Use consistent rego syntax in prep for opa 1.0

The idea here is that once we update to opa 1.0 we'll need to always use the new `deny contains foo if` syntax. This change is supposed to make it easier by using that syntax consistently now. It requires importing `rego.v1` everywhere, but we do that consistently for all the rego in ec-policies, so let's also do it here also. See also #2274 which I'd like to rebase on this once it's merged.
enterprise-contract · Jan 21, 2025 · 473f065 · 473f065
1 parent 0749535
commit 473f065
Show file tree

Hide file tree

Showing 30 changed files with 180 additions and 118 deletions.
diff --git a/acceptance/examples/allow_all.rego b/acceptance/examples/allow_all.rego
@@ -1,4 +1,6 @@
 # Simplest never-failing policy
 package main
 
+import rego.v1
+
 allow := []
diff --git a/acceptance/examples/disallowed_functions.rego b/acceptance/examples/disallowed_functions.rego
@@ -6,8 +6,7 @@
 #   test that certain rego functions are not allowed.
 package policy.capabilities
 
-import future.keywords.contains
-import future.keywords.if
+import rego.v1
 
 # METADATA
 # title: use env var

diff --git a/acceptance/examples/fail_with_data.rego b/acceptance/examples/fail_with_data.rego
@@ -1,5 +1,7 @@
 package main
 
-deny[result] {
+import rego.v1
+
+deny contains result if {
     result := sprintf("Failure due to %s", [data.rule_data.banana_fail_reason])
 }
diff --git a/acceptance/examples/fetch_blob.rego b/acceptance/examples/fetch_blob.rego
@@ -1,8 +1,6 @@
 package blobby
 
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
+import rego.v1
 
 # METADATA
 # custom:

diff --git a/acceptance/examples/filtering.rego b/acceptance/examples/filtering.rego
@@ -6,9 +6,7 @@
 #   showcase the filtering logic with include/exclude/collection.
 package policy.filtering
 
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
+import rego.v1
 
 # METADATA
 # title: always pass

diff --git a/acceptance/examples/future_deny.rego b/acceptance/examples/future_deny.rego
@@ -1,6 +1,8 @@
 package main
 
-deny[{"msg": result, "effective_on": effective_on}] {
-    result := "Fails in 2099"
+import rego.v1
+
+deny contains {"msg": result, "effective_on": effective_on} if {
+  result := "Fails in 2099"
 	effective_on := "2099-01-01T00:00:00Z"
 }
diff --git a/acceptance/examples/gloomy_day.rego b/acceptance/examples/gloomy_day.rego
@@ -1,13 +1,15 @@
 # Provide one always passing rule and one always failing rule
 package gloomy
 
+import rego.v1
+
 # METADATA
 # title: Allow gloomy rule
 # description: This rule will never fail
 # custom:
 #   short_name: happy
 #   failure_msg: Always succeeds
-deny[result] {
+deny contains result if {
     false
     result := "Never fails"
 }
@@ -18,7 +20,7 @@ deny[result] {
 # custom:
 #   short_name: sad
 #   failure_msg: Always fails
-deny[result] {
+deny contains result if {
 	result := {
 		"code": "gloomy.sad",
 		"effective_on": "2022-01-01T00:00:00Z",

diff --git a/acceptance/examples/happy_day.rego b/acceptance/examples/happy_day.rego
@@ -1,6 +1,8 @@
 # Simplest never-failing policy
 package main
 
+import rego.v1
+
 # METADATA
 # title: Allow rule
 # description: This rule will never fail
@@ -10,7 +12,7 @@ package main
 #   solution: Easy
 #   collections:
 #   - A
-deny[result] {
+deny contains result if {
     false
     result := "Never denies"
 }
diff --git a/acceptance/examples/image_config.rego b/acceptance/examples/image_config.rego
@@ -1,17 +1,15 @@
 # Verify image config data from input.
 package image_config
 
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
+import rego.v1
 
 # METADATA
 # title: Image Title Label
 # description: Check if the image has the org.opencontainers.image.title label set.
 # custom:
 #   short_name: image_title_set
 #   failure_msg: Missing image title label
-deny contains err(rego.metadata.rule()) {
+deny contains err(rego.metadata.rule()) if {
     not input.image.config.Labels["org.opencontainers.image.title"]
 }
 
@@ -21,7 +19,7 @@ deny contains err(rego.metadata.rule()) {
 # custom:
 #   short_name: parent_image_title_set
 #   failure_msg: Missing parent image title label
-deny contains err(rego.metadata.rule()) {
+deny contains err(rego.metadata.rule()) if {
     not input.image.parent.config.Labels["org.opencontainers.image.title"]
 }
 
@@ -33,7 +31,7 @@ deny contains err(rego.metadata.rule()) {
 # custom:
 #   short_name: image_distinct_title_set
 #   failure_msg: Image does not have a distinct title
-deny contains err(rego.metadata.rule()) {
+deny contains err(rego.metadata.rule()) if {
     l1 := input.image.config.Labels["org.opencontainers.image.title"]
     l2 := input.image.parent.config.Labels["org.opencontainers.image.title"]
     l1 == l2

diff --git a/acceptance/examples/keyless.rego b/acceptance/examples/keyless.rego
@@ -1,8 +1,6 @@
 package keyless
 
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
+import rego.v1
 
 # METADATA
 # custom:

diff --git a/acceptance/examples/oci_image_files.rego b/acceptance/examples/oci_image_files.rego
@@ -2,7 +2,6 @@ package files
 
 import rego.v1
 
-
 # METADATA
 # custom:
 #   short_name: match

diff --git a/acceptance/examples/olm_manifests.rego b/acceptance/examples/olm_manifests.rego
@@ -1,8 +1,6 @@
 package olm_manifests
 
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
+import rego.v1
 
 # METADATA
 # title: Manifests are there

diff --git a/acceptance/examples/pipeline_basic.rego b/acceptance/examples/pipeline_basic.rego
@@ -1,13 +1,15 @@
 package pipeline.main
 
+import rego.v1
+
 expected_kind := "Pipeline"
 
 # METADATA
 # title: Pipeline kind is expected
 # description: Check that the pipeline is a kind of "Pipeline"
 # custom:
 #   short_name: expected_kind
-deny[result] {
+deny contains result if {
 	expected_kind != input.kind
 	result := "invalid kind"
 }
diff --git a/acceptance/examples/purl.rego b/acceptance/examples/purl.rego
@@ -1,8 +1,6 @@
 package purl
 
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
+import rego.v1
 
 # METADATA
 # custom:

diff --git a/acceptance/examples/reject.rego b/acceptance/examples/reject.rego
@@ -1,9 +1,7 @@
 # Simplest always-failing policy
 package main
 
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
+import rego.v1
 
 # METADATA
 # title: Reject rule

diff --git a/acceptance/examples/rules_with_dependencies.rego b/acceptance/examples/rules_with_dependencies.rego
@@ -1,7 +1,6 @@
 package pkg
 
-import future.keywords.contains
-import future.keywords.if
+import rego.v1
 
 # METADATA
 # custom:

diff --git a/acceptance/examples/trace_debug.rego b/acceptance/examples/trace_debug.rego
@@ -1,7 +1,6 @@
 package main
 
-import future.keywords.contains
-import future.keywords.if
+import rego.v1
 
 # METADATA
 # title: Debug

diff --git a/acceptance/examples/unsupported.rego b/acceptance/examples/unsupported.rego
@@ -1,5 +1,7 @@
 package unsupported
 
-deny {
+import rego.v1
+
+deny if {
     true
 }
diff --git a/acceptance/examples/warn.rego b/acceptance/examples/warn.rego
@@ -1,6 +1,8 @@
 # Simplest always-warning policy
 package main
 
-warn[result] {
+import rego.v1
+
+warn contains result if {
     result := "Has a warning"
 }
diff --git a/acceptance/examples/with_annotations.rego b/acceptance/examples/with_annotations.rego
@@ -1,11 +1,13 @@
 package policy.release.kitty
 
+import rego.v1
+
 # METADATA
 # title: Kittens
 # description: Fluffy
 # custom:
 #   short_name: purr
 #
-deny[result] {
+deny contains result if {
     result := "Meow"
 }
diff --git a/docs/policy/release/attestation.rego b/docs/policy/release/attestation.rego
@@ -8,6 +8,8 @@
 #
 package policy.release.builtin.attestation
 
+import rego.v1
+
 # METADATA
 # title: Attestation signature
 # description: >-
@@ -23,7 +25,7 @@ package policy.release.builtin.attestation
 #   collections:
 #   - builtin
 #
-deny {
+deny if {
 	false # Here just to provide documentation
 }
 
@@ -40,6 +42,6 @@ deny {
 #   collections:
 #   - builtin
 #
-deny {
+deny if {
 	false # Here just to provide documentation
 }
diff --git a/docs/policy/release/image.rego b/docs/policy/release/image.rego
@@ -8,6 +8,8 @@
 #
 package policy.release.builtin.image
 
+import rego.v1
+
 # METADATA
 # title: Image signature
 # description: >-
@@ -23,6 +25,6 @@ package policy.release.builtin.image
 #   collections:
 #   - builtin
 #
-deny {
+deny if {
 	false # Here just to provide documentation
 }
diff --git a/internal/evaluator/__testdir__/simple/a.rego b/internal/evaluator/__testdir__/simple/a.rego
@@ -1,12 +1,14 @@
 # A set of policies
 package a
 
+import rego.v1
+
 # METADATA
 # title: Failure
 # description: Failure description.
 # custom:
 #   short_name: failure
-deny[result] {
+deny contains result if {
 	result := {
 		"code": "a.failure",
 		"msg": "Failure!",
@@ -17,7 +19,7 @@ deny[result] {
 # description: Warning description.
 # custom:
 #   short_name: warning
-warn[result] {
+warn contains result if {
 	result := {
 		"code": "a.warning",
 		"msg": "Warning!",
@@ -28,7 +30,7 @@ warn[result] {
 # description: Success description.
 # custom:
 #   short_name: success
-deny[result] {
+deny contains result if {
 	false
 	result := "Success!"
 }
diff --git a/internal/evaluator/__testdir__/simple/b.rego b/internal/evaluator/__testdir__/simple/b.rego
@@ -1,10 +1,12 @@
 # B set of policies
 package b
 
+import rego.v1
+
 # METADATA
 # custom:
 #   short_name: failure
-deny[result] {
+deny contains result if {
 	result := {
 		"code": "b.failure",
 		"msg": "Failure!",
@@ -13,7 +15,7 @@ deny[result] {
 # METADATA
 # custom:
 #   short_name: warning
-warn[result] {
+warn contains result if {
 	result := {
 		"code": "b.warning",
 		"msg": "Warning!",
@@ -22,7 +24,7 @@ warn[result] {
 # METADATA
 # custom:
 #   short_name: success
-deny[result] {
+deny contains result if {
 	false
 	result := "Success!"
 }
diff --git a/internal/evaluator/__testdir__/unconforming/no_msg.rego b/internal/evaluator/__testdir__/unconforming/no_msg.rego
@@ -1,5 +1,7 @@
 package no_msg
 
-deny {
+import rego.v1
+
+deny if {
     true
 }