Minor version upgrading OPA/Rego compatibility and closing migration … #208
Merged
matajoh merged 1 commit into microsoft:main on Mar 31, 2026
…ures,
crypto/JWT support, and build system improvements.
**New Features**
- OPA Rego compatibility upgraded from v1.8.0 to v1.14.1.
- Added template string interpolation support (`$"Hello {name}!"` and
`` $`raw {expr}` ``), including the `internal.template_string` built-in.
- Added `array.flatten` built-in.
- Added `crypto.*` built-in family: hashing (MD5, SHA1, SHA256), HMAC
(MD5, SHA1, SHA256, SHA512), X.509 certificate parsing and verification,
RSA key parsing, and key pair parsing.
`crypto.x509.parse_and_verify_certificates_with_options` is not yet
implemented (no OPA conformance tests exist for it).
- Added `io.jwt.*` built-in family: `decode`, `decode_verify`, `encode_sign`,
`encode_sign_raw`, and signature verification for HS256/384/512,
RS256/384/512, PS256/384/512, ES256/384/512, and EdDSA.
EdDSA is only available with the OpenSSL backend.
- Added pluggable crypto backend architecture controlled by the
  `REGOCPP_CRYPTO_BACKEND` CMake option:
  - `mbedtls` (default) — Mbed TLS v3.6.2, built from source via
    FetchContent with zero system dependencies on any platform.
  - `openssl3` — OpenSSL 3.0+ (requires system install).
  - `bcrypt` — Windows CNG (Windows only, no external dependencies).
  - `""` — Crypto disabled; crypto/JWT builtins return an error at runtime.
- Added Windows CMake presets (`debug-windows`, `release-windows`,
`debug-windows-opa`, `release-windows-opa`) using the `bcrypt` backend.
- Wrapper builds (Python, Rust, .NET) now pass the crypto backend through to
CMake. Python and .NET use `bcrypt` on Windows and `mbedtls` elsewhere;
Rust uses `mbedtls` on all platforms.
**Bug Fixes**
- Fixed `numbers.range_step` behavior to match current OPA expectations.
- Fixed `strings.count` with empty substring to return `len(s)+1` instead of
looping indefinitely, matching OPA semantics.
- Fixed `split` with empty delimiter to split into individual characters,
matching OPA semantics.
- Fixed JSON object key deduplication to use last-wins semantics, matching
Go `json.Unmarshal` and OPA behavior.
- Fixed `sprintf` `%v` format to render sets using Rego display syntax
(`{1, 2, 3}` / `set()`) instead of internal angle-bracket representation.
- Fixed `to_json`/`to_key` rendering of `true`, `false`, and `null` for
synthetically constructed AST nodes with empty locations.
**Migration Notes**
- JSON objects with duplicate keys now keep only the last value for each key
("last-wins" semantics), matching Go `json.Unmarshal` and OPA behavior.
Previously, duplicate keys were preserved in the AST. If your data documents
or inputs contain duplicate keys and you relied on earlier values being
visible, those values will now be silently dropped.
- `crypto.x509.parse_and_verify_certificates` follows OPA's convention: the
last certificate in the PEM bundle is treated as the leaf (workload)
certificate; all others are treated as CA or intermediate certificates.
Revocation checking (CRL/OCSP) is not performed, matching OPA behavior.
**Build & Infrastructure**
- Upgraded Trieste dependency (switched regex engine from RE2 to TRegex).
Validated against full OPA conformance test suite including regex patterns.
- Removed RE2 from link targets across all build configurations and wrappers.
- CI: Windows PR gate job now uses `release-windows-opa` preset.
- Added test infrastructure for marking tests as `unsupported` (used for
EdDSA tests on non-OpenSSL backends).
Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
Signed-off-by: Matthew Johnson <matjoh@microsoft.com>
Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
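The commit adds `io.jwt.decode_verify` and `encode_sign`. As an added example, not code from this PR or from rego-cpp, the following Go program writes out the checks that a secret-keyed (HS256) `decode_verify` has to perform in the order a fail-closed verifier performs them: split the compact serialization, decode the header, pin `alg`, recompute the HMAC over the signing input, compare it in constant time, and only then decode the payload. The function names `encodeSignHS256`/`decodeVerifyHS256`, the sample secret and the sample claims are constructed for this demo; returning `(false, {}, {})` on failure is an assumption about the failure shape of the `[verified, header, payload]` result, which this page does not spell out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// b64url is the unpadded base64url encoding RFC 7515 uses for JWS segments.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// encodeSignHS256 builds a compact JWS the way io.jwt.encode_sign does for an
// HS256 header: base64url(header).base64url(payload).base64url(HMAC-SHA256).
func encodeSignHS256(header, payload map[string]any, secret []byte) string {
	h, _ := json.Marshal(header) // map[string]any marshals with sorted keys
	p, _ := json.Marshal(payload)
	signingInput := b64url(h) + "." + b64url(p)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil))
}

// decodeVerifyHS256 has the shape of io.jwt.decode_verify: it returns
// (verified, header, payload) and, on any failure, (false, {}, {}). It fails
// closed on a malformed token, on any "alg" other than HS256 (so neither an
// unsigned "none" token nor a public-key-signed token is accepted against the
// shared secret), and on a signature mismatch, compared via hmac.Equal.
func decodeVerifyHS256(token string, secret []byte) (bool, map[string]any, map[string]any) {
	fail := func() (bool, map[string]any, map[string]any) {
		return false, map[string]any{}, map[string]any{}
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fail()
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fail()
	}
	var header map[string]any
	if json.Unmarshal(hdrBytes, &header) != nil || header["alg"] != "HS256" {
		return fail()
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return fail()
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return fail() // verify before trusting anything in the payload
	}
	payloadBytes, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fail()
	}
	var payload map[string]any
	if json.Unmarshal(payloadBytes, &payload) != nil {
		return fail()
	}
	return true, header, payload
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample key
	tok := encodeSignHS256(
		map[string]any{"alg": "HS256", "typ": "JWT"},
		map[string]any{"sub": "alice", "role": "reader"},
		secret)
	ok, _, payload := decodeVerifyHS256(tok, secret)
	fmt.Println("intact token verified:", ok, payload["role"])

	// Replace the payload segment: the signature no longer covers it, so
	// verification must fail and the altered claims must not be returned.
	parts := strings.Split(tok, ".")
	parts[1] = b64url([]byte(`{"sub":"alice","role":"admin"}`))
	ok, _, payload = decodeVerifyHS256(strings.Join(parts, "."), secret)
	fmt.Println("altered token verified:", ok, len(payload))
}
```

The payload is decoded only after the signature check passes; a verifier that parses claims first and checks the signature second tends to leak the unverified claims through error paths or logs.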
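The migration note on duplicate JSON keys describes a silent change: the earlier value is simply gone. The Go program below is an added example, not part of this PR or of rego-cpp. `lastWins` shows the `json.Unmarshal` behaviour the note refers to, and `duplicateKeys` walks the raw token stream to report every repeated key with a path, so a data or input document can be rejected or logged before the engine drops the earlier values. `sampleDoc`, the function names and the `/a/0/b` path format are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleDoc is a constructed data document: "role" appears twice in one object.
const sampleDoc = `{"user": "alice", "role": "reader", "role": "admin", "tags": ["a", "b"]}`

// lastWins shows the semantics the migration note describes: json.Unmarshal
// keeps the last value for a repeated key, so "role" resolves to "admin" and
// "reader" disappears without any error.
func lastWins(doc string) (map[string]any, error) {
	var m map[string]any
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return nil, err
	}
	return m, nil
}

// duplicateKeys walks the token stream instead of the decoded value and
// reports every key repeated within the same object as a "/a/0/b"-style path.
// Run it over data and input documents before they reach the policy engine;
// JSON-pointer escaping of "/" and "~" in key names is left out for brevity.
func duplicateKeys(doc string) ([]string, error) {
	dec := json.NewDecoder(strings.NewReader(doc))
	var dups []string
	if err := walk(dec, "", &dups); err != nil {
		return nil, err
	}
	return dups, nil
}

// walk consumes exactly one JSON value from dec, recursing into containers.
func walk(dec *json.Decoder, path string, dups *[]string) error {
	tok, err := dec.Token()
	if err != nil {
		return err
	}
	delim, isDelim := tok.(json.Delim)
	if !isDelim {
		return nil // scalar: nothing to check
	}
	switch delim {
	case '{':
		seen := map[string]bool{}
		for dec.More() {
			keyTok, err := dec.Token() // Token elides ':' and ',' for us
			if err != nil {
				return err
			}
			key := keyTok.(string)
			if seen[key] {
				*dups = append(*dups, path+"/"+key)
			}
			seen[key] = true
			if err := walk(dec, path+"/"+key, dups); err != nil {
				return err
			}
		}
	case '[':
		for i := 0; dec.More(); i++ {
			if err := walk(dec, fmt.Sprintf("%s/%d", path, i), dups); err != nil {
				return err
			}
		}
	}
	_, err = dec.Token() // consume the matching '}' or ']'
	return err
}

func main() {
	m, _ := lastWins(sampleDoc)
	fmt.Println("decoded role:", m["role"]) // the earlier "reader" is gone
	dups, _ := duplicateKeys(sampleDoc)
	fmt.Println("duplicate keys:", dups)
}
```

Scanning the token stream rather than the decoded map is the point: once `json.Unmarshal` has run, no trace of the duplicate remains, so the check has to happen on the bytes.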
Minor version upgrading OPA/Rego compatibility with new language features,
crypto/JWT support, and build system improvements.
Fixes #185
Fixes #200
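The migration note on `crypto.x509.parse_and_verify_certificates` fixes the bundle order: the last PEM certificate is the leaf, the rest are CAs, and no revocation check happens. The Go program below is an added example (not code from this PR or from rego-cpp) that applies that convention with `crypto/x509`, the library OPA itself uses, and then shows what happens when the same two certificates are supplied in the other order. Two assumptions are mine, not the page's: the first certificate is used as the trust anchor and any certificates between it and the leaf as intermediates (this is how OPA documents the convention; the page only says "CA or intermediate"), and the CA and workload certificates are generated in memory as sample material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// parseAndVerifyBundle applies the convention from the migration note: the
// LAST PEM certificate is the leaf; the others are CAs (first = trust anchor,
// any between = intermediates). It returns the verified chain, leaf first.
// As in OPA there is no CRL/OCSP lookup, so a revoked but unexpired leaf still
// verifies; revocation has to be checked by another component.
func parseAndVerifyBundle(bundle []byte, now time.Time) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("no CERTIFICATE blocks in bundle")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for i, c := range certs[:len(certs)-1] {
		if i == 0 {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	leaf := certs[len(certs)-1]
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// mkCert generates a P-256 key for tmpl and signs it with signer (self-signed when signer is nil).
func mkCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, key
}

// buildBundle constructs a throw-away CA and a workload leaf (sample material) as PEM, leaf last unless reversed.
func buildBundle(now time.Time, reversed bool) []byte {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey := mkCert(caTmpl, caTmpl, nil)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "demo-workload"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := mkCert(leafTmpl, ca, caKey)
	order := []*x509.Certificate{ca, leaf}
	if reversed {
		order = []*x509.Certificate{leaf, ca}
	}
	var out []byte
	for _, c := range order {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

func main() {
	now := time.Now()
	chain, err := parseAndVerifyBundle(buildBundle(now, false), now)
	fmt.Println("CA then leaf:", err, len(chain))
	// Same certificates reversed: the CA is taken as the leaf and the workload
	// certificate as the trust anchor, so verification fails.
	_, err = parseAndVerifyBundle(buildBundle(now, true), now)
	fmt.Println("leaf then CA:", err)
}
```

The reversed case is the practical pitfall: a bundle assembled leaf-first, as many tools emit it, fails verification with an unknown-authority error rather than a message about ordering, so policies that pass bundles to this built-in should normalise the order before calling it.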