bundle

package
v0.22.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 16, 2020 License: Apache-2.0 Imports: 35 Imported by: 95

Documentation

Overview

Package bundle implements bundle loading.

Package bundle provide helpers that assist in creating the verification and signing key configuration

Package bundle provide helpers that assist in the creating a signed bundle

Package bundle provide helpers that assist in the bundle signature verification process

Index

Constants

View Source
const (
	RegoExt        = ".rego"
	WasmFile       = "/policy.wasm"
	ManifestExt    = ".manifest"
	SignaturesFile = "signatures.json"

	BundleLimitBytes = (1024 * 1024 * 1024) + 1 // limit bundle reads to 1GB to protect against gzip bombs
)

Common file extensions and file names.

Variables

This section is empty.

Functions

func Activate added in v0.14.0

func Activate(opts *ActivateOpts) error

Activate the bundle(s) by loading into the given Store. This will load policies, data, and record the manifest in storage. The compiler provided will have had the polices compiled on it.

func ActivateLegacy added in v0.14.0

func ActivateLegacy(opts *ActivateOpts) error

ActivateLegacy calls Activate for the bundles but will also write their manifest to the older unnamed store location. Deprecated: Use Activate with named bundles instead.

func Deactivate added in v0.14.0

func Deactivate(opts *DeactivateOpts) error

Deactivate the bundle(s). This will erase associated data, policies, and the manifest entry from the store.

func EraseManifestFromStore added in v0.13.0

func EraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) error

EraseManifestFromStore will remove the manifest from storage. This function is called when the bundle is deactivated.

func GenerateSignedToken added in v0.22.0

func GenerateSignedToken(files []FileInfo, sc *SigningConfig, keyID string) (string, error)

GenerateSignedToken generates a signed token given the list of files to be included in the payload and the bundle signing config. The keyID if non-empty, represents the value for the "keyid" claim in the token

func IsStructuredDoc added in v0.22.0

func IsStructuredDoc(name string) bool

IsStructuredDoc checks if the file name equals a structured file extension ex. ".json"

func LegacyEraseManifestFromStore added in v0.13.0

func LegacyEraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) error

LegacyEraseManifestFromStore will erase the bundle manifest from the older single (unnamed) bundle manifest location. Deprecated: Use WriteManifestToStore and named bundles instead.

func LegacyReadRevisionFromStore added in v0.13.0

func LegacyReadRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) (string, error)

LegacyReadRevisionFromStore will read the bundle manifest revision from the older single (unnamed) bundle manifest location. Deprecated: Use ReadBundleRevisionFromStore and named bundles instead.

func LegacyWriteManifestToStore added in v0.13.0

func LegacyWriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, manifest Manifest) error

LegacyWriteManifestToStore will write the bundle manifest to the older single (unnamed) bundle manifest location. Deprecated: Use WriteManifestToStore and named bundles instead.

func ManifestStoragePath added in v0.13.0

func ManifestStoragePath(name string) storage.Path

ManifestStoragePath is the storage path used for the given named bundle manifest.

func ParseKeysConfig added in v0.22.0

func ParseKeysConfig(raw json.RawMessage) (map[string]*KeyConfig, error)

ParseKeysConfig returns a map containing the public key and the signing algorithm

func ReadBundleNamesFromStore added in v0.13.0

func ReadBundleNamesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) ([]string, error)

ReadBundleNamesFromStore will return a list of bundle names which have had their metadata stored.

func ReadBundleRevisionFromStore added in v0.13.0

func ReadBundleRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (string, error)

ReadBundleRevisionFromStore returns the revision in the specified bundle. If the bundle is not activated, this function will return storage NotFound error.

func ReadBundleRootsFromStore added in v0.13.0

func ReadBundleRootsFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) ([]string, error)

ReadBundleRootsFromStore returns the roots in the specified bundle. If the bundle is not activated, this function will return storage NotFound error.

func RootPathsContain added in v0.20.0

func RootPathsContain(roots []string, path string) bool

RootPathsContain takes a set of bundle root paths and returns true if the path is contained.

func RootPathsOverlap added in v0.14.0

func RootPathsOverlap(pathA string, pathB string) bool

RootPathsOverlap takes in two bundle root paths and returns true if they overlap.

func VerifyBundleFile added in v0.22.0

func VerifyBundleFile(path string, data bytes.Buffer, files map[string]FileInfo) error

VerifyBundleFile verifies the hash of a file in the bundle matches to that provided in the bundle's signature

func VerifyBundleSignature added in v0.22.0

func VerifyBundleSignature(sc SignaturesConfig, bvc *VerificationConfig) (map[string]FileInfo, error)

VerifyBundleSignature verifies the bundle signature using the given public keys or secret. If a signature is verified, it keeps track of the files specified in the JWT payload

func Write

func Write(w io.Writer, bundle Bundle) error

Write is deprecated. Use NewWriter instead.

func WriteManifestToStore added in v0.13.0

func WriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string, manifest Manifest) error

WriteManifestToStore will write the manifest into the storage. This function is called when the bundle is activated.

Types

type ActivateOpts added in v0.14.0

type ActivateOpts struct {
	Ctx          context.Context
	Store        storage.Store
	Txn          storage.Transaction
	Compiler     *ast.Compiler
	Metrics      metrics.Metrics
	Bundles      map[string]*Bundle     // Optional
	ExtraModules map[string]*ast.Module // Optional
	// contains filtered or unexported fields
}

ActivateOpts defines options for the Activate API call.

type Bundle

type Bundle struct {
	Signatures SignaturesConfig
	Manifest   Manifest
	Data       map[string]interface{}
	Modules    []ModuleFile
	Wasm       []byte
}

Bundle represents a loaded bundle. The bundle can contain data and policies.

func Merge added in v0.20.0

func Merge(bundles []*Bundle) (*Bundle, error)

Merge accepts a set of bundles and merges them into a single result bundle. If there are any conflicts during the merge (e.g., with roots) an error is returned. The result bundle will have an empty revision except in the special case where a single bundle is provided (and in that case the bundle is just returned unmodified.) Merge currently returns an error if multiple bundles are provided and any of those bundles contain wasm modules (because wasm module merging is not implemented.)

func (Bundle) Copy added in v0.20.0

func (b Bundle) Copy() Bundle

Copy returns a deep copy of the bundle.

func (Bundle) Equal

func (b Bundle) Equal(other Bundle) bool

Equal returns true if this bundle's contents equal the other bundle's contents.

func (*Bundle) FormatModules added in v0.22.0

func (b *Bundle) FormatModules(useModulePath bool) error

FormatModules formats Rego modules

func (*Bundle) GenerateSignature added in v0.22.0

func (b *Bundle) GenerateSignature(signingConfig *SigningConfig, keyID string, useModulePath bool) error

GenerateSignature generates the signature for the given bundle.

func (*Bundle) ParsedModules added in v0.14.0

func (b *Bundle) ParsedModules(bundleName string) map[string]*ast.Module

ParsedModules returns a map of parsed modules with names that are unique and human readable for the given a bundle name.

type DeactivateOpts added in v0.14.0

type DeactivateOpts struct {
	Ctx         context.Context
	Store       storage.Store
	Txn         storage.Transaction
	BundleNames map[string]struct{}
}

DeactivateOpts defines options for the Deactivate API call

type DecodedSignature added in v0.22.0

type DecodedSignature struct {
	Files    []FileInfo `json:"files"`
	KeyID    string     `json:"keyid"`
	Scope    string     `json:"scope"`
	IssuedAt int64      `json:"iat"`
	Issuer   string     `json:"iss"`
}

DecodedSignature represents the decoded JWT payload.

type Descriptor added in v0.15.1

type Descriptor struct {
	// contains filtered or unexported fields
}

Descriptor contains information about a file and can be used to read the file contents.

func (*Descriptor) Close added in v0.15.1

func (d *Descriptor) Close() error

Close the file, on some Loader implementations this might be a no-op. It should *always* be called regardless of file.

func (*Descriptor) Path added in v0.15.1

func (d *Descriptor) Path() string

Path returns the path of the file.

func (*Descriptor) Read added in v0.15.1

func (d *Descriptor) Read(dest io.Writer, n int64) (int64, error)

Read will read all the contents from the file the Descriptor refers to into the dest writer up n bytes. Will return an io.EOF error if EOF is encountered before n bytes are read.

func (*Descriptor) URL added in v0.20.0

func (d *Descriptor) URL() string

URL returns the url of the file.

type DirectoryLoader added in v0.15.1

type DirectoryLoader interface {
	// NextFile must return io.EOF if there is no next value. The returned
	// descriptor should *always* be closed when no longer needed.
	NextFile() (*Descriptor, error)
}

DirectoryLoader defines an interface which can be used to load files from a directory by iterating over each one in the tree.

func NewDirectoryLoader added in v0.15.1

func NewDirectoryLoader(root string) DirectoryLoader

NewDirectoryLoader returns a basic DirectoryLoader implementation that will load files from a given root directory path.

func NewTarballLoader added in v0.15.1

func NewTarballLoader(r io.Reader) DirectoryLoader

NewTarballLoader is deprecated. Use NewTarballLoaderWithBaseURL instead.

func NewTarballLoaderWithBaseURL added in v0.20.0

func NewTarballLoaderWithBaseURL(r io.Reader, baseURL string) DirectoryLoader

NewTarballLoaderWithBaseURL returns a new DirectoryLoader that reads files out of a gzipped tar archive. The file URLs will be prefixed with the baseURL.

type FileInfo added in v0.22.0

type FileInfo struct {
	Name      string `json:"name"`
	Hash      string `json:"hash"`
	Algorithm string `json:"algorithm"`
}

FileInfo contains the hashing algorithm used, resulting digest etc.

func NewFile added in v0.22.0

func NewFile(name, hash, alg string) FileInfo

NewFile returns a new FileInfo.

type HashingAlgorithm added in v0.22.0

type HashingAlgorithm string

HashingAlgorithm represents a subset of hashing algorithms implemented in Go

const (
	MD5       HashingAlgorithm = "MD5"
	SHA1      HashingAlgorithm = "SHA-1"
	SHA224    HashingAlgorithm = "SHA-224"
	SHA256    HashingAlgorithm = "SHA-256"
	SHA384    HashingAlgorithm = "SHA-384"
	SHA512    HashingAlgorithm = "SHA-512"
	SHA512224 HashingAlgorithm = "SHA-512-224"
	SHA512256 HashingAlgorithm = "SHA-512-256"
)

Supported values for HashingAlgorithm

func (HashingAlgorithm) String added in v0.22.0

func (alg HashingAlgorithm) String() string

String returns the string representation of a HashingAlgorithm

type KeyConfig added in v0.22.0

type KeyConfig struct {
	Key       string `json:"key"`
	Algorithm string `json:"algorithm"`
	Scope     string `json:"scope"`
}

KeyConfig holds the actual public keys used to verify a signed bundle

func NewKeyConfig added in v0.22.0

func NewKeyConfig(key, alg, scope string) *KeyConfig

NewKeyConfig return a new KeyConfig

func (*KeyConfig) Equal added in v0.22.0

func (k *KeyConfig) Equal(other *KeyConfig) bool

Equal returns true if this key config is equal to the other.

type Manifest

type Manifest struct {
	Revision string    `json:"revision"`
	Roots    *[]string `json:"roots,omitempty"`
}

Manifest represents the manifest from a bundle. The manifest may contain metadata such as the bundle revision.

func (*Manifest) AddRoot added in v0.20.0

func (m *Manifest) AddRoot(r string)

AddRoot adds r to the roots of m. This function is idempotent.

func (Manifest) Copy added in v0.20.0

func (m Manifest) Copy() Manifest

Copy returns a deep copy of the manifest.

func (Manifest) Equal added in v0.20.0

func (m Manifest) Equal(other Manifest) bool

Equal returns true if m is semantically equivalent to other.

func (*Manifest) Init added in v0.10.4

func (m *Manifest) Init()

Init initializes the manifest. If you instantiate a manifest manually, call Init to ensure that the roots are set properly.

func (Manifest) String added in v0.20.0

func (m Manifest) String() string

type ModuleFile

type ModuleFile struct {
	URL    string
	Path   string
	Raw    []byte
	Parsed *ast.Module
}

ModuleFile represents a single module contained a bundle.

type Reader added in v0.10.2

type Reader struct {
	// contains filtered or unexported fields
}

Reader contains the reader to load the bundle from.

func NewCustomReader added in v0.14.0

func NewCustomReader(loader DirectoryLoader) *Reader

NewCustomReader returns a new Reader configured to use the specified DirectoryLoader.

func NewReader added in v0.10.2

func NewReader(r io.Reader) *Reader

NewReader is deprecated. Use NewCustomReader instead.

func (*Reader) IncludeManifestInData added in v0.10.2

func (r *Reader) IncludeManifestInData(includeManifestInData bool) *Reader

IncludeManifestInData sets whether the manifest metadata should be included in the bundle's data.

func (*Reader) Read added in v0.10.2

func (r *Reader) Read() (Bundle, error)

Read returns a new Bundle loaded from the reader.

func (*Reader) WithBaseDir added in v0.16.0

func (r *Reader) WithBaseDir(dir string) *Reader

WithBaseDir sets a base directory for file paths of loaded Rego modules. This will *NOT* affect the loaded path of data files.

func (*Reader) WithBundleVerificationConfig added in v0.22.0

func (r *Reader) WithBundleVerificationConfig(config *VerificationConfig) *Reader

WithBundleVerificationConfig sets the key configuration used to verify a signed bundle

func (*Reader) WithMetrics added in v0.16.0

func (r *Reader) WithMetrics(m metrics.Metrics) *Reader

WithMetrics sets the metrics object to be used while loading bundles

func (*Reader) WithSkipBundleVerification added in v0.22.0

func (r *Reader) WithSkipBundleVerification(skipVerify bool) *Reader

WithSkipBundleVerification skips verification of a signed bundle

type SignatureHasher added in v0.22.0

type SignatureHasher interface {
	HashFile(v interface{}) ([]byte, error)
}

SignatureHasher computes a signature digest for a file with (structured or unstructured) data and policy

func NewSignatureHasher added in v0.22.0

func NewSignatureHasher(alg HashingAlgorithm) (SignatureHasher, error)

NewSignatureHasher returns a signature hasher suitable for a particular hashing algorithm

type SignaturesConfig added in v0.22.0

type SignaturesConfig struct {
	Signatures []string `json:"signatures,omitempty"`
}

SignaturesConfig represents an array of JWTs that encapsulate the signatures for the bundle.

type SigningConfig added in v0.22.0

type SigningConfig struct {
	Key        string
	Algorithm  string
	ClaimsPath string
}

SigningConfig represents the key configuration used to generate a signed bundle

func NewSigningConfig added in v0.22.0

func NewSigningConfig(key, alg, claimsPath string) *SigningConfig

NewSigningConfig return a new SigningConfig

func (*SigningConfig) GetClaims added in v0.22.0

func (s *SigningConfig) GetClaims() (map[string]interface{}, error)

GetClaims returns the claims by reading the file specified in the signing config

func (*SigningConfig) GetPrivateKey added in v0.22.0

func (s *SigningConfig) GetPrivateKey() (interface{}, error)

GetPrivateKey returns the private key or secret from the signing config

type VerificationConfig added in v0.22.0

type VerificationConfig struct {
	PublicKeys map[string]*KeyConfig
	KeyID      string   `json:"keyid"`
	Scope      string   `json:"scope"`
	Exclude    []string `json:"exclude_files"`
}

VerificationConfig represents the key configuration used to verify a signed bundle

func NewVerificationConfig added in v0.22.0

func NewVerificationConfig(keys map[string]*KeyConfig, id, scope string, exclude []string) *VerificationConfig

NewVerificationConfig return a new VerificationConfig

func (*VerificationConfig) GetPublicKey added in v0.22.0

func (vc *VerificationConfig) GetPublicKey(id string) (*KeyConfig, error)

GetPublicKey returns the public key corresponding to the given key id

func (*VerificationConfig) ValidateAndInjectDefaults added in v0.22.0

func (vc *VerificationConfig) ValidateAndInjectDefaults(keys map[string]*KeyConfig) error

ValidateAndInjectDefaults validates the config and inserts default values

type Writer added in v0.20.0

type Writer struct {
	// contains filtered or unexported fields
}

Writer implements bundle serialization.

func NewWriter added in v0.20.0

func NewWriter(w io.Writer) *Writer

NewWriter returns a bundle writer that writes to w.

func (*Writer) DisableFormat added in v0.20.0

func (w *Writer) DisableFormat(yes bool) *Writer

DisableFormat configures the writer to just write out raw bytes instead of formatting modules before serialization.

func (*Writer) UseModulePath added in v0.20.0

func (w *Writer) UseModulePath(yes bool) *Writer

UseModulePath configures the writer to use the module file path instead of the module file URL during serialization. This is for backwards compatibility.

func (*Writer) Write added in v0.20.0

func (w *Writer) Write(bundle Bundle) error

Write writes the bundle to the writer's output stream.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL