Merge branch 'main' into rego-v1/build_tag

open-policy-agent · Nov 21, 2024 · 4e96509 · 4e96509
2 parents 4d29b44 + 5601b55
commit 4e96509
Show file tree

Hide file tree

Showing 12 changed files with 626 additions and 137 deletions.
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -113,7 +113,7 @@ jobs:
       # Equivalent to:
       # $ trivy image openpolicyagent/opa:edge-static
       - name: Run Trivy scan on image
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
         with:
           image-ref: 'openpolicyagent/opa:edge-static'
           format: table
@@ -143,7 +143,7 @@ jobs:
       # Equivalent to:
       # $ trivy fs .
       - name: Run Trivy scan on repo
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
         with:
           scan-type: fs
           format: table

diff --git a/cmd/run_test.go b/cmd/run_test.go
@@ -237,6 +237,115 @@ func TestInitRuntimeSkipKnownSchemaCheck(t *testing.T) {
 	})
 }
 
+func TestRunServerUploadPolicy(t *testing.T) {
+	v0Policy := `package test
+	p { q["a"] }
+	q[x] {
+		x = "a"
+	}`
+
+	v1Policy := `package test
+	p if { q["a"] }
+	q contains x if {
+		x = "a"
+	}`
+
+	tests := []struct {
+		note         string
+		v0Compatible bool
+		v1Compatible bool
+		module       string
+		expErr       bool
+	}{
+		{
+			note:         "v0-compatible, v0 policy",
+			v0Compatible: true,
+			v1Compatible: false,
+			module:       v0Policy,
+		},
+		{
+			note:         "v0-compatible, v1 policy",
+			v0Compatible: true,
+			v1Compatible: false,
+			module:       v1Policy,
+			expErr:       true,
+		},
+		{
+			note:         "v1-compatible, v0 policy",
+			v0Compatible: false,
+			v1Compatible: true,
+			module:       v0Policy,
+			expErr:       true,
+		},
+		{
+			note:         "v1-compatible, v1 policy",
+			v0Compatible: false,
+			v1Compatible: true,
+			module:       v1Policy,
+		},
+		{
+			note:         "v0-compatible, v1-compatible, v0 policy",
+			v0Compatible: true,
+			v1Compatible: true,
+			module:       v0Policy,
+		},
+		{
+			note:         "v0-compatible, v1-compatible, v1 policy",
+			v0Compatible: true,
+			v1Compatible: true,
+			module:       v1Policy,
+			expErr:       true,
+		},
+	}
+
+	for i, tc := range tests {
+		t.Run(tc.note, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+
+			params := newTestRunParams()
+			params.rt.V0Compatible = tc.v0Compatible
+			params.rt.V1Compatible = tc.v1Compatible
+
+			rt, err := initRuntime(ctx, params, nil, false)
+			if err != nil {
+				t.Fatalf("Unexpected error: %v", err)
+			}
+
+			testRuntime := e2e.WrapRuntime(ctx, cancel, rt)
+
+			done := make(chan bool)
+			go func() {
+				err := rt.Serve(ctx)
+				if err != nil {
+					t.Errorf("Unexpected error: %s", err)
+				}
+				done <- true
+			}()
+
+			err = testRuntime.WaitForServer()
+			if err != nil {
+				t.Fatalf("Unexpected error: %s", err)
+			}
+
+			// upload policy
+			err = testRuntime.UploadPolicy(fmt.Sprintf("mod%d", i), bytes.NewBufferString(tc.module))
+
+			if tc.expErr {
+				if err == nil {
+					t.Fatalf("Expected error but got nil")
+				}
+			} else {
+				if err != nil {
+					t.Fatalf("Unexpected error: %s", err)
+				}
+			}
+
+			cancel()
+			<-done
+		})
+	}
+}
+
 func TestRunServerCheckLogTimestampFormat(t *testing.T) {
 	for _, format := range []string{time.Kitchen, time.RFC3339Nano} {
 		t.Run(format, func(t *testing.T) {

diff --git a/debug/debugger.go b/debug/debugger.go
@@ -25,6 +25,7 @@ import (
 	"github.com/open-policy-agent/opa/storage/inmem"
 	"github.com/open-policy-agent/opa/topdown"
 	prnt "github.com/open-policy-agent/opa/topdown/print"
+	"github.com/open-policy-agent/opa/util"
 )
 
 // Debugger is the interface for launching OPA debugger Session(s).
@@ -350,7 +351,7 @@ func (d *debugger) LaunchEval(ctx context.Context, props LaunchEvalProperties, o
 	return s, nil
 }
 
-func readInput(path string) (interface{}, error) {
+func readInput(path string) (any, error) {
 	path, err := fileurl.Clean(path)
 	if err != nil {
 		return nil, err
@@ -361,8 +362,8 @@ func readInput(path string) (interface{}, error) {
 		return nil, err
 	}
 
-	var input interface{}
-	if err := json.Unmarshal(data, &input); err != nil {
+	var input any
+	if err := util.Unmarshal(data, &input); err != nil {
 		return nil, err
 	}
 

diff --git a/debug/debugger_test.go b/debug/debugger_test.go
@@ -570,6 +570,93 @@ p if {
 	})
 }
 
+func TestFiles(t *testing.T) {
+	ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(10*time.Second))
+	defer cancel()
+
+	files := map[string]string{
+		"mod.rego": `package test
+import rego.v1
+
+p if {
+	input.foo == "a"
+	input.bar == "b"
+	data.baz == "c"
+	data.qux == "d"
+}
+`,
+		"input.json": `{
+	"foo": "a",
+	"bar": "b"
+}`,
+		"input.yaml": `
+foo: a
+bar: b
+`,
+		"data.json": `{
+	"baz": "c",
+	"qux": "d"
+}`,
+		"data.yaml": `
+baz: c
+qux: d
+`,
+	}
+
+	for _, ext := range []string{"json", "yaml"} {
+		t.Run(ext, func(t *testing.T) {
+			test.WithTempFS(files, func(rootDir string) {
+				eh := newTestEventHandler()
+				d := NewDebugger(SetEventHandler(eh.HandleEvent))
+
+				launchProps := LaunchEvalProperties{
+					LaunchProperties: LaunchProperties{
+						DataPaths: []string{
+							path.Join(rootDir, "mod.rego"),
+							path.Join(rootDir, fmt.Sprintf("data.%s", ext)),
+						},
+						EnablePrint: true,
+					},
+					Query:     "x = data.test.p",
+					InputPath: path.Join(rootDir, fmt.Sprintf("input.%s", ext)),
+				}
+
+				s, err := d.LaunchEval(ctx, launchProps)
+				if err != nil {
+					t.Fatalf("Unexpected error launching debgug session: %v", err)
+				}
+
+				if err := s.ResumeAll(); err != nil {
+					t.Fatalf("Unexpected error resuming threads: %v", err)
+				}
+
+				// result output
+				exp := `[
+  {
+    "expressions": [
+      {
+        "value": true,
+        "text": "x = data.test.p",
+        "location": {
+          "row": 1,
+          "col": 1
+        }
+      }
+    ],
+    "bindings": {
+      "x": true
+    }
+  }
+]`
+				e := eh.WaitFor(ctx, StdoutEventType)
+				if e.Message != exp {
+					t.Fatalf("Expected message to be:\n\n%s\n\ngot:\n\n%s", exp, e.Message)
+				}
+			})
+		})
+	}
+}
+
 func topOfStack(t *testing.T, s Session) *stackFrame {
 	t.Helper()
 	stk, err := s.StackTrace(ThreadID(1))

diff --git a/docs/content/configuration.md b/docs/content/configuration.md
@@ -772,6 +772,7 @@ included in the actual bundle gzipped tarball.
 | `status.partition_name` | `string` | No | Path segment to include in status updates. |
 | `status.console` | `boolean` | No (default: `false`) | Log the status updates locally to the console. When enabled alongside a remote status update API the `service` must be configured, the default `service` selection will be disabled. |
 | `status.prometheus` | `boolean` | No (default: `false`) | Export the status (bundle and plugin) metrics to prometheus (see [the monitoring documentation](../monitoring/#prometheus)). When enabled alongside a remote status update API the `service` must be configured, the default `service` selection will be disabled. |
+| `status.prometheus_config.collectors.bundle_loading_duration_ns.buckets` | `[]float64` | No, (Only use when status.prometheus true, default: [1000, 2000, 4000, 8000, 16_000, 32_000, 64_000, 128_000, 256_000, 512_000, 1_024_000, 2_048_000, 4_096_000, 8_192_000, 16_384_000, 32_768_000, 65_536_000, 131_072_000, 262_144_000, 524_288_000]) | Specifies the buckets for the `bundle_loading_duration_ns` metric. Each value is a float, it is expressed in nanoseconds. |
 | `status.plugin` | `string` | No | Use the named plugin for status updates. If this field exists, the other configuration fields are not required. |
 | `status.trigger` | `string`  (default: `periodic`) | No | Controls how status updates are reported to the remote server. Allowed values are `periodic` and `manual` (`manual` triggers are only possible when using OPA as a Go package). |
 

diff --git a/docs/content/management-status.md b/docs/content/management-status.md
@@ -297,6 +297,10 @@ Example of minimal config to enable:
 ```yaml
 status:
     prometheus: true
+    prometheus_config:
+      collectors:
+        bundle_loading_duration_ns:
+          buckets: [1, 1000, 10_000, 1e8]
 ```
 
 When enabled the OPA instance's Prometheus endpoint exposes the metrics described on [the monitoring documentation](../monitoring/#status-metrics).