Partial Evaluation returning queries when unconditional result is available

[robhafner]

I'm in the process of evaluating OPA's partial evaluation feature and based upon the documentation found here I think I should expect no queries to be returned in the output when an unconditional result is available for a partial evaluation query. However, the output in the example below includes a query and so I'm not sure I understand how to interpret the response given it should be allowed. Based on the documentation I'm not sure if this is a bug or if I'm not understanding the expected output of a partial evaluation query. I'm assuming it's the latter given I'm fairly new to OPA. Any help/insight from the community would be appreciated.

input.json
{ "method": "GET", "path": ["pets", "fluffy"], "subject": { "user": "alice", "location": "SOMA" } }

example.rego
`package petclinic.authz

import future.keywords.if
import future.keywords.in

default allow := false

allow {
input.method = "GET"
input.subject.user = "alice"
}

allow {
input.method = "GET"
input.path = ["pets", name]
allowed[pet]
pet.name = name
}

allowed[pet] {
pet = data.pets[_]
pet.owner = input.subject.user
}

allowed[pet] {
pet = data.pets[_]
pet.veterinarian = input.subject.user
pet.clinic = input.subject.location
}`

command:
opa eval 'data.petclinic.authz.allow' --partial --unknowns "data.pets" --data example.rego --input input.json --format json --strict

command output
{ "partial": { "queries": [ [ { "index": 0, "terms": [ { "type": "ref", "value": [ { "type": "var", "value": "eq" } ] }, { "type": "string", "value": "alice" }, { "type": "ref", "value": [ { "type": "var", "value": "data" }, { "type": "string", "value": "pets" }, { "type": "var", "value": "$02" }, { "type": "string", "value": "owner" } ] } ] }, { "index": 1, "terms": { "type": "ref", "value": [ { "type": "var", "value": "data" }, { "type": "string", "value": "pets" }, { "type": "var", "value": "$02" } ] } }, { "index": 2, "terms": [ { "type": "ref", "value": [ { "type": "var", "value": "eq" } ] }, { "type": "ref", "value": [ { "type": "var", "value": "data" }, { "type": "string", "value": "pets" }, { "type": "var", "value": "$02" }, { "type": "string", "value": "name" } ] }, { "type": "string", "value": "fluffy" } ] } ], [ { "index": 0, "terms": [ { "type": "ref", "value": [ { "type": "var", "value": "eq" } ] }, { "type": "string", "value": "alice" }, { "type": "ref", "value": [ { "type": "var", "value": "data" }, { "type": "string", "value": "pets" }, { "type": "var", "value": "$13" }, { "type": "string", "value": "veterinarian" } ] } ] }, { "index": 1, "terms": [ { "type": "ref", "value": [ { "type": "var", "value": "eq" } ] }, { "type": "string", "value": "SOMA" }, { "type": "ref", "value": [ { "type": "var", "value": "data" }, { "type": "string", "value": "pets" }, { "type": "var", "value": "$13" }, { "type": "string", "value": "clinic" } ] } ] }, { "index": 2, "terms": { "type": "ref", "value": [ { "type": "var", "value": "data" }, { "type": "string", "value": "pets" }, { "type": "var", "value": "$13" } ] } }, { "index": 3, "terms": [ { "type": "ref", "value": [ { "type": "var", "value": "eq" } ] }, { "type": "ref", "value": [ { "type": "var", "value": "data" }, { "type": "string", "value": "pets" }, { "type": "var", "value": "$13" }, { "type": "string", "value": "name" } ] }, { "type": "string", "value": "fluffy" } ] } ], [] ] } }

OPA Version Information
opa version
Version: 0.50.2
Build Commit: 0ffef53acc0a4f4063b4155a2c54cb6f3c349139
Build Timestamp: 2023-03-21T11:36:06Z
Build Hostname: Mac-1679398659007.local
Go Version: go1.20.2
Platform: darwin/amd64
WebAssembly: available

[srenatus]

Just a hint, try format "pretty" or "source", it'll give you the PE results as rego.

[robhafner]

Thanks for the suggestion @srenatus. That certainly helps a bit. However, I'm not sure it clears up my understanding. Based upon the example in the "Unconditional Results from Partial Evaluation" section of this doc along with the statement from the doc included below, I would expect the queries array to be empty. Instead 3 queries are returned of which one is empty.

Statement:
"If the query is always true, the "queries" value in the result will contain an empty array. The empty array indicates that your query can be satisfied without any further evaluation."

+---------+---------------------------------------+
| Query 1 | "alice" = data.pets[_02].owner |
| | data.pets[_02] |
| | data.pets[_02].name = "fluffy" |
+---------+---------------------------------------+
| Query 2 | "alice" = data.pets[_13].veterinarian |
| | "SOMA" = data.pets[_13].clinic |
| | data.pets[_13] |
| | data.pets[_13].name = "fluffy" |
+---------+---------------------------------------+
| Query 3 | |
+---------+---------------------------------------+

[robhafner]

Also, the following statement in the blog suggests a single empty query or no queries at all would be returned when a request is allowed or denied unconditionally.

"In some cases, OPA can still determine that a request should be allowed or denied unconditionally. In these cases, OPA returns a single empty query or no queries at all (respectively.)"

Any chance the documentation and blog post are out sync with the current behavior of OPA?

[srenatus]

Any chance the documentation and blog post are out sync with the current behavior of OPA?

I think that's accurate. In your case, having a single empty query -- i.e. one unconditional "true" -- should be enough to drop the others. There's an issue on PE post-processing that sort of fits: there are conditions that to a human eye seem obvious to further simplify, but the evaluator doesn't have the means to do that.