ast+cmd: Allowing bundle to contain calls to unknown Rego functions w…

…hen inspected Fixes: #6591 Signed-off-by: Johan Fylling <johan.dev@fylling.se>
open-policy-agent · Feb 15, 2024 · 0d70329 · 0d70329
1 parent 1f6b75c
commit 0d70329
Show file tree

Hide file tree

Showing 3 changed files with 105 additions and 1 deletion.
diff --git a/ast/check.go b/ast/check.go
@@ -93,6 +93,8 @@ func (tc *typeChecker) WithInputType(tpe types.Type) *typeChecker {
 	return tc
 }
 
+// WithAllowUndefinedFunctionCalls sets the type checker to allow references to undefined functions.
+// Additionally, the 'CheckUndefinedFuncs' and 'CheckSafetyRuleBodies' compiler stages are skipped.
 func (tc *typeChecker) WithAllowUndefinedFunctionCalls(allow bool) *typeChecker {
 	tc.allowUndefinedFuncs = allow
 	return tc

diff --git a/ast/compile.go b/ast/compile.go
@@ -1585,7 +1585,7 @@ func (c *Compiler) compile() {
 			}
 		}
 
-		if c.allowUndefinedFuncCalls && s.name == "CheckUndefinedFuncs" {
+		if c.allowUndefinedFuncCalls && (s.name == "CheckUndefinedFuncs" || s.name == "CheckSafetyRuleBodies") {
 			continue
 		}
 

diff --git a/cmd/inspect_test.go b/cmd/inspect_test.go
@@ -774,3 +774,105 @@ func TestCallToUnknownBuiltInFunction(t *testing.T) {
 		}
 	})
 }
+
+func TestCallToUnknownRegoFunction(t *testing.T) {
+	files := [][2]string{
+		{"/policy.rego", `package test
+import data.x.y
+
+p {
+	y(1) == true
+}
+		`},
+	}
+
+	buf := archive.MustWriteTarGz(files)
+
+	test.WithTempFS(nil, func(rootDir string) {
+		bundleFile := filepath.Join(rootDir, "bundle.tar.gz")
+
+		bf, err := os.Create(bundleFile)
+		if err != nil {
+			t.Fatalf("Unexpected error: %v", err)
+		}
+
+		_, err = bf.Write(buf.Bytes())
+		if err != nil {
+			t.Fatalf("Unexpected error: %v", err)
+		}
+
+		var out bytes.Buffer
+		params := newInspectCommandParams()
+		err = params.outputFormat.Set(evalJSONOutput)
+		if err != nil {
+			t.Fatalf("Unexpected error: %s", err)
+		}
+
+		err = doInspect(params, bundleFile, &out)
+		if err != nil {
+			t.Fatalf("Unexpected error %v", err)
+		}
+
+		bs := out.Bytes()
+		output := strings.TrimSpace(string(bs))
+		// Note: unknown data.x.y() function doesn't appear in the output, but also didn't cause an error.
+		expected := strings.TrimSpace(`{
+  "manifest": {
+    "revision": "",
+    "roots": [
+      ""
+    ]
+  },
+  "signatures_config": {},
+  "namespaces": {
+    "data.test": [
+      "/policy.rego"
+    ]
+  },
+  "capabilities": {
+    "builtins": [
+      {
+        "name": "eq",
+        "decl": {
+          "args": [
+            {
+              "type": "any"
+            },
+            {
+              "type": "any"
+            }
+          ],
+          "result": {
+            "type": "boolean"
+          },
+          "type": "function"
+        },
+        "infix": "="
+      },
+      {
+        "name": "equal",
+        "decl": {
+          "args": [
+            {
+              "type": "any"
+            },
+            {
+              "type": "any"
+            }
+          ],
+          "result": {
+            "type": "boolean"
+          },
+          "type": "function"
+        },
+        "infix": "=="
+      }
+    ]
+  }
+}`)
+
+		if output != expected {
+			t.Fatalf("Unexpected output. Expected:\n\n%s\n\nGot:\n\n%s", expected, output)
+		}
+	})
+}