bundle: Fixing issue where --v0-compatible isn't respected for custom bundles
#7338
Conversation
…om bundles where the bundle has been manually constructed containing v0 Rego modules and no `rego_version`/`file_rego_versions` fields are declared in the bundle manifest. This affects bundle deactivation in the bundle store lifecycle used when for `opa run` in server mode (`-s`). Signed-off-by: Johan Fylling <[email protected]>
✅ Deploy Preview for openpolicyagent ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
| @@ -1204,10 +1206,6 @@ func (b *Bundle) SetRegoVersion(v ast.RegoVersion) { | |||
| // If there is no defined version for the given path, the default version def is returned. | |||
| // If the version does not correspond to ast.RegoV0 or ast.RegoV1, an error is returned. | |||
| func (b *Bundle) RegoVersionForFile(path string, def ast.RegoVersion) (ast.RegoVersion, error) { | |||
| if def == ast.RegoUndefined { | |||
| def = ast.DefaultRegoVersion | |||
| } | |||
There was a problem hiding this comment.
This was a "magic", undocumented behavior that even confused our own internal usage.
There was a problem hiding this comment.
[comment]: I did wonder about this when I was looking at the sources recently. Thanks for addressing this!
| @@ -827,7 +827,7 @@ func writeModuleRegoVersionToStore(ctx context.Context, store storage.Store, txn | |||
|
|
|||
| if regoVersion == ast.RegoUndefined { | |||
| var err error | |||
| regoVersion, err = b.RegoVersionForFile(mf.Path, ast.RegoUndefined) | |||
There was a problem hiding this comment.
This was the root cause of the issue. If no rego-version was declared for the module in the bundle, we'd always default to v1, and not the runtime rego-version (i.e. --v0-compatible enabled/disabled).
| }, | ||
| }, | ||
| { | ||
| note: "custom bundle without rego-version, lazy, --v0-compatible", |
There was a problem hiding this comment.
This test-case fails without the fix.
| "modules":{ | ||
| "example/example.rego":{ | ||
| "rego_version":1 | ||
| } |
There was a problem hiding this comment.
No explicit rego-version set for runtime and bundle, so both default to the same version (v1) and is therefore not recorded into the stored meta data.
Signed-off-by: Johan Fylling <[email protected]>
v1/bundle/bundle.go
Outdated
| } else if regoVersion != ast.RegoUndefined { | ||
| modulePopts.RegoVersion = regoVersion |
There was a problem hiding this comment.
[comment/question]: It is not obvious to me exactly when this condition could occur, even after diving into the sources for bundle.RegoVersionForFile. As best I can tell though, getting both an error and a regoVersion that isn't the default ast.RegoUndefined value should be pretty difficult.
If there's an obvious edge-case I'm missing, could we add a quick comment to explain it here? 😅
There was a problem hiding this comment.
This is merely a safeguard against the world changing around us. You're correct that ast.RegoUndefined isn't an expected value here, but I think this is buried deeply enough that a future code change that alters this expectation could cause an issue here that is hard to detect. Also, if we get a ast.RegoUndefined returned here, we know that the correct course of action is to let the configured parser-options take precedence.
I'll add a comment 👍
| @@ -1204,10 +1206,6 @@ func (b *Bundle) SetRegoVersion(v ast.RegoVersion) { | |||
| // If there is no defined version for the given path, the default version def is returned. | |||
| // If the version does not correspond to ast.RegoV0 or ast.RegoV1, an error is returned. | |||
| func (b *Bundle) RegoVersionForFile(path string, def ast.RegoVersion) (ast.RegoVersion, error) { | |||
| if def == ast.RegoUndefined { | |||
| def = ast.DefaultRegoVersion | |||
| } | |||
There was a problem hiding this comment.
[comment]: I did wonder about this when I was looking at the sources recently. Thanks for addressing this!
v1/plugins/plugins.go
Outdated
| if m.parserOptions.RegoVersion == ast.RegoUndefined { | ||
| m.parserOptions.RegoVersion = ast.DefaultRegoVersion | ||
| } |
There was a problem hiding this comment.
[question]: Is this where the "default to the ast.DefaultRegoVersion if none provided" logic needed to move to?
There was a problem hiding this comment.
Yes. If a plugins.Manager has ast.RegoUndefined as rego-version, then any consumer of the manager would simply do the correct thing depending on what v0/v1 package it comes from, which is why this has gone undetected. Defaulting to v1 here if no rego-version has been provided through the options is however more consistent with user expectations.
Signed-off-by: Johan Fylling <[email protected]>
where the bundle has been manually constructed containing v0 Rego modules and no
rego_version/file_rego_versionsfields are declared in the bundle manifest.This affects bundle deactivation in the bundle store lifecycle used when for
opa runin server mode (-s).