v1

package



Constants

// ContextType* are the accepted values of ContextVal.Type. A ContextVal's
// value/default is expected to be castable to the named type.
// NOTE(review): the ContextVal.Type field comment also lists "float" as an
// enforced value, but no ContextTypeFloat constant exists here — confirm
// which list is authoritative before relying on "float".
const (
	ContextTypeBool   = "bool"
	ContextTypeString = "string"
	ContextTypeInt    = "int"
)
// SigstoreMode* select how a sigstore identity is matched — presumably an
// exact string comparison versus a regular expression. The matching code is
// not in this package; confirm the semantics against the identity package.
// NOTE(review): if regexp mode is applied to issuer/subject matching, patterns
// should be anchored (^...$); an unanchored pattern also accepts any identity
// that merely contains the expected value as a substring.
const (
	SigstoreModeExact  string = "exact"
	SigstoreModeRegexp string = "regexp"
)
// Status labels shared by tenet (EvalResult), policy (Result) and block
// (BlockEvalResult) results. Meta.Enforce documents that a failed policy is
// reported as FAIL when enforced and as SOFTFAIL otherwise, so SOFTFAIL is a
// failed-but-not-enforced outcome: callers that gate on status must not treat
// it as a pass.
const (
	StatusFAIL     = "FAIL"
	StatusPASS     = "PASS"
	StatusSOFTFAIL = "SOFTFAIL"
)

Variables

var File_carabiner_policy_v1_policy_proto protoreflect.FileDescriptor
var File_carabiner_policy_v1_result_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type Assessment

// Assessment is the outcome recorded on an EvalResult when a tenet
// evaluation passed (see EvalResult.Assessment).
type Assessment struct {
	// Human readable message describing the passing assessment.
	Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
	// contains filtered or unexported fields
}

func (*Assessment) Descriptor deprecated

func (*Assessment) Descriptor() ([]byte, []int)

Deprecated: Use Assessment.ProtoReflect.Descriptor instead.

func (*Assessment) GetMessage

func (x *Assessment) GetMessage() string

func (*Assessment) ProtoMessage

func (*Assessment) ProtoMessage()

func (*Assessment) ProtoReflect

func (x *Assessment) ProtoReflect() protoreflect.Message

func (*Assessment) Reset

func (x *Assessment) Reset()

func (*Assessment) String

func (x *Assessment) String() string

type BlockEvalResult added in v0.4.1

// BlockEvalResult groups the evaluation results of the policies in one
// PolicyBlock together with the block's metadata and an overall status.
type BlockEvalResult struct {

	// status holds the PASS/FAIL/SOFTFAIL status label of the whole PolicySet evaluation
	// NOTE(review): this is a per-block result (see Id/Meta/Results below), so the
	// label presumably summarizes the block rather than the whole PolicySet — confirm.
	Status string           `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
	// id of the PolicyBlock this result belongs to
	Id     string           `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
	// meta is the block's metadata (assert mode, enforce, controls) as evaluated
	Meta   *PolicyBlockMeta `protobuf:"bytes,3,opt,name=meta,proto3" json:"meta,omitempty"`
	// results from each of the policies in the set
	Results []*Result `protobuf:"bytes,4,rep,name=results,proto3" json:"results,omitempty"`
	// error captures an error that failed the evaluation at the PolicySet level
	// (an evaluation error, as opposed to the policy-level failures inside Results)
	Error *Error `protobuf:"bytes,5,opt,name=error,proto3" json:"error,omitempty"`
	// contains filtered or unexported fields
}

BlockEvalResult groups the evaluation results of the policies in a PolicyBlock.

func (*BlockEvalResult) Descriptor deprecated added in v0.4.1

func (*BlockEvalResult) Descriptor() ([]byte, []int)

Deprecated: Use BlockEvalResult.ProtoReflect.Descriptor instead.

func (*BlockEvalResult) GetError added in v0.4.1

func (x *BlockEvalResult) GetError() *Error

func (*BlockEvalResult) GetId added in v0.4.1

func (x *BlockEvalResult) GetId() string

func (*BlockEvalResult) GetMeta added in v0.4.1

func (x *BlockEvalResult) GetMeta() *PolicyBlockMeta

func (*BlockEvalResult) GetResults added in v0.4.1

func (x *BlockEvalResult) GetResults() []*Result

func (*BlockEvalResult) GetStatus added in v0.4.1

func (x *BlockEvalResult) GetStatus() string

func (*BlockEvalResult) ProtoMessage added in v0.4.1

func (*BlockEvalResult) ProtoMessage()

func (*BlockEvalResult) ProtoReflect added in v0.4.1

func (x *BlockEvalResult) ProtoReflect() protoreflect.Message

func (*BlockEvalResult) Reset added in v0.4.1

func (x *BlockEvalResult) Reset()

func (*BlockEvalResult) String added in v0.4.1

func (x *BlockEvalResult) String() string
// ChainLink is one step of an evidence chain (Policy.Chain, PolicyGroup.Chain).
// Source is a oneof; the only generated variant is ChainLink_Predicate.
type ChainLink struct {

	// Types that are valid to be assigned to Source:
	//
	//	*ChainLink_Predicate
	Source isChainLink_Source `protobuf_oneof:"source"`
	// contains filtered or unexported fields
}

func (*ChainLink) Descriptor deprecated

func (*ChainLink) Descriptor() ([]byte, []int)

Deprecated: Use ChainLink.ProtoReflect.Descriptor instead.

func (*ChainLink) GetPredicate

func (x *ChainLink) GetPredicate() *ChainedPredicate

func (*ChainLink) GetSource

func (x *ChainLink) GetSource() isChainLink_Source

func (*ChainLink) ProtoMessage

func (*ChainLink) ProtoMessage()

func (*ChainLink) ProtoReflect

func (x *ChainLink) ProtoReflect() protoreflect.Message

func (*ChainLink) Reset

func (x *ChainLink) Reset()

func (*ChainLink) String

func (x *ChainLink) String() string
// ChainLink_Predicate is the ChainedPredicate variant of ChainLink.Source.
// The trailing comment records a second variant (ChainedOutput, field 2) that
// is not generated in this version.
type ChainLink_Predicate struct {
	Predicate *ChainedPredicate `protobuf:"bytes,1,opt,name=predicate,proto3,oneof"` // ChainedOutput output = 2;
}

type ChainProvider added in v0.4.1

// ChainProvider is implemented by types that carry an evidence chain;
// both Policy and PolicyGroup expose GetChain.
type ChainProvider interface {
	GetChain() []*ChainLink
}

type ChainedOutput

// ChainedOutput names a policy/tenet pair. It is referenced only by the
// commented-out second ChainLink source ("ChainedOutput output = 2;"), so it
// is presumably meant to let a chain consume another tenet's output — not
// wired up in the visible code; confirm before relying on it.
type ChainedOutput struct {
	// Policy identifier
	Policy string `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"`
	// Tenet identifier within that policy
	Tenet  string `protobuf:"bytes,2,opt,name=tenet,proto3" json:"tenet,omitempty"`
	// contains filtered or unexported fields
}

func (*ChainedOutput) Descriptor deprecated

func (*ChainedOutput) Descriptor() ([]byte, []int)

Deprecated: Use ChainedOutput.ProtoReflect.Descriptor instead.

func (*ChainedOutput) GetPolicy

func (x *ChainedOutput) GetPolicy() string

func (*ChainedOutput) GetTenet

func (x *ChainedOutput) GetTenet() string

func (*ChainedOutput) ProtoMessage

func (*ChainedOutput) ProtoMessage()

func (*ChainedOutput) ProtoReflect

func (x *ChainedOutput) ProtoReflect() protoreflect.Message

func (*ChainedOutput) Reset

func (x *ChainedOutput) Reset()

func (*ChainedOutput) String

func (x *ChainedOutput) String() string

type ChainedPredicate

// ChainedPredicate describes how a chain link derives a new effective subject
// from an attestation of the current subject (see the type doc below).
type ChainedPredicate struct {
	// Predicate type of the attestation the selector reads from
	Type       string          `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
	// Selector executed by Runtime against the attestation; expected to return a
	// hash string or an in-toto resource descriptor
	Selector   string          `protobuf:"bytes,2,opt,name=selector,proto3" json:"selector,omitempty"`
	// Runtime that executes Selector (same identifier scheme as Meta.Runtime)
	Runtime    string          `protobuf:"bytes,3,opt,name=runtime,proto3" json:"runtime,omitempty"`
	// Identities the attestation must be signed by. Because the selector's result
	// replaces the subject for the rest of the evaluation, an attestation that is
	// not verified against these identities would let the remaining tenets run
	// against a subject chosen by whoever produced that attestation.
	// (Field number 4 is skipped in the descriptor.)
	Identities []*v11.Identity `protobuf:"bytes,5,rep,name=identities,proto3" json:"identities,omitempty"`
	// contains filtered or unexported fields
}

ChainedPredicate links a subject to another by extracting data from attestations of the first. The spec requires a `selector` to be executed by the specified `runtime` on an attestation of type `type`.

The selector exec is expected to return either a hash string or a struct that looks like an in-toto resource descriptor, which becomes the new effective subject for the rest of the evaluation. Because the result replaces the subject, the attestation the selector reads from should be one whose signature was verified against the link's `identities`; a chain link built from an unverified attestation would let the remaining tenets be evaluated against a subject the attestation's author chose.

func (*ChainedPredicate) Descriptor deprecated

func (*ChainedPredicate) Descriptor() ([]byte, []int)

Deprecated: Use ChainedPredicate.ProtoReflect.Descriptor instead.

func (*ChainedPredicate) GetIdentities

func (x *ChainedPredicate) GetIdentities() []*v11.Identity

func (*ChainedPredicate) GetRuntime

func (x *ChainedPredicate) GetRuntime() string

func (*ChainedPredicate) GetSelector

func (x *ChainedPredicate) GetSelector() string

func (*ChainedPredicate) GetType

func (x *ChainedPredicate) GetType() string

func (*ChainedPredicate) ProtoMessage

func (*ChainedPredicate) ProtoMessage()

func (*ChainedPredicate) ProtoReflect

func (x *ChainedPredicate) ProtoReflect() protoreflect.Message

func (*ChainedPredicate) Reset

func (x *ChainedPredicate) Reset()

func (*ChainedPredicate) String

func (x *ChainedPredicate) String() string

type ChainedSubject

// ChainedSubject records one hop of an evidence chain: the source descriptor,
// the destination descriptor derived from it, and the link (attestation)
// that justifies the derivation.
type ChainedSubject struct {

	// source resource descriptor. The source provides evidence (attestations)
	// to compute a new resource descriptor (the destination) which becomes the
	// effective subject of the policy.
	Source *v1.ResourceDescriptor `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"`
	// destination resource descriptor, computed from one of the source's attestations
	Destination *v1.ResourceDescriptor `protobuf:"bytes,2,opt,name=destination,proto3" json:"destination,omitempty"`
	// The link records how the source and destination are connected by keeping
	// track of the ingested attestation (its type, coordinates and the identities
	// it was verified against). It is the audit trail for the hop.
	Link *ChainedSubjectLink `protobuf:"bytes,3,opt,name=link,proto3" json:"link,omitempty"`
	// contains filtered or unexported fields
}

ChainedSubject is a resource descriptor synthesized by analyzing the source descriptor's evidence (an attestation) and computing a new descriptor from its predicate data.

func (*ChainedSubject) Descriptor deprecated

func (*ChainedSubject) Descriptor() ([]byte, []int)

Deprecated: Use ChainedSubject.ProtoReflect.Descriptor instead.

func (*ChainedSubject) GetDestination

func (x *ChainedSubject) GetDestination() *v1.ResourceDescriptor
func (x *ChainedSubject) GetLink() *ChainedSubjectLink

func (*ChainedSubject) GetSource

func (x *ChainedSubject) GetSource() *v1.ResourceDescriptor

func (*ChainedSubject) ProtoMessage

func (*ChainedSubject) ProtoMessage()

func (*ChainedSubject) ProtoReflect

func (x *ChainedSubject) ProtoReflect() protoreflect.Message

func (*ChainedSubject) Reset

func (x *ChainedSubject) Reset()

func (*ChainedSubject) String

func (x *ChainedSubject) String() string
// ChainedSubjectLink records the attestation that connects a source subject
// to the destination subject derived from it.
type ChainedSubjectLink struct {

	// Predicate type of the linker attestation
	Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
	// attestation coordinates
	Attestation *v1.ResourceDescriptor `protobuf:"bytes,2,opt,name=attestation,proto3" json:"attestation,omitempty"`
	// identities used to verify the attestation at ingestion time (if any).
	// An empty list means no identity was recorded for this link; consumers that
	// require signed evidence should check this rather than assume verification
	// took place.
	Identities []*v11.Identity `protobuf:"bytes,3,rep,name=identities,proto3" json:"identities,omitempty"`
	// contains filtered or unexported fields
}

ChainedSubjectLink links two subjects with a signed attestation. A chained subject sits between two resource descriptors. The source descriptor matches the link's attestation subjects. The destination descriptor is computed by extracting data from the attestation predicate.

func (*ChainedSubjectLink) Descriptor deprecated

func (*ChainedSubjectLink) Descriptor() ([]byte, []int)

Deprecated: Use ChainedSubjectLink.ProtoReflect.Descriptor instead.

func (*ChainedSubjectLink) GetAttestation

func (x *ChainedSubjectLink) GetAttestation() *v1.ResourceDescriptor

func (*ChainedSubjectLink) GetIdentities added in v0.1.2

func (x *ChainedSubjectLink) GetIdentities() []*v11.Identity

func (*ChainedSubjectLink) GetType

func (x *ChainedSubjectLink) GetType() string

func (*ChainedSubjectLink) ProtoMessage

func (*ChainedSubjectLink) ProtoMessage()

func (*ChainedSubjectLink) ProtoReflect

func (x *ChainedSubjectLink) ProtoReflect() protoreflect.Message

func (*ChainedSubjectLink) Reset

func (x *ChainedSubjectLink) Reset()

func (*ChainedSubjectLink) String

func (x *ChainedSubjectLink) String() string

type ChangeLog added in v0.4.5

// ChangeLog is one entry of Meta.Changelog, recording a change made to the
// policy or policyset code.
type ChangeLog struct {

	// Changelog message
	Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
	// Recorded date of the change (optional)
	Date *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=date,proto3,oneof" json:"date,omitempty"`
	// Version number when the change was introduced (optional)
	Version *string `protobuf:"bytes,3,opt,name=version,proto3,oneof" json:"version,omitempty"`
	// contains filtered or unexported fields
}

ChangeLog records a change in the policy or policyset code.

func (*ChangeLog) Descriptor deprecated added in v0.4.5

func (*ChangeLog) Descriptor() ([]byte, []int)

Deprecated: Use ChangeLog.ProtoReflect.Descriptor instead.

func (*ChangeLog) GetDate added in v0.4.5

func (x *ChangeLog) GetDate() *timestamppb.Timestamp

func (*ChangeLog) GetMessage added in v0.4.5

func (x *ChangeLog) GetMessage() string

func (*ChangeLog) GetVersion added in v0.4.5

func (x *ChangeLog) GetVersion() string

func (*ChangeLog) ProtoMessage added in v0.4.5

func (*ChangeLog) ProtoMessage()

func (*ChangeLog) ProtoReflect added in v0.4.5

func (x *ChangeLog) ProtoReflect() protoreflect.Message

func (*ChangeLog) Reset added in v0.4.5

func (x *ChangeLog) Reset()

func (*ChangeLog) String added in v0.4.5

func (x *ChangeLog) String() string

type CommonProvider added in v0.4.1

// CommonProvider is implemented by types that carry a PolicySetCommon block
// of data shared by their policies (PolicyGroup exposes GetCommon).
type CommonProvider interface {
	GetCommon() *PolicySetCommon
}

type ContextVal

// ContextVal is a typed, optionally required context value consumed by a
// policy. It has a static form (Value/Default) and a dynamic form
// (Expression/Runtime); the two are mutually exclusive (see Merge/Validate).
type ContextVal struct {

	// Data type of the context value. Enforced values are "string", "int", "bool", "float".
	// NOTE(review): only bool/string/int have ContextType* constants in this
	// package; confirm whether "float" is actually accepted.
	Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
	// Required flag. If set to true, policies will not evaluate if the context value is not set.
	Required *bool `protobuf:"varint,2,opt,name=required,proto3,oneof" json:"required,omitempty"`
	// Value field. If the ContextVal is typed, the data should be castable to the type defined in Type.
	Value *structpb.Value `protobuf:"bytes,3,opt,name=value,proto3,oneof" json:"value,omitempty"`
	// Default value when ContextVal is not set. If the ContextVal is typed, the
	// default value should be castable into the type defined in type
	Default *structpb.Value `protobuf:"bytes,4,opt,name=default,proto3,oneof" json:"default,omitempty"`
	// Human readable description of the ContextValue
	Description *string `protobuf:"bytes,5,opt,name=description,proto3,oneof" json:"description,omitempty"`
	// Expression is an evaluator-language snippet resolved at evaluation time
	// to produce the context value dynamically (e.g. from the subject under
	// evaluation). It is mutually exclusive with both `value` and `default`,
	// since an expression is a burned-in computation with no static fallback.
	// NOTE(review): an expression is code run by the evaluator. Merge accepts
	// an expression from the merged-in ContextVal, so callers should only merge
	// definitions from trusted (policy-author) sources, not from the external
	// sources that supply runtime context values.
	Expression *string `protobuf:"bytes,6,opt,name=expression,proto3,oneof" json:"expression,omitempty"`
	// Runtime selects the evaluator used to resolve `expression`. When empty,
	// the policy's default runtime is used.
	Runtime *string `protobuf:"bytes,7,opt,name=runtime,proto3,oneof" json:"runtime,omitempty"`
	// contains filtered or unexported fields
}

ContextVal defines a contextual value needed by a policy. Context values are supplied from external sources at runtime; a value marked required that is left unset causes the policy to fail.

func (*ContextVal) Descriptor deprecated

func (*ContextVal) Descriptor() ([]byte, []int)

Deprecated: Use ContextVal.ProtoReflect.Descriptor instead.

func (*ContextVal) GetDefault

func (x *ContextVal) GetDefault() *structpb.Value

func (*ContextVal) GetDescription added in v0.2.1

func (x *ContextVal) GetDescription() string

func (*ContextVal) GetExpression added in v0.5.0

func (x *ContextVal) GetExpression() string

func (*ContextVal) GetRequired

func (x *ContextVal) GetRequired() bool

func (*ContextVal) GetRuntime added in v0.5.0

func (x *ContextVal) GetRuntime() string

func (*ContextVal) GetType

func (x *ContextVal) GetType() string

func (*ContextVal) GetValue

func (x *ContextVal) GetValue() *structpb.Value

func (*ContextVal) Merge

func (cv *ContextVal) Merge(cv2 *ContextVal)

Merge merges the values set in cv2 into cv. If values are not set nothing is replaced.

Static (value/default) and dynamic (expression/runtime) forms are mutually exclusive, so when cv2 introduces one form, any stale fields of the other form on cv are cleared before applying cv2's values. This keeps a merged ContextVal within the shape Validate() accepts.

func (*ContextVal) ProtoMessage

func (*ContextVal) ProtoMessage()

func (*ContextVal) ProtoReflect

func (x *ContextVal) ProtoReflect() protoreflect.Message

func (*ContextVal) Reset

func (x *ContextVal) Reset()

func (*ContextVal) String

func (x *ContextVal) String() string

func (*ContextVal) Validate added in v0.3.0

func (cv *ContextVal) Validate() error

Validate checks that the ContextVal is well-formed; in particular the static (value/default) and dynamic (expression/runtime) forms must not both be set (see Merge).

type Control

// Control maps a policy (or block) to a single control of a security
// framework. Label() renders the unified label for it.
type Control struct {

	// Control ID string.
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Human readable description of the control
	Title string `protobuf:"bytes,2,opt,name=title,proto3" json:"title,omitempty"`
	// Framework identifier string (matches FrameworkRef.Id)
	Framework string `protobuf:"bytes,3,opt,name=framework,proto3" json:"framework,omitempty"`
	// Control class/family within its framework
	Class string `protobuf:"bytes,4,opt,name=class,proto3" json:"class,omitempty"`
	// Subitem identifier of control checks
	Item string `protobuf:"bytes,5,opt,name=item,proto3" json:"item,omitempty"`
	// contains filtered or unexported fields
}

Control is a mapping tying the policy to a framework control.

func (*Control) Descriptor deprecated

func (*Control) Descriptor() ([]byte, []int)

Deprecated: Use Control.ProtoReflect.Descriptor instead.

func (*Control) GetClass

func (x *Control) GetClass() string

func (*Control) GetFramework

func (x *Control) GetFramework() string

func (*Control) GetId

func (x *Control) GetId() string

func (*Control) GetItem added in v0.4.2

func (x *Control) GetItem() string

func (*Control) GetTitle

func (x *Control) GetTitle() string

func (*Control) Label added in v0.2.1

func (ctl *Control) Label() string

Label returns the unified label for the control

func (*Control) ProtoMessage

func (*Control) ProtoMessage()

func (*Control) ProtoReflect

func (x *Control) ProtoReflect() protoreflect.Message

func (*Control) Reset

func (x *Control) Reset()

func (*Control) String

func (x *Control) String() string

type Error

// Error describes why an evaluation did not pass. It is attached to
// EvalResult/BlockEvalResult and is surfaced to the user.
type Error struct {

	// Message contains the condition that failed to be met, causing the policy to fail.
	Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
	// Guidance is an optional text record that is surfaced to the user with
	// suggestions to make the policy evaluation pass.
	Guidance string `protobuf:"bytes,2,opt,name=guidance,proto3" json:"guidance,omitempty"`
	// contains filtered or unexported fields
}

Error is returned when a policy is evaluated successfully (the runtime did not fail) but the policy's conditions are not met; it reports a policy failure, as opposed to an evaluation error.

func (*Error) Descriptor deprecated

func (*Error) Descriptor() ([]byte, []int)

Deprecated: Use Error.ProtoReflect.Descriptor instead.

func (*Error) GetGuidance

func (x *Error) GetGuidance() string

func (*Error) GetMessage

func (x *Error) GetMessage() string

func (*Error) ProtoMessage

func (*Error) ProtoMessage()

func (*Error) ProtoReflect

func (x *Error) ProtoReflect() protoreflect.Message

func (*Error) Reset

func (x *Error) Reset()

func (*Error) String

func (x *Error) String() string

type EvalResult

// EvalResult is the result of evaluating a single tenet. A policy Result
// holds one EvalResult per tenet.
type EvalResult struct {

	// id transferred from the tenet identifier
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// status holds the PASS/FAIL/SOFTFAIL status of the eval (see the Status* constants)
	Status string `protobuf:"bytes,2,opt,name=status,proto3" json:"status,omitempty"`
	// date when the evaluation was done
	Date *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=date,proto3" json:"date,omitempty"`
	// output holds the data structure of the evaluated outputs
	Output *structpb.Struct `protobuf:"bytes,4,opt,name=output,proto3" json:"output,omitempty"`
	// statements imported as evidence to evaluate the tenet
	Statements []*StatementRef `protobuf:"bytes,5,rep,name=statements,proto3" json:"statements,omitempty"`
	// error struct when evaluation failed
	Error *Error `protobuf:"bytes,6,opt,name=error,proto3" json:"error,omitempty"`
	// assessment outcome when evaluation passed
	Assessment *Assessment `protobuf:"bytes,7,opt,name=assessment,proto3" json:"assessment,omitempty"`
	// contains filtered or unexported fields
}

EvalResult captures the results of a tenet evaluation. A policy `Result` contains a list of EvalResults, one for each of its tenets.

func (*EvalResult) Descriptor deprecated

func (*EvalResult) Descriptor() ([]byte, []int)

Deprecated: Use EvalResult.ProtoReflect.Descriptor instead.

func (*EvalResult) GetAssessment

func (x *EvalResult) GetAssessment() *Assessment

func (*EvalResult) GetDate

func (x *EvalResult) GetDate() *timestamppb.Timestamp

func (*EvalResult) GetError

func (x *EvalResult) GetError() *Error

func (*EvalResult) GetId

func (x *EvalResult) GetId() string

func (*EvalResult) GetOutput

func (x *EvalResult) GetOutput() *structpb.Struct

func (*EvalResult) GetStatements

func (x *EvalResult) GetStatements() []*StatementRef

func (*EvalResult) GetStatus

func (x *EvalResult) GetStatus() string

func (*EvalResult) MarshalJSON

func (er *EvalResult) MarshalJSON() ([]byte, error)

func (*EvalResult) ProtoMessage

func (*EvalResult) ProtoMessage()

func (*EvalResult) ProtoReflect

func (x *EvalResult) ProtoReflect() protoreflect.Message

func (*EvalResult) Reset

func (x *EvalResult) Reset()

func (*EvalResult) String

func (x *EvalResult) String() string

type FrameworkRef

// FrameworkRef identifies a security framework and points at its definition;
// Control.Framework refers to it by Id.
type FrameworkRef struct {

	// String identifier for the framework
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Security framework name
	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
	// Link to the framework definition
	Definition *v1.ResourceDescriptor `protobuf:"bytes,3,opt,name=definition,proto3" json:"definition,omitempty"`
	// contains filtered or unexported fields
}

FrameworkRef is a reference to a security framework. The reference binds the controls tested by each policy to the framework definition.

func (*FrameworkRef) Descriptor deprecated

func (*FrameworkRef) Descriptor() ([]byte, []int)

Deprecated: Use FrameworkRef.ProtoReflect.Descriptor instead.

func (*FrameworkRef) GetDefinition

func (x *FrameworkRef) GetDefinition() *v1.ResourceDescriptor

func (*FrameworkRef) GetId

func (x *FrameworkRef) GetId() string

func (*FrameworkRef) GetName

func (x *FrameworkRef) GetName() string

func (*FrameworkRef) ProtoMessage

func (*FrameworkRef) ProtoMessage()

func (*FrameworkRef) ProtoReflect

func (x *FrameworkRef) ProtoReflect() protoreflect.Message

func (*FrameworkRef) Reset

func (x *FrameworkRef) Reset()

func (*FrameworkRef) String

func (x *FrameworkRef) String() string

type Meta

// Meta holds the descriptive and behavioural metadata of a Policy: runtime,
// assert mode, enforcement, controls, versioning, expiration and origin.
type Meta struct {

	// Runtime identifier. Defines the runtime and version. Eg cel/v0
	Runtime string `protobuf:"bytes,1,opt,name=runtime,proto3" json:"runtime,omitempty"`
	// Human readable description of the policy.
	Description string `protobuf:"bytes,2,opt,name=description,proto3" json:"description,omitempty"`
	// AssertMode. Controls if one tenet or all must pass for the policy to pass.
	AssertMode string `protobuf:"bytes,3,opt,name=assert_mode,json=assertMode,proto3" json:"assert_mode,omitempty"`
	// Control references. Reference to framework controls the policy verifies.
	Controls []*Control `protobuf:"bytes,4,rep,name=controls,proto3" json:"controls,omitempty"`
	// Version is an integer marking the policy version. Optional.
	Version int64 `protobuf:"varint,5,opt,name=version,proto3" json:"version,omitempty"`
	// Enforce controls if a FAILED policy returns FAIL or SOFTFAIL. Values "Y"/"N"
	// NOTE(review): PolicyBlockMeta.Enforce documents "ON"/"OFF" for the same
	// concept — confirm which spellings the evaluator accepts at each level.
	Enforce string `protobuf:"bytes,6,opt,name=enforce,proto3" json:"enforce,omitempty"`
	// Expiration date. Policies can expire as defined by this optional field.
	Expiration *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=expiration,proto3,oneof" json:"expiration,omitempty"`
	// Origin captures the origin of a policy when the compiler gathers its data.
	Origin *v1.ResourceDescriptor `protobuf:"bytes,8,opt,name=origin,proto3,oneof" json:"origin,omitempty"`
	// Policy changelog
	Changelog []*ChangeLog `protobuf:"bytes,9,rep,name=changelog,proto3" json:"changelog,omitempty"`
	// contains filtered or unexported fields
}

Meta contains information about the policy itself

func (*Meta) Descriptor deprecated

func (*Meta) Descriptor() ([]byte, []int)

Deprecated: Use Meta.ProtoReflect.Descriptor instead.

func (*Meta) GetAssertMode

func (x *Meta) GetAssertMode() string

func (*Meta) GetChangelog added in v0.4.5

func (x *Meta) GetChangelog() []*ChangeLog

func (*Meta) GetControls

func (x *Meta) GetControls() []*Control

func (*Meta) GetDescription

func (x *Meta) GetDescription() string

func (*Meta) GetEnforce

func (x *Meta) GetEnforce() string

func (*Meta) GetExpiration

func (x *Meta) GetExpiration() *timestamppb.Timestamp

func (*Meta) GetOrigin added in v0.2.1

func (x *Meta) GetOrigin() *v1.ResourceDescriptor

func (*Meta) GetRuntime

func (x *Meta) GetRuntime() string

func (*Meta) GetVersion

func (x *Meta) GetVersion() int64

func (*Meta) ProtoMessage

func (*Meta) ProtoMessage()

func (*Meta) ProtoReflect

func (x *Meta) ProtoReflect() protoreflect.Message

func (*Meta) Reset

func (x *Meta) Reset()

func (*Meta) String

func (x *Meta) String() string

type Output

// Output is a named value produced by an evaluation. How Code is interpreted
// is not visible in this package — see EvalResult.Output for the aggregated form.
type Output struct {
	// Code identifies the output
	Code  string          `protobuf:"bytes,1,opt,name=code,proto3" json:"code,omitempty"`
	// Value is the output's data
	Value *structpb.Value `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
	// contains filtered or unexported fields
}

func (*Output) Descriptor deprecated

func (*Output) Descriptor() ([]byte, []int)

Deprecated: Use Output.ProtoReflect.Descriptor instead.

func (*Output) GetCode

func (x *Output) GetCode() string

func (*Output) GetValue

func (x *Output) GetValue() *structpb.Value

func (*Output) ProtoMessage

func (*Output) ProtoMessage()

func (*Output) ProtoReflect

func (x *Output) ProtoReflect() protoreflect.Message

func (*Output) Reset

func (x *Output) Reset()

func (*Output) String

func (x *Output) String() string

type Policy

// Policy is a single evaluable policy: its metadata, the context values it
// needs, the evidence chain that computes its subject, the identities its
// evidence must be signed by, and the tenets that are evaluated.
type Policy struct {
	// Policy identifier
	Id           string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Reference to where the policy was loaded from
	Source       *PolicyRef             `protobuf:"bytes,2,opt,name=source,proto3" json:"source,omitempty"`
	// Descriptive and behavioural metadata (runtime, enforce, expiration, ...)
	Meta         *Meta                  `protobuf:"bytes,3,opt,name=meta,proto3" json:"meta,omitempty"`
	// Context values needed by the policy; see ContextMap for static resolution
	Context      map[string]*ContextVal `` /* 141-byte string literal not displayed */
	// Evidence chain used to derive the effective subject (see ChainedPredicate)
	Chain        []*ChainLink           `protobuf:"bytes,5,rep,name=chain,proto3" json:"chain,omitempty"`
	// Identities attestations must be signed by; PublicKeys() returns the keys defined here
	Identities   []*v11.Identity        `protobuf:"bytes,6,rep,name=identities,proto3" json:"identities,omitempty"`
	// Predicate specification (PredicateSpec is defined elsewhere; presumably
	// which predicate types the policy consumes — confirm)
	Predicates   *PredicateSpec         `protobuf:"bytes,7,opt,name=predicates,proto3" json:"predicates,omitempty"`
	// Transformers applied to evidence before evaluation (type defined elsewhere)
	Transformers []*Transformer         `protobuf:"bytes,8,rep,name=transformers,proto3" json:"transformers,omitempty"`
	// Tenets evaluated by the policy; each yields one EvalResult
	Tenets       []*Tenet               `protobuf:"bytes,9,rep,name=tenets,proto3" json:"tenets,omitempty"`
	// contains filtered or unexported fields
}

func (*Policy) ContextMap

func (p *Policy) ContextMap() map[string]any

ContextMap compiles the context data values into a map, filling the fields with their defaults when needed. Entries whose value is resolved dynamically via an `expression` are skipped: they cannot be known without an evaluator and an evaluation context.

func (*Policy) Descriptor deprecated

func (*Policy) Descriptor() ([]byte, []int)

Deprecated: Use Policy.ProtoReflect.Descriptor instead.

func (*Policy) GetChain

func (x *Policy) GetChain() []*ChainLink

func (*Policy) GetContext

func (x *Policy) GetContext() map[string]*ContextVal

func (*Policy) GetId

func (x *Policy) GetId() string

func (*Policy) GetIdentities

func (x *Policy) GetIdentities() []*v11.Identity

func (*Policy) GetMeta

func (x *Policy) GetMeta() *Meta

func (*Policy) GetOrigin added in v0.2.1

func (p *Policy) GetOrigin() attestation.Subject

GetOrigin returns the coordinates where the predicate data originated from.

func (*Policy) GetPredicates

func (x *Policy) GetPredicates() *PredicateSpec

func (*Policy) GetSource

func (x *Policy) GetSource() *PolicyRef

func (*Policy) GetTenets

func (x *Policy) GetTenets() []*Tenet

func (*Policy) GetTransformers

func (x *Policy) GetTransformers() []*Transformer

func (*Policy) ProtoMessage

func (*Policy) ProtoMessage()

func (*Policy) ProtoReflect

func (x *Policy) ProtoReflect() protoreflect.Message

func (*Policy) PublicKeys added in v0.2.1

func (p *Policy) PublicKeys() ([]key.PublicKeyProvider, error)

PublicKeys returns any public keys defined in the policy identities

func (*Policy) Reset

func (x *Policy) Reset()

func (*Policy) SetOrigin added in v0.2.1

func (p *Policy) SetOrigin(origin attestation.Subject)

SetOrigin sets the origin of the policy. It is designed to match the signature of the attestation.Predicate method, but if the argument is a resource descriptor, then we will clone it and use its value.

func (*Policy) String

func (x *Policy) String() string

func (*Policy) TestsControl

func (policy *Policy) TestsControl(ctrl *Control) bool

func (*Policy) Validate

func (p *Policy) Validate() error

Validate checks the policy structure to ensure fields and structural values are correct. It is not yet exhaustive (the upstream note says it still needs work), so callers should not treat a nil error as proof that a policy is complete or safe to enforce.

type PolicyBlock added in v0.4.0

// PolicyBlock groups policies inside a PolicySet so that block-level
// properties (assert mode, enforcement, controls) apply to all of them.
type PolicyBlock struct {

	// ID string identifying the block
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Meta contains the metadata describing the block
	Meta *PolicyBlockMeta `protobuf:"bytes,2,opt,name=meta,proto3" json:"meta,omitempty"`
	// Policies is the list of policies grouped in the block
	Policies []*Policy `protobuf:"bytes,3,rep,name=policies,proto3" json:"policies,omitempty"`
	// contains filtered or unexported fields
}

PolicyBlock groups policies in the PolicySet to apply properties to more than one policy at once.

func (*PolicyBlock) Descriptor deprecated added in v0.4.0

func (*PolicyBlock) Descriptor() ([]byte, []int)

Deprecated: Use PolicyBlock.ProtoReflect.Descriptor instead.

func (*PolicyBlock) GetId added in v0.4.0

func (x *PolicyBlock) GetId() string

func (*PolicyBlock) GetMeta added in v0.4.0

func (x *PolicyBlock) GetMeta() *PolicyBlockMeta

func (*PolicyBlock) GetPolicies added in v0.4.0

func (x *PolicyBlock) GetPolicies() []*Policy

func (*PolicyBlock) ProtoMessage added in v0.4.0

func (*PolicyBlock) ProtoMessage()

func (*PolicyBlock) ProtoReflect added in v0.4.0

func (x *PolicyBlock) ProtoReflect() protoreflect.Message

func (*PolicyBlock) Reset added in v0.4.0

func (x *PolicyBlock) Reset()

func (*PolicyBlock) String added in v0.4.0

func (x *PolicyBlock) String() string

type PolicyBlockMeta added in v0.4.1

// PolicyBlockMeta is the metadata of a PolicyBlock; it mirrors the subset of
// Meta that makes sense at block level.
type PolicyBlockMeta struct {

	// Description of the policy block
	Description string `protobuf:"bytes,1,opt,name=description,proto3" json:"description,omitempty"`
	// Assert mode to consider the policy block passing (OR or AND)
	AssertMode string `protobuf:"bytes,2,opt,name=assert_mode,json=assertMode,proto3" json:"assert_mode,omitempty"`
	// Enforce the block (ON or OFF)
	// NOTE(review): Meta.Enforce documents "Y"/"N" for the policy-level field —
	// confirm which spellings the evaluator accepts at each level.
	Enforce string `protobuf:"bytes,3,opt,name=enforce,proto3" json:"enforce,omitempty"`
	// Framework controls fronted by the block
	Controls []*Control `protobuf:"bytes,4,rep,name=controls,proto3" json:"controls,omitempty"`
	// contains filtered or unexported fields
}

PolicyBlockMeta defines the metadata definition of a policy block

func (*PolicyBlockMeta) Descriptor deprecated added in v0.4.1

func (*PolicyBlockMeta) Descriptor() ([]byte, []int)

Deprecated: Use PolicyBlockMeta.ProtoReflect.Descriptor instead.

func (*PolicyBlockMeta) GetAssertMode added in v0.4.1

func (x *PolicyBlockMeta) GetAssertMode() string

func (*PolicyBlockMeta) GetControls added in v0.4.1

func (x *PolicyBlockMeta) GetControls() []*Control

func (*PolicyBlockMeta) GetDescription added in v0.4.1

func (x *PolicyBlockMeta) GetDescription() string

func (*PolicyBlockMeta) GetEnforce added in v0.4.1

func (x *PolicyBlockMeta) GetEnforce() string

func (*PolicyBlockMeta) ProtoMessage added in v0.4.1

func (*PolicyBlockMeta) ProtoMessage()

func (*PolicyBlockMeta) ProtoReflect added in v0.4.1

func (x *PolicyBlockMeta) ProtoReflect() protoreflect.Message

func (*PolicyBlockMeta) Reset added in v0.4.1

func (x *PolicyBlockMeta) Reset()

func (*PolicyBlockMeta) String added in v0.4.1

func (x *PolicyBlockMeta) String() string

type PolicyGroup added in v0.4.0

// PolicyGroup is the structure of a policy set: shared common data, the
// policy blocks it is made of, and the evidence chain that computes the
// subjects the group applies to.
type PolicyGroup struct {

	// Group identifier
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Group metadata
	Meta *PolicyGroupMeta `protobuf:"bytes,2,opt,name=meta,proto3" json:"meta,omitempty"`
	// Common groups the common data elements to be shared by all the
	// policies in the group.
	Common *PolicySetCommon `protobuf:"bytes,3,opt,name=common,proto3" json:"common,omitempty"`
	// Group reference
	Source *PolicyGroupRef `protobuf:"bytes,4,opt,name=source,proto3" json:"source,omitempty"`
	// Policy blocks modeling the group behaviour.
	Blocks []*PolicyBlock `protobuf:"bytes,5,rep,name=blocks,proto3" json:"blocks,omitempty"`
	// Chain is the evidence chain to compute a set of subjects to which
	// PolicyGroup will apply.
	Chain []*ChainLink `protobuf:"bytes,6,rep,name=chain,proto3" json:"chain,omitempty"`
	// contains filtered or unexported fields
}

PolicyGroup captures the structure of a policy set: its shared common data, the policy blocks it is made of, and the evidence chain used to compute the subjects the group applies to.

func (*PolicyGroup) Descriptor deprecated added in v0.4.0

func (*PolicyGroup) Descriptor() ([]byte, []int)

Deprecated: Use PolicyGroup.ProtoReflect.Descriptor instead.

func (*PolicyGroup) GetBlocks added in v0.4.0

func (x *PolicyGroup) GetBlocks() []*PolicyBlock

func (*PolicyGroup) GetChain added in v0.4.1

func (x *PolicyGroup) GetChain() []*ChainLink

func (*PolicyGroup) GetCommon added in v0.4.1

func (x *PolicyGroup) GetCommon() *PolicySetCommon

func (*PolicyGroup) GetId added in v0.4.0

func (x *PolicyGroup) GetId() string

func (*PolicyGroup) GetMeta added in v0.4.0

func (x *PolicyGroup) GetMeta() *PolicyGroupMeta

func (*PolicyGroup) GetOrigin added in v0.4.1

func (grp *PolicyGroup) GetOrigin() attestation.Subject

GetOrigin returns the coordinates where the predicate data originated from.

func (*PolicyGroup) GetSource added in v0.4.0

func (x *PolicyGroup) GetSource() *PolicyGroupRef

func (*PolicyGroup) ProtoMessage added in v0.4.0

func (*PolicyGroup) ProtoMessage()

func (*PolicyGroup) ProtoReflect added in v0.4.0

func (x *PolicyGroup) ProtoReflect() protoreflect.Message

func (*PolicyGroup) PublicKeys added in v0.4.1

func (grp *PolicyGroup) PublicKeys() ([]key.PublicKeyProvider, error)

PublicKeys returns any public keys defined in the policy identities

func (*PolicyGroup) Reset added in v0.4.0

func (x *PolicyGroup) Reset()

func (*PolicyGroup) SetOrigin added in v0.4.1

func (grp *PolicyGroup) SetOrigin(origin attestation.Subject)

SetOrigin sets the origin of the policy. It is designed to match the signature of the attestation.Predicate method, but if the argument is a resource descriptor, then we will clone it and use its value.

func (*PolicyGroup) String added in v0.4.0

func (x *PolicyGroup) String() string

func (*PolicyGroup) Validate added in v0.4.0

func (grp *PolicyGroup) Validate() error

Validate checks the consistency of the policy group

type PolicyGroupMeta added in v0.4.0

// PolicyGroupMeta is the metadata definition of a policy group.
type PolicyGroupMeta struct {

	// Description of the policy group
	Description string `protobuf:"bytes,1,opt,name=description,proto3" json:"description,omitempty"`
	// Version of the group
	Version int64 `protobuf:"varint,2,opt,name=version,proto3" json:"version,omitempty"`
	// Controls fronted by the policy group
	Controls []*Control `protobuf:"bytes,3,rep,name=controls,proto3" json:"controls,omitempty"`
	// Enforce the group (ON or OFF). NOTE(review): PolicySetMeta.Enforce
	// documents that OFF turns failures into SOFTFAIL and that the default is
	// ON; whether the same applies at group level is not visible here — confirm.
	Enforce string `protobuf:"bytes,4,opt,name=enforce,proto3" json:"enforce,omitempty"`
	// Expiration date of the policy group. Presumably evaluated like
	// PolicySetMeta.Expiration (the group fails once the date has passed) — confirm.
	Expiration *timestamppb.Timestamp `protobuf:"bytes,5,opt,name=expiration,proto3,oneof" json:"expiration,omitempty"`
	// Source of the group data when compiled from remote sources
	Origin *v1.ResourceDescriptor `protobuf:"bytes,6,opt,name=origin,proto3,oneof" json:"origin,omitempty"`
	// Runtime engine identifier. Defaults to cel/v0 in AMPEL.
	Runtime string `protobuf:"bytes,7,opt,name=runtime,proto3" json:"runtime,omitempty"`
	// PolicyGroup changelog
	Changelog []*ChangeLog `protobuf:"bytes,8,rep,name=changelog,proto3" json:"changelog,omitempty"`
	// Assert mode to consider the policy group passing (OR or AND)
	AssertMode string `protobuf:"bytes,9,opt,name=assert_mode,json=assertMode,proto3" json:"assert_mode,omitempty"`
	// contains filtered or unexported fields
}

PolicyGroupMeta is the metadata definition of a policy group

func (*PolicyGroupMeta) Descriptor deprecated added in v0.4.0

func (*PolicyGroupMeta) Descriptor() ([]byte, []int)

Deprecated: Use PolicyGroupMeta.ProtoReflect.Descriptor instead.

func (*PolicyGroupMeta) GetAssertMode added in v0.5.0

func (x *PolicyGroupMeta) GetAssertMode() string

func (*PolicyGroupMeta) GetChangelog added in v0.4.5

func (x *PolicyGroupMeta) GetChangelog() []*ChangeLog

func (*PolicyGroupMeta) GetControls added in v0.4.0

func (x *PolicyGroupMeta) GetControls() []*Control

func (*PolicyGroupMeta) GetDescription added in v0.4.0

func (x *PolicyGroupMeta) GetDescription() string

func (*PolicyGroupMeta) GetEnforce added in v0.4.0

func (x *PolicyGroupMeta) GetEnforce() string

func (*PolicyGroupMeta) GetExpiration added in v0.4.0

func (x *PolicyGroupMeta) GetExpiration() *timestamppb.Timestamp

func (*PolicyGroupMeta) GetOrigin added in v0.4.0

func (x *PolicyGroupMeta) GetOrigin() *v1.ResourceDescriptor

func (*PolicyGroupMeta) GetRuntime added in v0.4.1

func (x *PolicyGroupMeta) GetRuntime() string

func (*PolicyGroupMeta) GetVersion added in v0.4.0

func (x *PolicyGroupMeta) GetVersion() int64

func (*PolicyGroupMeta) ProtoMessage added in v0.4.0

func (*PolicyGroupMeta) ProtoMessage()

func (*PolicyGroupMeta) ProtoReflect added in v0.4.0

func (x *PolicyGroupMeta) ProtoReflect() protoreflect.Message

func (*PolicyGroupMeta) Reset added in v0.4.0

func (x *PolicyGroupMeta) Reset()

func (*PolicyGroupMeta) String added in v0.4.0

func (x *PolicyGroupMeta) String() string

type PolicyGroupRef added in v0.4.0

// PolicyGroupRef references a policy group that lives outside the current
// document. It satisfies RemoteReference together with PolicyRef.
type PolicyGroupRef struct {

	// Group ID
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Pinned version of the group
	Version int64 `protobuf:"varint,2,opt,name=version,proto3" json:"version,omitempty"`
	// Expected identity when the group file is signed.
	// NOTE(review): what happens when Identity is unset (whether the fetched
	// group is then accepted without a signature check) is not visible here —
	// confirm in the loader before relying on it.
	Identity *v11.Identity `protobuf:"bytes,3,opt,name=identity,proto3" json:"identity,omitempty"`
	// Source location when referenced remotely. GetSourceURL reads the
	// descriptor's DownloadLocation first and falls back to its URI.
	Location *v1.ResourceDescriptor `protobuf:"bytes,4,opt,name=location,proto3" json:"location,omitempty"`
	// contains filtered or unexported fields
}

PolicyGroupRef references a group remotely

func (*PolicyGroupRef) Descriptor deprecated added in v0.4.0

func (*PolicyGroupRef) Descriptor() ([]byte, []int)

Deprecated: Use PolicyGroupRef.ProtoReflect.Descriptor instead.

func (*PolicyGroupRef) GetId added in v0.4.0

func (x *PolicyGroupRef) GetId() string

func (*PolicyGroupRef) GetIdentity added in v0.4.0

func (x *PolicyGroupRef) GetIdentity() *v11.Identity

func (*PolicyGroupRef) GetLocation added in v0.4.0

func (x *PolicyGroupRef) GetLocation() *v1.ResourceDescriptor

func (*PolicyGroupRef) GetSourceURL added in v0.4.0

func (ref *PolicyGroupRef) GetSourceURL() string

GetSourceURL returns the URL to fetch the policy group. First, it will try the DownloadLocation; if that is empty it returns the URI.

func (*PolicyGroupRef) GetVersion added in v0.4.0

func (x *PolicyGroupRef) GetVersion() int64

func (*PolicyGroupRef) ProtoMessage added in v0.4.0

func (*PolicyGroupRef) ProtoMessage()

func (*PolicyGroupRef) ProtoReflect added in v0.4.0

func (x *PolicyGroupRef) ProtoReflect() protoreflect.Message

func (*PolicyGroupRef) Reset added in v0.4.0

func (x *PolicyGroupRef) Reset()

func (*PolicyGroupRef) SetVersion added in v0.4.0

func (ref *PolicyGroupRef) SetVersion(v int64)

func (*PolicyGroupRef) String added in v0.4.0

func (x *PolicyGroupRef) String() string

type PolicyRef

// PolicyRef references a policy by identifier, optionally pinned to a
// version, signing identity and remote location. Its fields mirror
// PolicyGroupRef and both types satisfy RemoteReference.
type PolicyRef struct {
	// Id is the identifier of the referenced policy.
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Version is the pinned policy version; SetVersion updates it.
	Version int64 `protobuf:"varint,2,opt,name=version,proto3" json:"version,omitempty"`
	// Identity is presumably the identity the policy file is expected to be
	// signed with, as in PolicyGroupRef.Identity — confirm.
	Identity *v11.Identity `protobuf:"bytes,3,opt,name=identity,proto3" json:"identity,omitempty"`
	// Location is the source descriptor when the policy is referenced
	// remotely; GetSourceURL reads its DownloadLocation first, then its URI.
	Location *v1.ResourceDescriptor `protobuf:"bytes,4,opt,name=location,proto3" json:"location,omitempty"`
	// contains filtered or unexported fields
}

func (*PolicyRef) Descriptor deprecated

func (*PolicyRef) Descriptor() ([]byte, []int)

Deprecated: Use PolicyRef.ProtoReflect.Descriptor instead.

func (*PolicyRef) GetId

func (x *PolicyRef) GetId() string

func (*PolicyRef) GetIdentity

func (x *PolicyRef) GetIdentity() *v11.Identity

func (*PolicyRef) GetLocation

func (x *PolicyRef) GetLocation() *v1.ResourceDescriptor

func (*PolicyRef) GetSourceURL

func (ref *PolicyRef) GetSourceURL() string

GetSourceURL returns the URL to fetch the policy. First, it will try the DownloadLocation; if that is empty it returns the URI.

func (*PolicyRef) GetVersion

func (x *PolicyRef) GetVersion() int64

func (*PolicyRef) ProtoMessage

func (*PolicyRef) ProtoMessage()

func (*PolicyRef) ProtoReflect

func (x *PolicyRef) ProtoReflect() protoreflect.Message

func (*PolicyRef) Reset

func (x *PolicyRef) Reset()

func (*PolicyRef) SetVersion added in v0.4.0

func (ref *PolicyRef) SetVersion(v int64)

func (*PolicyRef) String

func (x *PolicyRef) String() string

func (*PolicyRef) Validate

func (ref *PolicyRef) Validate() error

Validate returns an error if the reference is not valid

type PolicySet

// PolicySet is the top-level policy document: a set of policies and policy
// groups with shared metadata, common data and an evidence chain. It also
// acts as an attestation predicate (see GetType, GetOrigin, GetVerification).
type PolicySet struct {

	// ID is the policySet identifier
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Meta holds the PolicySet metadata information
	Meta *PolicySetMeta `protobuf:"bytes,2,opt,name=meta,proto3" json:"meta,omitempty"`
	// Common groups the common data elements to be shared by all the
	// policies in the set.
	Common *PolicySetCommon `protobuf:"bytes,3,opt,name=common,proto3" json:"common,omitempty"`
	// Policies is the list of policies grouped in the PolicySet
	Policies []*Policy `protobuf:"bytes,4,rep,name=policies,proto3" json:"policies,omitempty"`
	// Chain is the evidence chain to compute a set of subjects to which
	// all the policies will apply.
	Chain []*ChainLink `protobuf:"bytes,5,rep,name=chain,proto3" json:"chain,omitempty"`
	// PolicyGroup definitions
	Groups []*PolicyGroup `protobuf:"bytes,6,rep,name=groups,proto3" json:"groups,omitempty"`
	// contains filtered or unexported fields
}

func (*PolicySet) ContextMap

func (s *PolicySet) ContextMap() map[string]any

ContextMap compiles the context data values into a map, filling the fields with their defaults when needed. Entries whose value is resolved dynamically via an `expression` are skipped: they cannot be known without an evaluator and an evaluation context.

func (*PolicySet) Descriptor deprecated

func (*PolicySet) Descriptor() ([]byte, []int)

Deprecated: Use PolicySet.ProtoReflect.Descriptor instead.

func (*PolicySet) GetChain added in v0.2.1

func (x *PolicySet) GetChain() []*ChainLink

func (*PolicySet) GetCommon

func (x *PolicySet) GetCommon() *PolicySetCommon

func (*PolicySet) GetData

func (set *PolicySet) GetData() []byte

GetData returns the policy set data marshaled as json.

func (*PolicySet) GetGroups added in v0.4.0

func (x *PolicySet) GetGroups() []*PolicyGroup

func (*PolicySet) GetId

func (x *PolicySet) GetId() string

func (*PolicySet) GetMeta

func (x *PolicySet) GetMeta() *PolicySetMeta

func (*PolicySet) GetOrigin

func (s *PolicySet) GetOrigin() attestation.Subject

GetOrigin returns the coordinates where the predicate data originated from.

func (*PolicySet) GetParsed

func (set *PolicySet) GetParsed() any

GetParsed returns the PolicySet go struct.

func (*PolicySet) GetPolicies

func (x *PolicySet) GetPolicies() []*Policy

func (*PolicySet) GetType

func (set *PolicySet) GetType() attestation.PredicateType

func (*PolicySet) GetVerification

func (set *PolicySet) GetVerification() attestation.Verification

GetVerification returns the signature verification generated from the envelope parser. The verification may contain details about the integrity, identity and signature guarding the PolicySet.

func (*PolicySet) ProtoMessage

func (*PolicySet) ProtoMessage()

func (*PolicySet) ProtoReflect

func (x *PolicySet) ProtoReflect() protoreflect.Message

func (*PolicySet) PublicKeys added in v0.2.1

func (s *PolicySet) PublicKeys() ([]key.PublicKeyProvider, error)

PublicKeys returns any public keys defined in the policy identities

func (*PolicySet) Reset

func (x *PolicySet) Reset()

func (*PolicySet) SetOrigin

func (s *PolicySet) SetOrigin(origin attestation.Subject)

SetOrigin sets the origin of the policy. It is designed to match the signature of the attestation.Predicate method, but if the argument is a resource descriptor, then we will clone it and use its value.

func (*PolicySet) SetType

func (set *PolicySet) SetType(attestation.PredicateType) error

func (*PolicySet) SetVerification

func (set *PolicySet) SetVerification(attestation.Verification)

SetVerification gets the signature verification data from the envelope parser before discarding the envelope. This is supposed to be stored for later retrieval. Note: Currently NOOP.

func (*PolicySet) String

func (x *PolicySet) String() string

func (*PolicySet) Validate

func (set *PolicySet) Validate() error

type PolicySetCommon

// PolicySetCommon holds the common data elements shared by all the policies
// in a PolicySet or PolicyGroup.
type PolicySetCommon struct {
	// Identities are the identities shared by the policies. PolicySet.PublicKeys
	// and PolicyGroup.PublicKeys return any public keys defined in them.
	Identities []*v11.Identity        `protobuf:"bytes,1,rep,name=identities,proto3" json:"identities,omitempty"`
	// References are policy references shared by the set.
	References []*PolicyRef           `protobuf:"bytes,2,rep,name=references,proto3" json:"references,omitempty"`
	// Context holds the context value definitions; PolicySet.ContextMap
	// resolves them into a map, applying defaults and skipping entries whose
	// value comes from an `expression`.
	Context    map[string]*ContextVal `` /* 141-byte string literal not displayed */
	// contains filtered or unexported fields
}

func (*PolicySetCommon) Descriptor deprecated

func (*PolicySetCommon) Descriptor() ([]byte, []int)

Deprecated: Use PolicySetCommon.ProtoReflect.Descriptor instead.

func (*PolicySetCommon) GetContext

func (x *PolicySetCommon) GetContext() map[string]*ContextVal

func (*PolicySetCommon) GetIdentities

func (x *PolicySetCommon) GetIdentities() []*v11.Identity

func (*PolicySetCommon) GetReferences

func (x *PolicySetCommon) GetReferences() []*PolicyRef

func (*PolicySetCommon) ProtoMessage

func (*PolicySetCommon) ProtoMessage()

func (*PolicySetCommon) ProtoReflect

func (x *PolicySetCommon) ProtoReflect() protoreflect.Message

func (*PolicySetCommon) Reset

func (x *PolicySetCommon) Reset()

func (*PolicySetCommon) String

func (x *PolicySetCommon) String() string

type PolicySetMeta

// PolicySetMeta captures data about a policy set: default runtime,
// description, expiration, version, enforcement mode, framework references,
// origin and changelog.
type PolicySetMeta struct {

	// Runtime to use as default for policies. Defines the runtime and version
	// to use when evaluating policy code. Defaults to cel/v0 in AMPEL.
	Runtime string `protobuf:"bytes,1,opt,name=runtime,proto3" json:"runtime,omitempty"`
	// Human description of the PolicySet
	Description string `protobuf:"bytes,2,opt,name=description,proto3" json:"description,omitempty"`
	// Expiration date. When set, the policyset will fail if the expiration date
	// has passed.
	Expiration *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=expiration,proto3" json:"expiration,omitempty"`
	// Version of the PolicySet.
	Version int64 `protobuf:"varint,4,opt,name=version,proto3" json:"version,omitempty"`
	// Enforce marks if the policy engine returns FAIL or SOFTFAIL if policies
	// fail. Values "ON"/"OFF", defaults to "ON". Note that OFF still reports
	// the failure (as SOFTFAIL) rather than hiding it.
	Enforce string `protobuf:"bytes,5,opt,name=enforce,proto3" json:"enforce,omitempty"`
	// Framework references checked by this policy set. The references give
	// meaning to control references in the policies.
	Frameworks []*FrameworkRef `protobuf:"bytes,6,rep,name=frameworks,proto3" json:"frameworks,omitempty"`
	// Origin of the policyset's data, recorded when compiled.
	Origin *v1.ResourceDescriptor `protobuf:"bytes,7,opt,name=origin,proto3,oneof" json:"origin,omitempty"`
	// PolicySet changelog, records the changes in the policy code
	Changelog []*ChangeLog `protobuf:"bytes,8,rep,name=changelog,proto3" json:"changelog,omitempty"`
	// contains filtered or unexported fields
}

PolicySetMeta captures data about a policy set.

func (*PolicySetMeta) Descriptor deprecated

func (*PolicySetMeta) Descriptor() ([]byte, []int)

Deprecated: Use PolicySetMeta.ProtoReflect.Descriptor instead.

func (*PolicySetMeta) GetChangelog added in v0.4.5

func (x *PolicySetMeta) GetChangelog() []*ChangeLog

func (*PolicySetMeta) GetDescription

func (x *PolicySetMeta) GetDescription() string

func (*PolicySetMeta) GetEnforce

func (x *PolicySetMeta) GetEnforce() string

func (*PolicySetMeta) GetExpiration

func (x *PolicySetMeta) GetExpiration() *timestamppb.Timestamp

func (*PolicySetMeta) GetFrameworks

func (x *PolicySetMeta) GetFrameworks() []*FrameworkRef

func (*PolicySetMeta) GetOrigin added in v0.2.1

func (x *PolicySetMeta) GetOrigin() *v1.ResourceDescriptor

func (*PolicySetMeta) GetRuntime

func (x *PolicySetMeta) GetRuntime() string

func (*PolicySetMeta) GetVersion

func (x *PolicySetMeta) GetVersion() int64

func (*PolicySetMeta) ProtoMessage

func (*PolicySetMeta) ProtoMessage()

func (*PolicySetMeta) ProtoReflect

func (x *PolicySetMeta) ProtoReflect() protoreflect.Message

func (*PolicySetMeta) Reset

func (x *PolicySetMeta) Reset()

func (*PolicySetMeta) String

func (x *PolicySetMeta) String() string

type PredicateSpec

// PredicateSpec describes the predicates a Tenet works on (see Tenet.Predicates).
type PredicateSpec struct {
	// Types lists predicate type identifiers. Presumably the attestation
	// predicate types the tenet consumes — confirm against the evaluator.
	Types []string `protobuf:"bytes,1,rep,name=types,proto3" json:"types,omitempty"`
	// Limit is presumably a cap on the number of predicates considered — confirm.
	// NOTE(review): the meaning of the proto3 zero value (0 = unlimited, or 0
	// = none) is not visible here; document it where it is interpreted.
	Limit int32    `protobuf:"varint,2,opt,name=limit,proto3" json:"limit,omitempty"`
	// contains filtered or unexported fields
}

func (*PredicateSpec) Descriptor deprecated

func (*PredicateSpec) Descriptor() ([]byte, []int)

Deprecated: Use PredicateSpec.ProtoReflect.Descriptor instead.

func (*PredicateSpec) GetLimit

func (x *PredicateSpec) GetLimit() int32

func (*PredicateSpec) GetTypes

func (x *PredicateSpec) GetTypes() []string

func (*PredicateSpec) ProtoMessage

func (*PredicateSpec) ProtoMessage()

func (*PredicateSpec) ProtoReflect

func (x *PredicateSpec) ProtoReflect() protoreflect.Message

func (*PredicateSpec) Reset

func (x *PredicateSpec) Reset()

func (*PredicateSpec) String

func (x *PredicateSpec) String() string

type RemoteReference added in v0.4.0

// RemoteReference is an interface to handle policy and group references.
// PolicyRef and PolicyGroupRef both expose these methods.
// NOTE(review): the method set names sapi.Identity and intoto.ResourceDescriptor
// while the structs use v11.Identity and v1.ResourceDescriptor; presumably the
// same packages under different import aliases — confirm.
type RemoteReference interface {
	GetId() string
	GetIdentity() *sapi.Identity
	GetLocation() *intoto.ResourceDescriptor
	// GetSourceURL returns the location to fetch from: DownloadLocation
	// first, then the URI.
	GetSourceURL() string
	GetVersion() int64
	SetVersion(int64)
}

RemoteReference is an interface to handle policy and group references

type Result

// Result captures the results of a policy evaluation. It is computed after
// evaluating all the policy's tenets and satisfies the Results interface.
type Result struct {

	// status holds the PASS/FAIL/SOFTFAIL status label of the Policy evaluation
	Status string `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
	// Time when the policy evaluation started
	DateStart *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=date_start,json=dateStart,proto3" json:"date_start,omitempty"`
	// Time when the policy evaluation concluded
	DateEnd *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=date_end,json=dateEnd,proto3" json:"date_end,omitempty"`
	// Reference to the policy code
	Policy *PolicyRef `protobuf:"bytes,4,opt,name=policy,proto3" json:"policy,omitempty"`
	// eval_results holds each of the tenet's evaluation results
	EvalResults []*EvalResult `protobuf:"bytes,5,rep,name=eval_results,json=evalResults,proto3" json:"eval_results,omitempty"`
	// meta from the original policy
	Meta *Meta `protobuf:"bytes,6,opt,name=meta,proto3" json:"meta,omitempty"`
	// context data loaded into the policy runtime
	Context *structpb.Struct `protobuf:"bytes,7,opt,name=context,proto3" json:"context,omitempty"`
	// chain holds the custody chain configuration when a policy uses chained subjects
	Chain []*ChainedSubject `protobuf:"bytes,8,rep,name=chain,proto3" json:"chain,omitempty"`
	// original subject under scrutiny. This may not be the effective subject if
	// the policy uses chained subjects.
	Subject *v1.ResourceDescriptor `protobuf:"bytes,9,opt,name=subject,proto3" json:"subject,omitempty"`
	// contains filtered or unexported fields
}

Result captures the results of a policy evaluation. This structure is computed after evaluating all the policy's tenets.

func (*Result) Descriptor deprecated

func (*Result) Descriptor() ([]byte, []int)

Deprecated: Use Result.ProtoReflect.Descriptor instead.

func (*Result) GetChain

func (x *Result) GetChain() []*ChainedSubject

func (*Result) GetContext

func (x *Result) GetContext() *structpb.Struct

func (*Result) GetDateEnd

func (x *Result) GetDateEnd() *timestamppb.Timestamp

func (*Result) GetDateStart

func (x *Result) GetDateStart() *timestamppb.Timestamp

func (*Result) GetEvalResults

func (x *Result) GetEvalResults() []*EvalResult

func (*Result) GetMeta

func (x *Result) GetMeta() *Meta

func (*Result) GetPolicy

func (x *Result) GetPolicy() *PolicyRef

func (*Result) GetStatus

func (x *Result) GetStatus() string

func (*Result) GetSubject

func (x *Result) GetSubject() *v1.ResourceDescriptor

func (*Result) MarshalJSON

func (r *Result) MarshalJSON() ([]byte, error)

func (*Result) ProtoMessage

func (*Result) ProtoMessage()

func (*Result) ProtoReflect

func (x *Result) ProtoReflect() protoreflect.Message

func (*Result) Reset

func (x *Result) Reset()

func (*Result) String

func (x *Result) String() string

type ResultGroup added in v0.4.1

// ResultGroup captures the results of a PolicyGroup evaluation. It holds the
// results for all blocks in the group and satisfies the Results interface.
type ResultGroup struct {

	// status holds the PASS/FAIL/SOFTFAIL status label of the group evaluation
	Status string `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
	// Time when the group evaluation started
	DateStart *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=date_start,json=dateStart,proto3" json:"date_start,omitempty"`
	// Time when the group evaluation concluded
	DateEnd *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=date_end,json=dateEnd,proto3" json:"date_end,omitempty"`
	// Reference to the policy group
	Group *PolicyGroupRef `protobuf:"bytes,4,opt,name=group,proto3" json:"group,omitempty"`
	// eval_results holds the evaluation result of each block in the group
	EvalResults []*BlockEvalResult `protobuf:"bytes,5,rep,name=eval_results,json=evalResults,proto3" json:"eval_results,omitempty"`
	// meta from the original policy group
	Meta *PolicyGroupMeta `protobuf:"bytes,6,opt,name=meta,proto3" json:"meta,omitempty"`
	// context data loaded into the policy runtime
	Context *structpb.Struct `protobuf:"bytes,7,opt,name=context,proto3" json:"context,omitempty"`
	// chain holds the custody chain configuration when a policy uses chained subjects
	Chain []*ChainedSubject `protobuf:"bytes,8,rep,name=chain,proto3" json:"chain,omitempty"`
	// original subject under scrutiny. This may not be the effective subject if
	// the policy uses chained subjects.
	Subject *v1.ResourceDescriptor `protobuf:"bytes,9,opt,name=subject,proto3" json:"subject,omitempty"`
	// The ResultSet common struct varies from its policySet sibling as here,
	// the contextual information has the computed values, not the definitions.
	Common *ResultSetCommon `protobuf:"bytes,10,opt,name=common,proto3" json:"common,omitempty"`
	// Error contains the reason that caused the group evaluation to fail.
	// Unlike ResultSet.Error (an *Error message) this is a plain string, and
	// its wire/JSON name is the capitalized "Error", unlike the other fields.
	Error string `protobuf:"bytes,11,opt,name=Error,proto3" json:"Error,omitempty"`
	// contains filtered or unexported fields
}

ResultGroup captures the results of a PolicyGroup evaluation. This structure holds the results for all blocks in the group.

func (*ResultGroup) Descriptor deprecated added in v0.4.1

func (*ResultGroup) Descriptor() ([]byte, []int)

Deprecated: Use ResultGroup.ProtoReflect.Descriptor instead.

func (*ResultGroup) GetChain added in v0.4.1

func (x *ResultGroup) GetChain() []*ChainedSubject

func (*ResultGroup) GetCommon added in v0.4.1

func (x *ResultGroup) GetCommon() *ResultSetCommon

func (*ResultGroup) GetContext added in v0.4.1

func (x *ResultGroup) GetContext() *structpb.Struct

func (*ResultGroup) GetDateEnd added in v0.4.1

func (x *ResultGroup) GetDateEnd() *timestamppb.Timestamp

func (*ResultGroup) GetDateStart added in v0.4.1

func (x *ResultGroup) GetDateStart() *timestamppb.Timestamp

func (*ResultGroup) GetError added in v0.4.1

func (x *ResultGroup) GetError() string

func (*ResultGroup) GetEvalResults added in v0.4.1

func (x *ResultGroup) GetEvalResults() []*BlockEvalResult

func (*ResultGroup) GetGroup added in v0.4.1

func (x *ResultGroup) GetGroup() *PolicyGroupRef

func (*ResultGroup) GetMeta added in v0.4.1

func (x *ResultGroup) GetMeta() *PolicyGroupMeta

func (*ResultGroup) GetStatus added in v0.4.1

func (x *ResultGroup) GetStatus() string

func (*ResultGroup) GetSubject added in v0.4.1

func (x *ResultGroup) GetSubject() *v1.ResourceDescriptor

func (*ResultGroup) ProtoMessage added in v0.4.1

func (*ResultGroup) ProtoMessage()

func (*ResultGroup) ProtoReflect added in v0.4.1

func (x *ResultGroup) ProtoReflect() protoreflect.Message

func (*ResultGroup) Reset added in v0.4.1

func (x *ResultGroup) Reset()

func (*ResultGroup) String added in v0.4.1

func (x *ResultGroup) String() string

type ResultSet

// ResultSet reflects the evaluation of a PolicySet. It contains a Result entry
// for each policy in the set, a ResultGroup for each group, its overall result
// status and the original set metadata. Assert computes the finish date and
// the set-level status from the collected results.
type ResultSet struct {

	// Reference to the PolicySet that produced the ResultSet
	PolicySet *PolicyRef `protobuf:"bytes,1,opt,name=policy_set,json=policySet,proto3" json:"policy_set,omitempty"`
	// meta block transferred from the PolicySet
	Meta *PolicySetMeta `protobuf:"bytes,2,opt,name=meta,proto3" json:"meta,omitempty"`
	// status holds the PASS/FAIL/SOFTFAIL status label of the whole PolicySet evaluation
	Status string `protobuf:"bytes,3,opt,name=status,proto3" json:"status,omitempty"`
	// date_start time when the evaluation started
	DateStart *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=date_start,json=dateStart,proto3" json:"date_start,omitempty"`
	// date_end time when the evaluation finished
	DateEnd *timestamppb.Timestamp `protobuf:"bytes,5,opt,name=date_end,json=dateEnd,proto3" json:"date_end,omitempty"`
	// subject under evaluation
	Subject *v1.ResourceDescriptor `protobuf:"bytes,6,opt,name=subject,proto3" json:"subject,omitempty"`
	// results from each of the policies in the set
	Results []*Result `protobuf:"bytes,7,rep,name=results,proto3" json:"results,omitempty"`
	// groups holds the results from policy groups
	Groups []*ResultGroup `protobuf:"bytes,8,rep,name=groups,proto3" json:"groups,omitempty"`
	// error captures an error that failed the evaluation at the PolicySet level
	Error *Error `protobuf:"bytes,9,opt,name=error,proto3" json:"error,omitempty"`
	// The ResultSet common struct varies from its policySet sibling as here,
	// the contextual information has the computed values, not the definitions.
	Common *ResultSetCommon `protobuf:"bytes,10,opt,name=common,proto3" json:"common,omitempty"`
	// contains filtered or unexported fields
}

ResultSet reflects the evaluation of a PolicySet. It contains a `Result` entry for each policy in the set, its overall result status and the original set metadata.

func (*ResultSet) Assert

func (rs *ResultSet) Assert() error

Assert reads the set's results and computes the finish date and set eval status.

func (*ResultSet) Descriptor deprecated

func (*ResultSet) Descriptor() ([]byte, []int)

Deprecated: Use ResultSet.ProtoReflect.Descriptor instead.

func (*ResultSet) GetCommon added in v0.3.1

func (x *ResultSet) GetCommon() *ResultSetCommon

func (*ResultSet) GetDateEnd

func (x *ResultSet) GetDateEnd() *timestamppb.Timestamp

func (*ResultSet) GetDateStart

func (x *ResultSet) GetDateStart() *timestamppb.Timestamp

func (*ResultSet) GetError added in v0.2.1

func (x *ResultSet) GetError() *Error

func (*ResultSet) GetGroups added in v0.4.1

func (x *ResultSet) GetGroups() []*ResultGroup

func (*ResultSet) GetMeta

func (x *ResultSet) GetMeta() *PolicySetMeta

func (*ResultSet) GetPolicySet added in v0.2.1

func (x *ResultSet) GetPolicySet() *PolicyRef

func (*ResultSet) GetResults

func (x *ResultSet) GetResults() []*Result

func (*ResultSet) GetStatus

func (x *ResultSet) GetStatus() string

func (*ResultSet) GetSubject

func (x *ResultSet) GetSubject() *v1.ResourceDescriptor

func (*ResultSet) MarshalJSON

func (rs *ResultSet) MarshalJSON() ([]byte, error)

func (*ResultSet) ProtoMessage

func (*ResultSet) ProtoMessage()

func (*ResultSet) ProtoReflect

func (x *ResultSet) ProtoReflect() protoreflect.Message

func (*ResultSet) Reset

func (x *ResultSet) Reset()

func (*ResultSet) String

func (x *ResultSet) String() string

type ResultSetCommon added in v0.3.1

// ResultSetCommon is the result-side counterpart of PolicySetCommon: it
// carries the computed common context values rather than their definitions.
type ResultSetCommon struct {

	// Context contains the computed common context values.
	// Note the field number is 9, not 1, in the wire format.
	Context *structpb.Struct `protobuf:"bytes,9,opt,name=context,proto3" json:"context,omitempty"`
	// contains filtered or unexported fields
}

ResultSetCommon holds the computed common context values of a result set.

func (*ResultSetCommon) Descriptor deprecated added in v0.3.1

func (*ResultSetCommon) Descriptor() ([]byte, []int)

Deprecated: Use ResultSetCommon.ProtoReflect.Descriptor instead.

func (*ResultSetCommon) GetContext added in v0.3.1

func (x *ResultSetCommon) GetContext() *structpb.Struct

func (*ResultSetCommon) ProtoMessage added in v0.3.1

func (*ResultSetCommon) ProtoMessage()

func (*ResultSetCommon) ProtoReflect added in v0.3.1

func (x *ResultSetCommon) ProtoReflect() protoreflect.Message

func (*ResultSetCommon) Reset added in v0.3.1

func (x *ResultSetCommon) Reset()

func (*ResultSetCommon) String added in v0.3.1

func (x *ResultSetCommon) String() string

type Results

// Results is the minimal interface shared by evaluation results; Result,
// ResultGroup and ResultSet all satisfy it.
type Results interface {
	// GetStatus returns the PASS/FAIL/SOFTFAIL status label.
	GetStatus() string
}

type StatementRef

// StatementRef records the data of an ingested attestation: its predicate
// type, where it came from and which identities matched when it was verified.
type StatementRef struct {

	// type holds the predicate type of the referenced attestation
	Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
	// attestation is a resource descriptor that records the attestation coordinates
	Attestation *v1.ResourceDescriptor `protobuf:"bytes,2,opt,name=attestation,proto3" json:"attestation,omitempty"`
	// identities captures the identities matched when verifying
	// the statement. NOTE(review): whether an empty list means "not verified"
	// or "verified, no identity constraint" is not visible here — consumers
	// should confirm before treating the statement as trusted on this basis.
	Identities []*v11.Identity `protobuf:"bytes,3,rep,name=identities,proto3" json:"identities,omitempty"`
	// contains filtered or unexported fields
}

StatementRef records the data of an ingested attestation

func (*StatementRef) Descriptor deprecated

func (*StatementRef) Descriptor() ([]byte, []int)

Deprecated: Use StatementRef.ProtoReflect.Descriptor instead.

func (*StatementRef) GetAttestation

func (x *StatementRef) GetAttestation() *v1.ResourceDescriptor

func (*StatementRef) GetIdentities added in v0.1.2

func (x *StatementRef) GetIdentities() []*v11.Identity

func (*StatementRef) GetType

func (x *StatementRef) GetType() string

func (*StatementRef) ProtoMessage

func (*StatementRef) ProtoMessage()

func (*StatementRef) ProtoReflect

func (x *StatementRef) ProtoReflect() protoreflect.Message

func (*StatementRef) Reset

func (x *StatementRef) Reset()

func (*StatementRef) String

func (x *StatementRef) String() string

type Tenet

// Tenet is the foundational condition of a policy. It is held as a truth that
// needs to be proven for the policy to pass.
type Tenet struct {
	// Id identifies the tenet within its policy.
	Id         string             `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Runtime is the runtime identifier for this tenet. PolicySetMeta.Runtime
	// documents the set-level default (cel/v0 in AMPEL); whether this field
	// overrides it per tenet is not visible here — confirm.
	Runtime    string             `protobuf:"bytes,2,opt,name=runtime,proto3" json:"runtime,omitempty"`
	// Code is the policy code, presumably evaluated by Runtime — confirm.
	Code       string             `protobuf:"bytes,3,opt,name=code,proto3" json:"code,omitempty"`
	// Predicates describes the predicates the tenet operates on.
	Predicates *PredicateSpec     `protobuf:"bytes,4,opt,name=predicates,proto3" json:"predicates,omitempty"`
	// Outputs maps output names to their definitions.
	Outputs    map[string]*Output `` /* 141-byte string literal not displayed */
	// Error is presumably the error to report when the tenet fails — confirm.
	Error      *Error             `protobuf:"bytes,6,opt,name=error,proto3" json:"error,omitempty"`
	// Title is a human-readable title for the tenet.
	Title      string             `protobuf:"bytes,7,opt,name=title,proto3" json:"title,omitempty"`
	// Assessment carries a message about the tenet (see Assessment.Message).
	Assessment *Assessment        `protobuf:"bytes,8,opt,name=assessment,proto3" json:"assessment,omitempty"`
	// contains filtered or unexported fields
}

Tenet is the foundational condition of a policy. It is held as a truth that needs to be proven for the policy to pass.

func (*Tenet) Descriptor deprecated

func (*Tenet) Descriptor() ([]byte, []int)

Deprecated: Use Tenet.ProtoReflect.Descriptor instead.

func (*Tenet) GetAssessment

func (x *Tenet) GetAssessment() *Assessment

func (*Tenet) GetCode

func (x *Tenet) GetCode() string

func (*Tenet) GetError

func (x *Tenet) GetError() *Error

func (*Tenet) GetId

func (x *Tenet) GetId() string

func (*Tenet) GetOutputs

func (x *Tenet) GetOutputs() map[string]*Output

func (*Tenet) GetPredicates

func (x *Tenet) GetPredicates() *PredicateSpec

func (*Tenet) GetRuntime

func (x *Tenet) GetRuntime() string

func (*Tenet) GetTitle

func (x *Tenet) GetTitle() string

func (*Tenet) ProtoMessage

func (*Tenet) ProtoMessage()

func (*Tenet) ProtoReflect

func (x *Tenet) ProtoReflect() protoreflect.Message

func (*Tenet) Reset

func (x *Tenet) Reset()

func (*Tenet) String

func (x *Tenet) String() string

type Transformer

// Transformer loads and configures a transformer to operate on the policy data
// before the predicates reach the runtime. Transformers are selected by their
// id string and must be compiled into the AMPEL engine.
type Transformer struct {

	// Transformer identifier string, currently only internal:ID ids are recognized.
	// Optional @vM or @vM.m suffix selects a transformer version.
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Configuration struct for the transformer, implementation specific.
	// It is an untyped structpb.Struct, so each implementation is presumably
	// responsible for validating the keys and values it reads — confirm.
	Config *structpb.Struct `protobuf:"bytes,2,opt,name=config,proto3,oneof" json:"config,omitempty"`
	// contains filtered or unexported fields
}

Transformer loads and configures a transformer to operate on the policy data before the predicates reach the runtime. Transformers are loaded by their id string and need to be compiled into the AMPEL engine.

func (*Transformer) Descriptor deprecated

func (*Transformer) Descriptor() ([]byte, []int)

Deprecated: Use Transformer.ProtoReflect.Descriptor instead.

func (*Transformer) GetConfig added in v0.4.7

func (x *Transformer) GetConfig() *structpb.Struct

func (*Transformer) GetId

func (x *Transformer) GetId() string

func (*Transformer) ProtoMessage

func (*Transformer) ProtoMessage()

func (*Transformer) ProtoReflect

func (x *Transformer) ProtoReflect() protoreflect.Message

func (*Transformer) Reset

func (x *Transformer) Reset()

func (*Transformer) String

func (x *Transformer) String() string
