Documentation ¶
Overview ¶
Package bundle implements bundle loading.
Package bundle provide helpers that assist in creating the verification and signing key configuration ¶
Package bundle provide helpers that assist in the creating a signed bundle ¶
Package bundle provide helpers that assist in the bundle signature verification process
Index ¶
- Constants
- Variables
- func Activate(opts *ActivateOpts) error
- func ActivateLegacy(opts *ActivateOpts) error
- func Deactivate(opts *DeactivateOpts) error
- func EraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) error
- func GenerateSignedToken(files []FileInfo, sc *SigningConfig, keyID string) (string, error)
- func IsStructuredDoc(name string) bool
- func LegacyEraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) error
- func LegacyReadRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) (string, error)
- func LegacyWriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, ...) error
- func ManifestStoragePath(name string) storage.Path
- func ParseKeysConfig(raw json.RawMessage) (map[string]*KeyConfig, error)
- func ReadBundleNamesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) ([]string, error)
- func ReadBundleRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (string, error)
- func ReadBundleRootsFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) ([]string, error)
- func ReadWasmModulesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (map[string][]byte, error)
- func RootPathsContain(roots []string, path string) bool
- func RootPathsOverlap(pathA string, pathB string) bool
- func VerifyBundleFile(path string, data bytes.Buffer, files map[string]FileInfo) error
- func VerifyBundleSignature(sc SignaturesConfig, bvc *VerificationConfig) (map[string]FileInfo, error)
- func Write(w io.Writer, bundle Bundle) error
- func WriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string, ...) error
- type ActivateOpts
- type Bundle
- func (b Bundle) Copy() Bundle
- func (b Bundle) Equal(other Bundle) bool
- func (b *Bundle) FormatModules(useModulePath bool) error
- func (b *Bundle) GenerateSignature(signingConfig *SigningConfig, keyID string, useModulePath bool) error
- func (b *Bundle) ParsedModules(bundleName string) map[string]*ast.Module
- type DeactivateOpts
- type DecodedSignature
- type Descriptor
- type DirectoryLoader
- type FileInfo
- type HashingAlgorithm
- type KeyConfig
- type Manifest
- type ModuleFile
- type Reader
- func (r *Reader) IncludeManifestInData(includeManifestInData bool) *Reader
- func (r *Reader) Read() (Bundle, error)
- func (r *Reader) WithBaseDir(dir string) *Reader
- func (r *Reader) WithBundleVerificationConfig(config *VerificationConfig) *Reader
- func (r *Reader) WithMetrics(m metrics.Metrics) *Reader
- func (r *Reader) WithSizeLimitBytes(n int64) *Reader
- func (r *Reader) WithSkipBundleVerification(skipVerify bool) *Reader
- type SignatureHasher
- type SignaturesConfig
- type SigningConfig
- type VerificationConfig
- type WasmModuleFile
- type WasmResolver
- type Writer
Constants ¶
const ( RegoExt = ".rego" WasmFile = "policy.wasm" ManifestExt = ".manifest" SignaturesFile = "signatures.json" DefaultSizeLimitBytes = (1024 * 1024 * 1024) // limit bundle reads to 1GB to protect against gzip bombs )
Common file extensions and file names.
Variables ¶
var BundlesBasePath = storage.MustParsePath("/system/bundles")
BundlesBasePath is the storage path used for storing bundle metadata
Functions ¶
func Activate ¶ added in v0.14.0
func Activate(opts *ActivateOpts) error
Activate the bundle(s) by loading into the given Store. This will load policies, data, and record the manifest in storage. The compiler provided will have had the polices compiled on it.
func ActivateLegacy ¶ added in v0.14.0
func ActivateLegacy(opts *ActivateOpts) error
ActivateLegacy calls Activate for the bundles but will also write their manifest to the older unnamed store location. Deprecated: Use Activate with named bundles instead.
func Deactivate ¶ added in v0.14.0
func Deactivate(opts *DeactivateOpts) error
Deactivate the bundle(s). This will erase associated data, policies, and the manifest entry from the store.
func EraseManifestFromStore ¶ added in v0.13.0
func EraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) error
EraseManifestFromStore will remove the manifest from storage. This function is called when the bundle is deactivated.
func GenerateSignedToken ¶ added in v0.22.0
func GenerateSignedToken(files []FileInfo, sc *SigningConfig, keyID string) (string, error)
GenerateSignedToken generates a signed token given the list of files to be included in the payload and the bundle signing config. The keyID if non-empty, represents the value for the "keyid" claim in the token
func IsStructuredDoc ¶ added in v0.22.0
IsStructuredDoc checks if the file name equals a structured file extension ex. ".json"
func LegacyEraseManifestFromStore ¶ added in v0.13.0
func LegacyEraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) error
LegacyEraseManifestFromStore will erase the bundle manifest from the older single (unnamed) bundle manifest location. Deprecated: Use WriteManifestToStore and named bundles instead.
func LegacyReadRevisionFromStore ¶ added in v0.13.0
func LegacyReadRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) (string, error)
LegacyReadRevisionFromStore will read the bundle manifest revision from the older single (unnamed) bundle manifest location. Deprecated: Use ReadBundleRevisionFromStore and named bundles instead.
func LegacyWriteManifestToStore ¶ added in v0.13.0
func LegacyWriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, manifest Manifest) error
LegacyWriteManifestToStore will write the bundle manifest to the older single (unnamed) bundle manifest location. Deprecated: Use WriteManifestToStore and named bundles instead.
func ManifestStoragePath ¶ added in v0.13.0
ManifestStoragePath is the storage path used for the given named bundle manifest.
func ParseKeysConfig ¶ added in v0.22.0
func ParseKeysConfig(raw json.RawMessage) (map[string]*KeyConfig, error)
ParseKeysConfig returns a map containing the public key and the signing algorithm
func ReadBundleNamesFromStore ¶ added in v0.13.0
func ReadBundleNamesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) ([]string, error)
ReadBundleNamesFromStore will return a list of bundle names which have had their metadata stored.
func ReadBundleRevisionFromStore ¶ added in v0.13.0
func ReadBundleRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (string, error)
ReadBundleRevisionFromStore returns the revision in the specified bundle. If the bundle is not activated, this function will return storage NotFound error.
func ReadBundleRootsFromStore ¶ added in v0.13.0
func ReadBundleRootsFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) ([]string, error)
ReadBundleRootsFromStore returns the roots in the specified bundle. If the bundle is not activated, this function will return storage NotFound error.
func ReadWasmModulesFromStore ¶ added in v0.25.0
func ReadWasmModulesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (map[string][]byte, error)
ReadWasmModulesFromStore will write Wasm module resolver metadata from the store.
func RootPathsContain ¶ added in v0.20.0
RootPathsContain takes a set of bundle root paths and returns true if the path is contained.
func RootPathsOverlap ¶ added in v0.14.0
RootPathsOverlap takes in two bundle root paths and returns true if they overlap.
func VerifyBundleFile ¶ added in v0.22.0
VerifyBundleFile verifies the hash of a file in the bundle matches to that provided in the bundle's signature
func VerifyBundleSignature ¶ added in v0.22.0
func VerifyBundleSignature(sc SignaturesConfig, bvc *VerificationConfig) (map[string]FileInfo, error)
VerifyBundleSignature verifies the bundle signature using the given public keys or secret. If a signature is verified, it keeps track of the files specified in the JWT payload
Types ¶
type ActivateOpts ¶ added in v0.14.0
type ActivateOpts struct { Ctx context.Context Store storage.Store Txn storage.Transaction TxnCtx *storage.Context Compiler *ast.Compiler Metrics metrics.Metrics Bundles map[string]*Bundle // Optional ExtraModules map[string]*ast.Module // Optional // contains filtered or unexported fields }
ActivateOpts defines options for the Activate API call.
type Bundle ¶
type Bundle struct { Signatures SignaturesConfig Manifest Manifest Data map[string]interface{} Modules []ModuleFile Wasm []byte // Deprecated. Use WasmModules instead WasmModules []WasmModuleFile }
Bundle represents a loaded bundle. The bundle can contain data and policies.
func Merge ¶ added in v0.20.0
Merge accepts a set of bundles and merges them into a single result bundle. If there are any conflicts during the merge (e.g., with roots) an error is returned. The result bundle will have an empty revision except in the special case where a single bundle is provided (and in that case the bundle is just returned unmodified.)
func (Bundle) Equal ¶
Equal returns true if this bundle's contents equal the other bundle's contents.
func (*Bundle) FormatModules ¶ added in v0.22.0
FormatModules formats Rego modules
func (*Bundle) GenerateSignature ¶ added in v0.22.0
func (b *Bundle) GenerateSignature(signingConfig *SigningConfig, keyID string, useModulePath bool) error
GenerateSignature generates the signature for the given bundle.
type DeactivateOpts ¶ added in v0.14.0
type DeactivateOpts struct { Ctx context.Context Store storage.Store Txn storage.Transaction BundleNames map[string]struct{} }
DeactivateOpts defines options for the Deactivate API call
type DecodedSignature ¶ added in v0.22.0
type DecodedSignature struct { Files []FileInfo `json:"files"` KeyID string `json:"keyid"` // Deprecated, use kid in the JWT header instead. Scope string `json:"scope"` IssuedAt int64 `json:"iat"` Issuer string `json:"iss"` }
DecodedSignature represents the decoded JWT payload.
type Descriptor ¶ added in v0.15.1
type Descriptor struct {
// contains filtered or unexported fields
}
Descriptor contains information about a file and can be used to read the file contents.
func (*Descriptor) Close ¶ added in v0.15.1
func (d *Descriptor) Close() error
Close the file, on some Loader implementations this might be a no-op. It should *always* be called regardless of file.
func (*Descriptor) Path ¶ added in v0.15.1
func (d *Descriptor) Path() string
Path returns the path of the file.
func (*Descriptor) Read ¶ added in v0.15.1
Read will read all the contents from the file the Descriptor refers to into the dest writer up n bytes. Will return an io.EOF error if EOF is encountered before n bytes are read.
func (*Descriptor) URL ¶ added in v0.20.0
func (d *Descriptor) URL() string
URL returns the url of the file.
type DirectoryLoader ¶ added in v0.15.1
type DirectoryLoader interface { // NextFile must return io.EOF if there is no next value. The returned // descriptor should *always* be closed when no longer needed. NextFile() (*Descriptor, error) }
DirectoryLoader defines an interface which can be used to load files from a directory by iterating over each one in the tree.
func NewDirectoryLoader ¶ added in v0.15.1
func NewDirectoryLoader(root string) DirectoryLoader
NewDirectoryLoader returns a basic DirectoryLoader implementation that will load files from a given root directory path.
func NewTarballLoader ¶ added in v0.15.1
func NewTarballLoader(r io.Reader) DirectoryLoader
NewTarballLoader is deprecated. Use NewTarballLoaderWithBaseURL instead.
func NewTarballLoaderWithBaseURL ¶ added in v0.20.0
func NewTarballLoaderWithBaseURL(r io.Reader, baseURL string) DirectoryLoader
NewTarballLoaderWithBaseURL returns a new DirectoryLoader that reads files out of a gzipped tar archive. The file URLs will be prefixed with the baseURL.
type FileInfo ¶ added in v0.22.0
type FileInfo struct { Name string `json:"name"` Hash string `json:"hash"` Algorithm string `json:"algorithm"` }
FileInfo contains the hashing algorithm used, resulting digest etc.
type HashingAlgorithm ¶ added in v0.22.0
type HashingAlgorithm string
HashingAlgorithm represents a subset of hashing algorithms implemented in Go
const ( MD5 HashingAlgorithm = "MD5" SHA1 HashingAlgorithm = "SHA-1" SHA224 HashingAlgorithm = "SHA-224" SHA256 HashingAlgorithm = "SHA-256" SHA384 HashingAlgorithm = "SHA-384" SHA512 HashingAlgorithm = "SHA-512" SHA512224 HashingAlgorithm = "SHA-512-224" SHA512256 HashingAlgorithm = "SHA-512-256" )
Supported values for HashingAlgorithm
func (HashingAlgorithm) String ¶ added in v0.22.0
func (alg HashingAlgorithm) String() string
String returns the string representation of a HashingAlgorithm
type KeyConfig ¶ added in v0.22.0
type KeyConfig struct { Key string `json:"key"` Algorithm string `json:"algorithm"` Scope string `json:"scope"` }
KeyConfig holds the actual public keys used to verify a signed bundle
func NewKeyConfig ¶ added in v0.22.0
NewKeyConfig return a new KeyConfig
type Manifest ¶
type Manifest struct { Revision string `json:"revision"` Roots *[]string `json:"roots,omitempty"` WasmResolvers []WasmResolver `json:"wasm,omitempty"` }
Manifest represents the manifest from a bundle. The manifest may contain metadata such as the bundle revision.
func (*Manifest) AddRoot ¶ added in v0.20.0
AddRoot adds r to the roots of m. This function is idempotent.
func (Manifest) Equal ¶ added in v0.20.0
Equal returns true if m is semantically equivalent to other.
type ModuleFile ¶
ModuleFile represents a single module contained in a bundle.
type Reader ¶ added in v0.10.2
type Reader struct {
// contains filtered or unexported fields
}
Reader contains the reader to load the bundle from.
func NewCustomReader ¶ added in v0.14.0
func NewCustomReader(loader DirectoryLoader) *Reader
NewCustomReader returns a new Reader configured to use the specified DirectoryLoader.
func (*Reader) IncludeManifestInData ¶ added in v0.10.2
IncludeManifestInData sets whether the manifest metadata should be included in the bundle's data.
func (*Reader) WithBaseDir ¶ added in v0.16.0
WithBaseDir sets a base directory for file paths of loaded Rego modules. This will *NOT* affect the loaded path of data files.
func (*Reader) WithBundleVerificationConfig ¶ added in v0.22.0
func (r *Reader) WithBundleVerificationConfig(config *VerificationConfig) *Reader
WithBundleVerificationConfig sets the key configuration used to verify a signed bundle
func (*Reader) WithMetrics ¶ added in v0.16.0
WithMetrics sets the metrics object to be used while loading bundles
func (*Reader) WithSizeLimitBytes ¶ added in v0.25.0
WithSizeLimitBytes sets the size limit to apply to files in the bundle. If files are larger than this, an error will be returned by the reader.
func (*Reader) WithSkipBundleVerification ¶ added in v0.22.0
WithSkipBundleVerification skips verification of a signed bundle
type SignatureHasher ¶ added in v0.22.0
SignatureHasher computes a signature digest for a file with (structured or unstructured) data and policy
func NewSignatureHasher ¶ added in v0.22.0
func NewSignatureHasher(alg HashingAlgorithm) (SignatureHasher, error)
NewSignatureHasher returns a signature hasher suitable for a particular hashing algorithm
type SignaturesConfig ¶ added in v0.22.0
type SignaturesConfig struct {
Signatures []string `json:"signatures,omitempty"`
}
SignaturesConfig represents an array of JWTs that encapsulate the signatures for the bundle.
type SigningConfig ¶ added in v0.22.0
SigningConfig represents the key configuration used to generate a signed bundle
func NewSigningConfig ¶ added in v0.22.0
func NewSigningConfig(key, alg, claimsPath string) *SigningConfig
NewSigningConfig return a new SigningConfig
func (*SigningConfig) GetClaims ¶ added in v0.22.0
func (s *SigningConfig) GetClaims() (map[string]interface{}, error)
GetClaims returns the claims by reading the file specified in the signing config
func (*SigningConfig) GetPrivateKey ¶ added in v0.22.0
func (s *SigningConfig) GetPrivateKey() (interface{}, error)
GetPrivateKey returns the private key or secret from the signing config
type VerificationConfig ¶ added in v0.22.0
type VerificationConfig struct { PublicKeys map[string]*KeyConfig KeyID string `json:"keyid"` Scope string `json:"scope"` Exclude []string `json:"exclude_files"` }
VerificationConfig represents the key configuration used to verify a signed bundle
func NewVerificationConfig ¶ added in v0.22.0
func NewVerificationConfig(keys map[string]*KeyConfig, id, scope string, exclude []string) *VerificationConfig
NewVerificationConfig return a new VerificationConfig
func (*VerificationConfig) GetPublicKey ¶ added in v0.22.0
func (vc *VerificationConfig) GetPublicKey(id string) (*KeyConfig, error)
GetPublicKey returns the public key corresponding to the given key id
func (*VerificationConfig) ValidateAndInjectDefaults ¶ added in v0.22.0
func (vc *VerificationConfig) ValidateAndInjectDefaults(keys map[string]*KeyConfig) error
ValidateAndInjectDefaults validates the config and inserts default values
type WasmModuleFile ¶ added in v0.25.0
WasmModuleFile represents a single wasm module contained in a bundle.
type WasmResolver ¶ added in v0.25.0
type WasmResolver struct { Entrypoint string `json:"entrypoint,omitempty"` Module string `json:"module,omitempty"` }
WasmResolver maps a wasm module to an entrypoint ref.
func ReadWasmMetadataFromStore ¶ added in v0.25.0
func ReadWasmMetadataFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) ([]WasmResolver, error)
ReadWasmMetadataFromStore will read Wasm module resolver metadata from the store.
type Writer ¶ added in v0.20.0
type Writer struct {
// contains filtered or unexported fields
}
Writer implements bundle serialization.
func (*Writer) DisableFormat ¶ added in v0.20.0
DisableFormat configures the writer to just write out raw bytes instead of formatting modules before serialization.
func (*Writer) UseModulePath ¶ added in v0.20.0
UseModulePath configures the writer to use the module file path instead of the module file URL during serialization. This is for backwards compatibility.