trustee
KBS: Be more tolerant to policy rego files
KBC fails to set policy in KBS and AS unless the rego file ends with an empty line. Either make the code more tolerant or make it clear in documentation.
Example:
$ cat -n allow_all.rego
1
2 package policy
3
4 default allow = true
$ cat -n allow_all_modified.rego
1
2 package policy
3
4 default allow = true
5
$ kbs-client --url "http://192.168.122.182:30713" config --auth-private-key ./privateKey set-resource-policy --policy-file allow_all.rego
Error: Request Failed, Response: "{\"type\":\"https://github.com/confidential-containers/kbs/errors/PolicyEndpoint\",\"detail\":\"Policy error: Set policy error Base64 decode OPA policy string failed: InvalidPadding\"}"
$ kbs-client --url "http://192.168.122.182:30713" config --auth-private-key ./privateKey set-resource-policy --policy-file allow_all_modified.rego
Set resource policy success
policy: CnBhY2thZ2UgcG9saWN5CgpkZWZhdWx0IGFsbG93ID0gdHJ1ZQoK
Same issue with set-attestation-policy.
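A possible explanation, as an added example that is not part of the original issue or the project's code: the `policy:` value printed above is unpadded base64 of a 39-byte file, so this sketch assumes the client strips `=` padding while the server-side decoder requires it. The function names and the 38-byte failing input are constructed for illustration.

```python
import base64

# Constructed inputs mirroring the `cat -n` listings in the issue.
# FAILING assumes a single trailing newline after line 4 (38 bytes).
FAILING = b"\npackage policy\n\ndefault allow = true\n"
# WORKING has the extra empty line 5 (39 bytes, a multiple of 3).
WORKING = b"\npackage policy\n\ndefault allow = true\n\n"
# Value printed by kbs-client in the issue after the successful call.
PRINTED = "CnBhY2thZ2UgcG9saWN5CgpkZWZhdWx0IGFsbG93ID0gdHJ1ZQoK"


def encode_no_pad(data: bytes) -> str:
    """Assumed client behaviour: URL-safe base64 with '=' padding stripped."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def decode_strict(text: str) -> bytes:
    """Assumed server behaviour: reject input that lacks canonical padding."""
    if len(text) % 4:
        raise ValueError("InvalidPadding")
    return base64.urlsafe_b64decode(text)


def decode_tolerant(text: str) -> bytes:
    """Accept padded or unpadded input by restoring the missing '='."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def upload_ok(data: bytes) -> bool:
    """True when the unpadded encoding survives the strict decoder."""
    try:
        return decode_strict(encode_no_pad(data)) == data
    except ValueError:
        return False


if __name__ == "__main__":
    for name, blob in (("allow_all", FAILING), ("allow_all_modified", WORKING)):
        print(name, len(blob), "bytes ->", "ok" if upload_ok(blob) else "InvalidPadding")
```

Under this assumption the trailing empty line matters only because it brings the file length to a multiple of 3, where padded and unpadded base64 are identical; any policy whose byte length is not a multiple of 3 would be rejected the same way.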