Open Policy Agent - v0.52.0

This release contains some enhancements, bugfixes, and a new builtin function.

Allow Adding Labels via Discovery

Previously OPA did not allow any updates to the labels provided in the boot configuration via the discovered (ie. service)
config. This was done to avoid breaking the discovery configuration. But there are use cases where labels can serve as a convenient
way to pass information that could be used in policies, status updates or decision logs. This change allows
additional labels to be configured in the service config which are then made available during runtime.

See the Discovery documentation for more details.

Authored by @mjungsbluth.

New Built-In Function: crypto.hmac.equal

crypto.hmac.equal provides a convenient way to compare hashes generated by the MD5, SHA-1, SHA-256 and SHA-512 hashing algorithms.

Below is a real world example of how this built-in function can be utilized. Imagine our server is registered as a
GitHub webhook which subscribes to certain events on Now we want to limit requests to those coming from GitHub.
One of the ways to do that is to first set up a secret token and validate the information. Once we create the token on GitHub,
we'll set up an environment variable that stores this token and makes it available to OPA via the opa.runtime built-in.
In the case of GitHub webhooks the validation is done by comparing the hash signature received in the X-Hub-Signature-256
header and calculating a hash using the secret token and payload body. The check_signature rule implements this logic.

package example

import input.attributes.request.http as http_request

allow {
    http_request.method == "POST"
    input.parsed_path = ["workflows", "github", "webhooks"]

check_signature {
    secret_key := opa.runtime().env.GITHUB_SECRET_KEY
    hash_body := crypto.hmac.sha256(http_request.raw_body, secret_key)
    expected_signature := concat("", ["sha256=", hash_body])
    header_signature = http_request.headers["X-Hub-Signature-256"]
    crypto.hmac.equal(header_signature, expected_signature)

See the documentation on the new built-in for all the details.

Authored by @sandokandias.

Extend Authentication Methods Supported by OCI Downloader

Previously the OCI Downloader had support for only three types of authentication methods, namely Client TLS Certificates,
Basic Authentication and Bearer Token. This change adds support for other authentication methods such as AWS Signature,
GCP Metadata Token. See the documentation
for more details.

Authored by @DerGut.

Update Profiler Output With Number of Generated Expressions

The number of EVAL/REDO counts in the profile result are sometimes difficult to understand. This is mainly due to the
fact that the compiler rewrites expressions and assigns the same location to each generated expression and the profiler
keys the counters by the location. To provide more clarity, the profile output now includes the number of generated
expressions for each given expression thereby helping to better understand the result and also how the evaluation works.

Here is an example of the updated profiler output with the new NUM GEN EXPR column:

| 20.291µs | 3        | 3        | 3            | test.rego:7 |
| 1µs      | 1        | 1        | 1            | test.rego:6 |
| 2.333µs  | 1        | 1        | 1            | test.rego:5 |
| 6.333µs  | 1        | 1        | 1            | test.rego:4 |
| 84.75µs  | 1        | 1        | 1            | data        |

See the Profiling documentation for more details.

Authored by @ashutosh-narkar.

Runtime, Tooling, SDK

  • bundle: Add ability to load bundles from an arbitrary filesystem (#5833) authored by @kjothen
  • server: Add a note to explicitly point out if OPA binds to the interface on server initialization (#5090) authored by @Parsifal-M
  • Include trace and span identifier in decision logs to help with correlating logs and trace data (#5230) authored by @ashutosh-narkar

Topdown and Rego

  • ast: Disallow partial object rules to have other partial object rule within their immediate extent (#5855) authored by @johanfylling
  • ast: Disallow multi-value rules to have other rules in their extent (#5813) authored by @johanfylling
  • ast: Set result of groundness check on indexer's AllRules func so that rule evaluation for complete rules is not skipped (#5857) authored by @ashutosh-narkar
  • rego: Fix duplicate text in error message during module parsing (#5837) authored by @TzlilSwimmer123
  • planner: Fix bugs that have an impact on IR (#5829) and Wasm usage (#5839) authored by @srenatus
  • ast: Include information about the location of rule value and reference in the AST's JSON representation based on the provided custom parsing options (#5790) authored by @Trolloldem
  • ast: Fix issue with unset annotation data when custom parsing options provided (#5826) authored by @charlieegan3


  • docs/rest-api: Update Compile API docs to include some use-cases (#5858) authored by @charlieegan3
  • docs/extensions: Add Nondeterministic field to the Rego object initialization in the code example for the Custom Built-in Function section (#5861) (authored by @RmStorm)

Website + Ecosystem

  • Ecosystem:
  • Reposaur (#5854) authored by @charlieegan3
  • Update logo for Torque integration (#5810) authored by @shirabendor-quali

  • Website:

  • Reorganize the MISCELLANEOUS section to improve content navigation (#4614) authored by @lakhanjindam


  • Dependency bumps, notably:
  • golang from 1.20.2 to 1.20.3
  • from 0.8.0 to 0.9.0
  • from 1.14.0 to 1.15.0


April 27, 2023, 6:26 p.m.
Register or login to:
  • 🔍View and search all Open Policy Agent releases.
  • 🛠️Create and share lists to track your tools.
  • 🚨Setup notifications for major, security, feature or patch updates.
  • 🚀Much more coming soon!
Continue with GitHub
Continue with Google