Master: Renovate: Automerge Update dependency without new findings
This MR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| openpolicyagent/opa | ironbank-docker | minor |
0.51.0-static -> 0.52.0-static
|
| openpolicyagent/opa | minor |
0.51.0 -> 0.52.0
|
|
| openpolicyagent/opa | stage | minor |
0.51.0-static -> 0.52.0-static
|
Release Notes
open-policy-agent/opa
v0.52.0
This release contains some enhancements, bugfixes, and a new builtin function.
Allow Adding Labels via Discovery
Previously OPA did not allow any updates to the labels provided in the boot configuration via the discovered (ie. service) config. This was done to avoid breaking the discovery configuration. But there are use cases where labels can serve as a convenient way to pass information that could be used in policies, status updates or decision logs. This change allows additional labels to be configured in the service config which are then made available during runtime.
See the Discovery documentation for more details.
Authored by @mjungsbluth.
New Built-In Function: crypto.hmac.equal
crypto.hmac.equal provides a convenient way to compare hashes generated by the MD5, SHA-1, SHA-256 and SHA-512 hashing algorithms.
Below is a real world example of how this built-in function can be utilized. Imagine our server is registered as a
GitHub webhook which subscribes to certain events on GitHub.com. Now we want to limit requests to those coming from GitHub.
One of the ways to do that is to first set up a secret token and validate the information. Once we create the token on GitHub,
we'll set up an environment variable that stores this token and makes it available to OPA via the opa.runtime built-in.
In the case of GitHub webhooks the validation is done by comparing the hash signature received in the X-Hub-Signature-256
header and calculating a hash using the secret token and payload body. The check_signature rule implements this logic.
package example
import input.attributes.request.http as http_request
allow {
http_request.method == "POST"
input.parsed_path = ["workflows", "github", "webhooks"]
check_signature
}
check_signature {
secret_key := opa.runtime().env.GITHUB_SECRET_KEY
hash_body := crypto.hmac.sha256(http_request.raw_body, secret_key)
expected_signature := concat("", ["sha256=", hash_body])
header_signature = http_request.headers["X-Hub-Signature-256"]
crypto.hmac.equal(header_signature, expected_signature)
}See the documentation on the new built-in for all the details.
Authored by @sandokandias.
Extend Authentication Methods Supported by OCI Downloader
Previously the OCI Downloader had support for only three types of authentication methods, namely Client TLS Certificates,
Basic Authentication and Bearer Token. This change adds support for other authentication methods such as AWS Signature,
GCP Metadata Token. See the documentation
for more details.
Authored by @DerGut.
Update Profiler Output With Number of Generated Expressions
The number of EVAL/REDO counts in the profile result are sometimes difficult to understand. This is mainly due to the fact that the compiler rewrites expressions and assigns the same location to each generated expression and the profiler keys the counters by the location. To provide more clarity, the profile output now includes the number of generated expressions for each given expression thereby helping to better understand the result and also how the evaluation works.
Here is an example of the updated profiler output with the new NUM GEN EXMR column:
+----------+----------+----------+--------------+-------------+
| TIME | NUM EVAL | NUM REDO | NUM GEN EXMR | LOCATION |
+----------+----------+----------+--------------+-------------+
| 20.291µs | 3 | 3 | 3 | test.rego:7 |
| 1µs | 1 | 1 | 1 | test.rego:6 |
| 2.333µs | 1 | 1 | 1 | test.rego:5 |
| 6.333µs | 1 | 1 | 1 | test.rego:4 |
| 84.75µs | 1 | 1 | 1 | data |