This is a bug fix release addressing the following issues:
Runtime, Tooling, SDK
plugins/logs: Previously while passing the decision log plugins's status to the Status API, the plugin held the mutex while a status upload was in process. This had the potential to block new decisions from being written to the plugin's buffer. To avoid this situation, a local copy of plugin's status is created (#5966) authored by @ashutosh-narkar
download: Public docker repositories require an authorization handshake where the client needs to respond to challenges marked by the WWW-Authenticate header of a 401 Unauthorized response. Errors were returned when downloading a public image as it was assumed that authorization is not necessary for public repositories. This fix addresses this issue by challenging any 401 Unauthorized responses by passing it to the docker.Authorizer (#5902) authored by @DerGut
opa fmt: Fix panic encountered while processing policies with comprehensions written on multiple lines with comments in these lines (#5798) authored by @Trolloldem
Topdown and Rego
built-in function object.subset: Fix an issue in object.subset related to incorrect results being generated when arrays are provided as an input (#5968) authored by @DCRUNNN
planner: Fix the optimization check for overlapping ref rules (#5964) authored by @srenatus
v0.53.0
This release contains some enhancements, bugfixes, and a new builtin function.
Runtime, Tooling, SDK
status: Ensure Status plugin is correctly reconfigured to register or unregister Prometheus Collectors based on the state provided in OPA's active config (#5918) authored by @johanfylling
opa eval: Update OPA eval's --profile-sort flag description to highlight the valid options to sort the profile results (#5924) authored by @ecbenezra
opa fmt: Fix cases in which invalid code was generated due to parentheses being improperly handled (#5537) authored by @Trolloldem
rest: Allow users to configure the AWS STS domain when using Web Identity Credentials (#5915) authored by @johanfylling
status: Add an OPA environment information Gauge to Prometheus metrics to capture information like OPA version (#5852) authored by @jmoghisi
server: Add ability to configure Unix socket permissions if OPA is listening on a Unix socket (#5888) authored by @ashutosh-narkar
loader: Allow extensions to the loader package that provide ability to register handlers for certain file extensions. This feature is currently EXPERIMENTAL (#5940) authored by @srenatus
Topdown and Rego
New built-in function crypto.x509.parse_keypair: Returns a key pair from a pair of PEM or base64 encoded strings of data. See the documentation on the new built-in for all the details. (#5853) authored by @volck.
ast: Abort query evaluation if the compiler has errors. These errors will be exposed via the Status API if enabled (#5947) authored by @johanfylling
io.jwt.decode_verify: Fix issue where token verification succeeded in case where iss constraint was required but JWT did not contain it (#5850) authored by @AleksanderBrzozowski
wasm: Fix memory leaks in WASM when incrementally adding or removing data (#5785) and (#5901) authored by @ctelfer-sophos
http.send: Add a new option to the http.send input object which allows policy authors to specify a retry count for executing a HTTP request. Retries are performed with an exponential backoff delay (#5891) authored by @ashutosh-narkar
ast: Fix issue with _ matching only scalars in rule indexing for arrays (#5916) authored by @jaspervdj
rego: Allow for extending the Rego evaluation targets with plugins (#5939) authored by @srenatus
Miscellaneous
Add PITS Global Data Recovery Services to ADOPTERS.md (authored by @pheianox)
Avoid unnecessary byte/string conversion by using alternative functions/methods (#5944) authored by @Juneezee
This is a bug fix release addressing the following issues:
Runtime, Tooling, SDK
plugins/logs: Previously while passing the decision log plugins's status to the Status API, the plugin held the mutex while a status upload was in process. This had the potential to block new decisions from being written to the plugin's buffer. To avoid this situation, a local copy of plugin's status is created (#5966) authored by @ashutosh-narkar
download: Public docker repositories require an authorization handshake where the client needs to respond to challenges marked by the WWW-Authenticate header of a 401 Unauthorized response. Errors were returned when downloading a public image as it was assumed that authorization is not necessary for public repositories. This fix addresses this issue by challenging any 401 Unauthorized responses by passing it to the docker.Authorizer (#5902) authored by @DerGut
opa fmt: Fix panic encountered while processing policies with comprehensions written on multiple lines with comments in these lines (#5798) authored by @Trolloldem
Topdown and Rego
built-in function object.subset: Fix an issue in object.subset related to incorrect results being generated when arrays are provided as an input (#5968) authored by @DCRUNNN
planner: Fix the optimization check for overlapping ref rules (#5964) authored by @srenatus
0.53.0
This release contains some enhancements, bugfixes, and a new builtin function.
Runtime, Tooling, SDK
status: Ensure Status plugin is correctly reconfigured to register or unregister Prometheus Collectors based on the state provided in OPA's active config (#5918) authored by @johanfylling
opa eval: Update OPA eval's --profile-sort flag description to highlight the valid options to sort the profile results (#5924) authored by @ecbenezra
opa fmt: Fix cases in which invalid code was generated due to parentheses being improperly handled (#5537) authored by @Trolloldem
rest: Allow users to configure the AWS STS domain when using Web Identity Credentials (#5915) authored by @johanfylling
status: Add an OPA environment information Gauge to Prometheus metrics to capture information like OPA version (#5852) authored by @jmoghisi
server: Add ability to configure Unix socket permissions if OPA is listening on a Unix socket (#5888) authored by @ashutosh-narkar
loader: Allow extensions to the loader package that provide ability to register handlers for certain file extensions. This feature is currently EXPERIMENTAL (#5940) authored by @srenatus
Topdown and Rego
New built-in function crypto.x509.parse_keypair: Returns a key pair from a pair of PEM or base64 encoded strings of data. See the documentation on the new built-in for all the details. (#5853) authored by @volck.
ast: Abort query evaluation if the compiler has errors. These errors will be exposed via the Status API if enabled (#5947) authored by @johanfylling
io.jwt.decode_verify: Fix issue where token verification succeeded in case where iss constraint was required but JWT did not contain it (#5850) authored by @AleksanderBrzozowski
wasm: Fix memory leaks in WASM when incrementally adding or removing data (#5785) and (#5901) authored by @ctelfer-sophos
http.send: Add a new option to the http.send input object which allows policy authors to specify a retry count for executing a HTTP request. Retries are performed with an exponential backoff delay (#5891) authored by @ashutosh-narkar
ast: Fix issue with _ matching only scalars in rule indexing for arrays (#5916) authored by @jaspervdj
rego: Allow for extending the Rego evaluation targets with plugins (#5939) authored by @srenatus
Miscellaneous
Add PITS Global Data Recovery Services to ADOPTERS.md (authored by @pheianox)
Avoid unnecessary byte/string conversion by using alternative functions/methods (#5944) authored by @Juneezee
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/open-policy-agent/opa from 0.28.0 to 0.53.1.
Release notes
Sourced from github.com/open-policy-agent/opa's releases.
... (truncated)
Changelog
Sourced from github.com/open-policy-agent/opa's changelog.
... (truncated)
Commits
947d65b
Prepare v0.53.1 releasee861bba
planner: adjust check introduced in #5839 (#5965)3282e91
fix: Fixing the issue of the object.subset method failing to correctly compar...59e1ac0
fmt:fixfmt
panic in comprehension with comments276d8bf
download: Pass request to docker.Authorizerfaa5e46
plugins/logs: Make a local copy of plugin's status5017e8c
Prepare v0.53.0 release6109e6a
Aborting query-eval if the compiler has errors (#5949)d3811e2
fix: CVE-2022-3517 (#5941)dfe947a
build(deps): bump oras.land/oras-go/v2 from 2.1.0 to 2.2.0 (#5952)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)