Policy under System.Authz not executing

[vagrawal-nc]

Hello,

We are facing one issue in System.Authz. As per our understanding, whatever policy is written under this package “System.Authz” should always be executed before any specific policy invocation. However it is not getting executed and it getting skipped. Policy is shown below:

When allow = false still rest of the policies are returning the response which should not be as certificate validation = false.

We have provide our rego during statup as : run --server --log-level debug --set=decision_logs.console=true check.rego . There is no issue during startup OPA server.

We have followed the example given on OPA documentation - https://www.openpolicyagent.org/docs/latest/security/#tls-based-authentication-example. The only change is, we have not supplied the certificate during startup instead passing in request body under input attribute like input.certificate =

Our question is:
• Does it work only when OPA starts with Authentication as given in above example or it will work without authentication enabled during startup ?
• Does above policy require any changes.

Thanks

[srenatus]

Heya! It's a bit hard to help when it would require that someone types your policy from the screenshot. Would you be able to copy the code instead?

That said, one thing stands out:

import data.strings

This is not necessary to use the strings.X builtins. They are available without any extra imports.

Also you can try on your CLI if the parse_certificate call gives you what you'd expect:

cat file.pem | opa eval --stdin-input --format=pretty 'crypto.x509.parse_certificates(input)

[vagrawal-nc]

Hi @srenatus - Thanks for your response. Apologies, I have copied my rego policy below now.

Everything works fine when I call the policy directly and pass the input like as below. There is no issue in Policy or the outcome.
{
"input": {
"certificate": ""
}
}

The only doubt I have is, since Check.Rego was used during the OPA startup then will it be executed every time whenever a specific policy will be called before and denied the response unless it matches the condition "certificate[0].Subject.CommonName == "XXXXX"" in other policy execution. Currently when calling any policy then it is returning the response even though no certificate was sent over the request. I was expecting since we have Check.Rego in place, it should have denied immediately.

Check.Rego:

package system.authz

import future.keywords.if
import future.keywords.in

default allow := {
"allowed": false,
"reason": "Access denied: unknown caller"}

allow := {"allowed": true} if {
certificate = crypto.x509.parse_certificates(input.certificate)
certificate[0].Subject.CommonName == "XXXXX"
} else := {
"allowed": false,
"reason": "Invalid Certificate",
}

Thanks,

[anderseknert]

We have provide our rego during statup as:

run --server --log-level debug --set=decision_logs.console=true check.rego

You're not activating the authz handler unless you provide the --authentication/--authorization flags.

[vagrawal-nc]

Thanks @anderseknert for your quick response.