---
- branch: MAIN
  date: Wed Apr 5 09:23:33 UTC 2023
  files:
    - new: '1.24'
      old: '1.23'
      path: pkgsrc/devel/opa/Makefile
      pathrev: pkgsrc/devel/opa/Makefile@1.24
      type: modified
    - new: '1.12'
      old: '1.11'
      path: pkgsrc/devel/opa/distinfo
      pathrev: pkgsrc/devel/opa/distinfo@1.12
      type: modified
    - new: '1.12'
      old: '1.11'
      path: pkgsrc/devel/opa/go-modules.mk
      pathrev: pkgsrc/devel/opa/go-modules.mk@1.12
      type: modified
  id: 20230405T092333Z.39aa202ea227c930920ee05d8689a9ce1074ad1e
  log: |
    opa: Update to 0.51.0

    Changes:

    0.51.0
    ------

    This release contains improvements to monitoring and an assortment of fixes and improvements.

    ### Monitoring

    #### Surface unauthorized request count from OPA HTTP API authz handler via Status API

    Currently when OPA's HTTP server rejects requests per the authz policy this is not accounted for via the management APIs. This change adds that count in the metric registry that is part of the Status API for more visibility.

    #### Surface more decision log errors via Status API

    Previously in 5732 we updated the decision log plugin to surface errors via the Status API. However, in that change certain events like encoder errors and log drops due to buffer size limits had no metrics associated with them. This change adds more metrics for these events so that they can be surfaced via the Status API.

    #### Include truncated HTTP response in logs

    This change updates the client debug log to include the full HTTP response in case of non-200 status codes. Recording the response in the logs can help to provide more information to debug error scenarios.

    ### Topdown and Rego

    - Wasm: Add native support for `object.union_n` built-in function (authored by @Azanul)

    ### Fixes

    - ast: Properly set the reported location of unused variables in strict-mode errors.
    - fmt: report wrong arity for built-in functions.
    - topdown: http.send(): Ensuring intra-query caching consistency.
    - Performance improvements to decision logging. Specifically, by removing superfluous json encoding roundtrip and double work in AST conversion of to-be-logged events.

    0.50.2
    ------

    This is a bug fix release that addresses a regression in 0.50.1. This regression impacts policies with rules that, as their else-value, assign a comprehension containing variables. Such rules would cause the compilation of the policy to fail with a `rego_unsafe_var_error` error.

    0.50.1
    ------

    This is a bug fix release addressing the following issues:

    ### Fixes

    - ast/compile: Guard recursive module equality check. Resolves a performance regression when using large bundles.
    - ast: Relaxing strict-mode check for unused args in else-branching functions

    ### Miscellaneous

    - Use normalized policy paths as compiler module keys and store IDs. Resolves an issue with bundle loading on Windows.

    0.50.0
    ------

    This release contains a mix of new features, bugfixes, security fixes, optimizations and build updates related to OPA's published images.

    ### New Built-in Functions: JSON Schema Verification and Validation

    These new built-in functions add functionality to verify and validate JSON Schema:

    - `json.verify_schema`: Checks that the input is a valid JSON schema object
    - `json.match_schema`: Checks that the document matches the JSON schema

    ### Annotations scoped to `package` carry across modules

    `package` scoped schema annotations are now applied across modules instead of only local to the module where it's declared. This change may cause compile-time errors and behavioural changes to type checking when the `schemas` annotation is used, and to rules calling the `rego.metadata.chain()` built-in function:

    - Existing projects with the same package declared in multiple files will trigger a `rego_type_error: package annotation redeclared` error _if_ two or more of these are annotated with the `package` scope.
    - If using the `package` scope, the `schemas` annotation will be applied to type checking also for rules declared in another file than the annotation declaration, as long as the package is the same.
    - The chain of metadata returned by the `rego.metadata.chain()` built-in function will now contain an entry for the package even if the annotations are declared in another file, if the scope is `package`.

    ### Remote bundle URL shorthand for `run` command

    To load a remote bundle using `opa run`, the `set` directive can be provided multiple times as shown below:

    ```
    $ opa run -s --set "services.default.url=https://example.com" \
        --set "bundles.example.service=default" \
        --set "bundles.example.resource=/bundles/bundle.tar.gz" \
        --set "bundles.example.persist=true"
    ```

    The following command can be used as a shorthand to easily start OPA with a remote bundle:

    ```
    $ opa run -s https://example.com/bundles/bundle.tar.gz
    ```

    ### Performance Improvements for `json.patch` Built-in Function

    Performance improvements in `json.patch` were achieved with the introduction of a new `EditTree` data structure, which is built for applying in-place modifications to an `ast.Term`, and can render the final result of all edits efficiently by applying all patches in a JSON-Patch sequence rapidly, and then collapsing all edits at the end with minimal wasted `ast.Term` copying.

    ### Surface decision log errors via status API

    Errors encountered during decision log uploads will now be surfaced via the Status API in addition to being logged. This functionality should give users greater visibility into any issues OPA may face while processing, uploading logs etc.

    ### Runtime, Tooling, SDK

    - server: Support compression of response payloads if HTTP client supports it
    - bundle: Ensure the bundle resulting from merging a set of bundles does not contain `nil` data
    - repl: Use lowercase for repl commands only and keep any provided arguments as-is
    - metrics: New endpoint `/metrics/alloc_bytes` to show OPA's memory utilization
    - server: When using OPA TLS authorization, authz policy authors will now have access to the client certificates presented as part of the TLS connection. This new data will be available under the key `client_certificates`
    - server: Use streaming implementation of json.Decode rather than using an intermediate buffer for the incoming request

    ### Topdown and Rego

    - ast: Extend compiler `strict` mode check to include unused arguments. This change may cause compile-time errors for policies that have unused arguments in the scope when the `strict` mode is enabled. These variables could be replaced with `_` (wildcard) or get cleaned up if they are not intended to be used in the body of the functions.
    - ast: Respect inlined `schemas` annotations even if `--schema` flag isn't used
    - ast: Force type-checker to respect `allow_net` capability when fetching remote schemas
    - ast/parse: Provide custom parsing options that allow location information of AST nodes to be included in their JSON representation. This location information can be used by tools that work with the OPA AST
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/devel/opa'
  unixtime: '1680686613'
  user: leot