ERROR PROXY SYSTEM CANT BE USED

[SoufianLabed]

Hello,

I'm following this tutorial in docker env : https://docs.opal.ac/getting-started/quickstart/opal-playground/publishing-data-update

Once i run the command below, opal try a get request on https://api.country.is/23.54.6.78

"curl -w '\n' --request POST 'http://localhost:8181/v1/data/app/rbac/allow'
--header 'Content-Type: application/json'
--data-raw '{"input": {"user": "bob", "action": "read", "object": "id123", "type": "finance"}}'"

An error occurs : Cannot connect to host api.country.is:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')]

After investigating, i found that the error is from aiohttp who doesn't use the proxy system cause in some files the aiohttp client session is not instancied with trust_env=true parameter who allows to use system proxy. (exemple : /opal_client/policy_store/opa_client.py)

Is there any way to use opa-client behind a proxy or am I wrong on something I did ?

Thanks for your help.

OPAL version

• Version: [0.7.15]

[maya-barak]

Hey @SoufianLabed :)
We will take a look and get back to you.

[danyi1212]

Hey @SoufianLabed , thank you for sharing that 🌟
The is certainly something we could add to OPAL, to support going though proxy for outbound requests.

As you've mentioned, we are using aiohttp inside OPAL. Looking at the documentation for configuring a proxy, which could be done either explicitly, or using trust_env=True to receive the proxy configuration from Environment Variables urllib.request.getproxies().

This feature could be enabled by a configuration for OPAL to set up a proxy for outbound requests. Though, that should be done individually for each component of OPAL - the OPA Engine (like the one you've requested), Policy Store, Data Sources, etc.

Considering OPAL is usually run inside a Docker container, configuring the proxy at the container level might be trickier, so I would opt to add an explicit with a configuration like OPAL_POLICY_STORE_PROXY_URL="http://my-proxy.example.com/", right after OPAL_POLICY_STORE_URL. This config later can be used to set proxy=opal_client_config.OPAL_POLICY_STORE_PROXY_URL inside the opa_client.py when opening the session.

Would you like to contribute that as a PR adding this capability?
We appreciate it a lot and would gladly help you implementing it 🙂 💎

[SoufianLabed]

Hey,

Thanks for your answer,

I have two questions :

• is there any workaround ?
• What's the plan for this PR, create the variable in the config file and use it (if present) everywhere ClientSession is instancied ?

Thanks

Soufian

[danyi1212]

1. As a workaround - I can't think of a way to configure it to use a forward proxy, other than explicitly configuring it for aiohttp. It might be worth consulting with ChatGPT or similar about quick alternatives.

2. Yes, it should be a dedicated configuration for each component in OPAL. AFAIK you may want to configure different proxy each component. For example, the Policy Store accessing GitHub uses proxy-x and the Data Fetcher uses a different proxy-y accessing the data API.

Let me know what you think 🌟