[8.x](backport #2857) Upgrade to opa v1.0.0 #2858

Merged
merged 1 commit into from
Dec 23, 2024
File renamed without changes.
2 changes: 1 addition & 1 deletion bin/opa
8 changes: 3 additions & 5 deletions go.mod
Expand Up @@ -68,7 +68,7 @@ require (
github.com/mikefarah/yq/v4 v4.44.6
github.com/mitchellh/gox v1.0.1
github.com/mitchellh/mapstructure v1.5.0
github.com/open-policy-agent/opa v0.70.0
github.com/open-policy-agent/opa v1.0.0
github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0
github.com/samber/lo v1.47.0
github.com/spf13/viper v1.19.0
Expand Down Expand Up @@ -186,8 +186,6 @@ require (
go.opentelemetry.io/collector/pdata v1.15.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect
golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e // indirect
golang.org/x/tools v0.28.0 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
Expand Down Expand Up @@ -522,7 +520,7 @@ require (
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/crypto v0.31.0 // indirect
golang.org/x/mod v0.22.0 // indirect
golang.org/x/net v0.32.0 // indirect
golang.org/x/net v0.33.0 // indirect
golang.org/x/sync v0.10.0 // indirect
golang.org/x/sys v0.28.0 // indirect
golang.org/x/term v0.27.0 // indirect
Expand All @@ -532,7 +530,7 @@ require (
google.golang.org/genproto v0.0.0-20241209162323-e6fa225c2576 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
google.golang.org/grpc v1.69.0
google.golang.org/grpc v1.69.2
google.golang.org/protobuf v1.35.2
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
12 changes: 6 additions & 6 deletions go.sum
Expand Up @@ -1390,8 +1390,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
github.com/open-policy-agent/opa v0.70.0 h1:B3cqCN2iQAyKxK6+GI+N40uqkin+wzIrM7YA60t9x1U=
github.com/open-policy-agent/opa v0.70.0/go.mod h1:Y/nm5NY0BX0BqjBriKUiV81sCl8XOjjvqQG7dXrggtI=
github.com/open-policy-agent/opa v1.0.0 h1:fZsEwxg1knpPvUn0YDJuJZBcbVg4G3zKpWa3+CnYK+I=
github.com/open-policy-agent/opa v1.0.0/go.mod h1:+JyoH12I0+zqyC1iX7a2tmoQlipwAEGvOhVJMhmy+rM=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
Expand Down Expand Up @@ -1919,8 +1919,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
Expand Down Expand Up @@ -2373,8 +2373,8 @@ google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu
google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
google.golang.org/grpc v1.69.0 h1:quSiOM1GJPmPH5XtU+BCoVXcDVJJAzNcoyfC2cCjGkI=
google.golang.org/grpc v1.69.0/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU=
google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
4 changes: 2 additions & 2 deletions internal/evaluator/debug_logger/factory.go
Expand Up @@ -20,8 +20,8 @@ package dlogger
import (
"sync"

"github.com/open-policy-agent/opa/plugins"
"github.com/open-policy-agent/opa/util"
"github.com/open-policy-agent/opa/v1/plugins"
"github.com/open-policy-agent/opa/v1/util"
)

type Factory struct{}
4 changes: 2 additions & 2 deletions internal/evaluator/debug_logger/factory_test.go
Expand Up @@ -20,8 +20,8 @@ package dlogger
import (
"testing"

"github.com/open-policy-agent/opa/plugins"
"github.com/open-policy-agent/opa/storage/inmem"
"github.com/open-policy-agent/opa/v1/plugins"
"github.com/open-policy-agent/opa/v1/storage/inmem"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
9 changes: 4 additions & 5 deletions internal/evaluator/debug_logger/plugin.go
Expand Up @@ -22,15 +22,14 @@ import (
"encoding/json"
"sync"

"github.com/open-policy-agent/opa/plugins"
"github.com/open-policy-agent/opa/plugins/logs"
"github.com/open-policy-agent/opa/util"
"github.com/open-policy-agent/opa/v1/plugins"
"github.com/open-policy-agent/opa/v1/plugins/logs"
"github.com/open-policy-agent/opa/v1/util"
)

const PluginName = "debug_decision_logs"

type config struct {
}
type config struct{}

type plugin struct {
manager *plugins.Manager
2 changes: 1 addition & 1 deletion internal/evaluator/logger.go
Expand Up @@ -19,7 +19,7 @@ package evaluator

import (
"github.com/elastic/elastic-agent-libs/logp"
"github.com/open-policy-agent/opa/logging"
"github.com/open-policy-agent/opa/v1/logging"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
)
2 changes: 1 addition & 1 deletion internal/evaluator/logger_test.go
Expand Up @@ -21,7 +21,7 @@ import (
"testing"

"github.com/elastic/elastic-agent-libs/logp"
"github.com/open-policy-agent/opa/logging"
"github.com/open-policy-agent/opa/v1/logging"
"github.com/stretchr/testify/suite"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
6 changes: 2 additions & 4 deletions internal/evaluator/opa.go
Expand Up @@ -25,8 +25,8 @@ import (

"github.com/elastic/elastic-agent-libs/logp"
"github.com/mitchellh/mapstructure"
"github.com/open-policy-agent/opa/plugins"
"github.com/open-policy-agent/opa/sdk"
"github.com/open-policy-agent/opa/v1/plugins"
"github.com/open-policy-agent/opa/v1/sdk"

"github.com/elastic/cloudbeat/internal/config"
dlogger "github.com/elastic/cloudbeat/internal/evaluator/debug_logger"
Expand Down Expand Up @@ -84,7 +84,6 @@ func NewOpaEvaluator(ctx context.Context, log *logp.Logger, cfg *config.Config)
dlogger.PluginName: &dlogger.Factory{},
},
})

if err != nil {
return nil, fmt.Errorf("fail to init opa: %s", err.Error())
}
Expand Down Expand Up @@ -123,7 +122,6 @@ func (o *OpaEvaluator) Eval(ctx context.Context, resourceInfo fetching.ResourceI
Result: fetcherResult,
Benchmark: o.benchmark,
})

if err != nil {
return EventData{}, fmt.Errorf("error running the policy: %v", err)
}
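Review bot: The error returns that sit right after the blank lines this commit removes — `return nil, fmt.Errorf("fail to init opa: %s", err.Error())` and `return EventData{}, fmt.Errorf("error running the policy: %v", err)` — flatten the OPA SDK error to text with `%s`/`%v`, so callers cannot use `errors.Is`/`errors.As` on whatever typed errors the v1 SDK now returns. Since the commit is already touching both spots, wrapping with `%w` is cheap: `return nil, fmt.Errorf("init opa: %w", err)` and `return EventData{}, fmt.Errorf("running the policy: %w", err)`. Both NewOpaEvaluator and Eval start before their hunks and continue past them, so the remaining call sites were not visible here.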
Expand Up @@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.ensure_enabled_mfa as audit
import future.keywords.if

# Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password.
finding = result if {
finding := result if {
# filter
data_adapter.is_iam_user

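Review bot: The rule head is migrated to the Rego v1 form `finding := result if {`, but `import future.keywords.if` just above it is left in place, and the same pattern repeats in every policy and test file in this PR. The PR merged with those imports intact, so the OPA 1.0 engine still accepts them, but with the `if`/`in`/`every`/`contains` keywords enabled by default in v1 they are now inert; if these bundles are only ever evaluated by the upgraded binary, dropping the `future.keywords.*` lines would finish the migration instead of leaving a compatibility shim behind. It is worth checking whether `opa fmt` from the upgraded `bin/opa` already strips them, which would make this a one-command follow-up. The body of `finding` continues past the hunk.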
Expand Up @@ -19,7 +19,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.ensure_access_keys_use as audit
import future.keywords.if

# Do not setup access keys during initial user setup for all IAM users that have a console password.
finding = result if {
finding := result if {
# filter
data_adapter.is_iam_user

Expand Up @@ -22,7 +22,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.validate_credentials as audit
import future.keywords.if

# Ensure credentials unused for 45 days or greater are disabled
finding = result if {
finding := result if {
# filter
data_adapter.is_iam_user

Expand Up @@ -29,7 +29,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
import future.keywords.if

# Ensure that there is only a single active access key per user.
finding = result if {
finding := result if {
# filter
data_adapter.is_iam_user

Expand Up @@ -20,7 +20,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.verify_keys_rotation as audit
import future.keywords.if

# Ensure access keys are rotated every 90 days or less
finding = result if {
finding := result if {
# filter
data_adapter.is_iam_user

Expand Up @@ -21,7 +21,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
import future.keywords.if

# Ensure IAM Users Receive Permissions Only Through Groups
finding = result if {
finding := result if {
# filter
data_adapter.is_iam_user

Expand Up @@ -19,7 +19,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(inline_policies, attached_policies) = test_data.generate_iam_user_with_policies(inline_policies, attached_policies)
rule_input(inline_policies, attached_policies) := test_data.generate_iam_user_with_policies(inline_policies, attached_policies)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -22,4 +22,4 @@ policy_is_permissive if {
statement.Effect == "Allow"
"*" in common.ensure_array(statement.Action)
"*" in common.ensure_array(statement.Resource)
} else = false
} else := false
Expand Up @@ -4,7 +4,7 @@ import data.compliance.cis_aws.data_adapter
import data.lib.test
import future.keywords.if

generate_input(statements) = {
generate_input(statements) := {
"subType": "aws-policy",
"resource": {"document": {"Statement": statements}},
}
Expand Up @@ -6,7 +6,7 @@ import future.keywords.if
import future.keywords.in

# Ensure a support role has been created to manage incidents with AWS Support
finding = result if {
finding := result if {
# filter
data_adapter.is_aws_support_access

Expand All @@ -22,4 +22,4 @@ aws_support_has_attached_roles if {
# a sanity test.
some role in data_adapter.roles
role.RoleId != ""
} else = false
} else := false
Expand Up @@ -4,7 +4,7 @@ import data.compliance.cis_aws.data_adapter
import data.lib.test
import future.keywords.if

generate_input(roles) = {
generate_input(roles) := {
"subType": "aws-policy",
"resource": {
"Arn": "arn:aws:iam::aws:policy/AWSSupportAccess",
Expand Up @@ -5,9 +5,9 @@ import data.compliance.policy.aws_iam.data_adapter
import future.keywords.every
import future.keywords.if

default rule_evaluation = false
default rule_evaluation := false

finding = result if {
finding := result if {
data_adapter.is_server_certificate

result := common.generate_result_without_expected(
Expand Up @@ -5,16 +5,16 @@ import data.compliance.lib.common
import data.lib.test
import future.keywords.if

generate_certificate_resource(certificates) = {
generate_certificate_resource(certificates) := {
"subType": "aws-iam-server-certificate",
"resource": {"certificates": certificates},
}

generate_expiration(expiration) = {"Expiration": expiration}
generate_expiration(expiration) := {"Expiration": expiration}

last_year = common.create_date_from_ns(time.add_date(time.now_ns(), -1, 0, 0))
last_year := common.create_date_from_ns(time.add_date(time.now_ns(), -1, 0, 0))

next_year = common.create_date_from_ns(time.add_date(time.now_ns(), 1, 0, 0))
next_year := common.create_date_from_ns(time.add_date(time.now_ns(), 1, 0, 0))

test_violation if {
# fails when an expired certificate exists
Expand Up @@ -7,7 +7,7 @@ import future.keywords.if
import future.keywords.in

# Ensure that IAM Access analyzer is enabled for all regions
finding = result if {
finding := result if {
# filter
data_adapter.is_access_analyzers

Expand All @@ -24,4 +24,4 @@ analyzer_exists if {
analyzer.Region == region
analyzer.Status == "ACTIVE"
}
} else = false
} else := false
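Review bot: The visible tail of `analyzer_exists` matches `analyzer.Region == region` and `analyzer.Status == "ACTIVE"` inside an inner block, and the file imports `future.keywords.every`, which suggests the rule head outside the hunk iterates `every region in ...`; if that is the shape, an empty region list from the data adapter makes the `every` vacuously true, `analyzer_exists` is true, and the control reports a pass with no Access Analyzer configured anywhere. For a detection control that is a fail-open worth closing, for example with `count(data_adapter.regions) > 0` as the first expression of the rule so an empty inventory evaluates false and falls into the `else := false` branch. This is inferred from the closing braces and the import — confirm against the full rule, whose head is not in the hunk.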
Expand Up @@ -4,7 +4,7 @@ import data.compliance.cis_aws.data_adapter
import data.lib.test
import future.keywords.if

generate_input(analyzers, regions) = {
generate_input(analyzers, regions) := {
"type": "identity-management",
"subType": "aws-access-analyzers",
"resource": {
Expand All @@ -13,7 +13,7 @@ generate_input(analyzers, regions) = {
},
}

analyzer(arn, status, region) = {
analyzer(arn, status, region) := {
"Arn": arn,
"CreatedAt": "2023-01-09T15:06:39Z",
"Name": "Analyzer",
Expand Up @@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
import future.keywords.if

# Ensure no 'root' user account access key exists.
finding = result if {
finding := result if {
# filter
data_adapter.is_root_user

Expand Up @@ -20,7 +20,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, last_access, mfa_devices) = test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
rule_input(access_keys, mfa_active, last_access, mfa_devices) := test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter