open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

io.jwt.verify_es*, io.jwt.decode_verify: panic from crypto/elliptic in v0.44.0 (ecdsa) #5218

Closed srenatus closed 2 years ago

srenatus commented 2 years ago

When we upgraded Go to 1.19.1 in v0.44.0, the stdlib code underlying io.jwt.verify_es* (256, 384, 512) and io.jwt.decode_verify for the same algorithms changed. As a consequence, invalid token signatures could make OPA panic.

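Before 0.44.0, such signatures were simply rejected as invalid. With 0.44.0, verifying them panics inside crypto/ecdsa.Verify (called from topdown.verifyECDSA, see the trace below) instead of returning a failed verification.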

See this example (concrete outputs are irrelevant, and I can't share the inputs):

$ opa-0.43.0 eval -fpretty -d mult.rego data.play > /dev/null
$ opa-0.44.0 eval -fpretty -d mult.rego data.play > /dev/null
panic: crypto/elliptic: CombinedMult was called on an invalid point

goroutine 1 [running]:
crypto/elliptic.(*nistCurve[...]).CombinedMult(0x64232f0, 0x413c3d9, 0x563bc00?, {0xc000140420?, 0x1?, 0x20?}, {0xc000140440, 0x20, 0x20})
    /Users/runner/hostedtoolcache/go/1.19.1/x64/src/crypto/elliptic/nistec.go:242 +0x1a7
crypto/ecdsa.verifyGeneric(0xc000455880, {0x5b38cd0, 0x64232f0}, {0xc0001403e0?, 0xc000639e58?, 0x414a485?}, 0xc000639e58?, 0x4010027?)
    /Users/runner/hostedtoolcache/go/1.19.1/x64/src/crypto/ecdsa/ecdsa.go:385 +0x20c
crypto/ecdsa.verify(...)
    /Users/runner/hostedtoolcache/go/1.19.1/x64/src/crypto/ecdsa/ecdsa_noasm.go:20
crypto/ecdsa.Verify(0xc000455880, {0xc0001403e0, 0x20, 0x20}, 0xc000639ea8, 0xc0004558a0)
    /Users/runner/hostedtoolcache/go/1.19.1/x64/src/crypto/ecdsa/ecdsa.go:363 +0x12c
github.com/open-policy-agent/opa/topdown.verifyECDSA({0x56e12e0?, 0xc000455880}, 0x0?, {0xc0001403e0, 0x20, 0x20}, {0xc0001aa480, 0x40, 0x40})
    /Users/runner/work/opa/opa/topdown/tokens.go:795 +0x1c5
github.com/open-policy-agent/opa/topdown.verifyAsymmetric.func1({0x56e12e0, 0xc000455880}, 0x40?, {0xc000180660, 0x55, 0x60}, {0xc0001aa480, 0x40, 0x40})
    /Users/runner/work/opa/opa/topdown/tokens.go:760 +0xfc
github.com/open-policy-agent/opa/topdown.(*tokenConstraints).verify(0xc000040c00, {0x0, 0x0}, {0xc0005d0fe9, 0x5}, {0xc0001ce790?, 0x203000?}, {0xc0001ce7b9, 0x2c}, {0xc0001aa3c0, ...})
    /Users/runner/work/opa/opa/topdown/tokens.go:663 +0x4b2
github.com/open-policy-agent/opa/topdown.builtinJWTDecodeVerify({{0x5b357f0, 0xc0001a4008}, {0x5b3a600, 0xc000455100}, {0x5b2a5c0, 0xc0001ca0a0}, 0xc000019f38, {0x5b2ff30, 0xc0005d080c}, 0xc000122120, ...}, ...)
    /Users/runner/work/opa/opa/topdown/tokens.go:1020 +0x53a
github.com/open-policy-agent/opa/topdown.builtinErrorWrapper.func1({{0x5b357f0, 0xc0001a4008}, {0x5b3a600, 0xc000455100}, {0x5b2a5c0, 0xc0001ca0a0}, 0xc000019f38, {0x5b2ff30, 0xc0005d080c}, 0xc000122120, ...}, ...)
    /Users/runner/work/opa/opa/topdown/builtins.go:127 +0x85
github.com/open-policy-agent/opa/topdown.evalBuiltin.eval({0xc000268600, 0x642fc60, {{0x5b357f0, 0xc0001a4008}, {0x5b3a600, 0xc000455100}, {0x5b2a5c0, 0xc0001ca0a0}, 0xc000019f38, {0x5b2ff30, ...}, ...}, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:1735 +0x624
github.com/open-policy-agent/opa/topdown.(*eval).evalCall(0xc000268600, {0xc000001b90, 0x4, 0x6}, 0xc00001df50)
    /Users/runner/work/opa/opa/topdown/eval.go:816 +0xac5
github.com/open-policy-agent/opa/topdown.(*eval).evalStep(0xc000268600, 0xc0004775c0)
    /Users/runner/work/opa/opa/topdown/eval.go:359 +0x75c
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr(0xc000268600, 0xc00001bc20)
    /Users/runner/work/opa/opa/topdown/eval.go:333 +0xec
github.com/open-policy-agent/opa/topdown.(*eval).next(...)
    /Users/runner/work/opa/opa/topdown/eval.go:165
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr.func1(0xc000268600)
    /Users/runner/work/opa/opa/topdown/eval.go:334 +0x29
github.com/open-policy-agent/opa/topdown.(*eval).evalStep.func1()
    /Users/runner/work/opa/opa/topdown/eval.go:354 +0x39
github.com/open-policy-agent/opa/topdown.(*eval).biunifyValues(0xc000268600, 0xc0000039f8, 0xc000018240, 0xc00001de90, 0xc00001dad0, 0xc00001dda0)
    /Users/runner/work/opa/opa/topdown/eval.go:993 +0x57a
github.com/open-policy-agent/opa/topdown.(*eval).biunify(0xc0005d00a8?, 0xee32768?, 0x28?, 0x6f00108?, 0x30?, 0xc000700000?)
    /Users/runner/work/opa/opa/topdown/eval.go:861 +0x285
github.com/open-policy-agent/opa/topdown.evalTerm.eval({0xc000268600, {0xc000003740, 0x3, 0x3}, 0x3, 0xc00001dad0, 0xc0000039f8, 0xc00001de90, 0xc000018240, 0xc00001dad0}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2918 +0x19a
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.evalTerm({0xc000268600, {0xc000003740, 0x3, 0x3}, {0xc000020348, 0x3, 0x3}, 0x2, 0xc000442f00, 0xc00001dad0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2901 +0xf8
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.evalValueRule.func1(0xc000268c00)
    /Users/runner/work/opa/opa/topdown/eval.go:2788 +0x1ab
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr(0xc000268c00, 0xc000022090)
    /Users/runner/work/opa/opa/topdown/eval.go:308 +0x117
github.com/open-policy-agent/opa/topdown.(*eval).next(...)
    /Users/runner/work/opa/opa/topdown/eval.go:165
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr.func1(0xc000268c00)
    /Users/runner/work/opa/opa/topdown/eval.go:334 +0x29
github.com/open-policy-agent/opa/topdown.(*eval).evalStep.func3()
    /Users/runner/work/opa/opa/topdown/eval.go:376 +0x1aa
github.com/open-policy-agent/opa/topdown.(*eval).biunifyValues(0xc000268c00, 0xc000003a28, 0xc000020468, 0xc00001de90, 0xc00001de90, 0xc00001dec0)
    /Users/runner/work/opa/opa/topdown/eval.go:993 +0x57a
github.com/open-policy-agent/opa/topdown.(*eval).biunify(0xc00063b258?, 0xc00063b170?, 0x4010027?, 0x30?, 0x5712580?, 0xc0003f8301?)
    /Users/runner/work/opa/opa/topdown/eval.go:851 +0x545
github.com/open-policy-agent/opa/topdown.(*eval).unify(0xc0005d0940?, 0xa?, 0xc00063b258?, 0x2?)
    /Users/runner/work/opa/opa/topdown/eval.go:834 +0x26
github.com/open-policy-agent/opa/topdown.(*eval).evalStep(0xc000268c00, 0xc000477570)
    /Users/runner/work/opa/opa/topdown/eval.go:368 +0x4cf
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr(0xc000268c00, 0xc000022090)
    /Users/runner/work/opa/opa/topdown/eval.go:333 +0xec
github.com/open-policy-agent/opa/topdown.(*eval).eval(...)
    /Users/runner/work/opa/opa/topdown/eval.go:295
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.evalValueRule({0xc000268600, {0xc000003740, 0x3, 0x3}, {0xc000020348, 0x3, 0x3}, 0x2, 0xc000442f00, 0xc00001dad0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2772 +0x36b
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.evalValue({0xc000268600, {0xc000003740, 0x3, 0x3}, {0xc000020348, 0x3, 0x3}, 0x2, 0xc000442f00, 0xc00001dad0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2738 +0x1c8
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.eval({0xc000268600, {0xc000003740, 0x3, 0x3}, {0xc000020348, 0x3, 0x3}, 0x2, 0xc000442f00, 0xc00001dad0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2704 +0x225
github.com/open-policy-agent/opa/topdown.evalVirtual.eval({0xc000268600, {0xc000003740, 0x3, 0x3}, {0xc000020348, 0x3, 0x3}, 0x2, 0xc00001dad0, 0xc000018240, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2295 +0x3e5
github.com/open-policy-agent/opa/topdown.evalTree.next({0xc000268600, {0xc000003740, 0x3, 0x3}, {0xc000020348, 0x3, 0x3}, 0x2, 0xc00001dad0, 0xc000018240, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2090 +0x2fd
github.com/open-policy-agent/opa/topdown.evalTree.eval({0xc000268600, {0xc000003740, 0x3, 0x3}, {0xc000020348, 0x3, 0x3}, 0x2, 0xc00001dad0, 0xc000018240, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2043 +0xc5
github.com/open-policy-agent/opa/topdown.evalTree.next({0xc000268600, {0xc000003740, 0x3, 0x3}, {0xc000020348, 0x3, 0x3}, 0x1, 0xc00001dad0, 0xc000018240, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2096 +0x33f
github.com/open-policy-agent/opa/topdown.evalTree.eval({0xc000268600, {0xc000003740, 0x3, 0x3}, {0xc000020348, 0x3, 0x3}, 0x1, 0xc00001dad0, 0xc000018240, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2043 +0xc5
github.com/open-policy-agent/opa/topdown.(*eval).biunifyRef(0xc000268600, 0x5b37840?, 0xc000018240, 0xc00001dad0, 0xc00001dad0, 0x43391af?)
    /Users/runner/work/opa/opa/topdown/eval.go:1030 +0x425
github.com/open-policy-agent/opa/topdown.(*eval).biunifyValues(0xc000268600, 0xc000018240, 0xc000003d10, 0xc00001dad0, 0xc00001dad0, 0xc00001dda0)
    /Users/runner/work/opa/opa/topdown/eval.go:957 +0x1e6
github.com/open-policy-agent/opa/topdown.(*eval).biunify(0x0?, 0xc00063bdd8?, 0x4010027?, 0x28?, 0x56fd980?, 0x1?)
    /Users/runner/work/opa/opa/topdown/eval.go:842 +0x5a8
github.com/open-policy-agent/opa/topdown.(*eval).unify(0x5?, 0x0?, 0x0?, 0x4?)
    /Users/runner/work/opa/opa/topdown/eval.go:834 +0x26
github.com/open-policy-agent/opa/topdown.(*eval).evalStep(0xc000268600, 0xc000477550)
    /Users/runner/work/opa/opa/topdown/eval.go:352 +0x6a5
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr(0xc000268600, 0xc00001bc20)
    /Users/runner/work/opa/opa/topdown/eval.go:333 +0xec
github.com/open-policy-agent/opa/topdown.(*eval).next(...)
    /Users/runner/work/opa/opa/topdown/eval.go:165
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr.func1(0xc000268600)
    /Users/runner/work/opa/opa/topdown/eval.go:334 +0x29
github.com/open-policy-agent/opa/topdown.(*eval).evalStep.func1()
    /Users/runner/work/opa/opa/topdown/eval.go:354 +0x39
github.com/open-policy-agent/opa/topdown.(*eval).biunifyValues(0xc000268600, 0xc000003a88, 0xc000018198, 0xc00001dc20, 0xc00001dad0, 0xc00001db30)
    /Users/runner/work/opa/opa/topdown/eval.go:993 +0x57a
github.com/open-policy-agent/opa/topdown.(*eval).biunify(0x6f00108?, 0x90?, 0xc000700000?, 0xc00001bef0?, 0x0?, 0xc000700000?)
    /Users/runner/work/opa/opa/topdown/eval.go:861 +0x285
github.com/open-policy-agent/opa/topdown.evalTerm.eval({0xc000268600, {0xc0000131a0, 0x3, 0x3}, 0x3, 0xc00001dad0, 0xc000003a88, 0xc00001dc20, 0xc000018198, 0xc00001dad0}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2918 +0x19a
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.evalTerm({0xc000268600, {0xc0000131a0, 0x3, 0x3}, {0xc000020210, 0x3, 0x3}, 0x2, 0xc000442e80, 0xc00001dad0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2901 +0xf8
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.evalValueRule.func1(0xc000268800)
    /Users/runner/work/opa/opa/topdown/eval.go:2788 +0x1ab
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr(0xc000268800, 0xc00001bd40)
    /Users/runner/work/opa/opa/topdown/eval.go:308 +0x117
github.com/open-policy-agent/opa/topdown.(*eval).next(...)
    /Users/runner/work/opa/opa/topdown/eval.go:165
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr.func1(0xc000268800)
    /Users/runner/work/opa/opa/topdown/eval.go:334 +0x29
github.com/open-policy-agent/opa/topdown.(*eval).evalStep.func3()
    /Users/runner/work/opa/opa/topdown/eval.go:376 +0x1aa
github.com/open-policy-agent/opa/topdown.(*eval).biunifyValues(0xc000268800, 0xc000003ab8, 0xc000020330, 0xc00001dc20, 0xc00001dc20, 0xc00001dc50)
    /Users/runner/work/opa/opa/topdown/eval.go:993 +0x57a
github.com/open-policy-agent/opa/topdown.(*eval).biunify(0xc00063c6d8?, 0xc00063c5f0?, 0x4010027?, 0x30?, 0x5712580?, 0xc0003f8301?)
    /Users/runner/work/opa/opa/topdown/eval.go:851 +0x545
github.com/open-policy-agent/opa/topdown.(*eval).unify(0xc0005d08e0?, 0xa?, 0xc00063c6d8?, 0x2?)
    /Users/runner/work/opa/opa/topdown/eval.go:834 +0x26
github.com/open-policy-agent/opa/topdown.(*eval).evalStep(0xc000268800, 0xc0004774e0)
    /Users/runner/work/opa/opa/topdown/eval.go:368 +0x4cf
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr(0xc000268800, 0xc00001bd40)
    /Users/runner/work/opa/opa/topdown/eval.go:333 +0xec
github.com/open-policy-agent/opa/topdown.(*eval).eval(...)
    /Users/runner/work/opa/opa/topdown/eval.go:295
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.evalValueRule({0xc000268600, {0xc0000131a0, 0x3, 0x3}, {0xc000020210, 0x3, 0x3}, 0x2, 0xc000442e80, 0xc00001dad0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2772 +0x36b
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.evalValue({0xc000268600, {0xc0000131a0, 0x3, 0x3}, {0xc000020210, 0x3, 0x3}, 0x2, 0xc000442e80, 0xc00001dad0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2738 +0x1c8
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.eval({0xc000268600, {0xc0000131a0, 0x3, 0x3}, {0xc000020210, 0x3, 0x3}, 0x2, 0xc000442e80, 0xc00001dad0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2704 +0x225
github.com/open-policy-agent/opa/topdown.evalVirtual.eval({0xc000268600, {0xc0000131a0, 0x3, 0x3}, {0xc000020210, 0x3, 0x3}, 0x2, 0xc00001dad0, 0xc000018198, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2295 +0x3e5
github.com/open-policy-agent/opa/topdown.evalTree.next({0xc000268600, {0xc0000131a0, 0x3, 0x3}, {0xc000020210, 0x3, 0x3}, 0x2, 0xc00001dad0, 0xc000018198, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2090 +0x2fd
github.com/open-policy-agent/opa/topdown.evalTree.eval({0xc000268600, {0xc0000131a0, 0x3, 0x3}, {0xc000020210, 0x3, 0x3}, 0x2, 0xc00001dad0, 0xc000018198, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2043 +0xc5
github.com/open-policy-agent/opa/topdown.evalTree.next({0xc000268600, {0xc0000131a0, 0x3, 0x3}, {0xc000020210, 0x3, 0x3}, 0x1, 0xc00001dad0, 0xc000018198, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2096 +0x33f
github.com/open-policy-agent/opa/topdown.evalTree.eval({0xc000268600, {0xc0000131a0, 0x3, 0x3}, {0xc000020210, 0x3, 0x3}, 0x1, 0xc00001dad0, 0xc000018198, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2043 +0xc5
github.com/open-policy-agent/opa/topdown.(*eval).biunifyRef(0xc000268600, 0x5b37840?, 0xc000018198, 0xc00001dad0, 0xc00001dad0, 0x447299d?)
    /Users/runner/work/opa/opa/topdown/eval.go:1030 +0x425
github.com/open-policy-agent/opa/topdown.(*eval).biunifyValues(0xc000268600, 0xc000018198, 0xc000003c68, 0xc00001dad0, 0xc00001dad0, 0xc00001db30)
    /Users/runner/work/opa/opa/topdown/eval.go:957 +0x1e6
github.com/open-policy-agent/opa/topdown.(*eval).biunify(0xc000270300?, 0xc00063d258?, 0x4010027?, 0x28?, 0x56fd980?, 0x400da01?)
    /Users/runner/work/opa/opa/topdown/eval.go:842 +0x5a8
github.com/open-policy-agent/opa/topdown.(*eval).unify(0x400fc01?, 0x63d36a8?, 0xc00063d340?, 0x451383b?)
    /Users/runner/work/opa/opa/topdown/eval.go:834 +0x26
github.com/open-policy-agent/opa/topdown.(*eval).evalStep(0xc000268600, 0xc0004774c0)
    /Users/runner/work/opa/opa/topdown/eval.go:352 +0x6a5
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr(0xc000268600, 0xc00001bc20)
    /Users/runner/work/opa/opa/topdown/eval.go:333 +0xec
github.com/open-policy-agent/opa/topdown.(*eval).next(...)
    /Users/runner/work/opa/opa/topdown/eval.go:165
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr.func1(0xc000268600)
    /Users/runner/work/opa/opa/topdown/eval.go:334 +0x29
github.com/open-policy-agent/opa/topdown.(*eval).evalStep.func3()
    /Users/runner/work/opa/opa/topdown/eval.go:376 +0x1aa
github.com/open-policy-agent/opa/topdown.(*eval).biunifyValues(0xc000268600, 0xc000003b48, 0xc0000201f8, 0xc00001dad0, 0xc00001dad0, 0xc00001db00)
    /Users/runner/work/opa/opa/topdown/eval.go:993 +0x57a
github.com/open-policy-agent/opa/topdown.(*eval).biunify(0xc00063d750?, 0xc00063d668?, 0x4010027?, 0x30?, 0x5712580?, 0xc0003f8301?)
    /Users/runner/work/opa/opa/topdown/eval.go:851 +0x545
github.com/open-policy-agent/opa/topdown.(*eval).unify(0xc0005d0880?, 0xa?, 0xc00063d750?, 0x2?)
    /Users/runner/work/opa/opa/topdown/eval.go:834 +0x26
github.com/open-policy-agent/opa/topdown.(*eval).evalStep(0xc000268600, 0xc000477480)
    /Users/runner/work/opa/opa/topdown/eval.go:368 +0x4cf
github.com/open-policy-agent/opa/topdown.(*eval).evalExpr(0xc000268600, 0xc00001bc20)
    /Users/runner/work/opa/opa/topdown/eval.go:333 +0xec
github.com/open-policy-agent/opa/topdown.(*eval).eval(...)
    /Users/runner/work/opa/opa/topdown/eval.go:295
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.evalValueRule({0xc000268000, {0xc0004551a0, 0x3, 0x4}, {0xc0000200d8, 0x3, 0x3}, 0x2, 0xc000442d40, 0xc00001d860, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2772 +0x36b
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.evalValue({0xc000268000, {0xc0004551a0, 0x3, 0x4}, {0xc0000200d8, 0x3, 0x3}, 0x2, 0xc000442d40, 0xc00001d860, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2738 +0x1c8
github.com/open-policy-agent/opa/topdown.evalVirtualComplete.eval({0xc000268000, {0xc0004551a0, 0x3, 0x4}, {0xc0000200d8, 0x3, 0x3}, 0x2, 0xc000442d40, 0xc00001d860, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2704 +0x225
github.com/open-policy-agent/opa/topdown.evalVirtual.eval({0xc000268000, {0xc0004551a0, 0x3, 0x4}, {0xc0000200d8, 0x3, 0x3}, 0x2, 0xc00001d860, 0xc000020090, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2295 +0x3e5
github.com/open-policy-agent/opa/topdown.evalTree.next({0xc000268000, {0xc0004551a0, 0x3, 0x4}, {0xc0000200d8, 0x3, 0x3}, 0x2, 0xc00001d860, 0xc000020090, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2090 +0x2fd
github.com/open-policy-agent/opa/topdown.evalTree.eval({0xc000268000, {0xc0004551a0, 0x3, 0x4}, {0xc0000200d8, 0x3, 0x3}, 0x2, 0xc00001d860, 0xc000020090, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2043 +0xc5
github.com/open-policy-agent/opa/topdown.evalTree.next({0xc000268000, {0xc0004551a0, 0x3, 0x4}, {0xc0000200d8, 0x3, 0x3}, 0x1, 0xc00001d860, 0xc000020090, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2096 +0x33f
github.com/open-policy-agent/opa/topdown.evalTree.eval({0xc000268000, {0xc0004551a0, 0x3, 0x4}, {0xc0000200d8, 0x3, 0x3}, 0x1, 0xc00001d860, 0xc000020090, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2043 +0xc5
github.com/open-policy-agent/opa/topdown.(*eval).biunifyRef(0xc000268000, 0x5b37840?, 0xc000020090, 0xc00001d860, 0xc00001d860, 0x203000?)
    /Users/runner/work/opa/opa/topdown/eval.go:1030 +0x425
github.com/open-policy-agent/opa/topdown.(*eval).biunifyValues(0xc000268000, 0xc0000200c0, 0xc000020090, 0xc00001d860, 0xc00001d860, 0xc000054400)
    /Users/runner/work/opa/opa/topdown/eval.go:946 +0x112
github.com/open-policy-agent/opa/topdown.(*eval).biunify(0xc0004551a0?, 0x3?, 0x4?, 0x2?, 0x2?, 0xc00063e340?)
    /Users/runner/work/opa/opa/topdown/eval.go:842 +0x5a8
github.com/open-policy-agent/opa/topdown.(*eval).unify(...)
    /Users/runner/work/opa/opa/topdown/eval.go:834
github.com/open-policy-agent/opa/topdown.evalTree.leaves({0xc000268000, {0xc000476f90, 0x2, 0x2}, {0xc0004773e0, 0x2, 0x2}, 0x2, 0xc00001d860, 0xc000019ce0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2211 +0x550
github.com/open-policy-agent/opa/topdown.evalTree.extent({0xc000268000, {0xc000476f90, 0x2, 0x2}, {0xc0004773e0, 0x2, 0x2}, 0x2, 0xc00001d860, 0xc000019ce0, ...})
    /Users/runner/work/opa/opa/topdown/eval.go:2165 +0xe5
github.com/open-policy-agent/opa/topdown.evalTree.finish({0xc000268000, {0xc000476f90, 0x2, 0x2}, {0xc0004773e0, 0x2, 0x2}, 0x2, 0xc00001d860, 0xc000019ce0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2060 +0x145
github.com/open-policy-agent/opa/topdown.evalTree.eval({0xc000268000, {0xc000476f90, 0x2, 0x2}, {0xc0004773e0, 0x2, 0x2}, 0x2, 0xc00001d860, 0xc000019ce0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2037 +0x138
github.com/open-policy-agent/opa/topdown.evalTree.next({0xc000268000, {0xc000476f90, 0x2, 0x2}, {0xc0004773e0, 0x2, 0x2}, 0x1, 0xc00001d860, 0xc000019ce0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2096 +0x33f
github.com/open-policy-agent/opa/topdown.evalTree.eval({0xc000268000, {0xc000476f90, 0x2, 0x2}, {0xc0004773e0, 0x2, 0x2}, 0x1, 0xc00001d860, 0xc000019ce0, ...}, ...)
    /Users/runner/work/opa/opa/topdown/eval.go:2043 +0xc5
github.com/open-policy-agent/opa/topdown.(*eval).biunifyRef(0xc000268000, 0x5b37840?, 0xc000019ce0, 0xc00001d860, 0xc00001d860, 0x0?)
    /Users/runner/work/opa/opa/topdown/eval.go:1030 +0x425
github.com/open-policy-agent/opa/topdown.(*eval).biunifyValues(0xc000268000, 0xc000019cc8, 0xc000019ce0, 0xc00001d860, 0xc00001d860, 0xc00001d980)
    /Users/runner/work/opa/opa/topdown/eval.go:946 +0x112
github.com/open-policy-agent/opa/topdown.(*eval).biunify(0xe901000?, 0xc00063eac8?, 0x4010027?, 0x28?, 0x56fd980?, 0x401?)
    /Users/runner/work/opa/opa/topdown/eval.go:842 +0x5a8
github.com/open-policy-agent/opa/topdown.(*eval).unify(0xeafffff?, 0xe901100?, 0xe901000?, 0xc00063eb38?)
    /Users/runner/work/opa/opa/topdown/eval.go:834 +0x26

ℹ️ This issue is for visibility. It has been fixed in #5214. With the fix, OPA goes back to the previous behaviour: such signatures are simply treated as invalid.

srenatus commented 2 years ago

The fix will be shipped with v0.45.0.