diff --git a/doc/authorization_policy_engine.md b/doc/authorization_policy_engine.md
index 26b4d7a3f..906aa464e 100644
--- a/doc/authorization_policy_engine.md
+++ b/doc/authorization_policy_engine.md
@@ -18,7 +18,6 @@ server {
 local {
 rego_path = "./conf/server/policy.rego"
 policy_data_path = "./conf/server/policy_data.json"
- use_rego_v1 = true
 }
 }
 }
diff --git a/doc/spire_server.md b/doc/spire_server.md
index 59997162e..14156c0d4 100644
--- a/doc/spire_server.md
+++ b/doc/spire_server.md
@@ -115,7 +115,6 @@ This may be useful for templating configuration files, for example across differ
 |:------------------------------|-------------------------------------------------------------------------------------------|----------------|
 | `rego_path` | File to retrieve OPA rego policy for authorization. | |
 | `policy_data_path` | File to retrieve databindings for policy evaluation. | |
-| `use_rego_v1` | Use rego V1 when evaluating the policy. This will become the default in a future release. | false |
 ### Profiling Names
diff --git a/pkg/server/api/middleware/authorization_test.go b/pkg/server/api/middleware/authorization_test.go
index 30fba9480..562822146 100644
--- a/pkg/server/api/middleware/authorization_test.go
+++ b/pkg/server/api/middleware/authorization_test.go
@@ -10,7 +10,6 @@ import (
 "net/url"
 "testing"
- "github.com/open-policy-agent/opa/v1/ast"
 "github.com/open-policy-agent/opa/v1/storage/inmem"
 "github.com/sirupsen/logrus/hooks/test"
 "github.com/spiffe/go-spiffe/v2/spiffeid"
@@ -324,7 +323,7 @@ func TestWithAuthorizationPreprocess(t *testing.T) {
 } {
 t.Run(tt.name, func(t *testing.T) {
 ctx := context.Background()
- policyEngine, err := authpolicy.NewEngineFromRego(ctx, tt.rego, inmem.NewFromObject(map[string]any{}), ast.RegoV1)
+ policyEngine, err := authpolicy.NewEngineFromRego(ctx, tt.rego, inmem.NewFromObject(map[string]any{}))
 require.NoError(t, err, "failed to initialize policy engine")
 // Set up an authorization middleware with one method.
diff --git a/pkg/server/authpolicy/defaults.go b/pkg/server/authpolicy/defaults.go
index ff43f6a89..1a62f8df7 100644
--- a/pkg/server/authpolicy/defaults.go
+++ b/pkg/server/authpolicy/defaults.go
@@ -4,7 +4,6 @@ import (
 "context"
 _ "embed"
- "github.com/open-policy-agent/opa/v1/ast"
 "github.com/open-policy-agent/opa/v1/storage/inmem"
 "github.com/open-policy-agent/opa/v1/util"
 )
@@ -24,5 +23,5 @@ func DefaultAuthPolicy(ctx context.Context) (*Engine, error) {
 }
 store := inmem.NewFromObject(json)
- return NewEngineFromRego(ctx, defaultPolicyRego, store, ast.RegoV1)
+ return NewEngineFromRego(ctx, defaultPolicyRego, store)
 }
diff --git a/pkg/server/authpolicy/policy.go b/pkg/server/authpolicy/policy.go
index 5a3892f37..67336ed29 100644
--- a/pkg/server/authpolicy/policy.go
+++ b/pkg/server/authpolicy/policy.go
@@ -34,7 +34,6 @@ type OpaEngineConfig struct {
 type LocalOpaProviderConfig struct {
 RegoPath string `hcl:"rego_path"`
 PolicyDataPath string `hcl:"policy_data_path"`
- UseRegoV1 bool `hcl:"use_rego_v1"`
 }
 // Input represents context associated with an access request.
@@ -65,12 +64,12 @@ func NewEngineFromConfigOrDefault(ctx context.Context, logger logrus.FieldLogger
 if cfg == nil {
 return DefaultAuthPolicy(ctx)
 }
- return newEngine(ctx, logger, cfg)
+ return newEngine(ctx, cfg)
 }
 // newEngine returns a new policy engine. Or nil if no
 // config is provided.
-func newEngine(ctx context.Context, logger logrus.FieldLogger, cfg *OpaEngineConfig) (*Engine, error) {
+func newEngine(ctx context.Context, cfg *OpaEngineConfig) (*Engine, error) {
 switch {
 case cfg == nil:
 return nil, errors.New("policy engine configuration is nil")
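Review bot: Removing the `UseRegoV1` field from `LocalOpaProviderConfig` drops the `use_rego_v1` key with no grace period, so a deployment whose server config still contains `use_rego_v1 = true` will either fail to load (if the config loader rejects unknown keys) or silently ignore the setting; which of the two happens cannot be told from this hunk. Either way the struct deserves a comment recording the change, e.g. `// Policies are always evaluated as rego.v1; the former use_rego_v1 key has been removed.` above `RegoPath`. The warning that previously told operators how to migrate is deleted in the same commit, so the only remaining signal for an unmigrated rego.v0 policy is the engine-construction error at startup.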
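Review bot: The doc comment directly above the changed `newEngine` signature is stale: it says the function returns nil when no config is provided, but the `case cfg == nil` branch in the same hunk returns an error (`policy engine configuration is nil`); suggest `// newEngine returns a new policy engine built from cfg, or an error if cfg is nil or incomplete.` Now that the logger is no longer passed to `newEngine`, the `logger logrus.FieldLogger` parameter of `NewEngineFromConfigOrDefault` (visible in the hunk header) appears unused; if it is kept for call-site compatibility, say so in that function's doc comment, otherwise remove it and update callers such as the `test.NewNullLogger()` setup in policy_test.go. `NewEngineFromConfigOrDefault` begins and `newEngine` continues outside the hunk, so the logger may still be referenced in lines not shown.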
@@ -102,24 +101,17 @@ func newEngine(ctx context.Context, logger logrus.FieldLogger, cfg *OpaEngineCon
 store = inmem.NewFromObject(map[string]any{})
 }
- version := ast.RegoV0
- if cfg.LocalOpaProvider.UseRegoV1 {
- version = ast.RegoV1
- } else {
- logger.Warn("Using rego.v0 policy format, which will be depracated in SPIRE 1.13; Update the policy to rego.v1 and specify 'use_rego_v1 = true' in the configuration.")
- }
-
- return NewEngineFromRego(ctx, string(module), store, version)
+ return NewEngineFromRego(ctx, string(module), store)
 }
 // NewEngineFromRego is a helper to create the Engine object
-func NewEngineFromRego(ctx context.Context, regoPolicy string, dataStore storage.Store, version ast.RegoVersion) (*Engine, error) {
+func NewEngineFromRego(ctx context.Context, regoPolicy string, dataStore storage.Store) (*Engine, error) {
 rego := rego.New(
 rego.Query("data.spire.result"),
 rego.Package("spire"),
 rego.Module("spire.rego", regoPolicy),
 rego.Store(dataStore),
- rego.SetRegoVersion(version),
+ rego.SetRegoVersion(ast.RegoV1),
 )
 pr, err := rego.PartialResult(ctx)
 if err != nil {
diff --git a/pkg/server/authpolicy/policy_test.go b/pkg/server/authpolicy/policy_test.go
index af91e0a75..c32c76cca 100644
--- a/pkg/server/authpolicy/policy_test.go
+++ b/pkg/server/authpolicy/policy_test.go
@@ -7,7 +7,6 @@ import (
 "path/filepath"
 "testing"
- "github.com/open-policy-agent/opa/v1/ast"
 "github.com/open-policy-agent/opa/v1/storage/inmem"
 "github.com/open-policy-agent/opa/v1/util"
 "github.com/sirupsen/logrus/hooks/test"
@@ -221,7 +220,7 @@ func TestPolicy(t *testing.T) {
 ctx := context.Background()
 // Check with NewEngineFromRego
- pe, err := authpolicy.NewEngineFromRego(ctx, tt.rego, store, ast.RegoV1)
+ pe, err := authpolicy.NewEngineFromRego(ctx, tt.rego, store)
 require.Nil(t, err, "failed to create policy engine")
 res, err := pe.Eval(ctxIn, tt.input)
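Review bot: `NewEngineFromRego` now pins `rego.SetRegoVersion(ast.RegoV1)`, which changes its contract for every caller — a policy written in rego.v0 syntax will presumably be rejected by `rego.PartialResult` instead of loading with a warning — yet the doc comment above the changed signature still only says it is a helper to create the Engine object. Suggest `// NewEngineFromRego compiles regoPolicy as rego.v1 (rego.v0 syntax is not accepted) and builds the Engine over dataStore.` Because that compile failure is now the operator's only migration signal, the error returned from the `if err != nil` branch (its body lies outside the hunk) would be more actionable if it is not already wrapped with context such as `fmt.Errorf("compiling authorization policy as rego.v1: %w", err)`, provided fmt is in scope in this file.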
@@ -242,7 +241,6 @@ func TestPolicy(t *testing.T) {
 LocalOpaProvider: &authpolicy.LocalOpaProviderConfig{
 RegoPath: regoFile,
 PolicyDataPath: permsFile,
- UseRegoV1: true,
 },
 }
 log, _ := test.NewNullLogger()
@@ -434,7 +432,7 @@ func TestNewEngineFromRego(t *testing.T) {
 // a bad store
 store := inmem.New()
- _, err := authpolicy.NewEngineFromRego(ctx, tt.rego, store, ast.RegoV1)
+ _, err := authpolicy.NewEngineFromRego(ctx, tt.rego, store)
 require.Equal(t, err == nil, tt.success)
 })
 }