Bump github.com/open-policy-agent/opa from 0.16.2 to 0.26.0

[dependabot-preview]

Bumps github.com/open-policy-agent/opa from 0.16.2 to 0.26.0.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.26.0

This release contains a number of enhancements and bug fixes.

Built-in Functions

• This release includes a number of built-in function improvements for Wasm compiled policies. The following built-in functions have been implemented natively and no longer need to be supplied by SDKs: graph.reachable, json.filter, json.remove, object.get, object.remove, and object.union.

• This release fixes several bugs in the Wasm implementation of certain regex built-in functions (#2962), format_int (#2923) and round (#2999).

• This release adds ceil and floor built-in functions. Previously these could be implemented in Rego using round however these are more convenient.

Enhancements

• OPA has been extended support OAuth2 JWT Bearer Grant Type and OAuth2 Client Credential JWT authentication options for communicating with control plane services. This change allows OPA to use services that rely on Ping Identity as well as GCP service accounts for authentication. OPA has also been extended to support custom authentication plugins (thanks @gshively11).

• OPA plugins can now enter a "WARN" state to indicate they are operating in a degraded capacity (thanks @gshively11).

• The opa bench command can now benchmark partial evaluation queries. The options to enable partial evaluation are shared with opa eval. See opa bench --help for details.

• Wasm compiled policies now contain source locations that are included inside of runtime error messages (such as object key conflicts.) In addition, Wasm compiled policies only export the minimal set of APIs described on the WebAssembly#exports page.

Fixes

• ast: Fix parsing of numbers to reject leading zeroes (#2947) authored by @LCartwright.
• bundle: Fix loader to only verify bundle keys if configured to do so (#3028).
• cmd: Fix build to avoid packaging policy.wasm twice (#3007).
• cmd: Fix pretty-printed PE output to hide spurious blank lines
• server: Fix false-positive in bundle root check that would prevent data updates in some cases (#2868).
• server: Fix query cache to respect ?instrument option (#3000).
• server: Fix server to support discovery on inter-query cache configuration
• topdown: Fix PE to avoid generating expressions that do not type check (#3012).
• wasm: Fix planner to avoid generating a conflict error in some cases (#2926).
• wasm: Fix planner to generate correct virtual document iteration instructions (#3065).
• wasm, topdown: Fix with keyword handle to ensure last statement wins (#3010).
• wasm: Fix planner to handle assignment conflicts correctly when else keyword is used (#3031).

Documentation

• Add new section on integrating policies with OAuth2 and OIDC.
• Update Kubernetes admission control tutorial to work as non-root user.
• Fix link to signing documentation (#3027) authored by @princespaghetti.

Backwards Compatibility

• Previously, OPA deduplicated sets and objects in all cases except when iterating over/referring directly to values generated by partial rules. This inconsistency would only be noticed when running ad-hoc queries or within policies when aggregating the results of array comprehensions (e.g., count([1 | p[x]]) could observe duplicates in p.) This release removes the inconsistency by deduplicating sets and objects in all cases (#429). This was the second oldest open issue on the project.

Deprecations

• OPA now logs warnings when it receives legacy bundle config sections instead of the bundles section introduced in v0.13.0.

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.26.0

This release contains a number of enhancements and bug fixes.

Built-in Functions

• This release includes a number of built-in function improvements for Wasm compiled policies. The following built-in functions have been implemented natively and no longer need to be supplied by SDKs: graph.reachable, json.filter, json.remove, object.get, object.remove, and object.union.

• This release fixes several bugs in the Wasm implementation of certain regex built-in functions (#2962), format_int (#2923) and round (#2999).

• This release adds ceil and floor built-in functions. Previously these could be implemented in Rego using round however these are more convenient.

Enhancements

• OPA has been extended support OAuth2 JWT Bearer Grant Type and OAuth2 Client Credential JWT authentication options for communicating with control plane services. This change allows OPA to use services that rely on Ping Identity as well as GCP service accounts for authentication. OPA has also been extended to support custom authentication plugins (thanks @gshively11).

• OPA plugins can now enter a "WARN" state to indicate they are operating in a degraded capacity (thanks @gshively11).

• The opa bench command can now benchmark partial evaluation queries. The options to enable partial evaluation are shared with opa eval. See opa bench --help for details.

• Wasm compiled policies now contain source locations that are included inside of runtime error messages (such as object key conflicts.) In addition, Wasm compiled policies only export the minimal set of APIs described on the WebAssembly#exports page.

Fixes

• ast: Fix parsing of numbers to reject leading zeroes (#2947) authored by @LCartwright.
• bundle: Fix loader to only verify bundle keys if configured to do so (#3028).
• cmd: Fix build to avoid packaging policy.wasm twice (#3007).
• cmd: Fix pretty-printed PE output to hide spurious blank lines
• server: Fix false-positive in bundle root check that would prevent data updates in some cases (#2868).
• server: Fix query cache to respect ?instrument option (#3000).
• server: Fix server to support discovery on inter-query cache configuration
• topdown: Fix PE to avoid generating expressions that do not type check (#3012).
• wasm: Fix planner to avoid generating a conflict error in some cases (#2926).
• wasm: Fix planner to generate correct virtual document iteration instructions (#3065).
• wasm, topdown: Fix with keyword handle to ensure last statement wins (#3010).
• wasm: Fix planner to handle assignment conflicts correctly when else keyword is used (#3031).

Documentation

• Add new section on integrating policies with OAuth2 and OIDC.
• Update Kubernetes admission control tutorial to work as non-root user.
• Fix link to signing documentation (#3027) authored by @princespaghetti.

Backwards Compatibility

• Previously, OPA deduplicated sets and objects in all cases except when iterating over/referring directly to values generated by partial rules. This inconsistency would only be noticed when running ad-hoc queries or within policies when aggregating the results of array comprehensions (e.g., count([1 | p[x]]) could observe duplicates in p.) This release removes the inconsistency by deduplicating sets and objects in all cases (#429). This was the second oldest open issue on the project.

Deprecations

• OPA now logs warnings when it receives legacy bundle config sections instead of the bundles section introduced in v0.13.0.

... (truncated)

Commits

• 62d3900 Prepare v0.26.0 release
• 36ba445 OAuth2 JWT bearer grant type and JWT client auth
• 2d4f7c0 Adding Java spring integration
• 87c3f07 topdown: Deduplicate when iterating partial rules
• f40e935 wasm: Update generated binaries
• e9cc855 wasm: Add native support for json.filter builtin function
• a2d14c2 wasm: Update generated binaries
• ba5cda1 wasm: Add native support for json.remove builtin function
• 5200779 wasm: Update generated binaries
• 44bdd10 wasm: (explicitly) export only what should be (#3061)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #28.