rego policy dissimilar results in golang and rego playground

[cylonchau]

Hello OPA's developer, I am so sorry to bother yours.

I have a problem, the rego policy in playground testing is ok, but in golang is fault, I refer to many tutorials cannot solve this problem.

This is my playground adderss: https://play.openpolicyagent.org/p/JFdryx8eqW

This is my rego, check input.spec.group and input.spec.resourceAttributes.verb

package k8s

import future.keywords.if
import future.keywords.in

default allow := false

allow if {
    admin_verbs := {"create", "list", "delete", "update"}
	admin_groups := {"admin"}
	groups := {v | v := input.spec.group[_]}
	count(admin_groups & groups) > 0
	input.spec.resourceAttributes.verb in admin_verbs
}

allow if {
    conf_groups := {"conf"}
    conf_verbs := {"list"}
	groups := {v | v := input.spec.group[_]}
	count(conf_groups & groups) > 0
	input.spec.resourceAttributes.verb in conf_verbs
}

This is request

{
    "apiVersion": "authorization.k8s.io/v1beta1",
    "kind": "SubjectAccessReview",
    "metadata": {
        "creationTimestamp": null
    },
    "spec": {
        "group": [
            "admin",
            "system:authenticated"
        ],
        "resourceAttributes": {
            "namespace": "default",
            "resource": "pods",
            "verb": "list",
            "version": "v1"
        },
        "uid": "searchUser",
        "user": "searchUser"
    },
    "status": {
        "allowed": false
    }
}

The result as expected in the playground.

It's my golang code

package rbac

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/rego"
	authoV1 "k8s.io/api/authorization/v1"
	"k8s.io/klog/v2"
)

var module = `package k8s
import future.keywords.in

default allow = false
admin_verbs := {"create", "list", "delete", "update"}
admin_groups := {"admin"}
conf_groups := {"conf"}
conf_verbs := {"list"}
allow  {
	groups := {v | v := input.spec.group[_]}
	count(admin_groups & groups) > 0
	input.spec.resourceAttributes.verb in admin_verbs
}

allow  {
	groups := {v | v := input.spec.group[_]}
	count(conf_groups & groups) > 0
	input.spec.resourceAttributes.verb in conf_verbs
}
`

func RBACChek(req authoV1.SubjectAccessReview) bool {

	query, err := rego.New(
		rego.Input(req),
		rego.Query("data.k8s == true"),
		rego.Module("k8s.allow", module),
	).PrepareForEval(context.TODO())

	if err != nil {
		klog.V(4).Info(err)
		return false
	}

	result, err := query.Eval(context.TODO())

	if err != nil {
		klog.V(4).Info("evaluation error:", err)
		return false
	} else if len(result) == 0 {
		klog.V(4).Info("undefined result", err)
		return false
		// Handle undefined result.
	}

	fmt.Printf("\n%+v\n", result.Allowed())
	fmt.Printf("\n%+v\n", result)
	return result.Allowed()

}

This is my code output, You can see that the requested parameters should be allowed, but the code returns false

root@DESKTOP-B18T1IF:/mnt/d/src/go_work/src/authwebhook# go run main.go -v 4
I1124 17:47:03.582080   18031 main.go:40] Receied: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1be
ta1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"list","version":"
v1","resource":"pods"},"user":"admin","group":["admin","system:authenticated"],"uid":"admin"},"status":{"allowed":false}
}

false

[{Expressions:[false] Bindings:map[]}]

I1124 17:47:03.584494   18031 main.go:58] Returning: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1
beta1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"list","version"
:"v1","resource":"pods"},"user":"admin","uid":"admin"},"status":{"allowed":false}}

[srenatus]

That query looks weird:

rego.Query("data.k8s == true"),

The playground will evaluate the full package extent, i.e. data.k8s, when you don't use "Evaluate Selection" with some rule highlighted.

But that said, I suppose the query you're looking for is probably rego.Query("data.k8s.allow").

[cylonchau]

rego.Query("data.k8s == true"), I reference this code https://github.com/open-policy-agent/opa/blob/955464e172793a7a3a55f2d4e6195d0a000975f5/rego/example_test.go#L649-L671

update code to rego.Query("data.k8s.allow") the result is the same

package rbac

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/rego"
	authoV1 "k8s.io/api/authorization/v1"
	"k8s.io/klog/v2"
)

var module = `package k8s
import future.keywords.in

default allow = false
admin_verbs := {"create", "list", "delete", "update"}
admin_groups := {"admin"}
conf_groups := {"conf"}
conf_verbs := {"list"}
allow  {
	groups := {v | v := input.spec.group[_]}
	count(admin_groups & groups) > 0
	input.spec.resourceAttributes.verb in admin_verbs
}

allow  {
	groups := {v | v := input.spec.group[_]}
	count(conf_groups & groups) > 0
	input.spec.resourceAttributes.verb in conf_verbs
}
`

func RBACChek(req authoV1.SubjectAccessReview) bool {

	query, err := rego.New(
		rego.Input(req),
		rego.Query("data.k8s.allow"),
		rego.Module("k8s.allow", module),
	).PrepareForEval(context.TODO())

	if err != nil {
		klog.V(4).Info(err)
		return false
	}

	result, err := query.Eval(context.TODO())

	if err != nil {
		klog.V(4).Info("evaluation error:", err)
		return false
	} else if len(result) == 0 {
		klog.V(4).Info("undefined result", err)
		return false
		// Handle undefined result.
	}

	fmt.Printf("\n%+v\n", result.Allowed())
	fmt.Printf("\n%+v\n", result)
	return result.Allowed()

}

I1124 18:21:00.982032   18413 main.go:40] Receied: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1be
ta1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"list","version":"
v1","resource":"pods"},"user":"admin","group":["admin","system:authenticated"],"uid":"admin"},"status":{"allowed":false}
}

false

[{Expressions:[false] Bindings:map[]}]
I1124 18:21:00.984021   18413 main.go:58] Returning: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1
beta1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"list","version"
:"v1","resource":"pods"},"user":"admin","uid":"admin"},"status":{"allowed":false}}

[srenatus]

The other thing to check is input. You could try to convert it yourself instead of relying on rego.Input() to do the right thing.
See also this comment:

// Input returns an argument that sets the Rego input document. Input should be
// a native Go value representing the input document.

IIRC it does also do some roundtripping, but it's not entirely clear that you end up with the right ast.Value, matching what your policy expects. It's safest to convert req to map[string]interface{} yourself and feed that into eval.

[cylonchau]

Thank you for your reply（＾-＾）, Is not your mentioned problem (convert to map[string]interface{} ) , maybe kubernetes lib problem. recived requset is authorization.k8s.io/v1beta1, the field "group":["conf","system:authenticated"] , the struct is Groups []string , so converted result the groups is empty, so never allow. 😅😅😅😅

[cylonchau]

change go lib, rego in golang work is ok, thank you OPA's developer srenatus. It's my really too careless