server/authorizer: Fix gzip payload handling. #6825

Commits on Jun 26, 2024

  1. server/authorizer: Fix gzip payload handling.

    This PR fixes an issue where an OPA running authorization policies would
    be unable to handle gzipped request bodies.
    
    Example OPA CLI setup:
    
        opa run -s --authorization=basic
    
    Example request:
    
        echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- http://127.0.0.1:8181/v1/data
    
    This would result in unhelpful error messages, like:
    
    ```json
    {
      "code": "invalid_parameter",
      "message": "invalid character '\\x1f' looking for beginning of value"
    }
    ```
    
    The cause was that the request body handling system in the
    `server/authorizer` package did not take gzipped payloads into
    account. The fix was to borrow the gzip request body handling function
    from `server/server.go`, to transparently decompress the body when
    needed.
    
    Fixes: open-policy-agent#6804
    
    Signed-off-by: Philip Conrad <[email protected]>
    philipaconrad committed Jun 26, 2024
    0c0e38b
  2. server/server_test: Add gzip + authz policy testcases.

    Signed-off-by: Philip Conrad <[email protected]>
    philipaconrad committed Jun 26, 2024
    d23c75e
  3. Refactor: Move the maybe-gzip-reader out to util.

    Signed-off-by: Philip Conrad <[email protected]>
    philipaconrad committed Jun 26, 2024
    42d6c27
  4. server/server_test: Add new testcase.

    Signed-off-by: Philip Conrad <[email protected]>
    philipaconrad committed Jun 26, 2024
    0af6be7
  5. server/server_test: Add malicious gzip size trailer test.

    Signed-off-by: Philip Conrad <[email protected]>
    philipaconrad committed Jun 26, 2024
    0182db3
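
The transparent decompression described in the first commit message, together with the concern behind the "malicious gzip size trailer" test, shown as an added Go example that is not OPA's own code. `readMaybeGzipBody`, `gzipBytes`, `errBodyTooLarge` and the byte limit are hypothetical names chosen here; the cap is enforced on bytes actually decoded, not on the size recorded in the gzip trailer.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)
var errBodyTooLarge = errors.New("decoded request body too large")

// readMaybeGzipBody (hypothetical helper) returns the request body, gunzipping
// it when Content-Encoding names gzip, and caps the decoded size at limit.
func readMaybeGzipBody(r *http.Request, limit int64) ([]byte, error) {
	var src io.Reader = r.Body
	if strings.Contains(strings.ToLower(r.Header.Get("Content-Encoding")), "gzip") {
		zr, err := gzip.NewReader(r.Body)
		if err != nil {
			return nil, fmt.Errorf("invalid gzip body: %w", err)
		}
		defer zr.Close()
		src = zr
	}
	// Read one byte past the limit so an oversized body is detectable.
	data, err := io.ReadAll(io.LimitReader(src, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errBodyTooLarge
	}
	return data, nil
}

// gzipBytes builds constructed sample input for the demo and tests.
func gzipBytes(p []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(p)
	zw.Close()
	return buf.Bytes()
}

func main() {
	req, _ := http.NewRequest("POST", "http://127.0.0.1:8181/v1/data", bytes.NewReader(gzipBytes([]byte("{}"))))
	req.Header.Set("Content-Encoding", "gzip")
	fmt.Println(readMaybeGzipBody(req, 1024))
}
```

The request in `main` is only constructed in memory and never sent. A payload whose trailer understates its size is still rejected, because the limit counts decoded bytes.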