rego-v1: Future-proofing sdk pkg tests to be 1.0 compatible (#7027)

Signed-off-by: Johan Fylling <[email protected]>

sdk/opa.go

@@ -39,17 +39,17 @@ import (
 // OPA represents an instance of the policy engine. OPA can be started with
 // several options that control configuration, logging, and lifecycle.
 type OPA struct {
-	id           string
-	state        *state
-	mtx          sync.Mutex
-	logger       logging.Logger
-	console      logging.Logger
-	plugins      map[string]plugins.Factory
-	store        storage.Store
-	hooks        hooks.Hooks
-	config       []byte
-	v1Compatible bool
-	managerOpts  []func(*plugins.Manager)
+	id          string
+	state       *state
+	mtx         sync.Mutex
+	logger      logging.Logger
+	console     logging.Logger
+	plugins     map[string]plugins.Factory
+	store       storage.Store
+	hooks       hooks.Hooks
+	config      []byte
+	regoVersion ast.RegoVersion
+	managerOpts []func(*plugins.Manager)
 }
 
 type state struct {
@@ -89,9 +89,13 @@ func New(ctx context.Context, opts Options) (*OPA, error) {
 	opa.logger = opts.Logger
 	opa.console = opts.ConsoleLogger
 	opa.plugins = opts.Plugins
-	opa.v1Compatible = opts.V1Compatible
 	opa.managerOpts = opts.ManagerOpts
 
+	opa.regoVersion = opts.RegoVersion
+	if opts.V1Compatible {
+		opa.regoVersion = ast.RegoV1
+	}
+
 	return opa, opa.configure(ctx, opa.config, opts.Ready, opts.block)
 }
 
@@ -137,13 +141,12 @@ func (opa *OPA) configure(ctx context.Context, bs []byte, ready chan struct{}, b
 		plugins.Info(info),
 		plugins.Logger(opa.logger),
 		plugins.ConsoleLogger(opa.console),
+		plugins.WithParserOptions(ast.ParserOptions{RegoVersion: opa.regoVersion}),
 		plugins.EnablePrintStatements(opa.logger.GetLevel() >= logging.Info),
 		plugins.PrintHook(loggingPrintHook{logger: opa.logger}),
 		plugins.WithHooks(opa.hooks),
 	}
-	if opa.v1Compatible {
-		opts = append(opts, plugins.WithParserOptions(ast.ParserOptions{RegoVersion: ast.RegoV1}))
-	}
+
 	opts = append(opts, opa.managerOpts...)
 	manager, err := plugins.New(
 		bs,

sdk/opa_test.go

@@ -332,12 +332,13 @@ func TestDecisionWithStrictBuiltinErrors(t *testing.T) {
 		sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
 			"main.rego": `
 package example
+import rego.v1
 
-erroring_function(number) = output {
+erroring_function(number) = output if {
 	output := number / 0
 }
 
-allow {
+allow if {
 	erroring_function(1)
 }
 `,
@@ -394,8 +395,9 @@ func TestDecisionWithTrace(t *testing.T) {
 		sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
 			"main.rego": `
 package system
+import rego.v1
 
-main {
+main if {
 	trace("foobar")
 	true
 }
@@ -820,8 +822,9 @@ func TestPartial(t *testing.T) {
 		sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
 			"main.rego": `
 package test
+import rego.v1
 
-allow {
+allow if {
 	data.junk.x = input.y
 }
 `,
@@ -899,12 +902,13 @@ func TestPartialWithStrictBuiltinErrors(t *testing.T) {
 		sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
 			"main.rego": `
 package example
+import rego.v1
 
-erroring_function(number) = output {
+erroring_function(number) = output if {
 	output := number / 0
 }
 
-allow {
+allow if {
 	erroring_function(1)
 }
 `,
@@ -970,8 +974,9 @@ func TestPartialWithTrace(t *testing.T) {
 		sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
 			"main.rego": `
 package system
+import rego.v1
 
-main {
+main if {
 	trace("foobar")
 }
 `,
@@ -1051,8 +1056,9 @@ func TestPartialWithMetrics(t *testing.T) {
 		sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
 			"main.rego": `
 package test
+import rego.v1
 
-allow {
+allow if {
 	data.junk.x = input.y
 }
 `,
@@ -1135,8 +1141,9 @@ func TestPartialWithInstrumentationAndProfile(t *testing.T) {
 		sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
 			"main.rego": `
 package test
+import rego.v1
 
-allow {
+allow if {
 	data.junk.x = input.y
 }
 `,
@@ -1240,8 +1247,9 @@ func TestPartialWithProvenance(t *testing.T) {
 		sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
 			"main.rego": `
 package test
+import rego.v1
 
-allow {
+allow if {
 	data.junk.x = input.y
 }
 `,
@@ -1315,8 +1323,9 @@ func TestPartialWithConfigurableID(t *testing.T) {
 		sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
 			"main.rego": `
 package test
+import rego.v1
 
-allow {
+allow if {
 	data.junk.x = input.y
 }
 `,
@@ -1520,10 +1529,11 @@ loopback = input
 `,
 			"log.rego": `
 package system.log
+import rego.v1
 
-mask["/input/secret"]
-mask["/input/top/secret"]
-mask["/input/dossier/1/highly"]
+mask contains "/input/secret"
+mask contains "/input/top/secret"
+mask contains "/input/dossier/1/highly"
 `,
 		}),
 	)
@@ -2041,6 +2051,7 @@ main := v { v := 7 }`,
 				Logger:       logger,
 				Ready:        readyCh,
 				Config:       strings.NewReader(c),
+				RegoVersion:  ast.RegoV0,
 				V1Compatible: tc.v1Compatible,
 			})
 			if err != nil {
@@ -2199,6 +2210,7 @@ bundles:
 					Logger:       logger,
 					Ready:        readyCh,
 					Config:       strings.NewReader(c),
+					RegoVersion:  ast.RegoV0,
 					V1Compatible: tc.v1Compatible,
 				})
 				if err != nil {
@@ -2594,19 +2606,20 @@ func TestOpaRuntimeEnvironmentVariableDefinedInOS(t *testing.T) {
 		sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
 			"main.rego": `
 package system
+import rego.v1
 
 rt := opa.runtime()
 
-grant {
+grant if {
 	authenticatedUser
 }
 
-claims := payload {
+claims := payload if {
 	io.jwt.verify_hs256(input.token, opa.runtime().env.TOKEN_VERIFY_KEY)
 	[_, payload, _] := io.jwt.decode(input.token)
 }
 
-authenticatedUser := a {
+authenticatedUser := a if {
 	claims
 	a := count(claims) > 0
 }
@@ -2659,19 +2672,20 @@ func TestOpaRuntimeEnvironmentVariableDefinedInConfig(t *testing.T) {
 		sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
 			"main.rego": `
 package system
+import rego.v1
 
 rt := opa.runtime()
 
-grant {
+grant if {
 	authenticatedUser
 }
 
-claims := payload {
+claims := payload if {
 	io.jwt.verify_hs256(input.token, opa.runtime().config.env.TOKEN_VERIFY_KEY)
 	[_, payload, _] := io.jwt.decode(input.token)
 }
 
-authenticatedUser := a {
+authenticatedUser := a if {
 	claims
 	a := count(claims) > 0
 }
@@ -2724,13 +2738,16 @@ func TestPrintStatements(t *testing.T) {
 
 	ctx := context.Background()
 
-	s := sdktest.MustNewServer(sdktest.MockBundle("/bundles/b.tar.gz", map[string]string{
-		"x.rego": `
+	s := sdktest.MustNewServer(
+		sdktest.RawBundles(true), // non-raw bundles will be compiled server-side, which will change print location depending on parser rego-version (v1 drops rego.v1 import).
+		sdktest.MockBundle("/bundles/b.tar.gz", map[string]string{
+			"x.rego": `
 package foo
+import rego.v1
 
-p { print("XXX") }
+p if { print("XXX") }
 `,
-	}))
+		}))
 
 	defer s.Stop()
 
@@ -2771,7 +2788,7 @@ p { print("XXX") }
 
 	e := entries[len(entries)-1]
 
-	if e.Message != "XXX" || e.Fields["line"].(string) != "/x.rego:4" {
+	if e.Message != "XXX" || e.Fields["line"].(string) != "/x.rego:5" {
 		t.Fatal("expected print output but got:", e)
 	}
 }

sdk/options.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"
 
+	"github.com/open-policy-agent/opa/ast"
 	"github.com/sirupsen/logrus"
 
 	"github.com/open-policy-agent/opa/hooks"
@@ -60,6 +61,10 @@ type Options struct {
 	// See https://www.openpolicyagent.org/docs/latest/opa-1/ for more information.
 	V1Compatible bool
 
+	// RegoVersion sets the version of the Rego language to use.
+	// If V1Compatible is set to true, this field is ignored and the Rego version is set to RegoV1.
+	RegoVersion ast.RegoVersion
+
 	// ManagerOpts allows customization of the plugin manager.
 	// The given options get appended to the list of options already provided by the SDK and eventually
 	// overriding them.