Variables ¶
var FailedToEvaluateResource = errors.New("Failed to evaluate rule for resource")
FailedToEvaluateResource indicates that an error occurred while evaluating the judgement rule query for the policy for a particular resource.
var FailedToEvaluateRule = errors.New("Failed to evaluate rule")
FailedToEvaluateRule indicates that an error occurred while evaluating the judgement rule for the policy.
var FailedToPrepareForEval = errors.New("Failed to prepare for evaluation")
FailedToPrepareForEval indicates that an error occurred while preparing the judgement rule query for the policy.
var FailedToProcessResults = errors.New("Failed to process results")
FailedToProcessResults indicates that an error occurred while processing the results of the judgement rule query.
var FailedToQueryMetadata = errors.New("Failed to query metadata")
FailedToQueryMetadata indicates that an error occurred while querying the policy's metadata rule.
var FailedToQueryResources = errors.New("Failed to query resources")
FailedToQueryResources indicates that an error occurred while querying the policy's resources rule.
var RegoAPIProvider = data.FSProvider(regoApi, "regoapi")
RegoAPIProvider is a provider for the embedded 'vulnmap' and 'fugue' Rego APIs.
var SupportedInputTypes = input.Types{ input.Any, input.Arm, input.CloudFormation, input.CloudScan, input.Kubernetes, input.TerraformHCL, input.TerraformPlan, input.Terraform, }
SupportedInputTypes contains all of the input types that this package officially supports.
Functions ¶
func Capabilities ¶
func Capabilities() *ast.Capabilities
Capabilities returns a Capabilities that includes the policy engine builtins.
Types ¶
type BasePolicy ¶
type BasePolicy struct {
// contains filtered or unexported fields
}
BasePolicy implements functionality that is shared between different concrete Policy implementations.
func NewBasePolicy ¶
func NewBasePolicy(moduleSet ModuleSet) (*BasePolicy, error)
NewBasePolicy constructs a new BasePolicy. It will return an error if the Module does not contain a recognized Judgement.
func (*BasePolicy) InputType ¶
func (p *BasePolicy) InputType() string
func (*BasePolicy) InputTypeMatches ¶
func (p *BasePolicy) InputTypeMatches(inputType string) bool
func (*BasePolicy) Package ¶
func (p *BasePolicy) Package() string
Package returns the policy's package.
type Builtins ¶
type Builtins struct {
// contains filtered or unexported fields
}
func NewBuiltins ¶
func NewBuiltins( input *models.State, resourcesQuery *ResourcesQueryCache, relations *RelationsCache, ) *Builtins
func (*Builtins) ResourceTypes ¶
type EvalOptions ¶
type EvalOptions struct { RegoState *rego.State Input *models.State RelationsCache *RelationsCache ResourcesQueryCache *ResourcesQueryCache Logger logging.Logger Timeout time.Duration }
type LegacyIaCPolicy ¶
type LegacyIaCPolicy struct {
*BasePolicy
}
func (*LegacyIaCPolicy) Eval ¶
func (p *LegacyIaCPolicy) Eval( ctx context.Context, options EvalOptions, ) ([]models.RuleResults, error)
func (*LegacyIaCPolicy) InputType ¶
func (p *LegacyIaCPolicy) InputType() string
func (*LegacyIaCPolicy) InputTypeMatches ¶
func (p *LegacyIaCPolicy) InputTypeMatches(inputType string) bool
type Metadata ¶
type Metadata struct { ID string `json:"id"` Title string `json:"title"` Description string `json:"description"` Platform []string `json:"platform"` Remediation map[string]string `json:"remediation"` References map[string][]MetadataReference `json:"references"` Category string `json:"category"` Labels []string `json:"labels,omitempty"` ServiceGroup string `json:"service_group"` Controls []string `json:"controls"` Severity string `json:"severity"` Product []string `json:"product"` Kind string `json:"kind"` }
func (Metadata) ReferencesFor ¶
func (m Metadata) ReferencesFor(inputType string) []MetadataReference
func (Metadata) RemediationFor ¶
type MetadataReference ¶
type ModuleSet ¶
ModuleSet is a set of Modules that all share the same package name.
func ExtractModuleSets ¶
func ExtractModuleSets(tree *ast.ModuleTreeNode) []ModuleSet
type MultiResourcePolicy ¶
type MultiResourcePolicy struct { *BasePolicy // contains filtered or unexported fields }
MultiResourcePolicy represents a policy that takes multiple resources as input.
func (*MultiResourcePolicy) Eval ¶
func (p *MultiResourcePolicy) Eval( ctx context.Context, options EvalOptions, ) ([]models.RuleResults, error)
Eval will evaluate the policy on the given input.
type MultiResourceProcessor ¶
type MultiResourceProcessor interface { ProcessValue(ast.Value) error ProcessResource(ast.Value) error Results() []models.RuleResult }
MultiResourceProcessor can turn rego results into the results model we want.
func NewFuguePolicyProcessor ¶
func NewFuguePolicyProcessor(metadata Metadata, defaultRemediation string) MultiResourceProcessor
func NewMultiDenyProcessor ¶
func NewMultiDenyProcessor(metadata Metadata, defaultRemediation string) MultiResourceProcessor
type Policy ¶
type Policy interface { Package() string Metadata(ctx context.Context, state *rego.State) (Metadata, error) ID(ctx context.Context, state *rego.State) (string, error) Eval(ctx context.Context, options EvalOptions) ([]models.RuleResults, error) InputType() string InputTypeMatches(inputType string) bool }
Policy is an interface that supports all of the ways we want to interact with policies.
func PolicyFactory ¶
type ProcessMultiResultSet ¶
type ProcessMultiResultSet func( metadata Metadata, defaultRemediation string, resources map[string]*ruleResultBuilder, ) ([]models.RuleResult, error)
ProcessMultiResultSet functions extract RuleResult models from the ResultSet of multi-resource type rules.
type ResourceKey ¶
ResourceKey is a helper for unique resource identifiers, meant to be used as a key in a `map`.
func RuleResultResourceKey ¶
func RuleResultResourceKey(r models.RuleResultResource) ResourceKey
func (ResourceKey) Correlation ¶
func (k ResourceKey) Correlation() string
func (ResourceKey) Less ¶
func (l ResourceKey) Less(r ResourceKey) bool
type ResourcesQuery ¶
type ResourcesQuery struct { ResourceType string `json:"resource_type" rego:"resource_type"` Scope map[string]string `json:"scope" rego:"scope"` }
ResourcesQuery describes a request for a specific resource type from the given scope. An empty scope is interpreted as the scope of the current input.
type ResourcesQueryCache ¶
type ResourcesQueryCache struct { ResourcesResolver ResourcesResolver // contains filtered or unexported fields }
func NewResourcesQueryCache ¶
func NewResourcesQueryCache(resolver ResourcesResolver) *ResourcesQueryCache
func (*ResourcesQueryCache) ResolveResources ¶
func (q *ResourcesQueryCache) ResolveResources(ctx context.Context, query ResourcesQuery) ([]models.ResourceState, error)
type ResourcesResolver ¶
type ResourcesResolver func(ctx context.Context, req ResourcesQuery) (ResourcesResult, error)
func NewInputResolver ¶
func NewInputResolver(input *models.State) ResourcesResolver
func (ResourcesResolver) And ¶
func (l ResourcesResolver) And(r ResourcesResolver) ResourcesResolver
func (ResourcesResolver) Or ¶
func (l ResourcesResolver) Or(r ResourcesResolver) ResourcesResolver
type ResourcesResult ¶
type ResourcesResult struct { ScopeFound bool Resources []models.ResourceState }
ResourcesResult contains an indication of whether the Scope specified in the ResourcesQuery was found and a slice of resources.
type SingleResourcePolicy ¶
type SingleResourcePolicy struct { *BasePolicy Query string // contains filtered or unexported fields }
SingleResourcePolicy represents a policy that takes a single resource as input.
func (*SingleResourcePolicy) Eval ¶
func (p *SingleResourcePolicy) Eval( ctx context.Context, options EvalOptions, ) ([]models.RuleResults, error)
Eval will evaluate the policy on the given input.
type SingleResourceProcessor ¶
type SingleResourceProcessor interface { Process(ast.Value) error Results() []models.RuleResult }
SingleResourceProcessor can turn rego results into the results model we want.
func NewFugueAllowBooleanProcessor ¶
func NewFugueAllowBooleanProcessor( resource *models.ResourceState, metadata *Metadata, defaultRemediation string, ) SingleResourceProcessor
func NewFugueAllowInfoProcessor ¶
func NewFugueAllowInfoProcessor( resource *models.ResourceState, metadata *Metadata, defaultRemediation string, ) SingleResourceProcessor
func NewFugueDenyBooleanProcessor ¶
func NewFugueDenyBooleanProcessor( resource *models.ResourceState, metadata *Metadata, defaultRemediation string, ) SingleResourceProcessor
func NewSingleDenyProcessor ¶
func NewSingleDenyProcessor( resource *models.ResourceState, metadata *Metadata, defaultRemediation string, ) SingleResourceProcessor