Prepare for OPA 1.0 (#1317)

Go: - Use OPA v1 packages - Add function to parse Rego of unknown version - Allow providing the Rego version via config or .manifest files - Make `regal fix` formatter consider version to format for Rego: - Remove `import rego.v1` (via `opa fmt`) - Add `config.capabilities.is_opa_v1` - Use that to disable `use-if`, `use-contains`, `use-rego-v1` - Update tests for 1.0 compliance Docs: - Remove `import rego.v1` from all examples - `regal fix` doesn't work well - Many failing e2e tests, despite some effort - Test LSP functionality Signed-off-by: Anders Eknert <[email protected]> Co-authored-by: Charlie Egan <[email protected]>
StyraInc · Jan 13, 2025 · d569e50 · d569e50
1 parent cf1632a
commit d569e50
Show file tree

Hide file tree

Showing 414 changed files with 2,072 additions and 1,418 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -14,7 +14,7 @@ updates:
       interval: "monthly"
     ignore:
       # update OPA manually to bump version in README too
-      - dependency-name: "github.com/open-policy-agent/opa"
+      - dependency-name: "github.com/open-policy-agent/opa/v1"
     groups:
       dependencies:
         patterns:

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -63,8 +63,8 @@ jobs:
       - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         if: matrix.os.name == 'linux'
         with:
-          version: v1.61.0
-      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+          version: v1.63.1
+      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: regal-${{ matrix.os.name }}
           path: regal

diff --git a/.golangci.yaml b/.golangci.yaml
@@ -11,7 +11,6 @@ linters:
     - testpackage
     - goconst
     - gochecknoinits
-    - gomnd
     - mnd
     - inamedparam
     - err113
@@ -21,7 +20,6 @@ linters:
     - ireturn
     - funlen
     - gomoddirectives # need replacements for wasip1
-    - execinquery # deprecated
     - exportloopref # deprecated
 linters-settings:
   tagliatelle:

diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -0,0 +1,40 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "regal lint bundle",
+      "type": "go",
+      "request": "launch",
+      "mode": "auto",
+      "program": "${workspaceFolder}",
+      "args": [
+        "lint",
+        "--enable-print",
+        "bundle"
+      ]
+    },
+    {
+      "name": "regal fix --dry-run bundle",
+      "type": "go",
+      "request": "launch",
+      "mode": "auto",
+      "program": "${workspaceFolder}",
+      "args": [
+        "fix",
+        "--dry-run",
+        "bundle"
+      ]
+    },
+    {
+      "name": "regal test bundle",
+      "type": "go",
+      "request": "launch",
+      "mode": "auto",
+      "program": "${workspaceFolder}",
+      "args": [
+        "test",
+        "bundle"
+      ]
+    }
+  ]
+}
diff --git a/README.md b/README.md
@@ -22,6 +22,14 @@ development, whether you're an experienced Rego developer or just starting out.
 
 \- [Merriam Webster](https://www.merriam-webster.com/dictionary/regal)
 
+## **New!** Regal and OPA 1.0
+
+OPA 1.0 was [just released](https://blog.openpolicyagent.org/announcing-opa-1-0-a-new-standard-for-policy-as-code-a6d8427ee828),
+and starting from version v0.30.0, Regal supports working with both OPA 1.0 policies and Rego from earlier versions
+of OPA. While everything should work without additional configuration, we recommend checking out our documentation on
+using Regal with [OPA 1.0](https://docs.styra.com/regal/opa-one-dot-zero) for the best possible experience managing
+projects of any given Rego version, or even a mix of them.
+
 ## Goals
 
 - Deliver an outstanding policy development experience by providing the best possible tools for that purpose
@@ -105,8 +113,6 @@ First, author some Rego!
 ```rego
 package authz
 
-import rego.v1
-
 default allow = false
 
 allow if {
@@ -292,7 +298,9 @@ The following rules are currently available:
 
 <!-- RULES_TABLE_END -->
 
-By default, all rules except for those in the `custom` category are currently **enabled**.
+Rules in all category except for those in `custom` are **enabled** by default. Some rules however — like `use-contains`
+and `use-if` — are conditionally enabled only when a version of OPA/Rego before 1.0 is targeted. See the configuration
+options below if you want to use Regal to lint "legacy" policies.
 
 **Aggregate Rules**
 
@@ -387,6 +395,9 @@ project:
     # declares the 'main' and 'lib/jwt' directories as project roots
     - main
     - lib/jwt
+    # may also be provided as an object with additional options
+    - path: lib/legacy
+      rego-version: 0
 ```
 
 Regal will automatically search for a configuration file (`.regal/config.yaml`) in the current directory, and if not
@@ -507,8 +518,6 @@ alternatively on the same line to the right of the expression:
 ```rego
 package policy
 
-import rego.v1
-
 # regal ignore:prefer-snake-case
 camelCase := "yes"
 
@@ -540,6 +549,37 @@ for the `regal lint` command:
 
 **Note:** all CLI flags override configuration provided in file.
 
+## Configuring Rego Version
+
+From OPA 1.0 and onwards, it is no longer necessary to include `import rego.v1` in your policies in order to use
+keywords like `if` and `contains`. Since Regal works with with both 1.0+ policies and older versions of Rego, the linter
+will first try to parse a policy as 1.0 and if that fails, parse using "v0" rules. This process isn't 100% foolproof,
+as some policies are valid in both versions. Additionally, parsing the same file multiple times adds some overhead that
+can be skipped if the version is known beforehand. To help Regal determine (and enforce) the version of your policies,
+the `rego-version` attribute can be set in the `project` configuration:
+
+```yaml
+project:
+  # Rego version 1.0, set to 0 for pre-1.0 policies
+  rego-version: 1
+```
+
+It is also possible to set the Rego version for individual project roots (see below for more information):
+
+```yaml
+project:
+  roots:
+    - path: lib/legacy
+      rego-version: 0
+    - path: main
+      rego-version: 1
+```
+
+Additionally, Regal will scan the project for any `.manifest` files, and user any `rego_version` found in the manifest
+for all policies under that directory.
+
+Note: the `rego-version` attribute in the configuration file has precedence over `rego_version` found in manifest files.
+
 ## Project Roots
 
 While many projects consider the project's root directory (in editors often referred to as **workspace**) their
@@ -790,6 +830,7 @@ in the near future:
 
 ### Linter
 
+- [x] Full support for both OPA 1.0 policies and older versions of Rego
 - [ ] Allow remediation of more `style` category rules using the `regal fix` command
 - [ ] Add [unused-rule](https://github.com/StyraInc/regal/issues/358) linter
 - [x] Add [unused-output-variable](https://github.com/StyraInc/regal/issues/60) linter