-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
--authorization=basic
breaks gzipped request decompression
#6804
Labels
Comments
Ah yep! This looks like a case where the |
philipaconrad
added a commit
to philipaconrad/opa
that referenced
this issue
Jun 17, 2024
This PR fixes an issue where an OPA running authorization policies would be unable to handle gzipped request bodies. Example OPA CLI setup: opa run -s --authorization=basic Example request: echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- http://127.0.0.1:8181/v1/data This would result in unhelpful error messages, like: ```json { "code": "invalid_parameter", "message": "invalid character '\\x1f' looking for beginning of value" } ``` The cause was that the request body handling system in the `server/authorizer` package did not take gzipped payloads into account. The fix was to borrow the gzip request body handling function from `server/server.go`, to transparently decompress the body when needed. Fixes: open-policy-agent#6804 Signed-off-by: Philip Conrad <[email protected]>
1 task
philipaconrad
added a commit
to philipaconrad/opa
that referenced
this issue
Jun 17, 2024
This PR fixes an issue where an OPA running authorization policies would be unable to handle gzipped request bodies. Example OPA CLI setup: opa run -s --authorization=basic Example request: echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- http://127.0.0.1:8181/v1/data This would result in unhelpful error messages, like: ```json { "code": "invalid_parameter", "message": "invalid character '\\x1f' looking for beginning of value" } ``` The cause was that the request body handling system in the `server/authorizer` package did not take gzipped payloads into account. The fix was to borrow the gzip request body handling function from `server/server.go`, to transparently decompress the body when needed. Fixes: open-policy-agent#6804 Signed-off-by: Philip Conrad <[email protected]>
philipaconrad
added a commit
to philipaconrad/opa
that referenced
this issue
Jun 25, 2024
This PR fixes an issue where an OPA running authorization policies would be unable to handle gzipped request bodies. Example OPA CLI setup: opa run -s --authorization=basic Example request: echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- http://127.0.0.1:8181/v1/data This would result in unhelpful error messages, like: ```json { "code": "invalid_parameter", "message": "invalid character '\\x1f' looking for beginning of value" } ``` The cause was that the request body handling system in the `server/authorizer` package did not take gzipped payloads into account. The fix was to borrow the gzip request body handling function from `server/server.go`, to transparently decompress the body when needed. Fixes: open-policy-agent#6804 Signed-off-by: Philip Conrad <[email protected]>
philipaconrad
added a commit
to philipaconrad/opa
that referenced
this issue
Jun 26, 2024
This PR fixes an issue where an OPA running authorization policies would be unable to handle gzipped request bodies. Example OPA CLI setup: opa run -s --authorization=basic Example request: echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- http://127.0.0.1:8181/v1/data This would result in unhelpful error messages, like: ```json { "code": "invalid_parameter", "message": "invalid character '\\x1f' looking for beginning of value" } ``` The cause was that the request body handling system in the `server/authorizer` package did not take gzipped payloads into account. The fix was to borrow the gzip request body handling function from `server/server.go`, to transparently decompress the body when needed. Fixes: open-policy-agent#6804 Signed-off-by: Philip Conrad <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Short description
Issue exists on OPA v0.65.0 and EOPA v1.22.0, although they have different error messages for some reason... 😕
If the
--authorization=basic
flag is passed to anopa run -s
cli command, opa will output an error on receiving a properly gzipped HTTP request with theContent-Encoding: gzip
header.Steps To Reproduce
--authorization=basic
flag, e.g.opa run -s --authorization=basic
.echo -n '{}' | gzip | curl -H "Content-Encoding: gzip" --data-binary @- http://127.0.0.1:8181/v1/data
Or with EOPA:
Expected behavior
In this case, some error about there being no
input
or path after/v1/data
, but with more policies/proper input, there should be no errors; the request should decompress as expected, and the evaluation/response should continue as expected.The text was updated successfully, but these errors were encountered: