How to make opa-envoy-plugin return different status code (401/403)

[27149chen]

opa-envoy-plugin extends OPA with a gRPC server, and it always returns 403 for all denied requests. But opa can be used for both authentication and authorization, I want to return 401 when authentication is failed, is the opa-envoy-plugin able to do that?

[srenatus]

The policy primer docs for envoy have an example of an object response. I would think that you can make use of that, see this sketch:

package envoy.authz

default response = {
  "allowed": false,
  "body": "Unauthorized Request",
  "http_status": 403
}

response = r {
  not is_authenticated
  r := {
    "allowed": false,
    "http_status": 401
  }
}

where is_authenticated is the rule in which you establish authentication.

Note that the query path for this example is envoy/authz/response -- I've always found allow for an object response slightly off the mark.

[27149chen]

@srenatus , there are several ways to implement it in opa, but now the problem is in opa-envoy-plugin, the grpc wrapper. It just checks the "allow" path (a boolean value), and make the decision, see the code below:

allowed, err := result.IsAllowed()
if err != nil {
    return nil, stop, errors.Wrap(err, "failed to get response status")
}

status := int32(code.Code_PERMISSION_DENIED)
if allowed {
    status = int32(code.Code_OK)
}
resp.Status = &rpc_status.Status{Code: status}

[srenatus]

Hrm. The docs link was to the subsection focusing on opa-envoy-plugin, we had moved that section from the project README into the main docs at some point.

Please have a look at the code below your snippet: https://github.com/open-policy-agent/opa-envoy-plugin/blob/67d0a80f1611672e4c942860f568c3298d534b0a/internal/internal.go#L339-L373 -- for object responses the response status is going to be overwritten based on the result object, as documented.

			httpStatus, err := result.GetResponseEnvoyHTTPStatus()
			if err != nil {
				return nil, stop, errors.Wrap(err, "failed to get response http status")
			}

			deniedResponse := &ext_authz_v3.DeniedHttpResponse{
				Headers: responseHeaders,
				Body:    body,
				Status:  httpStatus,
			}

			resp.HttpResponse = &ext_authz_v3.CheckResponse_DeniedResponse{
				DeniedResponse: deniedResponse,
			}

Please share your policy and config and we can see what's going wrong. This should "just work".

[27149chen]

@srenatus oh, sorry, I missed this piece of code... I checked, it works! thank you very much.
btw, I can not find any docs for it, can you forward to me?

[srenatus]

The original link I've shown is about the plug-in and its object response: https://www.openpolicyagent.org/docs/latest/envoy-primer/#example-policy-with-object-response