Merge branch 'master' into dependabot/npm_and_yarn/documentation/mult…

…i-9423f4c335

.github/workflows/on_release.yml

@@ -86,13 +86,13 @@ jobs:
         run: sed 's/:latest/:test/g' docker/docker-compose-example.yml > docker/docker-compose-test.yml
 
       - name: Bring up stack
-        run: docker-compose -f docker/docker-compose-test.yml up -d
+        run: docker compose -f docker/docker-compose-test.yml up -d
 
       - name: Check if OPA is healthy
         run: ./scripts/wait-for.sh -t 60 http://localhost:8181/v1/data/users -- sleep 10 && curl -s "http://localhost:8181/v1/data/users" | jq '.result.bob.location.country == "US"'
 
       - name: Output container logs
-        run: docker-compose -f docker/docker-compose-test.yml logs
+        run: docker compose -f docker/docker-compose-test.yml logs
 
       # PUSH PHASE
       - name: Output local docker images

.github/workflows/pre-commit.yml

@@ -13,4 +13,13 @@ jobs:
     - uses: actions/setup-python@v4
       with:
         python-version: 3.x
-    - uses: pre-commit/action@v3.0.0
+    - name: install pre-commit
+      run: python -m pip install 'pre-commit<4'
+    - name: show environment
+      run: python -m pip freeze --local
+    - uses: actions/cache@v4
+      with:
+        path: ~/.cache/pre-commit
+        key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
+    - name: run pre-commit
+      run: pre-commit run --show-diff-on-failure --color=always --all-files

.github/workflows/tests.yml

@@ -25,6 +25,7 @@ jobs:
           --health-timeout 5s
           --health-retries 5
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     strategy:
       matrix:
         python-version: ["3.9", "3.10", "3.11", "3.12"]
@@ -53,6 +54,7 @@ jobs:
 
   test-docker:
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     steps:
       # BUILD PHASE
       - name: Checkout
@@ -115,7 +117,7 @@ jobs:
           OPAL_TESTS_POLICY_REPO_DEPLOY_KEY: ${{ secrets.OPAL_TESTS_POLICY_REPO_DEPLOY_KEY }}
         run: |
           # Prepare git for using tests policy repo
-          export OPAL_POLICY_REPO_SSH_KEY_PATH=$(realpath ./opal-tests-policy-repo-key)
+          export OPAL_POLICY_REPO_SSH_KEY_PATH=$(realpath .)/opal-tests-policy-repo-key
           echo "$OPAL_TESTS_POLICY_REPO_DEPLOY_KEY" > $OPAL_POLICY_REPO_SSH_KEY_PATH
           chmod 400 $OPAL_POLICY_REPO_SSH_KEY_PATH
 

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v5.0.0
     hooks:
       - id: check-yaml
       - id: end-of-file-fixer
@@ -18,8 +18,8 @@ repos:
     hooks:
       - id: codespell
         args: [--skip, "*.json"]
-  - repo: https://github.com/myint/docformatter
-    rev: v1.5.1
+  - repo: https://github.com/PyCQA/docformatter
+    rev: v1.7.5
     hooks:
       - id: docformatter
         args: [--in-place]

README.md

@@ -100,7 +100,7 @@ Besides Permit, OPAL is being used in Production in **Tesla**, **Walmart**, **Th
 
 ```
 curl -L https://raw.githubusercontent.com/permitio/opal/master/docker/docker-compose-example.yml \
-> docker-compose.yml && docker-compose up
+> docker-compose.yml && docker compose up
 ```
 
 <p>

app-tests/run.sh

@@ -116,8 +116,10 @@ function test_data_publish {
 function test_statistics {
     echo "- Testing statistics feature"
     # Make sure 2 servers & 2 clients (repeat few times cause different workers might response)
-    for _ in {1..10}; do
-      curl -s 'http://localhost:7002/stats' --header "Authorization: Bearer $OPAL_DATA_SOURCE_TOKEN" | grep '"client_count":2,"server_count":2'
+    for port in {7002..7003}; do
+      for _ in {1..8}; do
+        curl -s "http://localhost:${port}/stats" --header "Authorization: Bearer $OPAL_DATA_SOURCE_TOKEN" | grep '"client_count":2,"server_count":2'
+      done
     done
 }
 
@@ -156,4 +158,20 @@ function main {
   # TODO: Test statistics feature again after broadcaster restart (should first fix statistics bug)
 }
 
-main
+# Retry test in case of failure to avoid flakiness
+MAX_RETRIES=5
+RETRY_COUNT=0
+
+while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
+  echo "Running test (attempt $((RETRY_COUNT+1)) of $MAX_RETRIES)..."
+  main && break
+  RETRY_COUNT=$((RETRY_COUNT + 1))
+  echo "Test failed, retrying..."
+done
+
+if [ $RETRY_COUNT -eq $MAX_RETRIES ]; then
+  echo "Tests failed after $MAX_RETRIES attempts."
+  exit 1
+fi
+
+echo "Tests passed successfully."

docker/Dockerfile

@@ -39,7 +39,7 @@ RUN chmod +x ./wait-for.sh
 RUN ln -s /opal/wait-for.sh /usr/wait-for.sh
 
 # netcat (nc) is used by the wait-for.sh script
-RUN apt-get update && apt-get install -y netcat-traditional jq && apt-get clean
+RUN apt-get update && apt-get install -y netcat-traditional jq wget && apt-get clean
 
 # copy startup script (create link at old path to maintain backward compatibility)
 COPY ./scripts/start.sh .
@@ -116,6 +116,7 @@ COPY --from=opa-extractor /opal/opa ./opa
 
 # enable inline OPA
 ENV OPAL_INLINE_OPA_ENABLED=true
+ENV OPAL_INLINE_OPA_EXEC_PATH=/opal/opa
 # expose opa port
 EXPOSE 8181
 USER opal
@@ -134,6 +135,7 @@ COPY --from=cedar-builder /tmp/cedar-agent/target/*/cedar-agent /bin/cedar-agent
 # enable inline Cedar agent
 ENV OPAL_POLICY_STORE_TYPE=CEDAR
 ENV OPAL_INLINE_CEDAR_ENABLED=true
+ENV OPAL_INLINE_CEDAR_EXEC_PATH=/bin/cedar-agent
 ENV OPAL_INLINE_CEDAR_CONFIG='{"addr": "0.0.0.0:8180"}'
 ENV OPAL_POLICY_STORE_URL=http://localhost:8180
 # expose cedar port

docker/docker-compose-api-policy-source-example.yml

@@ -1,3 +1,5 @@
+name: opal-api-policy-source-example
+
 services:
   # When scaling the opal-server to multiple nodes and/or multiple workers, we use
   # a *broadcast* channel to sync between all the instances of opal-server.

docker/docker-compose-example-cedar.yml

@@ -1,3 +1,5 @@
+name: opal-cedar-example
+
 services:
   # When scaling the opal-server to multiple nodes and/or multiple workers, we use
   # a *broadcast* channel to sync between all the instances of opal-server.

docker/docker-compose-example.yml

@@ -1,3 +1,5 @@
+name: opal-example
+
 services:
   # When scaling the opal-server to multiple nodes and/or multiple workers, we use
   # a *broadcast* channel to sync between all the instances of opal-server.

docker/docker-compose-git-webhook.yml

@@ -1,3 +1,5 @@
+name: opal-git-webhook-example
+
 services:
   # When scaling the opal-server to multiple nodes and/or multiple workers, we use
   # a *broadcast* channel to sync between all the instances of opal-server.

docker/docker-compose-scopes-example.yml

@@ -1,3 +1,5 @@
+name: opal-scopes-example
+
 services:
   redis:
     image: redis

docker/docker-compose-with-callbacks.yml

@@ -1,3 +1,5 @@
+name: opal-callbacks-example
+
 services:
   # When scaling the opal-server to multiple nodes and/or multiple workers, we use
   # a *broadcast* channel to sync between all the instances of opal-server.

docker/docker-compose-with-kafka-example.yml

@@ -1,3 +1,4 @@
+name: opal-kafka-example
 
 services:
   # Based on: https://developer.confluent.io/quickstart/kafka-docker/

docker/docker-compose-with-oauth-initial.yml

@@ -1,3 +1,5 @@
+name: opal-oauth-example
+
 services:
   # When scaling the opal-server to multiple nodes and/or multiple workers, we use
   # a *broadcast* channel to sync between all the instances of opal-server.

docker/docker-compose-with-rate-limiting.yml

@@ -1,3 +1,5 @@
+name: opal-rate-limiting-example
+
 # This docker compose example shows how to configure OPAL's rate limiting feature
 services:
   # When scaling the opal-server to multiple nodes and/or multiple workers, we use

docker/docker-compose-with-security.yml

@@ -1,3 +1,5 @@
+name: opal-security-example
+
 # this docker compose file is relying on external environment variables!
 # run it by running the script: ./run-example-with-security.sh
 services:

docker/docker-compose-with-statistics.yml

@@ -1,3 +1,5 @@
+name: opal-statistics-example
+
 services:
   # When scaling the opal-server to multiple nodes and/or multiple workers, we use
   # a *broadcast* channel to sync between all the instances of opal-server.