-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure OPA strict mode compliance #429
Conversation
1839c6e
to
1de0f97
Compare
I guess that answered my question about whether versioning was needed 😄 |
Hi @anderseknert - Yup, assuming these are all backward compatible with no change in behavior, they can just be a patch version bumps. |
1de0f97
to
1c8907a
Compare
@apeabody all versions now bumped accordingly, and the tests seemingly pleased. |
artifacthub/library/general/allowedrepos/1.0.0/artifacthub-pkg.yml
Outdated
Show resolved
Hide resolved
1c8907a
to
8de9c2e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contribution @anderseknert!
A second maintainer will also need to review.
Quick question about not being able to override The question is... will the below linked Rego code eventually break? |
@maxsmythe no, that's fine! You can still override |
@anderseknert Awesome, thanks for clarifying! |
9a5dc4a
to
348e7dc
Compare
@sozercan - We are now testing with both OPA versions, when convenient PTAL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like unit tests are failing. Could you PTAL?
Ahh, looks like it is the
|
Hi Gatekeeper friends! 👋😃 In order to ensure the Gatekeeper library works with future updates of OPA, and to better catch some common mistakes in Rego policy in the future, this PR aims to fix all errors reported from `opa check --strict src`, and to make sure future changes are compliant with the OPA [strict mode](https://www.openpolicyagent.org/docs/latest/policy-language/#strict-mode) checks. The errors raised from strict mode, and which are fixed with this PR, include: * `input` must not be shadowed/assigned * Unused function args — use wildcards (`_`) in their place * Unused local assignment * Deprecated built-in functions * `re_match` -> `regex.match` * `all` -> these were not needed * `any` -> `strings.any_prefix_match` and `strings.any_suffix_match` as these were always used together with `startswith`/`endswith` The by far most noisy fix was the first one, i.e. `input` getting shadowed in basically all tests. Changed to use `inp` for a name as `in` is of course another name we don't want to shadow 😅 The changes here do not change semantics of the code. I did however also make some additional fixes where e.g. the unused function args error showed that a function wasn't needed in the first place, and so on. Naturally, all tests pass as before. Two things I'm not sure about: 1. The code introduces the `strings.any_prefix_match` and `strings.any_suffix_match` built-in functions in one policy. These were introduced in OPA v0.44.0, which is quite a few OPA and Gatekeeper versions ago. I could not find information on what the minimum version of OPA or Gatekeeper must be supported in the Rego code in this library. If needed, that change can be reverted. 2. https://github.com/open-policy-agent/gatekeeper-library mentions Versioning. Should I update the versions of each policy changed with this PR? To make sure the code stays compliant, I've added the `opa check --strict` command to execute with the `test.sh` script, before the unit tests run. Signed-off-by: Anders Eknert <anders@styra.com>
5a6a6cc
to
5b44a5a
Compare
Yes, some new tests overloading |
Hi Gatekeeper friends! 👋😃
In order to ensure the Gatekeeper library works with future updates of OPA, and to better catch some common mistakes in Rego policy, this PR aims to fix all errors reported from
opa check --strict src
, and to make sure future changes are compliant with the OPA strict mode checks.The errors raised from strict mode, and which are fixed with this PR, include:
input
must not be shadowed/assigned_
) in their placere_match
->regex.match
all
-> these were not neededany
->strings.any_prefix_match
andstrings.any_suffix_match
as these were always used together with
startswith
/endswith
The by far most noisy fix was the first one, i.e.
input
getting shadowed in basically all tests. Changed to useinp
for a name asin
is of course another name we don't want to shadow 😅The changes here do not change semantics of the code. I did however also make some additional fixes where e.g. the unused function args error showed that a function wasn't needed in the first place, and so on. Naturally, all tests pass as before.
Two things I'm not sure about:
strings.any_prefix_match
andstrings.any_suffix_match
built-in functions in one policy. These were introduced in OPA v0.44.0, which is quite a few OPA and Gatekeeper versions ago. I could not find information on what the minimum version of OPA or Gatekeeper must be supported in the Rego code in this library. If needed, that change can be reverted.To make sure the code stays compliant, I've added the
opa check --strict
command to execute with thetest.sh
script, before the unit tests run.