build: WASM_ENABLED=1 for all platforms, bump go to 1.16.3

Notes:
- If there are other users of the 'build-windows' make target they would
  likely be annoyed by the change that's now apt-get'ting packages
- We could build a builder image instead of installing the package every
  time.
- ci-go-*: run as root now, so we're able to install the packages for
  windows.
- tests: skip tests that depend on not being run as root when root. The
  change to ci-go-* makes that necessary; the impact is rather limited
  right now. We can reconsider if there are more tests depending on not
  being run as root.

- build: add '-buildmode=exe' to GOFLAGS

  Primarily for the windows build, but I don't think it should be wrong
  for the others either:

  golang/go#40795

  See https://golang.org/cmd/go/#hdr-Build_modes:

  > -buildmode=exe
  > Build the listed main packages and everything they import into
  > executables. Packages not named main are ignored.

- go: fix version as 1.16.3

  This was discussed in this PR, but not the other one. We'd rather keep
  this an exact match.

- build: update go module related env vars

  With 1.16, https://blog.golang.org/go116-module-changes,

  > The go command now builds packages in module-aware mode by default.

  Also, since we've added the `go 1.15` directive to go.mod, we can drop
  all -mod=vendor flags, https://golang.org/ref/mod#go-mod-file-go,

  > At go 1.14 or higher, automatic vendoring may be enabled. If the file
  > vendor/modules.txt is present and consistent with go.mod, there is no
  > need to explicitly use the -mod=vendor flag.

- build: replace build-docker by build-linux

  Turns out the binaries were identical now.

- workflow: adapt github workflows
- build: override docker id/gid in 'image' target, to keep existing
  behaviour.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

.github/workflows/post-merge.yaml

@@ -57,10 +57,61 @@ jobs:
         run: make ci-go-test-coverage
         timeout-minutes: 30
 
+  release-build:
+    name: Release Build (linux, windows)
+    runs-on: ubuntu-18.04
+    needs: generate
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Build Linux and Windows
+        run: make ci-go-build-linux ci-go-build-windows
+        timeout-minutes: 30
+        env:
+          TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }}
+
+      - name: Upload binaries
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: binaries
+          path: _release
+
+  release-build-darwin:
+    name: Release Build (darwin)
+    runs-on: macos-latest
+    needs: generate
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - id: go_version
+        name: Read go version
+        run: echo "::set-output name=go_version::$(cat .go-version)"
+
+      - name: Install Go (${{ steps.go_version.outputs.go_version }})
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ steps.go_version.outputs.go_version }}
+
+      - name: Build Darwin
+        run: make build-darwin
+        timeout-minutes: 30
+        env:
+          TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }}
+
+      - name: Upload binaries (darwin)
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: binaries
+          path: _release
+
   deploy-edge:
     name: Push Edge Release
     runs-on: ubuntu-18.04
-    needs: generate
+    needs: [release-build, release-build-darwin]
     steps:
       - name: Check out code
         uses: actions/checkout@v2
@@ -69,10 +120,11 @@ jobs:
         run: make ci-release-test
         timeout-minutes: 60
 
-      - name: Build Release Binaries
-        env:
-          TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }}
-        run: make release-local
+      - name: Download release binaries
+        uses: actions/download-artifact@v2
+        with:
+          name: binaries
+          path: _release
 
       - name: Deploy OPA Edge
         env:

.github/workflows/post-tag.yaml

@@ -6,8 +6,60 @@ on:
       - '*'
 
 jobs:
+  release-build:
+    name: Release Build (linux, windows)
+    runs-on: ubuntu-18.04
+    needs: generate
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Build Linux and Windows
+        run: make ci-go-build-linux ci-go-build-windows
+        timeout-minutes: 30
+        env:
+          TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }}
+
+      - name: Upload binaries
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: binaries
+          path: _release
+
+  release-build-darwin:
+    name: Release Build (darwin)
+    runs-on: macos-latest
+    needs: generate
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - id: go_version
+        name: Read go version
+        run: echo "::set-output name=go_version::$(cat .go-version)"
+
+      - name: Install Go (${{ steps.go_version.outputs.go_version }})
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ steps.go_version.outputs.go_version }}
+
+      - name: Build Darwin
+        run: make build-darwin
+        timeout-minutes: 30
+        env:
+          TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }}
+
+      - name: Upload binaries (darwin)
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: binaries
+          path: _release
+
   build:
     name: Push Latest Release
+    needs: [release-build, release-build-darwin]
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
@@ -21,10 +73,11 @@ jobs:
         run: make ci-release-test
         timeout-minutes: 60
 
-      - name: Build Release Binaries
-        env:
-          TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }}
-        run: make release
+      - name: Download release binaries
+        uses: actions/download-artifact@v2
+        with:
+          name: binaries
+          path: _release
 
       - name: Build and Deploy OPA Docker Images
         id: build-and-deploy

.github/workflows/pull-request.yaml

@@ -13,10 +13,44 @@ jobs:
       - name: Check out code
         uses: actions/checkout@v2
 
-      - name: Build Golang
-        run: make ci-go-build-all-platforms
+      - name: Build Linux and Windows
+        run: make ci-go-build-linux ci-go-build-windows
         timeout-minutes: 30
 
+      - name: Upload binaries
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: binaries
+          path: _release
+
+  go-build-darwin:
+    name: Go Build (darwin)
+    runs-on: macos-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - id: go_version
+        name: Read go version
+        run: echo "::set-output name=go_version::$(cat .go-version)"
+
+      - name: Install Go (${{ steps.go_version.outputs.go_version }})
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ steps.go_version.outputs.go_version }}
+
+      - name: Build Darwin
+        run: make build-darwin
+        timeout-minutes: 30
+
+      - name: Upload binaries (darwin)
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: binaries
+          path: _release
+
   go-test:
     name: Go Test
     runs-on: ubuntu-18.04

.go-version

@@ -1 +1 @@
-1.16
+1.16.3

Dockerfile

@@ -19,7 +19,7 @@ MAINTAINER Torin Sandall <torinsandall@gmail.com>
 USER ${USER}
 
 ARG BIN_DIR=.
-COPY ${BIN_DIR}/opa_docker_amd64 /opa
+COPY ${BIN_DIR}/opa_linux_amd64 /opa
 
 ENTRYPOINT ["/opa"]
 CMD ["run"]

Makefile

@@ -7,8 +7,11 @@ VERSION := $(shell ./build/get-build-version.sh)
 CGO_ENABLED ?= 1
 WASM_ENABLED ?= 1
 
-# Force modules on and to use the vendor directory.
-GO := CGO_ENABLED=$(CGO_ENABLED) GO111MODULE=on GOFLAGS=-mod=vendor go
+# See https://golang.org/cmd/go/#hdr-Build_modes:
+# > -buildmode=exe
+# > Build the listed main packages and everything they import into
+# > executables. Packages not named main are ignored.
+GO := CGO_ENABLED=$(CGO_ENABLED) GOFLAGS="-buildmode=exe" go
 GO_TEST_TIMEOUT := -timeout 30m
 
 GO_TAGS := -tags=
@@ -22,6 +25,12 @@ GOOS := $(shell go env GOOS)
 
 DOCKER_RUNNING := $(shell docker ps >/dev/null 2>&1 && echo 1 || echo 0)
 
+# We use root because the windows build, invoked through the ci-go-build-windows
+# target, installs the gcc mingw32 cross-compiler.
+# For image-quick, it's overridden, so that the built binary isn't root-owned.
+DOCKER_UID ?= 0
+DOCKER_GID ?= 0
+
 ifeq ($(shell tty > /dev/null && echo 1 || echo 0), 1)
 DOCKER_FLAGS := --rm -it
 else
@@ -79,7 +88,8 @@ generate: wasm-lib-build
 build: go-build
 
 .PHONY: image
-image: ci-go-build-docker
+image:
+	DOCKER_UID=$(shell id -u) DOCKER_GID=$(shell id -g) $(MAKE) ci-go-build-linux
 	@$(MAKE) image-quick
 
 .PHONY: install
@@ -221,7 +231,7 @@ wasm-rego-testgen-install:
 
 CI_GOLANG_DOCKER_MAKE := $(DOCKER) run \
 	$(DOCKER_FLAGS) \
-	-u $(shell id -u):$(shell id -g) \
+	-u $(DOCKER_UID):$(DOCKER_GID) \
 	-v $(PWD):/src \
 	-w /src \
 	-e GOCACHE=/src/.go/cache \
@@ -247,31 +257,30 @@ ci-check-working-copy: generate
 .PHONY: ci-wasm
 ci-wasm: wasm-test
 
-.PHONY: build-docker
-build-docker: ensure-release-dir
-	$(GO) build $(GO_TAGS) -o $(RELEASE_DIR)/opa_docker_$(GOARCH) -ldflags $(LDFLAGS)
-
 .PHONY: build-linux
 build-linux: ensure-release-dir
-	@$(MAKE) build GOOS=linux CGO_ENABLED=0 WASM_ENABLED=0
+	@$(MAKE) build GOOS=linux
+	chmod +x opa_linux_$(GOARCH)
 	mv opa_linux_$(GOARCH) $(RELEASE_DIR)/
 
 .PHONY: build-darwin
 build-darwin: ensure-release-dir
-	@$(MAKE) build GOOS=darwin CGO_ENABLED=0 WASM_ENABLED=0
+	@$(MAKE) build GOOS=darwin
+	chmod +x opa_darwin_$(GOARCH)
 	mv opa_darwin_$(GOARCH) $(RELEASE_DIR)/
 
 .PHONY: build-windows
 build-windows: ensure-release-dir
-	@$(MAKE) build GOOS=windows CGO_ENABLED=0 WASM_ENABLED=0
+	build/ensure-windows-toolchain.sh
+	@$(MAKE) build GOOS=windows CC=x86_64-w64-mingw32-gcc
 	mv opa_windows_$(GOARCH) $(RELEASE_DIR)/opa_windows_$(GOARCH).exe
 
 .PHONY: ensure-release-dir
 ensure-release-dir:
 	mkdir -p $(RELEASE_DIR)
 
 .PHONY: build-all-platforms
-build-all-platforms: build-docker build-linux build-darwin build-windows
+build-all-platforms: build-linux build-darwin build-windows
 
 .PHONY: image-quick
 image-quick:

build/ensure-windows-toolchain.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+CC=x86_64-w64-mingw32-gcc
+PKG=gcc-mingw-w64-x86-64
+
+type -f ${CC} 2>/dev/null && exit 0
+
+apt-get update && \
+  apt-get install --no-install-recommends -y ${PKG}

build/gen-man.sh

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-GOFLAGS=-mod=vendor GO111MODULE=on GOOS="" GOARCH="" go run ./build/generate-man $@
+GOOS="" GOARCH="" go run ./build/generate-man $@

build/gen-run-go.sh

@@ -2,4 +2,4 @@
 
 set -e
 
-GOFLAGS=-mod=vendor GO111MODULE=on GOOS="" GOARCH="" go run -tags generate $@
+GOOS= GOARCH= CC= go run -tags generate $@

build/run-goimports.sh

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-GOFLAGS=-mod=vendor GO111MODULE=on GOOS="" GOARCH="" go run -tags=opa_wasm ./vendor/golang.org/x/tools/cmd/goimports -local github.com/open-policy-agent/opa $@
+GOOS="" GOARCH="" go run -tags=opa_wasm ./vendor/golang.org/x/tools/cmd/goimports -local github.com/open-policy-agent/opa $@

cmd/build_test.go

@@ -169,6 +169,10 @@ func TestBuildErrorVerifyNonBundle(t *testing.T) {
 }
 
 func TestBuildVerificationConfigError(t *testing.T) {
+	if os.Getuid() == 0 {
+		t.Skip("cannot be run as root")
+	}
+
 	files := map[string]string{
 		"public.pem": "foo",
 	}

keys/keys_test.go

@@ -131,9 +131,31 @@ ypZ/TdlnuGC1cOpAVyU7k32IJ9CRbt3nwEf5U54LRXLLQjFixWZHwKdDiMTF4ws0
 		if !reflect.DeepEqual(kc, expected) {
 			t.Fatalf("Expected key config %v but got %v", expected, kc)
 		}
+	})
+}
+
+func TestNewKeyConfigFileError(t *testing.T) {
+	if os.Geteuid() == 0 {
+		t.Skip("cannot run as root")
+	}
+	publicKey := `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9KaakMv1XKKDaSch3PFR
+3a27oaHp1GNTTNqvb1ZaHZXp+wuhYDwc/MTE67x9GCifvQBWzEGorgTq7aisiOyl
+vKifwz6/wQ+62WHKG/sqKn2Xikp3P63aBIPlZcHbkyyRmL62yeyuzYoGvLEYel+m
+z5SiKGBwviSY0Th2L4e5sGJuk2HOut6emxDi+E2Fuuj5zokFJvIT6Urlq8f3h6+l
+GeR6HUOXqoYVf7ff126GP7dticTVBgibxkkuJFmpvQSW6xmxruT4k6iwjzbZHY7P
+ypZ/TdlnuGC1cOpAVyU7k32IJ9CRbt3nwEf5U54LRXLLQjFixWZHwKdDiMTF4ws0
++wIDAQAB
+-----END PUBLIC KEY-----`
+
+	files := map[string]string{
+		"public.pem": publicKey,
+	}
+
+	test.WithTempFS(files, func(rootDir string) {
 
 		// simulate error while reading file
-		err = os.Chmod(filepath.Join(rootDir, "public.pem"), 0111)
+		err := os.Chmod(filepath.Join(rootDir, "public.pem"), 0111)
 		if err != nil {
 			t.Fatalf("Unexpected error %v", err)
 		}