Arbitrary vars in rule refs

[johanfylling]

This PR adds the possibility to declare rules with variables at arbitrary locations int the ref; e.g.

package example

p[q].r[s] := 42 { q := "foo"; s := "bar" }

By default, the compiler won't allow rule refs to have vars in any other position than the last term; to enable general rule refs, set the OPA_ENABLE_GENERAL_RULE_REFS env var (any value). (is this the best way to do this, or do we have precedence of other ways of setting feature flags?)

Not included in this PR:

• Feature flag to enable/disable
• Partial eval
• Planner implementation
• Type-checker update
• Language definition update in docs
• fmt

[netlify]

✅ Deploy Preview for openpolicyagent ready!

Name	Link
🔨 Latest commit	ebf1503
🔍 Latest deploy log	https://app.netlify.com/sites/openpolicyagent/deploys/64f067600cca9e00073f7213
😎 Deploy Preview	https://deploy-preview-5913--openpolicyagent.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[srenatus]

Huh interesting 💡 yeah, why not. We might throw in a _WIP_

[srenatus]

Started looking at it. Still much ground to cover on my side 🔍

[srenatus]

Sorry it took me so long to get back to this. Some comments and questions inside

[srenatus]

💭 treating the environment as a global variable is better avoided, but if we can keep this as a short-term stop-gap, it's probably OK.

[johanfylling]

This is temporary, and will be removed once general refs are feature complete. Hopefully soon 🤞. I'm open to improve this if it's too much of an eyesore, though 😅 .

[srenatus]

When? 😅

[johanfylling]

This has been solved in the type-checker update I have lined up: johanfylling/opa@jf/5685/multi-var-rule-refs...generic_refs/type-check

[srenatus]

Maybe quotes help?

Suggested change

	# query: i := ["foo", "bar"][_]; data.test.p.q[i].s = x
	# query: 'i := ["foo", "bar"][_]; data.test.p.q[i].s = x'

Alternatively, you could query data.test.q and add

q = x {
    i := ["foo", "bar"][_]
    p.q[i].s = x
}

[johanfylling]

Hm, looking at this again, I actually get a result with the expected parameters, but with some added "stuff":

{{"$0": 0, "__localq0__": ["foo", "bar"], "i": "foo", "x": 1}, {"$0": 1, "__localq0__": ["foo", "bar"], "i": "bar", "x": 2}}

If I change the query to data.test.p.q[i].s = x, I get a good result:

{{"i": "bar", "x": 2}, {"i": "foo", "x": 1}}

Is this expected, or perhaps an unwanted side effect of my changes 🤔 ? Will try a similar thing on main.

[johanfylling]

main exhibit the same behavior. Running opa eval does not output bindings for $0 and __localq0__; so maybe this is a side effect of how the test works?

[srenatus]

Those should never make it out, I think; but opa eval might have some extra code to filter them. Or maybe that was the rego package, https://github.com/open-policy-agent/opa/blob/main/rego/rego.go#L2166-L2168

[srenatus]

So if they don't have the same length, but overlap, we'd accept that?

data.foo.bar = data.foo[x].z

we'd add x = "bar" to the bindings and go on?

But I might be missing something here, I haven't fully understood the topdown change yet.

[johanfylling]

We're simply binding any possibly known vars in a rule's ref before evaluating its body.

If data.foo.bar == data.foo.bar.z then I'd expect your snipped should evaluate. (is that even possible, though? 😵‍💫)

This is an interesting case to test for, though; hadn't thought about it from this angle before 🤔.

Perhaps a bit hacky test, but this should trigger this scenario:

package unification

p := i {
    foo.bar.x.y = foo[i].z
}

foo[a][b] := c {
    a := "bar"
    c := {
        "x": {
            "y": 42
        },
        "z": 42
    }[b]
}

$ OPA_ENABLE_GENERAL_RULE_REFS=true opa eval -d . 'data.unification.p'

[johanfylling]

Or am I completely misunderstanding you?

[srenatus]

What's up with these? Do they not work yet; or have they been subsumed by the tests above...? 🤔

[johanfylling]

Ah, I missed un-commenting those. Fixed 👍 .

[srenatus]

Given that generic ref head rules are the more general case, you might expect that the base case (below) is also covered by what's added above -- is that so? Or what am I missing?

[johanfylling]

I think you're right. These two branches should be possible to merge into one; given that there is no performance benefit to keeping them separate.

I think it's around here PE is breaking down too; so I'll dig around here a bit to see what improvements are necessary + possible.

[johanfylling]

It's even a bit broken as-is, given that this should be in an elseblock 😅 . I think this rule unification just won't contribute any data in applicable cases, so the result ends up being correct; but we're doing unnecessary work 🤔 .
Scratch that; I'm not even reading my own code right 😄 .

[srenatus]

Checked the commits since last week, only had a few questions. It's great to see this progress 🚀

[srenatus]

This looks so wrong but h and j could be rules defined somewhere in the package, right? 😅 (Not that it matters for formatting)

[johanfylling]

True, this isn't internally consistent; but it's valid Rego, and for this rule we're more interested to see what the formatter does with the redundant { true } body.

[ashutosh-narkar]

Left from testing probably.

[johanfylling]

Oops, yea 🤦‍♂️ 😄

[srenatus]

Nitpicks only. Yay, can't wait to get this in. Thanks for the hard work; it's like a summer project 😎

[srenatus]

📝 took me a moment to understand this, but I had overlooked that it's p.q[r].b = 42 and not p.q[r] = 42. So, the extra S keys would (could) be "a", "b", "c". ✔️

[srenatus]

I was wondering about the name for a moment, but I think it's OK. We've got another example here, FWIW.

[johanfylling]

Ah, I'll change this to EXPERIMENTAL_GENERAL_RULE_REFS, to align 👍 .

[srenatus]

Let's throw in an if here and below