search

open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0
9.31k stars 1.29k forks source link

Running `inspect` on a WASM bundle fails if the bundle contains an annotation with the `related_resources` metadata field #6770

Open dxh9845 opened 1 month ago

dxh9845 commented 1 month ago

Short description

Running opa inspect on a built WASM bundle that has the following related_resources annotation:

package main

import data.meta.foo

# METADATA
# entrypoint: true
# related_resources:
#  - ref: https://google.com
#    description: Some description
zone_alias := foo

Will fail with the following message:

error: bundle bundle.tar.gz: bundle load failed on manifest decode: json: cannot unmarshal string into Go struct field RelatedResourceAnnotation.wasm.annotations.related_resources.ref of type url.URL

Steps To Reproduce

  1. Clone the following repo: https://github.com/dxh9845/opa-broken-wasm-build-poc/tree/dherzig/broken-annotations 
    git clone https://github.com/dxh9845/opa-broken-wasm-build-poc.git
  2. Checkout the branch containing the broken behavior: 
    git checkout dherzig/broken-annotations
  3. Run make fail to build the bundle and see the failure: 
    make fail

Expected behavior

OPA can inspect the built WASM bundle without an error.

Additional context

This works for OPA packages built for rego. However, the WASM implementation seemingly cannot handle

anderseknert commented 1 month ago

Thanks for reporting this 👍 I haven't looked into it, but it sounds somewhat related to #6529 ... at least in how they both relate to a different compilation mode messing with metadata annotations. Have you had a chance to look at the files in the bundle?

dxh9845 commented 1 month ago

Here you go:

Bundle contents

manifest.json

{
    "revision": "",
    "roots": [
        "main",
        "meta",
        "some_data"
    ],
    "wasm": [
        {
            "entrypoint": "main/zone_alias",
            "module": "/policy.wasm",
            "annotations": [
                {
                    "entrypoint": true,
                    "related_resources": [
                        {
                            "description": "Some description",
                            "ref": "https://google.com"
                        }
                    ],
                    "scope": "rule"
                }
            ]
        },
        {
            "entrypoint": "meta/foo",
            "module": "/policy.wasm",
            "annotations": [
                {
                    "entrypoint": true,
                    "scope": "rule"
                }
            ]
        }
    ]
}

bundle/main.rego

package main

import data.main.zone_alias

import data.meta.foo
anderseknert commented 1 month ago

Ah, thanks! No, this looks like a different issue then, as the metadata annotation is in the manifest. And hopefully easier to resolve 🙂

stale[bot] commented 3 days ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.