Provide built-in(s) to do conversion between different string encoding types (base64, hex, etc) #7198

Open
me-viper opened this issue Nov 29, 2024 · 7 comments


@me-viper
Contributor

What is the underlying problem you're trying to solve?

When dealing with web stuff it's common to receive non-string inputs as base64 encoded strings. On the other hand, opa built-ins convert non-string stuff into hex strings. This creates issues when comparison is needed, for example:

example if {
    sig := sprintf("%s %s%s %s", [input.method, input.path, input.queryString, input.protocol])
    hash := crypto.hmac.sha256(sig, data.nbo.key) # hex encoded string
    signature := input.signature # base64 encoded string
    # Can't do that. It's possible to convert both to string and do the comparison but that is asking for trouble.
    crypto.hmac.equal(hash, signature)
}

Describe the ideal solution

Some built-in(s) that enable conversion between hex encoded strings and base64 encoded strings.

hex.to_base64(s)
hex.to_base64url(s)
base64.to_hex(s)
base64.to_base64url(s)
...

Maybe something more generic like:

convert_encoding(s, source_type, d, destination_type)
where type: base64, base64url or hex

Or something that returns byte array:

hex.bytes(s)
base64.bytes(s)
base64url.bytes(s)

Describe a "Good Enough" solution

N/A

Additional Context

N/A

@me-viper me-viper changed the title Provide built-in to do conversion between different string encoding types (base64, hex, etc) Provide built-in(s) to do conversion between different string encoding types (base64, hex, etc) Nov 29, 2024
@srenatus
Contributor

There's another avenue worth exploring: If you're using Wasm, and your Wasm SDK allows you to provide "SDK-dependent" builtins, you can

  1. create your own capabilities file, adding the type signature of a builtin you'd like to have
  2. use opa build -t wasm --capabilities caps.json ... to build the Wasm module
  3. use the Wasm module with the described builtin provided through your SDK.

It's probably the quickest way to get what you want, compared to adding the new builtins as native and Wasm implementations.... Worth trying, at least.

@me-viper
Contributor Author

Yes, we're already doing that. It works; writing tests for policies requires extra hoops, though.

But it would be nice to have it out of the box since base64 inputs are very common in web scenarios.
I can do a PR if I get input on what these built-ins should look like.

@me-viper
Contributor Author

me-viper commented Nov 29, 2024

Personally, I'd go the byte conversion way:

string hex.from_bytes(byte[])
byte[] hex.to_bytes(string)
...
base64.from_bytes()
base64.to_bytes()
...

Kinda low level but in the end, we're dealing with bytes anyway.
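The byte-level comparison discussed in this thread, as an added Go example (not code from OPA or from any participant): both values are decoded to raw bytes using an explicitly named encoding, then compared in constant time. The names `toBytes`, `macEqual` and `sign`, and the sample request line and key, are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// toBytes decodes s from the named encoding: hex, base64 or base64url.
// (Hypothetical helper; the encoding names follow the issue text.)
func toBytes(s, enc string) ([]byte, error) {
	switch enc {
	case "hex":
		return hex.DecodeString(s)
	case "base64":
		return base64.StdEncoding.DecodeString(s)
	case "base64url":
		return base64.URLEncoding.DecodeString(s)
	}
	return nil, fmt.Errorf("unknown encoding %q", enc)
}

// macEqual decodes both MACs to raw bytes, then compares in constant time.
func macEqual(a, aEnc, b, bEnc string) (bool, error) {
	ab, err := toBytes(a, aEnc)
	if err != nil {
		return false, err
	}
	bb, err := toBytes(b, bEnc)
	if err != nil {
		return false, err
	}
	return hmac.Equal(ab, bb), nil
}

// sign returns the raw HMAC-SHA256 of msg under key.
func sign(msg, key string) []byte {
	m := hmac.New(sha256.New, []byte(key))
	m.Write([]byte(msg))
	return m.Sum(nil)
}

func main() {
	raw := sign("GET /orders?id=7 HTTP/1.1", "constructed-key") // constructed sample input
	h, b := hex.EncodeToString(raw), base64.StdEncoding.EncodeToString(raw)
	fmt.Println(h == b)                          // comparing the encoded strings directly
	fmt.Println(macEqual(h, "hex", b, "base64")) // comparing the decoded bytes
}
```

Naming the encoding per argument avoids guessing: a hex string is also made up entirely of base64 alphabet characters, so the same text can decode successfully under both.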

@anderseknert
Member

From the issue description, I'm thinking we could just have crypto.hmac.equal accept either hex or base64 encoding for any of its arguments?

@me-viper
Contributor Author

me-viper commented Dec 3, 2024

Yes. It will be the minimum that works.

@anderseknert
Member

👍 I wouldn't mind that change... you see any issues with that @srenatus?


stale bot commented Jan 2, 2025

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.

@stale stale bot added the inactive label Jan 2, 2025