Types ¶
type Action ¶
// Action identifies the type of operation being evaluated. It is
// optional; when empty, callers should treat it as "invoke".
type Action string
Action identifies the type of operation being evaluated. It is optional; when empty callers should treat it as "invoke".
type AuditEvent ¶
// AuditEvent represents a policy evaluation audit event. Fields tagged
// omitempty are optional; Trigger, TargetType, ServerName, Result and
// Timestamp are always present in the encoded event.
type AuditEvent struct {
	// ActorType identifies the kind of actor the evaluation was made for.
	ActorType string `json:"actor_type,omitempty"`
	// ActorID identifies the actor.
	ActorID string `json:"actor_id,omitempty"`
	// ActorName is the actor's display name.
	ActorName string `json:"actor_name,omitempty"`
	// OrgID identifies the organization.
	OrgID string `json:"org_id,omitempty"`
	// OrgName is the organization's name.
	OrgName string `json:"org_name,omitempty"`
	// Trigger is the operation that triggered evaluation (see Action).
	Trigger Action `json:"trigger"`
	// TargetType is the kind of resource that was evaluated
	// (server, tool or prompt; see the AuditTarget* constants).
	TargetType AuditTargetType `json:"target_type"`
	// ServerName identifies the server the evaluation applies to.
	ServerName string `json:"server_name"`
	// ToolName identifies the tool, when applicable.
	ToolName string `json:"tool_name,omitempty"`
	// PromptName identifies the prompt, when applicable.
	PromptName string `json:"prompt_name,omitempty"`
	// CatalogName identifies the catalog, when available.
	CatalogName string `json:"catalog_name,omitempty"`
	// WorkingSet identifies the working set, when available.
	WorkingSet string `json:"working_set,omitempty"`
	// ServerType identifies the server source type, when available.
	ServerType string `json:"server_type,omitempty"`
	// ServerSource identifies the server source, when available.
	ServerSource string `json:"server_source,omitempty"`
	// Transport identifies the server transport type, when available.
	Transport string `json:"transport,omitempty"`
	// Result is the policy decision outcome (allowed or denied; see
	// the AuditResult* constants).
	Result AuditResult `json:"result"`
	// OutcomeReason records whether a policy rule or an evaluation
	// error produced the result (see the AuditOutcome* constants).
	OutcomeReason AuditOutcomeReason `json:"outcome_reason,omitempty"`
	// Reason is a human-readable explanation of the outcome.
	Reason string `json:"reason,omitempty"`
	// PolicyID identifies the policy, when available.
	PolicyID string `json:"policy_id,omitempty"`
	// PolicyVersion is the policy version, when available.
	PolicyVersion string `json:"policy_version,omitempty"`
	// PolicySource identifies where the policy came from, when available.
	PolicySource string `json:"policy_source,omitempty"`
	// ClientName identifies the client, when available.
	ClientName string `json:"client_name,omitempty"`
	// ClientVersion is the client's version, when available.
	ClientVersion string `json:"client_version,omitempty"`
	// SessionID identifies the client session, when available.
	SessionID string `json:"session_id,omitempty"`
	// TraceID identifies the trace, when available.
	TraceID string `json:"trace_id,omitempty"`
	// Timestamp records when the evaluation occurred. It is a free-form
	// string here; NOTE(review): the expected format (e.g. RFC 3339) is
	// not fixed by this type — confirm with the audit backend.
	Timestamp string `json:"timestamp"`
}
AuditEvent represents a policy evaluation audit event.
type AuditOutcomeReason ¶
// AuditOutcomeReason identifies why an audit result occurred; see the
// AuditOutcome* constants for the known values.
type AuditOutcomeReason string
AuditOutcomeReason identifies why the result occurred.
const (
	// AuditOutcomePolicyRule indicates a policy rule determined the outcome.
	AuditOutcomePolicyRule AuditOutcomeReason = "policy_rule"
	// AuditOutcomePolicyError indicates evaluation failed due to an error,
	// i.e. the outcome was not produced by a rule.
	AuditOutcomePolicyError AuditOutcomeReason = "policy_error"
)
type AuditResponse ¶
// AuditResponse represents the audit submission response.
type AuditResponse struct {
	// Accepted indicates whether the event was accepted by the backend.
	Accepted bool `json:"accepted"`
	// Message provides additional response detail, when available.
	Message string `json:"message,omitempty"`
}
AuditResponse represents the audit submission response.
type AuditResult ¶
// AuditResult identifies the policy decision outcome; see the
// AuditResult* constants for the known values.
type AuditResult string
AuditResult identifies the policy decision outcome.
// There is no separate "error" result: an evaluation failure is still
// reported as one of these two values, with AuditEvent.OutcomeReason set
// to AuditOutcomePolicyError.
const (
	// AuditResultAllowed indicates the policy allowed the action.
	AuditResultAllowed AuditResult = "allowed"
	// AuditResultDenied indicates the policy denied the action.
	AuditResultDenied AuditResult = "denied"
)
type AuditTargetType ¶
// AuditTargetType identifies the resource kind for an audit event; see the
// AuditTarget* constants for the known values.
type AuditTargetType string
AuditTargetType identifies the resource kind for an audit event.
const (
	// AuditTargetServer identifies a server target.
	AuditTargetServer AuditTargetType = "server"
	// AuditTargetTool identifies a tool target.
	AuditTargetTool AuditTargetType = "tool"
	// AuditTargetPrompt identifies a prompt target.
	AuditTargetPrompt AuditTargetType = "prompt"
)
type Client ¶
// Client performs policy checks. DesktopClient implements it against the
// Docker Desktop backend; NoopClient implements it by allowing everything.
//
// NOTE(review): the interface does not say how a non-nil error relates to
// the returned Decision. Callers should treat the error path as "no
// decision" and decide explicitly whether to fail closed, rather than
// inspecting a Decision returned alongside an error.
type Client interface {
	// Evaluate performs a single policy evaluation for req; ctx bounds
	// the call.
	Evaluate(ctx context.Context, req Request) (Decision, error)
	// EvaluateBatch performs multiple policy evaluations in a single call.
	// Returns decisions in the same order as requests.
	EvaluateBatch(ctx context.Context, reqs []Request) ([]Decision, error)
	// SubmitAudit submits a policy audit event.
	SubmitAudit(ctx context.Context, event AuditEvent) error
}
Client performs policy checks.
func NewDefaultClient ¶
NewDefaultClient returns a policy client appropriate for the current context.
type Decision ¶
// Decision is a policy evaluation result. The zero value has Allowed ==
// false, so an uninitialized Decision reads as a denial rather than an
// allow.
type Decision struct {
	// Allowed reports whether the policy permitted the request.
	Allowed bool `json:"allowed"`
	// Reason explains the decision, when available.
	Reason string `json:"reason,omitempty"`
	// Error is the error string for evaluation failures. When it is set,
	// Allowed is presumably false — TODO confirm against the evaluator.
	Error string `json:"error,omitempty"`
}
Decision is a policy evaluation result.
func DecisionForOutput ¶
DecisionForOutput returns nil for allowed decisions so policy fields are omitted from JSON/YAML output, and returns the decision for deny or error.
type DesktopClient ¶
// DesktopClient calls the Docker Desktop backend policy endpoint.
// Construct it with NewDesktopClient.
type DesktopClient struct {
	// contains filtered or unexported fields
}
DesktopClient calls the Docker Desktop backend policy endpoint.
func NewDesktopClient ¶
func NewDesktopClient() *DesktopClient
NewDesktopClient creates a new Desktop policy client.
func (*DesktopClient) Evaluate ¶
Evaluate performs a single policy evaluation via the Desktop backend.
func (*DesktopClient) EvaluateBatch ¶
EvaluateBatch performs multiple policy evaluations in a single HTTP request.
func (*DesktopClient) SubmitAudit ¶
func (c *DesktopClient) SubmitAudit(ctx context.Context, event AuditEvent) error
SubmitAudit submits an audit event via the Desktop backend.
type NoopClient ¶
// NoopClient always allows. Selecting it disables policy enforcement
// entirely. NOTE(review): if NewDefaultClient can fall back to NoopClient,
// that fallback is a fail-open path and should be visible (logged) to
// operators — confirm how the default is chosen.
type NoopClient struct{}
NoopClient always allows.
func (NoopClient) EvaluateBatch ¶
EvaluateBatch returns allowed decisions for all requests.
func (NoopClient) SubmitAudit ¶
func (NoopClient) SubmitAudit(_ context.Context, _ AuditEvent) error
SubmitAudit ignores audit events for the noop client.
type Request ¶
// Request is a policy evaluation request. Its JSON tags are camelCase
// (e.g. workingSet), unlike the snake_case tags on AuditEvent; the two
// types are sent on different calls (Evaluate vs SubmitAudit), so do not
// assume they share wire names.
type Request struct {
	// Catalog identifies the catalog for the request.
	Catalog string `json:"catalog,omitempty"`
	// WorkingSet identifies the working set (profile) for the request.
	WorkingSet string `json:"workingSet,omitempty"`
	// Server identifies the server for the request.
	Server string `json:"server,omitempty"`
	// ServerType identifies the server source type for the request.
	ServerType string `json:"serverType,omitempty"`
	// ServerSource identifies the server source for the request.
	ServerSource string `json:"serverSource,omitempty"`
	// Transport identifies the server transport type for the request.
	Transport string `json:"transport,omitempty"`
	// Tool identifies the tool name for the request.
	Tool string `json:"tool,omitempty"`
	// Action identifies the action for the request; empty means "invoke"
	// (see Action).
	Action Action `json:"action,omitempty"`
	// Target identifies the policy target for the request. A nil Target
	// is omitted from the encoded request.
	Target *Target `json:"target,omitempty"`
}
Request is a policy evaluation request.
type Target ¶
// Target identifies the policy target for a request.
type Target struct {
	// Type identifies the target type (see the Target* constants).
	Type TargetType `json:"type,omitempty"`
	// Name identifies the target by name.
	Name string `json:"name,omitempty"`
}
Target identifies the policy target for a request.
type TargetType ¶
// TargetType identifies the policy target type; see the Target* constants
// for the known values.
type TargetType string
TargetType identifies the policy target type.
// Note that TargetWorkingSet uses the camelCase value "workingSet",
// matching Request's JSON tags rather than AuditEvent's snake_case ones.
const (
	// TargetCatalog identifies a catalog target.
	TargetCatalog TargetType = "catalog"
	// TargetWorkingSet identifies a working set target.
	TargetWorkingSet TargetType = "workingSet"
	// TargetServer identifies a server target.
	TargetServer TargetType = "server"
	// TargetTool identifies a tool target.
	TargetTool TargetType = "tool"
)