Cerbos v0.40.0

Highlights

Constants are a new way of defining structured, constant values that can be referenced in policy conditions. They differ from Variables in two ways:

  • They must be static constant values. Dynamic values calculated using CEL expressions are not allowed.

  • They can be defined with YAML primitives such as lists, maps, numbers, strings etc. Variables, on the other hand, always have to be defined as strings, which makes them awkward for defining lists or maps.
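As an added illustration (this is not an example from the release notes or from the Cerbos project), the following resource policy writes the same approver allowlist once as a variable and once as a constant, and uses a map constant for a per-kind limit. The placement of the constants block under the policy alongside variables, the `constants.local` key and the `constants.<name>` reference form are assumed to mirror the existing variables syntax; the resource, attributes and values are constructed.

```yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "leave_request"
  variables:
    local:
      # A variable is always a string holding a CEL expression, so a list has
      # to be written as a CEL list literal inside a YAML string.
      approver_roles_var: '["manager", "hr_admin"]'
  constants:
    local:
      # A constant is a plain YAML value: lists and maps need no quoting and no
      # CEL evaluation, so the allowlist is static and easy to review.
      approver_roles:
        - manager
        - hr_admin
      max_days_by_kind:
        annual: 30
        sick: 10
  rules:
    # Both expressions yield the same decision; the constant form is the one
    # the release recommends for static data.
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["employee"]
      condition:
        match:
          expr: request.principal.attr.department_role in constants.approver_roles

    - actions: ["approve_legacy"]
      effect: EFFECT_ALLOW
      roles: ["employee"]
      condition:
        match:
          expr: request.principal.attr.department_role in variables.approver_roles_var

    # A map constant keyed by the request's own attribute: reject requests that
    # exceed the limit for their kind without encoding the table in CEL.
    - actions: ["create"]
      effect: EFFECT_ALLOW
      roles: ["employee"]
      condition:
        match:
          expr: >-
            request.resource.attr.kind in constants.max_days_by_kind &&
            request.resource.attr.days <= constants.max_days_by_kind[request.resource.attr.kind]
```

Because a constant cannot contain an expression, a reviewer can verify the allowlist and the limits by reading the YAML alone, whereas a variable holding a CEL string has to be evaluated to know what it resolves to.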

This release includes several enhancements to the policy testing framework to help reduce repetition, increase readability and increase reliability.

Multiple principals and/or resources can be referenced in a test expectation instead of just a single principal and a resource. This helps get rid of repetition and reduces the verbosity of test cases.

Before:

  - name: Multiple principals and resources
    input:
      principals:
        - bev
        - barb
      resources:
        - leave_request
        - cancelled_leave_request
      actions:
        - edit
        - view
      auxData: myJWT
    expected:
      - principal: bev
        resource:  leave_request
        actions:
          edit: EFFECT_ALLOW
          view: EFFECT_ALLOW

      - principal: bev
        resource:  cancelled_leave_request
        actions:
          edit: EFFECT_ALLOW
          view: EFFECT_ALLOW

      - principal: barb
        resource:  leave_request
        actions:
          edit: EFFECT_ALLOW
          view: EFFECT_ALLOW

      - principal: barb
        resource:  cancelled_leave_request
        actions:
          edit: EFFECT_ALLOW
          view: EFFECT_ALLOW

After:

  - name: Multiple principals and resources
    input:
      principals:
        - bev
        - barb
      resources:
        - leave_request
        - cancelled_leave_request
      actions:
        - edit
        - view
    expected:
      - principals:
          - bev
          - barb
        resources:
          - leave_request
          - cancelled_leave_request
        actions:
          edit: EFFECT_ALLOW
          view: EFFECT_ALLOW

Test fixtures now allow creating groups of principals or resources. These grouped principals or resources can be referenced by their group name in the test cases to further avoid duplication and make tests more readable.

principalGroups:
  managers:
    - bev
    - barb

resourceGroups:
  all_leave_requests:
    - leave_request
    - cancelled_leave_request

tests:
  - name: Grouped principals and resources
    input:
      principalGroups:
        - managers
      resourceGroups:
        - all_leave_requests
      actions:
        - edit
        - view
    expected:
      - principalGroups:
          - managers
        resourceGroups:
          - all_leave_requests
        actions:
          edit: EFFECT_ALLOW
          view: EFFECT_ALLOW

Tests that exercise policies with time-based conditions must define the value of now at the test suite level or at individual test case level. This ensures that tests are not flaky depending on the time of day the tests are run.
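The following test suite and the policy it exercises are an added example, not part of the release notes or of the Cerbos project's own test fixtures. It pins the clock at suite level and overrides it for one test case; the suite-level `options.now` field and a per-test `options.now` override are assumed to be the supported spellings, `now()` is assumed to be available in conditions, and all timestamps, principals and resources are constructed.

```yaml
# leave_request_test.yaml (test suite)
name: LeaveRequestCancellationWindow
description: A request can only be cancelled before its start date
options:
  # Pin the clock for every test case in this suite. Without it, a policy that
  # calls now() is evaluated against the wall clock, so the same test passes
  # or fails depending on when it runs; v0.40 reports an error instead.
  now: "2024-11-01T09:00:00Z"
principals:
  bev:
    id: bev
    roles:
      - employee
resources:
  december_leave:
    id: lr-december
    kind: leave_request
    attr:
      owner: bev
      start_date: "2024-12-02T00:00:00Z"
  october_leave:
    id: lr-october
    kind: leave_request
    attr:
      owner: bev
      start_date: "2024-10-07T00:00:00Z"
tests:
  - name: Cancel is allowed only while the start date is in the future
    input:
      principals:
        - bev
      resources:
        - december_leave
        - october_leave
      actions:
        - cancel
    expected:
      - principal: bev
        resource: december_leave
        actions:
          cancel: EFFECT_ALLOW
      - principal: bev
        resource: october_leave
        actions:
          cancel: EFFECT_DENY

  - name: Same request is denied once the clock has moved past the start date
    # Per-test override of the suite-level clock.
    options:
      now: "2025-01-15T09:00:00Z"
    input:
      principals:
        - bev
      resources:
        - december_leave
      actions:
        - cancel
    expected:
      - principal: bev
        resource: december_leave
        actions:
          cancel: EFFECT_DENY

---
# leave_request.yaml (the policy under test, shown here for completeness)
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "leave_request"
  rules:
    - actions: ["cancel"]
      effect: EFFECT_ALLOW
      roles: ["employee"]
      condition:
        match:
          all:
            of:
              - expr: request.resource.attr.owner == request.principal.id
              # Time-based condition: this is what makes the suite need a pinned clock.
              - expr: timestamp(request.resource.attr.start_date) > now()
```

Keeping the pinned time in the suite rather than in each case makes the expectation self-describing: a reader can check every ALLOW or DENY against the fixed date without knowing when the test was last run.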

This is the last Cerbos release with support for SQL Server as a policy storage backend. It will be removed in the next release of Cerbos. This is due to low uptake and the lack of resources and expertise to maintain and support it going forward.

This release also includes several updates related to the experimental role policy feature. That feature is still at alpha level and is not recommended for production use.

Changelog

Bug Fixes

  • A policy with only conditional DENY rule must produce ALWAYS_DENIED (#2369)

  • Command execution fails with cerbos run since v0.39 (#2358)

  • Inspect policy output expressions (#2392)

  • Populate path field of validation errors (#2363)

  • Remove whitespace chomp for priorityClassName so valid yaml is rendered (#2337)

Features

  • Allow default policy version to be configured in tests (#2352)

  • Define constants for use in condition expressions (#2364)

  • Multiple principals and/or resources in a test case (#2338)

  • Support constants in cerbosctl (#2365)

  • Use groups of principals and/or resources in test cases (#2340)

Enhancements

  • Add user-agent to default allowed headers for CORS (#2345)

  • Introduce policy scope FALL_THROUGH_ON_ALLOW strategy (#2325)

  • Make --verbose less noisy in combination with --run (#2351)

  • Make now fully deterministic (#2353)

  • Make scopePermissions a required field on role policies (#2333)

  • Query plan scope permissions support for resource and principal policies (#2361)

  • BREAKING Report an error if a test exercised time-based policy conditions without specifying now (#2354)

  • Role policies parent roles field (#2349)

  • Validate fixtures files with JSON schemas to improve error messages (#2346)

Documentation

  • Remove extraneous space that breaks rendering (#2347)

  • Update gRPC API section (#2387)

Chores

  • Add RAG use case (#2374)

  • Add SQL Server deprecation notice (#2390)

  • Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 in /tools (#2378)

  • Bump version to 0.40.0

  • Increase E2E test timeout (#2359)

  • Replace deprecated snapshot.name_template field in GoReleaser config (#2370)

  • Revert to upstream go-yaml (#2383)

  • Skip SQL Server tests when container fails (#2339)

  • Update AWS Helm docs (#2372)

  • Update bufbuild/buf-setup-action action to v1.45.0 (#2334)

  • Update bufbuild/buf-setup-action action to v1.47.2 (#2382)

  • Update dependency node to v22 (#2377)

  • Update dependency verdaccio to v6 (#2357)

  • Update generated API module version before tagging (#2350)

  • Update github actions deps (#2332)

  • Update github actions deps (#2375)

  • Update go deps (#2331)

  • Update go deps (#2335)

  • Update go deps (#2355)

  • Update go deps (#2360)

  • Update go deps (#2367)

  • Update go deps (#2376)

  • Update go deps (#2381)

  • Update go deps (#2385)

  • Update node.js deps (#2356)

  • Update node.js deps (#2386)

  • Update pnpm to v9.12.3 (#2368)

  • Update required Go version (#2371)

  • Use latest cloud-api and protobufs (#2388)