v33: Config Makeover

.github/workflows/ci.yaml

@@ -1,3 +1,4 @@
+---
 name: ci
 
 on:
@@ -7,17 +8,14 @@ on:
     # Publish `main` as Docker `latest` image.
     branches:
       - main
-      - dev
-      - dev-*
-      - release-*
     # Publish `v1.2.3` tags as releases.
     tags:
       - v*
   # Run tests for all PRs
   pull_request:
 
 env:
-  VAULT_ADDR: https://vault.eng.aserto.com/
+  VAULT_ADDR: https://vault.aserto.com/
   PRE_RELEASE: ${{ github.ref == 'refs/heads/main' && 'main' || '' }}
   GO_VERSION: "1.24"
   GO_RELEASER_VERSION: "v2.8.2"
@@ -34,7 +32,7 @@ jobs:
         uses: hashicorp/vault-action@v3
         id: vault
         with:
-          url: https://vault.eng.aserto.com/
+          url: ${{ env.VAULT_ADDR }}
           token: ${{ secrets.VAULT_TOKEN }}
           secrets: |
             kv/data/github  "SSH_PRIVATE_KEY"     | SSH_PRIVATE_KEY;
@@ -84,6 +82,16 @@ jobs:
         with:
           version: ${{ env.GO_LANGCI_LINT_VERSION }}
           args: --timeout=30m
+      -
+        name: Test Setup
+        uses: gertd/action-gotestsum@v3.0.0
+        with:
+          gotestsum_version: ${{ env.GO_TESTSUM_VERSION }}
+      -
+        name: Unit Test
+        run: |
+          gotestsum --format short-verbose -- $(go list ./... | grep -v pkg/app/tests) \
+            -count=1 -timeout 120s -parallel=1 -v
       -
         name: Test Snapshot
         uses: goreleaser/goreleaser-action@v6
@@ -93,28 +101,21 @@ jobs:
           distribution: goreleaser
           version: ${{ env.GO_RELEASER_VERSION }}
           args: release --clean --snapshot --config .goreleaser-test.yml
-      -
-        name: Test Setup
-        uses: gertd/action-gotestsum@v3.0.0
-        with:
-          gotestsum_version: ${{ env.GO_TESTSUM_VERSION }}
       -
         name: Test
         run: |
-          gotestsum --format short-verbose -- -count=1 -timeout 120s -parallel=1 -v -coverprofile=cover.out -coverpkg=github.com/aserto-dev/topaz/pkg/app/tests/authz/... github.com/aserto-dev/topaz/pkg/app/tests/authz/...
-          gotestsum --format short-verbose -- -count=1 -timeout 120s -parallel=1 -v -coverprofile=cover.out -coverpkg=github.com/aserto-dev/topaz/pkg/app/tests/builtin/... github.com/aserto-dev/topaz/pkg/app/tests/builtin/...
-          gotestsum --format short-verbose -- -count=1 -timeout 120s -parallel=1 -v -coverprofile=cover.out -coverpkg=github.com/aserto-dev/topaz/pkg/app/tests/ds/... github.com/aserto-dev/topaz/pkg/app/tests/ds/...
-          gotestsum --format short-verbose -- -count=1 -timeout 120s -parallel=1 -v -coverprofile=cover.out -coverpkg=github.com/aserto-dev/topaz/pkg/app/tests/manifest/... github.com/aserto-dev/topaz/pkg/app/tests/manifest/...
-          gotestsum --format short-verbose -- -count=1 -timeout 120s -parallel=1 -v -coverprofile=cover.out -coverpkg=github.com/aserto-dev/topaz/pkg/app/tests/policy/... github.com/aserto-dev/topaz/pkg/app/tests/policy/...
-          gotestsum --format short-verbose -- -count=1 -timeout 120s -parallel=1 -v -coverprofile=cover.out -coverpkg=github.com/aserto-dev/topaz/pkg/app/tests/query/... github.com/aserto-dev/topaz/pkg/app/tests/query/...
+          gotestsum --format short-verbose -- $(go list ./pkg/app/tests/... | grep -v tests/template) \
+            -count=1 -timeout 120s -parallel=1 -v
       -
         name: Templates Test
         run: |
-          gotestsum --format short-verbose -- -count=1 -timeout 240s -parallel=1 -v -coverprofile=cover.out -coverpkg=github.com/aserto-dev/topaz/pkg/app/tests/template/... github.com/aserto-dev/topaz/pkg/app/tests/template/...
+          gotestsum --format short-verbose -- github.com/aserto-dev/topaz/pkg/app/tests/template/... \
+            -count=1 -timeout 240s -parallel=1 -v
       -
-        name: Templates Test (NoTLS)
+        name: Templates Test (With TLS)
         run: |
-          gotestsum --format short-verbose -- -count=1 -timeout 120s -parallel=1 -v -coverprofile=cover.out -coverpkg=github.com/aserto-dev/topaz/pkg/app/tests/template-no-tls/... github.com/aserto-dev/topaz/pkg/app/tests/template-no-tls/...
+          gotestsum --format short-verbose -- github.com/aserto-dev/topaz/pkg/app/tests/template-with-tls/... \
+            -count=1 -timeout 120s -parallel=1 -v
       -
         name: Upload code coverage
         uses: shogo82148/actions-goveralls@v1
@@ -126,14 +127,14 @@ jobs:
     runs-on: ubuntu-latest
     # when on a branch only push if the branch is main
     # always push when ref is a tag
-    if: github.event_name == 'push' && ( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-') || startsWith(github.ref, 'refs/heads/dev-') || startsWith(github.ref, 'refs/tags/v') )
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
     steps:
       -
         name: Read Configuration
         uses: hashicorp/vault-action@v3
         id: vault
         with:
-          url: https://vault.eng.aserto.com/
+          url: ${{ env.VAULT_ADDR }}
           token: ${{ secrets.VAULT_TOKEN }}
           secrets: |
             kv/data/github  "SSH_PRIVATE_KEY"     | SSH_PRIVATE_KEY;
@@ -208,7 +209,7 @@ jobs:
         uses: hashicorp/vault-action@v3
         id: vault
         with:
-          url: https://vault.eng.aserto.com/
+          url: ${{ env.VAULT_ADDR }}
           token: ${{ secrets.VAULT_TOKEN }}
           secrets: |
             kv/data/github  "SSH_PRIVATE_KEY"                         | SSH_PRIVATE_KEY;
@@ -261,11 +262,11 @@ jobs:
           distribution: goreleaser
           version: ${{ env.GO_RELEASER_VERSION }}
           args: release --clean
-      - 
+      -
         name: Archive deployment examples
         run: |
           cd docs/deployments/sidecar-deployment && zip topaz_deployment_examples.zip *.yaml
-      - 
+      -
         name: Upload deployment examples
         uses: svenstaro/upload-release-action@v2
         with:
@@ -279,12 +280,12 @@ jobs:
     needs: release
     runs-on: windows-latest
     steps:
-      - 
+      -
         name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - 
+      -
         name: Read Configuration
         uses: hashicorp/vault-action@v3
         id: vault
@@ -293,7 +294,7 @@ jobs:
           token: ${{ secrets.VAULT_TOKEN }}
           secrets: |
             kv/data/github  "ROOT_TOKEN"        | ROOT_TOKEN;
-      - 
+      -
         name: Download exe
         id: download_exe
         shell: bash
@@ -303,16 +304,16 @@ jobs:
           unzip -o *.zip && rm -v *.zip
         env:
           GITHUB_TOKEN: ${{ steps.vault.outputs.ROOT_TOKEN }}
-      - 
+      -
         name: Install go-msi
         run: choco install -y "go-msi"
-      - 
+      -
         name: Prepare PATH
         shell: bash
         run: |
           echo "$WIX\\bin" >> $GITHUB_PATH
           echo "C:\\Program Files\\go-msi" >> $GITHUB_PATH
-      - 
+      -
         name: Build MSI
         id: buildmsi
         shell: bash
@@ -323,7 +324,7 @@ jobs:
           msi="$(basename "$ZIP_FILE" ".zip").msi"
           printf "msi=${msi}" >> $GITHUB_OUTPUT
           go-msi make --arch amd64 --msi "$PWD/$msi" --out "$PWD/build" --version "${GITHUB_REF#refs/tags/}"
-      - 
+      -
         name: Upload MSI
         shell: bash
         run: |

.golangci.yaml

@@ -60,11 +60,10 @@ linters:
         - stdlib
         - generic
         - proto.Message
+        - http.Handler
+        - grpc.DialOption
+        - grpc.ServerOption
         - plugins.Plugin
-        - decisionlog.DecisionLogger
-        - resolvers.DirectoryResolver
-        - resolvers.RuntimeResolver
-        - v3.ReaderClient
 
     lll:
       line-length: 150
@@ -80,6 +79,9 @@ linters:
           yaml: snake
 
         overrides:
+          - pkg: pkg/console
+            rules:
+              json: camel
           - pkg: pkg/app/handlers
             rules:
               json: camel

Dockerfile.test

@@ -8,7 +8,7 @@ RUN mkdir /config && \
     mkdir /certs && \
     mkdir /db && \
     mkdir /decisions
-VOLUME ["/config", "/certs", "/db", "/decisions"]
+VOLUME ["/config", "/db", "/decisions"]
 
 WORKDIR /app
 

builtins/edge/ds/check.go

@@ -2,7 +2,6 @@ package ds
 
 import (
 	dsr3 "github.com/aserto-dev/go-directory/aserto/directory/reader/v3"
-	"github.com/aserto-dev/topaz/resolvers"
 
 	"github.com/open-policy-agent/opa/v1/ast"
 	"github.com/open-policy-agent/opa/v1/rego"
@@ -22,7 +21,7 @@ import (
 //	  "subject_id": "",
 //	  "trace": false
 //	})
-func RegisterCheck(logger *zerolog.Logger, fnName string, dr resolvers.DirectoryResolver) (*rego.Function, rego.Builtin1) {
+func RegisterCheck(logger *zerolog.Logger, fnName string, dr dsr3.ReaderClient) (*rego.Function, rego.Builtin1) {
 	return &rego.Function{
 			Name:    fnName,
 			Decl:    types.NewFunction(types.Args(types.A), types.B),
@@ -45,103 +44,7 @@ func RegisterCheck(logger *zerolog.Logger, fnName string, dr resolvers.Directory
 				})
 			}
 
-			resp, err := dr.GetDS().Check(bctx.Context, &args)
-			if err != nil {
-				traceError(&bctx, fnName, err)
-				return nil, err
-			}
-
-			return ast.BooleanTerm(resp.GetCheck()), nil
-		}
-}
-
-// RegisterCheckRelation - ds.check_relation
-//
-//	ds.check_relation: {
-//		"object_id": "",
-//		"object_type": "",
-//		"relation": "",
-//		"subject_id": "",
-//		"subject_type": "",
-//		"trace": false
-//	  }
-//
-//nolint:dupl // RegisterCheck[Relation|Permission] are not identical, obsolete and will be removed in v33.
-func RegisterCheckRelation(logger *zerolog.Logger, fnName string, dr resolvers.DirectoryResolver) (*rego.Function, rego.Builtin1) {
-	return &rego.Function{
-			Name:    fnName,
-			Decl:    types.NewFunction(types.Args(types.A), types.B),
-			Memoize: true,
-		},
-		func(bctx rego.BuiltinContext, op1 *ast.Term) (*ast.Term, error) {
-			var args dsr3.CheckRelationRequest
-
-			if err := ast.As(op1.Value, &args); err != nil {
-				traceError(&bctx, fnName, err)
-				return nil, err
-			}
-
-			if proto.Equal(&args, &dsr3.CheckRelationRequest{}) {
-				return helpMsg(fnName, &dsr3.CheckRelationRequest{
-					ObjectType:  "",
-					ObjectId:    "",
-					Relation:    "",
-					SubjectType: "",
-					SubjectId:   "",
-					Trace:       false,
-				})
-			}
-
-			//nolint: staticcheck // SA1019: client.CheckRelation is deprecated
-			resp, err := dr.GetDS().CheckRelation(bctx.Context, &args)
-			if err != nil {
-				traceError(&bctx, fnName, err)
-				return nil, err
-			}
-
-			return ast.BooleanTerm(resp.GetCheck()), nil
-		}
-}
-
-// RegisterCheckPermission - ds.check_permission
-//
-//	ds.check_permission: {
-//		"object_id": "",
-//		"object_type": "",
-//		"permission": "",
-//		"subject_id": "",
-//		"subject_type": "",
-//		"trace": false
-//	  }
-//
-//nolint:dupl // RegisterCheck[Relation|Permission] are not identical, obsolete and will be removed in v33.
-func RegisterCheckPermission(logger *zerolog.Logger, fnName string, dr resolvers.DirectoryResolver) (*rego.Function, rego.Builtin1) {
-	return &rego.Function{
-			Name:    fnName,
-			Decl:    types.NewFunction(types.Args(types.A), types.B),
-			Memoize: true,
-		},
-		func(bctx rego.BuiltinContext, op1 *ast.Term) (*ast.Term, error) {
-			var args dsr3.CheckPermissionRequest
-
-			if err := ast.As(op1.Value, &args); err != nil {
-				traceError(&bctx, fnName, err)
-				return nil, err
-			}
-
-			if proto.Equal(&args, &dsr3.CheckPermissionRequest{}) {
-				return helpMsg(fnName, &dsr3.CheckPermissionRequest{
-					ObjectType:  "",
-					ObjectId:    "",
-					Permission:  "",
-					SubjectType: "",
-					SubjectId:   "",
-					Trace:       false,
-				})
-			}
-
-			//nolint: staticcheck // SA1019: client.CheckPermission is deprecated
-			resp, err := dr.GetDS().CheckPermission(bctx.Context, &args)
+			resp, err := dr.Check(bctx.Context, &args)
 			if err != nil {
 				traceError(&bctx, fnName, err)
 				return nil, err

builtins/edge/ds/checks.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 
 	dsr3 "github.com/aserto-dev/go-directory/aserto/directory/reader/v3"
-	"github.com/aserto-dev/topaz/resolvers"
 
 	"github.com/open-policy-agent/opa/v1/ast"
 	"github.com/open-policy-agent/opa/v1/rego"
@@ -28,7 +27,7 @@ import (
 //	  "subject_id": "",
 //	  "trace": false
 //	})
-func RegisterChecks(logger *zerolog.Logger, fnName string, dr resolvers.DirectoryResolver) (*rego.Function, rego.Builtin1) {
+func RegisterChecks(logger *zerolog.Logger, fnName string, dr dsr3.ReaderClient) (*rego.Function, rego.Builtin1) {
 	return &rego.Function{
 			Name:    fnName,
 			Decl:    types.NewFunction(types.Args(types.A), types.A),
@@ -70,7 +69,7 @@ func RegisterChecks(logger *zerolog.Logger, fnName string, dr resolvers.Director
 				args.Checks = []*dsr3.CheckRequest{}
 			}
 
-			resp, err := dr.GetDS().Checks(bctx.Context, &args)
+			resp, err := dr.Checks(bctx.Context, &args)
 			if err != nil {
 				traceError(&bctx, fnName, err)
 				return nil, err

builtins/edge/ds/graph.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 
 	dsr3 "github.com/aserto-dev/go-directory/aserto/directory/reader/v3"
-	"github.com/aserto-dev/topaz/resolvers"
 
 	"github.com/open-policy-agent/opa/v1/ast"
 	"github.com/open-policy-agent/opa/v1/rego"
@@ -26,7 +25,7 @@ import (
 //	    "explain": false,
 //	    "trace": false
 //	}
-func RegisterGraph(logger *zerolog.Logger, fnName string, dr resolvers.DirectoryResolver) (*rego.Function, rego.Builtin1) {
+func RegisterGraph(logger *zerolog.Logger, fnName string, dr dsr3.ReaderClient) (*rego.Function, rego.Builtin1) {
 	return &rego.Function{
 			Name:    fnName,
 			Decl:    types.NewFunction(types.Args(types.A), types.A),
@@ -53,7 +52,7 @@ func RegisterGraph(logger *zerolog.Logger, fnName string, dr resolvers.Directory
 				})
 			}
 
-			resp, err := dr.GetDS().GetGraph(bctx.Context, &args)
+			resp, err := dr.GetGraph(bctx.Context, &args)
 			if err != nil {
 				traceError(&bctx, fnName, err)
 				return nil, err