Initialization error for input check #7185

Open
Starry-x opened this issue Nov 22, 2024 · 4 comments

@Starry-x

Short description

When I was upgrading OPA to the version after 0.57.0, the custom input.other_token field in my code stopped working. The input is passed from the request after starting OPA. Now it cannot be started.

Examples:

  • Version: all versions after 0.57.0
  • Input: `{"input": {"other_token": "Bearer xxx"}}`
  • Policy:

```rego
bearer_token = t {
	v := input.other_token
	startswith(v, "Bearer ")
	t := substring(v, count("Bearer "), -1)
}
```

  • Error:

```
error: initialization error: 1 error occurred: rules/utils/jwt.rego:10: rego_type_error: undefined ref: input.other_token
        input.other_token
              ^
              have: "other_token"
              want (one of): ["body" "client_certificates" "headers" "identity" "method" "params" "path"]
```


Expected behavior

OPA can start.

Additional context

I found it can be started by adding `--skip-known-schema-check`, but this is not safe. I wonder if this can be resolved at the code level?

Starry-x added the bug label Nov 22, 2024
@anderseknert
Member

anderseknert commented Nov 22, 2024

Hi there! That schema is only checked for the system.authz package, which is used for authentication/authorization policies protecting OPA's own REST API. Using that package name for other purposes is not recommended, so if that's the case I would suggest renaming it to something else.

@Starry-x
Author

Thank you. It is not defined in system.authz; it is defined in jwt.rego. However, I imported data.utils.jwt in system.authz, which is why there is this issue, because I want to share the JWT verification related code between system.authz and user policy checks.

@anderseknert
Member

That's interesting, and certainly a reasonable thing to do. I guess the workaround is to disable the schema check like you do already, but I wonder what a better solution would look like. We could do the check only on system.authz and sub-modules, but OTOH, there might be cases where you want to have the schema check extend also to dependencies 🤔

@johanfylling @ashutosh-narkar any ideas?


stale bot commented Dec 28, 2024

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.

stale bot added the inactive label Dec 28, 2024