
Panic in Rule Matching #484

Closed
nielsole opened this issue Jul 17, 2020 · 1 comment
Labels
bug Something is not working. help wanted We are looking for help on this one.

Comments

@nielsole

Hi,

I triggered a panic in the rule parsing that I can't reproduce.
I tried setting a rule that contains a port on which oathkeeper listens.

I made a rule that looks like this:

    ...
      "match": {
        "url": "http://oathkeeper-poc:4455/oauth2/test",
        "methods": [
          "GET"
        ]
      },
    ...

The port in the URL was added in a live-reload.
Unfortunately this led repeatedly to a panic when loading the page in the browser:

time="2020-07-17T14:41:36Z" level=info msg="started handling request" method=GET remote=${REDACTED} request=/oauth2/test
2020/07/17 14:41:36 http: panic serving ${REDACTED_INTERNAL_IP}:39276: runtime error: invalid memory address or nil pointer dereference
goroutine 30 [running]:
net/http.(*conn).serve.func1(0xc00095c000)
	/usr/local/go/src/net/http/server.go:1772 +0x139
panic(0xd13c80, 0x15ae2e0)
	/usr/local/go/src/runtime/panic.go:975 +0x3e3
github.com/ory/oathkeeper/rule.(*Rule).IsMatching(0xc0006d4000, 0xc00003dec8, 0x6, 0xc00060e260, 0x3, 0xc000612200, 0xa8f2, 0x66f5, 0x917b)
	/home/ory/rule/rule.go:176 +0x3b
github.com/ory/oathkeeper/rule.(*RepositoryMemory).Match(0xc0003ca410, 0xf93c20, 0xc000385800, 0xc00060e260, 0x3, 0xc000612200, 0x0, 0x0, 0x0)
	/home/ory/rule/repository_memory.go:132 +0x175
github.com/ory/oathkeeper/proxy.(*Proxy).Director(0xc0006ff080, 0xc0001fe300)
	/home/ory/proxy/proxy.go:127 +0x122
net/http/httputil.(*ReverseProxy).ServeHTTP(0xc0006fc0a0, 0x7fd5cef230a0, 0xc00082c028, 0xc0001fe100)
	/usr/local/go/src/net/http/httputil/reverseproxy.go:214 +0x167
github.com/urfave/negroni.Wrap.func1(0x7fd5cef230a0, 0xc00082c028, 0xc0001fe100, 0xc0003500e0)
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46 +0x4d
github.com/urfave/negroni.HandlerFunc.ServeHTTP(0xc000788120, 0x7fd5cef230a0, 0xc00082c028, 0xc0001fe100, 0xc0003500e0)
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29 +0x4e
github.com/urfave/negroni.middleware.ServeHTTP(0xf7f480, 0xc000788120, 0xc0007881c0, 0x7fd5cef230a0, 0xc00082c028, 0xc0001fe100)
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38 +0x9c
github.com/ory/x/reqlog.(*Middleware).ServeHTTP(0xc00024efc0, 0x7fd5cef230a0, 0xc00082c028, 0xc0001fe100, 0xc0003500a0)
	/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:140 +0x2b5
github.com/urfave/negroni.middleware.ServeHTTP(0xf7d920, 0xc00024efc0, 0xc0007881a0, 0x7fd5cef230a0, 0xc00082c028, 0xc0001fe100)
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38 +0x9c
github.com/ory/oathkeeper/metrics.(*Middleware).ServeHTTP(0xc0006fc0f0, 0x7fd5cef230a0, 0xc00082c028, 0xc0001fe100, 0xc000350080)
	/home/ory/metrics/middleware.go:63 +0x90
github.com/urfave/negroni.middleware.ServeHTTP(0xf7d7e0, 0xc0006fc0f0, 0xc000788160, 0x7fd5cef230a0, 0xc00082c028, 0xc0001fe100)
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38 +0x9c
github.com/ory/x/metricsx.(*Service).ServeHTTP(0xc0006560f0, 0x7fd5cef230a0, 0xc00082c028, 0xc0001fe100, 0xc000350060)
	/go/pkg/mod/github.com/ory/[email protected]/metricsx/middleware.go:261 +0x92
github.com/urfave/negroni.middleware.ServeHTTP(0xf7d8e0, 0xc0006560f0, 0xc000788140, 0x7fd5cef230a0, 0xc00082c028, 0xc0001fe100)
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38 +0x9c
github.com/urfave/negroni.(*Negroni).ServeHTTP(0xc0003a8de0, 0xf90860, 0xc0002001c0, 0xc0001fe100)
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:96 +0xeb
net/http.serverHandler.ServeHTTP(0xc0002b8000, 0xf90860, 0xc0002001c0, 0xc0001fe100)
	/usr/local/go/src/net/http/server.go:2807 +0xa3
net/http.(*conn).serve(0xc00095c000, 0xf93c20, 0xc000384240)
	/usr/local/go/src/net/http/server.go:1895 +0x86c
created by net/http.(*Server).Serve
	/usr/local/go/src/net/http/server.go:2933 +0x35c

After restarting oathkeeper I couldn't reproduce the behaviour.

Server Behaviour

Actual Behaviour
Panics as pasted above

Expected behavior

It doesn't make a whole lot of sense to specify a listening port in the matching URL, but it should not lead to a panic.
I would expect one of:

  • Configuration fails to validate/reload
  • Port is checked for the request (basically discarding the rule if it is not on the listening port)
  • Ignoring the port altogether.

Note: I am uncertain that the port was the cause, it might have just been coincidence.

config.yml

    serve:
      proxy:
        port: 4455 # run the proxy at port 4455
      api:
        host: 0.0.0.0
        port: 4456 # run the api at port 4456

    access_rules:
      matching_strategy: regexp
      repositories:
        - file:///config/rules.json

    errors:
      fallback:
        - json
      handlers:
        json:
          enabled: true
          config:
            verbose: true
        redirect:
          enabled: true
          config:
            to: https://www.ory.sh/docs

    mutators:
      header:
        enabled: true
        config:
          headers:
            X-User: "{{ print .Subject }}"
      noop:
        enabled: true
      id_token:
        enabled: true
        config:
          issuer_url: http://localhost:4455/
          jwks_url: file:///jwks.json

    authorizers:
      allow:
        enabled: true
      deny:
        enabled: true

    authenticators:
      anonymous:
        enabled: true
        config:
          subject: guest
      jwt:
        enabled: true
        config:
          jwks_urls:
          - https://${REDACTED}
          trusted_issuers:
          - https://sts.windows.net/${REDACTED}/

rules.json

    [
      {
        "id": "allow-anonymous-with-header-mutator",
        "version": "v0.36.0-beta.4",
        "upstream": {
          "url": "http://localhost:8081/"
        },
        "match": {
          "url": "http://oathkeeper-poc:4455/oauth2/test",
          "methods": [
            "GET"
          ]
        },
        "authenticators": [
          {
            "handler": "anonymous"
          }
        ],
        "authorizer": {
          "handler": "allow"
        },
        "mutators": [
          {
            "handler": "header",
            "config": {
              "headers": {
                "X-User": "{{ print .Subject }}"
              }
            }
          }
        ]
      },
      {
        "id": "allow-oauth2",
        "upstream": {
          "url": "http://localhost:8081/"
        },
        "match": {
          "url": "http://${REDACTED_OTHER_HOST}",
          "methods": [
            "GET"
          ]
        },
        "authenticators": [
          {
            "handler": "jwt",
            "config": {
              "token_from": {
                "header": "X-${REDACTED}"
              }
            }
          }
        ],
        "authorizer": { "handler": "allow" },
        "mutators": [{ "handler": "noop" }]
      }
    ]

Environment

  • oryd/oathkeeper:v0.38.2-beta.1 docker image

Additional context

This report might not be enough to find the issue, but may help corroborate panics other users have.

@aeneasr aeneasr added bug Something is not working. help wanted We are looking for help on this one. labels Jul 21, 2020
@aeneasr
Member

aeneasr commented Jul 21, 2020

Thank you, looking for volunteers to pick this up :)
