Store UpsertPolicy not working as anticipated #318
Hello, I am trying to use store.UpsertPolicy as was done in this test:

However, in my case I don't need the additional module "Module("b.rego", "package b\np = data.a.p")" and am using only the initial module inserted into the store. Probably I am missing something. Bottom line, policies added to the store are ignored if no additional module is present.

Below test passes:

```go
ctx := context.Background()
store := inmem.New()
txn, _ := store.NewTransaction(ctx, storage.WriteParams)
store.UpsertPolicy(ctx, txn, "a.rego", []byte("package a\ndefault allow := true"))
store.Commit(ctx, txn)
query := rego.New(
	rego.Store(store),
	rego.Module("b.rego", "package test"),
	rego.Query("data.a.allow"),
)
results, _ := query.Eval(ctx)
assert.NotNil(t, results)
assert.True(t, results.Allowed())
```

Below test fails (nil):

```go
ctx := context.Background()
store := inmem.New()
txn, _ := store.NewTransaction(ctx, storage.WriteParams)
store.UpsertPolicy(ctx, txn, "a.rego", []byte("package a\ndefault allow := true"))
store.Commit(ctx, txn)
query := rego.New(
	rego.Store(store),
	//rego.Module("b.rego", "package test"),
	rego.Query("data.a.allow"),
)
results, _ := query.Eval(ctx)
assert.NotNil(t, results)
assert.True(t, results.Allowed())
```

Using this dependency: github.com/open-policy-agent/opa v0.47.3

Help would be appreciated, thanks!
Replies: 2 comments

Hi @yair12, thanks for sharing this use case and detailed write up. I can see what you are trying to do here and why the result is unexpected.

The reason that this is happening is that the upserted policy is only parsed when there is also a list of modules supplied. Until the module is parsed, it is unavailable for queries.

I believe the problematic logic can be found here:
https://github.com/open-policy-agent/opa/blob/9bd1bfb4e1440009be1e8d1a126d35d091d7f043/rego/rego.go#L1683-L1685

I have raised an issue for this here and will report back once I've asked some of the others on my team.

Thanks again for the detailed report :)

Hi again, just to let you know that a fix for this has been merged in open-policy-agent/opa#5520. This will be featured in the next release of OPA which should be this week or early next week.