Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for AllowNet capability in http.send #3665

Closed
tsandall opened this issue Jul 21, 2021 · 3 comments · Fixed by #4152
Closed

Add support for AllowNet capability in http.send #3665

tsandall opened this issue Jul 21, 2021 · 3 comments · Fixed by #4152
Assignees
@johanfylling
Labels
builtins

Comments

@tsandall
Copy link
Member

tsandall commented Jul 21, 2021
edited
Loading

OPA should support a mechanism for restricting http.send calls at runtime. The primary use case would be restricting what hosts http.send calls can make. To support this, we should look at what interfaces are required in the topdown package. On top of that, we could expose restriction settings via the OPA configuration.

Note, this is not about disabling the http.send call entirely or blocking it at compile-time. The goal here is to allow policy authors to make use of http.send but only for reaching out to specific hosts.

EDIT:

  • We'll need to take into account other built-ins as well, e.g., the recent net.lookup_ip_addr function.

Related #3661
@srenatus srenatus mentioned this issue Aug 20, 2021
Merged
@tsandall
Copy link
Member Author

With #3748 we now have an API for OPA admins to supply a list of hostnames/IPs that an OPA should be allowed to connect to. We should use make use of the capabilities within topdown.

@anderseknert
Copy link
Member

It would be good to allow blocking specific protocols as well, like unix:// or http:// (i.e,. not https) .. might be one wants to request something from a local http service without allowing access to local unix domain sockets on the host filesystem.

@srenatus
Copy link
Contributor

If we follow the semantics of the JSON Schema remote ref fetching, then as soon as there's any entry in allow_net , we'd only allow connections to those hosts from the list. I suppose we could deny http and unix if we supported globs, like https://* (or even https://*.internal.acme.corp etc).

@tsandall tsandall changed the title Add mechanism for callers to restrict http.send calls Add mechanism for callers to restrict http.send and other net calls Nov 19, 2021
@tsandall tsandall changed the title Add mechanism for callers to restrict http.send and other net calls Add support for AllowNet capability in http.send Dec 8, 2021
@johanfylling johanfylling mentioned this issue Dec 16, 2021
Merged
johanfylling added a commit to johanfylling/opa that referenced this issue Dec 16, 2021
@johanfylling
topdown+wasm: Verifying host based on allow_net allowlist in built-in…
de8875c 
… functions

Adding host allow-listing based on the allow_net capability in the http.send()- and
net.lookup_ip_addr() built-in functions when running the eval command.

Fixes: open-policy-agent#3665

Signed-off-by: Johan Fylling <johan.dev@fylling.se>
johanfylling added a commit that referenced this issue Dec 17, 2021
@johanfylling
topdown+wasm: Verifying host based on allow_net allowlist in built-in…
7b64270 
… functions (#4152)

Adding host allow-listing based on the allow_net capability in the http.send()- and
net.lookup_ip_addr() built-in functions when running the eval command.

Fixes: #3665

Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@johanfylling johanfylling

Labels
builtins
Projects
Open Policy Agent
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

topdown+wasm: Verifying host based on allow_net allowlist in built-in functions johanfylling/opa
4 participants
@tsandall @anderseknert @srenatus @johanfylling