Adding --v1-compatible flag to opa build and opa eval
#6478
Conversation
✅ Deploy Preview for openpolicyagent ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
ast/parser.go
Outdated
| @@ -105,8 +114,8 @@ type ParserOptions struct { | |||
| FutureKeywords []string | |||
| SkipRules bool | |||
| JSONOptions *astJSON.Options | |||
| RegoVersion RegoVersion | |||
There was a problem hiding this comment.
This is a breaking change. We could also keep the old RegoV1Compatible parameter, but I think that'll just be confusing. It's unlikely anyone is using this yet, so I feel this isn't a huge transgression.
There was a problem hiding this comment.
Should we deprecate the old one and remove it in a future release? I agree not many must be using this.
There was a problem hiding this comment.
I've added it back and added a deprecation notice.
| @@ -103,7 +103,11 @@ type FileLoader interface { | |||
| WithCapabilities(*ast.Capabilities) FileLoader | |||
| WithJSONOptions(*astJSON.Options) FileLoader | |||
|
|
|||
| // WithRegoV1Compatible | |||
| // Deprecated: use WithRegoVersion instead | |||
There was a problem hiding this comment.
I think it's unlikely many users are using this already, so we can probably remove the WithRegoV1Compatible func now.
|
In terms of naming the flag |
| if params.regoV1 { | ||
| regoArgs = append(regoArgs, rego.SetRegoVersion(ast.RegoV1)) | ||
| } | ||
|
|
There was a problem hiding this comment.
For both eval and build, we need to document how the new flag works either in docs or the help text.
There was a problem hiding this comment.
For sure 👍 . I'm thinking we should update the OPA 1.0 page.
It's not included here as I didn't want to spend time on writing that text before we locked down the flag name.
|
Let's go with |
johanfylling
changed the title
--rego-v1 flag to opa build and opa eval--v1-compatible flag to opa build and opa eval
johanfylling
force-pushed
the
rego-v1/flag_on_all_commands
branch
3 times, most recently
from
ecd0189
to
ee3291d
Compare
Fixes: open-policy-agent#6463 Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Fixes: open-policy-agent#6463 Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
…at-v1) Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
…goVersion()` Suggested by @ashutosh-narkar Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Requested by @ashutosh-narkar Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
ashutosh-narkar
force-pushed
the
rego-v1/flag_on_all_commands
branch
from
ee3291d
to
b811b7b
Compare
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Adding `--v1-compatible` flag to `opa test` Fixes: open-policy-agent#6463 Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Fixes: open-policy-agent#6463 Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Fixes: open-policy-agent#6463 Signed-off-by: Johan Fylling <johan.dev@fylling.se>
|
Added support for commands: |
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
ast/parser.go
Outdated
| // RegoV1Compatible additionally affects the Rego version. Use EffectiveRegoVersion to get the effective Rego version. | ||
| RegoVersion RegoVersion | ||
| // RegoV1Compatible is equivalent to setting RegoVersion to RegoV0CompatV1. | ||
| // Setting RegoV1Compatible only has effect if RegoVersion is RegoV0. |
There was a problem hiding this comment.
Aren't we kind of changing the meaning of RegoV1Compatible? It's fine I guess since I don't expect this has much usage.
There was a problem hiding this comment.
True. I've changed this to make RegoV1Compatible take precedence.
cmd/build_test.go
Outdated
| `, | ||
| }, | ||
| // Note: the rego.v1 import isn't added to the optimized module. | ||
| // This is ok, as the bundle was built with the --rego-v1 flag, |
There was a problem hiding this comment.
Do we mean the --v1-compatible flag or --rego-v1 flag?
cmd/fmt.go
Outdated
| @@ -206,6 +223,8 @@ func init() { | |||
| formatCommand.Flags().BoolVarP(&fmtParams.list, "list", "l", false, "list all files who would change when formatted") | |||
| formatCommand.Flags().BoolVarP(&fmtParams.diff, "diff", "d", false, "only display a diff of the changes") | |||
| formatCommand.Flags().BoolVar(&fmtParams.fail, "fail", false, "non zero exit code on reformat") | |||
| formatCommand.Flags().BoolVar(&fmtParams.regoV1, "rego-v1", false, "format as Rego v1") | |||
| addRegoV1FlagWithDescription(formatCommand.Flags(), &fmtParams.regoV1, false, "format as Rego v1") | |||
There was a problem hiding this comment.
Similar to opa check the resulting policy will also be compatible with the current OPA version?
There was a problem hiding this comment.
Yes. Changing description.
| @@ -26,7 +26,7 @@ type Opts struct { | |||
| // carry along their original source locations. | |||
| IgnoreLocations bool | |||
|
|
|||
| RegoV1 bool | |||
| RegoVersion ast.RegoVersion | |||
There was a problem hiding this comment.
Probably need to deprecate RegoV1
rego/rego_test.go
Outdated
| @@ -1167,6 +1167,83 @@ func TestPrepareAndPartial(t *testing.T) { | |||
| } | |||
| } | |||
|
|
|||
| func TestPartialWitRegoV1(t *testing.T) { | |||
There was a problem hiding this comment.
Nit: TestPartialWithRegoV1
rego/rego_test.go
Outdated
| t.Fatal(err) | ||
| } | ||
|
|
||
| fmt.Println(partialQuery) |
There was a problem hiding this comment.
Nit: We can remove this
| "policy.rego": `package test | ||
| x contains y if { y := 1 }`, | ||
| }, | ||
| expectedErr: "rego_parse_error: var cannot be used for rule name", // FIXME: Improve error message |
There was a problem hiding this comment.
Is this something to address in this PR?
There was a problem hiding this comment.
I believe this might require a larger set of changes in the parser. Let's not delay this PR and risk it not getting in this release, and fix this in the next release instead.
docs/content/opa-1.md
Outdated
| * `check`* | ||
| * `fmt`* | ||
| * `eval` | ||
| * `test` |
There was a problem hiding this comment.
Do you think it would be helpful to add a short note about what the --v1-compatible flag does in each command. For example, in test it will parse modules/bundles per v1 syntax.
* Changing `ParserOptions.RegoV1Compatible` take precedence over `ParserOptions.RegoVersion` * Fixing comment in test * Updating `fmt --rego-v1` CLI description Signed-off-by: Johan Fylling <johan.dev@fylling.se>
* Changing `ParserOptions.RegoV1Compatible` take precedence over `ParserOptions.RegoVersion` * Fixing comment in test * Updating `fmt --rego-v1` CLI description * Adding back `Opts.RegoV1` and deprecating. * Making `Opts.RegoV1` take precedence over `Opts.RegoVersion` Signed-off-by: Johan Fylling <johan.dev@fylling.se>
* Changing `ParserOptions.RegoV1Compatible` take precedence over `ParserOptions.RegoVersion` * Fixing comment in test * Updating `fmt --rego-v1` CLI description * Adding back `Opts.RegoV1` and deprecating. * Making `Opts.RegoV1` take precedence over `Opts.RegoVersion` * `TestPartialWitRegoV1` -> `TestPartialWithRegoV1` Signed-off-by: Johan Fylling <johan.dev@fylling.se>
* Changing `ParserOptions.RegoV1Compatible` take precedence over `ParserOptions.RegoVersion` * Fixing comment in test * Updating `fmt --rego-v1` CLI description * Adding back `Opts.RegoV1` and deprecating. * Making `Opts.RegoV1` take precedence over `Opts.RegoVersion` * `TestPartialWitRegoV1` -> `TestPartialWithRegoV1` * removing `Println` in test Signed-off-by: Johan Fylling <johan.dev@fylling.se>
* Changing `ParserOptions.RegoV1Compatible` take precedence over `ParserOptions.RegoVersion` * Fixing comment in test * Updating `fmt --rego-v1` CLI description * Adding back `Opts.RegoV1` and deprecating. * Making `Opts.RegoV1` take precedence over `Opts.RegoVersion` * `TestPartialWitRegoV1` -> `TestPartialWithRegoV1` * removing `Println` in test * Updating docs with per-command behavioural descriptions for `--v1-compatible`. Signed-off-by: Johan Fylling <johan.dev@fylling.se>
This PR implements a small subset of the commands in #6463; namely
buildandeval. I'm not including more commands here to keep the scope of the PR tight, in part to make it easier to review, but also so that implementation of the remaining commands can be parallelized between multiple developers.When applied, the
--rego-v1flag will causeopa buildandopa evalto behave strictly as they would in OPA 1.0 in regards to module parsing, compilation, and PE. The difference to the behavior of e.g.opa fmt --rego-v1is that this strict 1.0 behavior allows for policies using thefuturekeywords without first importingfuture.keywordsorrego.v1. E.g.:An open question is what this flag should be named. A couple of options:
--rego-v1: The current naming in this PR. This was selected because this flag already exists on thefmtandcheckcommands. I'm now reevaluating this choice, as--rego-v1on e.g.fmtmeans the policy will be formatted to be compatible with both Rego in OPA 0.x and 1.0, whereas forevalit enforces compatibility with only 1.0. In addition to this behavioral difference, reusing the--rego.v1flag means that we can't provide exactly OPA 1.0 behavior forfmtandcheckin addition to this current v0/v1 compatibility.--v1-compatible: This flag already exists inopa run, and will apply configuration default values as if OPA 1.0. E.g., the server defaults to listen tolocalhostinstead of0.0.0.0(currently the only change). It could be argued that module processing is part of this "OPA 1.0 compatibility mode".--rego-version=<version>: Allow the user to explicitly select what version/flavor of Rego to use. In this PR, we have internally have three flavors of Rego (we could allow the user to either select between no1 and no3; or all three, but that might become confusing):rego-v0: The current, default Rego version.rego-v0-compat-v1: A flavor of Rego compatible with both v0 and v1. What is currently enforced inopa check --rego-v1andopa fmt --rego-v1.rego-v1: The future Rego version of OPA 1.0.