Documentation
Constants
const DefaultGitHubCacheTTL = time.Minute
DefaultGitHubCacheTTL is the default time-to-live for GitHubSource cache.
Variables
This section is empty.
Functions
This section is empty.
Types
type FileSource
type FileSource struct {
// contains filtered or unexported fields
}
FileSource loads Rego files from local filesystem paths once at construction time. The contents do not change for the lifetime of the process, matching the existing --policy behavior.
func NewFileSource
func NewFileSource(paths []string) (*FileSource, error)
NewFileSource reads .rego files from the given paths (files or directories, recursively) using opaq.Files semantics. Returns an error if any path is invalid or files fail to load.
type GitHubSource
type GitHubSource struct {
// contains filtered or unexported fields
}
GitHubSource fetches Rego policy files from a GitHub repository's default branch HEAD. Results are cached in memory for the configured TTL; SHA-based change detection avoids re-fetching content when the branch HEAD has not moved. On any fetch or validation failure, the previously known good snapshot is returned.
func NewGitHubSource
func NewGitHubSource(opts GitHubSourceOpts) (*GitHubSource, error)
NewGitHubSource constructs a GitHubSource. If opts.Client is nil, App credentials are required and a github.Client is built using bradleyfalzon/ghinstallation/v2.
type GitHubSourceOpts
type GitHubSourceOpts struct {
Owner string
Repo string
// Paths within the repository to recursively scan for .rego files.
// An empty slice scans the repository root.
Paths []string
// TTL for the in-memory cache. Zero means DefaultGitHubCacheTTL.
TTL time.Duration
// Optional pre-built client. When non-nil, App credentials below are ignored.
Client *github.Client
// GitHub App credentials. Required when Client is nil.
AppID int64
InstallationID int64
PrivateKey []byte
}
GitHubSourceOpts configures a GitHubSource.
Either Client must be provided directly (typically for testing), or all of AppID, InstallationID, and PrivateKey must be provided so that a GitHub App installation token can be obtained.
type Loader
type Loader struct {
// contains filtered or unexported fields
}
Loader composes one or more Sources into a single PolicyClient. It rebuilds the underlying *opaq.Client when the combined version of all sources changes, otherwise it returns a cached client.
Loader satisfies interfaces.PolicyClient.
func NewLoader
NewLoader creates a Loader from the given sources. At least one source SHOULD be supplied; otherwise Query will return ErrNoPolicy.
func (*Loader) HasSources
HasSources reports whether the Loader has any sources configured.
func (*Loader) Prime
Prime forces an initial build of the underlying opaq client. Calling Prime at configure time ensures that Sources() returns the loaded policy contents before the first Query, and surfaces any source-side errors (e.g. an unreachable GitHub repository) at startup rather than on first evaluation.
type Snapshot
type Snapshot struct {
// Files maps a unique key (e.g. file path or "github://...") to the Rego
// source. Keys MUST be unique across all sources composed in a single
// Loader.
Files map[string]string
// Version changes whenever Files changes.
Version string
}
Snapshot is the content of a policy source at a specific point in time. Version is an opaque identifier that changes when Files content changes, so callers can decide whether downstream artifacts (compiled clients) need to be rebuilt.
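The Loader and Snapshot contract described above, as an added illustration that is not the package's own code: a stand-in Loader composes Sources, derives a combined version from each Snapshot.Version, rebuilds its client only when that combined version changes, rejects duplicate keys, and surfaces source errors instead of serving an empty policy. The Source func type, the Builds counter and the merged-map client are assumptions standing in for the package's unexported internals and for *opaq.Client.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Snapshot mirrors the page's Snapshot: unique file keys plus an opaque Version.
type Snapshot struct {
	Files   map[string]string
	Version string
}

// Source is an assumption (the page shows no interface): a func yielding a Snapshot.
type Source func() (Snapshot, error)

// Loader (stand-in) rebuilds its client (merged bundle, in place of *opaq.Client) only when the combined version changes.
type Loader struct {
	Sources []Source
	version string
	client  map[string]string
	Builds  int // rebuild count, exposed for demonstration (assumed, not in the package)
}

// Client returns the cached bundle unless any source's Version moved. Duplicate keys
// are rejected because Snapshot keys MUST be unique across all composed sources.
func (l *Loader) Client() (map[string]string, error) {
	if len(l.Sources) == 0 {
		return nil, fmt.Errorf("no policy sources") // stands in for ErrNoPolicy
	}
	h, files := sha256.New(), map[string]string{}
	for i, src := range l.Sources {
		snap, err := src()
		if err != nil {
			return nil, fmt.Errorf("source %d: %w", i, err) // surfaced, as Prime would at startup
		}
		for k, v := range snap.Files {
			if _, dup := files[k]; dup {
				return nil, fmt.Errorf("duplicate policy key %q", k)
			}
			files[k] = v
		}
		fmt.Fprintf(h, "%d:%s\n", i, snap.Version) // order-sensitive combined version
	}
	if v := fmt.Sprintf("%x", h.Sum(nil)); v != l.version {
		l.client, l.version = files, v // rebuild only when the combined version changed
		l.Builds++
	}
	return l.client, nil
}
```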