OpenFGA Migrate Job Fails with Unescaped URI #1509

Open
6 tasks done
joshmorningstar opened this issue Apr 3, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@joshmorningstar

joshmorningstar commented Apr 3, 2024

Checklist

  • I have looked into the README and have not found a suitable solution or answer.
  • I have looked into the documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have upgraded to the latest version of OpenFGA and the issue still persists.
  • I have searched the OpenFGA Community and have not found a suitable solution or answer.
  • I agree to the terms within the OpenFGA Code of Conduct.

Description

When trying to deploy OpenFGA with Postgres via Kubernetes, we ran into a "userinfo" parsing error. We are providing the Job the credentials via external secrets as outlined in the helm template conditional. The final manifest produces the following URI (redacted to remove all production references): "uri": "postgres://postgres:<password-containing-unescaped-characters>@host:port/database". The password contains hyphens, curly brackets, and parentheses; looking into url.Parse() in Golang, it looks like it is expecting escaped characters.

case "postgres":
	driver = "pgx"
	migrationsPath = assets.PostgresMigrationDir

	// Parse the database uri with url.Parse() and update username/password, if set via flags
	dbURI, err := url.Parse(uri)

Expectation

I would expect this to sanitize the URI string on the backend and not expect the URI to be escaped. For instance, the following URI should be valid:

postgres://postgres:JdnKsnd83$;):”-&:jaj]^]*}hs/ns\l@example.com:5432/postgres

Due to the way url.Parse() currently handles this, this string would fail due to unescaped non-alpha-numeric characters being present in the password.

Reproduction

  1. Configure OpenFGA in Kubernetes
  2. Configure OpenFGA to use Postgres
  3. Configure Postgres to use a URI
  4. Configure the Postgres URI to contain unescaped non-alpha-numeric characters

Store data

N/A

OpenFGA version

v1.5.1

How are you running OpenFGA?

In Kubernetes

What datastore are you using?

Postgres

OpenFGA Flags

None

Logs

No response

@joshmorningstar joshmorningstar added the bug Something isn't working label Apr 3, 2024
@rhamzeh
Member

rhamzeh commented Apr 13, 2024

From @joshmorningstar on Discord:

We implemented a workaround in our external secrets that seemed to work for now:
{{ urlquery .password }} for pulling our password out of the AWS secret manager and URL encoding it.

This causes the connection URI to work with non alpha-numeric values in the userinfo.

Perhaps in lieu of updating the code, adding notes to the README that the URI string VALUES should be url encoded before being passed in -- e.g. postgres://{{ urlquery <username> }}:{{ urlquery password }}@{{ urlquery <database-server> }}:{{ <port> }}/{{ urlquery <database> }}
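The behaviour discussed in this thread, as an added Go example that is not part of the issue or of OpenFGA's code: it shows `url.Parse` rejecting an unescaped password, a URI built with `url.UserPassword` round-tripping, and one edge case of the `urlquery` workaround (query escaping turns a space into `+`, which userinfo decoding leaves as a literal `+`). The function names, the host `db.example.internal` and the passwords are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// buildPostgresURI assembles the URI from raw parts; url.UserPassword
// percent-encodes the userinfo so that url.Parse accepts it later.
func buildPostgresURI(user, password, host, port, db string) string {
	u := url.URL{
		Scheme: "postgres",
		User:   url.UserPassword(user, password),
		Host:   net.JoinHostPort(host, port),
		Path:   "/" + db,
	}
	return u.String()
}

// passwordFrom parses a URI with url.Parse, as the quoted migrate code does,
// and returns the decoded password or the parse error.
func passwordFrom(uri string) (string, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", err
	}
	pw, _ := u.User.Password()
	return pw, nil
}

// queryEscapedURI mimics the template workaround: text/template's urlquery
// applies query escaping (url.QueryEscape) before the value is spliced in.
func queryEscapedURI(user, password, hostport, db string) string {
	return "postgres://" + url.QueryEscape(user) + ":" +
		url.QueryEscape(password) + "@" + hostport + "/" + db
}

func main() {
	const pw = "p-{w}(d)" // constructed sample password
	_, err := passwordFrom("postgres://postgres:" + pw + "@db.example.internal:5432/openfga")
	fmt.Println("raw splice parses:", err == nil)

	got, _ := passwordFrom(buildPostgresURI("postgres", pw, "db.example.internal", "5432", "openfga"))
	fmt.Println("url.UserPassword round-trips:", got == pw)

	got, _ = passwordFrom(queryEscapedURI("postgres", "a b", "db.example.internal:5432", "openfga"))
	fmt.Printf("query-escaped %q decodes as %q\n", "a b", got)
}
```

Passwords without spaces round-trip under either encoding; the difference only matters when the secret can contain a space.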
