Sentinel Runtime Release Notes

These are the release notes for the Sentinel runtime.

Each version of the runtime is released with a corresponding version of Sentinel CLI. To download the CLI, see the downloads page.

Sentinel integrations and embedded runtimes may not always have the latest version installed, depending on the product's individual release cycle. For more information, contact the support team for your specific integration.

0.15.1 (March 6, 2020)

BUG FIXES:

  • sentinel: Fixed how modules are managed internally in the runtime to correct race conditions in concurrent scenarios and to allow for per-evaluation module restrictions. This functionality is only of interest to embedded applications with long-lived runtimes and is currently not implemented in any HashiCorp integration.

0.15.0 (March 5, 2020)

NOTES:

  • Windows Digital Signature. Our windows releases for this version and up will be signed and verified according to Microsoft's requirements.

FEATURES:

  • cmd/config: Modules can now be loaded off of local disk using the Sentinel CLI. For information on how to do so, see the Sentinel documentation.

IMPROVEMENTS:

  • runtime/eval: Changed modules so that they now have singleton scope when loaded. Importing a module under two different aliases, or within a nested module, will now share scopes - modification of state in one will alter the other.
  • lang/object: Introduced an interface to allow the duplication of various types, like collections.
  • runtime/eval: Changed how collection data is returned from modules. This data is now duplicated to prevent accidental or deliberate circumvention of the prohibition on assignment to import data, and brings behavior to parity with binary imports.

0.14.4 (February 6, 2020)

IMPROVEMENTS:

  • imports/time: Changed the add timespace function in the time import to allow it to take float types as durations. These values will be truncated to the appropriate integer-value duration.

BUG FIXES:

  • lang/parser: Fixed an issue where out-of-place right-hand braces were being parsed as empty statements, instead of raising syntax errors.

0.14.3 (January 22, 2020)

IMPROVEMENTS:

  • cmd/test: Fail when an assertion is not found in a trace.
  • cmd/test: Added a message to notify when no rules were evaluated in a test.

BUG FIXES:

  • lang/printer: Fixed an issue where import aliases (the as baz in import "foo/bar" as baz) were being removed when formatting with sentinel fmt.
  • imports/http: Fixed an issue with the http import where the client library's debug logs were being printed to standard error.

0.14.2 (January 15, 2020)

NOTES:

With this release, we are discontinuing support for MacOS 32-bit. 64-bit builds are now the only builds available for MacOS.

IMPROVEMENTS:

  • lang/printer: A newline is now added to files formatted via sentinel fmt.

BUG FIXES:

  • lang/printer: Fixed an issue in printing where multi-line expressions would indent infinitely. They will now only indent once at the most. This is mostly seen when using sentinel fmt.
  • runtime/encoding: Fixed an issue where if a plugin returned a deeply embedded undefined value, the value was instead decoded into a map.

0.14.1 (January 6, 2020)

BUG FIXES:

  • lang/parser: Fixed an issue where reserved words could not be used as selectors when the selector expression was the last lexeme on a line.

0.14.0 (December 18, 2019)

LANGUAGE CHANGES:

  • Filter Expression filter. A new quantifier expression, filter has been added. filter returns a subset of the provided collection based on a boolean condition that is asserted for each element.

NOTES:

  • Apple Notarization. Our darwin releases for this version and up will be signed and notarized according to Apple's requirements.

0.13.1 (November 25, 2019)

BUG FIXES:

  • runtime/eval: Parameters are no longer allowed in mock files. Adding one to a mock will result in a runtime error.
  • runtime/eval: Fixed an issue where import calls from within mocks were failing under certain circumstances.
  • imports/decimal: int should now correctly provide the truncated integer representation of a decimal number, not the rounded one.

0.13.0 (November 15, 2019)

LANGUAGE CHANGES:

  • Policy Parameters. The new policy parameters feature allows authors to use a param declaration at the top of a policy to supply values that are expected to come from outside of a policy. See the linked documentation for more details.

FEATURES:

  • imports/http: The http import is a new addition to the standard library enabling the use of HTTP-accessible data from outside the runtime in policy rules.

BUG FIXES:

  • runtime/eval: Fixed an issue where loading other imports before a mocked import would cause those imports to no longer be visible from within the policy.

0.12.0 (October 7, 2019)

LANGUAGE CHANGES:

  • New case statement. This statement is a selection control mechanism to conditionally execute a branch based on expression equality, allowing simplification of complex conditional chains that may otherwise need to be written with else if. See the Case Statements section of the Sentinel language specification for more details.

IMPROVEMENTS:

  • lang/semantic: Added a semantic check to ensure usage of append is not using a return value.

BUG FIXES:

  • runtime/eval: Corrected an issue where calling a method on an import object value that was the result of a method call on another import object value would have erroneously tried to call an import of the name of the "parent" import object value. Example: in a = subject.new(); b = a.call(); c = b.call(), b.call() would attempt to call a method named call on the root namespace for an import named a. This has now been corrected so that b.call() will now correctly call the call method for the respective object namespace residing in the import named subject.
  • imports: Some standard imports may have been returning null for some unknown keys in objects when they should have been returning undefined. This was due to an SDK issue which was corrected in SDK version 0.3.2, which has now been corrected.
  • cmd/test: sentinel test will now correctly fail a policy if it encounters an error.
  • cmd/test: sentinel test will now correctly display errors and other output that were missing due to a formatting issue.
  • runtime/eval: The append builtin now correctly returns undefined for all calls, as called for by the Specification. Note that in most cases, the semantic check outlined above will trigger an error if the return value is used.

0.11.0 (September 5, 2019)

LANGUAGE CHANGES:

  • New builtin function: range(). This function existed in the spec in earlier versions but was removed as it lacked an implementation. This has now been implemented and re-added to the spec. See the Range section of the Sentinel Specification for more details.
  • Lists are now comparable. Lists are equal if their corresponding elements are comparable and equal.
  • Method calls on values returned by imports are now supported. See the Imports section of the Sentinel Specification for more details.

FEATURES:

  • imports/decimal: This is a new import designed to do exact precision mathematical calculations.
  • runtime/eval: Compound call expressions that refer to imports (example: foo.bar().baz() when foo is a loaded import) will now function as expected. Previously, this was only supported up to the first call (example: foo.bar()).
  • imports/time: Timespaces returned by calls such as time.now are now callable. Example: t = time.now; t.after(some_previous_time) will now function.

IMPROVEMENTS:

  • runtime/eval: The implementation of comparison of non-comparable types has now changed. Rather than triggering a runtime error, non-comparable types will now return false when attempting to compare.

0.10.4 (August 15, 2019)

BUG FIXES:

  • runtime/encoding: Fixed an issue with conversion of null values that could lead to crashes in imports.

0.10.3 (July 15, 2019)

BUG FIXES:

  • command/config: Parsing a configuration file where malformed data is encountered after apparently properly-formed data will now report an error. An example would be a situation where misplaced braces would cause a JSON object to only parse part of the configuration file.

0.10.2 (June 25, 2019)

BUG FIXES:

  • lang/parser: Corrected an issue where parsing certain compound binary expressions where the negation predicate (not) was in use would cause the negation to have no effect. Example: foo else "bar" not in "baz" would have been parsed and evaluated as foo else "bar" in "baz", effectively producing the opposite result.

0.10.1 (May 9, 2019)

BUG FIXES:

  • command/test: sentinel test now displays policies without tests as an unknown result with [no test files], instead of the somewhat erroneous behavior of displaying it as a PASS. A full test run with a mixture of passing tests and no tests still results in an overall successful result.

0.10.0 (April 18, 2019)

LANGUAGE CHANGES:

  • Mixed-number arithmetic operations are now allowed. Addition (+), subtraction (-), multiplication (*), division (/), and remainder operations (%) are no longer restricted to number values of the same type, and can mix integer and floating point. The result of these operations is always a floating-point number.
  • Remainder (modulo, %) operations are now allowed on floating-point numbers.

BUG FIXES:

  • lang/parser: Fixed a bug that affected the use of not with contains, matches, or in in a compound expression.
  • runtime/eval: Fixed error messages on evaluation errors with contains and in to indicate that strings are an allowed type along with lists and maps.

0.9.2 (March 15, 2019)

This is a dependency update related to the changes mentioned in 0.9.1. No other changes have been made.

0.9.1 (March 14, 2019)

This is a patch release that is required to integrate with the latest versions of the Sentinel SDK. No other changes have been made.

0.9.0 (January 28, 2019)

FEATURES:

  • imports/strings: Added a join function to the strings import. This can be used to join a list into a string with a specific separator. Multi-dimensional lists and all Sentinel primitives are supported.

0.8.1 (January 17, 2019)

BUG FIXES:

  • lang/eval: Fixed a bug that prevents the effective use of return statements in for loops.

0.8.0 (January 14, 2019)

FEATURES:

  • Mocks can now be represented by Sentinel code. This allows for the mocking of functions and other complex data structures that cannot be represented in JSON. For more information on using this feature via mocks, click here.

IMPROVEMENTS:

  • Import validation has now been moved to the semantic checking phase. This should result in better reporting of validation errors. In addition, import validation will now enforce the use of an as identifier when an import path is not a valid identifier on its own (example: import "foo/bar").

0.7.0 (December 12, 2018)

BUG FIXES:

  • There have been changes to the runtime in how scope is handled over multiple policy executions. Scope is now correctly unique per single policy execution, and values set or builtins that are overridden in one policy will no longer affect those values within another.

0.6.0 (November 30, 2018)

FEATURES:

  • imports/runtime: This new import allows for one to check various aspects of the Sentinel runtime as it may be embedded in the simulator or a specific implementation. For now, it allows the version to be checked.

0.5.1 (November 28, 2018)

IMPROVEMENTS:

  • imports/time: Added the zone and zone_string attributes to assist with validation of a timespace's zone.
  • command/fmt: Added a new -check flag. This option does not commit changes, but instead checks to see what files need formatting and outputs them on stdout.

BUG FIXES:

  • command/test: Ensure that passing test results are correctly output one per line. Tests are also now run in a deterministic fashion based on lexicographical (alphabetical) order.
  • imports/time: month_name and weekday_name will now show up correctly in a returned timespace result.

0.5.0 (November 5, 2018)

IMPROVEMENTS:

  • spec: Selectors can now contain any reserved word (example: rule) or keyword operator (example: any, all, is, not). This only works for the selector part of the expression (after the first period) - the first primary expression (before the first period) still needs to be an identifier that does not conflict with reserved words.

BUG FIXES:

  • The simulator should now display import function call names correctly in import errors.

0.4.0 (October 1, 2018)

FEATURES:

  • builtin: Added the bool built-in type conversion function. Booleans will also now accepted as conversion into other values as well, with the full list of behaviors available in the spec.

0.3.2 (September 27, 2018)

FEATURES:

  • command/apply: sentinel apply now prints out messages output by the print() function when a trace is output on policy failure, or when a trace is forced with -trace.
  • imports/time: Added the month_name and weekday_name keys to the timespace, which return full-English names for the month and day of the week.

BUG FIXES:

  • command/fmt: sentinel fmt - Will no longer print out the filter status message on the output stream when -write=false Is not explicitly stated. This brings the behavior of the command in line with the help text.
  • runtime: Index operations on the right-hand-side that have negative indexes that go out of range (example: length(list) * -1 - 1) now correctly return undefined. left-hand-side index assignments with a out-of-range negative index still return runtime errors.

0.3.1 (August 3, 2018)

BUG FIXES:

  • runtime: Basic index assignment has been implemented as per the spec.
  • runtime: Index expressions for lists with negative indexes will no longer panic if the list index is less than length(list) * -1.

0.3.0 (July 20, 2018)

FEATURES:

  • New standard import: types. This can be used to dynamicaly detect the type of some value.

0.2.0 (April 11, 2018)

FEATURES:

  • New standard import: json. Marshal and unmarshal JSON documents and access their contents as native Sentinel values.
  • break and continue. These are now both specified and implemented. break allows loop exiting and continue allows immediate execution of the next iteration.

IMPROVEMENTS:

  • runtime: print() map values are now ordered alphabetically by keys.

BUG FIXES:

  • command/test: If no test block exists, test behaves like it is asserting main: true.
  • runtime: default maximum stack depth to 500
  • runtime: print() map values now appear like more typical maps.
  • runtime: division by zero is an error, not a crash
  • runtime: plugins that send map values with null values now decode properly into native Sentinel values.

0.1.0 (September 19, 2017)

Initial release.