Documentation ¶
Index ¶
- Constants
- Variables
- func CheckRuleID(ruleID string) bool
- func GetRuleEventType(rule *eval.Rule) (eval.EventType, error)
- type ActionDefinition
- type AgentVersionFilter
- type Approvers
- type CombinePolicy
- type ErrFieldTypeUnknown
- type ErrMacroLoad
- type ErrNoApprover
- type ErrNoEventTypeBucket
- type ErrPoliciesLoad
- type ErrPolicyLoad
- type ErrRuleLoad
- type ErrValueTypeUnknown
- type FieldCapabilities
- type FieldCapability
- type FilterValue
- type FilterValues
- type Logger
- type Macro
- type MacroDefinition
- type MacroID
- type NullLogger
- type Opts
- func (o *Opts) WithEventTypeEnabled(eventTypes map[eval.EventType]bool) *Opts
- func (o *Opts) WithLogger(logger Logger) *Opts
- func (o *Opts) WithReservedRuleIDs(ruleIds []RuleID) *Opts
- func (o *Opts) WithStateScopes(stateScopes map[Scope]VariableProviderFactory) *Opts
- func (o *Opts) WithSupportedDiscarders(discarders map[eval.Field]bool) *Opts
- type PoliciesDirProvider
- type Policy
- type PolicyDef
- type PolicyLoader
- type PolicyLoaderOpts
- type PolicyProvider
- type Rule
- type RuleBucket
- type RuleDefinition
- type RuleFilter
- type RuleID
- type RuleIDFilter
- type RuleSet
- func (rs *RuleSet) AddFields(fields []eval.EventType)
- func (rs *RuleSet) AddListener(listener RuleSetListener)
- func (rs *RuleSet) AddMacro(macroDef *MacroDefinition) (*eval.Macro, error)
- func (rs *RuleSet) AddMacros(macros []*MacroDefinition) *multierror.Error
- func (rs *RuleSet) AddRule(ruleDef *RuleDefinition) (*eval.Rule, error)
- func (rs *RuleSet) AddRules(rules []*RuleDefinition) *multierror.Error
- func (rs *RuleSet) Evaluate(event eval.Event) bool
- func (rs *RuleSet) GetApprovers(fieldCaps map[eval.EventType]FieldCapabilities) (map[eval.EventType]Approvers, error)
- func (rs *RuleSet) GetBucket(eventType eval.EventType) *RuleBucket
- func (rs *RuleSet) GetEventApprovers(eventType eval.EventType, fieldCaps FieldCapabilities) (Approvers, error)
- func (rs *RuleSet) GetEventTypes() []eval.EventType
- func (rs *RuleSet) GetFieldValues(field eval.Field) []eval.FieldValue
- func (rs *RuleSet) GetPolicies() []*Policy
- func (rs *RuleSet) GetRules() map[eval.RuleID]*Rule
- func (rs *RuleSet) HasRulesForEventType(eventType eval.EventType) bool
- func (rs *RuleSet) IsDiscarder(event eval.Event, field eval.Field) (bool, error)
- func (rs *RuleSet) ListMacroIDs() []MacroID
- func (rs *RuleSet) ListRuleIDs() []RuleID
- func (rs *RuleSet) LoadPolicies(loader *PolicyLoader, opts PolicyLoaderOpts) *multierror.Error
- func (rs *RuleSet) NotifyDiscarderFound(event eval.Event, field eval.Field, eventType eval.EventType)
- func (rs *RuleSet) NotifyRuleMatch(rule *Rule, event eval.Event)
- type RuleSetListener
- type Scope
- type SetDefinition
- type VariableProvider
- type VariableProviderFactory
Constants ¶
const DefaultPolicyName = "default.policy"
DefaultPolicyName is the name of the default policy. The default policy has a slightly privileged position when loading the rules.
Variables ¶
// Sentinel errors returned while loading rule and macro definitions.
// Compare with errors.Is in case a caller has wrapped them.
var (
	// ErrRuleWithoutEvent is returned when no event type was inferred from the rule
	ErrRuleWithoutEvent = errors.New("no event in the rule definition")
	// ErrRuleWithMultipleEvents is returned when multiple event types were inferred from the rule
	ErrRuleWithMultipleEvents = errors.New("rule with multiple events is not supported")
	// ErrDefinitionIDConflict is returned when multiple rules use the same ID
	ErrDefinitionIDConflict = errors.New("multiple definition with the same ID")
	// ErrInternalIDConflict is returned when a user-defined rule uses an internal ID
	// (presumably one listed in Opts.ReservedRuleIDs — confirm in AddRule)
	ErrInternalIDConflict = errors.New("internal rule ID conflict")
	// ErrEventTypeNotEnabled is returned when an event type is not enabled
	// (see Opts.EventTypeEnabled)
	ErrEventTypeNotEnabled = errors.New("event type not enabled")
	// ErrCannotMergeExpression is returned when trying to merge SECL expressions
	ErrCannotMergeExpression = errors.New("cannot merge expression")
)
Functions ¶
func CheckRuleID ¶ added in v0.39.0
CheckRuleID validates a ruleID
Types ¶
type ActionDefinition ¶ added in v0.35.0
// ActionDefinition describes a rule action section; Check reports whether it is valid.
type ActionDefinition struct {
	// Set describes the 'set' action (see SetDefinition).
	Set *SetDefinition `yaml:"set"`
}
ActionDefinition describes a rule action section
func (*ActionDefinition) Check ¶ added in v0.35.0
func (a *ActionDefinition) Check() error
Check returns an error if the action is invalid
type AgentVersionFilter ¶ added in v0.39.0
AgentVersionFilter defines an agent version filter
func (*AgentVersionFilter) IsAccepted ¶ added in v0.39.0
func (r *AgentVersionFilter) IsAccepted(rule *RuleDefinition) bool
IsAccepted checks whether the rule is accepted
type Approvers ¶
// Approvers are filter values indexed by field.
type Approvers map[eval.Field]FilterValues
Approvers are just filter values indexed by field
func GetApprovers ¶ added in v0.36.0
GetApprovers returns approvers for the given rules
type CombinePolicy ¶ added in v0.35.0
// CombinePolicy represents the policy used to combine rules and macros
// (see NoPolicy, MergePolicy and OverridePolicy).
type CombinePolicy = string
CombinePolicy represents the policy to use to combine rules and macros
// Combine policies.
const (
	// NoPolicy is the zero value: no combine policy was specified.
	NoPolicy CombinePolicy = ""
	// MergePolicy combines definitions (see RuleDefinition.MergeWith and MacroDefinition.MergeWith).
	MergePolicy CombinePolicy = "merge"
	// OverridePolicy presumably replaces the existing definition — confirm in the loader.
	OverridePolicy CombinePolicy = "override"
)
Combine policies
type ErrFieldTypeUnknown ¶
// ErrFieldTypeUnknown is returned when a field has an unknown type.
type ErrFieldTypeUnknown struct {
	// Field is the name of the field whose type is unknown.
	Field string
}
ErrFieldTypeUnknown is returned when a field has an unknown type
func (*ErrFieldTypeUnknown) Error ¶
func (e *ErrFieldTypeUnknown) Error() string
type ErrMacroLoad ¶
// ErrMacroLoad is returned on a macro definition error.
type ErrMacroLoad struct {
	// Definition is the macro definition that failed to load.
	Definition *MacroDefinition
	// Err is the underlying error.
	Err error
}
ErrMacroLoad is returned on a macro definition error
func (ErrMacroLoad) Error ¶
func (e ErrMacroLoad) Error() string
type ErrNoApprover ¶
// ErrNoApprover is returned when no approver was found for a set of rules.
type ErrNoApprover struct {
	// Fields lists the fields for which no approver was found.
	Fields []string
}
ErrNoApprover is returned when no approver was found for a set of rules
func (ErrNoApprover) Error ¶
func (e ErrNoApprover) Error() string
type ErrNoEventTypeBucket ¶
// ErrNoEventTypeBucket is returned when no bucket could be found for an event type.
type ErrNoEventTypeBucket struct {
	// EventType is the event type for which no bucket exists.
	EventType string
}
ErrNoEventTypeBucket is returned when no bucket could be found for an event type
func (ErrNoEventTypeBucket) Error ¶
func (e ErrNoEventTypeBucket) Error() string
type ErrPoliciesLoad ¶
ErrPoliciesLoad is returned on a policies directory error
func (ErrPoliciesLoad) Error ¶
func (e ErrPoliciesLoad) Error() string
type ErrPolicyLoad ¶
ErrPolicyLoad is returned on a policy file error
func (ErrPolicyLoad) Error ¶
func (e ErrPolicyLoad) Error() string
type ErrRuleLoad ¶
// ErrRuleLoad is returned on a rule definition error.
type ErrRuleLoad struct {
	// Definition is the rule definition that failed to load.
	Definition *RuleDefinition
	// Err is the underlying error.
	Err error
}
ErrRuleLoad is returned on a rule definition error
func (ErrRuleLoad) Error ¶
func (e ErrRuleLoad) Error() string
type ErrValueTypeUnknown ¶
// ErrValueTypeUnknown is returned when the value of a field has an unknown type.
type ErrValueTypeUnknown struct {
	// Field is the name of the field whose value type is unknown.
	Field string
}
ErrValueTypeUnknown is returned when the value of a field has an unknown type
func (*ErrValueTypeUnknown) Error ¶
func (e *ErrValueTypeUnknown) Error() string
type FieldCapabilities ¶
// FieldCapabilities holds a list of field capabilities (see GetFields and Validate).
type FieldCapabilities []FieldCapability
FieldCapabilities holds a list of field capabilities
func (FieldCapabilities) GetFields ¶
func (fcs FieldCapabilities) GetFields() []eval.Field
GetFields returns all the fields of FieldCapabilities
func (FieldCapabilities) Validate ¶
func (fcs FieldCapabilities) Validate(filterValues FilterValues) bool
Validate ensures all the filter values match field capabilities
type FieldCapability ¶
// FieldCapability represents a field and the type of its value (scalar, pattern, bitmask, ...).
type FieldCapability struct {
	// Field is the field this capability describes.
	Field eval.Field
	// Types is the set of value types accepted for the field.
	Types eval.FieldValueType
	// ValidateFnc validates a candidate FilterValue for this field.
	// NOTE(review): presumably optional (nil allowed) — confirm in FieldCapabilities.Validate.
	ValidateFnc func(FilterValue) bool
	// FilterWeight is a weight attached to the filter; its use is not shown here — see GetApprovers.
	FilterWeight int
}
FieldCapability represents a field and the type of its value (scalar, pattern, bitmask, ...)
type FilterValue ¶
// FilterValue represents a field, its value and the type of that value.
type FilterValue struct {
	// Field is the field the value applies to.
	Field eval.Field
	// Value is the untyped value; Type says how to interpret it.
	Value interface{}
	// Type is the value type (scalar, pattern, bitmask, ...).
	Type eval.FieldValueType
}
FilterValue represents a field, its value, its type and whether it's used to compare with or against its value
type FilterValues ¶
// FilterValues is a list of FilterValue; Merge combines lists without duplicates.
type FilterValues []FilterValue
FilterValues is a list of FilterValue
func (FilterValues) Merge ¶
func (fv FilterValues) Merge(n ...FilterValue) FilterValues
Merge merges two FilterValues, ensuring there are no duplicate values
type Logger ¶
// Logger is the interface used to remove the dependency of this package on the agent's logger.
// All methods are printf-style: keep format a constant and pass dynamic data (rule
// or event contents) through params so that go vet's printf check can verify calls.
type Logger interface {
	// Infof is used to print an info level log
	Infof(format string, params ...interface{})
	// Tracef is used to print a trace level log
	Tracef(format string, params ...interface{})
	// Debugf is used to print a debug level log
	Debugf(format string, params ...interface{})
	// Errorf is used to print an error
	Errorf(format string, params ...interface{})
}
Logger is the interface used to remove the dependency of this package on the agent's logger
type Macro ¶
// Macro describes a macro of a ruleset: the parsed macro together with its definition.
type Macro struct {
	*eval.Macro
	// Definition is the definition the macro was parsed from.
	Definition *MacroDefinition
}
Macro describes a macro of a ruleset
type MacroDefinition ¶
// MacroDefinition holds the definition of a macro as read from a policy file.
type MacroDefinition struct {
	// ID identifies the macro.
	ID MacroID `yaml:"id"`
	// Expression is the SECL expression of the macro.
	Expression string `yaml:"expression"`
	// Values is the list of values of the macro.
	Values []string `yaml:"values"`
	// Combine selects how this definition is combined with an existing one (see MergeWith).
	Combine CombinePolicy `yaml:"combine"`
}
MacroDefinition holds the definition of a macro
func (*MacroDefinition) MergeWith ¶ added in v0.35.0
func (m *MacroDefinition) MergeWith(m2 *MacroDefinition) error
MergeWith merges macro m2 into m
type NullLogger ¶
// NullLogger is a default implementation of the Logger interface
// (presumably a no-op; method bodies are not shown here).
type NullLogger struct{}
NullLogger is a default implementation of the Logger interface
func (NullLogger) Debugf ¶
func (l NullLogger) Debugf(format string, params ...interface{})
Debugf is used to print a debug level log
func (NullLogger) Errorf ¶
func (l NullLogger) Errorf(format string, params ...interface{})
Errorf is used to print an error
func (NullLogger) Infof ¶
func (l NullLogger) Infof(format string, params ...interface{})
Infof is used to print an info level log
func (NullLogger) Tracef ¶
func (l NullLogger) Tracef(format string, params ...interface{})
Tracef is used to print a trace level log
type Opts ¶
// Opts defines rule set options; the With* methods set them fluently.
type Opts struct {
	// SupportedDiscarders lists the fields that can be used as discarders (see IsDiscarder).
	SupportedDiscarders map[eval.Field]bool
	// ReservedRuleIDs lists rule IDs reserved for internal use.
	// NOTE(review): presumably a user rule reusing one is rejected with ErrInternalIDConflict — confirm in AddRule.
	ReservedRuleIDs []RuleID
	// EventTypeEnabled lists the enabled event types (see ErrEventTypeNotEnabled).
	EventTypeEnabled map[eval.EventType]bool
	// StateScopes maps each scope to the factory of its variable provider.
	StateScopes map[Scope]VariableProviderFactory
	// Logger receives the rule set logs.
	Logger Logger
}
Opts defines rules set options
func (*Opts) WithEventTypeEnabled ¶ added in v0.34.0
WithEventTypeEnabled sets the enabled event types
func (*Opts) WithLogger ¶ added in v0.34.0
WithLogger sets the logger
func (*Opts) WithReservedRuleIDs ¶ added in v0.34.0
WithReservedRuleIDs sets the reserved rule IDs
func (*Opts) WithStateScopes ¶ added in v0.35.0
func (o *Opts) WithStateScopes(stateScopes map[Scope]VariableProviderFactory) *Opts
WithStateScopes sets the state scopes
type PoliciesDirProvider ¶ added in v0.38.0
// PoliciesDirProvider is a PolicyProvider that loads policies from a directory.
// NOTE(review): the files in this directory become the rules the rule set evaluates,
// so write access to it is equivalent to control of the rule set.
type PoliciesDirProvider struct {
	// PoliciesDir is the directory the policies are read from.
	PoliciesDir string
	// contains filtered or unexported fields
}
PoliciesDirProvider defines a policy directory provider
func NewPoliciesDirProvider ¶ added in v0.38.0
func NewPoliciesDirProvider(policiesDir string, watch bool) (*PoliciesDirProvider, error)
NewPoliciesDirProvider returns a provider for the given policies directory
func (*PoliciesDirProvider) Close ¶ added in v0.38.0
func (p *PoliciesDirProvider) Close() error
Close stops the policy provider
func (*PoliciesDirProvider) LoadPolicies ¶ added in v0.38.0
func (p *PoliciesDirProvider) LoadPolicies(filters []RuleFilter) ([]*Policy, *multierror.Error)
LoadPolicies implements the policy provider interface
func (*PoliciesDirProvider) SetOnNewPoliciesReadyCb ¶ added in v0.38.0
func (p *PoliciesDirProvider) SetOnNewPoliciesReadyCb(cb func())
SetOnNewPoliciesReadyCb implements the policy provider interface
func (*PoliciesDirProvider) Start ¶ added in v0.38.0
func (p *PoliciesDirProvider) Start()
Start starts the policy dir provider
type Policy ¶
// Policy represents a policy file, which is composed of a list of rules and macros.
type Policy struct {
	// Name is the policy name (see DefaultPolicyName).
	Name string
	// Source identifies where the policy came from; it is passed as-is to LoadPolicy.
	Source string
	// Version is the policy version.
	Version string
	// Rules are the rule definitions of the policy.
	Rules []*RuleDefinition
	// Macros are the macro definitions of the policy.
	Macros []*MacroDefinition
}
Policy represents a policy file which is composed of a list of rules and macros
func LoadPolicy ¶
func LoadPolicy(name string, source string, reader io.Reader, filters []RuleFilter) (*Policy, error)
LoadPolicy loads a policy
func (*Policy) AddMacro ¶ added in v0.38.0
func (p *Policy) AddMacro(def *MacroDefinition)
AddMacro adds a macro to the policy
func (*Policy) AddRule ¶ added in v0.38.0
func (p *Policy) AddRule(def *RuleDefinition)
AddRule adds a rule to the policy
type PolicyDef ¶ added in v0.38.0
// PolicyDef represents a policy file definition, i.e. the YAML layout of a policy file.
type PolicyDef struct {
	// Version is the policy version.
	Version string `yaml:"version"`
	// Rules are the rule definitions of the file.
	Rules []*RuleDefinition `yaml:"rules"`
	// Macros are the macro definitions of the file.
	Macros []*MacroDefinition `yaml:"macros"`
}
PolicyDef represents a policy file definition
type PolicyLoader ¶ added in v0.38.0
// PolicyLoader defines a policy loader. It embeds a sync.RWMutex, so it must be
// used through the pointer returned by NewPolicyLoader and never copied.
type PolicyLoader struct {
	sync.RWMutex
	// Providers are the policy providers the loader pulls policies from (see SetProviders).
	Providers []PolicyProvider
	// contains filtered or unexported fields
}
PolicyLoader defines a policy loader
func NewPolicyLoader ¶ added in v0.38.0
func NewPolicyLoader(providers ...PolicyProvider) *PolicyLoader
NewPolicyLoader returns a new loader
func (*PolicyLoader) LoadPolicies ¶ added in v0.38.0
func (p *PolicyLoader) LoadPolicies(opts PolicyLoaderOpts) ([]*Policy, *multierror.Error)
LoadPolicies loads the policies
func (*PolicyLoader) NewPolicyReady ¶ added in v0.38.0
func (p *PolicyLoader) NewPolicyReady() <-chan struct{}
NewPolicyReady returns a channel on which new-policy-ready events are delivered
func (*PolicyLoader) SetProviders ¶ added in v0.38.0
func (p *PolicyLoader) SetProviders(providers []PolicyProvider)
SetProviders sets the providers
type PolicyLoaderOpts ¶ added in v0.39.0
// PolicyLoaderOpts holds the options used during loading.
type PolicyLoaderOpts struct {
	// RuleFilters are the filters handed to each PolicyProvider.LoadPolicies call.
	RuleFilters []RuleFilter
}
PolicyLoaderOpts holds the options used during loading
type PolicyProvider ¶ added in v0.38.0
// PolicyProvider defines a policy provider (PoliciesDirProvider is one implementation).
type PolicyProvider interface {
	// LoadPolicies returns the policies, keeping only rules accepted by the filters.
	LoadPolicies([]RuleFilter) ([]*Policy, *multierror.Error)
	// SetOnNewPoliciesReadyCb registers the callback invoked when new policies are ready.
	SetOnNewPoliciesReadyCb(func())
	// Start starts the provider.
	Start()
	// Close stops the provider.
	Close() error
}
PolicyProvider defines a policy provider
type Rule ¶
// Rule describes a rule of a ruleset: the evaluator together with its definition.
type Rule struct {
	*eval.Rule
	// Definition is the definition the rule was created from.
	Definition *RuleDefinition
}
Rule describes a rule of a ruleset
type RuleBucket ¶
// RuleBucket groups rules with the same event type (see AddRule and GetRules).
type RuleBucket struct {
	// contains filtered or unexported fields
}
RuleBucket groups rules with the same event type
func (*RuleBucket) AddRule ¶
func (rb *RuleBucket) AddRule(rule *Rule) error
AddRule adds a rule to the bucket
func (*RuleBucket) GetRules ¶
func (rb *RuleBucket) GetRules() []*Rule
GetRules returns the bucket rules
type RuleDefinition ¶
// RuleDefinition holds the definition of a rule as read from a policy file.
type RuleDefinition struct {
	// ID identifies the rule (see CheckRuleID).
	ID RuleID `yaml:"id"`
	// Version is the rule version.
	Version string `yaml:"version"`
	// Expression is the SECL expression of the rule.
	Expression string `yaml:"expression"`
	// Description is a human-readable description.
	Description string `yaml:"description"`
	// Tags are free-form key/value tags (see GetTags).
	Tags map[string]string `yaml:"tags"`
	// AgentVersionConstraint restricts the agent versions the rule applies to
	// (presumably evaluated by AgentVersionFilter — confirm).
	AgentVersionConstraint string `yaml:"agent_version"`
	// Disabled marks the rule as disabled.
	Disabled bool `yaml:"disabled"`
	// Combine selects how this definition is combined with an existing one (see MergeWith).
	Combine CombinePolicy `yaml:"combine"`
	// Actions are the actions run when the rule matches.
	Actions []ActionDefinition `yaml:"actions"`
	// Policy is the policy the rule belongs to; no yaml tag, presumably set by the loader.
	Policy *Policy
}
RuleDefinition holds the definition of a rule
func (*RuleDefinition) GetTags ¶
func (rd *RuleDefinition) GetTags() []string
GetTags returns the tags associated to a rule
func (*RuleDefinition) MergeWith ¶ added in v0.35.0
func (rd *RuleDefinition) MergeWith(rd2 *RuleDefinition) error
MergeWith merges rule rd2 into rd
type RuleFilter ¶ added in v0.39.0
// RuleFilter is the interface implemented by rule filters
// (see AgentVersionFilter and RuleIDFilter).
type RuleFilter interface {
	// IsAccepted reports whether the rule passes the filter.
	IsAccepted(rule *RuleDefinition) bool
}
RuleFilter is the interface implemented by rule filters
type RuleIDFilter ¶ added in v0.39.0
// RuleIDFilter defines an ID-based rule filter.
type RuleIDFilter struct {
	// ID is the rule ID the filter matches on.
	ID string
}
RuleIDFilter defines an ID-based filter
func (*RuleIDFilter) IsAccepted ¶ added in v0.39.0
func (r *RuleIDFilter) IsAccepted(rule *RuleDefinition) bool
IsAccepted checks whether the rule is accepted
type RuleSet ¶
// RuleSet holds a list of rules, grouped in buckets by event type. An event can be
// evaluated against it; when a rule matches, the listeners of the rule set are notified.
// Create it with NewRuleSet.
type RuleSet struct {
	// contains filtered or unexported fields
}
RuleSet holds a list of rules, grouped in buckets. An event can be evaluated against it. If a rule matches, the listeners of this rule set are notified
func NewRuleSet ¶
func NewRuleSet(model eval.Model, eventCtor func() eval.Event, opts *Opts, evalOpts *eval.Opts, macroStore *eval.MacroStore) *RuleSet
NewRuleSet returns a new ruleset for the specified data model
func (*RuleSet) AddFields ¶
AddFields merges the provided set of fields with the existing set of fields of the ruleset
func (*RuleSet) AddListener ¶
func (rs *RuleSet) AddListener(listener RuleSetListener)
AddListener adds a listener on the ruleset
func (*RuleSet) AddMacro ¶
func (rs *RuleSet) AddMacro(macroDef *MacroDefinition) (*eval.Macro, error)
AddMacro parses the macro AST and adds it to the list of macros of the ruleset
func (*RuleSet) AddMacros ¶
func (rs *RuleSet) AddMacros(macros []*MacroDefinition) *multierror.Error
AddMacros parses the macros AST and adds them to the list of macros of the ruleset
func (*RuleSet) AddRule ¶
func (rs *RuleSet) AddRule(ruleDef *RuleDefinition) (*eval.Rule, error)
AddRule creates the rule evaluator and adds it to the bucket of its events
func (*RuleSet) AddRules ¶
func (rs *RuleSet) AddRules(rules []*RuleDefinition) *multierror.Error
AddRules adds rules to the ruleset and generates their partials
func (*RuleSet) GetApprovers ¶
func (rs *RuleSet) GetApprovers(fieldCaps map[eval.EventType]FieldCapabilities) (map[eval.EventType]Approvers, error)
GetApprovers returns all approvers
func (*RuleSet) GetBucket ¶
func (rs *RuleSet) GetBucket(eventType eval.EventType) *RuleBucket
GetBucket returns rule bucket for the given event type
func (*RuleSet) GetEventApprovers ¶
func (rs *RuleSet) GetEventApprovers(eventType eval.EventType, fieldCaps FieldCapabilities) (Approvers, error)
GetEventApprovers returns approvers for the given event type and the fields
func (*RuleSet) GetEventTypes ¶
GetEventTypes returns all the event types handled by the ruleset
func (*RuleSet) GetFieldValues ¶
func (rs *RuleSet) GetFieldValues(field eval.Field) []eval.FieldValue
GetFieldValues returns all the values of the given field
func (*RuleSet) GetPolicies ¶ added in v0.39.0
GetPolicies returns the policies
func (*RuleSet) HasRulesForEventType ¶
HasRulesForEventType returns whether there is at least one rule for the given event type
func (*RuleSet) IsDiscarder ¶
IsDiscarder partially evaluates an Event against a field
func (*RuleSet) ListMacroIDs ¶
ListMacroIDs returns the list of MacroIDs from the ruleset
func (*RuleSet) ListRuleIDs ¶
ListRuleIDs returns the list of RuleIDs from the ruleset
func (*RuleSet) LoadPolicies ¶ added in v0.38.0
func (rs *RuleSet) LoadPolicies(loader *PolicyLoader, opts PolicyLoaderOpts) *multierror.Error
LoadPolicies loads policies from the provided policy loader
type RuleSetListener ¶
// RuleSetListener describes the methods implemented by an object used to be notified
// of events on a rule set (register it with RuleSet.AddListener).
type RuleSetListener interface {
	// RuleMatch is called when rule matched event (see RuleSet.NotifyRuleMatch).
	RuleMatch(rule *Rule, event eval.Event)
	// EventDiscarderFound is called when a discarder was found for field on event
	// (see RuleSet.NotifyDiscarderFound).
	EventDiscarderFound(rs *RuleSet, event eval.Event, field eval.Field, eventType eval.EventType)
}
RuleSetListener describes the methods implemented by an object used to be notified of events on a rule set.
type SetDefinition ¶ added in v0.35.0
// SetDefinition describes the 'set' section of a rule action.
type SetDefinition struct {
	// Name is the name of the variable to set.
	Name string `yaml:"name"`
	// Value is the value to set; untyped, as decoded from YAML.
	Value interface{} `yaml:"value"`
	// Field names an event field whose value is used instead of Value
	// (presumably mutually exclusive with Value — confirm in ActionDefinition.Check).
	Field string `yaml:"field"`
	// Append appends to the variable instead of replacing it.
	Append bool `yaml:"append"`
	// Scope is the scope of the variable (see Opts.StateScopes).
	Scope Scope `yaml:"scope"`
}
SetDefinition describes the 'set' section of a rule action
type VariableProvider ¶ added in v0.35.0
// VariableProvider is the interface implemented by SECL variable providers.
type VariableProvider interface {
	// GetVariable returns the variable named name, created with the given initial value if needed.
	// NOTE(review): creation-on-miss is inferred from the value parameter — confirm against implementations.
	GetVariable(name string, value interface{}) (eval.VariableValue, error)
}
VariableProvider is the interface implemented by SECL variable providers
type VariableProviderFactory ¶ added in v0.35.0
// VariableProviderFactory describes a function called to instantiate a variable provider
// (one per scope, see Opts.StateScopes).
type VariableProviderFactory func() VariableProvider
VariableProviderFactory describes a function called to instantiate a variable provider