go-opa-validate

go-opa-validate is an open-source Go library that evaluates an OPA (Open Policy Agent) Rego policy against JSON or YAML input data. OPA is embedded as a Go module (github.com/open-policy-agent/opa), so evaluation happens in-process and no OPA server or HTTP API is involved.

Installation

go get github.com/chen-keinan/go-opa-validate

Usage

Both JSON and YAML input documents are supported; the document becomes `input` inside the policy.

JSON data example: data.json

{
  "kind": "AdmissionReview",
  "request": {
    "kind": {
      "kind": "Pod",
      "version": "v1"
    },
    "object": {
      "metadata": {
        "name": "myapp"
      },
      "spec": {
        "containers": [
          {
            "image": "hooli.com/mysql",
            "name": "mysql-backend"
          }
        ]
      }
    }
  }
}

OPA policy example: denyPolicy

package example

# deny is false unless one of the rule bodies below succeeds
default deny = false

# Deny a Pod admission request when any container image is not pulled from
# the hooli.com registry. Only spec.containers is inspected: initContainers
# and ephemeralContainers also run images and are not covered by this rule.
deny {
	some i
	input.request.kind.kind == "Pod"
	image := input.request.object.spec.containers[i].image
	not startswith(image, "hooli.com/")
}

With the data.json above the only image is hooli.com/mysql, so example.deny evaluates to false; change the image to, say, docker.io/mysql and it evaluates to true. The trailing slash in "hooli.com/" matters: without it, an image hosted on hooli.com.evil.example would pass the prefix check. This is pre-1.0 Rego syntax, which the pinned OPA 0.4x releases accept; OPA 1.0 requires the `if` keyword on rule bodies.

Full code example

package main

import (
	"fmt"
	"os"

	"github.com/chen-keinan/go-opa-validate/validator"
)

func main() {
	// Input document (JSON or YAML); it becomes `input` inside the policy.
	data, err := os.ReadFile("./example/data.json")
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	// Rego policy source.
	policy, err := os.ReadFile("./example/denyPolicy")
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	// Evaluate the example.deny rule of the policy against the data.
	validateResult, err := validator.NewPolicyEval().EvaluatePolicy([]string{"example.deny"}, string(policy), string(data))
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	// Guard both slices before indexing so an empty result cannot panic.
	if len(validateResult) > 0 && len(validateResult[0].ExpressionValue) > 0 {
		ev := validateResult[0].ExpressionValue[0]
		fmt.Printf("eval result for property %v with value %v\n", ev.Text, ev.Value)
	}
}
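The Rego rule above walks only spec.containers. As an added example (written for this page, not code from go-opa-validate or its README), the stdlib-only Go program below applies the same registry check to the README's data.json and to a constructed request that hides an off-registry image in an initContainer, also covering ephemeralContainers, and fails closed on malformed input. The Deny function, the AdmissionReview struct and both sample documents are assumptions made for the example; it does not call OPA, so it shows what the policy decides, not how the library evaluates it.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Container holds the only container fields the check reads.
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

// AdmissionReview models just the parts of the request the check needs
// (assumed shape, matching the README's data.json). initContainers and
// ephemeralContainers are included on purpose: they also pull and run
// images, and the page's Rego rule does not look at them.
type AdmissionReview struct {
	Kind    string `json:"kind"`
	Request struct {
		Kind struct {
			Kind    string `json:"kind"`
			Version string `json:"version"`
		} `json:"kind"`
		Object struct {
			Metadata struct {
				Name string `json:"name"`
			} `json:"metadata"`
			Spec struct {
				Containers          []Container `json:"containers"`
				InitContainers      []Container `json:"initContainers"`
				EphemeralContainers []Container `json:"ephemeralContainers"`
			} `json:"spec"`
		} `json:"object"`
	} `json:"request"`
}

// Deny reports whether the admission request must be rejected, plus the
// offending images for the denial message. Like the Rego rule it applies
// only to Pod requests and rejects any image whose name does not start with
// allowedPrefix. Unlike the Rego rule, a container whose image key is absent
// is rejected (its Image is "") instead of leaving the rule body undefined,
// and malformed input is an error the caller should treat as a denial.
func Deny(review []byte, allowedPrefix string) (bool, []string, error) {
	// Require the trailing slash: "hooli.com" alone would also accept
	// images hosted on hooli.com.evil.example.
	if !strings.HasSuffix(allowedPrefix, "/") {
		return true, nil, errors.New("allowedPrefix must end with '/' to pin the registry")
	}
	var ar AdmissionReview
	if err := json.Unmarshal(review, &ar); err != nil {
		return true, nil, fmt.Errorf("parse AdmissionReview: %w", err)
	}
	if ar.Request.Kind.Kind != "Pod" {
		return false, nil, nil
	}
	spec := ar.Request.Object.Spec
	var offending []string
	for _, list := range [][]Container{spec.Containers, spec.InitContainers, spec.EphemeralContainers} {
		for _, c := range list {
			if !strings.HasPrefix(c.Image, allowedPrefix) {
				offending = append(offending, c.Image)
			}
		}
	}
	return len(offending) > 0, offending, nil
}

// Constructed sample requests (not captured from a cluster). The first is the
// README's data.json; the second hides an off-registry image in an initContainer.
const allowedReview = `{"kind":"AdmissionReview","request":{"kind":{"kind":"Pod","version":"v1"},
"object":{"metadata":{"name":"myapp"},"spec":{"containers":[
{"image":"hooli.com/mysql","name":"mysql-backend"}]}}}}`

const initContainerReview = `{"kind":"AdmissionReview","request":{"kind":{"kind":"Pod","version":"v1"},
"object":{"metadata":{"name":"myapp"},"spec":{
"initContainers":[{"image":"docker.io/library/busybox:1.36","name":"setup"}],
"containers":[{"image":"hooli.com/mysql","name":"mysql-backend"}]}}}}`

func main() {
	for name, in := range map[string]string{"allowed": allowedReview, "initContainer": initContainerReview} {
		denied, offending, err := Deny([]byte(in), "hooli.com/")
		if err != nil {
			fmt.Printf("%s: error: %v (deny)\n", name, err)
			continue
		}
		fmt.Printf("%s: deny=%v offending=%v\n", name, denied, offending)
	}
}
```

Running it prints deny=false for the README's document and deny=true with the busybox image listed for the second one; the same second document passes the page's Rego rule unchanged, which is the gap an admission policy author should close.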

Contribution

Code contributions are welcome! Contributions with passing tests and linter are more than welcome :)

Owner
chenk
open-source enthusiast, coder, passionate about technology and delivering secure software
Comments
  • chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.3

    Bumps github.com/open-policy-agent/opa from 0.46.1 to 0.47.3.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.47.3

    This is a bug fix release addressing an issue that prevented OPA from fetching bundles stored in S3 buckets.

    • providers/aws: Refactor + fix 2x Authorization header append issue. (#5472)

    v0.47.2

    This is a second security fix to address CVE-2022-41717/GO-2022-1144.

    We previously believed that upgrading the Golang version and its stdlib would be sufficient to address the problem. It turns out we also need to bump the x/net dependency to v0.4.0, a version that hadn't existed when v0.46.2 was released.

    This release bumps the golang.org/x/net dependency to v0.4.0, and contains no other changes over v0.46.2.

    Note that the affected code is OPA's HTTP server. So if you're using OPA as a Golang library, or if you're confident that your OPA's HTTP interface is protected by other means (as it should be -- not exposed to the public internet), you're OK.

    v0.47.1

    This is a bug fix release addressing two issues: one security issue, and one bug related to formatting backwards-compatibility.

    Golang security fix CVE-2022-41717

    An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.

    Since we advise against running an OPA service exposed to the general public of the internet, potential attackers would be limited to people that are already capable of sending direct requests to the OPA service.

    opa fmt and backwards compatibility (#5449)

    In v0.46.1, it was possible that opa fmt would format a rule in such a way that:

    1. Before formatting, it was working fine with older OPA versions, and
    2. after formatting, it would only work with OPA version >= 0.46.1.

    This backwards incompatibility wasn't intended, and has now been fixed.

    v0.47.0

    This release contains a mix of bugfixes, optimizations, and new features.

    New Built-in Function: object.keys

    It is now possible to conveniently retrieve an object's keys via a built-in function.

    Before, you had to resort to constructs like

    ... (truncated)

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.2

    Bumps github.com/open-policy-agent/opa from 0.46.1 to 0.47.2.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.47.2

    This is a second security fix to address CVE-2022-41717/GO-2022-1144.

    We previously believed that upgrading the Golang version and its stdlib would be sufficient to address the problem. It turns out we also need to bump the x/net dependency to v0.4.0, a version that hadn't existed when v0.46.2 was released.

    This release bumps the golang.org/x/net dependency to v0.4.0, and contains no other changes over v0.46.2.

    Note that the affected code is OPA's HTTP server. So if you're using OPA as a Golang library, or if you're confident that your OPA's HTTP interface is protected by other means (as it should be -- not exposed to the public internet), you're OK.

    v0.47.1

    This is a bug fix release addressing two issues: one security issue, and one bug related to formatting backwards-compatibility.

    Golang security fix CVE-2022-41717

    An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.

    Since we advise against running an OPA service exposed to the general public of the internet, potential attackers would be limited to people that are already capable of sending direct requests to the OPA service.

    opa fmt and backwards compatibility (#5449)

    In v0.46.1, it was possible that opa fmt would format a rule in such a way that:

    1. Before formatting, it was working fine with older OPA versions, and
    2. after formatting, it would only work with OPA version >= 0.46.1.

    This backwards incompatibility wasn't intended, and has now been fixed.

    v0.47.0

    This release contains a mix of bugfixes, optimizations, and new features.

    New Built-in Function: object.keys

    It is now possible to conveniently retrieve an object's keys via a built-in function.

    Before, you had to resort to constructs like

    import future.keywords.in

    keys[k] { _ = input[k] }

    ... (truncated)

  • chore(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.43.0

    Bumps github.com/open-policy-agent/opa from 0.41.0 to 0.43.0.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.43.0

    This release contains a number of fixes, enhancements, and performance improvements.

    Object Insertion Optimization

    Rego Object insertion operations did not scale linearly (#4625) in the past, and experienced noticeable reallocation/memory movement overheads once the Object grew past 120k-150k keys in size.

    This release introduces different handling of Object internals during insert operations to avoid pathological reallocation behavior, and allows linear performance scaling up into the 500k key range and beyond.

    Tooling, SDK, and Runtime

    • Add lines covered/not covered counts to test coverage report (authored by @​FarisR99)
    • Plugins: Status and logs plugins now accept any HTTP 2xx status code (authored by @​lvisterin)
    • Runtime: Generalize OS check for MacOS to other Unix-likes (authored by @​iamleot)

    Bundles Fixes

    The Bundles system received several bugfixes and performance improvements in this release:

    • Bundle: opa bundle command now supports .yml files (#4859) authored by @​Joffref reported by @​rdrgmnzsakt
    • Plugins/Bundle: Use unique temporary files for persisting activated bundles to disk (#4782) authored by @​FredrikAppelros reported by @​FredrikAppelros
    • Server: Old policy path is now checked for bundle ownership before update (#4846)
    • Storage+Bundle: Old bundle data is now cleaned before new bundle activation (#4940)
    • Bundle: Paths are now normalized before bundle root check occurs to ensure checks are os-independent

    Storage Fixes

    The Storage system received mostly bugfixes, with a notable performance improvement for large bundles in this release:

    • storage/inmem: Speed up bundle activation by avoiding unnecessary read operations (#4898)
    • storage/inmem: Paths are now created during truncate operations if they did not exist before
    • storage/disk: Symlinks work with relative paths now (#4869)

    Rego and Topdown

    The Rego compiler and runtime environment received a number of bugfixes, and a few new features this release, as well as a notable performance improvement for large Objects (covered above).

    • AST/Compiler: New method for obtaining parsed, but otherwise unprocessed modules is now available (#4910)
    • object.subset: Support array + set combination (#4858) authored by @​x-color
    • Compiler: Prevent erasure of print() statements in the compiler via a WithEnablePrintStatements option to compiler.Compiler and compiler.optimizer (authored by @​kevinstyra)
    • Topdown fixes:
      • AST/Builtins: type_name builtin now has more precise type metadata and improved docs
      • Topdown/copypropagation: Ref-based tautologies like input.a == input.a are no longer eliminated during the copy-propagation pass (#4848) reported by @​johanneskra
      • Topdown/parse_units: Use big.Rat for units parsing to avoid floating-point rounding issues on fractional units. (#4856) reported by @​tmos22
      • Topdown: is_valid builtins no longer error, and should always return booleans (#4760)
      • Topdown: glob.match now can be used without delimiters (#4923) authored by @​vinhph0906 reported by @​vinhph0906

    Documentation

    • Docs: Add GraphQL API authorization tutorial

    ... (truncated)

    Commits
    • d75bbdd Prepare v0.43.0 release (#4949)
    • a99e5a9 docs: add warning about importing 'future.keywords' (#4947)
    • 8f63046 storage+bundle: Clean old bundle data before new activation (#4944)
    • 462d518 docs: Add note about counter_server_query_cache_hit metric (#4946)
    • eff91f7 build(deps): bump aquasecurity/trivy-action from 0.6.0 to 0.6.1 (#4941)
    • 1c1957c topdown/copypropagation: keep refs into livevars (#4936)
    • 7f78653 build: run 'make generate' in release container (#4934)
    • 23443da Update Styra ecosystem entry (#4938)
    • 81fd742 ast/compiler: allow retaining parsed modules (#4921)
    • bfa04b3 added/corrected aserto ecosystem resources (#4889)
    • Additional commits viewable in compare view

  • chore(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.42.2

    Bumps github.com/open-policy-agent/opa from 0.41.0 to 0.42.2.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.42.2

    This is a bug fix release that addresses the following:

    • storage/disk: make symlinks work with relative paths (#4869)
    • bundle: Normalize paths before bundle root check

    v0.42.1

    This is a bug fix release that addresses the following:

    1. An issue while writing data to the in-memory store at a non-root nonexistent path (#4855), reported by @​wermerb and others.
    2. Policies owned by a bundle could be replaced via the REST API because of a missing bundle scope check (#4846).
    3. Adds missing future.keywords import for the examples in the policy testing section of the docs (#4849), reported by @​robert-elles.

    v0.42.0

    This release contains a number of fixes and enhancements.

    New built-in function: object.subset

    This function checks if a collection is a subset of another collection. It works on objects, sets, and arrays.

    If both arguments are objects, then the operation is recursive, e.g. {"c": {"x": {10, 15, 20}} is considered a subset of {"a": "b", "c": {"x": {10, 15, 20, 25}, "y": "z"}.

    See the built-in functions docs for all details

    This implementation fixes #4358 and was authored by @​charlesdaniels.

    New keywords: "contains" and "if"

    These new keywords let you increase the expressiveness of your policy code:

    Before

    package authz
    allow { not denied } # `denied` left out for presentation purposes

    deny[msg] {
        count(violations) > 0
        msg := sprintf("there are %d violations", [count(violations)])
    }

    After

    package authz
    import future.keywords

    allow if not denied # one expression only => no { ... } needed!

    ... (truncated)

    Commits
    • efcf506 Prepare Release 0.42.2
    • 16bae6c CI: remove trivy from PRs, add CVE-2022-1996 to ignores (#4867)
    • e6626cd bundle: Normalize paths before bundle root check
    • db3a4e7 storage/disk: make symlinks work with relative paths (#4870)
    • 60b7193 Prepare v0.42.1 release
    • 2819143 server: check old policy path for bundle ownership (#4847)
    • 22641e5 docs/policy-testing: add missing future.keywords imports (#4852)
    • fa6ccbc storage/inmem: Create path if does not exist during truncate (#4853)
    • 9b5fb9b Prepare release v0.42.0 (#4834)
    • 7305b16 server: pass IQBC to authorizer (#4838)
    • Additional commits viewable in compare view

  • chore(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.42.1

    Bumps github.com/open-policy-agent/opa from 0.41.0 to 0.42.1.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.42.1

    This is a bug fix release that addresses the following:

    1. An issue while writing data to the in-memory store at a non-root nonexistent path (#4855), reported by @​wermerb and others.
    2. Policies owned by a bundle could be replaced via the REST API because of a missing bundle scope check (#4846).
    3. Adds missing future.keywords import for the examples in the policy testing section of the docs (#4849), reported by @​robert-elles.

    v0.42.0

    This release contains a number of fixes and enhancements.

    New built-in function: object.subset

    This function checks if a collection is a subset of another collection. It works on objects, sets, and arrays.

    If both arguments are objects, then the operation is recursive, e.g. {"c": {"x": {10, 15, 20}} is considered a subset of {"a": "b", "c": {"x": {10, 15, 20, 25}, "y": "z"}.

    See the built-in functions docs for all details

    This implementation fixes #4358 and was authored by @​charlesdaniels.

    New keywords: "contains" and "if"

    These new keywords let you increase the expressiveness of your policy code:

    Before

    package authz
    allow { not denied } # `denied` left out for presentation purposes

    deny[msg] {
        count(violations) > 0
        msg := sprintf("there are %d violations", [count(violations)])
    }

    After

    package authz
    import future.keywords

    allow if not denied # one expression only => no { ... } needed!

    deny contains msg if {
        count(violations) > 0
        msg := sprintf("there are %d violations", [count(violations)])
    }

    ... (truncated)

    Commits
    • 60b7193 Prepare v0.42.1 release
    • 2819143 server: check old policy path for bundle ownership (#4847)
    • 22641e5 docs/policy-testing: add missing future.keywords imports (#4852)
    • fa6ccbc storage/inmem: Create path if does not exist during truncate (#4853)
    • 9b5fb9b Prepare release v0.42.0 (#4834)
    • 7305b16 server: pass IQBC to authorizer (#4838)
    • a52e317 topdown/pe: plug nested every expressions (#4827)
    • a453d2e build(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0 (#4835)
    • d5b8a61 release process: fix metadata logic (#4836)
    • 2f169d9 build(deps): bump aquasecurity/trivy-action from 0.5.0 to 0.5.1 (#4833)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • chore(deps): bump github.com/open-policy-agent/opa from 0.45.0 to 0.46.1

    chore(deps): bump github.com/open-policy-agent/opa from 0.45.0 to 0.46.1

    Bumps github.com/open-policy-agent/opa from 0.45.0 to 0.46.1.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.46.1

    This is a bugfix release to resolve an issue in the release pipeline. Everything else is the same as 0.46.0, which contains a mix of bugfixes, optimizations, and new features:

    New language feature: refs in rule heads

    With this version of OPA, we can use a shorthand for defining deeply-nested structures in Rego:

    Before, we had to use multiple packages, and hence multiple files to define a structure like this:

    {
      "method": {
        "get": {
          "allowed": true
        },
        "post": {
          "allowed": true
        }
      }
    }
    
    package method.get
    default allowed := false
    allowed { ... }
    
    package method.post
    default allowed := false
    allowed { ... }
    

    Now, we can define those rules in a single package (and file):

    package method
    import future.keywords.if
    default get.allowed := false
    get.allowed if { ... }
    

    default post.allowed := false
    post.allowed if { ... }
    
    Note that in this example, the use of the future keyword if is mandatory.

    ... (truncated)

    Changelog

    Sourced from github.com/open-policy-agent/opa's changelog.

    0.46.1

    This is a bugfix release to resolve an issue in the release pipeline. Everything else is the same as 0.46.0.

    0.46.0

    This release contains a mix of bugfixes, optimizations, and new features.

    New language feature: refs in rule heads

    With this version of OPA, we can use a shorthand for defining deeply-nested structures in Rego:

    Before, we had to use multiple packages, and hence multiple files to define a structure like this:

    {
      "method": {
        "get": {
          "allowed": true
        },
        "post": {
          "allowed": true
        }
      }
    }
    
    package method.get
    default allowed := false
    allowed { ... }
    
    package method.post
    default allowed := false
    allowed { ... }
    

    Now, we can define those rules in a single package (and file):

    package method
    import future.keywords.if
    default get.allowed := false
    get.allowed if { ... }
    


    ... (truncated)

    Commits

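The refs-in-rule-heads shorthand from the 0.46 notes above, worked into a complete policy. This is an added example, not code from the PR, from OPA's docs or from go-opa-validate: an HTTP-method authorisation tree kept in one package, with per-verb defaults so a request that matches no clause resolves to false rather than undefined. The input shape (input.method, input.path, input.user.role), the paths and the roles are assumptions made for this example.

```rego
package method

import future.keywords.if
import future.keywords.in

# The whole data.method.<verb>.allowed tree lives in one package (before
# 0.46 each verb needed its own package and file). Each <verb>.allowed is a
# complete rule with its own default, so a request that matches no clause
# is explicitly false instead of undefined.

default get.allowed := false

get.allowed if {
	input.path in {"/health", "/catalog"}
}

get.allowed if {
	startswith(input.path, "/orders/")
	input.user.role in {"viewer", "editor", "admin"}
}

default post.allowed := false

post.allowed if {
	input.path == "/orders"
	input.user.role in {"editor", "admin"}
}

default delete.allowed := false

delete.allowed if {
	startswith(input.path, "/orders/")
	input.user.role == "admin"
}

# Entry point for a gateway: pick the subtree that matches the request verb.
# Verbs with no subtree (PUT, PATCH, ...) stay denied by the default.
default allow := false

allow if {
	input.method == "GET"
	data.method.get.allowed
}

allow if {
	input.method == "POST"
	data.method.post.allowed
}

allow if {
	input.method == "DELETE"
	data.method.delete.allowed
}
```

Evaluating `data.method` (for example with `opa eval -d method.rego -i input.json 'data.method'`) renders the same nested `{"get": {"allowed": ...}, "post": {...}, ...}` document that previously needed one package per verb; `data.method.allow` is the single decision a gateway would query.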
  • chore(deps): bump github.com/open-policy-agent/opa from 0.44.0 to 0.45.0

    chore(deps): bump github.com/open-policy-agent/opa from 0.44.0 to 0.45.0

    Bumps github.com/open-policy-agent/opa from 0.44.0 to 0.45.0.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.45.0

    This release contains a mix of bugfixes, optimizations, and new features.

    Improved Decision Logging with nd_builtin_cache

    OPA has several non-deterministic built-ins, such as rand.intn and http.send that can make debugging policies from decision log results a surprisingly tricky and involved process. To improve the situation around debugging policies that use those built-ins, OPA now provides an opt-in system for caching the inputs and outputs of these built-ins during policy evaluation, and can include this information in decision log entries.

    A new top-level config key is used to enable the non-deterministic builtin caching feature, as shown below:

    nd_builtin_cache: true
    

    This data is exposed to OPA's decision log masking system under the /nd_builtin_cache path, which allows masking or dropping sensitive values from decision logs selectively. This can be useful in situations where only some information about a non-deterministic built-in was needed, or the arguments to the built-in involved sensitive data.

    To prevent unexpected decision log size growth from non-deterministic built-ins like http.send, the new cache information is included in decision logs on a best-effort basis. If a decision log event exceeds the decision_logs.reporting.upload_size_limit_bytes limit for an OPA instance, OPA will reattempt uploading it, after dropping the non-deterministic builtin cache information from the event. This behavior will trigger a log error when it happens, and will increment the decision_logs_nd_builtin_cache_dropped metrics counter, so that it will be possible to debug cases where the cache information is unexpectedly missing from a decision log entry.

    Decision Logging Example

    To observe the change in decision logging we can run OPA in server mode with nd_builtin_cache enabled:

    opa run -s --set=decision_logs.console=true,nd_builtin_cache=true
    

    After sending it the query x := rand.intn("a", 15) we should see something like the following in the decision logs:

    {..., "msg":"Decision Log", "nd_builtin_cache":{"rand.intn":{"[\"a\",15]":3}}, "query":"assign(x, rand.intn(\"a\", 15))", ..., "result":[{"x":3}], ..., "type":"openpolicyagent.org/decision_logs"}
    

    The new information is included under the optional nd_builtin_cache JSON key, and shows what arguments were provided for each unique invocation of rand.intn, as well as what the output of that builtin call was (in this case, 3).

    If we send the query x := rand.intn("a", 15); y := rand.intn("b", 150) we can see how unique input arguments get recorded in the cache:

    {..., "msg":"Decision Log", "nd_builtin_cache":{"rand.intn":{"[\"a\",15]":12,"[\"b\",150]":149}}, "query":"assign(x, rand.intn(\"a\", 15)); assign(y, rand.intn(\"b\", 150))", ..., "result":[{"x":12,"y":149}], ..., "type":"openpolicyagent.org/decision_logs"}
    

    With this information, it's now easier to debug exactly why a particular rule is used or why a rule fails when non-deterministic builtins are used in a policy.

    New Built-in Function: regex.replace

    This release introduces a new builtin for regex-based search/replace on strings: regex.replace.

    See the built-in functions docs for all the details

    This implementation fixes #5162 and was authored by @boranx.

    object.union_n Optimization

    The object.union_n builtin allows easily merging together an array of Objects.

    ... (truncated)

    Changelog

    Sourced from github.com/open-policy-agent/opa's changelog.

    0.45.0

    This release contains a mix of bugfixes, optimizations, and new features.

    Improved Decision Logging with nd_builtin_cache

    OPA has several non-deterministic built-ins, such as rand.intn and http.send that can make debugging policies from decision log results a surprisingly tricky and involved process. To improve the situation around debugging policies that use those built-ins, OPA now provides an opt-in system for caching the inputs and outputs of these built-ins during policy evaluation, and can include this information in decision log entries.

    A new top-level config key is used to enable the non-deterministic builtin caching feature, as shown below:

    nd_builtin_cache: true
    

    This data is exposed to OPA's decision log masking system under the /nd_builtin_cache path, which allows masking or dropping sensitive values from decision logs selectively. This can be useful in situations where only some information about a non-deterministic built-in was needed, or the arguments to the built-in involved sensitive data.

    To prevent unexpected decision log size growth from non-deterministic built-ins like http.send, the new cache information is included in decision logs on a best-effort basis. If a decision log event exceeds the decision_logs.reporting.upload_size_limit_bytes limit for an OPA instance, OPA will reattempt uploading it, after dropping the non-deterministic builtin cache information from the event. This behavior will trigger a log error when it happens, and will increment the decision_logs_nd_builtin_cache_dropped metrics counter, so that it will be possible to debug cases where the cache information is unexpectedly missing from a decision log entry.

    Decision Logging Example

    To observe the change in decision logging we can run OPA in server mode with nd_builtin_cache enabled:

    opa run -s --set=decision_logs.console=true,nd_builtin_cache=true
    

    After sending it the query x := rand.intn("a", 15) we should see something like the following in the decision logs:


    ... (truncated)

    Commits
    • 523c285 Prepare v0.45.0 release (#5223)
    • ac20ef2 server+sdk+plugins: Integrate NDBCache into decision logging. (#5147)
    • 94baa1b topdown/tokens: protect against nistec panics (#5214)
    • 4ea5c0f build(deps): bump tj-actions/changed-files from 29.0.9 to 32.0.0 (#5215)
    • 615f6f8 build: bump golang 1.19.1 -> 1.19.2 (#5213)
    • 20982c3 test/cases: add test case for rand.intn (#5207)
    • f3c0630 Added Gloo Edge Tutorial with some neat examples.
    • be2d753 Add IR to integration docs (#5205)
    • 15b9a88 Fix typo in Future Keywords (#5192)
    • b7f957d topdown/json: Fix panic in json.filter on empty JSON paths. (#5200)
    • Additional commits viewable in compare view

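The 0.45 notes above point out that nd_builtin_cache is exposed to decision-log masking under the /nd_builtin_cache path, and that the cached arguments of http.send may be sensitive. The mask policy below is an added example, not from the PR, from OPA's docs or from go-opa-validate. It assumes the policy being logged receives request headers as input.headers; the header names and the regular expression passed to the new regex.replace built-in are assumptions made for this example.

```rego
package system.log

import future.keywords.contains
import future.keywords.if

# OPA evaluates data.system.log.mask against every decision log event, so
# `input` here is the event itself: input.input is the policy input and
# input.nd_builtin_cache is the cache added in 0.45.0.

# Remove the cached arguments and responses of http.send. They are there to
# make debugging easier, but they also carry whatever the policy sent to,
# and got back from, the remote service: tokens, API keys, PII.
mask contains "/nd_builtin_cache/http.send" if {
	input.nd_builtin_cache["http.send"]
}

# Keep evidence that a credential was presented, but never the credential.
# regex.replace keeps the scheme (capture group 1) and drops the secret.
mask contains {"op": "upsert", "path": "/input/headers/authorization", "value": redacted} if {
	auth := input.input.headers.authorization
	redacted := regex.replace(auth, `^(?i)(bearer|basic)\s+\S+$`, "$1 [REDACTED]")
}

# Cookies never carry anything a decision log needs.
mask contains "/input/headers/cookie" if {
	input.input.headers.cookie
}
```

Load this alongside the policies being evaluated (OPA looks for the mask rule at data.system.log.mask by default). A string entry in the set removes that JSON-pointer path from the event; an object entry with "op": "upsert" replaces the value, so the log still shows that an Authorization header was present without recording the token.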
  • chore(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.44.0

    chore(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.44.0

    Bumps github.com/open-policy-agent/opa from 0.41.0 to 0.44.0.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.44.0

    This release contains a number of fixes, two new builtins, a few new features, and several performance improvements.

    Security Fixes

    This release includes the security fixes present in the recent v0.43.1 release, which mitigate CVE-2022-36085 in OPA itself, and CVE-2022-27664 and CVE-2022-32190 in our Go build tooling.

    See the Release Notes for v0.43.1 for more details.

    Set Element Addition Optimization

    Rego Set element addition operations did not scale linearly (#4999) in the past, and like the Object type before v0.43.0, experienced noticeable reallocation/memory movement overheads once the Set grew past 120k-150k elements in size.

    This release introduces different handling of Set internals during element addition operations to avoid pathological reallocation behavior, and allows linear performance scaling up into the 500k key range and beyond.

    Set union Built-in Optimization

    The Set union builtin allows applying the union operation to a set of sets.

    However, as discovered in #4979, its implementation generated unnecessary intermediate copies, which resulted in poor performance; in many cases, worse than writing the equivalent operation in pure Rego.

    This release improves the union builtin's implementation, such that only the final result set is ever modified, reducing memory allocations and GC pressure. The union builtin is now about 15-30% faster than the equivalent operation in pure Rego.

    New Built-in Functions: strings.any_prefix_match and strings.any_suffix_match

    This release introduces two new builtins, optimized for bulk matching of string prefixes and suffixes: strings.any_prefix_match, and strings.any_suffix_match. They work with sets and arrays of strings, allowing efficient matching of collections of prefixes or suffixes against a target string.

    See the built-in functions docs for all the details

    This implementation fixes #4994 and was authored by @cube2222.

    Tooling, SDK, and Runtime

    • Logger: Allow configuration of the timestamp format (#2413)
    • loader: Add support for fs.FS (authored by @ear7h)

    Bundles

    This release includes several bugfixes and improvements around bundle building:

    • cmd: Add optimize flag to OPA eval command to allow building optimized bundles
    • cmd/build+compile: Allow opt-out of dependents gathering to allow compilation of more bundles into WASM (#5035)
    • opa build -t wasm|plan: Fail on unmatched entrypoints (#3957)
    • opa build: Fix bundle mode to work with ignore flag
    • bundle/status: Include bundle size in status information
    • bundle: Remove raw bytes check for lazy bundle loading mode

    Storage Fixes

    This release has performance improvements and bugfixes for the disk storage system:

    ... (truncated)

    Changelog

    Sourced from github.com/open-policy-agent/opa's changelog.

    0.44.0

    This release contains a number of fixes, two new builtins, a few new features, and several performance improvements.

    Security Fixes

    This release includes the security fixes present in the recent v0.43.1 release, which mitigate CVE-2022-36085 in OPA itself, and CVE-2022-27664 and CVE-2022-32190 in our Go build tooling.

    See the Release Notes for v0.43.1 for more details.

    Set Element Addition Optimization

    Rego Set element addition operations did not scale linearly (#4999) in the past, and like the Object type before v0.43.0, experienced noticeable reallocation/memory movement overheads once the Set grew past 120k-150k elements in size.

    This release introduces different handling of Set internals during element addition operations to avoid pathological reallocation behavior, and allows linear performance scaling up into the 500k key range and beyond.

    Set union Built-in Optimization

    The Set union builtin allows applying the union operation to a set of sets.

    However, as discovered in #4979, its implementation generated unnecessary intermediate copies, which resulted in poor performance; in many cases, worse than writing the equivalent operation in pure Rego.

    This release improves the union builtin's implementation, such that only the final result set is ever modified, reducing memory allocations and GC pressure. The union builtin is now about 15-30% faster than the equivalent operation in pure Rego.

    New Built-in Functions: strings.any_prefix_match and strings.any_suffix_match

    This release introduces two new builtins, optimized for bulk matching of string prefixes and suffixes: strings.any_prefix_match, and strings.any_suffix_match. They work with sets and arrays of strings, allowing efficient matching of collections of prefixes or suffixes against a target string.

    See the built-in functions docs for all the details

    This implementation fixes #4994 and was authored by @cube2222.

    ... (truncated)

    Commits
    • e8d488f Prepare v0.44.0 release (#5109)
    • b391076 Integrate patch release v0.43.1 (#5108)
    • 25a597b ast/compile: respect unsafeBuiltinMap for 'with' replacements (#5107)
    • 9adf9a8 build(deps): bump github.com/agnivade/levenshtein from 1.0.1 to 1.1.1 (#5085)
    • 3ed3643 builtins: update description of format_int to say it rounds down
    • b5cbbb5 opa build -t wasm|plan: fail on unmatched entrypoints
    • 15412b1 ecosystem: add some links to Rönd (#5102)
    • 1bcf82c build: bump golang: 1.19 -> 1.19.1 (#5099)
    • b7bdd61 rego/rego_test: test with test server, not httpbin.org (#5098)
    • 6a439c5 topdown: Fix key construction for NDBCache; rego: avoid NDBCache init (#5097)
    • Additional commits viewable in compare view

  • chore(deps): bump github.com/open-policy-agent/opa from 0.40.0 to 0.41.0

    chore(deps): bump github.com/open-policy-agent/opa from 0.40.0 to 0.41.0

    Bumps github.com/open-policy-agent/opa from 0.40.0 to 0.41.0.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.41.0

    This release contains a number of fixes and enhancements.

    GraphQL Built-in Functions

    A new set of built-in functions is now available to validate, parse and verify GraphQL queries and schemas! Following are the new built-ins:

    graphql.is_valid: Checks that a GraphQL query is valid against a given schema
    graphql.parse: Returns AST objects for a given GraphQL query and schema
    graphql.parse_and_verify: Returns a boolean indicating success or failure alongside the parsed ASTs for a given GraphQL query and schema
    graphql.parse_query: Returns an AST object for a GraphQL query
    graphql.parse_schema: Returns an AST object for a GraphQL schema
    

    Built-in Function Metadata

    Built-in function declarations now support additional metadata to specify name and description for function arguments and return values. The metadata can be programmatically consumed by external tools such as IDE plugins. The built-in function documentation is created using the new built-in function metadata. Check out the new look of the Built-In Reference page!

    Under the hood, a new file called builtins_metadata.json is generated via make generate which can be consumed by external tools.

    Tooling, SDK, and Runtime

    Rego and Topdown

    • units.parse: New built-in for parsing standard metric decimal and binary SI units (e.g., K, Ki, M, Mi, G, Gi)
    • format: Fix opa fmt location for non-key rules (#4695) (authored by @jaspervdj)
    • token: Ignore keys of unknown alg when verifying JWTs with JWKS (#4699) reported by @lenalebt

    Documentation

    • Adding Built-in Functions: Add note about capabilities.json while creating a new built-in function
    • Policy Reference: Add example for rego.metadata.rule() built-in function
    • Policy Reference: Fix grammar for import keyword (#4689) authored by @mmzeeman reported by @mmzeeman
    • Security: Fix command line flag name for file containing the TLS certificate (#4678) authored by @pramodak reported by @pramodak

    Website + Ecosystem

    • Update Kubernetes policy examples on the website to use latest kubernetes schema (apiVersion: admission.k8s.io/v1) (authored by @vicmarbev)
    • Ecosystem:

    ... (truncated)

    Changelog

    Sourced from github.com/open-policy-agent/opa's changelog.

    0.41.0

    This release contains a number of fixes and enhancements.

    GraphQL Built-in Functions

    A new set of built-in functions is now available to validate, parse and verify GraphQL queries and schemas! Following are the new built-ins:

    graphql.is_valid: Checks that a GraphQL query is valid against a given schema
    graphql.parse: Returns AST objects for a given GraphQL query and schema
    graphql.parse_and_verify: Returns a boolean indicating success or failure alongside the parsed ASTs for a given GraphQL query and schema
    graphql.parse_query: Returns an AST object for a GraphQL query
    graphql.parse_schema: Returns an AST object for a GraphQL schema
    

    Built-in Function Metadata

    Built-in function declarations now support additional metadata to specify name and description for function arguments and return values. The metadata can be programmatically consumed by external tools such as IDE plugins. The built-in function documentation is created using the new built-in function metadata. Check out the new look of the Built-In Reference page!

    Under the hood, a new file called builtins_metadata.json is generated via make generate which can be consumed by external tools.

    Tooling, SDK, and Runtime

    Rego and Topdown

    • units.parse: New built-in for parsing standard metric decimal and binary SI units (e.g., K, Ki, M, Mi, G, Gi)
    • format: Fix opa fmt location for non-key rules (#4695) (authored by @jaspervdj)
    • token: Ignore keys of unknown alg when verifying JWTs with JWKS (#4699) reported by @lenalebt

    Documentation

    • Adding Built-in Functions: Add note about capabilities.json while creating a new built-in function
    • Policy Reference: Add example for rego.metadata.rule() built-in function
    • Policy Reference: Fix grammar for import keyword (#4689) authored by @mmzeeman reported by @mmzeeman
    • Security: Fix command line flag name for file containing the TLS certificate (#4678) authored by @pramodak reported by @pramodak

    Website + Ecosystem

    • Update Kubernetes policy examples on the website to use latest kubernetes schema (apiVersion: admission.k8s.io/v1) (authored by @vicmarbev)
    • Ecosystem:

    ... (truncated)

    Commits
    • 0d6a109 Prepare v0.41.0 release
    • 7bfc76c build(deps): bump github.com/vektah/gqlparser/v2 from 2.4.3 to 2.4.4 (#4729)
    • e971a8f bundle: dont sign manifest when empty
    • cb6a4c0 Ignore keys of unknown alg when verifying JWTs with JWKS (#4725)
    • 1889f24 Update docs on ordering expressions
    • e1b4bee build(deps): bump github.com/go-ini/ini from 1.66.4 to 1.66.6
    • b05eba0 build(deps): bump google.golang.org/grpc from 1.46.2 to 1.47.0
    • 0502529 test: Fix too many files open error on MacOS (#4727)
    • 35f4523 Add Infracost to ADOPTERS.md (#4716)
    • 1fde1ad built-ins: Add new GraphQL builtins.
    • Additional commits viewable in compare view

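Three of the bumps above introduce language features that fit the page's own admission-review use case: the contains/if keywords and object.subset (0.42), strings.any_prefix_match (0.44) and units.parse (0.41). The policy below is an added example that exercises all of them on the same AdmissionReview shape as the page's data.json; it is not code from the PRs, from OPA's docs or from go-opa-validate. The trusted registries, the required labels, the 2Gi memory cap and the message wording are assumptions made for this example.

```rego
package example

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Registries allowed to supply images. The page's denyPolicy checks one
# prefix with startswith; strings.any_prefix_match checks a whole set at once.
trusted_registries := {"hooli.com/", "registry.internal.example/"}

# Labels every Pod must carry, and the largest memory limit one container may
# request. Both values are assumptions for this example.
required_labels := {"team": "payments", "env": "prod"}

max_memory_bytes := units.parse("2Gi")

is_pod if input.request.kind.kind == "Pod"

pod_name := object.get(input.request.object.metadata, "name", "<unnamed>")

# Image must come from a trusted registry.
deny contains msg if {
	is_pod
	some container in input.request.object.spec.containers
	not strings.any_prefix_match(container.image, trusted_registries)
	msg := sprintf("pod %s: container %s uses untrusted image %s", [pod_name, container.name, container.image])
}

# Required labels must all be present with the expected values; extra
# labels are fine because object.subset only checks the required side.
deny contains msg if {
	is_pod
	labels := object.get(input.request.object.metadata, "labels", {})
	not object.subset(labels, required_labels)
	msg := sprintf("pod %s: labels %v do not include required labels %v", [pod_name, labels, required_labels])
}

# Every container needs a memory limit ...
deny contains msg if {
	is_pod
	some container in input.request.object.spec.containers
	not container.resources.limits.memory
	msg := sprintf("pod %s: container %s has no memory limit", [pod_name, container.name])
}

# ... and the limit, whatever unit it is written in (Mi, Gi, M, G), must
# stay under the cap. units.parse turns "1536Mi" and "1.5Gi" into bytes.
deny contains msg if {
	is_pod
	some container in input.request.object.spec.containers
	limit := container.resources.limits.memory
	units.parse(limit) > max_memory_bytes
	msg := sprintf("pod %s: container %s memory limit %s exceeds 2Gi", [pod_name, container.name, limit])
}
```

Queried as example.deny through the page's validator harness (or `opa eval -d policy.rego -i data.json 'data.example.deny'`), the page's data.json produces two messages: the pod has no labels, and mysql-backend has no memory limit. Its image passes because hooli.com/ is in the trusted set.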
  • chore(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0

    chore(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0

    Bumps github.com/open-policy-agent/opa from 0.39.0 to 0.40.0.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.40.0

    This release contains a number of fixes and enhancements.

    Metadata introspection

    The rich metadata added in the v0.38.0 release can now be introspected from the policies themselves!

    package example
    
    # METADATA
    # title: Edits by owner only
    # description: |
    #   Only the owner is allowed to edit their data.
    deny[{"allowed": false, "message": rego.metadata.rule().description}] {
        input.user != input.owner
    }

    This snippet will evaluate to

    [{
      "allowed": false,
      "message": "Only the owner is allowed to edit their data.\n"
    }]
    

    Both the rule's metadata can be accessed, via rego.metadata.rule(), and the entire chain of metadata attached to the rule via the various scopes that different metadata annotations can have, via rego.metadata.chain().

    All the details can be found in the documentation of these new built-in functions.

    Function mocking

    It is now possible to mock functions in tests! Both built-in and non-built-in functions can be mocked:

    package authz
    import data.jwks.cert
    import data.helpers.extract_token
    

    allow {
        [true, _, _] = io.jwt.decode_verify(extract_token(input.headers), {"cert": cert, "iss": "corp.issuer.com"})
    }
    
    test_allow {
        allow with input.headers as []
              with data.jwks.cert as "mock-cert"
              with io.jwt.decode_verify as [true, {}, {}] # mocked built-in
              with extract_token as "my-jwt"              # mocked non-built-in
    }

    For further information about policy testing with data and function mock, see the Policy Testing docs. All details about with can be found in its Policy Language section.

    ... (truncated)

    Changelog

    Sourced from github.com/open-policy-agent/opa's changelog.

    0.40.0

    This release contains a number of fixes and enhancements.

    Metadata introspection

    The rich metadata added in the v0.38.0 release can now be introspected from the policies themselves!

    package example
    
    # METADATA
    # title: Edits by owner only
    # description: |
    #   Only the owner is allowed to edit their data.
    deny[{"allowed": false, "message": rego.metadata.rule().description}] {
        input.user != input.owner
    }

    This snippet will evaluate to

    [{
      "allowed": false,
      "message": "Only the owner is allowed to edit their data.\n"
    }]
    

    Both the rule's metadata can be accessed, via rego.metadata.rule(), and the entire chain of metadata attached to the rule via the various scopes that different metadata annotations can have, via rego.metadata.chain().

    All the details can be found in the documentation of these new built-in functions.

    Function mocking

    It is now possible to mock functions in tests! Both built-in and non-built-in functions can be mocked:

    package authz
    import data.jwks.cert
    import data.helpers.extract_token
    

    allow {
        [true, _, _] = io.jwt.decode_verify(extract_token(input.headers), {"cert": cert, "iss": "corp.issuer.com"})
    }
    
    test_allow {
        allow with input.headers as []
              with data.jwks.cert as "mock-cert"
              with io.jwt.decode_verify as [true, {}, {}] # mocked built-in

    ... (truncated)

    Commits
    • b3c8d80 Prepare v0.40.0 Release (#4631)
    • 39125a0 downloader: support for downloading bundles from an OCI registry (#4558)
    • 2f6b417 format: keep whitespaces for multiple indented same-line withs (#4635)
    • 7e50293 ast+topdown+planner: replacement of non-built-in functions via 'with' (#4616)
    • 02c1c1e bundle/status: Include bundle type in status information
    • 654b245 docs: update version in kubernetes examples (#4627)
    • 8e79fc9 build(deps): bump github.com/fsnotify/fsnotify v1.5.2 -> v1.5.4 (#4628)
    • 4154d99 Dockerfile: add source annotation (#4626)
    • b481f00 topdown/net: require prefix length for IPv6 in net.cidr_merge (#4613)
    • eb94b73 website: add playground button to navbar (#4622)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
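As an added example (not part of this Dependabot PR, the OPA changelog, or the go-opa-validate repository), the following Rego module shows the two 0.40.0 features above applied to a policy shaped like the repository's own denyPolicy: the deny rule carries a METADATA block whose description is surfaced through rego.metadata.rule(), and the tests use `with` to mock both a built-in (startswith) and a package function (image_allowed), so the image-registry check can be exercised without real admission data. The helper names allowed_registries, image_allowed and pod, and all test inputs, are constructed for illustration; it is meant to be run with `opa test .` on OPA 0.40.0 or later.

```rego
package example

# Constructed for this example: the registries that images may be pulled from.
allowed_registries := {"hooli.com/"}

# True when the image name starts with one of the approved registry prefixes.
# Tests below replace this function via "with" (non-built-in mocking).
image_allowed(image) {
	some prefix
	allowed_registries[prefix]
	startswith(image, prefix)
}

# METADATA
# title: Images must come from an approved registry
# description: |
#   Pods may only run containers whose image is pulled from an approved
#   registry. This text is returned to the caller via rego.metadata.rule().
deny[{"allowed": false, "message": rego.metadata.rule().description}] {
	input.request.kind.kind == "Pod"
	some i
	image := input.request.object.spec.containers[i].image
	not image_allowed(image)
}

# ---- tests (run with: opa test .) ----

# Builds a minimal AdmissionReview-style input for one container image
# (constructed test data, not a real admission request).
pod(image) = {"request": {
	"kind": {"kind": "Pod"},
	"object": {"spec": {"containers": [{"image": image, "name": "c"}]}},
}}

# An image from an unknown registry is denied and the message comes from the
# METADATA description block, not from a string literal in the rule.
test_denies_unknown_registry {
	result := deny with input as pod("evil.example/mysql")
	count(result) == 1
	startswith(result[_].message, "Pods may only run containers")
}

# An image from the approved registry is not denied.
test_allows_approved_registry {
	result := deny with input as pod("hooli.com/mysql")
	count(result) == 0
}

# Mock the package function: image_allowed is replaced by the constant true,
# so even an unknown registry passes. Shows non-built-in mocking.
test_mocked_helper_allows_any_image {
	result := deny with input as pod("evil.example/mysql")
		with data.example.image_allowed as true
	count(result) == 0
}

# Mock the built-in: startswith is replaced by the constant false, so the
# approved registry no longer matches and the image is denied.
test_mocked_builtin_denies_approved_image {
	result := deny with input as pod("hooli.com/mysql")
		with startswith as false
	count(result) == 1
}
```

Putting the tests in the same package lets `with data.example.image_allowed as ...` target the helper by its full data path; the mock only applies to the expression it is attached to, so the `startswith` call in test_denies_unknown_registry is unaffected by the mock in the last test.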
  • chore(deps): bump actions/setup-go from 2 to 3

    chore(deps): bump actions/setup-go from 2 to 3

    Bumps actions/setup-go from 2 to 3.

    Release notes

    Sourced from actions/setup-go's releases.

    v3.0.0

    What's Changed

    Breaking Changes

    With the update to Node 16, all scripts will now be run with Node 16 rather than Node 12.

    This new major release removes the stable input, so there is no need to specify additional input to use pre-release versions. This release also corrects the pre-release versions syntax to satisfy the SemVer notation (1.18.0-beta1 -> 1.18.0-beta.1, 1.18.0-rc1 -> 1.18.0-rc.1).

    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v3
        with:
          go-version: '1.18.0-rc.1' 
      - run: go version
    

    Add check-latest input

    In scope of this release we add the check-latest input. If check-latest is set to true, the action first checks if the cached version is the latest one. If the locally cached version is not the most up-to-date, a Go version will then be downloaded from go-versions repository. By default check-latest is set to false. Example of usage:

    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: '1.16'
          check-latest: true
      - run: go version
    

    Moreover, we updated @actions/core from 1.2.6 to 1.6.0

    v2.1.5

    In scope of this release we updated matchers.json to improve the problem matcher pattern. For more information please refer to this pull request

    v2.1.4

    What's Changed

    New Contributors

    Full Changelog: https://github.com/actions/setup-go/compare/v2.1.3...v2.1.4

    v2.1.3

    • Updated communication with runner to use environment files rather than workflow commands

    v2.1.2

    This release includes vendored licenses for this action's npm dependencies.

    ... (truncated)

    Commits

  • chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.4

    chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.4

    Bumps github.com/open-policy-agent/opa from 0.46.1 to 0.47.4.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.47.4

    This is a bug fix release addressing a panic in opa test.

    • tester/runner: Fix panic'ing case in utility function. (#5496)

    v0.47.3

    This is a bug fix release addressing an issue that prevented OPA from fetching bundles stored in S3 buckets.

    • providers/aws: Refactor + fix 2x Authorization header append issue. (#5472)

    v0.47.2

    This is a second security fix to address CVE-2022-41717/GO-2022-1144.

    We previously believed that upgrading the Golang version and its stdlib would be sufficient to address the problem. It turns out we also need to bump the x/net dependency to v0.4.0, a version that hadn't existed when v0.46.2 was released.

    This release bumps the golang.org/x/net dependency to v0.4.0, and contains no other changes over v0.46.2.

    Note that the affected code is OPA's HTTP server. So if you're using OPA as a Golang library, or if you're confident that your OPA's HTTP interface is protected by other means (as it should be -- not exposed to the public internet), you're OK.

    v0.47.1

    This is a bug fix release addressing two issues: one security issue, and one bug related to formatting backwards-compatibility.

    Golang security fix CVE-2022-41717

    An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.

    Since we advise against running an OPA service exposed to the general public of the internet, potential attackers would be limited to people that are already capable of sending direct requests to the OPA service.

    opa fmt and backwards compatibility (#5449)

    In v0.46.1, it was possible that opa fmt would format a rule in such a way that:

    1. Before formatting, it was working fine with older OPA versions, and
    2. after formatting, it would only work with OPA version >= 0.46.1.

    This backwards incompatibility wasn't intended, and has now been fixed.

    v0.47.0

    This release contains a mix of bugfixes, optimizations, and new features.

    New Built-in Function: object.keys

    ... (truncated)

    Changelog

    Sourced from github.com/open-policy-agent/opa's changelog.

    0.47.4

    This is a bug fix release addressing a panic in opa test.

    0.47.3

    This is a bug fix release addressing an issue that prevented OPA from fetching bundles stored in S3 buckets.

    0.47.2 and 0.46.3

    This is a second security fix to address CVE-2022-41717/GO-2022-1144.

    We previously believed that upgrading the Golang version and its stdlib would be sufficient to address the problem. It turns out we also need to bump the x/net dependency to v0.4.0, a version that hadn't existed when v0.46.2 was released.

    This release bumps the golang.org/x/net dependency to v0.4.0, and contains no other changes over v0.46.2.

    Note that the affected code is OPA's HTTP server. So if you're using OPA as a Golang library, or if you're confident that your OPA's HTTP interface is protected by other means (as it should be -- not exposed to the public internet), you're OK.

    0.47.1 and 0.46.2

    This is a bug fix release addressing two issues: one security issue, and one bug related to formatting backwards-compatibility.

    Golang security fix CVE-2022-41717

    An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.

    Since we advise against running an OPA service exposed to the general public of the internet, potential attackers would be limited to people that are already capable of sending direct requests to the OPA service.

    opa fmt and backwards compatibility (#5449)

    In v0.46.1, it was possible that opa fmt would format a rule in such a way that:

    1. Before formatting, it was working fine with older OPA versions, and
    2. after formatting, it would only work with OPA version >= 0.46.1.

    This backwards incompatibility wasn't intended, and has now been fixed.

    0.47.0

    ... (truncated)

    Commits

runtime - an abstraction library on top of the Open Policy Agent (OPA)

runtime - an abstraction library on top of the Open Policy Agent (OPA) Introduction The "runtime" project is a library that sits on top of OPA. The go

Nov 7, 2022
A plugin for running Open Policy Agent (OPA) in AWS Lambda as a Lambda Extension.

opa-lambda-extension-plugin A custom plugin for running Open Policy Agent (OPA) in AWS Lambda as a Lambda Extension. To learn more about how Lambda Ex

Jan 2, 2023
Igo Agent is the agent of Igo, a command-line tool, through which you can quickly start Igo

igo agent English | Chinese Igo Agent is the agent of Igo, a command-line tool, through which you can quickly start Igo, and other capabilities may be added lat

Dec 22, 2021
Shoes-agent - Framework for myshoes provider using agent

shoes-agent Framework for myshoes provider using agent. agent: agent for shoes-a

Jan 8, 2022
Integrated ssh-agent for windows. (pageant compatible. openSSH ssh-agent etc ..)

OmniSSHAgent About The chaotic windows ssh-agent has been integrated into one program. Chaos Map of SSH-Agent on Windows There are several different c

Dec 19, 2022
Hexa is the open-source, standards-based policy orchestration software for multi-cloud and hybrid businesses.

Hexa Policy Orchestrator Hexa is the open-source, standards-based policy orchestration software for multi-cloud and hybrid businesses. The Hexa projec

Dec 22, 2022
A simple webdev utility program that allows developers to quickly validate and format JSON code

Toolbox CLI A simple webdev utility program that allows developers to quickly validate and format JSON code, convert from UNIX epoch to timestamp and

Jan 4, 2022
An open-source, distributed, cloud-native CD (Continuous Delivery) product designed for developers

Developer-oriented Continuous Delivery Product English | Simplified Chinese Table of Contents Zadig Table of Contents What is Zadig Quick start How to use? How to

Oct 19, 2021
💧 Visual Data Preparation (VDP) is an open-source tool to seamlessly integrate Vision AI with the modern data stack

Website | Community | Blog Get Early Access Visual Data Preparation (VDP) is an open-source tool to streamline the end-to-end visual data processing p

Jan 5, 2023
A lightweight, cloud-native data transfer agent and aggregator

English | Chinese Loggie is a lightweight, high-performance, cloud-native agent and aggregator based on Golang. It supports multiple pipeline and pluggable

Jan 6, 2023
Frep - Generate file using template from environment, arguments, json/yaml/toml config files

frep Generate file using template from environment, arguments, json/yaml/toml config files. NAME: frep - Generate file using template USAGE: fr

Nov 30, 2022
🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

cosign-gatekeeper-provider To integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying i

Dec 8, 2022
Cmsnr - cmsnr (pronounced "commissioner") is a lightweight framework for running OPA in a sidecar alongside your applications in Kubernetes.

cmsnr Description cmsnr (pronounced "commissioner") is a lightweight framework for running OPA in a sidecar alongside your applications in Kubernetes.

Jan 13, 2022
Generic inquiry tool to OPA server for CI process, such as GitHub Actions

opaq opaq is a generic inquiry tool to OPA server. A major purpose of this tool is for inquiry in GitHub Actions. Features Data formatting: OPA server

Jan 20, 2022
OpenDILab RL Kubernetes Custom Resource and Operator Lib

DI Orchestrator DI Orchestrator is designed to manage DI (Decision Intelligence) jobs using Kubernetes Custom Resource and Operator. Prerequisites A w

Jan 5, 2023
Kubectl plugin to run curl commands against kubernetes pods

kubectl-curl Kubectl plugin to run curl commands against kubernetes pods Motivation Sending http requests to kubernetes pods is unnecessarily complica

Dec 22, 2022
Image clone controller is a kubernetes controller to safeguard against the risk of container images disappearing

Image clone controller image clone controller is a kubernetes controller to safeguard against the risk of container images disappearing from public r

Oct 10, 2021
Controller-check - Run checks against K8s controllers to verify if they meet certain conventions

controller-check Run checks against K8s controllers to verify if they meet cert

Jan 4, 2022