search

open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0
9.56k stars 1.33k forks source link

WithPartialEval losses r.Runtime #6787

Open nkey0 opened 3 months ago

nkey0 commented 3 months ago

Version: 0.64.1

In practice it is not possible to use opa.runtime().env with partial eval.

This is a test to reproduce issue:

func TestPartialEvalLoosesRuntime(t *testing.T) {
    module := `
    package test
    x = opa.runtime()
    `

    noPartial, _ := rego.New(
        rego.Query("data.test.x"),
        rego.Runtime(ast.BooleanTerm(true)),
        rego.Module("", module),
        rego.Package("foo"),
    ).PrepareForEval(context.Background())

    partial, _ := rego.New(
        rego.Query("data.test.x"),
        rego.Runtime(ast.BooleanTerm(true)),
        rego.Module("", module),
        rego.Package("foo"),
    ).PrepareForEval(context.Background(), rego.WithPartialEval())

    rs1, _ := noPartial.Eval(context.Background())
    rs2, _ := partial.Eval(context.Background())

    if !rs1.Allowed() {
        t.Fatal()
    }
    if !rs2.Allowed() {
        t.Fatal()
    }
}
anderseknert commented 3 months ago

Hi there! and thanks for filing this issue.

I believe that's the case for all non-deterministic built-in functions: https://github.com/open-policy-agent/opa/blob/main/ast/builtins.go#L310

I remember some discussions about allowing these to be evaluated at compile time vs. eval time, but I don't remember the specifics. @srenatus, perhaps?

stale[bot] commented 2 months ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.