config

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 3, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package config parses and validates Keep rule files, profiles, and starter packs.

Index

Constants

View Source 
const SupportedVersion = "v1"

SupportedVersion is the only rule file version currently accepted.

Variables

View Source 
var ReservedNames = map[string]bool{

	"params":  true,
	"context": true,
	"now":     true,

	"size":       true,
	"has":        true,
	"matches":    true,
	"startsWith": true,
	"endsWith":   true,
	"contains":   true,
	"exists":     true,
	"all":        true,
	"filter":     true,
	"exists_one": true,

	"containsAny":    true,
	"estimateTokens": true,
	"inTimeWindow":   true,
	"rateCount":      true,
	"lower":          true,
	"upper":          true,
	"matchesDomain":  true,
	"dayOfWeek":      true,
	"hasSecrets":     true,

	"int":       true,
	"uint":      true,
	"double":    true,
	"bool":      true,
	"string":    true,
	"bytes":     true,
	"list":      true,
	"map":       true,
	"type":      true,
	"null_type": true,

	"true":  true,
	"false": true,
	"null":  true,
}

ReservedNames is the unified set of identifiers that must not be used as def names or profile alias names because they shadow CEL built-in variables, operators, or Keep-specific functions.

Functions

func IsParamsPath 

func IsParamsPath(path string) bool

IsParamsPath returns true if the path starts with "params.".

func LoadPacks 

func LoadPacks(dir string) (map[string]*StarterPack, error)

LoadPacks reads all .yaml and .yml files from dir and parses them as starter packs. Returns packs indexed by name. Returns an empty map if dir is empty or does not exist.

func LoadProfiles 

func LoadProfiles(dir string) (map[string]*Profile, error)

LoadProfiles reads all .yaml and .yml files from dir, parses them as profiles, and validates alias names and targets. Returns profiles indexed by name. Returns an empty map if dir is empty or does not exist.

func LoadRules 

func LoadRules(dir string) (map[string]*RuleFile, error)

LoadRules reads all .yaml and .yml files from dir, parses them as rule files, validates each one, and checks scope uniqueness across all files. Returns the parsed files indexed by scope name. Errors from all files are accumulated and returned together.

func Validate 

func Validate(rf *RuleFile) error

Validate checks that rf is a well-formed rule file. It accumulates all validation errors and returns them joined.

func ValidateFieldPath 

func ValidateFieldPath(path string) error

ValidateFieldPath checks that a dot-separated path is syntactically valid. Each segment must be a valid identifier (ASCII letter or underscore followed by ASCII alphanumeric/underscores). ASCII-only identifiers are required to prevent Unicode homoglyph confusion.

Types

type Action 

type Action string

Action is what to do when a rule matches. 

const (
	ActionDeny   Action = "deny"
	ActionLog    Action = "log"
	ActionRedact Action = "redact"
)

type ErrorMode 

type ErrorMode string

ErrorMode controls behavior when a CEL expression errors at eval time. 

const (
	ErrorModeClosed ErrorMode = "closed"
	ErrorModeOpen   ErrorMode = "open"
)

type LintWarning added in v0.2.0 

type LintWarning struct {
	Scope   string
	Rule    string
	Message string
}

LintWarning is a non-fatal issue found during linting.

func Lint added in v0.2.0 

func Lint(rf *RuleFile) []LintWarning

Lint checks a rule file for style issues that are not errors but may indicate mistakes. Currently checks for uppercase characters in string literals within when expressions (case-insensitive mode normalizes inputs to lowercase, so uppercase literals would never match).

func LintAll added in v0.2.0 

func LintAll(lr *LoadResult) []LintWarning

LintAll runs lint checks across all scopes in a load result.

func (LintWarning) String added in v0.2.0 

func (w LintWarning) String() string

type LoadResult 

type LoadResult struct {
	// Scopes contains the raw parsed rule files before pack resolution.
	// Use ResolvedRules for the authoritative post-resolution rule list.
	Scopes map[string]*RuleFile

	// ResolvedRules maps scope name to the merged rule list (packs + inline).
	ResolvedRules map[string][]Rule

	// Profiles maps profile name to its parsed profile.
	Profiles map[string]*Profile
}

LoadResult holds all parsed and resolved configuration.

func LoadAll 

func LoadAll(rulesDir string, profilesDir string, packsDir string) (*LoadResult, error)

LoadAll reads rules, profiles, and packs from their respective directories, validates everything, resolves pack references and overrides, and returns the fully resolved configuration. profilesDir and packsDir may be empty strings if not needed.

type LogConfig 

type LogConfig struct {
	Format string `yaml:"format,omitempty"`
	Output string `yaml:"output,omitempty"`
}

LogConfig controls log format and output destination. Used by both relay and gateway configurations.

type Match 

type Match struct {
	Operation string `yaml:"operation,omitempty"`
	When      string `yaml:"when,omitempty"`
}

Match determines when a rule applies.

type Mode 

type Mode string

Mode controls whether rules are enforced or only audited. 

const (
	ModeEnforce   Mode = "enforce"
	ModeAuditOnly Mode = "audit_only"
)

type PackRef 

type PackRef struct {
	Name      string                 `yaml:"name"`
	Overrides map[string]interface{} `yaml:"overrides,omitempty"`
}

PackRef references a starter pack with optional overrides.

type Profile 

type Profile struct {
	Name    string            `yaml:"name"`
	Aliases map[string]string `yaml:"aliases"`
}

Profile maps short alias names to parameter field paths.

type RedactPattern 

type RedactPattern struct {
	Match   string `yaml:"match"`
	Replace string `yaml:"replace"`
}

RedactPattern is a regex pattern and its replacement.

type RedactSpec 

type RedactSpec struct {
	Target   string          `yaml:"target"`
	Secrets  bool            `yaml:"secrets,omitempty"`
	Patterns []RedactPattern `yaml:"patterns,omitempty"`
}

RedactSpec defines what to redact and how.

type Rule 

type Rule struct {
	Name        string      `yaml:"name"`
	Description string      `yaml:"description,omitempty"`
	Match       Match       `yaml:"match,omitempty"`
	Action      Action      `yaml:"action"`
	Message     string      `yaml:"message,omitempty"`
	Redact      *RedactSpec `yaml:"redact,omitempty"`
}

Rule is an atomic unit of policy.

func ResolvePacks 

func ResolvePacks(rf *RuleFile, packs map[string]*StarterPack) ([]Rule, error)

ResolvePacks takes a rule file's pack references, looks them up in the loaded packs, applies overrides, and returns the merged rule list (pack rules first, then inline rules).

type RuleFile 

type RuleFile struct {
	Version       string            `yaml:"version,omitempty"`
	Scope         string            `yaml:"scope"`
	Profile       string            `yaml:"profile,omitempty"`
	Mode          Mode              `yaml:"mode,omitempty"`
	OnError       ErrorMode         `yaml:"on_error,omitempty"`
	CaseSensitive bool              `yaml:"case_sensitive,omitempty"`
	Defs          map[string]string `yaml:"defs,omitempty"`
	Packs         []PackRef         `yaml:"packs,omitempty"`
	Rules         []Rule            `yaml:"rules"`
}

RuleFile is the parsed representation of a single YAML rule file.

func ParseRuleFile added in v0.2.1 

func ParseRuleFile(data []byte) (*RuleFile, error)

ParseRuleFile parses and validates a single rule file from raw YAML bytes. It does not resolve pack references — callers that need pack resolution should use LoadAll instead.

type StarterPack 

type StarterPack struct {
	Name    string `yaml:"name"`
	Profile string `yaml:"profile,omitempty"`
	Rules   []Rule `yaml:"rules"`
}

StarterPack is a reusable set of rules.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.