
Releases: open-policy-agent/opa

v0.11.0

21 May 06:36

Compatibility Notes

This release includes a few small but backward incompatible
changes:

  • The compiler will reject functions that redeclare arguments. A
    search of public .rego files on GitHub returned only one result,
    which was in the OPA documentation itself. For example:

    f(x) {
        x := 1  # bad: redeclaration of 'x'
        x == 1  # ok
    }
    
  • Errors returned by built-in calls are no longer coded as
    eval_internal_error. Instead they are returned as
    eval_builtin_error. This change is made so callers can
    differentiate between actual internal errors and built-in errors
    that are result of bad inputs from the policy.

  • The ast.QueryCompiler#WithInput function and
    ast.QueryContext#Input field have been removed because they were
    unused and had no effect.

  • The ast.Compiler and ast.QueryCompiler functions to register
    extra changes now require a stage and metric name.

Major Features

This release includes a few notable features and improvements:

  • The some keyword allows you to declare local variables to avoid
    namespacing issues. See the Some Keyword section in the
    documentation for more detail.

  • The opa test, eval, REPL, and HTTP API have been extended with a
    new explanation mode for filtering tracing notes. This makes it
    easier to see the output of trace(msg) calls from your policy.

  • The WebAssembly (Wasm) compiler has been extended to include support for
    compiling rules into Wasm. Previously the compiler relied on partial
    evaluation to inline all rules. In some cases this is not possible
    due to limitations on Rego queries. In coming releases, the Wasm
    support will be extended to cover the entire language.

  • The rego package has been extended to support prepared
    queries. Prepared queries cache the parsed and compiled query ASTs
    for re-use across multiple Eval calls. For small policies the
    speedup can be significant. See the GoDoc for details.
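An added example, not taken from the release notes or the OPA project, that exercises two of the features above in one module: some to declare iteration variables locally in a package that also has a rule with a conflicting name, and trace notes that the new explanation mode filters down to. The package name, the role data and the shape of input are assumptions made for this illustration.

```rego
package example

default allow = false

# Constructed role data for the example: username -> list of roles.
roles = {
    "alice": ["admin"],
    "bob": ["reader"]
}

# A rule named `i` exists in this package. Before `some`, an unqualified `i`
# inside another rule body resolved to data.example.i (the value 0 below)
# instead of declaring a fresh variable, so an intended iteration
#   roles[input.user][i] == "admin"
# silently became the single comparison roles[input.user][0] == "admin".
i = 0

allow {
    some j                                  # j is local to this rule body, whatever else is named j
    roles[input.user][j] == "admin"
    trace(sprintf("user %v is admin via role index %v", [input.user, j]))
}

allow {
    some k
    input.path[k] == "public"               # any "public" path segment grants read access
    input.method == "GET"
    trace(sprintf("public GET on %v", [input.path]))
}
```

With the module saved as example.rego and an input such as {"user": "alice", "path": ["docs"], "method": "GET"}, running opa eval --data example.rego --input input.json --explain notes 'data.example.allow' prints only the trace notes from the bodies that fired, rather than the full event stream you get with --explain full.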

Fixes

  • Add Kubernetes admission control debugging tips (#1039)
  • Add docs on health check API endpoint (#1086)
  • Add hardened configuration example to security page (#1172)
  • Add support for with keyword stacking (#802)
  • Fix type inferencing on object keys (#1361)
  • Fix simple Kubernetes deployment example (#874)
  • Fix bug in data mocking that resulted in wrong iteration behavior (#1261)
  • Fix bug in set deep copy that caused panic (#1406)
  • Fix bug in REPL that prevented rules from being declared (#1104)

Miscellaneous

  • docs: Better documentation for providing the input document over HTTP (#1293)
  • docs: Add note about HTTP_PROXY friends (#1410)
  • Add CLI config overrides and ENV injection
  • Add additional compiler metrics for each stage
  • Add an “edge” release to the docs
  • Add param to include bundle activation in /health response
  • Add provenance query output
  • Add support for graceful shutdown of OPA server
  • Improve discovery feature documentation
  • Make json logs the default and add json-pretty
  • Raise error when loading empty module in bundle
  • Return eval_builtin_error instead of eval_internal_error
  • Rewrite == to = in queries passed to the compile API
  • docs: Update bundle docs with caching info
  • Update logrus to 1.4.0
  • server: Add early exit on PUT /v1/policies
  • topdown: Fix set unification partial eval bug
  • topdown: Omit rule body from enter/redo events

v0.10.7

09 Apr 00:37

This release publishes the Hugo-based documentation to GitHub Pages 🎉

Fixes

  • Add array.slice built-in function (#1243)
  • Add net.cidr_contains and net.cidr_intersects built-ins (#1289).
    This change deprecates the old net.cidr_overlap built-in function.
    The latter will be supported for backwards compatibility but new
    policies should refer to net.cidr_contains.
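An added example, not from the release notes or the OPA project, of a source-address policy written against the new built-ins: net.cidr_contains for "is this client inside an allowed range" and net.cidr_intersects for "does this requested range touch a block it must never touch". The package name, the CIDR values and the input fields are assumptions made for the illustration.

```rego
package network

# Constructed data for the example: ranges an internal service may be reached
# from, and a block that must never be part of a requested egress range.
allowed_sources = {"10.0.0.0/8", "192.168.1.0/24"}
forbidden = "169.254.0.0/16"

default allow = false

# Argument order is (cidr, cidr_or_ip): true when the second argument lies
# entirely within the first. Iterating the set checks every allowed range.
allow {
    net.cidr_contains(allowed_sources[_], input.source_ip)
}

# cidr_intersects is symmetric and true for any overlap, not only full
# containment, which is what you want when rejecting a range outright.
deny[msg] {
    net.cidr_intersects(input.requested_cidr, forbidden)
    msg := sprintf("requested range %v overlaps forbidden block %v", [input.requested_cidr, forbidden])
}

# The pre-0.10.7 spelling still evaluates for backwards compatibility, but new
# policies should not use it:
#   net.cidr_overlap(allowed_sources[_], input.source_ip)
```

An input of {"source_ip": "10.20.30.40", "requested_cidr": "169.254.1.0/24"} yields allow == true and one deny message; an input with "source_ip": "172.16.0.1" leaves allow at its default of false.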

Miscellaneous

  • Bump kube-mgmt container version to 0.8 in tutorial
  • Remove unnecessary resizing allocs from AST set and object
  • Add Kubernetes Admission Control guide

v0.10.6

26 Mar 22:30

This release migrates the OPA documentation over to Hugo (from
GitBook). Going forward the OPA documentation will be generated using
Hugo and hosted on Netlify (instead of GitHub Pages). The Hugo/Netlify
stack brings us in line with the goal for other CNCF projects and
provides nice features like "preview before merge".

This release includes a small but backwards incompatible change to the
http.send built-in. Previously, http.send would always decode
responses as JSON even if the Content-Type was unset or explicitly not
JSON. If you were previously relying on HTTP responses that did not
set the Content-Type correctly, you will need to update your policy to
pass "force_json_decode": true in the http.send parameters.
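An added example, not from the release notes or the OPA project, showing the two behaviours side by side. The URL and the shape of the JSON response ({"status": "ok"}) are assumptions made for the illustration.

```rego
package http_example

# Default behaviour from 0.10.6 on: the response is decoded into `body` only
# when the server sets a JSON Content-Type. For a text/plain answer `body` is
# not populated, so `resp.body.status` is undefined and this rule does not
# fire; it does not raise an error.
strict_ok {
    resp := http.send({"method": "get", "url": "http://status.internal/health"})
    resp.status_code == 200
    resp.body.status == "ok"
}

# Restores the pre-0.10.6 behaviour for a server known to return JSON without
# labelling it. Use this only when you control or trust that server: forcing
# a decode of a body that is not actually JSON fails the built-in call.
lenient_ok {
    resp := http.send({
        "method": "get",
        "url": "http://status.internal/health",
        "force_json_decode": true
    })
    resp.status_code == 200
    resp.body.status == "ok"
}
```

Policies that were silently accepting mislabelled JSON before this release should switch to the second form deliberately, per endpoint, rather than setting the flag everywhere.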

Fixes

  • Fix panic in mod operation (#1245)
  • Fix eval tree enumeration to return errors (#1272)
  • Fix http.send to handle non-JSON responses (#1258)
  • Fix backticks in SSH example that were causing problems (#1260)
  • Fix IAM examples to use regex instead of glob syntax (#1282)

Miscellaneous

  • Add support to register custom stages in the compiler
  • Add rootless Docker image stream
  • Improve hash distribution on objects
  • Reduce number of allocs in set membership implementation
  • docs: Add homebrew install instruction to the Getting Started tutorial
  • docs: Many improvements around := vs ==, best practices, cheatsheet, etc.
  • cmd: Add --fail-defined flag to eval subcommand
  • server: Fix patch path escaping

v0.10.5

25 Feb 16:44
  • This release contains a small but backwards incompatible change to
    the custom decision logger API. Custom decision loggers can now
    return an error, which will cause OPA to fail closed.

Fixes

  • Fix substring built-in bounds checking (#1235)
  • Add trailing newlines when pretty printing API responses
  • Add default Go metrics to Prometheus
  • Add pprof endpoint to HTTP server

v0.10.4

19 Feb 21:08
  • This release adds support for scoping bundles to specific roots
    under data. This allows bundles to be used in conjunction with
    sidecars like kube-mgmt that load local data and policy into
    OPA. See the Bundles page for more details.

  • This release includes a small but backwards incompatible change to
    the Decision Log event format. Instead of including the OPA version
    as a top-level field, the OPA version is included in the labels. The
    OPA version field was only added in v0.10.3 so this should not
    impact many consumers.

Fixes

  • Add coverage support to opa eval sub-command
  • Fix path checking in server to prevent overlapping base and virtual docs (#1207)
  • Fix cmd integration tests to cleanup plugin directory (#1185)
  • Improve TLS support in http.send (#1067)

v0.10.3

22 Jan 15:47
  • This release includes support for authentication via client
    certificates (thanks @srenatus!). For improvements to authentication
    see #1163.

  • This release includes a backwards incompatible change to the
    plugin interface. Specifically, when plugins are registered, callers
    must provide a factory that can validate configuration before
    instantiating the plugin. This allows OPA to ensure that all
    configuration is valid before activating changes. Since plugins were
    undocumented prior to this release, this change should be low
    impact. For details on plugin development see the new Plugins page
    on the website.

  • This release includes a backwards incompatible change to the HTTP
    decision logger event type. Specifically, "null" inputs are now
    handled correctly and decision logs for ad-hoc queries now populate
    the "query" field in the event instead of the "path" field. If you
    are consuming decision log events in Go, please switch to the
    decision logger framework documented here: https://github.com/open-policy-agent/opa/blob/master/docs/book/plugins.md.

Fixes

  • Add OPA version to decision logs (#1089)
  • Add query metrics to decision logs (#1033)
  • Add health endpoint to HTTP server (#1086)
  • Add line of failure in opa test (#961)
  • Fix panic caused by assignment rewriting (#1125)
  • Fix parser to avoid duplicate comments in AST (#426)
  • Fix semantic check for function references (#1132)
  • Fix query API to return 4xx on bad request (#1081)
  • Fix incorrect early exit from ref resolver (#1110)
  • Fix rewriting of assignment values (#1154)
  • Fix resolution inside references (#1155)
  • Fix '^' location of lines starting with tabs (#1129)
  • docs: Update count function doc to mention strings (#1126) (#1122)

Miscellaneous

  • Add tutorial for OPA/Ceph integration using Rook
  • Add metrics timer for server handler
  • Add support for custom backends in decision logger
  • Fix find operation on sets for non-empty refs
  • Fix bug in local declaration rewriting
  • Fix discovery docs to show a realistic example
  • Update decision log event to include error
  • Update decision log events to model paths and queries
  • Update server and decision logger to represent input properly
  • Update server to include decision ID in error events
  • Avoid zero values in http.Transport{} in REST client

WebAssembly

  • wasm: Add support for composite terms (#1113)
  • wasm: Add support for not keyword (#1112)
  • wasm: Add == operator
  • wasm: Add checks on single term and dot stmts
  • wasm: Add support for boolean and null literals
  • wasm: Add support for pattern matching on composites
  • wasm: Fix planner for chained iteration
  • wasm: Fix pretty printer writer usage
  • wasm: Output filenames in testgen errors
  • wasm: Refactor assignment for better typing
  • wasm: Remove module dumping from build command
  • wasm: Rename ir.LoopStmt to ir.ScanStmt
  • wasm: Update tester to allow for missing cases

v0.10.2

10 Dec 22:21

Fixes

  • Add manifest metadata to bundle data (#1079) (#1062)
  • Add profile command to REPL (#838)
  • Add decision ID note in API docs (#1061)
  • Fix formatting of trailing comments in composites (#1060)
  • Fix panic caused by input being set incorrectly (#1083)
  • Fix partial eval to apply saved terms (#1074)

Miscellaneous

  • Add Stringer implementation for expr values
  • Add Stringer implementation on metrics object
  • Add helper function to compile strings
  • Add note to configuration reference about -c flag
  • Add support for configuration discovery
  • Add support for multiple tracers
  • Add trace helper to rego package
  • Add code coverage percentage
  • Fix REPL to check number of assignment operands
  • Fix bug in test runner rule name dedup
  • Fix security link in REST API reference
  • Fix formatting of empty sets
  • Fix incorrect reporting of module parse time
  • Fix out of range errors for eq/assign in compiler
  • Fix parser to limit size of exponents
  • Update compiler to iterate over modules in sort order
  • Update OPA front page
  • Mark diagnostics feature as deprecated

v0.10.1

30 Oct 20:31

Fixes

  • Add show debug command to REPL (#750)

Miscellaneous

  • Add glob built-ins for easier path matching (thanks @aeneasr)
  • Add support for specifying services as object

v0.10.0

25 Oct 19:28

Major Features

  • Wasm compiler. This release adds initial/experimental support for
    compiling Rego policies into Wasm executables. Wasm executables can be loaded
    and executed in compatible Wasm runtimes like V8 (nodejs). You can try this
    out by running opa build.

  • Data mocking. This release adds support for replacing/mocking the data
    document using the with keyword. In the past, with only supported the
    input document. This made it tricky to test context-dependent policies. With
    the new with keyword support, it's easier to write tests against contextual
    policies.

  • Negation Optimization. This release includes an optimization in partial
    evaluation for dealing with negated statements (not keyword). In the past,
    OPA would generate a support rule for negated statements. This is harder for
    clients to consume and not readily optimized. The optimization computes the
    necessary cross-product of the negated query and inlines it into the caller.
    This leads to simpler partial evaluation results that are readily optimized,
    translated into other query languages (e.g., SQL and Elasticsearch),
    or compiled into Wasm.
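An added example, not from the release notes or the OPA project, of the data mocking described above: a policy that depends on a base document (data.roles) together with tests that replace both input and that base document with the with keyword, so the tests run against known roles rather than whatever roles.json happens to be loaded. The package name, the role layout and the input fields are assumptions made for the illustration.

```rego
package authz

# Assumed layout of the base document: data.roles maps user -> list of roles.
default allow = false

allow {
    data.roles[input.user][_] == "admin"
}

allow {
    input.method == "GET"
    data.roles[input.user][_] == "reader"
}

# Tests live in the same package so they can refer to `allow` directly.
# Each `with` applies only to the expression it is attached to; the
# replacement data is discarded once that expression is evaluated.
test_admin_can_write {
    allow with input as {"user": "alice", "method": "PUT"}
          with data.roles as {"alice": ["admin"]}
}

test_reader_can_read {
    allow with input as {"user": "bob", "method": "GET"}
          with data.roles as {"bob": ["reader"]}
}

test_reader_cannot_write {
    not allow with input as {"user": "bob", "method": "PUT"}
              with data.roles as {"bob": ["reader"]}
}

# An empty roles document exercises the default: no roles, no access.
test_unknown_user_denied {
    not allow with input as {"user": "mallory", "method": "GET"}
              with data.roles as {}
}
```

Running opa test on the directory containing this file reports all four tests passing without any roles.json present; the same policy evaluated normally still reads roles from whatever data OPA has loaded.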

Fixes

  • Add builtin to verify and decode JWT (#884)
  • Add GoDoc sample for using rego.Tracer (#1002)
  • Add built-in function to get runtime info (#420)
  • Add support for YAML encoded input values (#290)
  • Add support for client certificates (#684)
  • Add support for non-zero exit code in eval subcommand (#981)
  • Fix == rewriting on embedded terms (#995)
  • Fix copy propagation panic in comprehensions (#1012)
  • Implement regex.find_n (#1001) (#747)
  • Improve with modifier target error (#343)
  • Iterate over smaller set when intersecting (#531)
  • Only write one trailing newline at end of file (#1032)
  • Redirect HTTP requests with trailing slashes (#972)
  • Update bundle reader to allow relative data.json (#1019)
  • Expose version information via REST API (#277)

Miscellaneous

  • Add default decision configuration
  • Add extra helpers to loader result
  • Add indentation to trace in failure output
  • Add router option to the HTTP server
  • Add support for headers in http.send (thanks @repenno)
  • Deprecate --insecure-addr flag (thanks @repenno)
  • Add POST v1/query API for large inputs (thanks @rite2nikhil)
  • Remove heap allocations from AST set with open addressing
  • Replace siphash with xxhash in AST
  • Output traces on failures in verbose mode (thanks @srenatus)
  • Rewrite duplicate test rule names (thanks @srenatus)

v0.9.2

24 Sep 16:17

Miscellaneous Fixes

  • Add option to enable http redirects (#921)
  • Add copy propagation to support rules (#911)
  • Add support for inlining negated expressions in partial evaluation
  • Add deps subcommand to analyze base and virtual document dependencies
  • Add partial evaluation support to eval subcommand
  • Add net.cidr_overlap built-in function (thanks @aeneasr)
  • Add regex.template_match built-in function (thanks @aeneasr)
  • Add external security audit information (thanks @caniszczyk)
  • Add initial support for plugin loading (thanks @vrnmthr)
  • Fix copy propagator type assertion panic (#912)
  • Fix panic in parser error detail construction (#948)
  • Fix with value rewriting for call terms (#916)
  • Fix coverage flag for test command (thanks @johscheuer)
  • Fix compile operation timing in REPL
  • Fix to indent 4 spaces instead of a tab (thanks @superbrothers)
  • Fix REPL output in policy guide (thanks @ttripp)
  • Multiple fixes in the Kubernetes admission controller tutorial (thanks @johscheuer)
  • Improve formatting of empty ast.Body (#909)
  • Improve Kubernetes admission control policy loading explanation (thanks @rite2nikhil)
  • Update http.send test to work without internet access (#945)
  • Update test runner to set Fail to true (#954)

Security Audit Fixes

  • Improve token authentication docs and handler (#901)
  • Link to security docs in tutorials (#917)
  • Update bundle reader to cap buffer size (#920)
  • Validate queries by checking unsafe builtins (#919)
  • Fix XSS in debug page (#918)