Merge pull request #8 from ticketmaster/fix-opa-library-deps-paths

Correct context for generated files and transitive deps

Author: ffortier

examples/generated_files/BUILD.bazel

@@ -0,0 +1,13 @@
+load("@rules_opa//opa:defs.bzl", "opa_library")
+
+genrule(
+    name = "data",
+    outs = ["data.json"],
+    cmd = "echo '{\"hello\": \"world\"}' > $@",
+)
+
+opa_library(
+    name = "bundle",
+    data = [":data"],
+    deps = ["//examples/simple"],
+)

examples/simple/BUILD.bazel

@@ -1,18 +1,23 @@
-load("@rules_opa//opa:defs.bzl", "opa_check", "opa_eval_binary", "opa_library", "opa_test")
+load("@rules_opa//opa:defs.bzl", "opa_binary", "opa_check", "opa_eval_binary", "opa_library", "opa_test")
 
 opa_library(
     name = "simple",
     srcs = ["main.rego"],
     data = ["data.json"],
     strip_prefix = package_name(),
+    visibility = ["//examples:__subpackages__"],
+)
+
+opa_binary(
+    name = "simple_bin",
+    deps = [":simple"],
 )
 
 opa_library(
     name = "simple_wasm",
     entrypoints = ["main/allow"],
     signing_alg = "HS256",
     signing_key = "mysecret",
-    strip_prefix = package_name(),
     target = "wasm",
     deps = [":simple"],
 )
@@ -21,7 +26,7 @@ opa_test(
     name = "simple_test",
     size = "small",
     srcs = ["main_test.rego"],
-    bundle = ":simple",
+    deps = [":simple"],
 )
 
 opa_check(
@@ -34,7 +39,7 @@ opa_check(
 
 opa_eval_binary(
     name = "check_bob",
-    bundle = ":simple",
     input = '{"name":"bob"}',
     query = "data.main.allow",
+    deps = [":simple"],
 )

examples/simple/main.rego

@@ -9,3 +9,5 @@ import future.keywords
 allow if {
 	input.name in data.admins
 }
+
+#

opa/defs.bzl

@@ -3,11 +3,13 @@ load("//opa/private:opa_library.bzl", _OpaInfo = "OpaInfo", _opa_library = "opa_
 load("//opa/private:opa_test.bzl", _opa_test = "opa_test")
 load("//opa/private:opa_check.bzl", _opa_check = "opa_check")
 load("//opa/private:opa_eval_binary.bzl", _opa_eval_binary = "opa_eval_binary")
+load("//opa/private:opa_binary.bzl", _opa_binary = "opa_binary")
 
 opa_toolchain = _opa_toolchain
 opa_library = _opa_library
 opa_test = _opa_test
 opa_check = _opa_check
 opa_eval_binary = _opa_eval_binary
+opa_binary = _opa_binary
 OpaInfo = _OpaInfo
 OpacInfo = _OpacInfo

opa/private/opa_binary.bzl

@@ -0,0 +1,36 @@
+load(":opa_library.bzl", "OpaInfo")
+
+def _opa_binary_impl(ctx):
+    toolchain = ctx.toolchains["//tools:toolchain_type"].opacinfo
+    binary_file = ctx.actions.declare_file("%s_binary.sh" % (ctx.label.name))
+
+    if len(ctx.attr.deps) != 1:
+        fail("opa_binary only allow a single deps")
+
+    bundle = ctx.attr.deps[0][OpaInfo].bundle
+
+    runfiles = ctx.runfiles(files = [toolchain.opa, bundle])
+
+    ctx.actions.write(
+        output = binary_file,
+        content = "%s run -b %s" % (toolchain.opa.short_path, bundle.short_path),
+        is_executable = True,
+    )
+
+    return [
+        DefaultInfo(
+            executable = binary_file,
+            runfiles = runfiles,
+        ),
+    ]
+
+opa_binary = rule(
+    implementation = _opa_binary_impl,
+    attrs = {
+        "deps": attr.label_list(
+            providers = [OpaInfo],
+        ),
+    },
+    executable = True,
+    toolchains = ["//tools:toolchain_type"],
+)

opa/private/opa_eval.sh.tpl

@@ -3,32 +3,34 @@ load(":opa_library.bzl", "OpaInfo")
 def _opa_eval_binary_impl(ctx):
     exec_file = ctx.actions.declare_file("%s_exec.sh" % (ctx.label.name))
     toolchain = ctx.toolchains["//tools:toolchain_type"].opacinfo
-    runfiles = ctx.runfiles(files = [toolchain.opa] + ctx.attr.bundle[OpaInfo].file_deps.to_list())
 
-    args = []
+    if len(ctx.attr.deps) != 1:
+        fail("opa_binary only allow a single deps")
+
+    bundle = ctx.attr.deps[0][OpaInfo].bundle
+
+    runfiles = ctx.runfiles(files = [toolchain.opa, bundle])
+
+    args = ["eval", "-b", bundle.short_path]
+    suffix = ""
 
     if ctx.attr.partial:
         args.append("--partial")
     if ctx.file.input_file:
         args.append("--input %s" % (ctx.file.input_file.short_path))
     if ctx.attr.input:
         args.append("--stdin-input")
+        suffix = "<< 'EOF'\n%s\nEOF" % (ctx.attr.input)
     if ctx.attr.unknowns:
         args.append("--unknowns %s" % (",".join(ctx.attr.unknowns)))
 
     args.append("--format=%s" % (ctx.attr.format))
     args.append(ctx.attr.query)
 
-    ctx.actions.expand_template(
+    ctx.actions.write(
         output = exec_file,
-        template = ctx.file._template,
+        content = "%s %s %s" % (toolchain.opa.short_path, " ".join(args), suffix),
         is_executable = True,
-        substitutions = {
-            "{OPA_SHORTPATH}": toolchain.opa.short_path,
-            "{STDIN}": ctx.attr.input,
-            "{STRIP_PREFIX}": ctx.attr.bundle[OpaInfo].strip_prefix,
-            "{ARGS}": " ".join(args),
-        },
     )
 
     return [
@@ -42,7 +44,7 @@ opa_eval_binary = rule(
     implementation = _opa_eval_binary_impl,
     executable = True,
     attrs = {
-        "bundle": attr.label(
+        "deps": attr.label_list(
             providers = [OpaInfo],
             mandatory = True,
             doc = "The bundle to evaluate",

opa/private/opa_eval_binary.bzl

@@ -1,6 +1,9 @@
-load("@bazel_skylib//lib:paths.bzl", "paths")
-
-OpaInfo = provider("opa", fields = ["bundle", "target", "file_deps", "strip_prefix"])
+OpaInfo = provider("opa", fields = {
+    "bundle": "The bundle file",
+    "target": "The bundle target (wasm, rego or plan)",
+    "file_deps": "A depset containing all the source files",
+    "file_aliases": "A flat list of all the files with their alias in the bundle",
+})
 
 def _opa_toolchain(ctx):
     return ctx.toolchains["//tools:toolchain_type"].opacinfo
@@ -40,53 +43,56 @@ def _run_opa_signer(ctx, bundle_file, signed_bundle_file):
         executable = ctx.executable._opa_signer,
     )
 
+def _file_alias(file, strip_prefix):
+    return "%s:%s" % (file.path, file.short_path.removeprefix(strip_prefix).removeprefix("/"))
+
 def _run_opa_build(ctx, bundle_file):
     toolchain = _opa_toolchain(ctx)
+    wd = ctx.actions.declare_directory("%s_work" % (ctx.label.name))
     args = ctx.actions.args()
 
-    strip_prefix = paths.normalize(ctx.attr.strip_prefix)
-    opa_relative_path = toolchain.opa.path
-    bundle_relative_path = bundle_file.path
+    srcs = ctx.files.srcs or []
+    data = ctx.files.data or []
+
+    file_aliases = [_file_alias(file, ctx.attr.strip_prefix or "") for file in srcs + data]
 
-    if strip_prefix != ".":
-        rel = [".." for _ in strip_prefix.split("/")]
-        opa_relative_path = paths.normalize("/".join(rel + [toolchain.opa.path]))
-        bundle_relative_path = paths.normalize("/".join(rel + [bundle_file.path]))
+    for dep in ctx.attr.deps:
+        file_aliases.extend(dep[OpaInfo].file_aliases)
 
-    args.add("build")
-    args.add("-t")
-    args.add(ctx.attr.target)
-    args.add("-o")
-    args.add("%s" % (bundle_relative_path))
+    args.add("-d").add(wd.path)
+    args.add("-o").add(bundle_file, format = "%s:bundle.tar.gz")
+    args.add("-i").add_all(file_aliases).add("--")
+    args.add(toolchain.opa).add("build")
+    args.add("-t").add(ctx.attr.target)
+    args.add("-o").add("bundle.tar.gz")
 
     if ctx.attr.optimize:
         args.add(ctx.attr.optimize, format = "--optimize=%s")
 
     for entrypoint in ctx.attr.entrypoints:
-        args.add(entrypoint, format = "-e %s")
+        args.add("-e").add(entrypoint)
 
     args.add(".")
 
-    srcs = ctx.files.srcs if ctx.files.srcs else []
-    data = ctx.files.data if ctx.files.data else []
-
-    ctx.actions.run_shell(
+    ctx.actions.run(
+        executable = ctx.executable._opa_ctx,
         inputs = depset(srcs + data, transitive = [d[OpaInfo].file_deps for d in ctx.attr.deps]),
-        outputs = [bundle_file],
+        outputs = [bundle_file, wd],
         arguments = [args],
         tools = [toolchain.opa],
         progress_message = "Bundling policies",
         mnemonic = "OpaBuild",
-        command = "cd %s && %s $@" % (strip_prefix, opa_relative_path),
     )
 
+    return file_aliases
+
 def _opa_library_impl(ctx):
     if ctx.attr.target == "wasm" and len(ctx.attr.entrypoints) == 0:
         fail("At least one entrypoint is required for a wasm target")
 
     bundle_file = ctx.actions.declare_file("%s.tar.gz" % (ctx.attr.name))
 
-    _run_opa_build(ctx, bundle_file)
+    file_aliases = _run_opa_build(ctx, bundle_file)
 
     output_files = [bundle_file]
 
@@ -97,13 +103,13 @@ def _opa_library_impl(ctx):
         _run_opa_signer(ctx, bundle_file, signed_bundle_file)
         output_files = [signed_bundle_file] + output_files
 
-    srcs = ctx.files.srcs if ctx.files.srcs else []
-    data = ctx.files.data if ctx.files.data else []
+    srcs = ctx.files.srcs or []
+    data = ctx.files.data or []
 
     return [
         OpaInfo(
             bundle = bundle_file,
-            strip_prefix = paths.normalize(ctx.attr.strip_prefix),
+            file_aliases = file_aliases,
             target = ctx.attr.target,
             file_deps = depset(srcs + data, transitive = [d[OpaInfo].file_deps for d in ctx.attr.deps]),
         ),
@@ -172,6 +178,11 @@ wasm    The wasm target emits a bundle containing a WebAssembly module compiled
             executable = True,
             cfg = "exec",
         ),
+        "_opa_ctx": attr.label(
+            default = "//tools:opa_ctx",
+            executable = True,
+            cfg = "exec",
+        ),
     },
     toolchains = ["//tools:toolchain_type"],
 )

opa/private/opa_library.bzl

@@ -2,18 +2,24 @@ load(":opa_library.bzl", "OpaInfo")
 
 def _opa_test_impl(ctx):
     toolchain = ctx.toolchains["//tools:toolchain_type"].opacinfo
-    tester_file = ctx.actions.declare_file("%s_tester.sh" % (ctx.label.name))
-    bundle = ctx.attr.bundle[OpaInfo]
-    runfiles = ctx.runfiles(files = ctx.files.srcs + [toolchain.opa] + bundle.file_deps.to_list())
+    test_file = ctx.actions.declare_file("%s_test.sh" % (ctx.label.name))
+
+    if len(ctx.attr.deps) != 1:
+        fail("opa_test only allow a single deps")
+
+    bundle = ctx.attr.deps[0][OpaInfo].bundle
+
+    runfiles = ctx.runfiles(files = [toolchain.opa, bundle] + ctx.files.srcs)
 
     ctx.actions.write(
-        output = tester_file,
-        content = "%s test -v %s" % (toolchain.opa.short_path, bundle.strip_prefix),
+        output = test_file,
+        content = "%s test %s %s" % (toolchain.opa.short_path, bundle.short_path, " ".join([f.short_path for f in ctx.files.srcs])),
+        is_executable = True,
     )
 
     return [
         DefaultInfo(
-            executable = tester_file,
+            executable = test_file,
             runfiles = runfiles,
         ),
     ]
@@ -27,7 +33,7 @@ opa_test = rule(
             mandatory = True,
             doc = "Rego files to test",
         ),
-        "bundle": attr.label(
+        "deps": attr.label_list(
             providers = [OpaInfo],
             doc = "The bundle to test",
         ),

opa/private/opa_test.bzl

@@ -33,9 +33,13 @@ opa_toolchain = rule(
         ),
         "opa_signer": attr.label(
             executable = True,
-            # allow_single_file = True,
-            mandatory = True,
             cfg = "exec",
+            default = "//tools:opa_signer",
+        ),
+        "opa_ctx": attr.label(
+            executable = True,
+            cfg = "exec",
+            default = "//tools:opa_ctx",
         ),
     },
 )