Variables ¶
// DefaultVerificationOptions is the option set used when a caller does not
// supply its own. The defaults that matter for trust decisions are:
//   - EnforceExpiration is on, so a policy or policy set past its expiration
//     date fails evaluation;
//   - GitCommitShaHack is on, so gitCommit subjects of read attestations are
//     also recorded as sha1 subjects;
//   - AllowEmptySetChains is on, so a chain selector that yields no subjects
//     does not fail the policy.
// NOTE(review): the last two both widen what a policy accepts; confirm they
// are the intended defaults for enforcement deployments.
var DefaultVerificationOptions = VerificationOptions{
	// Evaluation engine defaults.
	EvaluatorOptions: options.Default,
	DefaultEvaluator: class.Class("cel@v0"),
	ContextProviders: []context.Provider{},

	// Where and how evaluation results are attested.
	AttestFormat:           "ampel",
	ResultsAttestationPath: "results.intoto.json",

	// Policy-acceptance behaviour.
	EnforceExpiration:   true,
	GitCommitShaHack:    true,
	AllowEmptySetChains: true,
}
// ErrMissingAttestations is the sentinel returned when the evidence needed to
// verify a subject could not be found; compare with errors.Is.
var ErrMissingAttestations error = errors.New("required attestations missing to verify subject")
// ResultsAttestationFormats lists the formats a results attestation can be
// written in ("ampel" is the default in DefaultVerificationOptions; "vsa" is
// the alternative). Presumably VerificationOptions.AttestFormat is validated
// against this list — confirm in Validate.
var ResultsAttestationFormats = []string{"ampel", "vsa"}
// WithCollector registers a single attestation repository with the verifier's
// collector. It is a functional option (fnOpt), presumably applied by the
// Ampel constructor, which is not shown in this view.
var WithCollector = func(repository attestation.Repository) fnOpt {
	return func(ampel *Ampel) error {
		// AddRepository's error is returned unchanged.
		return ampel.Collector.AddRepository(repository)
	}
}
// WithCollectorInit adds a collector from an init string. Parsing of the
// string is delegated entirely to Collector.AddRepositoryFromString, whose
// error (if any) is propagated unchanged.
var WithCollectorInit = func(init string) fnOpt {
	return func(ampel *Ampel) error {
		// A nil return means the repository was registered; the original
		// if/return-nil dance is equivalent to returning the call's error.
		return ampel.Collector.AddRepositoryFromString(init)
	}
}
// WithCollectorInits adds multiple collectors from a list of init strings.
// Strings are registered in order; the first one that fails aborts the option
// and its error is returned, leaving the repositories registered before it
// in place.
var WithCollectorInits = func(init []string) fnOpt {
	return func(ampel *Ampel) error {
		for i := range init {
			if err := ampel.Collector.AddRepositoryFromString(init[i]); err != nil {
				return err
			}
		}
		return nil
	}
}
// WithCollectors registers several attestation repositories at once. It is
// the slice counterpart of WithCollector and hands the whole slice to
// Collector.AddRepository in a single variadic call.
var WithCollectors = func(repos []attestation.Repository) fnOpt {
	return func(ampel *Ampel) error {
		return ampel.Collector.AddRepository(repos...)
	}
}
Types ¶
type Ampel ¶
Ampel is the attestation verifier
func (*Ampel) AttestResult ¶
AttestResult writes an attestation capturing a single evaluation result (a *papi.Result) to w.
func (*Ampel) AttestResults ¶
AttestResults writes an attestation capturing a set of evaluation results (papi.Results) to w.
func (*Ampel) CheckStatus ¶
func (ampel *Ampel) CheckStatus(ctx context.Context, opts *StatusOptions, catalog *oscal.Catalog, subject attestation.Subject) (*Status, error)
CheckStatus matches an artifact's requirements against an OSCAL catalog or profile and returns the resulting compliance Status.
func (*Ampel) Verify ¶
func (ampel *Ampel) Verify( ctx context.Context, opts *VerificationOptions, policy any, subject attestation.Subject, ) (papi.Results, error)
Verify checks a subject against a policy using the available evidence. The policy is passed as any; given the two VerifySubjectWith* methods below it is presumably a *papi.Policy or a *papi.PolicySet — confirm which types are accepted.
func (*Ampel) VerifySubjectWithPolicy ¶
func (ampel *Ampel) VerifySubjectWithPolicy( ctx context.Context, opts *VerificationOptions, policy *papi.Policy, subject attestation.Subject, ) (*papi.Result, error)
VerifySubjectWithPolicy verifies a subject against a single policy
func (*Ampel) VerifySubjectWithPolicySet ¶
func (ampel *Ampel) VerifySubjectWithPolicySet( ctx context.Context, originalOptions *VerificationOptions, policySet *papi.PolicySet, subject attestation.Subject, ) (*papi.ResultSet, error)
VerifySubjectWithPolicySet runs a subject through a policy set.
type AmpelStatusChecker ¶
// AmpelStatusChecker enumerates the steps used to compute a compliance Status
// for a subject — presumably the pipeline behind Ampel.CheckStatus: gather
// attested results, parse them, check who signed them, and map the predicates
// onto an OSCAL catalog.
// NOTE(review): the interface does not enforce that CheckIdentities runs
// before ComputeComplianceStatus; confirm the implementation rejects
// unsigned or unrecognised result envelopes before they influence the status.
type AmpelStatusChecker interface {
	// GatherResults collects the envelopes holding results attestations for
	// the subject (presumably read from opts.ResultFiles — confirm).
	GatherResults(context.Context, *StatusOptions, attestation.Subject) ([]attestation.Envelope, error)
	// ParseAttestedResults extracts the result predicates from the envelopes.
	ParseAttestedResults(context.Context, *StatusOptions, []attestation.Envelope) ([]attestation.Predicate, error)
	// CheckIdentities reports whether the envelopes' signatures match the
	// expected identities. The bool is the verdict; the error presumably
	// covers failures of the check itself rather than a mismatch — confirm.
	CheckIdentities(*StatusOptions, []attestation.Envelope) (bool, error)
	// ComputeComplianceStatus derives the Status from the parsed predicates
	// against the catalog.
	ComputeComplianceStatus(*oscal.Catalog, []attestation.Predicate) (*Status, error)
}
type AmpelVerifier ¶
// AmpelVerifier enumerates the steps a verification run is composed of; the
// Ampel methods above presumably drive an implementation of it. The interface
// does not fix the order of operations. The sequence that matters for trust
// is GatherAttestations / ParseAttestations → CheckIdentities →
// FilterAttestations → VerifySubject, so that only predicates from envelopes
// whose signer matched a policy identity are evaluated.
// NOTE(review): confirm that VerifySubject is never handed predicates that
// bypassed FilterAttestations (for example those arriving through
// opts.Attestations or opts.AttestationFiles).
type AmpelVerifier interface {
	// CheckPolicy verifies the policy is sound to evaluate before running it
	CheckPolicy(context.Context, *VerificationOptions, *papi.Policy) error
	// CheckPolicySet is the PolicySet counterpart of CheckPolicy.
	CheckPolicySet(context.Context, *VerificationOptions, *papi.PolicySet) error
	// GatherAttestations collects, through the collector agent, the envelopes
	// the policy needs for the subject. The envelope slice argument presumably
	// seeds the result with attestations already in hand — confirm.
	GatherAttestations(context.Context, *VerificationOptions, *collector.Agent, *papi.Policy, attestation.Subject, []attestation.Envelope) ([]attestation.Envelope, error)
	// ParseAttestations reads the attestations supplied through the options
	// (presumably opts.AttestationFiles — confirm) into envelopes.
	ParseAttestations(context.Context, *VerificationOptions, attestation.Subject) ([]attestation.Envelope, error)
	// BuildEvaluators instantiates the evaluators the policy needs, keyed by
	// class; opts.DefaultEvaluator is documented as the fallback when the
	// policy does not name one.
	BuildEvaluators(*VerificationOptions, *papi.Policy) (map[class.Class]evaluator.Evaluator, error)
	// BuildTransformers instantiates the transformers the policy declares,
	// keyed by class.
	BuildTransformers(*VerificationOptions, *papi.Policy) (map[transformer.Class]transformer.Transformer, error)
	// Transform runs the transformers over the subject and predicates and
	// returns the transformed pair.
	Transform(*VerificationOptions, map[transformer.Class]transformer.Transformer, *papi.Policy, attestation.Subject, []attestation.Predicate) (attestation.Subject, []attestation.Predicate, error)
	// CheckIdentities verifies that attestations are signed by the policy
	// identities. The bool is the overall verdict; the [][]*papi.Identity is
	// presumably the per-envelope list of matched identities and the []error
	// the per-envelope verification failures, with the trailing error for
	// failures of the check itself — confirm against the implementation.
	CheckIdentities(context.Context, *VerificationOptions, []*papi.Identity, []attestation.Envelope) (bool, [][]*papi.Identity, []error, error)
	// FilterAttestations reduces the envelopes to the predicates the policy
	// will see, taking the per-envelope identity matches from CheckIdentities
	// as input (presumably dropping envelopes with no match — confirm).
	FilterAttestations(*VerificationOptions, attestation.Subject, []attestation.Envelope, [][]*papi.Identity) ([]attestation.Predicate, error)
	// AssertResult checks an evaluation result against the policy and returns
	// an error when it does not hold — confirm the exact contract.
	AssertResult(*papi.Policy, *papi.Result) error
	// AttestResults writes the results attestation for a run (presumably to
	// opts.ResultsAttestationPath in opts.AttestFormat when opts.AttestResults
	// is set — confirm).
	AttestResults(context.Context, *VerificationOptions, papi.Results) error
	// AttestResultToWriter takes an evaluation result and writes an attestation to the supplied io.Writer
	AttestResultToWriter(io.Writer, *papi.Result) error
	// AttestResultSetToWriter takes a policy resultset and writes an attestation to the supplied io.Writer
	AttestResultSetToWriter(io.Writer, *papi.ResultSet) error
	// VerifySubject runs the verification process: it evaluates the policy with
	// the given evaluators and context values over the subject and predicates.
	VerifySubject(context.Context, *VerificationOptions, map[class.Class]evaluator.Evaluator, *papi.Policy, map[string]any, attestation.Subject, []attestation.Predicate) (*papi.Result, error)
	// ProcessChainedSubjects processes the chain of attestations to find the ultimate
	// subject a policy is supposed to operate on. The returned bool presumably
	// reports whether a chained subject was resolved — confirm.
	ProcessChainedSubjects(context.Context, *VerificationOptions, map[class.Class]evaluator.Evaluator, *collector.Agent, *papi.Policy, map[string]any, attestation.Subject, []attestation.Envelope) (attestation.Subject, []*papi.ChainedSubject, bool, error)
	// ProcessPolicySetChainedSubjects executes a PolicySet's ChainLink and returns
	// the resulting list of subjects from the evaluator. With
	// opts.AllowEmptySetChains set, an empty list is documented as not failing
	// the policy.
	ProcessPolicySetChainedSubjects(context.Context, *VerificationOptions, map[class.Class]evaluator.Evaluator, *collector.Agent, *papi.PolicySet, map[string]any, attestation.Subject, []attestation.Envelope) ([]attestation.Subject, []*papi.ChainedSubject, bool, error)
	// AssembleEvalContextValues builds the policy context values by mixing defaults and defined values
	// (presumably sourced from opts.ContextProviders — confirm).
	AssembleEvalContextValues(context.Context, *VerificationOptions, map[string]*papi.ContextVal) (map[string]any, error)
}
AmpelImplementation
type PolicyError ¶
// PolicyError describes a problem with a policy; its Error method and
// remaining fields are not visible in this view, so the conditions under
// which it is returned (presumably from CheckPolicy/CheckPolicySet) must be
// confirmed in the implementation.
type PolicyError struct {
	// Guidance is a human-readable hint for the policy author — presumably
	// how to correct the offending policy.
	Guidance string
	// contains filtered or unexported fields
}
type StatusOptions ¶
// StatusOptions configures CheckStatus and the AmpelStatusChecker steps.
type StatusOptions struct {
	// ResultFiles are paths to results attestations to load — presumably read
	// by GatherResults; confirm whether their signatures are checked before
	// they contribute to the status.
	ResultFiles []string
}
type VerificationOptions ¶
// VerificationOptions configures a single verification run. Several fields
// are trust decisions rather than tuning knobs — see the notes on
// IdentityStrings, Keys, EnforceExpiration, GitCommitShaHack and
// AllowEmptySetChains. DefaultVerificationOptions holds the defaults.
type VerificationOptions struct {
	// Embed the evaluator options
	options.EvaluatorOptions
	// Collectors is a collection of configured attestation fetchers
	Collectors []attestation.Fetcher
	// ContextProviders has a list of providers to read contextual data
	ContextProviders []context.Provider
	// AttestationFiles are additional attestations passed manually.
	// NOTE(review): confirm these go through the same identity/signature
	// checks as collected attestations before their predicates are used.
	AttestationFiles []string
	// Attestations are preparsed attestations the policy evaluator receives
	// when called, usually preparsed by the PolicySet evaluator.
	Attestations []attestation.Envelope
	// DefaultEvaluator is the default evaluator we use when a policy does
	// not define one. DefaultVerificationOptions sets it to "cel@v0".
	DefaultEvaluator class.Class
	// AttestResults will generate an attestation of the evaluation results
	AttestResults bool
	// AttestFormat specifies the format used when AttestResults is true;
	// the known formats are listed in ResultsAttestationFormats.
	AttestFormat string
	// ResultsAttestationPath stores the path to write the results attestation
	ResultsAttestationPath string
	// SetExitCode sets a non-zero exit code on artifact verification
	// (presumably on verification failure — confirm).
	SetExitCode bool
	// Policies to evaluate from a PolicySet. Default is to evaluate all.
	Policies []string
	// GitCommitShaHack enables a hack to duplicate gitCommit subjects of read
	// attestations as sha1 when reading attestations. Enabled by default.
	// NOTE(review): this lets a gitCommit digest also satisfy sha1 subject
	// matching; confirm an attestation about a commit cannot thereby be
	// matched to an unrelated sha1-identified artifact.
	GitCommitShaHack bool
	// IdentityStrings feeds the signature identities to add to the policy
	// definitions when verifying signatures. Because they extend the set of
	// signers the policy accepts at run time, they are a trust decision made
	// by the caller rather than by the policy author.
	IdentityStrings []string
	// Keys is a list of public key providers that will be used to verify signed
	// items. These keys will be supplied to verifiers when checking signatures of
	// signed objects (ie DSSE envelopes). It is up to the policy to recognize any
	// of the matched keys as valid identities: a key match establishes which key
	// signed, not whether that signer is authorised.
	//
	// Note that each signature will be verified against all keys loaded, so clients
	// are advised to load only those keys required for each policy evaluation.
	Keys []key.PublicKeyProvider
	// EnforceExpiration forces evaluations to fail when the policy or policy set
	// expiration date has passed. If no expiration date is set, this setting is ignored.
	// Enabled by default; disabling it means expired policies are still applied.
	EnforceExpiration bool
	// AllowEmptySetChains prevents the policy from failing if the chain selectors
	// don't return any mutated subjects. Enabled by default, so a chain that
	// resolves to nothing passes rather than fails — confirm this is the
	// intended failure mode for enforcement use.
	AllowEmptySetChains bool
}
func NewVerificationOptions ¶
func NewVerificationOptions() VerificationOptions
func (*VerificationOptions) Validate ¶
func (opts *VerificationOptions) Validate() error
Validate checks the configured options and returns an error if they are invalid.
func (*VerificationOptions) WithContextProvider ¶
func (vo *VerificationOptions) WithContextProvider(provider context.Provider) *VerificationOptions