open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

Bundle validation rejects unzipped wasm bundles #3048

Open tsandall opened 3 years ago

tsandall commented 3 years ago

The wasm entrypoint validation rejects unzipped bundles because the manifest is written w/ absolute filepaths:

A bundle containing a single file (x.rego):

$ cat x.rego
package foo

p = 7

Build the bundle:

$ opa build -t wasm -e foo/p x.rego

Unzip the bundle:

$ tar xzvf ../bundle.tar.gz
tar: Removing leading `/' from member names
/data.json
/x.rego
/policy.wasm
/policy.wasm <--- unclear why archive has same file twice
/.manifest

Attempt to run inside the directory where the bundle was unzipped to:

$ opa run -b .
error: load error: bundle .: manifest references wasm module '/policy.wasm' but the module file does not exist

Inspecting the manifest reveals the problem:

$ cat .manifest
{"revision":"","roots":[""],"wasm":[{"entrypoint":"foo/p","module":"/policy.wasm"}]}

It's unclear if we need to use absolute paths in the manifest. If not, we should avoid it so that bundles can be unzipped and run through the OPA toolchain without issue.

srenatus commented 3 years ago

Sideline: What version have you used there? The doubled policy.wasm should have been resolved by now (#3011).

srenatus commented 3 years ago

Some more data, from playing around:

Extracting the bundle into a directory "bndl", running opa run -b bndl will attempt to retrieve the wasm module from the location of the calling command. So,

srenatus commented 3 years ago

I think it would make sense to interpret wasm module paths as relative to the bundle directory -- so "module":"/policy.wasm" in directory bndl refers to the policy.wasm in directory bndl. 💭
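
One way to implement the interpretation proposed in the comment above, as an added example that is not part of the thread and not OPA's own code: manifest module paths are resolved against the bundle directory, and a path that would climb out of it is rejected. The names `resolveModule` and `resolveManifest` are hypothetical; the manifest content and the directory name `bndl` are taken from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// manifest mirrors only the fields visible in the .manifest shown in the issue.
type manifest struct {
	Wasm []struct {
		Entrypoint string `json:"entrypoint"`
		Module     string `json:"module"`
	} `json:"wasm"`
}

// resolveModule (hypothetical helper) treats a leading "/" as the bundle root,
// not the filesystem root, and rejects paths that climb out of bundleDir.
func resolveModule(bundleDir, module string) (string, error) {
	rel := path.Clean(strings.TrimLeft(module, "/")) // manifest paths use "/"
	if rel == "." || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("wasm module %q is not a file inside the bundle", module)
	}
	return filepath.Join(bundleDir, filepath.FromSlash(rel)), nil
}

// resolveManifest maps each wasm entrypoint to its module file under bundleDir.
func resolveManifest(bundleDir string, raw []byte) (map[string]string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	out := make(map[string]string, len(m.Wasm))
	for _, w := range m.Wasm {
		p, err := resolveModule(bundleDir, w.Module)
		if err != nil {
			return nil, err
		}
		out[w.Entrypoint] = p
	}
	return out, nil
}

func main() {
	// Manifest content copied from the issue; "bndl" is the directory name used in the thread.
	raw := []byte(`{"revision":"","roots":[""],"wasm":[{"entrypoint":"foo/p","module":"/policy.wasm"}]}`)
	fmt.Println(resolveManifest("bndl", raw))
}
```

Rejecting `..` segments outright, instead of silently cleaning them away, keeps a hand-edited or untrusted manifest from pointing the loader at a file outside the unpacked bundle.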

stale[bot] commented 1 year ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.