OPA decision masks do not apply correctly to paths containing a character that would be URL encoded

[pauly4it]

Short description

While building a decision mask specifically for Envoy input data which uses a JWT access_token URL query param, I noticed that the query param and value show up in 3 places: input.parsed_query, input.attributes.request.http.path, and input.attributes.request.http.headers[":path"].

I looked into how OPA would handle masking the input.attributes.request.http.headers[":path"] param, and it appears that it won't correctly apply the mask because the path parts are escaped by OPA (reference: https://github.com/open-policy-agent/opa/blob/v0.40.0/plugins/logs/mask.go#L78). As a result, if I pass in a masking path of "/input/attributes/request/http/headers/:path", OPA attempts to mask "/input/attributes/request/http/headers/%3Apath".

Here's a rego playground link with example input and a simple upsert mask: https://play.openpolicyagent.org/p/IKGpsHcXAB. The output for this playground example, however, does not represent the actual masking operation. To do that, I added two new test cases to mask_test.go locally on my machine and got a failure for each (details in Steps To Reproduce section).

Steps To Reproduce

1. Using OPA v0.40.0, add the following test case to TestMaskRuleMask in mask_test.go at line 543 (https://github.com/open-policy-agent/opa/blob/v0.40.0/plugins/logs/mask_test.go#L543):

{
	note: "erase: :path",
	ptr: &maskRule{
		OP:   maskOPRemove,
		Path: "/input/:path",
	},
	event: `{"input": {"bar": 1, ":path": "token"}}`,
	exp:   `{"input": {"bar": 1}, "erased": ["/input/:path"]}`,
},
{
	note: "upsert in :path",
	ptr: &maskRule{
		OP:    maskOPUpsert,
		Path:  "/input/:path",
		Value: "upserted",
	},
	event: `{"input": {"bar": 1, ":path": "token"}}`,
	exp:   `{"input": {"bar": 1, ":path": "upserted"}, "masked": ["/input/:path"]}`,
},

2. Run make test

3. Receive a github.com/open-policy-agent/opa/plugins/logs test failure:

--- FAIL: TestMaskRuleMask (0.00s)
    --- FAIL: TestMaskRuleMask/erase:_:path (0.00s)
        mask_test.go:602: Expected: {
              "labels": null,
              "decision_id": "",
              "input": {
                "bar": 1
              },
              "erased": [
                "/input/:path"
              ],
              "timestamp": "0001-01-01T00:00:00Z"
            }
            Got: {
              "labels": null,
              "decision_id": "",
              "input": {
                ":path": "token",
                "bar": 1
              },
              "timestamp": "0001-01-01T00:00:00Z"
            }
    --- FAIL: TestMaskRuleMask/upsert_in_:path (0.00s)
        mask_test.go:602: Expected: {
              "labels": null,
              "decision_id": "",
              "input": {
                ":path": "upserted",
                "bar": 1
              },
              "masked": [
                "/input/:path"
              ],
              "timestamp": "0001-01-01T00:00:00Z"
            }
            Got: {
              "labels": null,
              "decision_id": "",
              "input": {
                "%3Apath": "upserted",
                ":path": "token",
                "bar": 1
              },
              "masked": [
                "/input/%3Apath"
              ],
              "timestamp": "0001-01-01T00:00:00Z"
            }

Expected behavior

OPA should be able to properly handle mask paths which contain a character that would be URL encoded (see the example test case above).

Additional context

This issue is not confined just to Envoy input data, as other systems provide inputs with headers[":path"] along with :authority and :method. At the moment, users cannot use OPA decision masking to mask just those parts of the headers input object and would need to mask the entire headers object, which may remove useful data from the decision log.