opa inspect failure on custom funcs in policies #6457

Closed
simar7 opened this issue Dec 6, 2023 · 6 comments · Fixed by #6462

simar7 commented Dec 6, 2023

Short description

Since version v0.59.0, any bundles that include custom functions in their policies have now started to fail with an undefined function error.

Steps To Reproduce

  1. Create a bundle with a policy that contains a custom function
  2. Package the bundle
  3. Run opa inspect on the bundle
  4. Observe: rego_type_error: undefined function custom.func.name.here

Expected behavior

While the error seems correct, there also doesn't seem to be a way to define and load a custom function used in policies either to enable opa inspect to not throw any errors.

Additional context

These custom functions are defined and loaded via the Go SDK during OPA initialization. They work just fine when done so, but during opa inspect they fail as the OPA CLI has no way to know about the definitions of these custom functions.

This error has started since v0.59.0. Prior versions are unaffected.

@simar7 simar7 added the bug label Dec 6, 2023
simar7 added a commit to aquasecurity/trivy-checks that referenced this issue Dec 6, 2023
@anderseknert
Member

Thanks for reporting this @simar7. We'll look into it.

johanfylling added a commit to johanfylling/opa that referenced this issue Dec 7, 2023
…nspected

Fixes: open-policy-agent#6457
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
@ashutosh-narkar
Member

@simar7 it would be helpful if you could provide a simple policy that fails inspect. Just having a custom function in a policy should not fail inspect. So if you help with a simple repro case that would be good.

Author

simar7 commented Dec 11, 2023

> @simar7 it would be helpful if you could provide a simple policy that fails inspect. Just having a custom function in a policy should not fail inspect. So if you help with a simple repro case that would be good.

Any bundle with a policy that has a custom function fails it. Here's an example as done in the PR https://github.com/open-policy-agent/opa/pull/6462/files#diff-29da7cb39323409b7f0e930998e9da29487fdc6c3f8c52d838efa9b48827f7d2R571-R577

Keep in mind this custom function is loaded via the Go SDK later on during runtime. During inspect, there's no such setup.

ashutosh-narkar pushed a commit to johanfylling/opa that referenced this issue Dec 11, 2023
…nspected

Fixes: open-policy-agent#6457
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
@ashutosh-narkar
Member

Thanks for the context. So if you try to build a bundle with that policy it will fail too. This is true for pre-OPA 0.59.0. I imagine you're not using OPA tooling to build the bundle. You mention this was working pre-OPA 0.59.0. Is this correct?

johanfylling added a commit that referenced this issue Dec 20, 2023
…nspected (#6462)

Fixes: #6457

Signed-off-by: Johan Fylling <johan.dev@fylling.se>

HarshPathakhp commented Feb 14, 2024

Hi @johanfylling @ashutosh-narkar
I think the fix here solves the problem only partially. I have an example below for which inspect still fails.

```rego
package play
import data.x.y as y

default r := false
r {
    y(1) == true
}
```

Tried this on 0.61.0. Steps to reproduce as below -

  1. tar -czvf bundle.tar.gz authz.rego
  2. opa inspect bundle.tar.gz

The error complains of an unsafe expression error: 1 error occurred: bundle/authz.rego:6: rego_unsafe_var_error: expression is unsafe

Unlike the author of this post, my dependency is coming from another bundle, which is loaded at runtime in OPA. However, I can't run the inspect command. It was working before v0.59.0.

Contributor

johanfylling commented Feb 15, 2024

Thank you for reporting this @HarshPathakhp! I've created a separate bug report for tracking this issue: #6591.
