policy

package
v0.6.8 Latest Latest
Published: Oct 23, 2024 License: Apache-2.0 Imports: 30 Imported by: 0

README

policy

This package is for attestation policy mapping and evaluation.

Documentation

Index

Constants

const (
	// DefaultQuery is the query evaluated against a policy when no other
	// query is supplied: it binds `result` to data.attest.result.
	// NOTE(review): presumably a Rego query, given NewRegoEvaluator and
	// RegoFunctions in this package — confirm where Policy.Query defaults to it.
	DefaultQuery = "result := data.attest.result"
)

Variables

This section is empty.

Functions

func CreateAttestationResolver

func CreateAttestationResolver(resolver oci.ImageDetailsResolver, policyMapping *mapping.PolicyMapping) (attestation.Resolver, error)

func CreateImageDetailsResolver

func CreateImageDetailsResolver(imageSource *oci.ImageSpec) (oci.ImageDetailsResolver, error)

func RegoFunctions

func RegoFunctions(regoOpts *RegoFnOpts) []*tester.Builtin

func VerifySubject

func VerifySubject(ctx context.Context, subject []intoto.Subject, resolver attestation.Resolver) error

VerifySubject verifies whether any of the given subject PURLs matches the image name and platform obtained from resolver. Tags are not taken into account when matching because the user may not have specified a tag, and there may be no PURL subject carrying that particular tag (possibly because of post-build tagging).

Types

type Evaluator

// Evaluator evaluates a resolved Policy against an Input and reports the
// outcome as a Result. Implementations on this page: the value returned by
// NewRegoEvaluator and the test double MockPolicyEvaluator.
type Evaluator interface {
	// Evaluate runs the policy pctx against input, using resolver to obtain
	// the attestations the policy refers to. A non-nil error signals that
	// evaluation itself failed; NOTE(review): policy violations are presumably
	// reported through Result.Success/Violations rather than as an error —
	// confirm against the rego implementation.
	Evaluate(ctx context.Context, resolver attestation.Resolver, pctx *Policy, input *Input) (*Result, error)
}

func GetMockPolicy

func GetMockPolicy() Evaluator

func NewRegoEvaluator

func NewRegoEvaluator(debug bool, attestationVerifier attestation.Verifier) Evaluator

type File

// File is one policy input file: the path it was loaded from (or is addressed
// by) and its raw content. Policy.InputFiles holds a list of these.
type File struct {
	// Path identifies the file. NOTE(review): whether this is relative to a
	// policy directory or absolute is not stated here — confirm in Resolver.
	Path    string
	// Content is the file's bytes as loaded; it is not parsed at this level.
	Content []byte
}

type Input

// Input is the policy input passed to Evaluator.Evaluate. The json tags give
// the field names under which the values are exposed to the policy.
// Digest through Platform presumably describe the image under evaluation —
// confirm with the caller that builds the Input.
type Input struct {
	Digest         string     `json:"digest"`
	PURL           string     `json:"purl"`
	// Tag is optional (omitempty); see VerifySubject, which ignores tags when
	// matching subjects.
	Tag            string     `json:"tag,omitempty"`
	Domain         string     `json:"domain"`
	NormalizedName string     `json:"normalized_name"`
	FamiliarName   string     `json:"familiar_name"`
	Platform       string     `json:"platform"`
	// Parameters carries the extra key/value pairs from Options.Parameters
	// through to the policy as inputs.
	Parameters     Parameters `json:"parameters"`
}

type MockPolicyEvaluator

// MockPolicyEvaluator is a test double for Evaluator. Its Evaluate method
// (declared below) presumably delegates to EvaluateFunc, so tests can inject
// any outcome; GetMockPolicy returns one as an Evaluator.
// NOTE(review): behaviour when EvaluateFunc is nil is not visible here — confirm.
type MockPolicyEvaluator struct {
	// EvaluateFunc has the same signature as Evaluator.Evaluate.
	EvaluateFunc func(ctx context.Context, resolver attestation.Resolver, pctx *Policy, input *Input) (*Result, error)
}

func (*MockPolicyEvaluator) Evaluate

func (pe *MockPolicyEvaluator) Evaluate(ctx context.Context, resolver attestation.Resolver, pctx *Policy, input *Input) (*Result, error)

type Options

// Options configures a Resolver (see NewResolver): where policy material
// comes from, which policy is selected, and what is handed on to evaluation.
type Options struct {
	// TUFClientOptions configures the TUF client used to fetch policy targets.
	TUFClientOptions    *tuf.ClientOptions
	// DisableTUF turns TUF off. NOTE(review): when set, policy material is
	// presumably read from LocalPolicyDir/LocalTargetsDir without TUF's
	// update/signature checks — confirm in ResolvePolicy and document the
	// trust implication for callers.
	DisableTUF          bool
	// LocalTargetsDir and LocalPolicyDir point at local policy material;
	// how they interact with TUF is not visible here — confirm.
	LocalTargetsDir     string
	LocalPolicyDir      string
	// PolicyID selects a policy; presumably matched against the policy
	// mapping — confirm.
	PolicyID            string
	// ReferrersRepo names the repository consulted for referrer artifacts
	// (attestations); see CreateAttestationResolver. Exact use not visible here.
	ReferrersRepo       string
	// AttestationStyle selects how attestations are located (mapping.AttestationStyle).
	AttestationStyle    mapping.AttestationStyle
	// Debug enables debugging output; NewRegoEvaluator also takes a debug flag.
	Debug               bool
	// AttestationVerifier verifies attestation signatures; the same type is
	// passed to NewRegoEvaluator and NewRegoFunctionOptions.
	AttestationVerifier attestation.Verifier
	// extra parameters to pass through to rego as policy inputs
	Parameters Parameters
}

type Parameters added in v0.6.6

// Parameters is a set of string key/value pairs passed through to the policy
// as inputs (Options.Parameters on the way in, Input.Parameters as seen by
// the policy).
type Parameters map[string]string

type Policy

// Policy is a resolved policy ready for evaluation: its input files, the
// query to run, and provenance (name, URI, digests). Produced by
// Resolver.ResolvePolicy and consumed by Evaluator.Evaluate.
type Policy struct {
	// InputFiles are the policy source files.
	InputFiles   []*File
	// Query is the query evaluated against the policy; see DefaultQuery.
	Query        string
	// Mapping is the mapping entry this policy was selected from.
	Mapping      *mapping.PolicyMapping
	// ResolvedName is the image name the policy was resolved for (presumably;
	// confirm in ResolvePolicy).
	ResolvedName string
	// URI identifies where the policy came from; surfaced as Summary.PolicyURI.
	URI          string
	// Digest maps digest algorithm to value for the policy content —
	// NOTE(review): key/value format is not stated here; confirm.
	Digest       map[string]string
}

type RegoFnOpts added in v0.6.0

// RegoFnOpts holds the options for the built-in functions returned by
// RegoFunctions. Construct it with NewRegoFunctionOptions, which takes the
// attestation resolver and verifier the built-ins use.
type RegoFnOpts struct {
	// contains filtered or unexported fields
}

func NewRegoFunctionOptions added in v0.6.0

func NewRegoFunctionOptions(resolver attestation.Resolver, verifier attestation.Verifier) *RegoFnOpts

This is exported for testing, both here and in clients of the library.

type Resolver

// Resolver selects the Policy that applies to an image name and platform
// (see ResolvePolicy). Create one with NewResolver from a tuf.Downloader
// and Options.
type Resolver struct {
	// contains filtered or unexported fields
}

func NewResolver

func NewResolver(tufClient tuf.Downloader, opts *Options) *Resolver

func (*Resolver) ResolvePolicy

func (r *Resolver) ResolvePolicy(_ context.Context, imageName string, platform *v1.Platform) (*Policy, error)

type Result

// Result is the outcome of a policy evaluation.
type Result struct {
	// Success reports whether the policy passed; AllowedResult presumably
	// returns a Result with Success set — confirm.
	Success    bool        `json:"success"`
	// Violations lists the individual policy violations found.
	Violations []Violation `json:"violations"`
	// Summary describes what was evaluated (subjects, input attestations,
	// verifier, policy URI).
	Summary    Summary     `json:"summary"`
}

func AllowedResult

func AllowedResult() *Result

type Summary

// Summary records what an evaluation covered, for reporting alongside Result.
type Summary struct {
	// Subjects are the in-toto subjects the evaluation applied to.
	Subjects   []intoto.Subject                 `json:"subjects"`
	// Inputs are the attestations consumed as inputs (serialized as input_attestations).
	Inputs     []attestation.ResourceDescriptor `json:"input_attestations"`
	// SLSALevels lists SLSA levels; how they are derived is not visible here.
	SLSALevels []string                         `json:"slsa_levels"`
	// Verifier names the verifier; PolicyURI echoes Policy.URI (presumably).
	Verifier   string                           `json:"verifier"`
	PolicyURI  string                           `json:"policy_uri"`
}

type Violation

// Violation is a single policy failure reported in Result.Violations.
type Violation struct {
	// Type classifies the violation; Description is human-readable text.
	Type        string            `json:"type"`
	Description string            `json:"description"`
	// Attestation is the statement the violation relates to, if any (nil otherwise).
	Attestation *intoto.Statement `json:"attestation"`
	// Details is free-form, policy-defined data. NOTE(review): its shape and
	// contents are presumably set by the policy, so consumers rendering it
	// should not assume a fixed schema — confirm.
	Details     map[string]any    `json:"details"`
}
