Releases: open-policy-agent/opa

v0.20.2

21 May 21:39

Fixes

  • format: Fix panic with else blocks and comments (#2420)

v0.20.1

21 May 13:31

This release fixes an issue in the Docker image build. The default ca-certificates were not being included because the Docker image is FROM scratch now.

v0.20.0

21 May 12:26

Major Features

This release includes a number of features, optimizations, and bug fixes.

Version Reporting

OPA now determines the latest stable release version using https://telemetry.openpolicyagent.org.

The only information provided to the telemetry service is the version (e.g., 0.20.0), a UUIDv4 generated on startup, and the build platform/architecture (e.g., darwin, amd64).

This feature is on by default in opa run; however, it can easily be disabled by specifying --skip-version-check on the command line. If you are inside the REPL, type help to see the latest version information. If you are running OPA as a server, OPA will log an INFO level message indicating if OPA is out of date. Version checking is best-effort. Any errors that occur while communicating with https://telemetry.openpolicyagent.org are only logged at DEBUG level.

For more information see https://openpolicyagent.org/docs/latest/privacy/.

New opa build command

The opa build command can now be used to package OPA policy and data files into bundles that can be easily distributed via HTTP. See opa build --help for details. This change is backwards incompatible. If you were previously relying on opa build to compile policies to wasm, you can still do so:

# before v0.20.0
opa build -d policy.rego 'data.example.allow'

# v0.20.0 and newer
opa build policy.rego -e example/allow -t wasm

Built-in Functions

This release includes a number of new built-in functions:

  • graph.reachable for computing the transitive closure from edge sets. This function allows users to write policies that traverse organization charts, security groups, etc. (thanks to @jaspervdj-luminal!)
  • io.jwt.verify_rs512 and other variants (rs/es/hs/ps, 384/512) were added (thanks to @GBrawl!)
  • uuid.rfc4122 for generating UUIDv4s (thanks to @reneklootwijk!)

This release also includes a few fixes to existing built-in functions:

  • units.parse_bytes now supports units without the B or b suffix (thanks to @GBrawl!)
  • io.jwt.verify_decode now supports floating-point nbf and exp claims (thanks to @GBrawl!)
  • array.slice clamping logic fixed to prevent panic (#2320).

Operations

  • The opa run command now supports a --diagnostic-addr flag that causes the server to expose the /health and /metrics endpoints on a different address. This makes it easier to secure sidecar deployments in Kubernetes because the main API endpoints can be served on localhost and the diagnostic endpoints can be served on 0.0.0.0 so that the kubelet and other components can access them (#2002). The envoy tutorial has been updated to show this in action.

  • The AWS credential provider has been updated to support the standard AWS_SESSION_TOKEN and AWS_SECURITY_TOKEN environment variables. These are used when signing S3 bundle requests for an AWS IAM assumed role (thanks to @kpiotrowski!)

WebAssembly

This release includes a number of improvements for wasm compiled policies.

  • UTF-8 and UTF-16 strings are now fully supported in the internal string representation (#1885)
  • Numeric values are implemented on top of arbitrary-precision floating point numbers to avoid loss-of-precision issues.
  • The arithmetic, set, array, and type checking built-in function categories are now supported by the wasm library. This means they do not have to be implemented by the language-specific opa-wasm SDKs.
  • The set and object implementations now use a chained hash set under the hood (#2225)

Performance

  • OPA will attempt to index collections generated by comprehensions to ensure linear runtime for policies performing "group-by" operations (e.g., inverting an object). For more information see the Policy Performance page (#2276).

Tooling

  • The OPA extension for VS Code now supports Go To Definition inside policies.
    This feature uses the new opa oracle find-definition command.
  • The opa test command now includes location information on trace output.
  • The opa fmt command now preserves else block style when possible (thanks to @mikaelcabot!)

Documentation

This release includes several improvements to the website and documentation.

  • Improved terraform tutorial example (#1772) (thanks to @princespaghetti!)
  • Fixed token validation logic in envoy tutorial example (#2395) (thanks to @princespaghetti!)
  • Usability issues on the frontpage have been resolved (#2205, #2206) (thanks to @arunbsar!)
  • The Policy Performance page now includes resource utilization guidelines (#1601)
  • By popular demand, the "document model" explanation has been brought back into existence. It now lives in the Philosophy section (#2284).
  • The Ecosystem page implements a simple sorting algorithm that ranks items by amount of related content.
  • The policy cheat sheet has been merged into the Policy Reference page.

Fixes

  • REPL now correctly displays booleans in tabled output (#2338, thanks to @timakin!)
  • Discovery now supports service configuration updates. This makes token refresh easier in distributed environments on AWS. (#2058)
  • Fixed compiler panic if body omitted from else statement (#2353)
  • Fixed panic in /health API with the envoy plugin (#2396)
  • Partial Evaluation no longer generates unsafe queries for certain negated expressions (#2045)
  • Partial Evaluation no longer saves an incorrect binding list in some cases (#2368)
  • Output variable analysis no longer visits closures. This makes the analysis easier to use outside of the safety check.
  • Rules parsed from expressions now have location information set correctly.

Miscellaneous

  • If you are building OPA for debian systems, the Makefile now supports a make deb target. The target requires dpkg-deb to be installed. Thanks to @keshto
    for contributing this!
  • OPA is now built, by default, with CGO disabled. Also, the default Docker image (openpolicyagent/opa) is back to using FROM scratch.

Backwards Compatibility

  • An internal utility function that unmarshals JSON (util.UnmarshalJSON) has been fixed to return an error if the input bytes contain garbage following a valid JSON value. In the past, the util.UnmarshalJSON function would just return the valid JSON value and ignore the garbage following it. This change is backwards incompatible since clients that were previously transmitting bad data will now receive an error; however, we think it's important to surface errors rather than hide them (#2331).

  • The Go plugin/shared library loading feature that was deprecated in v0.14.0 has finally been removed completely. If you are interested in extending OPA, see the Extensions for how to do so at compile-time (#2049).

  • The github.com/open-policy-agent/opa/metrics#Counter interface has been extended to require an Add(uint64) function. This change only affects users that have implemented their own version of the github.com/open-policy-agent/opa/metrics#Metrics interface (which is the factory for counters.)

  • As mentioned above, the opa build command-line syntax has changed. We think this is the right time to refresh the command and we are more confident that the new syntax will remain stable going forward.
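
The stricter decoding described in the util.UnmarshalJSON item above, as an added Go example (not OPA's own code): lenientUnmarshal models the old behaviour and strictUnmarshal the new one, using only encoding/json. The function names, ErrTrailingData and the sample inputs are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// ErrTrailingData is a hypothetical error value used only in this example.
var ErrTrailingData = errors.New("unexpected data after JSON value")

// lenientUnmarshal models the old behaviour: decode the first JSON value
// in bs and silently ignore whatever bytes follow it.
func lenientUnmarshal(bs []byte, v interface{}) error {
	return json.NewDecoder(bytes.NewReader(bs)).Decode(v)
}

// strictUnmarshal decodes exactly one JSON value and rejects anything
// other than whitespace after it.
func strictUnmarshal(bs []byte, v interface{}) error {
	dec := json.NewDecoder(bytes.NewReader(bs))
	dec.UseNumber() // keep numbers as json.Number instead of float64
	if err := dec.Decode(v); err != nil {
		return err
	}
	// After a complete value, the next token read must hit end of input.
	// A further token or a syntax error both mean trailing data.
	if _, err := dec.Token(); err != io.EOF {
		return ErrTrailingData
	}
	return nil
}

// compare reports whether each decoder accepts the same input.
func compare(bs []byte) (lenientOK, strictOK bool) {
	var a, b interface{}
	return lenientUnmarshal(bs, &a) == nil, strictUnmarshal(bs, &b) == nil
}

func main() {
	// Constructed sample inputs, not taken from any real client.
	samples := []string{
		"{\"user\":\"alice\",\"admin\":false}\n",                        // clean
		"{\"user\":\"alice\",\"admin\":false}}}",                        // stray braces
		"{\"user\":\"alice\",\"admin\":false}{\"user\":\"alice\",\"admin\":true}", // two documents
	}
	for _, s := range samples {
		l, st := compare([]byte(s))
		fmt.Printf("lenient=%-5v strict=%-5v input=%q\n", l, st, s)
	}
}
```

The third input is the case worth caring about: a lenient decoder evaluates the first document while another component in the request path may act on the second, so rejecting the request outright removes the ambiguity.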

Deprecation

  • This release deprecates the opa test -l flag. Since we now display the trace with line information, this flag is no longer needed.

  • In the next release we plan to deprecate the ?watch and ?partial HTTP API parameters. The ?watch feature is unused and introduces significant complexity in the server implementation. The ?partial parameter lazily invokes Partial Evaluation inline with policy invocation. This is useful for development and debug purposes, however, it's not recommended for enforcement points to use (since PE optimization can introduce significant latency.) Users should rely on the new opa build command to perform PE on their policies. See opa build --help for more information.

v0.19.2

27 Apr 22:49

Fixes

  • plugins: Fix race between manager and plugin startup (#2343)

v0.19.1

14 Apr 00:24

Fixes

  • cmd/fmt: Only list files if there were changes (#2295)

v0.19.0

13 Apr 21:28

New Parser

This release includes a new parser implementation that resolves a number
of existing issues with the old parser. As part of implementing the new parser
a small number of backwards incompatible changes have been made.

Backwards Compatibility

The new parser contains a small number of backwards incompatible changes that
correct questionable behaviour from the old parser. These changes affect
a very small number of actual policies and we feel confident in the decision to
break backwards compatibility here.

  • Numbers no longer lose precision #501
  • Leading commas do not cause objects to lose values #2198
  • Rules wrapped with braces no longer parse #2199
  • Rule names can no longer contain dots/hyphens #2200
  • Object comprehensions now have priority over logical OR in all cases #2201

In addition, there are a few small backwards incompatible changes in APIs:

  • The message field on rego_parse_error objects contains a human-readable description
    of the parse error. The old parser would often report "no match found" to indicate
    the input contained invalid syntax. The new parser has slightly more specific
    errors. If you integrated with OPA and implemented error handling based on the
    content of these human-readable error message strings, your integration may be affected.
  • The github.com/open-policy-agent/opa/format#Bytes function has been removed (it was unused.)

Benchmark Results

The output below shows the Go benchstat result for master (5a5d2a4) compared to the new parser.

name                                 old time/op    new time/op    delta
ParseModuleRulesBase/1-16               210µs ± 1%       4µs ± 1%  -98.02%  (p=0.008 n=5+5)
ParseModuleRulesBase/10-16             1.39ms ± 1%    0.03ms ± 0%  -97.93%  (p=0.008 n=5+5)
ParseModuleRulesBase/100-16            13.5ms ± 1%     0.3ms ± 1%  -97.93%  (p=0.008 n=5+5)
ParseModuleRulesBase/1000-16            148ms ± 5%       3ms ± 6%  -97.77%  (p=0.008 n=5+5)
ParseStatementBasicCall-16              141µs ± 5%       3µs ± 1%  -97.92%  (p=0.008 n=5+5)
ParseStatementMixedJSON-16             9.06ms ± 2%    0.07ms ± 1%  -99.19%  (p=0.008 n=5+5)
ParseStatementSimpleArray/1-16          131µs ± 6%       2µs ± 1%  -98.10%  (p=0.008 n=5+5)
ParseStatementSimpleArray/10-16         499µs ± 6%       7µs ± 2%  -98.54%  (p=0.008 n=5+5)
ParseStatementSimpleArray/100-16       4.00ms ± 2%    0.06ms ± 4%  -98.58%  (p=0.008 n=5+5)
ParseStatementSimpleArray/1000-16      42.0ms ± 3%     0.5ms ± 4%  -98.70%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x1-16      233µs ± 6%       4µs ± 3%  -98.49%  (p=0.008 n=5+5)
ParseStatementNestedObjects/5x1-16      514µs ± 0%       9µs ± 4%  -98.33%  (p=0.008 n=5+5)
ParseStatementNestedObjects/10x1-16     911µs ± 5%      14µs ± 5%  -98.46%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x5-16     4.24ms ± 1%    0.01ms ± 1%  -99.82%  (p=0.016 n=4+5)
ParseStatementNestedObjects/1x10-16     138ms ± 1%       0ms ± 1%  -99.99%  (p=0.008 n=5+5)
ParseStatementNestedObjects/5x5-16      714ms ± 0%       5ms ± 5%  -99.26%  (p=0.016 n=4+5)
ParseBasicABACModule-16                3.12ms ± 3%    0.04ms ± 4%  -98.63%  (p=0.008 n=5+5)

name                                 old alloc/op   new alloc/op   delta
ParseModuleRulesBase/1-16              99.2kB ± 0%     5.7kB ± 0%  -94.30%  (p=0.008 n=5+5)
ParseModuleRulesBase/10-16              600kB ± 0%      29kB ± 0%  -95.16%  (p=0.008 n=5+5)
ParseModuleRulesBase/100-16            5.72MB ± 0%    0.27MB ± 0%  -95.34%  (p=0.008 n=5+5)
ParseModuleRulesBase/1000-16           58.0MB ± 0%     2.7MB ± 0%  -95.42%  (p=0.008 n=5+5)
ParseStatementBasicCall-16             70.2kB ± 0%     5.0kB ± 0%  -92.82%  (p=0.008 n=5+5)
ParseStatementMixedJSON-16             3.64MB ± 0%    0.06MB ± 0%  -98.34%  (p=0.008 n=5+5)
ParseStatementSimpleArray/1-16         63.7kB ± 0%     4.8kB ± 0%  -92.42%  (p=0.008 n=5+5)
ParseStatementSimpleArray/10-16         205kB ± 0%       8kB ± 0%  -96.00%  (p=0.008 n=5+5)
ParseStatementSimpleArray/100-16       1.64MB ± 0%    0.05MB ± 0%  -97.19%  (p=0.008 n=5+5)
ParseStatementSimpleArray/1000-16      16.5MB ± 0%     0.4MB ± 0%  -97.50%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x1-16     98.6kB ± 0%     5.7kB ± 0%  -94.22%  (p=0.008 n=5+5)
ParseStatementNestedObjects/5x1-16      224kB ± 0%       9kB ± 0%  -96.05%  (p=0.008 n=5+5)
ParseStatementNestedObjects/10x1-16     381kB ± 0%      13kB ± 0%  -96.63%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x5-16     1.76MB ± 0%    0.01MB ± 0%  -99.38%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x10-16    56.2MB ± 0%     0.0MB ± 0%  -99.97%  (p=0.008 n=5+5)
ParseStatementNestedObjects/5x5-16      280MB ± 0%       4MB ± 0%  -98.67%  (p=0.008 n=5+5)
ParseBasicABACModule-16                1.27MB ± 0%    0.04MB ± 0%  -97.08%  (p=0.008 n=5+5)

name                                 old allocs/op  new allocs/op  delta
ParseModuleRulesBase/1-16               2.28k ± 0%     0.07k ± 0%  -96.75%  (p=0.008 n=5+5)
ParseModuleRulesBase/10-16              16.1k ± 0%      0.5k ± 0%  -96.59%  (p=0.008 n=5+5)
ParseModuleRulesBase/100-16              159k ± 0%        5k ± 0%  -96.64%  (p=0.008 n=5+5)
ParseModuleRulesBase/1000-16            1.62M ± 0%     0.05M ± 0%  -96.72%  (p=0.008 n=5+5)
ParseStatementBasicCall-16              1.36k ± 0%     0.05k ± 0%  -96.25%  (p=0.008 n=5+5)
ParseStatementMixedJSON-16               105k ± 0%        1k ± 0%     ~     (p=0.079 n=4+5)
ParseStatementSimpleArray/1-16          1.34k ± 0%     0.04k ± 0%  -97.09%  (p=0.008 n=5+5)
ParseStatementSimpleArray/10-16         5.49k ± 0%     0.12k ± 0%  -97.90%  (p=0.008 n=5+5)
ParseStatementSimpleArray/100-16        47.8k ± 0%      0.8k ± 0%     ~     (p=0.079 n=4+5)
ParseStatementSimpleArray/1000-16        481k ± 0%        8k ± 0%  -98.33%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x1-16      2.38k ± 0%     0.05k ± 0%  -97.82%  (p=0.008 n=5+5)
ParseStatementNestedObjects/5x1-16      6.02k ± 0%     0.12k ± 0%  -97.94%  (p=0.008 n=5+5)
ParseStatementNestedObjects/10x1-16     10.6k ± 0%      0.2k ± 0%  -98.01%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x5-16      51.2k ± 0%      0.1k ± 0%     ~     (p=0.079 n=4+5)
ParseStatementNestedObjects/1x10-16     1.66M ± 0%     0.00M ± 0%  -99.99%  (p=0.008 n=5+5)
ParseStatementNestedObjects/5x5-16      8.16M ± 0%     0.07M ± 0%  -99.13%  (p=0.008 n=5+5)
ParseBasicABACModule-16                 36.5k ± 0%      0.7k ± 0%  -98.09%  (p=0.008 n=5+5)

Fixes and Enhancements

  • ast: Add rules/functions that contain errors to the type env (#2155)
  • ast: Fix panic when rule args contain call expressions (#2081)
  • ast: Fix bug in term rewritten when 'input' is passed as an argument (#2084)
  • bundle: Remove extra root name in bundle file ids (#2117)
  • cmd/fmt: Fix to always write formatted file to stdout (#2235)
  • cmd/test: --explain now turns on verbose output (#2069)
  • cmd/test: Default -v traces show notes and fails (#2068)
  • docs/website: Fix mobile docs nav menu (#2074)
  • format: Print var if wildcard is used multiple times (#2053)
  • plugins/bundle: Update the downloader's e-tag based on bundle activation (#2220)
  • plugins: Add support to specify bearer token path (which enables token refresh) (#2241)
  • profiler: Fix panic when location is missing by grouping expressions missing a location (#2134)
  • rego: Avoid re-using transactions in compiler (#2197)
  • repl: Add unset-package command (#2140)
  • server: Do not return partial modules /v1/policies output (#2036)
  • server: Specify partial evaluation namespace to avoid conflicts (#2247)
  • topdown: Add time.add_date builtin (#1990)
  • topdown: Fix partial evaluation to save comprehensions correctly (#2243)
  • topdown: Improve pretty trace location details (#2143)
  • topdown: Include HTTP response headers in http.send output (#2238)
  • Multiple important improvements to http.send() thanks to @jpeach

Miscellaneous


v0.19.0-rc1

01 Apr 19:03

⚠️ This is a release candidate. If you run into issues, please provide feedback! ⚠️

New Parser

The next minor release includes a new parser implementation that resolves a number
of existing issues with the old parser. As part of implementing the new parser
a small number of backwards incompatible changes have been made.

Backwards Compatibility

The new parser contains a small number of backwards incompatible changes that
correct questionable behaviour from the old parser. These changes affect
a very small number of actual policies and we feel confident in the decision to
break backwards compatibility here.

  • Numbers no longer lose precision #501
  • Leading commas do not cause objects to lose values #2198
  • Rules wrapped with braces no longer parse #2199
  • Rule names can no longer contain dots/hyphens #2200
  • Object comprehensions now have priority over logical OR in all cases #2201

In addition, there are a few small backwards incompatible changes in APIs:

  • The message field on rego_parse_error objects contains a human-readable description
    of the parse error. The old parser would often report "no match found" to indicate
    the input contained invalid syntax. The new parser has slightly more specific
    errors. If you integrated with OPA and implemented error handling based on the
    content of these human-readable error message strings, your integration may be affected.
  • The github.com/open-policy-agent/opa/format#Bytes function has been removed (it was unused.)

Benchmark Results

The output below shows the Go benchstat result for master (5a5d2a4) compared to the new parser.

name                                 old time/op    new time/op    delta
ParseModuleRulesBase/1-16               210µs ± 1%       4µs ± 1%  -98.02%  (p=0.008 n=5+5)
ParseModuleRulesBase/10-16             1.39ms ± 1%    0.03ms ± 0%  -97.93%  (p=0.008 n=5+5)
ParseModuleRulesBase/100-16            13.5ms ± 1%     0.3ms ± 1%  -97.93%  (p=0.008 n=5+5)
ParseModuleRulesBase/1000-16            148ms ± 5%       3ms ± 6%  -97.77%  (p=0.008 n=5+5)
ParseStatementBasicCall-16              141µs ± 5%       3µs ± 1%  -97.92%  (p=0.008 n=5+5)
ParseStatementMixedJSON-16             9.06ms ± 2%    0.07ms ± 1%  -99.19%  (p=0.008 n=5+5)
ParseStatementSimpleArray/1-16          131µs ± 6%       2µs ± 1%  -98.10%  (p=0.008 n=5+5)
ParseStatementSimpleArray/10-16         499µs ± 6%       7µs ± 2%  -98.54%  (p=0.008 n=5+5)
ParseStatementSimpleArray/100-16       4.00ms ± 2%    0.06ms ± 4%  -98.58%  (p=0.008 n=5+5)
ParseStatementSimpleArray/1000-16      42.0ms ± 3%     0.5ms ± 4%  -98.70%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x1-16      233µs ± 6%       4µs ± 3%  -98.49%  (p=0.008 n=5+5)
ParseStatementNestedObjects/5x1-16      514µs ± 0%       9µs ± 4%  -98.33%  (p=0.008 n=5+5)
ParseStatementNestedObjects/10x1-16     911µs ± 5%      14µs ± 5%  -98.46%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x5-16     4.24ms ± 1%    0.01ms ± 1%  -99.82%  (p=0.016 n=4+5)
ParseStatementNestedObjects/1x10-16     138ms ± 1%       0ms ± 1%  -99.99%  (p=0.008 n=5+5)
ParseStatementNestedObjects/5x5-16      714ms ± 0%       5ms ± 5%  -99.26%  (p=0.016 n=4+5)
ParseBasicABACModule-16                3.12ms ± 3%    0.04ms ± 4%  -98.63%  (p=0.008 n=5+5)

name                                 old alloc/op   new alloc/op   delta
ParseModuleRulesBase/1-16              99.2kB ± 0%     5.7kB ± 0%  -94.30%  (p=0.008 n=5+5)
ParseModuleRulesBase/10-16              600kB ± 0%      29kB ± 0%  -95.16%  (p=0.008 n=5+5)
ParseModuleRulesBase/100-16            5.72MB ± 0%    0.27MB ± 0%  -95.34%  (p=0.008 n=5+5)
ParseModuleRulesBase/1000-16           58.0MB ± 0%     2.7MB ± 0%  -95.42%  (p=0.008 n=5+5)
ParseStatementBasicCall-16             70.2kB ± 0%     5.0kB ± 0%  -92.82%  (p=0.008 n=5+5)
ParseStatementMixedJSON-16             3.64MB ± 0%    0.06MB ± 0%  -98.34%  (p=0.008 n=5+5)
ParseStatementSimpleArray/1-16         63.7kB ± 0%     4.8kB ± 0%  -92.42%  (p=0.008 n=5+5)
ParseStatementSimpleArray/10-16         205kB ± 0%       8kB ± 0%  -96.00%  (p=0.008 n=5+5)
ParseStatementSimpleArray/100-16       1.64MB ± 0%    0.05MB ± 0%  -97.19%  (p=0.008 n=5+5)
ParseStatementSimpleArray/1000-16      16.5MB ± 0%     0.4MB ± 0%  -97.50%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x1-16     98.6kB ± 0%     5.7kB ± 0%  -94.22%  (p=0.008 n=5+5)
ParseStatementNestedObjects/5x1-16      224kB ± 0%       9kB ± 0%  -96.05%  (p=0.008 n=5+5)
ParseStatementNestedObjects/10x1-16     381kB ± 0%      13kB ± 0%  -96.63%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x5-16     1.76MB ± 0%    0.01MB ± 0%  -99.38%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x10-16    56.2MB ± 0%     0.0MB ± 0%  -99.97%  (p=0.008 n=5+5)
ParseStatementNestedObjects/5x5-16      280MB ± 0%       4MB ± 0%  -98.67%  (p=0.008 n=5+5)
ParseBasicABACModule-16                1.27MB ± 0%    0.04MB ± 0%  -97.08%  (p=0.008 n=5+5)

name                                 old allocs/op  new allocs/op  delta
ParseModuleRulesBase/1-16               2.28k ± 0%     0.07k ± 0%  -96.75%  (p=0.008 n=5+5)
ParseModuleRulesBase/10-16              16.1k ± 0%      0.5k ± 0%  -96.59%  (p=0.008 n=5+5)
ParseModuleRulesBase/100-16              159k ± 0%        5k ± 0%  -96.64%  (p=0.008 n=5+5)
ParseModuleRulesBase/1000-16            1.62M ± 0%     0.05M ± 0%  -96.72%  (p=0.008 n=5+5)
ParseStatementBasicCall-16              1.36k ± 0%     0.05k ± 0%  -96.25%  (p=0.008 n=5+5)
ParseStatementMixedJSON-16               105k ± 0%        1k ± 0%     ~     (p=0.079 n=4+5)
ParseStatementSimpleArray/1-16          1.34k ± 0%     0.04k ± 0%  -97.09%  (p=0.008 n=5+5)
ParseStatementSimpleArray/10-16         5.49k ± 0%     0.12k ± 0%  -97.90%  (p=0.008 n=5+5)
ParseStatementSimpleArray/100-16        47.8k ± 0%      0.8k ± 0%     ~     (p=0.079 n=4+5)
ParseStatementSimpleArray/1000-16        481k ± 0%        8k ± 0%  -98.33%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x1-16      2.38k ± 0%     0.05k ± 0%  -97.82%  (p=0.008 n=5+5)
ParseStatementNestedObjects/5x1-16      6.02k ± 0%     0.12k ± 0%  -97.94%  (p=0.008 n=5+5)
ParseStatementNestedObjects/10x1-16     10.6k ± 0%      0.2k ± 0%  -98.01%  (p=0.008 n=5+5)
ParseStatementNestedObjects/1x5-16      51.2k ± 0%      0.1k ± 0%     ~     (p=0.079 n=4+5)
ParseStatementNestedObjects/1x10-16     1.66M ± 0%     0.00M ± 0%  -99.99%  (p=0.008 n=5+5)
ParseStatementNestedObjects/5x5-16      8.16M ± 0%     0.07M ± 0%  -99.13%  (p=0.008 n=5+5)
ParseBasicABACModule-16                 36.5k ± 0%      0.7k ± 0%  -98.09%  (p=0.008 n=5+5)

Fixes

  • ast: Add rules/functions that contain errors to the type env (#2155)

Miscellaneous

  • project: Add support for release candidate version tags
  • rego: Improve support for registering custom built-ins
  • repl: Add unset-package command (#2140)
  • misc: Add sublime text syntax file
  • misc: Add link to the Emacs mode for Rego on the website
  • topdown: Add http.send support for setting the TLS server name
  • topdown: Fix lost tls_insecure_skip_verify setting
  • topdown: Add net.cidr_contains_matches built-in function

v0.18.0

17 Mar 02:10

Features

  • Add opa bench and opa test --bench sub commands for benchmarking policy evaluation. (#1424)
  • Permit verifying JWTs with a public key
  • http.send improvements:
    • Allow for skipping TLS verification via tls_insecure_skip_verify option
    • Add Host header support

New Built-in Functions

  • Bitwise operators (#1919)
    • bits.or
    • bits.and
    • bits.negate
    • bits.xor
    • bits.lsh
    • bits.rsh
  • json.remove, which works similarly to object.remove but supports a JSON pointer path.

Fixes

  • docs: Render tutorials as list (#2071)
  • ast: Fix type check for objects with non-json keys (#2183)
  • ast: Return an error when parsing an empty module (#2054)
  • docs: Fix broken PAM module link (#2113)
  • docs: Fix code fence in kubernetes-primer.md (#2177)
  • topdown: Invoke iterator when evaluating negation (#2142)
  • Correct checkptr errors found with Go 1.14
  • opa parse: fix panic when parsing invalid JSON

Compatibility Notes

  • The ast.ParseModule helper will now return an error if an empty module is provided.
    Previously it would return a nil error and nil module. (#2054)
  • The cmd and tester packages in OPA will now require Go 1.13+ to compile. Most library users should be unaffected.

Miscellaneous

  • bundle: Dedicate policy.wasm for the compiled policy.

v0.17.3

03 Mar 18:05

Fixes

  • vendor: Update xxhash to workaround checkptr errors with Go 1.14
  • cmd/parse: Fix panic when parsing encounters an error

v0.17.2

20 Feb 22:05

Fixes

  • Add location information into pretty printed trace output. (#2070)
  • Add timeout for http.send builtin (#2099)
  • build: Force module mode and using only the vendor directory (#2063)
  • cover: Exclude some expressions in coverage report (#1972)
  • docs: How to say "ray-go" (#2106)
  • topdown: Make http.send() caching use full request (#1980)
  • topdown: Wrap all builtin functions for errors normalization (#2101)
  • topdown: http.send use provided CA without client certs (#1976)

Miscellaneous

  • Add object manipulation built-ins
  • docs: Add link to Rego Playground in table of contents
  • docs: Update tutorial with note about consistency
  • topdown: Export builtin implementations outside the package