My rego policy always returns false

[surikalyani]

This is how I set up OPA in docker

I am trying to validate AWS cognito access token . Its not working , and dont know how to debug or add more logging .

# this policy will be available at /v1/data/example/allow
package example
# import dependencies
import rego.v1
import input.attributes.request.http as http_request
jwks_request(url) = http.send({
    "url": url,
    "method": "GET",
    "force_cache": true,
    "force_cache_duration_seconds": 3600
})
# by default, do not allow access
default allow := false
# The token is verified and valid at the current time.
allow if{

	#read JKWS cert from Token signing key URL
	jwks_cached := jwks_request("https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_XXXXXXX/.well-known/jwks.json").body
	bearer_token := split(input.event.identitySource[0], " ")[1]
    # Verify the signature on the Bearer token.
    io.jwt.decode_verify(bearer_token, jwks_cached)
	# example pattern matches on the result to obtain the JWT payload.
	[_, payload, _] := io.jwt.decode(bearer_token)
}

input.json

{
	"input": {
		"version": "2.0",
		"type": "REQUEST",
		"identitySource": [
			"Bearer eyJraWQiOiIrS0x5K3FqYnpETFUxaHN6NkFTeVhOUFpGajlLOVNGejR2OG9qdThcL1Z4Zz0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI3YzlkOTVlOC0zMDYxLTcwOTUtMDdjMy04NTBlYmQzNjNkYTAiLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuY2EtY2VudHJhbC0xLmFtYXpvbmF3cy5jb21cL2NhLWNlbnRyYWwtMV9VeG54ZUswb0UiLCJjbGllbnRfaWQiOiIyMDhyNGpvY3ZpbGtqOG9jdGFmdDdqaHFlYSIsIm9yaWdpbl9qdGkiOiIyYTJiZjZjOC0xYjZlLTQ0YTYtYTQxZC1hMjhjMWVhYmU1MDciLCJldmVudF9pZCI6ImM0Yzg4MTM5LWYyYzMtNDdlMy04ZGJlLWViMGQ3NzZmMDE1YSIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiYXdzLmNvZ25pdG8uc2lnbmluLnVzZXIuYWRtaW4iLCJhdXRoX3RpbWUiOjE3MjA4MTE4NjksImV4cCI6MTcyMDgxNTQ2OSwiaWF0IjoxNzIwODExODY5LCJqdGkiOiI1Njk5ODliMS0xNWExLTRkYjUtOTIwOC0wOGNlNjY5NzQyMjUiLCJ1c2VybmFtZSI6IjdjOWQ5NWU4LTMwNjEtNzA5NS0wN2MzLTg1MGViZDM2M2RhMCJ9.j9g4ePa5u9YyfzdQaoRdYx-3Yu_3mooTwLUhdR8wzdbseY9p3IFUHMLoMyrXryxBhIq9XlkNRThVthQwO7ie6AxnZjZKocBzbo4oWGiYDf6iCUeifn2PGOw8pTMtDO6OD_otpD64iPUHK52ubK8kwgmoTcPDOtwHKprv01U4eqnGw4Oe77xl18swY8Y1wFjvzwhuJ7PY9SecEHZUDvg-CYfDJPOBPSaRrfLFr0PuE3Dz3EHAZrEgJ29cHiYeQJk7274OhwaxLuxHrPCdVm6eMl5YzspgrLVVUN5j8z-nZ65RoNeMgDlpyYoRf7WV4Dhg4jmKUVzxBLnwcpT7FZoPpQ"
		],
		"routeKey": "PUT /v1/auth/change_password"
}
}

Not sure how to debug why its not working . Do I need to add --authentication=token when I start OPA as service ?

[ashutosh-narkar]

If you provide the policy and data loaded in OPA and the input you use to query OPA, we could help investigate.

[ashutosh-narkar]

Also it is good practice to Unit test your policies.

[surikalyani]

Thanks for reply! I have updated my question

[srenatus]

Your policy says

bearer_token := split(input.event.identitySource[0], " ")[1]

but your input doesn't have "event". I think you could try

bearer_token := split(input.dentitySource[0], " ")[1]

Also, decode_verify already returns the payload, you don't need to decode again after it, see here. This alone should to the trick:

some payload
[true, _, payload] = io.jwt.decode_verify(...)

Also, I don't think passing in your jwks_cached like that is enough. The second argument is a "constraints" object, try using {"cert": jwks_cached} instead.

Unrelated -- if you're not using envoy,

import input.attributes.request.http as http_request

has no effect whatsoever.

[surikalyani]

I think my updated policy is not used by OPA server inside docker . HOw to update policy OPA is using
This is my original rego policy

# import dependencies
import rego.v1

# by default, do not allow access
default allow := false

# allow when a valid JWT is provided, which matches expected client ID
allow if {
	jwt := split(input.event.identitySource[0], " ")[1]
	[_, payload, _] := io.jwt.decode(jwt)

	# @todo: check for expiry, check signature, check user is enabled

	valid := payload.client_id == input.client_id
	token := {"valid": valid, "username": payload.username}

	token.valid
}

This is my updated policy

# this policy will be available at /v1/data/example/allow
package example
# import dependencies
import rego.v1
import input.attributes.request.http as http_request
jwks_request(url) = http.send({
    "url": url,
    "method": "GET",
    "force_cache": true,
    "force_cache_duration_seconds": 3600
})
# by default, do not allow access
default allow := false
# The token is verified and valid at the current time.
allow if{

	#read JKWS cert from Token signing key URL
	jwks_cached := jwks_request("https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_XXXXXXX/.well-known/jwks.json").body
	bearer_token := split(input.event.identitySource[0], " ")[1]
    # Verify the signature on the Bearer token.
    io.jwt.decode_verify(bearer_token, jwks_cached)
	# example pattern matches on the result to obtain the JWT payload.
	[_, payload, _] := io.jwt.decode(bearer_token)
}

[surikalyani]