Releases: open-policy-agent/opa

v1.12.2

06 Jan 15:06
Immutable release. Only release title and notes can be modified.
89c6537

This bug fix release addresses issues found in the new string interpolation feature.

v1.12.1

18 Dec 21:39

This bug fix release reverts a change to regex.replace that unintentionally changed its behaviour for anchored regular expressions.

  • Revert "topdown: make regex.replace respect cancellation" (authored by @srenatus)

v1.12.0

18 Dec 13:10
d61ac38

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Support for String Interpolation in the Rego language
  • Faster compilation and runtime
  • Fixes published in the v1.11.1 release

String Interpolation (#4733)

The Rego language has been extended to support String Interpolation,
which provides a readable means to compose strings containing dynamic values determined at evaluation time.

An interpolated string is a template string containing zero or more template expressions, each of which is evaluated to a value at evaluation time.
A leading $ character marks a template string, and template expressions are enclosed in curly braces ({, }).

If a template expression evaluates to undefined, evaluation is not halted; instead, <undefined> is injected into the generated string.

package interpolation

allowed_roles := ["admin", "employee"]

default role := "guest"
role := input.role

deny contains $"User {input.username}'s role was '{role}', but must be one of {allowed_roles}" if {
  not role in allowed_roles
}

Evaluating data.interpolation.deny against an input that carries no username produces:

{
  "deny": [
    "User <undefined>'s role was 'guest', but must be one of [\"admin\", \"employee\"]"
  ]
}

String interpolation is a more readable and less error-prone substitute for the sprintf built-in function.

Authored by @johanfylling reported by @anderseknert

Tip

Help us out!

New Rego language features are exciting, and we want to maximize their usefulness. If you come across tools and integrations in the community where string interpolation isn't properly handled, such as syntax highlighting, please reach out and let us know.

Runtime, SDK, Tooling

  • oracle: Refactor Oracle to better support some and every (#8105, #8131, #8138) authored by @charlieegan3
  • plugins/bundle: Prevent ns-level polling by validating intervals (#8082) authored by @jjhwan-h
  • plugins/discovery: Initialize plugins before downloading (#8071) authored by @jt28828
  • topdown: Introduce sink for context cancellation
    • topdown: Make regex.replace respect cancellation (#8089) authored by @srenatus
    • topdown: Make replace and strings.replace_n respect cancellation (#8089) authored by @srenatus
    • topdown: Use sink for concat (#8090) authored by @srenatus
    • perf: Avoid extra allocation in sink if no cancel (#8104) authored by @anderseknert

Compiler, Topdown and Rego

  • ast/compile: Deal with error limit without panic/defer (#8087) authored by @srenatus
  • ast/parser: Check if we need to unescape at all (#8135) authored by @srenatus
  • perf: Improved visitor implementation (10% faster compilation) (#8078) authored by @anderseknert
  • perf: Reduce allocations handling terms (#8116) authored by @anderseknert
  • perf: Type-checker performance improvements (#8143) authored by @anderseknert

Docs, Website, Ecosystem

Miscellaneous

  • ast/checks_test: Fix flaky tests (#8111) authored by @srenatus
  • benchmarks: Install node v24 (#8122) authored by @srenatus
  • download: Fix when compiling with tag opa_no_oci (#8070) authored by @srenatus reported by @mg0083
  • tests: Race in TestStatusUpdateBuffer (#8133) authored by @thevilledev
  • workflow: Integrate benchmarks notebook (#8121) authored by @srenatus
  • workflows: Skip all tests in benchmarks run (#8086) authored by @srenatus
  • Dependency updates; notably:
    • build: Bump golang from 1.25.4 to 1.25.5 (#8107) authored by @srenatus
    • build(deps): Bump google.golang.org/grpc from 1.76.0 to 1.77.0

v1.11.1

16 Dec 20:46

This is a bugfix release:

Memory exhaustion via forged gzip header

A crafted HTTP request to any of OPA's HTTP endpoints could cause OPA to allocate a large amount of memory, triggering
an out-of-memory process exit.

This weakness in OPA's HTTP API gzip handling is as old as the gzip handling itself. A configurable limit was introduced in v0.67.0, but it has been shown that this measure wasn't sufficient to avoid running out of memory in memory-constrained setups.

Thanks to @thevilledev for reporting and fixing this issue.

It only applies to OPA running as a server (as a binary or in a container, e.g. as a sidecar). To trigger an OOM process exit, an adversary must be able to send an HTTP request directly to OPA. That is the case if they are on the same network and there is no proxy in front of OPA, or if OPA is exposed to the internet, which is advised against.

Because the Content-Encoding of a request body is processed before token-based authentication and authorization policies run, those measures do not protect against this attack vector.

If all OPA endpoints require TLS client authentication (mutual TLS, "mTLS"), an adversary without a valid client certificate cannot exploit this, since the connection is rejected during the TLS handshake, before any request body is read.

Please note that while we take all of these issues seriously, OPA isn't designed for adversarial environments. It's strongly advised not to expose any of its endpoints to the public internet. Furthermore, the available security measures should be applied regardless, for defense in depth. See the documentation for the available means of authentication and authorization in OPA.

Please also check out our Security Policy for reporting critical issues and bugs.
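
The release notes above describe the weakness but not the fix. As an added illustration (example code, not OPA's own handler), the following Go program shows the defensive pattern that applies to any server inflating a compressed request body: the ISIZE length field in the gzip trailer is entirely client-controlled and must never be used to size an allocation, and inflation has to be streamed under a hard cap so that neither a forged length nor a highly compressible payload (a "gzip bomb") can drive memory use. The function names, the 64 KiB cap and the sample request body are constructed for this example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

var (
	// ErrBodyTooLarge: the inflated body passed the caller's cap; we stop reading there.
	ErrBodyTooLarge = errors.New("decompressed request body exceeds limit")
	// ErrCorruptBody: the gzip trailer (CRC32/ISIZE) disagrees with the inflated data.
	ErrCorruptBody = errors.New("gzip trailer does not match inflated data")
)

// gzipCompress gzips data in memory; used here only to build constructed sample bodies.
func gzipCompress(data []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(data); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// claimedUncompressedSize returns ISIZE, the last four bytes of a gzip member
// (little-endian, uncompressed length mod 2^32). The sender controls this value
// completely, so a handler that does make([]byte, ISIZE) before inflating lets the
// client pick the allocation size: a few dozen bytes on the wire can demand 4 GiB.
func claimedUncompressedSize(gz []byte) (uint32, bool) {
	if len(gz) < 8 {
		return 0, false
	}
	return binary.LittleEndian.Uint32(gz[len(gz)-4:]), true
}

// forgeTrailerSize rewrites ISIZE in a copy of gz. The deflate stream and CRC are
// untouched, so the member still inflates to the original data.
func forgeTrailerSize(gz []byte, claimed uint32) []byte {
	out := append([]byte(nil), gz...)
	binary.LittleEndian.PutUint32(out[len(out)-4:], claimed)
	return out
}

// readGzipBounded inflates r without ever looking at ISIZE: it streams through
// io.LimitReader so memory use is bounded by maxDecompressed regardless of what
// the trailer claims or how well the payload compresses.
func readGzipBounded(r io.Reader, maxDecompressed int64) ([]byte, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// Allow one extra byte so "exactly at the limit" and "over the limit" differ.
	var buf bytes.Buffer
	if _, err := buf.ReadFrom(io.LimitReader(zr, maxDecompressed+1)); err != nil {
		if errors.Is(err, gzip.ErrChecksum) {
			return nil, ErrCorruptBody // Go's reader checks CRC32 and ISIZE at EOF
		}
		return nil, err
	}
	if int64(buf.Len()) > maxDecompressed {
		return nil, ErrBodyTooLarge
	}
	return buf.Bytes(), nil
}

func main() {
	const limit = 64 << 10                        // 64 KiB cap for this demo
	body := []byte(`{"input":{"user":"alice"}}`) // constructed sample request body
	forged := forgeTrailerSize(gzipCompress(body), 0xFFFFFFFF)
	claimed, _ := claimedUncompressedSize(forged)
	fmt.Printf("%d bytes on the wire, trailer claims %d inflated bytes\n", len(forged), claimed)
	_, err := readGzipBounded(bytes.NewReader(forged), limit)
	fmt.Println("forged ISIZE:", err)
	_, err = readGzipBounded(bytes.NewReader(gzipCompress(make([]byte, 1<<20))), limit)
	fmt.Println("1 MiB of zeros under a 64 KiB cap:", err)
}
```

The forged body is rejected only after the real 26 bytes have been buffered, because Go's gzip reader compares ISIZE with what it actually inflated; the bomb is cut off at the cap without the trailer ever being reached. Neither path allocates in proportion to anything the client wrote.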

Decision Logs dropped (introduced in OPA v1.9.0)

When the decision logs buffer was uploaded, the buffer limit was inadvertently reset to the default upload limit (32kb).
This caused logs to be dropped that shouldn't have been dropped.

This default is overridden by the configuration value decision_logs.reporting.upload_size_limit_bytes, see the docs on decision logs.

There's a Prometheus metric for dropped events, counter_decision_logs_dropped_buffer_size_limit_bytes_exceeded,
and you can check that for unexpectedly high counts.

Reported by @johanneslarsson #8123, fixed by @sspaink.

The release is otherwise identical to v1.11.0.

v1.11.0

26 Nov 13:24
45cbfa1

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • More efficient connection management in the http.send built-in function
  • More performant loading of large bundles containing multiple Rego files

Immutable Releases

Starting with this release, OPA releases are immutable for increased security.

Runtime, SDK, Tooling

  • v1/ast: Fix Call parsing Text attribute including an extra character (#7989) authored by @schmitd
  • ast: Export built-in deprecated field (#7912) authored by @colinjlacy
  • ast: Intern common var values + some parser improvements (#8028) authored by @anderseknert
  • ast: Support custom builtins in CompileModulesWithOpt (#8061) authored by @sspaink
  • bundle: Concurrent Rego parsing in bundle loader (#8067) authored by @anderseknert
  • cmd: Support --ignore in eval cmd when using bundle flag (--bundle) (#8062) authored by @sspaink
  • storage/inmem: Allow passing triggers (AST) data without conversion (#7958) authored by @anderseknert

Compiler, Topdown and Rego

  • topdown: Avoid unnecessary use of custom http.Transport in http.send built-in (#7927) authored by @sykesm
  • topdown: New custom SemVer implementation (#8010) authored by @anderseknert
  • topdown: Use sync.Pool for eval func objects (#8054) authored by @anderseknert

Docs, Website, Ecosystem

Miscellaneous

  • Bump golangci-lint, more gocritic linters (#8052) authored by @anderseknert
  • Tidy up and unify sync pool handling (#8068) authored by @anderseknert
  • builtins: Add StringOperandByteSlice helper (#8048) authored by @anderseknert
  • test: Add test cases for consistent cache behavior (#8015) authored by @DFrenkel
  • util/performance: Remove math.Log10, remove unused KeysCount (#8041) authored by @srenatus
  • workflow: Add Benchmarks workflow (#8072) authored by @srenatus
  • workflows/pull-request: Update macos versions (#8030) authored by @srenatus
  • Dependency updates; notably:
    • build: golang 1.25.3 -> 1.25.4 (#8051) authored by @srenatus
    • build(deps): Bump github.com/bytecodealliance/wasmtime-go from v37.0.0 to v39.0.1 (#8075) authored by @srenatus
    • build(deps): Bump github.com/containerd/containerd/v2 from 2.1.4 to 2.2.0
    • build(deps): Bump github.com/huandu/go-sqlbuilder from 1.37.0 to 1.38.1
    • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.11 to 3.0.12
    • build(deps): Bump github.com/vektah/gqlparser/v2 from 2.5.30 to 2.5.31 (#8027) authored by @johanfylling
    • build(deps): Bump golang.org/x/crypto from 0.43.0 to 0.45.0
    • build(deps): Bump golang.org/x/net from 0.44.0 to 0.45.0
    • build(deps): Bump golang.org/x/time from 0.13.0 to 0.14.0
    • build(deps): Bump google.golang.org/grpc from 1.75.1 to 1.76.0
    • build(deps): Bump google.golang.org/protobuf from 1.36.9 to 1.36.10

v1.10.1

05 Nov 09:23

This is a bugfix release for the split built-in: in v1.10.0, it looped infinitely when called with an empty-string delimiter.

Reported by @SignalRichard, authored by @srenatus

The release is otherwise identical to v1.10.0.

v1.10.0

31 Oct 14:20
e6865c4

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Non-static arm64 executables for linux and darwin, supporting Wasm evaluation
  • Performance improvements to the formatter, compiler, and runtime
  • A new --fail-on-empty flag for opa test
  • Support for IS NOT NULL query statements in the Compile API

Non-static OPA binaries for linux/arm64 and darwin/arm64

Starting with this release, OPA will ship non-static arm64 executables for linux and darwin.
These binaries have support for Wasm evaluation.
Furthermore, the openpolicyagent/opa:latest docker image is a multi-platform image with arm64 support.

Runtime, Tooling

  • cmd: Add opa test --fail-on-empty to allow making bad -r or empty folders fail (#7943) reported and authored by @grosser
  • format: Performance improvements in formatter (#7967) authored by @anderseknert
  • repl: Check usage of with keyword (#7942) authored by @sspaink
  • server/failtracer: don't assume only being fed two-elem calls (#7995) authored by @srenatus
  • storage: Improve performance of storage operations (#7957) authored by @anderseknert
  • storage: Some small improvements to inmem storage (#7944) authored by @anderseknert
  • util: Fix race condition in ReadMaybeCompressedBody (#7966) authored by @anderseknert

Compiler, Topdown and Rego

Docs, Website, Ecosystem

Miscellaneous

  • ast/capabilities: Remove stale comment (#7994) authored by @srenatus
  • build: Non-static images for linux/arm64 (#7977) authored by @srenatus
  • ci: Add zig to post-merge github action (#7983) authored by @sspaink
  • e2e/authz,topdown: Fix benchmarks (#7980) authored by @srenatus
  • runtime: Fixing tests by closing watcher & set default GracefulShutdownPeriod (#7991) authored by @rMaxiQp
  • test/e2e: move http.DefaultTransport fix to init() (#7955) authored by @srenatus
  • Remove vendor/ (#7975) authored by @srenatus
  • Modernize analyzer fixes (#7965) authored by @anderseknert
  • Dependency updates; notably:
    • build: bump golang 1.25.1 -> 1.25.3 authored by @srenatus
    • build(deps): Bump github.com/olekukonko/tablewriter from 0.0.5 to 1.1.0 (#7937) authored by @jh125486
      This is a major version update containing breaking API changes. If you're affected by this, please consult the tablewriter migration guide.
    • deps(build): Bump github.com/bytecodealliance/wasmtime-go from v3.0.2 to v37.0.0 authored by @srenatus

v1.9.0

26 Sep 09:19
c49e670

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Compile API extensions ported from EOPA
  • Improved rule indexing

Compile Rego Queries Into SQL Filters (#7887)

Compile API extensions with support for SQL filter generation, previously exclusive to EOPA, have been ported into OPA.

Example

With OPA running with this policy, we'll compile the query data.filters.include into SQL filters:

package filters

# METADATA
# scope: document
# compile:
#   unknowns: [input.fruits]
include if input.fruits.name == input.favorite

Example Request

POST /v1/compile/filters/include HTTP/1.1
Content-Type: application/json
Accept: application/vnd.opa.sql.postgresql+json

{
  "input": {
    "favorite": "pineapple"
  }
}

Example Response

HTTP/1.1 200 OK
Content-Type: application/vnd.opa.sql.postgresql+json

{
  "result": {
    "query": "WHERE fruits.name = E'pineapple'"
  }
}

See the documentation for more details.

Authored by @srenatus and @philipaconrad

Improved Rule Indexing For "Naked" Refs (#7897)

OPA's rule indexer is one means by which OPA optimizes evaluation performance.
Briefly, based on the query input, the indexer can in some cases determine that a rule won't evaluate successfully before it is evaluated at all.
The indexer previously only considered terms in certain compound expressions, ignoring single terms such as an expression consisting of a sole "naked" ref. This has now changed!

Example

Given a policy with an allow rule containing two "naked" refs: input.foo and input.bar:

package example

allow if {
    input.foo
    input.bar
}

and the input document:

{
    "foo": 1
}

before this improvement, when evaluating the query data.example.allow, we get the trace log:

query:1           Enter data.example.allow = _
query:1           | Eval data.example.allow = _
query:1           | Index data.example.allow (matched 1 rule, early exit)
policy.rego:3     | Enter data.example.allow
policy.rego:5     | | Eval input.foo
policy.rego:6     | | Eval input.bar
policy.rego:6     | | Fail input.bar
policy.rego:5     | | Redo input.foo
query:1           | Fail data.example.allow = _

Here, we can see that the allow rule is evaluated, but fails on the input.bar expression, as it's referencing an undefined value.

With the improvement to the indexer, we instead get:

query:1     Enter data.example.allow = _
query:1     | Eval data.example.allow = _
query:1     | Index data.example.allow (matched 0 rules, early exit)
query:1     | Fail data.example.allow = _

Where we can see that the allow rule was never evaluated, since the input doesn't meet the conditions established by the indexer; i.e. both input.foo and input.bar must have defined values.

Authored by @srenatus

Runtime, Tooling

  • cmd: Print eval errors to stderr (#6749) authored by @sspaink reported by @janorn
  • plugin/decision: Encoder immediately returns when event same size as limit (#7928) authored by @sspaink
  • plugin/decision: Refactor size buffer into its own type (#7884) authored by @sspaink
  • plugins/bundle: Return callback error for manually triggered bundle downloads through the SDK (#7869) authored by @sspaink reported by @victoraugustolls
  • runtime: Fix possible panic in opa run when loading bundles in watch-mode (--watch) (#7870) authored by @sspaink reported by @johanfylling

Compiler, Topdown and Rego

  • perf: Don't invoke future parser for Rego v1 (#7909) authored by @anderseknert
  • topdown: Add counter metric for http.send network requests (#7851) authored by @anivar
  • topdown: Update numbers.range_step built-in error message (#7882) authored by @charlieegan3

Docs, Website

Miscellaneous

  • Bump golangci-lint to v2.4.0 (#7878) authored by @sspaink
  • Community Guidelines: update email list (#7900) authored by @srenatus
  • ci: port binary tests to testscript (#7865) authored by @srenatus
  • dependabot: Updating e2e go deps together with core OPA deps (#7923) authored by @johanfylling
  • github_actions: Add working directory in arguments for Link Checker (#7883) authored by @sspaink
  • rego: Add comprehensive WASM performance benchmarks (#7841) authored by @anivar
  • Dependency updates; notably:
    • build: Bump go to 1.25.1
    • build(deps): Add github.com/huandu/go-sqlbuilder 1.37.0
    • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.10 to 3.0.11
    • build(deps): Bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2
    • build(deps): Bump golang.org/x/net from 0.43.0 to 0.44.0
    • build(deps): Bump golang.org/x/time from 0.12.0 to 0.13.0
    • build(deps): Bump google.golang.org/grpc from 1.75.0 to 1.75.1
    • build(deps): Bump google.golang.org/protobuf from 1.36.8 to 1.36.9
    • build(deps): bump go.opentelemetry.io deps from 1.37.0/0.62.0 to 1.38.0/0.63.0

v1.8.0

28 Aug 15:13
7832826

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Support for EdDSA signatures in io.jwt built-ins, including a new io.jwt.verify_eddsa built-in.

EdDSA Support in built-ins (#7824)

Support for the EdDSA signing algorithm has been added to built-in functions in the io.jwt namespace.

This introduces the new io.jwt.verify_eddsa built-in function, and adds EdDSA support for the following built-ins:

This feature benefited greatly from the groundwork laid by @lestrrat in #7638. 👏 🎉 🥳

Authored by @johanfylling reported by @aromeyer
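
As an added example, not OPA's implementation (the io.jwt built-ins are backed by the jwx library), the following stdlib Go program shows what an EdDSA JWT verifier such as io.jwt.verify_eddsa has to do: pin the alg to "EdDSA" before touching the signature, verify the Ed25519 signature over the exact header.payload bytes, and only then decode the claims. It also demonstrates the two failures a verifier must catch: a swapped payload and a header rewritten to alg "none". The fixed seed, the claims and the helper names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JWS uses unpadded base64url for every segment.
var b64 = base64.RawURLEncoding

// newKeyPairFromSeed derives an Ed25519 key pair from a fixed 32-byte seed so the
// example is reproducible. Real deployments generate keys with crypto/rand.
func newKeyPairFromSeed(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// signEdDSA builds a compact JWS: b64(header).b64(payload).b64(signature), where the
// signature is Ed25519 over the ASCII signing input "b64(header).b64(payload)".
// RFC 8037 registers the alg name "EdDSA" for this.
func signEdDSA(priv ed25519.PrivateKey, claims map[string]any) (string, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyEdDSA checks token against pub and returns the decoded claims. The alg is
// pinned to "EdDSA" before the signature is even decoded, so a header claiming
// "none" or an HMAC alg is rejected instead of being verified with the wrong primitive.
func verifyEdDSA(pub ed25519.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected three segments")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("jws: alg %q not allowed, want EdDSA", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	// Verify over the exact bytes the signer saw, never over re-serialized JSON.
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("jws: signature verification failed")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// replaceSegment re-encodes segment idx (0 = header, 1 = payload) from obj while
// leaving the signature untouched; used to model tampering and alg confusion.
func replaceSegment(token string, idx int, obj any) string {
	parts := strings.Split(token, ".")
	enc, _ := json.Marshal(obj) // a map of strings always marshals
	parts[idx] = b64.EncodeToString(enc)
	return strings.Join(parts, ".")
}

func main() {
	pub, priv := newKeyPairFromSeed([]byte("0123456789abcdef0123456789abcdef")) // constructed seed
	tok, _ := signEdDSA(priv, map[string]any{"sub": "alice", "role": "admin"})
	claims, err := verifyEdDSA(pub, tok)
	fmt.Println("genuine token:", claims, err)
	_, err = verifyEdDSA(pub, replaceSegment(tok, 1, map[string]string{"sub": "mallory", "role": "admin"}))
	fmt.Println("tampered payload:", err)
	_, err = verifyEdDSA(pub, replaceSegment(tok, 0, map[string]string{"alg": "none", "typ": "JWT"}))
	fmt.Println("alg rewritten to none:", err)
}
```

Ed25519 has no parameters to negotiate and no malleable encodings, which is what makes the alg check the one place where a verifier can still be talked into the wrong primitive; a policy that calls the built-in with a known public key gets the equivalent pinning for free.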

Runtime

  • cmd: Add back default cmd.RootCommand definition. (#7811) authored by @philipaconrad
    Fixing a breaking change to the go API introduced in OPA v1.7.0.
  • cmd: Fix opa exec parameters (#7850, #7840) authored by @srenatus
    Fixing regressions introduced in OPA v1.7.0, where the --fail-non-empty and --stdin-input flags were dropped.
  • config: accept env vars set to "", discern from unset (#7831) authored by @srenatus reported by @ManuelNowackConfinale
  • handlers: Add thread-safe initialization for gzipPool (#7828) authored by @charlieegan3
  • plugins: Address race in config access (#7825) authored by @charlieegan3
  • plugin/bundle: Correct bundle delay behavior (#7812) authored by @charlieegan3
  • runtime: Update server init check (#7818) authored by @charlieegan3

Topdown

  • perf: Performance greatly improved for Object.Insert on existing key (#7820) authored by @anderseknert
  • topdown,bundle,plugins: Upgrade interned jwx (0.9.x) with github.com/lestrrat-go/jwx/v3 (#7638) authored by @lestrrat

Docs, Website

Miscellaneous

  • Update organization affiliations (#7842) authored by @tsandall
  • test/e2e: Avoid port exhaustion in concurrent tests (#7862) authored by @anderseknert
  • server: Make TestCertReloading less verbose (#7823) authored by @charlieegan3
  • cmd: Exec test wait for bundle server to start (#7821) authored by @charlieegan3
  • cmd: Update tests to run sync when ready (#7835) authored by @charlieegan3
  • cmd: Move accidental pkg var to local var (#7813) authored by @philipaconrad
  • internal/report: Allow overriding GitHub repo (#7867) authored by @srenatus
  • release: Adding Dockerfile for image used in *-patch build targets (#7864) authored by @johanfylling
  • Dependency updates; notably:
    • build: Bump go to 1.24.6 (#7834, #7839) authored by @johanfylling and @thevilledev
    • build(deps): Bump go-viper/mapstructure/v2 from v2.3.0 to v2.4.0 (#7857) authored by @deeglaze
    • build(deps): Bump github.com/containerd/containerd/v2 from 2.1.3 to 2.1.4
    • build(deps): Bump github.com/prometheus/client_golang from 1.22.0 to 1.23.0

v1.7.1

31 Jul 20:55
1565779

This is a bug fix release addressing two issues for users that include OPA's CLI in their own application's CLI:

  • A missing symbol in the cmd package (cmd.RootCommand)
  • A possible panic in the opa parse command