This is bugfix release to resolve an issue in the release pipeline. Everything else is
the same as 0.46.0, which contains a mix of bugfixes, optimizations, and new features:
New language feature: refs in rule heads
With this version of OPA, we can use a shorthand for defining deeply-nested structures
in Rego:
Before, we had to use multiple packages, and hence multiple files to define a structure
like this:
{
"method": {
"get": {
"allowed": true
}
"post": {
"allowed": true
}
}
}package method.get
default allowed := false
allowed { ... }package method.post
default allowed := false
allowed { ... }Now, we can define those rules in single package (and file):
package method
import future.keywords.if
default get.allowed := false
get.allowed if { ... }
default post.allowed := false
post.allowed if { ... }Note that in this example, the use of the future keyword if is mandatory
for backwards-compatibility: without it, get.allowed would be interpreted
as get["allowed"], a definition of a partial set rule.
Currently, variables may only appear in the last part of the rule head:
package method
import future.keywords.if
endpoints[ep].allowed if ep := "/v1/data" # invalid
repos.get.endpoint[x] if x := "/v1/data" # validThe valid rule defines this structure:
{
"method": {
"repos": {
"get": {
"endpoint": {
"/v1/data": true
}
}
}
}
}To define a nested key-value pair, we would use
package method
import future.keywords.if
repos.get.endpoint[x] = y if {
x := "/v1/data"
y := "example"
}Multi-value rules (previously referred to as "partial set rules") that are
nested like this need to use contains future keyword, to differentiate them
from the "last part is a variable" case mentioned just above:
package method
import future.keywords.contains
repos.get.endpoint contains x if x := "/v1/data"This rule defines the same structure, but with multiple values instead of a key:
{
"method": {
"repos": {
"get": {
"endpoint": ["/v1/data"]
}
}
}
}To ensure that it's safe to build OPA policies for older OPA versions, a new
capabilities field was introduced: "features". It's a free-form string array:
{
"features": [
"rule_head_ref_string_prefixes"
]
}If this key is not present, the compiler will reject ref-heads. This could be
case when building bundles for older OPA version using their capabilities.
Entrypoint annotations in rule metadata
It is now possible to annotate a rule with entrypoint: true, and it will
automatically be picked up by the tooling that expected --entrypoint (-e)
parameters before.
For example, to build this rego policy into a wasm module, you had to pass
an entrypoint:
package test
allow {
input.x
}opa build --target wasm --entrypoint test/allow policy.rego
With the annotation:
package test
# METADATA
# entrypoint: true
allow {
input.x
}opa build --target wasm policy.rego
The places where entrypoints are taken from metadata are:
- Building optimized bundles
- Building Wasm bundles
- Building Plan bundles
- Using optimization with
opa eval
Knowing a module's entrypoints can also help in different analysis tasks.
New Built-in Functon: graphql.schema_is_valid
The new built-in allows checking schemas:
schema := `
extend type User {
id: ID!
}
extend type Product {
upc: String!
}
union _Entity = Product | User
extend type Query {
entity: _Entity
}
`
valid_schema_example {
graphql.schema_is_valid(schema)
}Requested by @olegroom.
New Built-in Functon: net.cidr_is_valid
The new built-in function allows checking if a string is a valid CIDR.
valid_cidr_example {
net.cidr_is_valid("192.168.0.0/24")
}Authored by @ricardomaraschini.
Tooling, SDK, and Runtime
-
opa build: exit with failure on empty signing key (#4972) authored by @Joffref reported by @caldwecr -
opa exec: add--failand--fail-definedflags (#5007) authored by @byronic reported by @phantlantis -
opa exec: convert slashes of explicit bundles (Windows) (#5134) reported by @peterchenadded -
opa test: check coverage limit range[0, 100](#5284) authored by @hzliangbin reported by @aholmis -
opa build+opa check: respect capabilities for parsing, i.e. future keywords (#5323) reported by @TheLunaticScripter -
opa bench --e2e: support providing OPA config (#4899) -
opa eval: new explain mode,--explain=debug, that includes unifcations in traces (authored by @jaspervdj) -
Decision logs: Allow rule-based dropping of decision log entries (#3945) authored by @mariusblarsen and @iamatwork
-
Decision Logs: Include the
req_idattribute in the decision logs (#5006) reported and authored by @humbertoc-silva -
Plugins: export OpenTelemetry TracerProvider for use in plugins (authored by @vinhph0906)
Compiler + Topdown
-
graph.reachable_path: fix issue with missing subpaths (#4666) authored by @fredallen-wk -
http.send: Ensureforce_cacheattribute ignoresDateheader (#4960) reported by @bartandacc -
with: Allow replacing functions with rules (#5299) -
Evaluation: Skip default functions in full extent (#5202) reported by @ericjkao
-
Evaluation: capture more cases of conflicts in function evaluation (#5272)
-
Rule Indexing: fix incorrect results from indexing
glob.matcheven if output is captured (#5283) -
Builtins: Refactor registration functions and signatures (authored by @philipaconrad)
-
Compiler: Speed up typechecker when working with Refs (authored by @philipaconrad)
-
Trace: add
UnifyOpto tracer events (authored by @jaspervdj)
Documentation
- Envoy Tutorial: use latest proxy_init (v8)
- Envoy Plugin: Add note about new config param to skip body parsing
- Policy Reference: Add
semverexamples - Contributing Code: Provide some tips for style fixes
Website + Ecosystem
- Website: Make "outdated version" banner red if looked-at version is ancient
- Ecosystem: Add CircleCI and Topaz
Miscellaneous
-
Code Cleanup:
- Don't use the deprecated
ioutilfunctions - Use
t.Setenvin tests - Use
t.TempDirto create temporary test directory (authored by @Juneezee) - Linters: add
unconvertandtenv
- Don't use the deprecated
-
internal/strvals: port helm strvals fix (CLI --set arguments), reported by @pjbgf, helm fix authored by @mattfarina
-
Wasm: Update README
-
Dependency bumps, notably:
- Golang: 1.19.2 -> 1.19.3
- golang.org/x/text 0.3.7 -> 0.4.0
- oras.land/oras-go 1.2.0 -> 1.2.1