search

confidential-containers / trustee

Attestation and Secret Delivery Components
Apache License 2.0
56 stars 81 forks source link

KBS: Be more tolerant to policy rego files #367

Open davidhadas opened 4 months ago

davidhadas commented 4 months ago

KBC fails to set policy in KBS and AS unless the rego file ends with an empty line. Either make the code more tolerant or make it clear in docuemtation.

Example:

$ cat -n allow_all.rego
     1
     2  package policy
     3
     4  default allow = true

$ cat -n allow_all_modified.rego
     1
     2  package policy
     3
     4  default allow = true
     5

$ kbs-client --url "http://192.168.122.182:30713" config --auth-private-key ./privateKey set-resource-policy --policy-file allow_all.rego
Error: Request Failed, Response: "{\"type\":\"https://github.com/confidential-containers/kbs/errors/PolicyEndpoint\",\"detail\":\"Policy error: Set policy error Base64 decode OPA policy string failed: InvalidPadding\"}"

$ kbs-client --url "http://192.168.122.182:30713" config --auth-private-key ./privateKey set-resource-policy --policy-file allow_all_modified.rego
Set resource policy success
 policy: CnBhY2thZ2UgcG9saWN5CgpkZWZhdWx0IGFsbG93ID0gdHJ1ZQoK

same issue with set-attestation-policy

Xynnn007 commented 4 months ago

cc @jialez0 this might be related to encoding things

fitzthum commented 4 months ago

Duplicate of https://github.com/confidential-containers/trustee/issues/281

https://github.com/confidential-containers/trustee/pull/357 might help with this (note that we add a test for a policy with extra lines) but this issue might happen before we actually get to the OPA module and that PR will only fix the resource policy not the attestation one.

Either way, maybe we should close this and discuss on the existing issue.