policies

package
v1.95.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 6, 2026 License: Apache-2.0 Imports: 35 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ComputeArguments added in v0.104.0 

func ComputeArguments(name string, inputs []*v1.PolicyInput, args map[string]string, bindings map[string]string, logger *zerolog.Logger) (map[string]string, error)

ComputeArguments takes a list of arguments, and matches it against the expected inputs. It also applies a set of interpolations if needed.

func ExtractDigest added in v0.96.6 

func ExtractDigest(ref string) (string, string)

func InterpolateGroupMaterial added in v0.104.0 

func InterpolateGroupMaterial(gm *v1.PolicyGroup_Material, bindings map[string]string) (*v1.PolicyGroup_Material, error)

InterpolateGroupMaterial returns a version of the group material with all template interpolations applied (only name is supported atm)

func IsProviderScheme added in v0.96.0 

func IsProviderScheme(ref string) bool

IsProviderScheme takes a policy reference and returns whether it's referencing to an external provider or not

func LoadPolicyScriptsFromSpec added in v0.96.9 

func LoadPolicyScriptsFromSpec(policy *v1.Policy, kind v1.CraftingSchema_Material_MaterialType, basePath string) ([]*engine.Policy, error)

LoadPolicyScriptsFromSpec loads all policy script that matches a given material type. It matches if: * the policy kind is unspecified, meaning that it was forced by name selector * the policy kind is specified, and it's equal to the material type

func LogPolicyEvaluations added in v0.96.21 

func LogPolicyEvaluations(evaluations []*v12.PolicyEvaluation, logger *zerolog.Logger)

func RefParts added in v1.54.0 

func RefParts(ref string) (string, string)

Types

type ChainloopGroupLoader added in v0.96.14 

type ChainloopGroupLoader struct {
	Client pb.AttestationServiceClient
	// contains filtered or unexported fields
}

ChainloopGroupLoader loads groups referenced with chainloop://provider/name URLs

func NewChainloopGroupLoader added in v0.96.14 

func NewChainloopGroupLoader(client pb.AttestationServiceClient, c cache.Cache[*groupWithReference]) *ChainloopGroupLoader

func (*ChainloopGroupLoader) Load added in v0.96.14 

func (c *ChainloopGroupLoader) Load(ctx context.Context, attachment *v1.PolicyGroupAttachment) (*v1.PolicyGroup, *PolicyDescriptor, error)

type ChainloopLoader added in v0.95.7 

type ChainloopLoader struct {
	Client pb.AttestationServiceClient
	// contains filtered or unexported fields
}

ChainloopLoader loads policies referenced with chainloop://provider/name URLs

func NewChainloopLoader added in v0.95.7 

func NewChainloopLoader(client pb.AttestationServiceClient, c cache.Cache[*policyWithReference]) *ChainloopLoader

func (*ChainloopLoader) Load added in v0.95.7 

func (c *ChainloopLoader) Load(ctx context.Context, attachment *v1.PolicyAttachment) (*v1.Policy, *PolicyDescriptor, error)

type EmbeddedLoader added in v0.95.7 

type EmbeddedLoader struct{}

EmbeddedLoader returns embedded policies

func (*EmbeddedLoader) Load added in v0.95.7 

func (e *EmbeddedLoader) Load(_ context.Context, attachment *v1.PolicyAttachment) (*v1.Policy, *PolicyDescriptor, error)

type EvalPhase added in v1.78.0 

type EvalPhase int

EvalPhase represents the phase of the attestation lifecycle where evaluation is happening. 

const (
	EvalPhaseUnspecified EvalPhase = iota
	EvalPhaseInit
	EvalPhasePush
)

type FileGroupLoader added in v0.96.14 

type FileGroupLoader struct{}

FileGroupLoader loader loads policies from filesystem and HTTPS references using Cosign's blob package

func (*FileGroupLoader) Load added in v0.96.14 

func (l *FileGroupLoader) Load(_ context.Context, attachment *v1.PolicyGroupAttachment) (*v1.PolicyGroup, *PolicyDescriptor, error)

type FileLoader added in v0.96.5 

type FileLoader struct{}

FileLoader loader loads policies from filesystem and HTTPS references using Cosign's blob package

func (*FileLoader) Load added in v0.96.5 

func (l *FileLoader) Load(_ context.Context, attachment *v1.PolicyAttachment) (*v1.Policy, *PolicyDescriptor, error)

type GroupLoader added in v0.96.14 

type GroupLoader interface {
	Load(context.Context, *v1.PolicyGroupAttachment) (*v1.PolicyGroup, *PolicyDescriptor, error)
}

GroupLoader defines the interface for policy loaders from contract attachments

type HTTPSGroupLoader added in v0.96.14 

type HTTPSGroupLoader struct{}

HTTPSGroupLoader loader loads policies from HTTP or HTTPS references

func (*HTTPSGroupLoader) Load added in v0.96.14 

func (l *HTTPSGroupLoader) Load(_ context.Context, attachment *v1.PolicyGroupAttachment) (*v1.PolicyGroup, *PolicyDescriptor, error)

type HTTPSLoader added in v0.96.5 

type HTTPSLoader struct{}

HTTPSLoader loader loads policies from HTTP or HTTPS references

func (*HTTPSLoader) Load added in v0.96.5 

func (l *HTTPSLoader) Load(_ context.Context, attachment *v1.PolicyAttachment) (*v1.Policy, *PolicyDescriptor, error)

type LoadPolicyGroupOptions added in v0.98.0 

type LoadPolicyGroupOptions struct {
	Client     v13.AttestationServiceClient
	Logger     *zerolog.Logger
	GroupCache cache.Cache[*groupWithReference]
}

type Loader added in v0.95.7 

type Loader interface {
	Load(context.Context, *v1.PolicyAttachment) (*v1.Policy, *PolicyDescriptor, error)
}

Loader defines the interface for policy loaders from contract attachments

type PolicyDescriptor added in v0.97.5 

type PolicyDescriptor struct {
	// FQ URI of the policy
	URI string
	// Policy name (only when it can be resolved by the loader)
	Name string
	// policy digest
	Digest string
	// Org name for custom policies (only supported by the remote ChainloopLoader)
	OrgName string
}

PolicyDescriptor Represents a policy reference. Used as FQ references.

func LoadPolicyGroup added in v0.98.0 

func LoadPolicyGroup(ctx context.Context, att *v1.PolicyGroupAttachment, opts *LoadPolicyGroupOptions) (*v1.PolicyGroup, *PolicyDescriptor, error)

LoadPolicyGroup loads a group (unmarshalls it) from a group attachment

func (*PolicyDescriptor) GetDigest added in v0.97.5 

func (p *PolicyDescriptor) GetDigest() string

func (*PolicyDescriptor) GetName added in v0.97.5 

func (p *PolicyDescriptor) GetName() string

func (*PolicyDescriptor) GetOrgName added in v0.97.5 

func (p *PolicyDescriptor) GetOrgName() string

func (*PolicyDescriptor) GetURI added in v0.97.5 

func (p *PolicyDescriptor) GetURI() string

type PolicyError added in v0.94.2 

type PolicyError struct {
	// contains filtered or unexported fields
}

func NewPolicyError added in v0.94.2 

func NewPolicyError(err error) *PolicyError

func (*PolicyError) Error added in v0.94.2 

func (e *PolicyError) Error() string

func (*PolicyError) Unwrap added in v0.96.0 

func (e *PolicyError) Unwrap() error

type PolicyGroupVerifier added in v0.96.14 

type PolicyGroupVerifier struct {
	*PolicyVerifier
	// contains filtered or unexported fields
}

func NewPolicyGroupVerifier added in v0.96.14 

func NewPolicyGroupVerifier(policyGroups []*v1.PolicyGroupAttachment, policies *v1.Policies, client v13.AttestationServiceClient, logger *zerolog.Logger, opts ...PolicyVerifierOption) *PolicyGroupVerifier

func (*PolicyGroupVerifier) VerifyMaterial added in v0.96.14 

func (pgv *PolicyGroupVerifier) VerifyMaterial(ctx context.Context, material *api.Attestation_Material, path string) ([]*api.PolicyEvaluation, error)

VerifyMaterial evaluates a material against groups of policies defined in the schema

func (*PolicyGroupVerifier) VerifyStatement added in v0.96.14 

func (pgv *PolicyGroupVerifier) VerifyStatement(ctx context.Context, statement *intoto.Statement) ([]*api.PolicyEvaluation, error)

type PolicyVerifier 

type PolicyVerifier struct {
	// contains filtered or unexported fields
}

func NewPolicyVerifier 

func NewPolicyVerifier(policies *v1.Policies, client v13.AttestationServiceClient, logger *zerolog.Logger, opts ...PolicyVerifierOption) *PolicyVerifier

func (*PolicyVerifier) VerifyMaterial added in v0.93.8 

func (pv *PolicyVerifier) VerifyMaterial(ctx context.Context, material *v12.Attestation_Material, artifactPath string) ([]*v12.PolicyEvaluation, error)

VerifyMaterial applies all required policies to a material

func (*PolicyVerifier) VerifyStatement added in v0.93.8 

func (pv *PolicyVerifier) VerifyStatement(ctx context.Context, statement *intoto.Statement) ([]*v12.PolicyEvaluation, error)

VerifyStatement verifies that the statement is compliant with the policies present in the schema

type PolicyVerifierOption added in v1.39.0 

type PolicyVerifierOption func(*PolicyVerifierOptions)

func WithAllowedHostnames added in v1.39.0 

func WithAllowedHostnames(hostnames ...string) PolicyVerifierOption

func WithDefaultGate added in v1.79.0 

func WithDefaultGate(defaultGate bool) PolicyVerifierOption

func WithEnablePrint added in v1.43.0 

func WithEnablePrint(enable bool) PolicyVerifierOption

func WithEvalPhase added in v1.78.0 

func WithEvalPhase(phase EvalPhase) PolicyVerifierOption

func WithGRPCConn added in v1.61.1 

func WithGRPCConn(conn *grpc.ClientConn) PolicyVerifierOption

func WithGroupCache added in v1.89.0 

func WithGroupCache(c cache.Cache[*groupWithReference]) PolicyVerifierOption

func WithIncludeRawData added in v1.42.0 

func WithIncludeRawData(include bool) PolicyVerifierOption

func WithMaxConcurrency added in v1.89.0 

func WithMaxConcurrency(n int) PolicyVerifierOption

func WithPolicyCache added in v1.89.0 

func WithPolicyCache(c cache.Cache[*policyWithReference]) PolicyVerifierOption

func WithProjectContext added in v1.95.3 

func WithProjectContext(name, version string) PolicyVerifierOption

WithProjectContext sets the project name and version that this verifier is evaluating policies for. The values are forwarded to the underlying policy engine so chainloop.* built-ins can scope their queries automatically. Either may be empty, in which case built-ins must degrade gracefully.

type PolicyVerifierOptions added in v1.39.0 

type PolicyVerifierOptions struct {
	AllowedHostnames   []string
	DefaultGate        bool
	IncludeRawData     bool
	EnablePrint        bool
	GRPCConn           *grpc.ClientConn
	EvalPhase          EvalPhase
	MaxConcurrency     int
	PolicyCache        cache.Cache[*policyWithReference]
	GroupCache         cache.Cache[*groupWithReference]
	ProjectName        string
	ProjectVersionName string
}

type ProviderRef added in v0.96.15 

type ProviderRef struct {
	Provider, OrgName, Name string
}

ProviderRef represents a policy provider reference

func ProviderParts added in v0.96.0 

func ProviderParts(reference string) *ProviderRef

ProviderParts returns the provider information for a given reference

type Verifier added in v0.96.14 

type Verifier interface {
	VerifyMaterial(ctx context.Context, m *v12.Attestation_Material, path string) ([]*v12.PolicyEvaluation, error)
	VerifyStatement(ctx context.Context, statement *intoto.Statement) ([]*v12.PolicyEvaluation, error)
}

Source Files

View all Source files

Directories

Path Synopsis
builtins
rego
rego/builtins
wasm

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.