
Heimdall fails to start when configuration happens via environment variables #769

Closed
3 tasks done
dadrus opened this issue Jul 19, 2023 · 2 comments · Fixed by #768
Labels
bug Something isn't working

Comments

@dadrus
Owner

dadrus commented Jul 19, 2023

Preflight checklist

  • I agree to follow this project's Code of Conduct.
  • I have read and am following this repository's Contribution Guidelines.
  • I could not find a solution in the existing issues, docs, nor discussions.

Describe the bug

When using environment variables to configure mechanisms to be used by heimdall, it fails to start.

In the given case it is the setting of the HEIMDALLCFG_RULES_MECHANISMS_AUTHENTICATORS_2_CONFIG_IDENTITY_INFO_ENDPOINT=http://kratos/sessions/whoami environment variable which leads to the log output provided below.

How can the bug be reproduced

Create a minimal config file with the rules section from below and start heimdall with e.g.

$ HEIMDALLCFG_RULES_MECHANISMS_AUTHENTICATORS_2_CONFIG_IDENTITY_INFO_ENDPOINT=http://kratos/sessions/whoami heimdall -c <path to the config file> serve decision

Relevant log output

configuration error: jsonschema: '/rules/mechanisms/authenticators/2/config/subject' does not validate with file:///heimdall/config.schema.json#/properties/rules/properties/mechanisms/$ref/properties/authenticators/items/anyOf/0/$ref/properties/config/properties/subject/type: expected string, but got object

Relevant configuration

rules:
  mechanisms:
    authenticators:
      - id: anonymous_authenticator
        type: anonymous
      - id: noop
        type: noop
      - id: kratos_session_cookie
        type: generic
        config:
          authentication_data_source:
            - cookie: ory_kratos_session
          forward_cookies:
            - ory_kratos_session
          subject:
            id: "identity.id"
          cache_ttl: 5m
          session_lifespan:
            active: active
            issued_at: issued_at
            not_before: authenticated_at
            not_after: expires_at
            time_format: "2006-01-02T15:04:05.999999Z07"
            validity_leeway: 10s

Version

v0.10.1-alpha

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Binary

Additional Context

This issue has been discussed in Discord

@dadrus dadrus added the bug Something isn't working label Jul 19, 2023
@dadrus
Owner Author

dadrus commented Jul 19, 2023

There are multiple things here:

  1. The usage of the environment variable is not correct. Instead of HEIMDALLCFG_RULES_MECHANISMS_AUTHENTICATORS_2_CONFIG_IDENTITY_INFO_ENDPOINT the variable name must be HEIMDALLCFG_RULES_MECHANISMS_AUTHENTICATORS_2_CONFIG_IDENTITY__INFO__ENDPOINT_URL. Please notice the multiple underscores in IDENTITY__INFO__ENDPOINT and the _URL part. The two underscores are required because the name of the corresponding property in the config file is identity_info_endpoint, and the underscores in the name must be escaped with an underscore to inform the parser that these underscores should not be used as separators for structured objects. The _URL part is required because the endpoint is actually an object, and the option to omit the structure of that object by providing only the value for the url is supported for config file based configuration only.
  2. The json schema validation happens before the config file is parsed, respectively before the values from environment variables are merged into the resulting object. This is actually the reason for the error message.

@dadrus
Owner Author

dadrus commented Jul 19, 2023

In addition to the comment above, which implies wrong usage, there is actually indeed a bug: if the configuration as provided above is updated to contain the identity_info_endpoint property with some value which should be overridden, and the env variable is set as described in 1, that value is not taken into account, effectively making env based configuration impossible, at least for all structured config entries which are made in an array.

Here is an example: one can override

rules:
  mechanisms:
    authenticators:
      - id: anonymous_authenticator
        type: anonymous

with HEIMDALLCFG_RULES_MECHANISMS_AUTHENTICATORS_0_TYPE=none (even if it doesn't make sense), but it is impossible to configure the given authenticator to set the subject id to "anon" via HEIMDALLCFG_RULES_MECHANISMS_AUTHENTICATORS_0_CONFIG_SUBJECT=anon

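The following is an added, self-contained Go model of the naming rules and merge behaviour the two comments above describe; it is not heimdall's own code and makes no claim about how heimdall implements its configuration loading. It assumes the HEIMDALLCFG_ prefix, that a single underscore separates path segments, that a double underscore stands for a literal underscore in a property name (so IDENTITY__INFO__ENDPOINT maps to identity_info_endpoint), and that numeric segments index into already-present list elements. The configuration and environment entries are constructed from the examples in this issue. Running applyEnv on the parsed config before schema validation is the order point 2 calls for; in this model the override of authenticators[0].config.subject and of authenticators[2].config.identity_info_endpoint.url both land in the merged object, which is the behaviour the second comment reports as missing.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed model of the HEIMDALLCFG_* naming rules described in this issue.
// Illustration only, not heimdall's own implementation.
const envPrefix = "HEIMDALLCFG_"

// envKeyToPath converts an environment variable name into lower-cased config path
// segments. "__" is a literal underscore, "_" separates segments. It reports false
// for names without the prefix or with an empty segment.
func envKeyToPath(name string) ([]string, bool) {
	if !strings.HasPrefix(name, envPrefix) {
		return nil, false
	}
	const esc = "\x00" // placeholder protecting escaped underscores while splitting
	raw := strings.ReplaceAll(strings.TrimPrefix(name, envPrefix), "__", esc)
	segs := strings.Split(raw, "_")
	for i, s := range segs {
		if s == "" {
			return nil, false
		}
		segs[i] = strings.ToLower(strings.ReplaceAll(s, esc, "_"))
	}
	return segs, true
}

// asContainer returns v unchanged when it is a map or list; otherwise it returns a
// fresh map so that nested keys can be set below a missing or scalar value.
func asContainer(v any) (any, bool) {
	switch v.(type) {
	case map[string]any, []any:
		return v, true
	}
	return map[string]any{}, false
}

// setPath stores value at path inside cfg, descending through maps and lists.
// List elements must already exist: an env var cannot append to a list here.
func setPath(cfg map[string]any, path []string, value string) error {
	var node any = cfg
	for i, seg := range path {
		last := i == len(path)-1
		switch n := node.(type) {
		case map[string]any:
			if last {
				n[seg] = value
				return nil
			}
			child, ok := asContainer(n[seg])
			if !ok {
				n[seg] = child // create the missing intermediate object
			}
			node = child
		case []any:
			idx, err := strconv.Atoi(seg)
			if err != nil || idx < 0 || idx >= len(n) {
				return fmt.Errorf("segment %q is not an index into a list of %d elements", seg, len(n))
			}
			if last {
				n[idx] = value
				return nil
			}
			child, ok := asContainer(n[idx])
			if !ok {
				n[idx] = child
			}
			node = child
		default:
			return fmt.Errorf("segment %q: cannot descend into scalar %v", seg, n)
		}
	}
	return nil
}

// applyEnv merges every HEIMDALLCFG_* entry of environ (KEY=VALUE form) into cfg.
// It must run before schema validation so that overrides are part of the validated object.
func applyEnv(cfg map[string]any, environ []string) error {
	for _, kv := range environ {
		key, value, found := strings.Cut(kv, "=")
		if !found {
			continue
		}
		path, ok := envKeyToPath(key)
		if !ok {
			continue // not a heimdall variable, or malformed name
		}
		if err := setPath(cfg, path, value); err != nil {
			return fmt.Errorf("%s: %w", key, err)
		}
	}
	return nil
}

// baseConfig mirrors the authenticators list from the issue (constructed sample).
func baseConfig() map[string]any {
	return map[string]any{"rules": map[string]any{"mechanisms": map[string]any{
		"authenticators": []any{
			map[string]any{"id": "anonymous_authenticator", "type": "anonymous"},
			map[string]any{"id": "noop", "type": "noop"},
			map[string]any{"id": "kratos_session_cookie", "type": "generic",
				"config": map[string]any{"subject": map[string]any{"id": "identity.id"}}},
		}}}}
}

func main() {
	cfg := baseConfig()
	env := []string{ // constructed, not read from the real process environment
		"HEIMDALLCFG_RULES_MECHANISMS_AUTHENTICATORS_0_CONFIG_SUBJECT=anon",
		"HEIMDALLCFG_RULES_MECHANISMS_AUTHENTICATORS_2_CONFIG_IDENTITY__INFO__ENDPOINT_URL=http://kratos/sessions/whoami",
	}
	if err := applyEnv(cfg, env); err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%v\n", cfg["rules"])
}
```

The list branch deliberately refuses indices beyond the current length and reports which variable failed, so a misspelt or out-of-range index surfaces as a startup error naming the variable rather than being silently dropped.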