CheckPermissionError not raised properly in check permission #26
Description
In OpaClient class in the check_permission method, if a rule is not found in that policy the program will try to raise a CheckPermissionError, however this class expects two arguments: expression, message. This results in a TypeError due to the lack of the expression param.
rules = [rule.get("head", {}).get("name") for rule in ast.get("rules", [])]
if rule_name not in rules:
raise CheckPermissionError(
f"Rule '{rule_name}' not found in policy '{policy_name}'"
)If you manually run a policy with a non-existing rule, like this (extracted from OpaClient):
url = f"{self.root_url}/{package_path}/{rule_name}"
if query_params:
url = f"{url}?{urlencode(query_params)}"
response = self._session.post(
url, json={"input": input_data}, timeout=self.timeout
)
response.raise_for_status()
return response.json()The response will be a 200 (weird) and response.json will be an empty dict.
Since OPA does not treat missing rules properly, there is no error code (a.k.a. expression) for that, unlike missing policies, which return resource_not_found. The client should probably return the same error code to stay consistent with OPA.