Initialization error for input check

[Starry-x]

Short description

When I was upgrading OPA to the version after 0.57.0, the custom input.other_token field in my code stopped working. The input is passed from the request after starting OPA. Now it cannot be started.

Examples:

• Version: all versions after 0.57.0
• Input: {"input": {"other_token": "Bearer xxx"}}
• Policy:

  bearer_token = t {
  v := input.other_token
  startswith(v, "Bearer ")
  t := substring(v, count("Bearer "), -1)
  }

• Error:

  error: initialization error: 1 error occurred: rules/utils/jwt.rego:10: rego_type_error: undefined ref: input.other_token
      input.other_token
            ^
            have: "other_token"
            want (one of): ["body" "client_certificates" "headers" "identity" "method" "params" "path"]

  -->

Expected behavior

OPA can start.

Additional context

I found it can be start by add --skip-known-schema-check, but this is not safe. I wonder if this can be resolved at the code level?

[anderseknert]

Hi there! That schema is only checked for the system.authz package, which is used for authentication/authorization policies protecting OPA's own REST API. Using that package name for other purposes is not recommended, so if that's the case I would suggest renaming it to something else.