Partial evaluation incorrectly evaluates case (true OR undefined) when using default values #7512
Comments
|
Thanks for the write-up! To make it easier to grok the output, I've run it with with defaults without defaults Since these are two different policies, we can't expect the same results. However, let's have a look at the case _with defaults, and what a full eval would give us:
So this looks like the basic invariant of PE is not invalidated: full eval with the combined input is the same as PE + subsequent full eval with the previously unknown input. Now, it's annoying to deal with default rules in PE results, I know that. #1418 is going to improve that. Do you think there's anything here going beyond what that issue describes? |
|
@srenatus thank you for the answer! First of all, the policies in my issue actually can be rewritten as one policy. Also, in order to reproduce the issue we do not need any defined value - just the undefined one. So, the policy would be written as: package main
default allow := false
allow := true
allow if {
input.undefined
}Secondly, I'm not sure that #1418 is related to the current issue directly, because when implemented it should inline default values if the other rules fail, which is not the case here. |
|
To put it simply, to convince me that there's a bug here, this is what is needed: A set of inputs, where one part is known and the other unknown, such that
From my pen and paper exercise above, that isn't the case here. Have I been missing something? |
|
Yes, you're correct so I think we can say calling this issue a bug was a misidentification. It is better to say that we have some sort of inconvenience of PE usage, because of this issue in cases when we could use only PE to achieve our goals, we have to use both PE and full eval (e.g. to build filtering upon PE and decide if we even need to apply any filters; to check if query could be satisfied only using partial input). So I would label this as By saying that #1418 is not related to this issue I meant that improving default values inlining not necessarily will improve and resolve current case |
Short description
OPA version -
1.30.0Example policies:
main.rego
support.rego
input.json
{"defined": true}CLI command:
Output:
{ "partial": { "queries": [ [ { "index": 0, "terms": { "type": "ref", "value": [ { "type": "var", "value": "data" }, { "type": "string", "value": "partial" }, { "type": "string", "value": "support" }, { "type": "string", "value": "allow" } ] } } ] ], "modules": [ { "package": { "path": [ { "type": "var", "value": "data" }, { "type": "string", "value": "partial" }, { "type": "string", "value": "support" } ] }, "rules": [ { "body": [ { "index": 0, "terms": { "type": "boolean", "value": true } } ], "default": true, "head": { "name": "allow", "value": { "type": "boolean", "value": false }, "ref": [ { "type": "var", "value": "allow" } ] } }, { "body": [ { "index": 0, "terms": { "type": "boolean", "value": true } } ], "head": { "name": "allow", "value": { "type": "boolean", "value": true }, "ref": [ { "type": "var", "value": "allow" } ] } }, { "body": [ { "index": 0, "terms": { "type": "ref", "value": [ { "type": "var", "value": "input" }, { "type": "string", "value": "undefined" } ] } } ], "head": { "name": "allow", "value": { "type": "boolean", "value": true }, "ref": [ { "type": "var", "value": "allow" } ] } } ] } ] } }Expecting to have an empty query in the output list (indicating that query can be already evaluated), but it does not appear. Also one of modules contains rule
allow := true if { true }, which could be propagated to the whole output, resulting in empty query.N.B: if we remove defaults from the policies, the output is correct:
main.rego
support.rego
CLI output
{ "partial": { "queries": [ [], [ { "index": 0, "terms": { "type": "ref", "value": [ { "type": "var", "value": "input" }, { "type": "string", "value": "undefined" } ] } } ] ] } }Expected behavior
Additional context
The text was updated successfully, but these errors were encountered: