
Remove the need for outbound internet connection from Oathkeeper #234

Closed
tsjnsn opened this issue Aug 8, 2019 · 8 comments · Fixed by #282
Labels
feat New feature or request.

Comments

tsjnsn commented Aug 8, 2019

Is your feature request related to a problem? Please describe.

Oathkeeper without internet access doesn't function due to needing to pull a schema from github at runtime.
time="2019-08-08T15:03:53Z" level=fatal msg="The configuration is invalid and could not be loaded." error="Get https://raw.githubusercontent.com/ory/x/master/.schemas/logrusx/viper.schema.json: dial tcp 151.101.200.133:443: i/o timeout"

Describe the solution you'd like

Ability to provide the schema via config or build it into the container.

Describe alternatives you've considered

Outbound proxy. Does not seem like this is a good enough case for it though.

Additional context

aeneasr (Member) commented Aug 8, 2019

This is currently not easily implementable because of the way JSON Schema works. The schema within Oathkeeper is built into the binary; however, that schema relies on other schemas to work by using the $ref syntax. There is currently no easy way around this.

tsjnsn (Author) commented Aug 8, 2019

An option here would be to use a tool like https://github.com/APIDevTools/json-schema-ref-parser at build time to deref the schemas.

samh commented Sep 6, 2019

In my use case, the servers where this would be deployed are in isolated networks with no internet access at all.

But even if internet is available, if githubusercontent.com was ever offline, nobody would be able to start Oathkeeper, right?

aeneasr (Member) commented Sep 17, 2019

We will try to figure something out. For now, as a workaround, is a cache proxy reasonable, on top of a modified /etc/hosts file?

We could probably dereference the json schema as part of the build process and include it in the binary to fix this for real.

samh commented Sep 17, 2019

@aeneasr Thanks for your willingness to look into it! I'm willing to help with the code if I can; any pointers would be helpful.

I'm just starting to evaluate Oathkeeper now, so I don't necessarily need a workaround yet. I guess you mean serve up that file from e.g. localhost and point raw.githubusercontent.com there using /etc/hosts? That seems reasonable as a temporary solution.

aeneasr (Member) commented Sep 17, 2019

Exactly!

samh commented Sep 17, 2019

Now that I think of it some more, I'm not sure about the workaround, because it's https, so I think you'd have to generate and trust a local certificate for raw.githubusercontent.com.

@aeneasr It looks like oathkeeper is using "packr" to embed .schemas/config.schema.json. Could the same be done inside https://github.com/ory/x to embed the files in the .schemas directory into that package? Then it looks like (maybe in viperx/validate.go) you could use AddSchemas to add the local copies of the schema, and gojsonschema should load them locally: https://github.com/ory/gojsonschema#loading-local-schemas.

What do you think? I'm not that familiar with Go, so I'm not clear on how packr would work with a library (also, ory/x seems to be on packr v1, while oathkeeper is using packr v2).

aeneasr (Member) commented Sep 25, 2019

Yes, absolutely. I think the idea to get this working would be to have a build pipeline that:

  • dereferences the JSON schema (by downloading all the linked schemas)
  • packs the whole directory into the binary
  • loads the whole directory with gojsonschema

Should be straightforward, but I didn't have time yet to properly test it out.
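The first step of that pipeline, the dereference, as an added example that is not Oathkeeper's or ory/x's code: it takes a root schema and a map of schema documents that stands in for files packed into the binary (packr or go:embed), inlines every $ref (remote URL, fragment-only JSON pointer, or both), refuses to resolve any URL that is not in the map so nothing can reach the network at startup, and reports reference cycles instead of recursing forever. HasRefs is the build-time gate: run on the bundled output, a true result means the binary would still have something to resolve on startup. The example.invalid URLs and the three schemas are constructed for the example; the output is one self-contained document that a validator can load without resolving anything.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// embeddedSchemas stands in for schema files packed into the binary (packr or go:embed).
// URLs and contents are constructed for this example, not Oathkeeper's or ory/x's real schemas.
var embeddedSchemas = map[string]string{
	"https://example.invalid/config.schema.json": `{"type": "object",
	  "properties": {"log": {"$ref": "https://example.invalid/log.schema.json"},
	                 "port": {"$ref": "#/definitions/port"}},
	  "definitions": {"port": {"type": "integer", "minimum": 1, "maximum": 65535}}}`,
	"https://example.invalid/log.schema.json": `{"type": "object",
	  "properties": {"level": {"$ref": "#/definitions/level"}},
	  "definitions": {"level": {"type": "string", "enum": ["debug", "info", "warn", "error"]}}}`,
	"https://example.invalid/loop.schema.json": `{"properties": {"self": {"$ref": "https://example.invalid/loop.schema.json"}}}`,
}

// Dereference returns a copy of the embedded schema at rootURL with every $ref replaced by its target.
func Dereference(rootURL string) (map[string]interface{}, error) {
	out, err := resolve(map[string]interface{}{"$ref": rootURL}, "", nil, map[string]bool{})
	bundled, _ := out.(map[string]interface{})
	return bundled, err
}

// lookup resolves ref relative to the document docURL/doc. It returns the target node, the
// document it lives in (so fragment-only refs inside it use the right file) and a cycle key.
func lookup(ref, docURL string, doc map[string]interface{}) (node interface{}, url string, d map[string]interface{}, key string, err error) {
	base, frag := ref, ""
	if i := strings.IndexByte(ref, '#'); i >= 0 {
		base, frag = ref[:i], ref[i+1:]
	}
	url, d = docURL, doc
	if base != "" {
		raw, ok := embeddedSchemas[base]
		if !ok { // the whole point: never fall back to fetching over the network
			return nil, "", nil, "", fmt.Errorf("schema %q is not embedded; refusing to fetch it at runtime", base)
		}
		url, d = base, nil
		if err = json.Unmarshal([]byte(raw), &d); err != nil {
			return nil, "", nil, "", err
		}
	}
	node, key = d, url+"#"+frag
	// Walk the JSON pointer one member at a time (~0/~1 escapes are not handled here).
	var ok bool
	for _, part := range strings.FieldsFunc(frag, func(r rune) bool { return r == '/' }) {
		m, _ := node.(map[string]interface{})
		if node, ok = m[part]; !ok {
			return nil, "", nil, "", fmt.Errorf("%q: no member %q", ref, part)
		}
	}
	return node, url, d, key, nil
}

// resolve deep-copies node, inlining every $ref; inProgress holds the refs being inlined
// right now so a reference cycle is reported instead of recursing forever.
func resolve(node interface{}, docURL string, doc map[string]interface{}, inProgress map[string]bool) (interface{}, error) {
	var err error
	switch n := node.(type) {
	case map[string]interface{}:
		if ref, ok := n["$ref"].(string); ok {
			tn, tu, td, key, err := lookup(ref, docURL, doc)
			if err != nil {
				return nil, err
			}
			if inProgress[key] {
				return nil, fmt.Errorf("cyclic $ref %q cannot be inlined", ref)
			}
			inProgress[key] = true
			defer delete(inProgress, key) // the same ref may legitimately appear again in a sibling
			return resolve(tn, tu, td, inProgress)
		}
		out := make(map[string]interface{}, len(n))
		for k, v := range n {
			if out[k], err = resolve(v, docURL, doc, inProgress); err != nil {
				return nil, err
			}
		}
		return out, nil
	case []interface{}:
		out := make([]interface{}, len(n))
		for i, v := range n {
			if out[i], err = resolve(v, docURL, doc, inProgress); err != nil {
				return nil, err
			}
		}
		return out, nil
	}
	return node, nil // scalars are copied as-is
}

// HasRefs is the build-time gate: true means a $ref survived bundling. It is a deliberately
// conservative string scan, so a property literally named "$ref" also trips it.
func HasRefs(schema interface{}) bool {
	b, _ := json.Marshal(schema)
	return strings.Contains(string(b), `"$ref"`)
}
```

Running Dereference on the config schema inlines both the remote log schema and the local port definition; the loop schema fails with a cycle error, and a URL missing from the map fails immediately rather than being downloaded, which is the behaviour the feature request asks for at startup.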

@aeneasr aeneasr added the feat New feature or request. label Sep 25, 2019
aeneasr added a commit that referenced this issue Oct 26, 2019
Resolves several documentation issues, see also: ory/docs#217

Closes #234
Closes #281