Internal error when evaluating resource with a disabled scope hierarchy #1590

Closed
1 task done
scraymondjr opened this issue May 17, 2023 · 0 comments · Fixed by #1592
Labels
kind/bug Something isn't working


Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Internal Server Error returned when evaluating a resource policy with a scope defined where one resource policy in the scope hierarchy is disabled. Example response from CheckResources:

{
  "code": 13,
  "message": "Policy check failed"
}

Expected Behavior

If this setup is invalid, then I expect to see a 400-like error with an error message indicating that the resource access could not be evaluated due to disabled scope policy.

Steps To Reproduce

  1. Add scoped policies such that one policy is disabled (I observed that the level of the hierarchy does not matter). Example with default policy being disabled:
{
  "policies": [
    {
      "apiVersion": "api.cerbos.dev/v1",
      "disabled": true,
      "resourcePolicy": {
        "resource": "test:resource",
        "scope": "",
        "version": "default",
        "rules": [
          {
            "actions": [
              "read"
            ],
            "roles": [
              "TestRole"
            ],
            "effect": "EFFECT_DENY"
          }
        ]
      }
    },
    {
      "apiVersion": "api.cerbos.dev/v1",
      "resourcePolicy": {
        "resource": "test:resource",
        "scope": "a",
        "version": "default",
        "rules": [
          {
            "actions": [
              "read"
            ],
            "roles": [
              "TestRole"
            ],
            "effect": "EFFECT_ALLOW"
          }
        ]
      }
    }
  ]
}
  2. CheckResources call to see internal error:
{
  "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  "includeMeta": true,
  "principal": {
    "id": "bugs_bunny",
    "policyVersion": "default",
    "roles": [
      "TestRole"
    ]
  },
  "resources": [
    {
      "actions": [
        "read"
      ],
      "resource": {
        "kind": "test:resource",
        "policyVersion": "default",
        "scope": "a",
        "id": "XX125"
      }
    }
  ]
}

Environment

- OS:
- Cerbos version: github.com/cerbos/cerbos v0.26.0
- Docker version: Docker version 20.10.11, build dea9396
- Go version: go version go1.19 darwin/amd64

Anything else?

No response

@scraymondjr scraymondjr added kind/bug Something isn't working status/triage labels May 17, 2023
charithe added a commit to charithe/cerbos that referenced this issue May 18, 2023
Instead of returning `Internal` error, return `FailedPrecondition` when
the requested policy has a compilation error.

Fixes cerbos#1590

Signed-off-by: Charith Ellawala <charith@cerbos.dev>
charithe added a commit that referenced this issue May 18, 2023
* fix: Return correct error code when store is invalid

Instead of returning `Internal` error, return `FailedPrecondition` when
the requested policy has a compilation error.

Fixes #1590

Signed-off-by: Charith Ellawala <charith@cerbos.dev>

* Include PlanResources

Signed-off-by: Charith Ellawala <charith@cerbos.dev>

---------

Signed-off-by: Charith Ellawala <charith@cerbos.dev>
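
A pre-deployment check for the condition reported in this issue, as an added example (not Cerbos code and not from the reporter): it scans a policy bundle in the JSON shape shown above and flags enabled resource policies that have a disabled policy higher in their scope chain. It assumes scopes form a dot-separated chain ending at the root scope `""`; the `policy` type, `DisabledAncestors` and the sample bundle are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sample is constructed: the issue's two policies with rules omitted, plus a child scope "a.b".
const sample = `{"policies":[{"disabled":true,"resourcePolicy":{"resource":"test:resource","scope":"","version":"default"}},
 {"resourcePolicy":{"resource":"test:resource","scope":"a","version":"default"}},
 {"resourcePolicy":{"resource":"test:resource","scope":"a.b","version":"default"}}]}`

// policy keeps only the fields of the issue's JSON that the check needs.
type policy struct {
	Disabled       bool `json:"disabled"`
	ResourcePolicy *struct{ Resource, Scope, Version string } `json:"resourcePolicy"`
}

// DisabledAncestors lists enabled resource policies with a disabled policy in their scope chain.
func DisabledAncestors(bundle []byte) ([]string, error) {
	var in struct{ Policies []policy }
	if err := json.Unmarshal(bundle, &in); err != nil {
		return nil, err
	}
	disabled := map[string]bool{} // key: resource|version|scope
	for _, p := range in.Policies {
		if rp := p.ResourcePolicy; rp != nil && p.Disabled {
			disabled[rp.Resource+"|"+rp.Version+"|"+rp.Scope] = true
		}
	}
	var findings []string
	for _, p := range in.Policies {
		rp := p.ResourcePolicy
		if rp == nil || p.Disabled || rp.Scope == "" {
			continue // root-scope and disabled policies have no chain to check
		}
		parts := strings.Split(rp.Scope, ".")
		for i := len(parts) - 1; i >= 0; i-- { // assumed chain: "a.b" -> "a" -> ""
			anc := strings.Join(parts[:i], ".")
			if disabled[rp.Resource+"|"+rp.Version+"|"+anc] {
				findings = append(findings, fmt.Sprintf("%s scope %q: ancestor scope %q is disabled", rp.Resource, rp.Scope, anc))
			}
		}
	}
	return findings, nil
}

func main() { fmt.Println(DisabledAncestors([]byte(sample))) }
```

Running a check like this against a bundle before it is loaded surfaces the broken chain at review time instead of as a failed `CheckResources` call.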