Documentation ¶
Overview ¶
Package bundle implements bundle loading.
Deprecated: This package is intended for older projects transitioning from OPA v0.x and will remain for the lifetime of OPA v1.x, but its use is not recommended. For newer features and behaviours, such as defaulting to the Rego v1 syntax, use the corresponding components in the github.com/open-policy-agent/opa/v1 package instead. See https://www.openpolicyagent.org/docs/latest/v0-compatibility/ for more information.
Package bundle provides helpers that assist in creating the verification and signing key configuration. ¶
Package bundle provides helpers that assist in creating a signed bundle. ¶
Package bundle provides helpers that assist in the bundle signature verification process.
Index ¶
- Constants
- Variables
- func Activate(opts *ActivateOpts) error
- func ActivateLegacy(opts *ActivateOpts) error
- func Deactivate(opts *DeactivateOpts) error
- func EraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) error
- func EtagStoragePath(name string) storage.Path
- func GenerateSignedToken(files []FileInfo, sc *SigningConfig, keyID string) (string, error)
- func LegacyEraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) error
- func LegacyReadRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) (string, error)
- func LegacyWriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, ...) error
- func ManifestStoragePath(name string) storage.Path
- func NewIterator(raw []Raw) storage.Iterator
- func ReadBundleEtagFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (string, error)
- func ReadBundleMetadataFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (map[string]interface{}, error)
- func ReadBundleNamesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) ([]string, error)
- func ReadBundleRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (string, error)
- func ReadBundleRootsFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) ([]string, error)
- func ReadWasmModulesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (map[string][]byte, error)
- func RegisterSigner(id string, s Signer) error
- func RegisterVerifier(id string, v Verifier) error
- func RootPathsContain(roots []string, path string) bool
- func RootPathsOverlap(pathA string, pathB string) bool
- func VerifyBundleSignature(sc SignaturesConfig, bvc *VerificationConfig) (map[string]FileInfo, error)
- func Write(w io.Writer, bundle Bundle) error
- func WriteEtagToStore(ctx context.Context, store storage.Store, txn storage.Transaction, ...) error
- func WriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string, ...) error
- type ActivateOpts
- type Bundle
- type DeactivateOpts
- type DecodedSignature
- type DefaultSigner
- type DefaultVerifier
- type Descriptor
- type DirectoryLoader
- func NewDirectoryLoader(root string) DirectoryLoader
- func NewFSLoader(filesystem fs.FS) (DirectoryLoader, error)
- func NewFSLoaderWithRoot(filesystem fs.FS, root string) DirectoryLoader
- func NewTarballLoader(r io.Reader) DirectoryLoader
- func NewTarballLoaderWithBaseURL(r io.Reader, baseURL string) DirectoryLoader
- type FileInfo
- type HashingAlgorithm
- type KeyConfig
- type Manifest
- type ModuleFile
- type Patch
- type PatchOperation
- type PathFormat
- type PlanModuleFile
- type Raw
- type Reader
- type SignatureHasher
- type SignaturesConfig
- type Signer
- type SigningConfig
- type VerificationConfig
- type Verifier
- type WasmModuleFile
- type WasmResolver
- type Writer
Constants ¶
const (
    RegoExt               = v1.RegoExt
    WasmFile              = v1.WasmFile
    PlanFile              = v1.PlanFile
    ManifestExt           = v1.ManifestExt
    SignaturesFile        = v1.SignaturesFile
    DefaultSizeLimitBytes = v1.DefaultSizeLimitBytes
    DeltaBundleType       = v1.DeltaBundleType
    SnapshotBundleType    = v1.SnapshotBundleType
)
Common file extensions and file names.
const (
    Chrooted    = v1.Chrooted
    SlashRooted = v1.SlashRooted
    Passthrough = v1.Passthrough
)
const (
    MD5       = v1.MD5
    SHA1      = v1.SHA1
    SHA224    = v1.SHA224
    SHA256    = v1.SHA256
    SHA384    = v1.SHA384
    SHA512    = v1.SHA512
    SHA512224 = v1.SHA512224
    SHA512256 = v1.SHA512256
)
Supported values for HashingAlgorithm.
Variables ¶
var BundlesBasePath = v1.BundlesBasePath
BundlesBasePath is the storage path used for storing bundle metadata
Functions ¶
func Activate ¶ added in v0.14.0
func Activate(opts *ActivateOpts) error
Activate the bundle(s) by loading them into the given Store. This will load policies and data, and record the manifest in storage. The compiler provided will have had the policies compiled on it.
func ActivateLegacy ¶ added in v0.14.0
func ActivateLegacy(opts *ActivateOpts) error
ActivateLegacy calls Activate for the bundles but will also write their manifest to the older unnamed store location. Deprecated: Use Activate with named bundles instead.
func Deactivate ¶ added in v0.14.0
func Deactivate(opts *DeactivateOpts) error
Deactivate the bundle(s). This will erase associated data, policies, and the manifest entry from the store.
func EraseManifestFromStore ¶ added in v0.13.0
func EraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) error
EraseManifestFromStore will remove the manifest from storage. This function is called when the bundle is deactivated.
func EtagStoragePath ¶ added in v0.40.0
func EtagStoragePath(name string) storage.Path
EtagStoragePath is the storage path used for the given named bundle etag.
func GenerateSignedToken ¶ added in v0.22.0
func GenerateSignedToken(files []FileInfo, sc *SigningConfig, keyID string) (string, error)
GenerateSignedToken will retrieve the Signer implementation based on the Plugin specified in SigningConfig, and call its implementation of GenerateSignedToken. The signer generates a signed token given the list of files to be included in the payload and the bundle signing config. The keyID, if non-empty, is the value of the "keyid" claim in the token.
func LegacyEraseManifestFromStore ¶ added in v0.13.0
func LegacyEraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) error
LegacyEraseManifestFromStore will erase the bundle manifest from the older single (unnamed) bundle manifest location. Deprecated: Use WriteManifestToStore and named bundles instead.
func LegacyReadRevisionFromStore ¶ added in v0.13.0
func LegacyReadRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) (string, error)
LegacyReadRevisionFromStore will read the bundle manifest revision from the older single (unnamed) bundle manifest location. Deprecated: Use ReadBundleRevisionFromStore and named bundles instead.
func LegacyWriteManifestToStore ¶ added in v0.13.0
func LegacyWriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, manifest Manifest) error
LegacyWriteManifestToStore will write the bundle manifest to the older single (unnamed) bundle manifest location. Deprecated: Use WriteManifestToStore and named bundles instead.
func ManifestStoragePath ¶ added in v0.13.0
func ManifestStoragePath(name string) storage.Path
ManifestStoragePath is the storage path used for the given named bundle manifest.
func NewIterator ¶ added in v0.42.0
func NewIterator(raw []Raw) storage.Iterator
func ReadBundleEtagFromStore ¶ added in v0.40.0
func ReadBundleEtagFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (string, error)
ReadBundleEtagFromStore returns the etag for the specified bundle. If the bundle is not activated, this function will return a storage NotFound error.
func ReadBundleMetadataFromStore ¶ added in v0.29.0
func ReadBundleMetadataFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (map[string]interface{}, error)
ReadBundleMetadataFromStore returns the metadata in the specified bundle. If the bundle is not activated, this function will return a storage NotFound error.
func ReadBundleNamesFromStore ¶ added in v0.13.0
func ReadBundleNamesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) ([]string, error)
ReadBundleNamesFromStore will return a list of bundle names which have had their metadata stored.
func ReadBundleRevisionFromStore ¶ added in v0.13.0
func ReadBundleRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (string, error)
ReadBundleRevisionFromStore returns the revision in the specified bundle. If the bundle is not activated, this function will return a storage NotFound error.
func ReadBundleRootsFromStore ¶ added in v0.13.0
func ReadBundleRootsFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) ([]string, error)
ReadBundleRootsFromStore returns the roots in the specified bundle. If the bundle is not activated, this function will return a storage NotFound error.
func ReadWasmModulesFromStore ¶ added in v0.25.0
func ReadWasmModulesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (map[string][]byte, error)
ReadWasmModulesFromStore reads Wasm module resolver metadata from the store.
func RegisterSigner ¶ added in v0.28.0
func RegisterSigner(id string, s Signer) error
RegisterSigner registers a Signer under the given id.
func RegisterVerifier ¶ added in v0.28.0
func RegisterVerifier(id string, v Verifier) error
RegisterVerifier registers a Verifier under the given id.
func RootPathsContain ¶ added in v0.20.0
func RootPathsContain(roots []string, path string) bool
RootPathsContain takes a set of bundle root paths and returns true if the given path is contained in one of them.
func RootPathsOverlap ¶ added in v0.14.0
func RootPathsOverlap(pathA string, pathB string) bool
RootPathsOverlap takes two bundle root paths and returns true if they overlap.
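The root containment and overlap checks documented for RootPathsContain and RootPathsOverlap decide whether two bundles may be activated into the same store. The following is an added example, not OPA's own code: it re-implements the semantics as segment-wise prefix matching (where an empty root is a bundle-wide wildcard and "a/b" does not match the sibling "a/bc"), and uses that to list the root pairs that would conflict between two bundles. Names such as conflictingRoots are this example's own.

```go
package main

import "strings"

// rootSegments splits a bundle root such as "authz/rbac" into path components.
// The empty root "" yields a single empty segment, the bundle-wide wildcard.
func rootSegments(root string) []string {
	return strings.Split(strings.Trim(root, "/"), "/")
}

// rootContains reports whether root is a segment-wise prefix of other, so
// "a/b" contains "a/b/c" but not the sibling "a/bc"; the empty root contains all.
func rootContains(root, other []string) bool {
	if len(root) == 1 && root[0] == "" {
		return true
	}
	for i := range root {
		if i >= len(other) || root[i] != other[i] {
			return false
		}
	}
	return true
}

// rootPathsOverlap: two roots overlap when either one contains the other.
func rootPathsOverlap(pathA, pathB string) bool {
	a, b := rootSegments(pathA), rootSegments(pathB)
	return rootContains(a, b) || rootContains(b, a)
}

// rootPathsContain reports whether path falls under at least one of roots.
func rootPathsContain(roots []string, path string) bool {
	p := rootSegments(path)
	for _, r := range roots {
		if rootContains(rootSegments(r), p) {
			return true
		}
	}
	return false
}

// conflictingRoots lists every root pair, one from each bundle, that would
// collide if both bundles were activated into the same store (example helper).
func conflictingRoots(rootsA, rootsB []string) [][2]string {
	var out [][2]string
	for _, a := range rootsA {
		for _, b := range rootsB {
			if rootPathsOverlap(a, b) {
				out = append(out, [2]string{a, b})
			}
		}
	}
	return out
}
```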
func VerifyBundleSignature ¶ added in v0.22.0
func VerifyBundleSignature(sc SignaturesConfig, bvc *VerificationConfig) (map[string]FileInfo, error)
VerifyBundleSignature will retrieve the Verifier implementation based on the Plugin specified in SignaturesConfig, and call its implementation of VerifyBundleSignature. The verifier checks the bundle signature using the given public keys or secret. If a signature is verified, it keeps track of the files specified in the JWT payload.
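Once VerifyBundleSignature has validated the JWT, the files it returns still have to be compared against what the bundle actually contains. The following is an added example, not OPA's own code: it performs that second step over a constructed in-memory bundle, selecting the digest algorithm from each FileInfo entry by its HashingAlgorithm name, rejecting files that are unsigned, altered or missing, and honouring the exclude list that NewVerificationConfig accepts. The fileInfo type and checkBundleFiles are this example's own names, and only two algorithms are wired up.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
)

// fileInfo mirrors a per-file entry of the signed "files" claim: name, hex digest, algorithm.
type fileInfo struct{ Name, Hash, Algorithm string }

// newHash maps a claim's algorithm name to a Go hash; only two of the supported names are wired up.
func newHash(alg string) (hash.Hash, error) {
	switch alg {
	case "SHA-256":
		return sha256.New(), nil
	case "SHA-512":
		return sha512.New(), nil
	}
	return nil, fmt.Errorf("unsupported hashing algorithm %q", alg)
}

// checkBundleFiles runs after the JWT signature itself has been verified: each present file
// must be listed with a matching digest and each listed file must be present; excluded names are skipped.
func checkBundleFiles(signed map[string]fileInfo, files map[string][]byte, exclude []string) error {
	skip := map[string]bool{}
	for _, e := range exclude {
		skip[e] = true
	}
	for name, content := range files {
		if skip[name] {
			continue
		}
		info, ok := signed[name]
		if !ok {
			return fmt.Errorf("file %q is not covered by the bundle signature", name)
		}
		h, err := newHash(info.Algorithm)
		if err != nil {
			return err
		}
		h.Write(content)
		if got := hex.EncodeToString(h.Sum(nil)); got != info.Hash {
			return fmt.Errorf("digest mismatch for %q: signed %s, actual %s", name, info.Hash, got)
		}
	}
	for name := range signed {
		if _, ok := files[name]; !ok && !skip[name] {
			return fmt.Errorf("signed file %q is missing from the bundle", name)
		}
	}
	return nil
}
```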
func WriteEtagToStore ¶ added in v0.40.0
func WriteEtagToStore(ctx context.Context, store storage.Store, txn storage.Transaction, name, etag string) error
WriteEtagToStore will write the bundle etag into the storage. This function is called when the bundle is activated.
Types ¶
type ActivateOpts ¶ added in v0.14.0
type ActivateOpts = v1.ActivateOpts
ActivateOpts defines options for the Activate API call.
type Bundle ¶
Bundle represents a loaded bundle. The bundle can contain data and policies.
func Merge ¶ added in v0.20.0
Merge accepts a set of bundles and merges them into a single result bundle. If there are any conflicts during the merge (e.g., with roots) an error is returned. The result bundle will have an empty revision except in the special case where a single bundle is provided (in that case the bundle is just returned unmodified).
func MergeWithRegoVersion ¶ added in v0.64.0
func MergeWithRegoVersion(bundles []*Bundle, regoVersion ast.RegoVersion, usePath bool) (*Bundle, error)
MergeWithRegoVersion creates a merged bundle from the provided bundles, similar to Merge. If more than one bundle is provided, the rego version of the result bundle is set to the provided regoVersion. Any Rego files in a bundle of conflicting rego version will be marked in the result's manifest with the rego version of its original bundle. If the Rego file already had an overriding rego version, it will be preserved. If a single bundle is provided, it will retain any rego version information it already had. If it has none, the provided regoVersion will be applied to it. If usePath is true, per-file rego-versions will be calculated using the file's ModuleFile.Path; otherwise, the file's ModuleFile.URL will be used.
type DeactivateOpts ¶ added in v0.14.0
type DeactivateOpts = v1.DeactivateOpts
DeactivateOpts defines options for the Deactivate API call
type DecodedSignature ¶ added in v0.22.0
type DecodedSignature = v1.DecodedSignature
DecodedSignature represents the decoded JWT payload.
type DefaultSigner ¶ added in v0.28.0
type DefaultSigner v1.DefaultSigner
DefaultSigner is the default bundle signing implementation. It signs bundles by generating a JWT and signing it using a locally-accessible private key.
type DefaultVerifier ¶ added in v0.28.0
type DefaultVerifier = v1.DefaultVerifier
DefaultVerifier is the default bundle verification implementation. It verifies bundles by checking the JWT signature using a locally-accessible public key.
type Descriptor ¶ added in v0.15.1
type Descriptor = v1.Descriptor
Descriptor contains information about a file and can be used to read the file contents.
func NewDescriptor ¶ added in v0.61.0
func NewDescriptor(url, path string, reader io.Reader) *Descriptor
type DirectoryLoader ¶ added in v0.15.1
type DirectoryLoader = v1.DirectoryLoader
DirectoryLoader defines an interface which can be used to load files from a directory by iterating over each one in the tree.
func NewDirectoryLoader ¶ added in v0.15.1
func NewDirectoryLoader(root string) DirectoryLoader
NewDirectoryLoader returns a basic DirectoryLoader implementation that will load files from a given root directory path.
func NewFSLoader ¶ added in v0.29.4
func NewFSLoader(filesystem fs.FS) (DirectoryLoader, error)
NewFSLoader returns a basic DirectoryLoader implementation that will load files from a fs.FS interface
func NewFSLoaderWithRoot ¶ added in v0.52.0
func NewFSLoaderWithRoot(filesystem fs.FS, root string) DirectoryLoader
NewFSLoaderWithRoot returns a basic DirectoryLoader implementation that will load files from a fs.FS interface at the supplied root
func NewTarballLoader ¶ added in v0.15.1
func NewTarballLoader(r io.Reader) DirectoryLoader
NewTarballLoader is deprecated. Use NewTarballLoaderWithBaseURL instead.
func NewTarballLoaderWithBaseURL ¶ added in v0.20.0
func NewTarballLoaderWithBaseURL(r io.Reader, baseURL string) DirectoryLoader
NewTarballLoaderWithBaseURL returns a new DirectoryLoader that reads files out of a gzipped tar archive. The file URLs will be prefixed with the baseURL.
type FileInfo ¶ added in v0.22.0
FileInfo contains the hashing algorithm used, the resulting digest, etc.
type HashingAlgorithm ¶ added in v0.22.0
type HashingAlgorithm = v1.HashingAlgorithm
HashingAlgorithm represents a subset of hashing algorithms implemented in Go
type KeyConfig ¶ added in v0.22.0
KeyConfig holds the keys used to sign or verify bundles and tokens. Moved to its own package; the alias is kept for backwards compatibility.
type Manifest ¶
Manifest represents the manifest from a bundle. The manifest may contain metadata such as the bundle revision.
type ModuleFile ¶
type ModuleFile = v1.ModuleFile
ModuleFile represents a single module contained in a bundle.
type Patch ¶ added in v0.37.0
Patch contains an array of objects wherein each object represents the patch operation to be applied to the bundle data.
type PatchOperation ¶ added in v0.37.0
type PatchOperation = v1.PatchOperation
PatchOperation models a single patch operation against a document.
type PathFormat ¶ added in v0.52.0
type PathFormat = v1.PathFormat
type PlanModuleFile ¶ added in v0.37.0
type PlanModuleFile = v1.PlanModuleFile
PlanModuleFile represents a single plan module contained in a bundle.
NOTE(tsandall): currently the plans are just opaque binary blobs. In the future we could inject the entrypoints so that the plans could be executed inside of OPA proper like we do for Wasm modules.
type Reader ¶ added in v0.10.2
Reader contains the reader to load the bundle from.
func NewCustomReader ¶ added in v0.14.0
func NewCustomReader(loader DirectoryLoader) *Reader
NewCustomReader returns a new Reader configured to use the specified DirectoryLoader.
type SignatureHasher ¶ added in v0.22.0
type SignatureHasher = v1.SignatureHasher
SignatureHasher computes a signature digest for a file with (structured or unstructured) data and policy.
func NewSignatureHasher ¶ added in v0.22.0
func NewSignatureHasher(alg HashingAlgorithm) (SignatureHasher, error)
NewSignatureHasher returns a signature hasher suitable for a particular hashing algorithm
type SignaturesConfig ¶ added in v0.22.0
type SignaturesConfig = v1.SignaturesConfig
SignaturesConfig represents an array of JWTs that encapsulate the signatures for the bundle.
type Signer ¶ added in v0.28.0
Signer is the interface expected for implementations that generate bundle signatures.
type SigningConfig ¶ added in v0.22.0
type SigningConfig = v1.SigningConfig
SigningConfig represents the key configuration used to generate a signed bundle
func NewSigningConfig ¶ added in v0.22.0
func NewSigningConfig(key, alg, claimsPath string) *SigningConfig
NewSigningConfig returns a new SigningConfig.
type VerificationConfig ¶ added in v0.22.0
type VerificationConfig = v1.VerificationConfig
VerificationConfig represents the key configuration used to verify a signed bundle
func NewVerificationConfig ¶ added in v0.22.0
func NewVerificationConfig(keys map[string]*KeyConfig, id, scope string, exclude []string) *VerificationConfig
NewVerificationConfig returns a new VerificationConfig.
type Verifier ¶ added in v0.28.0
Verifier is the interface expected for implementations that verify bundle signatures.
func GetVerifier ¶ added in v0.28.0
GetVerifier returns the Verifier registered under the given id
type WasmModuleFile ¶ added in v0.25.0
type WasmModuleFile = v1.WasmModuleFile
WasmModuleFile represents a single wasm module contained in a bundle.
type WasmResolver ¶ added in v0.25.0
type WasmResolver = v1.WasmResolver
WasmResolver maps a wasm module to an entrypoint ref.