open-policy-agent
Issue with naming convention of modules when activating bundles
Short description
Ref. https://openpolicyagent.slack.com/archives/CBR63TK2A/p1658915694205819
When OPA is activating a delta bundle there is an issue with naming/id of modules when compileModules is run here: https://github.com/open-policy-agent/opa/blob/cbfdcba53aee3764d50f994b1bfbe7cbb84005c6/bundle/store.go#L770
There is a difference between the keys in compiler.Moduels and extraModules even though the policies and paths are the same. This is caused by an issue in https://github.com/open-policy-agent/opa/blob/cbfdcba53aee3764d50f994b1bfbe7cbb84005c6/storage/disk/disk.go#L295 and https://github.com/open-policy-agent/opa/blob/cbfdcba53aee3764d50f994b1bfbe7cbb84005c6/storage/disk/disk.go#L310 Update.Path.String() will create the module name that is prefixed with / while all other modules will not.
Example:
bundle/policy/a.rego
/bundle/policy/a.rego
These policies should refer to the same but when it is compiled the new policy at path [bundly policy a]
will go from this
package foo
default allow = false
allow {
...
}
to something like this
package foo
default allow = false
allow {
...
}
default allow = false
allow {
...
}
This will cause Bundle activation failed: ... rego_type_error: rego_type_error: multiple default rules named allow found ... when activating the delta bundle.
This can be seen in TestDeltaBundleLazyModeLifecycleDiskStorage and changing https://github.com/open-policy-agent/opa/blob/cbfdcba53aee3764d50f994b1bfbe7cbb84005c6/bundle/store_test.go#L1425 to
mod1 := "package a\n default p = true"
which will break the test
Bug introduced by https://github.com/open-policy-agent/opa/commit/f60dfafa1b072c0504349e77f8a9abf89f195f09, and is apparent from OPA versions 0.42.x
Found a fix and will shortly create a PR
