rules

package
v0.35.0-rc.7 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Mar 22, 2022 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

// Combine policies: the named values of CombinePolicy, the type of the
// Combine field on rule and macro definitions (yaml key "combine").
// CombinePolicy is an alias of string, so these are plain string constants.
// NOTE(review): what each policy does when two definitions share an ID is not
// shown here. If "override" lets a later-loaded definition replace an earlier
// one, anyone able to add a policy file can replace a shipped detection rule;
// confirm the semantics and restrict write access to the policies directory.
const (
	// NoPolicy is the empty string, i.e. no combine policy was set.
	NoPolicy       CombinePolicy = ""
	// MergePolicy is the string "merge".
	MergePolicy                  = "merge"
	// OverridePolicy is the string "override".
	OverridePolicy               = "override"
)

Combine policies

Variables

// Sentinel errors of the package, each created with errors.New.
var (
	// ErrRuleWithoutEvent is returned when no event type was inferred from the rule
	ErrRuleWithoutEvent = errors.New("no event in the rule definition")

	// ErrRuleWithMultipleEvents is returned when multiple event types were inferred from the rule
	ErrRuleWithMultipleEvents = errors.New("rule with multiple events is not supported")

	// ErrDefinitionIDConflict is returned when multiple rules use the same ID
	ErrDefinitionIDConflict = errors.New("multiple definition with the same ID")

	// ErrInternalIDConflict is returned when a user-defined rule uses an internal ID
	ErrInternalIDConflict = errors.New("internal rule ID conflict")

	// ErrEventTypeNotEnabled is returned when an event type is not enabled
	ErrEventTypeNotEnabled = errors.New("event type not enabled")

	// ErrCannotMergeExpression is returned when trying to merge SECL expressions
	ErrCannotMergeExpression = errors.New("cannot merge expression")
)

Functions

func GetRuleEventType added in v0.34.0

func GetRuleEventType(rule *eval.Rule) (eval.EventType, error)

GetRuleEventType returns the rule's EventType. Currently a rule supports only one event type

func LoadPolicies

func LoadPolicies(policiesDir string, ruleSet *RuleSet) *multierror.Error

LoadPolicies loads the policies listed in the configuration and applies them to the given ruleset

Types

type ActionDefinition added in v0.35.0

// ActionDefinition describes a rule action section.
type ActionDefinition struct {
	// Set is read from the yaml key "set". It is a pointer, so it is nil when
	// the key is absent; callers should nil-check it or rely on Check first.
	// NOTE(review): what Check accepts or rejects is not shown here — confirm.
	Set *SetDefinition `yaml:"set"`
}

ActionDefinition describes a rule action section

func (*ActionDefinition) Check added in v0.35.0

func (a *ActionDefinition) Check() error

Check returns an error if the action is invalid

type Approvers

type Approvers map[eval.Field]FilterValues

Approvers are just filter values indexed by field

type CombinePolicy added in v0.35.0

type CombinePolicy = string

CombinePolicy represents the policy to use to combine rules and macros

type ErrFieldTypeUnknown

// ErrFieldTypeUnknown is returned when a field has an unknown type.
// Error is declared on the pointer receiver, so it is *ErrFieldTypeUnknown
// that satisfies error; use that pointer type as the errors.As target.
type ErrFieldTypeUnknown struct {
	// Field is presumably the name of the field whose type is unknown.
	Field string
}

ErrFieldTypeUnknown is returned when a field has an unknown type

func (*ErrFieldTypeUnknown) Error

func (e *ErrFieldTypeUnknown) Error() string

type ErrMacroLoad

// ErrMacroLoad is returned on macro definition error.
// Error has a value receiver. No Unwrap method is listed for this type, so
// errors.Is/errors.As will not look inside Err; inspect Err directly.
type ErrMacroLoad struct {
	// Definition is the macro definition the error relates to.
	Definition *MacroDefinition
	// Err is the underlying error.
	Err        error
}

ErrMacroLoad is returned on macro definition error

func (ErrMacroLoad) Error

func (e ErrMacroLoad) Error() string

type ErrNoApprover

type ErrNoApprover struct {
	Fields []string
}

ErrNoApprover is returned when no approver was found for a set of rules

func (ErrNoApprover) Error

func (e ErrNoApprover) Error() string

type ErrNoEventTypeBucket

type ErrNoEventTypeBucket struct {
	EventType string
}

ErrNoEventTypeBucket is returned when no bucket could be found for an event type

func (ErrNoEventTypeBucket) Error

func (e ErrNoEventTypeBucket) Error() string

type ErrPoliciesLoad

// ErrPoliciesLoad is returned on policies dir error.
// No Unwrap method is listed for this type, so errors.Is/errors.As will not
// look inside Err; inspect Err directly.
type ErrPoliciesLoad struct {
	// Name is presumably the policies directory concerned — confirm.
	Name string
	// Err is the underlying error.
	Err  error
}

ErrPoliciesLoad is returned on policies dir error

func (ErrPoliciesLoad) Error

func (e ErrPoliciesLoad) Error() string

type ErrPolicyLoad

// ErrPolicyLoad is returned on policy file error.
// No Unwrap method is listed for this type, so errors.Is/errors.As will not
// look inside Err; inspect Err directly.
type ErrPolicyLoad struct {
	// Name is presumably the name of the policy file concerned — confirm.
	Name string
	// Err is the underlying error.
	Err  error
}

ErrPolicyLoad is returned on policy file error

func (ErrPolicyLoad) Error

func (e ErrPolicyLoad) Error() string

type ErrRuleLoad

// ErrRuleLoad is returned on rule definition error.
// Error has a value receiver. No Unwrap method is listed for this type, so
// errors.Is/errors.As will not look inside Err: if a sentinel such as
// ErrRuleWithoutEvent is carried in Err, compare against Err directly.
type ErrRuleLoad struct {
	// Definition is the rule definition the error relates to.
	Definition *RuleDefinition
	// Err is the underlying error.
	Err        error
}

ErrRuleLoad is returned on rule definition error

func (ErrRuleLoad) Error

func (e ErrRuleLoad) Error() string

type ErrValueTypeUnknown

// ErrValueTypeUnknown is returned when the value of a field has an unknown type.
// Error is declared on the pointer receiver, so it is *ErrValueTypeUnknown
// that satisfies error; use that pointer type as the errors.As target.
type ErrValueTypeUnknown struct {
	// Field is presumably the name of the field whose value has an unknown type.
	Field string
}

ErrValueTypeUnknown is returned when the value of a field has an unknown type

func (*ErrValueTypeUnknown) Error

func (e *ErrValueTypeUnknown) Error() string

type FieldCapabilities

type FieldCapabilities []FieldCapability

FieldCapabilities holds a list of field capabilities

func (FieldCapabilities) GetFields

func (fcs FieldCapabilities) GetFields() []eval.Field

GetFields returns all the fields of FieldCapabilities

func (FieldCapabilities) Validate

func (fcs FieldCapabilities) Validate(filterValues FilterValues) bool

Validate ensures all the filter values match field capabilities

type FieldCapability

// FieldCapability represents a field and the type of its value (scalar,
// pattern, bitmask, ...). FieldCapabilities.Validate checks filter values
// against a list of these.
type FieldCapability struct {
	// Field is the field this capability applies to.
	Field        eval.Field
	// Types is the value type (or types) accepted for the field.
	// NOTE(review): the plural name suggests a bitmask of types — confirm.
	Types        eval.FieldValueType
	// ValidateFnc is a predicate over a FilterValue.
	// NOTE(review): whether a nil ValidateFnc is allowed, and when it is
	// called during Validate, is not shown here — confirm.
	ValidateFnc  func(FilterValue) bool
	// FilterWeight is an integer weight; its meaning and ordering are not
	// shown on this page.
	FilterWeight int
}

FieldCapability represents a field and the type of its value (scalar, pattern, bitmask, ...)

type FieldCombinations

type FieldCombinations [][]eval.Field

FieldCombinations is an array of all the combinations of fields

func (FieldCombinations) Len

func (a FieldCombinations) Len() int

func (FieldCombinations) Less

func (a FieldCombinations) Less(i, j int) bool

func (FieldCombinations) Swap

func (a FieldCombinations) Swap(i, j int)

type FilterValue

// FilterValue represents a field, its value and its type. Further state is
// held in unexported fields that are not visible here.
type FilterValue struct {
	// Field is the field the value applies to.
	Field eval.Field
	// Value is untyped (interface{}); Type says how it is to be interpreted.
	// Consumers have to type-check Value before using it.
	Value interface{}
	// Type is the kind of value held in Value.
	Type  eval.FieldValueType
	// contains filtered or unexported fields
}

FilterValue represents a field, its value, its type and whether it is used to compare with or against its value

type FilterValues

type FilterValues []FilterValue

FilterValues is a list of FilterValue

func (FilterValues) Merge

func (fv FilterValues) Merge(n ...FilterValue) FilterValues

Merge merges the given FilterValue entries into FilterValues, ensuring there is no duplicate value

type Logger

// Logger is the logging interface this package writes to, so that it does
// not depend on the agent's logger. All methods are printf-style: format is
// the format string and params are its arguments.
type Logger interface {
	// Infof is used to print an info level log
	Infof(format string, params ...interface{})
	// Tracef is used to print a trace level log
	Tracef(format string, params ...interface{})
	// Debugf is used to print a debug level log
	Debugf(format string, params ...interface{})
	// Errorf is used to print an error
	Errorf(format string, params ...interface{})
}

Logger is the interface used to remove this package's dependency on the agent's logger

type Macro

type Macro struct {
	*eval.Macro
	Definition *MacroDefinition
}

Macro describes a macro of a ruleset

type MacroDefinition

// MacroDefinition holds the definition of a macro. The yaml tags give the
// keys read from a policy file.
type MacroDefinition struct {
	// ID identifies the macro (MacroID is an alias of string).
	ID         MacroID       `yaml:"id"`
	// Expression is the macro given as an expression string.
	// NOTE(review): presumably an alternative to Values; whether both may be
	// set at once is not shown here — confirm.
	Expression string        `yaml:"expression"`
	// Values is the macro given as a list of strings.
	Values     []string      `yaml:"values"`
	// Combine is the combine policy (NoPolicy, MergePolicy or OverridePolicy).
	// NOTE(review): ErrCannotMergeExpression exists, which suggests a merge is
	// refused for expression-based definitions — confirm in MergeWith.
	Combine    CombinePolicy `yaml:"combine"`
}

MacroDefinition holds the definition of a macro

func (*MacroDefinition) MergeWith added in v0.35.0

func (m *MacroDefinition) MergeWith(m2 *MacroDefinition) error

MergeWith merges macro m2 into m

type MacroID

type MacroID = string

MacroID represents the ID of a macro

type NullLogger

type NullLogger struct{}

NullLogger is a default implementation of the Logger interface

func (NullLogger) Debugf

func (l NullLogger) Debugf(format string, params ...interface{})

Debugf is used to print a debug level log

func (NullLogger) Errorf

func (l NullLogger) Errorf(format string, params ...interface{})

Errorf is used to print an error

func (NullLogger) Infof

func (l NullLogger) Infof(format string, params ...interface{})

Infof is used to print an info level log

func (NullLogger) Tracef

func (l NullLogger) Tracef(format string, params ...interface{})

Tracef is used to print a trace level log

type Opts

// Opts defines rule set options. It embeds eval.Opts and is populated
// through the chainable With*/AddMacro setters, each of which returns *Opts.
type Opts struct {
	eval.Opts
	// SupportedDiscarders is a set of fields, keyed by field name.
	// NOTE(review): presumably the fields for which discarders may be
	// reported — confirm.
	SupportedDiscarders map[eval.Field]bool
	// ReservedRuleIDs lists reserved rule IDs.
	// NOTE(review): presumably the internal IDs behind ErrInternalIDConflict,
	// i.e. IDs a user-defined rule may not take — confirm.
	ReservedRuleIDs     []RuleID
	// EventTypeEnabled maps an event type to an enabled flag.
	// NOTE(review): presumably the source of ErrEventTypeNotEnabled; whether a
	// missing key counts as disabled is not shown here — confirm.
	EventTypeEnabled    map[eval.EventType]bool
	// StateScopes maps a variable scope to the factory that creates its
	// variable provider.
	StateScopes         map[Scope]VariableProviderFactory
	// Logger receives the package's log output. NullLogger is the default
	// implementation of the interface.
	// NOTE(review): whether a nil Logger is tolerated is not shown — confirm.
	Logger              Logger
}

Opts defines rules set options

func (*Opts) AddMacro added in v0.34.0

func (o *Opts) AddMacro(macro *eval.Macro) *Opts

AddMacro adds a macro

func (*Opts) WithConstants added in v0.34.0

func (o *Opts) WithConstants(constants map[string]interface{}) *Opts

WithConstants sets the constants

func (*Opts) WithEventTypeEnabled added in v0.34.0

func (o *Opts) WithEventTypeEnabled(eventTypes map[eval.EventType]bool) *Opts

WithEventTypeEnabled sets the enabled event types

func (*Opts) WithLegacyFields added in v0.34.0

func (o *Opts) WithLegacyFields(fields map[eval.Field]eval.Field) *Opts

WithLegacyFields sets the legacy fields

func (*Opts) WithLogger added in v0.34.0

func (o *Opts) WithLogger(logger Logger) *Opts

WithLogger sets the logger

func (*Opts) WithReservedRuleIDs added in v0.34.0

func (o *Opts) WithReservedRuleIDs(ruleIds []RuleID) *Opts

WithReservedRuleIDs sets the reserved rule IDs

func (*Opts) WithStateScopes added in v0.35.0

func (o *Opts) WithStateScopes(stateScopes map[Scope]VariableProviderFactory) *Opts

WithStateScopes sets the state scopes

func (*Opts) WithSupportedDiscarders added in v0.34.0

func (o *Opts) WithSupportedDiscarders(discarders map[eval.Field]bool) *Opts

WithSupportedDiscarders sets the supported discarders

func (*Opts) WithUserContext added in v0.34.0

func (o *Opts) WithUserContext(ctx interface{}) *Opts

WithUserContext sets the user context

func (*Opts) WithVariables added in v0.34.0

func (o *Opts) WithVariables(variables map[string]eval.VariableValue) *Opts

WithVariables sets the variables

type Policy

// Policy represents a policy file, which is composed of a list of rules and
// macros. The yaml tags give the keys read from the file.
type Policy struct {
	// Name carries no yaml tag. LoadPolicy takes a name argument, so this is
	// presumably set by the loader rather than by the file.
	// NOTE(review): common Go YAML decoders still match an untagged exported
	// field by its lowercased name; tag it `yaml:"-"` if the file must never
	// supply it. Confirm which decoder is used and whether the loader
	// overwrites the value after decoding.
	Name    string
	// Version is the policy version string read from the file.
	Version string             `yaml:"version"`
	// Rules are the rule definitions declared by the policy.
	Rules   []*RuleDefinition  `yaml:"rules"`
	// Macros are the macro definitions declared by the policy.
	Macros  []*MacroDefinition `yaml:"macros"`
}

Policy represents a policy file which is composed of a list of rules and macros

func LoadPolicy

func LoadPolicy(r io.Reader, name string) (*Policy, error)

LoadPolicy loads a YAML file and returns a new policy

func (*Policy) GetValidMacroAndRules

func (p *Policy) GetValidMacroAndRules() ([]*MacroDefinition, []*RuleDefinition, *multierror.Error)

GetValidMacroAndRules returns valid macro, rules definitions

type Rule

type Rule struct {
	*eval.Rule
	Definition *RuleDefinition
}

Rule describes a rule of a ruleset

type RuleBucket

type RuleBucket struct {
	// contains filtered or unexported fields
}

RuleBucket groups rules with the same event type

func (*RuleBucket) AddRule

func (rb *RuleBucket) AddRule(rule *Rule) error

AddRule adds a rule to the bucket

func (*RuleBucket) GetApprovers

func (rb *RuleBucket) GetApprovers(event eval.Event, fieldCaps FieldCapabilities) (Approvers, error)

GetApprovers returns the approvers for an event

func (*RuleBucket) GetRules

func (rb *RuleBucket) GetRules() []*Rule

GetRules returns the bucket rules

type RuleDefinition

// RuleDefinition holds the definition of a rule. The yaml tags give the keys
// read from a policy file; everything tagged here is therefore controlled by
// whoever can write policy files.
type RuleDefinition struct {
	// ID identifies the rule (RuleID is an alias of string). ID clashes are
	// reported through ErrDefinitionIDConflict and ErrInternalIDConflict.
	ID          RuleID             `yaml:"id"`
	// Version is the rule version string.
	Version     string             `yaml:"version"`
	// Expression is the rule expression string.
	Expression  string             `yaml:"expression"`
	// Description is free-form text describing the rule.
	Description string             `yaml:"description"`
	// Tags are key/value tags; GetTags returns them as a []string.
	Tags        map[string]string  `yaml:"tags"`
	// Disabled is read from the policy file.
	// NOTE(review): presumably a disabled rule is not evaluated. If so, a
	// policy edit can switch a detection off without removing it; worth
	// surfacing in policy review and change monitoring — confirm.
	Disabled    bool               `yaml:"disabled"`
	// Combine is the combine policy (NoPolicy, MergePolicy or OverridePolicy);
	// MergeWith merges another definition into this one.
	Combine     CombinePolicy      `yaml:"combine"`
	// Actions are the rule's action sections; ActionDefinition.Check
	// validates one of them.
	Actions     []ActionDefinition `yaml:"actions"`
	// Policy carries no yaml tag; presumably a back-reference to the policy
	// that declared the rule, set by the loader.
	// NOTE(review): common Go YAML decoders still match an untagged exported
	// field by its lowercased name; tag it `yaml:"-"` if the file must never
	// supply it — confirm which decoder is used.
	Policy      *Policy
}

RuleDefinition holds the definition of a rule

func (*RuleDefinition) GetTags

func (rd *RuleDefinition) GetTags() []string

GetTags returns the tags associated to a rule

func (*RuleDefinition) MergeWith added in v0.35.0

func (rd *RuleDefinition) MergeWith(rd2 *RuleDefinition) error

MergeWith merges rule rd2 into rd

type RuleID

type RuleID = string

RuleID represents the ID of a rule

type RuleSet

type RuleSet struct {
	// contains filtered or unexported fields
}

RuleSet holds a list of rules, grouped in buckets. An event can be evaluated against it. If a rule matches, the listeners for this rule set are notified

func NewRuleSet

func NewRuleSet(model eval.Model, eventCtor func() eval.Event, opts *Opts) *RuleSet

NewRuleSet returns a new ruleset for the specified data model

func (*RuleSet) AddFields

func (rs *RuleSet) AddFields(fields []eval.EventType)

AddFields merges the provided set of fields with the existing set of fields of the ruleset

func (*RuleSet) AddListener

func (rs *RuleSet) AddListener(listener RuleSetListener)

AddListener adds a listener on the ruleset

func (*RuleSet) AddMacro

func (rs *RuleSet) AddMacro(macroDef *MacroDefinition) (*eval.Macro, error)

AddMacro parses the macro AST and adds it to the list of macros of the ruleset

func (*RuleSet) AddMacros

func (rs *RuleSet) AddMacros(macros []*MacroDefinition) *multierror.Error

AddMacros parses the macros AST and adds them to the list of macros of the ruleset

func (*RuleSet) AddPolicyVersion

func (rs *RuleSet) AddPolicyVersion(filename string, version string)

AddPolicyVersion adds the provided policy filename and version to the map of loaded policies

func (*RuleSet) AddRule

func (rs *RuleSet) AddRule(ruleDef *RuleDefinition) (*eval.Rule, error)

AddRule creates the rule evaluator and adds it to the bucket of its events

func (*RuleSet) AddRules

func (rs *RuleSet) AddRules(rules []*RuleDefinition) *multierror.Error

AddRules adds rules to the ruleset and generates their partials

func (*RuleSet) Evaluate

func (rs *RuleSet) Evaluate(event eval.Event) bool

Evaluate evaluates the specified event against the set of rules

func (*RuleSet) GetApprovers

func (rs *RuleSet) GetApprovers(fieldCaps map[eval.EventType]FieldCapabilities) (map[eval.EventType]Approvers, error)

GetApprovers returns all approvers

func (*RuleSet) GetBucket

func (rs *RuleSet) GetBucket(eventType eval.EventType) *RuleBucket

GetBucket returns rule bucket for the given event type

func (*RuleSet) GetEventApprovers

func (rs *RuleSet) GetEventApprovers(eventType eval.EventType, fieldCaps FieldCapabilities) (Approvers, error)

GetEventApprovers returns approvers for the given event type and the fields

func (*RuleSet) GetEventTypes

func (rs *RuleSet) GetEventTypes() []eval.EventType

GetEventTypes returns all the event types handled by the ruleset

func (*RuleSet) GetFieldValues

func (rs *RuleSet) GetFieldValues(field eval.Field) []eval.FieldValue

GetFieldValues returns all the values of the given field

func (*RuleSet) GetRules

func (rs *RuleSet) GetRules() map[eval.RuleID]*Rule

GetRules returns the active rules

func (*RuleSet) HasRulesForEventType

func (rs *RuleSet) HasRulesForEventType(eventType eval.EventType) bool

HasRulesForEventType reports whether there is at least one rule for the given event type

func (*RuleSet) IsDiscarder

func (rs *RuleSet) IsDiscarder(event eval.Event, field eval.Field) (bool, error)

IsDiscarder partially evaluates an Event against a field

func (*RuleSet) ListMacroIDs

func (rs *RuleSet) ListMacroIDs() []MacroID

ListMacroIDs returns the list of MacroIDs from the ruleset

func (*RuleSet) ListRuleIDs

func (rs *RuleSet) ListRuleIDs() []RuleID

ListRuleIDs returns the list of RuleIDs from the ruleset

func (*RuleSet) NotifyDiscarderFound

func (rs *RuleSet) NotifyDiscarderFound(event eval.Event, field eval.Field, eventType eval.EventType)

NotifyDiscarderFound notifies all the ruleset listeners that a discarder was found for an event

func (*RuleSet) NotifyRuleMatch

func (rs *RuleSet) NotifyRuleMatch(rule *Rule, event eval.Event)

NotifyRuleMatch notifies all the ruleset listeners that an event matched a rule

type RuleSetListener

// RuleSetListener is implemented by objects that want to be notified of
// events on a rule set. Listeners are registered with RuleSet.AddListener.
// NOTE(review): whether these callbacks run synchronously on the evaluation
// path is not shown here; if they do, a slow listener delays evaluation —
// confirm.
type RuleSetListener interface {
	// RuleMatch is called when an event matched a rule
	// (see RuleSet.NotifyRuleMatch).
	RuleMatch(rule *Rule, event eval.Event)
	// EventDiscarderFound is called when a discarder was found for an event
	// (see RuleSet.NotifyDiscarderFound).
	EventDiscarderFound(rs *RuleSet, event eval.Event, field eval.Field, eventType eval.EventType)
}

RuleSetListener describes the methods implemented by an object used to be notified of events on a rule set.

type Scope added in v0.35.0

type Scope string

Scope describes the scope variables

type SetDefinition added in v0.35.0

// SetDefinition describes the 'set' section of a rule action. The yaml tags
// give the keys read from a policy file.
type SetDefinition struct {
	// Name is read from the yaml key "name".
	// NOTE(review): presumably the name of the variable being set — confirm.
	Name   string      `yaml:"name"`
	// Value is decoded as interface{}, so its concrete type is whatever the
	// YAML document supplied; consumers have to type-check it before use.
	Value  interface{} `yaml:"value"`
	// Field is read from the yaml key "field".
	// NOTE(review): presumably an event field to take the value from instead
	// of Value; whether ActionDefinition.Check rejects both being set is not
	// shown here — confirm.
	Field  string      `yaml:"field"`
	// Append is read from the yaml key "append".
	// NOTE(review): presumably appends to the variable instead of replacing
	// it; if so, check what bounds the growth — confirm.
	Append bool        `yaml:"append"`
	// Scope is the variable scope; Opts.StateScopes maps a Scope to its
	// provider factory.
	Scope  Scope       `yaml:"scope"`
}

SetDefinition describes the 'set' section of a rule action

type VariableProvider added in v0.35.0

// VariableProvider is the interface implemented by SECL variable providers.
type VariableProvider interface {
	// GetVariable returns the variable for the given name, or an error.
	// value is untyped (interface{}); implementations have to type-check it.
	// NOTE(review): presumably value is the initial or assigned value taken
	// from a SetDefinition — confirm.
	GetVariable(name string, value interface{}) (eval.VariableValue, error)
}

VariableProvider is the interface implemented by SECL variable providers

type VariableProviderFactory added in v0.35.0

type VariableProviderFactory func() VariableProvider

VariableProviderFactory describes a function called to instantiate a variable provider
