add allow_net to capabilities, use it to disable fetching remote schemas
#3748
Conversation
srenatus
force-pushed
the
sr/typechecker/dont-fetch-remote-schemas-without-opt-in
branch
from
c073455
to
b674f1c
Compare
|
While adding that 18K JSON file is somewhat annoying, it's nice to know that we can read it as-is, and stuff works. So, I'm torn, but leaning towards including it 🤔 |
srenatus
force-pushed
the
sr/typechecker/dont-fetch-remote-schemas-without-opt-in
branch
from
b674f1c
to
846c657
Compare
There was a problem hiding this comment.
This look good to me. The only question in my head is whether we should make the CLI tooling default to fetch remote schemas. It's obviously more consistent with the implementation in the compiler to disable it by default, however, I'm just concerned about the UX when people are actually making use of real-world JSON schemas. IOW, to use OPA CLI tooling and real-world JSON schemas, are users always going to have to specify --fetch-remote-schemas? That seems cumbersome. WDYT?
While adding that 18K JSON file is somewhat annoying, it's nice to know that we can read it as-is, and stuff works. So, I'm torn, but leaning towards including it 🤔
This sounds fine to me--we'll forget it's there after this PR is merged.
You're probably right. I'll flip the default here, and the flag name accordingly. 💭 I wonder if a general "don't do anything network-y" flag would be a good idea. This could be even more relevant when imports come from URLs one day. (Akin to deno's network capability, maybe, https://deno.land/manual/getting_started/permissions#permissions-list) |
srenatus
force-pushed
the
sr/typechecker/dont-fetch-remote-schemas-without-opt-in
branch
3 times, most recently
from
aaa69bd
to
2409174
Compare
srenatus
changed the title
|
Flipped all the things 🙃 |
I've wondered whether we could use the capabilities feature for this... |
Actually, yeah, I think we should. So, to keep this backwards-compatible, we'd introduce some key to capabilities that lets you disable networking, default to true. Or we could try to mimic deno even more and allow for specifying hostnames, like https://deno.land/manual/getting_started/permissions#network-access. Deno's default is disallow, so we'd be in the slightly odd but acceptable position that
This would probably be the same user interface that could support #3665. What do you think? |
Introducing a package-level var to gojsonschema isn't the prettiest solution, but since we want this in an all-or-nothing way right now anyways, it does the trick. And it's more ergonomic than adding extra parameters all over the place. Fixes open-policy-agent#3746. Also: * move some profiling-related default params into newEvalCommandParams * replace some errors.Wrap by fmt.Errorf in loader pkg * remove some != nil handling where it didn't make a difference when working on the schema set Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
It would be nice to ensure that the remote refs feature actually works, without introducing a network dependency into our tests. This commit adds the kube 1.14 definitions into ast/testdata, and uses that from a httptest.Server instance in the unit tests. Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
|
So, this requires adding the When adding an |
This renders them exactly as they look in the multiline strings, not with the excessive indentation that a tab might bring. Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
srenatus
force-pushed
the
sr/typechecker/dont-fetch-remote-schemas-without-opt-in
branch
2 times, most recently
from
9360d52
to
4176f9b
Compare
There are follow-up tasks once capabilities are available to `opa eval`, but this commit restricts its being put to use to the type checker's remote json schema refs. Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
srenatus
force-pushed
the
sr/typechecker/dont-fetch-remote-schemas-without-opt-in
branch
from
4176f9b
to
a381a58
Compare
srenatus
changed the title
allow_net to capabilities, use it to disable fetching remote schemas
| @@ -248,6 +273,7 @@ Loads a single JSON file, applying it to the input document; or all the schema f | |||
| evalCommand.Flags().BoolVarP(¶ms.failDefined, "fail-defined", "", false, "exits with non-zero exit code on defined/non-empty result and errors") | |||
|
|
|||
| // Shared flags | |||
| addCapabilitiesFlag(evalCommand.Flags(), params.capabilities) | |||
There was a problem hiding this comment.
A fun side effect of this is that we can now use opa eval to eval like it's 20202:
$ opa eval -fpretty --capabilities capabilities/v0.17.0.json 'base64.is_valid("foo")'
1 error occurred: 1:1: rego_type_error: undefined function base64.is_valid
There was a problem hiding this comment.
Nice! Can you file a follow-up issue to add support into the http.send() built-in function? We'll need to be careful to ensure that's implemented correctly (e.g., we'll have to deal with redirects...)
Nevermind! We have this one #3665
srenatus
deleted the
sr/typechecker/dont-fetch-remote-schemas-without-opt-in
branch
…hemas (open-policy-agent#3748) This adds a new top-level key to the capabilities structure, `allow_net`. It currently is only used for restricting the typechecker's ability to fetch remote refs in JSON schemas, but could be used more widely in the future. It works like this: - If it's not present, any host can be contacted - If it's present, the items will be the hosts or IP addresses that may be contacted; anything not in the list is prohibited. - As a consequence, If it's present and empty (`[]`), no host can be contacted Introducing a package-level var to gojsonschema isn't the prettiest solution, but since we want this in an all-or-nothing way right now anyways, it does the trick. And it's more ergonomic than adding extra parameters all over the place. Fixes open-policy-agent#3746. Also: * move some profiling-related default params into newEvalCommandParams * replace some errors.Wrap by fmt.Errorf in loader pkg * remove some != nil handling where it didn't make a difference when working on the schema set * reduces indentation in code examples in `opa eval -h` and `opa check -h` by replacing tabs by four spaces. * ast: allow testing with remote refs without networking It would be nice to ensure that the remote refs feature actually works, without introducing a network dependency into our tests. This commit adds the kube 1.14 definitions into ast/testdata, and uses that from a httptest.Server instance in the unit tests. Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com> Signed-off-by: Dolev Farhi <farhi.dolev@gmail.com>
Introducing a package-level var to gojsonschema isn't the prettiest solution,
but since we want this in an all-or-nothing way right now anyways, it does
the trick. And it's more ergonomic than adding extra parameters all over the
place.
Fixes #3746.
Also:
opa eval -handopa check -hby replacing tabs by four spaces.It feels to me like the addition to capabilities is a bit dangling right now. We should perhaps tackle #3665 soon.