--authorization=basic breaks gzipped request decompression #6804

Closed
nevumx opened this issue Jun 10, 2024 · 1 comment · Fixed by #6825
nevumx commented Jun 10, 2024

Short description

Issue exists on OPA v0.65.0 and EOPA v1.22.0, although they have different error messages for some reason... 😕

If the `--authorization=basic` flag is passed to an `opa run -s` cli command, opa will output an error on receiving a properly gzipped HTTP request with the `Content-Encoding: gzip` header.

Steps To Reproduce

  1. Run an opa server with the `--authorization=basic` flag, e.g. `opa run -s --authorization=basic`.
  2. Execute a gzipped curl request on another shell window, like `echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- https://127.0.0.1:8181/v1/data`
  3. Observe the error given:

```json
{
  "code": "invalid_parameter",
  "message": "invalid character '\\x1f' looking for beginning of value"
}
```

Or with EOPA:

```json
{
  "code": "invalid_parameter",
  "message": "yaml: control characters are not allowed"
}
```

Expected behavior

In this case, some error about there being no input or path after /v1/data, but with more policies/proper input, there should be no errors; the request should decompress as expected, and the evaluation/response should continue as expected.

@nevumx nevumx added the bug label Jun 10, 2024
@philipaconrad
Contributor

Ah yep! This looks like a case where the server/authorizer package isn't handling gzipped request bodies correctly. I'll see if there's a straightforward fix for this.

philipaconrad added a commit to philipaconrad/opa that referenced this issue Jun 17, 2024
This PR fixes an issue where an OPA running authorization policies would
be unable to handle gzipped request bodies.

Example OPA CLI setup:

    opa run -s --authorization=basic

Example request:

    echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- https://127.0.0.1:8181/v1/data

This would result in unhelpful error messages, like:

```json
{
  "code": "invalid_parameter",
  "message": "invalid character '\\x1f' looking for beginning of value"
}
```

The cause was that the request body handling system in the
`server/authorizer` package did not take gzipped payloads into
account. The fix was to borrow the gzip request body handling function
from `server/server.go`, to transparently decompress the body when
needed.

Fixes: open-policy-agent#6804

Signed-off-by: Philip Conrad <[email protected]>
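
To illustrate the cause described in the commit message, here is an added Go sketch, not OPA's own code, that parses a constructed gzipped body once as raw bytes and once after honoring `Content-Encoding: gzip`. The names `authzInput`, `gzRequest` and `maxBody` are hypothetical, and the cap on decompressed size is an assumption of this example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

const maxBody = 1 << 20 // assumed cap on decompressed bytes (not from the issue)

// authzInput parses the body an authorizer would see; decode=false feeds raw bytes to the parser.
func authzInput(r *http.Request, decode bool) (interface{}, error) {
	var src io.Reader = r.Body
	if decode && r.Header.Get("Content-Encoding") == "gzip" {
		zr, err := gzip.NewReader(r.Body)
		if err != nil {
			return nil, err // header claims gzip but the body is not gzip
		}
		defer zr.Close()
		src = zr
	}
	// Read one byte past the cap so an oversized (possibly inflated) body is detected.
	raw, err := io.ReadAll(io.LimitReader(src, maxBody+1))
	if err != nil || len(raw) > maxBody {
		return nil, fmt.Errorf("unreadable or oversized body: %v", err)
	}
	var v interface{}
	err = json.Unmarshal(raw, &v)
	return v, err
}

// gzRequest builds a constructed gzipped POST to /v1/data for the demonstration.
func gzRequest(payload string) *http.Request {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write([]byte(payload))
	zw.Close()
	r := httptest.NewRequest(http.MethodPost, "/v1/data", &buf)
	r.Header.Set("Content-Encoding", "gzip")
	return r
}

func main() {
	_, errRaw := authzInput(gzRequest("{}"), false)
	v, errDec := authzInput(gzRequest("{}"), true)
	fmt.Println(errRaw, "|", v, errDec)
}
```

The raw path fails on the gzip magic byte `0x1f`, which is the character named in the reported error message.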
philipaconrad added a commit to philipaconrad/opa that referenced this issue Jun 25, 2024
philipaconrad added a commit to philipaconrad/opa that referenced this issue Jun 26, 2024