Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OPA panic on bundle deactivate when running a rego v0 bundle tarball from a policy image #7297

Closed
carabasdaniel opened this issue Jan 22, 2025 · 0 comments · Fixed by #7300
Closed

OPA panic on bundle deactivate when running a rego v0 bundle tarball from a policy image #7297

carabasdaniel opened this issue Jan 22, 2025 · 0 comments · Fixed by #7300
Labels
bug

Comments

@carabasdaniel
Copy link
Contributor

Short description

OPA seems to throw a panic when running bundle.Deactivate on a rego v0 bundle tarball.

Examples:

  • OPA v1.0.0
  • Bundle contains a single hello.rego file in the policies folder
package policies.hello

# default to a "closed" system,
# only grant access when explicitly granted

default allowed = false
default visible = false
default enabled = false

allowed {
    input.role == "web-admin"
}

enabled {
    visible
}

visible {
    input.app == "web-console"
}
  • Bundle manifest
{"revision":"","roots":["policies"],"rego_version":0,"metadata":{ <some builtins> }}
  • In the usage scenario I'm using OPA as a library and the returned output looks like this:
panic: Unable deactivate bundle: 3 errors occurred:                                                                                                                                                    
│     hello.rego:12: rego_parse_error: `if` keyword is required before rule body                                                          
│     hello.rego:16: rego_parse_error: `if` keyword is required before rule body                                                          
│     hello.rego:20: rego_parse_error: `if` keyword is required before rule body

Steps To Reproduce ( when using OPA as a library )

  1. Build a policy image or bundle tarball with the above mentioned rego file and manifest
  2. Spin up the bundle
  3. Slightly modify the bundle by adding another rule
  4. Call the bundle.Reconfigure method and on the bundle.Deactivate method it should throw the above mentioned panic

Expected behavior

If using rego v0 it should behave as OPA v0.70.0 did and during the bundle.Deactivation process take into consideration the specified rego version not use rego v1 with a v0 bundle
johanfylling added a commit to johanfylling/opa that referenced this issue Jan 22, 2025
@johanfylling
Fixing issue where bundle plugin would panic on reconfiguration if mo…
d940765 
…dule rego-version is missing in bundle manifest

* Passing runtime rego-version to deactivation options
* Preferring to pull rego-version from parsed modules if present

Fixes: open-policy-agent#7297
Signed-off-by: Johan Fylling <[email protected]>
@johanfylling johanfylling mentioned this issue Jan 22, 2025
Merged
@BrewTestBot BrewTestBot mentioned this issue Jan 27, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixing issue where bundle plugin could panic on reconfiguration johanfylling/opa
1 participant
@carabasdaniel