# help

Alex Tuca

05/03/2023, 7:04 AM
Hi! Is there any way I can debug a policy while running? The tests that I wrote for it pass but it does not while running live and I can't quite figure out what the difference is between the requests. (moved from community, posted there by mistake)

Rob Crowe

05/03/2023, 7:21 AM
We usually use the audit logs to help with this; it will output the principal and resource values so you can check what values you're seeing compared to what you expected in your policies.

Alex Tuca

05/03/2023, 8:12 AM
Thanks! Now I've tried to use a custom config but I get an error regarding the JWT - "failed to find key with ID" but I don't get where it's getting that ID from. Is it generated automatically?

Rob Crowe

05/03/2023, 8:17 AM
https://docs.cerbos.dev/cerbos/latest/configuration/auxdata.html I'm assuming it's the `kid` (key id) that is in a claim in the JWT. Cerbos needs to use that ID to look up the key, to check the signing signature

Charith (Cerbos)

05/03/2023, 8:22 AM
For debugging, you can add `includeMeta` to the request to see details about which policy matched and so on. If you have policy tests, adding `--verbose` to the test runner will give you a step-by-step evaluation record for the failed policies as well. Finally, you can load the policy into the Cerbos REPL and execute its rules with your inputs to see how they are evaluated. You can find more information about these tools in https://cerbos.dev/blog/how-to-use-cerbos-effectively

Alex Tuca

05/03/2023, 8:29 AM
You are right, it's the kid claim - I can't realize though why it does not match, since I've set the data to the base64-encoded public key and set pem to true...

Charith (Cerbos)

05/03/2023, 8:40 AM
Can you post your configuration file here with the sensitive values blanked out?

Alex Tuca

05/03/2023, 8:42 AM
```yaml
audit:
  accessLogsEnabled: true
  backend: 'file'
  decisionLogsEnabled: true
  file:
    path: stdout
auxData:
  jwt:
    keySets:
      - id: ${KEY_KID} # kid claim from the JWT
        local:
          data: ${FUSION_SIGN_KEY}
          pem: true
server:
  httpListenAddr: ":3592"
storage:
  driver: "disk"
  disk:
    directory: "/config/policies"
    watchForChanges: true
logRequestPayloads: true
```

Charith (Cerbos)

05/03/2023, 8:46 AM
Ah, the keySet ID in Cerbos config is not your KID. It's just any identifier you'd like to use to identify that particular key set. If you have multiple key sets, we find the correct one to use based on the `auxData.keySetId` value sent in your request (number 16 in https://docs.cerbos.dev/cerbos/latest/api/index.html#check-resources)
If you only have one key set, then you don't need to send `keySetId` in the request.

Alex Tuca

05/03/2023, 8:57 AM
At first I had it set to "default" (I'm not sending any keySetId in the request). I've changed it now since I saw the error, hoping that it would fix it. Unfortunately, it didn't.

Charith (Cerbos)

05/03/2023, 8:58 AM
What's the full error message?

Alex Tuca

05/03/2023, 8:59 AM
{"log.level":"error","@timestamp":"2023-05-03T08:59:17.969Z","log.logger":"cerbos.grpc","message":"Failed to extract auxData","grpc.start_time":"2023-05-03T08:59:17Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"CheckResources","peer.address":"192.168.112.1:58118","cerbos":{"call_id":"01GZGDCQJ91JC8WBGS52T48GWZ"},"error":"failed to parse JWT: key provider 0 failed: failed to find key with key ID \"a3RRnlKKn1hs9E9b_SzgBmgzS18\" in key set"}

Charith (Cerbos)

05/03/2023, 9:03 AM
Right, so this error suggests that your JWT is signed with a key that does not exist in the key set you have configured Cerbos with.

Alex Tuca

05/03/2023, 9:15 AM
I supposed that would be the meaning, the issue is that I'm fairly sure it is the same key so I'm probably not passing it properly to Cerbos. Just to make sure - I need to base64encode the whole body of the PEM-encoded public key (------BEGIN PUBLIC KEY------ etcetc ------END PUBLIC KEY) and set data to this value and pem to true?

Charith (Cerbos)

05/03/2023, 9:21 AM
Oh, it needs to be a JWK(S). So, essentially a JSON object describing the key. Here's an example: https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-set-properties
It looks like you're using FusionAuth. You might be able to get the keyset by accessing `/.well-known/jwks.json` on the server. (I am not a FusionAuth expert, so I could be wrong here.)

Alex Tuca

05/03/2023, 9:35 AM
Using the jwks endpoint worked! This means that Fusion is not using the key I thought it was...I'll look into that separately. Thanks a lot!