~Currently having an issue with the ` printIndex MatchContex Ory Community #talk-oathkeeper

~Currently having an issue with the `{{ printIndex...

dry-apartment-19958

07/22/2022, 4:36 PM

Currently having an issue with the
{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}
as it appears this is handled differently between different urls. I don't understand how this truly works because I don't see any documentation for this templating. <https://api.test.myapp.com/v1/objects/6bff02c6-3314-43e4-aa46-6f866bd3da02>
This url is causing access denied based on the payload I have set for
remote_json

Copy code

payload: |
            {
              "subject_id": "{{ print .Subject }}",
              "namespace": "{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}",
              "object": "{{ printIndex .MatchContext.RegexpCaptureGroups 2 }}",
              "relation": "GET"
            }

~~My understanding is that using that url the payload would become:~~

Copy code

payload: |
            {
              "subject_id": "user1",
              "namespace": "objects",
              "object": "6bff02c6-3314-43e4-aa46-6f866bd3da02",
              "relation": "GET"
            }

~~However, I can't tell what it actually is because there is no logging in keto that gives me this information.~~ ANSWER: Turns out that the

<https://api.test.myapp.com/v1/>

was included in the

match: url

. If you do include it, the first match will technically be the 2nd match because Oathkeeper's Rule excludes the first element when it creates the

RegexpCaptureGroups

. So, my indices should have been

and

. An unfortunate way to test how your regex is performed involves jumping through some hoops: 1. Pull Oathkeeper repo 2.

cd oathkeeper/rule

3. Open

engine_regexp_test.go

4. Change any of the patterns and matchAagainst:

Copy code

pattern:      `<https://api.test.myapp.com/v1/><[a-z-]+>`,
matchAgainst: `<https://api.test.myapp.com/v1/objects>`,

5. Add log

t.Errorf("%v", got)

prior to the error check at the bottom 6. Run

go test -run FindStringSubmatch

and you will see an array of your groups that matched. The first element in that array is

.MatchContext.RegexpCaptureGroups 0

This isn't perfect if you have query params after your url,

?version=1

for example. But, I believe oathkeeper filters those out so you can just run this test without those params.

magnificent-energy-493

07/27/2022, 4:45 PM

Do you think we should document this somewhere? Or maybe in a Github discussion?

5 Views

Open in Slack

Previous Next