policy

package module
v0.1.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 16, 2025 License: Apache-2.0 Imports: 23 Imported by: 1

README

🔴🟡🟢 AMPEL Policy Framework

This is the Policy Framework used by the The Amazing Multipurpose Policy Engine (and L) (AMPEL) policy engine.

The components housed on this repository include:

Policy and PolicySet Protobuf Definitions

This respository contains the protocol buffers definitions for the AMPEL policies and policy sets. In addition it includes the generated Go code libraries, including methods and other convenience functions.

The definitions and libraries depend on the in-toto/attestation protocol buffers definitions and code.

Policy Tooling

This repository also contains the policy tooling that AMPEL and policyctl depend on. The policy tooling includes:

Policy Compiler

The library that compiles the AMPEL policies from possibly distributed sources.

Policy Fetcher

A high performance utility that fetches policy data from repositories such as HTTP servers, git repositories, etc.

Policy Signer

Handles policy signing and verification.

This project is Copyright © by Carabiner Systems, Inc and released under the terms of the Apache 2.0 license.

Documentation

Index

Constants

View Source 
const (
	AssertModeAND = "AND"
	AssertModeOR  = "OR"

	EnforceOn  = "ON"
	EnforceOff = "OFF"
)

Variables

View Source 
var ErrParseInconsistency = errors.New("internal error: fetched reference ID and policy ID mismatch")

This error is thrown if a fetchedRef lists a policy ID not contained in its policy or policy set. If it's ever thrown it is definitely a bug:

View Source 
var ErrUnsupportedLocationURI = errors.New("unsupported policy location")

Functions

func PolicyOrSet 

func PolicyOrSet(set *api.PolicySet, pcy *api.Policy) any

PolicyOrSet takes a policy or policyset and returns the one that is not nill

Types

type Compiler 

type Compiler struct {
	Options CompilerOptions
	Store   StorageBackend
	// contains filtered or unexported fields
}

Compiler is the policy compiler

func NewCompiler 

func NewCompiler() *Compiler

func (*Compiler) Compile 

func (compiler *Compiler) Compile(data []byte) (set *api.PolicySet, pcy *api.Policy, err error)

Compile is the main method to assemble policies.

Compiling means fetching all the policy references and assembling a policy in memory from the fetched data.

func (*Compiler) CompileFile 

func (compiler *Compiler) CompileFile(path string) (set *api.PolicySet, pcy *api.Policy, err error)

CompileFile reads data from a local file and returns either a policy set or policy

func (*Compiler) CompileLocation 

func (compiler *Compiler) CompileLocation(location string) (set *api.PolicySet, pcy *api.Policy, err error)

CompileLocation takes a location string and parses a policy or policy set as read from it. The location will be tested, if it is a URL or VCS locator, it will be retrieved remotely. If its a local file, it will be read from disk. Anything else throws an error.

func (*Compiler) CompilePolicy 

func (compiler *Compiler) CompilePolicy(p *api.Policy) (*api.Policy, error)

Compile builds a policy set fetching any remote pieces as necessary

func (*Compiler) CompileRemote 

func (compiler *Compiler) CompileRemote(uri string) (set *api.PolicySet, pcy *api.Policy, err error)

CompileRemote reads a policy or policy set from a remote location. The location URI can be a git VCS locator using HTTPS or SSH as transport or an HTTPS URL.

func (*Compiler) CompileSet 

func (compiler *Compiler) CompileSet(set *api.PolicySet) (*api.PolicySet, error)

Compile builds a policy set fetching any remote pieces as necessary

type CompilerOptions 

type CompilerOptions struct {

	// MaxRemoteRecursion captures the maximum recursion level the
	// compiler will do to fetch remote content. Note that this setting
	// causes exponential requests, so be careful when defining a value.
	MaxRemoteRecursion int
}

type Fetcher 

type Fetcher struct{}

Fetcher is the ampel policy fetcher. It optimizes retrieval of policy data from repositories and source control systems.

func NewFetcher 

func NewFetcher() *Fetcher

func (*Fetcher) Get 

func (gf *Fetcher) Get(uri string) ([]byte, error)

func (*Fetcher) GetFromGit 

func (gf *Fetcher) GetFromGit(locator string) ([]byte, error)

GetFromGit gets data from a git repository at the specified revision

func (*Fetcher) GetFromHTTP 

func (gf *Fetcher) GetFromHTTP(url string) ([]byte, error)

GetFromHTTP retrieves data from an http endpoint

func (*Fetcher) GetGroup 

func (gf *Fetcher) GetGroup(uris []string) ([][]byte, error)

GetGroup fetches a list of uris that can be HTTP(S) URLs or SPDX VCS locators. The functions uses the vcslocator module and the k8s http agent to fetch in parallel. The returned slice if byte-slices is guarranteed to preserve the URL order. If a request fails, this function returns a single error and discards all data.

Retries are currently not supported but will probably be at a later point once the VCS locator module supports retrying.

type Parser 

type Parser struct {
	// contains filtered or unexported fields
}

Parser implements methods to read the policy and policy set json files. Note that the parser only deals with decoding json. Use the policy compiler to assemble policies with external/remote references.

func NewParser 

func NewParser() *Parser

NewParser creates a new policy parser

func (*Parser) Open 

func (p *Parser) Open(location string) (set *api.PolicySet, pcy *api.Policy, err error)

Open opens a Policy or policySet. This function supports remote locations (https URLs or VCS locators) and will eventually verify signatures after reading and parsing data (still under construction).

func (*Parser) ParsePolicy 

func (p *Parser) ParsePolicy(data []byte) (*api.Policy, error)

ParsePolicy parses a policy file

func (*Parser) ParsePolicyFile 

func (p *Parser) ParsePolicyFile(path string) (*api.Policy, error)

ParsePolicyFile parses a policy from a file

func (*Parser) ParsePolicyOrSet 

func (p *Parser) ParsePolicyOrSet(data []byte) (set *api.PolicySet, pcy *api.Policy, err error)

ParsePolicyOrSet takes json data and tries to parse a policy or a policy set out of it. Returns an error if the JSON data is none.

func (*Parser) ParsePolicySet 

func (p *Parser) ParsePolicySet(policySetData []byte) (*api.PolicySet, error)

ParseSet parses a policy set.

func (*Parser) ParsePolicySetFile 

func (p *Parser) ParsePolicySetFile(path string) (*api.PolicySet, error)

ParseFile parses a policySet from a file

type PolicyFetcher 

type PolicyFetcher interface {
	Get(string) ([]byte, error)
	GetGroup(uris []string) ([][]byte, error)
}

type Signer 

type Signer struct {
	Options options.SignerOptions
}

Signer is the policy/policy set signer object. Signing is done by wrapping the policies in an in-toto statement and the predicate/* wrappers before passing them to the sigstore signer.

func NewSigner 

func NewSigner(funcs ...options.SignerOptFn) *Signer

NewSigner returns a policy signer with the specified options

func (*Signer) SignPolicyData 

func (ps *Signer) SignPolicyData(data []byte, w io.Writer, funcs ...options.SignerOptFn) error

SignPolicyData signs raw policy data

func (*Signer) SignPolicyFile 

func (ps *Signer) SignPolicyFile(path string, w io.Writer, funcs ...options.SignerOptFn) error

SignBundleToFile signs a policy file and writes it to a filename derived from the original.

type StorageBackend 

type StorageBackend interface {
	StoreReference(*api.PolicyRef) error
	StoreReferenceWithReturn(*api.PolicyRef) (*api.PolicySet, *api.Policy, error)
	GetReferencedPolicy(*api.PolicyRef) (*api.Policy, error)
}

Storage backend is an interface that fronts systems that store and index policies

Source Files

View all Source files

Directories

Path Synopsis
api
v1

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.