Custom response objects for error cases

[gituserjava]

I am writing policies which will return custom responses in error cases. I am trying to return the path in error response but I am getting illegal default rule (value cannot contain ref). Please advise how I can send the path in response in error cases.

package envoy.authz

import input.attributes.request.http as http_request

default allow = {
  "allowed": false,
  "headers": {"x-ext-auth-allow": "no"},
  "body": {
           "message": "Unauthorized Request",
           "path": http_request.path
   },
  "http_status": 301
}

allow = response {
  input.attributes.request.http.method == "GET"
  response := {
    "allowed": true,
    "headers": {"x-ext-auth-allow": "yes"}
  }
}

Input:

{
  "attributes": {
    "request": {
      "http": {
        "method": "GET",
        "path": "/people",
        "headers": {
          "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiZ3Vlc3QiLCJzdWIiOiJZV3hwWTJVPSIsIm5iZiI6MTUxNDg1MTEzOSwiZXhwIjoxNjQxMDgxNTM5fQ.K5DnnbbIOspRbpCr2IKXE9cPVatGOCBrBQobQmBmaeU"
        }
      }
    }
  }
}

[anderseknert]

Since the purpose of the default keyword is to provide a fallback in case of an undefined value, it would be pretty bad if also the fallback was allowed to be undefined. In your case, you could use an else condition, and a default value for the path to make sure something is always returned, even when no input is provided with the request.

package envoy.authz

import input.attributes.request.http as http_request

default request_path = ""
request_path = http_request.path

allow = response {
    input.attributes.request.http.method == "GET"
    response := {
        "allowed": true,
        "headers": {"x-ext-auth-allow": "yes"}
    }
} else = {
    "allowed": false,
    "headers": {"x-ext-auth-allow": "no"},
    "body": {
      "message": "Unauthorized Request",
      "path": request_path
    },
    "http_status": 301
}