--authorization=basic breaks gzipped request decompression
#6804
Labels
Comments
|
Ah yep! This looks like a case where the |
philipaconrad
added a commit
to philipaconrad/opa
that referenced
this issue
Jun 17, 2024
This PR fixes an issue where an OPA running authorization policies would
be unable to handle gzipped request bodies.
Example OPA CLI setup:
opa run -s --authorization=basic
Example request:
echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- http://127.0.0.1:8181/v1/data
This would result in unhelpful error messages, like:
```json
{
"code": "invalid_parameter",
"message": "invalid character '\\x1f' looking for beginning of value"
}
```
The cause was that the request body handling system in the
`server/authorizer` package did not take gzipped payloads into
account. The fix was to borrow the gzip request body handling function
from `server/server.go`, to transparently decompress the body when
needed.
Fixes: open-policy-agent#6804
Signed-off-by: Philip Conrad <[email protected]>
1 task
philipaconrad
added a commit
to philipaconrad/opa
that referenced
this issue
Jun 17, 2024
This PR fixes an issue where an OPA running authorization policies would
be unable to handle gzipped request bodies.
Example OPA CLI setup:
opa run -s --authorization=basic
Example request:
echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- http://127.0.0.1:8181/v1/data
This would result in unhelpful error messages, like:
```json
{
"code": "invalid_parameter",
"message": "invalid character '\\x1f' looking for beginning of value"
}
```
The cause was that the request body handling system in the
`server/authorizer` package did not take gzipped payloads into
account. The fix was to borrow the gzip request body handling function
from `server/server.go`, to transparently decompress the body when
needed.
Fixes: open-policy-agent#6804
Signed-off-by: Philip Conrad <[email protected]>
philipaconrad
added a commit
to philipaconrad/opa
that referenced
this issue
Jun 25, 2024
This PR fixes an issue where an OPA running authorization policies would
be unable to handle gzipped request bodies.
Example OPA CLI setup:
opa run -s --authorization=basic
Example request:
echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- http://127.0.0.1:8181/v1/data
This would result in unhelpful error messages, like:
```json
{
"code": "invalid_parameter",
"message": "invalid character '\\x1f' looking for beginning of value"
}
```
The cause was that the request body handling system in the
`server/authorizer` package did not take gzipped payloads into
account. The fix was to borrow the gzip request body handling function
from `server/server.go`, to transparently decompress the body when
needed.
Fixes: open-policy-agent#6804
Signed-off-by: Philip Conrad <[email protected]>
philipaconrad
added a commit
to philipaconrad/opa
that referenced
this issue
Jun 26, 2024
This PR fixes an issue where an OPA running authorization policies would
be unable to handle gzipped request bodies.
Example OPA CLI setup:
opa run -s --authorization=basic
Example request:
echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- http://127.0.0.1:8181/v1/data
This would result in unhelpful error messages, like:
```json
{
"code": "invalid_parameter",
"message": "invalid character '\\x1f' looking for beginning of value"
}
```
The cause was that the request body handling system in the
`server/authorizer` package did not take gzipped payloads into
account. The fix was to borrow the gzip request body handling function
from `server/server.go`, to transparently decompress the body when
needed.
Fixes: open-policy-agent#6804
Signed-off-by: Philip Conrad <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Short description
Issue exists on OPA v0.65.0 and EOPA v1.22.0, although they have different error messages for some reason... 😕
If the
--authorization=basicflag is passed to anopa run -scli command, opa will output an error on receiving a properly gzipped HTTP request with theContent-Encoding: gzipheader.Steps To Reproduce
--authorization=basicflag, e.g.opa run -s --authorization=basic.echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- http://127.0.0.1:8181/v1/dataOr with EOPA:
Expected behavior
In this case, some error about there being no
inputor path after/v1/data, but with more policies/proper input, there should be no errors; the request should decompress as expected, and the evaluation/response should continue as expected.The text was updated successfully, but these errors were encountered: