Bump github.com/open-policy-agent/opa from 0.22.0 to 0.27.1

[dependabot]

Bumps github.com/open-policy-agent/opa from 0.22.0 to 0.27.1.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.27.1

This release contains a fix for crashes experienced when configuring OPA to use S3 signing as service credentials (#3255).

In addition to that, we have a small number of enhancements and fixes:

Tooling

• The eval subcommand now allows using --import without using --package. Authored by @onelittlenightmusic, #3240.

Compiler

• The ast package now exports another method for JSON conversion, ast.JSONWithOpts, that allows further options to be set (#3244.

Server

• REST plugins using s3_signing as credentials method can now include the specified service in the signature (SigV4). Authored by @cogwirrel, #3210.

Documentation

• Remove soon-to-be deprecated any and all from the Policy Reference (#3241) -- see also #2437.
• Add missing discovery.service field to Discovery configuration table (#3237).
• Fix dead links to the Envoy pages (#3248).

WebAssembly

• Executions using the internal Wasm SDK will now be interrupted when the provided context is done (cancelled or deadline reached).
• The generated Wasm modules could become much smaller: unused functions are replaced by unreachable stubs, and the heavyweight runtime components related to regular expressions are excluded when none of the regex-related builtins are used: glob.match, regex.is_valid, regex.match, regex.is_valid, and regex.find_all_string_submatch_n.
• The Wasm runtime now allows passing in the time to be used for evaluation, enabling callers to control the time-of-day observed by Wasm compiled policies.
• Wasmtime runtime has been updated to the latest version (v0.24.0).

v0.27.0

This release contains a number of enhancements and bug fixes.

Tooling

• The eval subcommand now supports a -s/--schema flag that accepts a JSON schema for the input document. The schema is used when type checking the policy so that invalid references to (or operations on) input data are caught at compile time. In the future, the schema support will be expanded to accept multiple schemas and rule-level annotations. See the new Schemas documentation for details. Authored by @aavarghese and @vazirim.
• The eval, test, bench and REPL subcommands now supports a -t/--target flag to set the evaluation engine to use. The default engine is rego referring to the standard Rego interpreter in OPA. Users can now select wasm to enable Wasm compilation and execution of policies (#2878).
• The eval subcommand now supports a raw option for -f/--format that is useful in bash scripts. Authored by @jaspervdj-luminal.
• The test framework now supports "skippable" tests. Prefix the test name with todo_ to have the test runner skip the test, e.g., todo_test_allow { ... }.
• The eval subcommand now correctly supports the --ignore flag. Previously the flag was not being applied.

Server

• The POST /v1/compile API now supports a ?metrics query parameter similar to other APIs. Authored by @jkbschmid.
• The directory used for persisting downloaded bundles can now be configured. See the Configuration page for details.
• The HTTP Decision Logger plugin no longer blocks server shutdown for the grace period when there are no logs to upload.
• The Bundle plugin now unregisters listeners correctly. This issue would cause listeners to be invoked when bundle updates were dispatched even if the listener was unregistered (#3190).
• The server now correctly decodes policy IDs in the HTTP request URL. Authored by @mattmahn (#2116).
• The server now configures the http_request_duration_seconds metric (for all of the server endpoitns) with smaller, more granular buckets that better map to actual response latencies from OPA. Authored by @luong-komorebi (#3196).

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.27.1

This release contains a fix for crashes experienced when configuring OPA to use S3 signing as service credentials (#3255).

In addition to that, we have a small number of enhancements and fixes:

Tooling

• The eval subcommand now allows using --import without using --package. Authored by @onelittlenightmusic, #3240.

Compiler

• The ast package now exports another method for JSON conversion, ast.JSONWithOpts, that allows further options to be set (#3244.

Server

• REST plugins using s3_signing as credentials method can now include the specified service in the signature (SigV4). Authored by @cogwirrel, #3210.

Documentation

• Remove soon-to-be deprecated any and all from the Policy Reference (#3241) -- see also #2437.
• Add missing discovery.service field to Discovery configuration table (#3237).
• Fix dead links to the Envoy pages (#3248).

WebAssembly

• Executions using the internal Wasm SDK will now be interrupted when the provided context is done (cancelled or deadline reached).
• The generated Wasm modules could become much smaller: unused functions are replaced by unreachable stubs, and the heavyweight runtime components related to regular expressions are excluded when none of the regex-related builtins are used: glob.match, regex.is_valid, regex.match, regex.is_valid, and regex.find_all_string_submatch_n.
• The Wasm runtime now allows passing in the time to be used for evaluation, enabling callers to control the time-of-day observed by Wasm compiled policies.
• Wasmtime runtime has been updated to the latest version (v0.24.0).

0.27.0

This release contains a number of enhancements and bug fixes.

Tooling

• The eval subcommand now supports a -s/--schema flag that accepts a JSON schema for the input document. The schema is used when type checking the policy so that invalid references to (or operations on) input data are caught at compile time. In the future, the schema support will be expanded to accept multiple schemas and rule-level annotations. See the new Schemas documentation for details. Authored by @aavarghese and @vazirim.
• The eval, test, bench and REPL subcommands now supports a -t/--target flag to set the evaluation engine to use. The default engine is rego referring to the standard Rego interpreter in OPA. Users can now select wasm to enable Wasm compilation and execution of policies (#2878).
• The eval subcommand now supports a raw option for -f/--format that is useful in bash scripts. Authored by @jaspervdj-luminal.
• The test framework now supports "skippable" tests. Prefix the test name with todo_ to have the test runner skip the test, e.g., todo_test_allow { ... }.
• The eval subcommand now correctly supports the --ignore flag. Previously the flag was not being applied.

Server

• The POST /v1/compile API now supports a ?metrics query parameter similar to other APIs. Authored by @jkbschmid.
• The directory used for persisting downloaded bundles can now be configured. See the Configuration page for details.
• The HTTP Decision Logger plugin no longer blocks server shutdown for the grace period when there are no logs to upload.
• The Bundle plugin now unregisters listeners correctly. This issue would cause listeners to be invoked when bundle updates were dispatched even if the listener was unregistered (#3190).
• The server now correctly decodes policy IDs in the HTTP request URL. Authored by @mattmahn (#2116).

... (truncated)

Commits

• e514c03 prep 0.27.1 release (#3258)
• bcb7229 wasm: fix offset bug
• 83a7079 Fix crash in v0.27.0 when s3_signing is configured (#3256)
• c5b0b08 wasm: exclude re2 code if no entrypoint found (#3253)
• 6957b6a wasm: Update generated binaries
• 5a1ed9c wasm: replace unused functions by stub (#3206)
• 79a5a55 deps: bump wasmtime 0.23.0 -> 0.24.0 (#3246)
• 7614c62 Fix envoy links
• 885fd69 ast: Add ast.JSONWithOpt to complement ast.JSON
• 24a2cb7 wasm: Add support for time option via rego package
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov]

Codecov Report

Merging #616 (6ca44d8) into master (6103c45) will decrease coverage by 0.11%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master     #616      +/-   ##
==========================================
- Coverage   78.09%   77.97%   -0.12%     
==========================================
  Files         104      104              
  Lines        2597     2597              
==========================================
- Hits         2028     2025       -3     
- Misses        422      424       +2     
- Partials      147      148       +1     

Impacted Files	Coverage Δ
pkg/policy/opa/engine.go	64.31% <0.00%> (-1.25%)	⬇️

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[dependabot]

Superseded by #723.