Unable to access environment variable

[robhafner]

I'm attempting to access the 'OAUTH_TOKEN_VERIFY_KEY' environment variable via the opa.runtime built-in function to provide the verify key for our oauth token in the following manner.

claims := payload {
io.jwt.verify_rs256(input.token, opa.runtime().env.OAUTH_TOKEN_VERIFY_KEY)
[_, payload, _] := io.jwt.decode(input.token)
}

The environment variable is provided via the following configuration:

{
"services": {
"types": {
"url": "https://[our-host]/"
}
},
"bundles": {
"types": {
"resource": "/authorization/bundles/types",
"polling": {
"min_delay_seconds": 5,
"max_delay_seconds": 15
}
}
},
"decision_logs": {
"console": false
},
"env": {
"OAUTH_TOKEN_VERIFY_KEY" : "[our key]"
}
}

The config is passed in to OPA using the sdk.Options type:

opa, err := sdk.New(ctx, sdk.Options{
ID: fmt.Sprintf("%s-opa", bundleName),
Config: bytes.NewReader(config),
...
})

However, the policy does not evaluate correctly as a result of the environment variable.

Is there an example that I can refer to that illustrates how set up the environment variable so that it can be accessed in a policy?

[robhafner]

I put the following test case together which illustrates how to use an environment variable with io.jwt.verify_hs256(). If you think this test case would be useful to have in the OPA test suite, I'd be happy to create a pull request for it. Currently, I've added the test to the /sdk/opa_test.go file in my fork.

`
func TestOpaRuntimeEnvironmentVariable(t *testing.T) {
ctx := context.Background()

server := sdktest.MustNewServer(
	sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
		"main.rego": `

package system

rt := opa.runtime()

grant {
authenticatedUser
}

claims := payload {
io.jwt.verify_hs256(input.token, opa.runtime().config.env.TOKEN_VERIFY_KEY)
[_, payload, _] := io.jwt.decode(input.token)
}

authenticatedUser := a {
claims
a := count(claims) > 0
}
`,
}),
)

defer server.Stop()

testBundleResource := "/bundles/bundle.tar.gz"
testLabel := "a label"

config := fmt.Sprintf(`{
	"services": {
		"test": {
			"url": %q
		}
	},
	"bundles": {
		"test": {
			"resource": %q
		}
	},
	"labels": {
		"test": %q
	},
	"env": {
		"TOKEN_VERIFY_KEY" : "B41BD5F462719C6D6118E673A2389"
	}
}`, server.URL(), testBundleResource, testLabel)

opa, err := sdk.New(ctx, sdk.Options{
	Config: strings.NewReader(config),
})
if err != nil {
	t.Fatal(err)
}

defer opa.Stop(ctx)

exp := true

input := map[string]interface{}{}
input["token"] = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiQWxpY2lhIFNtaXRoc29uaWFuIiwicm9sZXMiOlsicmVhZGVyIiwid3JpdGVyIl0sInVzZXJuYW1lIjoiYWxpY2UifQ.md2KPJFH9OgBq-N0RonGdf5doGYRO_1miN8ugTSeTYc"

if result, err := opa.Decision(ctx, sdk.DecisionOptions{Path: "/system/grant", Input: input}); err != nil {
	t.Fatal(err)
} else if !reflect.DeepEqual(result.Result, exp) {
	t.Fatalf("expected %v but got %v", exp, result.Result)
}

}
`

[anderseknert]

Hi @robhafner! And thanks for the example! More tests are always welcome, so that'd be great. But first — I'm not sure I follow — wouldn't the environement variable be sourced from... well, an environment variable, rather than config? As far as I know, there's no env attribute in OPA's configuration file. Maybe I've missed something? :)

[robhafner]

I think that's where my confusion is. So I started poking in around in various tests and commits to understand further.

In this commit there is an example of a config that defines an "env" field with environment variables. See tsandall's comment on Oct 16, 2018.
open-policy-agent/opa#1015

Based upon my testing it appears an environment variable could be passed in to OPA in two ways.

1. An environment variable defined at the Operating System level.
2. An environment variable defined in an "env" section of the OPA config passed into the SDK.

I'll create a PR to illustrate both cases and let you decide if it makes sense to include them in OPA's test suite.

[anderseknert]

That's correct 👍 A PR would be great! 😃

[robhafner]

Here is the pull request!

open-policy-agent/opa#6420