diff --git a/go.mod b/go.mod
index 8feff65bad..263a0f1429 100644
--- a/go.mod
+++ b/go.mod
@@ -61,7 +61,7 @@ require (
 github.com/onsi/ginkgo v1.16.5
 github.com/onsi/ginkgo/v2 v2.27.2
 github.com/onsi/gomega v1.38.2
- github.com/open-policy-agent/opa v1.10.1
+ github.com/open-policy-agent/opa v1.11.1
 github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76
 github.com/opencloud-eu/reva/v2 v2.41.0
@@ -172,7 +172,7 @@ require (
 github.com/containerd/errdefs v1.0.0 // indirect
 github.com/containerd/errdefs/pkg v0.3.0 // indirect
 github.com/containerd/log v0.1.0 // indirect
- github.com/containerd/platforms v1.0.0-rc.1 // indirect
+ github.com/containerd/platforms v1.0.0-rc.2 // indirect
 github.com/coreos/go-semver v0.3.1 // indirect
 github.com/coreos/go-systemd/v22 v22.6.0 // indirect
 github.com/cornelk/hashmap v1.0.8 // indirect
@@ -237,7 +237,7 @@ require (
 github.com/gofrs/uuid v4.4.0+incompatible // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
- github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+ github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 github.com/golang/snappy v0.0.4 // indirect
 github.com/gomodule/redigo v1.9.3 // indirect
 github.com/google/go-querystring v1.1.0 // indirect
@@ -271,7 +271,7 @@ require (
 github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
 github.com/lestrrat-go/httpcc v1.0.1 // indirect
 github.com/lestrrat-go/httprc/v3 v3.0.1 // indirect
- github.com/lestrrat-go/jwx/v3 v3.0.11 // indirect
+ github.com/lestrrat-go/jwx/v3 v3.0.12 // indirect
 github.com/lestrrat-go/option v1.0.1 // indirect
 github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 github.com/libregraph/oidc-go v1.1.0 // indirect
@@ -302,7 +302,7 @@ require (
 github.com/moby/sys/userns v0.1.0 // indirect
 github.com/moby/term v0.5.0 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
- github.com/modern-go/reflect2 v1.0.2 // indirect
+ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 github.com/morikuni/aec v1.0.0 // indirect
 github.com/mschoch/smat v0.2.0 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
@@ -341,7 +341,7 @@ require (
 github.com/samber/lo v1.51.0 // indirect
 github.com/samber/slog-common v0.19.0 // indirect
 github.com/samber/slog-zerolog/v2 v2.9.0 // indirect
- github.com/segmentio/asm v1.2.0 // indirect
+ github.com/segmentio/asm v1.2.1 // indirect
 github.com/segmentio/kafka-go v0.4.49 // indirect
 github.com/segmentio/ksuid v1.0.4 // indirect
 github.com/sercand/kuberesolver/v5 v5.1.1 // indirect
@@ -367,9 +367,9 @@ require (
 github.com/tklauser/numcpus v0.8.0 // indirect
 github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208 // indirect
 github.com/trustelem/zxcvbn v1.0.1 // indirect
- github.com/urfave/cli/v2 v2.27.5 // indirect
+ github.com/urfave/cli/v2 v2.27.7 // indirect
 github.com/valyala/fastjson v1.6.4 // indirect
- github.com/vektah/gqlparser/v2 v2.5.30 // indirect
+ github.com/vektah/gqlparser/v2 v2.5.31 // indirect
 github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 github.com/wk8/go-ordered-map v1.0.0 // indirect
 github.com/xanzy/ssh-agent v0.3.3 // indirect
diff --git a/go.sum b/go.sum
index 327e2f5617..57fa264b08 100644
--- a/go.sum
+++ b/go.sum
@@ -198,8 +198,8 @@ github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/
 github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c=
 github.com/butonic/go-micro/v4 v4.11.1-0.20241115112658-b5d4de5ed9b3 h1:h8Z0hBv5tg/uZMKu8V47+DKWYVQg0lYP8lXDQq7uRpE=
 github.com/butonic/go-micro/v4 v4.11.1-0.20241115112658-b5d4de5ed9b3/go.mod h1:eE/tD53n3KbVrzrWxKLxdkGw45Fg1qaNLWjpJMvIUF4=
-github.com/bytecodealliance/wasmtime-go/v37 v37.0.0 h1:DPjdn2V3JhXHMoZ2ymRqGK+y1bDyr9wgpyYCvhjMky8=
-github.com/bytecodealliance/wasmtime-go/v37 v37.0.0/go.mod h1:Pf1l2JCTUFMnOqDIwkjzx1qfVJ09xbaXETKgRVE4jZ0=
+github.com/bytecodealliance/wasmtime-go/v39 v39.0.1 h1:RibaT47yiyCRxMOj/l2cvL8cWiWBSqDXHyqsa9sGcCE=
+github.com/bytecodealliance/wasmtime-go/v39 v39.0.1/go.mod h1:miR4NYIEBXeDNamZIzpskhJ0z/p8al+lwMWylQ/ZJb4=
 github.com/c-bata/go-prompt v0.2.5/go.mod h1:vFnjEGDIIA/Lib7giyE4E9c50Lvl8j0S+7FVlAwDAVw=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
@@ -239,8 +239,8 @@ github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151X
 github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/platforms v1.0.0-rc.1 h1:83KIq4yy1erSRgOVHNk1HYdPvzdJ5CnsWaRoJX4C41E=
-github.com/containerd/platforms v1.0.0-rc.1/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
+github.com/containerd/platforms v1.0.0-rc.2 h1:0SPgaNZPVWGEi4grZdV8VRYQn78y+nm6acgLGv/QzE4=
+github.com/containerd/platforms v1.0.0-rc.2/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
@@ -511,8 +511,9 @@ github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4er
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
@@ -776,8 +777,8 @@ github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZ
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
 github.com/lestrrat-go/httprc/v3 v3.0.1 h1:3n7Es68YYGZb2Jf+k//llA4FTZMl3yCwIjFIk4ubevI=
 github.com/lestrrat-go/httprc/v3 v3.0.1/go.mod h1:2uAvmbXE4Xq8kAUjVrZOq1tZVYYYs5iP62Cmtru00xk=
-github.com/lestrrat-go/jwx/v3 v3.0.11 h1:yEeUGNUuNjcez/Voxvr7XPTYNraSQTENJgtVTfwvG/w=
-github.com/lestrrat-go/jwx/v3 v3.0.11/go.mod h1:XSOAh2SiXm0QgRe3DulLZLyt+wUuEdFo81zuKTLcvgQ=
+github.com/lestrrat-go/jwx/v3 v3.0.12 h1:p25r68Y4KrbBdYjIsQweYxq794CtGCzcrc5dGzJIRjg=
+github.com/lestrrat-go/jwx/v3 v3.0.12/go.mod h1:HiUSaNmMLXgZ08OmGBaPVvoZQgJVOQphSrGr5zMamS8=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
@@ -897,8 +898,9 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
@@ -955,8 +957,8 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
 github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
-github.com/open-policy-agent/opa v1.10.1 h1:haIvxZSPky8HLjRrvQwWAjCPLg8JDFSZMbbG4yyUHgY=
-github.com/open-policy-agent/opa v1.10.1/go.mod h1:7uPI3iRpOalJ0BhK6s1JALWPU9HvaV1XeBSSMZnr/PM=
+github.com/open-policy-agent/opa v1.11.1 h1:4bMlG6DjRZTRAswRyF+KUCgxHu1Gsk0h9EbZ4W9REvM=
+github.com/open-policy-agent/opa v1.11.1/go.mod h1:QimuJO4T3KYxWzrmAymqlFvsIanCjKrGjmmC8GgAdgE=
 github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-20250512152754-23325793059a h1:Sakl76blJAaM6NxylVkgSzktjo2dS504iDotEFJsh3M=
 github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-20250512152754-23325793059a/go.mod h1:pjcozWijkNPbEtX5SIQaxEW/h8VAVZYTLx+70bmB3LY=
 github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89 h1:W1ms+lP5lUUIzjRGDg93WrQfZJZCaV1ZP3KeyXi8bzY=
@@ -1107,8 +1109,8 @@ github.com/samber/slog-zerolog/v2 v2.9.0 h1:6LkOabJmZdNLaUWkTC3IVVA+dq7b/V0FM6lz
 github.com/samber/slog-zerolog/v2 v2.9.0/go.mod h1:gnQW9VnCfM34v2pRMUIGMsZOVbYLqY/v0Wxu6atSVGc=
 github.com/scaleway/scaleway-sdk-go v1.0.0-beta.7.0.20210127161313-bd30bebeac4f/go.mod h1:CJJ5VAbozOl0yEw7nHB9+7BXTJbIn6h7W+f6Gau5IP8=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
-github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
+github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/segmentio/kafka-go v0.4.49 h1:GJiNX1d/g+kG6ljyJEoi9++PUMdXGAxb7JGPiDCuNmk=
 github.com/segmentio/kafka-go v0.4.49/go.mod h1:Y1gn60kzLEEaW28YshXyk2+VCUKbJ3Qr6DrnT3i4+9E=
 github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
@@ -1239,15 +1241,15 @@ github.com/tus/tusd/v2 v2.8.0/go.mod h1:3/zEOVQQIwmJhvNam8phV4x/UQt68ZmZiTzeuJUN
 github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g=
 github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
-github.com/urfave/cli/v2 v2.27.5 h1:WoHEJLdsXr6dDWoJgMq/CboDmyY/8HMMH1fTECbih+w=
-github.com/urfave/cli/v2 v2.27.5/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
+github.com/urfave/cli/v2 v2.27.7 h1:bH59vdhbjLv3LAvIu6gd0usJHgoTTPhCFib8qqOwXYU=
+github.com/urfave/cli/v2 v2.27.7/go.mod h1:CyNAG/xg+iAOg0N4MPGZqVmv2rCoP267496AOXUZjA4=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ=
 github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
 github.com/valyala/fasttemplate v1.1.0/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
-github.com/vektah/gqlparser/v2 v2.5.30 h1:EqLwGAFLIzt1wpx1IPpY67DwUujF1OfzgEyDsLrN6kE=
-github.com/vektah/gqlparser/v2 v2.5.30/go.mod h1:D1/VCZtV3LPnQrcPBeR/q5jkSQIPti0uYCP/RI0gIeo=
+github.com/vektah/gqlparser/v2 v2.5.31 h1:YhWGA1mfTjID7qJhd1+Vxhpk5HTgydrGU9IgkWBTJ7k=
+github.com/vektah/gqlparser/v2 v2.5.31/go.mod h1:c1I28gSOVNzlfc4WuDlqU7voQnsqI6OG2amkBAFmgts=
 github.com/vinyldns/go-vinyldns v0.0.0-20200917153823-148a5f6b8f14/go.mod h1:RWc47jtnVuQv6+lY3c768WtXCas/Xi+U5UFc5xULmYg=
 github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
 github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
diff --git a/vendor/github.com/containerd/platforms/defaults_windows.go b/vendor/github.com/containerd/platforms/defaults_windows.go index 0165adea7e..64e2846674 100644 --- a/vendor/github.com/containerd/platforms/defaults_windows.go +++ b/vendor/github.com/containerd/platforms/defaults_windows.go @@ -38,5 +38,5 @@ func DefaultSpec() specs.Platform { // Default returns the current platform's default platform specification. func Default() MatchComparer { - return Only(DefaultSpec()) + return &windowsMatchComparer{Matcher: NewMatcher(DefaultSpec())} } diff --git a/vendor/github.com/containerd/platforms/platform_windows_compat.go b/vendor/github.com/containerd/platforms/platform_windows_compat.go index 7f3d9966bc..f31ebe0c9e 100644 --- a/vendor/github.com/containerd/platforms/platform_windows_compat.go +++ b/vendor/github.com/containerd/platforms/platform_windows_compat.go @@ -42,18 +42,30 @@ const ( // rs5 (version 1809, codename "Redstone 5") corresponds to Windows Server // 2019 (ltsc2019), and Windows 10 (October 2018 Update). rs5 = 17763 + // ltsc2019 (Windows Server 2019) is an alias for [RS5]. + ltsc2019 = rs5 // v21H2Server corresponds to Windows Server 2022 (ltsc2022). v21H2Server = 20348 + // ltsc2022 (Windows Server 2022) is an alias for [v21H2Server] + ltsc2022 = v21H2Server // v22H2Win11 corresponds to Windows 11 (2022 Update). v22H2Win11 = 22621 + + // v23H2 is the 23H2 release in the Windows Server annual channel. + v23H2 = 25398 + + // Windows Server 2025 build 26100 + v25H1Server = 26100 + ltsc2025 = v25H1Server ) // List of stable ABI compliant ltsc releases // Note: List must be sorted in ascending order var compatLTSCReleases = []uint16{ - v21H2Server, + ltsc2022, + ltsc2025, } // CheckHostAndContainerCompat checks if given host and container 
@@ -70,18 +82,27 @@ func checkWindowsHostAndContainerCompat(host, ctr windowsOSVersion) bool { } // If host is < WS 2022, exact version match is required - if host.Build < v21H2Server { + if host.Build < ltsc2022 { return host.Build == ctr.Build } - var supportedLtscRelease uint16 + // Find the latest LTSC version that is earlier than the host version. + // This is the earliest version of container that the host can run. + // + // If the host version is an LTSC, then it supports compatibility with + // everything from the previous LTSC up to itself, so we want supportedLTSCRelease + // to be the previous entry. + // + // If no match is found, then we know that the host is LTSC2022 exactly, + // since we already checked that it's not less than LTSC2022. + var supportedLTSCRelease uint16 = ltsc2022 for i := len(compatLTSCReleases) - 1; i >= 0; i-- { - if host.Build >= compatLTSCReleases[i] { - supportedLtscRelease = compatLTSCReleases[i] + if host.Build > compatLTSCReleases[i] { + supportedLTSCRelease = compatLTSCReleases[i] break } } - return ctr.Build >= supportedLtscRelease && ctr.Build <= host.Build + return supportedLTSCRelease <= ctr.Build && ctr.Build <= host.Build } func getWindowsOSVersion(osVersionPrefix string) windowsOSVersion { @@ -114,18 +135,6 @@ func getWindowsOSVersion(osVersionPrefix string) windowsOSVersion { } } -func winRevision(v string) int { - parts := strings.Split(v, ".") - if len(parts) < 4 { - return 0 - } - r, err := strconv.Atoi(parts[3]) - if err != nil { - return 0 - } - return r -} - type windowsVersionMatcher struct { windowsOSVersion } @@ -149,8 +158,7 @@ type windowsMatchComparer struct { func (c *windowsMatchComparer) Less(p1, p2 specs.Platform) bool { m1, m2 := c.Match(p1), c.Match(p2) if m1 && m2 { - r1, r2 := winRevision(p1.OSVersion), winRevision(p2.OSVersion) - return r1 > r2 + return p1.OSVersion > p2.OSVersion } return m1 && !m2 } 
diff --git a/vendor/github.com/lestrrat-go/jwx/v3/.golangci.yml b/vendor/github.com/lestrrat-go/jwx/v3/.golangci.yml index 214a9edaa8..30dc4c519b 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/.golangci.yml +++ b/vendor/github.com/lestrrat-go/jwx/v3/.golangci.yml @@ -106,6 +106,9 @@ linters: - revive path: jwt/internal/types/ text: "var-naming: avoid meaningless package names" + - linters: + - godoclint + path: (^|/)internal/ paths: - third_party$ - builtin$ diff --git a/vendor/github.com/lestrrat-go/jwx/v3/Changes b/vendor/github.com/lestrrat-go/jwx/v3/Changes index 29910bf35c..9f27fd9b98 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/Changes +++ b/vendor/github.com/lestrrat-go/jwx/v3/Changes 
@@ -4,6 +4,49 @@ Changes v3 has many incompatibilities with v2. To see the full list of differences between v2 and v3, please read the Changes-v3.md file (https://github.com/lestrrat-go/jwx/blob/develop/v3/Changes-v3.md) +v3.0.12 20 Oct 2025 + * [jwe] As part of the next change, now per-recipient headers that are empty + are no longer serialized in flattened JSON serialization. + + * [jwe] Introduce `jwe.WithLegacyHeaderMerging(bool)` option to control header + merging behavior in during JWE encryption. This only applies to flattened + JSON serialization. + + Previously, when using flattened JSON serialization (i.e. you specified + JSON serialization via `jwe.WithJSON()` and only supplied one key), per-recipient + headers were merged into the protected headers during encryption, and then + were left to be included in the final serialization as-is. This caused duplicate + headers to be present in both the protected headers and the per-recipient headers. + + Since there maybe users who rely on this behavior already, instead of changing the + default behavior to fix this duplication, a new option to `jwe.Encrypt()` was added + to allow clearing the per-recipient headers after merging to leave the `"headers"` + field empty. This in effect makes the flattened JSON serialization more similar to + the compact serialization, where there are no per-recipient headers present, and + leaves the headers disjoint. + + Note that in compact mode, there are no per-recipient headers and thus the + headers need to be merged regardless. In full JSON serialization, we never + merge the headers, so it is left up to the user to keep the headers disjoint. + + * [jws] Calling the deprecated `jws.NewSigner()` function for the time will cause + legacy signers to be loaded automatically. Previously, you had to explicitly + call `jws.Settings(jws.WithLegacySigners(true))` to enable legacy signers. 
+ + We incorrectly assumed that users would not be using `jws.NewSigner()`, and thus + disabled legacy signers by default. However, it turned out that some users + were using `jws.NewSigner()` in their code, which lead to breakages in + existing code. In hindsight we should have known that any API made public before will + be used by _somebody_. + + As a side effect, jws.Settings(jws.WithLegacySigners(...)) is now a no-op. + + However, please do note that jws.Signer (and similar) objects were always intended to be + used for _registering_ new signing/verifying algorithms, and not for end users to actually + use them directly. If you are using them for other purposes, please consider changing + your code, as it is more than likely that we will somehow deprecate/remove/discouraged + their use in the future. + v3.0.11 14 Sep 2025 * [jwk] Add `(jwk.Cache).Shutdown()` method that delegates to the httprc controller object, to shutdown the cache. diff --git a/vendor/github.com/lestrrat-go/jwx/v3/MODULE.bazel b/vendor/github.com/lestrrat-go/jwx/v3/MODULE.bazel index 167e9b5c89..c9bdc9b730 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/MODULE.bazel +++ b/vendor/github.com/lestrrat-go/jwx/v3/MODULE.bazel @@ -9,9 +9,9 @@ bazel_dep(name = "rules_go", version = "0.55.1") bazel_dep(name = "gazelle", version = "0.44.0") bazel_dep(name = "aspect_bazel_lib", version = "2.11.0") -# Go SDK setup - using Go 1.24.4 to match the toolchain in go.mod +# Go SDK setup from go.mod go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk") -go_sdk.download(version = "1.24.4") +go_sdk.from_file(go_mod = "//:go.mod") # Go dependencies from go.mod go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps") diff --git a/vendor/github.com/lestrrat-go/jwx/v3/formatkind_string_gen.go b/vendor/github.com/lestrrat-go/jwx/v3/formatkind_string_gen.go index 38abd1bc47..ab7287214f 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/formatkind_string_gen.go 
+++ b/vendor/github.com/lestrrat-go/jwx/v3/formatkind_string_gen.go @@ -22,8 +22,9 @@ const _FormatKind_name = "InvalidFormatUnknownFormatJWEJWSJWKJWKSJWT" var _FormatKind_index = [...]uint8{0, 13, 26, 29, 32, 35, 39, 42} func (i FormatKind) String() string { - if i < 0 || i >= FormatKind(len(_FormatKind_index)-1) { + idx := int(i) - 0 + if i < 0 || idx >= len(_FormatKind_index)-1 { return "FormatKind(" + strconv.FormatInt(int64(i), 10) + ")" } - return _FormatKind_name[_FormatKind_index[i]:_FormatKind_index[i+1]] + return _FormatKind_name[_FormatKind_index[idx]:_FormatKind_index[idx+1]] } diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwe/jwe.go b/vendor/github.com/lestrrat-go/jwx/v3/jwe/jwe.go index 5728021ec7..5b9c92771a 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jwe/jwe.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwe/jwe.go @@ -99,15 +99,20 @@ func (b *recipientBuilder) Build(r Recipient, cek []byte, calg jwa.ContentEncryp rawKey = raw } - // Extract ECDH-ES specific parameters if needed + // Extract ECDH-ES specific parameters if needed. var apu, apv []byte - if b.headers != nil { - if val, ok := b.headers.AgreementPartyUInfo(); ok { - apu = val - } - if val, ok := b.headers.AgreementPartyVInfo(); ok { - apv = val - } + + hdr := b.headers + if hdr == nil { + hdr = NewHeaders() + } + + if val, ok := hdr.AgreementPartyUInfo(); ok { + apu = val + } + + if val, ok := hdr.AgreementPartyVInfo(); ok { + apv = val } // Create the encrypter using the new jwebb pattern 
@@ -116,20 +121,20 @@ func (b *recipientBuilder) Build(r Recipient, cek []byte, calg jwa.ContentEncryp return nil, fmt.Errorf(`jwe.Encrypt: recipientBuilder: failed to create encrypter: %w`, err) } - if hdrs := b.headers; hdrs != nil { - _ = r.SetHeaders(hdrs) - } + _ = r.SetHeaders(hdr) - if err := r.Headers().Set(AlgorithmKey, b.alg); err != nil { + // Populate headers with stuff that we automatically set + if err := hdr.Set(AlgorithmKey, b.alg); err != nil { return nil, fmt.Errorf(`failed to set header: %w`, err) } if keyID != "" { - if err := r.Headers().Set(KeyIDKey, keyID); err != nil { + if err := hdr.Set(KeyIDKey, keyID); err != nil { return nil, fmt.Errorf(`failed to set header: %w`, err) } } + // Handle the encrypted key var rawCEK []byte enckey, err := enc.EncryptKey(cek) if err != nil { @@ -143,8 +148,9 @@ func (b *recipientBuilder) Build(r Recipient, cek []byte, calg jwa.ContentEncryp } } + // finally, anything specific should go here if hp, ok := enckey.(populater); ok { - if err := hp.Populate(r.Headers()); err != nil { + if err := hp.Populate(hdr); err != nil { return nil, fmt.Errorf(`failed to populate: %w`, err) } } @@ -154,7 +160,9 @@ func (b *recipientBuilder) Build(r Recipient, cek []byte, calg jwa.ContentEncryp // Encrypt generates a JWE message for the given payload and returns // it in serialized form, which can be in either compact or -// JSON format. Default is compact. +// JSON format. Default is compact. When JSON format is specified and +// there is only one recipient, the resulting serialization is +// automatically converted to flattened JSON serialization format. // // You must pass at least one key to `jwe.Encrypt()` by using `jwe.WithKey()` // option. 
@@ -172,6 +180,10 @@ func (b *recipientBuilder) Build(r Recipient, cek []byte, calg jwa.ContentEncryp // // Look for options that return `jwe.EncryptOption` or `jws.EncryptDecryptOption` // for a complete list of options that can be passed to this function. +// +// As of v3.0.12, users can specify `jwe.WithLegacyHeaderMerging()` to +// disable header merging behavior that was the default prior to v3.0.12. +// Read the documentation for `jwe.WithLegacyHeaderMerging()` for more information. func Encrypt(payload []byte, options ...EncryptOption) ([]byte, error) { ec := encryptContextPool.Get() defer encryptContextPool.Put(ec) @@ -410,10 +422,26 @@ func (dc *decryptContext) decryptContent(msg *Message, alg jwa.KeyEncryptionAlgo Tag(msg.tag). CEK(dc.cek) - if v, ok := recipient.Headers().Algorithm(); !ok || v != alg { - // algorithms don't match + // The "alg" header can be in either protected/unprotected headers. + // prefer per-recipient headers (as it might be the case that the algorithm differs + // by each recipient), then look at protected headers. + var algMatched bool + for _, hdr := range []Headers{recipient.Headers(), protectedHeaders} { + v, ok := hdr.Algorithm() + if !ok { + continue + } + + if v == alg { + algMatched = true + break + } + // if we found something but didn't match, it's a failure return nil, fmt.Errorf(`jwe.Decrypt: key (%q) and recipient (%q) algorithms do not match`, alg, v) } + if !algMatched { + return nil, fmt.Errorf(`jwe.Decrypt: failed to find "alg" header in either protected or per-recipient headers`) + } h2, err := protectedHeaders.Clone() if err != nil { 
@@ -534,11 +562,12 @@ func (dc *decryptContext) decryptContent(msg *Message, alg jwa.KeyEncryptionAlgo // encryptContext holds the state during JWE encryption, similar to JWS signContext type encryptContext struct { - calg jwa.ContentEncryptionAlgorithm - compression jwa.CompressionAlgorithm - format int - builders []*recipientBuilder - protected Headers + calg jwa.ContentEncryptionAlgorithm + compression jwa.CompressionAlgorithm + format int + builders []*recipientBuilder + protected Headers + legacyHeaderMerging bool } var encryptContextPool = pool.New(allocEncryptContext, freeEncryptContext) @@ -561,6 +590,7 @@ func freeEncryptContext(ec *encryptContext) *encryptContext { } func (ec *encryptContext) ProcessOptions(options []EncryptOption) error { + ec.legacyHeaderMerging = true var mergeProtected bool var useRawCEK bool for _, option := range options { @@ -577,7 +607,11 @@ func (ec *encryptContext) ProcessOptions(options []EncryptOption) error { if v == jwa.DIRECT() || v == jwa.ECDH_ES() { useRawCEK = true } - ec.builders = append(ec.builders, &recipientBuilder{alg: v, key: wk.key, headers: wk.headers}) + ec.builders = append(ec.builders, &recipientBuilder{ + alg: v, + key: wk.key, + headers: wk.headers, + }) case identContentEncryptionAlgorithm{}: var c jwa.ContentEncryptionAlgorithm if err := option.Value(&c); err != nil { @@ -616,6 +650,12 @@ func (ec *encryptContext) ProcessOptions(options []EncryptOption) error { return err } ec.format = fmtOpt + case identLegacyHeaderMerging{}: + var v bool + if err := option.Value(&v); err != nil { + return err + } + ec.legacyHeaderMerging = v } } @@ -732,7 +772,8 @@ func (ec *encryptContext) EncryptMessage(payload []byte, cek []byte) ([]byte, er } } - recipients := recipientSlicePool.GetCapacity(len(ec.builders)) + lbuilders := len(ec.builders) + recipients := recipientSlicePool.GetCapacity(lbuilders) defer recipientSlicePool.Put(recipients) for i, builder := range ec.builders { 
@@ -767,14 +808,55 @@ func (ec *encryptContext) EncryptMessage(payload []byte, cek []byte) ([]byte, er } } - // If there's only one recipient, you want to include that in the - // protected header - if len(recipients) == 1 { + // fmtCompact does not have per-recipient headers, nor a "header" field. + // In this mode, we're going to have to merge everything to the protected + // header. + if ec.format == fmtCompact { + // We have already established that the number of builders is 1 in + // ec.ProcessOptions(). But we're going to be pedantic + if lbuilders != 1 { + return nil, fmt.Errorf(`internal error: expected exactly one recipient builder (got %d)`, lbuilders) + } + + // when we're using compact format, we can safely merge per-recipient + // headers into the protected header, if any h, err := protected.Merge(recipients[0].Headers()) if err != nil { - return nil, fmt.Errorf(`failed to merge protected headers: %w`, err) + return nil, fmt.Errorf(`failed to merge protected headers for compact serialization: %w`, err) } protected = h + // per-recipient headers, if any, will be ignored in compact format + } else { + // If it got here, it's JSON (could be pretty mode, too). + if lbuilders == 1 { + // If it got here, then we're doing flattened JSON serialization. + // In this mode, we should merge per-recipient headers into the protected header, + // but we also need to make sure that the "header" field is reset so that + // it does not contain the same fields as the protected header. + // + // However, old behavior was to merge per-recipient headers into the + // protected header when there was only one recipient, AND leave the + // original "header" field as is, so we need to support that for backwards compatibility. + // + // The legacy merging only takes effect when there is exactly one recipient. 
+ // + // This behavior can be disabled by passing jwe.WithLegacyHeaderMerging(false) + // If the user has explicitly asked for merging, do it + h, err := protected.Merge(recipients[0].Headers()) + if err != nil { + return nil, fmt.Errorf(`failed to merge protected headers for flattenend JSON format: %w`, err) + } + protected = h + + if !ec.legacyHeaderMerging { + // Clear per-recipient headers, since they have been merged. + // But we only do it when legacy merging is disabled. + // Note: we should probably introduce a Reset() method in v4 + if err := recipients[0].SetHeaders(NewHeaders()); err != nil { + return nil, fmt.Errorf(`failed to clear per-recipient headers after merging: %w`, err) + } + } + } } aad, err := protected.Encode() diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwe/message.go b/vendor/github.com/lestrrat-go/jwx/v3/jwe/message.go index 13cf3dec83..7aad833f26 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jwe/message.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwe/message.go @@ -265,14 +265,23 @@ func (m *Message) MarshalJSON() ([]byte, error) { if recipients := m.Recipients(); len(recipients) > 0 { if len(recipients) == 1 { // Use flattened format if hdrs := recipients[0].Headers(); hdrs != nil { - buf.Reset() - if err := enc.Encode(hdrs); err != nil { - return nil, fmt.Errorf(`failed to encode %s field: %w`, HeadersKey, err) + var skipHeaders bool + if zeroer, ok := hdrs.(isZeroer); ok { + if zeroer.isZero() { + skipHeaders = true + } + } + + if !skipHeaders { + buf.Reset() + if err := enc.Encode(hdrs); err != nil { + return nil, fmt.Errorf(`failed to encode %s field: %w`, HeadersKey, err) + } + fields = append(fields, jsonKV{ + Key: HeadersKey, + Value: strings.TrimSpace(buf.String()), + }) } - fields = append(fields, jsonKV{ - Key: HeadersKey, - Value: strings.TrimSpace(buf.String()), - }) } if ek := recipients[0].EncryptedKey(); len(ek) > 0 { 
@@ -369,13 +378,18 @@ func (m *Message) UnmarshalJSON(buf []byte) error { // field. TODO: do both of these conditions need to meet, or just one? if proxy.Headers != nil || len(proxy.EncryptedKey) > 0 { recipient := NewRecipient() - hdrs := NewHeaders() - if err := json.Unmarshal(proxy.Headers, hdrs); err != nil { - return fmt.Errorf(`failed to decode headers field: %w`, err) - } - if err := recipient.SetHeaders(hdrs); err != nil { - return fmt.Errorf(`failed to set new headers: %w`, err) + // `"heders"` could be empty. If that's the case, just skip the + // following unmarshaling step + if proxy.Headers != nil { + hdrs := NewHeaders() + if err := json.Unmarshal(proxy.Headers, hdrs); err != nil { + return fmt.Errorf(`failed to decode headers field: %w`, err) + } + + if err := recipient.SetHeaders(hdrs); err != nil { + return fmt.Errorf(`failed to set new headers: %w`, err) + } } if v := proxy.EncryptedKey; len(v) > 0 { diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwe/options.go b/vendor/github.com/lestrrat-go/jwx/v3/jwe/options.go index c9137eecf4..0437ea8733 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jwe/options.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwe/options.go @@ -6,8 +6,9 @@ import ( "github.com/lestrrat-go/option/v2" ) -// Specify contents of the protected header. Some fields such as -// "enc" and "zip" will be overwritten when encryption is performed. +// WithProtectedHeaders is used to specify contents of the protected header. +// Some fields such as "enc" and "zip" will be overwritten when encryption is +// performed. // // There is no equivalent for unprotected headers in this implementation func WithProtectedHeaders(h Headers) EncryptOption { diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwe/options.yaml b/vendor/github.com/lestrrat-go/jwx/v3/jwe/options.yaml index b7fb0262de..359d80944d 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jwe/options.yaml +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwe/options.yaml 
@@ -169,4 +169,42 @@ options: If set to an invalid value, the default value is used. In v2, this option was called MaxBufferSize. - This option has a global effect. \ No newline at end of file + This option has a global effect. + - ident: LegacyHeaderMerging + interface: EncryptOption + argument_type: bool + option_name: WithLegacyHeaderMerging + comment: | + WithLegacyHeaderMerging specifies whether to perform legacy header merging + when encrypting a JWE message in JSON serialization, when there is a single recipient. + This behavior is enabled by default for backwards compatibility. + + When a JWE message is encrypted in JSON serialization, and there is only + one recipient, this library automatically serializes the message in + flattened JSON serialization format. In older versions of this library, + the protected headers and the per-recipient headers were merged together + before computing the AAD (Additional Authenticated Data), but the per-recipient + headers were kept as-is in the `header` field of the recipient object. + + This behavior is not compliant with the JWE specification, which states that + the headers must be disjoint. + + Passing this option with a value of `false` disables this legacy behavior, + and while the per-recipient headers and protected headers are still merged + for the purpose of computing AAD, the per-recipient headers are cleared + after merging, so that the resulting JWE message is compliant with the + specification. + + This option has no effect when there are multiple recipients, or when + the serialization format is compact serialization. For multiple recipients + (i.e. full JSON serialization), the protected headers and per-recipient + headers are never merged, and it is the caller's responsibility to ensure + that the headers are disjoint. 
In compact serialization, there are no per-recipient + headers; in fact, the protected headers are the only headers that exist, + and therefore there is no possibility of header collision after merging + (note: while per-recipient headers do not make sense in compact serialization, + this library does not prevent you from setting them -- they are all just + merged into the protected headers). + + In future versions, the new behavior will be the default. New users are + encouraged to set this option to `false` now to avoid future issues. \ No newline at end of file diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwe/options_gen.go b/vendor/github.com/lestrrat-go/jwx/v3/jwe/options_gen.go index 2a15c141b4..2d28eecb44 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jwe/options_gen.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwe/options_gen.go @@ -147,6 +147,7 @@ type identFS struct{} type identKey struct{} type identKeyProvider struct{} type identKeyUsed struct{} +type identLegacyHeaderMerging struct{} type identMaxDecompressBufferSize struct{} type identMaxPBES2Count struct{} type identMergeProtectedHeaders struct{} @@ -193,6 +194,10 @@ func (identKeyUsed) String() string { return "WithKeyUsed" } +func (identLegacyHeaderMerging) String() string { + return "WithLegacyHeaderMerging" +} + func (identMaxDecompressBufferSize) String() string { return "WithMaxDecompressBufferSize" } 
@@ -292,6 +297,43 @@ func WithKeyUsed(v any) DecryptOption { return &decryptOption{option.New(identKeyUsed{}, v)} } +// WithLegacyHeaderMerging specifies whether to perform legacy header merging +// when encrypting a JWE message in JSON serialization, when there is a single recipient. +// This behavior is enabled by default for backwards compatibility. +// +// When a JWE message is encrypted in JSON serialization, and there is only +// one recipient, this library automatically serializes the message in +// flattened JSON serialization format. In older versions of this library, +// the protected headers and the per-recipient headers were merged together +// before computing the AAD (Additional Authenticated Data), but the per-recipient +// headers were kept as-is in the `header` field of the recipient object. +// +// This behavior is not compliant with the JWE specification, which states that +// the headers must be disjoint. +// +// Passing this option with a value of `false` disables this legacy behavior, +// and while the per-recipient headers and protected headers are still merged +// for the purpose of computing AAD, the per-recipient headers are cleared +// after merging, so that the resulting JWE message is compliant with the +// specification. +// +// This option has no effect when there are multiple recipients, or when +// the serialization format is compact serialization. For multiple recipients +// (i.e. full JSON serialization), the protected headers and per-recipient +// headers are never merged, and it is the caller's responsibility to ensure +// that the headers are disjoint. 
In compact serialization, there are no per-recipient +// headers; in fact, the protected headers are the only headers that exist, +// and therefore there is no possibility of header collision after merging +// (note: while per-recipient headers do not make sense in compact serialization, +// this library does not prevent you from setting them -- they are all just +// merged into the protected headers). +// +// In future versions, the new behavior will be the default. New users are +// encouraged to set this option to `false` now to avoid future issues. +func WithLegacyHeaderMerging(v bool) EncryptOption { + return &encryptOption{option.New(identLegacyHeaderMerging{}, v)} +} + // WithMaxDecompressBufferSize specifies the maximum buffer size for used when // decompressing the payload of a JWE message. If a compressed JWE payload // exceeds this amount when decompressed, jwe.Decrypt will return an error. diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwk/cache.go b/vendor/github.com/lestrrat-go/jwx/v3/jwk/cache.go index b83b56c790..6d5b00f056 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jwk/cache.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwk/cache.go @@ -270,7 +270,7 @@ func (cs *cachedSet) cached() (Set, error) { return cs.r.Resource(), nil } -// Add is a no-op for `jwk.CachedSet`, as the `jwk.Set` should be treated read-only +// AddKey is a no-op for `jwk.CachedSet`, as the `jwk.Set` should be treated read-only func (*cachedSet) AddKey(_ Key) error { return fmt.Errorf(`(jwk.Cachedset).AddKey: jwk.CachedSet is immutable`) } diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwk/fetch.go b/vendor/github.com/lestrrat-go/jwx/v3/jwk/fetch.go index 910a2101d4..2c80a369dc 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jwk/fetch.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwk/fetch.go 
@@ -40,7 +40,7 @@ type CachedFetcher struct { cache *Cache } -// Creates a new `jwk.CachedFetcher` object. +// NewCachedFetcher creates a new `jwk.CachedFetcher` object. func NewCachedFetcher(cache *Cache) *CachedFetcher { return &CachedFetcher{cache} } diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwk/x509.go b/vendor/github.com/lestrrat-go/jwx/v3/jwk/x509.go index c0a7c4c4d9..f06063c6ed 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jwk/x509.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwk/x509.go @@ -118,7 +118,7 @@ func NewPEMDecoder() PEMDecoder { type pemDecoder struct{} -// DecodePEM decodes a key in PEM encoded ASN.1 DER format. +// Decode decodes a key in PEM encoded ASN.1 DER format. // and returns a raw key. func (pemDecoder) Decode(src []byte) (any, []byte, error) { block, rest := pem.Decode(src) diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/jws.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/jws.go index 1fa77438b9..92a84e7f07 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/jws.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/jws.go @@ -586,11 +586,14 @@ func AlgorithmsForKey(key any) ([]jwa.SignatureAlgorithm, error) { return algs, nil } +// Settings allows you to set global settings for this JWS operations. +// +// Currently, the only setting available is `jws.WithLegacySigners()`, +// which for various reason is now a no-op. func Settings(options ...GlobalOption) { for _, option := range options { switch option.Ident() { case identLegacySigners{}: - enableLegacySigners() } } } diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/header.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/header.go index d50c38eeb1..cac3987ea5 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/header.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/header.go 
@@ -26,7 +26,7 @@ func (e headerNotFoundError) Is(target error) bool { } } -// ErrHeaderdNotFound returns an error that can be passed to `errors.Is` to check if the error is +// ErrHeaderNotFound returns an error that can be passed to `errors.Is` to check if the error is // the result of the field not being found func ErrHeaderNotFound() error { return headerNotFoundError{} diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/legacy.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/legacy.go index a6687d68cb..767ad723a3 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/legacy.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/legacy.go @@ -2,11 +2,14 @@ package jws import ( "fmt" + "sync" "github.com/lestrrat-go/jwx/v3/jwa" "github.com/lestrrat-go/jwx/v3/jws/legacy" ) +var enableLegacySignersOnce = &sync.Once{} + func enableLegacySigners() { for _, alg := range []jwa.SignatureAlgorithm{jwa.HS256(), jwa.HS384(), jwa.HS512()} { if err := RegisterSigner(alg, func(alg jwa.SignatureAlgorithm) SignerFactory { @@ -74,7 +77,7 @@ func legacySignerFor(alg jwa.SignatureAlgorithm) (Signer, error) { muSigner.Lock() s, ok := signers[alg] if !ok { - v, err := NewSigner(alg) + v, err := newLegacySigner(alg) if err != nil { muSigner.Unlock() return nil, fmt.Errorf(`failed to create payload signer: %w`, err) diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/legacy/legacy.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/legacy/legacy.go index 84a2527428..fe69b55e05 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/legacy/legacy.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/legacy/legacy.go @@ -23,7 +23,7 @@ type Signer interface { Algorithm() jwa.SignatureAlgorithm } -// This is for legacy support only. +// Verifier is for legacy support only. type Verifier interface { // Verify checks whether the payload and signature are valid for // the given key. 
diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/options.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/options.go index 729e561936..4c217c3483 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/options.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/options.go @@ -38,7 +38,7 @@ type withKey struct { public Headers } -// This exists as an escape hatch to modify the header values after the fact +// Protected exists as an escape hatch to modify the header values after the fact func (w *withKey) Protected(v Headers) Headers { if w.protected == nil && v != nil { w.protected = v @@ -221,7 +221,7 @@ type withInsecureNoSignature struct { protected Headers } -// This exists as an escape hatch to modify the header values after the fact +// Protected exists as an escape hatch to modify the header values after the fact func (w *withInsecureNoSignature) Protected(v Headers) Headers { if w.protected == nil && v != nil { w.protected = v diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/options.yaml b/vendor/github.com/lestrrat-go/jwx/v3/jws/options.yaml index 303ab3a32e..79dbb72500 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/options.yaml +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/options.yaml @@ -227,8 +227,4 @@ options: interface: GlobalOption constant_value: true comment: | - WithLegacySigners specifies whether the JWS package should use legacy - signers for signing JWS messages. - - Usually there's no need to use this option, as the new signers and - verifiers are loaded by default. + WithLegacySigners is a no-op option that exists only for backwards compatibility. diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/options_gen.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/options_gen.go index b97cf7e8dd..7013e86bd7 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/options_gen.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/options_gen.go 
@@ -356,11 +356,7 @@ func WithKeyUsed(v any) VerifyOption { return &verifyOption{option.New(identKeyUsed{}, v)} } -// WithLegacySigners specifies whether the JWS package should use legacy -// signers for signing JWS messages. -// -// Usually there's no need to use this option, as the new signers and -// verifiers are loaded by default. +// WithLegacySigners is a no-op option that exists only for backwards compatibility. func WithLegacySigners() GlobalOption { return &globalOption{option.New(identLegacySigners{}, true)} } diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/signer.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/signer.go index 340666931f..99005e859a 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/signer.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/signer.go @@ -2,6 +2,7 @@ package jws import ( "fmt" + "strings" "sync" "github.com/lestrrat-go/jwx/v3/jwa" @@ -33,6 +34,19 @@ func (fn SignerFactoryFn) Create() (Signer, error) { return fn() } +func init() { + // register the signers using jwsbb. These will be used by default. + for _, alg := range jwa.SignatureAlgorithms() { + if alg == jwa.NoSignature() { + continue + } + + if err := RegisterSigner(alg, defaultSigner{alg: alg}); err != nil { + panic(fmt.Sprintf("RegisterSigner failed: %v", err)) + } + } +} + // SignerFor returns a Signer2 for the given signature algorithm. // // Currently, this function will never fail. It will always return a @@ -43,6 +57,9 @@ func (fn SignerFactoryFn) Create() (Signer, error) { // 3. If no Signer2 or legacy Signer(Factory) is registered, it will return a // default signer that uses jwsbb.Sign. // +// 1 and 2 will take care of 99% of the cases. The only time 3 will happen is +// when you are using a custom algorithm that is not supported out of the box. +// // jwsbb.Sign knows how to handle a static set of algorithms, so if the // algorithm is not supported, it will return an error when you call // `Sign` on the default signer. 
@@ -80,6 +97,14 @@ var signerDB = make(map[jwa.SignatureAlgorithm]SignerFactory) // Unlike the `UnregisterSigner` function, this function automatically // calls `jwa.RegisterSignatureAlgorithm` to register the algorithm // in this module's algorithm database. +// +// For backwards compatibility, this function also accepts +// `SignerFactory` implementations, but this usage is deprecated. +// You should use `Signer2` implementations instead. +// +// If you want to completely remove an algorithm, you must call +// `jwa.UnregisterSignatureAlgorithm` yourself after calling +// `UnregisterSigner`. func RegisterSigner(alg jwa.SignatureAlgorithm, f any) error { jwa.RegisterSignatureAlgorithm(alg) switch s := f.(type) { @@ -87,22 +112,10 @@ func RegisterSigner(alg jwa.SignatureAlgorithm, f any) error { muSigner2DB.Lock() signer2DB[alg] = s muSigner2DB.Unlock() - - // delete the other signer, if there was one - muSignerDB.Lock() - delete(signerDB, alg) - muSignerDB.Unlock() case SignerFactory: muSignerDB.Lock() signerDB[alg] = s muSignerDB.Unlock() - - // Remove previous signer, if there was one - removeSigner(alg) - - muSigner2DB.Lock() - delete(signer2DB, alg) - muSigner2DB.Unlock() default: return fmt.Errorf(`jws.RegisterSigner: unsupported type %T for algorithm %q`, f, alg) } 
@@ -132,11 +145,25 @@ func UnregisterSigner(alg jwa.SignatureAlgorithm) { } // NewSigner creates a signer that signs payloads using the given signature algorithm. -// This function is deprecated. You should use `SignerFor()` instead. +// This function is deprecated, and will either be removed to re-purposed using +// a different signature. // -// This function only exists for backwards compatibility, but will not work -// unless you enable the legacy support mode by calling jws.Settings(jws.WithLegacySigners(true)). +// When you want to load a Signer object, you should use `SignerFor()` instead. func NewSigner(alg jwa.SignatureAlgorithm) (Signer, error) { + s, err := newLegacySigner(alg) + if err == nil { + return s, nil + } + + if strings.HasPrefix(err.Error(), `jws.NewSigner: unsupported signature algorithm`) { + // When newLegacySigner fails, automatically trigger to enable signers + enableLegacySignersOnce.Do(enableLegacySigners) + return newLegacySigner(alg) + } + return nil, err +} + +func newLegacySigner(alg jwa.SignatureAlgorithm) (Signer, error) { muSignerDB.RLock() f, ok := signerDB[alg] muSignerDB.RUnlock() diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwt/token_options.go b/vendor/github.com/lestrrat-go/jwx/v3/jwt/token_options.go index 0f54e05611..088c4263be 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jwt/token_options.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwt/token_options.go @@ -66,7 +66,7 @@ func (o *TokenOptionSet) Enable(flag TokenOption) { *o = TokenOptionSet(o.Value() | uint64(flag)) } -// Enable sets the appropriate value to disable the option in the +// Disable sets the appropriate value to disable the option in the // option set func (o *TokenOptionSet) Disable(flag TokenOption) { *o = TokenOptionSet(o.Value() & ^uint64(flag)) diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwt/token_options_gen.go b/vendor/github.com/lestrrat-go/jwx/v3/jwt/token_options_gen.go index 7e7cbf14aa..c1f333d13b 100644 
--- a/vendor/github.com/lestrrat-go/jwx/v3/jwt/token_options_gen.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwt/token_options_gen.go @@ -17,9 +17,9 @@ const _TokenOption_name = "FlattenAudienceMaxPerTokenOption" var _TokenOption_index = [...]uint8{0, 15, 32} func (i TokenOption) String() string { - i -= 1 - if i >= TokenOption(len(_TokenOption_index)-1) { - return "TokenOption(" + strconv.FormatInt(int64(i+1), 10) + ")" + idx := int(i) - 1 + if i < 1 || idx >= len(_TokenOption_index)-1 { + return "TokenOption(" + strconv.FormatInt(int64(i), 10) + ")" } - return _TokenOption_name[_TokenOption_index[i]:_TokenOption_index[i+1]] + return _TokenOption_name[_TokenOption_index[idx]:_TokenOption_index[idx+1]] } diff --git a/vendor/github.com/modern-go/reflect2/safe_type.go b/vendor/github.com/modern-go/reflect2/safe_type.go index ee4e7bb6ed..5646309e09 100644 --- a/vendor/github.com/modern-go/reflect2/safe_type.go +++ b/vendor/github.com/modern-go/reflect2/safe_type.go @@ -6,10 +6,12 @@ import ( ) type safeType struct { - reflect.Type - cfg *frozenConfig + Type reflect.Type + cfg *frozenConfig } +var _ Type = &safeType{} + func (type2 *safeType) New() interface{} { return reflect.New(type2.Type).Interface() } @@ -18,6 +20,22 @@ func (type2 *safeType) UnsafeNew() unsafe.Pointer { panic("does not support unsafe operation") } +func (type2 *safeType) Kind() reflect.Kind { + return type2.Type.Kind() +} + +func (type2 *safeType) Len() int { + return type2.Type.Len() +} + +func (type2 *safeType) NumField() int { + return type2.Type.NumField() +} + +func (type2 *safeType) String() string { + return type2.Type.String() +} + func (type2 *safeType) Elem() Type { return type2.cfg.Type2(type2.Type.Elem()) } diff --git a/vendor/github.com/open-policy-agent/opa/ast/visit.go b/vendor/github.com/open-policy-agent/opa/ast/visit.go index f4f2459ecc..f785b8c104 100644 --- a/vendor/github.com/open-policy-agent/opa/ast/visit.go +++ b/vendor/github.com/open-policy-agent/opa/ast/visit.go 
@@ -10,16 +10,19 @@ import v1 "github.com/open-policy-agent/opa/v1/ast" // can return a Visitor w which will be used to visit the children of the AST // element v. If the Visit function returns nil, the children will not be // visited. +// // Deprecated: use GenericVisitor or another visitor implementation type Visitor = v1.Visitor // BeforeAndAfterVisitor wraps Visitor to provide hooks for being called before // and after the AST has been visited. +// // Deprecated: use GenericVisitor or another visitor implementation type BeforeAndAfterVisitor = v1.BeforeAndAfterVisitor // Walk iterates the AST by calling the Visit function on the Visitor // v for x before recursing. +// // Deprecated: use GenericVisitor.Walk func Walk(v Visitor, x any) { v1.Walk(v, x) @@ -27,6 +30,7 @@ func Walk(v Visitor, x any) { // WalkBeforeAndAfter iterates the AST by calling the Visit function on the // Visitor v for x before recursing. +// // Deprecated: use GenericVisitor.Walk func WalkBeforeAndAfter(v BeforeAndAfterVisitor, x any) { v1.WalkBeforeAndAfter(v, x) diff --git a/vendor/github.com/open-policy-agent/opa/bundle/store.go b/vendor/github.com/open-policy-agent/opa/bundle/store.go index 9659d67bde..85b8515eb2 100644 --- a/vendor/github.com/open-policy-agent/opa/bundle/store.go +++ b/vendor/github.com/open-policy-agent/opa/bundle/store.go 
@@ -100,24 +100,28 @@ func Deactivate(opts *DeactivateOpts) error { } // LegacyWriteManifestToStore will write the bundle manifest to the older single (unnamed) bundle manifest location. +// // Deprecated: Use WriteManifestToStore and named bundles instead. func LegacyWriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, manifest Manifest) error { return v1.LegacyWriteManifestToStore(ctx, store, txn, manifest) } // LegacyEraseManifestFromStore will erase the bundle manifest from the older single (unnamed) bundle manifest location. +// // Deprecated: Use WriteManifestToStore and named bundles instead. func LegacyEraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) error { return v1.LegacyEraseManifestFromStore(ctx, store, txn) } // LegacyReadRevisionFromStore will read the bundle manifest revision from the older single (unnamed) bundle manifest location. +// // Deprecated: Use ReadBundleRevisionFromStore and named bundles instead. func LegacyReadRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) (string, error) { return v1.LegacyReadRevisionFromStore(ctx, store, txn) } // ActivateLegacy calls Activate for the bundles but will also write their manifest to the older unnamed store location. +// // Deprecated: Use Activate with named bundles instead. func ActivateLegacy(opts *ActivateOpts) error { return v1.ActivateLegacy(opts) diff --git a/vendor/github.com/open-policy-agent/opa/capabilities/v1.10.1.json b/vendor/github.com/open-policy-agent/opa/capabilities/v1.11.0.json similarity index 99% rename from vendor/github.com/open-policy-agent/opa/capabilities/v1.10.1.json rename to vendor/github.com/open-policy-agent/opa/capabilities/v1.11.0.json index 0a37621d0c..d58fc6760f 100644 --- a/vendor/github.com/open-policy-agent/opa/capabilities/v1.10.1.json +++ b/vendor/github.com/open-policy-agent/opa/capabilities/v1.11.0.json 
@@ -40,7 +40,8 @@ "type": "boolean" }, "type": "function" - } + }, + "deprecated": true }, { "name": "and", @@ -95,7 +96,8 @@ "type": "boolean" }, "type": "function" - } + }, + "deprecated": true }, { "name": "array.concat", @@ -385,7 +387,8 @@ "type": "array" }, "type": "function" - } + }, + "deprecated": true }, { "name": "cast_boolean", @@ -399,7 +402,8 @@ "type": "boolean" }, "type": "function" - } + }, + "deprecated": true }, { "name": "cast_null", @@ -413,7 +417,8 @@ "type": "null" }, "type": "function" - } + }, + "deprecated": true }, { "name": "cast_object", @@ -435,7 +440,8 @@ "type": "object" }, "type": "function" - } + }, + "deprecated": true }, { "name": "cast_set", @@ -452,7 +458,8 @@ "type": "set" }, "type": "function" - } + }, + "deprecated": true }, { "name": "cast_string", @@ -466,7 +473,8 @@ "type": "string" }, "type": "function" - } + }, + "deprecated": true }, { "name": "ceil", @@ -2975,7 +2983,8 @@ "type": "boolean" }, "type": "function" - } + }, + "deprecated": true }, { "name": "net.lookup_ip_addr", @@ -3493,7 +3502,8 @@ "type": "boolean" }, "type": "function" - } + }, + "deprecated": true }, { "name": "regex.find_all_string_submatch_n", @@ -3808,7 +3818,8 @@ "type": "set" }, "type": "function" - } + }, + "deprecated": true }, { "name": "sort", diff --git a/vendor/github.com/open-policy-agent/opa/capabilities/v1.11.1.json b/vendor/github.com/open-policy-agent/opa/capabilities/v1.11.1.json new file mode 100644 index 0000000000..d58fc6760f --- /dev/null +++ b/vendor/github.com/open-policy-agent/opa/capabilities/v1.11.1.json 
@@ -0,0 +1,4878 @@ +{ + "builtins": [ + { + "name": "abs", + "decl": { + "args": [ + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "all", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "deprecated": true + }, + { + "name": "and", + "decl": { + "args": [ + { + "of": { + "type": "any" + }, + "type": "set" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + }, + "infix": "\u0026" + }, + { + "name": "any", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "deprecated": true + }, + { + "name": "array.concat", + "decl": { + "args": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "result": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "array.reverse", + "decl": { + "args": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "result": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "array.slice", + "decl": { + "args": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "assign", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": 
"function" + }, + "infix": ":=" + }, + { + "name": "base64.decode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "base64.encode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "base64.is_valid", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "base64url.decode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "base64url.encode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "base64url.encode_no_pad", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "bits.and", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "bits.lsh", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "bits.negate", + "decl": { + "args": [ + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "bits.or", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "bits.rsh", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "bits.xor", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + 
"type": "function" + } + }, + { + "name": "cast_array", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "function" + }, + "deprecated": true + }, + { + "name": "cast_boolean", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "deprecated": true + }, + { + "name": "cast_null", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "null" + }, + "type": "function" + }, + "deprecated": true + }, + { + "name": "cast_object", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + }, + "deprecated": true + }, + { + "name": "cast_set", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + }, + "deprecated": true + }, + { + "name": "cast_string", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + }, + "deprecated": true + }, + { + "name": "ceil", + "decl": { + "args": [ + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "concat", + "decl": { + "args": [ + { + "type": "string" + }, + { + "of": [ + { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "contains", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "count", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + 
"dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "crypto.hmac.equal", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "crypto.hmac.md5", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.hmac.sha1", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.hmac.sha256", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.hmac.sha512", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.md5", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.parse_private_keys", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "crypto.sha1", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.sha256", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": 
"crypto.x509.parse_and_verify_certificates", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "static": [ + { + "type": "boolean" + }, + { + "dynamic": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "array" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "crypto.x509.parse_and_verify_certificates_with_options", + "decl": { + "args": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "static": [ + { + "type": "boolean" + }, + { + "dynamic": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "array" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "crypto.x509.parse_certificate_request", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "crypto.x509.parse_certificates", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "crypto.x509.parse_keypair", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "crypto.x509.parse_rsa_private_key", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + 
"name": "div", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + }, + "infix": "/" + }, + { + "name": "endswith", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "eq", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "=" + }, + { + "name": "equal", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "==" + }, + { + "name": "floor", + "decl": { + "args": [ + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "format_int", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "glob.match", + "decl": { + "args": [ + { + "type": "string" + }, + { + "of": [ + { + "type": "null" + }, + { + "dynamic": { + "type": "string" + }, + "type": "array" + } + ], + "type": "any" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "glob.quote_meta", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "graph.reachable", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + }, + "type": "object" + }, + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + 
"result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "graph.reachable_paths", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + }, + "type": "object" + }, + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "of": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "graphql.is_valid", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "graphql.parse", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "graphql.parse_and_verify", + "decl": { + "args": [ + { + "of": [ 
+ { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "type": "boolean" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "graphql.parse_query", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "graphql.parse_schema", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "graphql.schema_is_valid", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "gt", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "\u003e" + }, + { + "name": "gte", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "\u003e=" + }, + { + "name": "hex.decode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + 
}, + "type": "function" + } + }, + { + "name": "hex.encode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "http.send", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "indexof", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "indexof_n", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "dynamic": { + "type": "number" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "internal.member_2", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "in" + }, + { + "name": "internal.member_3", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "in" + }, + { + "name": "internal.print", + "decl": { + "args": [ + { + "dynamic": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "array" + } + ], + "type": "function" + } + }, + { + "name": "internal.test_case", + "decl": { + "args": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "function" + } + }, + { + "name": "intersection", + "decl": { + "args": [ + { + "of": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "set" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "io.jwt.decode", + "decl": { + "args": [ + { + 
"type": "string" + } + ], + "result": { + "static": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "type": "string" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "io.jwt.decode_verify", + "decl": { + "args": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "static": [ + { + "type": "boolean" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "array" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "io.jwt.encode_sign", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "type": "string" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "io.jwt.encode_sign_raw", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "io.jwt.verify_eddsa", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_es256", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": 
"string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_es384", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_es512", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_hs256", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_hs384", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_hs512", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_ps256", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_ps384", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_ps512", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_rs256", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_rs384", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + 
"name": "io.jwt.verify_rs512", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_array", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_boolean", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_null", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_number", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_object", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_set", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_string", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "json.filter", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": [ + { + "dynamic": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "array" + }, + { + "of": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "json.is_valid", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": 
"json.marshal", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "json.marshal_with_options", + "decl": { + "args": [ + { + "type": "any" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "static": [ + { + "key": "indent", + "value": { + "type": "string" + } + }, + { + "key": "prefix", + "value": { + "type": "string" + } + }, + { + "key": "pretty", + "value": { + "type": "boolean" + } + } + ], + "type": "object" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "json.match_schema", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "type": "boolean" + }, + { + "dynamic": { + "static": [ + { + "key": "desc", + "value": { + "type": "string" + } + }, + { + "key": "error", + "value": { + "type": "string" + } + }, + { + "key": "field", + "value": { + "type": "string" + } + }, + { + "key": "type", + "value": { + "type": "string" + } + } + ], + "type": "object" + }, + "type": "array" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "json.patch", + "decl": { + "args": [ + { + "type": "any" + }, + { + "dynamic": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "static": [ + { + "key": "op", + "value": { + "type": "string" + } + }, + { + "key": "path", + "value": { + "type": "any" + } + } + ], + "type": "object" + }, + "type": "array" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "json.remove", + "decl": { + "args": [ + { + 
"dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": [ + { + "dynamic": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "array" + }, + { + "of": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "json.unmarshal", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "json.verify_schema", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "type": "boolean" + }, + { + "of": [ + { + "type": "null" + }, + { + "type": "string" + } + ], + "type": "any" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "lower", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "lt", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "\u003c" + }, + { + "name": "lte", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "\u003c=" + }, + { + "name": "max", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "min", + "decl": { + "args": [ + { + 
"of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "minus", + "decl": { + "args": [ + { + "of": [ + { + "type": "number" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "number" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "of": [ + { + "type": "number" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + }, + "type": "function" + }, + "infix": "-" + }, + { + "name": "mul", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + }, + "infix": "*" + }, + { + "name": "neq", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "!=" + }, + { + "name": "net.cidr_contains", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "net.cidr_contains_matches", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + 
"dynamic": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "of": { + "static": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "type": "array" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "net.cidr_expand", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "of": { + "type": "string" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "net.cidr_intersects", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "net.cidr_is_valid", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "net.cidr_merge", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "of": [ + { + "type": "string" + } + ], + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "of": { + "type": "string" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "net.cidr_overlap", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "deprecated": true + }, + { + "name": "net.lookup_ip_addr", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "of": { + "type": "string" + }, + "type": 
"set" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "numbers.range", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "dynamic": { + "type": "number" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "numbers.range_step", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "dynamic": { + "type": "number" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "object.filter", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "object.get", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "object.keys", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "object.remove", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "type": "any" + }, + 
"type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "object.subset", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + }, + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "object.union", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "object.union_n", + "decl": { + "args": [ + { + "dynamic": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "array" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "opa.runtime", + "decl": { + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "or", + "decl": { + "args": [ + { + "of": { + "type": "any" + }, + "type": "set" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + }, + "infix": "|" + }, + { + "name": "plus", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + 
} + ], + "result": { + "type": "number" + }, + "type": "function" + }, + "infix": "+" + }, + { + "name": "print", + "decl": { + "type": "function", + "variadic": { + "type": "any" + } + } + }, + { + "name": "product", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "number" + }, + "type": "array" + }, + { + "of": { + "type": "number" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "providers.aws.sign_req", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "type": "number" + } + ], + "result": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "rand.intn", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "re_match", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "deprecated": true + }, + { + "name": "regex.find_all_string_submatch_n", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "number" + } + ], + "result": { + "dynamic": { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "regex.find_n", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "number" + } + ], + "result": { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "regex.globs_match", + "decl": { + "args": [ + { + "type": 
"string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "regex.is_valid", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "regex.match", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "regex.replace", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "regex.split", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "regex.template_match", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "rego.metadata.chain", + "decl": { + "result": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "rego.metadata.rule", + "decl": { + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "rego.parse_module", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "rem", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + }, + "infix": "%" + }, + { + "name": "replace", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ], + 
"result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "round", + "decl": { + "args": [ + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "semver.compare", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "semver.is_valid", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "set_diff", + "decl": { + "args": [ + { + "of": { + "type": "any" + }, + "type": "set" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + }, + "deprecated": true + }, + { + "name": "sort", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "split", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "sprintf", + "decl": { + "args": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "startswith", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "strings.any_prefix_match", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": 
"any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "strings.any_suffix_match", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "strings.count", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "strings.render_template", + "decl": { + "args": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "strings.replace_n", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "strings.reverse", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "substring", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "sum", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": 
"number" + }, + "type": "array" + }, + { + "of": { + "type": "number" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "time.add_date", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "time.clock", + "decl": { + "args": [ + { + "of": [ + { + "type": "number" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "array" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "time.date", + "decl": { + "args": [ + { + "of": [ + { + "type": "number" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "array" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "time.diff", + "decl": { + "args": [ + { + "of": [ + { + "type": "number" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "array" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "number" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "array" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "time.format", + "decl": { + "args": [ + { + "of": [ + { + "type": "number" + }, + { + "static": [ + { + "type": "number" + 
}, + { + "type": "string" + } + ], + "type": "array" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + }, + { + "type": "string" + } + ], + "type": "array" + } + ], + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "time.now_ns", + "decl": { + "result": { + "type": "number" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "time.parse_duration_ns", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "time.parse_ns", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "time.parse_rfc3339_ns", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "time.weekday", + "decl": { + "args": [ + { + "of": [ + { + "type": "number" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "array" + } + ], + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "to_number", + "decl": { + "args": [ + { + "of": [ + { + "type": "null" + }, + { + "type": "boolean" + }, + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "any" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "trace", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "trim", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "trim_left", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, 
+ { + "name": "trim_prefix", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "trim_right", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "trim_space", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "trim_suffix", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "type_name", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "union", + "decl": { + "args": [ + { + "of": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "set" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "units.parse", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "units.parse_bytes", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "upper", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "urlquery.decode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "urlquery.decode_object", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "dynamic": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": 
"urlquery.encode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "urlquery.encode_object", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "uuid.parse", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "uuid.rfc4122", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "walk", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "static": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "type": "any" + } + ], + "type": "array" + }, + "type": "function" + }, + "relation": true + }, + { + "name": "yaml.is_valid", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "yaml.marshal", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "yaml.unmarshal", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + } + ], + "wasm_abi_versions": [ + { + "version": 1, + "minor_version": 1 + }, + { + "version": 1, + "minor_version": 2 + } + ], + "features": [ + "keywords_in_refs", + "rego_v1" + ] +} 
diff --git a/vendor/github.com/open-policy-agent/opa/internal/compiler/wasm/wasm.go b/vendor/github.com/open-policy-agent/opa/internal/compiler/wasm/wasm.go index 25cbc13b47..81dcac92b8 100644 --- a/vendor/github.com/open-policy-agent/opa/internal/compiler/wasm/wasm.go +++ b/vendor/github.com/open-policy-agent/opa/internal/compiler/wasm/wasm.go @@ -32,7 +32,7 @@ const ( opaWasmABIMinorVersionVar = "opa_wasm_abi_minor_version" ) -// nolint: deadcode,varcheck +// nolint: varcheck const ( opaTypeNull int32 = iota + 1 opaTypeBoolean @@ -414,7 +414,7 @@ func (c *Compiler) initModule() error { }, }, }, - Init: bytes.Repeat([]byte{0}, int(heapBase-offset)), + Init: make([]byte, int(heapBase-offset)), }) return nil @@ -1058,9 +1058,11 @@ func (c *Compiler) compileBlock(block *ir.Block) ([]instruction.Instruction, err }, }) case *ir.AssignIntStmt: - instrs = append(instrs, instruction.GetLocal{Index: c.local(stmt.Target)}) - instrs = append(instrs, instruction.I64Const{Value: stmt.Value}) - instrs = append(instrs, instruction.Call{Index: c.function(opaValueNumberSetInt)}) + instrs = append(instrs, + instruction.GetLocal{Index: c.local(stmt.Target)}, + instruction.I64Const{Value: stmt.Value}, + instruction.Call{Index: c.function(opaValueNumberSetInt)}, + ) case *ir.ScanStmt: if err := c.compileScan(stmt, &instrs); err != nil { return nil, err 
@@ -1073,12 +1075,14 @@ func (c *Compiler) compileBlock(block *ir.Block) ([]instruction.Instruction, err } case *ir.DotStmt: if loc, ok := stmt.Source.Value.(ir.Local); ok { - instrs = append(instrs, instruction.GetLocal{Index: c.local(loc)}) - instrs = append(instrs, c.instrRead(stmt.Key)) - instrs = append(instrs, instruction.Call{Index: c.function(opaValueGet)}) - instrs = append(instrs, instruction.TeeLocal{Index: c.local(stmt.Target)}) - instrs = append(instrs, instruction.I32Eqz{}) - instrs = append(instrs, instruction.BrIf{Index: 0}) + instrs = append(instrs, + instruction.GetLocal{Index: c.local(loc)}, + c.instrRead(stmt.Key), + instruction.Call{Index: c.function(opaValueGet)}, + instruction.TeeLocal{Index: c.local(stmt.Target)}, + instruction.I32Eqz{}, + instruction.BrIf{Index: 0}, + ) } else { // Booleans and string sources would lead to the BrIf (since opa_value_get // on them returns 0), so let's skip trying that. 
@@ -1086,97 +1090,131 @@ func (c *Compiler) compileBlock(block *ir.Block) ([]instruction.Instruction, err break } case *ir.LenStmt: - instrs = append(instrs, c.instrRead(stmt.Source)) - instrs = append(instrs, instruction.Call{Index: c.function(opaValueLength)}) - instrs = append(instrs, instruction.Call{Index: c.function(opaNumberSize)}) - instrs = append(instrs, instruction.SetLocal{Index: c.local(stmt.Target)}) + instrs = append(instrs, + c.instrRead(stmt.Source), + instruction.Call{Index: c.function(opaValueLength)}, + instruction.Call{Index: c.function(opaNumberSize)}, + instruction.SetLocal{Index: c.local(stmt.Target)}, + ) case *ir.EqualStmt: - instrs = append(instrs, c.instrRead(stmt.A)) - instrs = append(instrs, c.instrRead(stmt.B)) - instrs = append(instrs, instruction.Call{Index: c.function(opaValueCompare)}) - instrs = append(instrs, instruction.BrIf{Index: 0}) + instrs = append(instrs, + c.instrRead(stmt.A), + c.instrRead(stmt.B), + instruction.Call{Index: c.function(opaValueCompare)}, + instruction.BrIf{Index: 0}, + ) case *ir.NotEqualStmt: - instrs = append(instrs, c.instrRead(stmt.A)) - instrs = append(instrs, c.instrRead(stmt.B)) - instrs = append(instrs, instruction.Call{Index: c.function(opaValueCompare)}) - instrs = append(instrs, instruction.I32Eqz{}) - instrs = append(instrs, instruction.BrIf{Index: 0}) + instrs = append(instrs, + c.instrRead(stmt.A), + c.instrRead(stmt.B), + instruction.Call{Index: c.function(opaValueCompare)}, + instruction.I32Eqz{}, + instruction.BrIf{Index: 0}, + ) case *ir.MakeNullStmt: - instrs = append(instrs, instruction.Call{Index: c.function(opaNull)}) - instrs = append(instrs, instruction.SetLocal{Index: c.local(stmt.Target)}) + instrs = append(instrs, + instruction.Call{Index: c.function(opaNull)}, + instruction.SetLocal{Index: c.local(stmt.Target)}, + ) case *ir.MakeNumberIntStmt: - instrs = append(instrs, instruction.I64Const{Value: stmt.Value}) - instrs = append(instrs, instruction.Call{Index: 
c.function(opaNumberInt)}) - instrs = append(instrs, instruction.SetLocal{Index: c.local(stmt.Target)}) + instrs = append(instrs, + instruction.I64Const{Value: stmt.Value}, + instruction.Call{Index: c.function(opaNumberInt)}, + instruction.SetLocal{Index: c.local(stmt.Target)}, + ) case *ir.MakeNumberRefStmt: - instrs = append(instrs, instruction.I32Const{Value: c.stringAddr(stmt.Index)}) - instrs = append(instrs, instruction.I32Const{Value: int32(len(c.policy.Static.Strings[stmt.Index].Value))}) - instrs = append(instrs, instruction.Call{Index: c.function(opaNumberRef)}) - instrs = append(instrs, instruction.SetLocal{Index: c.local(stmt.Target)}) + instrs = append(instrs, + instruction.I32Const{Value: c.stringAddr(stmt.Index)}, + instruction.I32Const{Value: int32(len(c.policy.Static.Strings[stmt.Index].Value))}, + instruction.Call{Index: c.function(opaNumberRef)}, + instruction.SetLocal{Index: c.local(stmt.Target)}, + ) case *ir.MakeArrayStmt: - instrs = append(instrs, instruction.I32Const{Value: stmt.Capacity}) - instrs = append(instrs, instruction.Call{Index: c.function(opaArrayWithCap)}) - instrs = append(instrs, instruction.SetLocal{Index: c.local(stmt.Target)}) + instrs = append(instrs, + instruction.I32Const{Value: stmt.Capacity}, + instruction.Call{Index: c.function(opaArrayWithCap)}, + instruction.SetLocal{Index: c.local(stmt.Target)}, + ) case *ir.MakeObjectStmt: - instrs = append(instrs, instruction.Call{Index: c.function(opaObject)}) - instrs = append(instrs, instruction.SetLocal{Index: c.local(stmt.Target)}) + instrs = append(instrs, + instruction.Call{Index: c.function(opaObject)}, + instruction.SetLocal{Index: c.local(stmt.Target)}, + ) case *ir.MakeSetStmt: - instrs = append(instrs, instruction.Call{Index: c.function(opaSet)}) - instrs = append(instrs, instruction.SetLocal{Index: c.local(stmt.Target)}) + instrs = append(instrs, + instruction.Call{Index: c.function(opaSet)}, + instruction.SetLocal{Index: c.local(stmt.Target)}, + ) case 
*ir.IsArrayStmt: if loc, ok := stmt.Source.Value.(ir.Local); ok { - instrs = append(instrs, instruction.GetLocal{Index: c.local(loc)}) - instrs = append(instrs, instruction.Call{Index: c.function(opaValueType)}) - instrs = append(instrs, instruction.I32Const{Value: opaTypeArray}) - instrs = append(instrs, instruction.I32Ne{}) - instrs = append(instrs, instruction.BrIf{Index: 0}) + instrs = append(instrs, + instruction.GetLocal{Index: c.local(loc)}, + instruction.Call{Index: c.function(opaValueType)}, + instruction.I32Const{Value: opaTypeArray}, + instruction.I32Ne{}, + instruction.BrIf{Index: 0}, + ) } else { instrs = append(instrs, instruction.Br{Index: 0}) break } case *ir.IsObjectStmt: if loc, ok := stmt.Source.Value.(ir.Local); ok { - instrs = append(instrs, instruction.GetLocal{Index: c.local(loc)}) - instrs = append(instrs, instruction.Call{Index: c.function(opaValueType)}) - instrs = append(instrs, instruction.I32Const{Value: opaTypeObject}) - instrs = append(instrs, instruction.I32Ne{}) - instrs = append(instrs, instruction.BrIf{Index: 0}) + instrs = append(instrs, + instruction.GetLocal{Index: c.local(loc)}, + instruction.Call{Index: c.function(opaValueType)}, + instruction.I32Const{Value: opaTypeObject}, + instruction.I32Ne{}, + instruction.BrIf{Index: 0}, + ) } else { instrs = append(instrs, instruction.Br{Index: 0}) break } case *ir.IsSetStmt: if loc, ok := stmt.Source.Value.(ir.Local); ok { - instrs = append(instrs, instruction.GetLocal{Index: c.local(loc)}) - instrs = append(instrs, instruction.Call{Index: c.function(opaValueType)}) - instrs = append(instrs, instruction.I32Const{Value: opaTypeSet}) - instrs = append(instrs, instruction.I32Ne{}) - instrs = append(instrs, instruction.BrIf{Index: 0}) + instrs = append(instrs, + instruction.GetLocal{Index: c.local(loc)}, + instruction.Call{Index: c.function(opaValueType)}, + instruction.I32Const{Value: opaTypeSet}, + instruction.I32Ne{}, + instruction.BrIf{Index: 0}, + ) } else { instrs = append(instrs, 
instruction.Br{Index: 0}) break } case *ir.IsUndefinedStmt: - instrs = append(instrs, instruction.GetLocal{Index: c.local(stmt.Source)}) - instrs = append(instrs, instruction.I32Const{Value: 0}) - instrs = append(instrs, instruction.I32Ne{}) - instrs = append(instrs, instruction.BrIf{Index: 0}) + instrs = append(instrs, + instruction.GetLocal{Index: c.local(stmt.Source)}, + instruction.I32Const{Value: 0}, + instruction.I32Ne{}, + instruction.BrIf{Index: 0}, + ) case *ir.ResetLocalStmt: - instrs = append(instrs, instruction.I32Const{Value: 0}) - instrs = append(instrs, instruction.SetLocal{Index: c.local(stmt.Target)}) + instrs = append(instrs, + instruction.I32Const{Value: 0}, + instruction.SetLocal{Index: c.local(stmt.Target)}, + ) case *ir.IsDefinedStmt: - instrs = append(instrs, instruction.GetLocal{Index: c.local(stmt.Source)}) - instrs = append(instrs, instruction.I32Eqz{}) - instrs = append(instrs, instruction.BrIf{Index: 0}) + instrs = append(instrs, + instruction.GetLocal{Index: c.local(stmt.Source)}, + instruction.I32Eqz{}, + instruction.BrIf{Index: 0}, + ) case *ir.ArrayAppendStmt: - instrs = append(instrs, instruction.GetLocal{Index: c.local(stmt.Array)}) - instrs = append(instrs, c.instrRead(stmt.Value)) - instrs = append(instrs, instruction.Call{Index: c.function(opaArrayAppend)}) + instrs = append(instrs, + instruction.GetLocal{Index: c.local(stmt.Array)}, + c.instrRead(stmt.Value), + instruction.Call{Index: c.function(opaArrayAppend)}, + ) case *ir.ObjectInsertStmt: - instrs = append(instrs, instruction.GetLocal{Index: c.local(stmt.Object)}) - instrs = append(instrs, c.instrRead(stmt.Key)) - instrs = append(instrs, c.instrRead(stmt.Value)) - instrs = append(instrs, instruction.Call{Index: c.function(opaObjectInsert)}) + instrs = append(instrs, + instruction.GetLocal{Index: c.local(stmt.Object)}, + c.instrRead(stmt.Key), + c.instrRead(stmt.Value), + instruction.Call{Index: c.function(opaObjectInsert)}, + ) case *ir.ObjectInsertOnceStmt: tmp := 
c.genLocal() instrs = append(instrs, instruction.Block{ @@ -1203,14 +1241,18 @@ func (c *Compiler) compileBlock(block *ir.Block) ([]instruction.Instruction, err }, }) case *ir.ObjectMergeStmt: - instrs = append(instrs, instruction.GetLocal{Index: c.local(stmt.A)}) - instrs = append(instrs, instruction.GetLocal{Index: c.local(stmt.B)}) - instrs = append(instrs, instruction.Call{Index: c.function(opaValueMerge)}) - instrs = append(instrs, instruction.SetLocal{Index: c.local(stmt.Target)}) + instrs = append(instrs, + instruction.GetLocal{Index: c.local(stmt.A)}, + instruction.GetLocal{Index: c.local(stmt.B)}, + instruction.Call{Index: c.function(opaValueMerge)}, + instruction.SetLocal{Index: c.local(stmt.Target)}, + ) case *ir.SetAddStmt: - instrs = append(instrs, instruction.GetLocal{Index: c.local(stmt.Set)}) - instrs = append(instrs, c.instrRead(stmt.Value)) - instrs = append(instrs, instruction.Call{Index: c.function(opaSetAdd)}) + instrs = append(instrs, + instruction.GetLocal{Index: c.local(stmt.Set)}, + c.instrRead(stmt.Value), + instruction.Call{Index: c.function(opaSetAdd)}, + ) default: var buf bytes.Buffer err := ir.Pretty(&buf, stmt) @@ -1226,8 +1268,7 @@ func (c *Compiler) compileBlock(block *ir.Block) ([]instruction.Instruction, err func (c *Compiler) compileScan(scan *ir.ScanStmt, result *[]instruction.Instruction) error { var instrs = *result - instrs = append(instrs, instruction.I32Const{Value: 0}) - instrs = append(instrs, instruction.SetLocal{Index: c.local(scan.Key)}) + instrs = append(instrs, instruction.I32Const{Value: 0}, instruction.SetLocal{Index: c.local(scan.Key)}) body, err := c.compileScanBlock(scan) if err != nil { return err 
@@ -1242,23 +1283,21 @@ func (c *Compiler) compileScan(scan *ir.ScanStmt, result *[]instruction.Instruct } func (c *Compiler) compileScanBlock(scan *ir.ScanStmt) ([]instruction.Instruction, error) { - var instrs []instruction.Instruction - - // Execute iterator. - instrs = append(instrs, instruction.GetLocal{Index: c.local(scan.Source)}) - instrs = append(instrs, instruction.GetLocal{Index: c.local(scan.Key)}) - instrs = append(instrs, instruction.Call{Index: c.function(opaValueIter)}) - - // Check for emptiness. - instrs = append(instrs, instruction.TeeLocal{Index: c.local(scan.Key)}) - instrs = append(instrs, instruction.I32Eqz{}) - instrs = append(instrs, instruction.BrIf{Index: 1}) - - // Load value. - instrs = append(instrs, instruction.GetLocal{Index: c.local(scan.Source)}) - instrs = append(instrs, instruction.GetLocal{Index: c.local(scan.Key)}) - instrs = append(instrs, instruction.Call{Index: c.function(opaValueGet)}) - instrs = append(instrs, instruction.SetLocal{Index: c.local(scan.Value)}) + instrs := []instruction.Instruction{ + // Execute iterator. + instruction.GetLocal{Index: c.local(scan.Source)}, + instruction.GetLocal{Index: c.local(scan.Key)}, + instruction.Call{Index: c.function(opaValueIter)}, + // Check for emptiness. + instruction.TeeLocal{Index: c.local(scan.Key)}, + instruction.I32Eqz{}, + instruction.BrIf{Index: 1}, + // Load value. + instruction.GetLocal{Index: c.local(scan.Source)}, + instruction.GetLocal{Index: c.local(scan.Key)}, + instruction.Call{Index: c.function(opaValueGet)}, + instruction.SetLocal{Index: c.local(scan.Value)}, + } // Loop body. nested, err := c.compileBlock(scan.Block) 
@@ -1278,8 +1317,7 @@ func (c *Compiler) compileNot(not *ir.NotStmt, result *[]instruction.Instruction // generate and initialize condition variable cond := c.genLocal() - instrs = append(instrs, instruction.I32Const{Value: 1}) - instrs = append(instrs, instruction.SetLocal{Index: cond}) + instrs = append(instrs, instruction.I32Const{Value: 1}, instruction.SetLocal{Index: cond}) nested, err := c.compileBlock(not.Block) if err != nil { @@ -1287,14 +1325,15 @@ func (c *Compiler) compileNot(not *ir.NotStmt, result *[]instruction.Instruction } // unset condition variable if end of block is reached - nested = append(nested, instruction.I32Const{Value: 0}) - nested = append(nested, instruction.SetLocal{Index: cond}) - instrs = append(instrs, instruction.Block{Instrs: nested}) - - // break out of block if condition variable was unset - instrs = append(instrs, instruction.GetLocal{Index: cond}) - instrs = append(instrs, instruction.I32Eqz{}) - instrs = append(instrs, instruction.BrIf{Index: 0}) + instrs = append(instrs, instruction.Block{Instrs: append(nested, + instruction.I32Const{Value: 0}, + instruction.SetLocal{Index: cond}, + )}, + // break out of block if condition variable was unset + instruction.GetLocal{Index: cond}, + instruction.I32Eqz{}, + instruction.BrIf{Index: 0}, + ) *result = instrs return nil 
@@ -1304,34 +1343,36 @@ func (c *Compiler) compileWithStmt(with *ir.WithStmt, result *[]instruction.Inst var instrs = *result save := c.genLocal() - instrs = append(instrs, instruction.Call{Index: c.function(opaMemoizePush)}) - instrs = append(instrs, instruction.GetLocal{Index: c.local(with.Local)}) - instrs = append(instrs, instruction.SetLocal{Index: save}) + instrs = append(instrs, + instruction.Call{Index: c.function(opaMemoizePush)}, + instruction.GetLocal{Index: c.local(with.Local)}, + instruction.SetLocal{Index: save}, + ) if len(with.Path) == 0 { - instrs = append(instrs, c.instrRead(with.Value)) - instrs = append(instrs, instruction.SetLocal{Index: c.local(with.Local)}) + instrs = append(instrs, c.instrRead(with.Value), instruction.SetLocal{Index: c.local(with.Local)}) } else { instrs = c.compileUpsert(with.Local, with.Path, with.Value, with.Location, instrs) } undefined := c.genLocal() - instrs = append(instrs, instruction.I32Const{Value: 1}) - instrs = append(instrs, instruction.SetLocal{Index: undefined}) + instrs = append(instrs, instruction.I32Const{Value: 1}, instruction.SetLocal{Index: undefined}) nested, err := c.compileBlock(with.Block) if err != nil { return err } - nested = append(nested, instruction.I32Const{Value: 0}) - nested = append(nested, instruction.SetLocal{Index: undefined}) - instrs = append(instrs, instruction.Block{Instrs: nested}) - instrs = append(instrs, instruction.GetLocal{Index: save}) - instrs = append(instrs, instruction.SetLocal{Index: c.local(with.Local)}) - instrs = append(instrs, instruction.Call{Index: c.function(opaMemoizePop)}) - instrs = append(instrs, instruction.GetLocal{Index: undefined}) - instrs = append(instrs, instruction.BrIf{Index: 0}) + nested = append(nested, instruction.I32Const{Value: 0}, instruction.SetLocal{Index: undefined}) + + instrs = append(instrs, + instruction.Block{Instrs: nested}, + instruction.GetLocal{Index: save}, + instruction.SetLocal{Index: c.local(with.Local)}, + 
instruction.Call{Index: c.function(opaMemoizePop)}, + instruction.GetLocal{Index: undefined}, + instruction.BrIf{Index: 0}, + ) *result = instrs 
@@ -1339,37 +1380,38 @@ func (c *Compiler) compileWithStmt(with *ir.WithStmt, result *[]instruction.Inst } func (c *Compiler) compileUpsert(local ir.Local, path []int, value ir.Operand, _ ir.Location, instrs []instruction.Instruction) []instruction.Instruction { - lcopy := c.genLocal() // holds copy of local - instrs = append(instrs, instruction.GetLocal{Index: c.local(local)}) - instrs = append(instrs, instruction.SetLocal{Index: lcopy}) - - // Shallow copy the local if defined otherwise initialize to an empty object. - instrs = append(instrs, instruction.Block{ - Instrs: []instruction.Instruction{ - instruction.Block{Instrs: []instruction.Instruction{ - instruction.GetLocal{Index: lcopy}, - instruction.I32Eqz{}, - instruction.BrIf{Index: 0}, - instruction.GetLocal{Index: lcopy}, - instruction.Call{Index: c.function(opaValueShallowCopy)}, + instrs = append(instrs, + instruction.GetLocal{Index: c.local(local)}, + instruction.SetLocal{Index: lcopy}, + // Shallow copy the local if defined otherwise initialize to an empty object. + instruction.Block{ + Instrs: []instruction.Instruction{ + instruction.Block{Instrs: []instruction.Instruction{ + instruction.GetLocal{Index: lcopy}, + instruction.I32Eqz{}, + instruction.BrIf{Index: 0}, + instruction.GetLocal{Index: lcopy}, + instruction.Call{Index: c.function(opaValueShallowCopy)}, + instruction.TeeLocal{Index: lcopy}, + instruction.SetLocal{Index: c.local(local)}, + instruction.Br{Index: 1}, + }}, + instruction.Call{Index: c.function(opaObject)}, instruction.TeeLocal{Index: lcopy}, instruction.SetLocal{Index: c.local(local)}, - instruction.Br{Index: 1}, - }}, - instruction.Call{Index: c.function(opaObject)}, - instruction.TeeLocal{Index: lcopy}, - instruction.SetLocal{Index: c.local(local)}, - }, - }) + }, + }) // Initialize the locals that specify the path of the upsert operation. 
lpath := make(map[int]uint32, len(path)) for i := range path { lpath[i] = c.genLocal() - instrs = append(instrs, instruction.I32Const{Value: c.opaStringAddr(path[i])}) - instrs = append(instrs, instruction.SetLocal{Index: lpath[i]}) + instrs = append(instrs, + instruction.I32Const{Value: c.opaStringAddr(path[i])}, + instruction.SetLocal{Index: lpath[i]}, + ) } // Generate a block that traverses the path of the upsert operation, 
@@ -1379,36 +1421,34 @@ func (c *Compiler) compileUpsert(local ir.Local, path []int, value ir.Operand, _ ltemp := c.genLocal() for i := range len(path) - 1 { - - // Lookup the next part of the path. - inner = append(inner, instruction.GetLocal{Index: lcopy}) - inner = append(inner, instruction.GetLocal{Index: lpath[i]}) - inner = append(inner, instruction.Call{Index: c.function(opaValueGet)}) - inner = append(inner, instruction.SetLocal{Index: ltemp}) - - // If the next node is missing, break. - inner = append(inner, instruction.GetLocal{Index: ltemp}) - inner = append(inner, instruction.I32Eqz{}) - inner = append(inner, instruction.BrIf{Index: uint32(i)}) - - // If the next node is not an object, break. - inner = append(inner, instruction.GetLocal{Index: ltemp}) - inner = append(inner, instruction.Call{Index: c.function(opaValueType)}) - inner = append(inner, instruction.I32Const{Value: opaTypeObject}) - inner = append(inner, instruction.I32Ne{}) - inner = append(inner, instruction.BrIf{Index: uint32(i)}) - - // Otherwise, shallow copy the next node node and insert into the copy - // before continuing. - inner = append(inner, instruction.GetLocal{Index: ltemp}) - inner = append(inner, instruction.Call{Index: c.function(opaValueShallowCopy)}) - inner = append(inner, instruction.SetLocal{Index: ltemp}) - inner = append(inner, instruction.GetLocal{Index: lcopy}) - inner = append(inner, instruction.GetLocal{Index: lpath[i]}) - inner = append(inner, instruction.GetLocal{Index: ltemp}) - inner = append(inner, instruction.Call{Index: c.function(opaObjectInsert)}) - inner = append(inner, instruction.GetLocal{Index: ltemp}) - inner = append(inner, instruction.SetLocal{Index: lcopy}) + inner = append(inner, + // Lookup the next part of the path. + instruction.GetLocal{Index: lcopy}, + instruction.GetLocal{Index: lpath[i]}, + instruction.Call{Index: c.function(opaValueGet)}, + instruction.SetLocal{Index: ltemp}, + // If the next node is missing, break. 
+ instruction.GetLocal{Index: ltemp}, + instruction.I32Eqz{}, + instruction.BrIf{Index: uint32(i)}, + // If the next node is not an object, break. + instruction.GetLocal{Index: ltemp}, + instruction.Call{Index: c.function(opaValueType)}, + instruction.I32Const{Value: opaTypeObject}, + instruction.I32Ne{}, + instruction.BrIf{Index: uint32(i)}, + // Otherwise, shallow copy the next node node and insert into the copy + // before continuing. + instruction.GetLocal{Index: ltemp}, + instruction.Call{Index: c.function(opaValueShallowCopy)}, + instruction.SetLocal{Index: ltemp}, + instruction.GetLocal{Index: lcopy}, + instruction.GetLocal{Index: lpath[i]}, + instruction.GetLocal{Index: ltemp}, + instruction.Call{Index: c.function(opaObjectInsert)}, + instruction.GetLocal{Index: ltemp}, + instruction.SetLocal{Index: lcopy}, + ) } inner = append(inner, instruction.Br{Index: uint32(len(path) - 1)}) 
@@ -1418,27 +1458,29 @@ func (c *Compiler) compileUpsert(local ir.Local, path []int, value ir.Operand, _ lval := c.genLocal() for i := range len(path) - 1 { - block = append(block, instruction.Block{Instrs: inner}) - block = append(block, instruction.Call{Index: c.function(opaObject)}) - block = append(block, instruction.SetLocal{Index: lval}) - block = append(block, instruction.GetLocal{Index: lcopy}) - block = append(block, instruction.GetLocal{Index: lpath[i]}) - block = append(block, instruction.GetLocal{Index: lval}) - block = append(block, instruction.Call{Index: c.function(opaObjectInsert)}) - block = append(block, instruction.GetLocal{Index: lval}) - block = append(block, instruction.SetLocal{Index: lcopy}) + block = append(block, + instruction.Block{Instrs: inner}, + instruction.Call{Index: c.function(opaObject)}, + instruction.SetLocal{Index: lval}, + instruction.GetLocal{Index: lcopy}, + instruction.GetLocal{Index: lpath[i]}, + instruction.GetLocal{Index: lval}, + instruction.Call{Index: c.function(opaObjectInsert)}, + instruction.GetLocal{Index: lval}, + instruction.SetLocal{Index: lcopy}, + ) inner = block block = nil } // Finish by inserting the statement's value into the shallow copied node. - instrs = append(instrs, instruction.Block{Instrs: inner}) - instrs = append(instrs, instruction.GetLocal{Index: lcopy}) - instrs = append(instrs, instruction.GetLocal{Index: lpath[len(path)-1]}) - instrs = append(instrs, c.instrRead(value)) - instrs = append(instrs, instruction.Call{Index: c.function(opaObjectInsert)}) - - return instrs + return append(instrs, + instruction.Block{Instrs: inner}, + instruction.GetLocal{Index: lcopy}, + instruction.GetLocal{Index: lpath[len(path)-1]}, + c.instrRead(value), + instruction.Call{Index: c.function(opaObjectInsert)}, + ) } func (c *Compiler) compileCallDynamicStmt(stmt *ir.CallDynamicStmt, result *[]instruction.Instruction) error { 
diff --git a/vendor/github.com/open-policy-agent/opa/internal/file/archive/tarball.go b/vendor/github.com/open-policy-agent/opa/internal/file/archive/tarball.go
index 6b8ba48d15..93396aa96f 100644
--- a/vendor/github.com/open-policy-agent/opa/internal/file/archive/tarball.go
+++ b/vendor/github.com/open-policy-agent/opa/internal/file/archive/tarball.go
@@ -4,39 +4,72 @@ import ( "archive/tar" "bytes" "compress/gzip" + "encoding/json" + "errors" + "io" "strings" ) -// MustWriteTarGz write the list of file names and content -// into a tarball. -func MustWriteTarGz(files [][2]string) *bytes.Buffer { - var buf bytes.Buffer - gw := gzip.NewWriter(&buf) - defer gw.Close() - tw := tar.NewWriter(gw) - defer tw.Close() - for _, file := range files { - if err := WriteFile(tw, file[0], []byte(file[1])); err != nil { - panic(err) - } - } - return &buf +type TarGzWriter struct { + *tar.Writer + + gw *gzip.Writer } -// WriteFile adds a file header with content to the given tar writer -func WriteFile(tw *tar.Writer, path string, bs []byte) error { +func NewTarGzWriter(w io.Writer) *TarGzWriter { + gw := gzip.NewWriter(w) + tw := tar.NewWriter(gw) + return &TarGzWriter{ + Writer: tw, + gw: gw, + } +} + +func (tgw *TarGzWriter) WriteFile(path string, bs []byte) (err error) { hdr := &tar.Header{ - Name: "/" + strings.TrimLeft(path, "/"), + Name: path, Mode: 0600, Typeflag: tar.TypeReg, Size: int64(len(bs)), } - if err := tw.WriteHeader(hdr); err != nil { + if err = tgw.WriteHeader(hdr); err == nil { + _, err = tgw.Write(bs) + } + + return err +} + +func (tgw *TarGzWriter) WriteJSONFile(path string, v any) error { + buf := &bytes.Buffer{} + if err := json.NewEncoder(buf).Encode(v); err != nil { return err } - _, err := tw.Write(bs) - return err + return tgw.WriteFile(path, buf.Bytes()) +} + +func (tgw *TarGzWriter) Close() error { + return errors.Join(tgw.Writer.Close(), tgw.gw.Close()) +} + +// MustWriteTarGz writes the list of file names and content into a tarball. +// Paths are prefixed with "/". +func MustWriteTarGz(files [][2]string) *bytes.Buffer { + buf := &bytes.Buffer{} + tgw := NewTarGzWriter(buf) + defer tgw.Close() + + for _, file := range files { + if !strings.HasPrefix(file[0], "/") { + file[0] = "/" + file[0] + } + + if err := tgw.WriteFile(file[0], []byte(file[1])); err != nil { + panic(err) + } + } + + return buf } 
diff --git a/vendor/github.com/open-policy-agent/opa/internal/gojsonschema/utils.go b/vendor/github.com/open-policy-agent/opa/internal/gojsonschema/utils.go index ca071930f2..95754fab7f 100644 --- a/vendor/github.com/open-policy-agent/opa/internal/gojsonschema/utils.go +++ b/vendor/github.com/open-policy-agent/opa/internal/gojsonschema/utils.go @@ -23,7 +23,7 @@ // // created 26-02-2013 -// nolint: deadcode,unused,varcheck // Package in development (2021). +// nolint:unused,varcheck // Package in development (2021). package gojsonschema import ( diff --git a/vendor/github.com/open-policy-agent/opa/internal/providers/aws/signing_v4.go b/vendor/github.com/open-policy-agent/opa/internal/providers/aws/signing_v4.go index 07aa568fa2..c463ccbff8 100644 --- a/vendor/github.com/open-policy-agent/opa/internal/providers/aws/signing_v4.go +++ b/vendor/github.com/open-policy-agent/opa/internal/providers/aws/signing_v4.go @@ -158,6 +158,8 @@ func SignV4(headers map[string][]string, method string, theURL *url.URL, body [] // include the values for the signed headers orderedKeys := util.KeysSorted(headersToSign) for _, k := range orderedKeys { + // TODO: fix later + //nolint:perfsprint canonicalReq += k + ":" + strings.Join(headersToSign[k], ",") + "\n" } canonicalReq += "\n" // linefeed to terminate headers diff --git a/vendor/github.com/open-policy-agent/opa/internal/ref/ref.go b/vendor/github.com/open-policy-agent/opa/internal/ref/ref.go index 653794b0a9..9590b8886b 100644 --- a/vendor/github.com/open-policy-agent/opa/internal/ref/ref.go +++ b/vendor/github.com/open-policy-agent/opa/internal/ref/ref.go 
@@ -7,16 +7,16 @@ package ref import ( "errors" - "strings" "github.com/open-policy-agent/opa/v1/ast" "github.com/open-policy-agent/opa/v1/storage" + "github.com/open-policy-agent/opa/v1/util" ) // ParseDataPath returns a ref from the slash separated path s rooted at data. // All path segments are treated as identifier strings. func ParseDataPath(s string) (ast.Ref, error) { - path, ok := storage.ParsePath("/" + strings.TrimPrefix(s, "/")) + path, ok := storage.ParsePath(util.WithPrefix(s, "/")) if !ok { return nil, errors.New("invalid path") } diff --git a/vendor/github.com/open-policy-agent/opa/internal/report/report.go b/vendor/github.com/open-policy-agent/opa/internal/report/report.go index bc71d66a3c..eab948499f 100644 --- a/vendor/github.com/open-policy-agent/opa/internal/report/report.go +++ b/vendor/github.com/open-policy-agent/opa/internal/report/report.go @@ -81,8 +81,6 @@ type GHResponse struct { // New returns an instance of the Reporter func New(opts Options) (Reporter, error) { - r := GHVersionCollector{} - url := cmp.Or(os.Getenv("OPA_TELEMETRY_SERVICE_URL"), ExternalServiceURL) restConfig := fmt.Appendf(nil, `{ @@ -93,7 +91,7 @@ func New(opts Options) (Reporter, error) { if err != nil { return nil, err } - r.client = client + r := GHVersionCollector{client: client} // heap_usage_bytes is always present, so register it unconditionally r.RegisterGatherer("heap_usage_bytes", readRuntimeMemStats) 
@@ -135,19 +133,17 @@ func createDataResponse(ghResp GHResponse) (*DataResponse, error) { return nil, errors.New("server response does not contain tag_name") } - v := strings.TrimPrefix(version.Version, "v") - sv, err := semver.NewVersion(v) + sv, err := semver.Parse(version.Version) if err != nil { - return nil, fmt.Errorf("failed to parse current version %q: %w", v, err) + return nil, fmt.Errorf("failed to parse current version %q: %w", version.Version, err) } - latestV := strings.TrimPrefix(ghResp.TagName, "v") - latestSV, err := semver.NewVersion(latestV) + latestSV, err := semver.Parse(ghResp.TagName) if err != nil { - return nil, fmt.Errorf("failed to parse latest version %q: %w", latestV, err) + return nil, fmt.Errorf("failed to parse latest version %q: %w", ghResp.TagName, err) } - isLatest := sv.Compare(*latestSV) >= 0 + isLatest := sv.Compare(latestSV) >= 0 // Note: alternatively, we could look through the assets in the GH API response to find a matching asset, // and use its URL. However, this is not guaranteed to be more robust, and wouldn't use the 'openpolicyagent.org' domain. diff --git a/vendor/github.com/open-policy-agent/opa/internal/runtime/init/init.go b/vendor/github.com/open-policy-agent/opa/internal/runtime/init/init.go index de8ef87401..5b4bb21b8b 100644 --- a/vendor/github.com/open-policy-agent/opa/internal/runtime/init/init.go +++ b/vendor/github.com/open-policy-agent/opa/internal/runtime/init/init.go @@ -18,6 +18,7 @@ import ( "github.com/open-policy-agent/opa/v1/loader" "github.com/open-policy-agent/opa/v1/metrics" "github.com/open-policy-agent/opa/v1/storage" + "github.com/open-policy-agent/opa/v1/util" ) // InsertAndCompileOptions contains the input for the operation. 
@@ -246,13 +247,9 @@ func WalkPaths(paths []string, filter loader.Filter, asBundle bool) (*WalkPathsR cleanedPath = fp } - if !strings.HasPrefix(cleanedPath, "/") { - cleanedPath = "/" + cleanedPath - } - result.FileDescriptors = append(result.FileDescriptors, &Descriptor{ Root: path, - Path: cleanedPath, + Path: util.WithPrefix(cleanedPath, "/"), }) } } diff --git a/vendor/github.com/open-policy-agent/opa/internal/semver/semver.go b/vendor/github.com/open-policy-agent/opa/internal/semver/semver.go index 23c6c186d9..725f86318a 100644 --- a/vendor/github.com/open-policy-agent/opa/internal/semver/semver.go +++ b/vendor/github.com/open-policy-agent/opa/internal/semver/semver.go 
@@ -14,237 +14,234 @@ // Semantic Versions http://semver.org -// Package semver has been vendored from: +// This file was originally vendored from: // https://github.com/coreos/go-semver/tree/e214231b295a8ea9479f11b70b35d5acf3556d9b/semver -// A number of the original functions of the package have been removed since -// they are not required for our built-ins. +// There isn't a single line left from the original source today, but being generous about +// attribution won't hurt. package semver import ( - "bytes" "fmt" "regexp" "strconv" "strings" + + "github.com/open-policy-agent/opa/v1/util" ) +// reMetaIdentifier matches pre-release and metadata identifiers against the spec requirements +var reMetaIdentifier = regexp.MustCompile(`^[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*$`) + // Version represents a parsed SemVer type Version struct { Major int64 Minor int64 Patch int64 - PreRelease PreRelease - Metadata string + PreRelease string `json:"PreRelease,omitempty"` + Metadata string `json:"Metadata,omitempty"` } -// PreRelease represents a pre-release suffix string -type PreRelease string +// Parse constructs new semver Version from version string. 
+func Parse(version string) (v Version, err error) { + version = strings.TrimPrefix(version, "v") -func splitOff(input *string, delim string) (val string) { - parts := strings.SplitN(*input, delim, 2) - - if len(parts) == 2 { - *input = parts[0] - val = parts[1] + version, v.Metadata = cut(version, '+') + if v.Metadata != "" && !reMetaIdentifier.MatchString(v.Metadata) { + return v, fmt.Errorf("invalid metadata identifier: %s", v.Metadata) } - return val + version, v.PreRelease = cut(version, '-') + if v.PreRelease != "" && !reMetaIdentifier.MatchString(v.PreRelease) { + return v, fmt.Errorf("invalid pre-release identifier: %s", v.PreRelease) + } + + if strings.Count(version, ".") != 2 { + return v, fmt.Errorf("%s should contain major, minor, and patch versions", version) + } + + major, after := cut(version, '.') + if v.Major, err = strconv.ParseInt(major, 10, 64); err != nil { + return v, err + } + + minor, after := cut(after, '.') + if v.Minor, err = strconv.ParseInt(minor, 10, 64); err != nil { + return v, err + } + + if v.Patch, err = strconv.ParseInt(after, 10, 64); err != nil { + return v, err + } + + return v, nil } -// NewVersion constructs new SemVers from strings -func NewVersion(version string) (*Version, error) { - v := Version{} - - if err := v.Set(version); err != nil { - return nil, err +// MustParse is like Parse but panics if the version string is invalid instead of returning an error. +func MustParse(version string) Version { + v, err := Parse(version) + if err != nil { + panic(err) } - return &v, nil + return v } -// Set parses and updates v from the given version string. 
Implements flag.Value -func (v *Version) Set(version string) error { - metadata := splitOff(&version, "+") - preRelease := PreRelease(splitOff(&version, "-")) - dotParts := strings.SplitN(version, ".", 3) - - if len(dotParts) != 3 { - return fmt.Errorf("%s is not in dotted-tri format", version) - } - - if err := validateIdentifier(string(preRelease)); err != nil { - return fmt.Errorf("failed to validate pre-release: %v", err) - } - - if err := validateIdentifier(metadata); err != nil { - return fmt.Errorf("failed to validate metadata: %v", err) - } - - parsed := make([]int64, 3) - - for i, v := range dotParts[:3] { - val, err := strconv.ParseInt(v, 10, 64) - parsed[i] = val - if err != nil { - return err - } - } - - v.Metadata = metadata - v.PreRelease = preRelease - v.Major = parsed[0] - v.Minor = parsed[1] - v.Patch = parsed[2] - return nil -} - -func (v Version) String() string { - var buffer bytes.Buffer - - fmt.Fprintf(&buffer, "%d.%d.%d", v.Major, v.Minor, v.Patch) - - if v.PreRelease != "" { - fmt.Fprintf(&buffer, "-%s", v.PreRelease) - } - - if v.Metadata != "" { - fmt.Fprintf(&buffer, "+%s", v.Metadata) - } - - return buffer.String() -} - -// Compare tests if v is less than, equal to, or greater than versionB, -// returning -1, 0, or +1 respectively. -func (v Version) Compare(versionB Version) int { - if cmp := recursiveCompare(v.Slice(), versionB.Slice()); cmp != 0 { - return cmp - } - return preReleaseCompare(v, versionB) -} - -// Slice converts the comparable parts of the semver into a slice of integers. 
-func (v Version) Slice() []int64 { - return []int64{v.Major, v.Minor, v.Patch} -} - -// Slice splits the pre-release suffix string -func (p PreRelease) Slice() []string { - preRelease := string(p) - return strings.Split(preRelease, ".") -} - -func preReleaseCompare(versionA Version, versionB Version) int { - a := versionA.PreRelease - b := versionB.PreRelease - - /* Handle the case where if two versions are otherwise equal it is the - * one without a PreRelease that is greater */ - if len(a) == 0 && (len(b) > 0) { - return 1 - } else if len(b) == 0 && (len(a) > 0) { - return -1 - } - - // If there is a prerelease, check and compare each part. - return recursivePreReleaseCompare(a.Slice(), b.Slice()) -} - -func recursiveCompare(versionA []int64, versionB []int64) int { - if len(versionA) == 0 { - return 0 - } - - a := versionA[0] - b := versionB[0] - - if a > b { - return 1 - } else if a < b { - return -1 - } - - return recursiveCompare(versionA[1:], versionB[1:]) -} - -func recursivePreReleaseCompare(versionA []string, versionB []string) int { - // A larger set of pre-release fields has a higher precedence than a smaller set, - // if all of the preceding identifiers are equal. - if len(versionA) == 0 { - if len(versionB) > 0 { - return -1 - } - return 0 - } else if len(versionB) == 0 { - // We're longer than versionB so return 1. - return 1 - } - - a := versionA[0] - b := versionB[0] - - aInt := false - bInt := false - - aI, err := strconv.Atoi(versionA[0]) - if err == nil { - aInt = true - } - - bI, err := strconv.Atoi(versionB[0]) - if err == nil { - bInt = true - } - - // Numeric identifiers always have lower precedence than non-numeric identifiers. 
- if aInt && !bInt { - return -1 - } else if !aInt && bInt { - return 1 - } - - // Handle Integer Comparison - if aInt && bInt { - if aI > bI { - return 1 - } else if aI < bI { - return -1 - } - } - - // Handle String Comparison - if a > b { - return 1 - } else if a < b { - return -1 - } - - return recursivePreReleaseCompare(versionA[1:], versionB[1:]) -} - -// validateIdentifier makes sure the provided identifier satisfies semver spec -func validateIdentifier(id string) error { - if id != "" && !reIdentifier.MatchString(id) { - return fmt.Errorf("%s is not a valid semver identifier", id) - } - return nil -} - -// reIdentifier is a regular expression used to check that pre-release and metadata -// identifiers satisfy the spec requirements -var reIdentifier = regexp.MustCompile(`^[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*$`) - // Compare compares two semver strings. func Compare(a, b string) int { - aV, err := NewVersion(strings.TrimPrefix(a, "v")) + aV, err := Parse(a) if err != nil { return -1 } - bV, err := NewVersion(strings.TrimPrefix(b, "v")) + bV, err := Parse(b) if err != nil { return 1 } - return aV.Compare(*bV) + return aV.Compare(bV) +} + +// AppendText appends the textual representation of the version to b and returns the extended buffer. +// This method conforms to the encoding.TextAppender interface, and is useful for serializing the Version +// without allocating, provided the caller has pre-allocated sufficient space in b. +func (v Version) AppendText(b []byte) ([]byte, error) { + if b == nil { + b = make([]byte, 0, length(v)) + } + + b = append(strconv.AppendInt(b, v.Major, 10), '.') + b = append(strconv.AppendInt(b, v.Minor, 10), '.') + b = strconv.AppendInt(b, v.Patch, 10) + + if v.PreRelease != "" { + b = append(append(b, '-'), v.PreRelease...) + } + if v.Metadata != "" { + b = append(append(b, '+'), v.Metadata...) + } + + return b, nil +} + +// String returns the string representation of the version. 
+func (v Version) String() string { + bs := make([]byte, 0, length(v)) + bs, _ = v.AppendText(bs) + + return string(bs) +} + +// Compare tests if v is less than, equal to, or greater than other, returning -1, 0, or +1 respectively. +// Comparison is based on the SemVer specification (https://semver.org/#spec-item-11). +func (v Version) Compare(other Version) int { + if v.Major > other.Major { + return 1 + } else if v.Major < other.Major { + return -1 + } + + if v.Minor > other.Minor { + return 1 + } else if v.Minor < other.Minor { + return -1 + } + + if v.Patch > other.Patch { + return 1 + } else if v.Patch < other.Patch { + return -1 + } + + if v.PreRelease == other.PreRelease { + return 0 + } + + // if two versions are otherwise equal it is the one without a pre-release that is greater + if v.PreRelease == "" && other.PreRelease != "" { + return 1 + } + if other.PreRelease == "" && v.PreRelease != "" { + return -1 + } + + a, afterA := cut(v.PreRelease, '.') + b, afterB := cut(other.PreRelease, '.') + + for { + if a == "" && b != "" { + return -1 + } + if a != "" && b == "" { + return 1 + } + + aIsInt := isAllDecimals(a) + bIsInt := isAllDecimals(b) + + // numeric identifiers have lower precedence than non-numeric + if aIsInt && !bIsInt { + return -1 + } else if !aIsInt && bIsInt { + return 1 + } + + if aIsInt && bIsInt { + aInt, _ := strconv.Atoi(a) + bInt, _ := strconv.Atoi(b) + + if aInt > bInt { + return 1 + } else if aInt < bInt { + return -1 + } + } else { + // string comparison + if a > b { + return 1 + } else if a < b { + return -1 + } + } + + // a larger set of pre-release fields has a higher precedence than a + // smaller set, if all of the preceding identifiers are equal. 
+ if afterA != "" && afterB == "" { + return 1 + } else if afterA == "" && afterB != "" { + return -1 + } + + a, afterA = cut(afterA, '.') + b, afterB = cut(afterB, '.') + } +} + +func isAllDecimals(s string) bool { + for _, r := range s { + if r < '0' || r > '9' { + return false + } + } + return s != "" +} + +// length allows calculating the length of the version for pre-allocation. +func length(v Version) int { + n := util.NumDigitsInt64(v.Major) + util.NumDigitsInt64(v.Minor) + util.NumDigitsInt64(v.Patch) + 2 + if v.PreRelease != "" { + n += len(v.PreRelease) + 1 + } + if v.Metadata != "" { + n += len(v.Metadata) + 1 + } + return n +} + +// cut is a *slightly* faster version of strings.Cut only accepting +// single byte separators, and skipping the boolean return value. +func cut(s string, sep byte) (before, after string) { + if i := strings.IndexByte(s, sep); i >= 0 { + return s[:i], s[i+1:] + } + return s, "" } diff --git a/vendor/github.com/open-policy-agent/opa/loader/loader.go b/vendor/github.com/open-policy-agent/opa/loader/loader.go index 9b2f91d4e9..a319f2c64d 100644 --- a/vendor/github.com/open-policy-agent/opa/loader/loader.go +++ b/vendor/github.com/open-policy-agent/opa/loader/loader.go @@ -77,6 +77,7 @@ func Schemas(schemaPath string) (*ast.SchemaSet, error) { } // All returns a Result object loaded (recursively) from the specified paths. +// // Deprecated: Use FileLoader.Filtered() instead. func All(paths []string) (*Result, error) { return NewFileLoader().Filtered(paths, nil) @@ -85,6 +86,7 @@ func All(paths []string) (*Result, error) { // Filtered returns a Result object loaded (recursively) from the specified // paths while applying the given filters. If any filter returns true, the // file/directory is excluded. +// // Deprecated: Use FileLoader.Filtered() instead. func Filtered(paths []string, filter Filter) (*Result, error) { return NewFileLoader().Filtered(paths, filter) 
@@ -93,6 +95,7 @@ func Filtered(paths []string, filter Filter) (*Result, error) { // AsBundle loads a path as a bundle. If it is a single file // it will be treated as a normal tarball bundle. If a directory // is supplied it will be loaded as an unzipped bundle tree. +// // Deprecated: Use FileLoader.AsBundle() instead. func AsBundle(path string) (*bundle.Bundle, error) { return NewFileLoader().AsBundle(path) diff --git a/vendor/github.com/open-policy-agent/opa/rego/rego.go b/vendor/github.com/open-policy-agent/opa/rego/rego.go index bdcf6c291a..0727dae69a 100644 --- a/vendor/github.com/open-policy-agent/opa/rego/rego.go +++ b/vendor/github.com/open-policy-agent/opa/rego/rego.go @@ -68,6 +68,7 @@ func EvalInstrument(instrument bool) EvalOption { } // EvalTracer configures a tracer for a Prepared Query's evaluation +// // Deprecated: Use EvalQueryTracer instead. func EvalTracer(tracer topdown.Tracer) EvalOption { return v1.EvalTracer(tracer) @@ -441,6 +442,7 @@ func Trace(yes bool) func(r *Rego) { } // Tracer returns an argument that adds a query tracer to r. +// // Deprecated: Use QueryTracer instead. func Tracer(t topdown.Tracer) func(r *Rego) { return v1.Tracer(t) diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/annotations.go b/vendor/github.com/open-policy-agent/opa/v1/ast/annotations.go index 36f854c618..47c543004c 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/annotations.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/annotations.go @@ -752,10 +752,7 @@ func (c *CompileAnnotation) Compare(other *CompileAnnotation) int { return -1 } - if cmp := slices.CompareFunc(c.Unknowns, other.Unknowns, - func(x, y Ref) int { - return x.Compare(y) - }); cmp != 0 { + if cmp := slices.CompareFunc(c.Unknowns, other.Unknowns, RefCompare); cmp != 0 { return cmp } return c.MaskRule.Compare(other.MaskRule) 
diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/builtins.go b/vendor/github.com/open-policy-agent/opa/v1/ast/builtins.go index 3d72aeab1f..3ed6e7398e 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/builtins.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/builtins.go @@ -26,11 +26,16 @@ func RegisterBuiltin(b *Builtin) { BuiltinMap[b.Infix] = b InternStringTerm(b.Infix) + InternVarValue(b.Infix) } - InternStringTerm(b.Name) if strings.Contains(b.Name, ".") { - InternStringTerm(strings.Split(b.Name, ".")...) + parts := strings.Split(b.Name, ".") + InternStringTerm(parts...) + InternVarValue(parts[0]) + } else { + InternStringTerm(b.Name) + InternVarValue(b.Name) } } @@ -3397,7 +3402,7 @@ var SetDiff = &Builtin{ ), types.SetOfAny, ), - deprecated: true, + Deprecated: true, CanSkipBctx: true, } @@ -3411,7 +3416,7 @@ var NetCIDROverlap = &Builtin{ ), types.B, ), - deprecated: true, + Deprecated: true, CanSkipBctx: true, } @@ -3423,7 +3428,7 @@ var CastArray = &Builtin{ types.Args(types.A), types.NewArray(nil, types.A), ), - deprecated: true, + Deprecated: true, CanSkipBctx: true, } @@ -3437,7 +3442,7 @@ var CastSet = &Builtin{ types.Args(types.A), types.SetOfAny, ), - deprecated: true, + Deprecated: true, CanSkipBctx: true, } @@ -3449,7 +3454,7 @@ var CastString = &Builtin{ types.Args(types.A), types.S, ), - deprecated: true, + Deprecated: true, CanSkipBctx: true, } @@ -3460,7 +3465,7 @@ var CastBoolean = &Builtin{ types.Args(types.A), types.B, ), - deprecated: true, + Deprecated: true, CanSkipBctx: true, } @@ -3471,7 +3476,7 @@ var CastNull = &Builtin{ types.Args(types.A), types.Nl, ), - deprecated: true, + Deprecated: true, CanSkipBctx: true, } 
@@ -3482,11 +3487,11 @@ var CastObject = &Builtin{ types.Args(types.A), types.NewObject(nil, types.NewDynamicProperty(types.A, types.A)), ), - deprecated: true, + Deprecated: true, CanSkipBctx: true, } -// RegexMatchDeprecated declares `re_match` which has been deprecated. Use `regex.match` instead. +// RegexMatchDeprecated declares `re_match` which has been Deprecated. Use `regex.match` instead. var RegexMatchDeprecated = &Builtin{ Name: "re_match", Decl: types.NewFunction( @@ -3496,7 +3501,7 @@ var RegexMatchDeprecated = &Builtin{ ), types.B, ), - deprecated: true, + Deprecated: true, CanSkipBctx: false, } @@ -3513,7 +3518,7 @@ var All = &Builtin{ ), types.B, ), - deprecated: true, + Deprecated: true, CanSkipBctx: true, } @@ -3530,7 +3535,7 @@ var Any = &Builtin{ ), types.B, ), - deprecated: true, + Deprecated: true, CanSkipBctx: true, } @@ -3548,7 +3553,7 @@ type Builtin struct { Decl *types.Function `json:"decl"` // Built-in function type declaration. Infix string `json:"infix,omitempty"` // Unique name of infix operator. Default should be unset. Relation bool `json:"relation,omitempty"` // Indicates if the built-in acts as a relation. - deprecated bool `json:"-"` // Indicates if the built-in has been deprecated. + Deprecated bool `json:"deprecated,omitempty"` // Indicates if the built-in has been deprecated. CanSkipBctx bool `json:"-"` // Built-in needs no data from the built-in context. Nondeterministic bool `json:"nondeterministic,omitempty"` // Indicates if the built-in returns non-deterministic results. } 
@@ -3573,12 +3578,12 @@ func (b *Builtin) Minimal() *Builtin { return &cpy } -// IsDeprecated returns true if the Builtin function is deprecated and will be removed in a future release. +// IsDeprecated returns true if the Builtin function is Deprecated and will be removed in a future release. func (b *Builtin) IsDeprecated() bool { - return b.deprecated + return b.Deprecated } -// IsDeterministic returns true if the Builtin function returns non-deterministic results. +// IsNondeterministic returns true if the Builtin function returns non-deterministic results. func (b *Builtin) IsNondeterministic() bool { return b.Nondeterministic } diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/capabilities.go b/vendor/github.com/open-policy-agent/opa/v1/ast/capabilities.go index 844cb66f0b..0461aab8bc 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/capabilities.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/capabilities.go @@ -228,13 +228,8 @@ func LoadCapabilitiesVersions() ([]string, error) { // MinimumCompatibleVersion returns the minimum compatible OPA version based on // the built-ins, features, and keywords in c. func (c *Capabilities) MinimumCompatibleVersion() (string, bool) { - var maxVersion semver.Version - // this is the oldest OPA release that includes capabilities - if err := maxVersion.Set("0.17.0"); err != nil { - panic("unreachable") - } - + maxVersion := semver.MustParse("0.17.0") minVersionIndex := minVersionIndexOnce() for _, bi := range c.Builtins { diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/check.go b/vendor/github.com/open-policy-agent/opa/v1/ast/check.go index 0da7e26514..48711b686e 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/check.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/check.go 
@@ -383,10 +383,6 @@ func (tc *typeChecker) checkExpr(env *TypeEnv, expr *Expr) *Error { } func (tc *typeChecker) checkExprBuiltin(env *TypeEnv, expr *Expr) *Error { - - args := expr.Operands() - pre := getArgTypes(env, args) - // NOTE(tsandall): undefined functions will have been caught earlier in the // compiler. We check for undefined functions before the safety check so // that references to non-existent functions result in undefined function @@ -424,12 +420,14 @@ func (tc *typeChecker) checkExprBuiltin(env *TypeEnv, expr *Expr) *Error { namedFargs.Args = append(namedFargs.Args, ftpe.NamedResult()) } + args := expr.Operands() + if len(args) > len(fargs.Args) && fargs.Variadic == nil { - return newArgError(expr.Location, name, "too many arguments", pre, namedFargs) + return newArgError(expr.Location, name, "too many arguments", getArgTypes(env, args), namedFargs) } if len(args) < len(ftpe.FuncArgs().Args) { - return newArgError(expr.Location, name, "too few arguments", pre, namedFargs) + return newArgError(expr.Location, name, "too few arguments", getArgTypes(env, args), namedFargs) } for i := range args { diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/compile.go b/vendor/github.com/open-policy-agent/opa/v1/ast/compile.go index 62e22bf937..f03718e806 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/compile.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/compile.go @@ -440,6 +440,7 @@ func (c *Compiler) WithDebug(sink io.Writer) *Compiler { } // WithBuiltins is deprecated. +// // Deprecated: Use WithCapabilities instead. func (c *Compiler) WithBuiltins(builtins map[string]*Builtin) *Compiler { c.customBuiltins = maps.Clone(builtins) 
@@ -447,6 +448,7 @@ func (c *Compiler) WithBuiltins(builtins map[string]*Builtin) *Compiler { } // WithUnsafeBuiltins is deprecated. +// // Deprecated: Use WithCapabilities instead. func (c *Compiler) WithUnsafeBuiltins(unsafeBuiltins map[string]struct{}) *Compiler { maps.Copy(c.unsafeBuiltinsMap, unsafeBuiltins) diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/compilehelper.go b/vendor/github.com/open-policy-agent/opa/v1/ast/compilehelper.go index 7d81d45e6d..4ea122f3cb 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/compilehelper.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/compilehelper.go @@ -33,7 +33,8 @@ func CompileModulesWithOpt(modules map[string]string, opts CompileOpts) (*Compil compiler := NewCompiler(). WithDefaultRegoVersion(opts.ParserOptions.RegoVersion). - WithEnablePrintStatements(opts.EnablePrintStatements) + WithEnablePrintStatements(opts.EnablePrintStatements). + WithCapabilities(opts.ParserOptions.Capabilities) compiler.Compile(parsed) if compiler.Failed() { diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/env.go b/vendor/github.com/open-policy-agent/opa/v1/ast/env.go index 12d4be8918..91b82debcc 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/env.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/env.go @@ -29,6 +29,7 @@ func newTypeEnv(f func() *typeChecker) *TypeEnv { } // Get returns the type of x. +// // Deprecated: Use GetByValue or GetByRef instead, as they are more efficient. func (env *TypeEnv) Get(x any) types.Type { if term, ok := x.(*Term); ok { diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/errors.go b/vendor/github.com/open-policy-agent/opa/v1/ast/errors.go index 75160afc6e..4a72b7931a 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/errors.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/errors.go 
@@ -99,19 +99,24 @@ func (e *Error) Error() string { } } - msg := fmt.Sprintf("%v: %v", e.Code, e.Message) - + sb := strings.Builder{} if len(prefix) > 0 { - msg = prefix + ": " + msg + sb.WriteString(prefix) + sb.WriteString(": ") } + sb.WriteString(e.Code) + sb.WriteString(": ") + sb.WriteString(e.Message) + if e.Details != nil { for _, line := range e.Details.Lines() { - msg += "\n\t" + line + sb.WriteString("\n\t") + sb.WriteString(line) } } - return msg + return sb.String() } // NewError returns a new Error object. diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/index.go b/vendor/github.com/open-policy-agent/opa/v1/ast/index.go index 845447b6dc..d38827bf75 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/index.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/index.go @@ -884,7 +884,6 @@ func indexValue(b Value) (Value, bool) { } func globDelimiterToString(delim *Term) (string, bool) { - arr, ok := delim.Value.(*Array) if !ok { return "", false @@ -895,14 +894,16 @@ func globDelimiterToString(delim *Term) (string, bool) { if arr.Len() == 0 { result = "." } else { + sb := strings.Builder{} for i := range arr.Len() { term := arr.Elem(i) s, ok := term.Value.(String) if !ok { return "", false } - result += string(s) + sb.WriteString(string(s)) } + result = sb.String() } return result, true diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/interning.go b/vendor/github.com/open-policy-agent/opa/v1/ast/interning.go index fc5a89f69a..8c5b7fc6eb 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/interning.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/interning.go @@ -28,7 +28,7 @@ var ( InternedEmptyString = StringTerm("") InternedEmptyObject = ObjectTerm() - InternedEmptyArray = ArrayTerm() + InternedEmptyArray = NewTerm(InternedEmptyArrayValue) InternedEmptySet = SetTerm() InternedEmptyArrayValue = NewArray() 
@@ -40,6 +40,15 @@ var (
 internedStringTerms = map[string]*Term{
 "": InternedEmptyString,
 }
+
+ internedVarValues = map[string]Value{
+ "input": Var("input"),
+ "data": Var("data"),
+ "key": Var("key"),
+ "value": Var("value"),
+
+ "i": Var("i"), "j": Var("j"), "k": Var("k"), "v": Var("v"), "x": Var("x"), "y": Var("y"), "z": Var("z"),
+ }
 )
 // InternStringTerm interns the given strings as terms. Note that Interning is
@@ -56,6 +65,20 @@ func InternStringTerm(str ...string) {
 }
 }
+// InternVarValue interns the given variable names as Var Values. Note that Interning is
+// considered experimental and should not be relied upon by external code.
+// WARNING: This must **only** be called at initialization time, as the
+// interned terms are shared globally, and the underlying map is not thread-safe.
+func InternVarValue(names ...string) {
+ for _, name := range names {
+ if _, ok := internedVarValues[name]; ok {
+ continue
+ }
+
+ internedVarValues[name] = Var(name)
+ }
+}
+
 // HasInternedValue returns true if the given value is interned, otherwise false.
 func HasInternedValue[T internable](v T) bool {
 switch value := any(v).(type) {
@@ -94,6 +117,16 @@ func InternedValue[T internable](v T) Value {
 return InternedValueOr(v, internedTermValue)
 }
+// InternedVarValue returns an interned Var Value for the given name. If the
+// name is not interned, a new Var Value is returned.
+func InternedVarValue(name string) Value {
+ if v, ok := internedVarValues[name]; ok {
+ return v
+ }
+
+ return Var(name)
+}
+
 // InternedValueOr returns an interned Value for scalar v. Calls supplier
 // to produce a Value if the value is not interned.
 func InternedValueOr[T internable](v T, supplier func(T) Value) Value {
diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/parser.go b/vendor/github.com/open-policy-agent/opa/v1/ast/parser.go
index 8355186cb9..d5d73e8f81 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/ast/parser.go
+++ b/vendor/github.com/open-policy-agent/opa/v1/ast/parser.go
@@ -26,6 +26,7 @@ import (
 "github.com/open-policy-agent/opa/v1/ast/internal/tokens"
 astJSON "github.com/open-policy-agent/opa/v1/ast/json"
 "github.com/open-policy-agent/opa/v1/ast/location"
+ "github.com/open-policy-agent/opa/v1/util"
 )
 // DefaultMaxParsingRecursionDepth is the default maximum recursion
@@ -57,6 +58,21 @@ const (
 RegoV1
 )
+var (
+ // this is the name to use for instantiating an empty set, e.g., `set()`.
+ setConstructor = RefTerm(VarTerm("set"))
+
+ preAllocWildcards = [...]Value{
+ Var("$0"), Var("$1"), Var("$2"), Var("$3"), Var("$4"), Var("$5"),
+ Var("$6"), Var("$7"), Var("$8"), Var("$9"), Var("$10"),
+ }
+
+ // use static references to avoid allocations, and
+ // copy them to the call term only when needed
+ memberWithKeyRef = MemberWithKey.Ref()
+ memberRef = Member.Ref()
+)
+
 func (v RegoVersion) Int() int {
 if v == RegoV1 {
 return 1
@@ -88,17 +104,17 @@ func RegoVersionFromInt(i int) RegoVersion {
 // can do efficient shallow copies of these values when doing a
 // save() and restore().
 type state struct {
- s *scanner.Scanner
- lastEnd int
- skippedNL bool
- tok tokens.Token
- tokEnd int
- lit string
- loc Location
 errors Errors
- hints []string
 comments []*Comment
+ hints []string
+ s *scanner.Scanner
+ loc Location
+ lit string
+ lastEnd int
+ tokEnd int
 wildcard int
+ tok tokens.Token
+ skippedNL bool
 }
 func (s *state) String() string {
@@ -451,7 +467,6 @@ func (p *Parser) Parse() ([]Statement, []*Comment, Errors) {
 // next type of statement. If a statement can be parsed, continue from that
 // point trying to parse packages, imports, etc. in the same order.
 for p.s.tok != tokens.EOF {
-
 s := p.save()
 if pkg := p.parsePackage(); pkg != nil {
@@ -512,12 +527,12 @@ func (p *Parser) Parse() ([]Statement, []*Comment, Errors) {
 }
 func (p *Parser) parseAnnotations(stmts []Statement) []Statement {
-
 annotStmts, errs := parseAnnotations(p.s.comments)
 for _, err := range errs {
 p.error(err.Location, err.Message)
 }
+ stmts = slices.Grow(stmts, len(annotStmts))
 for _, annotStmt := range annotStmts {
 stmts = append(stmts, annotStmt)
 }
@@ -545,11 +560,11 @@ func parseAnnotations(comments []*Comment) ([]*Annotations, Errors) {
 }
 }
- var stmts []*Annotations
+ stmts := make([]*Annotations, 0, len(blocks))
+
 var errs Errors
 for _, b := range blocks {
- a, err := b.Parse()
- if err != nil {
+ if a, err := b.Parse(); err != nil {
 errs = append(errs, &Error{
 Code: ParseErr,
 Message: err.Error(),
@@ -564,14 +579,13 @@ func parseAnnotations(comments []*Comment) ([]*Annotations, Errors) {
 }
 func (p *Parser) parsePackage() *Package {
-
- var pkg Package
- pkg.SetLoc(p.s.Loc())
-
 if p.s.tok != tokens.Package {
 return nil
 }
+ var pkg Package
+ pkg.SetLoc(p.s.Loc())
+
 p.scanWS()
 // Make sure we allow the first term of refs to be the 'package' keyword.
@@ -633,14 +647,13 @@ func (p *Parser) parsePackage() *Package {
 }
 func (p *Parser) parseImport() *Import {
-
- var imp Import
- imp.SetLoc(p.s.Loc())
-
 if p.s.tok != tokens.Import {
 return nil
 }
+ var imp Import
+ imp.SetLoc(p.s.Loc())
+
 p.scanWS()
 // Make sure we allow the first term of refs to be the 'import' keyword.
@@ -952,7 +965,7 @@ func (p *Parser) parseRules() []*Rule {
 next.Head.keywords = rule.Head.keywords
 for i := range next.Head.Args {
 if v, ok := next.Head.Args[i].Value.(Var); ok && v.IsWildcard() {
- next.Head.Args[i].Value = Var(p.genwildcard())
+ next.Head.Args[i].Value = p.genwildcard()
 }
 }
 setLocRecursive(next.Head, loc)
@@ -972,7 +985,7 @@ func (p *Parser) parseElse(head *Head) *Rule {
 rule.Head.generatedValue = false
 for i := range rule.Head.Args {
 if v, ok := rule.Head.Args[i].Value.(Var); ok && v.IsWildcard() {
- rule.Head.Args[i].Value = Var(p.genwildcard())
+ rule.Head.Args[i].Value = p.genwildcard()
 }
 }
 rule.Head.SetLoc(p.s.Loc())
@@ -1281,14 +1294,11 @@ func (p *Parser) parseLiteralExpr(negated bool) *Expr {
 }
 func (p *Parser) parseWith() []*With {
-
 withs := []*With{}
 for {
+ with := With{Location: p.s.Loc()}
- with := With{
- Location: p.s.Loc(),
- }
 p.scan()
 if p.s.tok != tokens.Ident {
@@ -1525,11 +1535,6 @@ func (p *Parser) parseTermInfixCallInList() *Term {
 return p.parseTermIn(nil, false, p.s.loc.Offset)
 }
-// use static references to avoid allocations, and
-// copy them to the call term only when needed
-var memberWithKeyRef = MemberWithKey.Ref()
-var memberRef = Member.Ref()
-
 func (p *Parser) parseTermIn(lhs *Term, keyVal bool, offset int) *Term {
 if !p.enter() {
 return nil
@@ -1898,9 +1903,6 @@ func (p *Parser) parseRawString() *Term {
 return StringTerm(p.s.lit[1 : len(p.s.lit)-1]).SetLocation(p.s.Loc())
 }
-// this is the name to use for instantiating an empty set, e.g., `set()`.
-var setConstructor = RefTerm(VarTerm("set"))
-
 func (p *Parser) parseCall(operator *Term, offset int) (term *Term) {
 if !p.enter() {
 return nil
@@ -1978,7 +1980,7 @@ func (p *Parser) parseRef(head *Term, offset int) (term *Term) {
 term = p.parseRef(term, offset)
 }
 }
- end = p.s.tokEnd
+ end = p.s.lastEnd
 return term
 case tokens.LBrack:
 p.scan()
@@ -2042,7 +2044,6 @@ func (p *Parser) parseArray() (term *Term) {
 // Does this represent a set comprehension or a set containing binary OR
 // call? We resolve the ambiguity by prioritizing comprehensions.
 head := p.parseTerm()
-
 if head == nil {
 return nil
 }
@@ -2286,7 +2287,7 @@ func (p *Parser) parseTermList(end tokens.Token, r []*Term) []*Term {
 }
 continue
 default:
- p.illegal(fmt.Sprintf("expected %q or %q", tokens.Comma, end))
+ p.illegal("expected %q or %q", tokens.Comma, end)
 return nil
 }
 }
@@ -2316,12 +2317,12 @@ func (p *Parser) parseTermPairList(end tokens.Token, r [][2]*Term) [][2]*Term {
 }
 continue
 default:
- p.illegal(fmt.Sprintf("expected %q or %q", tokens.Comma, end))
+ p.illegal("expected %q or %q", tokens.Comma, end)
 return nil
 }
 }
 default:
- p.illegal(fmt.Sprintf("expected %q", tokens.Colon))
+ p.illegal("expected %q", tokens.Colon)
 return nil
 }
 }
@@ -2353,48 +2354,69 @@ func (p *Parser) parseTermOpName(ref Ref, values ...tokens.Token) *Term {
 }
 func (p *Parser) parseVar() *Term {
-
- s := p.s.lit
-
- term := VarTerm(s).SetLocation(p.s.Loc())
-
- // Update wildcard values with unique identifiers
- if term.Equal(Wildcard) {
- term.Value = Var(p.genwildcard())
+ if p.s.lit == WildcardString {
+ // Update wildcard values with unique identifiers
+ return NewTerm(p.genwildcard()).SetLocation(p.s.Loc())
 }
- return term
+ return VarTerm(p.s.lit).SetLocation(p.s.Loc())
 }
-func (p *Parser) genwildcard() string {
- c := p.s.wildcard
+func (p *Parser) genwildcard() Value {
+ var v Value
+ if p.s.wildcard < len(preAllocWildcards) {
+ v = preAllocWildcards[p.s.wildcard]
+ } else {
+ v = Var(WildcardPrefix + strconv.Itoa(p.s.wildcard))
+ }
 p.s.wildcard++
- return fmt.Sprintf("%v%d", WildcardPrefix, c)
+
+ return v
 }
-func (p *Parser) error(loc *location.Location, reason string) {
- p.errorf(loc, "%s", reason)
-}
-
-func (p *Parser) errorf(loc *location.Location, f string, a ...any) {
- msg := strings.Builder{}
- msg.WriteString(fmt.Sprintf(f, a...))
-
- switch len(p.s.hints) {
+func writeHints(msg *strings.Builder, hints []string) {
+ switch len(hints) {
 case 0: // nothing to do
 case 1:
 msg.WriteString(" (hint: ")
- msg.WriteString(p.s.hints[0])
- msg.WriteRune(')')
+ msg.WriteString(hints[0])
+ msg.WriteByte(')')
 default:
 msg.WriteString(" (hints: ")
- for i, h := range p.s.hints {
+ for i, h := range hints {
 if i > 0 {
 msg.WriteString(", ")
 }
 msg.WriteString(h)
 }
- msg.WriteRune(')')
+ msg.WriteByte(')')
+ }
+}
+
+func (p *Parser) error(loc *location.Location, reason string) {
+ msg := reason
+ if len(p.s.hints) > 0 {
+ sb := &strings.Builder{}
+ sb.WriteString(reason)
+ writeHints(sb, p.s.hints)
+ msg = sb.String()
+ }
+
+ p.s.errors = append(p.s.errors, &Error{
+ Code: ParseErr,
+ Message: msg,
+ Location: loc,
+ Details: newParserErrorDetail(p.s.s.Bytes(), loc.Offset),
+ })
+ p.s.hints = nil
+}
+
+func (p *Parser) errorf(loc *location.Location, f string, a ...any) {
+ msg := &strings.Builder{}
+ fmt.Fprintf(msg, f, a...)
+
+ if len(p.s.hints) > 0 {
+ writeHints(msg, p.s.hints)
 }
 p.s.errors = append(p.s.errors, &Error{
@@ -2406,28 +2428,25 @@ func (p *Parser) errorf(loc *location.Location, f string, a ...any) {
 p.s.hints = nil
 }
-func (p *Parser) hint(f string, a ...any) {
- p.s.hints = append(p.s.hints, fmt.Sprintf(f, a...))
+func (p *Parser) hint(s string) {
+ p.s.hints = append(p.s.hints, s)
 }
 func (p *Parser) illegal(note string, a ...any) {
- tok := p.s.tok.String()
-
 if p.s.tok == tokens.Illegal {
 p.errorf(p.s.Loc(), "illegal token")
 return
 }
+ tok := p.s.tok.String()
+
 tokType := "token"
- if tokens.IsKeyword(p.s.tok) {
- tokType = "keyword"
- } else if _, ok := allFutureKeywords[p.s.tok.String()]; ok {
+ if _, ok := allFutureKeywords[tok]; ok || tokens.IsKeyword(p.s.tok) {
 tokType = "keyword"
 }
- note = fmt.Sprintf(note, a...)
 if len(note) > 0 {
- p.errorf(p.s.Loc(), "unexpected %s %s: %s", tok, tokType, note)
+ p.errorf(p.s.Loc(), "unexpected %s %s: %s", tok, tokType, fmt.Sprintf(note, a...))
 } else {
 p.errorf(p.s.Loc(), "unexpected %s %s", tok, tokType)
 }
@@ -2999,10 +3018,7 @@ func (p *Parser) futureImport(imp *Import, allowedFutureKeywords map[string]toke
 return
 }
- kwds := make([]string, 0, len(allowedFutureKeywords))
- for k := range allowedFutureKeywords {
- kwds = append(kwds, k)
- }
+ kwds := util.Keys(allowedFutureKeywords)
 switch len(path) {
 case 2: // all keywords imported, nothing to do
@@ -3052,10 +3068,7 @@ func (p *Parser) regoV1Import(imp *Import) {
 }
 // import all future keywords with the rego.v1 import
- kwds := make([]string, 0, len(futureKeywordsV0))
- for k := range futureKeywordsV0 {
- kwds = append(kwds, k)
- }
+ kwds := util.Keys(futureKeywordsV0)
 p.s.s.SetRegoV1Compatible()
 for _, kw := range kwds {
diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/policy.go b/vendor/github.com/open-policy-agent/opa/v1/ast/policy.go
index 62c82f51ec..8d34f3011b 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/ast/policy.go
+++ b/vendor/github.com/open-policy-agent/opa/v1/ast/policy.go
@@ -86,7 +86,11 @@ var ReservedVars = NewVarSet(
 )
 // Wildcard represents the wildcard variable as defined in the language.
-var Wildcard = &Term{Value: Var("_")}
+var (
+ WildcardString = "_"
+ WildcardValue Value = Var(WildcardString)
+ Wildcard = &Term{Value: WildcardValue}
+)
 // WildcardPrefix is the special character that all wildcard variables are
 // prefixed with when the statement they are contained in is parsed.
@@ -375,8 +379,10 @@ func (mod *Module) String() string {
 appendAnnotationStrings := func(buf []string, node Node) []string {
 if as, ok := byNode[node]; ok {
 for i := range as {
- buf = append(buf, "# METADATA")
- buf = append(buf, "# "+as[i].String())
+ buf = append(buf,
+ "# METADATA",
+ "# "+as[i].String(),
+ )
 }
 }
 return buf
@@ -726,6 +732,7 @@ func (rule *Rule) SetLoc(loc *Location) {
 // Path returns a ref referring to the document produced by this rule. If rule
 // is not contained in a module, this function panics.
+//
 // Deprecated: Poor handling of ref rules. Use `(*Rule).Ref()` instead.
 func (rule *Rule) Path() Ref {
 if rule.Module == nil {
diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/syncpools.go b/vendor/github.com/open-policy-agent/opa/v1/ast/syncpools.go
index 82977c836b..c709dc2bbd 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/ast/syncpools.go
+++ b/vendor/github.com/open-policy-agent/opa/v1/ast/syncpools.go
@@ -1,33 +1,40 @@
 package ast
 import (
+ "bytes"
 "strings"
 "sync"
+
+ "github.com/open-policy-agent/opa/v1/util"
 )
-type termPtrPool struct {
- pool sync.Pool
-}
+var (
+ TermPtrPool = util.NewSyncPool[Term]()
+ BytesReaderPool = util.NewSyncPool[bytes.Reader]()
+ IndexResultPool = util.NewSyncPool[IndexResult]()
+ bbPool = util.NewSyncPool[bytes.Buffer]()
+ // Needs custom pool because of custom Put logic.
+ sbPool = &stringBuilderPool{
+ pool: sync.Pool{
+ New: func() any {
+ return &strings.Builder{}
+ },
+ },
+ }
+ // Needs custom pool because of custom Put logic.
+ varVisitorPool = &vvPool{
+ pool: sync.Pool{
+ New: func() any {
+ return NewVarVisitor()
+ },
+ },
+ }
+)
-type stringBuilderPool struct {
- pool sync.Pool
-}
-
-type indexResultPool struct {
- pool sync.Pool
-}
-
-type vvPool struct {
- pool sync.Pool
-}
-
-func (p *termPtrPool) Get() *Term {
- return p.pool.Get().(*Term)
-}
-
-func (p *termPtrPool) Put(t *Term) {
- p.pool.Put(t)
-}
+type (
+ stringBuilderPool struct{ pool sync.Pool }
+ vvPool struct{ pool sync.Pool }
+)
 func (p *stringBuilderPool) Get() *strings.Builder {
 return p.pool.Get().(*strings.Builder)
@@ -38,16 +45,6 @@ func (p *stringBuilderPool) Put(sb *strings.Builder) {
 p.pool.Put(sb)
 }
-func (p *indexResultPool) Get() *IndexResult {
- return p.pool.Get().(*IndexResult)
-}
-
-func (p *indexResultPool) Put(x *IndexResult) {
- if x != nil {
- p.pool.Put(x)
- }
-}
-
 func (p *vvPool) Get() *VarVisitor {
 return p.pool.Get().(*VarVisitor)
 }
@@ -58,35 +55,3 @@ func (p *vvPool) Put(vv *VarVisitor) {
 p.pool.Put(vv)
 }
 }
-
-var TermPtrPool = &termPtrPool{
- pool: sync.Pool{
- New: func() any {
- return &Term{}
- },
- },
-}
-
-var sbPool = &stringBuilderPool{
- pool: sync.Pool{
- New: func() any {
- return &strings.Builder{}
- },
- },
-}
-
-var varVisitorPool = &vvPool{
- pool: sync.Pool{
- New: func() any {
- return NewVarVisitor()
- },
- },
-}
-
-var IndexResultPool = &indexResultPool{
- pool: sync.Pool{
- New: func() any {
- return &IndexResult{}
- },
- },
-}
diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/term.go b/vendor/github.com/open-policy-agent/opa/v1/ast/term.go
index 18f8a423d9..b6dec8da5c 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/ast/term.go
+++ b/vendor/github.com/open-policy-agent/opa/v1/ast/term.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by an Apache2
 // license that can be found in the LICENSE file.
-// nolint: deadcode // Public API.
 package ast
 import (
@@ -824,7 +823,7 @@ type Var string
 // VarTerm creates a new Term with a Variable value.
 func VarTerm(v string) *Term {
- return &Term{Value: Var(v)}
+ return &Term{Value: InternedVarValue(v)}
 }
 // Equal returns true if the other Value is a Variable and has the same value
@@ -881,7 +880,7 @@ func (v Var) String() string {
 // illegal variable name character (WildcardPrefix) to avoid conflicts. When
 // we serialize the variable here, we need to make sure it's parseable.
 if v.IsWildcard() {
- return Wildcard.String()
+ return WildcardString
 }
 return string(v)
 }
@@ -1154,12 +1153,6 @@ func IsVarCompatibleString(s string) bool {
 return varRegexp.MatchString(s)
 }
-var bbPool = &sync.Pool{
- New: func() any {
- return new(bytes.Buffer)
- },
-}
-
 func (ref Ref) String() string {
 // Note(anderseknert):
 // Options tried in the order of cheapness, where after some effort,
@@ -1181,7 +1174,7 @@ func (ref Ref) String() string {
 _var := ref[0].Value.String()
- bb := bbPool.Get().(*bytes.Buffer)
+ bb := bbPool.Get()
 bb.Reset()
 defer bbPool.Put(bb)
diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/version_index.json b/vendor/github.com/open-policy-agent/opa/v1/ast/version_index.json
index b02f785299..32cf2e50f6 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/ast/version_index.json
+++ b/vendor/github.com/open-policy-agent/opa/v1/ast/version_index.json
@@ -3,1476 +3,1062 @@ "abs": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "all": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "and": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "any": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "array.concat": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "array.reverse": { "Major": 0, "Minor": 36, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "array.slice": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "assign": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "base64.decode": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "base64.encode": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "base64.is_valid": { "Major": 0, "Minor": 24, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "base64url.decode": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "base64url.encode": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "base64url.encode_no_pad": { "Major": 0, "Minor": 25, "Patch": 0, - "PreRelease": "rc2", - "Metadata": "" + "PreRelease": "rc2" }, "bits.and": { "Major": 0, "Minor": 18, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "bits.lsh": { "Major": 0, "Minor": 18, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "bits.negate": { "Major": 0, "Minor": 18, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "bits.or": { "Major": 0, "Minor": 18, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "bits.rsh": { 
"Major": 0, "Minor": 18, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "bits.xor": { "Major": 0, "Minor": 18, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "cast_array": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "cast_boolean": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "cast_null": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "cast_object": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "cast_set": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "cast_string": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "ceil": { "Major": 0, "Minor": 26, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "concat": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "contains": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "count": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.hmac.equal": { "Major": 0, "Minor": 52, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.hmac.md5": { "Major": 0, "Minor": 36, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.hmac.sha1": { "Major": 0, "Minor": 36, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.hmac.sha256": { "Major": 0, "Minor": 36, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.hmac.sha512": { "Major": 0, "Minor": 36, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.md5": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.parse_private_keys": { "Major": 0, "Minor": 55, 
- "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.sha1": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.sha256": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.x509.parse_and_verify_certificates": { "Major": 0, "Minor": 31, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.x509.parse_and_verify_certificates_with_options": { "Major": 0, "Minor": 63, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.x509.parse_certificate_request": { "Major": 0, "Minor": 21, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.x509.parse_certificates": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.x509.parse_keypair": { "Major": 0, "Minor": 53, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "crypto.x509.parse_rsa_private_key": { "Major": 0, "Minor": 33, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "div": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "endswith": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "eq": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "equal": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "floor": { "Major": 0, "Minor": 26, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "format_int": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "glob.match": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "glob.quote_meta": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "graph.reachable": { "Major": 0, "Minor": 20, - "Patch": 0, - 
"PreRelease": "", - "Metadata": "" + "Patch": 0 }, "graph.reachable_paths": { "Major": 0, "Minor": 37, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "graphql.is_valid": { "Major": 0, "Minor": 41, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "graphql.parse": { "Major": 0, "Minor": 41, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "graphql.parse_and_verify": { "Major": 0, "Minor": 41, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "graphql.parse_query": { "Major": 0, "Minor": 41, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "graphql.parse_schema": { "Major": 0, "Minor": 41, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "graphql.schema_is_valid": { "Major": 0, "Minor": 46, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "gt": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "gte": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "hex.decode": { "Major": 0, "Minor": 25, "Patch": 0, - "PreRelease": "rc2", - "Metadata": "" + "PreRelease": "rc2" }, "hex.encode": { "Major": 0, "Minor": 25, "Patch": 0, - "PreRelease": "rc2", - "Metadata": "" + "PreRelease": "rc2" }, "http.send": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "indexof": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "indexof_n": { "Major": 0, "Minor": 37, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "internal.member_2": { "Major": 0, "Minor": 34, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "internal.member_3": { "Major": 0, "Minor": 34, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "internal.print": { "Major": 0, "Minor": 34, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "internal.test_case": { 
"Major": 1, "Minor": 2, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "intersection": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.decode": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.decode_verify": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.encode_sign": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.encode_sign_raw": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_eddsa": { "Major": 1, "Minor": 8, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_es256": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_es384": { "Major": 0, "Minor": 20, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_es512": { "Major": 0, "Minor": 20, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_hs256": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_hs384": { "Major": 0, "Minor": 20, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_hs512": { "Major": 0, "Minor": 20, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_ps256": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_ps384": { "Major": 0, "Minor": 20, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_ps512": { "Major": 0, "Minor": 20, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_rs256": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_rs384": { "Major": 0, "Minor": 
20, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "io.jwt.verify_rs512": { "Major": 0, "Minor": 20, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "is_array": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "is_boolean": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "is_null": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "is_number": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "is_object": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "is_set": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "is_string": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "json.filter": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "json.is_valid": { "Major": 0, "Minor": 25, "Patch": 0, - "PreRelease": "rc1", - "Metadata": "" + "PreRelease": "rc1" }, "json.marshal": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "json.marshal_with_options": { "Major": 0, "Minor": 64, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "json.match_schema": { "Major": 0, "Minor": 50, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "json.patch": { "Major": 0, "Minor": 25, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "json.remove": { "Major": 0, "Minor": 18, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "json.unmarshal": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "json.verify_schema": { "Major": 0, "Minor": 50, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "lower": { "Major": 0, "Minor": 17, - 
"Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "lt": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "lte": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "max": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "min": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "minus": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "mul": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "neq": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "net.cidr_contains": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "net.cidr_contains_matches": { "Major": 0, "Minor": 19, "Patch": 0, - "PreRelease": "rc1", - "Metadata": "" + "PreRelease": "rc1" }, "net.cidr_expand": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "net.cidr_intersects": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "net.cidr_is_valid": { "Major": 0, "Minor": 46, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "net.cidr_merge": { "Major": 0, "Minor": 24, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "net.cidr_overlap": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "net.lookup_ip_addr": { "Major": 0, "Minor": 35, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "numbers.range": { "Major": 0, "Minor": 22, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "numbers.range_step": { "Major": 0, "Minor": 56, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "object.filter": { "Major": 0, "Minor": 17, - "Patch": 2, - 
"PreRelease": "", - "Metadata": "" + "Patch": 2 }, "object.get": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "object.keys": { "Major": 0, "Minor": 47, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "object.remove": { "Major": 0, "Minor": 17, - "Patch": 2, - "PreRelease": "", - "Metadata": "" + "Patch": 2 }, "object.subset": { "Major": 0, "Minor": 42, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "object.union": { "Major": 0, "Minor": 17, - "Patch": 2, - "PreRelease": "", - "Metadata": "" + "Patch": 2 }, "object.union_n": { "Major": 0, "Minor": 37, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "opa.runtime": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "or": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "plus": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "print": { "Major": 0, "Minor": 34, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "product": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "providers.aws.sign_req": { "Major": 0, "Minor": 47, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "rand.intn": { "Major": 0, "Minor": 31, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "re_match": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "regex.find_all_string_submatch_n": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "regex.find_n": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "regex.globs_match": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "regex.is_valid": { "Major": 0, "Minor": 23, - "Patch": 0, - "PreRelease": "", - 
"Metadata": "" + "Patch": 0 }, "regex.match": { "Major": 0, "Minor": 23, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "regex.replace": { "Major": 0, "Minor": 45, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "regex.split": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "regex.template_match": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "rego.metadata.chain": { "Major": 0, "Minor": 40, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "rego.metadata.rule": { "Major": 0, "Minor": 40, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "rego.parse_module": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "rem": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "replace": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "round": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "semver.compare": { "Major": 0, "Minor": 22, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "semver.is_valid": { "Major": 0, "Minor": 22, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "set_diff": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "sort": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "split": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "sprintf": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "startswith": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "strings.any_prefix_match": { "Major": 0, "Minor": 44, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + 
"Patch": 0 }, "strings.any_suffix_match": { "Major": 0, "Minor": 44, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "strings.count": { "Major": 0, "Minor": 67, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "strings.render_template": { "Major": 0, "Minor": 59, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "strings.replace_n": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "strings.reverse": { "Major": 0, "Minor": 36, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "substring": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "sum": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "time.add_date": { "Major": 0, "Minor": 19, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "time.clock": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "time.date": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "time.diff": { "Major": 0, "Minor": 28, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "time.format": { "Major": 0, "Minor": 48, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "time.now_ns": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "time.parse_duration_ns": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "time.parse_ns": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "time.parse_rfc3339_ns": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "time.weekday": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "to_number": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - 
"Metadata": "" + "Patch": 0 }, "trace": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "trim": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "trim_left": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "trim_prefix": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "trim_right": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "trim_space": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "trim_suffix": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "type_name": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "union": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "units.parse": { "Major": 0, "Minor": 41, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "units.parse_bytes": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "upper": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "urlquery.decode": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "urlquery.decode_object": { "Major": 0, "Minor": 24, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "urlquery.encode": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "urlquery.encode_object": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "uuid.parse": { "Major": 0, "Minor": 57, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "uuid.rfc4122": { "Major": 0, "Minor": 20, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, 
"walk": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "yaml.is_valid": { "Major": 0, "Minor": 25, "Patch": 0, - "PreRelease": "rc1", - "Metadata": "" + "PreRelease": "rc1" }, "yaml.marshal": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "yaml.unmarshal": { "Major": 0, "Minor": 17, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 } }, "features": { "keywords_in_refs": { "Major": 1, "Minor": 6, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "rego_v1": { "Major": 1, "Minor": 0, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "rego_v1_import": { "Major": 0, "Minor": 59, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "rule_head_ref_string_prefixes": { "Major": 0, "Minor": 46, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "rule_head_refs": { "Major": 0, "Minor": 59, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 } }, "keywords": { "contains": { "Major": 0, "Minor": 42, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "every": { "Major": 0, "Minor": 38, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "if": { "Major": 0, "Minor": 42, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 }, "in": { "Major": 0, "Minor": 34, - "Patch": 0, - "PreRelease": "", - "Metadata": "" + "Patch": 0 } } } diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/visit.go b/vendor/github.com/open-policy-agent/opa/v1/ast/visit.go index 4ae6569ad7..fd3dcdea29 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/visit.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/visit.go 
@@ -8,6 +8,7 @@ package ast // can return a Visitor w which will be used to visit the children of the AST // element v. If the Visit function returns nil, the children will not be // visited. +// // Deprecated: use GenericVisitor or another visitor implementation type Visitor interface { Visit(v any) (w Visitor) @@ -15,6 +16,7 @@ type Visitor interface { // BeforeAndAfterVisitor wraps Visitor to provide hooks for being called before // and after the AST has been visited. +// // Deprecated: use GenericVisitor or another visitor implementation type BeforeAndAfterVisitor interface { Visitor @@ -24,6 +26,7 @@ type BeforeAndAfterVisitor interface { // Walk iterates the AST by calling the Visit function on the Visitor // v for x before recursing. +// // Deprecated: use GenericVisitor.Walk func Walk(v Visitor, x any) { if bav, ok := v.(BeforeAndAfterVisitor); !ok { @@ -37,6 +40,7 @@ func Walk(v Visitor, x any) { // WalkBeforeAndAfter iterates the AST by calling the Visit function on the // Visitor v for x before recursing. +// // Deprecated: use GenericVisitor.Walk func WalkBeforeAndAfter(v BeforeAndAfterVisitor, x any) { Walk(v, x) diff --git a/vendor/github.com/open-policy-agent/opa/v1/bundle/bundle.go b/vendor/github.com/open-policy-agent/opa/v1/bundle/bundle.go index 5b418c360b..bf00e96ca2 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/bundle/bundle.go +++ b/vendor/github.com/open-policy-agent/opa/v1/bundle/bundle.go @@ -6,9 +6,7 @@ package bundle import ( - "archive/tar" "bytes" - "compress/gzip" "encoding/hex" "encoding/json" "errors" @@ -24,6 +22,8 @@ import ( "sync" "github.com/gobwas/glob" + "golang.org/x/sync/errgroup" + "github.com/open-policy-agent/opa/internal/file/archive" "github.com/open-policy-agent/opa/internal/merge" "github.com/open-policy-agent/opa/v1/ast" 
@@ -51,6 +51,10 @@ const ( SnapshotBundleType = "snapshot" ) +var ( + empty Bundle +) + // Bundle represents a loaded bundle. The bundle can contain data and policies. type Bundle struct { Signatures SignaturesConfig @@ -96,7 +100,7 @@ type SignaturesConfig struct { // isEmpty returns if the SignaturesConfig is empty. func (s SignaturesConfig) isEmpty() bool { - return reflect.DeepEqual(s, SignaturesConfig{}) + return s.Signatures == nil && s.Plugin == "" } // DecodedSignature represents the decoded JWT payload. @@ -186,7 +190,6 @@ func (m *Manifest) SetRegoVersion(v ast.RegoVersion) { // Equal returns true if m is semantically equivalent to other. func (m Manifest) Equal(other Manifest) bool { - // This is safe since both are passed by value. m.Init() other.Init() @@ -323,7 +326,6 @@ func (ss stringSet) Equal(other stringSet) bool { } func (m *Manifest) validateAndInjectDefaults(b Bundle) error { - m.Init() // Validate roots in bundle. @@ -337,7 +339,7 @@ func (m *Manifest) validateAndInjectDefaults(b Bundle) error { for i := range len(roots) - 1 { for j := i + 1; j < len(roots); j++ { if RootPathsOverlap(roots[i], roots[j]) { - return fmt.Errorf("manifest has overlapped roots: '%v' and '%v'", roots[i], roots[j]) + return fmt.Errorf("manifest has overlapped roots: '%s' and '%s'", roots[i], roots[j]) } } } @@ -349,7 +351,7 @@ func (m *Manifest) validateAndInjectDefaults(b Bundle) error { found = RootPathsContain(roots, path) } if !found { - return fmt.Errorf("manifest roots %v do not permit '%v' in module '%v'", roots, module.Parsed.Package, module.Path) + return fmt.Errorf("manifest roots %v do not permit '%v' in module '%s'", roots, module.Parsed.Package, module.Path) } } 
@@ -368,7 +370,7 @@ func (m *Manifest) validateAndInjectDefaults(b Bundle) error { // Ensure wasm module entrypoint in within bundle roots if !RootPathsContain(roots, wmConfig.Entrypoint) { - return fmt.Errorf("manifest roots %v do not permit '%v' entrypoint for wasm module '%v'", roots, wmConfig.Entrypoint, wmConfig.Module) + return fmt.Errorf("manifest roots %v do not permit '%s' entrypoint for wasm module '%s'", roots, wmConfig.Entrypoint, wmConfig.Module) } if _, ok := seenEps[wmConfig.Entrypoint]; ok { @@ -504,14 +506,13 @@ func NewReader(r io.Reader) *Reader { // NewCustomReader returns a new Reader configured to use the // specified DirectoryLoader. func NewCustomReader(loader DirectoryLoader) *Reader { - nr := Reader{ + return &Reader{ loader: loader, - metrics: metrics.New(), + metrics: metrics.NoOp(), files: make(map[string]FileInfo), sizeLimitBytes: DefaultSizeLimitBytes + 1, lazyLoadingMode: HasExtension(), } - return &nr } // IncludeManifestInData sets whether the manifest metadata should be @@ -620,24 +621,17 @@ func (r *Reader) ParserOptions() ast.ParserOptions { // Read returns a new Bundle loaded from the reader. func (r *Reader) Read() (Bundle, error) { - - var bundle Bundle - var descriptors []*Descriptor - var err error - var raw []Raw - - bundle.Signatures, bundle.Patch, descriptors, err = preProcessBundle(r.loader, r.skipVerify, r.sizeLimitBytes) + bundle, descriptors, err := preProcessBundle(r.loader, r.skipVerify, r.sizeLimitBytes) if err != nil { - return bundle, err + return empty, err } bundle.lazyLoadingMode = r.lazyLoadingMode bundle.sizeLimitBytes = r.sizeLimitBytes if bundle.Type() == SnapshotBundleType { - err = r.checkSignaturesAndDescriptors(bundle.Signatures) - if err != nil { - return bundle, err + if err := r.checkSignaturesAndDescriptors(bundle.Signatures); err != nil { + return empty, err } bundle.Data = map[string]any{} 
@@ -647,7 +641,7 @@ func (r *Reader) Read() (Bundle, error) { for _, f := range descriptors { buf, err := readFile(f, r.sizeLimitBytes) if err != nil { - return bundle, err + return empty, err } // verify the file content @@ -663,7 +657,7 @@ func (r *Reader) Read() (Bundle, error) { delete(r.files, path) } else { if err = r.verifyBundleFile(path, buf); err != nil { - return bundle, err + return empty, err } } } @@ -690,7 +684,7 @@ func (r *Reader) Read() (Bundle, error) { p = modulePathWithPrefix(r.name, fullPath) } - raw = append(raw, Raw{Path: p, Value: bs, module: &mf}) + bundle.Raw = append(bundle.Raw, Raw{Path: p, Value: bs, module: &mf}) } } else if filepath.Base(path) == WasmFile { bundle.WasmModules = append(bundle.WasmModules, WasmModuleFile{ @@ -706,7 +700,7 @@ func (r *Reader) Read() (Bundle, error) { }) } else if filepath.Base(path) == dataFile { if r.lazyLoadingMode { - raw = append(raw, Raw{Path: path, Value: buf.Bytes()}) + bundle.Raw = append(bundle.Raw, Raw{Path: path, Value: buf.Bytes()}) continue } @@ -717,16 +711,16 @@ func (r *Reader) Read() (Bundle, error) { r.metrics.Timer(metrics.RegoDataParse).Stop() if err != nil { - return bundle, fmt.Errorf("bundle load failed on %v: %w", r.fullPath(path), err) + return empty, fmt.Errorf("bundle load failed on %v: %w", r.fullPath(path), err) } - if err := insertValue(&bundle, path, value); err != nil { - return bundle, err + if err := insertValue(bundle, path, value); err != nil { + return empty, err } } else if filepath.Base(path) == yamlDataFile || filepath.Base(path) == ymlDataFile { if r.lazyLoadingMode { - raw = append(raw, Raw{Path: path, Value: buf.Bytes()}) + bundle.Raw = append(bundle.Raw, Raw{Path: path, Value: buf.Bytes()}) continue } 
@@ -737,16 +731,16 @@ func (r *Reader) Read() (Bundle, error) { r.metrics.Timer(metrics.RegoDataParse).Stop() if err != nil { - return bundle, fmt.Errorf("bundle load failed on %v: %w", r.fullPath(path), err) + return empty, fmt.Errorf("bundle load failed on %v: %w", r.fullPath(path), err) } - if err := insertValue(&bundle, path, value); err != nil { - return bundle, err + if err := insertValue(bundle, path, value); err != nil { + return empty, err } } else if strings.HasSuffix(path, ManifestExt) { if err := util.NewJSONDecoder(&buf).Decode(&bundle.Manifest); err != nil { - return bundle, fmt.Errorf("bundle load failed on manifest decode: %w", err) + return empty, fmt.Errorf("bundle load failed on manifest decode: %w", err) } } } 
@@ -754,52 +748,63 @@ func (r *Reader) Read() (Bundle, error) { // Parse modules popts := r.ParserOptions() popts.RegoVersion = bundle.RegoVersion(popts.EffectiveRegoVersion()) - for _, mf := range modules { - modulePopts := popts + + g := &errgroup.Group{} + r.metrics.Timer(metrics.RegoModuleParse).Start() + + for i, mf := range modules { + mpopts := popts if regoVersion, err := bundle.RegoVersionForFile(mf.RelativePath, popts.EffectiveRegoVersion()); err != nil { - return bundle, err + return *bundle, err } else if regoVersion != ast.RegoUndefined { - // We don't expect ast.RegoUndefined here, but don't override configured rego-version if we do just to be extra protective - modulePopts.RegoVersion = regoVersion + // We don't expect ast.RegoUndefined here, but don't override + // configured rego-version if we do just to be extra protective + mpopts.RegoVersion = regoVersion } - r.metrics.Timer(metrics.RegoModuleParse).Start() - mf.Parsed, err = ast.ParseModuleWithOpts(mf.Path, util.ByteSliceToString(mf.Raw), modulePopts) - r.metrics.Timer(metrics.RegoModuleParse).Stop() - if err != nil { - return bundle, err - } - bundle.Modules = append(bundle.Modules, mf) + + g.Go(func() (err error) { + if mf.Parsed, err = ast.ParseModuleWithOpts(mf.Path, util.ByteSliceToString(mf.Raw), mpopts); err == nil { + modules[i] = mf + } + return err + }) } + err = g.Wait() + r.metrics.Timer(metrics.RegoModuleParse).Stop() + if err != nil { + return empty, err + } + + bundle.Modules = modules + if bundle.Type() == DeltaBundleType { if len(bundle.Data) != 0 { - return bundle, errors.New("delta bundle expected to contain only patch file but data files found") + return empty, errors.New("delta bundle expected to contain only patch file but data files found") } if len(bundle.Modules) != 0 { - return bundle, errors.New("delta bundle expected to contain only patch file but policy files found") + return empty, errors.New("delta bundle expected to contain only patch file but policy files 
found") } if len(bundle.WasmModules) != 0 { - return bundle, errors.New("delta bundle expected to contain only patch file but wasm files found") + return empty, errors.New("delta bundle expected to contain only patch file but wasm files found") } if r.persist { - return bundle, errors.New("'persist' property is true in config. persisting delta bundle to disk is not supported") + return empty, errors.New( + "'persist' property is true in config. persisting delta bundle to disk is not supported") } } // check if the bundle signatures specify any files that weren't found in the bundle if bundle.Type() == SnapshotBundleType && len(r.files) != 0 { - extra := []string{} - for k := range r.files { - extra = append(extra, k) - } - return bundle, fmt.Errorf("file(s) %v specified in bundle signatures but not found in the target bundle", extra) + return empty, fmt.Errorf( + "file(s) %v specified in bundle signatures but not found in the target bundle", util.Keys(r.files)) } - if err := bundle.Manifest.validateAndInjectDefaults(bundle); err != nil { - return bundle, err + if err := bundle.Manifest.validateAndInjectDefaults(*bundle); err != nil { + return empty, err } // Inject the wasm module entrypoint refs into the WasmModuleFile structs 
@@ -812,36 +817,33 @@ func (r *Reader) Read() (Bundle, error) { for _, entrypoint := range entrypoints { ref, err := ast.PtrRef(ast.DefaultRootDocument, entrypoint) if err != nil { - return bundle, fmt.Errorf("failed to parse wasm module entrypoint '%s': %s", entrypoint, err) + return empty, fmt.Errorf("failed to parse wasm module entrypoint '%s': %s", entrypoint, err) } bundle.WasmModules[i].Entrypoints = append(bundle.WasmModules[i].Entrypoints, ref) } } if r.includeManifestInData { - var metadata map[string]any - b, err := json.Marshal(&bundle.Manifest) if err != nil { - return bundle, fmt.Errorf("bundle load failed on manifest marshal: %w", err) + return empty, fmt.Errorf("bundle load failed on manifest marshal: %w", err) } - err = util.UnmarshalJSON(b, &metadata) - if err != nil { - return bundle, fmt.Errorf("bundle load failed on manifest unmarshal: %w", err) + var metadata map[string]any + if err := util.UnmarshalJSON(b, &metadata); err != nil { + return empty, fmt.Errorf("bundle load failed on manifest unmarshal: %w", err) } // For backwards compatibility always write to the old unnamed manifest path // This will *not* be correct if >1 bundle is in use... if err := bundle.insertData(legacyManifestStoragePath, metadata); err != nil { - return bundle, fmt.Errorf("bundle load failed on %v: %w", legacyRevisionStoragePath, err) + return empty, fmt.Errorf("bundle load failed on %v: %w", legacyRevisionStoragePath, err) } } bundle.Etag = r.etag - bundle.Raw = raw - return bundle, nil + return *bundle, nil } func (r *Reader) isFileExcluded(path string) bool { @@ -869,10 +871,9 @@ func (r *Reader) checkSignaturesAndDescriptors(signatures SignaturesConfig) erro } // verify the JWT signatures included in the `.signatures.json` file - if err := r.verifyBundleSignature(signatures); err != nil { - return err - } + return r.verifyBundleSignature(signatures) } + return nil } 
@@ -931,19 +932,10 @@ func (w *Writer) DisableFormat(yes bool) *Writer { // Write writes the bundle to the writer's output stream. func (w *Writer) Write(bundle Bundle) error { - gw := gzip.NewWriter(w.w) - tw := tar.NewWriter(gw) + tw := archive.NewTarGzWriter(w.w) - bundleType := bundle.Type() - - if bundleType == SnapshotBundleType { - var buf bytes.Buffer - - if err := json.NewEncoder(&buf).Encode(bundle.Data); err != nil { - return err - } - - if err := archive.WriteFile(tw, "data.json", buf.Bytes()); err != nil { + if bundle.Type() == SnapshotBundleType { + if err := tw.WriteJSONFile("/data.json", bundle.Data); err != nil { return err } @@ -953,7 +945,7 @@ func (w *Writer) Write(bundle Bundle) error { path = module.Path } - if err := archive.WriteFile(tw, path, module.Raw); err != nil { + if err := tw.WriteFile(util.WithPrefix(path, "/"), module.Raw); err != nil { return err } } 
@@ -969,55 +961,48 @@ func (w *Writer) Write(bundle Bundle) error { if err := w.writePlan(tw, bundle); err != nil { return err } - } else if bundleType == DeltaBundleType { - if err := writePatch(tw, bundle); err != nil { + } else if bundle.Type() == DeltaBundleType { + if err := tw.WriteJSONFile("/patch.json", bundle.Patch); err != nil { return err } } - if err := writeManifest(tw, bundle); err != nil { - return err + if !bundle.Manifest.Empty() { + if err := tw.WriteJSONFile("/.manifest", bundle.Manifest); err != nil { + return err + } } - if err := tw.Close(); err != nil { - return err - } - - return gw.Close() + return tw.Close() } -func (w *Writer) writeWasm(tw *tar.Writer, bundle Bundle) error { +func (w *Writer) writeWasm(tw *archive.TarGzWriter, bundle Bundle) error { for _, wm := range bundle.WasmModules { path := wm.URL if w.usePath { path = wm.Path } - err := archive.WriteFile(tw, path, wm.Raw) - if err != nil { + if err := tw.WriteFile(util.WithPrefix(path, "/"), wm.Raw); err != nil { return err } } - if len(bundle.Wasm) > 0 { - err := archive.WriteFile(tw, "/"+WasmFile, bundle.Wasm) - if err != nil { - return err - } + if len(bundle.Wasm) == 0 { + return nil } - return nil + return tw.WriteFile(util.WithPrefix(WasmFile, "/"), bundle.Wasm) } -func (w *Writer) writePlan(tw *tar.Writer, bundle Bundle) error { +func (w *Writer) writePlan(tw *archive.TarGzWriter, bundle Bundle) error { for _, wm := range bundle.PlanModules { path := wm.URL if w.usePath { path = wm.Path } - err := archive.WriteFile(tw, path, wm.Raw) - if err != nil { + if err := tw.WriteFile(util.WithPrefix(path, "/"), wm.Raw); err != nil { return err } } 
@@ -1025,34 +1010,7 @@ func (w *Writer) writePlan(tw *tar.Writer, bundle Bundle) error { return nil } -func writeManifest(tw *tar.Writer, bundle Bundle) error { - - if bundle.Manifest.Empty() { - return nil - } - - var buf bytes.Buffer - - if err := json.NewEncoder(&buf).Encode(bundle.Manifest); err != nil { - return err - } - - return archive.WriteFile(tw, ManifestExt, buf.Bytes()) -} - -func writePatch(tw *tar.Writer, bundle Bundle) error { - - var buf bytes.Buffer - - if err := json.NewEncoder(&buf).Encode(bundle.Patch); err != nil { - return err - } - - return archive.WriteFile(tw, patchFile, buf.Bytes()) -} - -func writeSignatures(tw *tar.Writer, bundle Bundle) error { - +func writeSignatures(tw *archive.TarGzWriter, bundle Bundle) error { if bundle.Signatures.isEmpty() { return nil } @@ -1062,7 +1020,7 @@ func writeSignatures(tw *tar.Writer, bundle Bundle) error { return err } - return archive.WriteFile(tw, fmt.Sprintf(".%v", SignaturesFile), bs) + return tw.WriteFile(util.WithPrefix(SignaturesFile, "/."), bs) } func hashBundleFiles(hash SignatureHasher, b *Bundle) ([]FileInfo, error) { @@ -1115,8 +1073,7 @@ func hashBundleFiles(hash SignatureHasher, b *Bundle) ([]FileInfo, error) { return files, err } - bs, err = hash.HashFile(result) - if err != nil { + if bs, err = hash.HashFile(result); err != nil { return files, err } @@ -1227,10 +1184,6 @@ func (b *Bundle) GenerateSignature(signingConfig *SigningConfig, keyID string, u return err } - if b.Signatures.isEmpty() { - b.Signatures = SignaturesConfig{} - } - if signingConfig.Plugin != "" { b.Signatures.Plugin = signingConfig.Plugin } 
@@ -1243,7 +1196,6 @@ func (b *Bundle) GenerateSignature(signingConfig *SigningConfig, keyID string, u // ParsedModules returns a map of parsed modules with names that are // unique and human readable for the given a bundle name. func (b *Bundle) ParsedModules(bundleName string) map[string]*ast.Module { - mods := make(map[string]*ast.Module, len(b.Modules)) for _, mf := range b.Modules { @@ -1255,9 +1207,10 @@ func (b *Bundle) ParsedModules(bundleName string) map[string]*ast.Module { func (b *Bundle) RegoVersion(def ast.RegoVersion) ast.RegoVersion { if v := b.Manifest.RegoVersion; v != nil { - if *v == 0 { + switch *v { + case 0: return ast.RegoV0 - } else if *v == 1 { + case 1: return ast.RegoV1 } } @@ -1328,10 +1281,6 @@ func (m *Manifest) numericRegoVersionForFile(path string) (*int, error) { // Equal returns true if this bundle's contents equal the other bundle's // contents. func (b Bundle) Equal(other Bundle) bool { - if !reflect.DeepEqual(b.Data, other.Data) { - return false - } - if len(b.Modules) != len(other.Modules) { return false } @@ -1357,6 +1306,10 @@ func (b Bundle) Equal(other Bundle) bool { return false } + if !reflect.DeepEqual(b.Data, other.Data) { + return false + } + return bytes.Equal(b.Wasm, other.Wasm) } @@ -1487,7 +1440,6 @@ func Merge(bundles []*Bundle) (*Bundle, error) { // If usePath is true, per-file rego-versions will be calculated using the file's ModuleFile.Path; otherwise, the file's // ModuleFile.URL will be used. func MergeWithRegoVersion(bundles []*Bundle, regoVersion ast.RegoVersion, usePath bool) (*Bundle, error) { - if len(bundles) == 0 { return nil, errors.New("expected at least one bundle") } @@ -1512,7 +1464,6 @@ func MergeWithRegoVersion(bundles []*Bundle, regoVersion ast.RegoVersion, usePat var result Bundle for _, b := range bundles { - if b.Manifest.Roots == nil { return nil, errors.New("bundle manifest not initialized") } 
@@ -1607,16 +1558,11 @@ func bundleRelativePath(m ModuleFile, usePath bool) string { } func bundleAbsolutePath(m ModuleFile, usePath bool) string { - var p string + p := m.URL if usePath { p = m.Path - } else { - p = m.URL } - if !path.IsAbs(p) { - p = "/" + p - } - return path.Clean(p) + return path.Clean(util.WithPrefix(p, "/")) } // RootPathsOverlap takes in two bundle root paths and returns true if they overlap. @@ -1642,7 +1588,6 @@ func rootPathSegments(path string) []string { } func rootContains(root []string, other []string) bool { - // A single segment, empty string root always contains the other. if len(root) == 1 && root[0] == "" { return true @@ -1674,7 +1619,7 @@ func getNormalizedPath(path string) []string { // other hand, if the path is empty, filepath.Dir will return '.'. // Note: filepath.Dir can return paths with '\' separators, always use // filepath.ToSlash to keep them normalized. - dirpath := strings.TrimLeft(normalizePath(filepath.Dir(path)), "/.") + dirpath := strings.TrimLeft(filepath.ToSlash(filepath.Dir(path)), "/.") var key []string if dirpath != "" { key = strings.Split(dirpath, "/") 
@@ -1701,56 +1646,52 @@ func dfs(value any, path string, fn func(string, any) (bool, error)) error { } func modulePathWithPrefix(bundleName string, modulePath string) string { - // Default prefix is just the bundle name - prefix := bundleName - // Bundle names are sometimes just file paths, some of which // are full urls (file:///foo/). Parse these and only use the path. parsed, err := url.Parse(bundleName) if err == nil { - prefix = filepath.Join(parsed.Host, parsed.Path) + return path.Join(parsed.Host, parsed.Path, modulePath) } - // Note: filepath.Join can return paths with '\' separators, always use - // filepath.ToSlash to keep them normalized. - return normalizePath(filepath.Join(prefix, modulePath)) + return path.Join(bundleName, modulePath) } // IsStructuredDoc checks if the file name equals a structured file extension ex. ".json" func IsStructuredDoc(name string) bool { - return filepath.Base(name) == dataFile || filepath.Base(name) == yamlDataFile || - filepath.Base(name) == SignaturesFile || filepath.Base(name) == ManifestExt + base := filepath.Base(name) + return base == dataFile || base == yamlDataFile || base == SignaturesFile || base == ManifestExt } -func preProcessBundle(loader DirectoryLoader, skipVerify bool, sizeLimitBytes int64) (SignaturesConfig, Patch, []*Descriptor, error) { +func preProcessBundle(loader DirectoryLoader, skipVerify bool, sizeLimitBytes int64) (*Bundle, []*Descriptor, error) { + bundle := &Bundle{} descriptors := []*Descriptor{} - var signatures SignaturesConfig - var patch Patch for { f, err := loader.NextFile() - if err == io.EOF { - break - } - if err != nil { - return signatures, patch, nil, fmt.Errorf("bundle read failed: %w", err) + if err == io.EOF { + break + } + return bundle, nil, fmt.Errorf("bundle read failed: %w", err) } - // check for the signatures file - if !skipVerify && strings.HasSuffix(f.Path(), SignaturesFile) { + isSignaturesFile := strings.HasSuffix(f.Path(), SignaturesFile) + + if !skipVerify && 
isSignaturesFile { buf, err := readFile(f, sizeLimitBytes) if err != nil { - return signatures, patch, nil, err + return bundle, nil, err } - if err := util.NewJSONDecoder(&buf).Decode(&signatures); err != nil { - return signatures, patch, nil, fmt.Errorf("bundle load failed on signatures decode: %w", err) + if err := util.NewJSONDecoder(&buf).Decode(&bundle.Signatures); err != nil { + return bundle, nil, fmt.Errorf("bundle load failed on signatures decode: %w", err) } - } else if !strings.HasSuffix(f.Path(), SignaturesFile) { + } else if !isSignaturesFile { descriptors = append(descriptors, f) - if filepath.Base(f.Path()) == patchFile { + base := filepath.Base(f.Path()) + + if base == patchFile { var b bytes.Buffer tee := io.TeeReader(f.reader, &b) @@ -1758,18 +1699,19 @@ func preProcessBundle(loader DirectoryLoader, skipVerify bool, sizeLimitBytes in buf, err := readFile(f, sizeLimitBytes) if err != nil { - return signatures, patch, nil, err + return bundle, nil, err } - if err := util.NewJSONDecoder(&buf).Decode(&patch); err != nil { - return signatures, patch, nil, fmt.Errorf("bundle load failed on patch decode: %w", err) + if err := util.NewJSONDecoder(&buf).Decode(&bundle.Patch); err != nil { + return bundle, nil, fmt.Errorf("bundle load failed on patch decode: %w", err) } f.reader = &b } } } - return signatures, patch, descriptors, nil + + return bundle, descriptors, nil } func readFile(f *Descriptor, sizeLimitBytes int64) (bytes.Buffer, error) { @@ -1839,7 +1781,3 @@ func fstatFileSize(f *os.File) (int64, error) { } return fileInfo.Size(), nil } - -func normalizePath(p string) string { - return filepath.ToSlash(p) -} diff --git a/vendor/github.com/open-policy-agent/opa/v1/bundle/file.go b/vendor/github.com/open-policy-agent/opa/v1/bundle/file.go index d008c3d44c..4897ee7b91 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/bundle/file.go +++ b/vendor/github.com/open-policy-agent/opa/v1/bundle/file.go 
@@ -352,12 +352,10 @@ func (t *tarballLoader) NextFile() (*Descriptor, error) { for { header, err := t.tr.Next() - - if err == io.EOF { - break - } - if err != nil { + if err == io.EOF { + break + } return nil, err } @@ -365,7 +363,6 @@ func (t *tarballLoader) NextFile() (*Descriptor, error) { if header.Typeflag == tar.TypeReg { if t.filter != nil { - if t.filter(filepath.ToSlash(header.Name), header.FileInfo(), getdepth(header.Name, false)) { continue } @@ -504,9 +501,9 @@ func getdepth(path string, isDir bool) int { } func getFileStoragePath(path string) (storage.Path, error) { - fpath := strings.TrimLeft(normalizePath(filepath.Dir(path)), "/.") + fpath := strings.TrimLeft(filepath.ToSlash(filepath.Dir(path)), "/.") if strings.HasSuffix(path, RegoExt) { - fpath = strings.Trim(normalizePath(path), "/") + fpath = strings.Trim(filepath.ToSlash(path), "/") } p, ok := storage.ParsePathEscaped("/" + fpath) diff --git a/vendor/github.com/open-policy-agent/opa/v1/bundle/store.go b/vendor/github.com/open-policy-agent/opa/v1/bundle/store.go index 992bf78f63..e79aea5200 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/bundle/store.go +++ b/vendor/github.com/open-policy-agent/opa/v1/bundle/store.go @@ -571,12 +571,11 @@ func doDFS(obj map[string]json.RawMessage, path string, roots []string) error { } for key := range obj { - newPath := filepath.Join(strings.Trim(path, "/"), key) // Note: filepath.Join can return paths with '\' separators, always use // filepath.ToSlash to keep them normalized. - newPath = strings.TrimLeft(normalizePath(newPath), "/.") + newPath = strings.TrimLeft(filepath.ToSlash(newPath), "/.") contains := false prefix := false 
@@ -1191,17 +1190,20 @@ func applyPatches(ctx context.Context, store storage.Store, txn storage.Transact // Helpers for the older single (unnamed) bundle style manifest storage. // LegacyManifestStoragePath is the older unnamed bundle path for manifests to be stored. +// // Deprecated: Use ManifestStoragePath and named bundles instead. var legacyManifestStoragePath = storage.MustParsePath("/system/bundle/manifest") var legacyRevisionStoragePath = append(legacyManifestStoragePath, "revision") // LegacyWriteManifestToStore will write the bundle manifest to the older single (unnamed) bundle manifest location. +// // Deprecated: Use WriteManifestToStore and named bundles instead. func LegacyWriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, manifest Manifest) error { return write(ctx, store, txn, legacyManifestStoragePath, manifest) } // LegacyEraseManifestFromStore will erase the bundle manifest from the older single (unnamed) bundle manifest location. +// // Deprecated: Use WriteManifestToStore and named bundles instead. func LegacyEraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) error { err := store.Write(ctx, txn, storage.RemoveOp, legacyManifestStoragePath, nil) 
@@ -1212,12 +1214,14 @@ func LegacyEraseManifestFromStore(ctx context.Context, store storage.Store, txn
 }

 // LegacyReadRevisionFromStore will read the bundle manifest revision from the older single (unnamed) bundle manifest location.
+//
 // Deprecated: Use ReadBundleRevisionFromStore and named bundles instead.
 func LegacyReadRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) (string, error) {
 return readRevisionFromStore(ctx, store, txn, legacyRevisionStoragePath)
 }

 // ActivateLegacy calls Activate for the bundles but will also write their manifest to the older unnamed store location.
+//
 // Deprecated: Use Activate with named bundles instead.
 func ActivateLegacy(opts *ActivateOpts) error {
 opts.legacy = true
diff --git a/vendor/github.com/open-policy-agent/opa/v1/loader/loader.go b/vendor/github.com/open-policy-agent/opa/v1/loader/loader.go
index 42a59d031f..d97e3e5409 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/loader/loader.go
+++ b/vendor/github.com/open-policy-agent/opa/v1/loader/loader.go
@@ -495,6 +495,7 @@ func loadOneSchema(path string) (any, error) {
 }

 // All returns a Result object loaded (recursively) from the specified paths.
+//
 // Deprecated: Use FileLoader.Filtered() instead.
 func All(paths []string) (*Result, error) {
 return NewFileLoader().Filtered(paths, nil)
@@ -503,6 +504,7 @@ func All(paths []string) (*Result, error) {
 // Filtered returns a Result object loaded (recursively) from the specified
 // paths while applying the given filters. If any filter returns true, the
 // file/directory is excluded.
+//
 // Deprecated: Use FileLoader.Filtered() instead.
 func Filtered(paths []string, filter Filter) (*Result, error) {
 return NewFileLoader().Filtered(paths, filter)
@@ -511,6 +513,7 @@ func Filtered(paths []string, filter Filter) (*Result, error) {
 // AsBundle loads a path as a bundle. If it is a single file
 // it will be treated as a normal tarball bundle. If a directory
 // is supplied it will be loaded as an unzipped bundle tree.
+//
 // Deprecated: Use FileLoader.AsBundle() instead.
 func AsBundle(path string) (*bundle.Bundle, error) {
 return NewFileLoader().AsBundle(path)
@@ -631,11 +634,10 @@ func (l *Result) mergeDocument(path string, doc any) error {
 }

 func (l *Result) withParent(p string) *Result {
- path := append(l.path, p)
 return &Result{
 Documents: l.Documents,
 Modules: l.Modules,
- path: path,
+ path: append(l.path, p),
 }
 }

diff --git a/vendor/github.com/open-policy-agent/opa/v1/plugins/rest/auth.go b/vendor/github.com/open-policy-agent/opa/v1/plugins/rest/auth.go
index 8ec337bd1e..14c2f266ac 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/plugins/rest/auth.go
+++ b/vendor/github.com/open-policy-agent/opa/v1/plugins/rest/auth.go
@@ -250,9 +250,8 @@ func convertPointsToBase64(alg string, r, s []byte) (string, error) {
 copy(rBytesPadded[keyBytes-len(r):], r)
 sBytesPadded := make([]byte, keyBytes)
 copy(sBytesPadded[keyBytes-len(s):], s)
- signatureEnc := append(rBytesPadded, sBytesPadded...)

- return base64.RawURLEncoding.EncodeToString(signatureEnc), nil
+ return base64.RawURLEncoding.EncodeToString(append(rBytesPadded, sBytesPadded...)), nil
 }

 func retrieveCurveBits(alg string) (int, error) {
diff --git a/vendor/github.com/open-policy-agent/opa/v1/rego/rego.go b/vendor/github.com/open-policy-agent/opa/v1/rego/rego.go
index 2c4d8a8d91..f524f2b1bc 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/rego/rego.go
+++ b/vendor/github.com/open-policy-agent/opa/v1/rego/rego.go
@@ -25,6 +25,7 @@ import (
 "github.com/open-policy-agent/opa/v1/bundle"
 "github.com/open-policy-agent/opa/v1/ir"
 "github.com/open-policy-agent/opa/v1/loader"
+ "github.com/open-policy-agent/opa/v1/loader/filter"
 "github.com/open-policy-agent/opa/v1/metrics"
 "github.com/open-policy-agent/opa/v1/plugins"
 "github.com/open-policy-agent/opa/v1/resolver"
@@ -44,7 +45,7 @@ const (
 wasmVarPrefix = "^"
 )

-// nolint: deadcode,varcheck
+// nolint:varcheck
 const (
 targetWasm = "wasm"
 targetRego = "rego"
@@ -235,6 +236,7 @@ func EvalInstrument(instrument bool) EvalOption {
 }

 // EvalTracer configures a tracer for a Prepared Query's evaluation
+//
 // Deprecated: Use EvalQueryTracer instead.
 func EvalTracer(tracer topdown.Tracer) EvalOption {
 return func(e *EvalContext) {
@@ -670,6 +672,7 @@ type Rego struct {
 regoVersion ast.RegoVersion
 compilerHook func(*ast.Compiler)
 evalMode *ast.CompilerEvalMode
+ filter filter.LoaderFilter
 }

 func (r *Rego) RegoVersion() ast.RegoVersion {
@@ -1046,6 +1049,12 @@ func LoadBundle(path string) func(r *Rego) {
 }
 }

+func WithFilter(f filter.LoaderFilter) func(r *Rego) {
+ return func(r *Rego) {
+ r.filter = f
+ }
+}
+
 // ParsedBundle returns an argument that adds a bundle to be loaded.
 func ParsedBundle(name string, b *bundle.Bundle) func(r *Rego) {
 return func(r *Rego) {
@@ -1115,6 +1124,7 @@ func Trace(yes bool) func(r *Rego) {
 }

 // Tracer returns an argument that adds a query tracer to r.
+//
 // Deprecated: Use QueryTracer instead.
 func Tracer(t topdown.Tracer) func(r *Rego) {
 return func(r *Rego) {
@@ -2044,6 +2054,7 @@ func (r *Rego) loadBundles(_ context.Context, _ storage.Transaction, m metrics.M
 WithSkipBundleVerification(r.skipBundleVerification).
 WithRegoVersion(r.regoVersion).
 WithCapabilities(r.capabilities).
+ WithFilter(r.filter).
 AsBundle(path)
 if err != nil {
 return fmt.Errorf("loading error: %s", err)
diff --git a/vendor/github.com/open-policy-agent/opa/v1/storage/inmem/inmem.go b/vendor/github.com/open-policy-agent/opa/v1/storage/inmem/inmem.go
index cdc43424dd..9fa145a051 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/storage/inmem/inmem.go
+++ b/vendor/github.com/open-policy-agent/opa/v1/storage/inmem/inmem.go
@@ -349,10 +349,25 @@ func (h *handle) Unregister(_ context.Context, txn storage.Transaction) {
 }

 func (db *store) runOnCommitTriggers(ctx context.Context, txn storage.Transaction, event storage.TriggerEvent) {
- if db.returnASTValuesOnRead && len(db.triggers) > 0 {
- // FIXME: Not very performant for large data.
+ // While it's unlikely, the API allows one trigger to be configured to want
+ // data conversion, and another that doesn't. So let's handle that properly.
+ var wantsDataConversion bool
+ if db.returnASTValuesOnRead && len(event.Data) > 0 {
+ for _, t := range db.triggers {
+ if !t.SkipDataConversion {
+ wantsDataConversion = true
+ break
+ }
+ }
+ }

- dataEvents := make([]storage.DataEvent, 0, len(event.Data))
+ var converted storage.TriggerEvent
+ if wantsDataConversion {
+ converted = storage.TriggerEvent{
+ Policy: event.Policy,
+ Data: make([]storage.DataEvent, 0, len(event.Data)),
+ Context: event.Context,
+ }

 for _, dataEvent := range event.Data {
 if astData, ok := dataEvent.Data.(ast.Value); ok {
@@ -360,25 +375,21 @@ func (db *store) runOnCommitTriggers(ctx context.Context, txn storage.Transactio
 if err != nil {
 panic(err)
 }
- dataEvents = append(dataEvents, storage.DataEvent{
+ converted.Data = append(converted.Data, storage.DataEvent{
 Path: dataEvent.Path,
 Data: jsn,
 Removed: dataEvent.Removed,
 })
- } else {
- dataEvents = append(dataEvents, dataEvent)
 }
 }
-
- event = storage.TriggerEvent{
- Policy: event.Policy,
- Data: dataEvents,
- Context: event.Context,
- }
 }

 for _, t := range db.triggers {
- t.OnCommit(ctx, txn, event)
+ if wantsDataConversion && !t.SkipDataConversion {
+ t.OnCommit(ctx, txn, converted)
+ } else {
+ t.OnCommit(ctx, txn, event)
+ }
 }
 }

diff --git a/vendor/github.com/open-policy-agent/opa/v1/storage/interface.go b/vendor/github.com/open-policy-agent/opa/v1/storage/interface.go
index a783caae09..8407c878c2 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/storage/interface.go
+++ b/vendor/github.com/open-policy-agent/opa/v1/storage/interface.go
@@ -210,6 +210,10 @@ func (e TriggerEvent) DataChanged() bool {

 // TriggerConfig contains the trigger registration configuration.
 type TriggerConfig struct {
+ // SkipDataConversion when set to true, avoids converting data passed to
+ // trigger functions from the store to Go types, and instead passes the
+ // original representation (e.g., ast.Value).
+ SkipDataConversion bool

 // OnCommit is invoked when a transaction is successfully committed. The
 // callback is invoked with a handle to the write transaction that
diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/builtins/builtins.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/builtins/builtins.go
index 7a1bdede6b..98d80b5f9b 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/topdown/builtins/builtins.go
+++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/builtins/builtins.go
@@ -209,8 +209,7 @@ func SetOperand(x ast.Value, pos int) (ast.Set, error) {
 return s, nil
 }

-// StringOperand converts x to a string. If the cast fails, a descriptive error is
-// returned.
+// StringOperand returns x as [ast.String], or a descriptive error if the conversion fails.
 func StringOperand(x ast.Value, pos int) (ast.String, error) {
 s, ok := x.(ast.String)
 if !ok {
@@ -219,6 +218,17 @@ func StringOperand(x ast.Value, pos int) (ast.String, error) {
 return s, nil
 }

+// StringOperandByteSlice returns x a []byte, assuming x is [ast.String], or a descriptive error
+// if that is not the case. The returned byte slice points directly at the underlying array backing
+// the string, and should not be modified.
+func StringOperandByteSlice(x ast.Value, pos int) ([]byte, error) {
+ s, err := StringOperand(x, pos)
+ if err != nil {
+ return nil, err
+ }
+ return util.StringToByteSlice(string(s)), nil
+}
+
 // ObjectOperand converts x to an object. If the cast fails, a descriptive
 // error is returned.
 func ObjectOperand(x ast.Value, pos int) (ast.Object, error) {
diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/crypto.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/crypto.go
index 144c01ee95..f4ca23fae5 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/topdown/crypto.go
+++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/crypto.go
@@ -255,17 +255,17 @@ func extractVerifyOpts(options ast.Object) (verifyOpt x509.VerifyOptions, err er
 }

 func builtinCryptoX509ParseKeyPair(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error {
- certificate, err := builtins.StringOperand(operands[0].Value, 1)
+ certificate, err := builtins.StringOperandByteSlice(operands[0].Value, 1)
 if err != nil {
 return err
 }

- key, err := builtins.StringOperand(operands[1].Value, 1)
+ key, err := builtins.StringOperandByteSlice(operands[1].Value, 1)
 if err != nil {
 return err
 }

- certs, err := getTLSx509KeyPairFromString([]byte(certificate), []byte(key))
+ certs, err := getTLSx509KeyPairFromString(certificate, key)
 if err != nil {
 return err
 }
@@ -326,10 +326,7 @@ func builtinCryptoX509ParseCertificateRequest(_ BuiltinContext, operands []*ast.
 }

 func builtinCryptoJWKFromPrivateKey(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error {
- var x any
-
- a := operands[0].Value
- input, err := builtins.StringOperand(a, 1)
+ input, err := builtins.StringOperand(operands[0].Value, 1)
 if err != nil {
 return err
 }
@@ -371,6 +368,7 @@ func builtinCryptoJWKFromPrivateKey(_ BuiltinContext, operands []*ast.Term, iter
 return err
 }

+ var x any
 if err := util.UnmarshalJSON(jsonKey, &x); err != nil {
 return err
 }
@@ -430,53 +428,51 @@ func toHexEncodedString(src []byte) string { } func builtinCryptoMd5(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - s, err := builtins.StringOperand(operands[0].Value, 1) + bs, err := builtins.StringOperandByteSlice(operands[0].Value, 1) if err != nil { return err } - md5sum := md5.Sum([]byte(s)) + md5sum := md5.Sum(bs) return iter(ast.StringTerm(toHexEncodedString(md5sum[:]))) } func builtinCryptoSha1(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - s, err := builtins.StringOperand(operands[0].Value, 1) + bs, err := builtins.StringOperandByteSlice(operands[0].Value, 1) if err != nil { return err } - sha1sum := sha1.Sum([]byte(s)) + sha1sum := sha1.Sum(bs) return iter(ast.StringTerm(toHexEncodedString(sha1sum[:]))) } func builtinCryptoSha256(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - s, err := builtins.StringOperand(operands[0].Value, 1) + bs, err := builtins.StringOperandByteSlice(operands[0].Value, 1) if err != nil { return err } - sha256sum := sha256.Sum256([]byte(s)) + sha256sum := sha256.Sum256(bs) return iter(ast.StringTerm(toHexEncodedString(sha256sum[:]))) } func hmacHelper(operands []*ast.Term, iter func(*ast.Term) error, h func() hash.Hash) error { - a1 := operands[0].Value - message, err := builtins.StringOperand(a1, 1) + message, err := builtins.StringOperandByteSlice(operands[0].Value, 1) if err != nil { return err } - a2 := operands[1].Value - key, err := builtins.StringOperand(a2, 2) + key, err := builtins.StringOperandByteSlice(operands[1].Value, 2) if err != nil { return err } - mac := hmac.New(h, []byte(key)) - mac.Write([]byte(message)) + mac := hmac.New(h, key) + mac.Write(message) messageDigest := mac.Sum(nil) return iter(ast.StringTerm(hex.EncodeToString(messageDigest))) 
@@ -499,21 +495,17 @@ func builtinCryptoHmacSha512(_ BuiltinContext, operands []*ast.Term, iter func(*
 }

 func builtinCryptoHmacEqual(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error {
- a1 := operands[0].Value
- mac1, err := builtins.StringOperand(a1, 1)
+ mac1, err := builtins.StringOperandByteSlice(operands[0].Value, 1)
 if err != nil {
 return err
 }

- a2 := operands[1].Value
- mac2, err := builtins.StringOperand(a2, 2)
+ mac2, err := builtins.StringOperandByteSlice(operands[1].Value, 2)
 if err != nil {
 return err
 }

- res := hmac.Equal([]byte(mac1), []byte(mac2))
-
- return iter(ast.InternedTerm(res))
+ return iter(ast.InternedTerm(hmac.Equal(mac1, mac2)))
 }

 func init() {
@@ -668,7 +660,7 @@ func addCACertsFromFile(pool *x509.CertPool, filePath string) (*x509.CertPool, e
 pool = x509.NewCertPool()
 }

- caCert, err := readCertFromFile(filePath)
+ caCert, err := os.ReadFile(filePath)
 if err != nil {
 return nil, err
 }
@@ -703,17 +695,7 @@ func addCACertsFromEnv(pool *x509.CertPool, envName string) (*x509.CertPool, err
 return nil, fmt.Errorf("could not add CA certificates from envvar %q: %w", envName, err)
 }

- return pool, err
-}
-
-// ReadCertFromFile reads a cert from file
-func readCertFromFile(localCertFile string) ([]byte, error) {
- // Read in the cert file
- certPEM, err := os.ReadFile(localCertFile)
- if err != nil {
- return nil, err
- }
- return certPEM, nil
+ return pool, nil
 }

 var beginPrefix = []byte("-----BEGIN ")
@@ -771,13 +753,3 @@ func getTLSx509KeyPairFromString(certPemBlock []byte, keyPemBlock []byte) (*tls.

 return &cert, nil
 }
-
-// ReadKeyFromFile reads a key from file
-func readKeyFromFile(localKeyFile string) ([]byte, error) {
- // Read in the cert file
- key, err := os.ReadFile(localKeyFile)
- if err != nil {
- return nil, err
- }
- return key, nil
-}
diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/encoding.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/encoding.go index 541b50d0a9..1d11d39981 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/topdown/encoding.go +++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/encoding.go @@ -5,7 +5,6 @@ package topdown import ( - "bytes" "encoding/base64" "encoding/hex" "encoding/json" @@ -21,7 +20,6 @@ import ( ) func builtinJSONMarshal(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - asJSON, err := ast.JSON(operands[0].Value) if err != nil { return err @@ -32,11 +30,10 @@ func builtinJSONMarshal(_ BuiltinContext, operands []*ast.Term, iter func(*ast.T return err } - return iter(ast.StringTerm(string(bs))) + return iter(ast.StringTerm(util.ByteSliceToString(bs))) } func builtinJSONMarshalWithOpts(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - asJSON, err := ast.JSON(operands[0].Value) if err != nil { return err 
@@ -101,36 +98,34 @@ func builtinJSONMarshalWithOpts(_ BuiltinContext, operands []*ast.Term, iter fun } var bs []byte - if shouldPrettyPrint { bs, err = json.MarshalIndent(asJSON, prefixWith, indentWith) } else { bs, err = json.Marshal(asJSON) } - if err != nil { return err } + s := util.ByteSliceToString(bs) + if shouldPrettyPrint { // json.MarshalIndent() function will not prefix the first line of emitted JSON - return iter(ast.StringTerm(prefixWith + string(bs))) + return iter(ast.StringTerm(prefixWith + s)) } - return iter(ast.StringTerm(string(bs))) + return iter(ast.StringTerm(s)) } func builtinJSONUnmarshal(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - - str, err := builtins.StringOperand(operands[0].Value, 1) + bs, err := builtins.StringOperandByteSlice(operands[0].Value, 1) if err != nil { return err } var x any - - if err := util.UnmarshalJSON([]byte(str), &x); err != nil { + if err := util.UnmarshalJSON(bs, &x); err != nil { return err } v, err := ast.InterfaceToValue(x) 
@@ -141,22 +136,21 @@ func builtinJSONUnmarshal(_ BuiltinContext, operands []*ast.Term, iter func(*ast } func builtinJSONIsValid(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - - str, err := builtins.StringOperand(operands[0].Value, 1) + bs, err := builtins.StringOperandByteSlice(operands[0].Value, 1) if err != nil { return iter(ast.InternedTerm(false)) } - return iter(ast.InternedTerm(json.Valid([]byte(str)))) + return iter(ast.InternedTerm(json.Valid(bs))) } func builtinBase64Encode(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - str, err := builtins.StringOperand(operands[0].Value, 1) + bs, err := builtins.StringOperandByteSlice(operands[0].Value, 1) if err != nil { return err } - return iter(ast.StringTerm(base64.StdEncoding.EncodeToString([]byte(str)))) + return iter(ast.StringTerm(base64.StdEncoding.EncodeToString(bs))) } func builtinBase64Decode(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { 
@@ -183,20 +177,20 @@ func builtinBase64IsValid(_ BuiltinContext, operands []*ast.Term, iter func(*ast } func builtinBase64UrlEncode(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - str, err := builtins.StringOperand(operands[0].Value, 1) + bs, err := builtins.StringOperandByteSlice(operands[0].Value, 1) if err != nil { return err } - return iter(ast.StringTerm(base64.URLEncoding.EncodeToString([]byte(str)))) + return iter(ast.StringTerm(base64.URLEncoding.EncodeToString(bs))) } func builtinBase64UrlEncodeNoPad(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - str, err := builtins.StringOperand(operands[0].Value, 1) + bs, err := builtins.StringOperandByteSlice(operands[0].Value, 1) if err != nil { return err } - return iter(ast.StringTerm(base64.RawURLEncoding.EncodeToString([]byte(str)))) + return iter(ast.StringTerm(base64.RawURLEncoding.EncodeToString(bs))) } func builtinBase64UrlDecode(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { 
@@ -306,45 +300,39 @@ func builtinURLQueryDecodeObject(_ BuiltinContext, operands []*ast.Term, iter fu } func builtinYAMLMarshal(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - asJSON, err := ast.JSON(operands[0].Value) if err != nil { return err } - var buf bytes.Buffer - encoder := json.NewEncoder(&buf) - if err := encoder.Encode(asJSON); err != nil { - return err - } - - bs, err := yaml.JSONToYAML(buf.Bytes()) + bs, err := yaml.Marshal(asJSON) if err != nil { return err } - return iter(ast.StringTerm(string(bs))) + return iter(ast.StringTerm(util.ByteSliceToString(bs))) } func builtinYAMLUnmarshal(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - - str, err := builtins.StringOperand(operands[0].Value, 1) + bs, err := builtins.StringOperandByteSlice(operands[0].Value, 1) if err != nil { return err } - bs, err := yaml.YAMLToJSON([]byte(str)) + js, err := yaml.YAMLToJSON(bs) if err != nil { return err } - buf := bytes.NewBuffer(bs) - decoder := util.NewJSONDecoder(buf) + reader := ast.BytesReaderPool.Get() + defer ast.BytesReaderPool.Put(reader) + reader.Reset(js) + var val any - err = decoder.Decode(&val) - if err != nil { + if err = util.NewJSONDecoder(reader).Decode(&val); err != nil { return err } + v, err := ast.InterfaceToValue(val) if err != nil { return err 
@@ -353,22 +341,22 @@ func builtinYAMLUnmarshal(_ BuiltinContext, operands []*ast.Term, iter func(*ast } func builtinYAMLIsValid(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - str, err := builtins.StringOperand(operands[0].Value, 1) + bs, err := builtins.StringOperandByteSlice(operands[0].Value, 1) if err != nil { return iter(ast.InternedTerm(false)) } var x any - err = yaml.Unmarshal([]byte(str), &x) + err = yaml.Unmarshal(bs, &x) return iter(ast.InternedTerm(err == nil)) } func builtinHexEncode(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - str, err := builtins.StringOperand(operands[0].Value, 1) + bs, err := builtins.StringOperandByteSlice(operands[0].Value, 1) if err != nil { return err } - return iter(ast.StringTerm(hex.EncodeToString([]byte(str)))) + return iter(ast.StringTerm(hex.EncodeToString(bs))) } func builtinHexDecode(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/eval.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/eval.go index f05fd9d94a..023bb0025f 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/topdown/eval.go +++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/eval.go 
@@ -119,25 +119,52 @@ type eval struct { defined bool } -type evp struct { - pool sync.Pool +type ( + evfp struct{ pool sync.Pool } + evbp struct{ pool sync.Pool } +) + +func (ep *evfp) Put(e *evalFunc) { + if e != nil { + e.e, e.terms, e.ir = nil, nil, nil + ep.pool.Put(e) + } } -func (ep *evp) Put(e *eval) { - ep.pool.Put(e) +func (ep *evfp) Get() *evalFunc { + return ep.pool.Get().(*evalFunc) } -func (ep *evp) Get() *eval { - return ep.pool.Get().(*eval) +func (ep *evbp) Put(e *evalBuiltin) { + if e != nil { + e.e, e.bi, e.bctx, e.f, e.terms = nil, nil, nil, nil, nil + ep.pool.Put(e) + } } -var evalPool = evp{ - pool: sync.Pool{ - New: func() any { - return &eval{} +func (ep *evbp) Get() *evalBuiltin { + return ep.pool.Get().(*evalBuiltin) +} + +var ( + evalPool = util.NewSyncPool[eval]() + deecPool = util.NewSyncPool[deferredEarlyExitContainer]() + resolverPool = util.NewSyncPool[evalResolver]() + evalFuncPool = &evfp{ + pool: sync.Pool{ + New: func() any { + return &evalFunc{} + }, }, - }, -} + } + evalBuiltinPool = &evbp{ + pool: sync.Pool{ + New: func() any { + return &evalBuiltin{} + }, + }, + } +) func (e *eval) Run(iter evalIterator) error { if !e.traceEnabled { @@ -401,9 +428,11 @@ func (e *eval) evalExpr(iter evalIterator) error { } return nil } - expr := e.query[e.index] - e.traceEval(expr) + expr := e.query[e.index] + if e.traceEnabled { + e.traceEval(expr) + } if len(expr.With) > 0 { return e.evalWith(iter) @@ -521,7 +550,7 @@ func (e *eval) evalStep(iter evalIterator) error { // generateVar inlined here to avoid extra allocations in hot path rterm := ast.VarTerm(e.fmtVarTerm()) err = e.unify(terms, rterm, func() error { - if e.saveSet.Contains(rterm, e.bindings) { + if e.saveSet != nil && e.saveSet.Contains(rterm, e.bindings) { return e.saveExpr(ast.NewExpr(rterm), e.bindings, func() error { return iter(e) }) 
@@ -888,7 +917,6 @@ func (e *eval) evalNotPartialSupport(negationID uint64, expr *ast.Expr, unknowns } func (e *eval) evalCall(terms []*ast.Term, iter unifyIterator) error { - ref := terms[0].Value.(ast.Ref) mock, mocked := e.functionMocks.Get(ref) @@ -912,8 +940,8 @@ func (e *eval) evalCall(terms []*ast.Term, iter unifyIterator) error { if ref[0].Equal(ast.DefaultRootDocument) { if mocked { - f := e.compiler.TypeEnv.Get(ref).(*types.Function) - return e.evalCallValue(f.Arity(), terms, mock, iter) + arity := e.compiler.TypeEnv.GetByRef(ref).(*types.Function).Arity() + return e.evalCallValue(arity, terms, mock, iter) } var ir *ast.IndexResult @@ -928,11 +956,13 @@ func (e *eval) evalCall(terms []*ast.Term, iter unifyIterator) error { return err } - eval := evalFunc{ - e: e, - terms: terms, - ir: ir, - } + eval := evalFuncPool.Get() + defer evalFuncPool.Put(eval) + + eval.e = e + eval.terms = terms + eval.ir = ir + return eval.eval(iter) } @@ -991,13 +1021,14 @@ func (e *eval) evalCall(terms []*ast.Term, iter unifyIterator) error { } } - eval := evalBuiltin{ - e: e, - bi: bi, - bctx: bctx, - f: f, - terms: terms[1:], - } + eval := evalBuiltinPool.Get() + defer evalBuiltinPool.Put(eval) + + eval.e = e + eval.bi = bi + eval.bctx = bctx + eval.f = f + eval.terms = terms[1:] return eval.eval(iter) } @@ -1054,7 +1085,9 @@ func (e *eval) biunify(a, b *ast.Term, b1, b2 *bindings, iter unifyIterator) err case ast.Var, ast.Ref, *ast.ArrayComprehension: return e.biunifyValues(a, b, b1, b2, iter) case *ast.Array: - return e.biunifyArrays(vA, vB, b1, b2, iter) + if vA.Len() == vB.Len() { + return e.biunifyArraysRec(vA, vB, b1, b2, iter, 0) + } } case ast.Object: switch vB := b.Value.(type) { 
@@ -1069,13 +1102,6 @@ func (e *eval) biunify(a, b *ast.Term, b1, b2 *bindings, iter unifyIterator) err return nil } -func (e *eval) biunifyArrays(a, b *ast.Array, b1, b2 *bindings, iter unifyIterator) error { - if a.Len() != b.Len() { - return nil - } - return e.biunifyArraysRec(a, b, b1, b2, iter, 0) -} - func (e *eval) biunifyArraysRec(a, b *ast.Array, b1, b2 *bindings, iter unifyIterator, idx int) error { if idx == a.Len() { return iter() @@ -1643,7 +1669,7 @@ func (e *eval) getRules(ref ast.Ref, args []*ast.Term) (*ast.IndexResult, error) return nil, nil } - resolver := resolverPool.Get().(*evalResolver) + resolver := resolverPool.Get() defer func() { resolver.e = nil resolver.args = nil @@ -1698,14 +1724,6 @@ type evalResolver struct { args []*ast.Term } -var ( - resolverPool = sync.Pool{ - New: func() any { - return &evalResolver{} - }, - } -) - func (e *evalResolver) Resolve(ref ast.Ref) (ast.Value, error) { e.e.instr.startTimer(evalOpResolve) @@ -2052,8 +2070,7 @@ type evalFunc struct { terms []*ast.Term } -func (e evalFunc) eval(iter unifyIterator) error { - +func (e *evalFunc) eval(iter unifyIterator) error { if e.ir.Empty() { return nil } @@ -2065,13 +2082,13 @@ func (e evalFunc) eval(iter unifyIterator) error { argCount = len(e.ir.Default.Head.Args) } - if len(e.ir.Else) > 0 && e.e.unknown(e.e.query[e.e.index], e.e.bindings) { - // Partial evaluation of ordered rules is not supported currently. Save the - // expression and continue. This could be revisited in the future. - return e.e.saveCall(argCount, e.terms, iter) - } - if e.e.partial() { + if len(e.ir.Else) > 0 && e.e.unknown(e.e.query[e.e.index], e.e.bindings) { + // Partial evaluation of ordered rules is not supported currently. Save the + // expression and continue. This could be revisited in the future. + return e.e.saveCall(argCount, e.terms, iter) + } + var mustGenerateSupport bool if defRule := e.ir.Default; defRule != nil { 
@@ -2109,7 +2126,7 @@ func (e evalFunc) eval(iter unifyIterator) error { return e.evalValue(iter, argCount, e.ir.EarlyExit) } -func (e evalFunc) evalValue(iter unifyIterator, argCount int, findOne bool) error { +func (e *evalFunc) evalValue(iter unifyIterator, argCount int, findOne bool) error { var cacheKey ast.Ref if !e.e.partial() { var hit bool @@ -2194,7 +2211,7 @@ func (e evalFunc) evalValue(iter unifyIterator, argCount int, findOne bool) erro }) } -func (e evalFunc) evalCache(argCount int, iter unifyIterator) (ast.Ref, bool, error) { +func (e *evalFunc) evalCache(argCount int, iter unifyIterator) (ast.Ref, bool, error) { plen := len(e.terms) if plen == argCount+2 { // func name + output = 2 plen -= 1 @@ -2226,7 +2243,7 @@ func (e evalFunc) evalCache(argCount int, iter unifyIterator) (ast.Ref, bool, er return cacheKey, false, nil } -func (e evalFunc) evalOneRule(iter unifyIterator, rule *ast.Rule, args []*ast.Term, cacheKey ast.Ref, prev *ast.Term, findOne bool) (*ast.Term, error) { +func (e *evalFunc) evalOneRule(iter unifyIterator, rule *ast.Rule, args []*ast.Term, cacheKey ast.Ref, prev *ast.Term, findOne bool) (*ast.Term, error) { child := evalPool.Get() defer evalPool.Put(child) @@ -2288,7 +2305,7 @@ func (e evalFunc) evalOneRule(iter unifyIterator, rule *ast.Rule, args []*ast.Te return result, err } -func (e evalFunc) partialEvalSupport(declArgsLen int, iter unifyIterator) error { +func (e *evalFunc) partialEvalSupport(declArgsLen int, iter unifyIterator) error { path := e.e.namespaceRef(e.terms[0].Value.(ast.Ref)) if !e.e.saveSupport.Exists(path) { @@ -2316,7 +2333,7 @@ func (e evalFunc) partialEvalSupport(declArgsLen int, iter unifyIterator) error return e.e.saveCall(declArgsLen, append([]*ast.Term{term}, e.terms[1:]...), iter) } -func (e evalFunc) partialEvalSupportRule(rule *ast.Rule, path ast.Ref) error { +func (e *evalFunc) partialEvalSupportRule(rule *ast.Rule, path ast.Ref) error { child := evalPool.Get() defer evalPool.Put(child) 
@@ -2395,12 +2412,6 @@ func (dc *deferredEarlyExitContainer) copyError() *deferredEarlyExitError {
 return &cpy
 }

-var deecPool = sync.Pool{
- New: func() any {
- return &deferredEarlyExitContainer{}
- },
-}
-
 type evalTree struct {
 e *eval
 bindings *bindings
@@ -2486,7 +2497,7 @@ func (e evalTree) enumerate(iter unifyIterator) error {
 return err
 }

- dc := deecPool.Get().(*deferredEarlyExitContainer)
+ dc := deecPool.Get()
 dc.deferred = nil
 defer deecPool.Put(dc)

diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/http.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/http.go
index 36c622e5a4..a522425c0d 100644
--- a/vendor/github.com/open-policy-agent/opa/v1/topdown/http.go
+++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/http.go
@@ -314,7 +314,6 @@ func validateHTTPRequestOperand(term *ast.Term, pos int) (ast.Object, error) {
 }

 return obj, nil
-
 }

 // canonicalizeHeaders returns a copy of the headers where the keys are in
@@ -333,7 +332,7 @@ func canonicalizeHeaders(headers map[string]any) map[string]any {
 // a DialContext that opens a socket (specified in the http call).
 // The url is expected to contain socket=/path/to/socket (url encoded)
 // Ex. "unix://localhost/end/point?socket=%2Ftmp%2Fhttp.sock"
-func useSocket(rawURL string, tlsConfig *tls.Config) (bool, string, *http.Transport) {
+func useSocket(rawURL string) (bool, string, *http.Transport) {
 u, err := url.Parse(rawURL)
 if err != nil {
 return false, "", nil
@@ -362,7 +361,6 @@ func useSocket(rawURL string, tlsConfig *tls.Config) (bool, string, *http.Transp
 tr.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
 return http.DefaultTransport.(*http.Transport).DialContext(ctx, "unix", socket)
 }
- tr.TLSClientConfig = tlsConfig
 tr.DisableKeepAlives = true

 return true, u.String(), tr
@@ -533,6 +531,10 @@ func createHTTPRequest(bctx BuiltinContext, obj ast.Object) (*http.Request, *htt } } + if len(customHeaders) != 0 { + customHeaders = canonicalizeHeaders(customHeaders) + } + isTLS := false client := &http.Client{ Timeout: timeout, @@ -579,13 +581,6 @@ func createHTTPRequest(bctx BuiltinContext, obj ast.Object) (*http.Request, *htt tlsConfig.Certificates = append(tlsConfig.Certificates, cert) } - // Use system certs if no CA cert is provided - // or system certs flag is not set - if len(tlsCaCert) == 0 && tlsCaCertFile == "" && tlsCaCertEnvVar == "" && tlsUseSystemCerts == nil { - trueValue := true - tlsUseSystemCerts = &trueValue - } - // Check the system certificates config first so that we // load additional certificated into the correct pool. if tlsUseSystemCerts != nil && *tlsUseSystemCerts && runtime.GOOS != "windows" { 
@@ -629,21 +624,31 @@ func createHTTPRequest(bctx BuiltinContext, obj ast.Object) (*http.Request, *htt tlsConfig.RootCAs = pool } + // If Host header is set, use it for TLS server name. + if host, hasHost := customHeaders["Host"]; hasHost { + // Only default the ServerName if the caller has + // specified the host. If we don't specify anything, + // Go will default to the target hostname. This name + // is not the same as the default that Go populates + // `req.Host` with, which is why we don't just set + // this unconditionally. + isTLS = true + tlsConfig.ServerName, _ = host.(string) + } + + if tlsServerName != "" { + isTLS = true + tlsConfig.ServerName = tlsServerName + } + var transport *http.Transport - if isTLS { - if ok, parsedURL, tr := useSocket(url, &tlsConfig); ok { - transport = tr - url = parsedURL - } else { - transport = http.DefaultTransport.(*http.Transport).Clone() - transport.TLSClientConfig = &tlsConfig - transport.DisableKeepAlives = true - } - } else { - if ok, parsedURL, tr := useSocket(url, nil); ok { - transport = tr - url = parsedURL - } + if ok, parsedURL, tr := useSocket(url); ok { + transport = tr + url = parsedURL + } else if isTLS { + transport = http.DefaultTransport.(*http.Transport).Clone() + transport.TLSClientConfig = &tlsConfig + transport.DisableKeepAlives = true } if bctx.RoundTripper != nil { @@ -676,8 +681,6 @@ func createHTTPRequest(bctx BuiltinContext, obj ast.Object) (*http.Request, *htt // Add custom headers if len(customHeaders) != 0 { - customHeaders = canonicalizeHeaders(customHeaders) - for k, v := range customHeaders { header, ok := v.(string) if !ok { 
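Review bot: The `tlsConfig` built earlier in createHTTPRequest (`Certificates`, `RootCAs`, `ServerName`) is dropped without any signal when the URL is a socket URL, because `if ok, parsedURL, tr := useSocket(url); ok` is now tried before `else if isTLS`, and the useSocket hunk removes `tr.TLSClientConfig = tlsConfig`. Whether the old assignment ever had an effect on a socket connection is not visible here, but a caller that passes TLS options with a socket URL should either get an error or find the behaviour documented, e.g. `// TLS options are ignored for unix-socket transports`. In the same hunk, `tlsConfig.ServerName, _ = host.(string)` sets `isTLS = true` and leaves `ServerName` empty when the `Host` value is not a string; the string check only happens later in the header loop. createHTTPRequest begins and ends outside the hunk.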
@@ -697,21 +700,9 @@ func createHTTPRequest(bctx BuiltinContext, obj ast.Object) (*http.Request, *htt if host, hasHost := customHeaders["Host"]; hasHost { host := host.(string) // We already checked that it's a string. req.Host = host - - // Only default the ServerName if the caller has - // specified the host. If we don't specify anything, - // Go will default to the target hostname. This name - // is not the same as the default that Go populates - // `req.Host` with, which is why we don't just set - // this unconditionally. - tlsConfig.ServerName = host } } - if tlsServerName != "" { - tlsConfig.ServerName = tlsServerName - } - if len(bctx.DistributedTracingOpts) > 0 { client.Transport = tracing.NewTransport(client.Transport, bctx.DistributedTracingOpts) } @@ -1192,7 +1183,8 @@ func newInterQueryCacheData(bctx BuiltinContext, resp *http.Response, respBody [ RespBody: respBody, Status: resp.Status, StatusCode: resp.StatusCode, - Headers: resp.Header} + Headers: resp.Header, + } return &cv, nil } @@ -1222,7 +1214,8 @@ func (c *interQueryCacheData) Clone() (cache.InterQueryCacheValue, error) { RespBody: dup, Status: c.Status, StatusCode: c.StatusCode, - Headers: c.Headers.Clone()}, nil + Headers: c.Headers.Clone(), + }, nil } type responseHeaders struct { @@ -1384,7 +1377,6 @@ func parseMaxAgeCacheDirective(cc map[string]string) (deltaSeconds, error) { } func formatHTTPResponseToAST(resp *http.Response, forceJSONDecode, forceYAMLDecode bool) (ast.Value, []byte, error) { - resultRawBody, err := io.ReadAll(resp.Body) if err != nil { return nil, nil, err diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/query.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/query.go index aadcc060cf..f81402eb32 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/topdown/query.go +++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/query.go 
@@ -121,6 +121,7 @@ func (q *Query) WithInput(input *ast.Term) *Query { } // WithTracer adds a query tracer to use during evaluation. This is optional. +// // Deprecated: Use WithQueryTracer instead. func (q *Query) WithTracer(tracer Tracer) *Query { qt, ok := tracer.(QueryTracer) diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/regex.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/regex.go index 1d2906ee2e..f5780f9b78 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/topdown/regex.go +++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/regex.go @@ -7,6 +7,7 @@ package topdown import ( "fmt" "regexp" + "regexp/syntax" "sync" gintersect "github.com/yashtewari/glob-intersection" @@ -15,25 +16,24 @@ import ( "github.com/open-policy-agent/opa/v1/topdown/builtins" ) -const regexCacheMaxSize = 100 -const regexInterQueryValueCacheHits = "rego_builtin_regex_interquery_value_cache_hits" +const ( + regexCacheMaxSize = 100 + regexInterQueryValueCacheHits = "rego_builtin_regex_interquery_value_cache_hits" +) -var regexpCacheLock = sync.Mutex{} -var regexpCache map[string]*regexp.Regexp +var ( + regexpCacheLock = sync.RWMutex{} + regexpCache = make(map[string]*regexp.Regexp) +) func builtinRegexIsValid(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - - s, err := builtins.StringOperand(operands[0].Value, 1) - if err != nil { - return iter(ast.InternedTerm(false)) + if s, err := builtins.StringOperand(operands[0].Value, 1); err == nil { + if _, err = syntax.Parse(string(s), syntax.Perl); err == nil { + return iter(ast.InternedTerm(true)) + } } - _, err = regexp.Compile(string(s)) - if err != nil { - return iter(ast.InternedTerm(false)) - } - - return iter(ast.InternedTerm(true)) + return iter(ast.InternedTerm(false)) } func builtinRegexMatch(bctx BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { 
@@ -107,7 +107,8 @@ func builtinRegexSplit(bctx BuiltinContext, operands []*ast.Term, iter func(*ast func getRegexp(bctx BuiltinContext, pat string) (*regexp.Regexp, error) { if bctx.InterQueryBuiltinValueCache != nil { // TODO: Use named cache - val, ok := bctx.InterQueryBuiltinValueCache.Get(ast.String(pat)) + var key ast.Value = ast.String(pat) + val, ok := bctx.InterQueryBuiltinValueCache.Get(key) if ok { res, valid := val.(*regexp.Regexp) if !valid { @@ -124,20 +125,23 @@ func getRegexp(bctx BuiltinContext, pat string) (*regexp.Regexp, error) { if err != nil { return nil, err } - bctx.InterQueryBuiltinValueCache.Insert(ast.String(pat), re) + bctx.InterQueryBuiltinValueCache.Insert(key, re) return re, nil } - regexpCacheLock.Lock() - defer regexpCacheLock.Unlock() + regexpCacheLock.RLock() re, ok := regexpCache[pat] + numCached := len(regexpCache) + regexpCacheLock.RUnlock() if !ok { var err error re, err = regexp.Compile(pat) if err != nil { return nil, err } - if len(regexpCache) >= regexCacheMaxSize { + + regexpCacheLock.Lock() + if numCached >= regexCacheMaxSize { // Delete a (semi-)random key to make room for the new one. for k := range regexpCache { delete(regexpCache, k) @@ -145,21 +149,24 @@ func getRegexp(bctx BuiltinContext, pat string) (*regexp.Regexp, error) { } } regexpCache[pat] = re + regexpCacheLock.Unlock() } return re, nil } func getRegexpTemplate(pat string, delimStart, delimEnd byte) (*regexp.Regexp, error) { - regexpCacheLock.Lock() - defer regexpCacheLock.Unlock() + regexpCacheLock.RLock() re, ok := regexpCache[pat] + regexpCacheLock.RUnlock() if !ok { var err error re, err = compileRegexTemplate(pat, delimStart, delimEnd) if err != nil { return nil, err } + regexpCacheLock.Lock() regexpCache[pat] = re + regexpCacheLock.Unlock() } return re, nil } 
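Review bot: The eviction check `if numCached >= regexCacheMaxSize` in getRegexp tests a stale size, because `numCached` is read under `RLock()` and the write lock is only taken after the pattern has been compiled. Goroutines that miss at the same time can each see a count below the limit and all insert, so `regexpCache` can grow past `regexCacheMaxSize`; re-reading the size under the write lock closes the gap: `if len(regexpCache) >= regexCacheMaxSize {`. The getRegexpTemplate hunk inserts into the same map under `Lock()` with no size check at all, which predates this change but matters more if patterns can derive from request data. Both function bodies are only partly visible in the hunks.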
@@ -268,7 +275,6 @@ func builtinRegexReplace(bctx BuiltinContext, operands []*ast.Term, iter func(*a } func init() { - regexpCache = map[string]*regexp.Regexp{} RegisterBuiltinFunc(ast.RegexIsValid.Name, builtinRegexIsValid) RegisterBuiltinFunc(ast.RegexMatch.Name, builtinRegexMatch) RegisterBuiltinFunc(ast.RegexMatchDeprecated.Name, builtinRegexMatch) diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/semver.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/semver.go index 3b79ebd586..1b2ac79038 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/topdown/semver.go +++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/semver.go @@ -23,34 +23,25 @@ func builtinSemVerCompare(_ BuiltinContext, operands []*ast.Term, iter func(*ast return err } - versionA, err := semver.NewVersion(string(versionStringA)) + versionA, err := semver.Parse(string(versionStringA)) if err != nil { return fmt.Errorf("operand 1: string %s is not a valid SemVer", versionStringA) } - versionB, err := semver.NewVersion(string(versionStringB)) + versionB, err := semver.Parse(string(versionStringB)) if err != nil { return fmt.Errorf("operand 2: string %s is not a valid SemVer", versionStringB) } - result := versionA.Compare(*versionB) - - return iter(ast.InternedTerm(result)) + return iter(ast.InternedTerm(versionA.Compare(versionB))) } func builtinSemVerIsValid(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { versionString, err := builtins.StringOperand(operands[0].Value, 1) - if err != nil { - return iter(ast.InternedTerm(false)) + if err == nil { + _, err = semver.Parse(string(versionString)) } - result := true - - _, err = semver.NewVersion(string(versionString)) - if err != nil { - result = false - } - - return iter(ast.InternedTerm(result)) + return iter(ast.InternedTerm(err == nil)) } func init() { 
diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/tokens.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/tokens.go index aea15dd26a..8e9b6779d4 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/topdown/tokens.go +++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/tokens.go @@ -428,7 +428,7 @@ func builtinJWTVerify(bctx BuiltinContext, jwt ast.Value, keyStr ast.Value, hash // If a match is found, verify using only that key. Only applicable when a JWKS was provided. if header.kid != "" { if key := getKeyByKid(header.kid, keys); key != nil { - err = verify(key.key, getInputSHA([]byte(token.header+"."+token.payload), hasher), []byte(signature)) + err = verify(key.key, getInputSHA([]byte(token.header+"."+token.payload), hasher), signature) return done(err == nil) } @@ -440,7 +440,7 @@ func builtinJWTVerify(bctx BuiltinContext, jwt ast.Value, keyStr ast.Value, hash if key.alg == "" { // No algorithm provided for the key - this is likely a certificate and not a JWKS, so // we'll need to verify to find out - err = verify(key.key, getInputSHA([]byte(token.header+"."+token.payload), hasher), []byte(signature)) + err = verify(key.key, getInputSHA([]byte(token.header+"."+token.payload), hasher), signature) if err == nil { return done(true) } @@ -448,7 +448,7 @@ func builtinJWTVerify(bctx BuiltinContext, jwt ast.Value, keyStr ast.Value, hash if header.alg != key.alg { continue } - err = verify(key.key, getInputSHA([]byte(token.header+"."+token.payload), hasher), []byte(signature)) + err = verify(key.key, getInputSHA([]byte(token.header+"."+token.payload), hasher), signature) if err == nil { return done(true) } @@ -509,7 +509,7 @@ func builtinJWTVerifyHS(bctx BuiltinContext, operands []*ast.Term, hashF func() return err } - valid := hmac.Equal([]byte(signature), mac.Sum(nil)) + valid := hmac.Equal(signature, mac.Sum(nil)) putTokenInCache(bctx, jwt, astSecret, nil, nil, valid) 
@@ -662,7 +662,7 @@ func (constraints *tokenConstraints) validate() error { } // verify verifies a JWT using the constraints and the algorithm from the header -func (constraints *tokenConstraints) verify(kid, alg, header, payload, signature string) error { +func (constraints *tokenConstraints) verify(kid, alg, header, payload string, signature []byte) error { // Construct the payload plaintext := append(append([]byte(header), '.'), []byte(payload)...) @@ -670,7 +670,7 @@ func (constraints *tokenConstraints) verify(kid, alg, header, payload, signature if constraints.keys != nil { if kid != "" { if key := getKeyByKid(kid, constraints.keys); key != nil { - err := jwsbb.Verify(key.key, alg, plaintext, []byte(signature)) + err := jwsbb.Verify(key.key, alg, plaintext, signature) if err != nil { return errSignatureNotVerified } @@ -681,7 +681,7 @@ func (constraints *tokenConstraints) verify(kid, alg, header, payload, signature verified := false for _, key := range constraints.keys { if key.alg == "" { - err := jwsbb.Verify(key.key, alg, plaintext, []byte(signature)) + err := jwsbb.Verify(key.key, alg, plaintext, signature) if err == nil { verified = true break @@ -690,7 +690,7 @@ func (constraints *tokenConstraints) verify(kid, alg, header, payload, signature if alg != key.alg { continue } - err := jwsbb.Verify(key.key, alg, plaintext, []byte(signature)) + err := jwsbb.Verify(key.key, alg, plaintext, signature) if err == nil { verified = true break @@ -704,7 +704,7 @@ func (constraints *tokenConstraints) verify(kid, alg, header, payload, signature return nil } if constraints.secret != "" { - err := jwsbb.Verify([]byte(constraints.secret), alg, plaintext, []byte(signature)) + err := jwsbb.Verify([]byte(constraints.secret), alg, plaintext, signature) if err != nil { return errSignatureNotVerified } 
@@ -1170,17 +1170,17 @@ func decodeJWT(a ast.Value) (*JSONWebToken, error) { return &JSONWebToken{header: parts[0], payload: parts[1], signature: parts[2]}, nil } -func (token *JSONWebToken) decodeSignature() (string, error) { +func (token *JSONWebToken) decodeSignature() ([]byte, error) { decodedSignature, err := getResult(builtinBase64UrlDecode, ast.StringTerm(token.signature)) if err != nil { - return "", err + return nil, err } - signatureAst, err := builtins.StringOperand(decodedSignature.Value, 1) + signatureBs, err := builtins.StringOperandByteSlice(decodedSignature.Value, 1) if err != nil { - return "", err + return nil, err } - return string(signatureAst), err + return signatureBs, nil } // Extract, validate and return the JWT header as an ast.Object. diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/trace.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/trace.go index c9df12b4c5..49748dcace 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/topdown/trace.go +++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/trace.go @@ -170,6 +170,7 @@ func (evt *Event) equalNodes(other *Event) bool { } // Tracer defines the interface for tracing in the top-down evaluation engine. +// // Deprecated: Use QueryTracer instead. type Tracer interface { Enabled() bool @@ -230,6 +231,7 @@ func (b *BufferTracer) Enabled() bool { } // Trace adds the event to the buffer. +// // Deprecated: Use TraceEvent instead. func (b *BufferTracer) Trace(evt *Event) { *b = append(*b, evt) @@ -806,7 +808,7 @@ func printPrettyVars(w *bytes.Buffer, exprVars map[string]varInfo) { w.WriteString("\n\nWhere:\n") for _, info := range byName { - w.WriteString(fmt.Sprintf("\n%s: %s", info.Title(), iStrs.Truncate(info.Value(), maxPrettyExprVarWidth))) + fmt.Fprintf(w, "\n%s: %s", info.Title(), iStrs.Truncate(info.Value(), maxPrettyExprVarWidth)) } return 
@@ -878,7 +880,7 @@ func printArrows(w *bytes.Buffer, l []varInfo, printValueAt int) { valueStr := iStrs.Truncate(info.Value(), maxPrettyExprVarWidth) if (i > 0 && col == l[i-1].col) || (i < len(l)-1 && col == l[i+1].col) { // There is another var on this column, so we need to include the name to differentiate them. - w.WriteString(fmt.Sprintf("%s: %s", info.Title(), valueStr)) + fmt.Fprintf(w, "%s: %s", info.Title(), valueStr) } else { w.WriteString(valueStr) } diff --git a/vendor/github.com/open-policy-agent/opa/v1/types/types.go b/vendor/github.com/open-policy-agent/opa/v1/types/types.go index 366903f0cb..794f80ea2b 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/types/types.go +++ b/vendor/github.com/open-policy-agent/opa/v1/types/types.go @@ -716,6 +716,7 @@ func (t *Function) NamedFuncArgs() FuncArgs { } // Args returns the function's arguments as a slice, ignoring variadic arguments. +// // Deprecated: Use FuncArgs instead. func (t *Function) Args() []Type { cpy := make([]Type, len(t.args)) diff --git a/vendor/github.com/open-policy-agent/opa/v1/util/graph.go b/vendor/github.com/open-policy-agent/opa/v1/util/graph.go index f0e8242454..acb62590b6 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/util/graph.go +++ b/vendor/github.com/open-policy-agent/opa/v1/util/graph.go @@ -77,13 +77,10 @@ func dfsRecursive(t Traversal, eq Equals, u, z T, path []T) []T { } for _, v := range t.Edges(u) { if eq(v, z) { - path = append(path, z) - path = append(path, u) - return path + return append(path, z, u) } if p := dfsRecursive(t, eq, v, z, path); len(p) > 0 { - path = append(p, u) - return path + return append(p, u) } } return path diff --git a/vendor/github.com/open-policy-agent/opa/v1/util/performance.go b/vendor/github.com/open-policy-agent/opa/v1/util/performance.go index c7bd57ea04..ab18bf644f 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/util/performance.go +++ b/vendor/github.com/open-policy-agent/opa/v1/util/performance.go 
@@ -1,13 +1,40 @@ package util import ( - "math" "slices" "strings" "sync" "unsafe" ) +// SyncPool is a generic sync.Pool for type T, providing some convenience +// over sync.Pool directly: [SyncPool.Put] ensures that nil values are not +// put into the pool, and [SyncPool.Get] returns a pointer to T without having +// to do a type assertion at the call site. +type SyncPool[T any] struct { + pool sync.Pool +} + +func NewSyncPool[T any]() *SyncPool[T] { + return &SyncPool[T]{ + pool: sync.Pool{ + New: func() any { + return new(T) + }, + }, + } +} + +func (p *SyncPool[T]) Get() *T { + return p.pool.Get().(*T) +} + +func (p *SyncPool[T]) Put(x *T) { + if x != nil { + p.pool.Put(x) + } +} + // NewPtrSlice returns a slice of pointers to T with length n, // with only 2 allocations performed no matter the size of n. // See: @@ -44,6 +71,12 @@ func StringToByteSlice[T ~string](s T) []byte { // NumDigitsInt returns the number of digits in n. // This is useful for pre-allocating buffers for string conversion. func NumDigitsInt(n int) int { + return NumDigitsInt64(int64(n)) +} + +// NumDigitsInt64 returns the number of digits in n. +// This is useful for pre-allocating buffers for string conversion. +func NumDigitsInt64(n int64) int { if n == 0 { return 1 } @@ -52,7 +85,12 @@ func NumDigitsInt(n int) int { n = -n } - return int(math.Log10(float64(n))) + 1 + count := 0 + for n > 0 { + n /= 10 + count++ + } + return count } // NumDigitsUint returns the number of digits in n. @@ -62,16 +100,10 @@ func NumDigitsUint(n uint64) int { return 1 } - return int(math.Log10(float64(n))) + 1 -} - -// KeysCount returns the number of keys in m that satisfy predicate p. -func KeysCount[K comparable, V any](m map[K]V, p func(K) bool) int { count := 0 - for k := range m { - if p(k) { - count++ - } + for n > 0 { + n /= 10 + count++ } return count } 
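Review bot: `NumDigitsInt64` returns 0 for the minimum int64 value, because the retained `n = -n` overflows back to the same negative number and the new `for n > 0` loop then never runs. The doc comment says the result is used to pre-allocate buffers for string conversion, so a caller that sizes a fixed buffer from it would under-allocate for that input. Counting on the unsigned magnitude avoids the overflow, e.g. `return NumDigitsUint(uint64(-(n + 1)) + 1)` in the negative branch. The guard around `n = -n` lies between the two hunks and is assumed to be `if n < 0`.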
@@ -129,5 +161,7 @@ func (sp *SlicePool[T]) Get(length int) *[]T { // Put returns a pointer to a slice of type T to the pool. func (sp *SlicePool[T]) Put(s *[]T) { - sp.pool.Put(s) + if s != nil { + sp.pool.Put(s) + } } diff --git a/vendor/github.com/open-policy-agent/opa/v1/util/read_gzip_body.go b/vendor/github.com/open-policy-agent/opa/v1/util/read_gzip_body.go index 92c0df8b08..97dacd0c96 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/util/read_gzip_body.go +++ b/vendor/github.com/open-policy-agent/opa/v1/util/read_gzip_body.go @@ -3,29 +3,21 @@ package util import ( "bytes" "compress/gzip" - "encoding/binary" "errors" "io" "net/http" "strings" - "sync" "github.com/open-policy-agent/opa/v1/util/decoding" ) -var gzipReaderPool = sync.Pool{ - New: func() any { - reader := new(gzip.Reader) - return reader - }, -} +var gzipReaderPool = NewSyncPool[gzip.Reader]() // Note(philipc): Originally taken from server/server.go -// The DecodingLimitHandler handles validating that the gzip payload is within the -// allowed max size limit. Thus, in the event of a forged payload size trailer, -// the worst that can happen is that we waste memory up to the allowed max gzip -// payload size, but not an unbounded amount of memory, as was potentially -// possible before. +// The DecodingLimitHandler handles setting the max size limits in the context. +// This function enforces those limits. For gzip payloads, we use a LimitReader +// to ensure we don't decompress more than the allowed maximum, preventing +// memory exhaustion from forged gzip trailers. func ReadMaybeCompressedBody(r *http.Request) ([]byte, error) { length := r.ContentLength if maxLenConf, ok := decoding.GetServerDecodingMaxLen(r.Context()); ok { 
@@ -40,16 +32,7 @@ func ReadMaybeCompressedBody(r *http.Request) ([]byte, error) { if strings.Contains(r.Header.Get("Content-Encoding"), "gzip") { gzipMaxLength, _ := decoding.GetServerDecodingGzipMaxLen(r.Context()) - // Note(philipc): The last 4 bytes of a well-formed gzip blob will - // always be a little-endian uint32, representing the decompressed - // content size, modulo 2^32. We validate that the size is safe, - // earlier in DecodingLimitHandler. - sizeDecompressed := int64(binary.LittleEndian.Uint32(content[len(content)-4:])) - if sizeDecompressed > gzipMaxLength { - return nil, errors.New("gzip payload too large") - } - - gzReader := gzipReaderPool.Get().(*gzip.Reader) + gzReader := gzipReaderPool.Get() defer func() { gzReader.Close() gzipReaderPool.Put(gzReader) @@ -59,11 +42,16 @@ func ReadMaybeCompressedBody(r *http.Request) ([]byte, error) { return nil, err } - decompressed := bytes.NewBuffer(make([]byte, 0, sizeDecompressed)) - if _, err = io.CopyN(decompressed, gzReader, sizeDecompressed); err != nil { + decompressed := bytes.NewBuffer(make([]byte, 0, len(content))) + limitReader := io.LimitReader(gzReader, gzipMaxLength+1) + if _, err := decompressed.ReadFrom(limitReader); err != nil { return nil, err } + if int64(decompressed.Len()) > gzipMaxLength { + return nil, errors.New("gzip payload too large") + } + return decompressed.Bytes(), nil } diff --git a/vendor/github.com/open-policy-agent/opa/v1/util/strings.go b/vendor/github.com/open-policy-agent/opa/v1/util/strings.go new file mode 100644 index 0000000000..8ea0aedc35 --- /dev/null +++ b/vendor/github.com/open-policy-agent/opa/v1/util/strings.go @@ -0,0 +1,13 @@ +package util + +import "strings" + +// WithPrefix ensures that the string s starts with the given prefix. +// If s already starts with prefix, it is returned unchanged. +func WithPrefix(s, prefix string) string { + if strings.HasPrefix(s, prefix) { + return s + } + + return prefix + s +} 
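Review bot: `gzipMaxLength` reaches `io.LimitReader(gzReader, gzipMaxLength+1)` unvalidated: the `ok` result of `GetServerDecodingGzipMaxLen` is discarded, and the `+1` can overflow. If the limit is configured as the largest int64, the sum wraps negative, the limited reader reports EOF at once, and the function returns an empty body with no error instead of the decompressed payload. A clamp before the addition keeps the off-by-one probe without the wrap, e.g. `limit := gzipMaxLength; if limit < math.MaxInt64 { limit++ }` (this needs the `math` import). When the limit is absent from the context the value is presumably zero, which rejects every non-empty gzip body; that fail-closed behaviour deserves a comment next to the discarded `ok`. ReadMaybeCompressedBody begins outside these hunks.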
diff --git a/vendor/github.com/open-policy-agent/opa/v1/version/version.go b/vendor/github.com/open-policy-agent/opa/v1/version/version.go index 2aef6b113f..e6dc9ab0f2 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/version/version.go +++ b/vendor/github.com/open-policy-agent/opa/v1/version/version.go @@ -10,7 +10,7 @@ import ( "runtime/debug" ) -var Version = "1.10.1" +var Version = "1.11.1" // GoVersion is the version of Go this was built with var GoVersion = runtime.Version() diff --git a/vendor/github.com/segmentio/asm/LICENSE b/vendor/github.com/segmentio/asm/LICENSE index 29e1ab6b05..5e93dab621 100644 --- a/vendor/github.com/segmentio/asm/LICENSE +++ b/vendor/github.com/segmentio/asm/LICENSE 
@@ -1,21 +1,16 @@ -MIT License +MIT No Attribution -Copyright (c) 2021 Segment +Copyright 2023 Segment -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: +Permission is hereby granted, free of charge, to any person obtaining a copy of this +software and associated documentation files (the "Software"), to deal in the Software +without restriction, including without limitation the rights to use, copy, modify, +merge, publish, distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so. -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, +INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A +PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/vendor/github.com/segmentio/asm/base64/decode_arm64.s b/vendor/github.com/segmentio/asm/base64/decode_arm64.s index 4374d5ce17..67d206f8cc 100644 --- a/vendor/github.com/segmentio/asm/base64/decode_arm64.s +++ b/vendor/github.com/segmentio/asm/base64/decode_arm64.s @@ -130,7 +130,12 @@ loop: ADVANCE_LOOP(loop) // Store results and continue done: - RETURN() + // RETURN() replacing the macro to please go vet. + SUB R0, R3; + SUB R1, R4; + MOVD R3, ret+56(FP); + MOVD R4, ret1+64(FP); + RET // func decodeStdARM64(dst []byte, src []byte, lut *int8) (int, int) @@ -145,7 +150,12 @@ loop: ADVANCE_LOOP(loop) // Store results and continue done: - RETURN() + // RETURN() replacing the macro to please go vet. + SUB R0, R3; + SUB R1, R4; + MOVD R3, ret+56(FP); + MOVD R4, ret1+64(FP); + RET DATA ·mask_lut+0x00(SB)/1, $0xa8 diff --git a/vendor/github.com/urfave/cli/v2/flag_string_slice.go b/vendor/github.com/urfave/cli/v2/flag_string_slice.go index 28f4798f55..66bdf1afcd 100644 --- a/vendor/github.com/urfave/cli/v2/flag_string_slice.go +++ b/vendor/github.com/urfave/cli/v2/flag_string_slice.go @@ -150,8 +150,8 @@ func (f *StringSliceFlag) Apply(set *flag.FlagSet) error { setValue = f.Value.clone() default: setValue = new(StringSlice) - setValue.WithSeparatorSpec(f.separator) } + setValue.WithSeparatorSpec(f.separator) setValue.keepSpace = f.KeepSpace diff --git a/vendor/github.com/urfave/cli/v2/godoc-current.txt b/vendor/github.com/urfave/cli/v2/godoc-current.txt index 3e29faabac..2f3d76e319 100644 --- a/vendor/github.com/urfave/cli/v2/godoc-current.txt +++ b/vendor/github.com/urfave/cli/v2/godoc-current.txt 
@@ -136,7 +136,10 @@ var SubcommandHelpTemplate = `NAME: {{template "helpNameTemplate" .}} USAGE: - {{if .UsageText}}{{wrap .UsageText 3}}{{else}}{{.HelpName}} {{if .VisibleFlags}}command [command options]{{end}}{{if .ArgsUsage}} {{.ArgsUsage}}{{else}}{{if .Args}} [arguments...]{{end}}{{end}}{{end}}{{if .Description}} + {{template "usageTemplate" .}}{{if .Category}} + +CATEGORY: + {{.Category}}{{end}}{{if .Description}} DESCRIPTION: {{template "descriptionTemplate" .}}{{end}}{{if .VisibleCommands}} diff --git a/vendor/github.com/urfave/cli/v2/help.go b/vendor/github.com/urfave/cli/v2/help.go index f1b9e7f18f..d27e8ce385 100644 --- a/vendor/github.com/urfave/cli/v2/help.go +++ b/vendor/github.com/urfave/cli/v2/help.go @@ -54,7 +54,7 @@ var helpCommand = &Command{ cCtx = cCtx.parentContext } - // Case 4. $ app hello foo + // Case 4. $ app help foo // foo is the command for which help needs to be shown if argsPresent { return ShowCommandHelp(cCtx, firstArg) diff --git a/vendor/github.com/urfave/cli/v2/template.go b/vendor/github.com/urfave/cli/v2/template.go index 8abc5ba421..ccb22f1d53 100644 --- a/vendor/github.com/urfave/cli/v2/template.go +++ b/vendor/github.com/urfave/cli/v2/template.go @@ -83,7 +83,10 @@ var SubcommandHelpTemplate = `NAME: {{template "helpNameTemplate" .}} USAGE: - {{if .UsageText}}{{wrap .UsageText 3}}{{else}}{{.HelpName}} {{if .VisibleFlags}}command [command options]{{end}}{{if .ArgsUsage}} {{.ArgsUsage}}{{else}}{{if .Args}} [arguments...]{{end}}{{end}}{{end}}{{if .Description}} + {{template "usageTemplate" .}}{{if .Category}} + +CATEGORY: + {{.Category}}{{end}}{{if .Description}} DESCRIPTION: {{template "descriptionTemplate" .}}{{end}}{{if .VisibleCommands}} diff --git a/vendor/github.com/vektah/gqlparser/v2/ast/directive.go b/vendor/github.com/vektah/gqlparser/v2/ast/directive.go index b11867c2e4..54dd45b1e7 100644 --- a/vendor/github.com/vektah/gqlparser/v2/ast/directive.go +++ b/vendor/github.com/vektah/gqlparser/v2/ast/directive.go 
@@ -39,5 +39,8 @@ type Directive struct { } func (d *Directive) ArgumentMap(vars map[string]interface{}) map[string]interface{} { + if d.Definition == nil { + return nil + } return arg2map(d.Definition.Arguments, d.Arguments, vars) } diff --git a/vendor/github.com/vektah/gqlparser/v2/ast/selection.go b/vendor/github.com/vektah/gqlparser/v2/ast/selection.go index 1858dc2136..efc78efea1 100644 --- a/vendor/github.com/vektah/gqlparser/v2/ast/selection.go +++ b/vendor/github.com/vektah/gqlparser/v2/ast/selection.go @@ -37,5 +37,8 @@ type Argument struct { } func (f *Field) ArgumentMap(vars map[string]interface{}) map[string]interface{} { + if f.Definition == nil { + return nil + } return arg2map(f.Definition.Arguments, f.Arguments, vars) } diff --git a/vendor/github.com/vektah/gqlparser/v2/ast/value.go b/vendor/github.com/vektah/gqlparser/v2/ast/value.go index 45fa8016b5..c731b77b25 100644 --- a/vendor/github.com/vektah/gqlparser/v2/ast/value.go +++ b/vendor/github.com/vektah/gqlparser/v2/ast/value.go @@ -29,9 +29,10 @@ type Value struct { Comment *CommentGroup // Require validation - Definition *Definition - VariableDefinition *VariableDefinition - ExpectedType *Type + Definition *Definition + VariableDefinition *VariableDefinition + ExpectedType *Type + ExpectedTypeHasDefault bool } type ChildValue struct { diff --git a/vendor/github.com/vektah/gqlparser/v2/validator/core/walk.go b/vendor/github.com/vektah/gqlparser/v2/validator/core/walk.go index 09a3016fd4..532450863a 100644 --- a/vendor/github.com/vektah/gqlparser/v2/validator/core/walk.go +++ b/vendor/github.com/vektah/gqlparser/v2/validator/core/walk.go @@ -182,6 +182,7 @@ func (w *Walker) walkValue(value *ast.Value) { fieldDef := value.Definition.Fields.ForName(child.Name) if fieldDef != nil { child.Value.ExpectedType = fieldDef.Type + child.Value.ExpectedTypeHasDefault = fieldDef.DefaultValue != nil && fieldDef.DefaultValue.Kind != ast.NullValue child.Value.Definition = w.Schema.Types[fieldDef.Type.Name()] } } 
@@ -208,6 +209,7 @@ func (w *Walker) walkValue(value *ast.Value) { func (w *Walker) walkArgument(argDef *ast.ArgumentDefinition, arg *ast.Argument) { if argDef != nil { arg.Value.ExpectedType = argDef.Type + arg.Value.ExpectedTypeHasDefault = argDef.DefaultValue != nil && argDef.DefaultValue.Kind != ast.NullValue arg.Value.Definition = w.Schema.Types[argDef.Type.Name()] } diff --git a/vendor/github.com/vektah/gqlparser/v2/validator/rules/rules.go b/vendor/github.com/vektah/gqlparser/v2/validator/rules/rules.go index 803543ed17..e94151b06e 100644 --- a/vendor/github.com/vektah/gqlparser/v2/validator/rules/rules.go +++ b/vendor/github.com/vektah/gqlparser/v2/validator/rules/rules.go @@ -77,6 +77,7 @@ func (r *Rules) AddRule(name string, ruleFunc core.RuleFunc) { // GetInner returns the internal rule map. // If the map is not initialized, it returns an empty map. +// This returns a copy of the rules map, not the original map. func (r *Rules) GetInner() map[string]core.RuleFunc { if r == nil { return nil // impossible nonsense, hopefully @@ -84,7 +85,13 @@ func (r *Rules) GetInner() map[string]core.RuleFunc { if r.rules == nil { return make(map[string]core.RuleFunc) } - return r.rules + + rules := make(map[string]core.RuleFunc) + for k, v := range r.rules { + rules[k] = v + } + + return rules } // RemoveRule removes a rule with the specified name from the rule set. diff --git a/vendor/github.com/vektah/gqlparser/v2/validator/rules/variables_in_allowed_position.go b/vendor/github.com/vektah/gqlparser/v2/validator/rules/variables_in_allowed_position.go index b2af7e1923..e183233465 100644 --- a/vendor/github.com/vektah/gqlparser/v2/validator/rules/variables_in_allowed_position.go +++ b/vendor/github.com/vektah/gqlparser/v2/validator/rules/variables_in_allowed_position.go 
@@ -25,6 +25,11 @@ var VariablesInAllowedPositionRule = Rule{
 }
 }
+ // If the expected type has a default, the given variable can be null
+ if value.ExpectedTypeHasDefault {
+ tmp.NonNull = false
+ }
+
 if !value.VariableDefinition.Type.IsCompatible(&tmp) {
 addError(
 Message(
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 2ff0e7d9af..900130bde5 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -288,7 +288,7 @@ github.com/containerd/errdefs/pkg/internal/cause
 # github.com/containerd/log v0.1.0
 ## explicit; go 1.20
 github.com/containerd/log
-# github.com/containerd/platforms v1.0.0-rc.1
+# github.com/containerd/platforms v1.0.0-rc.2
 ## explicit; go 1.20
 github.com/containerd/platforms
 # github.com/coreos/go-oidc/v3 v3.17.0
@@ -716,8 +716,8 @@ github.com/golang-jwt/jwt/v4
 # github.com/golang-jwt/jwt/v5 v5.3.0
 ## explicit; go 1.21
 github.com/golang-jwt/jwt/v5
-# github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
-## explicit
+# github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8
+## explicit; go 1.20
 github.com/golang/groupcache/lru
 # github.com/golang/protobuf v1.5.4
 ## explicit; go 1.17
@@ -942,8 +942,8 @@ github.com/lestrrat-go/httprc/v3
 github.com/lestrrat-go/httprc/v3/errsink
 github.com/lestrrat-go/httprc/v3/proxysink
 github.com/lestrrat-go/httprc/v3/tracesink
-# github.com/lestrrat-go/jwx/v3 v3.0.11
-## explicit; go 1.24.4
+# github.com/lestrrat-go/jwx/v3 v3.0.12
+## explicit; go 1.24.0
 github.com/lestrrat-go/jwx/v3
 github.com/lestrrat-go/jwx/v3/cert
 github.com/lestrrat-go/jwx/v3/internal/base64
@@ -1130,7 +1130,7 @@ github.com/moby/term/windows
 # github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
 ## explicit
 github.com/modern-go/concurrent
-# github.com/modern-go/reflect2 v1.0.2
+# github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee
 ## explicit; go 1.12
 github.com/modern-go/reflect2
 # github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
@@ -1275,7 +1275,7 @@ github.com/onsi/gomega/matchers/support/goraph/edge
 github.com/onsi/gomega/matchers/support/goraph/node
 github.com/onsi/gomega/matchers/support/goraph/util
 github.com/onsi/gomega/types
-# github.com/open-policy-agent/opa v1.10.1
+# github.com/open-policy-agent/opa v1.11.1
 ## explicit; go 1.24.6
 github.com/open-policy-agent/opa/ast
 github.com/open-policy-agent/opa/ast/json
@@ -1928,7 +1928,7 @@ github.com/samber/slog-common
 # github.com/samber/slog-zerolog/v2 v2.9.0
 ## explicit; go 1.21
 github.com/samber/slog-zerolog/v2
-# github.com/segmentio/asm v1.2.0
+# github.com/segmentio/asm v1.2.1
 ## explicit; go 1.18
 github.com/segmentio/asm/base64
 github.com/segmentio/asm/cpu
@@ -2148,14 +2148,14 @@ github.com/tus/tusd/v2/pkg/handler
 ## explicit; go 1.13
 github.com/unrolled/secure
 github.com/unrolled/secure/cspbuilder
-# github.com/urfave/cli/v2 v2.27.5
+# github.com/urfave/cli/v2 v2.27.7
 ## explicit; go 1.18
 github.com/urfave/cli/v2
 # github.com/valyala/fastjson v1.6.4
 ## explicit; go 1.12
 github.com/valyala/fastjson
 github.com/valyala/fastjson/fastfloat
-# github.com/vektah/gqlparser/v2 v2.5.30
+# github.com/vektah/gqlparser/v2 v2.5.31
 ## explicit; go 1.22
 github.com/vektah/gqlparser/v2/ast
 github.com/vektah/gqlparser/v2/gqlerror