open-policy-agent/opa

`opa inspect` failure on custom funcs in policies

Closed this issue · 6 comments

Short description

Since version v0.59.0, any bundles that include custom functions in their policies have now started to fail with an undefined function error.

Steps To Reproduce

  1. Create a bundle with a policy that contains a custom function
  2. Package the bundle
  3. Run `opa inspect` on the bundle
  4. Observe: `rego_type_error: undefined function custom.func.name.here`

Expected behavior

While the error seems correct, there also doesn't seem to be a way to define and load a custom function used in policies either to enable `opa inspect` to not throw any errors.

Additional context

These custom functions are defined and loaded via the Go SDK during OPA initialization. They work just fine when done so, but during `opa inspect` they fail as the OPA CLI has no way to know about the definitions of these custom functions.

This error has started since v0.59.0. Prior versions are unaffected.

Thanks for reporting this @simar7. We'll look into it.

@simar7 it would be helpful if you could provide a simple policy that fails inspect. Just having a custom function in a policy should not fail inspect. So if you help with a simple repro case that would be good.

> @simar7 it would be helpful if you could provide a simple policy that fails inspect. Just having a custom function in a policy should not fail inspect. So if you help with a simple repro case that would be good.

Any bundle with a policy that has a custom function fails it. Here's an example as done in the PR https://github.com/open-policy-agent/opa/pull/6462/files#diff-29da7cb39323409b7f0e930998e9da29487fdc6c3f8c52d838efa9b48827f7d2R571-R577

Keep in mind this custom function is loaded via the Go SDK later on during runtime. During inspect, there's no such setup.

Thanks for the context. So if you try to build a bundle with that policy it will fail too. This is true for pre-OPA 0.59.0. I imagine you're not using OPA tooling to build the bundle. You mention this was working pre-OPA 0.59.0. Is this correct?

Hi @johanfylling @ashutosh-narkar
I think the fix here solves the problem only partially. I have an example below for which inspect still fails.

```rego
package play
import data.x.y as y

default r := false
r {
    y(1) == true
}
```

Tried this on 0.61.0. Steps to reproduce as below -

  1. `tar -czvf bundle.tar.gz authz.rego`
  2. `opa inspect bundle.tar.gz`

The error complains of an unsafe expression error: `1 error occurred: bundle/authz.rego:6: rego_unsafe_var_error: expression is unsafe`

Unlike the author of this post, my dependency is coming from another bundle, which is loaded at runtime in OPA. However, I can't run the inspect command. It was working before v0.59.0.

Thank you for reporting this @HarshPathakhp! I've created a separate bug report for tracking this issue: #6591.