fix e2e tests, pass ProcessAnnotation in bundle downloaders

srenatus · srenatus · commit 1fcccfb3e91b · 2026-05-07T14:23:45.000+02:00
Signed-off-by: Stephan Renatus &lt;stephan.renatus@gmail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -49,6 +49,11 @@ The resulting decision log entry will contain:
 
 Embedding projects can change the default by setting `config.DefaultIncludeRuleMetadata = true`.
 
+Note: when using `include_rule_metadata` via the configuration file, policies must be loaded
+via the bundle plugin (i.e. configured through `services` and `bundles` in the config) for
+annotations to be processed correctly. Policies loaded from command-line paths are parsed
+before the configuration is available.
+
 ## 1.16.1
 
 This is a patch release addressing a regression ([#8590](https://github.com/open-policy-agent/opa/pull/8590)) in the plugin manager that may cause the service to hang on shutdown.
diff --git a/e2e/cli/evaluated_rules.txtar b/e2e/cli/evaluated_rules.txtar
@@ -2,8 +2,12 @@
 # have metadata annotations with id fields, and in the response when
 # the ?ids query parameter is used.
 
-exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --set decision_logs.console=true ./policy/ &opa&
-retry curl -sf --unix-socket opa.sock 'http://localhost/health'
+exec $OPA build -o bundles/bundle.tar.gz --bundle policy/
+
+http_server bundles
+
+exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --config-file config.yaml &opa&
+retry curl -sf --unix-socket opa.sock 'http://localhost/health?bundles'
 
 # POST to v1/data — rule with id "allow-admin" should be evaluated.
 exec curl -sf --unix-socket opa.sock -H 'Content-Type: application/json' -d '{"input": {"role": "admin"}}' http://localhost/v1/data/authz/allow
@@ -31,6 +35,21 @@ wait opa
 # All requests that matched allow-admin should have ids in the decision log.
 jq -s stderr '[.[] | select(.msg == "Decision Log" and .ids == ["allow-admin"])] | length == 3'
 
+-- config.yaml --
+include_rule_metadata: true
+services:
+  bundle-server:
+    url: "http://${HTTP_ADDR}"
+bundles:
+  test:
+    service: bundle-server
+    resource: bundle.tar.gz
+    polling:
+      min_delay_seconds: 300
+      max_delay_seconds: 300
+decision_logs:
+  console: true
+
 -- policy/authz.rego --
 package authz
 
@@ -58,3 +77,5 @@ violations contains msg if {
 	input.dept == "eng"
 	msg := "admin not allowed in eng"
 }
+
+-- bundles/.gitkeep --
diff --git a/e2e/cli/evaluated_rules_file_logger.txtar b/e2e/cli/evaluated_rules_file_logger.txtar
@@ -1,8 +1,12 @@
 # Verify that evaluated rule IDs appear in decision logs written via the
 # file_logger plugin (slog-based path).
 
-exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --config-file config.yaml ./policy/ &opa&
-retry curl -sf --unix-socket opa.sock 'http://localhost/health'
+exec $OPA build -o bundles/bundle.tar.gz --bundle policy/
+
+http_server bundles
+
+exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --config-file config.yaml &opa&
+retry curl -sf --unix-socket opa.sock 'http://localhost/health?bundles'
 
 # POST to v1/data — rule with id "allow-admin" should be evaluated.
 exec curl -sf --unix-socket opa.sock -H 'Content-Type: application/json' -d '{"input": {"role": "admin"}}' http://localhost/v1/data/authz/allow
@@ -22,6 +26,17 @@ jq -s decisions.log '[.[] | select(.ids == ["allow-admin"])] | length == 1'
 jq -s decisions.log '[.[] | select(.path == "authz/allow" and (.ids == null))] | length == 1'
 
 -- config.yaml --
+include_rule_metadata: true
+services:
+  bundle-server:
+    url: "http://${HTTP_ADDR}"
+bundles:
+  test:
+    service: bundle-server
+    resource: bundle.tar.gz
+    polling:
+      min_delay_seconds: 300
+      max_delay_seconds: 300
 plugins:
   file_logger:
     path: decisions.log
@@ -40,3 +55,5 @@ allow if input.role == "admin"
 # METADATA
 # id: allow-editor
 allow if input.role == "editor"
+
+-- bundles/.gitkeep --
diff --git a/e2e/cli/rule_metadata_dl.txtar b/e2e/cli/rule_metadata_dl.txtar
@@ -1,8 +1,12 @@
 # Verify that custom metadata from evaluated rule annotations appears in
 # decision logs when include_rule_metadata is enabled.
 
-exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --set decision_logs.console=true --set include_rule_metadata=true ./policy/ &opa&
-retry curl -sf --unix-socket opa.sock 'http://localhost/health'
+exec $OPA build -o bundles/bundle.tar.gz --bundle policy/
+
+http_server bundles
+
+exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --config-file config.yaml &opa&
+retry curl -sf --unix-socket opa.sock 'http://localhost/health?bundles'
 
 # Evaluate allow — triggers allow-admin rule.
 exec curl -sf --unix-socket opa.sock -H 'Content-Type: application/json' -d '{"input": {"role": "admin"}}' http://localhost/v1/data/authz/allow
@@ -21,6 +25,21 @@ jq -s stderr '[.[] | select(.msg == "Decision Log" and .path == "authz/allow")]
 # Extract the decision log for violations and compare sorted rule_metadata.
 jq -s stderr '[.[] | select(.msg == "Decision Log" and .path == "authz/violations")] | .[0].custom.rule_metadata | sort_by(.id) == [{"id": "no-admin-in-eng", "severity": "critical", "category": "org-policy"}, {"id": "no-admin-role", "severity": "high", "category": "compliance"}]'
 
+-- config.yaml --
+include_rule_metadata: true
+services:
+  bundle-server:
+    url: "http://${HTTP_ADDR}"
+bundles:
+  test:
+    service: bundle-server
+    resource: bundle.tar.gz
+    polling:
+      min_delay_seconds: 300
+      max_delay_seconds: 300
+decision_logs:
+  console: true
+
 -- policy/authz.rego --
 package authz
 
@@ -54,3 +73,5 @@ violations contains "admin not allowed in eng" if {
 	input.role == "admin"
 	input.dept == "eng"
 }
+
+-- bundles/.gitkeep --
diff --git a/v1/download/download.go b/v1/download/download.go
@@ -347,6 +347,7 @@ func (d *Downloader) download(ctx context.Context, m metrics.Metrics) (*download
 
 			reader := bundle.NewCustomReader(loader).
 				WithRegoVersion(d.bundleParserOpts.RegoVersion).
+				WithProcessAnnotations(d.bundleParserOpts.ProcessAnnotation).
 				WithMetrics(m).
 				WithBundleVerificationConfig(d.bvc).
 				WithBundleEtag(etag).
diff --git a/v1/download/oci_download.go b/v1/download/oci_download.go
@@ -276,7 +276,8 @@ func (d *OCIDownloader) download(ctx context.Context, m metrics.Metrics) (*downl
 		WithMetrics(m).
 		WithBundleVerificationConfig(d.bvc).
 		WithBundleEtag(etag).
-		WithRegoVersion(d.bundleParserOpts.RegoVersion)
+		WithRegoVersion(d.bundleParserOpts.RegoVersion).
+		WithProcessAnnotations(d.bundleParserOpts.ProcessAnnotation)
 	bundleInfo, err := reader.Read()
 	if err != nil {
 		return &downloaderResponse{}, fmt.Errorf("unexpected error %w", err)
diff --git a/v1/plugins/bundle/plugin.go b/v1/plugins/bundle/plugin.go
@@ -880,6 +880,7 @@ func (fl *fileLoader) oneShot(ctx context.Context) (err error) {
 		WithLazyLoadingMode(bundle.HasExtension()).
 		WithSizeLimitBytes(fl.sizeLimitBytes).
 		WithRegoVersion(fl.bundleParserOpts.RegoVersion).
+		WithProcessAnnotations(fl.bundleParserOpts.ProcessAnnotation).
 		Read()
 	u.Error = err
 	if err == nil {
diff --git a/v1/rego/rego.go b/v1/rego/rego.go
@@ -691,6 +691,7 @@ type Rego struct {
 	enablePrintStatements       bool
 	distributedTracingOpts      tracing.Options
 	strict                      bool
+	processAnnotations          bool
 	targetPrepState             TargetPluginEval
 	regoVersion                 ast.RegoVersion
 	compilerHook                func(*ast.Compiler)
@@ -1397,6 +1398,13 @@ func EvaluatedRuleTracker(t *topdown.EvaluatedRuleTracker) func(r *Rego) {
 	}
 }
 
+// ProcessAnnotations enables metadata annotation processing during module parsing.
+func ProcessAnnotations(yes bool) func(r *Rego) {
+	return func(r *Rego) {
+		r.processAnnotations = yes
+	}
+}
+
 // New returns a new Rego object.
 func New(options ...func(r *Rego)) *Rego {
 	r := &Rego{
@@ -2000,8 +2008,9 @@ func (r *Rego) parseModules(ctx context.Context, txn storage.Transaction, m metr
 	var errs Errors
 
 	popts := ast.ParserOptions{
-		RegoVersion:  r.regoVersion,
-		Capabilities: r.capabilities,
+		ProcessAnnotation: r.processAnnotations,
+		RegoVersion:       r.regoVersion,
+		Capabilities:      r.capabilities,
 	}
 
 	// Parse any modules that are saved to the store, but only if
diff --git a/v1/rego/rego_evaluated_test.go b/v1/rego/rego_evaluated_test.go
@@ -23,6 +23,7 @@ p if input.bar`
 			Query("data.test.p"),
 			Module("test.rego", module),
 			Input(map[string]any{"foo": true}),
+			ProcessAnnotations(true),
 			EvaluatedRuleTracker(tracker),
 		).Eval(t.Context())
 		if err != nil {
@@ -42,6 +43,7 @@ p if input.bar`
 			Query("data.test.p"),
 			Module("test.rego", module),
 			Input(map[string]any{"baz": true}),
+			ProcessAnnotations(true),
 			EvaluatedRuleTracker(tracker),
 		).Eval(t.Context())
 
@@ -55,6 +57,7 @@ p if input.bar`
 			Query("data.test.p"),
 			Module("test.rego", module),
 			Input(map[string]any{"foo": true}),
+			ProcessAnnotations(true),
 			EvaluatedRuleTracker(nil),
 		).Eval(t.Context())
 		if err != nil {
@@ -66,6 +69,7 @@ p if input.bar`
 		pq, err := New(
 			Query("data.test.p"),
 			Module("test.rego", module),
+			ProcessAnnotations(true),
 		).PrepareForEval(t.Context())
 		if err != nil {
 			t.Fatal(err)
@@ -103,6 +107,7 @@ result if {
 		rs, err := New(
 			Query("data.test.result"),
 			Module("test.rego", mod),
+			ProcessAnnotations(true),
 			EvaluatedRuleTracker(tracker),
 		).Eval(t.Context())
 		if err != nil {
diff --git a/v1/sdk/opa_evaluated_rules_test.go b/v1/sdk/opa_evaluated_rules_test.go
@@ -76,7 +76,8 @@ xs contains "b" if false
 		},
 		"decision_logs": {
 			"console": true
-		}
+		},
+		"include_rule_metadata": true
 	}`, server.URL())
 
 	testLogger := test.New()
