From 70fea7e26aef28085c24bd07d7c41eab36cc0a17 Mon Sep 17 00:00:00 2001 From: Phil Hunt Date: Wed, 11 Sep 2024 12:06:28 -0700 Subject: [PATCH] Issue #52 Update to 0.7 IDQL Signed-off-by: Phil Hunt --- cmd/hexaAuthZen/resources/data.json | 82 +++---- cmd/hexaBundleServer/resources/data.json | 190 ++++++--------- .../resources/hexaIndustries-data.json | 80 +++---- cmd/hexaIndustriesDemo/demo_test.go | 82 +++---- deployments/authZen/data.json | 82 +++---- go.mod | 84 +++---- go.sum | 217 +++++++++--------- pkg/bundleTestSupport/bundleTestSupport.go | 82 ++----- .../badDataBundle/bundle/hexaPolicyV2.rego | 163 +++++++------ pkg/decisionsupportproviders/opa_provider.go | 18 +- pkg/hexaConstants/constants.go | 4 +- pkg/mockopasupport/mock_opa_support.go | 82 +++---- server/conditionEvaluator/evaluator.go | 2 +- .../test/bundle/bundle_test/data-V1.json | 201 ++++++---------- .../hexaFilter/test/bundle/hexaPolicyV2.rego | 183 --------------- .../hexaFilter/test/opaHexaPolicyV1_test.go | 207 ++++++++--------- 16 files changed, 653 insertions(+), 1106 deletions(-) delete mode 100644 server/hexaFilter/test/bundle/hexaPolicyV2.rego diff --git a/cmd/hexaAuthZen/resources/data.json b/cmd/hexaAuthZen/resources/data.json index ba2c88f..2904a0f 100644 --- a/cmd/hexaAuthZen/resources/data.json +++ b/cmd/hexaAuthZen/resources/data.json 
@@ -3,101 +3,81 @@ { "meta": { "policyId": "GetUsers", - "version": "0.6", + "version": "0.7", "description": "Get information (e.g. email, picture) associated with a user" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "can_read_user" - } + "can_read_user" ], - "object": { - "resource_id": "todo" - } + "object": "todo" }, { "meta": { "policyId": "GetTodos", - "version": "0.6", - + "version": "0.7", "description": "Get the list of todos. Always returns true for every user??" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "can_read_todos" - } + "can_read_todos" ], - "object": { - "resource_id": "todo" - } + "object": "todo" }, { "meta": { - "version": "0.6", + "version": "0.7", "description": "Create a new Todo", "policyId": "PostTodo" }, - "subject": { - "members": ["role:admin","role:editor"] - }, + "subjects": [ + "role:admin", + "role:editor" + ], "actions": [ - { - "actionUri": "can_create_todo" - } + "can_create_todo" ], - "object": { - "resource_id": "todo" - } + "object": "todo" }, { "meta": { - "version": "0.6", + "version": "0.7", "description": "Edit(complete) a todo.", "policyId": "PutTodo" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "can_update_todo" - } + "can_update_todo" ], "condition": { "rule": "subject.roles co evil_genius or resource.ownerID eq subject.claims.email", "action": "allow" }, - "object": { - "resource_id": "todo" - } + "object": "todo" }, { "meta": { - "version": "0.6", + "version": "0.7", "description": "Delete a todo if admin or owner of todo", "policyId": "DeleteTodo" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "can_delete_todo" - } + "can_delete_todo" ], "condition": { "rule": "subject.roles co 
admin or resource.ownerID eq subject.claims.email", "action": "allow" }, - "object": { - "resource_id": "todo" - } + "object": "todo" } ] } \ No newline at end of file diff --git a/cmd/hexaBundleServer/resources/data.json b/cmd/hexaBundleServer/resources/data.json index 3da49a5..23ed246 100644 --- a/cmd/hexaBundleServer/resources/data.json +++ b/cmd/hexaBundleServer/resources/data.json @@ -3,27 +3,19 @@ { "meta": { "policyId": "TestBasicCanary", - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Access enabling user self service for users with role" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } + "http:POST:/testpath*", + "http:PUT:/testpath*", + "http:GET:/testpath*" ], - "object": { - "resource_id": "CanaryProfileService" - }, + "object": "CanaryProfileService", "condition": { "rule": "subject.type eq basic", "action": "allow" 
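Review bot: The PutTodo and DeleteTodo conditions kept as context in this hunk (`subject.roles co evil_genius or resource.ownerID eq subject.claims.email`, and the `admin` variant) differ from the same policies in deployments/authZen/data.json, which this commit also migrates. That copy requires `subject.roles co editor` alongside the owner match and compares against `subject.claims.id`. As written here, any authenticated subject whose email equals the owner can update or delete a todo without the editor role. The diff does not show which rule is intended. Since both files are being rewritten to 0.7, either align them or state in each policy's `description` why the embedded resource is more permissive.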
@@ -32,56 +24,40 @@ { "meta": { "policyId": "TestBasicCanaryCondition", - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Access enabling user self service for users with role with condition" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } + "http:POST:/testpath*", + "http:PUT:/testpath*", + "http:GET:/testpath*" ], "condition": { "rule": "req.ip sw 127.0.0.1 and subject.type eq basic", "action": "allow" }, - "object": { - "resource_id": "CanaryProfileService" - } + "object": "CanaryProfileService" }, { "meta": { - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Tests any authenticated JWT user", "policyId": "TestJwtCanary" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:!PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } + "http:POST:/testpath*", + "http:!PUT:/testpath*", + "http:GET:/testpath*" ], - "object": { - "resource_id": "CanaryProfileService" - }, + "object": "CanaryProfileService", "condition": { "rule": "subject.type eq jwt and subject.iss eq testIssuer and subject.aud co testAudience", "action": "allow" 
@@ -89,109 +65,79 @@ }, { "meta": { - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Access enabling user self service for users with role", "policyId": "TestIPMaskCanary" }, - "subject": { - "comment": "any used, but the condition is what restricts subjects", - "members": ["net:127.0.0.1/24"] - }, + "subjects": [ + "net:127.0.0.1/24" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:!PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } + "http:POST:/testpath*", + "http:!PUT:/testpath*", + "http:GET:/testpath*" ], "condition": { "rule": "req.method eq GET", "action": "allow" }, - "object": { - "resource_id": "CanaryProfileService" - } + "object": "CanaryProfileService" }, { "meta": { - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Access enabling user self service for users with role", "policyId": "TestIPMaskCanaryPOST" }, - "subject": { - "members": ["net:192.1.0.1/24"] - }, + "subjects": [ + "net:192.1.0.1/24" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:!PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } + "http:POST:/testpath*", + "http:!PUT:/testpath*", + "http:GET:/testpath*" ], - "object": { - "resource_id": "CanaryProfileService" - } + "object": "CanaryProfileService" }, { "meta": { - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Access enabling user self service for users with role", "policyId": "TestIPMaskCanaryNotDelete" }, - "subject": { - "members": ["any"] - }, + "subjects": [ + "any" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:!PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" + "http:POST:/testpath*", + "http:!PUT:/testpath*", + "http:GET:/testpath*" } ], "condition": { "rule": "req.ip sw 127 and req.method NE 
DELETE", "action": "allow" }, - "object": { - "resource_id": "CanaryProfileService" - } + "object": "CanaryProfileService" }, { "meta": { - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Test that allows jwt authenticated specific subject *and* has a role", "policyId": "TestJwtRole" }, - "subject": { - "members" : ["user:BaSicBob"] - }, + "subjects": [ + "user:BaSicBob" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } + "http:POST:/testpath*", + "http:GET:/testpath*" ], - "object": { - "resource_id": "CanaryProfileService" - }, + "object": "CanaryProfileService", "condition": { "rule": "subject.type eq jwt and subject.iss eq testIssuer and subject.aud co testAudience and subject.roles co abc", "action": "allow" @@ -199,28 +145,22 @@ }, { "meta": { - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "test that allows JWT authenticated subjects with a role or specific users", "policyId": "TestJwtMember" }, - "subject": { - "members": ["role:abc","user:JwtAlice","user:BasicBoB"] - }, + "subjects": [ + "role:abc", + "user:JwtAlice", + "user:BasicBoB" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } + "http:POST:/testpath*", + "http:PUT:/testpath*", + "http:GET:/testpath*" ], - "object": { - "resource_id": "CanaryProfileService" - }, + "object": "CanaryProfileService", "condition": { "rule": "subject.type eq jwt and subject.iss eq testIssuer and subject.aud co testAudience", "action": "allow" diff --git a/cmd/hexaBundleServer/resources/hexaIndustries-data.json b/cmd/hexaBundleServer/resources/hexaIndustries-data.json index 28cf08d..f647480 100644 --- a/cmd/hexaBundleServer/resources/hexaIndustries-data.json +++ b/cmd/hexaBundleServer/resources/hexaIndustries-data.json 
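Review bot: In the TestIPMaskCanaryNotDelete policy the new `actions` array appears to keep a stray `}` after `"http:GET:/testpath*"`, which leaves cmd/hexaBundleServer/resources/data.json as invalid JSON. Every other policy in this file removes that closing brace (`- }`), but here it survives as a context line, so the new side reads `"http:GET:/testpath*" } ],`. Drop the brace so the array ends `"http:GET:/testpath*"` followed by `],`. Whether the bundle server denies by default when this file fails to parse is not visible in the diff, so confirm it fails closed. A test that unmarshals the shipped resource would catch this class of error.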
@@ -2,85 +2,59 @@ "policies": [ { "meta": { - "version": "0.6", + "version": "0.7", "policyId": "getRootPage", "description": "Retrieve the root page open to anyone" }, "actions": [ - { - "actionUri": "http:GET:/dashboard" - } + "http:GET:/dashboard" ], - "subject": { - "members": [ - "any", - "anyauthenticated" - ] - }, - "object": { - "resource_id": "hexaIndustries" - } + "subjects": [ + "any", + "anyauthenticated" + ], + "object": "hexaIndustries" }, { "meta": { - "version": "0.6", + "version": "0.7", "policyId": "getSales" }, "actions": [ - { - "actionUri": "sales" - } + "sales" ], - "subject": { - "members": [ - "role:sales", - "role:marketing" - ] - }, - "object": { - "resource_id": "hexaIndustries" - } + "subjects": [ + "role:sales", + "role:marketing" + ], + "object": "hexaIndustries" }, { "meta": { - "version": "0.6", + "version": "0.7", "policyId": "getAccounting" }, "actions": [ - { - "actionUri": "http:GET:/accounting" - }, - { - "actionUri": "http:POST:/accounting" - } + "http:GET:/accounting", + "http:POST:/accounting" ], - "subject": { - "members": [ - "role:accounting" - ] - }, - "object": { - "resource_id": "hexaIndustries" - } + "subjects": [ + "role:accounting" + ], + "object": "hexaIndustries" }, { "meta": { - "version": "0.6", + "version": "0.7", "policyId": "getHumanResources" }, "actions": [ - { - "actionUri": "http:GET:/humanresources" - } + "http:GET:/humanresources" ], - "subject": { - "members": [ - "role:humanresources" - ] - }, - "object": { - "resource_id": "hexaIndustries" - } + "subjects": [ + "role:humanresources" + ], + "object": "hexaIndustries" } ] } \ No newline at end of file diff --git a/cmd/hexaIndustriesDemo/demo_test.go b/cmd/hexaIndustriesDemo/demo_test.go index 1227df4..b8b70f8 100644 --- a/cmd/hexaIndustriesDemo/demo_test.go +++ b/cmd/hexaIndustriesDemo/demo_test.go 
@@ -272,89 +272,63 @@ func (ts *testSuite) TestTls() { } -var testPolicyString = ` -{ +var testPolicyString = `{ "policies": [ { "meta": { - "version": "0.6", + "version": "0.7", "policyId": "getRootPage", "description": "Retrieve the root page open to anyone" }, "actions": [ - { - "actionUri": "http:GET:/dashboard" - } + "http:GET:/dashboard" ], - "subject": { - "members": [ - "any" - ] - }, - "object": { - "resource_id": "hexaIndustries" - } + "subjects": [ + "any", + "anyauthenticated" + ], + "object": "hexaIndustries" }, { "meta": { - "version": "0.6", + "version": "0.7", "policyId": "getSales" }, "actions": [ - { - "actionUri": "sales" - } + "sales" ], - "subject": { - "members": [ - "role:sales", - "role:marketing" - ] - }, - "object": { - "resource_id": "hexaIndustries" - } + "subjects": [ + "role:sales", + "role:marketing" + ], + "object": "hexaIndustries" }, { "meta": { - "version": "0.6", + "version": "0.7", "policyId": "getAccounting" }, "actions": [ - { - "actionUri": "http:GET:/accounting" - }, - { - "actionUri": "http:POST:/accounting" - } + "http:GET:/accounting", + "http:POST:/accounting" ], - "subject": { - "members": [ - "role:accounting" - ] - }, - "object": { - "resource_id": "hexaIndustries" - } + "subjects": [ + "role:accounting" + ], + "object": "hexaIndustries" }, { "meta": { - "version": "0.6", + "version": "0.7", "policyId": "getHumanResources" }, "actions": [ - { - "actionUri": "http:GET:/humanresources" - } + "http:GET:/humanresources" ], - "subject": { - "members": [ - "role:humanresources" - ] - }, - "object": { - "resource_id": "hexaIndustries" - } + "subjects": [ + "role:humanresources" + ], + "object": "hexaIndustries" } ] }` diff --git a/deployments/authZen/data.json b/deployments/authZen/data.json index 32defd9..46a6259 100644 --- a/deployments/authZen/data.json +++ b/deployments/authZen/data.json 
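Review bot: The `getRootPage` entry in `testPolicyString` now lists `"anyauthenticated"` next to `"any"`, which adds no coverage if `any` already admits unauthenticated callers, so the test cannot tell the two subjects apart. The spelling also differs from the `anyAuthenticated` used in the AuthZen data files in this commit; if subject matching is case-sensitive (not visible here), the entry would never match. The literal is a hand-maintained copy of cmd/hexaBundleServer/resources/hexaIndustries-data.json, so a comment above the variable would help keep the two from drifting apart, for example `// testPolicyString mirrors resources/hexaIndustries-data.json (IDQL 0.7); keep both in sync.`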
@@ -3,101 +3,81 @@ { "meta": { "policyId": "GetUsers", - "version": "0.6", + "version": "0.7", "description": "Get information (e.g. email, picture) associated with a user" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "can_read_user" - } + "can_read_user" ], - "object": { - "resource_id": "todo" - } + "object": "todo" }, { "meta": { "policyId": "GetTodos", - "version": "0.6", - + "version": "0.7", "description": "Get the list of todos. Always returns true for every user??" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "can_read_todos" - } + "can_read_todos" ], - "object": { - "resource_id": "todo" - } + "object": "todo" }, { "meta": { - "version": "0.6", + "version": "0.7", "description": "Create a new Todo", "policyId": "PostTodo" }, - "subject": { - "members": ["role:admin","role:editor"] - }, + "subjects": [ + "role:admin", + "role:editor" + ], "actions": [ - { - "actionUri": "can_create_todo" - } + "can_create_todo" ], - "object": { - "resource_id": "todo" - } + "object": "todo" }, { "meta": { - "version": "0.6", + "version": "0.7", "description": "Edit(complete) a todo.", "policyId": "PutTodo" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "can_update_todo" - } + "can_update_todo" ], "condition": { "rule": "subject.roles co evil_genius or ( subject.roles co editor and resource.ownerID eq subject.claims.id )", "action": "allow" }, - "object": { - "resource_id": "todo" - } + "object": "todo" }, { "meta": { - "version": "0.6", + "version": "0.7", "description": "Delete a todo if admin or owner of todo", "policyId": "DeleteTodo" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "can_delete_todo" - } + "can_delete_todo" ], "condition": 
{ "rule": "subject.roles co admin or ( subject.roles co editor and resource.ownerID eq subject.claims.id )", "action": "allow" }, - "object": { - "resource_id": "todo" - } + "object": "todo" } ] } \ No newline at end of file diff --git a/go.mod b/go.mod index 9f514f9..7d033f4 100644 --- a/go.mod +++ b/go.mod @@ -4,18 +4,20 @@ go 1.23 toolchain go1.23.0 +// replace github.com/hexa-org/policy-mapper => ../policy-mapper + require ( github.com/golang-jwt/jwt/v5 v5.2.1 github.com/gorilla/mux v1.8.1 - github.com/hexa-org/policy-mapper v0.6.15 - github.com/open-policy-agent/opa v0.67.1 + github.com/hexa-org/policy-mapper v0.7.0-alpha.2 + github.com/open-policy-agent/opa v0.68.0 github.com/stretchr/testify v1.9.0 github.com/tidwall/gjson v1.17.3 - golang.org/x/net v0.28.0 + golang.org/x/net v0.29.0 ) require ( - cloud.google.com/go/auth v0.9.0 // indirect + cloud.google.com/go/auth v0.9.4 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect cloud.google.com/go/compute/metadata v0.5.0 // indirect github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect 
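Review bot: The added line `// replace github.com/hexa-org/policy-mapper => ../policy-mapper` looks like a leftover local-development override and should be removed from the committed go.mod. If someone uncomments it, the policy engine dependency resolves from a sibling directory, and directory replacements are not verified against go.sum. A `go.work` file kept out of version control serves the same purpose without touching go.mod. The same hunk pins `policy-mapper` to the pre-release `v0.7.0-alpha.2`; if that is deliberate for the 0.7 IDQL migration, note in the commit description when it will move to a tagged release.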
@@ -25,31 +27,31 @@ require ( github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect github.com/alexedwards/scs/v2 v2.8.0 // indirect - github.com/aws/aws-sdk-go-v2 v1.30.4 // indirect + github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.4 // indirect - github.com/aws/aws-sdk-go-v2/config v1.27.28 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.28 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 // indirect + github.com/aws/aws-sdk-go-v2/config v1.27.33 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect - github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.16 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.17 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.18 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.16 // indirect - github.com/aws/aws-sdk-go-v2/service/s3 v1.60.0 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.30.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.19 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect + 
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.17 // indirect + github.com/aws/aws-sdk-go-v2/service/s3 v1.61.2 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 // indirect github.com/aws/smithy-go v1.20.4 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect github.com/cespare/xxhash v1.1.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect - github.com/containerd/containerd v1.7.20 // indirect - github.com/containerd/errdefs v0.1.0 // indirect + github.com/containerd/containerd v1.7.22 // indirect + github.com/containerd/errdefs v0.2.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect github.com/coreos/go-oidc/v3 v3.11.0 // indirect @@ -66,7 +68,7 @@ require ( github.com/go-logr/stdr v1.2.2 // indirect github.com/go-playground/locales v0.14.1 // indirect github.com/go-playground/universal-translator v0.18.1 // indirect - github.com/go-playground/validator/v10 v10.22.0 // indirect + github.com/go-playground/validator/v10 v10.22.1 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gofrs/flock v0.12.1 // indirect github.com/gogo/protobuf v1.3.2 // indirect @@ -77,7 +79,7 @@ require ( github.com/google/flatbuffers v24.3.25+incompatible // indirect github.com/google/s2a-go v0.1.8 // indirect github.com/google/uuid v1.6.0 - github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/hhsnopek/etag v0.0.0-20171206181245-aea95f647346 // indirect 
@@ -92,13 +94,13 @@ require ( github.com/olekukonko/tablewriter v0.0.5 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect - github.com/pelletier/go-toml/v2 v2.2.2 // indirect + github.com/pelletier/go-toml/v2 v2.2.3 // indirect github.com/peterh/liner v1.2.2 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/prometheus/client_golang v1.20.1 // indirect + github.com/prometheus/client_golang v1.20.3 // indirect github.com/prometheus/client_model v0.6.1 // indirect - github.com/prometheus/common v0.55.0 // indirect + github.com/prometheus/common v0.59.1 // indirect github.com/prometheus/procfs v0.15.1 // indirect github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect github.com/rivo/uniseg v0.4.7 // indirect 
@@ -121,27 +123,27 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect - go.opentelemetry.io/otel v1.28.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 // indirect - go.opentelemetry.io/otel/metric v1.28.0 // indirect - go.opentelemetry.io/otel/sdk v1.28.0 // indirect - go.opentelemetry.io/otel/trace v1.28.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect + go.opentelemetry.io/otel v1.30.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.30.0 // indirect + go.opentelemetry.io/otel/sdk v1.30.0 // indirect + go.opentelemetry.io/otel/trace v1.30.0 // indirect go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.uber.org/automaxprocs v1.5.3 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/crypto v0.26.0 // indirect - golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa - golang.org/x/oauth2 v0.22.0 // indirect + golang.org/x/crypto v0.27.0 // indirect + golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 + golang.org/x/oauth2 v0.23.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/sys v0.24.0 // indirect - golang.org/x/text v0.17.0 // indirect + golang.org/x/sys v0.25.0 // indirect + golang.org/x/text v0.18.0 // indirect golang.org/x/time v0.6.0 // indirect - google.golang.org/api v0.193.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240820151423-278611b39280 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240820151423-278611b39280 // indirect - google.golang.org/grpc 
v1.65.0 // indirect + google.golang.org/api v0.197.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect + google.golang.org/grpc v1.66.2 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum index 0f3c84b..47723d9 100644 --- a/go.sum +++ b/go.sum 
@@ -1,14 +1,14 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go/auth v0.9.0 h1:cYhKl1JUhynmxjXfrk4qdPc6Amw7i+GC9VLflgT0p5M= -cloud.google.com/go/auth v0.9.0/go.mod h1:2HsApZBr9zGZhC9QAXsYVYaWk8kNUt37uny+XVKi7wM= +cloud.google.com/go/auth v0.9.4 h1:DxF7imbEbiFu9+zdKC6cKBko1e8XeJnipNqIbWZ+kDI= +cloud.google.com/go/auth v0.9.4/go.mod h1:SHia8n6//Ya940F1rLimhJCjjx7KE17t0ctFEci3HkA= cloud.google.com/go/auth/oauth2adapt v0.2.4 h1:0GWE/FUsXhf6C+jAkWgYm7X9tK8cuEIfy19DBn6B6bY= cloud.google.com/go/auth/oauth2adapt v0.2.4/go.mod h1:jC/jOpwFP6JBxhB3P5Rr0a9HLMC/Pe3eaL4NmdvqPtc= cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY= cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0 h1:GJHeeA2N7xrG3q30L2UXDyuWRzDM900/65j70wcM4Ww= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 h1:nyQWyZvwGTvunIMxi1Y9uXkcyr+I7TeNrr/foo4Kpk8= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY= 
@@ -38,52 +38,52 @@ github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmO github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= -github.com/aws/aws-sdk-go-v2 v1.30.4 h1:frhcagrVNrzmT95RJImMHgabt99vkXGslubDaDagTk8= -github.com/aws/aws-sdk-go-v2 v1.30.4/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= +github.com/aws/aws-sdk-go-v2 v1.30.5 h1:mWSRTwQAb0aLE17dSzztCVJWI9+cRMgqebndjwDyK0g= +github.com/aws/aws-sdk-go-v2 v1.30.5/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.4 h1:70PVAiL15/aBMh5LThwgXdSQorVr91L127ttckI9QQU= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.4/go.mod h1:/MQxMqci8tlqDH+pjmoLu1i0tbWCUP1hhyMRuFxpQCw= -github.com/aws/aws-sdk-go-v2/config v1.27.28 h1:OTxWGW/91C61QlneCtnD62NLb4W616/NM1jA8LhJqbg= -github.com/aws/aws-sdk-go-v2/config v1.27.28/go.mod h1:uzVRVtJSU5EFv6Fu82AoVFKozJi2ZCY6WRCXj06rbvs= -github.com/aws/aws-sdk-go-v2/credentials v1.17.28 h1:m8+AHY/ND8CMHJnPoH7PJIRakWGa4gbfbxuY9TGTUXM= -github.com/aws/aws-sdk-go-v2/credentials v1.17.28/go.mod h1:6TF7dSc78ehD1SL6KpRIPKMA1GyyWflIkjqg+qmf4+c= -github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.14.9 h1:aVVgQDwvAGq8Olf9nb+sQgSujPEybAg4ptxm+L2zisY= -github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.14.9/go.mod h1:uCzvi36pXcTcGHwWXPHXkhaK9F4AjNo+IByRSv7BRe4= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 h1:yjwoSyDZF8Jth+mUk5lSPJCkMC0lMy6FaCD51jm6ayE= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12/go.mod h1:fuR57fAgMk7ot3WcNQfb6rSEn+SUffl7ri+aa8uKysI= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 
h1:TNyt/+X43KJ9IJJMjKfa3bNTiZbUP7DeCxfbTROESwY= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16/go.mod h1:2DwJF39FlNAUiX5pAc0UNeiz16lK2t7IaFcm0LFHEgc= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 h1:jYfy8UPmd+6kJW5YhY0L1/KftReOGxI/4NtVSTh9O/I= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16/go.mod h1:7ZfEPZxkW42Afq4uQB8H2E2e6ebh6mXTueEpYzjCzcs= +github.com/aws/aws-sdk-go-v2/config v1.27.33 h1:Nof9o/MsmH4oa0s2q9a0k7tMz5x/Yj5k06lDODWz3BU= +github.com/aws/aws-sdk-go-v2/config v1.27.33/go.mod h1:kEqdYzRb8dd8Sy2pOdEbExTTF5v7ozEXX0McgPE7xks= +github.com/aws/aws-sdk-go-v2/credentials v1.17.32 h1:7Cxhp/BnT2RcGy4VisJ9miUPecY+lyE9I8JvcZofn9I= +github.com/aws/aws-sdk-go-v2/credentials v1.17.32/go.mod h1:P5/QMF3/DCHbXGEGkdbilXHsyTBX5D3HSwcrSc9p20I= +github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.15.2 h1:ss2pLhKcLRqzzWR08Z3arJN1R/9gcjDbzlYHyYNZ/F0= +github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.15.2/go.mod h1:luXuuIR1T/EQo8PO3rkxKajO0hMRa7NYUhComrBpgW0= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 h1:pfQ2sqNpMVK6xz2RbqLEL0GH87JOwSxPV2rzm8Zsb74= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13/go.mod h1:NG7RXPUlqfsCLLFfi0+IpKN4sCB9D9fw/qTaSB+xRoU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 h1:pI7Bzt0BJtYA0N/JEC6B8fJ4RBrEMi1LBrkMdFYNSnQ= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17/go.mod h1:Dh5zzJYMtxfIjYW+/evjQ8uj2OyR/ve2KROHGHlSFqE= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 h1:Mqr/V5gvrhA2gvgnF42Zh5iMiQNcOYthFYwCyrnuWlc= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17/go.mod h1:aLJpZlCmjE+V+KtN1q1uyZkfnUWpQGpbsn89XPKyzfU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.16 h1:mimdLQkIX1zr8GIPY1ZtALdBQGxcASiBd2MOp8m/dMc= 
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.16/go.mod h1:YHk6owoSwrIsok+cAH9PENCOGoH5PU2EllX4vLtSrsY= -github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.41.4 h1:jkvdmVYoVWVrAIjgt9aiR9e7GRK2DnxrMnvKjA5EJd0= -github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.41.4/go.mod h1:aynIysFCBIq18wfN2GrIYAeofOnQKV3LtkjyrQKfaFY= -github.com/aws/aws-sdk-go-v2/service/dynamodb v1.34.3 h1:nEhZKd1JQ4EB1tekcqW1oIVpDC1ZFrjrp/cLC5MXjFQ= -github.com/aws/aws-sdk-go-v2/service/dynamodb v1.34.3/go.mod h1:q9vzW3Xr1KEXa8n4waHiFt1PrppNDlMymlYP+xpsFbY= -github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.22.3 h1:r27/FnxLPixKBRIlslsvhqscBuMK8uysCYG9Kfgm098= -github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.22.3/go.mod h1:jqOFyN+QSWSoQC+ppyc4weiO8iNQXbzRbxDjQ1ayYd4= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.17 h1:Roo69qTpfu8OlJ2Tb7pAYVuF0CpuUMB0IYWwYP/4DZM= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.17/go.mod h1:NcWPxQzGM1USQggaTVwz6VpqMZPX1CvDJLDh6jnOCa4= +github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.43.4 h1:C8uf+nwieFWZtdPTCYOM8u/UyaIsDPfr95TJrfYekwQ= +github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.43.4/go.mod h1:hsciKQ2xFfOPEuebyKmFo7wOSVNoLuzmCi6Qtol4UDc= +github.com/aws/aws-sdk-go-v2/service/dynamodb v1.34.8 h1:XTz8pSCsPiM9FpT+gTPIL6ryiu/T4Z3dpR/FBtPaBXA= +github.com/aws/aws-sdk-go-v2/service/dynamodb v1.34.8/go.mod h1:N3YdUYxyxhiuAelUgCpSVBuBI1klobJxZrDtL+olu10= +github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.22.7 h1:VTBHXWkSeFgT3sfYB4U92qMgzHl0nz9H1tYNHHutLg0= +github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.22.7/go.mod h1:F/ybU7YfgFcktSp+biKgiHjyscGhlZxOz4QFFQqHXGw= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 h1:KypMCbLPPHEmf9DgMGw51jMj77VfGPAN2Kv4cfhlfgI= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4/go.mod h1:Vz1JQXliGcQktFTN/LN6uGppAIRoLBR2bMvIMP0gOjc= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.18 
h1:GckUnpm4EJOAio1c8o25a+b3lVfwVzC9gnSBqiiNmZM= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.18/go.mod h1:Br6+bxfG33Dk3ynmkhsW2Z/t9D4+lRqdLDNCKi85w0U= -github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.16 h1:lhAX5f7KpgwyieXjbDnRTjPEUI0l3emSRyxXj1PXP8w= -github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.16/go.mod h1:AblAlCwvi7Q/SFowvckgN+8M3uFPlopSYeLlbNDArhA= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18 h1:tJ5RnkHCiSH0jyd6gROjlJtNwov0eGYNz8s8nFcR0jQ= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18/go.mod h1:++NHzT+nAF7ZPrHPsA+ENvsXkOO8wEu+C6RXltAG4/c= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.16 h1:jg16PhLPUiHIj8zYIW6bqzeQSuHVEiWnGA0Brz5Xv2I= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.16/go.mod h1:Uyk1zE1VVdsHSU7096h/rwnXDzOzYQVl+FNPhPw7ShY= -github.com/aws/aws-sdk-go-v2/service/s3 v1.60.0 h1:2QXGJvG19QwqXUvgcdoCOZPyLuvZf8LiXPCN4P53TdI= -github.com/aws/aws-sdk-go-v2/service/s3 v1.60.0/go.mod h1:BSPI0EfnYUuNHPS0uqIo5VrRwzie+Fp+YhQOUs16sKI= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 h1:zCsFCKvbj25i7p1u94imVoO447I/sFv8qq+lGJhRN0c= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.5/go.mod h1:ZeDX1SnKsVlejeuz41GiajjZpRSWR7/42q/EyA/QEiM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 h1:SKvPgvdvmiTWoi0GAJ7AsJfOz3ngVkD/ERbs5pUnHNI= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5/go.mod h1:20sz31hv/WsPa3HhU3hfrIet2kxM4Pe0r20eBZ20Tac= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.4 h1:iAckBT2OeEK/kBDyN/jDtpEExhjeeA/Im2q4X0rJZT8= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.4/go.mod h1:vmSqFK+BVIwVpDAGZB3CoCXHzurt4qBE8lf+I/kRTh0= -github.com/aws/aws-sdk-go-v2/service/verifiedpermissions v1.17.3 h1:RvKL61+VcqZIL9dS3BE0bQTyN1lCrDCv3cz9kdkNm6k= -github.com/aws/aws-sdk-go-v2/service/verifiedpermissions v1.17.3/go.mod h1:AmO4nIKOKHzJCbVn467c4keHpzmZwy7s98zEsLjcJos= 
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.19 h1:FLMkfEiRjhgeDTCjjLoc3URo/TBkgeQbocA78lfkzSI= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.19/go.mod h1:Vx+GucNSsdhaxs3aZIKfSUjKVGsxN25nX2SRcdhuw08= +github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.18 h1:GACdEPdpBE59I7pbfvu0/Mw1wzstlP3QtPHklUxybFE= +github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.18/go.mod h1:K+xV06+Wni4TSaOOJ1Y35e5tYOCUBYbebLKmJQQa8yY= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 h1:rfprUlsdzgl7ZL2KlXiUAoJnI/VxfHCvDFr2QDFj6u4= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19/go.mod h1:SCWkEdRq8/7EK60NcvvQ6NXKuTcchAD4ROAsC37VEZE= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.17 h1:u+EfGmksnJc/x5tq3A+OD7LrMbSSR/5TrKLvkdy/fhY= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.17/go.mod h1:VaMx6302JHax2vHJWgRo+5n9zvbacs3bLU/23DNQrTY= +github.com/aws/aws-sdk-go-v2/service/s3 v1.61.2 h1:Kp6PWAlXwP1UvIflkIP6MFZYBNDCa4mFCGtxrpICVOg= +github.com/aws/aws-sdk-go-v2/service/s3 v1.61.2/go.mod h1:5FmD/Dqq57gP+XwaUnd5WFPipAuzrf0HmupX27Gvjvc= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 h1:pIaGg+08llrP7Q5aiz9ICWbY8cqhTkyy+0SHvfzQpTc= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.7/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 h1:/Cfdu0XV3mONYKaOt1Gr0k1KvQzkzPyiKUdlWJqy+J4= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 h1:NKTa1eqZYw8tiHSRGpP0VtTdub/8KNk8sDkNPFaOKDE= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.7/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o= +github.com/aws/aws-sdk-go-v2/service/verifiedpermissions v1.17.6 h1:OALTvlqxlJysbfpPN02yEaQbq+i0mupm14m28IadjXs= +github.com/aws/aws-sdk-go-v2/service/verifiedpermissions v1.17.6/go.mod 
h1:/il6CcYy1TceX8GhBT8qbEUiqIGP/R+OvlztiT8OMEw= github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4= github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -100,17 +100,17 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw= -github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= github.com/containerd/cgroups/v3 v3.0.2 h1:f5WFqIVSgo5IZmtTT3qVBo6TzI1ON6sycSBKkymb9L0= github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxzYgkGmIcetmErE= -github.com/containerd/containerd v1.7.20 h1:Sl6jQYk3TRavaU83h66QMbI2Nqg9Jm6qzwX57Vsn1SQ= -github.com/containerd/containerd v1.7.20/go.mod h1:52GsS5CwquuqPuLncsXwG0t2CiUce+KsNHJZQJvAgR0= +github.com/containerd/containerd v1.7.22 h1:nZuNnNRA6T6jB975rx2RRNqqH2k6ELYKDZfqTHqwyy0= +github.com/containerd/containerd v1.7.22/go.mod h1:e3Jz1rYRUZ2Lt51YrH9Rz0zPyJBOlSvB3ghr2jbVD8g= github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM= github.com/containerd/continuity v0.4.2/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= -github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM= -github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0= +github.com/containerd/errdefs v0.2.0 h1:XllDESRfJtVrMwMmR2mCabxyvBK4UlbyyiWI3MvRw0o= +github.com/containerd/errdefs v0.2.0/go.mod 
h1:C28ixlj3dKhQS9hsQ13b+HIb4X7+s2G4FYhbSPcRDLM= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= @@ -141,8 +141,8 @@ github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+m github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI= -github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= +github.com/envoyproxy/go-control-plane v0.13.0 h1:HzkeUz1Knt+3bK+8LG1bxOO/jzWZmdxpwC51i202les= +github.com/envoyproxy/go-control-plane v0.13.0/go.mod h1:GRaKG3dwvFoTg4nj7aXdZnvMg4d7nvT/wl9WgVXn3Q8= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= 
@@ -172,8 +172,8 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY= github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= -github.com/go-playground/validator/v10 v10.22.0 h1:k6HsTZ0sTnROkhS//R0O+55JgM8C4Bx7ia+JlgcnOao= -github.com/go-playground/validator/v10 v10.22.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= +github.com/go-playground/validator/v10 v10.22.1 h1:40JcKH+bBNGFczGuoBYgX4I6m/i27HYW8P9FDk5PbgA= +github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= 
@@ -205,8 +205,8 @@ github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84= -github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg= +github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI= +github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc= github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/flatbuffers v24.3.25+incompatible h1:CX395cjN9Kke9mmalRoL3d81AtFUxJM+yDthflgJGkI= github.com/google/flatbuffers v24.3.25+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= 
@@ -225,8 +225,8 @@ github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= -github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= +github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw= +github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA= github.com/googleapis/gax-go/v2 v2.13.0 h1:yitjD5f7jQHhyDsnhKEBU52NdvvdSeGzlAnDPT0hH1s= github.com/googleapis/gax-go/v2 v2.13.0/go.mod h1:Z/fvTZXF8/uw7Xu5GuslPw+bplx6SS338j1Is2S+B7A= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= 
@@ -235,8 +235,8 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjw github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hexa-org/policy-mapper v0.6.15 h1:M6iWrUWbtrF/1j/d2j0zOA5RLpU5R8qDiuGSviDXSec= -github.com/hexa-org/policy-mapper v0.6.15/go.mod h1:BDbdYIbnZj1aexvYl3BXRoFBv9CpdcuKfmDB2u2FNXU= +github.com/hexa-org/policy-mapper v0.7.0-alpha.2 h1:LHZoCTgpS53IhEeyuR00nLPp3KY4kA3klpSM+IrLTgA= +github.com/hexa-org/policy-mapper v0.7.0-alpha.2/go.mod h1:RMF+I1t2Wc5tRmy5mYiHjDww+ZzPEe/mA2xITGyyKRQ= github.com/hhsnopek/etag v0.0.0-20171206181245-aea95f647346 h1:Odeq5rB6OZSkib5gqTG+EM1iF0bUVjYYd33XB1ULv00= github.com/hhsnopek/etag v0.0.0-20171206181245-aea95f647346/go.mod h1:4ggHM2qnyyZjenBb7RpwVzIj+JMsu9kHCVxMjB30hGs= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= 
@@ -277,37 +277,41 @@ github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78= github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= +github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= +github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= -github.com/open-policy-agent/opa v0.67.1 h1:rzy26J6g1X+CKknAcx0Vfbt41KqjuSzx4E0A8DAZf3E= -github.com/open-policy-agent/opa v0.67.1/go.mod h1:aqKlHc8E2VAAylYE9x09zJYr/fYzGX+JKne89UGqFzk= +github.com/open-policy-agent/opa v0.68.0 h1:Jl3U2vXRjwk7JrHmS19U3HZO5qxQRinQbJ2eCJYSqJQ= +github.com/open-policy-agent/opa v0.68.0/go.mod h1:5E5SvaPwTpwt2WM177I9Z3eT7qUpmOGjk1ZdHs+TZ4w= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= -github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= 
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M= +github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc= github.com/peterh/liner v1.2.2 h1:aJ4AOodmL+JxOZZEL2u9iJf8omNRpqHc/EbrK+3mAXw= github.com/peterh/liner v1.2.2/go.mod h1:xFwJyiKIXJZUKItq5dGHZSTBRAuG/CpeNpWLyiNRNwI= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= -github.com/prometheus/client_golang v1.20.1 h1:IMJXHOD6eARkQpxo8KkhgEVFlBNm+nkrFUyGlIu7Na8= -github.com/prometheus/client_golang v1.20.1/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.3 h1:oPksm4K8B+Vt35tUhw6GbSNSgVlVSBH0qELP/7u83l4= +github.com/prometheus/client_golang v1.20.3/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 
github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= -github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= -github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/common v0.59.1 h1:LXb1quJHWm1P6wq/U824uxYi4Sg0oGvNeUm1z5dJoX0= +github.com/prometheus/common v0.59.1/go.mod h1:GpWM7dewqmVYcd7SmRaiWVe9SSqjf0UrwnYnpEZNuT0= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= @@ -361,7 +365,6 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= 
@@ -390,20 +393,20 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= -go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= -go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw= -go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= -go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= -go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= -go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= -go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= -go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod 
h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0 h1:lsInsfvhVIfOI6qHVyysXMNDnjO9Npvl7tlDPJFBVd4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0/go.mod h1:KQsVNh4OjgjTG0G6EiNi1jVpnaeeKsKMRwbLN+f1+8M= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0 h1:m0yTiGDLUvVYaTFbAvCkVYIYcvwKt3G7OLoN77NUs/8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0/go.mod h1:wBQbT4UekBfegL2nx0Xk1vBcnzyBPsIVm9hRG4fYcr4= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= +go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= +go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8= 
@@ -416,18 +419,18 @@ golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= -golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= +golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI= -golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= +golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk= +golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= -golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= 
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -437,11 +440,11 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= -golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= +golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA= -golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= +golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -459,12 +462,12 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20211117180635-dee7805ff2e1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= -golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= -golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -475,32 +478,32 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= -golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= +golang.org/x/tools v0.25.0 h1:oFU9pkj/iJgs+0DT+VMHrx+oBKs/LJMV+Uvg78sl+fE= +golang.org/x/tools v0.25.0/go.mod h1:/vtpO8WL1N9cQC3FN5zPqb//fRXskFHbLKk4OW1Q7rg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/api v0.193.0 h1:eOGDoJFsLU+HpCBaDJex2fWiYujAw9KbXgpOAMePoUs= -google.golang.org/api v0.193.0/go.mod h1:Po3YMV1XZx+mTku3cfJrlIYR03wiGrCOsdpC67hjZvw= +google.golang.org/api v0.197.0 h1:x6CwqQLsFiA5JKAiGyGBjc2bNtHtLddhJCE2IKuhhcQ= +google.golang.org/api v0.197.0/go.mod h1:AuOuo20GoQ331nq7DquGHlU6d+2wN2fZ8O0ta60nRNw= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto 
v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20240820151423-278611b39280 h1:YDFM9oOjiFhaMAVgbDxfxW+66nRrsvzQzJ51wp3OxC0= -google.golang.org/genproto/googleapis/api v0.0.0-20240820151423-278611b39280/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240820151423-278611b39280 h1:XQMA2e105XNlEZ8NRF0HqnUOZzP14sUSsgL09kpdNnU= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240820151423-278611b39280/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= +google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= -google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +google.golang.org/grpc v1.66.2 
h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo= +google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= diff --git a/pkg/bundleTestSupport/bundleTestSupport.go b/pkg/bundleTestSupport/bundleTestSupport.go index c2f69ce..f638f22 100644 --- a/pkg/bundleTestSupport/bundleTestSupport.go +++ b/pkg/bundleTestSupport/bundleTestSupport.go 
@@ -23,101 +23,60 @@ var dataString = ` { "meta": { "policyId": "GetUsers", - "version": "0.6", + "version": "0.7", "description": "Get information (e.g. email, picture) associated with a user" }, - "subject": { - "members": ["anyAuthenticated"] - }, - "actions": [ - { - "actionUri": "can_read_user" - } - ], - "object": { - "resource_id": "todo" - } + "subjects": ["anyAuthenticated"], + "actions": ["can_read_user"], + "object": "todo" }, { "meta": { "policyId": "GetTodos", - "version": "0.6", - + "version": "0.7", "description": "Get the list of todos. Always returns true for every user??" }, - "subject": { - "members": ["anyAuthenticated"] - }, - "actions": [ - { - "actionUri": "can_read_todos" - } - ], - "object": { - "resource_id": "todo" - } + "subjects": ["anyAuthenticated"], + "actions": ["can_read_todos"], + "object": "todo" }, { "meta": { - "version": "0.6", + "version": "0.7", "description": "Create a new Todo", "policyId": "PostTodo" }, - "subject": { - "members": ["role:admin","role:editor"] - }, - "actions": [ - { - "actionUri": "can_create_todo" - } - ], - "object": { - "resource_id": "todo" - } + "subjects": ["role:admin","role:editor"], + "actions": ["can_create_todo"], + "object": "todo" }, { "meta": { - "version": "0.6", + "version": "0.7", "description": "Edit(complete) a todo.", "policyId": "PutTodo" }, - "subject": { - "members": ["anyAuthenticated"] - }, - "actions": [ - { - "actionUri": "can_update_todo" - } - ], + "subjects": ["anyAuthenticated"], + "actions": ["can_update_todo"], "condition": { "rule": "subject.roles co evil_genius or ( subject.roles co editor and resource.ownerID eq subject.claims.id )", "action": "allow" }, - "object": { - "resource_id": "todo" - } + "object": "todo" }, { "meta": { - "version": "0.6", + "version": "0.7", "description": "Delete a todo if admin or owner of todo", "policyId": "DeleteTodo" }, - "subject": { - "members": ["anyAuthenticated"] - }, - "actions": [ - { - "actionUri": "can_delete_todo" - } - ], + 
"subjects": ["anyAuthenticated"], + "actions": ["can_delete_todo"], "condition": { "rule": "subject.roles co admin or ( subject.roles co editor and resource.ownerID eq subject.claims.id )", "action": "allow" }, - "object": { - "resource_id": "todo" - } + "object": "todo" } ] }` @@ -145,6 +104,7 @@ func GetTestBundlePath(bundle string) string { } func InitTestEmptyBundleDir(t *testing.T) string { + t.Helper() tempDir, err := os.MkdirTemp("", "policy-opa-empty-*") assert.NoError(t, err, "No error creating tempdir") diff --git a/pkg/bundleTestSupport/test/badDataBundle/bundle/hexaPolicyV2.rego b/pkg/bundleTestSupport/test/badDataBundle/bundle/hexaPolicyV2.rego index 82ae00f..164ea63 100644 --- a/pkg/bundleTestSupport/test/badDataBundle/bundle/hexaPolicyV2.rego +++ b/pkg/bundleTestSupport/test/badDataBundle/bundle/hexaPolicyV2.rego 
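Review bot: The fixture's subject list moves from `subject.members` to a top-level `"subjects"` array here, but the new side of `hexaPolicyV2.rego` in this same commit still passes `policy.subject` to `subject_match` inside the `allow_set` rule. If that interpreter, or one with the same rule, evaluates this `dataString`, the reference is undefined for every policy in the fixture, so `allow_set` would presumably stay empty and the `role:admin`/`role:editor` restriction on `PostTodo` would never be exercised. The rego file sits under `test/badDataBundle`, so the mismatch may be deliberate; if it is not, the call should read `subject_match(policy.subjects, input.subject, input.req)`. A test that expects a deny on `can_create_todo` for a subject holding neither role would pin the renamed key.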
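Review bot: In `InitTestEmptyBundleDir`, a failed `os.MkdirTemp` is only recorded by `assert.NoError`, which (if this is testify's `assert`, as the call shape suggests) does not stop the test, so the rest of the function would carry on with an empty `tempDir`. The body continues outside the hunk, so what is then written is not visible here, but an empty base path would normally resolve against the working directory rather than a scratch location. Now that the helper calls `t.Helper()`, it can take the directory from the test itself with `tempDir := t.TempDir()`, which fails the test on error and removes the directory when the test ends. If the `policy-opa-empty-*` name has to stay, `if err != nil { t.Fatalf("creating tempdir: %v", err) }` after the `MkdirTemp` call gives the same stop-on-error guarantee.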
@@ -1,183 +1,204 @@ package hexaPolicy -# Rego Policy Interpreter for IDQL V0.62.1b (IDQL) +# Rego Hexa Policy Interpreter v0.7.0 import rego.v1 -import data.policies +import data.bundle.policies -# Returns whether the current operation is allowed -allow if { - count(allowSet) > 0 +hexa_rego_version := "0.7.0" + +policies_evaluated := count(policies) + +# Returns the list of matching policy names based on current request +allow_set contains policy_id if { + some policy in policies + + # return id of the policy + policy_id := sprintf("%s", [policy.meta.policyId]) + + subject_match(policy.subject, input.subject, input.req) + + actions_match(policy.actions, input.req) + + object_match(policy.object, input.req) + + condition_match(policy, input) +} + +scopes contains scope if { + some policy in policies + policy.meta.policyId in allow_set + + scope := { + "policyId": policy.meta.policyId, + "scope": policy.scope + } } # Returns the list of possible actions allowed (e.g. for UI buttons) -actionRights contains name if { +action_rights contains name if { some policy in policies - policy.meta.policyId in allowSet + policy.meta.policyId in allow_set some action in policy.actions - name := sprintf("%s/%s", [policy.meta.policyId, action.actionUri]) + name := sprintf("%s:%s", [policy.meta.policyId, action]) } -# Returns the list of matching policy names based on current request -allowSet contains name if { - some policy in policies - subjectMatch(policy.subject, input.subject, input.req) - actionsMatch(policy.actions, input.req) - objectMatch(policy.object, input.req) - conditionMatch(policy, input) - - name := policy.meta.policyId # this will be id of the policy +# Returns whether the current operation is allowed +allow if { + count(allow_set) > 0 } -subjectMatch(psubject, _, _) if { - # Match if no members value specified - not psubject.members +subject_match(psubject, _, _) if { + # Match if no value specified - treat as wildcard + not psubject } -subjectMatch(psubject, 
insubject, req) if { - # Match if no members value specified - some member in psubject.members - subjectMemberMatch(member, insubject, req) +subject_match(psubject, insubject, req) if { + # Match if a member matches + some member in psubject + subject_member_match(member, insubject, req) } -subjectMemberMatch(member, _, _) if { +subject_member_match(member, _, _) if { # If policy is any that we will skip processing of subject lower(member) == "any" } -subjectMemberMatch(member, insubj, _) if { +subject_member_match(member, insubj, _) if { # anyAutheticated - A match occurs if input.subject has a value other than anonymous and exists. insubj.sub # check sub exists lower(member) == "anyauthenticated" } # Check for match based on user: -subjectMemberMatch(member, insubj, _) if { +subject_member_match(member, insubj, _) if { startswith(lower(member), "user:") user := substring(member, 5, -1) lower(user) == lower(insubj.sub) } # Check for match if sub ends with domain -subjectMemberMatch(member, insubj, _) if { +subject_member_match(member, insubj, _) if { startswith(lower(member), "domain:") domain := lower(substring(member, 7, -1)) endswith(lower(insubj.sub), domain) } # Check for match based on role -subjectMemberMatch(member, insubj, _) if { +subject_member_match(member, insubj, _) if { startswith(lower(member), "role:") role := substring(member, 5, -1) role in insubj.roles } -subjectMemberMatch(member, _, req) if { - startswith(lower(member), "net:") +subject_member_match(member, _, req) if { + startswith(lower(member), "net:") cidr := substring(member, 4, -1) - addr := split(req.ip, ":") # Split because IP is address:port + addr := split(req.ip, ":") # Split because IP is address:port net.cidr_contains(cidr, addr[0]) } -actionsMatch(actions, _) if { +actions_match(actions, _) if { # no actions is a match not actions } -actionsMatch(actions, req) if { +actions_match(actions, req) if { some action in actions - actionMatch(action, req) + action_match(action, req) } 
-actionMatch(action, req) if { +action_match(action, req) if { # Check for match based on ietf http - checkIetfMatch(action.actionUri, req) + check_http_match(action, req) } -actionMatch(action, req) if { - action.actionUri # check for an action +action_match(action, req) if { + action # check for an action count(req.actionUris) > 0 # Check for a match based on req.ActionUris and actionUri - checkUrnMatch(action.actionUri, req.actionUris) + check_urn_match(action, req.actionUris) } -checkUrnMatch(policyUri, actionUris) if { +check_urn_match(policyUri, actionUris) if { some action in actionUris lower(policyUri) == lower(action) } -checkIetfMatch(actionUri, req) if { +check_http_match(actionUri, req) if { # first match the rule against literals - components := split(lower(actionUri), ":") - count(components) > 2 - components[0] == "ietf" - startswith(components[1], "http") + comps := split(lower(actionUri), ":") + count(comps) > 1 + + startswith(lower(comps[0]), "http") + startswith(lower(req.protocol), "http") - startswith(lower(input.req.protocol), "http") - checkHttpMethod(components[2], req.method) + check_http_method(comps[1], req.method) - checkPath(components[3], req) + pathcomps := array.slice(comps, 2, count(comps)) + path := concat(":", pathcomps) + check_path(path, req) } -objectMatch(object, req) if { - not object - not object.resource_id +object_match(object, _) if { + not object } -objectMatch(object, req) if { - object.resource_id +object_match(object, req) if { + object - some reqUri in req.resourceIds - lower(object.resource_id) == lower(reqUri) + some request_uri in req.resourceIds + lower(object) == lower(request_uri) } -checkHttpMethod(allowMask, _) if { +check_http_method(allowMask, _) if { contains(allowMask, "*") } -checkHttpMethod(allowMask, reqMethod) if { +check_http_method(allowMask, reqMethod) if { startswith(allowMask, "!") not contains(allowMask, lower(reqMethod)) } -checkHttpMethod(allowMask, reqMethod) if { 
+check_http_method(allowMask, reqMethod) if { not startswith(allowMask, "!") contains(allowMask, lower(reqMethod)) } -checkPath(path, req) if { +check_path(path, req) if { path # if path specified it must match - glob.match(path, ["*"], req.path) + glob.match(path, ["*"], req.path) } -checkPath(path, _) if { +check_path(path, _) if { not path # if path not specified, it will not be matched } -conditionMatch(policy, _) if { +condition_match(policy, _) if { not policy.condition # Most policies won't have a condition } -conditionMatch(policy, inreq) if { +condition_match(policy, inreq) if { policy.condition - not policy.condition.action # Default is to allow + not policy.condition.action # Default is to allow hexaFilter(policy.condition.rule, inreq) # HexaFilter evaluations the rule for a match against input } -conditionMatch(policy, inreq) if { +condition_match(policy, inreq) if { policy.condition - action(policy.condition.action) # if defined, action must be "allow" + action_allow(policy.condition.action) # if defined, action must be "allow" hexaFilter(policy.condition.rule, inreq) # HexaFilter evaluations the rule for a match against input } -conditionMatch(policy, inreq) if { - # If action is deny, then hexaFilter must be false +condition_match(policy, inreq) if { + # If action is deny, then hexaFilter must be false policy.condition - not action(policy.condition.action) + not action_allow(policy.condition.action) not hexaFilter(policy.condition.rule, inreq) # HexaFilter evaluations the rule for a match against input } -action(val) if lower(val) == "allow" +# Evaluate whether the condition is set to allow +action_allow(val) if lower(val) == "allow" diff --git a/pkg/decisionsupportproviders/opa_provider.go b/pkg/decisionsupportproviders/opa_provider.go index 8b3c3d4..45c13b3 100644 --- a/pkg/decisionsupportproviders/opa_provider.go +++ b/pkg/decisionsupportproviders/opa_provider.go 
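Review bot: `allow_set` passes `policy.subject` to `subject_match`, while the 0.7 policy data changed elsewhere in this commit stores the member list under `subjects`. If this bundle is ever fed 0.7 data, the reference is undefined and no policy can match, so tests built on it may pass for the wrong reason. If this copy is meant to track the 0.7 interpreter, the call should read `subject_match(policy.subjects, input.subject, input.req)`. The first `subject_match` body (`not psubject`) is commented as a wildcard for a missing value, but a call with an undefined argument is itself undefined in Rego, so that branch likely never fires for an absent field. A comment stating whether a policy without subjects should match everyone or no one would settle it, because the two readings differ in who is granted access.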
@@ -64,13 +64,19 @@ type ScopeObligation struct { Scope hexapolicy.ScopeInfo `json:"scope"` } +type PolicyParseError struct { + PolicyId string `json:"policyId"` + Error string `json:"error"` +} + type HexaOpaResult struct { - ActionRights []string `json:"action_rights"` - AllowSet []string `json:"allow_set"` - Allow bool `json:"allow"` - PoliciesEvaluated int `json:"policies_evaluated"` - HexaRegoVersion string `json:"hexa_rego_version"` - Scopes []ScopeObligation `json:"scopes"` + ActionRights []string `json:"action_rights"` + AllowSet []string `json:"allow_set"` + Allow bool `json:"allow"` + PoliciesEvaluated int `json:"policies_evaluated"` + HexaRegoVersion string `json:"hexa_rego_version"` + Scopes []ScopeObligation `json:"scopes,omitempty"` + PolicyErrors []PolicyParseError `json:"error_idql,omitempty"` } type OpaResponse struct { diff --git a/pkg/hexaConstants/constants.go b/pkg/hexaConstants/constants.go index 4eac0cf..6cc8bc1 100644 --- a/pkg/hexaConstants/constants.go +++ b/pkg/hexaConstants/constants.go @@ -1,6 +1,6 @@ package hexaConstants const ( - HexaOpaVersion = "V0.67.1" - HexaRegoVersion = "0.6.15" + HexaOpaVersion = "V0.68.0" + HexaRegoVersion = "0.7" ) diff --git a/pkg/mockopasupport/mock_opa_support.go b/pkg/mockopasupport/mock_opa_support.go index 16b616c..3adf7cc 100644 --- a/pkg/mockopasupport/mock_opa_support.go +++ b/pkg/mockopasupport/mock_opa_support.go 
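Review bot: `PolicyParseError` and the new `PolicyErrors` field are exported without doc comments, and nothing tells a caller how to treat a result that carries parse errors. I would add `// PolicyParseError identifies a policy by policyId together with the error reported for it.` above the type (wording to be confirmed against the Rego that fills it), and a field comment noting that `PolicyErrors` is serialized as `error_idql`. If `HexaOpaResult` is marshalled back to API clients unchanged, the `Error` text could expose policy contents, so it is worth confirming where this struct leaves the process. `PolicyId` would be `PolicyID` under Go's initialism convention; the JSON tag keeps the wire name the same.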
@@ -111,89 +111,63 @@ func (m *MockOPA) Shutdown() { _ = os.RemoveAll(m.BundleDir) } -var policyString = ` -{ +var policyString = `{ "policies": [ { "meta": { - "version": "0.6", + "version": "0.7", "policyId": "getRootPage", "description": "Retrieve the root page open to anyone" }, "actions": [ - { - "actionUri": "http:GET:/dashboard" - } + "http:GET:/dashboard" ], - "subject": { - "members": [ - "any" - ] - }, - "object": { - "resource_id": "hexaIndustries" - } + "subjects": [ + "any", + "anyauthenticated" + ], + "object": "hexaIndustries" }, { "meta": { - "version": "0.6", + "version": "0.7", "policyId": "getSales" }, "actions": [ - { - "actionUri": "sales" - } + "sales" ], - "subject": { - "members": [ - "role:sales", - "role:marketing" - ] - }, - "object": { - "resource_id": "hexaIndustries" - } + "subjects": [ + "role:sales", + "role:marketing" + ], + "object": "hexaIndustries" }, { "meta": { - "version": "0.6", + "version": "0.7", "policyId": "getAccounting" }, "actions": [ - { - "actionUri": "http:GET:/accounting" - }, - { - "actionUri": "http:POST:/accounting" - } + "http:GET:/accounting", + "http:POST:/accounting" ], - "subject": { - "members": [ - "role:accounting" - ] - }, - "object": { - "resource_id": "hexaIndustries" - } + "subjects": [ + "role:accounting" + ], + "object": "hexaIndustries" }, { "meta": { - "version": "0.6", + "version": "0.7", "policyId": "getHumanResources" }, "actions": [ - { - "actionUri": "http:GET:/humanresources" - } + "http:GET:/humanresources" ], - "subject": { - "members": [ - "role:humanresources" - ] - }, - "object": { - "resource_id": "hexaIndustries" - } + "subjects": [ + "role:humanresources" + ], + "object": "hexaIndustries" } ] }` diff --git a/server/conditionEvaluator/evaluator.go b/server/conditionEvaluator/evaluator.go index d8848c8..ba7250f 100644 --- a/server/conditionEvaluator/evaluator.go +++ b/server/conditionEvaluator/evaluator.go 
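Review bot: In `getRootPage` the new `subjects` list holds both `any` and `anyauthenticated`. The interpreter on this page matches `any` for every caller, so the second entry has no effect and the policy stays open to unauthenticated requests. If the mock is meant to exercise the `anyauthenticated` path, that member needs a policy of its own; otherwise dropping it keeps the fixture honest about what it grants. A short comment above `policyString` naming the policies that are intentionally public would help anyone who reuses the fixture.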
@@ -26,7 +26,7 @@ func Evaluate(expression string, input string) (bool, error) { log.Print("condition evaluation error: " + err.Error()) return false, err } - return evalWalk(*ast, input) + return evalWalk(ast, input) } func getAttributeValue(input string, path string) gjson.Result { diff --git a/server/hexaFilter/test/bundle/bundle_test/data-V1.json b/server/hexaFilter/test/bundle/bundle_test/data-V1.json index 3da49a5..f616d60 100644 --- a/server/hexaFilter/test/bundle/bundle_test/data-V1.json +++ b/server/hexaFilter/test/bundle/bundle_test/data-V1.json @@ -3,27 +3,19 @@ { "meta": { "policyId": "TestBasicCanary", - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Access enabling user self service for users with role" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } - ], - "object": { - "resource_id": "CanaryProfileService" - }, + "http:POST:/testpath*", + "http:PUT:/testpath*", + "http:GET:/testpath*" + ], + "object": "CanaryProfileService", "condition": { "rule": "subject.type eq basic", "action": "allow" 
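Review bot: On a parse failure `Evaluate` logs and then returns `false` together with the error, so a caller that drops the error sees the same value as "condition not met". That matters for negated use: the deny branch of `condition_match` in hexaPolicyV2.rego on this page requires `not hexaFilter(...)`. If the builtin's error surfaces there as undefined or false, a malformed deny rule would count as satisfied and the policy would grant. I would state the contract on the function, e.g. `// Evaluate returns false and a non-nil error when expression cannot be parsed; callers must treat an error as no-match, never as a negative result.` Because `ast` is now passed as a pointer instead of being dereferenced, `evalWalk` presumably has to handle a nil value itself; its body and the start of `Evaluate` are outside the hunk.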
@@ -32,56 +24,40 @@ { "meta": { "policyId": "TestBasicCanaryCondition", - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Access enabling user self service for users with role with condition" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } + "http:POST:/testpath*", + "http:PUT:/testpath*", + "http:GET:/testpath*" ], "condition": { "rule": "req.ip sw 127.0.0.1 and subject.type eq basic", "action": "allow" }, - "object": { - "resource_id": "CanaryProfileService" - } + "object": "CanaryProfileService" }, { "meta": { - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Tests any authenticated JWT user", "policyId": "TestJwtCanary" }, - "subject": { - "members": ["anyAuthenticated"] - }, + "subjects": [ + "anyAuthenticated" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:!PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } - ], - "object": { - "resource_id": "CanaryProfileService" - }, + "http:POST:/testpath*", + "http:!PUT:/testpath*", + "http:GET:/testpath*" + ], + "object": "CanaryProfileService", "condition": { "rule": "subject.type eq jwt and subject.iss eq testIssuer and subject.aud co testAudience", "action": "allow" 
@@ -89,109 +65,78 @@ }, { "meta": { - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Access enabling user self service for users with role", "policyId": "TestIPMaskCanary" }, - "subject": { - "comment": "any used, but the condition is what restricts subjects", - "members": ["net:127.0.0.1/24"] - }, + "subjects": [ + "net:127.0.0.1/24" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:!PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } + "http:POST:/testpath*", + "http:!PUT:/testpath*", + "http:GET:/testpath*" ], "condition": { "rule": "req.method eq GET", "action": "allow" }, - "object": { - "resource_id": "CanaryProfileService" - } + "object": "CanaryProfileService" }, { "meta": { - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Access enabling user self service for users with role", "policyId": "TestIPMaskCanaryPOST" }, - "subject": { - "members": ["net:192.1.0.1/24"] - }, + "subjects": [ + "net:192.1.0.1/24" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:!PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } - ], - "object": { - "resource_id": "CanaryProfileService" - } + "http:POST:/testpath*", + "http:!PUT:/testpath*", + "http:GET:/testpath*" + ], + "object": "CanaryProfileService" }, { "meta": { - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Access enabling user self service for users with role", "policyId": "TestIPMaskCanaryNotDelete" }, - "subject": { - "members": ["any"] - }, + "subjects": [ + "any" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:!PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } + "http:POST:/testpath*", + "http:!PUT:/testpath*", + "http:GET:/testpath*" ], "condition": { "rule": "req.ip sw 127 and 
req.method NE DELETE", "action": "allow" }, - "object": { - "resource_id": "CanaryProfileService" - } + "object": "CanaryProfileService" }, { "meta": { - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "Test that allows jwt authenticated specific subject *and* has a role", "policyId": "TestJwtRole" }, - "subject": { - "members" : ["user:BaSicBob"] - }, + "subjects": [ + "user:BaSicBob" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } - ], - "object": { - "resource_id": "CanaryProfileService" - }, + "http:POST:/testpath*", + "http:GET:/testpath*" + ], + "object": "CanaryProfileService", "condition": { "rule": "subject.type eq jwt and subject.iss eq testIssuer and subject.aud co testAudience and subject.roles co abc", "action": "allow" @@ -199,28 +144,22 @@ }, { "meta": { - "version": "0.6", + "version": "0.7", "date": "2021-08-01 21:32:44 UTC", "description": "test that allows JWT authenticated subjects with a role or specific users", "policyId": "TestJwtMember" }, - "subject": { - "members": ["role:abc","user:JwtAlice","user:BasicBoB"] - }, + "subjects": [ + "role:abc", + "user:JwtAlice", + "user:BasicBoB" + ], "actions": [ - { - "actionUri": "ietf:http:POST:/testpath*" - }, - { - "actionUri": "ietf:http:PUT:/testpath*" - }, - { - "actionUri": "ietf:http:GET:/testpath*" - } - ], - "object": { - "resource_id": "CanaryProfileService" - }, + "http:POST:/testpath*", + "http:PUT:/testpath*", + "http:GET:/testpath*" + ], + "object": "CanaryProfileService", "condition": { "rule": "subject.type eq jwt and subject.iss eq testIssuer and subject.aud co testAudience", "action": "allow" diff --git a/server/hexaFilter/test/bundle/hexaPolicyV2.rego b/server/hexaFilter/test/bundle/hexaPolicyV2.rego deleted file mode 100644 index 82ae00f..0000000 --- a/server/hexaFilter/test/bundle/hexaPolicyV2.rego +++ /dev/null 
@@ -1,183 +0,0 @@ -package hexaPolicy - -# Rego Policy Interpreter for IDQL V0.62.1b (IDQL) -import rego.v1 - -import data.policies - -# Returns whether the current operation is allowed -allow if { - count(allowSet) > 0 -} - -# Returns the list of possible actions allowed (e.g. for UI buttons) -actionRights contains name if { - some policy in policies - policy.meta.policyId in allowSet - - some action in policy.actions - name := sprintf("%s/%s", [policy.meta.policyId, action.actionUri]) -} - -# Returns the list of matching policy names based on current request -allowSet contains name if { - some policy in policies - subjectMatch(policy.subject, input.subject, input.req) - actionsMatch(policy.actions, input.req) - objectMatch(policy.object, input.req) - conditionMatch(policy, input) - - name := policy.meta.policyId # this will be id of the policy -} - -subjectMatch(psubject, _, _) if { - # Match if no members value specified - not psubject.members -} - -subjectMatch(psubject, insubject, req) if { - # Match if no members value specified - some member in psubject.members - subjectMemberMatch(member, insubject, req) -} - -subjectMemberMatch(member, _, _) if { - # If policy is any that we will skip processing of subject - lower(member) == "any" -} - -subjectMemberMatch(member, insubj, _) if { - # anyAutheticated - A match occurs if input.subject has a value other than anonymous and exists. 
- insubj.sub # check sub exists - lower(member) == "anyauthenticated" -} - -# Check for match based on user: -subjectMemberMatch(member, insubj, _) if { - startswith(lower(member), "user:") - user := substring(member, 5, -1) - lower(user) == lower(insubj.sub) -} - -# Check for match if sub ends with domain -subjectMemberMatch(member, insubj, _) if { - startswith(lower(member), "domain:") - domain := lower(substring(member, 7, -1)) - endswith(lower(insubj.sub), domain) -} - -# Check for match based on role -subjectMemberMatch(member, insubj, _) if { - startswith(lower(member), "role:") - role := substring(member, 5, -1) - role in insubj.roles -} - -subjectMemberMatch(member, _, req) if { - startswith(lower(member), "net:") - cidr := substring(member, 4, -1) - addr := split(req.ip, ":") # Split because IP is address:port - net.cidr_contains(cidr, addr[0]) -} - -actionsMatch(actions, _) if { - # no actions is a match - not actions -} - -actionsMatch(actions, req) if { - some action in actions - actionMatch(action, req) -} - -actionMatch(action, req) if { - # Check for match based on ietf http - checkIetfMatch(action.actionUri, req) -} - -actionMatch(action, req) if { - action.actionUri # check for an action - count(req.actionUris) > 0 - - # Check for a match based on req.ActionUris and actionUri - checkUrnMatch(action.actionUri, req.actionUris) -} - -checkUrnMatch(policyUri, actionUris) if { - some action in actionUris - lower(policyUri) == lower(action) -} - -checkIetfMatch(actionUri, req) if { - # first match the rule against literals - components := split(lower(actionUri), ":") - count(components) > 2 - components[0] == "ietf" - startswith(components[1], "http") - - startswith(lower(input.req.protocol), "http") - checkHttpMethod(components[2], req.method) - - checkPath(components[3], req) -} - -objectMatch(object, req) if { - not object - not object.resource_id -} - -objectMatch(object, req) if { - object.resource_id - - some reqUri in req.resourceIds - 
lower(object.resource_id) == lower(reqUri) -} - -checkHttpMethod(allowMask, _) if { - contains(allowMask, "*") -} - -checkHttpMethod(allowMask, reqMethod) if { - startswith(allowMask, "!") - - not contains(allowMask, lower(reqMethod)) -} - -checkHttpMethod(allowMask, reqMethod) if { - not startswith(allowMask, "!") - contains(allowMask, lower(reqMethod)) -} - -checkPath(path, req) if { - path # if path specified it must match - glob.match(path, ["*"], req.path) -} - -checkPath(path, _) if { - not path # if path not specified, it will not be matched -} - -conditionMatch(policy, _) if { - not policy.condition # Most policies won't have a condition -} - -conditionMatch(policy, inreq) if { - policy.condition - not policy.condition.action # Default is to allow - hexaFilter(policy.condition.rule, inreq) # HexaFilter evaluations the rule for a match against input -} - -conditionMatch(policy, inreq) if { - policy.condition - action(policy.condition.action) # if defined, action must be "allow" - hexaFilter(policy.condition.rule, inreq) # HexaFilter evaluations the rule for a match against input -} - -conditionMatch(policy, inreq) if { - # If action is deny, then hexaFilter must be false - policy.condition - not action(policy.condition.action) - not hexaFilter(policy.condition.rule, inreq) # HexaFilter evaluations the rule for a match against input -} - -action(val) if lower(val) == "allow" diff --git a/server/hexaFilter/test/opaHexaPolicyV1_test.go b/server/hexaFilter/test/opaHexaPolicyV1_test.go index 78c980b..1b8b370 100644 --- a/server/hexaFilter/test/opaHexaPolicyV1_test.go +++ b/server/hexaFilter/test/opaHexaPolicyV1_test.go @@ -2,7 +2,6 @@ package test_test import ( "bytes" - "context" "encoding/json" "fmt" "io" 
@@ -10,17 +9,13 @@ import ( "net/http" "os" - "github.com/hexa-org/policy-opa/server/conditionEvaluator" - "github.com/hexa-org/policy-opa/server/hexaFilter" + "github.com/hexa-org/policy-opa/api/infoModel" + "github.com/hexa-org/policy-opa/pkg/bundleTestSupport" + "github.com/hexa-org/policy-opa/pkg/decisionsupportproviders" + "github.com/hexa-org/policy-opa/server/opaHandler" "github.com/hexa-org/policy-opa/tests/utils" - "github.com/open-policy-agent/opa/ast" - "github.com/open-policy-agent/opa/rego" - "github.com/open-policy-agent/opa/storage/inmem" - "github.com/open-policy-agent/opa/types" - "github.com/open-policy-agent/opa/util" "github.com/stretchr/testify/assert" - "strings" "testing" "time" ) @@ -29,7 +24,6 @@ import ( This test suite tests Hexa IDQL Support with OPA which is implemented in Rego (bundle/hexaPolicyV2.rego) */ -const regoV1Path = "bundle/hexaPolicyV2.rego" const dataV1Path = "bundle/bundle_test/data-V1.json" func TestIdqlBasic(t *testing.T) { @@ -52,16 +46,12 @@ func TestIdqlBasic(t *testing.T) { inputStr := string(body) fmt.Println("input = " + inputStr) - results := RunRego(body, regoV1Path, dataV1Path) + results := RunRego(t, body, dataV1Path) if results == nil { log.Fatalln("Received nil OPA results!") } - if results == nil { - log.Fatalln("Received nil OPA results!") - } - - allowSet, _ := ProcessResults(results) + allowSet, _ := ProcessResults(t, results) assert.Contains(t, allowSet, "TestBasicCanary") // This policy has no codnition assert.Contains(t, allowSet, "TestBasicCanaryCondition") // THis policy matches on ip sw 127 
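Review bot: The suite's header comment still names `bundle/hexaPolicyV2.rego` as the interpreter under test, but this commit removes the `regoV1Path` constant here and deletes that file. The comment should say where the Rego now comes from, for example `This test suite tests Hexa IDQL support with OPA using the bundle built by bundleTestSupport`, wording to be confirmed against `InitTestBundlesDir`.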
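Review bot: The nil check kept after `RunRego` in TestIdqlBasic still calls `log.Fatalln`, which exits the test binary through `os.Exit`. The failure is therefore not reported through `t`, deferred functions and `t.Cleanup` handlers do not run, and the remaining tests are skipped. `if results == nil { t.Fatal("received nil OPA results") }` reports it through the testing framework instead. The same pattern is kept in the hunks for TestIdqlJwt, TestIdqlIp, TestIdqlIpActions, TestIdqlMember and TestIdqlRole.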
@@ -96,18 +86,14 @@ func TestIdqlJwt(t *testing.T) { inputStr := string(body) fmt.Println("input = " + inputStr) - results := RunRego(body, regoV1Path, dataV1Path) - if results == nil { - log.Fatalln("Received nil OPA results!") - } - + results := RunRego(t, body, dataV1Path) if results == nil { log.Fatalln("Received nil OPA results!") } fmt.Println("Expecting: TestIPMaskCanary, TestIPMaskCanaryNotDelete, TestJwtCanary, TestJwtMember") - allowSet, _ := ProcessResults(results) + allowSet, _ := ProcessResults(t, results) assert.True(t, len(allowSet) == 4, "confirm 4 matches") assert.Contains(t, allowSet, "TestJwtCanary") assert.Contains(t, allowSet, "TestJwtMember") @@ -134,7 +120,7 @@ func TestIdqlIp(t *testing.T) { inputStr := string(body) fmt.Println("input = " + inputStr) - results := RunRego(body, regoV1Path, dataV1Path) + results := RunRego(t, body, dataV1Path) if results == nil { log.Fatalln("Received nil OPA results!") } @@ -144,7 +130,7 @@ func TestIdqlIp(t *testing.T) { decisions enumerated for a total of 6 (create,get, and not edit) */ - allowSet, actionRights := ProcessResults(results) + allowSet, actionRights := ProcessResults(t, results) assert.Equal(t, 6, len(actionRights)) assert.Equal(t, 2, len(allowSet)) @@ -180,12 +166,12 @@ func TestIdqlIpActions(t *testing.T) { inputStr := string(body) fmt.Println("input = " + inputStr) - results := RunRego(body, regoV1Path, dataV1Path) + results := RunRego(t, body, dataV1Path) if results == nil { log.Fatalln("Received nil OPA results!") } - allowSet, actionRights := ProcessResults(results) + allowSet, actionRights := ProcessResults(t, results) assert.Equal(t, 12, len(actionRights)) assert.Equal(t, 4, len(allowSet)) 
@@ -208,12 +194,12 @@ func TestIdqlIpActions(t *testing.T) { inputStr = string(body) fmt.Println("input = " + inputStr) - results = RunRego(body, regoV1Path, dataV1Path) + results = RunRego(t, body, dataV1Path) if results == nil { log.Fatalln("Received nil OPA results!") } - allowSet, actionRights = ProcessResults(results) + allowSet, actionRights = ProcessResults(t, results) assert.Equal(t, 6, len(actionRights)) assert.Equal(t, 2, len(allowSet)) @@ -235,12 +221,12 @@ func TestIdqlIpActions(t *testing.T) { inputStr = string(body) fmt.Println("input = " + inputStr) - results = RunRego(body, regoV1Path, dataV1Path) + results = RunRego(t, body, dataV1Path) if results == nil { log.Fatalln("Received nil OPA results!") } - allowSet, actionRights = ProcessResults(results) + allowSet, actionRights = ProcessResults(t, results) assert.Equal(t, 0, len(actionRights)) assert.Equal(t, 0, len(allowSet)) @@ -272,12 +258,12 @@ func TestIdqlMember(t *testing.T) { inputStr := string(body) fmt.Println("input = " + inputStr) - results := RunRego(body, regoV1Path, dataV1Path) + results := RunRego(t, body, dataV1Path) if results == nil { log.Fatalln("Received nil OPA results!") } - allowSet, actionRights := ProcessResults(results) + allowSet, actionRights := ProcessResults(t, results) assert.Equal(t, 12, len(actionRights)) assert.Equal(t, 4, len(allowSet)) @@ -310,12 +296,12 @@ func TestIdqlRole(t *testing.T) { inputStr := string(body) fmt.Println("input = " + inputStr) - results := RunRego(body, regoV1Path, dataV1Path) + results := RunRego(t, body, dataV1Path) if results == nil { log.Fatalln("Received nil OPA results!") } - allowSet, actionRights := ProcessResults(results) + allowSet, actionRights := ProcessResults(t, results) assert.Equal(t, 14, len(actionRights)) assert.Equal(t, 5, len(allowSet)) 
@@ -325,100 +311,91 @@ func TestIdqlRole(t *testing.T) { utils.StopServer(server) } -func RunRego(inputByte []byte, regoPath string, dataPath string) rego.ResultSet { - ctx := context.Background() - - regoBytes, err := os.ReadFile(regoPath) - if err != nil { - log.Fatalln("Error reading rego file: " + err.Error()) - } - regoString := string(regoBytes) +func RunRego(t *testing.T, inputByte []byte, dataPath string) *decisionsupportproviders.HexaOpaResult { + t.Helper() dataBytes, err := os.ReadFile(dataPath) if err != nil { - log.Fatalln("Error reading data file: " + err.Error()) - } - var dataJson map[string]interface{} - err = util.UnmarshalJSON(dataBytes, &dataJson) - if err != nil { - log.Fatalln("Error parsing data file: " + err.Error()) + assert.Fail(t, "error reading data file: "+err.Error()) } - store := inmem.NewFromObject(dataJson) - var input map[string]interface{} + bundleDir := bundleTestSupport.InitTestBundlesDir(dataBytes) + defer func(path string) { + err := os.RemoveAll(path) + if err != nil { + t.Error("Failed to clean up after test: " + err.Error()) + } + }(bundleDir) + + regoHandler := opaHandler.NewRegoHandler(bundleDir) + + var input infoModel.AzInfo err = json.Unmarshal(inputByte, &input) if err != nil { - log.Fatalln("Error parsing input data: " + err.Error()) + assert.Fail(t, "Error parsing input data: "+err.Error()) } - regoHandle := rego.New( - rego.EnablePrintStatements(true), - rego.Query("data.hexaPolicy"), - rego.Package("hexaPolicy"), - rego.Module("bundle/hexaPolicyV2.rego", regoString), - rego.Input(&input), - rego.Store(store), - rego.Function2( - ®o.Function{ - Name: hexaFilter.PluginName, - Decl: types.NewFunction(types.Args(types.A, types.S), types.S), - Memoize: true, - Nondeterministic: true, - }, - func(_ rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) { - - var expression, input string - - if err := ast.As(a.Value, &expression); err != nil { - return nil, err - } - // expression = a.Value.String() - input = 
b.Value.String() - - res, err := conditionEvaluator.Evaluate(expression, input) - - return ast.BooleanTerm(res), err - - }), - // rego.Trace(true), - ) - - resultSet, err := regoHandle.Eval(ctx) + + results, err := regoHandler.Evaluate(input) if err != nil { - log.Fatalln("Error evaluating rego: " + err.Error()) + assert.Fail(t, "Error evaluating policy: "+err.Error()) } - // rego.PrintTraceWithLocation(os.Stdout, regoHandle) - - ctx.Done() + return regoHandler.ProcessResults(results) + /* + regoHandle := rego.New( + rego.EnablePrintStatements(true), + rego.Query("data.hexaPolicy"), + rego.Package("hexaPolicy"), + rego.LoadBundle(bundleDir), + rego.Input(&input), + rego.Function2( + ®o.Function{ + Name: hexaFilter.PluginName, + Decl: types.NewFunction(types.Args(types.A, types.S), types.S), + Memoize: true, + Nondeterministic: true, + }, + func(_ rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) { + + var expression, input string + + if err := ast.As(a.Value, &expression); err != nil { + return nil, err + } + // expression = a.Value.String() + input = b.Value.String() + + res, err := conditionEvaluator.Evaluate(expression, input) + + return ast.BooleanTerm(res), err + + }), + rego.Trace(true), + ) + + resultSet, err := regoHandle.Eval(ctx) + if err != nil { + assert.Fail(t, "Error evaluating rego: "+err.Error()) + } + + // rego.PrintTraceWithLocation(os.Stdout, regoHandle) + + ctx.Done() - return resultSet + */ } -func ProcessResults(results rego.ResultSet) ([]string, []string) { - var rights string - var allowString string - var allowed string - result := results[0].Expressions[0] - for k, v := range result.Value.(map[string]interface{}) { - if k == "actionRights" { - rights = fmt.Sprintf("%v", v) - } - if k == "allowSet" { - allowString = fmt.Sprintf("%v", v) - } - if k == "allow" { - allowed = fmt.Sprintf("%v", v) - } +func ProcessResults(t *testing.T, results *decisionsupportproviders.HexaOpaResult) ([]string, []string) { + t.Helper() + + if 
results.PolicyErrors != nil && len(results.PolicyErrors) != 0 { + errBytes, _ := json.MarshalIndent(results.PolicyErrors, "", " ") + t.Error(fmt.Sprintf("Received policy parse errors:\n%s", string(errBytes))) + t.Fail() } - actionRights := strings.FieldsFunc(rights, func(r rune) bool { - return strings.ContainsRune("[ ]", r) - }) - allowSet := strings.FieldsFunc(allowString, func(r rune) bool { - return strings.ContainsRune("[ ]", r) - }) - fmt.Println("allowed: \t" + allowed) - fmt.Println("actionRights:\t" + rights) - fmt.Println("allowSet: \t" + allowString) - - return allowSet, actionRights + + resBytes, _ := json.MarshalIndent(results, "", " ") + t.Log(fmt.Sprintf("Received results:\n%s", string(resBytes))) + + return results.AllowSet, results.ActionRights }
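Review bot: The three error paths in the new `RunRego` call `assert.Fail`, which records the failure but lets the helper keep going. After a failed read or a failed `json.Unmarshal` it still builds a bundle and evaluates a zero-value `AzInfo`, and after a failed `Evaluate` it passes whatever `results` holds to `regoHandler.ProcessResults`. For tests that pin authorization decisions, stopping at the first error with `t.Fatalf` keeps the reported failure on the real cause; the deferred `os.RemoveAll` still runs because `t.Fatalf` unwinds the goroutine. The commented-out `rego.New(...)` block after the `return` refers to a `ctx` that this version no longer declares and can be deleted. In `ProcessResults`, the `!= nil` test is redundant next to `len(...) != 0`, and `t.Error(fmt.Sprintf(...))` followed by `t.Fail()` collapses to one `t.Errorf`.

```go
	dataBytes, err := os.ReadFile(dataPath)
	if err != nil {
		t.Fatalf("error reading data file: %v", err)
	}
	// … unchanged: InitTestBundlesDir, deferred cleanup, NewRegoHandler …
	var input infoModel.AzInfo
	if err := json.Unmarshal(inputByte, &input); err != nil {
		t.Fatalf("error parsing input data: %v", err)
	}

	results, err := regoHandler.Evaluate(input)
	if err != nil {
		t.Fatalf("error evaluating policy: %v", err)
	}
	return regoHandler.ProcessResults(results)
	// … removed: commented-out rego.New block …

	// in ProcessResults:
	if len(results.PolicyErrors) != 0 {
		errBytes, _ := json.MarshalIndent(results.PolicyErrors, "", " ")
		t.Errorf("Received policy parse errors:\n%s", errBytes)
	}
```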