policy

package
v0.6.102 (this package is not in the latest version of its module)
Published: Nov 6, 2024 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

const (
	Now           = "now"
	AtAttestation = "attestation"
	DateFormat    = "2006-01-02"
)

Variables

var (
	PolicySourcesFrom      = source.PolicySourcesFrom
	CreateWorkDir          = utils.CreateWorkDir
	PolicyCacheFromContext = cache.PolicyCacheFromContext
)

Functions

func ValidatePolicy added in v0.4.0

func ValidatePolicy(ctx context.Context, policyConfig string) error

Types

type FakeKubernetesClient

type FakeKubernetesClient struct {
	Policy     ecc.EnterpriseContractPolicySpec
	Snapshot   app.SnapshotSpec
	FetchError bool
}

func (*FakeKubernetesClient) FetchEnterpriseContractPolicy

func (c *FakeKubernetesClient) FetchEnterpriseContractPolicy(ctx context.Context, ref string) (*ecc.EnterpriseContractPolicy, error)

func (*FakeKubernetesClient) FetchSnapshot

func (c *FakeKubernetesClient) FetchSnapshot(ctx context.Context, ref string) (*app.Snapshot, error)

type Options

type Options struct {
	EffectiveTime string
	Identity      cosign.Identity
	IgnoreRekor   bool
	PolicyRef     string
	PublicKey     string
	RekorURL      string
}

type Policy

type Policy interface {
	PublicKeyPEM() ([]byte, error)
	CheckOpts() (*cosign.CheckOpts, error)
	WithSpec(spec ecc.EnterpriseContractPolicySpec) Policy
	Spec() ecc.EnterpriseContractPolicySpec
	EffectiveTime() time.Time
	AttestationTime(time.Time)
	Identity() cosign.Identity
	Keyless() bool
	SigstoreOpts() (SigstoreOpts, error)
}

func NewInertPolicy

func NewInertPolicy(ctx context.Context, policyRef string) (Policy, error)

NewInertPolicy constructs and returns a new instance of Policy that doesn't perform strict checks on the consistency of the policy.

The policyRef parameter is expected to be either a JSON-encoded instance of EnterpriseContractPolicySpec, or a reference to the location of the EnterpriseContractPolicy resource in Kubernetes, using the format [namespace/]name.

If policyRef is blank, an empty EnterpriseContractPolicySpec is used.

func NewInputPolicy

func NewInputPolicy(ctx context.Context, policyRef string, effectiveTime string) (Policy, error)

NewInputPolicy constructs and returns a new instance of Policy that doesn't perform strict checks on the consistency of the policy, but can evaluate based on the provided effectiveTime.

The policyRef parameter is expected to be either a YAML/JSON-encoded instance of EnterpriseContractPolicySpec, or a reference to the location of the EnterpriseContractPolicy resource in Kubernetes, using the format [namespace/]name.

If policyRef is blank, an empty EnterpriseContractPolicySpec is used.

func NewOfflinePolicy

func NewOfflinePolicy(ctx context.Context, effectiveTime string) (Policy, error)

NewOfflinePolicy constructs and returns a new instance of Policy for offline scenarios, i.e. without cluster or specific service access, and with no signature verification performed.

func NewPolicy

func NewPolicy(ctx context.Context, opts Options) (Policy, error)

NewPolicy constructs and returns a new instance of Policy.

The policyRef parameter (the PolicyRef field of opts) is expected to be either a JSON-encoded instance of EnterpriseContractPolicySpec, or a reference to the location of the EnterpriseContractPolicy resource in Kubernetes, using the format [namespace/]name.

If policyRef is blank, an empty EnterpriseContractPolicySpec is used.

The rekorUrl and publicKey options provide a mechanism to overwrite the attributes of the same name in the EnterpriseContractPolicySpec.

The public key is resolved as part of object construction; if the public key is, for example, a reference to a Kubernetes resource, the cluster will be contacted.
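The two rules the NewPolicy doc states for policyRef (JSON spec vs. [namespace/]name cluster reference, blank meaning an empty spec) and for the rekorUrl/publicKey overrides, written out as an added example. This is not the package's own code: PolicySpec is a constructed stand-in with only the two overridable attributes, the JSON field names rekorUrl and publicKey are assumed, and the leading-brace check for "is this JSON" is this example's heuristic, not the project's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PolicySpec is a constructed stand-in for the rekorUrl/publicKey attributes
// named in the NewPolicy doc; it is not the real EnterpriseContractPolicySpec.
type PolicySpec struct {
	RekorURL  string `json:"rekorUrl,omitempty"`
	PublicKey string `json:"publicKey,omitempty"`
}

// ClusterRef is the parsed form of a "[namespace/]name" Kubernetes reference.
type ClusterRef struct{ Namespace, Name string }

// ResolvePolicyRef classifies a policyRef as the NewPolicy doc describes: blank
// gives an empty spec, a JSON object is decoded, anything else is a cluster ref.
func ResolvePolicyRef(policyRef string) (*PolicySpec, *ClusterRef, error) {
	ref := strings.TrimSpace(policyRef)
	if ref == "" {
		return &PolicySpec{}, nil, nil
	}
	if strings.HasPrefix(ref, "{") {
		var spec PolicySpec
		if err := json.Unmarshal([]byte(ref), &spec); err != nil {
			return nil, nil, fmt.Errorf("policyRef is not valid JSON: %w", err)
		}
		return &spec, nil, nil
	}
	parts := strings.Split(ref, "/")
	if len(parts) > 2 || parts[0] == "" || parts[len(parts)-1] == "" {
		return nil, nil, fmt.Errorf("policyRef %q is not of the form [namespace/]name", policyRef)
	}
	return nil, &ClusterRef{Namespace: strings.Join(parts[:len(parts)-1], "/"), Name: parts[len(parts)-1]}, nil
}

// ApplyOverrides mirrors the documented rule: non-empty rekorUrl and publicKey
// options overwrite the same-named attributes of the spec.
func ApplyOverrides(spec PolicySpec, rekorURL, publicKey string) PolicySpec {
	if rekorURL != "" {
		spec.RekorURL = rekorURL
	}
	if publicKey != "" {
		spec.PublicKey = publicKey
	}
	return spec
}
```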

func PreProcessPolicy added in v0.6.53

func PreProcessPolicy(ctx context.Context, policyOptions Options) (Policy, *cache.PolicyCache, error)

PreProcessPolicy fetches policy sources and returns a policy object with pinned SHA/image digest URL where applicable, along with a policy cache object.

type SigstoreOpts added in v0.4.0

type SigstoreOpts struct {
	CertificateIdentity         string `json:"certificate_identity"`
	CertificateIdentityRegExp   string `json:"certificate_identity_regexp"`
	CertificateOIDCIssuer       string `json:"certificate_oidc_issuer"`
	CertificateOIDCIssuerRegExp string `json:"certificate_oidc_issuer_regexp"`
	IgnoreRekor                 bool   `json:"ignore_rekor"`
	PublicKey                   string `json:"public_key"`
	RekorURL                    string `json:"rekor_url"`
}
