trustpolicy

package v1.3.1
This package is not in the latest version of its module.
Published: Feb 20, 2025 License: Apache-2.0 Imports: 14 Imported by: 10

Documentation

Overview

Package trustpolicy provides functionality for trust policy documents and trust policy statements.

Index

Constants

This section is empty.

Variables

Functions

This section is empty.

Types

type Document

type Document struct {
	// Version of the policy document
	Version string `json:"version"`

	// TrustPolicies include each policy statement
	TrustPolicies []TrustPolicy `json:"trustPolicies"`
}

Document represents a trustpolicy.json document

func LoadDocument

func LoadDocument() (*Document, error)

LoadDocument retrieves a trust policy document from the local file system.

func (*Document) GetApplicableTrustPolicy

func (policyDoc *Document) GetApplicableTrustPolicy(artifactReference string) (*TrustPolicy, error)

GetApplicableTrustPolicy returns a pointer to a deep copy of the TrustPolicy statement that applies to the given registry scope. If no applicable trust policy is found, it returns an error. See https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#selecting-a-trust-policy-based-on-artifact-uri

func (*Document) Validate

func (policyDoc *Document) Validate() error

Validate validates a policy document according to its version's rule set. If any rule is violated, it returns an error.

type SignatureVerification

type SignatureVerification struct {
	VerificationLevel string                              `json:"level"`
	Override          map[ValidationType]ValidationAction `json:"override,omitempty"`
	VerifyTimestamp   TimestampOption                     `json:"verifyTimestamp,omitempty"`
}

SignatureVerification represents verification configuration in a trust policy

func (*SignatureVerification) GetVerificationLevel

func (signatureVerification *SignatureVerification) GetVerificationLevel() (*VerificationLevel, error)

GetVerificationLevel returns the VerificationLevel struct for the given SignatureVerification struct, or an error if the SignatureVerification is invalid.

type TimestampOption added in v1.2.0

type TimestampOption string

TimestampOption is an enum for timestamp verification options such as Always, AfterCertExpiry.

const (
	// OptionAlways denotes always perform timestamp verification
	OptionAlways TimestampOption = "always"

	// OptionAfterCertExpiry denotes perform timestamp verification only if
	// the signing certificate chain has expired
	OptionAfterCertExpiry TimestampOption = "afterCertExpiry"
)

type TrustPolicy

type TrustPolicy struct {
	// Name of the policy statement
	Name string `json:"name"`

	// RegistryScopes that this policy statement affects
	RegistryScopes []string `json:"registryScopes"`

	// SignatureVerification setting for this policy statement
	SignatureVerification SignatureVerification `json:"signatureVerification"`

	// TrustStores this policy statement uses
	TrustStores []string `json:"trustStores"`

	// TrustedIdentities this policy statement pins
	TrustedIdentities []string `json:"trustedIdentities"`
}

TrustPolicy represents a policy statement in the policy document

type ValidationAction

type ValidationAction string

ValidationAction is an enum for signature verification actions such as Enforced, Logged, Skipped.

const (
	ActionEnforce ValidationAction = "enforce"
	ActionLog     ValidationAction = "log"
	ActionSkip    ValidationAction = "skip"
)

type ValidationType

type ValidationType string

ValidationType is an enum for signature verification types such as Integrity, Authenticity, etc.

const (
	TypeIntegrity          ValidationType = "integrity"
	TypeAuthenticity       ValidationType = "authenticity"
	TypeAuthenticTimestamp ValidationType = "authenticTimestamp"
	TypeExpiry             ValidationType = "expiry"
	TypeRevocation         ValidationType = "revocation"
)

type VerificationLevel

type VerificationLevel struct {
	Name        string
	Enforcement map[ValidationType]ValidationAction
}

VerificationLevel encapsulates the signature verification preset and its actions for each verification type
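How a statement's SignatureVerification override map is combined with a VerificationLevel's Enforcement map, as an added example that is not the package's own code: it mirrors the documented types with their JSON tags, parses a constructed trustpolicy.json with the standard library, and computes the effective action per ValidationType. The "strict" preset (every type enforced), the rule that "integrity" can never be overridden, and the helper names Load and Effective are assumptions taken from the linked spec rather than from this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"maps"
)

type ValidationType string
type ValidationAction string
// Mirrors of the documented types with the same JSON tags (other fields omitted).
type SignatureVerification struct {
	VerificationLevel string                              `json:"level"`
	Override          map[ValidationType]ValidationAction `json:"override,omitempty"`
}
type TrustPolicy struct {
	Name                  string                `json:"name"`
	SignatureVerification SignatureVerification `json:"signatureVerification"`
}
type Document struct {
	TrustPolicies []TrustPolicy `json:"trustPolicies"`
}
// Constructed preset table (assumption: only "strict" is modelled, every type enforced).
var strict = map[ValidationType]ValidationAction{"integrity": "enforce", "authenticity": "enforce",
	"authenticTimestamp": "enforce", "expiry": "enforce", "revocation": "enforce"}
// Constructed trustpolicy.json: one statement only logs revocation failures, the other tries to weaken "integrity".
const policyJSON = `{"version":"1.0","trustPolicies":[
 {"name":"log-revocation","signatureVerification":{"level":"strict","override":{"revocation":"log"}}},
 {"name":"bad-override","signatureVerification":{"level":"strict","override":{"integrity":"skip"}}}]}`
// Load parses the constructed document the way LoadDocument reads trustpolicy.json.
func Load() (*Document, error) {
	doc := &Document{}
	return doc, json.Unmarshal([]byte(policyJSON), doc)
}

// Effective applies a statement's overrides to its preset. Unknown levels, unknown types and
// any override of "integrity" are rejected (integrity rule assumed from the linked spec).
func Effective(sv SignatureVerification) (map[ValidationType]ValidationAction, error) {
	if sv.VerificationLevel != "strict" {
		return nil, fmt.Errorf("unknown verification level %q", sv.VerificationLevel)
	}
	out := maps.Clone(strict) // copy so the shared preset is never mutated
	for k, v := range sv.Override {
		if _, known := out[k]; !known || k == "integrity" {
			return nil, fmt.Errorf("override of %q is not allowed", k)
		}
		out[k] = v
	}
	return out, nil
}
```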
