policy

Published: Feb 25, 2022 License: Apache-2.0 Imports: 14 Imported by: 0

Constants

const (
	// AllowAllConstraint is the wildcard value for a CertConstraint field.
	// NOTE(review): its name indicates it matches any value; whether an
	// empty field behaves the same way is decided by CertConstraint.Check,
	// not visible here — confirm before relying on either form in a policy.
	AllowAllConstraint = "*"
)
// PolicyPredicate is the versioned type URI that identifies a witness policy
// document (presumably used as the in-toto predicateType when a Policy is
// wrapped in a Statement — confirm against the caller).
const PolicyPredicate = "https://witness.testifysec.com/policy/v0.1"

Variables

This section is empty.

Functions

func EvaluateRegoPolicy

func EvaluateRegoPolicy(attestor attestation.Attestor, policies []RegoPolicy) error

Types

type Attestation

// Attestation names one attestation type that a Step requires from its
// functionaries, plus the rego policies that are evaluated against it
// (see EvaluateRegoPolicy and Step.Attestations).
type Attestation struct {
	// Type is the attestation type identifier the step expects to find.
	Type         string       `json:"type"`
	// RegoPolicies are evaluated against the matching attestation; an
	// empty list presumably means only presence of the attestation is
	// required — confirm in Policy.Verify.
	RegoPolicies []RegoPolicy `json:"regopolicies"`
}

type CertConstraint

// CertConstraint restricts which x509 certificates may act as a Functionary.
// Each field is matched against the corresponding attribute of the signer's
// certificate by Check; AllowAllConstraint ("*") is the wildcard value.
//
// NOTE(review): a constraint is only as strong as the Roots it pins. A policy
// author should make sure Roots names at least one trusted root ID and that
// the identity fields (DNSNames, Emails, URIs) are not left as wildcards for
// production functionaries.
type CertConstraint struct {
	// CommonName the certificate subject must carry.
	CommonName    string   `json:"commonname"`
	// DNSNames the certificate SAN must contain.
	DNSNames      []string `json:"dnsnames"`
	// Emails the certificate SAN must contain.
	Emails        []string `json:"emails"`
	// Organizations the certificate subject must carry.
	Organizations []string `json:"organizations"`
	// URIs the certificate SAN must contain.
	URIs          []string `json:"uris"`
	// Roots are IDs into the policy's Roots / TrustBundles map; the
	// certificate must chain to one of them.
	Roots         []string `json:"roots"`
}

func (CertConstraint) Check added in v0.1.2

func (cc CertConstraint) Check(verifier *cryptoutil.X509Verifier, trustBundles map[string]TrustBundle) error

type ErrArtifactCycle

// ErrArtifactCycle is returned when following Step.ArtifactsFrom references
// loops back on itself; the string value presumably names the offending step.
type ErrArtifactCycle string

func (ErrArtifactCycle) Error

func (e ErrArtifactCycle) Error() string

type ErrConstraintCheckFailed added in v0.1.2

// ErrConstraintCheckFailed is returned by CertConstraint.Check when the
// signer's certificate does not satisfy the constraint. Its detail fields
// are unexported; inspect it via Error() or errors.As.
type ErrConstraintCheckFailed struct {
	// contains filtered or unexported fields
}

func (ErrConstraintCheckFailed) Error added in v0.1.2

func (e ErrConstraintCheckFailed) Error() string

type ErrKeyIDMismatch

// ErrKeyIDMismatch reports that a key's declared ID did not match the ID
// computed from the key material (presumably raised while building
// PublicKeyVerifiers — confirm). This is a policy integrity error and should
// not be ignored: a mismatched ID means a functionary reference could bind
// to the wrong key.
type ErrKeyIDMismatch struct {
	// Expected is the key ID the policy declared.
	Expected string
	// Actual is the key ID that was found.
	Actual   string
}

func (ErrKeyIDMismatch) Error

func (e ErrKeyIDMismatch) Error() string

type ErrMismatchArtifact

// ErrMismatchArtifact reports that a material consumed by one step does not
// match the artifact produced by the step it claims to come from
// (see Step.ArtifactsFrom).
type ErrMismatchArtifact struct {
	// Artifact is the digest set recorded by the producing step.
	Artifact cryptoutil.DigestSet
	// Material is the digest set recorded by the consuming step.
	Material cryptoutil.DigestSet
	// Path identifies the file whose digests disagree.
	Path     string
}

func (ErrMismatchArtifact) Error

func (e ErrMismatchArtifact) Error() string

type ErrMissingAttestation

// ErrMissingAttestation reports that a step's collection lacked an
// attestation type the policy requires.
type ErrMissingAttestation struct {
	// Step is the name of the step being evaluated.
	Step        string
	// Attestation is the required attestation type that was absent.
	Attestation string
}

func (ErrMissingAttestation) Error

func (e ErrMissingAttestation) Error() string

type ErrNoAttestations

// ErrNoAttestations is returned when no verified statement at all was found
// for a step; the string value presumably names that step.
type ErrNoAttestations string

func (ErrNoAttestations) Error

func (e ErrNoAttestations) Error() string

type ErrPolicyDenied

// ErrPolicyDenied is returned when a rego policy denies a collection.
type ErrPolicyDenied struct {
	// Reasons carries the denial messages produced by the rego module(s).
	Reasons []string
}

func (ErrPolicyDenied) Error

func (e ErrPolicyDenied) Error() string

type ErrPolicyExpired

// ErrPolicyExpired is returned when Policy.Expires is in the past; the value
// is the expiry time that was exceeded. Expiry bounds how long a leaked or
// superseded policy can be replayed, so callers must treat it as a hard
// failure.
type ErrPolicyExpired time.Time

func (ErrPolicyExpired) Error

func (e ErrPolicyExpired) Error() string

type ErrRegoInvalidData

// ErrRegoInvalidData reports that a rego module produced a result whose
// shape or type did not match what the evaluator expects.
type ErrRegoInvalidData struct {
	// Path locates the unexpected value within the rego result.
	Path     string
	// Expected describes the type that was required.
	Expected string
	// Actual is the value that was found.
	Actual   interface{}
}

func (ErrRegoInvalidData) Error

func (e ErrRegoInvalidData) Error() string

type ErrUnknownStep

// ErrUnknownStep is returned when a step name is referenced (for example in
// Step.ArtifactsFrom) but is not present in Policy.Steps.
type ErrUnknownStep string

func (ErrUnknownStep) Error

func (e ErrUnknownStep) Error() string

type Functionary

// Functionary is an identity permitted to sign a Step's attestations. It is
// identified either by a reference into Policy.PublicKeys or by an x509
// CertConstraint; Type presumably selects which — confirm in Policy.Verify.
type Functionary struct {
	// Type names the kind of functionary (key- or certificate-based).
	Type           string         `json:"type"`
	// CertConstraint restricts the signer's certificate when Type is
	// certificate-based.
	CertConstraint CertConstraint `json:"certConstraint,omitempty"`
	// PublicKeyID references a key in Policy.PublicKeys when Type is
	// key-based.
	PublicKeyID    string         `json:"publickeyid,omitempty"`
}

type Policy

// Policy is a witness verification policy: the trust anchors a verifier
// accepts and the steps (with their functionaries and required attestations)
// that a set of verified statements must satisfy.
//
// A Policy is itself security-critical configuration and should only be
// loaded from a source whose signature has been verified; nothing in this
// package authenticates the policy document.
type Policy struct {
	// Expires is the time after which Verify rejects the policy
	// (see ErrPolicyExpired).
	Expires    time.Time            `json:"expires"`
	// Roots holds trusted x509 roots keyed by root ID; CertConstraint.Roots
	// refers to these keys.
	Roots      map[string]Root      `json:"roots,omitempty"`
	// PublicKeys holds trusted raw public keys keyed by key ID;
	// Functionary.PublicKeyID refers to these keys.
	PublicKeys map[string]PublicKey `json:"publickeys,omitempty"`
	// Steps are the supply-chain steps to evaluate, keyed by step name.
	Steps      map[string]Step      `json:"steps"`
}

func (Policy) PublicKeyVerifiers

func (p Policy) PublicKeyVerifiers() (map[string]cryptoutil.Verifier, error)

PublicKeyVerifiers returns a cryptoutil.Verifier for each of the policy's embedded public keys, keyed by the key's ID. Errors from this function (for example a key ID that does not match the key material) indicate a malformed policy and must not be ignored.

func (Policy) TrustBundles

func (p Policy) TrustBundles() (map[string]TrustBundle, error)

TrustBundles returns the policy's x509 roots and their intermediates parsed into TrustBundle values, keyed by the root's ID.

func (Policy) Verify

func (p Policy) Verify(verifiedStatements []VerifiedStatement) error

Verify evaluates the policy against verifiedStatements. It performs no signature verification itself: every statement's signature must already have been verified by the caller, and the Verifiers attached to each VerifiedStatement are trusted as the identities that signed it. Passing an unverified statement, or attaching a Verifier that did not actually validate the signature, would let an unauthenticated attestation satisfy the policy.

type PublicKey

// PublicKey is a raw public key embedded in a Policy.
type PublicKey struct {
	// KeyID is the identifier functionaries use to reference this key; it
	// is checked against the key material (see ErrKeyIDMismatch).
	KeyID string `json:"keyid"`
	// Key is the encoded public key; the exact encoding is determined by
	// cryptoutil and is not visible here.
	Key   []byte `json:"key"`
}

type RegoPolicy

// RegoPolicy is a named Rego module evaluated against an attestation by
// EvaluateRegoPolicy. Because the module is executable policy logic, it must
// come only from a trusted (signed) Policy document.
type RegoPolicy struct {
	// Module is the Rego module source.
	Module []byte `json:"module"`
	// Name identifies the policy in errors and results.
	Name   string `json:"name"`
}

type RejectedCollection

// RejectedCollection pairs a collection that failed a step's checks with the
// error that caused the rejection.
type RejectedCollection struct {
	// Collection is the rejected attestation collection.
	Collection attestation.Collection
	// Reason is the error produced while evaluating it.
	Reason     error
}

type Root

// Root is an x509 trust anchor embedded in a Policy, with any intermediates
// needed to build chains to it. TrustBundles parses these into certificates.
type Root struct {
	// Certificate is the encoded root certificate.
	Certificate   []byte   `json:"certificate"`
	// Intermediates are encoded intermediate certificates chaining to the
	// root.
	Intermediates [][]byte `json:"intermediates,omitempty"`
}

type Step

// Step describes one supply-chain step: who may attest to it, which
// attestations must be present, and which earlier steps its materials must
// come from.
type Step struct {
	// Name of the step; presumably also its key in Policy.Steps.
	Name          string        `json:"name"`
	// Functionaries are the identities allowed to sign this step's
	// attestations.
	Functionaries []Functionary `json:"functionaries"`
	// Attestations are the attestation types (and rego policies) required.
	Attestations  []Attestation `json:"attestations"`
	// ArtifactsFrom names steps whose produced artifacts must match this
	// step's materials (see ErrMismatchArtifact, ErrArtifactCycle,
	// ErrUnknownStep).
	ArtifactsFrom []string      `json:"artifactsFrom,omitempty"`
}

type StepResult

// StepResult records the outcome of evaluating one step's collections.
type StepResult struct {
	// Step is the step name.
	Step     string
	// Passed are the collections that had every expected attestation and
	// satisfied all rego policies.
	Passed   []attestation.Collection
	// Rejected are the collections that failed, with the reason for each.
	Rejected []RejectedCollection
}

StepResult contains the outcome of evaluating the collections for one step. Passed contains the collections for which every expected attestation was present and all rego policies passed. Rejected contains the collections that failed, each paired with the error that caused the rejection.

func (StepResult) Error

func (r StepResult) Error() string

func (StepResult) HasErrors

func (r StepResult) HasErrors() bool

func (StepResult) HasPassed

func (r StepResult) HasPassed() bool

type TrustBundle

// TrustBundle is a parsed Root: the root certificate and its intermediates,
// as consumed by CertConstraint.Check.
type TrustBundle struct {
	// Root is the trust anchor.
	Root          *x509.Certificate
	// Intermediates are the certificates that may chain a leaf to Root.
	Intermediates []*x509.Certificate
}

type VerifiedStatement

// VerifiedStatement is an in-toto statement whose signature(s) the caller has
// already verified, together with the verifiers that validated it.
//
// Policy.Verify does no signature checking of its own; it treats Verifiers
// as the authenticated signers of Statement. The caller must therefore only
// populate Verifiers with verifiers that actually validated a signature on
// this statement.
type VerifiedStatement struct {
	// Verifiers are the keys/certificates that validated the statement's
	// signature(s).
	Verifiers []cryptoutil.Verifier
	// Statement is the verified in-toto statement.
	Statement intoto.Statement
}
