common

package

v0.0.0-...-320551d Latest Latest Go to latest Published: Oct 1, 2020 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/IBM/integrity-enforcer

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func MatchBigInt(pattern string, value *big.Int) bool
func MatchPattern(pattern, value string) bool
func MatchPatternWithArray(pattern string, valueArray []string) bool
func MatchWithPatternArray(value string, patternArray []string) bool
func SplitRule(rules string) []string
type CheckError
- func (self *CheckError) MakeMessage() string
type IntegrityValue
type MutationEvalResult
type ObjectMetadata
type Owner
- func (self *Owner) IsIntegrityVerified() bool
type OwnerList
- func (self *OwnerList) OwnerRefs() []ResourceRef
- func (self *OwnerList) VerifiedOwners() []*Owner
type ParsedRequest
- func NewParsedRequest(request *v1beta1.AdmissionRequest) *ParsedRequest
type ReasonCode
type ReqContext
- func NewReqContext(req *v1beta1.AdmissionRequest) *ReqContext
- func (reqc *ReqContext) GroupVersion() string
- func (rc *ReqContext) IsAppEnforcePolicyRequest() bool
- func (rc *ReqContext) IsCreateRequest() bool
- func (rc *ReqContext) IsCreator() bool
- func (rc *ReqContext) IsDeleteRequest() bool
- func (rc *ReqContext) IsEnforcePolicyRequest() bool
- func (rc *ReqContext) IsIEDefaultPolicyRequest() bool
- func (rc *ReqContext) IsIEPolicyRequest() bool
- func (rc *ReqContext) IsResourceSignatureRequest() bool
- func (rc *ReqContext) IsSecret() bool
- func (rc *ReqContext) IsServiceAccount() bool
- func (rc *ReqContext) IsSignPolicyRequest() bool
- func (rc *ReqContext) IsUpdateRequest() bool
- func (reqc *ReqContext) Map() map[string]string
- func (reqc *ReqContext) OwnerRef() *ResourceRef
- func (reqc *ReqContext) ResourceRef() *ResourceRef
type ResolveOwnerResult
type ResourceAnnotation
- func NewResourceAnnotation(values map[string]string) *ResourceAnnotation
- func (self *ResourceAnnotation) CreatedBy() string
- func (self *ResourceAnnotation) IntegrityVerified() bool
- func (self *ResourceAnnotation) SignatureAnnotations() *SignatureAnnotation
type ResourceLabel
- func NewResourceLabel(values map[string]string) *ResourceLabel
- func (self *ResourceLabel) CreatedBy() string
- func (self *ResourceLabel) IntegrityVerified() bool
type ResourceRef
- func (self *ResourceRef) Equals(ref *ResourceRef) bool
type SignPolicyEvalResult
- func (self *SignPolicyEvalResult) GetSignerName() string
type SignatureAnnotation
type SignerInfo
- func NewSignerInfoFromCert(cert *x509.Certificate) *SignerInfo
- func NewSignerInfoFromPKIXName(dn pkix.Name) *SignerInfo
- func (self *SignerInfo) GetName() string

Constants ¶

View Source

const (
	SignatureCustomResourceAPIVersion = "research.ibm.com/v1alpha1"
	SignatureCustomResourceKind       = "ResourceSignature"
	PolicyCustomResourceAPIVersion    = "research.ibm.com/v1alpha1"
	PolicyCustomResourceKind          = "EnforcePolicy"

	IEPolicyCustomResourceAPIVersion      = "research.ibm.com/v1alpha1"
	IEPolicyCustomResourceKind            = "IntegrityEnforcerPolicy"
	DefaultPolicyCustomResourceAPIVersion = "research.ibm.com/v1alpha1"
	DefaultPolicyCustomResourceKind       = "IEDefaultPolicy"
	SignerPolicyCustomResourceAPIVersion  = "research.ibm.com/v1alpha1"
	SignerPolicyCustomResourceKind        = "SignPolicy"
	AppPolicyCustomResourceAPIVersion     = "research.ibm.com/v1alpha1"
	AppPolicyCustomResourceKind           = "AppEnforcePolicy"
)

View Source

const (
	ResourceIntegrityLabelKey = "integrity-enforcer.ibm.com/resourceIntegrity"
	ReasonLabelKey            = "integrity-enforcer.ibm.com/reason"

	LabelValueVerified   = "verified"
	LabelValueUnverified = "unverified"
)

View Source

const (
	REASON_INTERNAL = iota //
	REASON_RULE_MATCH
	REASON_VALID_SIG
	REASON_VERIFIED_OWNER
	REASON_UPDATE_BY_SA
	REASON_VERIFIED_SA
	REASON_NO_MUTATION
	REASON_IE_ADMIN
	REASON_IGNORED_SA
	REASON_NOT_PROTECTED
	REASON_BLOCK_DELETE
	REASON_NOT_ENFORCED
	REASON_SKIP_DELETE
	REASON_ABORTED
	REASON_BREAK_GLASS
	REASON_DETECTION
	REASON_INVALID_SIG
	REASON_NO_SIG
	REASON_NO_POLICY
	REASON_UNEXPECTED
	REASON_ERROR
)

View Source

const (
	HashTypeDefault      = "default"
	HashTypeHelmSecret   = "helmSecret"
	HashTypeHelmResource = "helmResource"
)

Variables ¶

View Source

var CommonMessageMask = []string{
	fmt.Sprintf("metadata.labels.\"%s\"", ResourceIntegrityLabelKey),
	fmt.Sprintf("metadata.labels.\"%s\"", ReasonLabelKey),
	"metadata.annotations.sigOwnerApiVersion",
	"metadata.annotations.sigOwnerKind",
	"metadata.annotations.sigOwnerName",
	"metadata.annotations.signOwnerRefType",
	"metadata.annotations.resourceSignatureName",
	"metadata.annotations.message",
	"metadata.annotations.signature",
	"metadata.annotations.certificate",
	"metadata.annotations.signPaths",
	"metadata.annotations.namespace",
	"metadata.annotations.kubectl.\"kubernetes.io/last-applied-configuration\"",
	"metadata.managedFields",
	"metadata.creationTimestamp",
	"metadata.generation",
	"metadata.annotations.deprecated.daemonset.template.generation",
	"metadata.namespace",
	"metadata.resourceVersion",
	"metadata.selfLink",
	"metadata.uid",
}

View Source

var ReasonCodeMap = map[int]ReasonCode{
	REASON_INTERNAL: {
		Message: "internal request",
		Code:    "internal",
	},
	REASON_RULE_MATCH: {
		Message: "allowed by rule",
		Code:    "rule-match",
	},
	REASON_VALID_SIG: {
		Message: "allowed by valid signer's signature",
		Code:    "valid-sig",
	},
	REASON_VERIFIED_OWNER: {
		Message: "owned by verified owner",
		Code:    "verified-owner",
	},
	REASON_UPDATE_BY_SA: {
		Message: "updated by creator",
		Code:    "updated-by-sa",
	},
	REASON_VERIFIED_SA: {
		Message: "operated by verified sa",
		Code:    "verified-sa",
	},
	REASON_NO_MUTATION: {
		Message: "allowed because no mutation found",
		Code:    "no-mutation",
	},
	REASON_IE_ADMIN: {
		Message: "IE admin operation",
		Code:    "ie-admin",
	},
	REASON_IGNORED_SA: {
		Message: "ignored sa",
		Code:    "ignored-sa",
	},
	REASON_NOT_PROTECTED: {
		Message: "not protected",
		Code:    "unprotected",
	},
	REASON_BLOCK_DELETE: {
		Message: "block delete IE resouce",
		Code:    "block-delete",
	},
	REASON_SKIP_DELETE: {
		Message: "skip delete request",
		Code:    "skip-delete",
	},
	REASON_ABORTED: {
		Message: "aborted",
		Code:    "aborted",
	},
	REASON_BREAK_GLASS: {
		Message: "allowed by breakglass mode",
		Code:    "breakglass",
	},
	REASON_DETECTION: {
		Message: "allowed by detection mode",
		Code:    "detection",
	},
	REASON_INVALID_SIG: {
		Message: "Failed to verify signature",
		Code:    "invalid-signature",
	},
	REASON_NO_SIG: {
		Message: "No signature found",
		Code:    "no-signature",
	},
	REASON_NO_POLICY: {
		Message: "No signer policies",
		Code:    "no-signer-policy",
	},
	REASON_UNEXPECTED: {
		Message: "unexpected",
		Code:    "unexpected",
	},
	REASON_ERROR: {
		Message: "error",
		Code:    "error",
	},
}

Functions ¶

func MatchBigInt ¶

func MatchBigInt(pattern string, value *big.Int) bool

func MatchPattern ¶

func MatchPattern(pattern, value string) bool

func MatchPatternWithArray ¶

func MatchPatternWithArray(pattern string, valueArray []string) bool

func MatchWithPatternArray ¶

func MatchWithPatternArray(value string, patternArray []string) bool

func SplitRule ¶

func SplitRule(rules string) []string

Types ¶

type CheckError ¶

type CheckError struct {
	Msg    string `json:"msg"`
	Reason string `json:"reason"`
	Error  error  `json:"error"`
}

func (*CheckError) MakeMessage ¶

func (self *CheckError) MakeMessage() string

type IntegrityValue ¶

type IntegrityValue struct {
	ServiceAccount string `json:"spec.maIntegrity.serviceAccount"`
	Signature      string `json:"spec.maIntegrity.signature"`
}

type MutationEvalResult ¶

type MutationEvalResult struct {
	IsMutated bool        `json:"isMutated"`
	Diff      string      `json:"diff"`
	Filtered  string      `json:"filtered"`
	Checked   bool        `json:"checked"`
	Error     *CheckError `json:"error"`
}

type ObjectMetadata ¶

type ObjectMetadata struct {
	K8sCreatedBy          string              `json:"k8sCreatedBy"`
	K8sServiceAccountName string              `json:"k8sServiceAccountName"`
	K8sServiceAccountUid  string              `json:"k8sServiceAccountUid"`
	OwnerRef              *ResourceRef        `json:"ownerRef"`
	Annotations           *ResourceAnnotation `json:"annotations"`
	Labels                *ResourceLabel      `json:"labels"`
}

type Owner ¶

type Owner struct {
	Ref        *ResourceRef
	OwnerRef   *ResourceRef
	Annotation *ResourceAnnotation
	Label      *ResourceLabel
}

func (*Owner) IsIntegrityVerified ¶

func (self *Owner) IsIntegrityVerified() bool

type OwnerList ¶

type OwnerList struct {
	Owners []*Owner
}

func (*OwnerList) OwnerRefs ¶

func (self *OwnerList) OwnerRefs() []ResourceRef

func (*OwnerList) VerifiedOwners ¶

func (self *OwnerList) VerifiedOwners() []*Owner

type ParsedRequest ¶

type ParsedRequest struct {
	UID     string
	JsonStr string
}

func NewParsedRequest ¶

func NewParsedRequest(request *v1beta1.AdmissionRequest) *ParsedRequest

type ReasonCode ¶

type ReasonCode struct {
	Message string `json:"message"`
	Code    string `json:"code"`
}

type ReqContext ¶

type ReqContext struct {
	ResourceScope   string          `json:"resourceScope,omitempty"`
	DryRun          bool            `json:"dryRun"`
	RawObject       []byte          `json:"-"`
	RawOldObject    []byte          `json:"-"`
	RequestJsonStr  string          `json:"request"`
	RequestUid      string          `json:"requestUid"`
	Namespace       string          `json:"namespace"`
	Name            string          `json:"name"`
	ApiGroup        string          `json:"apiGroup"`
	ApiVersion      string          `json:"apiVersion"`
	Kind            string          `json:"kind"`
	Operation       string          `json:"operation"`
	IntegrityValue  *IntegrityValue `json:"integrityValues"`
	OrgMetadata     *ObjectMetadata `json:"orgMetadata"`
	ClaimedMetadata *ObjectMetadata `json:"claimedMetadata"`
	UserInfo        string          `json:"userInfo"`
	ObjLabels       string          `json:"objLabels"`
	ObjMetaName     string          `json:"objMetaName"`
	UserName        string          `json:"userName"`
	UserGroups      []string        `json:"userGroups"`
	Type            string          `json:"Type"`
	ObjectHashType  string          `json:"objectHashType"`
	ObjectHash      string          `json:"objectHash"`
}

func NewReqContext ¶

func NewReqContext(req *v1beta1.AdmissionRequest) *ReqContext

func (*ReqContext) GroupVersion ¶

func (reqc *ReqContext) GroupVersion() string

func (*ReqContext) IsAppEnforcePolicyRequest ¶

func (rc *ReqContext) IsAppEnforcePolicyRequest() bool

func (*ReqContext) IsCreateRequest ¶

func (rc *ReqContext) IsCreateRequest() bool

func (*ReqContext) IsCreator ¶

func (rc *ReqContext) IsCreator() bool

func (*ReqContext) IsDeleteRequest ¶

func (rc *ReqContext) IsDeleteRequest() bool

func (*ReqContext) IsEnforcePolicyRequest ¶

func (rc *ReqContext) IsEnforcePolicyRequest() bool

func (*ReqContext) IsIEDefaultPolicyRequest ¶

func (rc *ReqContext) IsIEDefaultPolicyRequest() bool

func (*ReqContext) IsIEPolicyRequest ¶

func (rc *ReqContext) IsIEPolicyRequest() bool

func (*ReqContext) IsResourceSignatureRequest ¶

func (rc *ReqContext) IsResourceSignatureRequest() bool

func (*ReqContext) IsSecret ¶

func (rc *ReqContext) IsSecret() bool

func (*ReqContext) IsServiceAccount ¶

func (rc *ReqContext) IsServiceAccount() bool

func (*ReqContext) IsSignPolicyRequest ¶

func (rc *ReqContext) IsSignPolicyRequest() bool

func (*ReqContext) IsUpdateRequest ¶

func (rc *ReqContext) IsUpdateRequest() bool

func (*ReqContext) Map ¶

func (reqc *ReqContext) Map() map[string]string

func (*ReqContext) OwnerRef ¶

func (reqc *ReqContext) OwnerRef() *ResourceRef

func (*ReqContext) ResourceRef ¶

func (reqc *ReqContext) ResourceRef() *ResourceRef

type ResolveOwnerResult ¶

type ResolveOwnerResult struct {
	Owners   *OwnerList  `json:"owners"`
	Verified bool        `json:"verified"`
	Checked  bool        `json:"checked"`
	Error    *CheckError `json:"error"`
}

type ResourceAnnotation ¶

type ResourceAnnotation struct {
	// contains filtered or unexported fields
}

func NewResourceAnnotation ¶

func NewResourceAnnotation(values map[string]string) *ResourceAnnotation

func (*ResourceAnnotation) CreatedBy ¶

func (self *ResourceAnnotation) CreatedBy() string

func (*ResourceAnnotation) IntegrityVerified ¶

func (self *ResourceAnnotation) IntegrityVerified() bool

func (*ResourceAnnotation) SignatureAnnotations ¶

func (self *ResourceAnnotation) SignatureAnnotations() *SignatureAnnotation

type ResourceLabel ¶

type ResourceLabel struct {
	// contains filtered or unexported fields
}

func NewResourceLabel ¶

func NewResourceLabel(values map[string]string) *ResourceLabel

func (*ResourceLabel) CreatedBy ¶

func (self *ResourceLabel) CreatedBy() string

func (*ResourceLabel) IntegrityVerified ¶

func (self *ResourceLabel) IntegrityVerified() bool

type ResourceRef ¶

type ResourceRef struct {
	Name       string
	Namespace  string
	Kind       string
	ApiVersion string
}

func (*ResourceRef) Equals ¶

func (self *ResourceRef) Equals(ref *ResourceRef) bool

type SignPolicyEvalResult ¶

type SignPolicyEvalResult struct {
	Signer        *SignerInfo `json:"signer"`
	SignerName    string      `json:"signerName"`
	Checked       bool        `json:"checked"`
	Allow         bool        `json:"allow"`
	MatchedPolicy string      `json:"matchedPolicy"`
	Error         *CheckError `json:"error"`
}

func (*SignPolicyEvalResult) GetSignerName ¶

func (self *SignPolicyEvalResult) GetSignerName() string

type SignatureAnnotation ¶

type SignatureAnnotation struct {
	ResourceSignatureName string
	SignatureType         string
	Signature             string
	Certificate           string
	Message               string
	MessageScope          string
	MutableAttrs          string
}

type SignerInfo ¶

type SignerInfo struct {
	Email              string
	Name               string
	Comment            string
	Uid                string
	Country            string
	Organization       string
	OrganizationalUnit string
	Locality           string
	Province           string
	StreetAddress      string
	PostalCode         string
	CommonName         string
	SerialNumber       *big.Int
}

func NewSignerInfoFromCert ¶

func NewSignerInfoFromCert(cert *x509.Certificate) *SignerInfo

func NewSignerInfoFromPKIXName ¶

func NewSignerInfoFromPKIXName(dn pkix.Name) *SignerInfo

func (*SignerInfo) GetName ¶

func (self *SignerInfo) GetName() string

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL