http.send unix domain sockets - URL format #3661
Comments
|
Thanks @kirk-patton. The This is where the HTTP client used for @ashutosh-narkar did I miss anything here? I'm not sure if there's some special consideration given the caching stuff. etc. |
|
This seems like something that would need to be enabled with a config option, no? I don’t think OPA admins would expect policy authors to have that capability by default. |
|
@anderseknert I'm not sure I follow. You're suggesting that admins are okay with users being able to execute arbitrary HTTP requests via TCP but not via UNIX domain socket? Can you elaborate a bit? |
|
Yes, I think the function name implies as much. I would not expect policy authors to be able to send arbitrary IPC requests to the (however poorly configured) Docker daemon (or whatever else is) running on the same host on a Unix socket without explicit permission from the OPA admin. I think those are often poorly configured precisely because the expectation is they’re not exposed to untrusted processes. |
|
That makes sense. I suggest we solve that in the same context as other security-related improvements to |
|
Sounds good! As for localhost sockets, yeah - I think there’s just more of an awareness what’s running on those among admins in general, but I agree, it would be good to be able to disallow localhost requests regardless of protocol. |
The implementation described by Torin in this comment sounds good to me. Regarding caching, the server would need to send a We could extend the |
Let's look into that separately. The allow list needs to be set by something other than the policy; I don't think it makes sense to allow the policy to be able to define the allow list. |
You're right. It's not appropriate to have it in the built-in. Maybe the OPA config would be better ? |
|
thanks @kirk-patton, I'll take a look hopefully today. Don't worry about the changes to restrict the call. That requires some design work and is outside the scope of this issue. |
Fixes open-policy-agent#3661. Signed-off-by: Kirk Patton <kpatton@verizonmedia.com>
Fixes open-policy-agent#3661. Signed-off-by: Kirk Patton <kpatton@verizonmedia.com> Signed-off-by: Dolev Farhi <farhi.dolev@gmail.com>
I am not sure if OPA supports unix domain sockets when using the http.send method. If it does, then I am interested in the correct syntax to use when specifying the socket as part of the request.
Expected Behavior
http.send(unix://path/to/socket/path/to/url/endpoint) OR something similar
Actual Behavior
does not work.
Steps to Reproduce the Problem
socatSocket = response {
# In a terminal run
# (while true; do date; sleep 5; done) | socat UNIX-LISTEN:/tmp/http.sock -
# NOTE: works with _
# curl --unix-socket /tmp/http.sock http://localhost/
request := {
"url": "unix:///tmp/http.socket",
"method": "GET",
}
response := http.send(request)
trace(sprintf("DEBUG: **** %v",[response]))
}
Additional Info
The text was updated successfully, but these errors were encountered: