regression: Using --set with null value no longer translates to empty object #3846

anderseknert · 2021-10-01T09:59:47Z

Expected Behavior

As documented, configuration attributes accepting empty objects as values, when set with command line args and --set, should translate null values into an empty object.

Actual Behavior

Setting object attributes to null assigns them an actual null value.

Steps to Reproduce the Problem

Set any value that accepts and empty object to null.

opa run -s --set "services.test.headers=null"

 curl -s localhost:8181/v1/config | jq
{
  "result": {
    "default_authorization_decision": "/system/authz/allow",
    "default_decision": "/system/main",
    "labels": {
      "id": "5bae0115-664d-4eaa-bdfe-f6f880e26568",
      "version": "0.33.0-dev"
    },
    "services": {
      "test": {
        "headers": null
      }
    }
  }
}

Note how headers is of type object and should not be "nullable".

A more serious problem is how this essentially breaks the AWS metadata credentials options when not using a config file:

opa run -s 
--set "services.local.url=http://localhost" 
--set "services.local.credentials.s3_signing.environment_credentials=null" 
--set "bundles.authz.service=local"

Results in:

"Bundle load failed: request failed: a AWS credential service must be specified when S3 signing is enabled

Which is a consequence of null being treated literally as nil:

	if ap.AWSEnvironmentCredentials == nil && ap.AWSWebIdentityCredentials == nil && ap.AWSMetadataCredentials == nil {
		return nil, errors.New("a AWS credential service must be specified when S3 signing is enabled")
	}

Additional Info

Reported by @Sulbigar here.

The text was updated successfully, but these errors were encountered:

This commit updates the parser for --set options to return empty struct as return value when null is specified. This is needed to set an empty object with the CLI overrides for a null typed value. Fixes: open-policy-agent#3846 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>

This commit updates the parser for --set options to return empty struct as return value when null is specified. This is needed to set an empty object with the CLI overrides for a null typed value. Fixes: #3846 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>

This commit updates the parser for --set options to return empty struct as return value when null is specified. This is needed to set an empty object with the CLI overrides for a null typed value. Fixes: open-policy-agent#3846 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com> Signed-off-by: Dolev Farhi <farhi.dolev@gmail.com>

anderseknert added the bug label Oct 1, 2021

ashutosh-narkar added the investigating Issues being actively investigated label Oct 4, 2021

ashutosh-narkar self-assigned this Oct 5, 2021

ashutosh-narkar mentioned this issue Oct 5, 2021

internal: Update the return value for typed value null #3862

Merged

ashutosh-narkar closed this as completed in #3862 Oct 6, 2021

ashutosh-narkar added this to Open Policy Agent Aug 5, 2024

ashutosh-narkar moved this to Done in Open Policy Agent Aug 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

regression: Using --set with null value no longer translates to empty object #3846

regression: Using --set with null value no longer translates to empty object #3846

anderseknert commented Oct 1, 2021

regression: Using --set with null value no longer translates to empty object #3846

regression: Using --set with null value no longer translates to empty object #3846

Comments

anderseknert commented Oct 1, 2021

Expected Behavior

Actual Behavior

Steps to Reproduce the Problem

Additional Info