From 1f5882f09f07405c57deea481efe32a69e01a557 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Sat, 11 Jan 2025 09:38:53 +0000
Subject: [PATCH 1/2] Upgrade to OPA v1
Signed-off-by: Sorin Dumitru
---
 go.mod | 15 +++---
 go.sum | 50 ++++++++++---------
 .../api/middleware/authorization_test.go | 2 +-
 pkg/server/authpolicy/defaults.go | 4 +-
 pkg/server/authpolicy/policy.go | 10 ++--
 pkg/server/authpolicy/policy_test.go | 4 +-
 6 files changed, 45 insertions(+), 40 deletions(-)
diff --git a/go.mod b/go.mod
index b5182f4059..7151464806 100644
--- a/go.mod
+++ b/go.mod
@@ -64,7 +64,7 @@ require (
 github.com/lib/pq v1.10.9
 github.com/mattn/go-sqlite3 v1.14.24
 github.com/mitchellh/cli v1.1.5
- github.com/open-policy-agent/opa v0.70.0
+ github.com/open-policy-agent/opa v1.0.0
 github.com/prometheus/client_golang v1.20.5
 github.com/shirou/gopsutil/v4 v4.24.12
 github.com/sigstore/cosign/v2 v2.4.1
@@ -156,7 +156,7 @@ require (
 github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 github.com/fatih/color v1.16.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
- github.com/fsnotify/fsnotify v1.7.0 // indirect
+ github.com/fsnotify/fsnotify v1.8.0 // indirect
 github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 github.com/go-chi/chi v4.1.2+incompatible // indirect
 github.com/go-ini/ini v1.67.0 // indirect
@@ -283,15 +283,16 @@ require (
 github.com/yusufpapurcu/wmi v1.2.4 // indirect
 go.mongodb.org/mongo-driver v1.14.0 // indirect
 go.opencensus.io v0.24.0 // indirect
+ go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 go.opentelemetry.io/contrib/detectors/gcp v1.31.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
- go.opentelemetry.io/otel v1.31.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
+ go.opentelemetry.io/otel v1.33.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0 // indirect
- go.opentelemetry.io/otel/metric v1.31.0 // indirect
- go.opentelemetry.io/otel/sdk v1.31.0 // indirect
+ go.opentelemetry.io/otel/metric v1.33.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.33.0 // indirect
 go.opentelemetry.io/otel/sdk/metric v1.31.0 // indirect
- go.opentelemetry.io/otel/trace v1.31.0 // indirect
+ go.opentelemetry.io/otel/trace v1.33.0 // indirect
 go.uber.org/atomic v1.11.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.0 // indirect
diff --git a/go.sum b/go.sum
index a2aa58864b..8d62344eea 100644
--- a/go.sum
+++ b/go.sum
@@ -779,8 +779,8 @@ github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7z
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa h1:RDBNVkRviHZtvDvId8XSGPu3rmpmSe+wKRcEWNgsfWU=
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
@@ -1026,8 +1026,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 h1:TmHmbvxPmaegwhDubVz0lICL0J5Ka2vwTzhoePEXsGE=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0/go.mod h1:qztMSjm835F2bXf+5HKAPIS5qsmQDqZna/PgVt4rWtI=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -1258,8 +1258,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
 github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
 github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/open-policy-agent/opa v0.70.0 h1:B3cqCN2iQAyKxK6+GI+N40uqkin+wzIrM7YA60t9x1U=
-github.com/open-policy-agent/opa v0.70.0/go.mod h1:Y/nm5NY0BX0BqjBriKUiV81sCl8XOjjvqQG7dXrggtI=
+github.com/open-policy-agent/opa v1.0.0 h1:fZsEwxg1knpPvUn0YDJuJZBcbVg4G3zKpWa3+CnYK+I=
+github.com/open-policy-agent/opa v1.0.0/go.mod h1:+JyoH12I0+zqyC1iX7a2tmoQlipwAEGvOhVJMhmy+rM=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -1324,8 +1324,8 @@ github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa
 github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
@@ -1489,34 +1489,36 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/detectors/gcp v1.31.0 h1:G1JQOreVrfhRkner+l4mrGxmfqYCAuy76asTDAo0xsA=
 go.opentelemetry.io/contrib/detectors/gcp v1.31.0/go.mod h1:tzQL6E1l+iV44YFTkcAeNQqzXUiekSYP9jjJjXwEd00=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 h1:r6I7RJCN86bpD/FQwedZ0vSixDpwuWREjW9oRMsmqDc=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0/go.mod h1:B9yO6b04uB80CzjedvewuqDhxJxi11s7/GtiGa8bAjI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
-go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY=
-go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
+go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw=
+go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 h1:Vh5HayB/0HHfOQA7Ctx69E/Y/DcQSMPpKANYVMQ7fBA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 h1:5pojmb1U1AogINhN3SurB+zm/nIcusopeBNp42f45QM=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0/go.mod h1:57gTHJSE5S1tqg+EKsLPlTWhpHMsWlVmer+LA926XiA=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0 h1:FyjCyI9jVEfqhUh2MoSkmolPjfh5fp2hnV0b0irxH4Q=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0/go.mod h1:hYwym2nDEeZfG/motx0p7L7J1N1vyzIThemQsb4g2qY=
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 h1:WDdP9acbMYjbKIyJUhTvtzj601sVJOqgWdUxSdR/Ysc=
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0/go.mod h1:BLbf7zbNIONBLPwvFnwNHGj4zge8uTCM/UPIVW1Mq2I=
-go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE=
-go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY=
-go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk=
-go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0=
+go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ=
+go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M=
+go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM=
+go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM=
 go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc=
 go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8=
-go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys=
-go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A=
+go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s=
+go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
-go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
-go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg=
+go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY=
 go.step.sm/crypto v0.54.2 h1:3LSA5nYDQvcd484OSx7xsS3XDqQ7/WZjVqvq0+a0fWc=
 go.step.sm/crypto v0.54.2/go.mod h1:1+OjUozd5aA3TkBJfr5Aobd6vNt9F70n1DagcoBh3Pc=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
diff --git a/pkg/server/api/middleware/authorization_test.go b/pkg/server/api/middleware/authorization_test.go
index 879a5dd644..c36d000394 100644
--- a/pkg/server/api/middleware/authorization_test.go
+++ b/pkg/server/api/middleware/authorization_test.go
@@ -10,7 +10,7 @@ import (
 "net/url"
 "testing"
- "github.com/open-policy-agent/opa/storage/inmem"
+ "github.com/open-policy-agent/opa/v1/storage/inmem"
 "github.com/sirupsen/logrus/hooks/test"
 "github.com/spiffe/go-spiffe/v2/spiffeid"
 "github.com/spiffe/spire-api-sdk/proto/spire/api/types"
diff --git a/pkg/server/authpolicy/defaults.go b/pkg/server/authpolicy/defaults.go
index 07120b597b..1a62f8df78 100644
--- a/pkg/server/authpolicy/defaults.go
+++ b/pkg/server/authpolicy/defaults.go
@@ -4,8 +4,8 @@ import (
 "context"
 _ "embed"
- "github.com/open-policy-agent/opa/storage/inmem"
- "github.com/open-policy-agent/opa/util"
+ "github.com/open-policy-agent/opa/v1/storage/inmem"
+ "github.com/open-policy-agent/opa/v1/util"
 )
 var (
diff --git a/pkg/server/authpolicy/policy.go b/pkg/server/authpolicy/policy.go
index 7ca2a38c20..d642b50bca 100644
--- a/pkg/server/authpolicy/policy.go
+++ b/pkg/server/authpolicy/policy.go
@@ -6,10 +6,11 @@ import (
 "fmt"
 "os"
- "github.com/open-policy-agent/opa/rego"
- "github.com/open-policy-agent/opa/storage"
- "github.com/open-policy-agent/opa/storage/inmem"
- "github.com/open-policy-agent/opa/util"
+ "github.com/open-policy-agent/opa/v1/ast"
+ "github.com/open-policy-agent/opa/v1/rego"
+ "github.com/open-policy-agent/opa/v1/storage"
+ "github.com/open-policy-agent/opa/v1/storage/inmem"
+ "github.com/open-policy-agent/opa/v1/util"
 )
 const (
@@ -109,6 +110,7 @@ func NewEngineFromRego(ctx context.Context, regoPolicy string, dataStore storage
 rego.Package("spire"),
 rego.Module("spire.rego", regoPolicy),
 rego.Store(dataStore),
+ rego.SetRegoVersion(ast.RegoV0),
 )
 pr, err := rego.PartialResult(ctx)
 if err != nil {
diff --git a/pkg/server/authpolicy/policy_test.go b/pkg/server/authpolicy/policy_test.go
index dc91d0dfb5..3fd756d2b6 100644
--- a/pkg/server/authpolicy/policy_test.go
+++ b/pkg/server/authpolicy/policy_test.go
@@ -7,8 +7,8 @@ import (
 "path/filepath"
 "testing"
- "github.com/open-policy-agent/opa/storage/inmem"
- "github.com/open-policy-agent/opa/util"
+ "github.com/open-policy-agent/opa/v1/storage/inmem"
+ "github.com/open-policy-agent/opa/v1/util"
 "github.com/spiffe/spire/pkg/server/authpolicy"
 "github.com/stretchr/testify/require"
 )
From 4916ee21d96427a1398a55a390e413b12bd728b0 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Sat, 11 Jan 2025 10:16:20 +0000
Subject: [PATCH 2/2] Default to using rego v1 for OPA policies
Signed-off-by: Sorin Dumitru
---
 doc/spire_server.md | 9 +++++----
 pkg/server/api/middleware/authorization_test.go | 5 +++--
 pkg/server/authpolicy/defaults.go | 3 ++-
 pkg/server/authpolicy/policy.go | 12 +++++++++---
 pkg/server/authpolicy/policy.rego | 10 +++++-----
 pkg/server/authpolicy/policy_test.go | 9 +++++----
 6 files changed, 29 insertions(+), 19 deletions(-)
diff --git a/doc/spire_server.md b/doc/spire_server.md
index d3ea65efec..ea9a63cf87 100644
--- a/doc/spire_server.md
+++ b/doc/spire_server.md
@@ -109,10 +109,11 @@ This may be useful for templating configuration files, for example across differ
 |:-----------------------|---------------------------------------------------|---------|
 | `local` | Local OPA configuration for authorization policy. | |
-| auth_opa_policy_engine.local | Description | Default |
-|:------------------------------|----------------------------------------------------------|----------------|
-| `rego_path` | File to retrieve OPA rego policy for authorization. | |
-| `policy_data_path` | File to retrieve databindings for policy evaluation. | |
+| auth_opa_policy_engine.local | Description | Default |
+|:------------------------------|------------------------------------------------------------------------------|----------------|
+| `rego_path` | File to retrieve OPA rego policy for authorization. | |
+| `policy_data_path` | File to retrieve databindings for policy evaluation. | |
+| `use_rego_v0` | Use rego V0 when evaluating the policy. Will be removed in a future version. | false |
 ### Profiling Names
diff --git a/pkg/server/api/middleware/authorization_test.go b/pkg/server/api/middleware/authorization_test.go
index c36d000394..38fa43cb79 100644
--- a/pkg/server/api/middleware/authorization_test.go
+++ b/pkg/server/api/middleware/authorization_test.go
@@ -10,6 +10,7 @@ import (
 "net/url"
 "testing"
+ "github.com/open-policy-agent/opa/v1/ast"
 "github.com/open-policy-agent/opa/v1/storage/inmem"
 "github.com/sirupsen/logrus/hooks/test"
 "github.com/spiffe/go-spiffe/v2/spiffeid"
@@ -324,7 +325,7 @@ func TestWithAuthorizationPreprocess(t *testing.T) {
 tt := tt
 t.Run(tt.name, func(t *testing.T) {
 ctx := context.Background()
- policyEngine, err := authpolicy.NewEngineFromRego(ctx, tt.rego, inmem.NewFromObject(map[string]any{}))
+ policyEngine, err := authpolicy.NewEngineFromRego(ctx, tt.rego, inmem.NewFromObject(map[string]any{}), ast.RegoV1)
 require.NoError(t, err, "failed to initialize policy engine")
 // Set up an authorization middleware with one method.
@@ -490,7 +491,7 @@ func condCheckRego(cond string) string {
 }
 default allow = false
- allow=true {
+ allow=true if {
 %s
 }
 `
diff --git a/pkg/server/authpolicy/defaults.go b/pkg/server/authpolicy/defaults.go
index 1a62f8df78..ff43f6a892 100644
--- a/pkg/server/authpolicy/defaults.go
+++ b/pkg/server/authpolicy/defaults.go
@@ -4,6 +4,7 @@ import (
 "context"
 _ "embed"
+ "github.com/open-policy-agent/opa/v1/ast"
 "github.com/open-policy-agent/opa/v1/storage/inmem"
 "github.com/open-policy-agent/opa/v1/util"
 )
@@ -23,5 +24,5 @@ func DefaultAuthPolicy(ctx context.Context) (*Engine, error) {
 }
 store := inmem.NewFromObject(json)
- return NewEngineFromRego(ctx, defaultPolicyRego, store)
+ return NewEngineFromRego(ctx, defaultPolicyRego, store, ast.RegoV1)
 }
diff --git a/pkg/server/authpolicy/policy.go b/pkg/server/authpolicy/policy.go
index d642b50bca..f4e102115c 100644
--- a/pkg/server/authpolicy/policy.go
+++ b/pkg/server/authpolicy/policy.go
@@ -33,6 +33,7 @@ type OpaEngineConfig struct {
 type LocalOpaProviderConfig struct {
 RegoPath string `hcl:"rego_path"`
 PolicyDataPath string `hcl:"policy_data_path"`
+ UseRegoV0 bool `hcl:"use_rego_v0"`
 }
 // Input represents context associated with an access request.
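Review bot: The new `UseRegoV0` field in `LocalOpaProviderConfig` carries no comment, although the user-facing table this series adds to doc/spire_server.md describes it as a transitional switch that will be removed; a reader of the struct cannot tell that, nor that the zero value (false) now means the policy at `rego_path` is parsed as Rego v1. Suggest placing `// UseRegoV0 parses the policy at RegoPath with Rego v0 syntax instead of the v1 default; transitional, to be removed in a future version.` above the field. The struct fits within the hunk, but the config type that embeds it is outside this view.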
@@ -100,17 +101,22 @@ func newEngine(ctx context.Context, cfg *OpaEngineConfig) (*Engine, error) {
 store = inmem.NewFromObject(map[string]any{})
 }
- return NewEngineFromRego(ctx, string(module), store)
+ version := ast.RegoV1
+ if cfg.LocalOpaProvider.UseRegoV0 {
+ version = ast.RegoV0
+ }
+
+ return NewEngineFromRego(ctx, string(module), store, version)
 }
 // NewEngineFromRego is a helper to create the Engine object
-func NewEngineFromRego(ctx context.Context, regoPolicy string, dataStore storage.Store) (*Engine, error) {
+func NewEngineFromRego(ctx context.Context, regoPolicy string, dataStore storage.Store, version ast.RegoVersion) (*Engine, error) {
 rego := rego.New(
 rego.Query("data.spire.result"),
 rego.Package("spire"),
 rego.Module("spire.rego", regoPolicy),
 rego.Store(dataStore),
- rego.SetRegoVersion(ast.RegoV0),
+ rego.SetRegoVersion(version),
 )
 pr, err := rego.PartialResult(ctx)
 if err != nil {
diff --git a/pkg/server/authpolicy/policy.rego b/pkg/server/authpolicy/policy.rego
index b22e283576..52f7e46fce 100644
--- a/pkg/server/authpolicy/policy.rego
+++ b/pkg/server/authpolicy/policy.rego
@@ -32,7 +32,7 @@ default allow = false
 # Admin allow check
-allow_if_admin = true {
+allow_if_admin = true if {
 r := data.apis[_]
 r.full_method == input.full_method
@@ -40,7 +40,7 @@ allow_if_admin = true {
 }
 # Local allow check
-allow_if_local = true {
+allow_if_local = true if {
 r := data.apis[_]
 r.full_method == input.full_method
@@ -49,7 +49,7 @@ allow_if_local = true {
 # Downstream allow check
-allow_if_downstream = true {
+allow_if_downstream = true if {
 r := data.apis[_]
 r.full_method == input.full_method
@@ -58,7 +58,7 @@ allow_if_downstream = true {
 # Agent allow check
-allow_if_agent = true {
+allow_if_agent = true if {
 r := data.apis[_]
 r.full_method == input.full_method
@@ -66,7 +66,7 @@ allow_if_agent = true {
 }
 # Any allow check
-allow = true {
+allow = true if {
 r := data.apis[_]
 r.full_method == input.full_method
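Review bot: `newEngine` hands back the error from `NewEngineFromRego` unwrapped, so with the default flipped to `ast.RegoV1` an operator whose existing `rego_path` policy is still written in v0 syntax will presumably get a bare OPA parse or compile error from `rego.PartialResult` at startup, with nothing pointing at the new `use_rego_v0` switch. Refusing to start is the right outcome for an authorization policy, but the error should name the file and the migration knob, as in the excerpt below (`fmt` is already imported in this file). The doc comment on `NewEngineFromRego` also does not describe the new parameter; suggest `// NewEngineFromRego is a helper to create the Engine object. version selects the Rego syntax (ast.RegoV0 or ast.RegoV1) the policy is parsed with.` `newEngine` begins before this hunk and the body of `NewEngineFromRego` continues past it.
```go
	// … unchanged: version selection from cfg.LocalOpaProvider.UseRegoV0 …

	engine, err := NewEngineFromRego(ctx, string(module), store, version)
	if err != nil {
		// The v1 default rejects v0-syntax policies; point operators at the migration switch.
		return nil, fmt.Errorf("creating policy engine from %q (policies in rego v0 syntax need use_rego_v0 = true): %w", cfg.LocalOpaProvider.RegoPath, err)
	}
	return engine, nil
```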
diff --git a/pkg/server/authpolicy/policy_test.go b/pkg/server/authpolicy/policy_test.go
index 3fd756d2b6..30a23c5d20 100644
--- a/pkg/server/authpolicy/policy_test.go
+++ b/pkg/server/authpolicy/policy_test.go
@@ -7,6 +7,7 @@ import (
 "path/filepath"
 "testing"
+ "github.com/open-policy-agent/opa/v1/ast"
 "github.com/open-policy-agent/opa/v1/storage/inmem"
 "github.com/open-policy-agent/opa/v1/util"
 "github.com/spiffe/spire/pkg/server/authpolicy"
@@ -220,7 +221,7 @@ func TestPolicy(t *testing.T) {
 ctx := context.Background()
 // Check with NewEngineFromRego
- pe, err := authpolicy.NewEngineFromRego(ctx, tt.rego, store)
+ pe, err := authpolicy.NewEngineFromRego(ctx, tt.rego, store, ast.RegoV1)
 require.Nil(t, err, "failed to create policy engine")
 res, err := pe.Eval(ctxIn, tt.input)
@@ -432,7 +433,7 @@ func TestNewEngineFromRego(t *testing.T) {
 // a bad store
 store := inmem.New()
- _, err := authpolicy.NewEngineFromRego(ctx, tt.rego, store)
+ _, err := authpolicy.NewEngineFromRego(ctx, tt.rego, store, ast.RegoV1)
 require.Equal(t, err == nil, tt.success)
 })
 }
@@ -450,7 +451,7 @@ func condCheckRego(cond string) string {
 }
 default allow = false
- allow=true {
+ allow=true if {
 %s
 }
 `
@@ -479,7 +480,7 @@ var badEvalPolicy = `
 }
 default allow = false
- allow=true {
+ allow=true if {
 %s
 }
 `
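Review bot: In the `TestNewEngineFromRego` hunk every call now hard-codes `ast.RegoV1`, so as far as these hunks show nothing exercises the `ast.RegoV0` path that `newEngine` selects when `use_rego_v0` is set, nor the new failure mode in which a v0-syntax policy is rejected under the v1 default; both are operator-visible behaviour of the authorization layer and should be pinned. The table already carries `tt.rego` and `tt.success`, so a `version ast.RegoVersion` field (treated as `ast.RegoV1` when unset) plus two rows — a policy written as `allow = true { true }` with `ast.RegoV0` expected to succeed, and the same policy with `ast.RegoV1` expected to fail — would cover it, with the call becoming `_, err := authpolicy.NewEngineFromRego(ctx, tt.rego, store, tt.version)`. The table definition and the rest of the test body are outside this hunk, so the exact field wiring needs confirming there.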