opa eval on windows uses drive letter as json object for the data document #4174

Closed
JimFicarra opened this issue Dec 29, 2021 · 4 comments

@JimFicarra

Short description

opa eval on Windows using absolute paths for the data files is consuming the drive letter as a JSON object. Looks related to #1505 but is happening at the command line directly, outside of any plugin. Worth noting that evals were producing undefined in the JetBrains OPA Plugin, which led to me troubleshooting this outside of the plugin/IDE and directly in the command line.

Oddly, the rego policy doesn't seem affected by this.

Windows 10 21H1 (OS Builds 19043.1415)
OPA version

Version: 0.35.0
Build Commit: a54537a
Build Timestamp: 2021-12-01T02:12:22Z
Build Hostname: 7fa65b633221
Go Version: go1.17.3
WebAssembly: available

Steps To Reproduce

Using the RBAC example from the rego playground:

  1. Place the data.json, policy.rego, input.json in a directory
  2. Execute the OPA eval (opa.exe in the path) with absolute paths to show the documents under data
c:\junk\opa2>opa.exe eval -f pretty -d c:\junk\opa2\data.json -d c:\junk\opa2\policy.rego -i c:\junk\opa2\input.json data

This yields:

{
  "app": {
    "rbac": {
      "allow": false,
      "user_is_granted": []
    }
  },
  "c": {
    "role_grants": {
      "billing": [
        {
          "action": "read",
          "type": "finance"
        },
        {
          "action": "update",
          "type": "finance"
        }
      ],
      "customer": [
        {
          "action": "read",
          "type": "dog"
        },
        {
          "action": "read",
          "type": "cat"
        },
        {
          "action": "adopt",
          "type": "dog"
        },
        {
          "action": "adopt",
          "type": "cat"
        }
      ],
      "employee": [
        {
          "action": "read",
          "type": "dog"
        },
        {
          "action": "read",
          "type": "cat"
        },
        {
          "action": "update",
          "type": "dog"
        },
        {
          "action": "update",
          "type": "cat"
        }
      ]
    },
    "user_roles": {
      "alice": [
        "admin"
      ],
      "bob": [
        "employee",
        "billing"
      ],
      "eve": [
        "customer"
      ]
    }
  }
}

As in #1505, the drive letter becomes an object in the JSON for the data document.

Expected behavior

I expect that the drive letter used in the absolute path is not parsed as a JSON object at the command line.

Additional context

It's worth noting that while the input and policy json files provided at the command line also use absolute pathing, they are not parsed with the drive letter as a json object.

Example of eval on input

c:\junk\opa2>opa.exe eval -f pretty -d c:\junk\opa2\data.json -d c:\junk\opa2\policy.rego -i c:\junk\opa2\input.json input
{
  "action": "read",
  "object": "id123",
  "type": "dog",
  "user": "alice"
}

Example of eval on policy namespace under the data document

c:\junk\opa2>opa.exe eval -f pretty -d c:\junk\opa2\data.json -d c:\junk\opa2\policy.rego -i c:\junk\opa2\input.json data.app
{
  "rbac": {
    "allow": false,
    "user_is_granted": []
  }
}

Workaround

Seems that referencing the documents with a path relative to the root of the current drive is a workaround

c:\junk\opa2>opa.exe eval -f pretty -d \junk\opa2\data.json -d \junk\opa2\policy.rego -i \junk\opa2\input.json data

yields

{
  "app": {
    "rbac": {
      "allow": true,
      "user_is_admin": true,
      "user_is_granted": []
    }
  },
  "role_grants": {
    "billing": [
      {
        "action": "read",
        "type": "finance"
      },
      {
        "action": "update",
        "type": "finance"
      }
    ],
    "customer": [
      {
        "action": "read",
        "type": "dog"
      },
      {
        "action": "read",
        "type": "cat"
      },
      {
        "action": "adopt",
        "type": "dog"
      },
      {
        "action": "adopt",
        "type": "cat"
      }
    ],
    "employee": [
      {
        "action": "read",
        "type": "dog"
      },
      {
        "action": "read",
        "type": "cat"
      },
      {
        "action": "update",
        "type": "dog"
      },
      {
        "action": "update",
        "type": "cat"
      }
    ]
  },
  "user_roles": {
    "alice": [
      "admin"
    ],
    "bob": [
      "employee",
      "billing"
    ],
    "eve": [
      "customer"
    ]
  }
}

This pathing from root also works in the JetBrains OPA Plugin

@JimFicarra JimFicarra added the bug label Dec 29, 2021
@JimFicarra
Author

JimFicarra commented Dec 29, 2021

Additional Note

I did a deeper review on #1505 - looks like using file:/// url is another workaround that the vscode plugin was modified to use, but it was stated that a subsequent release of opa was supposed to fix it, which I assume meant the exe to have the capability to properly parse the drive letter w/out making it part of the json object.

Or is opa.exe using file:/// url syntax supposed to be the permanent fix?

If so:

  • It's not super intuitive and is hard to troubleshoot w/out peeling back some layers to troubleshoot
  • I did not see it documented (had to find the bug reference and dig through the code)

@srenatus
Contributor

srenatus commented Jan 7, 2022

Heya, sorry for the radio silence.

Yeah it seems like there's some ambiguity here, and I don't see how it could be fixed, except for using file:// to disambiguate.

Where would you have expected this being documented...? 🤔 I wonder if we need a "specific to Windows" section in the docs, or something.

The code reference you've found is the help output of the eval command, i.e. what you see when you use opa eval --help. (#3915 would surface those in the website... it might actually be a good thing to do...)
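
The ambiguity discussed in this thread, as an added example that is not part of the original comments and not OPA's source: OPA accepts `<prefix>:<path>` for data files, so the colon after a drive letter can be read as a prefix separator. `splitPrefix` is a simplified, hypothetical model of that reading, and `toFileURL` is a hypothetical wrapper helper that applies the file:/// workaround before the argument reaches `opa`.

```go
package main

import (
	"fmt"
	"strings"
)

// splitPrefix models the "<prefix>:<path>" reading of a -d argument
// (simplified assumption, not OPA's source): text before the first colon
// is a dotted path under data, unless that colon begins "://".
func splitPrefix(arg string) ([]string, string) {
	i := strings.Index(arg, ":")
	if i <= 0 || strings.Index(arg, "://") == i {
		return nil, arg
	}
	return strings.Split(arg[:i], "."), arg[i+1:]
}

// toFileURL rewrites a Windows drive-letter path as a file:/// URL so the
// drive colon cannot be taken for a prefix separator. Other paths pass through.
func toFileURL(p string) string {
	if len(p) < 3 || p[1] != ':' || (p[2] != '\\' && p[2] != '/') {
		return p
	}
	if c := p[0] | 0x20; c < 'a' || c > 'z' {
		return p
	}
	return "file:///" + strings.ReplaceAll(p, `\`, "/")
}

func main() {
	// Constructed sample arguments, taken from the commands in the report.
	for _, arg := range []string{
		`c:\junk\opa2\data.json`,
		`\junk\opa2\data.json`,
		toFileURL(`c:\junk\opa2\data.json`),
	} {
		prefix, path := splitPrefix(arg)
		fmt.Printf("%-34s prefix=%v path=%s\n", arg, prefix, path)
	}
}
```

In the report above, the re-rooted data changed the decision itself (`allow` was false with the drive-letter path and true with the workaround), so a wrapper that normalizes paths this way also keeps policy results consistent across platforms.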

@stale

stale bot commented Feb 6, 2022

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.

@stale stale bot added the inactive label Feb 6, 2022
@srenatus
Contributor

The CLI docs are up. Let's close this, it's not clear how we can improve this in code. Feel free to reopen if you think otherwise. 😃
