My rego policy always returns false #612

surikalyani · 2024-07-12T17:38:41Z

surikalyani
Jul 12, 2024

This is how I set up OPA in docker

I am trying to validate AWS cognito access token . Its not working , and dont know how to debug or add more logging .

# this policy will be available at /v1/data/example/allow
package example
# import dependencies
import rego.v1
import input.attributes.request.http as http_request
jwks_request(url) = http.send({
    "url": url,
    "method": "GET",
    "force_cache": true,
    "force_cache_duration_seconds": 3600
})
# by default, do not allow access
default allow := false
# The token is verified and valid at the current time.
allow if{

	#read JKWS cert from Token signing key URL
	jwks_cached := jwks_request("https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_XXXXXXX/.well-known/jwks.json").body
	bearer_token := split(input.event.identitySource[0], " ")[1]
    # Verify the signature on the Bearer token.
    io.jwt.decode_verify(bearer_token, jwks_cached)
	# example pattern matches on the result to obtain the JWT payload.
	[_, payload, _] := io.jwt.decode(bearer_token)
}

input.json

{
	"input": {
		"version": "2.0",
		"type": "REQUEST",
		"identitySource": [
			"Bearer eyJraWQiOiIrS0x5K3FqYnpETFUxaHN6NkFTeVhOUFpGajlLOVNGejR2OG9qdThcL1Z4Zz0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI3YzlkOTVlOC0zMDYxLTcwOTUtMDdjMy04NTBlYmQzNjNkYTAiLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuY2EtY2VudHJhbC0xLmFtYXpvbmF3cy5jb21cL2NhLWNlbnRyYWwtMV9VeG54ZUswb0UiLCJjbGllbnRfaWQiOiIyMDhyNGpvY3ZpbGtqOG9jdGFmdDdqaHFlYSIsIm9yaWdpbl9qdGkiOiIyYTJiZjZjOC0xYjZlLTQ0YTYtYTQxZC1hMjhjMWVhYmU1MDciLCJldmVudF9pZCI6ImM0Yzg4MTM5LWYyYzMtNDdlMy04ZGJlLWViMGQ3NzZmMDE1YSIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiYXdzLmNvZ25pdG8uc2lnbmluLnVzZXIuYWRtaW4iLCJhdXRoX3RpbWUiOjE3MjA4MTE4NjksImV4cCI6MTcyMDgxNTQ2OSwiaWF0IjoxNzIwODExODY5LCJqdGkiOiI1Njk5ODliMS0xNWExLTRkYjUtOTIwOC0wOGNlNjY5NzQyMjUiLCJ1c2VybmFtZSI6IjdjOWQ5NWU4LTMwNjEtNzA5NS0wN2MzLTg1MGViZDM2M2RhMCJ9.j9g4ePa5u9YyfzdQaoRdYx-3Yu_3mooTwLUhdR8wzdbseY9p3IFUHMLoMyrXryxBhIq9XlkNRThVthQwO7ie6AxnZjZKocBzbo4oWGiYDf6iCUeifn2PGOw8pTMtDO6OD_otpD64iPUHK52ubK8kwgmoTcPDOtwHKprv01U4eqnGw4Oe77xl18swY8Y1wFjvzwhuJ7PY9SecEHZUDvg-CYfDJPOBPSaRrfLFr0PuE3Dz3EHAZrEgJ29cHiYeQJk7274OhwaxLuxHrPCdVm6eMl5YzspgrLVVUN5j8z-nZ65RoNeMgDlpyYoRf7WV4Dhg4jmKUVzxBLnwcpT7FZoPpQ"
		],
		"routeKey": "PUT /v1/auth/change_password"
}
}

Not sure how to debug why its not working . Do I need to add --authentication=token when I start OPA as service ?

ashutosh-narkar · 2024-07-12T17:52:40Z

ashutosh-narkar
Jul 12, 2024
Maintainer

If you provide the policy and data loaded in OPA and the input you use to query OPA, we could help investigate.

1 reply

ashutosh-narkar Jul 12, 2024
Maintainer

Also it is good practice to Unit test your policies.

surikalyani · 2024-07-16T17:45:33Z

surikalyani
Jul 16, 2024
Author

Thanks for reply! I have updated my question

0 replies

srenatus · 2024-07-16T18:09:43Z

srenatus
Jul 16, 2024
Maintainer

Your policy says

bearer_token := split(input.event.identitySource[0], " ")[1]

but your input doesn't have "event". I think you could try

bearer_token := split(input.dentitySource[0], " ")[1]

Also, decode_verify already returns the payload, you don't need to decode again after it, see here. This alone should to the trick:

some payload
[true, _, payload] = io.jwt.decode_verify(...)

Also, I don't think passing in your jwks_cached like that is enough. The second argument is a "constraints" object, try using {"cert": jwks_cached} instead.

Unrelated -- if you're not using envoy,

import input.attributes.request.http as http_request

has no effect whatsoever.

0 replies

surikalyani · 2024-07-26T00:22:28Z

surikalyani
Jul 26, 2024
Author

I think my updated policy is not used by OPA server inside docker . HOw to update policy OPA is using
This is my original rego policy

# import dependencies
import rego.v1

# by default, do not allow access
default allow := false

# allow when a valid JWT is provided, which matches expected client ID
allow if {
	jwt := split(input.event.identitySource[0], " ")[1]
	[_, payload, _] := io.jwt.decode(jwt)

	# @todo: check for expiry, check signature, check user is enabled

	valid := payload.client_id == input.client_id
	token := {"valid": valid, "username": payload.username}

	token.valid
}

This is my updated policy


# this policy will be available at /v1/data/example/allow
package example
# import dependencies
import rego.v1
import input.attributes.request.http as http_request
jwks_request(url) = http.send({
    "url": url,
    "method": "GET",
    "force_cache": true,
    "force_cache_duration_seconds": 3600
})
# by default, do not allow access
default allow := false
# The token is verified and valid at the current time.
allow if{

	#read JKWS cert from Token signing key URL
	jwks_cached := jwks_request("https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_XXXXXXX/.well-known/jwks.json").body
	bearer_token := split(input.event.identitySource[0], " ")[1]
    # Verify the signature on the Bearer token.
    io.jwt.decode_verify(bearer_token, jwks_cached)
	# example pattern matches on the result to obtain the JWT payload.
	[_, payload, _] := io.jwt.decode(bearer_token)
}

1 reply

Open Policy Agent

My rego policy always returns false #612

Uh oh!

Uh oh!

surikalyani Jul 12, 2024

Replies: 4 comments · 2 replies

Uh oh!

ashutosh-narkar Jul 12, 2024 Maintainer

Uh oh!

ashutosh-narkar Jul 12, 2024 Maintainer

Uh oh!

surikalyani Jul 16, 2024 Author

Uh oh!

Uh oh!

srenatus Jul 16, 2024 Maintainer

Uh oh!

Uh oh!

surikalyani Jul 26, 2024 Author

Uh oh!

surikalyani Jul 26, 2024 Author

surikalyani
Jul 12, 2024

Replies: 4 comments 2 replies

ashutosh-narkar
Jul 12, 2024
Maintainer

ashutosh-narkar Jul 12, 2024
Maintainer

surikalyani
Jul 16, 2024
Author

srenatus
Jul 16, 2024
Maintainer

surikalyani
Jul 26, 2024
Author

surikalyani Jul 26, 2024
Author