open-policy-agent/opa

OPA - ambiguity between union and set comprehension operator due to bracket removal

Closed this issue · 1 comments

Short description

OPA information:

Version: 0.61.0
Build Commit: ea7a3e13c8fdceadeb199904facb4990fcb010f8
Build Timestamp: 2024-01-25T13:06:02Z
Build Hostname: Mac-1706188202317.local
Go Version: go1.21.5
Platform: darwin/amd64
WebAssembly: available

Consider the policy below:

```rego
package play

x := {1,2,3}
y := {4,5,6}

r := {"response": (x|y)}
```

Ideally, when data.play.r is queried, the return value should be {"response": [1,2,3,4,5,6]}.
However, when we build the policy to create a bundle (tar.gz) file (using opa build ...), the bundle contains a formatted version of this policy; please see below.

```rego
package play

x := {1, 2, 3}

y := {4, 5, 6}

r := {"response": x | y}
```

When data.play.r is queried now, the return value is {"response": [1,2,3]}.

In conclusion, the intention was to have a union operator, but OPA formats the policy (with the right intentions, of course) and now takes the operator to be a comprehension operator.

Steps To Reproduce

With the policy above, follow the steps below.

  1. opa build -b ., while inside the directory that contains the policy.
  2. opa run -b bundle.tar.gz, and then query data.play.r
  3. Repeat the experiment by running opa run authz.rego, where authz.rego is the policy described above, and query data.play.r again.

Hi there! 👋 And thanks for reporting this. Clearly it's a bug in the formatter, and tbh one I thought had been fixed in the past. As a workaround in the meantime, you could move the union to a separate assignment where it can't be mistaken for a comprehension.

```rego
package play

x := {1, 2, 3}

y := {4, 5, 6}

z := x | y

r := {"response": z}
```
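As an added example (not part of the issue thread and not OPA code): a small Python pre-build check that flags the source shape from this report, a parenthesised `|` sitting directly inside `{...}` or `[...]`, so it can be moved to a separate assignment as in the workaround above. The function name `find_fragile_unions` is hypothetical, and the check assumes only the shape reported here is affected.

```python
REPORTED = '''package play

x := {1,2,3}
y := {4,5,6}

r := {"response": (x|y)}
'''  # constructed input: the policy from the report

WORKAROUND = '''package play
x := {1, 2, 3}
y := {4, 5, 6}
z := x | y
r := {"response": z}
'''  # constructed input: the workaround, blank lines condensed

def find_fragile_unions(src):
    """Hypothetical helper: [(line, text)] for each (a | b) directly inside {...} or [...]."""
    findings, stack = [], []   # stack frames: [opener, offset, line, saw_pipe]
    i, line, n = 0, 1, len(src)
    while i < n:
        c = src[i]
        if c == "#":                        # comment: skip to end of line
            while i < n and src[i] != "\n":
                i += 1
            continue
        if c == '"':                        # string: skip body, honour escapes
            i += 1
            while i < n and src[i] != '"':
                i += 2 if src[i] == "\\" else 1
        elif c == "`":                      # raw string: skip body
            i += 1
            while i < n and src[i] != "`":
                line += 1 if src[i] == "\n" else 0
                i += 1
        elif c == "\n":
            line += 1
        elif c in "([{":
            stack.append([c, i, line, False])
        elif c == "|" and stack:
            stack[-1][3] = True             # `|` at the top level of this bracket
        elif c in ")]}" and stack:
            opener, start, start_line, saw_pipe = stack.pop()
            # Dropping these parentheses would leave a bare `|` inside a literal.
            if opener == "(" and saw_pipe and stack and stack[-1][0] in "{[":
                findings.append((start_line, src[start:i + 1]))
        i += 1
    return findings
```

This is a textual heuristic, so it can also flag a parenthesised `|` written directly in a rule body; treat each hit as a prompt to review the expression.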