ast: Adding rego_v1 feature to --v0-compatible capabilities (#7474)

to allow for using Rego v1 bundles in `opa build`/`check`/`eval`/`test`.

Before this change, a bundle with `1` as `rego_version`/`file_rego_versions` would be rejected when evaluated with the `--v0-compatible` flag with the error:

```
rego_parse_error: illegal capabilities: rego_v1 feature required for parsing v1 Rego
```

This is fixed by adding the `rego_v1` feature to the `v0` default capabilities applied when using the `--v0-compatible` flag. Note: this allows OPA to accept Rego `v1` modules inside bundles, but modules without a specified Rego version, such as freestanding non-bundle modules or modules inside bundles with no specified Rego version, are parsed as `v0`.

Signed-off-by: Johan Fylling <[email protected]>

Author: johanfylling

Diff for: cmd/build_test.go

@@ -1048,6 +1048,7 @@ func TestBuildBundleModeWithManifestRegoVersion(t *testing.T) {
 		expErrs      []string
 		v0Compatible bool
 		v1Compatible bool
+		capabilities *ast.Capabilities
 	}{
 		{
 			note: "v0 bundle rego-version",
@@ -1181,8 +1182,47 @@ p[4] {
 	input.x == 1
 }`,
 			},
+			expManifest: `{"revision":"","roots":["test1","test2"],"rego_version":0,"file_rego_versions":{"%ROOT%/bundle1/test2.rego":1,"%ROOT%/bundle2/test3.rego":1}}`,
+		},
+		{
+			note:         "multiple bundles with different rego-versions, v0-compatible, no rego_v1 capabilities feature",
+			v0Compatible: true,
+			roots:        []string{"bundle1", "bundle2"},
+			files: map[string]string{
+				"bundle1/.manifest": `{
+	"roots": ["test1"],
+	"rego_version": 0,
+	"file_rego_versions": {
+		"*/test2.rego": 1
+	}
+}`,
+				"bundle1/test1.rego": `package test1
+p[1] {
+	input.x == 1
+}`,
+				"bundle1/test2.rego": `package test1
+p contains 2 if {
+	input.x == 1
+}`,
+				"bundle2/.manifest": `{
+	"roots": ["test2"],
+	"rego_version": 1,
+	"file_rego_versions": {
+		"*/test4.rego": 0
+	}
+}`,
+				"bundle2/test3.rego": `package test2
+p contains 3 if {
+	input.x == 1
+}`,
+				"bundle2/test4.rego": `package test2
+p[4] {
+	input.x == 1
+}`,
+			},
+			capabilities: capsWithoutFeat(ast.RegoV0, ast.FeatureRegoV1),
 			expErrs: []string{
-				// capabilities inferred from --v0-compatible doesn't include rego_v1 feature, which must be respected
+				// capabilities doesn't include rego_v1 feature, which must be respected
 				"rego_parse_error: illegal capabilities: rego_v1 feature required for parsing v1 Rego",
 			},
 		},
@@ -1282,6 +1322,11 @@ p[4] {
 				params.v0Compatible = tc.v0Compatible
 				params.v1Compatible = tc.v1Compatible
 
+				if tc.capabilities != nil {
+					params.capabilities = newcapabilitiesFlag()
+					params.capabilities.C = tc.capabilities
+				}
+
 				if _, ok := tc.files["capabilities.json"]; ok {
 					_ = params.capabilities.Set(path.Join(root, "capabilities.json"))
 				}
@@ -1354,6 +1399,27 @@ p[4] {
 	}
 }
 
+func capsWithoutFeat(regoVersion ast.RegoVersion, feat ...string) *ast.Capabilities {
+	caps := ast.CapabilitiesForThisVersion(ast.CapabilitiesRegoVersion(regoVersion))
+
+	feats := make([]string, 0, len(caps.Features))
+	for _, f := range caps.Features {
+		skip := false
+		for _, skipF := range feat {
+			if f == skipF {
+				skip = true
+				break
+			}
+		}
+		if !skip {
+			feats = append(feats, f)
+		}
+	}
+	caps.Features = feats
+
+	return caps
+}
+
 func TestBuildBundleFromOtherBundles(t *testing.T) {
 	type bundleInfo map[string]string
 
@@ -1623,37 +1689,6 @@ p {
 					"policy_1.rego": `package test
 q contains 1 if {
 	input.x == 1
-}`,
-				},
-			},
-			expErrs: []string{
-				// capabilities inferred from --v0-compatible doesn't include rego_v1 feature, which must be respected
-				"rego_parse_error: illegal capabilities: rego_v1 feature required for parsing v1 Rego",
-			},
-		},
-		{
-			note:         "single v1 bundle, v0 per-file override, --v0-compatible, rego_v1 capabilities feature",
-			v0Compatible: true,
-			capabilities: func() *ast.Capabilities {
-				caps := ast.CapabilitiesForThisVersion(ast.CapabilitiesRegoVersion(ast.RegoV0))
-				caps.Features = append(caps.Features, ast.FeatureRegoV1)
-				return caps
-			}(),
-			bundles: map[string]bundleInfo{
-				"bundle.tar.gz": {
-					".manifest": `{
-	"rego_version": 1,
-	"file_rego_versions": {
-		"/policy_0.rego": 0
-	}
-}`,
-					"policy_0.rego": `package test
-p {
-	input.x == 1
-}`,
-					"policy_1.rego": `package test
-q contains 1 if {
-	input.x == 1
 }`,
 				},
 			},
@@ -1677,37 +1712,35 @@ q contains 1 if {
 			},
 		},
 		{
-			note:         "v0 bundle + v1 bundle, --v0-compatible",
+			note:         "single v1 bundle, v0 per-file override, --v0-compatible, no rego_v1 capabilities feature",
 			v0Compatible: true,
+			capabilities: capsWithoutFeat(ast.RegoV0, ast.FeatureRegoV1),
 			bundles: map[string]bundleInfo{
-				"bundle_v0.tar.gz": {
-					".manifest": `{"roots": ["test1"], "rego_version": 0}`,
-					"policy.rego": `package test1
+				"bundle.tar.gz": {
+					".manifest": `{
+	"rego_version": 1,
+	"file_rego_versions": {
+		"/policy_0.rego": 0
+	}
+}`,
+					"policy_0.rego": `package test
 p {
 	input.x == 1
 }`,
-				},
-				"bundle_v1.tar.gz": {
-					".manifest": `{"roots": ["test2"], "rego_version": 1}`,
-					"policy.rego": `package test2
+					"policy_1.rego": `package test
 q contains 1 if {
 	input.x == 1
 }`,
 				},
 			},
 			expErrs: []string{
-				// capabilities inferred from --v0-compatible doesn't include rego_v1 feature, which must be respected
+				// capabilities doesn't include rego_v1 feature, which must be respected
 				"rego_parse_error: illegal capabilities: rego_v1 feature required for parsing v1 Rego",
 			},
 		},
 		{
-			note:         "v0 bundle + v1 bundle, --v0-compatible, rego_v1 capabilities feature",
+			note:         "v0 bundle + v1 bundle, --v0-compatible",
 			v0Compatible: true,
-			capabilities: func() *ast.Capabilities {
-				caps := ast.CapabilitiesForThisVersion(ast.CapabilitiesRegoVersion(ast.RegoV0))
-				caps.Features = append(caps.Features, ast.FeatureRegoV1)
-				return caps
-			}(),
 			bundles: map[string]bundleInfo{
 				"bundle_v0.tar.gz": {
 					".manifest": `{"roots": ["test1"], "rego_version": 0}`,
@@ -1743,6 +1776,31 @@ q contains 1 if {
 `,
 			},
 		},
+		{
+			note:         "v0 bundle + v1 bundle, --v0-compatible, no rego_v1 capabilities feature",
+			v0Compatible: true,
+			capabilities: capsWithoutFeat(ast.RegoV0, ast.FeatureRegoV1),
+			bundles: map[string]bundleInfo{
+				"bundle_v0.tar.gz": {
+					".manifest": `{"roots": ["test1"], "rego_version": 0}`,
+					"policy.rego": `package test1
+p {
+	input.x == 1
+}`,
+				},
+				"bundle_v1.tar.gz": {
+					".manifest": `{"roots": ["test2"], "rego_version": 1}`,
+					"policy.rego": `package test2
+q contains 1 if {
+	input.x == 1
+}`,
+				},
+			},
+			expErrs: []string{
+				// capabilities inferred from --v0-compatible doesn't include rego_v1 feature, which must be respected
+				"rego_parse_error: illegal capabilities: rego_v1 feature required for parsing v1 Rego",
+			},
+		},
 		{
 			note:         "v0 bundle + v1 bundle, --v1-compatible",
 			v1Compatible: true,
@@ -2098,6 +2156,20 @@ p[x] {
 					x := 42
 				}`,
 			},
+			expErrs: []string{
+				"test.rego:2: rego_parse_error: `if` keyword is required before rule body",
+				"test.rego:2: rego_parse_error: `contains` keyword is required for partial set rules",
+			},
+		},
+		{
+			note:         "v0 module, not v0-compatible, v0 capabilities without rego_v1 feature",
+			capabilities: capsWithoutFeat(ast.RegoV0, ast.FeatureRegoV1),
+			files: map[string]string{
+				"test.rego": `package test
+				p[x] {
+					x := 42
+				}`,
+			},
 			expErrs: []string{
 				"rego_parse_error: illegal capabilities: rego_v1 feature required for parsing v1 Rego",
 			},
@@ -2188,6 +2260,17 @@ p contains x if {
 			files: map[string]string{
 				"test.rego": `package test
 				
+				p contains x if {
+					x := 42
+				}`,
+			},
+		},
+		{
+			note:         "v1 module, not v0-compatible, v0 capabilities without rego_v1 feature",
+			capabilities: capsWithoutFeat(ast.RegoV0, ast.FeatureRegoV1),
+			files: map[string]string{
+				"test.rego": `package test
+				
 				p contains x if {
 					x := 42
 				}`,

Diff for: cmd/capabilities_test.go

@@ -99,6 +99,7 @@ func TestCapabilitiesCurrent(t *testing.T) {
 				ast.FeatureRefHeadStringPrefixes,
 				ast.FeatureRefHeads,
 				ast.FeatureRegoV1Import,
+				ast.FeatureRegoV1,
 			},
 			expFutureKeywords: []string{
 				"in",

Diff for: cmd/check_test.go

@@ -545,6 +545,18 @@ a[x] {
 			policy: `package test
 a[x] {
 	x := 42
+}`,
+			expErrs: []string{
+				"test.rego:2: rego_parse_error: `if` keyword is required before rule body",
+				"test.rego:2: rego_parse_error: `contains` keyword is required for partial set rules",
+			},
+		},
+		{
+			note:         "v0 module, not v0-compatible, v0 capabilities without rego_v1 feature",
+			capabilities: capsWithoutFeat(ast.RegoV0, ast.FeatureRegoV1),
+			policy: `package test
+a[x] {
+	x := 42
 }`,
 			expErrs: []string{
 				"rego_parse_error: illegal capabilities: rego_v1 feature required for parsing v1 Rego",
@@ -612,6 +624,14 @@ a contains x if {
 			policy: `package test
 a contains x if {
 	x := 42
+}`,
+		},
+		{
+			note:         "v1 module, not v0-compatible, v0 capabilities without rego_v1 feature",
+			capabilities: capsWithoutFeat(ast.RegoV0, ast.FeatureRegoV1),
+			policy: `package test
+a contains x if {
+	x := 42
 }`,
 			expErrs: []string{
 				"rego_parse_error: illegal capabilities: rego_v1 feature required for parsing v1 Rego",

Diff for: cmd/eval_test.go

@@ -3050,6 +3050,20 @@ func TestEvalPolicyWithRegoV1Capability(t *testing.T) {
 					1 < 2
 				}`,
 			},
+			expErrs: []string{
+				"test.rego:2: rego_parse_error: `if` keyword is required before rule body",
+			},
+		},
+		{
+			note:         "v0 module, not v0-compatible, v0 capabilities without rego_v1 feature",
+			v0Compatible: false,
+			capabilities: capsWithoutFeat(ast.RegoV0, ast.FeatureRegoV1),
+			modules: map[string]string{
+				"test.rego": `package test
+				allow {
+					1 < 2
+				}`,
+			},
 			expErrs: []string{
 				"rego_parse_error: illegal capabilities: rego_v1 feature required for parsing v1 Rego",
 			},
@@ -3130,6 +3144,17 @@ func TestEvalPolicyWithRegoV1Capability(t *testing.T) {
 					1 < 2
 				}`,
 			},
+		},
+		{
+			note:         "v1 module, not v0-compatible, v0 capabilities without rego_v1 feature",
+			v0Compatible: false,
+			capabilities: capsWithoutFeat(ast.RegoV0, ast.FeatureRegoV1),
+			modules: map[string]string{
+				"test.rego": `package test
+				allow if {
+					1 < 2
+				}`,
+			},
 			expErrs: []string{
 				"rego_parse_error: illegal capabilities: rego_v1 feature required for parsing v1 Rego",
 			},
@@ -3430,22 +3455,22 @@ p contains 2 if {
 		},
 	}
 
-	v1CompatibleFlagCases := []struct {
+	v0CompatibleFlagCases := []struct {
 		note string
 		used bool
 	}{
 		{
-			"no --v1-compatible", false,
+			"no --v0-compatible", false,
 		},
 		{
-			"--v1-compatible", true,
+			"--v0-compatible", true,
 		},
 	}
 
 	for _, bundleType := range bundleTypeCases {
-		for _, v1CompatibleFlag := range v1CompatibleFlagCases {
+		for _, v0CompatibleFlag := range v0CompatibleFlagCases {
 			for _, tc := range tests {
-				t.Run(fmt.Sprintf("%s, %s, %s", bundleType.note, v1CompatibleFlag.note, tc.note), func(t *testing.T) {
+				t.Run(fmt.Sprintf("%s, %s, %s", bundleType.note, v0CompatibleFlag.note, tc.note), func(t *testing.T) {
 					files := map[string]string{}
 
 					if bundleType.tar {
@@ -3476,7 +3501,7 @@ p contains 2 if {
 						}
 
 						params := newEvalCommandParams()
-						params.v1Compatible = v1CompatibleFlag.used
+						params.v0Compatible = v0CompatibleFlag.used
 						if err := params.bundlePaths.Set(p); err != nil {
 							t.Fatal(err)
 						}