bundle

package
v1.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 27, 2025 License: Apache-2.0 Imports: 43 Imported by: 6

Documentation

Overview

Package bundle implements bundle loading.

Package bundle provide helpers that assist in creating the verification and signing key configuration

Package bundle provide helpers that assist in the creating a signed bundle

Package bundle provide helpers that assist in the bundle signature verification process

Index

Constants

View Source 
const (
	RegoExt        = ".rego"
	WasmFile       = "policy.wasm"
	PlanFile       = "plan.json"
	ManifestExt    = ".manifest"
	SignaturesFile = "signatures.json"

	DefaultSizeLimitBytes = (1024 * 1024 * 1024) // limit bundle reads to 1GB to protect against gzip bombs
	DeltaBundleType       = "delta"
	SnapshotBundleType    = "snapshot"
)

Common file extensions and file names.

Variables

View Source 
var BundlesBasePath = storage.MustParsePath("/system/bundles")

BundlesBasePath is the storage path used for storing bundle metadata

View Source 
var ModulesInfoBasePath = storage.MustParsePath("/system/modules")

Functions

func Activate 

func Activate(opts *ActivateOpts) error

Activate the bundle(s) by loading into the given Store. This will load policies, data, and record the manifest in storage. The compiler provided will have had the polices compiled on it.

func ActivateLegacy 

func ActivateLegacy(opts *ActivateOpts) error

ActivateLegacy calls Activate for the bundles but will also write their manifest to the older unnamed store location. Deprecated: Use Activate with named bundles instead.

func Deactivate 

func Deactivate(opts *DeactivateOpts) error

Deactivate the bundle(s). This will erase associated data, policies, and the manifest entry from the store.

func EraseManifestFromStore 

func EraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) error

EraseManifestFromStore will remove the manifest from storage. This function is called when the bundle is deactivated.

func EtagStoragePath 

func EtagStoragePath(name string) storage.Path

EtagStoragePath is the storage path used for the given named bundle etag.

func GenerateSignedToken 

func GenerateSignedToken(files []FileInfo, sc *SigningConfig, keyID string) (string, error)

GenerateSignedToken will retrieve the Signer implementation based on the Plugin specified in SigningConfig, and call its implementation of GenerateSignedToken. The signer generates a signed token given the list of files to be included in the payload and the bundle signing config. The keyID if non-empty, represents the value for the "keyid" claim in the token.

func IsStructuredDoc 

func IsStructuredDoc(name string) bool

IsStructuredDoc checks if the file name equals a structured file extension ex. ".json"

func LegacyEraseManifestFromStore 

func LegacyEraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) error

LegacyEraseManifestFromStore will erase the bundle manifest from the older single (unnamed) bundle manifest location. Deprecated: Use WriteManifestToStore and named bundles instead.

func LegacyReadRevisionFromStore 

func LegacyReadRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) (string, error)

LegacyReadRevisionFromStore will read the bundle manifest revision from the older single (unnamed) bundle manifest location. Deprecated: Use ReadBundleRevisionFromStore and named bundles instead.

func LegacyWriteManifestToStore 

func LegacyWriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, manifest Manifest) error

LegacyWriteManifestToStore will write the bundle manifest to the older single (unnamed) bundle manifest location. Deprecated: Use WriteManifestToStore and named bundles instead.

func ManifestStoragePath 

func ManifestStoragePath(name string) storage.Path

ManifestStoragePath is the storage path used for the given named bundle manifest.

func NewIterator 

func NewIterator(raw []Raw) storage.Iterator

func ReadBundleEtagFromStore 

func ReadBundleEtagFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (string, error)

ReadBundleEtagFromStore returns the etag for the specified bundle. If the bundle is not activated, this function will return storage NotFound error.

func ReadBundleMetadataFromStore 

func ReadBundleMetadataFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (map[string]interface{}, error)

ReadBundleMetadataFromStore returns the metadata in the specified bundle. If the bundle is not activated, this function will return storage NotFound error.

func ReadBundleNamesFromStore 

func ReadBundleNamesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) ([]string, error)

ReadBundleNamesFromStore will return a list of bundle names which have had their metadata stored.

func ReadBundleRevisionFromStore 

func ReadBundleRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (string, error)

ReadBundleRevisionFromStore returns the revision in the specified bundle. If the bundle is not activated, this function will return storage NotFound error.

func ReadBundleRootsFromStore 

func ReadBundleRootsFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) ([]string, error)

ReadBundleRootsFromStore returns the roots in the specified bundle. If the bundle is not activated, this function will return storage NotFound error.

func ReadWasmModulesFromStore 

func ReadWasmModulesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (map[string][]byte, error)

ReadWasmModulesFromStore will write Wasm module resolver metadata from the store.

func RegisterSigner 

func RegisterSigner(id string, s Signer) error

RegisterSigner registers a Signer under the given id

func RegisterVerifier 

func RegisterVerifier(id string, v Verifier) error

RegisterVerifier registers a Verifier under the given id

func RootPathsContain 

func RootPathsContain(roots []string, path string) bool

RootPathsContain takes a set of bundle root paths and returns true if the path is contained.

func RootPathsOverlap 

func RootPathsOverlap(pathA string, pathB string) bool

RootPathsOverlap takes in two bundle root paths and returns true if they overlap.

func VerifyBundleFile 

func VerifyBundleFile(path string, data bytes.Buffer, files map[string]FileInfo) error

VerifyBundleFile verifies the hash of a file in the bundle matches to that provided in the bundle's signature

func VerifyBundleSignature 

func VerifyBundleSignature(sc SignaturesConfig, bvc *VerificationConfig) (map[string]FileInfo, error)

VerifyBundleSignature will retrieve the Verifier implementation based on the Plugin specified in SignaturesConfig, and call its implementation of VerifyBundleSignature. VerifyBundleSignature verifies the bundle signature using the given public keys or secret. If a signature is verified, it keeps track of the files specified in the JWT payload

func Write 

func Write(w io.Writer, bundle Bundle) error

Write is deprecated. Use NewWriter instead.

func WriteEtagToStore 

func WriteEtagToStore(ctx context.Context, store storage.Store, txn storage.Transaction, name, etag string) error

WriteEtagToStore will write the bundle etag into the storage. This function is called when the bundle is activated.

func WriteManifestToStore 

func WriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string, manifest Manifest) error

WriteManifestToStore will write the manifest into the storage. This function is called when the bundle is activated.

Types

type ActivateOpts 

type ActivateOpts struct {
	Ctx                      context.Context
	Store                    storage.Store
	Txn                      storage.Transaction
	TxnCtx                   *storage.Context
	Compiler                 *ast.Compiler
	Metrics                  metrics.Metrics
	Bundles                  map[string]*Bundle     // Optional
	ExtraModules             map[string]*ast.Module // Optional
	AuthorizationDecisionRef ast.Ref
	ParserOptions            ast.ParserOptions
	// contains filtered or unexported fields
}

ActivateOpts defines options for the Activate API call.

type Bundle 

type Bundle struct {
	Signatures  SignaturesConfig
	Manifest    Manifest
	Data        map[string]interface{}
	Modules     []ModuleFile
	Wasm        []byte // Deprecated. Use WasmModules instead
	WasmModules []WasmModuleFile
	PlanModules []PlanModuleFile
	Patch       Patch
	Etag        string
	Raw         []Raw
	// contains filtered or unexported fields
}

Bundle represents a loaded bundle. The bundle can contain data and policies.

func Merge 

func Merge(bundles []*Bundle) (*Bundle, error)

Merge accepts a set of bundles and merges them into a single result bundle. If there are any conflicts during the merge (e.g., with roots) an error is returned. The result bundle will have an empty revision except in the special case where a single bundle is provided (and in that case the bundle is just returned unmodified.)

func MergeWithRegoVersion 

func MergeWithRegoVersion(bundles []*Bundle, regoVersion ast.RegoVersion, usePath bool) (*Bundle, error)

MergeWithRegoVersion creates a merged bundle from the provided bundles, similar to Merge. If more than one bundle is provided, the rego version of the result bundle is set to the provided regoVersion. Any Rego files in a bundle of conflicting rego version will be marked in the result's manifest with the rego version of its original bundle. If the Rego file already had an overriding rego version, it will be preserved. If a single bundle is provided, it will retain any rego version information it already had. If it has none, the provided regoVersion will be applied to it. If usePath is true, per-file rego-versions will be calculated using the file's ModuleFile.Path; otherwise, the file's ModuleFile.URL will be used.

func (Bundle) Copy 

func (b Bundle) Copy() Bundle

Copy returns a deep copy of the bundle.

func (Bundle) Equal 

func (b Bundle) Equal(other Bundle) bool

Equal returns true if this bundle's contents equal the other bundle's contents.

func (*Bundle) FormatModules 

func (b *Bundle) FormatModules(useModulePath bool) error

FormatModules formats Rego modules Modules will be formatted to comply with ast.DefaultRegoVersion, but Rego compatibility of individual parsed modules will be respected (e.g. if 'rego.v1' is imported).

func (*Bundle) FormatModulesForRegoVersion 

func (b *Bundle) FormatModulesForRegoVersion(version ast.RegoVersion, preserveModuleRegoVersion bool, useModulePath bool) error

FormatModulesForRegoVersion formats Rego modules to comply with a given Rego version

func (*Bundle) GenerateSignature 

func (b *Bundle) GenerateSignature(signingConfig *SigningConfig, keyID string, useModulePath bool) error

GenerateSignature generates the signature for the given bundle.

func (*Bundle) ParsedModules 

func (b *Bundle) ParsedModules(bundleName string) map[string]*ast.Module

ParsedModules returns a map of parsed modules with names that are unique and human readable for the given a bundle name.

func (*Bundle) RegoVersion 

func (b *Bundle) RegoVersion(def ast.RegoVersion) ast.RegoVersion

func (*Bundle) RegoVersionForFile 

func (b *Bundle) RegoVersionForFile(path string, def ast.RegoVersion) (ast.RegoVersion, error)

RegoVersionForFile returns the rego-version for the specified file path. If there is no defined version for the given path, the default version def is returned. If the version does not correspond to ast.RegoV0 or ast.RegoV1, an error is returned.

func (*Bundle) SetRegoVersion 

func (b *Bundle) SetRegoVersion(v ast.RegoVersion)

func (*Bundle) Type 

func (b *Bundle) Type() string

Type returns the type of the bundle.

type DeactivateOpts 

type DeactivateOpts struct {
	Ctx           context.Context
	Store         storage.Store
	Txn           storage.Transaction
	BundleNames   map[string]struct{}
	ParserOptions ast.ParserOptions
}

DeactivateOpts defines options for the Deactivate API call

type DecodedSignature 

type DecodedSignature struct {
	Files    []FileInfo `json:"files"`
	KeyID    string     `json:"keyid"` // Deprecated, use kid in the JWT header instead.
	Scope    string     `json:"scope"`
	IssuedAt int64      `json:"iat"`
	Issuer   string     `json:"iss"`
}

DecodedSignature represents the decoded JWT payload.

type DefaultSigner 

type DefaultSigner struct{}

DefaultSigner is the default bundle signing implementation. It signs bundles by generating a JWT and signing it using a locally-accessible private key.

func (*DefaultSigner) GenerateSignedToken 

func (*DefaultSigner) GenerateSignedToken(files []FileInfo, sc *SigningConfig, keyID string) (string, error)

GenerateSignedToken generates a signed token given the list of files to be included in the payload and the bundle signing config. The keyID if non-empty, represents the value for the "keyid" claim in the token

type DefaultVerifier 

type DefaultVerifier struct{}

DefaultVerifier is the default bundle verification implementation. It verifies bundles by checking the JWT signature using a locally-accessible public key.

func (*DefaultVerifier) VerifyBundleSignature 

func (*DefaultVerifier) VerifyBundleSignature(sc SignaturesConfig, bvc *VerificationConfig) (map[string]FileInfo, error)

VerifyBundleSignature verifies the bundle signature using the given public keys or secret. If a signature is verified, it keeps track of the files specified in the JWT payload

type Descriptor 

type Descriptor struct {
	// contains filtered or unexported fields
}

Descriptor contains information about a file and can be used to read the file contents.

func NewDescriptor 

func NewDescriptor(url, path string, reader io.Reader) *Descriptor

func (*Descriptor) Close 

func (d *Descriptor) Close() error

Close the file, on some Loader implementations this might be a no-op. It should *always* be called regardless of file.

func (*Descriptor) Path 

func (d *Descriptor) Path() string

Path returns the path of the file.

func (*Descriptor) Read 

func (d *Descriptor) Read(dest io.Writer, n int64) (int64, error)

Read will read all the contents from the file the Descriptor refers to into the dest writer up n bytes. Will return an io.EOF error if EOF is encountered before n bytes are read.

func (*Descriptor) URL 

func (d *Descriptor) URL() string

URL returns the url of the file.

func (*Descriptor) WithCloser 

func (d *Descriptor) WithCloser(closer io.Closer) *Descriptor

type DirectoryLoader 

type DirectoryLoader interface {
	// NextFile must return io.EOF if there is no next value. The returned
	// descriptor should *always* be closed when no longer needed.
	NextFile() (*Descriptor, error)
	WithFilter(filter filter.LoaderFilter) DirectoryLoader
	WithPathFormat(PathFormat) DirectoryLoader
	WithSizeLimitBytes(sizeLimitBytes int64) DirectoryLoader
	WithFollowSymlinks(followSymlinks bool) DirectoryLoader
}

DirectoryLoader defines an interface which can be used to load files from a directory by iterating over each one in the tree.

func NewDirectoryLoader 

func NewDirectoryLoader(root string) DirectoryLoader

NewDirectoryLoader returns a basic DirectoryLoader implementation that will load files from a given root directory path.

func NewFSLoader 

func NewFSLoader(filesystem fs.FS) (DirectoryLoader, error)

NewFSLoader returns a basic DirectoryLoader implementation that will load files from a fs.FS interface

func NewFSLoaderWithRoot 

func NewFSLoaderWithRoot(filesystem fs.FS, root string) DirectoryLoader

NewFSLoaderWithRoot returns a basic DirectoryLoader implementation that will load files from a fs.FS interface at the supplied root

func NewTarballLoader 

func NewTarballLoader(r io.Reader) DirectoryLoader

NewTarballLoader is deprecated. Use NewTarballLoaderWithBaseURL instead.

func NewTarballLoaderWithBaseURL 

func NewTarballLoaderWithBaseURL(r io.Reader, baseURL string) DirectoryLoader

NewTarballLoaderWithBaseURL returns a new DirectoryLoader that reads files out of a gzipped tar archive. The file URLs will be prefixed with the baseURL.

type FileInfo 

type FileInfo struct {
	Name      string `json:"name"`
	Hash      string `json:"hash"`
	Algorithm string `json:"algorithm"`
}

FileInfo contains the hashing algorithm used, resulting digest etc.

func NewFile 

func NewFile(name, hash, alg string) FileInfo

NewFile returns a new FileInfo.

type HashingAlgorithm 

type HashingAlgorithm string

HashingAlgorithm represents a subset of hashing algorithms implemented in Go 

const (
	MD5       HashingAlgorithm = "MD5"
	SHA1      HashingAlgorithm = "SHA-1"
	SHA224    HashingAlgorithm = "SHA-224"
	SHA256    HashingAlgorithm = "SHA-256"
	SHA384    HashingAlgorithm = "SHA-384"
	SHA512    HashingAlgorithm = "SHA-512"
	SHA512224 HashingAlgorithm = "SHA-512-224"
	SHA512256 HashingAlgorithm = "SHA-512-256"
)

Supported values for HashingAlgorithm

func (HashingAlgorithm) String 

func (alg HashingAlgorithm) String() string

String returns the string representation of a HashingAlgorithm

type KeyConfig 

type KeyConfig = keys.Config

KeyConfig holds the keys used to sign or verify bundles and tokens Moved to own package, alias kept for backwards compatibility

type Manifest 

type Manifest struct {
	Revision      string         `json:"revision"`
	Roots         *[]string      `json:"roots,omitempty"`
	WasmResolvers []WasmResolver `json:"wasm,omitempty"`
	// RegoVersion is the global Rego version for the bundle described by this Manifest.
	// The Rego version of individual files can be overridden in FileRegoVersions.
	// We don't use ast.RegoVersion here, as this iota type's order isn't guaranteed to be stable over time.
	// We use a pointer so that we can support hand-made bundles that don't have an explicit version appropriately.
	// E.g. in OPA 0.x if --v1-compatible is used when consuming the bundle, and there is no specified version,
	// we should default to v1; if --v1-compatible isn't used, we should default to v0. In OPA 1.0, no --x-compatible
	// flag and no explicit bundle version should default to v1.
	RegoVersion *int `json:"rego_version,omitempty"`
	// FileRegoVersions is a map from file paths to Rego versions.
	// This allows individual files to override the global Rego version specified by RegoVersion.
	FileRegoVersions map[string]int         `json:"file_rego_versions,omitempty"`
	Metadata         map[string]interface{} `json:"metadata,omitempty"`
	// contains filtered or unexported fields
}

Manifest represents the manifest from a bundle. The manifest may contain metadata such as the bundle revision.

func (*Manifest) AddRoot 

func (m *Manifest) AddRoot(r string)

AddRoot adds r to the roots of m. This function is idempotent.

func (Manifest) Copy 

func (m Manifest) Copy() Manifest

Copy returns a deep copy of the manifest.

func (Manifest) Empty 

func (m Manifest) Empty() bool

func (Manifest) Equal 

func (m Manifest) Equal(other Manifest) bool

Equal returns true if m is semantically equivalent to other.

func (*Manifest) Init 

func (m *Manifest) Init()

Init initializes the manifest. If you instantiate a manifest manually, call Init to ensure that the roots are set properly.

func (*Manifest) RegoVersionForFile added in v1.0.1 

func (m *Manifest) RegoVersionForFile(path string) (ast.RegoVersion, error)

func (*Manifest) SetRegoVersion 

func (m *Manifest) SetRegoVersion(v ast.RegoVersion)

func (Manifest) String 

func (m Manifest) String() string

type ModuleFile 

type ModuleFile struct {
	URL          string
	Path         string
	RelativePath string
	Raw          []byte
	Parsed       *ast.Module
}

ModuleFile represents a single module contained in a bundle.

type Patch 

type Patch struct {
	Data []PatchOperation `json:"data,omitempty"`
}

Patch contains an array of objects wherein each object represents the patch operation to be applied to the bundle data.

type PatchOperation 

type PatchOperation struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

PatchOperation models a single patch operation against a document.

type PathFormat 

type PathFormat int64
const (
	Chrooted PathFormat = iota
	SlashRooted
	Passthrough
)

type PlanModuleFile 

type PlanModuleFile struct {
	URL  string
	Path string
	Raw  []byte
}

PlanModuleFile represents a single plan module contained in a bundle.

NOTE(tsandall): currently the plans are just opaque binary blobs. In the future we could inject the entrypoints so that the plans could be executed inside of OPA proper like we do for Wasm modules.

type Raw 

type Raw struct {
	Path  string
	Value []byte
	// contains filtered or unexported fields
}

Raw contains raw bytes representing the bundle's content

type Reader 

type Reader struct {
	// contains filtered or unexported fields
}

Reader contains the reader to load the bundle from.

func NewCustomReader 

func NewCustomReader(loader DirectoryLoader) *Reader

NewCustomReader returns a new Reader configured to use the specified DirectoryLoader.

func NewReader 

func NewReader(r io.Reader) *Reader

NewReader is deprecated. Use NewCustomReader instead.

func (*Reader) IncludeManifestInData 

func (r *Reader) IncludeManifestInData(includeManifestInData bool) *Reader

IncludeManifestInData sets whether the manifest metadata should be included in the bundle's data.

func (*Reader) ParserOptions 

func (r *Reader) ParserOptions() ast.ParserOptions

func (*Reader) Read 

func (r *Reader) Read() (Bundle, error)

Read returns a new Bundle loaded from the reader.

func (*Reader) WithBaseDir 

func (r *Reader) WithBaseDir(dir string) *Reader

WithBaseDir sets a base directory for file paths of loaded Rego modules. This will *NOT* affect the loaded path of data files.

func (*Reader) WithBundleEtag 

func (r *Reader) WithBundleEtag(etag string) *Reader

WithBundleEtag sets the given etag value on the bundle

func (*Reader) WithBundleName 

func (r *Reader) WithBundleName(name string) *Reader

WithBundleName specifies the bundle name

func (*Reader) WithBundlePersistence 

func (r *Reader) WithBundlePersistence(persist bool) *Reader

WithBundlePersistence specifies if the downloaded bundle will eventually be persisted to disk.

func (*Reader) WithBundleVerificationConfig 

func (r *Reader) WithBundleVerificationConfig(config *VerificationConfig) *Reader

WithBundleVerificationConfig sets the key configuration used to verify a signed bundle

func (*Reader) WithCapabilities 

func (r *Reader) WithCapabilities(caps *ast.Capabilities) *Reader

WithCapabilities sets the supported capabilities when loading the files 

func (r *Reader) WithFollowSymlinks(yes bool) *Reader

func (*Reader) WithJSONOptions deprecated 

func (r *Reader) WithJSONOptions(*astJSON.Options) *Reader

WithJSONOptions sets the JSON options on the parser (now a no-op).

Deprecated: Use SetOptions in the json package instead, where a longer description of why this is deprecated also can be found.

func (*Reader) WithLazyLoadingMode 

func (r *Reader) WithLazyLoadingMode(yes bool) *Reader

WithLazyLoadingMode sets the bundle loading mode. If true, bundles will be read in lazy mode. In this mode, data files in the bundle will not be deserialized and the check to validate that the bundle data does not contain paths outside the bundle's roots will not be performed while reading the bundle.

func (*Reader) WithMetrics 

func (r *Reader) WithMetrics(m metrics.Metrics) *Reader

WithMetrics sets the metrics object to be used while loading bundles

func (*Reader) WithProcessAnnotations 

func (r *Reader) WithProcessAnnotations(yes bool) *Reader

WithProcessAnnotations enables annotation processing during .rego file parsing.

func (*Reader) WithRegoVersion 

func (r *Reader) WithRegoVersion(version ast.RegoVersion) *Reader

func (*Reader) WithSizeLimitBytes 

func (r *Reader) WithSizeLimitBytes(n int64) *Reader

WithSizeLimitBytes sets the size limit to apply to files in the bundle. If files are larger than this, an error will be returned by the reader.

func (*Reader) WithSkipBundleVerification 

func (r *Reader) WithSkipBundleVerification(skipVerify bool) *Reader

WithSkipBundleVerification skips verification of a signed bundle

type SignatureHasher 

type SignatureHasher interface {
	HashFile(v interface{}) ([]byte, error)
}

SignatureHasher computes a signature digest for a file with (structured or unstructured) data and policy

func NewSignatureHasher 

func NewSignatureHasher(alg HashingAlgorithm) (SignatureHasher, error)

NewSignatureHasher returns a signature hasher suitable for a particular hashing algorithm

type SignaturesConfig 

type SignaturesConfig struct {
	Signatures []string `json:"signatures,omitempty"`
	Plugin     string   `json:"plugin,omitempty"`
}

SignaturesConfig represents an array of JWTs that encapsulate the signatures for the bundle.

type Signer 

type Signer interface {
	GenerateSignedToken([]FileInfo, *SigningConfig, string) (string, error)
}

Signer is the interface expected for implementations that generate bundle signatures.

func GetSigner 

func GetSigner(id string) (Signer, error)

GetSigner returns the Signer registered under the given id

type SigningConfig 

type SigningConfig struct {
	Plugin     string
	Key        string
	Algorithm  string
	ClaimsPath string
}

SigningConfig represents the key configuration used to generate a signed bundle

func NewSigningConfig 

func NewSigningConfig(key, alg, claimsPath string) *SigningConfig

NewSigningConfig return a new SigningConfig

func (*SigningConfig) GetClaims 

func (s *SigningConfig) GetClaims() (map[string]interface{}, error)

GetClaims returns the claims by reading the file specified in the signing config

func (*SigningConfig) GetPrivateKey 

func (s *SigningConfig) GetPrivateKey() (interface{}, error)

GetPrivateKey returns the private key or secret from the signing config

func (*SigningConfig) WithPlugin 

func (s *SigningConfig) WithPlugin(plugin string) *SigningConfig

WithPlugin sets the signing plugin in the signing config

type VerificationConfig 

type VerificationConfig struct {
	PublicKeys map[string]*KeyConfig
	KeyID      string   `json:"keyid"`
	Scope      string   `json:"scope"`
	Exclude    []string `json:"exclude_files"`
}

VerificationConfig represents the key configuration used to verify a signed bundle

func NewVerificationConfig 

func NewVerificationConfig(keys map[string]*KeyConfig, id, scope string, exclude []string) *VerificationConfig

NewVerificationConfig return a new VerificationConfig

func (*VerificationConfig) GetPublicKey 

func (vc *VerificationConfig) GetPublicKey(id string) (*KeyConfig, error)

GetPublicKey returns the public key corresponding to the given key id

func (*VerificationConfig) ValidateAndInjectDefaults 

func (vc *VerificationConfig) ValidateAndInjectDefaults(keys map[string]*KeyConfig) error

ValidateAndInjectDefaults validates the config and inserts default values

type Verifier 

type Verifier interface {
	VerifyBundleSignature(SignaturesConfig, *VerificationConfig) (map[string]FileInfo, error)
}

Verifier is the interface expected for implementations that verify bundle signatures.

func GetVerifier 

func GetVerifier(id string) (Verifier, error)

GetVerifier returns the Verifier registered under the given id

type WasmModuleFile 

type WasmModuleFile struct {
	URL         string
	Path        string
	Entrypoints []ast.Ref
	Raw         []byte
}

WasmModuleFile represents a single wasm module contained in a bundle.

type WasmResolver 

type WasmResolver struct {
	Entrypoint  string             `json:"entrypoint,omitempty"`
	Module      string             `json:"module,omitempty"`
	Annotations []*ast.Annotations `json:"annotations,omitempty"`
}

WasmResolver maps a wasm module to an entrypoint ref.

func ReadWasmMetadataFromStore 

func ReadWasmMetadataFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) ([]WasmResolver, error)

ReadWasmMetadataFromStore will read Wasm module resolver metadata from the store.

func (*WasmResolver) Equal 

func (wr *WasmResolver) Equal(other *WasmResolver) bool

type Writer 

type Writer struct {
	// contains filtered or unexported fields
}

Writer implements bundle serialization.

func NewWriter 

func NewWriter(w io.Writer) *Writer

NewWriter returns a bundle writer that writes to w.

func (*Writer) DisableFormat 

func (w *Writer) DisableFormat(yes bool) *Writer

DisableFormat configures the writer to just write out raw bytes instead of formatting modules before serialization.

func (*Writer) UseModulePath 

func (w *Writer) UseModulePath(yes bool) *Writer

UseModulePath configures the writer to use the module file path instead of the module file URL during serialization. This is for backwards compatibility.

func (*Writer) Write 

func (w *Writer) Write(bundle Bundle) error

Write writes the bundle to the writer's output stream.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.