
chore(deps): bump github.com/open-policy-agent/opa from 0.44.0 to 0.45.0 #3650

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Oct 10, 2022

Bumps github.com/open-policy-agent/opa from 0.44.0 to 0.45.0.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.45.0

This release contains a mix of bugfixes, optimizations, and new features.

Improved Decision Logging with nd_builtin_cache

OPA has several non-deterministic built-ins, such as rand.intn and http.send, that can make debugging policies from decision log results a surprisingly tricky and involved process. To improve the situation around debugging policies that use those built-ins, OPA now provides an opt-in system for caching the inputs and outputs of these built-ins during policy evaluation, and can include this information in decision log entries.

A new top-level config key is used to enable the non-deterministic builtin caching feature, as shown below:

nd_builtin_cache: true

This data is exposed to OPA's decision log masking system under the /nd_builtin_cache path, which allows masking or dropping sensitive values from decision logs selectively. This can be useful in situations where only some information about a non-deterministic built-in was needed, or the arguments to the built-in involved sensitive data.

To prevent unexpected decision log size growth from non-deterministic built-ins like http.send, the new cache information is included in decision logs on a best-effort basis. If a decision log event exceeds the decision_logs.reporting.upload_size_limit_bytes limit for an OPA instance, OPA will reattempt uploading it, after dropping the non-deterministic builtin cache information from the event. This behavior will trigger a log error when it happens, and will increment the decision_logs_nd_builtin_cache_dropped metrics counter, so that it will be possible to debug cases where the cache information is unexpectedly missing from a decision log entry.

Decision Logging Example

To observe the change in decision logging we can run OPA in server mode with nd_builtin_cache enabled:

opa run -s --set=decision_logs.console=true,nd_builtin_cache=true

After sending it the query x := rand.intn("a", 15) we should see something like the following in the decision logs:

{..., "msg":"Decision Log", "nd_builtin_cache":{"rand.intn":{"[\"a\",15]":3}}, "query":"assign(x, rand.intn(\"a\", 15))", ..., "result":[{"x":3}], ..., "type":"openpolicyagent.org/decision_logs"}

The new information is included under the optional nd_builtin_cache JSON key, and shows what arguments were provided for each unique invocation of rand.intn, as well as what the output of that builtin call was (in this case, 3).

If we send the query x := rand.intn("a", 15); y := rand.intn("b", 150) we can see how unique input arguments get recorded in the cache:

{..., "msg":"Decision Log", "nd_builtin_cache":{"rand.intn":{"[\"a\",15]":12,"[\"b\",150]":149}}, "query":"assign(x, rand.intn(\"a\", 15)); assign(y, rand.intn(\"b\", 150))", ..., "result":[{"x":12,"y":149}], ..., "type":"openpolicyagent.org/decision_logs"}

With this information, it's now easier to debug exactly why a particular rule is used or why a rule fails when non-deterministic builtins are used in a policy.

New Built-in Function: regex.replace

This release introduces a new builtin for regex-based search/replace on strings: regex.replace.

See the built-in functions docs for all the details.

This implementation fixes #5162 and was authored by @boranx.

object.union_n Optimization

The object.union_n builtin allows easily merging together an array of Objects.

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

... (truncated)

Commits
  • 523c285 Prepare v0.45.0 release (#5223)
  • ac20ef2 server+sdk+plugins: Integrate NDBCache into decision logging. (#5147)
  • 94baa1b topdown/tokens: protect against nistec panics (#5214)
  • 4ea5c0f build(deps): bump tj-actions/changed-files from 29.0.9 to 32.0.0 (#5215)
  • 615f6f8 build: bump golang 1.19.1 -> 1.19.2 (#5213)
  • 20982c3 test/cases: add test case for rand.intn (#5207)
  • f3c0630 Added Gloo Edge Tutorial with some neat examples.
  • be2d753 Add IR to integration docs (#5205)
  • 15b9a88 Fix typo in Future Keywords (#5192)
  • b7f957d topdown/json: Fix panic in json.filter on empty JSON paths. (#5200)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.44.0 to 0.45.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v0.44.0...v0.45.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
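The release notes above describe the nd_builtin_cache structure (each invocation keyed by its JSON-encoded argument list, value being the built-in's output), the /nd_builtin_cache masking path, and the best-effort dropping of the cache when an event exceeds upload_size_limit_bytes. As an added example, not part of this PR or of OPA's code, the Python below decodes that structure from a constructed decision log event, flags events whose cache was dropped, and redacts credential headers from cached http.send arguments before the event is stored. The http.send request/response shape, the sample URL and the header list are assumptions.

```python
import json
from copy import deepcopy
# Non-deterministic built-ins named in the release notes above.
ND_BUILTINS = ("rand.intn", "http.send")
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}

def cache_key(args):
    """OPA keys each cached call by its JSON-encoded argument list, e.g. '["a",15]'."""
    return json.dumps(args, separators=(",", ":"))

# Constructed sample event; the http.send request/response shape is an assumption.
SAMPLE_EVENT = {
    "query": 'assign(x, rand.intn("a", 15)); assign(r, http.send(input.req))',
    "nd_builtin_cache": {
        "rand.intn": {cache_key(["a", 15]): 3},
        "http.send": {
            cache_key([{"method": "GET", "url": "https://example.test/check",
                        "headers": {"Authorization": "Bearer s3cr3t-token"}}]):
                {"status_code": 200, "body": {"allow": True}},
        },
    },
    "result": [{"x": 3, "r": {"status_code": 200}}],
}

def iter_cached_calls(event):
    """Yield (builtin, decoded_args, output) for every cached invocation."""
    for builtin, calls in event.get("nd_builtin_cache", {}).items():
        for key, output in calls.items():
            yield builtin, json.loads(key), output

def cache_dropped(event):
    """ND built-in in the query but no cache: what OPA emits after dropping it over upload_size_limit_bytes."""
    uses_nd = any(b in event.get("query", "") for b in ND_BUILTINS)
    return uses_nd and "nd_builtin_cache" not in event

def redact_http_send(event):
    """Copy of event with credential headers in cached http.send args masked (cf. /nd_builtin_cache masking)."""
    masked = deepcopy(event)
    calls = masked.get("nd_builtin_cache", {}).get("http.send", {})
    rewritten = {}
    for key, output in calls.items():
        args = json.loads(key)
        for arg in (a for a in args if isinstance(a, dict)):
            headers = arg.get("headers", {})
            for name in [n for n in headers if n.lower() in SENSITIVE_HEADERS]:
                headers[name] = "[REDACTED]"
        rewritten[cache_key(args)] = output
    if calls:
        masked["nd_builtin_cache"]["http.send"] = rewritten
    return masked
```

Coarser masking of the whole http.send sub-tree can be done inside OPA via the /nd_builtin_cache path the release notes mention; this helper is for the case where the response must be kept but the request credentials must not reach the log store.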
@dependabot dependabot bot requested a review from a team as a code owner October 10, 2022 16:42
@dependabot dependabot bot requested a review from wasaga October 10, 2022 16:42
@coveralls

Coverage Status

Coverage decreased (-0.02%) to 66.58% when pulling 179a673 on dependabot/go_modules/github.com/open-policy-agent/opa-0.45.0 into 87cd051 on main.

Contributor

@desimone desimone left a comment


Changelog does not appear to mention anything breaking.

@calebdoxsey calebdoxsey merged commit cc1e186 into main Oct 11, 2022
@calebdoxsey calebdoxsey deleted the dependabot/go_modules/github.com/open-policy-agent/opa-0.45.0 branch October 11, 2022 13:28