var x is unsafe

[kirk-patton]

I am finding that I can examine some variables and not others when I used the key binding OPA: Evaluate Selection.

example[t] {
	x := {"a":"b"}
	t := x
}

if x := {"a":"b"} is selected and OPA: Evaluate Selection is run, I get

// Found 1 result in 20.247µs using input.json as input.
[
  {
    "x": {
      "a": "b"
    }
  }
]

If t := x is selected and OPA: Evaluate Selection is run, I get
: rego_unsafe_var_error: var x is unsafe

If I select example[t], and OPA: Evaluate Selection is run, I get

[
  [
    [
      {
        "a": "b"
      }
    ]
  ]
]

I don't understand why I get the var is unsafe message. Is this a bug?

[tsandall]

When you select expressions inside of VS Code and run OPA: Evaluate Selection, the VS Code plugin is running a query against the policy. For example, if you select x := {"a": "b"} and evaluate it, the plugin essentially runs...

opa eval -b <workspace-dir> 'x := {"a": "b"}'

And then it prints the result.

In this case, the query is x := {"a": "b"}. That query is syntactically and semantically valid. On the other hand, if you only select t := x while syntactically valid, it's not semantically valid as there's no assignment to the variable x (which makes it unsafe). See https://www.openpolicyagent.org/docs/latest/faq/#safety for more info on the safety concept.

As you discovered you can select individual expressions as well as rule names. You can also select multiple expressions. If you select both lines in the rule body, the query should evaluate. In that case, the equivalent opa eval invocation would be (essentially):

opa eval -b <workspace-dir> 'x := {"a": "b"}; t := x'

Hope this helps!