
Enable filtering with HTTP properties configured through yaml

Open lukasz-kaminski opened this issue 4 years ago • 8 comments

Currently, we're always using path, method and JWT to make queries to OPA. We should allow for better elasticity.

lukasz-kaminski avatar Mar 17 '20 09:03 lukasz-kaminski

Would it make sense to forward the whole HTTP request "as-is" (as much as that is possible) as an option to provide OPA with all data available there?

anderseknert avatar Mar 17 '20 12:03 anderseknert

I guess we can provide an array of HTTP properties that users can request in their config file, also the JWT. Like:

opa.filter.request-include:
  jwt: encrypted (/decrypted)
  http:
    method: true
    path: true
    headers: [Content-Type, Origin]

So that would be the default implementation and it could be overridden or extended to add some custom data to the request.

What do you think?

lukasz-kaminski avatar Mar 18 '20 18:03 lukasz-kaminski

The reason to filter out attributes from the original request would be to keep the payload size low?

I'm not sure I find the special treatment of JWTs necessary - checking for its presence in the headers inside a policy is trivial anyway, no?

And there should probably be an option to include the body, at least given some content types.

Besides that, I like it :)

anderseknert avatar Mar 18 '20 18:03 anderseknert

> The reason to filter out attributes from the original request would be to keep the payload size low?

Yes, and also some of those might be sensitive; they don't necessarily have to be sent to localhost, since the OPA instance might be remote.

> I'm not sure I find the special treatment of JWTs necessary - checking for its presence in the headers inside a policy is trivial anyway, no?

You're right, I don't know why I fixated on this :)

> And there should probably be an option to include the body, at least given some content types.

Of course, the properties I've posted above are only an example.

> Besides that, I like it :)

I'm glad to hear that!

lukasz-kaminski avatar Mar 18 '20 19:03 lukasz-kaminski

So for the first version of this feature I'll go with the following:

---
opa.filter.data.http:
  method:
    include: all # or none - by default
    except:
      - OPTIONS
  path:
    include: all # or none - by default
    except:
      - /setPassword # because the password is sent in query params
  headers:
    include: all # or none - by default
    except:
      - Content-Type
      - Origin
      - Authorization
      - bla # any string really
  sessionId.include: true # false by default
  cookies:
    include: all # or none - by default
    except:
      - secretToken
  queryParams.include: true # false by default
  body.include: true # false by default

lukasz-kaminski avatar Mar 18 '20 19:03 lukasz-kaminski

Looks great. Is include also a list or can you only say all and blacklist?

anderseknert avatar Mar 19 '20 11:03 anderseknert

Yeah, the idea is to have two ways:

include: all
except:
  - something

and

include: none
except:
  - something

lukasz-kaminski avatar Mar 20 '20 08:03 lukasz-kaminski
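The two modes above (`include: all` minus the `except` list, and `include: none` plus the `except` list) applied to the `opa.filter.data.http` layout proposed earlier, as an added example that is not code from the opa-spring-security project. It assumes the config is handed in as the `http` section already parsed into a dict, with dotted keys such as `sessionId.include` written as nested maps, and the request, config and expected values are constructed for the example.

```python
# Added example (not project code): filter a request by the proposed
# include/except rules and build the document sent to OPA as `input`.
# Attributes that the config does not enable are omitted, not sent empty.

def select(rule, names, casefold=False):
    """Names kept under one include/except rule.
    include: all  -> every name except those listed
    include: none -> only the names listed (the default when unset)
    casefold=True compares case-insensitively (HTTP header names)."""
    norm = (lambda s: s.lower()) if casefold else (lambda s: s)
    mode = rule.get("include", "none")
    listed = {norm(e) for e in rule.get("except", [])}
    if mode == "all":
        return [n for n in names if norm(n) not in listed]
    if mode == "none":
        return [n for n in names if norm(n) in listed]
    raise ValueError(f"include must be 'all' or 'none', got {mode!r}")


def build_opa_input(http_cfg, request):
    """Apply `http_cfg` (the opa.filter.data.http section) to `request`."""
    out = {}
    for scalar in ("method", "path"):            # value itself is filtered
        if select(http_cfg.get(scalar, {}), [request[scalar]]):
            out[scalar] = request[scalar]
    for mapping in ("headers", "cookies"):       # filtered key by key
        rule = http_cfg.get(mapping, {})
        kept = select(rule, request[mapping], casefold=(mapping == "headers"))
        if kept:
            out[mapping] = {k: request[mapping][k] for k in kept}
    for flag in ("sessionId", "queryParams", "body"):  # plain booleans
        if http_cfg.get(flag, {}).get("include", False):
            out[flag] = request[flag]
    return out


# Constructed config mirroring the thread's proposal (cookies use mode "none").
SAMPLE_CFG = {
    "method": {"include": "all", "except": ["OPTIONS"]},
    "path": {"include": "all", "except": ["/setPassword"]},
    "headers": {"include": "all", "except": ["Content-Type", "Origin", "Authorization"]},
    "cookies": {"include": "none", "except": ["theme"]},
}
# Constructed request: the path, Authorization header and secretToken cookie
# must not reach a possibly remote OPA; only the rest is forwarded.
SAMPLE_REQUEST = {
    "method": "POST", "path": "/setPassword", "sessionId": "sid-123",
    "headers": {"Authorization": "Bearer <token>", "Accept": "*/*", "content-type": "application/json"},
    "cookies": {"secretToken": "<constructed>", "theme": "dark"},
    "queryParams": {"newPassword": "<constructed>"}, "body": "{}",
}
```

`build_opa_input(SAMPLE_CFG, SAMPLE_REQUEST)` yields only `method`, the `Accept` header and the `theme` cookie; changing the path to anything not listed under `except` forwards it again.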

Awesome!

anderseknert avatar Mar 20 '20 08:03 anderseknert