Constants ¶
// Combine policies: how a rule or macro definition is combined with another
// one (see CombinePolicy and the MergeWith methods of RuleDefinition and
// MacroDefinition).
const (
	// NoPolicy is the zero value; no combination policy was specified.
	NoPolicy CombinePolicy = ""
	// MergePolicy merges the definitions.
	MergePolicy = "merge"
	// OverridePolicy replaces one definition with the other.
	OverridePolicy = "override"
)
Combine policies
Variables ¶
var (
	// ErrRuleWithoutEvent is returned when no event type was inferred from the rule
	ErrRuleWithoutEvent = errors.New("no event in the rule definition")
	// ErrRuleWithMultipleEvents is returned when multiple event types were inferred from the rule
	ErrRuleWithMultipleEvents = errors.New("rule with multiple events is not supported")
	// ErrDefinitionIDConflict is returned when multiple rules use the same ID
	ErrDefinitionIDConflict = errors.New("multiple definition with the same ID")
	// ErrInternalIDConflict is returned when a user defined rule uses an internal ID
	// (presumably one of the IDs passed to Opts.WithReservedRuleIDs — confirm)
	ErrInternalIDConflict = errors.New("internal rule ID conflict")
	// ErrEventTypeNotEnabled is returned when an event type is not enabled
	// (see Opts.WithEventTypeEnabled)
	ErrEventTypeNotEnabled = errors.New("event type not enabled")
	// ErrCannotMergeExpression is returned when trying to merge SECL expressions
	ErrCannotMergeExpression = errors.New("cannot merge expression")
)
Functions ¶
func GetRuleEventType ¶ added in v0.34.0
GetRuleEventType returns the rule EventType. Currently rules support only one event type.
func LoadPolicies ¶
LoadPolicies loads the policies listed in the configuration and applies them to the given ruleset.
Types ¶
type ActionDefinition ¶ added in v0.35.0
// ActionDefinition describes a rule action section.
type ActionDefinition struct {
	// Set describes the 'set' section of the action (see SetDefinition).
	Set *SetDefinition `yaml:"set"`
}
ActionDefinition describes a rule action section
func (*ActionDefinition) Check ¶ added in v0.35.0
func (a *ActionDefinition) Check() error
Check returns an error if the action is invalid.
type Approvers ¶
// Approvers are just filter values indexed by field.
type Approvers map[eval.Field]FilterValues
Approvers are just filter values indexed by field
type CombinePolicy ¶ added in v0.35.0
// CombinePolicy represents the policy to use to combine rules and macros.
// It is a type alias of string; the known values are NoPolicy, MergePolicy
// and OverridePolicy.
type CombinePolicy = string
CombinePolicy represents the policy to use to combine rules and macros
type ErrFieldTypeUnknown ¶
// ErrFieldTypeUnknown is returned when a field has an unknown type.
type ErrFieldTypeUnknown struct {
	// Field is the name of the offending field.
	Field string
}
ErrFieldTypeUnknown is returned when a field has an unknown type
func (*ErrFieldTypeUnknown) Error ¶
func (e *ErrFieldTypeUnknown) Error() string
type ErrMacroLoad ¶
// ErrMacroLoad is returned on a macro definition error.
type ErrMacroLoad struct {
	// Definition is the macro definition that failed to load.
	Definition *MacroDefinition
	// Err is the underlying error.
	Err error
}
ErrMacroLoad is returned on a macro definition error.
func (ErrMacroLoad) Error ¶
func (e ErrMacroLoad) Error() string
type ErrNoApprover ¶
// ErrNoApprover is returned when no approver was found for a set of rules.
type ErrNoApprover struct {
	// Fields are the fields for which no approver could be found.
	Fields []string
}
ErrNoApprover is returned when no approver was found for a set of rules
func (ErrNoApprover) Error ¶
func (e ErrNoApprover) Error() string
type ErrNoEventTypeBucket ¶
// ErrNoEventTypeBucket is returned when no bucket could be found for an event type.
type ErrNoEventTypeBucket struct {
	// EventType is the event type without a bucket.
	EventType string
}
ErrNoEventTypeBucket is returned when no bucket could be found for an event type
func (ErrNoEventTypeBucket) Error ¶
func (e ErrNoEventTypeBucket) Error() string
type ErrPoliciesLoad ¶
ErrPoliciesLoad is returned on policies dir error
func (ErrPoliciesLoad) Error ¶
func (e ErrPoliciesLoad) Error() string
type ErrPolicyLoad ¶
ErrPolicyLoad is returned on policy file error
func (ErrPolicyLoad) Error ¶
func (e ErrPolicyLoad) Error() string
type ErrRuleLoad ¶
// ErrRuleLoad is returned on a rule definition error.
type ErrRuleLoad struct {
	// Definition is the rule definition that failed to load.
	Definition *RuleDefinition
	// Err is the underlying error.
	Err error
}
ErrRuleLoad is returned on a rule definition error.
func (ErrRuleLoad) Error ¶
func (e ErrRuleLoad) Error() string
type ErrValueTypeUnknown ¶
// ErrValueTypeUnknown is returned when the value of a field has an unknown type.
type ErrValueTypeUnknown struct {
	// Field is the name of the field whose value type is unknown.
	Field string
}
ErrValueTypeUnknown is returned when the value of a field has an unknown type
func (*ErrValueTypeUnknown) Error ¶
func (e *ErrValueTypeUnknown) Error() string
type FieldCapabilities ¶
// FieldCapabilities holds a list of field capabilities. GetFields lists the
// fields and Validate checks filter values against the capabilities.
type FieldCapabilities []FieldCapability
FieldCapabilities holds a list of field capabilities
func (FieldCapabilities) GetFields ¶
func (fcs FieldCapabilities) GetFields() []eval.Field
GetFields returns all the fields of FieldCapabilities
func (FieldCapabilities) Validate ¶
func (fcs FieldCapabilities) Validate(filterValues FilterValues) bool
Validate ensures all the filter values match field capabilities
type FieldCapability ¶
// FieldCapability represents a field and the type of its value (scalar, pattern, bitmask, ...).
type FieldCapability struct {
	// Field is the event field this capability applies to.
	Field eval.Field
	// Types are the value types supported for the field.
	Types eval.FieldValueType
	// ValidateFnc, when set, reports whether a given FilterValue is acceptable
	// (presumably optional; nil means no extra validation — confirm).
	ValidateFnc func(FilterValue) bool
	// FilterWeight is the weight of the filter (semantics not shown here — confirm).
	FilterWeight int
}
FieldCapability represents a field and the type of its value (scalar, pattern, bitmask, ...)
type FieldCombinations ¶
FieldCombinations holds all the combinations of fields.
func (FieldCombinations) Len ¶
func (a FieldCombinations) Len() int
func (FieldCombinations) Less ¶
func (a FieldCombinations) Less(i, j int) bool
func (FieldCombinations) Swap ¶
func (a FieldCombinations) Swap(i, j int)
type FilterValue ¶
// FilterValue represents a field, its value, its type and whether it is used to
// compare with or against its value.
type FilterValue struct {
	// Field is the event field being filtered.
	Field eval.Field
	// Value is the value compared with the field.
	Value interface{}
	// Type is the type of Value (scalar, pattern, bitmask, ...).
	Type eval.FieldValueType
	// contains filtered or unexported fields
}
FilterValue represents a field, its value, its type and whether it is used to compare with or against its value.
type FilterValues ¶
// FilterValues is a list of FilterValue. Merge combines lists without duplicates.
type FilterValues []FilterValue
FilterValues is a list of FilterValue
func (FilterValues) Merge ¶
func (fv FilterValues) Merge(n ...FilterValue) FilterValues
Merge merges two FilterValues, ensuring there is no duplicate value.
type Logger ¶
// Logger is the interface used to remove the dependency of this package on the
// logger of the agent. NullLogger is the default implementation.
type Logger interface {
	// Infof is used to print an info level log
	Infof(format string, params ...interface{})
	// Tracef is used to print a trace level log
	Tracef(format string, params ...interface{})
	// Debugf is used to print a debug level log
	Debugf(format string, params ...interface{})
	// Errorf is used to print an error
	Errorf(format string, params ...interface{})
}
Logger is the interface used to remove the dependency of this package on the logger of the agent.
type Macro ¶
// Macro describes a macro of a ruleset: the compiled eval.Macro together with
// the definition it was created from.
type Macro struct {
	*eval.Macro
	// Definition is the definition the macro was built from.
	Definition *MacroDefinition
}
Macro describes a macro of a ruleset
type MacroDefinition ¶
// MacroDefinition holds the definition of a macro, as loaded from a policy file.
type MacroDefinition struct {
	// ID identifies the macro.
	ID MacroID `yaml:"id"`
	// Expression is the SECL expression of the macro.
	Expression string `yaml:"expression"`
	// Values is an alternative to Expression (a list of values);
	// how the two interact is not shown here — confirm.
	Values []string `yaml:"values"`
	// Combine selects how this definition is combined with another one of
	// the same ID (see CombinePolicy and MergeWith).
	Combine CombinePolicy `yaml:"combine"`
}
MacroDefinition holds the definition of a macro
func (*MacroDefinition) MergeWith ¶ added in v0.35.0
func (m *MacroDefinition) MergeWith(m2 *MacroDefinition) error
MergeWith merges macro m2 into m
type NullLogger ¶
// NullLogger is a default implementation of the Logger interface
// (its methods presumably discard their arguments — confirm).
type NullLogger struct{}
NullLogger is a default implementation of the Logger interface
func (NullLogger) Debugf ¶
func (l NullLogger) Debugf(format string, params ...interface{})
Debugf is used to print a debug level log.
func (NullLogger) Errorf ¶
func (l NullLogger) Errorf(format string, params ...interface{})
Errorf is used to print an error
func (NullLogger) Infof ¶
func (l NullLogger) Infof(format string, params ...interface{})
Infof is used to print an info
func (NullLogger) Tracef ¶
func (l NullLogger) Tracef(format string, params ...interface{})
Tracef is used to print a trace level log
type Opts ¶
// Opts defines rule set options. The With* methods set the fields and return
// the receiver so calls can be chained.
type Opts struct {
	eval.Opts
	// SupportedDiscarders lists the fields for which discarders are supported.
	SupportedDiscarders map[eval.Field]bool
	// ReservedRuleIDs are rule IDs reserved for internal use
	// (presumably the source of ErrInternalIDConflict — confirm).
	ReservedRuleIDs []RuleID
	// EventTypeEnabled lists the enabled event types
	// (presumably the source of ErrEventTypeNotEnabled — confirm).
	EventTypeEnabled map[eval.EventType]bool
	// StateScopes maps a variable scope to the factory of its provider.
	StateScopes map[Scope]VariableProviderFactory
	// Logger receives the logs of the rule set.
	Logger Logger
}
Opts defines rules set options
func (*Opts) WithConstants ¶ added in v0.34.0
WithConstants sets constants.
func (*Opts) WithEventTypeEnabled ¶ added in v0.34.0
WithEventTypeEnabled sets the enabled event types.
func (*Opts) WithLegacyFields ¶ added in v0.34.0
WithLegacyFields sets legacy fields.
func (*Opts) WithLogger ¶ added in v0.34.0
WithLogger sets the logger.
func (*Opts) WithReservedRuleIDs ¶ added in v0.34.0
WithReservedRuleIDs sets reserved rule IDs.
func (*Opts) WithStateScopes ¶ added in v0.35.0
func (o *Opts) WithStateScopes(stateScopes map[Scope]VariableProviderFactory) *Opts
WithStateScopes sets state scopes.
func (*Opts) WithSupportedDiscarders ¶ added in v0.34.0
WithSupportedDiscarders sets supported discarders.
func (*Opts) WithUserContext ¶ added in v0.34.0
WithUserContext sets the user context.
func (*Opts) WithVariables ¶ added in v0.34.0
func (o *Opts) WithVariables(variables map[string]eval.VariableValue) *Opts
WithVariables sets variables.
type Policy ¶
// Policy represents a policy file which is composed of a list of rules and macros.
type Policy struct {
	// Name has no yaml tag; presumably set from the policy filename by the loader — confirm.
	Name string
	// Version is the policy version.
	Version string `yaml:"version"`
	// Rules are the rule definitions of the policy.
	Rules []*RuleDefinition `yaml:"rules"`
	// Macros are the macro definitions of the policy.
	Macros []*MacroDefinition `yaml:"macros"`
}
Policy represents a policy file which is composed of a list of rules and macros
func LoadPolicy ¶
LoadPolicy loads a YAML file and returns a new policy
func (*Policy) GetValidMacroAndRules ¶
func (p *Policy) GetValidMacroAndRules() ([]*MacroDefinition, []*RuleDefinition, *multierror.Error)
GetValidMacroAndRules returns the valid macro and rule definitions.
type Rule ¶
// Rule describes a rule of a ruleset: the compiled eval.Rule together with
// the definition it was created from.
type Rule struct {
	*eval.Rule
	// Definition is the definition the rule was built from.
	Definition *RuleDefinition
}
Rule describes a rule of a ruleset
type RuleBucket ¶
// RuleBucket groups rules with the same event type. Rules are added with
// AddRule and listed with GetRules; GetApprovers computes approvers for an event.
type RuleBucket struct {
	// contains filtered or unexported fields
}
RuleBucket groups rules with the same event type
func (*RuleBucket) AddRule ¶
func (rb *RuleBucket) AddRule(rule *Rule) error
AddRule adds a rule to the bucket
func (*RuleBucket) GetApprovers ¶
func (rb *RuleBucket) GetApprovers(event eval.Event, fieldCaps FieldCapabilities) (Approvers, error)
GetApprovers returns the approvers for an event
func (*RuleBucket) GetRules ¶
func (rb *RuleBucket) GetRules() []*Rule
GetRules returns the bucket rules
type RuleDefinition ¶
// RuleDefinition holds the definition of a rule, as loaded from a policy file.
type RuleDefinition struct {
	// ID identifies the rule; it must not collide with another definition
	// (ErrDefinitionIDConflict) nor with an internal ID (ErrInternalIDConflict).
	ID RuleID `yaml:"id"`
	// Version is the rule version.
	Version string `yaml:"version"`
	// Expression is the SECL expression evaluated for the rule.
	Expression string `yaml:"expression"`
	// Description is a human readable description.
	Description string `yaml:"description"`
	// Tags are free-form key/value tags (see GetTags).
	Tags map[string]string `yaml:"tags"`
	// Disabled marks a rule that should not be loaded (exact handling not shown here — confirm).
	Disabled bool `yaml:"disabled"`
	// Combine selects how this definition is combined with another one of
	// the same ID (see CombinePolicy and MergeWith).
	Combine CombinePolicy `yaml:"combine"`
	// Actions are the actions attached to the rule.
	Actions []ActionDefinition `yaml:"actions"`
	// Policy is the policy the rule belongs to; no yaml tag, presumably set
	// by the loader — confirm.
	Policy *Policy
}
RuleDefinition holds the definition of a rule
func (*RuleDefinition) GetTags ¶
func (rd *RuleDefinition) GetTags() []string
GetTags returns the tags associated with a rule.
func (*RuleDefinition) MergeWith ¶ added in v0.35.0
func (rd *RuleDefinition) MergeWith(rd2 *RuleDefinition) error
MergeWith merges rule rd2 into rd
type RuleSet ¶
// RuleSet holds a list of rules, grouped in buckets by event type. An event can
// be evaluated against it; if a rule matches, the listeners registered with
// AddListener are notified. Create one with NewRuleSet.
type RuleSet struct {
	// contains filtered or unexported fields
}
RuleSet holds a list of rules, grouped in buckets. An event can be evaluated against it. If a rule matches, the listeners of this rule set are notified.
func NewRuleSet ¶
NewRuleSet returns a new ruleset for the specified data model
func (*RuleSet) AddFields ¶
AddFields merges the provided set of fields with the existing set of fields of the ruleset
func (*RuleSet) AddListener ¶
func (rs *RuleSet) AddListener(listener RuleSetListener)
AddListener adds a listener on the ruleset
func (*RuleSet) AddMacro ¶
func (rs *RuleSet) AddMacro(macroDef *MacroDefinition) (*eval.Macro, error)
AddMacro parses the macro AST and adds it to the list of macros of the ruleset
func (*RuleSet) AddMacros ¶
func (rs *RuleSet) AddMacros(macros []*MacroDefinition) *multierror.Error
AddMacros parses the macros AST and adds them to the list of macros of the ruleset
func (*RuleSet) AddPolicyVersion ¶
AddPolicyVersion adds the provided policy filename and version to the map of loaded policies
func (*RuleSet) AddRule ¶
func (rs *RuleSet) AddRule(ruleDef *RuleDefinition) (*eval.Rule, error)
AddRule creates the rule evaluator and adds it to the bucket of its events
func (*RuleSet) AddRules ¶
func (rs *RuleSet) AddRules(rules []*RuleDefinition) *multierror.Error
AddRules adds rules to the ruleset and generates their partials.
func (*RuleSet) GetApprovers ¶
func (rs *RuleSet) GetApprovers(fieldCaps map[eval.EventType]FieldCapabilities) (map[eval.EventType]Approvers, error)
GetApprovers returns all approvers
func (*RuleSet) GetBucket ¶
func (rs *RuleSet) GetBucket(eventType eval.EventType) *RuleBucket
GetBucket returns rule bucket for the given event type
func (*RuleSet) GetEventApprovers ¶
func (rs *RuleSet) GetEventApprovers(eventType eval.EventType, fieldCaps FieldCapabilities) (Approvers, error)
GetEventApprovers returns approvers for the given event type and the fields
func (*RuleSet) GetEventTypes ¶
GetEventTypes returns all the event types handled by the ruleset
func (*RuleSet) GetFieldValues ¶
func (rs *RuleSet) GetFieldValues(field eval.Field) []eval.FieldValue
GetFieldValues returns all the values of the given field
func (*RuleSet) HasRulesForEventType ¶
HasRulesForEventType reports whether there is at least one rule for the given event type.
func (*RuleSet) IsDiscarder ¶
IsDiscarder partially evaluates an Event against a field
func (*RuleSet) ListMacroIDs ¶
ListMacroIDs returns the list of MacroIDs from the ruleset
func (*RuleSet) ListRuleIDs ¶
ListRuleIDs returns the list of RuleIDs from the ruleset
type RuleSetListener ¶
// RuleSetListener describes the methods implemented by an object used to be
// notified of events on a rule set (see RuleSet.AddListener).
type RuleSetListener interface {
	// RuleMatch is called when a rule matches an event.
	RuleMatch(rule *Rule, event eval.Event)
	// EventDiscarderFound is called when a discarder is found for an event
	// field (see RuleSet.NotifyDiscarderFound).
	EventDiscarderFound(rs *RuleSet, event eval.Event, field eval.Field, eventType eval.EventType)
}
RuleSetListener describes the methods implemented by an object used to be notified of events on a rule set.
type SetDefinition ¶ added in v0.35.0
// SetDefinition describes the 'set' section of a rule action.
type SetDefinition struct {
	// Name is the name of the variable to set (presumably; confirm).
	Name string `yaml:"name"`
	// Value is a literal value to assign.
	Value interface{} `yaml:"value"`
	// Field names an event field whose value is assigned instead of Value
	// (relationship between the two not shown here — confirm).
	Field string `yaml:"field"`
	// Append requests appending to the variable rather than replacing it.
	Append bool `yaml:"append"`
	// Scope is the scope of the variable (see Opts.StateScopes).
	Scope Scope `yaml:"scope"`
}
SetDefinition describes the 'set' section of a rule action
type VariableProvider ¶ added in v0.35.0
// VariableProvider is the interface implemented by SECL variable providers.
type VariableProvider interface {
	// GetVariable returns the variable of the given name; value is presumably
	// its initial or default value — confirm.
	GetVariable(name string, value interface{}) (eval.VariableValue, error)
}
VariableProvider is the interface implemented by SECL variable providers
type VariableProviderFactory ¶ added in v0.35.0
// VariableProviderFactory describes a function called to instantiate a
// variable provider (see Opts.StateScopes).
type VariableProviderFactory func() VariableProvider
VariableProviderFactory describes a function called to instantiate a variable provider