»Sentinel Runtime Release Notes
These are the release notes for the Sentinel runtime.
Sentinel integrations and embedded runtimes may not always have the latest version installed, depending on the product's individual release cycle. For more information, contact the support team for your specific integration.
»0.18.3 (June 1, 2021)
runtime/initwd: Fixed an issue for remote source installation where duplicate sub-directories resulted in incorrect installation.
imports/static: Fixed an issue where global configuration that contained an empty map could not be accessed without raising selector issues.
»0.18.2 (May 18, 2021)
runtime/localast: Fixed an issue where import expressions inside lists and maps were not being evaluated correctly.
»0.18.1 (May 11, 2021)
imports/json: Fixed an issue where empty maps were failing when passed at any level to
»0.18.0 (March 25, 2021)
imports/http: Added support for POST actions within the http import through addition of the post function. Additionally, support for adding a body to the request object has been added via
»0.17.4 (February 2, 2021)
runtime/format: Fixed a nesting issue with the rule printer where nesting state leaks were leading to all collection values eventually being truncated, regardless of their nesting level.
»0.17.3 (January 15, 2021)
runtime/initwd: Fixed an issue where local file installation failed on Windows when using
»0.17.2 (January 13, 2021)
cmd/test: Fixed an issue where duplicate log messages were being printed with
»0.17.1 (January 7, 2021)
cmd/test: Fixed an issue where a hard-coded path separator caused sentinel test issues in Windows.
»0.17.0 (January 5, 2021)
- Map Expression map. A new quantifier expression, map has been added. map takes a collection and applies an operation to each element in the collection, returning a list of results with the resulting values.
- Emptiness checks is not empty. Two new expressions, is not empty have been added. As they are aliases to the
- Comparable maps. Maps (the data type) are now comparable. Maps are equal if they are of equal length and both their corresponding keys and values are comparable and equal.
- Rich Return Types. Rules can now process and return non-boolean data. Scalar, list, and map types are supported. When non-boolean values are used, the presence of a non-zero or non-zero-length main rule determines policy failure. More details can be found on https://docs.hashicorp.com/sentinel/language#main.
sentinel test now have options for JSON output. For more details, see the CLI documentation.
imports/base64: Added a new import, base64, to assist with encoding and decoding base64 strings.
»0.16.1 (October 21, 2020)
runtime/eval: Fixed an issue where contains to ensure any instance of undefined would correctly result in
runtime/eval: Fixed an issue in all expressions to ensure correct boolean logic when dealing with a collection containing
imports: Fixed an issue where import processes were not killed, which caused non-graceful closures for the clients.
lang/scanner: Fixed an issue where inline # style comments were not being consumed.
»0.16.0 (October 14, 2020)
cmd/doc: Removal of the deprecated
denylist, as per inclusive language changes.
imports/version: Added a new import, version, which supplies helpers for dealing with semantic versioning.
cmd/apply: Added an HCL-based configuration file, which will eventually deprecate the legacy
cmd/apply: Added support for downloading remote policies and modules.
cmd/test: Added support for downloading remote test modules.
cmd/apply: Added support for evaluating a policy based on its key within the configuration.
cmd/apply: Added support for running all policies in a configuration by default.
»0.15.6 (July 7, 2020)
- This release changes lower-level components that are used to manage policies within HashiCorp's Sentinel Integrations. There are no user-facing changes.
»0.15.5 (May 20, 2020)
- This release changes lower-level components that are used to manage policies within HashiCorp's Sentinel integrations. There are no user-facing changes.
»0.15.4 (May 13, 2020)
imports: Fixed an issue with the standard imports that was affecting the handling of null data within lists.
»0.15.3 (April 16, 2020)
runtime/localast: Fixed an issue where IndexExpr were not rewritten, as well as ensuring SelectorExpr uses any nested rewrites.
lang/printer: Fixed issue printing deeply nested structures and/or loops.
imports/decimal: Added alias methods to improve consistency of method names within the decimal import. The alias methods are isnan, as well as both
sentinel apply will now output the policy description when a trace is forced via
String output formatting of Policy docstring for
»0.15.2 (April 2, 2020)
lang/printer: Fixed an issue with the printer that was causing a panic when a # line comment was used with no text following it.
imports/types: Fixed an issue with the types import where calls to type_of for undefined types were incorrectly returning as map types. These will now be correctly identified as undefined as expected.
»0.15.1 (March 6, 2020)
sentinel: Fixed how modules are managed internally in the runtime to correct race conditions in concurrent scenarios and to allow for per-evaluation module restrictions. This functionality is only of interest to embedded applications with long-lived runtimes and is currently not implemented in any HashiCorp integration.
»0.15.0 (March 5, 2020)
- Windows Digital Signature. Our Windows releases for this version and up will be signed and verified according to Microsoft's requirements.
cmd/config: Modules can now be loaded off of local disk using the Sentinel CLI. For information on how to do so, see the Sentinel documentation.
runtime/eval: Changed modules so that they now have singleton scope when loaded. Importing a module under two different aliases, or within a nested module, will now share scopes - modification of state in one will alter the other.
lang/object: Introduced an interface to allow the duplication of various types, like collections.
runtime/eval: Changed how collection data is returned from modules. This data is now duplicated to prevent accidental or deliberate circumvention of the prohibition on assignment to import data, and brings behavior to parity with binary imports.
»0.14.4 (February 6, 2020)
imports/time: Changed the add timespace function in the time import to allow it to take float types as durations. These values will be truncated to the appropriate integer-value duration.
lang/parser: Fixed an issue where out-of-place right-hand braces were being parsed as empty statements, instead of raising syntax errors.
»0.14.3 (January 22, 2020)
cmd/test: Fail when an assertion is not found in a trace.
cmd/test: Added a message to notify when no rules were evaluated in a test.
lang/printer: Fixed an issue where import aliases (the import "foo/bar" as baz) were being removed when formatting with
imports/http: Fixed an issue with the http import where the client library's debug logs were being printed to standard error.
»0.14.2 (January 15, 2020)
With this release, we are discontinuing support for MacOS 32-bit. 64-bit builds are now the only builds available for MacOS.
lang/printer: A newline is now added to files formatted via
lang/printer: Fixed an issue in printing where multi-line expressions would indent infinitely. They will now only indent once at the most. This is mostly seen when using
runtime/encoding: Fixed an issue where if a plugin returned a deeply embedded undefined value, the value was instead decoded into a map.
»0.14.1 (January 6, 2020)
lang/parser: Fixed an issue where reserved words could not be used as selectors when the selector expression was the last lexeme on a line.
»0.14.0 (December 18, 2019)
- Filter Expression filter. A new quantifier expression, filter has been added. filter returns a subset of the provided collection based on a boolean condition that is asserted for each element.
- Apple Notarization. Our darwin releases for this version and up will be signed and notarized according to Apple's requirements.
»0.13.1 (November 25, 2019)
runtime/eval: Parameters are no longer allowed in mock files. Adding one to a mock will result in a runtime error.
runtime/eval: Fixed an issue where import calls from within mocks were failing under certain circumstances.
int should now correctly provide the truncated integer representation of a decimal number, not the rounded one.
»0.13.0 (November 15, 2019)
- Policy Parameters. The new policy allows authors to use a param declaration at the top of a policy to supply values that are expected to come from outside of a policy. See the linked documentation for more details.
http import is a new addition to the standard library enabling the use of HTTP-accessible data from outside the runtime in policy rules.
runtime/eval: Fixed an issue where loading other imports before a mocked import would cause those imports to no longer be visible from within the policy.
»0.12.0 (October 7, 2019)
case statement. This statement is a selection control mechanism to conditionally execute a branch based on expression equality, allowing simplification of complex conditional chains that may otherwise need to be written with else if. See the Case Statements section of the Sentinel language specification for more details.
lang/semantic: Added a semantic check to ensure usage of append is not using a return value.
runtime/eval: Corrected an issue where calling a method on an import object value that was the result of a method call on another import object value would have erroneously tried to call an import of the name of the "parent" import object value. Example: in a = subject.new(); b = a.call(); c = b.call(), b.call() would attempt to call a method named call on the root namespace for an import named a. This has now been corrected so that b.call() will now correctly call the call method for the respective object namespace residing in the import named
imports: Some standard imports may have been returning null for some unknown keys in objects when they should have been returning undefined. This was due to an SDK issue which was corrected in SDK version 0.3.2, which has now been corrected.
sentinel test will now correctly fail a policy if it encounters an error.
sentinel test will now correctly display errors and other output that were missing due to a formatting issue.
append builtin now correctly returns undefined for all calls, as called for by the Specification. Note that in most cases, the semantic check outlined above will trigger an error if the return value is used.
»0.11.0 (September 5, 2019)
- New builtin function: range(). This function existed in the spec in earlier versions but was removed as it lacked an implementation. This has now been implemented and re-added to the spec. See the Range section of the Sentinel Specification for more details.
- Lists are now comparable. Lists are equal if their corresponding elements are comparable and equal.
- Method calls on values returned by imports are now supported. See the Imports section of the Sentinel Specification for more details.
imports/decimal: This is a new import designed to do exact precision mathematical calculations.
runtime/eval: Compound call expressions that refer to imports (example: foo.bar().baz() when foo is a loaded import) will now function as expected. Previously, this was only supported up to the first call (example:
imports/time: Timespaces returned by calls such as time.now are now callable. Example: t = time.now; t.after(some_previous_time) will now function.
runtime/eval: The implementation of comparison of non-comparable types has now changed. Rather than triggering a runtime error, non-comparable types will now return false when attempting to compare.
»0.10.4 (August 15, 2019)
runtime/encoding: Fixed an issue with conversion of null values that could lead to crashes in imports.
»0.10.3 (July 15, 2019)
command/config: Parsing a configuration file where malformed data is encountered after apparently properly-formed data will now report an error. An example would be a situation where misplaced braces would cause a JSON object to only parse part of the configuration file.
»0.10.2 (June 25, 2019)
lang/parser: Corrected an issue where parsing certain compound binary expressions where the negation predicate (not) was in use would cause the negation to have no effect. Example: foo else "bar" not in "baz" would have been parsed and evaluated as foo else "bar" in "baz", effectively producing the opposite result.
»0.10.1 (May 9, 2019)
sentinel test now displays policies without tests as an unknown result with [no test files], instead of the somewhat erroneous behavior of displaying it as a PASS. A full test run with a mixture of passing tests and no tests still results in an overall successful result.
»0.10.0 (April 18, 2019)
- Mixed-number arithmetic operations are now allowed. Addition (+), subtraction (-), multiplication (*), division (/), and remainder operations (%) are no longer restricted to number values of the same type, and can mix integer and floating point. The result of these operations is always a floating-point number.
- Remainder (modulo, %) operations are now allowed on floating-point numbers.
lang/parser: Fixed a bug that affected the use of in in a compound expression.
runtime/eval: Fixed error messages on evaluation errors with in to indicate that strings are an allowed type along with lists and maps.
»0.9.2 (March 15, 2019)
This is a dependency update related to the changes mentioned in 0.9.1. No other changes have been made.
»0.9.1 (March 14, 2019)
This is a patch release that is required to integrate with the latest versions of the Sentinel SDK. No other changes have been made.
»0.9.0 (January 28, 2019)
imports/strings: Added a join function to the strings import. This can be used to join a list into a string with a specific separator. Multi-dimensional lists and all Sentinel primitives are supported.
»0.8.1 (January 17, 2019)
lang/eval: Fixed a bug that prevents the effective use of
»0.8.0 (January 14, 2019)
- Mocks can now be represented by Sentinel code. This allows for the mocking of functions and other complex data structures that cannot be represented in JSON. For more information on using this feature via mocks, click here.
- Import validation has now been moved to the semantic checking phase. This should result in better reporting of validation errors. In addition, import validation will now enforce the use of an as identifier when an import path is not a valid identifier on its own (example:
»0.7.0 (December 12, 2018)
- There have been changes to the runtime in how scope is handled over multiple policy executions. Scope is now correctly unique per single policy execution, and values set or builtins that are overridden in one policy will no longer affect those values within another.
»0.6.0 (November 30, 2018)
imports/runtime: This new import allows for one to check various aspects of the Sentinel runtime as it may be embedded in the simulator or a specific implementation. For now, it allows the version to be checked.
»0.5.1 (November 28, 2018)
imports/time: Added the zone_string attributes to assist with validation of a timespace's zone.
command/fmt: Added a new -check flag. This option does not commit changes, but instead checks to see what files need formatting and outputs them on stdout.
command/test: Ensure that passing test results are correctly output one per line. Tests are also now run in a deterministic fashion based on lexicographical (alphabetical) order.
weekday_name will now show up correctly in a returned timespace result.
»0.5.0 (November 5, 2018)
spec: Selectors can now contain any reserved word (example: rule) or keyword operator (example: not). This only works for the selector part of the expression (after the first period) - the first primary expression (before the first period) still needs to be an identifier that does not conflict with reserved words.
- The simulator should now display import function call names correctly in import errors.
»0.4.0 (October 1, 2018)
builtin: Added the bool built-in type conversion function. Booleans will also now be accepted as conversion into other values as well, with the full list of behaviors available in the spec.
»0.3.2 (September 27, 2018)
sentinel apply now prints out messages output by the print() function when a trace is output on policy failure, or when a trace is forced with
imports/time: Added the weekday_name keys to the timespace, which return full-English names for the month and day of the week.
sentinel fmt - will no longer print out the filter status message on the output stream when -write=false is not explicitly stated. This brings the behavior of the command in line with the help text.
runtime: Index operations on the right-hand-side that have negative indexes that go out of range (example: length(list) * -1 - 1) now correctly return undefined. Left-hand-side index assignments with an out-of-range negative index still return runtime errors.
»0.3.1 (August 3, 2018)
runtime: Basic index assignment has been implemented as per the spec.
runtime: Index expressions for lists with negative indexes will no longer panic if the list index is less than length(list) * -1.
»0.3.0 (July 20, 2018)
- New standard import: types. This can be used to dynamically detect the type of some value.
»0.2.0 (April 11, 2018)
- New standard import: json. Marshal and unmarshal JSON documents and access their contents as native Sentinel values.
continue. These are now both specified and implemented. break allows loop exiting and continue allows immediate execution of the next iteration.
print() map values are now ordered alphabetically by keys.
- command/test: If no test block exists, test behaves like it is asserting
- runtime: default maximum stack depth to 500
print() map values now appear like more typical maps.
- runtime: division by zero is an error, not a crash
- runtime: plugins that send map values with null values now decode properly into native Sentinel values.
»0.1.0 (September 19, 2017)