Prepare v0.52.0 release

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
open-policy-agent · Apr 27, 2023 · 8d2c137 · 8d2c137
1 parent f2c8474
commit 8d2c137
Show file tree

Hide file tree

Showing 4 changed files with 4,933 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,7 +3,131 @@
 All notable changes to this project will be documented in this file. This
 project adheres to [Semantic Versioning](http://semver.org/).
 
-## Unreleased
+## 0.52.0
+
+This release contains some enhancements, bugfixes, and a new builtin function.
+
+### Allow Adding Labels via Discovery
+
+Previously OPA did not allow any updates to the labels provided in the boot configuration via the discovered (ie. service)
+config. This was done to avoid breaking the discovery configuration. But there are use cases where labels can serve as a convenient
+way to pass information that could be used in policies, status updates or decision logs. This change allows
+additional labels to be configured in the service config which are then made available during runtime.
+
+See [the Discovery documentation](https://www.openpolicyagent.org/docs/v0.52.0/management-discovery/#limitations)
+for more details.
+
+Authored by @mjungsbluth.
+
+### New Built-In Function: crypto.hmac.equal
+
+`crypto.hmac.equal` provides a convenient way to compare hashes generated by the MD5, SHA-1, SHA-256 and SHA-512 hashing algorithms.
+
+Below is a real world example of how this built-in function can be utilized. Imagine our server is registered as a
+GitHub webhook which subscribes to certain events on GitHub.com. Now we want to limit requests to those coming from GitHub.
+One of the ways to do that is to first set up a secret token and validate the information. Once we create the token on GitHub,
+we'll set up an environment variable that stores this token and makes it available to OPA via the `opa.runtime` built-in.
+In the case of GitHub webhooks the validation is done by comparing the hash signature received in the `X-Hub-Signature-256`
+header and calculating a hash using the secret token and payload body. The `check_signature` rule implements this logic.
+
+```rego
+package example
+
+import input.attributes.request.http as http_request
+
+allow {
+    http_request.method == "POST"
+    input.parsed_path = ["workflows", "github", "webhooks"]
+    check_signature
+}
+
+check_signature {
+    secret_key := opa.runtime().env.GITHUB_SECRET_KEY
+    hash_body := crypto.hmac.sha256(http_request.raw_body, secret_key)
+    expected_signature := concat("", ["sha256=", hash_body])
+    header_signature = http_request.headers["X-Hub-Signature-256"]
+    crypto.hmac.equal(header_signature, expected_signature)
+}
+```
+
+See [the documentation on the new built-in](https://www.openpolicyagent.org/docs/v0.52.0/policy-reference/#builtin-crypto-cryptohmacequal)
+for all the details.
+
+Authored by @sandokandias.
+
+### Extend Authentication Methods Supported by OCI Downloader
+
+Previously the OCI Downloader had support for only three types of authentication methods, namely `Client TLS Certificates`,
+`Basic Authentication` and `Bearer Token`. This change adds support for other authentication methods such as [AWS Signature](https://www.openpolicyagent.org/docs/v0.52.0/configuration/#aws-signature),
+[GCP Metadata Token](https://www.openpolicyagent.org/docs/v0.52.0/configuration/#gcp-metadata-token). See [the documentation](https://www.openpolicyagent.org/docs/v0.52.0/configuration/#using-private-image-from-oci-repositories)
+for more details.
+
+Authored by @DerGut.
+
+### Update Profiler Output With Number of Generated Expressions
+
+The number of EVAL/REDO counts in the profile result are sometimes difficult to understand. This is mainly due to the
+fact that the compiler rewrites expressions and assigns the same location to each generated expression and the profiler
+keys the counters by the location. To provide more clarity, the profile output now includes the number of generated
+expressions for each given expression thereby helping to better understand the result and also how the evaluation works.
+
+Here is an example of the updated profiler output with the new `NUM GEN EXPR` column:
+
+```ruby
++----------+----------+----------+--------------+-------------+
+|   TIME   | NUM EVAL | NUM REDO | NUM GEN EXPR |  LOCATION   |
++----------+----------+----------+--------------+-------------+
+| 20.291µs | 3        | 3        | 3            | test.rego:7 |
+| 1µs      | 1        | 1        | 1            | test.rego:6 |
+| 2.333µs  | 1        | 1        | 1            | test.rego:5 |
+| 6.333µs  | 1        | 1        | 1            | test.rego:4 |
+| 84.75µs  | 1        | 1        | 1            | data        |
++----------+----------+----------+--------------+-------------+
+```
+
+See [the Profiling documentation](https://www.openpolicyagent.org/docs/v0.52.0/policy-performance/#profiling)
+for more details.
+
+Authored by @ashutosh-narkar.
+
+### Runtime, Tooling, SDK
+
+- bundle: Add ability to load bundles from an arbitrary filesystem ([#5833](https://github.com/open-policy-agent/opa/issues/5833)) authored by @kjothen
+- server: Add a note to explicitly point out if OPA binds to the 0.0.0.0 interface on server initialization ([#5090](https://github.com/open-policy-agent/opa/issues/5090)) authored by @Parsifal-M
+- Include trace and span identifier in decision logs to help with correlating logs and trace data ([#5230](https://github.com/open-policy-agent/opa/issues/5230)) authored by @ashutosh-narkar
+
+### Topdown and Rego
+
+- ast: Disallow partial object rules to have other partial object rule within their immediate extent ([#5855](https://github.com/open-policy-agent/opa/issues/5855)) authored by @johanfylling
+- ast: Disallow multi-value rules to have other rules in their extent ([#5813](https://github.com/open-policy-agent/opa/issues/5813)) authored by @johanfylling
+- ast: Set result of groundness check on indexer's AllRules func so that rule evaluation for complete rules is not skipped ([#5857](https://github.com/open-policy-agent/opa/issues/5857)) authored by @ashutosh-narkar
+- rego: Fix duplicate text in error message during module parsing ([#5837](https://github.com/open-policy-agent/opa/pull/5837)) authored by @TzlilSwimmer123
+- planner: Fix bugs that have an impact on IR ([#5829](https://github.com/open-policy-agent/opa/pull/5829)) and Wasm usage ([#5839](https://github.com/open-policy-agent/opa/pull/5839)) authored by @srenatus
+- ast: Include information about the location of rule value and reference in the AST's JSON representation based on the provided custom parsing options ([#5790](https://github.com/open-policy-agent/opa/issues/5790)) authored by @Trolloldem
+- ast: Fix issue with unset annotation data when custom parsing options provided ([#5826](https://github.com/open-policy-agent/opa/issues/5826)) authored by @charlieegan3
+
+### Docs
+
+- docs/rest-api: Update Compile API docs to include some use-cases ([#5858](https://github.com/open-policy-agent/opa/pull/5858)) authored by @charlieegan3
+- docs/extensions: Add Nondeterministic field to the Rego object initialization in the code example for the Custom Built-in Function section ([#5861](https://github.com/open-policy-agent/opa/pull/5861)) (authored by @RmStorm)
+
+
+### Website + Ecosystem
+
+- Ecosystem:
+  - Reposaur ([#5854](https://github.com/open-policy-agent/opa/pull/5854)) authored by @charlieegan3
+  - Update logo for Torque integration ([#5810](https://github.com/open-policy-agent/opa/pull/5810)) authored by @shirabendor-quali
+
+- Website:
+  - Reorganize the `MISCELLANEOUS` section to improve content navigation ([#4614](https://github.com/open-policy-agent/opa/issues/4614)) authored by @lakhanjindam
+
+### Miscellaneous
+
+- Dependency bumps, notably:
+  - golang from 1.20.2 to 1.20.3
+  - golang.org/x/net from 0.8.0 to 0.9.0
+  - github.com/prometheus/client_golang from 1.14.0 to 1.15.0
+
 
 ## 0.51.0