Fix OPA result response handling (#7763)

Also update the document with updated rego policy and updated OPA agent REST API. This PR is to fix a regression caused by PR #7637
6 years ago · 002a205c9c
parent 91ceae23d0
commit 002a205c9c
4 changed files with 43 additions and 17 deletions
--- a/docs/sts/docker-compose.yml
+++ b/docs/sts/docker-compose.yml
@ -1,7 +1,7 @@
 version: '2'
 services:
  opa:
-    image: openpolicyagent/opa:0.9.1
+    image: openpolicyagent/opa:0.11.0
    ports:
      - 8181:8181
    command:
--- a/docs/sts/opa.md
+++ b/docs/sts/opa.md
@ -15,7 +15,7 @@ cat >docker-compose.yml <<EOF
 version: '2'
 services:
  opa:
-    image: openpolicyagent/opa:0.9.1
+    image: openpolicyagent/opa:0.11.0
    ports:
      - 8181:8181
    command:
@ -45,11 +45,12 @@ package httpapi.authz

 import input as http_api

-allow {
- input.action = "s3:PutObject"
- input.owner = false
-}
+default allow = false

+allow = true {
+ http_api.action = "s3:PutObject"
+ http_api.owner = false
+}
 EOF
 ```

@ -62,7 +63,7 @@ curl -X PUT --data-binary @putobject.rego \
 ### 4. Setup MinIO with OPA
 MinIO server expects environment variable for OPA http API url as `MINIO_IAM_OPA_URL`, this environment variable takes a single entry.
 ```
-export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz
+export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz/allow
 minio server /mnt/data
 ```

--- a/docs/sts/putobject.rego
+++ b/docs/sts/putobject.rego
@ -2,7 +2,9 @@ package httpapi.authz

 import input as http_api

-allow {
- input.action = "s3:PutObject"
- input.owner = false
+default allow = false
+
+allow = true {
+ http_api.action = "s3:PutObject"
+ http_api.owner = false
 }
--- a/pkg/iam/policy/opa.go
+++ b/pkg/iam/policy/opa.go
@ -20,6 +20,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"os"

@ -121,14 +122,36 @@ func (o *Opa) IsAllowed(args Args) bool {
 	}
 	defer o.args.CloseRespFn(resp.Body)

-	// Handle OPA response
-	type opaResponse struct {
-		Allow bool `json:"allow"`
-	}
-	var result opaResponse
-	if err = json.NewDecoder(resp.Body).Decode(&result); err != nil {
+	// Read the body to be saved later.
+	opaRespBytes, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
 		return false
 	}

-	return result.Allow
+	// Handle large OPA responses when OPA URL is of
+	// form http://localhost:8181/v1/data/httpapi/authz
+	type opaResultAllow struct {
+		Result struct {
+			Allow bool `json:"allow"`
+		} `json:"result"`
+	}
+
+	// Handle simpler OPA responses when OPA URL is of
+	// form http://localhost:8181/v1/data/httpapi/authz/allow
+	type opaResult struct {
+		Result bool `json:"result"`
+	}
+
+	respBody := bytes.NewReader(opaRespBytes)
+
+	var result opaResult
+	if err = json.NewDecoder(respBody).Decode(&result); err != nil {
+		respBody.Seek(0, 0)
+		var resultAllow opaResultAllow
+		if err = json.NewDecoder(respBody).Decode(&resultAllow); err != nil {
+			return false
+		}
+		return resultAllow.Result.Allow
+	}
+	return result.Result
 }