policy



policy

This package is for attestation policy mapping and evaluation.

Documentation

Index

Constants

// DefaultQuery is the default Rego query string: it binds result to the
// document at data.attest.result. Presumably used when Policy.Query is not
// set — confirm against the evaluator.
const DefaultQuery = "result := data.attest.result"

Variables

This section is empty.

Functions

func CreateAttestationResolver

func CreateAttestationResolver(resolver oci.ImageDetailsResolver, mapping *config.PolicyMapping) (attestation.Resolver, error)

func CreateImageDetailsResolver

func CreateImageDetailsResolver(imageSource *oci.ImageSpec) (oci.ImageDetailsResolver, error)

func RegoFunctions

func RegoFunctions(resolver attestation.Resolver) []*tester.Builtin

func VerifySubject

func VerifySubject(ctx context.Context, subject []intoto.Subject, resolver attestation.Resolver) error

VerifySubject verifies whether any of the given subject PURLs matches the image name and platform from the resolver. Tags are not taken into account when matching because the user may not have specified a tag, and there may be no PURL subject with that particular tag (possibly because of post-build tagging).

Types

type Evaluator

// Evaluator evaluates a Policy against an Input and reports the outcome as a
// Result. The resolver is presumably the source of the attestations the
// policy inspects — confirm against the implementation.
//
// Known implementations on this page: NewRegoEvaluator and MockPolicyEvaluator.
type Evaluator interface {
	// Evaluate runs pctx against input. A non-nil error means evaluation
	// itself failed; a policy failure is expected to surface via Result.Success.
	Evaluate(ctx context.Context, resolver attestation.Resolver, pctx *Policy, input *Input) (*Result, error)
}

func GetMockPolicy

func GetMockPolicy() Evaluator

func NewRegoEvaluator

func NewRegoEvaluator(debug bool) Evaluator

type File

// File is an in-memory policy file: a path and its raw contents.
// Policy.InputFiles is a list of these.
type File struct {
	// Path is the file's path; whether it is relative or absolute is not
	// fixed by this declaration — check the loader.
	Path string
	// Content holds the file bytes.
	Content []byte
}

type Input

// Input is the image description handed to an Evaluator. The JSON tags are
// the keys under which the fields are exposed to the policy; do not change
// them without updating the policies that read them.
type Input struct {
	// Digest is presumably the image digest (json "digest") — confirm format.
	Digest string `json:"digest"`
	// PURL is the package URL of the image (json "purl").
	PURL string `json:"purl"`
	// Tag is optional and omitted from JSON when empty; see VerifySubject,
	// which deliberately ignores tags when matching subjects.
	Tag string `json:"tag,omitempty"`
	// Domain is the registry domain (json "domain").
	Domain string `json:"domain"`
	// NormalizedName is the canonical image name (json "normalized_name").
	NormalizedName string `json:"normalized_name"`
	// FamiliarName is the short, user-facing image name (json "familiar_name").
	FamiliarName string `json:"familiar_name"`
	// Platform is the image platform (json "platform"); its exact encoding
	// is not fixed here — confirm against the caller.
	Platform string `json:"platform"`
}

type MockPolicyEvaluator

// MockPolicyEvaluator is a test double for Evaluator. Its Evaluate method
// presumably delegates to EvaluateFunc, which has the same signature —
// confirm. GetMockPolicy returns one as an Evaluator.
type MockPolicyEvaluator struct {
	// EvaluateFunc is the behaviour injected by the test.
	EvaluateFunc func(ctx context.Context, resolver attestation.Resolver, pctx *Policy, input *Input) (*Result, error)
}

func (*MockPolicyEvaluator) Evaluate

func (pe *MockPolicyEvaluator) Evaluate(ctx context.Context, resolver attestation.Resolver, pctx *Policy, input *Input) (*Result, error)

type Options

// Options configures a Resolver (see NewResolver).
type Options struct {
	// TUFClientOptions configures the TUF client used to fetch policy.
	TUFClientOptions *tuf.ClientOptions
	// DisableTUF turns off TUF. NOTE(review): with TUF disabled, fetched
	// policy is presumably not checked against signed TUF metadata, so this
	// looks intended for local development only — confirm.
	DisableTUF bool
	// LocalTargetsDir is a local directory of targets.
	LocalTargetsDir string
	// LocalPolicyDir is a local directory of policy files.
	LocalPolicyDir string
	// PolicyID selects a policy by identifier.
	PolicyID string
	// ReferrersRepo names the repository used for referrers.
	ReferrersRepo string
	// AttestationStyle selects how attestations are located.
	AttestationStyle config.AttestationStyle
	// Debug enables debug output.
	Debug bool
}

type Policy

// Policy is a resolved policy ready for evaluation; Resolver.ResolvePolicy
// produces one and Evaluator.Evaluate consumes it.
type Policy struct {
	// InputFiles are the policy source files.
	InputFiles []*File
	// Query is the query evaluated against the policy; DefaultQuery is
	// presumably the fallback — confirm.
	Query string
	// Mapping is the policy mapping this Policy was resolved from.
	Mapping *config.PolicyMapping
	// ResolvedName is the image name the policy was resolved for.
	ResolvedName string
	// URI identifies where the policy came from; Summary.PolicyURI
	// presumably reports the same value.
	URI string
	// Digest holds digests of the policy content; the map's key scheme is
	// not fixed here — confirm (e.g. algorithm name).
	Digest map[string]string
}

type Resolver

// Resolver locates the Policy that applies to an image name; see
// ResolvePolicy. Construct it with NewResolver, which takes a tuf.Downloader
// and Options.
type Resolver struct {
	// contains filtered or unexported fields
}

func NewResolver

func NewResolver(tufClient tuf.Downloader, opts *Options) *Resolver

func (*Resolver) ResolvePolicy

func (r *Resolver) ResolvePolicy(_ context.Context, imageName string) (*Policy, error)

type Result

// Result is the outcome of evaluating a Policy. AllowedResult returns a
// passing Result.
type Result struct {
	// Success is true when the policy passed.
	Success bool `json:"success"`
	// Violations lists what the policy rejected; expected to be non-empty
	// only when Success is false — confirm.
	Violations []Violation `json:"violations"`
	// Summary describes what was verified.
	Summary Summary `json:"summary"`
}

func AllowedResult

func AllowedResult() *Result

type Summary

// Summary reports what an evaluation verified.
type Summary struct {
	// Subjects are the in-toto subjects that were matched.
	Subjects []intoto.Subject `json:"subjects"`
	// SLSALevels lists the SLSA levels established by the evaluation.
	SLSALevels []string `json:"slsa_levels"`
	// Verifier names the verifier.
	Verifier string `json:"verifier"`
	// PolicyURI identifies the policy that was applied.
	PolicyURI string `json:"policy_uri"`
}

type Violation

// Violation is one policy failure reported in Result.Violations.
type Violation struct {
	// Type classifies the violation.
	Type string `json:"type"`
	// Description is a human-readable explanation.
	Description string `json:"description"`
	// Attestation is the in-toto statement the violation relates to; it is a
	// pointer and may be nil — check before dereferencing.
	Attestation *intoto.Statement `json:"attestation"`
	// Details carries violation-specific data; its keys are policy-defined.
	Details map[string]any `json:"details"`
}
