opa

opa copied to clipboard

Allow Capabilities to be set through Configuration

5

The `http.send()` and `net.lookup_ip_addr()` built-in functions can be allow-listed by host through the `allow_net` Capabilities param. This feature is, however, limited to the `eval` command. If capabilities could also be...

johanfylling

TL;DR: if you are checking for membership in a partial set iteratively (in another partial rule, or in a comprehension), and it seems very slow, try copying the partial set...

charlesdaniels

Every keyword in test is timeing out after 5 sec due to --verbose mode

3

## Short description * OPA version: `0.58.0` * Executing: `docker run ... opa test --verbose` results in a timeout exit after 5s * Executing: `docker run ... opa test` works...

marcaurele

As one of the most common errors, we should strive to make type error messages as easy to understand as possible. Simplified / silly example, but it'll work well for...

anderseknert

Back-to-back metadata blocks triggers misleading parse error

2

If a policy has two `METADATA` blocks declared back-to-back, with no empty lines in-between, e.g.: ```rego package play # METADATA # title: Ps # scope: document # METADATA # title:...

johanfylling

In the docs, a section should be added where, for each deprecated built-in, an alternative function call or snippet of Rego is described. When running `opa check` and `opa fmt`...

johanfylling

Fail on unknown METADATA attributes when using strict-mode

8

A danger of using custom annotations not organized into the `custom` annotation in a `METADATA` comment block is that your policy is vulnerable to future OPA updates. E.g. the following...

johanfylling

Allow parameterized tests

19

It would be very useful if the unit test system allowed for some type of simple "data driven" parameterization of tests where one of the mocked inputs could be parameterized...

anderseknert

Invalid partial evaluation result (__localcp0__)

6

```bash ./opa run --server --log-level debug policy.rego {"current_version":"0.58.0","level":"debug","msg":"OPA is up to date.","time":"2023-11-03T10:32:03+01:00"} ``` This is basic policy: ```rego package test import future.keywords.if default allow := false allowed(_) if { input.subject.on_duty...

nkey0

[Performance] Trie index cache when one input is data reference

5

## Short description any_prefix_match and any_suffix_match builtin constructs a trie index [internally](https://github.com/open-policy-agent/opa/blob/8a8dd09f78f93f7e4164ee84af36c3056147ff6d/topdown/strings.go#L93-L113) every time the builtin is invoked. If the input is a reference to data there is possibility of...

prasanthj