open-policy-agent/opa

Invalid partial evaluation result (__localcp0__)

nkey0 opened this issue · 6 comments

./opa run --server --log-level debug  policy.rego 
{"current_version":"0.58.0","level":"debug","msg":"OPA is up to date.","time":"2023-11-03T10:32:03+01:00"}

This is the basic policy:

package test

import future.keywords.if

default allow := false

allowed(_) if {
    input.subject.on_duty
}

allow if {
    allowed(input.project)
}

and the query:

curl 'http://localhost:8181/v1/compile?pretty=true'   -H 'content-type: application/json'   --data-raw '{"query": "data.test.allow == true", "input":{"subject":{"on_duty":true}}, "unknowns": ["input.project"]}' 
{
  "result": {
    "queries": [
      [
        {
          "index": 0,
          "terms": [
            {
              "type": "ref",
              "value": [
                {
                  "type": "var",
                  "value": "eq"
                }
              ]
            },
            {
              "type": "var",
              "value": "__localcp0__"
            },
            {
              "type": "ref",
              "value": [
                {
                  "type": "var",
                  "value": "input"
                },
                {
                  "type": "string",
                  "value": "project"
                }
              ]
            }
          ]
        }
      ]
    ]
  }
}

Expected result:

{
  "result": {
    "queries": [
      []
    ]
  }
}

Workaround:

package test

import future.keywords.if

default allow := false

allowed(_) if {
    input.subject.on_duty
}

allow if {
    allowed(1)
}
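A small check that a Compile API consumer could run on the partial-evaluation result before translating it into a data filter, added here as an example and not part of the issue or of OPA itself. It embeds the response quoted above as constructed sample data, walks the term AST, and flags any compiler-internal `__local*` variable that survived partial evaluation (the bug this issue reports), while also recognising the documented "always true" (an empty query) and "never true" (no queries) shapes.

```python
import json

# Constructed sample: the Compile API response quoted in this issue, embedded inline
# so the check runs offline rather than against a live OPA server.
SAMPLE_COMPILE_RESPONSE = json.loads("""
{"result": {"queries": [[{"index": 0, "terms": [
  {"type": "ref", "value": [{"type": "var", "value": "eq"}]},
  {"type": "var", "value": "__localcp0__"},
  {"type": "ref", "value": [{"type": "var", "value": "input"},
                            {"type": "string", "value": "project"}]}]}]]}}
""")


def iter_vars(term):
    """Yield every var name inside one term, descending into refs, calls,
    arrays, sets and object key/value pairs."""
    value = term.get("value")
    if term.get("type") == "var":
        yield value
    elif isinstance(value, list):
        for sub in value:
            # object terms hold [key, value] pairs; everything else holds terms
            for part in (sub if isinstance(sub, list) else [sub]):
                yield from iter_vars(part)


def expr_vars(expr):
    """Vars of one expression; 'terms' is a single term or a list of call terms."""
    terms = expr["terms"]
    for term in (terms if isinstance(terms, list) else [terms]):
        yield from iter_vars(term)


def classify(response):
    """Summarise a /v1/compile result before turning it into a data filter.
    No 'queries' -> the query can never hold; an empty query -> it always holds;
    compiler-internal '__local*' vars should never survive partial evaluation."""
    queries = response.get("result", {}).get("queries")
    if not queries:
        return {"verdict": "never", "leaked_vars": []}
    leaked = sorted({v for q in queries for e in q for v in expr_vars(e)
                     if v.startswith("__local")})
    if leaked:
        return {"verdict": "invalid", "leaked_vars": leaked}
    if any(len(q) == 0 for q in queries):
        return {"verdict": "always", "leaked_vars": []}
    return {"verdict": "conditional", "leaked_vars": []}


if __name__ == "__main__":
    print(classify(SAMPLE_COMPILE_RESPONSE))
    # {'verdict': 'invalid', 'leaked_vars': ['__localcp0__']}
```

Run against the expected result from the issue (`{"result": {"queries": [[]]}}`) the verdict is `always`, which is the shape a caller would treat as an unconditional allow.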

@srenatus any ideas on what's happening here? Any pointers to a potential fix would be helpful too.

Hm it's a bit of an odd policy.... Passing the argument only ensures that it's defined. Probably an edge case but accounted for. I'd have to dive in fully, I'll try to have a look tomorrow.

Hm it's a bit of an odd policy....

Yes, but in the real case it looks like:

allowed(_) if {
    input.subject.on_duty
}

allowed(project) if {
    project.owner == input.subject.user
}

Like "allow owner to read project. allow duty to read all projects.".

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.