search

microsoft / regorus

Regorus - A fast, lightweight Rego (OPA policy language) interpreter written in Rust.
MIT License
106 stars 27 forks source link

Objects can be created with `undefined` keys and values #170

Closed balcanuc closed 4 months ago

balcanuc commented 4 months ago

In object expressions, "undefined" values are added to the object instead of making the expression itself undefined.

ORIGINAL TITLE: Different behavior of Regorus vs OPA for when invoking count

---- Original Description --- Regorus it is behaving differently for count(expr) in case that the expression to be evaluated is null or scalar. The OPA is doing evaluation like the expression is undefined but regorus evaluation fails with error.

Repro scenario:

Step 1: Create bug.rego file with following content

package test
import rego.v1

foo := input.a

some_id := {
    "count_value": count(foo) > 2,
}

Step 2: Create bug.json file with following content

{
    "a":null
}

Step 3: run command below (assuming you already run cargo install --example regorus --path .

./target/release/examples/regorus eval -d ./bug.rego -i ./bug.json data.test

The output is

Error:
--> ./bug.rego:7:26
  |
7 |     "count_value": count(foo) > 2,
  |                          ^
error: `count` requires array/object/set/string argument. Got `null`.

However, if you go to the https://play.openpolicyagent.org/ and fill in the content of the bug.rego into the input the content of bug.json and click Evaluate, you'll get following output

{
    "foo": null
}

Is it possible to change the regorus so the evaluation output to be similar to OPA evaluation?

unexge commented 4 months ago

Seems like this is related to Regorus enabling strict built-in errors by default. If you pass --non-strict it works:

$ ./target/release/examples/regorus eval -d examples/bug.rego -i ./examples/bug.json data.test --non-strict
{
  "result": [
    {
      "expressions": [
        {
          "value": {
            "foo": null,
            "some_id": {
              "count_value": "<undefined>"
            }
          },
          "text": "data.test",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}

And you also get same error on OPA Playground if you enable strict built-in errors by via "Options > Built-in Error Behaviour > Strict".

anakrish commented 4 months ago

Thanks for reporting this, @balcanuc. As @unexge pointed out, Regorus defaults to strict evaluation - raising errors in many scenarios. Using the non-strict mode would suppress the errors and generate undefined instead, just like OPA.

I noticed in the output supplied by @unexge that "undefined" has propagated into the object instead of making the object expression itself undefined. This is a bug.

anakrish commented 4 months ago

@balcanuc A note about strict mode. OPA is moving towards their v1 release which will introduce many breaking changes. See https://www.openpolicyagent.org/docs/latest/policy-language/#the-regov1-import.

most Strict mode constraints and checks are implied and enforced. See the strict mode constraints and checks table for details.

Examples such as yours might error out by default in OPA v1.