fix: returns error with illegal args with unknowns flag (#7127)

[kd-labs]

Why the changes in this PR are needed?

• This fixes opa eval: panic when given bad input for --unknowns #7127 when multiple unknowns are passed as array to unknowns flag

What are the changes in this PR?

• We are doing a regex match for the presence of array in the argument passed to unknowns flag. If it matches with array then we return error.

Notes to assist PR review:

Further comments:

[srenatus]

Thanks for looking into this! It's got the right shape, I'm just wondering if we could attempt to parse the argument, to have exactly the same guards as would happen later on 🤔 Would you be up for trying this approach?

Thanks again for contributing. 🎉

[srenatus]

I wonder if we can attempt to parse it using ast.ParseTerm, like

t, err := ast.ParseTerm(unknwn)
if err != nil { ... }

and then check t.Value's type, like

switch t.Value.(type) {
case ast.Ref: // OK
default:
  return errors.New(errIllegalUnknownsArg.Error())
}

That way, we should be able to capture more illegal inputs than using the regexp. For example, proficient rego users could attempt to pass a set of things like {data.unknown, input.foobar} using {..} which isn't captured by the regular expression.

[kd-labs]

sure...will look into it

[kd-labs]

done

[srenatus]

Thank you! Just one small ask for the tests. This is a nice contribution 👏

[srenatus]

Please, could you add cases for these?

• input
• input.users
  just to be sure that it'll all end up a ref.

[kd-labs]

I've made the required changes in the test cases. could you plz review

[srenatus]

Hmm. Can't we simplify this? 🤔

Suggested change

	return errors.New(errIllegalUnknownsArg.Error())
	return errIllegalUnknownsArg

[kd-labs]

done

[srenatus]

[nit]

Suggested change

	//* check if illegal arguments is passed with unknowns flag
	// check if illegal arguments is passed with unknowns flag

[kd-labs]

done

[srenatus]

LGTM thanks!