policy

package
v0.1.9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 23, 2022 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	AllowAllConstraint = "*"
)
View Source 
const PolicyPredicate = "https://witness.testifysec.com/policy/v0.1"

Variables

This section is empty.

Functions

func EvaluateRegoPolicy 

func EvaluateRegoPolicy(attestor attestation.Attestor, policies []RegoPolicy) error

Types

type Attestation 

type Attestation struct {
	Type         string       `json:"type"`
	RegoPolicies []RegoPolicy `json:"regopolicies"`
}

type CertConstraint 

type CertConstraint struct {
	CommonName    string   `json:"commonname"`
	DNSNames      []string `json:"dnsnames"`
	Emails        []string `json:"emails"`
	Organizations []string `json:"organizations"`
	URIs          []string `json:"uris"`
	Roots         []string `json:"roots"`
}

func (CertConstraint) Check added in v0.1.2 

func (cc CertConstraint) Check(verifier *cryptoutil.X509Verifier, trustBundles map[string]TrustBundle) error

type ErrArtifactCycle 

type ErrArtifactCycle string

func (ErrArtifactCycle) Error 

func (e ErrArtifactCycle) Error() string

type ErrConstraintCheckFailed added in v0.1.2 

type ErrConstraintCheckFailed struct {
	// contains filtered or unexported fields
}

func (ErrConstraintCheckFailed) Error added in v0.1.2 

func (e ErrConstraintCheckFailed) Error() string

type ErrKeyIDMismatch 

type ErrKeyIDMismatch struct {
	Expected string
	Actual   string
}

func (ErrKeyIDMismatch) Error 

func (e ErrKeyIDMismatch) Error() string

type ErrMismatchArtifact 

type ErrMismatchArtifact struct {
	Artifact cryptoutil.DigestSet
	Material cryptoutil.DigestSet
	Path     string
}

func (ErrMismatchArtifact) Error 

func (e ErrMismatchArtifact) Error() string

type ErrMissingAttestation 

type ErrMissingAttestation struct {
	Step        string
	Attestation string
}

func (ErrMissingAttestation) Error 

func (e ErrMissingAttestation) Error() string

type ErrNoAttestations 

type ErrNoAttestations string

func (ErrNoAttestations) Error 

func (e ErrNoAttestations) Error() string

type ErrPolicyDenied 

type ErrPolicyDenied struct {
	Reasons []string
}

func (ErrPolicyDenied) Error 

func (e ErrPolicyDenied) Error() string

type ErrPolicyExpired 

type ErrPolicyExpired time.Time

func (ErrPolicyExpired) Error 

func (e ErrPolicyExpired) Error() string

type ErrRegoInvalidData 

type ErrRegoInvalidData struct {
	Path     string
	Expected string
	Actual   interface{}
}

func (ErrRegoInvalidData) Error 

func (e ErrRegoInvalidData) Error() string

type ErrUnknownStep 

type ErrUnknownStep string

func (ErrUnknownStep) Error 

func (e ErrUnknownStep) Error() string

type Functionary 

type Functionary struct {
	Type           string         `json:"type"`
	CertConstraint CertConstraint `json:"certConstraint,omitempty"`
	PublicKeyID    string         `json:"publickeyid,omitempty"`
}

type Policy 

type Policy struct {
	Expires    time.Time            `json:"expires"`
	Roots      map[string]Root      `json:"roots,omitempty"`
	PublicKeys map[string]PublicKey `json:"publickeys,omitempty"`
	Steps      map[string]Step      `json:"steps"`
}

func (Policy) PublicKeyVerifiers 

func (p Policy) PublicKeyVerifiers() (map[string]cryptoutil.Verifier, error)

PublicKeyVerifiers returns verifiers for each of the policy's embedded public keys grouped by the key's ID

func (Policy) TrustBundles 

func (p Policy) TrustBundles() (map[string]TrustBundle, error)

TrustBundles returns the policy's x509 roots and intermediates grouped by the root's ID

func (Policy) Verify 

func (p Policy) Verify(verifiedStatements []VerifiedStatement) error

Verify will evaluate a policy using verifiedStatements. All statement signatures must be verified prior to calling this function. policy.Verify does not verify signatures.

type PublicKey 

type PublicKey struct {
	KeyID string `json:"keyid"`
	Key   []byte `json:"key"`
}

type RegoPolicy 

type RegoPolicy struct {
	Module []byte `json:"module"`
	Name   string `json:"name"`
}

type RejectedCollection 

type RejectedCollection struct {
	Collection attestation.Collection
	Reason     error
}

type Root 

type Root struct {
	Certificate   []byte   `json:"certificate"`
	Intermediates [][]byte `json:"intermediates,omitempty"`
}

type Step 

type Step struct {
	Name          string        `json:"name"`
	Functionaries []Functionary `json:"functionaries"`
	Attestations  []Attestation `json:"attestations"`
	ArtifactsFrom []string      `json:"artifactsFrom,omitempty"`
}

type StepResult 

type StepResult struct {
	Step     string
	Passed   []attestation.Collection
	Rejected []RejectedCollection
}

StepResult contains information about the verified collections for each step. Passed contains the collections that passed any rego policies and all expected attestations exist. Rejected contains the rejected collections and the error that caused them to be rejected.

func (StepResult) Error 

func (r StepResult) Error() string

func (StepResult) HasErrors 

func (r StepResult) HasErrors() bool

func (StepResult) HasPassed 

func (r StepResult) HasPassed() bool

type TrustBundle 

type TrustBundle struct {
	Root          *x509.Certificate
	Intermediates []*x509.Certificate
}

type VerifiedStatement 

type VerifiedStatement struct {
	Verifiers []cryptoutil.Verifier
	Statement intoto.Statement
	Reference string
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.