KBS: Be more tolerant to policy rego files #367

Open
davidhadas opened this issue Apr 16, 2024 · 2 comments

@davidhadas
Member

KBC fails to set policy in KBS and AS unless the rego file ends with an empty line.
Either make the code more tolerant or make it clear in documentation.

Example:

$ cat -n allow_all.rego
     1
     2	package policy
     3
     4	default allow = true

$ cat -n allow_all_modified.rego
     1
     2	package policy
     3
     4	default allow = true
     5

$ kbs-client --url "http://192.168.122.182:30713" config --auth-private-key ./privateKey set-resource-policy --policy-file allow_all.rego
Error: Request Failed, Response: "{\"type\":\"https://github.com/confidential-containers/kbs/errors/PolicyEndpoint\",\"detail\":\"Policy error: Set policy error Base64 decode OPA policy string failed: InvalidPadding\"}"

$ kbs-client --url "http://192.168.122.182:30713" config --auth-private-key ./privateKey set-resource-policy --policy-file allow_all_modified.rego
Set resource policy success
 policy: CnBhY2thZ2UgcG9saWN5CgpkZWZhdWx0IGFsbG93ID0gdHJ1ZQoK

Same issue with set-attestation-policy.

@Xynnn007
Member

cc @jialez0 this might be related to encoding things

@fitzthum
Member

Duplicate of #281

#357 might help with this (note that we add a test for a policy with extra lines), but this issue might happen before we actually get to the OPA module, and that PR will only fix the resource policy, not the attestation one.

Either way, maybe we should close this and discuss on the existing issue.
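
An added illustration, not code from KBS or from any commenter: the accepted file in the report is 39 bytes, a multiple of 3, so its base64 form needs no `=` padding, while the rejected file is not. The sketch models one way that produces `InvalidPadding`, and a decoder that accepts both forms while still rejecting malformed input. Assumptions: the rejected file ends with a single newline after line 4, the sender strips padding and the receiver requires it (the mismatch could equally run the other way), and all function names are hypothetical.

```python
import base64
import string

# Constructed from the `cat -n` listings in the report.
ORIGINAL = b"\npackage policy\n\ndefault allow = true\n"  # 38 bytes
MODIFIED = ORIGINAL + b"\n"                               # 39 bytes

URLSAFE_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def encode_no_pad(data: bytes) -> str:
    """Hypothetical sender: URL-safe base64 with '=' padding stripped."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_strict(text: str) -> bytes:
    """Hypothetical receiver that insists on canonical padding."""
    if len(text) % 4 != 0:
        raise ValueError("InvalidPadding")
    return base64.urlsafe_b64decode(text)


def decode_tolerant(text: str) -> bytes:
    """Accept padded or unpadded input; reject anything else."""
    body = text.rstrip("=")
    pad = len(text) - len(body)
    if pad > 2 or (pad and len(text) % 4 != 0) or len(body) % 4 == 1:
        raise ValueError("malformed base64 length or padding")
    if not set(body) <= URLSAFE_ALPHABET:
        # b64decode silently drops unknown characters, so check explicitly.
        raise ValueError("character outside the URL-safe alphabet")
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))


def strict_accepts(data: bytes) -> bool:
    """True when the strict receiver decodes what the sender produced."""
    try:
        return decode_strict(encode_no_pad(data)) == data
    except ValueError:
        return False


if __name__ == "__main__":
    for name, data in (("allow_all", ORIGINAL), ("allow_all_modified", MODIFIED)):
        print(name, len(data), "bytes, strict:", strict_accepts(data),
              "tolerant:", decode_tolerant(encode_no_pad(data)) == data)
```

Under these assumptions any policy whose byte length is not a multiple of 3 is rejected, so the trailing empty line only helps by coincidence of length.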
