From 82cb07541a1864232c9cb5a7bdab9bdc0dd6e6d8 Mon Sep 17 00:00:00 2001
From: Amruta Kale
Date: Mon, 19 Apr 2021 00:40:15 +0530
Subject: [PATCH] runtime: logged a warning

This commit gives a message stating authetication will be ineffective when you run the opa server with authentication as TOKEN and no authorization
Fixes #3380
Signed-off-by: Amruta Kale
---
 runtime/runtime.go | 4 ++++
 runtime/runtime_test.go | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)

diff --git a/runtime/runtime.go b/runtime/runtime.go
index 6770dfef12..51c903c424 100644
--- a/runtime/runtime.go
+++ b/runtime/runtime.go
@@ -305,6 +305,10 @@ func (rt *Runtime) Serve(ctx context.Context) error {
 "diagnostic-addrs": *rt.Params.DiagnosticAddrs,
 }).Info("Initializing server.")
+ if rt.Params.Authorization == server.AuthorizationOff && rt.Params.Authentication == server.AuthenticationToken {
+ logrus.Error("Token authentication enabled without authorization. Authentication will be ineffective. See https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization for more information.")
+ }
+
 // NOTE(tsandall): at some point, hopefully we can remove this because the
 // Go runtime will just do the right thing. Until then, try to set
 // GOMAXPROCS based on the CPU quota applied to the process.
diff --git a/runtime/runtime_test.go b/runtime/runtime_test.go
index c7ca1c90a5..96c0ea424a 100644
--- a/runtime/runtime_test.go
+++ b/runtime/runtime_test.go
@@ -20,6 +20,7 @@ import (
 "time"
 "github.com/open-policy-agent/opa/internal/report"
+ "github.com/open-policy-agent/opa/server"
 "github.com/sirupsen/logrus"
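Review bot: The new check in `Serve` logs at error level via `logrus.Error` although the commit title and description describe a warning, and nothing else happens — the function carries on and the server comes up with a bearer-token scheme that no authorizer ever consults, so an operator who does not read the log gets no protection at all. If the intent is only to inform, `logrus.Warn("Token authentication enabled without authorization. ...")` matches the stated level; if the combination is meant to be unsupported, returning an error from `Serve` here (or refusing to start unless an explicit opt-in flag is set) would be the more defensive choice, but that is a behaviour change beyond this patch. Checking only `server.AuthenticationToken` looks deliberate — TLS client-certificate authentication is presumably enforced at the TLS layer rather than by an authorizer, so it is not weakened in the same way; a short comment above the `if` saying so would save the next reader the same analysis. `Serve` begins and ends outside the hunk.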
@@ -302,6 +303,38 @@ func TestCheckOPAUpdateLoopWithNewUpdate(t *testing.T) {
 testCheckOPAUpdateLoop(t, baseURL, "OPA is out of date.")
 }
+func TestCheckAuthIneffective(t *testing.T) {
+ ctx, cancel := context.WithCancel(context.Background())
+ var output bytes.Buffer
+
+ params := NewParams()
+ params.Authentication = server.AuthenticationToken
+ params.Authorization = server.AuthorizationOff
+ params.Output = &output
+ params.Addrs = &[]string{":0"}
+ params.GracefulShutdownPeriod = 1
+ rt, err := NewRuntime(ctx, params)
+ if err != nil {
+ t.Fatalf("Unexpected error %v", err)
+ }
+ logrus.SetOutput(rt.Params.Output)
+
+ done := make(chan bool)
+ go func() {
+ rt.StartServer(ctx)
+ done <- true
+
+ }()
+ time.Sleep(2 * time.Millisecond)
+
+ expected := "Token authentication enabled without authorization. Authentication will be ineffective. See https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization for more information."
+ if !strings.Contains(output.String(), expected) {
+ t.Fatalf("Expected output to contain: \"%v\" but got \"%v\"", expected, output.String())
+ }
+ cancel()
+ <-done
+ }
+ + func getTestServer(update interface{}, statusCode int) (baseURL string, teardownFn func()) {
 mux := http.NewServeMux()
 ts := httptest.NewServer(mux)
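Review bot: The 2 ms `time.Sleep` before `strings.Contains(output.String(), expected)` is the only synchronization with the `StartServer` goroutine, so on a loaded CI machine the assertion can run before `Serve` has reached the new log call and the test fails intermittently; poll for the line under a deadline instead. `logrus.SetOutput(rt.Params.Output)` also redirects the process-wide standard logger and is never undone, so every later test in the package keeps writing into this buffer — save `logrus.StandardLogger().Out` and restore it in a `defer`. The buffer is read by `output.String()` while the server goroutine may still be writing to it; logrus serialises its own writes, but this read is not under that lock, so `go test -race` can flag it unless the `bytes.Buffer` is wrapped in a mutex-guarded writer. `cancel` should be deferred as soon as it is created (`defer cancel()`) so a failing `t.Fatalf` does not leave the server goroutine running with a context that is never cancelled.
```go
	prev := logrus.StandardLogger().Out
	logrus.SetOutput(rt.Params.Output)
	defer logrus.SetOutput(prev)

	// … unchanged: done channel and StartServer goroutine …

	expected := "Token authentication enabled without authorization. Authentication will be ineffective. See https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization for more information."
	deadline := time.Now().Add(5 * time.Second)
	for !strings.Contains(output.String(), expected) {
		if time.Now().After(deadline) {
			t.Fatalf("Expected output to contain: \"%v\" but got \"%v\"", expected, output.String())
		}
		time.Sleep(10 * time.Millisecond)
	}
	// … unchanged: cancel() and <-done …
```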