While building a decision mask specifically for Envoy input data which uses a JWT access_token URL query param, I noticed that the query param and value show up in 3 places: input.parsed_query, input.attributes.request.http.path, and input.attributes.request.http.headers[":path"].
I looked into how OPA would handle masking the input.attributes.request.http.headers[":path"] param, and it appears that it won't correctly apply the mask because the path parts are escaped by OPA (reference: https://github.com/open-policy-agent/opa/blob/v0.40.0/plugins/logs/mask.go#L78). As a result, if I pass in a masking path of "/input/attributes/request/http/headers/:path", OPA attempts to mask "/input/attributes/request/http/headers/%3Apath".
Here's a rego playground link with example input and a simple upsert mask: https://play.openpolicyagent.org/p/IKGpsHcXAB. The output for this playground example, however, does not represent the actual masking operation. To do that, I added two new test cases to mask_test.go locally on my machine and got a failure for each (details in Steps To Reproduce section).
OPA should be able to properly handle mask paths which contain a character that would be URL encoded (see the example test case above).
Additional context
This issue is not confined just to Envoy input data, as other systems provide inputs with headers[":path"] along with :authority and :method. At the moment, users cannot use OPA decision masking to mask just those parts of the headers input object and would need to mask the entire headers object, which may remove useful data from the decision log.
Earlier the paths to the field to perform an upsert or
remove operation on were escaped using Go's url.QueryEscape
method. This results in incorrect behavior when the paths contain
a reserved character like ":". This change updates to using
url.PathEscape instead to escape the input and result paths.
Fixes: open-policy-agent#4717
Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
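To make the escaping difference concrete, here is an added Go example, not OPA's own code from plugins/logs/mask.go: it splits the mask path quoted in the issue into segments, escapes each segment once with url.QueryEscape and once with url.PathEscape, and applies an upsert against a constructed Envoy-style decision event. The event contents, the simplified upsert walker and the function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Escaper is the per-segment escape function applied to a mask path; the
// issue is about swapping url.QueryEscape for url.PathEscape at this step.
type Escaper func(string) string

// maskPath is the decision-log mask from the issue: the ":path" pseudo-header
// of an Envoy request carries the access_token query string.
const maskPath = "/input/attributes/request/http/headers/:path"

const redacted = "[REDACTED]"

// sampleEvent builds a constructed Envoy-style decision event (not real traffic).
func sampleEvent() map[string]interface{} {
	return map[string]interface{}{
		"input": map[string]interface{}{
			"attributes": map[string]interface{}{
				"request": map[string]interface{}{
					"http": map[string]interface{}{
						"path": "/api/v1/data?access_token=CONSTRUCTED_TOKEN",
						"headers": map[string]interface{}{
							":authority": "example.internal",
							":method":    "GET",
							":path":      "/api/v1/data?access_token=CONSTRUCTED_TOKEN",
						},
					},
				},
			},
		},
	}
}

// splitAndEscape splits a "/a/b/c" mask path into segments and escapes each
// one with esc; this is where the two escapers diverge on ":path".
func splitAndEscape(path string, esc Escaper) []string {
	raw := strings.Split(strings.TrimPrefix(path, "/"), "/")
	parts := make([]string, len(raw))
	for i, p := range raw {
		parts[i] = esc(p)
	}
	return parts
}

// upsert walks doc along parts and replaces the leaf with value. It reports
// false when a segment is not present, which is what an escaped ":" causes.
func upsert(doc map[string]interface{}, parts []string, value interface{}) bool {
	cur := doc
	for i, p := range parts {
		if i == len(parts)-1 {
			if _, ok := cur[p]; !ok {
				return false
			}
			cur[p] = value
			return true
		}
		next, ok := cur[p].(map[string]interface{})
		if !ok {
			return false
		}
		cur = next
	}
	return false
}

// maskHeader applies maskPath to a fresh sample event using esc and returns
// whether the upsert found its target and the resulting ":path" header value.
func maskHeader(esc Escaper) (bool, string) {
	ev := sampleEvent()
	ok := upsert(ev, splitAndEscape(maskPath, esc), redacted)
	http := ev["input"].(map[string]interface{})["attributes"].(map[string]interface{})["request"].(map[string]interface{})["http"].(map[string]interface{})
	headers := http["headers"].(map[string]interface{})
	return ok, headers[":path"].(string)
}

func MaskWithQueryEscape() (bool, string) { return maskHeader(url.QueryEscape) }
func MaskWithPathEscape() (bool, string)  { return maskHeader(url.PathEscape) }

func QueryEscapedLeaf() string { p := splitAndEscape(maskPath, url.QueryEscape); return p[len(p)-1] }
func PathEscapedLeaf() string  { p := splitAndEscape(maskPath, url.PathEscape); return p[len(p)-1] }

func main() {
	fmt.Println("QueryEscape leaf:", QueryEscapedLeaf())
	ok, v := MaskWithQueryEscape()
	fmt.Printf("QueryEscape: masked=%v :path=%q\n", ok, v)
	fmt.Println("PathEscape leaf: ", PathEscapedLeaf())
	ok, v = MaskWithPathEscape()
	fmt.Printf("PathEscape:  masked=%v :path=%q\n", ok, v)
}
```

With url.QueryEscape the last segment becomes `%3Apath`, the walker finds no such header key, and the token-bearing value reaches the decision log unmasked; with url.PathEscape the segment stays `:path` (RFC 3986 leaves ":" unescaped inside a path segment) and the upsert replaces the value. The same mismatch applies to the `:authority` and `:method` keys mentioned in the issue.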
Steps To Reproduce
1. Add the two new test cases to TestMaskRuleMask in mask_test.go at line 543 (https://github.com/open-policy-agent/opa/blob/v0.40.0/plugins/logs/mask_test.go#L543).
2. Run make test.
3. Receive a github.com/open-policy-agent/opa/plugins/logs test failure.