Issue-6559 Add ability to create decision labels within a policy #6681

Open
wants to merge 114 commits into base: main
Conversation

tsidebottom

Why the changes in this PR are needed?

Adds a DecisionLabel Field (a Map Object) to the Decision Log output to track Policy Result Data.

What are the changes in this PR?

  • A new field (DecisionLabel) was added to the Decision Log
  • This field was propagated backwards through the Policy Evaluation process
    • includes updates to files in Topdown, Rego, and SDK domains
  • A new builtin (DecisionLabelAdd) was created to populate the new field during evaluation

Notes to assist PR review:

Further comments:

Addresses #6559
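As an added example (not code from this PR, nor from OPA itself), the following Go program shows how a decision-log consumer could treat the new label map. Because the labels are written by policy authors through the new builtin, the ingest side should bound their count, key shape and value size before indexing them, and should report what it dropped so misbehaving policies are visible. The wire key `decision_label`, the limits, the key pattern and the sample log line are all assumptions made for this example; the PR only names the Go field `DecisionLabel`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// DecisionEvent is the assumed JSON shape of one decision log entry carrying
// the label map. The PR names the Go field DecisionLabel; the wire key
// "decision_label" is an assumption for this example.
type DecisionEvent struct {
	DecisionID    string                 `json:"decision_id"`
	Path          string                 `json:"path"`
	Result        json.RawMessage        `json:"result"`
	DecisionLabel map[string]interface{} `json:"decision_label"`
}

// Limits chosen for this example; tune them for your log pipeline.
const (
	maxLabels      = 16
	maxValueLength = 256
)

// Keys are restricted to a shape that is safe to use as an index field name.
var labelKeyRe = regexp.MustCompile(`^[a-z][a-z0-9_]{0,63}$`)

// SanitizeLabels returns the subset of labels safe to index: string-valued,
// bounded in size, with keys matching labelKeyRe. Keys that fail a check are
// returned in dropped (sorted) so the pipeline can alert on them. Exceeding
// maxLabels is treated as an error for the whole event rather than a silent drop.
func SanitizeLabels(in map[string]interface{}) (kept map[string]string, dropped []string, err error) {
	if len(in) > maxLabels {
		return nil, nil, fmt.Errorf("decision_label has %d keys, limit is %d", len(in), maxLabels)
	}
	kept = make(map[string]string, len(in))
	for k, v := range in {
		s, isString := v.(string)
		switch {
		case !labelKeyRe.MatchString(k):
			dropped = append(dropped, k)
		case !isString:
			dropped = append(dropped, k)
		case len(s) > maxValueLength:
			dropped = append(dropped, k)
		default:
			kept[k] = s
		}
	}
	sort.Strings(dropped)
	return kept, dropped, nil
}

// ParseDecisionEvent decodes one JSON decision log line and sanitizes its labels.
func ParseDecisionEvent(line []byte) (DecisionEvent, map[string]string, []string, error) {
	var ev DecisionEvent
	if err := json.Unmarshal(line, &ev); err != nil {
		return ev, nil, nil, err
	}
	kept, dropped, err := SanitizeLabels(ev.DecisionLabel)
	return ev, kept, dropped, err
}

// SampleLine builds a constructed decision log line for this example (not
// captured from a real OPA instance). "Bad Key" fails the key pattern,
// "nested" is not a string and "big" exceeds maxValueLength, so all three
// should be dropped while "tenant" and "rule" are kept.
func SampleLine() []byte {
	ev := map[string]interface{}{
		"decision_id": "4ac4b7c3-0001",
		"path":        "authz/allow",
		"result":      true,
		"decision_label": map[string]interface{}{
			"tenant":  "acme",
			"rule":    "deny_by_default",
			"Bad Key": "x",
			"nested":  map[string]int{"a": 1},
			"big":     strings.Repeat("A", maxValueLength+1),
		},
	}
	b, _ := json.Marshal(ev)
	return b
}

func main() {
	ev, kept, dropped, err := ParseDecisionEvent(SampleLine())
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("decision %s at %s\n", ev.DecisionID, ev.Path)
	fmt.Println("indexed labels:", kept)
	fmt.Println("dropped labels:", dropped)
}
```

The design choice worth noting is the asymmetry: an oversized map rejects the event outright (a policy emitting hundreds of labels is a bug or an abuse of the log channel), while individual bad keys are dropped and reported so that one mistake in a policy does not hide the rest of the decision record.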

netlify bot commented Apr 5, 2024

Deploy Preview for openpolicyagent ready!

Name Link
🔨 Latest commit 4070f53
🔍 Latest deploy log https://app.netlify.com/sites/openpolicyagent/deploys/6621259b68b7f400085fb353
😎 Deploy Preview https://deploy-preview-6681--openpolicyagent.netlify.app

@ashutosh-narkar
Member

Thanks for the contribution @tsidebottom. FYI we've added some comments on #6559 about the proposed feature including the latest one here. It would be helpful to identify alternate ways of achieving what's needed for #6559. Thanks.

ashutosh-narkar and others added 28 commits April 17, 2024 13:52
Currently the `raise_error` flag is not honored during the
input validation step. So `http.send` will return an error if
input validation fails irrespective of the `raise_error` flag
status. This change attempts to fix that.
Also the description of the `raise_error` flag is updated to
reflect actual behavior.

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
DecisionLabel will be populated by the Custom Built-in.

Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
Actual definition and code will go here.

Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
Added to the EvalContext Struct.

Created a method to pull the DecisionLabel object in from the SDK (opa.go; that update is coming shortly).

Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
yarivg and others added 24 commits April 17, 2024 13:52
Signed-off-by: yarivg <yarivgavriel2@gmail.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
These integrations feature on the learning rego page and the terraform
pages respectively.

Signed-off-by: Charlie Egan <charlie@styra.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
The cost of this can become non-trivial with larger inputs.

Signed-off-by: Teemu Koponen <koponen@styra.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
This commit adds the possibility to configure the plugin manager with
custom options.

It will allow SDK users to override the options already provided by the
SDK and to further customize it with configurations that were not
previously available. This is an advanced feature as it requires
some knowledge about the inner workings of OPA.

One use case for this is to provide a prometheus registerer and have the
status plugin metrics available for the client to use it in a
/metrics endpoint, for example.

resolves open-policy-agent#6662

Signed-off-by: Francisco Rodrigues <ednofco@gmail.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
This commit fixes a panic that could occur when `opa build` was provided
an entrypoint from both a CLI flag, and via entrypoint metadata
annotation.

The fix is simple: deduplicate the slice of entrypoint refs that the
compiler uses, before compiling WASM or Plan targets.

Fixes: open-policy-agent#6661

Co-authored-by: Daniel Herzig <danielherzig96@gmail.com>
Signed-off-by: Philip Conrad <philipaconrad@gmail.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
This time for v0QueryPath, v1DataGet, and v1DataPost.

Signed-off-by: Teemu Koponen <koponen@styra.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
https://go.dev/doc/devel/release#go1.22.2

Signed-off-by: Stephan Renatus <stephan@styra.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
…-agent#6671)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.22.0 to 0.23.0.
- [Commits](golang/net@v0.22.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
…policy-agent#6673)

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.62.1 to 1.63.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.62.1...v1.63.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
Bumps [github.com/prometheus/client_model](https://github.com/prometheus/client_model) from 0.5.0 to 0.6.1.
- [Release notes](https://github.com/prometheus/client_model/releases)
- [Commits](prometheus/client_model@v0.5.0...v0.6.1)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_model
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
In workflow runs like this:
https://github.com/open-policy-agent/opa/actions/runs/7803493290/job/21283458848#step:3:317

We can see two problems. This commit is meant to address them.

First, the test failed with this message:

```
expected unknown certificate authority error but got: Get "https://127.0.0.1:38699/v1/data": write tcp 127.0.0.1:52786->127.0.0.1:38699: write: connection reset by peer
```

Now this step in the test is retried like the other steps in the test
since it can fail too.

Second, the error `failed to reload TLS config` appears many times in
the logs for that test. This issue is caused by the server attempting to
read the new cert, key, and CA contents from disk while they are still
being written to. This PR also introduces a 100ms pause between up to 5
attempts to reload the config for any given change to the state on disk.
This should mean that the error is seen only when it is actually an
issue and the reload has failed after a reasonable time. In most cases,
running locally, the reload happens without error on the first run.

Signed-off-by: Charlie Egan <charlie@styra.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
…ty-printed" and/or line-prefixed JSON (open-policy-agent#6636)

Fixes open-policy-agent#6630

Signed-off-by: Sean Williams <72675818+sean-r-williams@users.noreply.github.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
This reflects the reality -- we hadn't been sure why the dependabot update had
not increased the stanza when it should have; but doing so now should unbreak
the nightly tests.

Signed-off-by: Stephan Renatus <stephan@styra.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
…-agent#6680)

Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.14 to 1.7.15.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.7.14...v1.7.15)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.63.0 to 1.63.2.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.63.0...v1.63.2)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
Improving memory footprint and execution time of deps command for policies with high dependency connectivity.

Fixes: open-policy-agent#6685
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
Signed-off-by: kunal.das <kd.kunaldas92@gmail.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
Adding a global `rego_version` attribute to bundle manifest, to inform OPA runtime about what rego-version (v0/v1) to use to parse/compile contained Rego files.
The rego-version of individual Rego files can be overridden through the `file_rego_versions` manifest attribute.

Implements: open-policy-agent#6578

Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
…policy-agent#6689)

Fixing issue where active parser options aren't propagated to module reload during bundle activation.

Signed-off-by: Francisco Rodrigues <ednofco@gmail.com>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
Documenting bundle rego-version.

Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
The DecisionLabel is no longer a Field of the DecisionOptions Struct because the field will always be nil. It is now generated directly within the Decision() Function where it can be populated. Due to this, the scenario being tested is impossible. For coverage, the scenario being tested by TestDecisionLoggingWithDecisionLabel is formally covered by the tests which confirm the proper function of the DecisionLabelAdd Builtin Function.

Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
tsidebottom and others added 5 commits April 17, 2024 13:59
Signed-off-by: Thomas Sidebottom <91754088+tsidebottom@users.noreply.github.com>
Using `goimports` to format the imports

Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
The DecisionLabelAdd Builtin was added to the capabilities.json file to allow it to be tracked.

Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
I missed this even after the GitHub Check told me to look here...

Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
I added it to the list, but I forgot to add the actual description of the Builtin. Using the Check Generated Job version.

Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>