Upgrade dependent version: github.com/open-policy-agent/opa (#5315)

Upgrade dependent version: github.com/open-policy-agent/opa v0.18.0 -> v0.45.0 Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io> Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io>
2022-10-31 10:58:55 +08:00
parent 668fca1773
commit ef03b1e3df
363 changed files with 277341 additions and 13544 deletions
--- a/vendor/github.com/open-policy-agent/opa/topdown/save.go
+++ b/vendor/github.com/open-policy-agent/opa/topdown/save.go
@@ -57,7 +57,7 @@ func (ss *saveSet) contains(t *ast.Term, b *bindings) bool {
 	return false
 }

-// ContainsRecursive retruns true if the term t is or contains a term that is
+// ContainsRecursive returns true if the term t is or contains a term that is
 // contained in the save set. This function will close over the binding list
 // when it encounters vars.
 func (ss *saveSet) ContainsRecursive(t *ast.Term, b *bindings) bool {
@@ -279,7 +279,7 @@ func newSaveSupport() *saveSupport {
 }

 func (s *saveSupport) List() []*ast.Module {
-	result := []*ast.Module{}
+	result := make([]*ast.Module, 0, len(s.modules))
 	for _, module := range s.modules {
 		result = append(result, module)
 	}
@@ -321,7 +321,7 @@ func (s *saveSupport) Insert(path ast.Ref, rule *ast.Rule) {
 // being saved. This check allows the evaluator to evaluate statements
 // completely during partial evaluation as long as they do not depend on any
 // kind of unknown value or statements that would generate saves.
-func saveRequired(c *ast.Compiler, ss *saveSet, b *bindings, x interface{}, rec bool) bool {
+func saveRequired(c *ast.Compiler, ic *inliningControl, icIgnoreInternal bool, ss *saveSet, b *bindings, x interface{}, rec bool) bool {

 	var found bool

@@ -344,9 +344,11 @@ func saveRequired(c *ast.Compiler, ss *saveSet, b *bindings, x interface{}, rec
 			case ast.Ref:
 				if ss.Contains(node, b) {
 					found = true
+				} else if ic.Disabled(v.ConstantPrefix(), icIgnoreInternal) {
+					found = true
 				} else {
-					for _, rule := range c.GetRulesDynamic(v) {
-						if saveRequired(c, ss, b, rule, true) {
+					for _, rule := range c.GetRulesDynamicWithOpts(v, ast.RulesOptions{IncludeHiddenModules: false}) {
+						if saveRequired(c, ic, icIgnoreInternal, ss, b, rule, true) {
 							found = true
 							break
 						}
@@ -373,10 +375,57 @@ func ignoreExprDuringPartial(expr *ast.Expr) bool {
 }

 func ignoreDuringPartial(bi *ast.Builtin) bool {
+	// Note(philipc): We keep this legacy check around to avoid breaking
+	// existing library users.
+	//nolint:staticcheck // We specifically ignore our own linter warning here.
 	for _, ignore := range ast.IgnoreDuringPartialEval {
 		if bi == ignore {
 			return true
 		}
 	}
+	// Otherwise, ensure all non-deterministic builtins are thrown out.
+	return bi.Nondeterministic
+}
+
+type inliningControl struct {
+	shallow bool
+	disable []disableInliningFrame
+}
+
+type disableInliningFrame struct {
+	internal bool
+	refs     []ast.Ref
+}
+
+func (i *inliningControl) PushDisable(refs []ast.Ref, internal bool) {
+	if i == nil {
+		return
+	}
+	i.disable = append(i.disable, disableInliningFrame{
+		internal: internal,
+		refs:     refs,
+	})
+}
+
+func (i *inliningControl) PopDisable() {
+	if i == nil {
+		return
+	}
+	i.disable = i.disable[:len(i.disable)-1]
+}
+
+func (i *inliningControl) Disabled(ref ast.Ref, ignoreInternal bool) bool {
+	if i == nil {
+		return false
+	}
+	for _, frame := range i.disable {
+		if !frame.internal || !ignoreInternal {
+			for _, other := range frame.refs {
+				if other.HasPrefix(ref) || ref.HasPrefix(other) {
+					return true
+				}
+			}
+		}
+	}
 	return false
 }