4 changes: 1 addition & 3 deletions docs/modules/ROOT/pages/ec_opa_bench.adoc
Expand Up @@ -13,8 +13,6 @@ Example with bundle and input data:

opa bench -b ./policy-bundle -i input.json 'data.authz.allow'

To enable more detailed analysis use the --metrics and --benchmem flags.

To run benchmarks against a running OPA server to evaluate server overhead use the --e2e flag.

The optional "gobench" output format conforms to the Go Benchmark Data Format.
Expand Down Expand Up @@ -48,7 +46,7 @@ ec opa bench <query> [flags]
-I, --stdin-input:: read input document from stdin (Default: false)
-t, --target:: set the runtime to exercise (Default: rego)
-u, --unknowns:: set paths to treat as unknown during partial evaluation (Default: [input])
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release. Takes precedence over --v1-compatible (Default: false)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release (Default: false)
--v1-compatible:: opt-in to OPA features and behaviors that are enabled by default in OPA v1.0 (Default: false)

== Options inherited from parent commands
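Review bot: the new `--v0-compatible` text drops "Takes precedence over --v1-compatible" while `--v1-compatible` stays documented on the next line, so the page no longer says what happens when both flags are passed. If the precedence still holds, keep the sentence; if `--v1-compatible` no longer has any effect, say so in its own description instead.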
5 changes: 3 additions & 2 deletions docs/modules/ROOT/pages/ec_opa_build.adoc
Expand Up @@ -182,12 +182,13 @@ ec opa build <path> [<path> [...]] [flags]
--scope:: scope to use for bundle signature verification
--signing-alg:: name of the signing algorithm (Default: RS256)
--signing-key:: set the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)
--signing-plugin:: name of the plugin to use for signing/verification (see https://www.openpolicyagent.org/docs/latest/management-bundles/#signature-plugin
--signing-plugin:: name of the plugin to use for signing/verification (see https://www.openpolicyagent.org/docs/latest/management-bundles/#signature-plugin)
-t, --target:: set the output bundle target type (Default: rego)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release. Takes precedence over --v1-compatible (Default: false)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release (Default: false)
--v1-compatible:: opt-in to OPA features and behaviors that are enabled by default in OPA v1.0 (Default: false)
--verification-key:: set the secret (HMAC) or path of the PEM file containing the public key (RSA and ECDSA)
--verification-key-id:: name assigned to the verification key used for bundle verification (Default: default)
--wasm-include-print:: enable print statements inside of WebAssembly modules compiled by the compiler (Default: false)

== Options inherited from parent commands

3 changes: 2 additions & 1 deletion docs/modules/ROOT/pages/ec_opa_capabilities.adoc
Expand Up @@ -54,8 +54,9 @@ ec opa capabilities [flags]
== Options

--current:: print current capabilities (Default: false)
--file:: print current capabilities
--file:: print capabilities defined by a file
-h, --help:: help for capabilities (Default: false)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release (Default: false)
--version:: print capabilities of a specific version

== Options inherited from parent commands
11 changes: 6 additions & 5 deletions docs/modules/ROOT/pages/ec_opa_check.adoc
Expand Up @@ -6,9 +6,9 @@ Check Rego source files

Check Rego source files for parse and compilation errors.

If the 'check' command succeeds in parsing and compiling the source file(s), no output
is produced. If the parsing or compiling fails, 'check' will output the errors
and exit with a non-zero exit code.
If the 'check' command succeeds in parsing and compiling the source file(s), no output
is produced. If the parsing or compiling fails, 'check' will output the errors
and exit with a non-zero exit code.
[source,shell]
----
ec opa check <path> [path [...]] [flags]
Expand All @@ -21,10 +21,11 @@ ec opa check <path> [path [...]] [flags]
-h, --help:: help for check (Default: false)
--ignore:: set file and directory names to ignore during loading (e.g., '.*' excludes hidden files) (Default: [])
-m, --max-errors:: set the number of errors to allow before compilation fails early (Default: 10)
--rego-v1:: check for Rego v1 compatibility (policies must also be compatible with current OPA version) (Default: false)
--rego-v1:: check for Rego v0 and v1 compatibility (policies must be compatible with both Rego versions) (Default: false)
-s, --schema:: set schema file path or directory path
-S, --strict:: enable compiler strict mode (Default: false)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release. Takes precedence over --v1-compatible (Default: false)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release (Default: false)
--v0-v1:: check for Rego v0 and v1 compatibility (policies must be compatible with both Rego versions) (Default: false)
--v1-compatible:: opt-in to OPA features and behaviors that are enabled by default in OPA v1.0 (Default: false)

== Options inherited from parent commands
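Review bot: `--rego-v1` and the added `--v0-v1` now carry word-for-word the same description, so a reader cannot tell whether one is an alias for, or a deprecated spelling of, the other. Suggest stating the relationship on the `--rego-v1` line rather than repeating the text.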
15 changes: 7 additions & 8 deletions docs/modules/ROOT/pages/ec_opa_deps.adoc
Expand Up @@ -9,14 +9,17 @@ Print dependencies of provided query.
Dependencies are categorized as either base documents, which is any data loaded
from the outside world, or virtual documents, i.e values that are computed from rules.

Example
-------
[source,shell]
----
ec opa deps <query> [flags]
----

== Examples

Given a policy like this:

package policy

import rego.v1

allow if is_admin

is_admin if "admin" in input.user.roles
Expand All @@ -36,10 +39,6 @@ From the output we're able to determine that the allow rule depends on
the input.user.roles base document, as well as the virtual document (rule)
data.policy.is_admin.

[source,shell]
----
ec opa deps <query> [flags]
----
== Options

-b, --bundle:: set bundle file(s) or directory path(s). This flag can be repeated.
15 changes: 8 additions & 7 deletions docs/modules/ROOT/pages/ec_opa_eval.adoc
Expand Up @@ -5,9 +5,13 @@ Evaluate a Rego query
== Synopsis

Evaluate a Rego query and print the result.
[source,shell]
----
ec opa eval <query> [flags]
----

== Examples

Examples
--------

To evaluate a simple query:

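Review bot: the synopsis block is inserted directly under "Evaluate a Rego query and print the result." with no blank line before `[source,shell]`, whereas ec_opa_deps.adoc in this same change leaves a blank line between its description paragraph and the block. Suggest adding the blank line here so the generated pages are consistent and the block attribute line is clearly separate from the paragraph.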
Expand Down Expand Up @@ -107,10 +111,6 @@ Note that the metaschemas http://json-schema.org/draft-04/schema, http://json-sc
and http://json-schema.org/draft-07/schema, are always available, even without network
access.

[source,shell]
----
ec opa eval <query> [flags]
----
== Options

-b, --bundle:: set bundle file(s) or directory path(s). This flag can be repeated.
Expand All @@ -132,6 +132,7 @@ ec opa eval <query> [flags]
-i, --input:: set input file path
--instrument:: enable query instrumentation metrics (implies --metrics) (Default: false)
--metrics:: report query performance metrics (Default: false)
--nondeterminstic-builtins:: evaluate nondeterministic builtins (if all arguments are known) during partial eval (Default: false)
-O, --optimize:: set optimization level (Default: 0)
--optimize-store-for-read-speed:: optimize default in-memory store for read speed. Has possible negative impact on memory footprint and write speed. See https://www.openpolicyagent.org/docs/latest/policy-performance/#storage-optimization for more details. (Default: false)
--package:: set query package
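Review bot: the added flag is spelled `--nondeterminstic-builtins` while its own description spells the word "nondeterministic". If this page is generated from the CLI's flag definitions, the name has to stay as the binary accepts it, but please confirm that this is the spelling users must type, since a hand-corrected name in docs or scripts would not match the flag.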
Expand All @@ -150,7 +151,7 @@ ec opa eval <query> [flags]
-t, --target:: set the runtime to exercise (Default: rego)
--timeout:: set eval timeout (default unlimited) (Default: 0s)
-u, --unknowns:: set paths to treat as unknown during partial evaluation (Default: [input])
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release. Takes precedence over --v1-compatible (Default: false)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release (Default: false)
--v1-compatible:: opt-in to OPA features and behaviors that are enabled by default in OPA v1.0 (Default: false)
--var-values:: show local variable values in pretty trace output (Default: false)

2 changes: 1 addition & 1 deletion docs/modules/ROOT/pages/ec_opa_exec.adoc
Expand Up @@ -49,7 +49,7 @@ ec opa exec <path> [<path> [...]] [flags]
--set-file:: override config values with files on the command line (use commas to specify multiple values) (Default: [])
-I, --stdin-input:: read input document from stdin rather than a static file (Default: false)
--timeout:: set exec timeout with a Go-style duration, such as '5m 30s'. (default unlimited) (Default: 0s)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release. Takes precedence over --v1-compatible (Default: false)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release (Default: false)
--v1-compatible:: opt-in to OPA features and behaviors that are enabled by default in OPA v1.0 (Default: false)

== Options inherited from parent commands
30 changes: 26 additions & 4 deletions docs/modules/ROOT/pages/ec_opa_fmt.adoc
Expand Up @@ -11,7 +11,7 @@ is provided - this tool will use stdin.
The format of the output is not defined specifically; whatever this tool outputs
is considered correct format (with the exception of bugs).

If the '-w' option is supplied, the 'fmt' command with overwrite the source file
If the '-w' option is supplied, the 'fmt' command will overwrite the source file
instead of printing to stdout.

If the '-d' option is supplied, the 'fmt' command will output a diff between the
Expand All @@ -23,19 +23,41 @@ to stdout from the 'fmt' command.

If the '--fail' option is supplied, the 'fmt' command will return a non zero exit
code if a file would be reformatted.

The 'fmt' command can be run in several compatibility modes for consuming and outputting
different Rego versions:

* `opa fmt`:
* v1 Rego is formatted to v1
* `rego.v1`/`future.keywords` imports are NOT removed
* `rego.v1`/`future.keywords` imports are NOT added if missing
* v0 rego is rejected
* `opa fmt --v0-compatible`:
* v0 Rego is formatted to v0
* v1 Rego is rejected
* `opa fmt --v0-v1`:
* v0 Rego is formatted to be compatible with v0 AND v1
* v1 Rego is rejected
* `opa fmt --v0-v1 --v1-compatible`:
* v1 Rego is formatted to be compatible with v0 AND v1
* v0 Rego is rejected

[source,shell]
----
ec opa fmt [path [...]] [flags]
----
== Options

--check-result:: assert that the formatted code is valid and can be successfully parsed (default true) (Default: true)
--capabilities:: set capabilities version or capabilities.json file path
--check-result:: assert that the formatted code is valid and can be successfully parsed (Default: true)
-d, --diff:: only display a diff of the changes (Default: false)
--drop-v0-imports:: drop v0 imports from the formatted code, such as 'rego.v1' and 'future.keywords' (Default: false)
--fail:: non zero exit code on reformat (Default: false)
-h, --help:: help for fmt (Default: false)
-l, --list:: list all files who would change when formatted (Default: false)
--rego-v1:: format module(s) to be compatible with both Rego v1 and current OPA version) (Default: false)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release. Takes precedence over --v1-compatible (Default: false)
--rego-v1:: format module(s) to be compatible with both Rego v0 and v1 (Default: false)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release (Default: false)
--v0-v1:: format module(s) to be compatible with both Rego v0 and v1 (Default: false)
--v1-compatible:: opt-in to OPA features and behaviors that are enabled by default in OPA v1.0 (Default: false)
-w, --write:: overwrite the original source file (Default: false)

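Review bot: in the new compatibility-mode list, the `opa fmt` entry says `rego.v1`/`future.keywords` imports are NOT removed, but the Options in the same hunk add `--drop-v0-imports`, which exists to remove exactly those imports; the list should mention that flag so the two statements do not read as contradictory. Smaller points: the entries are written as `opa fmt ...` while the synopsis is `ec opa fmt`, and "v0 rego is rejected" is lower-case where every other entry writes "Rego".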
3 changes: 2 additions & 1 deletion docs/modules/ROOT/pages/ec_opa_inspect.adoc
Expand Up @@ -23,7 +23,7 @@ Example:
bundle.tar.gz
$ opa inspect bundle.tar.gz

You can provide exactly one OPA bundle, path to a bundle directory, or direct path to a Rego file to the 'inspect' command
You can provide exactly one OPA bundle, path to a bundle directory, or direct path to a Rego file to the 'inspect' command
on the command-line. If you provide a path referring to a directory, the 'inspect' command will load that path as a bundle
and summarize its structure and contents. If you provide a path referring to a Rego file, the 'inspect' command will load
that file and summarize its structure and contents.
Expand All @@ -37,6 +37,7 @@ ec opa inspect <path> [<path> [...]] [flags]
-a, --annotations:: list annotations (Default: false)
-f, --format:: set output format (Default: pretty)
-h, --help:: help for inspect (Default: false)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release (Default: false)
--v1-compatible:: opt-in to OPA features and behaviors that are enabled by default in OPA v1.0 (Default: false)

== Options inherited from parent commands
1 change: 1 addition & 0 deletions docs/modules/ROOT/pages/ec_opa_parse.adoc
Expand Up @@ -14,6 +14,7 @@ ec opa parse <path> [flags]
-f, --format:: set output format (Default: pretty)
-h, --help:: help for parse (Default: false)
--json-include:: include or exclude optional elements. By default comments are included. Current options: locations, comments. E.g. --json-include locations,-comments will include locations and exclude comments.
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release (Default: false)
--v1-compatible:: opt-in to OPA features and behaviors that are enabled by default in OPA v1.0 (Default: false)

== Options inherited from parent commands
11 changes: 6 additions & 5 deletions docs/modules/ROOT/pages/ec_opa_run.adoc
Expand Up @@ -114,9 +114,10 @@ OPA will automatically perform type checking based on a schema inferred from kno
resulting from the schema check. Currently this check is performed on OPA's Authorization Policy Input document and will
be expanded in the future. To disable this, use the --skip-known-schema-check flag.

The --v1-compatible flag can be used to opt-in to OPA features and behaviors that will be enabled by default in a future OPA v1.0 release.
Current behaviors enabled by this flag include:
- setting OPA's listening address to "localhost:8181" by default.
The --v0-compatible flag can be used to opt-in to OPA features and behaviors that were the default in OPA v0.x.
Behaviors enabled by this flag include:
- setting OPA's listening address to ":8181" by default, corresponding to listening on every network interface.
- expecting v0 Rego syntax in policy modules instead of the default v1 Rego syntax.

The --tls-cipher-suites flag can be used to specify the list of enabled TLS 1.0–1.2 cipher suites. Note that TLS 1.3
cipher suites are not configurable. Following are the supported TLS 1.0 - 1.2 cipher suites (IANA):
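Review bot: `--v0-compatible` is described here as switching two unrelated things at once, v0 Rego syntax and a default listener on ":8181" (every network interface). Someone who adds the flag only to keep old policies parsing also widens the server's network exposure, and the Options entry for `--v0-compatible` further down this page does not mention the address change at all. Suggest adding a sentence recommending an explicit `--addr localhost:8181` alongside the flag when only the syntax behaviour is wanted.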
Expand All @@ -135,7 +136,7 @@ ec opa run [flags]
----
== Options

-a, --addr:: set listening address of the server (e.g., [ip]:<port> for TCP, unix://<path> for UNIX domain socket) (Default: [:8181])
-a, --addr:: set listening address of the server (e.g., [ip]:<port> for TCP, unix://<path> for UNIX domain socket) (Default: [localhost:8181])
--authentication:: set authentication scheme (Default: off)
--authorization:: set authorization scheme (Default: off)
-b, --bundle:: load paths as bundle files or root directories (Default: false)
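Review bot: the `--addr` default is now shown as `[localhost:8181]`, but per the description text changed earlier in this file that only holds when `--v0-compatible` is not set. With `--authentication` and `--authorization` both documented as defaulting to off on the next two lines, the loopback default is what keeps an unconfigured server off the network, so the `--addr` description should say that `--v0-compatible` changes the default to `:8181`.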
Expand Down Expand Up @@ -172,7 +173,7 @@ ec opa run [flags]
--tls-cipher-suites:: set list of enabled TLS 1.0–1.2 cipher suites (IANA) (Default: [])
--tls-private-key-file:: set path of TLS private key file
--unix-socket-perm:: specify the permissions for the Unix domain socket if used to listen for incoming connections (Default: 755)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release. Takes precedence over --v1-compatible (Default: false)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release (Default: false)
--v1-compatible:: opt-in to OPA features and behaviors that are enabled by default in OPA v1.0 (Default: false)
--verification-key:: set the secret (HMAC) or path of the PEM file containing the public key (RSA and ECDSA)
--verification-key-id:: name assigned to the verification key used for bundle verification (Default: default)
2 changes: 1 addition & 1 deletion docs/modules/ROOT/pages/ec_opa_sign.adoc
Expand Up @@ -98,7 +98,7 @@ ec opa sign <path> [<path> [...]] [flags]
-o, --output-file-path:: set the location for the .signatures.json file (Default: .)
--signing-alg:: name of the signing algorithm (Default: RS256)
--signing-key:: set the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)
--signing-plugin:: name of the plugin to use for signing/verification (see https://www.openpolicyagent.org/docs/latest/management-bundles/#signature-plugin
--signing-plugin:: name of the plugin to use for signing/verification (see https://www.openpolicyagent.org/docs/latest/management-bundles/#signature-plugin)

== Options inherited from parent commands

11 changes: 4 additions & 7 deletions docs/modules/ROOT/pages/ec_opa_test.adoc
Expand Up @@ -5,7 +5,7 @@ Execute Rego test cases
== Synopsis

Execute Rego test cases.

The 'test' command takes a file or directory path as input and executes all
test cases discovered in matching files. Test cases are rules whose names have the prefix "test_".

Expand All @@ -21,8 +21,6 @@ Example policy (example/authz.rego):

package authz

import rego.v1

allow if {
input.path == ["users"]
input.method == "POST"
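Review bot: with `import rego.v1` removed, `allow if {` in this example only parses as v1 Rego, yet the Options on this page still list `--v0-compatible`. A short remark that the examples assume the default (v1) syntax would save readers who run them with `--v0-compatible` from a confusing parse error.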
Expand All @@ -37,8 +35,6 @@ Example test (example/authz_test.rego):

package authz_test

import rego.v1

import data.authz.allow

test_post_allowed if {
Expand Down Expand Up @@ -95,12 +91,13 @@ ec opa test <path> [path [...]] [flags]
-h, --help:: help for test (Default: false)
--ignore:: set file and directory names to ignore during loading (e.g., '.*' excludes hidden files) (Default: [])
-m, --max-errors:: set the number of errors to allow before compilation fails early (Default: 10)
-r, --run:: run only test cases matching the regular expression.
-p, --parallel:: the number of tests that can run in parallel, defaulting to the number of CPUs (explicitly set with 0). Benchmarks are always run sequentially. (Default: 16)
Member Author
...notice (Default: 16) here and see later commits for the fun it caused.

-r, --run:: run only test cases matching the regular expression
-s, --schema:: set schema file path or directory path
-t, --target:: set the runtime to exercise (Default: rego)
--threshold:: set coverage threshold and exit with non-zero status if coverage is less than threshold % (Default: 0)
--timeout:: set test timeout (default 5s, 30s when benchmarking) (Default: 0s)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release. Takes precedence over --v1-compatible (Default: false)
--v0-compatible:: opt-in to OPA features and behaviors prior to the OPA v1.0 release (Default: false)
--v1-compatible:: opt-in to OPA features and behaviors that are enabled by default in OPA v1.0 (Default: false)
--var-values:: show local variable values in test output (Default: false)
-v, --verbose:: set verbose reporting mode (Default: false)
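Review bot: the added `-p, --parallel` line records "(Default: 16)" although its description says the default is the number of CPUs, so the documented value is whatever the generating machine happened to have. Regenerating the page on a different host will produce a spurious diff; suggest having the doc generator omit or normalise the default for this flag.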