diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 13df4bd..50aa4d4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,7 +43,7 @@ jobs:
 matrix:
 java-version: [11, 17, 21]
 opa-version:
- - 0.70.0 # latest
+ - 1.12.1 # latest
 steps:
 - uses: actions/checkout@v6
diff --git a/core/src/test/java/com/styra/opa/wasm/testcases/Case.java b/core/src/test/java/com/styra/opa/wasm/testcases/Case.java
index 359da49..0441cdd 100644
--- a/core/src/test/java/com/styra/opa/wasm/testcases/Case.java
+++ b/core/src/test/java/com/styra/opa/wasm/testcases/Case.java
@@ -32,6 +32,9 @@ public class Case {
 @JsonProperty("wasm")
 private String wasm;
+ @JsonProperty("ignore_generated_vars")
+ private boolean ignoreGeneratedVars;
+
 Case() {}
 public String note() {
@@ -70,6 +73,10 @@ public String wasm() {
 return wasm;
 }
+ public boolean ignoreGeneratedVars() {
+ return ignoreGeneratedVars;
+ }
+
 @Override
 public String toString() {
 return "Case{"
diff --git a/core/src/test/resources/fixtures/base/policy.rego b/core/src/test/resources/fixtures/base/policy.rego
index d6a0952..42a84dc 100644
--- a/core/src/test/resources/fixtures/base/policy.rego
+++ b/core/src/test/resources/fixtures/base/policy.rego
@@ -1,8 +1,8 @@
 package opa.wasm.test
-default allowed = false
+default allowed := false
-allowed {
+allowed if {
 user := input.user
 data.role[user] == "admin"
 }
diff --git a/core/src/test/resources/fixtures/custom-builtins/capabilities.json b/core/src/test/resources/fixtures/custom-builtins/capabilities.json
index f996754..3cbaa39 100644
--- a/core/src/test/resources/fixtures/custom-builtins/capabilities.json
+++ b/core/src/test/resources/fixtures/custom-builtins/capabilities.json
@@ -1,4 +1,5 @@
 {
+ "features": ["rego_v1"],
 "builtins": [
 {
 "name": "custom.zeroArgBuiltin",
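Review bot: The new `ignoreGeneratedVars` field in the first Case.java hunk carries no comment saying what the test runner does when it is set, and the consumer is not visible in this diff, so the meaning of `ignore_generated_vars` has to be guessed from the upstream test-case format. A short comment on the field, e.g. `// From the test-case JSON; when true the runner is expected to drop OPA-generated variables from the result before comparing — confirm against the consumer`, would anchor it. The second hunk adds the getter but does not touch `toString()` (its body continues outside the hunk); if that method lists the other fields, appending `", ignoreGeneratedVars=" + ignoreGeneratedVars` keeps failure dumps complete. Because the field is a primitive `boolean`, a case that omits the key deserializes to `false`, which is presumably the intended default.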
diff --git a/core/src/test/resources/fixtures/custom-builtins/custom-builtins-policy.rego b/core/src/test/resources/fixtures/custom-builtins/custom-builtins-policy.rego
index 34e5c50..8fa929c 100644
--- a/core/src/test/resources/fixtures/custom-builtins/custom-builtins-policy.rego
+++ b/core/src/test/resources/fixtures/custom-builtins/custom-builtins-policy.rego
@@ -1,25 +1,27 @@
 package custom_builtins
-zero_arg = x {
- x = custom.zeroArgBuiltin()
-}
+zero_arg := custom.zeroArgBuiltin()
-one_arg = x {
- x = custom.oneArgBuiltin(input.args[0])
-}
+one_arg := custom.oneArgBuiltin(input.args[0])
-two_arg = x {
- x = custom.twoArgBuiltin(input.args[0], input.args[1])
-}
+two_arg := custom.twoArgBuiltin(
+ input.args[0],
+ input.args[1],
+)
-three_arg = x {
- x = custom.threeArgBuiltin(input.args[0], input.args[1], input.args[2])
-}
+three_arg := custom.threeArgBuiltin(
+ input.args[0],
+ input.args[1],
+ input.args[2],
+)
-four_arg = x {
- x = custom.fourArgBuiltin(input.args[0], input.args[1], input.args[2], input.args[3])
-}
+four_arg := custom.fourArgBuiltin(
+ input.args[0],
+ input.args[1],
+ input.args[2],
+ input.args[3],
+)
-valid_json {
+valid_json if {
 json.is_valid("{}")
 }
diff --git a/core/src/test/resources/fixtures/issue78-sprintf/policy.rego b/core/src/test/resources/fixtures/issue78-sprintf/policy.rego
index bc555ef..ca81c75 100644
--- a/core/src/test/resources/fixtures/issue78-sprintf/policy.rego
+++ b/core/src/test/resources/fixtures/issue78-sprintf/policy.rego
@@ -3,7 +3,7 @@ package armo_builtins
 ################################################################################
 # Rules
-deny[msga] {
+deny contains msga if {
 pod := input[_]
 pod.kind == "Pod"
 container := pod.spec.containers[i]
@@ -29,7 +29,7 @@ deny[msga] {
 }
-deny[msga] {
+deny contains msga if {
 wl := input[_]
 spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
 spec_template_spec_patterns[wl.kind]
@@ -56,7 +56,7 @@ deny[msga] {
 }
 # Fails if cronjob has a container configured to run as root
-deny[msga] {
+deny contains msga if {
 wl := input[_]
 wl.kind == "CronJob"
 container = wl.spec.jobTemplate.spec.template.spec.containers[i]
@@ -83,7 +83,7 @@ deny[msga] {
 }
-get_fixed_paths(all_fixpaths, i) = [{"path":replace(all_fixpaths[0].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[0].value}, {"path":replace(all_fixpaths[1].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[1].value}]{
+get_fixed_paths(all_fixpaths, i) = [{"path":replace(all_fixpaths[0].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[0].value}, {"path":replace(all_fixpaths[1].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[1].value}] if {
 count(all_fixpaths) == 2
 } else = [{"path":replace(all_fixpaths[0].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[0].value}]
@@ -93,7 +93,7 @@ get_fixed_paths(all_fixpaths, i) = [{"path":replace(all_fixpaths[0].path,"contai
 # if runAsUser is set to 0 and runAsNonRoot is set to false/ not set - suggest to set runAsUser to 1000
 # if runAsUser is not set and runAsNonRoot is set to false/ not set - suggest to set runAsNonRoot to true
 # all checks are both on the pod and the container level
-evaluate_workload_run_as_user(container, pod, start_of_path) = fixPath {
+evaluate_workload_run_as_user(container, pod, start_of_path) = fixPath if {
 runAsNonRootValue := get_run_as_non_root_value(container, pod, start_of_path)
 runAsNonRootValue.value == false
@@ -107,7 +107,7 @@ evaluate_workload_run_as_user(container, pod, start_of_path) = fixPath {
 # if runAsGroup is set to 0/ not set - suggest to set runAsGroup to 1000
 # all checks are both on the pod and the container level
-evaluate_workload_run_as_group(container, pod, start_of_path) = fixPath {
+evaluate_workload_run_as_group(container, pod, start_of_path) = fixPath if {
 runAsGroupValue := get_run_as_group_value(container, pod, start_of_path)
 runAsGroupValue.value == 0
@@ -119,32 +119,32 @@ evaluate_workload_run_as_group(container, pod, start_of_path) = fixPath {
 # Value resolution functions
-get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot {
+get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot if {
 runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : true}
-} else = runAsNonRoot {
+} else = runAsNonRoot if {
 runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : true}
 } else = {"value" : false, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}], "defined" : false}
-get_run_as_user_value(container, pod, start_of_path) = runAsUser {
+get_run_as_user_value(container, pod, start_of_path) = runAsUser if {
 path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path])
 runAsUser := {"value" : container.securityContext.runAsUser, "fixPath": [{"path": path, "value": "1000"}], "defined" : true}
-} else = runAsUser {
+} else = runAsUser if {
 path := sprintf("%v.securityContext.runAsUser", [start_of_path])
 runAsUser := {"value" : pod.spec.securityContext.runAsUser, "fixPath": [{"path": path, "value": "1000"}],"defined" : true}
 } else = {"value" : 0, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : false}
-get_run_as_group_value(container, pod, start_of_path) = runAsGroup {
+get_run_as_group_value(container, pod, start_of_path) = runAsGroup if {
 path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path])
 runAsGroup := {"value" : container.securityContext.runAsGroup, "fixPath": [{"path": path, "value": "1000"}],"defined" : true}
-} else = runAsGroup {
+} else = runAsGroup if {
 path := sprintf("%v.securityContext.runAsGroup", [start_of_path])
 runAsGroup := {"value" : pod.spec.securityContext.runAsGroup, "fixPath":[{"path": path, "value": "1000"}], "defined" : true}
 } else = {"value" : 0, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]), "value":"1000"}], "defined" : false }
-choose_first_if_defined(l1, l2) = c {
+choose_first_if_defined(l1, l2) = c if {
 l1.defined
 c := l1
 } else = l2
diff --git a/core/src/test/resources/fixtures/memory/policy.rego b/core/src/test/resources/fixtures/memory/policy.rego
index 2c30ee3..a0b91d2 100644
--- a/core/src/test/resources/fixtures/memory/policy.rego
+++ b/core/src/test/resources/fixtures/memory/policy.rego
@@ -1,5 +1,7 @@
 package test
-default allow = false
+default allow := false
-allow { input == "open sesame" }
\ No newline at end of file
+allow if {
+ input == "open sesame"
+}
diff --git a/core/src/test/resources/fixtures/multiple-entrypoints/example-one.rego b/core/src/test/resources/fixtures/multiple-entrypoints/example-one.rego
index b42a132..1190088 100644
--- a/core/src/test/resources/fixtures/multiple-entrypoints/example-one.rego
+++ b/core/src/test/resources/fixtures/multiple-entrypoints/example-one.rego
@@ -2,14 +2,13 @@ package example.one
 import data.example.one.myCompositeRule
-default myRule = false
+default myRule := false
+default myOtherRule := false
-default myOtherRule = false
-
-myRule {
- input.someProp == "thisValue"
+myRule if {
+ input.someProp == "thisValue"
 }
-myOtherRule {
- input.anotherProp == "thatValue"
+myOtherRule if {
+ input.anotherProp == "thatValue"
 }
diff --git a/core/src/test/resources/fixtures/multiple-entrypoints/example-two.rego b/core/src/test/resources/fixtures/multiple-entrypoints/example-two.rego
index ba3a4a8..35c9086 100644
--- a/core/src/test/resources/fixtures/multiple-entrypoints/example-two.rego
+++ b/core/src/test/resources/fixtures/multiple-entrypoints/example-two.rego
@@ -2,14 +2,13 @@ package example.two
 import data.example.two.coolRule
-default theirRule = false
+default theirRule := false
+default ourRule := false
-default ourRule = false
-
-theirRule {
- input.anyProp == "aValue"
+theirRule if {
+ input.anyProp == "aValue"
 }
-ourRule {
- input.ourProp == "inTheMiddleOfTheStreet"
+ourRule if {
+ input.ourProp == "inTheMiddleOfTheStreet"
 }
diff --git a/core/src/test/resources/fixtures/string-builtins/policy.rego b/core/src/test/resources/fixtures/string-builtins/policy.rego
index 66a184d..c39e6a7 100644
--- a/core/src/test/resources/fixtures/string-builtins/policy.rego
+++ b/core/src/test/resources/fixtures/string-builtins/policy.rego
@@ -1,13 +1,13 @@
 package string_builtins
-invoke_sprintf = x {
- x = { "printed": sprintf("hello %s your number is %d!", ["user", 321]) }
+invoke_sprintf := {
+ "printed": sprintf("hello %s your number is %d!", ["user", 321])
 }
-integer_fastpath = x {
- x = { "printed": sprintf("%d", [123]) }
+integer_fastpath := {
+ "printed": sprintf("%d", [123])
 }
-string_example = x {
- x = { "printed": sprintf("%s", ["my string"]) }
+string_example := {
+ "printed": sprintf("%s", ["my string"])
 }
diff --git a/core/src/test/resources/fixtures/stringified-support/stringified-support-policy.rego b/core/src/test/resources/fixtures/stringified-support/stringified-support-policy.rego
index 1adb1a2..ba62f8e 100644
--- a/core/src/test/resources/fixtures/stringified-support/stringified-support-policy.rego
+++ b/core/src/test/resources/fixtures/stringified-support/stringified-support-policy.rego
@@ -1,26 +1,26 @@
 package stringified.support
-default hasPermission = false
-default plainInputBoolean = false
-default plainInputNumber = false
-default plainInputString = false
+default hasPermission := false
+default plainInputBoolean := false
+default plainInputNumber := false
+default plainInputString := false
-hasPermission {
+hasPermission if {
 input.secret == data.secret
 }
-hasPermission {
+hasPermission if {
 input.permissions[_] == data.roles["1"].permissions[_].id
 }
-plainInputBoolean {
- input = true
+plainInputBoolean if {
+ input == true
 }
-plainInputNumber {
- input = 5
+plainInputNumber if {
+ input == 5
 }
-plainInputString {
- input = "test"
-}
\ No newline at end of file
+plainInputString if {
+ input == "test"
+}
diff --git a/core/src/test/resources/fixtures/yaml-support/yaml-support-policy.rego b/core/src/test/resources/fixtures/yaml-support/yaml-support-policy.rego
index f46782f..4549220 100644
--- a/core/src/test/resources/fixtures/yaml-support/yaml-support-policy.rego
+++ b/core/src/test/resources/fixtures/yaml-support/yaml-support-policy.rego
@@ -22,37 +22,37 @@ x-amazon-apigateway-policy:
 Resource: '*'
 `
-canParseYAML {
+canParseYAML if {
 resource := yaml.unmarshal(fixture)
 resource.info.title == "test"
 }
-hasSemanticError {
+hasSemanticError if {
 # see: https://github.com/eemeli/yaml/blob/395f892ec9a26b9038c8db388b675c3281ab8cd3/tests/doc/errors.js#L22
 yaml.unmarshal("a:\n\t1\nb:\n\t2\n")
 }
-hasSyntaxError {
+hasSyntaxError if {
 # see: https://github.com/eemeli/yaml/blob/395f892ec9a26b9038c8db388b675c3281ab8cd3/tests/doc/errors.js#L49
 yaml.unmarshal("{ , }\n---\n{ 123,,, }\n")
 }
-hasReferenceError {
+hasReferenceError if {
 # see: https://github.com/eemeli/yaml/blob/395f892ec9a26b9038c8db388b675c3281ab8cd3/tests/doc/errors.js#L245
 yaml.unmarshal("{ , }\n---\n{ 123,,, }\n")
 }
-hasYAMLWarning {
+hasYAMLWarning if {
 # see: https://github.com/eemeli/yaml/blob/395f892ec9a26b9038c8db388b675c3281ab8cd3/tests/doc/errors.js#L224
 yaml.unmarshal("%FOO\n---bar\n")
 }
-canMarshalYAML[x] {
+canMarshalYAML contains x if {
 string := yaml.marshal(input)
 x := yaml.unmarshal(string)
 }
-isValidYAML {
+isValidYAML if {
 yaml.is_valid(fixture) == true
 yaml.is_valid("foo: {") == false
 yaml.is_valid("{\"foo\": \"bar\"}") == true