open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

panic during partial evaluation of an expression #1132

Closed liorlevtov closed 5 years ago

liorlevtov commented 5 years ago

Expected Behavior

not panic

Actual Behavior

panic

Steps to Reproduce the Problem

1. ./opa_darwin_amd64 eval -f pretty -d bundles/local_bundle.tar.gz --explain=full --metrics -i /Users/liorlevtov/1.json -u input 'data.lum_idlocal.evaluator.access[]' -p

Additional Info

local_bundle.tar.gz 1.json.zip

./opa_darwin_amd64 eval -f pretty -d bundles/local_bundle.tar.gz --explain=full --metrics -i /Users/liorlevtov/1.json -u input 'data.lum_idlocal.evaluator.access[]' -p

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x140ab1f]


v0.10.2

tsandall commented 5 years ago

I've reviewed the policy and found a bug in the semantic checks in the compiler. One of the semantic checks asserts that all function references are applied (because the evaluation engine doesn't support these). E.g., if you have a function f(x) { x == 1 } then f(1) and f(2) are OK but just f is not.

In the attached policy, the condition_map contains references to functions in the module (to perform what appears to be dynamic dispatch):

condition_map = {
  "9622565997022192867": cond_9622565997022192867,
  "2483101345549640966": cond_2483101345549640966
}

The problem is that the compiler is not catching these references to functions that are embedded within composites (objects, arrays, etc.). As a result, the policy compiles, but when the evaluation engine encounters the reference condition_map[rule.Hash](rule) it panics because the rule index returns an empty result (which should not be possible).

I'm going to submit a PR that fixes the semantic check to catch the case above; however, that's going to break the policy. I think that's the best immediate path forward--however, we can revisit it in the future.

In the short term, if you do need this kind of dispatch mechanism, an alternative would be to encode the condition ID in the function signature:

condition_func("9622565997022192867", rule) {
  # ...
}

condition_func("2483101345549640966", rule) {
  # ...
}

And then invoke it:

condition_func(rule.Hash, rule)
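
A simplified model of the semantic check discussed in the comment above, added here as an illustration and not taken from OPA's compiler: the `Term` type, `shallowCheck` and `deepCheck` are hypothetical, and the sample policy is constructed from the `condition_map` shown on this page. It shows why a check that inspects only top-level terms accepts function references embedded in composites, while a recursive walk rejects them before evaluation.

```go
package main

import "fmt"

// Kind tags the nodes of a toy policy AST (hypothetical; not OPA's ast package).
type Kind int

const (
	Ref    Kind = iota // bare reference to a name, e.g. cond_1
	Call               // applied function, e.g. f(x); Children are the arguments
	Object             // composite; Children are the values
	Array              // composite; Children are the elements
)

type Term struct {
	Kind     Kind
	Name     string
	Children []*Term
}

// shallowCheck models the bug: it reports unapplied function references
// only when they appear as top-level terms.
func shallowCheck(funcs map[string]bool, terms []*Term) []string {
	var bad []string
	for _, t := range terms {
		if t.Kind == Ref && funcs[t.Name] {
			bad = append(bad, t.Name)
		}
	}
	return bad
}

// deepCheck walks every term, including values nested in composites and
// call arguments, so an embedded function reference is reported as well.
func deepCheck(funcs map[string]bool, terms []*Term) []string {
	var bad []string
	var walk func(t *Term)
	walk = func(t *Term) {
		if t.Kind == Ref && funcs[t.Name] {
			bad = append(bad, t.Name)
		}
		for _, c := range t.Children {
			walk(c)
		}
	}
	for _, t := range terms {
		walk(t)
	}
	return bad
}

// samplePolicy is constructed input: the condition_map object from the issue
// plus one properly applied call f(x), where x is not a function.
func samplePolicy() (map[string]bool, []*Term) {
	funcs := map[string]bool{"f": true, "cond_9622565997022192867": true, "cond_2483101345549640966": true}
	condMap := &Term{Kind: Object, Name: "condition_map", Children: []*Term{
		{Kind: Ref, Name: "cond_9622565997022192867"},
		{Kind: Ref, Name: "cond_2483101345549640966"},
	}}
	call := &Term{Kind: Call, Name: "f", Children: []*Term{{Kind: Ref, Name: "x"}}}
	return funcs, []*Term{condMap, call}
}

func main() {
	funcs, terms := samplePolicy()
	fmt.Println("shallow:", shallowCheck(funcs, terms)) // nothing reported
	fmt.Println("deep:   ", deepCheck(funcs, terms))    // both cond_* references
}
```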