Bump github.com/open-policy-agent/opa from 0.35.0 to 0.42.0

[dependabot]

Bumps github.com/open-policy-agent/opa from 0.35.0 to 0.42.0.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.42.0

This release contains a number of fixes and enhancements.

New built-in function: object.subset

This function checks if a collection is a subset of another collection. It works on objects, sets, and arrays.

If both arguments are objects, then the operation is recursive, e.g. {"c": {"x": {10, 15, 20}} is considered a subset of {"a": "b", "c": {"x": {10, 15, 20, 25}, "y": "z"}.

See the built-in functions docs for all details

This implementation fixes #4358 and was authored by @​charlesdaniels.

New keywords: "contains" and "if"

These new keywords let you increase the expressiveness of your policy code:

Before

package authz
allow { not denied } # `denied` left out for presentation purposes
deny[msg] {
count(violations) > 0
msg := sprintf("there are %d violations", [count(violations)])
}

After

package authz
import future.keywords
allow if not denied # one expression only => no { ... } needed!
deny contains msg if {
count(violations) > 0
msg := sprintf("there are %d violations", [count(violations)])
}

Note that rule bodies containing only one expression can be abbreviated when using if.

To use the new keywords, use import future.keywords.contains and import future.keywords.if; or import all of them at once via import future.keywords. When these future imports are present, the pretty printer (opa fmt) will introduce contains and if where applicable.

if is allowed in all places to separate the rule head from the body, like

</tr></table> 

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.42.0

This release contains a number of fixes and enhancements.

New built-in function: object.subset

This function checks if a collection is a subset of another collection. It works on objects, sets, and arrays.

If both arguments are objects, then the operation is recursive, e.g. {"c": {"x": {10, 15, 20}} is considered a subset of {"a": "b", "c": {"x": {10, 15, 20, 25}, "y": "z"}.

See the built-in functions docs for all details

This implementation fixes #4358 and was authored by @​charlesdaniels.

New keywords: "contains" and "if"

These new keywords let you increase the expressiveness of your policy code:

Before

package authz
allow { not denied } # `denied` left out for presentation purposes
deny[msg] {
count(violations) > 0
msg := sprintf("there are %d violations", [count(violations)])
}

After

package authz
import future.keywords
allow if not denied # one expression only => no { ... } needed!
deny contains msg if {
count(violations) > 0
msg := sprintf("there are %d violations", [count(violations)])
}

Note that rule bodies containing only one expression can be abbreviated when using if.

To use the new keywords, use import future.keywords.contains and import future.keywords.if; or import all of them at once via import future.keywords. When these future imports are present, the

... (truncated)

Commits

• 9b5fb9b Prepare release v0.42.0 (#4834)
• 7305b16 server: pass IQBC to authorizer (#4838)
• a52e317 topdown/pe: plug nested every expressions (#4827)
• a453d2e build(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0 (#4835)
• d5b8a61 release process: fix metadata logic (#4836)
• 2f169d9 build(deps): bump aquasecurity/trivy-action from 0.5.0 to 0.5.1 (#4833)
• 53b8192 docs/configuration: Fix profile_credentials AWS docs (#4831)
• 568f020 docs/wasm: fix markup (#4828)
• c0c902c topdown/eval: fix 'every' term plugging on save (#4775)
• 8a3bf90 ast/compile: reorder body for safety differently (#4801)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov-commenter]

Codecov Report

Merging #2046 (0470811) into main (df94451) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #2046   +/-   ##
=======================================
  Coverage   26.33%   26.33%           
=======================================
  Files         129      129           
  Lines        7564     7564           
=======================================
  Hits         1992     1992           
  Misses       5317     5317           
  Partials      255      255           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update df94451...0470811. Read the comment docs.