fix e2e tests, pass ProcessAnnotation in bundle downloaders

srenatus · srenatus · commit b7b798fd0f74 · 2026-05-07T14:36:17.000+02:00
Signed-off-by: Stephan Renatus &lt;stephan.renatus@gmail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -49,6 +49,11 @@ The resulting decision log entry will contain:
 
 Embedding projects can change the default by setting `config.DefaultIncludeRuleMetadata = true`.
 
+Note: when using `include_rule_metadata` via the configuration file, policies must be loaded
+via the bundle plugin (i.e. configured through `services` and `bundles` in the config) for
+annotations to be processed correctly. Policies loaded from command-line paths are parsed
+before the configuration is available.
+
 ## 1.16.1
 
 This is a patch release addressing a regression ([#8590](https://github.com/open-policy-agent/opa/pull/8590)) in the plugin manager that may cause the service to hang on shutdown.
diff --git a/e2e/cli/evaluated_rules.txtar b/e2e/cli/evaluated_rules.txtar
@@ -2,8 +2,12 @@
 # have metadata annotations with id fields, and in the response when
 # the ?ids query parameter is used.
 
-exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --set decision_logs.console=true ./policy/ &opa&
-retry curl -sf --unix-socket opa.sock 'http://localhost/health'
+exec $OPA build -o bundles/bundle.tar.gz --bundle policy/
+
+http_server bundles
+
+exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --config-file config.yaml &opa&
+retry curl -sf --unix-socket opa.sock 'http://localhost/health?bundles'
 
 # POST to v1/data — rule with id "allow-admin" should be evaluated.
 exec curl -sf --unix-socket opa.sock -H 'Content-Type: application/json' -d '{"input": {"role": "admin"}}' http://localhost/v1/data/authz/allow
@@ -31,6 +35,21 @@ wait opa
 # All requests that matched allow-admin should have ids in the decision log.
 jq -s stderr '[.[] | select(.msg == "Decision Log" and .ids == ["allow-admin"])] | length == 3'
 
+-- config.yaml --
+include_rule_metadata: true
+services:
+  bundle-server:
+    url: "http://${HTTP_ADDR}"
+bundles:
+  test:
+    service: bundle-server
+    resource: bundle.tar.gz
+    polling:
+      min_delay_seconds: 300
+      max_delay_seconds: 300
+decision_logs:
+  console: true
+
 -- policy/authz.rego --
 package authz
 
@@ -58,3 +77,5 @@ violations contains msg if {
 	input.dept == "eng"
 	msg := "admin not allowed in eng"
 }
+
+-- bundles/.gitkeep --
diff --git a/e2e/cli/evaluated_rules_file_logger.txtar b/e2e/cli/evaluated_rules_file_logger.txtar
@@ -1,8 +1,12 @@
 # Verify that evaluated rule IDs appear in decision logs written via the
 # file_logger plugin (slog-based path).
 
-exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --config-file config.yaml ./policy/ &opa&
-retry curl -sf --unix-socket opa.sock 'http://localhost/health'
+exec $OPA build -o bundles/bundle.tar.gz --bundle policy/
+
+http_server bundles
+
+exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --config-file config.yaml &opa&
+retry curl -sf --unix-socket opa.sock 'http://localhost/health?bundles'
 
 # POST to v1/data — rule with id "allow-admin" should be evaluated.
 exec curl -sf --unix-socket opa.sock -H 'Content-Type: application/json' -d '{"input": {"role": "admin"}}' http://localhost/v1/data/authz/allow
@@ -22,6 +26,17 @@ jq -s decisions.log '[.[] | select(.ids == ["allow-admin"])] | length == 1'
 jq -s decisions.log '[.[] | select(.path == "authz/allow" and (.ids == null))] | length == 1'
 
 -- config.yaml --
+include_rule_metadata: true
+services:
+  bundle-server:
+    url: "http://${HTTP_ADDR}"
+bundles:
+  test:
+    service: bundle-server
+    resource: bundle.tar.gz
+    polling:
+      min_delay_seconds: 300
+      max_delay_seconds: 300
 plugins:
   file_logger:
     path: decisions.log
@@ -40,3 +55,5 @@ allow if input.role == "admin"
 # METADATA
 # id: allow-editor
 allow if input.role == "editor"
+
+-- bundles/.gitkeep --
diff --git a/e2e/cli/rule_metadata_dl.txtar b/e2e/cli/rule_metadata_dl.txtar
@@ -1,8 +1,12 @@
 # Verify that custom metadata from evaluated rule annotations appears in
 # decision logs when include_rule_metadata is enabled.
 
-exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --set decision_logs.console=true --set include_rule_metadata=true ./policy/ &opa&
-retry curl -sf --unix-socket opa.sock 'http://localhost/health'
+exec $OPA build -o bundles/bundle.tar.gz --bundle policy/
+
+http_server bundles
+
+exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --config-file config.yaml &opa&
+retry curl -sf --unix-socket opa.sock 'http://localhost/health?bundles'
 
 # Evaluate allow — triggers allow-admin rule.
 exec curl -sf --unix-socket opa.sock -H 'Content-Type: application/json' -d '{"input": {"role": "admin"}}' http://localhost/v1/data/authz/allow
@@ -21,6 +25,21 @@ jq -s stderr '[.[] | select(.msg == "Decision Log" and .path == "authz/allow")]
 # Extract the decision log for violations and compare sorted rule_metadata.
 jq -s stderr '[.[] | select(.msg == "Decision Log" and .path == "authz/violations")] | .[0].custom.rule_metadata | sort_by(.id) == [{"id": "no-admin-in-eng", "severity": "critical", "category": "org-policy"}, {"id": "no-admin-role", "severity": "high", "category": "compliance"}]'
 
+-- config.yaml --
+include_rule_metadata: true
+services:
+  bundle-server:
+    url: "http://${HTTP_ADDR}"
+bundles:
+  test:
+    service: bundle-server
+    resource: bundle.tar.gz
+    polling:
+      min_delay_seconds: 300
+      max_delay_seconds: 300
+decision_logs:
+  console: true
+
 -- policy/authz.rego --
 package authz
 
@@ -54,3 +73,5 @@ violations contains "admin not allowed in eng" if {
 	input.role == "admin"
 	input.dept == "eng"
 }
+
+-- bundles/.gitkeep --
diff --git a/v1/download/download.go b/v1/download/download.go
@@ -347,6 +347,7 @@ func (d *Downloader) download(ctx context.Context, m metrics.Metrics) (*download
 
 			reader := bundle.NewCustomReader(loader).
 				WithRegoVersion(d.bundleParserOpts.RegoVersion).
+				WithProcessAnnotations(d.bundleParserOpts.ProcessAnnotation).
 				WithMetrics(m).
 				WithBundleVerificationConfig(d.bvc).
 				WithBundleEtag(etag).
diff --git a/v1/download/oci_download.go b/v1/download/oci_download.go
@@ -276,7 +276,8 @@ func (d *OCIDownloader) download(ctx context.Context, m metrics.Metrics) (*downl
 		WithMetrics(m).
 		WithBundleVerificationConfig(d.bvc).
 		WithBundleEtag(etag).
-		WithRegoVersion(d.bundleParserOpts.RegoVersion)
+		WithRegoVersion(d.bundleParserOpts.RegoVersion).
+		WithProcessAnnotations(d.bundleParserOpts.ProcessAnnotation)
 	bundleInfo, err := reader.Read()
 	if err != nil {
 		return &downloaderResponse{}, fmt.Errorf("unexpected error %w", err)
diff --git a/v1/plugins/bundle/plugin.go b/v1/plugins/bundle/plugin.go
@@ -880,6 +880,7 @@ func (fl *fileLoader) oneShot(ctx context.Context) (err error) {
 		WithLazyLoadingMode(bundle.HasExtension()).
 		WithSizeLimitBytes(fl.sizeLimitBytes).
 		WithRegoVersion(fl.bundleParserOpts.RegoVersion).
+		WithProcessAnnotations(fl.bundleParserOpts.ProcessAnnotation).
 		Read()
 	u.Error = err
 	if err == nil {
diff --git a/v1/rego/rego_evaluated_test.go b/v1/rego/rego_evaluated_test.go
@@ -3,25 +3,26 @@ package rego
 import (
 	"testing"
 
+	"github.com/open-policy-agent/opa/v1/ast"
 	"github.com/open-policy-agent/opa/v1/topdown"
 )
 
 func TestEvaluatedRules(t *testing.T) {
-	module := `package test
+	module := ast.MustParseModuleWithOpts(`package test
 
 # METADATA
 # id: rule1
 p if input.foo
 
 # METADATA
 # id: rule2
-p if input.bar`
+p if input.bar`, ast.ParserOptions{ProcessAnnotation: true})
 
 	t.Run("records matching rule", func(t *testing.T) {
 		tracker := &topdown.EvaluatedRuleTracker{}
 		rs, err := New(
 			Query("data.test.p"),
-			Module("test.rego", module),
+			ParsedModule(module),
 			Input(map[string]any{"foo": true}),
 			EvaluatedRuleTracker(tracker),
 		).Eval(t.Context())
@@ -40,7 +41,7 @@ p if input.bar`
 		tracker := &topdown.EvaluatedRuleTracker{}
 		_, _ = New(
 			Query("data.test.p"),
-			Module("test.rego", module),
+			ParsedModule(module),
 			Input(map[string]any{"baz": true}),
 			EvaluatedRuleTracker(tracker),
 		).Eval(t.Context())
@@ -53,7 +54,7 @@ p if input.bar`
 	t.Run("nil tracker is safe", func(t *testing.T) {
 		_, err := New(
 			Query("data.test.p"),
-			Module("test.rego", module),
+			ParsedModule(module),
 			Input(map[string]any{"foo": true}),
 			EvaluatedRuleTracker(nil),
 		).Eval(t.Context())
@@ -65,7 +66,7 @@ p if input.bar`
 	t.Run("prepared query", func(t *testing.T) {
 		pq, err := New(
 			Query("data.test.p"),
-			Module("test.rego", module),
+			ParsedModule(module),
 		).PrepareForEval(t.Context())
 		if err != nil {
 			t.Fatal(err)
@@ -88,7 +89,7 @@ p if input.bar`
 	})
 
 	t.Run("function called multiple times is deduplicated", func(t *testing.T) {
-		mod := `package test
+		mod := ast.MustParseModuleWithOpts(`package test
 
 # METADATA
 # id: is-allowed
@@ -98,11 +99,12 @@ result if {
 	is_allowed("alice")
 	is_allowed("bob")
 	is_allowed("charlie")
-}`
+}`, ast.ParserOptions{ProcessAnnotation: true})
+
 		tracker := &topdown.EvaluatedRuleTracker{}
 		rs, err := New(
 			Query("data.test.result"),
-			Module("test.rego", mod),
+			ParsedModule(mod),
 			EvaluatedRuleTracker(tracker),
 		).Eval(t.Context())
 		if err != nil {
diff --git a/v1/sdk/opa_evaluated_rules_test.go b/v1/sdk/opa_evaluated_rules_test.go
@@ -76,7 +76,8 @@ xs contains "b" if false
 		},
 		"decision_logs": {
 			"console": true
-		}
+		},
+		"include_rule_metadata": true
 	}`, server.URL())
 
 	testLogger := test.New()
