diff --git a/app/Makefile b/app/Makefile
index c692212e12ab2fc6ffafda89958fc7b416c6082e..d9ee7418cc45e5eba6a57e46522f8b54624c2df8 100644
--- a/app/Makefile
+++ b/app/Makefile
@@ -106,8 +106,8 @@ scan:
 docker scan $(IMAGE_NAME):$(TAG)
 #local: LOG_LEVEL_TRANSLATE := DEBUG
-#local: LOG_LEVEL := DEBUG
 #local: aws_set_token_green echoenv
+local: LOG_LEVEL := DEBUG
 local: OPA_URL := http://localhost:$(OPA_PORT)
 local: CLOUD_PROVIDER := LOCAL
 local: DISABLE_OPA_CACHE := False
@@ -437,19 +437,20 @@ gcp_opa_ttab:
 aws_opa_ttab:
 ttab -t OPA make local_opa
+local_opa: ENTITLEMENTS_BASE_URL := ${BASE_URL}
+local_opa: LEGAL_BASE_URL := ${BASE_URL}
 local_opa:
- opa run --server
+ opa run -l debug --server
 local_opa_ttab:
 ttab -t OPA make local_opa
 opa:
- docker run \
+ docker run -it --rm --platform linux/amd64 \
 -v ${PWD}:/conf \
 -e ENTITLEMENTS_BASE_URL=${BASE_URL} \
 -e LEGAL_BASE_URL=${BASE_URL} \
 --name $(OPA_NAME) -p 8181:8181 openpolicyagent/opa \
- --config-file=tests/opa.yaml \
 run --server
 opa2:
diff --git a/cache/README.md b/cache/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..9e97971b3bf0500b3433ff0bb29d8b1e507873c0
--- /dev/null
+++ b/cache/README.md
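Review bot: The two target-specific assignments added above `local_opa:` (`ENTITLEMENTS_BASE_URL`, `LEGAL_BASE_URL`) are make variables, not environment variables; unless the Makefile exports them somewhere outside this hunk, the `opa run` child process will not see them and the policies' `opa.runtime().env[...]` lookups stay undefined, which the `opa:` docker target avoids by passing `-e`. Prefixing the assignments with `export` keeps them target-scoped and visible to the recipe: `local_opa: export ENTITLEMENTS_BASE_URL := ${BASE_URL}` and `local_opa: export LEGAL_BASE_URL := ${BASE_URL}`. Separately, dropping `--config-file=tests/opa.yaml` from the `opa:` target means that container now runs on OPA defaults, so whatever cache bound that file configured (the README added in this commit is about testing `caching.inter_query_builtin_cache.max_size_bytes`) presumably no longer applies there; if that is intended, a one-line comment on the target saying so would save the next reader a search. Also, to my knowledge OPA at `-l debug` logs request bodies, which for this service carry the caller's bearer token in `input.token`; acceptable for a local-only target, but worth a comment so the flag is not copied into a deployed invocation.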
@@ -0,0 +1,16 @@
+# Testing Cache
+
+## cache.rego
+This rego is a demo of how bad rego's can fill up your cache and not get cache hits.
+This one in particular is useful for testing `caching.inter_query_builtin_cache.max_size_bytes` in OPA config.
+
+### Recommended steps for testing:
+These commands will only work in M24
+
+- Install [AdminCLI](https://osdu.pages.opengroup.org/ui/admincli/install/)
+- Download [eval_legal.json](https://community.opengroup.org/osdu/ui/admincli/-/raw/master/admincli/resources/eval_legal.json)
+- Download [cache.rego](https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/raw/master/cache/cache.rego)
+- Upload cache.rego to policy via `admincli add -f cache.rego -t cache`
+- Verify policy is in place `admincli ls cache`
+- Run a single eval: `admincli eval -f eval_legal.json -t cache --force --no-cache`
+- Run eval 100 times: - `admincli eval -f eval_legal.json -t cache --force --no-cache --count=100 --quiet`
diff --git a/cache/cache.rego b/cache/cache.rego
new file mode 100644
index 0000000000000000000000000000000000000000..2309b485c1fc7c5cc802a4a64c8d6709e617d04e
--- /dev/null
+++ b/cache/cache.rego
@@ -0,0 +1,153 @@
+package osdu.partition["osdu"].cache
+
+import input
+
+uuid1 = uuid.rfc4122("abc")
+uuid2 = uuid.rfc4122("foo")
+uuid3 = uuid.rfc4122("123")
+
+headers1 = {
+ "Content-Type": "application/json",
+ "data-partition-id": input.datapartitionid,
+ "Authorization": sprintf("Bearer %v", [input.token]),
+ "Accept": "application/json",
+ "correlation-id": uuid1
+}
+
+headers2 = {
+ "Content-Type": "application/json",
+ "data-partition-id": input.datapartitionid,
+ "Authorization": sprintf("Bearer %v", [input.token]),
+ "Accept": "application/json",
+ "correlation-id": uuid2
+}
+
+headers3 = {
+ "Content-Type": "application/json",
+ "data-partition-id": input.datapartitionid,
+ "Authorization": sprintf("Bearer %v", [input.token]),
+ "Accept": "application/json",
+ "uuid": uuid3
+}
+
+body = {
+ "names": { x | x := input.records[_].legal.legaltags[_] }
+}
+
+legal_base_url = sprintf("%s%s",[opa.runtime().env["LEGAL_BASE_URL"],"/api/legal/v1/legaltags"])
+
+entitlement_base_url = sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/entitlements/v2/groups"])
+
+legal_response1 := http.send({
+ "method": "GET",
+ "url": sprintf("%s%s",[opa.runtime().env["LEGAL_BASE_URL"],"/api/legal/v1/legaltags"]),
+ "body": body,
+ "headers": headers1,
+ "max_retry_attempts": 5,
+ "force_cache": true,
+ "force_cache_duration_seconds": 14400
+ })
+
+legal_response2 := http.send({
+ "method": "GET",
+ "url": sprintf("%s%s",[opa.runtime().env["LEGAL_BASE_URL"],"/api/legal/v1/legaltags"]),
+ "body": body,
+ "headers": headers2,
+ "max_retry_attempts": 5,
+ "force_cache": true,
+ "force_cache_duration_seconds": 14400
+ })
+
+legal_response3 := http.send({
+ "method": "GET",
+ "url": sprintf("%s%s",[opa.runtime().env["LEGAL_BASE_URL"],"/api/legal/v1/legaltags"]),
+ "body": body,
+ "headers": headers3,
+ "max_retry_attempts": 5,
+ "force_cache": true,
+ "force_cache_duration_seconds": 14400
+ })
+
+groups_response1 := http.send({
+ "method": "GET",
+ "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/entitlements/v2/groups"]),
+ "headers": headers1,
+ "max_retry_attempts": 5,
+ "force_cache": true,
+ "force_cache_duration_seconds": 14400
+ })
+
+groups_response2 := http.send({
+ "method": "GET",
+ "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/entitlements/v2/groups"]),
+ "headers": headers2,
+ "max_retry_attempts": 5,
+ "force_cache": true,
+ "force_cache_duration_seconds": 14400
+ })
+
+groups_response3 := http.send({
+ "method": "GET",
+ "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/entitlements/v2/groups"]),
+ "headers": headers3,
+ "max_retry_attempts": 5,
+ "force_cache": true,
+ "force_cache_duration_seconds": 14400
+ })
+
+policy_response1 := http.send({
+ "method": "GET",
+ "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/policy/v1/config"]),
+ "headers": headers1,
+ "max_retry_attempts": 5,
+ "force_cache": true,
+ "force_cache_duration_seconds": 14400
+ })
+
+policy_response2 := http.send({
+ "method": "GET",
+ "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/policy/v1/config"]),
+ "headers": headers2,
+ "max_retry_attempts": 5,
+ "force_cache": true,
+ "force_cache_duration_seconds": 14400
+ })
+
+policy_response3:= http.send({
+ "method": "GET",
+ "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/policy/v1/config"]),
+ "headers": headers3,
+ "max_retry_attempts": 5,
+ "force_cache": true,
+ "force_cache_duration_seconds": 14400
+ })
+
+search_response1 := http.send({
+ "method": "POST",
+ "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/search/v2/query"]),
+ "body": {"kind": "*:*:*:*", "query": "", "limit": 1000},
+ "headers": headers1,
+ "max_retry_attempts": 5,
+ "force_cache": true,
+ "force_cache_duration_seconds": 14400
+ })
+
+search_response2 := http.send({
+ "method": "POST",
+ "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/search/v2/query"]),
+ "body": {"kind": "*:*:*:*", "query": "", "limit": 1000},
+ "headers": headers2,
+ "max_retry_attempts": 5,
+ "force_cache": true,
+ "force_cache_duration_seconds": 14400
+ })
+
+search_response3 := http.send({
+ "method": "POST",
+ "url": sprintf("%s%s",[opa.runtime().env["ENTITLEMENTS_BASE_URL"],"/api/search/v2/query"]),
+ "body": {"kind": "*:*:*:*", "query": "", "limit": 1000},
+ "headers": headers3,
+ "max_retry_attempts": 5,
+ "force_cache": true,
+ "force_cache_duration_seconds": 14400
+ })
diff --git a/devops/aws/opa/values.yaml b/devops/aws/opa/values.yaml
index 7db06002ef2df396ee369e62ce3e3aed80713d23..1c44a2ccc599f155e69033ecd55e8c12c0833881 100644
--- a/devops/aws/opa/values.yaml
+++ b/devops/aws/opa/values.yaml
@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-image: openpolicyagent/opa:0.67.1
+image: openpolicyagent/opa:0.68.0
diff --git a/docs/docs/opa.md b/docs/docs/opa.md
index 4e65248377204b773d3c699a79ccf9d6ec6f1e69..bc74a8f1a94333b84b7c7d5592241ed5a6214154 100644
--- a/docs/docs/opa.md
+++ b/docs/docs/opa.md
@@ -13,7 +13,7 @@
 | M21 | v0.56 or later |
 | M22 | v0.62.1 or later |
 | M23 | v0.62.1 or later |
-| M24 | v0.66.0 or later |
+| M24 | v0.67.1 or later |
 | M25 | v0.68.0 or later |
 ## Role
diff --git a/docs/docs/releasenotes.md b/docs/docs/releasenotes.md
index e9ccaaa8e99e4d95e6fa0397726b8cafb48260ad..261830ac184966283dbbf56bfefe6f770f7e280e 100644
--- a/docs/docs/releasenotes.md
+++ b/docs/docs/releasenotes.md
@@ -5,8 +5,6 @@ Policy Service v0.28.0 2025/01
 ### M25 Minor Changes
 - Documentation updates.
-- Added max cache OPA config `caching.inter_query_builtin_cache.max_size_bytes` to AWS.
-- Added cache info (if configured) to config API.
 - Min. OPA release recommendation update v0.68 or later
 ### M25 Features
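Review bot: `legal_base_url` and `entitlement_base_url` are defined near the top of cache.rego but never referenced — all twelve `http.send` calls rebuild the URL with an inline `sprintf`, so the two rules are dead code and the repeated URL expressions can drift (the policy and search endpoints are already composed from `ENTITLEMENTS_BASE_URL`, which reads oddly). Use the named rules instead, e.g. `"url": legal_base_url,` in the three `legal_response*` rules and `"url": entitlement_base_url,` in the `groups_response*` rules, and add equivalently named rules for the `/api/policy/v1/config` and `/api/search/v2/query` URLs. The file also carries no comment saying why it exists, so it could be mistaken for a real policy; a header comment such as `# Deliberately cache-hostile demo: uuid.rfc4122 yields a different value on each query, so the correlation-id header changes per eval, every http.send below misses the inter-query cache and inserts a fresh 14400s entry — used to exercise caching.inter_query_builtin_cache.max_size_bytes.` would make the intent explicit. Since the headers forward the caller's bearer token to whatever `ENTITLEMENTS_BASE_URL`/`LEGAL_BASE_URL` point at, the comment should also state that this policy belongs only in the test partition the README describes, never in a production bundle.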
@@ -17,11 +15,13 @@ Policy Service v0.27.0 2024/09
 ### M24 Minor Changes
 - Documentation updates
+- Added max cache OPA config `caching.inter_query_builtin_cache.max_size_bytes` to AWS.
+- Added cache info (if configured) to config API.
 - Default policy cache updates (ignore headers and TTL adjustment) - requires OPA v0.66 or later
 ### M24 Bug Fixes
 - Vulnerability fixes
-- Min. OPA release recommendation update v0.66 or later
+- Min. OPA release recommendation update v0.67.1 or later
 ### M24 Features
diff --git a/docs/docs/testing.md b/docs/docs/testing.md
index d058cbbfb7c68d722bbbda1ddd0abc1e33992867..407d26358d92e8d6deeef450a803691ddcba933a 100644
--- a/docs/docs/testing.md
+++ b/docs/docs/testing.md
@@ -47,11 +47,11 @@ The [test directory](https://community.opengroup.org/osdu/platform/security-and-
 * `OPA_COMPILE_CACHE_TTL` - Added in M20
 * `OPA_DATAAPI_CACHE_MAXSIZE` - Added in M20
 * `OPA_DATAAPI_CACHE_TTL` - Added in M20
-* `OPA_DATA_CACHE_INFO` - Added in M25
-* `OPA_COMPILE_CACHE_INFO` - Added in M25
-* `OPA_DOCUMENT_CACHE_INFO` - Added in M25
-* `OPA_FETCH_CACHE_INFO` - Added in M25
-* `OPA_LIST_CACHE_INFO` - Added in M25
+* `OPA_DATA_CACHE_INFO` - Added in M24
+* `OPA_COMPILE_CACHE_INFO` - Added in M24
+* `OPA_DOCUMENT_CACHE_INFO` - Added in M24
+* `OPA_FETCH_CACHE_INFO` - Added in M24
+* `OPA_LIST_CACHE_INFO` - Added in M24
 ### BUNDLE_PAUSE