update dependencies (#6267)

Signed-off-by: hongming <coder.scala@gmail.com>
2024-11-06 10:27:06 +08:00
parent faf255a084
commit cfebd96a1f
4263 changed files with 341374 additions and 132036 deletions
--- a/vendor/github.com/open-policy-agent/opa/rego/rego.go
+++ b/vendor/github.com/open-policy-agent/opa/rego/rego.go
@@ -99,31 +99,33 @@ type preparedQuery struct {
 // EvalContext defines the set of options allowed to be set at evaluation
 // time. Any other options will need to be set on a new Rego object.
 type EvalContext struct {
-	hasInput               bool
-	time                   time.Time
-	seed                   io.Reader
-	rawInput               *interface{}
-	parsedInput            ast.Value
-	metrics                metrics.Metrics
-	txn                    storage.Transaction
-	instrument             bool
-	instrumentation        *topdown.Instrumentation
-	partialNamespace       string
-	queryTracers           []topdown.QueryTracer
-	compiledQuery          compiledQuery
-	unknowns               []string
-	disableInlining        []ast.Ref
-	parsedUnknowns         []*ast.Term
-	indexing               bool
-	earlyExit              bool
-	interQueryBuiltinCache cache.InterQueryCache
-	ndBuiltinCache         builtins.NDBCache
-	resolvers              []refResolver
-	sortSets               bool
-	copyMaps               bool
-	printHook              print.Hook
-	capabilities           *ast.Capabilities
-	strictBuiltinErrors    bool
+	hasInput                    bool
+	time                        time.Time
+	seed                        io.Reader
+	rawInput                    *interface{}
+	parsedInput                 ast.Value
+	metrics                     metrics.Metrics
+	txn                         storage.Transaction
+	instrument                  bool
+	instrumentation             *topdown.Instrumentation
+	partialNamespace            string
+	queryTracers                []topdown.QueryTracer
+	compiledQuery               compiledQuery
+	unknowns                    []string
+	disableInlining             []ast.Ref
+	parsedUnknowns              []*ast.Term
+	indexing                    bool
+	earlyExit                   bool
+	interQueryBuiltinCache      cache.InterQueryCache
+	interQueryBuiltinValueCache cache.InterQueryValueCache
+	ndBuiltinCache              builtins.NDBCache
+	resolvers                   []refResolver
+	sortSets                    bool
+	copyMaps                    bool
+	printHook                   print.Hook
+	capabilities                *ast.Capabilities
+	strictBuiltinErrors         bool
+	virtualCache                topdown.VirtualCache
 }

 func (e *EvalContext) RawInput() *interface{} {
@@ -146,6 +148,10 @@ func (e *EvalContext) InterQueryBuiltinCache() cache.InterQueryCache {
 	return e.interQueryBuiltinCache
 }

+func (e *EvalContext) InterQueryBuiltinValueCache() cache.InterQueryValueCache {
+	return e.interQueryBuiltinValueCache
+}
+
 func (e *EvalContext) PrintHook() print.Hook {
 	return e.printHook
 }
@@ -306,6 +312,14 @@ func EvalInterQueryBuiltinCache(c cache.InterQueryCache) EvalOption {
 	}
 }

+// EvalInterQueryBuiltinValueCache sets the inter-query value cache that built-in functions can utilize
+// during evaluation.
+func EvalInterQueryBuiltinValueCache(c cache.InterQueryValueCache) EvalOption {
+	return func(e *EvalContext) {
+		e.interQueryBuiltinValueCache = c
+	}
+}
+
 // EvalNDBuiltinCache sets the non-deterministic builtin cache that built-in functions can
 // use during evaluation.
 func EvalNDBuiltinCache(c builtins.NDBCache) EvalOption {
@@ -342,6 +356,14 @@ func EvalPrintHook(ph print.Hook) EvalOption {
 	}
 }

+// EvalVirtualCache sets the topdown.VirtualCache to use for evaluation. This is
+// optional, and if not set, the default cache is used.
+func EvalVirtualCache(vc topdown.VirtualCache) EvalOption {
+	return func(e *EvalContext) {
+		e.virtualCache = vc
+	}
+}
+
 func (pq preparedQuery) Modules() map[string]*ast.Module {
 	mods := make(map[string]*ast.Module)

@@ -537,64 +559,66 @@ type loadPaths struct {

 // Rego constructs a query and can be evaluated to obtain results.
 type Rego struct {
-	query                  string
-	parsedQuery            ast.Body
-	compiledQueries        map[queryType]compiledQuery
-	pkg                    string
-	parsedPackage          *ast.Package
-	imports                []string
-	parsedImports          []*ast.Import
-	rawInput               *interface{}
-	parsedInput            ast.Value
-	unknowns               []string
-	parsedUnknowns         []*ast.Term
-	disableInlining        []string
-	shallowInlining        bool
-	skipPartialNamespace   bool
-	partialNamespace       string
-	modules                []rawModule
-	parsedModules          map[string]*ast.Module
-	compiler               *ast.Compiler
-	store                  storage.Store
-	ownStore               bool
-	txn                    storage.Transaction
-	metrics                metrics.Metrics
-	queryTracers           []topdown.QueryTracer
-	tracebuf               *topdown.BufferTracer
-	trace                  bool
-	instrumentation        *topdown.Instrumentation
-	instrument             bool
-	capture                map[*ast.Expr]ast.Var // map exprs to generated capture vars
-	termVarID              int
-	dump                   io.Writer
-	runtime                *ast.Term
-	time                   time.Time
-	seed                   io.Reader
-	capabilities           *ast.Capabilities
-	builtinDecls           map[string]*ast.Builtin
-	builtinFuncs           map[string]*topdown.Builtin
-	unsafeBuiltins         map[string]struct{}
-	loadPaths              loadPaths
-	bundlePaths            []string
-	bundles                map[string]*bundle.Bundle
-	skipBundleVerification bool
-	interQueryBuiltinCache cache.InterQueryCache
-	ndBuiltinCache         builtins.NDBCache
-	strictBuiltinErrors    bool
-	builtinErrorList       *[]topdown.Error
-	resolvers              []refResolver
-	schemaSet              *ast.SchemaSet
-	target                 string // target type (wasm, rego, etc.)
-	opa                    opa.EvalEngine
-	generateJSON           func(*ast.Term, *EvalContext) (interface{}, error)
-	printHook              print.Hook
-	enablePrintStatements  bool
-	distributedTacingOpts  tracing.Options
-	strict                 bool
-	pluginMgr              *plugins.Manager
-	plugins                []TargetPlugin
-	targetPrepState        TargetPluginEval
-	regoVersion            ast.RegoVersion
+	query                       string
+	parsedQuery                 ast.Body
+	compiledQueries             map[queryType]compiledQuery
+	pkg                         string
+	parsedPackage               *ast.Package
+	imports                     []string
+	parsedImports               []*ast.Import
+	rawInput                    *interface{}
+	parsedInput                 ast.Value
+	unknowns                    []string
+	parsedUnknowns              []*ast.Term
+	disableInlining             []string
+	shallowInlining             bool
+	skipPartialNamespace        bool
+	partialNamespace            string
+	modules                     []rawModule
+	parsedModules               map[string]*ast.Module
+	compiler                    *ast.Compiler
+	store                       storage.Store
+	ownStore                    bool
+	ownStoreReadAst             bool
+	txn                         storage.Transaction
+	metrics                     metrics.Metrics
+	queryTracers                []topdown.QueryTracer
+	tracebuf                    *topdown.BufferTracer
+	trace                       bool
+	instrumentation             *topdown.Instrumentation
+	instrument                  bool
+	capture                     map[*ast.Expr]ast.Var // map exprs to generated capture vars
+	termVarID                   int
+	dump                        io.Writer
+	runtime                     *ast.Term
+	time                        time.Time
+	seed                        io.Reader
+	capabilities                *ast.Capabilities
+	builtinDecls                map[string]*ast.Builtin
+	builtinFuncs                map[string]*topdown.Builtin
+	unsafeBuiltins              map[string]struct{}
+	loadPaths                   loadPaths
+	bundlePaths                 []string
+	bundles                     map[string]*bundle.Bundle
+	skipBundleVerification      bool
+	interQueryBuiltinCache      cache.InterQueryCache
+	interQueryBuiltinValueCache cache.InterQueryValueCache
+	ndBuiltinCache              builtins.NDBCache
+	strictBuiltinErrors         bool
+	builtinErrorList            *[]topdown.Error
+	resolvers                   []refResolver
+	schemaSet                   *ast.SchemaSet
+	target                      string // target type (wasm, rego, etc.)
+	opa                         opa.EvalEngine
+	generateJSON                func(*ast.Term, *EvalContext) (interface{}, error)
+	printHook                   print.Hook
+	enablePrintStatements       bool
+	distributedTacingOpts       tracing.Options
+	strict                      bool
+	pluginMgr                   *plugins.Manager
+	plugins                     []TargetPlugin
+	targetPrepState             TargetPluginEval
+	regoVersion                 ast.RegoVersion
 }

 // Function represents a built-in function that is callable in Rego.
@@ -984,6 +1008,15 @@ func Store(s storage.Store) func(r *Rego) {
 	}
 }

+// StoreReadAST returns an argument that sets whether the store should eagerly convert data to AST values.
+//
+// Only applicable when no store has been set on the Rego object through the Store option.
+func StoreReadAST(enabled bool) func(r *Rego) {
+	return func(r *Rego) {
+		r.ownStoreReadAst = enabled
+	}
+}
+
 // Transaction returns an argument that sets the transaction to use for storage
 // layer operations.
 //
@@ -1105,6 +1138,14 @@ func InterQueryBuiltinCache(c cache.InterQueryCache) func(r *Rego) {
 	}
 }

+// InterQueryBuiltinValueCache sets the inter-query value cache that built-in functions can utilize
+// during evaluation.
+func InterQueryBuiltinValueCache(c cache.InterQueryValueCache) func(r *Rego) {
+	return func(r *Rego) {
+		r.interQueryBuiltinValueCache = c
+	}
+}
+
 // NDBuiltinCache sets the non-deterministic builtins cache.
 func NDBuiltinCache(c builtins.NDBCache) func(r *Rego) {
 	return func(r *Rego) {
@@ -1235,7 +1276,7 @@ func New(options ...func(r *Rego)) *Rego {
 	}

 	if r.store == nil {
-		r.store = inmem.New()
+		r.store = inmem.NewWithOpts(inmem.OptReturnASTValuesOnRead(r.ownStoreReadAst))
 		r.ownStore = true
 	} else {
 		r.ownStore = false
@@ -1300,6 +1341,7 @@ func (r *Rego) Eval(ctx context.Context) (ResultSet, error) {
 		EvalInstrument(r.instrument),
 		EvalTime(r.time),
 		EvalInterQueryBuiltinCache(r.interQueryBuiltinCache),
+		EvalInterQueryBuiltinValueCache(r.interQueryBuiltinValueCache),
 		EvalSeed(r.seed),
 	}

@@ -1377,6 +1419,7 @@ func (r *Rego) Partial(ctx context.Context) (*PartialQueries, error) {
 		EvalMetrics(r.metrics),
 		EvalInstrument(r.instrument),
 		EvalInterQueryBuiltinCache(r.interQueryBuiltinCache),
+		EvalInterQueryBuiltinValueCache(r.interQueryBuiltinValueCache),
 	}

 	if r.ndBuiltinCache != nil {
@@ -1496,7 +1539,7 @@ func (r *Rego) Compile(ctx context.Context, opts ...CompileOption) (*CompileResu
 	return r.compileWasm(modules, queries, compileQueryType) // TODO(sr) control flow is funky here
 }

-func (r *Rego) compileWasm(modules []*ast.Module, queries []ast.Body, qType queryType) (*CompileResult, error) {
+func (r *Rego) compileWasm(_ []*ast.Module, queries []ast.Body, qType queryType) (*CompileResult, error) {
 	policy, err := r.planQuery(queries, qType)
 	if err != nil {
 		return nil, err
@@ -1761,14 +1804,15 @@ func (r *Rego) prepare(ctx context.Context, qType queryType, extras []extraStage
 		return err
 	}

-	futureImports := []*ast.Import{}
+	queryImports := []*ast.Import{}
 	for _, imp := range imports {
-		if imp.Path.Value.(ast.Ref).HasPrefix(ast.Ref([]*ast.Term{ast.FutureRootDocument})) {
-			futureImports = append(futureImports, imp)
+		path := imp.Path.Value.(ast.Ref)
+		if path.HasPrefix([]*ast.Term{ast.FutureRootDocument}) || path.HasPrefix([]*ast.Term{ast.RegoRootDocument}) {
+			queryImports = append(queryImports, imp)
 		}
 	}

-	r.parsedQuery, err = r.parseQuery(futureImports, r.metrics)
+	r.parsedQuery, err = r.parseQuery(queryImports, r.metrics)
 	if err != nil {
 		return err
 	}
@@ -1870,7 +1914,7 @@ func (r *Rego) loadFiles(ctx context.Context, txn storage.Transaction, m metrics
 	return nil
 }

-func (r *Rego) loadBundles(ctx context.Context, txn storage.Transaction, m metrics.Metrics) error {
+func (r *Rego) loadBundles(_ context.Context, _ storage.Transaction, m metrics.Metrics) error {
 	if len(r.bundlePaths) == 0 {
 		return nil
 	}
@@ -1921,7 +1965,7 @@ func (r *Rego) parseRawInput(rawInput *interface{}, m metrics.Metrics) (ast.Valu
 	return ast.InterfaceToValue(*rawPtr)
 }

-func (r *Rego) parseQuery(futureImports []*ast.Import, m metrics.Metrics) (ast.Body, error) {
+func (r *Rego) parseQuery(queryImports []*ast.Import, m metrics.Metrics) (ast.Body, error) {
 	if r.parsedQuery != nil {
 		return r.parsedQuery, nil
 	}
@@ -1929,7 +1973,12 @@ func (r *Rego) parseQuery(futureImports []*ast.Import, m metrics.Metrics) (ast.B
 	m.Timer(metrics.RegoQueryParse).Start()
 	defer m.Timer(metrics.RegoQueryParse).Stop()

-	popts, err := future.ParserOptionsFromFutureImports(futureImports)
+	popts, err := future.ParserOptionsFromFutureImports(queryImports)
+	if err != nil {
+		return nil, err
+	}
+	popts.RegoVersion = r.regoVersion
+	popts, err = parserOptionsFromRegoVersionImport(queryImports, popts)
 	if err != nil {
 		return nil, err
 	}
@@ -1937,6 +1986,17 @@ func (r *Rego) parseQuery(futureImports []*ast.Import, m metrics.Metrics) (ast.B
 	return ast.ParseBodyWithOpts(r.query, popts)
 }

+func parserOptionsFromRegoVersionImport(imports []*ast.Import, popts ast.ParserOptions) (ast.ParserOptions, error) {
+	for _, imp := range imports {
+		path := imp.Path.Value.(ast.Ref)
+		if ast.Compare(path, ast.RegoV1CompatibleRef) == 0 {
+			popts.RegoVersion = ast.RegoV1
+			return popts, nil
+		}
+	}
+	return popts, nil
+}
+
 func (r *Rego) compileModules(ctx context.Context, txn storage.Transaction, m metrics.Metrics) error {

 	// Only compile again if there are new modules.
@@ -2019,7 +2079,7 @@ func (r *Rego) prepareImports() ([]*ast.Import, error) {
 	return imports, nil
 }

-func (r *Rego) compileQuery(query ast.Body, imports []*ast.Import, m metrics.Metrics, extras []extraStage) (ast.QueryCompiler, ast.Body, error) {
+func (r *Rego) compileQuery(query ast.Body, imports []*ast.Import, _ metrics.Metrics, extras []extraStage) (ast.QueryCompiler, ast.Body, error) {
 	var pkg *ast.Package

 	if r.pkg != "" {
@@ -2081,11 +2141,13 @@ func (r *Rego) eval(ctx context.Context, ectx *EvalContext) (ResultSet, error) {
 		WithIndexing(ectx.indexing).
 		WithEarlyExit(ectx.earlyExit).
 		WithInterQueryBuiltinCache(ectx.interQueryBuiltinCache).
+		WithInterQueryBuiltinValueCache(ectx.interQueryBuiltinValueCache).
 		WithStrictBuiltinErrors(r.strictBuiltinErrors).
 		WithBuiltinErrorList(r.builtinErrorList).
 		WithSeed(ectx.seed).
 		WithPrintHook(ectx.printHook).
-		WithDistributedTracingOpts(r.distributedTacingOpts)
+		WithDistributedTracingOpts(r.distributedTacingOpts).
+		WithVirtualCache(ectx.virtualCache)

 	if !ectx.time.IsZero() {
 		q = q.WithTime(ectx.time)
@@ -2138,7 +2200,6 @@ func (r *Rego) eval(ctx context.Context, ectx *EvalContext) (ResultSet, error) {
 }

 func (r *Rego) evalWasm(ctx context.Context, ectx *EvalContext) (ResultSet, error) {
-
 	input := ectx.rawInput
 	if ectx.parsedInput != nil {
 		i := interface{}(ectx.parsedInput)
@@ -2367,6 +2428,7 @@ func (r *Rego) partial(ctx context.Context, ectx *EvalContext) (*PartialQueries,
 		WithSkipPartialNamespace(r.skipPartialNamespace).
 		WithShallowInlining(r.shallowInlining).
 		WithInterQueryBuiltinCache(ectx.interQueryBuiltinCache).
+		WithInterQueryBuiltinValueCache(ectx.interQueryBuiltinValueCache).
 		WithStrictBuiltinErrors(ectx.strictBuiltinErrors).
 		WithSeed(ectx.seed).
 		WithPrintHook(ectx.printHook)
@@ -2405,6 +2467,49 @@ func (r *Rego) partial(ctx context.Context, ectx *EvalContext) (*PartialQueries,
 		return nil, err
 	}

+	// If the target rego-version is v0, and the rego.v1 import is available, then we attempt to apply it to support modules.
+	if r.regoVersion == ast.RegoV0 && (r.capabilities == nil || r.capabilities.ContainsFeature(ast.FeatureRegoV1Import)) {
+
+		for i, mod := range support {
+			// We can't apply the RegoV0CompatV1 version to the support module if it contains rules or vars that
+			// conflict with future keywords.
+			applyRegoVersion := true
+
+			ast.WalkRules(mod, func(r *ast.Rule) bool {
+				name := r.Head.Name
+				if name == "" && len(r.Head.Reference) > 0 {
+					name = r.Head.Reference[0].Value.(ast.Var)
+				}
+				if ast.IsFutureKeyword(name.String()) {
+					applyRegoVersion = false
+					return true
+				}
+				return false
+			})
+
+			if applyRegoVersion {
+				ast.WalkVars(mod, func(v ast.Var) bool {
+					if ast.IsFutureKeyword(v.String()) {
+						applyRegoVersion = false
+						return true
+					}
+					return false
+				})
+			}
+
+			if applyRegoVersion {
+				support[i].SetRegoVersion(ast.RegoV0CompatV1)
+			} else {
+				support[i].SetRegoVersion(r.regoVersion)
+			}
+		}
+	} else {
+		// If the target rego-version is not v0, then we apply the target rego-version to the support modules.
+		for i := range support {
+			support[i].SetRegoVersion(r.regoVersion)
+		}
+	}
+
 	pq := &PartialQueries{
 		Queries: queries,
 		Support: support,
@@ -2413,7 +2518,7 @@ func (r *Rego) partial(ctx context.Context, ectx *EvalContext) (*PartialQueries,
 	return pq, nil
 }

-func (r *Rego) rewriteQueryToCaptureValue(qc ast.QueryCompiler, query ast.Body) (ast.Body, error) {
+func (r *Rego) rewriteQueryToCaptureValue(_ ast.QueryCompiler, query ast.Body) (ast.Body, error) {

 	checkCapture := iteration(query) || len(query) > 1

@@ -2530,7 +2635,7 @@ type transactionCloser func(ctx context.Context, err error) error
 // regardless of status.
 func (r *Rego) getTxn(ctx context.Context) (storage.Transaction, transactionCloser, error) {

-	noopCloser := func(ctx context.Context, err error) error {
+	noopCloser := func(_ context.Context, _ error) error {
 		return nil // no-op default
 	}