options

package
Published: Apr 21, 2026 License: Apache-2.0 Imports: 3 Imported by: 0


Constants

// Default limit values. DefaultLimits is built from these, one constant per
// Limits field; see Limits for what each bound protects against.
const (
	DefaultMaxInputSize        int64 = 10 * 1024 * 1024 // 10 MiB; bytes per input file or network response
	DefaultMaxJSONDepth        int   = 100              // nesting depth of JSON/HJSON input
	DefaultMaxPoliciesPerSet   int   = 1000             // policies in one PolicySet
	DefaultMaxGroupsPerSet     int   = 100              // policy groups in one PolicySet
	DefaultMaxBlocksPerGroup   int   = 100              // blocks in one PolicyGroup
	DefaultMaxPoliciesPerBlock int   = 100              // policies per block in a PolicyGroup
	DefaultMaxTenetsPerPolicy  int   = 500              // tenets in one Policy
	DefaultMaxParallelFetches  int   = 50               // concurrent remote fetches
	DefaultMaxTotalFetches     int   = 100              // remote fetches over a whole compilation
)

Default limit values

Variables

// Sentinel errors for specific limit violations. Each carries only the Limit
// name; Max, Actual and Context are left at their zero values.
//
// NOTE(review): the New*Error constructors listed on this page return freshly
// allocated *LimitError values, and no Is method is listed for LimitError, so
// errors.Is(err, ErrInputSizeExceeded) would presumably not match an error built
// by NewInputSizeError — confirm how callers are expected to classify limit
// errors (e.g. errors.As into *LimitError and inspecting Limit).
var (
	ErrInputSizeExceeded        = &LimitError{Limit: "input size"}
	ErrJSONDepthExceeded        = &LimitError{Limit: "JSON depth"}
	ErrPoliciesPerSetExceeded   = &LimitError{Limit: "policies per set"}
	ErrGroupsPerSetExceeded     = &LimitError{Limit: "groups per set"}
	ErrBlocksPerGroupExceeded   = &LimitError{Limit: "blocks per group"}
	ErrPoliciesPerBlockExceeded = &LimitError{Limit: "policies per block"}
	ErrTenetsPerPolicyExceeded  = &LimitError{Limit: "tenets per policy"}
	ErrParallelFetchesExceeded  = &LimitError{Limit: "parallel fetches"}
	ErrTotalFetchesExceeded     = &LimitError{Limit: "total fetches"}
)

Sentinel errors for specific limit violations

// DefaultCompileOptions is the default CompileOptions. It embeds
// DefaultParseOptions and therefore inherits its Limits and its
// VerifySignatures=true setting.
var DefaultCompileOptions = CompileOptions{
	ParseOptions: DefaultParseOptions,
}
// DefaultLimits provides sensible default limits for DoS protection. Every
// field is set from the matching Default* constant, so no bound is left at its
// zero value; copy this value and adjust fields rather than building a Limits
// literal from scratch.
var DefaultLimits = Limits{
	MaxInputSize:        DefaultMaxInputSize,
	MaxJSONDepth:        DefaultMaxJSONDepth,
	MaxPoliciesPerSet:   DefaultMaxPoliciesPerSet,
	MaxGroupsPerSet:     DefaultMaxGroupsPerSet,
	MaxBlocksPerGroup:   DefaultMaxBlocksPerGroup,
	MaxPoliciesPerBlock: DefaultMaxPoliciesPerBlock,
	MaxTenetsPerPolicy:  DefaultMaxTenetsPerPolicy,
	MaxParallelFetches:  DefaultMaxParallelFetches,
	MaxTotalFetches:     DefaultMaxTotalFetches,
}

DefaultLimits provides sensible default limits for DoS protection.

// DefaultParseOptions is the default ParseOptions: signature verification is
// enabled, DefaultLimits is applied, and VerificationOptions is the zero value
// (no PublicKeys, no IdentityStrings).
//
// NOTE(review): with an empty PublicKeys list it is not visible on this page
// whether verification can succeed or how unsigned input is treated — confirm
// before relying on the default alone to reject unsigned policies.
var DefaultParseOptions = ParseOptions{
	VerificationOptions: DefaultVerificationOptions,
	VerifySignatures:    true,
	Limits:              DefaultLimits,
}
// DefaultSignerOptions is the zero-value SignerOptions; the type currently has
// no fields, so there is nothing to configure yet.
var DefaultSignerOptions = SignerOptions{}
// DefaultVerificationOptions is the zero-value VerificationOptions: no
// PublicKeys and no IdentityStrings. It is what DefaultParseOptions embeds.
var DefaultVerificationOptions = VerificationOptions{}
// ErrUnsupportedOptionsType is a plain sentinel (match it with errors.Is).
// NOTE(review): presumably returned by an OptFn whose Options argument is not a
// type it knows how to configure (see Options) — confirm against the With*
// implementations, which are not shown here.
var ErrUnsupportedOptionsType = errors.New("unsupported options type")

Functions

This section is empty.

Types

type CompileOptions added in v0.2.0

// CompileOptions configures compilation. It embeds ParseOptions, so the
// parse-time settings (signature verification, Limits) are fields of it too;
// DefaultCompileOptions starts from DefaultParseOptions.
type CompileOptions struct {
	ParseOptions
}

type LimitError added in v0.4.2

// LimitError represents a limit violation error with context. It is the
// concrete type behind the Err*Exceeded sentinels and the New*Error
// constructors; *LimitError implements error via Error (body not shown here).
type LimitError struct {
	// Limit is the name of the limit that was exceeded (e.g. "input size").
	Limit string
	// Max is the configured maximum value.
	Max int64
	// Actual is the actual value that exceeded the limit.
	Actual int64
	// Context provides additional context (e.g., file path, URL).
	Context string
}

LimitError represents a limit violation error with context.

func NewCollectionSizeError added in v0.4.2

func NewCollectionSizeError(limitName string, maxVal, actual int, context string) *LimitError

NewCollectionSizeError creates a new collection size limit error.

func NewInputSizeError added in v0.4.2

func NewInputSizeError(maxVal, actual int64, context string) *LimitError

NewInputSizeError creates a new input size limit error.

func NewJSONDepthError added in v0.4.2

func NewJSONDepthError(maxVal, actual int, context string) *LimitError

NewJSONDepthError creates a new JSON depth limit error.

func NewTotalFetchesError added in v0.4.2

func NewTotalFetchesError(maxVal, actual int, context string) *LimitError

NewTotalFetchesError creates a new total fetches limit error.

func (*LimitError) Error added in v0.4.2

func (e *LimitError) Error() string

type Limits added in v0.4.2

// Limits defines limits to protect against denial-of-service attacks when
// reading and processing policies. DefaultLimits populates every field from the
// Default* constants; WithLimits replaces the whole set and the WithMax*
// options adjust one field at a time.
//
// NOTE(review): what a zero or negative field means (unlimited, or reject
// everything) is not shown on this page — confirm before building a Limits
// literal by hand instead of copying DefaultLimits.
type Limits struct {
	// MaxInputSize is the maximum size in bytes for input files and network responses.
	// Default: 10 MiB
	MaxInputSize int64

	// MaxJSONDepth is the maximum nesting depth allowed in JSON/HJSON input.
	// Prevents stack overflow attacks from deeply nested structures.
	// Default: 100
	MaxJSONDepth int

	// MaxPoliciesPerSet is the maximum number of policies allowed in a PolicySet.
	// Default: 1000
	MaxPoliciesPerSet int

	// MaxGroupsPerSet is the maximum number of policy groups allowed in a PolicySet.
	// Default: 100
	MaxGroupsPerSet int

	// MaxBlocksPerGroup is the maximum number of blocks allowed in a PolicyGroup.
	// Default: 100
	MaxBlocksPerGroup int

	// MaxPoliciesPerBlock is the maximum number of policies allowed per block in a PolicyGroup.
	// Default: 100
	MaxPoliciesPerBlock int

	// MaxTenetsPerPolicy is the maximum number of tenets allowed in a Policy.
	// Default: 500
	MaxTenetsPerPolicy int

	// MaxParallelFetches is the maximum number of concurrent remote fetches.
	// Default: 50
	MaxParallelFetches int

	// MaxTotalFetches is the maximum total number of remote fetches during compilation.
	// Prevents exponential expansion attacks (e.g. a policy set that keeps
	// referencing further remote sets).
	// Default: 100
	MaxTotalFetches int
}

Limits defines limits to protect against denial-of-service attacks when reading and processing policies.

type OptFn added in v0.2.0

// OptFn is a functional option: it receives an Options value, configures it,
// and returns a non-nil error when it cannot be applied. Every With* function
// on this page produces an OptFn. NOTE(review): ErrUnsupportedOptionsType looks
// like the error for an Options value of an unexpected type — confirm.
type OptFn func(Options) error

func WithIdentityString added in v0.2.0

func WithIdentityString(istrings ...string) OptFn

func WithLimits added in v0.4.2

func WithLimits(limits Limits) OptFn

WithLimits sets all limits at once.

func WithMaxBlocksPerGroup added in v0.4.2

func WithMaxBlocksPerGroup(maxVal int) OptFn

WithMaxBlocksPerGroup sets the maximum blocks per group limit.

func WithMaxGroupsPerSet added in v0.4.2

func WithMaxGroupsPerSet(maxVal int) OptFn

WithMaxGroupsPerSet sets the maximum groups per set limit.

func WithMaxInputSize added in v0.4.2

func WithMaxInputSize(size int64) OptFn

WithMaxInputSize sets the maximum input size limit.

func WithMaxJSONDepth added in v0.4.2

func WithMaxJSONDepth(depth int) OptFn

WithMaxJSONDepth sets the maximum JSON nesting depth limit.

func WithMaxParallelFetches added in v0.4.2

func WithMaxParallelFetches(maxVal int) OptFn

WithMaxParallelFetches sets the maximum parallel fetches limit.

func WithMaxPoliciesPerBlock added in v0.4.2

func WithMaxPoliciesPerBlock(maxVal int) OptFn

WithMaxPoliciesPerBlock sets the maximum policies per block limit.

func WithMaxPoliciesPerSet added in v0.4.2

func WithMaxPoliciesPerSet(maxVal int) OptFn

WithMaxPoliciesPerSet sets the maximum policies per set limit.

func WithMaxTenetsPerPolicy added in v0.4.2

func WithMaxTenetsPerPolicy(maxVal int) OptFn

WithMaxTenetsPerPolicy sets the maximum tenets per policy limit.

func WithMaxTotalFetches added in v0.4.2

func WithMaxTotalFetches(maxVal int) OptFn

WithMaxTotalFetches sets the maximum total fetches limit.

func WithParseOptions added in v0.2.0

func WithParseOptions(newopts *ParseOptions) OptFn

WithParseOptions replaces all parse options with a new set

func WithPublicKey added in v0.2.0

func WithPublicKey(keys ...key.PublicKeyProvider) OptFn

func WithVerifySignatures added in v0.2.0

func WithVerifySignatures(doVerify bool) OptFn

WithVerifySignatures controls whether policy signatures are verified when parsed.

type Options added in v0.2.0

// Options is the untyped configuration target an OptFn receives. The concrete
// option types on this page are ParseOptions and CompileOptions; which of them
// (and whether as a pointer) a given OptFn accepts is not visible here —
// presumably a type switch with ErrUnsupportedOptionsType as the fallback.
type Options any

type ParseOptions added in v0.2.0

// ParseOptions control how the parser processes data. DefaultParseOptions is
// the intended starting point; WithParseOptions replaces the whole value.
type ParseOptions struct {
	// VerificationOptions carries the PublicKeys and IdentityStrings,
	// presumably consulted only when VerifySignatures is true — confirm.
	VerificationOptions
	// VerifySignatures enables signature verification of parsed policies
	// (true in DefaultParseOptions; toggled by WithVerifySignatures).
	VerifySignatures bool
	// Limits bounds input size, nesting depth, collection sizes and remote
	// fetches (DefaultLimits in DefaultParseOptions; see Limits).
	Limits Limits
}

ParseOptions control how the parser processes data.

type SignerOptFn

// SignerOptFn mutates a *SignerOptions in place. Unlike OptFn it takes a
// concrete pointer and cannot report an error.
type SignerOptFn func(*SignerOptions)

type SignerOptions

// SignerOptions is the target type for SignerOptFn. It currently has no
// fields; DefaultSignerOptions is its zero value.
type SignerOptions struct{}

type VerificationOptions added in v0.2.0

// VerificationOptions is the signature-verification configuration embedded in
// ParseOptions. DefaultVerificationOptions is its zero value.
type VerificationOptions struct {
	// PublicKeys lists the key providers available for verification;
	// WithPublicKey accepts values of this type. NOTE(review): presumably
	// appended to rather than replaced by WithPublicKey — confirm.
	PublicKeys []key.PublicKeyProvider
	// IdentityStrings is what WithIdentityString accepts; how they are matched
	// during verification is not shown on this page.
	IdentityStrings []string
}
