Constants ¶
const (
	// AllowAllConstraint is the wildcard value for a CertConstraint field;
	// presumably any certificate value satisfies a field set to it — confirm
	// in CertConstraint.Check. A policy that uses it accepts a wider set of
	// signers than one naming concrete values.
	AllowAllConstraint = "*"
)

// PolicyPredicate identifies the witness policy document type. It reads as
// the predicate type URI a policy is wrapped under — confirm against the
// code that consumes PolicyPredicate, which is not shown on this page.
const PolicyPredicate = "https://witness.testifysec.com/policy/v0.1"
Functions ¶
func EvaluateRegoPolicy ¶
func EvaluateRegoPolicy(attestor attestation.Attestor, policies []RegoPolicy) error
Types ¶
type Attestation ¶
// Attestation names one attestation type a Step expects to find in a
// collection, together with the rego policies that are evaluated against
// it. StepResult's documentation says a collection only passes when all
// expected attestations exist and any rego policies pass.
type Attestation struct {
	// Type is the attestation type identifier; presumably matched against
	// the attestation types present in a collection during Verify — confirm.
	Type string `json:"type"`
	// RegoPolicies are presumably handed to EvaluateRegoPolicy for this
	// attestation; an ErrPolicyDenied is the deny outcome — confirm.
	RegoPolicies []RegoPolicy `json:"regopolicies"`
}
+kubebuilder:object:generate=true
func (*Attestation) DeepCopy ¶
func (in *Attestation) DeepCopy() *Attestation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestation.
func (*Attestation) DeepCopyInto ¶
func (in *Attestation) DeepCopyInto(out *Attestation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertConstraint ¶
// CertConstraint restricts which x509 signing certificates a Functionary
// accepts; Check evaluates a certificate against these fields using the
// supplied trust bundles. The package constant AllowAllConstraint ("*") is
// presumably the wildcard accepted in place of a concrete value — confirm
// in Check. These fields are what tie a signature to an authorised
// identity, so each one left as a wildcard widens who can satisfy the step.
type CertConstraint struct {
	// CommonName the certificate subject must carry.
	CommonName string `json:"commonname"`
	// DNSNames, Emails, Organizations and URIs are presumably checked
	// against the corresponding subject / subject-alternative-name values
	// of the certificate — confirm in Check.
	DNSNames []string `json:"dnsnames"`
	Emails []string `json:"emails"`
	Organizations []string `json:"organizations"`
	URIs []string `json:"uris"`
	// Roots names the trust bundles the certificate must chain to; these
	// look like keys of the trustBundles map passed to Check, i.e. the IDs
	// used in Policy.Roots — confirm.
	Roots []string `json:"roots"`
	// Extensions holds additional certificate-extension constraints defined
	// by the certificate package.
	Extensions certificate.Extensions `json:"extensions"`
}
+kubebuilder:object:generate=true
func (CertConstraint) Check ¶
func (cc CertConstraint) Check(verifier *cryptoutil.X509Verifier, trustBundles map[string]TrustBundle) error
func (*CertConstraint) DeepCopy ¶
func (in *CertConstraint) DeepCopy() *CertConstraint
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertConstraint.
func (*CertConstraint) DeepCopyInto ¶
func (in *CertConstraint) DeepCopyInto(out *CertConstraint)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ErrArtifactCycle ¶
// ErrArtifactCycle reports that following Step.ArtifactsFrom references
// leads back to a step already visited. The string value is presumably the
// step at which the cycle was detected — confirm in Error.
type ErrArtifactCycle string
func (ErrArtifactCycle) Error ¶
func (e ErrArtifactCycle) Error() string
type ErrConstraintCheckFailed ¶
// ErrConstraintCheckFailed reports that a certificate did not satisfy a
// CertConstraint (see CertConstraint.Check). Its fields are unexported, so
// callers can only inspect it through Error.
type ErrConstraintCheckFailed struct {
	// contains filtered or unexported fields
}
func (ErrConstraintCheckFailed) Error ¶
func (e ErrConstraintCheckFailed) Error() string
type ErrInvalidOption ¶
func (ErrInvalidOption) Error ¶
func (e ErrInvalidOption) Error() string
type ErrKeyIDMismatch ¶
func (ErrKeyIDMismatch) Error ¶
func (e ErrKeyIDMismatch) Error() string
type ErrMismatchArtifact ¶
// ErrMismatchArtifact reports that the two digest sets recorded for the file
// at Path by different steps disagree. Both sets are retained so the
// mismatch can be shown in full. Which step is the producer and which the
// consumer is inferred from the field names only — confirm in Verify.
type ErrMismatchArtifact struct {
	// Artifact is presumably the digest set recorded by the step that
	// produced the file.
	Artifact cryptoutil.DigestSet
	// Material is presumably the digest set recorded by the step that
	// consumed the file.
	Material cryptoutil.DigestSet
	// Path is the file path both digest sets were recorded for.
	Path string
}
func (ErrMismatchArtifact) Error ¶
func (e ErrMismatchArtifact) Error() string
type ErrMissingAttestation ¶
func (ErrMissingAttestation) Error ¶
func (e ErrMissingAttestation) Error() string
type ErrNoCollections ¶ added in v0.4.0
// ErrNoCollections reports that no attestation collections were found for
// the named step, so there was nothing to verify for it.
type ErrNoCollections struct {
	// Step is the name of the step with no collections.
	Step string
}
func (ErrNoCollections) Error ¶ added in v0.4.0
func (e ErrNoCollections) Error() string
type ErrPolicyDenied ¶
// ErrPolicyDenied reports that rego policy evaluation denied an
// attestation. Reasons carries the denial messages; presumably one entry
// per deny produced by EvaluateRegoPolicy — confirm.
type ErrPolicyDenied struct {
	Reasons []string
}
func (ErrPolicyDenied) Error ¶
func (e ErrPolicyDenied) Error() string
type ErrPolicyExpired ¶
func (ErrPolicyExpired) Error ¶
func (e ErrPolicyExpired) Error() string
type ErrRegoInvalidData ¶
func (ErrRegoInvalidData) Error ¶
func (e ErrRegoInvalidData) Error() string
type ErrUnknownStep ¶
// ErrUnknownStep reports a reference to a step name that is not defined in
// Policy.Steps; the string value is the unknown name. Where the reference
// comes from (for example Step.ArtifactsFrom) is not visible on this page.
type ErrUnknownStep string
func (ErrUnknownStep) Error ¶
func (e ErrUnknownStep) Error() string
type ErrVerifyArtifactsFailed ¶ added in v0.4.0
// ErrVerifyArtifactsFailed aggregates the reasons artifact verification
// failed for a step, so that all failures can be reported together rather
// than stopping at the first one (the approach StepResult.Analyze
// describes). ErrMismatchArtifact messages are a likely source — confirm.
type ErrVerifyArtifactsFailed struct {
	Reasons []string
}
func (ErrVerifyArtifactsFailed) Error ¶ added in v0.4.0
func (e ErrVerifyArtifactsFailed) Error() string
type Functionary ¶
// Functionary identifies a party whose signature is accepted for a Step:
// either a certificate satisfying CertConstraint or an embedded policy
// public key referenced by PublicKeyID. Validate checks a signature
// verifier against the functionary using the policy's trust bundles.
type Functionary struct {
	// Type selects how the functionary is identified (certificate or public
	// key); the accepted values are not shown on this page — confirm in
	// Validate.
	Type string `json:"type"`
	// CertConstraint applies when the functionary is identified by an x509
	// certificate.
	CertConstraint CertConstraint `json:"certConstraint,omitempty"`
	// PublicKeyID presumably is a key of Policy.PublicKeys, the ID under
	// which PublicKeyVerifiers returns its verifier; ErrKeyIDMismatch
	// suggests it is also compared with the verifier's own key ID — confirm.
	PublicKeyID string `json:"publickeyid,omitempty"`
}
+kubebuilder:object:generate=true
func (*Functionary) DeepCopy ¶
func (in *Functionary) DeepCopy() *Functionary
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Functionary.
func (*Functionary) DeepCopyInto ¶
func (in *Functionary) DeepCopyInto(out *Functionary)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (Functionary) Validate ¶ added in v0.3.0
func (f Functionary) Validate(verifier cryptoutil.Verifier, trustBundles map[string]TrustBundle) error
type Policy ¶
// Policy is a witness verification policy: the x509 roots, timestamp
// authorities and public keys that are trusted, and the steps whose
// attestations must be present and signed by an allowed Functionary.
// Verify evaluates collected attestations against it and returns a
// StepResult per step.
type Policy struct {
	// Expires is the time after which the policy is no longer valid;
	// ErrPolicyExpired presumably reports verification attempted past this
	// time — confirm in Verify.
	Expires metav1.Time `json:"expires"`
	// Roots maps a root ID to its encoded root certificate and
	// intermediates; TrustBundles returns the parsed bundles grouped by the
	// same ID.
	Roots map[string]Root `json:"roots,omitempty"`
	// TimestampAuthorities maps a timestamp-authority ID to its encoded
	// certificate material; see TimestampAuthorityTrustBundles.
	TimestampAuthorities map[string]Root `json:"timestampauthorities,omitempty"`
	// PublicKeys maps a key ID to an embedded public key; PublicKeyVerifiers
	// returns a cryptoutil.Verifier for each, grouped by that ID.
	PublicKeys map[string]PublicKey `json:"publickeys,omitempty"`
	// Steps maps a step name to its Step definition. The map returned by
	// Verify is presumably keyed by the same names — confirm.
	Steps map[string]Step `json:"steps"`
}
+kubebuilder:object:generate=true
func (*Policy) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
func (*Policy) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (Policy) PublicKeyVerifiers ¶
func (p Policy) PublicKeyVerifiers() (map[string]cryptoutil.Verifier, error)
PublicKeyVerifiers returns verifiers for each of the policy's embedded public keys, grouped by the key's ID.
func (Policy) TimestampAuthorityTrustBundles ¶
func (p Policy) TimestampAuthorityTrustBundles() (map[string]TrustBundle, error)
func (Policy) TrustBundles ¶
func (p Policy) TrustBundles() (map[string]TrustBundle, error)
TrustBundles returns the policy's x509 roots and intermediates, grouped by the root's ID.
func (Policy) Verify ¶
func (p Policy) Verify(ctx context.Context, opts ...VerifyOption) (bool, map[string]StepResult, error)
type PublicKey ¶
+kubebuilder:object:generate=true
func (*PublicKey) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey.
func (*PublicKey) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RegoPolicy ¶
+kubebuilder:object:generate=true
func (*RegoPolicy) DeepCopy ¶
func (in *RegoPolicy) DeepCopy() *RegoPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegoPolicy.
func (*RegoPolicy) DeepCopyInto ¶
func (in *RegoPolicy) DeepCopyInto(out *RegoPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RejectedCollection ¶
// RejectedCollection pairs a collection that failed verification for a step
// with the error explaining why.
type RejectedCollection struct {
	// Collection is the collection that was rejected.
	Collection source.CollectionVerificationResult
	// Reason is the verification error; this package's error types (for
	// example ErrMissingAttestation or ErrPolicyDenied) are likely values —
	// confirm in Verify.
	Reason error
}
type Root ¶
// Root holds the encoded certificate material for one trust root as it
// appears in a policy document. The byte encoding (PEM or DER) is not
// shown on this page; Policy.TrustBundles does the parsing — confirm there.
type Root struct {
	// Certificate is the encoded root certificate.
	Certificate []byte `json:"certificate"`
	// Intermediates are encoded intermediate certificates that chain up to
	// Certificate.
	Intermediates [][]byte `json:"intermediates,omitempty"`
}
+kubebuilder:object:generate=true
func (*Root) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Root.
func (*Root) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Step ¶
// Step describes one step of the supply chain the policy expects evidence
// for: who may sign it, which attestations it must carry, and which earlier
// steps its inputs come from.
type Step struct {
	// Name identifies the step; presumably matches its key in Policy.Steps —
	// confirm.
	Name string `json:"name"`
	// Functionaries are the identities allowed to sign this step's
	// collections.
	Functionaries []Functionary `json:"functionaries"`
	// Attestations are the attestation types that must be present in a
	// collection, each with any rego policies to evaluate against it.
	Attestations []Attestation `json:"attestations"`
	// ArtifactsFrom names other steps whose recorded artifacts this step's
	// materials are compared against; ErrArtifactCycle, ErrUnknownStep and
	// ErrMismatchArtifact are the related failures. Presumed semantics —
	// confirm in Verify.
	ArtifactsFrom []string `json:"artifactsFrom,omitempty"`
}
+kubebuilder:object:generate=true
func (*Step) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Step.
func (*Step) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type StepResult ¶
// StepResult contains information about the verified collections for one
// step. Passed holds the collections for which all expected attestations
// exist and any rego policies passed; Rejected holds the collections that
// were rejected, each with the error that caused it. Analyze reports
// whether the step as a whole passed.
type StepResult struct {
	// Step is the name of the step these results belong to.
	Step string
	// Passed are the collections that satisfied the step.
	Passed []source.CollectionVerificationResult
	// Rejected are the collections that did not, each with its reason.
	Rejected []RejectedCollection
}
StepResult contains information about the verified collections for each step. Passed contains the collections for which all expected attestations exist and any rego policies passed. Rejected contains the rejected collections together with the error that caused each rejection.
func (StepResult) Analyze ¶ added in v0.4.0
func (r StepResult) Analyze() bool
Analyze inspects the StepResult to determine whether the step passed or failed. Failure reasons are collected rather than returned at the first point of failure in the verification flow, so that all of them can be presented at the end of the verification process.
func (StepResult) Error ¶
func (r StepResult) Error() string
func (StepResult) HasErrors ¶
func (r StepResult) HasErrors() bool
func (StepResult) HasPassed ¶
func (r StepResult) HasPassed() bool
type TrustBundle ¶
// TrustBundle is a parsed trust root: the root certificate and any
// intermediates a signing certificate may chain through. Policy.TrustBundles
// and Policy.TimestampAuthorityTrustBundles produce these from the encoded
// Root material, keyed by the root's ID.
type TrustBundle struct {
	// Root is the parsed root certificate.
	Root *x509.Certificate
	// Intermediates are the parsed intermediate certificates for this root.
	Intermediates []*x509.Certificate
}
type VerifyOption ¶
// VerifyOption configures Policy.Verify. Options are built with the With*
// constructors (WithSearchDepth, WithSubjectDigests, WithVerifiedSource)
// and mutate the unexported verifyOptions.
type VerifyOption func(*verifyOptions)
func WithSearchDepth ¶
func WithSearchDepth(depth int) VerifyOption
func WithSubjectDigests ¶
func WithSubjectDigests(subjectDigests []string) VerifyOption
func WithVerifiedSource ¶
func WithVerifiedSource(verifiedSource source.VerifiedSourcer) VerifyOption