b/docs/zh/latest/plugins/opa.md
@@ -84,7 +84,7 @@ description: 本文档包含有关 Apache APISIX opa 插件的信息。
 }
 ```
 
-以下是各个键的说明:
+以下是各个键的说明：
 
 - `type` 表示请求类型（`http` 或 `stream`）.
 - `request` 在 `type` 为 `http` 时使用，包含基本请求信息（URL、头信息等）.
@@ -174,7 +174,7 @@ curl -i -X GET 127.0.0.1:9080/get
 HTTP/1.1 200 OK
 ```
 
-如果请求不同的接口， 请求会失败：
+如果请求不同的接口，请求会失败：
 
 ```shell
 curl -i -X POST 127.0.0.1:9080/post

From 9502a184ca9ab293ef97412550550d2ecbe29398 Mon Sep 17 00:00:00 2001
From: LuciaCabanillasRodriguez <lucia.cabanillasrodriguez@telefonica.com>
Date: Tue, 12 Aug 2025 14:49:52 +0200
Subject: [PATCH 21/22] Update docker-compose.plugin.yml and opa3.t test

---
 ci/pod/docker-compose.plugin.yml | 2 +-
 t/plugin/opa3.t                  | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ci/pod/docker-compose.plugin.yml b/ci/pod/docker-compose.plugin.yml
index 6c8dadea82aa..3a17b43fd87d 100644
--- a/ci/pod/docker-compose.plugin.yml
+++ b/ci/pod/docker-compose.plugin.yml
@@ -183,7 +183,7 @@ services:
     restart: unless-stopped
     ports:
       - 8181:8181
-    command: run -s /example.rego /echo.rego /data.json /with_route.rego /with_body.rego
+    command: run -s --log-level debug /example.rego /echo.rego /data.json /with_route.rego /with_body.rego
     volumes:
       - type: bind
         source: ./ci/pod/opa/with_route.rego
diff --git a/t/plugin/opa3.t b/t/plugin/opa3.t
index 412a646e3038..72d157844e3c 100644
--- a/t/plugin/opa3.t
+++ b/t/plugin/opa3.t
@@ -85,7 +85,8 @@ POST /hello
 }
 --- response_body
 hello world
-
+--- error_log_matches
+"\"request\":{\"body\":{\"hello\":\"world\"}"
 
 
 === TEST 4: hit route (with non-json request)

From 8a27c086dc6e0e05399ef30ea18eb3de1b49de27 Mon Sep 17 00:00:00 2001
From: LuciaCabanillasRodriguez <lucia.cabanillasrodriguez@telefonica.com>
Date: Wed, 13 Aug 2025 08:19:40 +0200
Subject: [PATCH 22/22] Fix test index for opa3.t

---
 t/plugin/opa3.t | 1 +
 1 file changed, 1 insertion(+)

diff --git a/t/plugin/opa3.t b/t/plugin/opa3.t
index 72d157844e3c..a6e8cd6acc01 100644
--- a/t/plugin/opa3.t
+++ b/t/plugin/opa3.t
@@ -89,6 +89,7 @@ hello world
 "\"request\":{\"body\":{\"hello\":\"world\"}"
 
 
+
 === TEST 4: hit route (with non-json request)
 --- request
 POST /hello