Sourced from github.com/open-policy-agent/opa's releases.

v0.37.0

This release contains a number of fixes and enhancements.

This is the first release that includes a binary and a docker image for linux/arm64, opa_linux_arm64_static and openpolicyagent/opa:0.37.0-static. Thanks to @​ngraef for contributing the build changes necessary.

Strict Mode

There have been numerous possible checks in the compiler that fall into this category:

1. They would help avoid common mistakes; but
2. Introducing them would potentially break some uncommon, but legitimate use.

We've thus far refrained from introducing them. Now, a new "strict mode" allows you to opt-in to these checks, and we encourage you to do so!

With OPA 1.0, they will become the new default behaviour.

For more details, see the docs on Compiler Strict Mode.

Delta Bundles

Delta bundles provide a more efficient way to make data changes by containing patches to data instead of snapshots. Using them together with HTTP Long Polling, you can propagate small changes to bundles without waiting for polling delays.

See the documentation for more details.

Tooling and Runtime

• Bundles bug fix: Roundtrip manifest before hashing to allow changing the manifest and still using signature verification of bundles (#4233), reported by @​CristianJena

• The test runner now also supports custom builtins, when invoked through the Golang interface (authored by @​MIA-Deltat1995)

• The compile package and the opa build command support a new output format: "plan". It represents a query plan, steps needed to take to evaluate a query (with policies). The plan format is a JSON encoding of the intermediate representation (IR) used for compiling queries and policies into Wasm.

  When calling opa build -t plan ..., the plan can be found in plan.json at the top- level directory of the resulting bundle.tar.gz. See the documentation for details..

... (truncated)

Sourced from github.com/open-policy-agent/opa's changelog.

0.37.0

This release contains a number of fixes and enhancements.

This is the first release that includes a binary and a docker image for linux/arm64, opa_linux_arm64_static and openpolicyagent/opa:0.37.0-static. Thanks to @​ngraef for contributing the build changes necessary.

Strict Mode

There have been numerous possible checks in the compiler that fall into this category:

1. They would help avoid common mistakes; but
2. Introducing them would potentially break some uncommon, but legitimate use.

We've thus far refrained from introducing them. Now, a new "strict mode" allows you to opt-in to these checks, and we encourage you to do so!

With OPA 1.0, they will become the new default behaviour.

For more details, see the docs on Compiler Strict Mode.

Delta Bundles

Delta bundles provide a more efficient way to make data changes by containing patches to data instead of snapshots. Using them together with HTTP Long Polling, you can propagate small changes to bundles without waiting for polling delays.

See the documentation for more details.

Tooling and Runtime

• Bundles bug fix: Roundtrip manifest before hashing to allow changing the manifest and still using signature verification of bundles (#4233), reported by @​CristianJena

• The test runner now also supports custom builtins, when invoked through the Golang interface (authored by @​MIA-Deltat1995)

• The compile package and the opa build command support a new output format: "plan". It represents a query plan, steps needed to take to evaluate a query (with policies). The plan format is a JSON encoding of the intermediate representation (IR) used for compiling queries and policies into Wasm.

  When calling opa build -t plan ..., the plan can be found in plan.json at the top- level directory of the resulting bundle.tar.gz. See the documentation for details..

... (truncated)

• ad4f4f1 Prepare 0.37.0 release (#4309)
• a18f53d compile: adds metadata field to .manifest (#4306)
• 01ca4a6 build(deps): bump ansi-regex in /docs/website/scripts/live-blocks (#4308)
• 42a559c build(deps): bump github.com/prometheus/client_golang (#4307)
• 503a520 ast: Deprecating any() and all() built-in functions (#4271)
• 59810d0 ast: Making input and data reserved keywords in strict-mode (#4301)
• dd02a7f Add support for delta bundles
• cb867a1 ast/compile: 'every' rewriting steps (#4231)
• d12fb7c docs: Update generated CLI docs
• 4449d96 docs: add explanation of the IR
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from github.com/open-policy-agent/opa's releases.

v0.40.0

This release contains a number of fixes and enhancements.

Metadata introspection

The rich metadata added in the v0.38.0 release can now be introspected from the policies themselves!

package example
METADATA
title: Edits by owner only
description: |
Only the owner is allowed to edit their data.
deny[{"allowed": false, "message": rego.metadata.rule().description}] {
input.user != input.owner
}

This snippet will evaluate to

[{
  "allowed": false,
  "message": "Only the owner is allowed to edit their data.\n"
}]

Both the rule's metadata can be accessed, via rego.metadata.rule(), and the entire chain of metadata attached to the rule via the various scopes that different metadata annotations can have, via rego.metadata.chain().

All the details can be found in the documentation of these new built-in functions.

Function mocking

It is now possible to mock functions in tests! Both built-in and non-built-in functions can be mocked:

package authz
import data.jwks.cert
import data.helpers.extract_token
allow {
[true, _, _] = io.jwt.decode_verify(extract_token(input.headers), {"cert": cert, "iss": "corp.issuer.com"})
}
test_allow {
allow
with input.headers as []
with data.jwks.cert as "mock-cert"
with io.jwt.decode_verify as [true, {}, {}] # mocked built-in
with extract_token as "my-jwt"              # mocked non-built-in
}

For further information about policy testing with data and function mock, see the Policy Testing docs. All details about with can be found in its Policy Language section.

... (truncated)

Sourced from github.com/open-policy-agent/opa's changelog.

0.40.0

This release contains a number of fixes and enhancements.

Metadata introspection

The rich metadata added in the v0.38.0 release can now be introspected from the policies themselves!

package example
METADATA
title: Edits by owner only
description: |
Only the owner is allowed to edit their data.
deny[{"allowed": false, "message": rego.metadata.rule().description}] {
input.user != input.owner
}

This snippet will evaluate to

[{
  "allowed": false,
  "message": "Only the owner is allowed to edit their data.\n"
}]

Both the rule's metadata can be accessed, via rego.metadata.rule(), and the entire chain of metadata attached to the rule via the various scopes that different metadata annotations can have, via rego.metadata.chain().

All the details can be found in the documentation of these new built-in functions.

Function mocking

It is now possible to mock functions in tests! Both built-in and non-built-in functions can be mocked:

package authz
import data.jwks.cert
import data.helpers.extract_token
allow {
[true, _, _] = io.jwt.decode_verify(extract_token(input.headers), {"cert": cert, "iss": "corp.issuer.com"})
}
test_allow {
allow
with input.headers as []
with data.jwks.cert as "mock-cert"
with io.jwt.decode_verify as [true, {}, {}] # mocked built-in

... (truncated)

• b3c8d80 Prepare v0.40.0 Release (#4631)
• 39125a0 downloader: support for downloading bundles from an OCI registry (#4558)
• 2f6b417 format: keep whitespaces for multiple indented same-line withs (#4635)
• 7e50293 ast+topdown+planner: replacement of non-built-in functions via 'with' (#4616)
• 02c1c1e bundle/status: Include bundle type in status information
• 654b245 docs: update version in kubernetes examples (#4627)
• 8e79fc9 build(deps): bump github.com/fsnotify/fsnotify v1.5.2 -> v1.5.4 (#4628)
• 4154d99 Dockerfile: add source annotation (#4626)
• b481f00 topdown/net: require prefix length for IPv6 in net.cidr_merge (#4613)
• eb94b73 website: add playground button to navbar (#4622)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from github.com/open-policy-agent/opa's releases.

v0.42.0

This release contains a number of fixes and enhancements.

New built-in function: object.subset

This function checks if a collection is a subset of another collection. It works on objects, sets, and arrays.

If both arguments are objects, then the operation is recursive, e.g. {"c": {"x": {10, 15, 20}} is considered a subset of {"a": "b", "c": {"x": {10, 15, 20, 25}, "y": "z"}.

See the built-in functions docs for all details

This implementation fixes #4358 and was authored by @​charlesdaniels.

New keywords: "contains" and "if"

These new keywords let you increase the expressiveness of your policy code:

Before

package authz
allow { not denied } # `denied` left out for presentation purposes
deny[msg] {
count(violations) > 0
msg := sprintf("there are %d violations", [count(violations)])
}

After

package authz
import future.keywords
allow if not denied # one expression only => no { ... } needed!
deny contains msg if {
count(violations) > 0
msg := sprintf("there are %d violations", [count(violations)])
}

Note that rule bodies containing only one expression can be abbreviated when using if.

To use the new keywords, use import future.keywords.contains and import future.keywords.if; or import all of them at once via import future.keywords. When these future imports are present, the pretty printer (opa fmt) will introduce contains and if where applicable.

if is allowed in all places to separate the rule head from the body, like

</tr></table> 

... (truncated)

Sourced from github.com/open-policy-agent/opa's changelog.

0.42.0

This release contains a number of fixes and enhancements.

New built-in function: object.subset

This function checks if a collection is a subset of another collection. It works on objects, sets, and arrays.

If both arguments are objects, then the operation is recursive, e.g. {"c": {"x": {10, 15, 20}} is considered a subset of {"a": "b", "c": {"x": {10, 15, 20, 25}, "y": "z"}.

See the built-in functions docs for all details

This implementation fixes #4358 and was authored by @​charlesdaniels.

New keywords: "contains" and "if"

These new keywords let you increase the expressiveness of your policy code:

Before

package authz
allow { not denied } # `denied` left out for presentation purposes
deny[msg] {
count(violations) > 0
msg := sprintf("there are %d violations", [count(violations)])
}

After

package authz
import future.keywords
allow if not denied # one expression only => no { ... } needed!
deny contains msg if {
count(violations) > 0
msg := sprintf("there are %d violations", [count(violations)])
}

Note that rule bodies containing only one expression can be abbreviated when using if.

To use the new keywords, use import future.keywords.contains and import future.keywords.if; or import all of them at once via import future.keywords. When these future imports are present, the

... (truncated)

• 9b5fb9b Prepare release v0.42.0 (#4834)
• 7305b16 server: pass IQBC to authorizer (#4838)
• a52e317 topdown/pe: plug nested every expressions (#4827)
• a453d2e build(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0 (#4835)
• d5b8a61 release process: fix metadata logic (#4836)
• 2f169d9 build(deps): bump aquasecurity/trivy-action from 0.5.0 to 0.5.1 (#4833)
• 53b8192 docs/configuration: Fix profile_credentials AWS docs (#4831)
• 568f020 docs/wasm: fix markup (#4828)
• c0c902c topdown/eval: fix 'every' term plugging on save (#4775)
• 8a3bf90 ast/compile: reorder body for safety differently (#4801)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from github.com/open-policy-agent/opa's releases.

v0.43.1

This is a security release fixing the following vulnerabilities:

• CVE-2022-36085: Respect unsafeBuiltinMap for 'with' replacements in the compiler

  See https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr for all details.

• CVE-2022-27664 and CVE-2022-32190.

  Fixed by updating the Go version used in our builds to 1.18.6, see https://groups.google.com/g/golang-announce/c/x49AQzIVX-s. Note that CVE-2022-32190 is most likely not relevant for OPA's usage of net/url. But since these CVEs tend to come up in security assessment tooling regardless, it's better to get it out of the way.

v0.43.0

This release contains a number of fixes, enhancements, and performance improvements.

Object Insertion Optimization

Rego Object insertion operations did not scale linearly (#4625) in the past, and experienced noticeable reallocation/memory movement overheads once the Object grew past 120k-150k keys in size.

This release introduces different handling of Object internals during insert operations to avoid pathological reallocation behavior, and allows linear performance scaling up into the 500k key range and beyond.

Tooling, SDK, and Runtime

• Add lines covered/not covered counts to test coverage report (authored by @​FarisR99)
• Plugins: Status and logs plugins now accept any HTTP 2xx status code (authored by @​lvisterin)
• Runtime: Generalize OS check for MacOS to other Unix-likes (authored by @​iamleot)

Bundles Fixes

The Bundles system received several bugfixes and performance improvements in this release:

• Bundle: opa bundle command now supports .yml files (#4859) authored by @​Joffref reported by @​rdrgmnzsakt
• Plugins/Bundle: Use unique temporary files for persisting activated bundles to disk (#4782) authored by @​FredrikAppelros reported by @​FredrikAppelros
• Server: Old policy path is now checked for bundle ownership before update (#4846)
• Storage+Bundle: Old bundle data is now cleaned before new bundle activation (#4940)
• Bundle: Paths are now normalized before bundle root check occurs to ensure checks are os-independent

Storage Fixes

The Storage system received mostly bugfixes, with a notable performance improvement for large bundles in this release:

• storage/inmem: Speed up bundle activation by avoiding unnecessary read operations (#4898)
• storage/inmem: Paths are now created during truncate operations if they did not exist before
• storage/disk: Symlinks work with relative paths now (#4869)

Rego and Topdown

... (truncated)

Sourced from github.com/open-policy-agent/opa's changelog.

0.43.1

This is a security release fixing the following vulnerabilities:

• CVE-2022-36085: Respect unsafeBuiltinMap for 'with' replacements in the compiler

  See https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr for all details.

• CVE-2022-27664 and CVE-2022-32190.

  Fixed by updating the Go version used in our builds to 1.18.6, see https://groups.google.com/g/golang-announce/c/x49AQzIVX-s. Note that CVE-2022-32190 is most likely not relevant for OPA's usage of net/url. But since these CVEs tend to come up in security assessment tooling regardless, it's better to get it out of the way.

0.43.0

This release contains a number of fixes, enhancements, and performance improvements.

Object Insertion Optimization

Rego Object insertion operations did not scale linearly (#4625) in the past, and experienced noticeable reallocation/memory movement overheads once the Object grew past 120k-150k keys in size.

This release introduces different handling of Object internals during insert operations to avoid pathological reallocation behavior, and allows linear performance scaling up into the 500k key range and beyond.

Tooling, SDK, and Runtime

• Add lines covered/not covered counts to test coverage report (authored by @​FarisR99)
• Plugins: Status and logs plugins now accept any HTTP 2xx status code (authored by @​lvisterin)
• Runtime: Generalize OS check for MacOS to other Unix-likes (authored by @​iamleot)

Bundles Fixes

The Bundles system received several bugfixes and performance improvements in this release:

• Bundle: opa bundle command now supports .yml files (#4859) authored by @​Joffref reported by @​rdrgmnzsakt
• Plugins/Bundle: Use unique temporary files for persisting activated bundles to disk (#4782) authored by @​FredrikAppelros reported by @​FredrikAppelros
• Server: Old policy path is now checked for bundle ownership before update (#4846)
• Storage+Bundle: Old bundle data is now cleaned before new bundle activation (#4940)
• Bundle: Paths are now normalized before bundle root check occurs to ensure checks are os-independent

Storage Fixes

The Storage system received mostly bugfixes, with a notable performance improvement for large bundles in this release:

... (truncated)

• 196c92d Release v0.43.1
• 3e8c754 ast/compile: respect unsafeBuiltinMap for 'with' replacements
• b78756f build: bump golang: 1.18 -> 1.18.6
• d75bbdd Prepare v0.43.0 release (#4949)
• a99e5a9 docs: add warning about importing 'future.keywords' (#4947)
• 8f63046 storage+bundle: Clean old bundle data before new activation (#4944)
• 462d518 docs: Add note about counter_server_query_cache_hit metric (#4946)
• eff91f7 build(deps): bump aquasecurity/trivy-action from 0.6.0 to 0.6.1 (#4941)
• 1c1957c topdown/copypropagation: keep refs into livevars (#4936)
• 7f78653 build: run 'make generate' in release container (#4934)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.