Initialization error for input check #7185

Open
Starry-x opened this issue Nov 22, 2024 · 3 comments
@Starry-x

Short description

When I was upgrading OPA to a version after 0.57.0, the custom input.other_token field in my code stopped working. The input is passed from the request after starting OPA. Now it cannot be started.

Examples:

  • Version: all versions after 0.57.0
  • Input: {"input": {"other_token": "Bearer xxx"}}
  • Policy:
bearer_token = t {
	v := input.other_token
	startswith(v, "Bearer ")
	t := substring(v, count("Bearer "), -1)
}
  • Error:
error: initialization error: 1 error occurred: rules/utils/jwt.rego:10: rego_type_error: undefined ref: input.other_token
        input.other_token
              ^
              have: "other_token"
              want (one of): ["body" "client_certificates" "headers" "identity" "method" "params" "path"]


Expected behavior

OPA can start.

Additional context

I found it can be started by adding --skip-known-schema-check, but this is not safe. I wonder if this can be resolved at the code level?

Starry-x added the bug label Nov 22, 2024
@anderseknert
Member

anderseknert commented Nov 22, 2024

Hi there! That schema is only checked for the system.authz package, which is used for authentication/authorization policies protecting OPA's own REST API. Using that package name for other purposes is not recommended, so if that's the case I would suggest renaming it to something else.

@Starry-x
Author

Thank you, I am not defined in system.authz; I am defined in jwt.rego. However, I imported data.utils.jwt in system.authz, which is why there is this issue. Because I want to share the JWT verify related code between system.authz and user policy checks.

@anderseknert
Member

That's interesting, and certainly a reasonable thing to do. I guess the workaround is to disable the schema check like you do already, but I wonder what a better solution would look like. We could do the check only on system.authz and sub-modules, but OTOH, there might be cases where you want to have the schema check extend also to dependencies 🤔

@johanfylling @ashutosh-narkar any ideas?
