runtime: logged a warning (#3392)

This commit gives a message stating authetication will be ineffective when you run the opa server with authentication as TOKEN and no authorization Fixes #3380 Signed-off-by: Amruta Kale <[email protected]>
open-policy-agent · Apr 21, 2021 · 27c8d75 · 27c8d75
1 parent 4778996
commit 27c8d75
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/runtime/runtime.go b/runtime/runtime.go
@@ -305,6 +305,10 @@ func (rt *Runtime) Serve(ctx context.Context) error {
 		"diagnostic-addrs": *rt.Params.DiagnosticAddrs,
 	}).Info("Initializing server.")
 
+	if rt.Params.Authorization == server.AuthorizationOff && rt.Params.Authentication == server.AuthenticationToken {
+		logrus.Error("Token authentication enabled without authorization. Authentication will be ineffective. See https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization for more information.")
+	}
+
 	// NOTE(tsandall): at some point, hopefully we can remove this because the
 	// Go runtime will just do the right thing. Until then, try to set
 	// GOMAXPROCS based on the CPU quota applied to the process.

diff --git a/runtime/runtime_test.go b/runtime/runtime_test.go
@@ -20,6 +20,7 @@ import (
 	"time"
 
 	"github.com/open-policy-agent/opa/internal/report"
+	"github.com/open-policy-agent/opa/server"
 
 	"github.com/sirupsen/logrus"
 
@@ -302,6 +303,38 @@ func TestCheckOPAUpdateLoopWithNewUpdate(t *testing.T) {
 	testCheckOPAUpdateLoop(t, baseURL, "OPA is out of date.")
 }
 
+func TestCheckAuthIneffective(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	var output bytes.Buffer
+
+	params := NewParams()
+	params.Authentication = server.AuthenticationToken
+	params.Authorization = server.AuthorizationOff
+	params.Output = &output
+	params.Addrs = &[]string{":0"}
+	params.GracefulShutdownPeriod = 1
+	rt, err := NewRuntime(ctx, params)
+	if err != nil {
+		t.Fatalf("Unexpected error %v", err)
+	}
+	logrus.SetOutput(rt.Params.Output)
+
+	done := make(chan bool)
+	go func() {
+		rt.StartServer(ctx)
+		done <- true
+
+	}()
+	time.Sleep(2 * time.Millisecond)
+
+	expected := "Token authentication enabled without authorization. Authentication will be ineffective. See https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization for more information."
+	if !strings.Contains(output.String(), expected) {
+		t.Fatalf("Expected output to contain: \"%v\" but got \"%v\"", expected, output.String())
+	}
+	cancel()
+	<-done
+}
+
 func getTestServer(update interface{}, statusCode int) (baseURL string, teardownFn func()) {
 	mux := http.NewServeMux()
 	ts := httptest.NewServer(mux)