
Initialization error for input check

Open Starry-x opened this issue 1 year ago • 4 comments

Short description

When I was upgrading OPA to a version after 0.57.0, the custom input.other_token field in my code stopped working. The input is passed from the request after starting OPA. Now it cannot be started.

Examples:

  • Version: all versions after 0.57.0
  • Input: {"input": {"other_token": "Bearer xxx"}}
  • Policy:
bearer_token = t {
	v := input.other_token
	startswith(v, "Bearer ")
	t := substring(v, count("Bearer "), -1)
}
  • Error:
error: initialization error: 1 error occurred: rules/utils/jwt.rego:10: rego_type_error: undefined ref: input.other_token
        input.other_token
              ^
              have: "other_token"
              want (one of): ["body" "client_certificates" "headers" "identity" "method" "params" "path"]


Expected behavior

OPA can start.

Additional context

I found it can be started by adding --skip-known-schema-check, but this is not safe. I wonder if this can be resolved at the code level?

Starry-x, Nov 22 '24 07:11

Hi there! That schema is only checked for the system.authz package, which is used for authentication/authorization policies protecting OPA's own REST API. Using that package name for other purposes is not recommended, so if that's the case I would suggest renaming it to something else.

anderseknert, Nov 22 '24 07:11

Thank you. It is not defined in system.authz; it is defined in jwt.rego. However, I imported data.utils.jwt in system.authz, which is why there is this issue, because I want to share the JWT verification code between system.authz and user policy checks.

Starry-x, Nov 26 '24 10:11

That's interesting, and certainly a reasonable thing to do. I guess the workaround is to disable the schema check like you do already, but I wonder what a better solution would look like. We could run the check only on system.authz and sub-modules, but OTOH, there might be cases where you want to have the schema check extend also to dependencies 🤔

@johanfylling @ashutosh-narkar any ideas?

anderseknert, Nov 26 '24 10:11
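One way to share the helper with system.authz without tripping the input schema check is to have it take the header value as an argument instead of reading input itself, so that no field outside the REST API schema appears in any module reachable from system.authz. This is an added illustration, not code from the issue or from OPA; the package and file names follow the thread, while data.authz_secret and data.app_secret are assumed locations for HS256 secrets.

```rego
# rules/utils/jwt.rego (restructured; assumed to be package utils.jwt, matching
# the import data.utils.jwt mentioned in the thread)
package utils.jwt

# The helper no longer references input. Because system.authz imports this
# module, any input.<field> used here would be checked against OPA's REST API
# input schema, which is what produced "undefined ref: input.other_token".
bearer_token(v) = t {
	startswith(v, "Bearer ")
	t := substring(v, count("Bearer "), -1)
}

# Returns true only if the token's HS256 signature verifies under `secret`.
verified(token, secret) {
	[valid, _, _] := io.jwt.decode_verify(token, {"secret": secret, "alg": "HS256"})
	valid
}

# --- separate file: rules/system/authz.rego ---------------------------------
# Protects OPA's own REST API. input.headers is part of the known schema, so
# the type checker accepts it.
package system.authz

import data.utils.jwt

default allow = false

allow {
	token := jwt.bearer_token(input.headers["Authorization"][0])
	jwt.verified(token, data.authz_secret)  # data.authz_secret is assumed
}

# --- separate file: rules/app/policy.rego -----------------------------------
# User-facing policy. Its input comes from the API caller and is not subject
# to the system.authz schema check, so input.other_token is fine here.
package app

import data.utils.jwt

default allow = false

allow {
	token := jwt.bearer_token(input.other_token)
	jwt.verified(token, data.app_secret)  # data.app_secret is assumed
}
```

With this layout `opa run --server` starts without --skip-known-schema-check, because the only input fields referenced from system.authz and its dependency are ones the schema knows about.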

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.

stale[bot], Dec 28 '24 05:12