Documentation
Index
- Variables
- type CommonEngineOptions
- type EvaluationResult
- type Option
- func WithAllowedHostnames(hostnames ...string) Option
- func WithEnablePrint(enable bool) Option
- func WithExecutionTimeout(timeout time.Duration) Option
- func WithGRPCConn(conn *grpc.ClientConn) Option
- func WithIncludeRawData(include bool) Option
- func WithLogger(logger *zerolog.Logger) Option
- func WithOperatingMode(mode int32) Option
- type Options
- type Policy
- type PolicyEngine
- type PolicyType
- type PolicyViolation
- type RawData
- type ResultFormatError
Constants
This section is empty.
Variables
var BaseAllowedHostnames = []string{
	"www.chainloop.dev",
	"www.cisa.gov",
}
BaseAllowedHostnames are the default hostnames allowed for HTTP requests in policies
Functions
This section is empty.
Types
type CommonEngineOptions (added in v1.61.1)
type CommonEngineOptions struct {
	AllowedHostnames []string
	IncludeRawData bool
	EnablePrint bool
	ControlPlaneConnection *grpc.ClientConn
}
CommonEngineOptions contains configuration options shared by all policy engines
type EvaluationResult (added in v0.96.21)
type EvaluationResult struct {
	Violations []*PolicyViolation `json:"violations"`
	Skipped bool `json:"skipped"`
	SkipReason string `json:"skipReason"`
	Ignore bool `json:"ignore"`
	RawData *RawData `json:"rawData"`
}
type Option (added in v1.61.1)
type Option func(*Options)
Option is a unified functional option for configuring policy engines
func WithAllowedHostnames (added in v1.61.1)
WithAllowedHostnames sets the list of allowed hostnames for HTTP requests. User-provided hostnames are appended to BaseAllowedHostnames.
func WithEnablePrint (added in v1.61.1)
WithEnablePrint enables print/log statements in policies
func WithExecutionTimeout (added in v1.61.1)
WithExecutionTimeout sets the WASM execution timeout
func WithGRPCConn (added in v1.61.1)
func WithGRPCConn(conn *grpc.ClientConn) Option
WithGRPCConn sets the gRPC connection for builtin functions like discover
func WithIncludeRawData (added in v1.61.1)
WithIncludeRawData sets whether to include raw input/output data in results
func WithLogger (added in v1.61.1)
WithLogger sets the WASM engine logger
func WithOperatingMode (added in v1.61.1)
WithOperatingMode sets the Rego engine operating mode (restrictive or permissive)
type Options (added in v1.61.1)
type Options struct {
	// Common options
	*CommonEngineOptions
	// Rego-specific options
	// OperatingMode defines whether the Rego engine runs in restrictive (0) or permissive (1) mode
	OperatingMode int32
	// WASM-specific options
	ExecutionTimeout time.Duration
	Logger *zerolog.Logger
}
Options contains all configuration options for policy engines
func ApplyOptions (added in v1.61.1)
ApplyOptions applies options and returns the configured Options. This automatically appends BaseAllowedHostnames to any user-provided hostnames.
type Policy
type Policy struct {
	// the source code for this policy
	Source []byte `json:"module"`
	// The unique policy name
	Name string `json:"name"`
}
Policy represents a loaded policy in any of the supported engines.
type PolicyEngine
type PolicyEngine interface {
	// Verify verifies an input against a policy
	Verify(ctx context.Context, policy *Policy, input []byte, args map[string]any) (*EvaluationResult, error)
	// MatchesParameters evaluates the matches_parameters rule to determine if evaluation parameters match expected parameters
	MatchesParameters(ctx context.Context, policy *Policy, evaluationParams, expectedParams map[string]string) (bool, error)
	// MatchesEvaluation evaluates the matches_evaluation rule using policy violations and expected parameters
	MatchesEvaluation(ctx context.Context, policy *Policy, violations []string, expectedParams map[string]string) (bool, error)
}
type PolicyType (added in v1.61.1)
type PolicyType string
PolicyType represents the type of a policy (Rego or WASM)
const (
	// PolicyTypeRego indicates a Rego-based policy
	PolicyTypeRego PolicyType = "rego"
	// PolicyTypeWASM indicates a WASM-based policy
	PolicyTypeWASM PolicyType = "wasm"
)
func DetectPolicyType (added in v1.61.1)
func DetectPolicyType(source []byte) PolicyType
DetectPolicyType determines the policy type from source bytes. WASM files start with the magic bytes 0x00 0x61 0x73 0x6d (\0asm), as documented at https://webassembly.github.io/spec/core/binary/modules.html#binary-module
type PolicyViolation
PolicyViolation represents a policy failure
type RawData (added in v1.42.0)
type RawData struct {
	Input json.RawMessage `json:"input"`
	Output json.RawMessage `json:"output"`
}
type ResultFormatError (added in v0.96.21)
type ResultFormatError struct {
	Field string
}
func (ResultFormatError) Error (added in v0.96.21)
func (e ResultFormatError) Error() string