-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle http.send errors in-band #2187
Comments
I think part of the issue is that most of the builtin functions today lack any sort of error handling mechanism. They'll either do the right thing, be undefined, or halt evaluation by raising an error. We could maybe just modify the Longer term we may want to think about what could be done for other builtin functions that require (or would be nice to have) similar error handling treatment. Having a consistent pattern would be ideal. |
Yep, I agree that propagating the error from most builtins makes sense. I think that |
I found a case that I can't easily work around. I have a test suite where the test cases are expressed in Rego. One test case is that TLS is configured properly. If it is configured properly, the HTTPS request fails with a TLS alert. I can't handle this properly because from the test harness there is no way to know whether the Rego check expects the error or not. The harness also doesn't know that it is an error to not get the alert. |
Proposal:
|
@patrick-east Do you have any thoughts about the proposal above? If we do that, would we need extra flags to switch the behavior? |
Apologies for the delay! Unfortunately this fell off my radar 😞 I like the proposal (would lean towards the new |
Thinking out loud a bit ... Rather than a per-request flag which seems burdensome, could we make a builtin API to specify HTTP client behaviors? Maybe it would be enough to expose the setting only in the Go API, and not force Rego police authors to toggle it ... |
Adding another parameter on the request object doesn't feel like a huge deal to me. If policy authors find it annoying they could always wrap That said, I'm not opposed to another version of |
Adding this into the backlog as something we need to work on. I'm wondering if we should just change the default behaviour to return network errors as data. I doubt anyone is relying on network errors halting policy evaluation. |
We have a separate case too: JWT parsing builtin. It fails the eval for us, but we would probably like to return a more meaningful error / go into a different auth flow - but right now it just crashes the eval and returns 500 |
This change updates how errors from http.send are handled. By default, an error returned by `http.send` halts the policy evaluation. This commit allows users to return errors in the response object returned by `http.send` instead of halting evaluation. Fixes: open-policy-agent#2187 Signed-off-by: Ashutosh Narkar <[email protected]>
This change updates how errors from http.send are handled. By default, an error returned by `http.send` halts the policy evaluation. This commit allows users to return errors in the response object returned by `http.send` instead of halting evaluation. Fixes: #2187 Signed-off-by: Ashutosh Narkar <[email protected]>
Expected Behavior
Rego programs should be able to handle errors from the builtin
http.send
.Actual Behavior
If the
http.send
builtin gets an error, this is returned from the(*Rego) Eval()
and can't be handled within a Rego program.In my context, I have a test harness that queries Rego rules. These rules might be expressed using
http.send
. If theEval
fails because of the HTTP client failure, then I will retry (up til the timeout), but theEval
might fail for some other reason that's permanently fatal (e.g syntax). The rules already handle expecting HTTP status, so I'd like to be able to handle the builtin failing in a consistent way.The text was updated successfully, but these errors were encountered: