Documentation ¶
Overview ¶
Copyright 2022-2023 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0
Copyright 2022-2023 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0
Copyright 2022-2023 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0
Copyright 2022-2023 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0
Copyright 2022-2023 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0
Copyright 2022-2023 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0
Copyright 2022-2023 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0
Copyright 2022-2023 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0
Index ¶
- Variables
- func GetSupportedAgentBackends() []string
- func IsValidAgentBackend(name string) bool
- type Agent
- func (o *Agent) Close()
- func (o *Agent) Evaluate(ctx context.Context, sessionContext map[string]interface{}, scheme string, ...) (*ear.Appraisal, error)
- func (o *Agent) GetBackend() IBackend
- func (o *Agent) GetBackendName() string
- func (o *Agent) Init(v *viper.Viper) error
- func (o *Agent) Validate(ctx context.Context, policyRules string) error
- type IAgent
- type IBackend
- type OPA
- type Policy
- type PolicyKey
- type Store
- func (o *Store) Activate(key PolicyKey, id uuid.UUID) error
- func (o *Store) Add(id PolicyKey, name, typ, rules string) (*Policy, error)
- func (o *Store) Close() error
- func (o *Store) DeactivateAll(key PolicyKey) error
- func (o *Store) Del(key PolicyKey) error
- func (o *Store) Get(key PolicyKey) ([]*Policy, error)
- func (o *Store) GetActive(key PolicyKey) (*Policy, error)
- func (o *Store) GetPolicy(key PolicyKey, id uuid.UUID) (*Policy, error)
- func (o *Store) GetPolicyKeys() ([]PolicyKey, error)
- func (o *Store) List() ([]*Policy, error)
- func (o *Store) ListAllVersions() ([]*Policy, error)
- func (o *Store) Setup() error
- func (o *Store) Update(key PolicyKey, name, typ, rules string) (*Policy, error)
Constants ¶
This section is empty.
Variables ¶
var DefaultBackend = "opa"
DefaultBackend is used when no backend is explicitly specified via the "policy.backend" configuration directive (see CreateAgent).
var ErrBadOPAResult = errors.New("bad result update from policy")
var ErrBadResult = "could not create updated AttestationResult: %w from JSON %s"
var ErrNoActivePolicy = errors.New("no active policy for key")
var ErrNoPolicy = errors.New("no policy found")
var ErrNoStatus = "backend returned outcome with no status field: %v"
var ErrNoTV = "backend returned no trust-vector field, or its not a map[string]interface{}: %v"
Functions ¶
func GetSupportedAgentBackends ¶
func GetSupportedAgentBackends() []string
GetSupportedAgentBackends returns a string slice containing the names of the supported backends.
func IsValidAgentBackend ¶
IsValidAgentBackend returns true iff the specified string names a supported backend.
Types ¶
type Agent ¶
// Agent evaluates and validates policies by delegating to a pluggable IBackend
// (see GetBackend, Evaluate and Validate).
type Agent struct {
	// Backend is the policy engine implementation used by Evaluate and
	// Validate; its behaviour is backend-specific.
	Backend IBackend
	// contains filtered or unexported fields
}
func (*Agent) Evaluate ¶
func (o *Agent) Evaluate( ctx context.Context, sessionContext map[string]interface{}, scheme string, policy *Policy, submod string, appraisal *ear.Appraisal, evidence *proto.EvidenceContext, endorsements []string, ) (*ear.Appraisal, error)
Evaluate the provided policy against the specified evidence and endorsements, and return an updated appraisal (ear.Appraisal). The policy may overwrite the appraisal status or any of the values in its trust vector. Because a policy can therefore override the verifier's own verdict, policy rules are security-critical input: they should only be sourced from the policy Store (e.g. the tenant's active version via Store.GetActive), never taken directly from an untrusted client.
func (*Agent) GetBackend ¶
func (*Agent) GetBackendName ¶
GetBackendName returns a string containing the name of the backend used by the agent.
func (*Agent) Validate ¶
Validate performs basic validation of the provided policy rules, returning an error if it fails. The nature of the validation performed is backend-specific, however it would typically amount to a syntax check. Successful validation does not guarantee that the policy will execute correctly against actual inputs, nor does it say anything about what the rules will do to an appraisal once evaluated (see Evaluate).
type IAgent ¶
// IAgent is the policy-agent interface; *Agent provides all of these methods.
type IAgent interface {
	// Init configures the agent from the supplied viper configuration.
	Init(v *viper.Viper) error
	// GetBackendName returns the name of the backend in use.
	GetBackendName() string
	// Evaluate applies policy to appraisal for the given scheme and submod,
	// taking the evidence and endorsements into account, and returns the
	// updated appraisal. The policy may override the appraisal's status and
	// trust vector, so the rules are security-critical input.
	Evaluate(ctx context.Context,
		appraisalContext map[string]interface{},
		scheme string,
		policy *Policy,
		submod string,
		appraisal *ear.Appraisal,
		evidence *proto.EvidenceContext,
		endorsements []string,
	) (*ear.Appraisal, error)
	// Validate checks policyRules; the check is backend-specific and
	// typically a syntax check only, so success does not guarantee the
	// policy runs correctly against real inputs.
	Validate(ctx context.Context, policyRules string) error
	// Close shuts the agent down (what is released is backend-specific).
	Close()
}
func CreateAgent ¶
CreateAgent creates a new Agent using the backend specified in the config with the "policy.backend" directive. If this directive is absent, the default backend, "opa" (DefaultBackend), will be used.
type IBackend ¶
// IBackend is the policy-engine abstraction an Agent delegates to. The OPA
// type and DefaultBackend = "opa" suggest OPA is the default implementation.
type IBackend interface {
	// Init configures the backend from the supplied viper configuration.
	Init(v *viper.Viper) error
	// GetName returns the backend's name.
	GetName() string
	// Evaluate runs the policy rules (a string in the backend's own policy
	// language) against result, evidence and endorsements and returns the
	// updated result. NOTE(review): result and evidence are untyped maps at
	// this layer; presumably the Agent converts them to/from ear.Appraisal
	// (cf. ErrBadResult) — confirm against the Agent implementation.
	Evaluate(
		ctx context.Context,
		sessionContext map[string]interface{},
		scheme string,
		policy string,
		result map[string]interface{},
		evidence map[string]interface{},
		endorsements []string,
	) (map[string]interface{}, error)
	// Validate checks the policy rules; backend-specific, typically a
	// syntax check only.
	Validate(ctx context.Context, policy string) error
	// Close shuts the backend down.
	Close()
}
type Policy ¶
type Policy struct {
	// StoreKey is the identifier of this policy, unique to the store.
	// It is not serialised to JSON.
	StoreKey PolicyKey `json:"-"`
	// UUID is the unique identifier associated with this specific instance
	// (version) of a policy.
	UUID uuid.UUID `json:"uuid"`
	// CTime is the creation time of this policy.
	CTime time.Time `json:"ctime"`
	// Name is the name of this policy. It's a short descriptor for the
	// rules in this policy.
	Name string `json:"name"`
	// Type identifies the policy engine used to evaluate the policy, and
	// therefore dictates how the Rules should be interpreted.
	Type string `json:"type"`
	// Rules of the policy to be interpreted and executed by the policy
	// agent. Because a policy may override the appraisal status and trust
	// vector (see Agent.Evaluate), these rules are security-critical input.
	Rules string `json:"rules"`
	// Active indicates whether this policy instance is currently active
	// for the associated key.
	Active bool `json:"active"`
}
Policy allows enforcing additional constraints on top of the regular attestation schemes. Note that since a policy may overwrite the appraisal status and trust vector (see Agent.Evaluate), it can also relax, not only tighten, the outcome of a scheme.
type PolicyKey ¶
type PolicyKey struct {
	// TenantId is the ID of the tenant that owns this policy. Policies are
	// scoped per tenant; NOTE(review): callers are expected to derive this
	// from the authenticated tenant rather than from untrusted request
	// input — confirm at the call sites.
	TenantId string `json:"tenant_id"`
	// Scheme is the name of the scheme with which this policy is associated
	Scheme string `json:"scheme"`
	// Name is the name of this policy
	Name string `json:"name"`
}
PolicyKey identifies a specific logical policy (all of its versions) by tenant, scheme and name. It is used to retrieve the policy from the store.
func PolicyKeyFromString ¶
PolicyKeyFromString parses the specified string containing a policy store key into a PolicyKey.
type Store ¶
// Store persists versioned policies in a key/value store, keyed by PolicyKey
// (see Get, GetActive and ListAllVersions).
type Store struct {
	// KVStore is the backing key/value store.
	KVStore kvstore.IKVStore
	// Logger is used for diagnostic logging.
	Logger *zap.SugaredLogger
}
func NewStore ¶
NewStore returns a new policy store. Config options are the same as those used for kvstore.New().
func (*Store) Activate ¶
Activate marks the policy version with the specified UUID as the active version for the specified key.
func (*Store) Add ¶
Add a policy with the specified ID and rules. If a policy with that ID already exists, an error is returned.
func (*Store) DeactivateAll ¶
DeactivateAll deactivates all policies associated with the key.
func (*Store) Get ¶
Get returns the slice of all Policies associated with the specified key. Each Policy represents a different version of the same logical policy.
func (*Store) GetActive ¶
GetActive returns the currently active version of the policy with the specified key, or an error if no such policy exists or no version of it is active (cf. ErrNoPolicy and ErrNoActivePolicy under Variables).
func (*Store) GetPolicy ¶
GetPolicy returns the policy with the specified UUID under the specified key.
func (*Store) GetPolicyKeys ¶
GetPolicyKeys returns a []PolicyKey of the policies currently in the store.
func (*Store) List ¶
List returns []Policy containing the latest versions of all policies. All policies returned will have distinct keys. In cases where multiple versions exist for one key in the store, only the latest version will be returned. Note that the latest version is not necessarily the active one (see Activate and GetActive).
func (*Store) ListAllVersions ¶
ListAllVersions returns a []Policy containing every policy entry in the underlying store, including multiple versions associated with a single policy ID.