common

Published: Dec 10, 2020 License: Apache-2.0 Imports: 14 Imported by: 1


Constants

// API version and kind strings for the custom resources this package works with.
// Every kind below is served under the same group/version,
// "apis.integrityverifier.io/v1alpha1"; the pairs are what callers compare an
// incoming object's apiVersion/kind against.
const (
	IVCustomResourceAPIVersion = "apis.integrityverifier.io/v1alpha1"
	IVCustomResourceKind       = "IntegrityVerifier"

	SignatureCustomResourceAPIVersion = "apis.integrityverifier.io/v1alpha1"
	SignatureCustomResourceKind       = "ResourceSignature"

	VerifierConfigCustomResourceAPIVersion = "apis.integrityverifier.io/v1alpha1"
	VerifierConfigCustomResourceKind       = "VerifierConfig"

	SignPolicyCustomResourceAPIVersion = "apis.integrityverifier.io/v1alpha1"
	SignPolicyCustomResourceKind       = "SignPolicy"

	ProfileCustomResourceAPIVersion = "apis.integrityverifier.io/v1alpha1"
	ProfileCustomResourceKind       = "ResourceSigningProfile"

	// NOTE(review): this kind string has a lower-case "m" ("HelmReleasemetadata"),
	// unlike the CamelCase kinds above. Kind comparison is case-sensitive, so it
	// must match the CRD exactly as registered — confirm against the CRD before
	// "fixing" the casing.
	HelmReleaseMetadataCustomResourceAPIVersion = "apis.integrityverifier.io/v1alpha1"
	HelmReleaseMetadataCustomResourceKind       = "HelmReleasemetadata"
)
// Label and annotation keys in Kubernetes object metadata, all under the
// project's own "integrityverifier.io/" prefix.
const (
	// Labels recording a verification outcome on a resource. The value of
	// ResourceIntegrityLabelKey is one of LabelValueVerified / LabelValueUnverified
	// (see ResourceLabel.IntegrityVerified); ReasonLabelKey presumably carries a
	// ReasonCode.Code value — confirm against the writer of these labels.
	ResourceIntegrityLabelKey = "integrityverifier.io/resourceIntegrity"
	ReasonLabelKey            = "integrityverifier.io/reason"

	// Annotation keys under which signature material travels on the resource
	// itself; they correspond one-to-one with the fields of SignatureAnnotation.
	// NOTE(review): these annotations arrive on the (unverified) request object,
	// so anything read from them is input to signature verification, never
	// evidence that verification succeeded.
	SignatureAnnotationKey     = "integrityverifier.io/signature"
	MessageAnnotationKey       = "integrityverifier.io/message"
	CertificateAnnotationKey   = "integrityverifier.io/certificate"
	SignatureTypeAnnotationKey = "integrityverifier.io/signatureType"
	MessageScopeAnnotationKey  = "integrityverifier.io/messageScope"
	MutableAttrsAnnotationKey  = "integrityverifier.io/mutableAttrs"

	// Labels on a ResourceSignature object; by their names they identify the
	// signed object's apiVersion and kind and the signing time — verify against
	// the code that sets them.
	ResSigLabelApiVer = "integrityverifier.io/sigobject-apiversion"
	ResSigLabelKind   = "integrityverifier.io/sigobject-kind"
	ResSigLabelTime   = "integrityverifier.io/sigtime"

	// Permitted values of the ResourceIntegrityLabelKey label.
	LabelValueVerified   = "verified"
	LabelValueUnverified = "unverified"
)
// Admission decision values. They are untyped string constants, so they are
// assignable to DecisionType (declared in this package as a string type)
// as well as to plain string.
const (
	DecisionUndetermined = "undetermined"
	DecisionAllow        = "allow"
	DecisionDeny         = "deny"
	DecisionError        = "error"
)
// Reason codes explaining an admission decision. They are untyped integer
// constants numbered by iota in declaration order (REASON_INTERNAL == 0) and
// are used as keys of ReasonCodeMap, which supplies the message and short code
// for each. The order is part of the numbering: inserting a constant in the
// middle renumbers every later one, so append new reasons at the end.
const (
	REASON_INTERNAL = iota // 0; each following constant is the previous value + 1
	REASON_VALIDATION_FAIL
	REASON_RULE_MATCH
	REASON_VALID_SIG
	REASON_VERIFIED_OWNER
	REASON_UPDATE_BY_SA
	REASON_VERIFIED_SA
	REASON_NO_MUTATION
	REASON_IV_ADMIN
	REASON_IGNORED_SA
	REASON_NOT_PROTECTED
	REASON_IGNORE_RULE_MATCHED
	REASON_BLOCK_IV_RESOURCE_OPERATION
	REASON_NOT_VERIFIED
	REASON_SKIP_DELETE
	REASON_ABORTED
	REASON_BREAK_GLASS
	REASON_DETECTION
	REASON_INVALID_SIG
	REASON_NO_SIG
	REASON_NO_POLICY
	REASON_UNEXPECTED
	REASON_ERROR
)

Variables

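// ReasonCodeMap maps each REASON_* constant to its human-readable Message and
// its short machine-readable Code. Indexing the map with a reason that has no
// entry yields the zero ReasonCode (empty Message and Code), so every REASON_*
// constant must have an entry here.
var ReasonCodeMap = map[int]ReasonCode{
	REASON_INTERNAL: {
		Message: "internal request",
		Code:    "internal",
	},
	REASON_VALIDATION_FAIL: {
		Message: "Validation failed; format is wrong",
		Code:    "validation-fail",
	},
	REASON_RULE_MATCH: {
		Message: "allowed by rule",
		Code:    "rule-match",
	},
	REASON_VALID_SIG: {
		Message: "allowed by valid signer's signature",
		Code:    "valid-sig",
	},
	REASON_VERIFIED_OWNER: {
		Message: "owned by verified owner",
		Code:    "verified-owner",
	},
	REASON_UPDATE_BY_SA: {
		Message: "updated by creator",
		Code:    "updated-by-sa",
	},
	REASON_VERIFIED_SA: {
		Message: "operated by verified sa",
		Code:    "verified-sa",
	},
	REASON_NO_MUTATION: {
		Message: "allowed because no mutation found",
		Code:    "no-mutation",
	},
	REASON_IV_ADMIN: {
		Message: "IV admin operation",
		Code:    "iv-admin",
	},
	REASON_IGNORED_SA: {
		Message: "ignored sa",
		Code:    "ignored-sa",
	},
	REASON_NOT_PROTECTED: {
		Message: "not protected",
		Code:    "unprotected",
	},
	REASON_IGNORE_RULE_MATCHED: {
		Message: "ignore rule matched",
		Code:    "ignore-rule-matched",
	},
	REASON_BLOCK_IV_RESOURCE_OPERATION: {
		// Spelling fixed ("oprations" / "resouce"); the Code string is unchanged.
		Message: "block operations for IV resource",
		Code:    "block-ivresource-operation",
	},
	REASON_NOT_VERIFIED: {
		// NOTE(review): this reason previously had no entry, so a lookup returned
		// an empty ReasonCode. The Message and Code below are constructed
		// placeholders — align them with the project's documented reason codes.
		Message: "not verified",
		Code:    "not-verified",
	},
	REASON_SKIP_DELETE: {
		Message: "skip delete request",
		Code:    "skip-delete",
	},
	REASON_ABORTED: {
		Message: "aborted",
		Code:    "aborted",
	},
	REASON_BREAK_GLASS: {
		Message: "allowed by breakglass mode",
		Code:    "breakglass",
	},
	REASON_DETECTION: {
		Message: "allowed by detection mode",
		Code:    "detection",
	},
	REASON_INVALID_SIG: {
		Message: "Failed to verify signature",
		Code:    "invalid-signature",
	},
	REASON_NO_SIG: {
		Message: "No signature found",
		Code:    "no-signature",
	},
	REASON_NO_POLICY: {
		Message: "No signer policies",
		Code:    "no-signer-policy",
	},
	REASON_UNEXPECTED: {
		Message: "unexpected",
		Code:    "unexpected",
	},
	REASON_ERROR: {
		Message: "error",
		Code:    "error",
	},
}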

Functions

func ExactMatch

func ExactMatch(pattern, value string) bool

func ExactMatchWithPatternArray

func ExactMatchWithPatternArray(value string, patternArray []string) bool

func GetUnionOfArrays

func GetUnionOfArrays(array1, array2 []string) []string

func MatchBigInt

func MatchBigInt(pattern string, value *big.Int) bool

func MatchPattern

func MatchPattern(pattern, value string) bool

func MatchPatternWithArray

func MatchPatternWithArray(pattern string, valueArray []string) bool

func MatchWithPatternArray

func MatchWithPatternArray(value string, patternArray []string) bool

func SplitRule

func SplitRule(rules string) []string

Types

type CheckError

// CheckError describes a failed check: a human-readable Msg, a Reason string and
// the underlying Error. MakeMessage (declared on *CheckError below) presumably
// renders it as a single string — its body is not shown here.
type CheckError struct {
	Msg    string `json:"msg"`
	Reason string `json:"reason"`
	// NOTE(review): encoding/json marshals an interface value by its dynamic type.
	// Errors from errors.New / fmt.Errorf have no exported fields, so this field
	// encodes as {} and the error text survives in JSON only through Msg.
	Error  error  `json:"error"`
}

func (*CheckError) MakeMessage

func (self *CheckError) MakeMessage() string

type DecisionType

// DecisionType is the string type of an admission decision. The untyped
// Decision* constants (DecisionUndetermined, DecisionAllow, DecisionDeny,
// DecisionError) are its intended values.
type DecisionType string

type MutationEvalResult

// MutationEvalResult is the outcome of checking a request for mutations.
// Checked reports whether the check ran at all; IsMutated is its verdict.
// Diff and Filtered are strings — presumably the detected difference and the
// difference left after filtering ignored attributes; confirm against the
// producer. Error is nil when the check succeeded.
type MutationEvalResult struct {
	IsMutated bool        `json:"isMutated"`
	Diff      string      `json:"diff"`
	Filtered  string      `json:"filtered"`
	Checked   bool        `json:"checked"`
	Error     *CheckError `json:"error"`
}

type NamespaceSelector

// NamespaceSelector selects namespaces by an optional label selector plus
// Include / Exclude name lists. Matching is done by the MatchNamespace and
// MatchNamespaceName methods (bodies not shown); the name lists are presumably
// patterns in the sense of MatchPattern — confirm. All fields are omitted from
// JSON when empty.
type NamespaceSelector struct {
	LabelSelector *metav1.LabelSelector `json:"labelSelector,omitempty"`
	Include       []string              `json:"include,omitempty"`
	Exclude       []string              `json:"exclude,omitempty"`
}

func (*NamespaceSelector) DeepCopy

func (s1 *NamespaceSelector) DeepCopy() *NamespaceSelector

func (*NamespaceSelector) DeepCopyInto

func (s1 *NamespaceSelector) DeepCopyInto(s2 *NamespaceSelector)

func (*NamespaceSelector) MatchNamespace

func (self *NamespaceSelector) MatchNamespace(namespace *v1.Namespace) bool

func (*NamespaceSelector) MatchNamespaceName

func (self *NamespaceSelector) MatchNamespaceName(nsName string) bool

func (*NamespaceSelector) Merge

type ObjectMetadata

// ObjectMetadata holds the annotations and labels of an object, wrapped in the
// package's ResourceAnnotation and ResourceLabel accessors. Either pointer may
// be nil; check before use.
type ObjectMetadata struct {
	Annotations *ResourceAnnotation `json:"annotations"`
	Labels      *ResourceLabel      `json:"labels"`
}

type ParsedRequest

// ParsedRequest pairs an admission request's UID with its JSON serialization.
// It is built by NewParsedRequest from a v1beta1.AdmissionRequest. The fields
// carry no json tags, so they marshal under their Go names.
type ParsedRequest struct {
	UID     string
	JsonStr string
}

func NewParsedRequest

func NewParsedRequest(request *v1beta1.AdmissionRequest) *ParsedRequest

type ReasonCode

// ReasonCode is the human-readable Message and short Code for one REASON_*
// value; ReasonCodeMap holds the table.
type ReasonCode struct {
	Message string `json:"message"`
	Code    string `json:"code"`
}

type ReqContext

// ReqContext is the package's view of one admission request, built by
// NewReqContext from a v1beta1.AdmissionRequest. It identifies the object
// (Namespace/Name, ApiGroup/ApiVersion/Kind), the Operation, the requesting
// user, and both the original (OrgMetadata) and claimed (ClaimedMetadata)
// metadata of the object. The Is* helpers and GroupVersion/ResourceRef/Map
// derive values from these fields.
//
// NOTE(review): RawObject and RawOldObject are excluded from JSON by the "-"
// tag, but RequestJsonStr is serialized under "request". If that string is the
// full admission request body it may include Secret data when Kind is Secret
// (see IsSecret) — confirm before logging or persisting a ReqContext as JSON.
type ReqContext struct {
	ResourceScope   string          `json:"resourceScope,omitempty"`
	DryRun          bool            `json:"dryRun"`
	RawObject       []byte          `json:"-"`
	RawOldObject    []byte          `json:"-"`
	RequestJsonStr  string          `json:"request"`
	RequestUid      string          `json:"requestUid"`
	Namespace       string          `json:"namespace"`
	Name            string          `json:"name"`
	ApiGroup        string          `json:"apiGroup"`
	ApiVersion      string          `json:"apiVersion"`
	Kind            string          `json:"kind"`
	Operation       string          `json:"operation"`
	OrgMetadata     *ObjectMetadata `json:"orgMetadata"`
	ClaimedMetadata *ObjectMetadata `json:"claimedMetadata"`
	UserInfo        string          `json:"userInfo"`
	ObjLabels       string          `json:"objLabels"`
	ObjMetaName     string          `json:"objMetaName"`
	UserName        string          `json:"userName"`
	UserGroups      []string        `json:"userGroups"`
	// The JSON key "Type" is capitalised, unlike every other key here; it is part
	// of the serialized format, so keep it as is.
	Type            string          `json:"Type"`
	ObjectHashType  string          `json:"objectHashType"`
	ObjectHash      string          `json:"objectHash"`
}

func NewReqContext

func NewReqContext(req *v1beta1.AdmissionRequest) *ReqContext

func (*ReqContext) GroupVersion

func (reqc *ReqContext) GroupVersion() string

func (*ReqContext) IsCreateRequest

func (rc *ReqContext) IsCreateRequest() bool

func (*ReqContext) IsDeleteRequest

func (rc *ReqContext) IsDeleteRequest() bool

func (*ReqContext) IsSecret

func (rc *ReqContext) IsSecret() bool

func (*ReqContext) IsServiceAccount

func (rc *ReqContext) IsServiceAccount() bool

func (*ReqContext) IsUpdateRequest

func (rc *ReqContext) IsUpdateRequest() bool

func (*ReqContext) Map

func (reqc *ReqContext) Map() map[string]string

func (*ReqContext) ResourceRef

func (reqc *ReqContext) ResourceRef() *ResourceRef

type ResourceAnnotation

// ResourceAnnotation wraps an object's annotations; its only exported behaviour
// is SignatureAnnotations, which extracts the integrityverifier.io/* signature
// annotations into a SignatureAnnotation. Its fields are unexported.
type ResourceAnnotation struct {
	// contains filtered or unexported fields
}

func (*ResourceAnnotation) SignatureAnnotations

func (self *ResourceAnnotation) SignatureAnnotations() *SignatureAnnotation

type ResourceLabel

// ResourceLabel wraps an object's labels (constructed by NewResourceLabel from
// a map[string]string). IntegrityVerified reports the verification label's
// state — presumably ResourceIntegrityLabelKey == LabelValueVerified; confirm
// against the method body. Its fields are unexported.
type ResourceLabel struct {
	// contains filtered or unexported fields
}

func NewResourceLabel

func NewResourceLabel(values map[string]string) *ResourceLabel

func (*ResourceLabel) IntegrityVerified

func (self *ResourceLabel) IntegrityVerified() bool

type ResourceRef

// ResourceRef identifies a Kubernetes object by name, namespace, kind and
// apiVersion. Equals compares all four fields; EqualsWithoutVersionCheck, by
// its name, ignores ApiVersion — both bodies are outside this listing.
type ResourceRef struct {
	Name       string `json:"name"`
	Namespace  string `json:"namespace"`
	Kind       string `json:"kind"`
	ApiVersion string `json:"apiVersion"`
}

func (*ResourceRef) Equals

func (self *ResourceRef) Equals(ref *ResourceRef) bool

func (*ResourceRef) EqualsWithoutVersionCheck

func (self *ResourceRef) EqualsWithoutVersionCheck(ref *ResourceRef) bool

type SignatureAnnotation

// SignatureAnnotation holds the values of the integrityverifier.io/* signature
// annotations read from an object; each field corresponds by name to one of the
// *AnnotationKey constants (SignatureTypeAnnotationKey, SignatureAnnotationKey,
// CertificateAnnotationKey, MessageAnnotationKey, MessageScopeAnnotationKey,
// MutableAttrsAnnotationKey). The values are taken from the request object and
// are unverified until signature verification has run.
type SignatureAnnotation struct {
	SignatureType string
	Signature     string
	Certificate   string
	Message       string
	MessageScope  string
	MutableAttrs  string
}

type SignatureEvalResult

// SignatureEvalResult is the outcome of signature verification. Checked reports
// whether verification ran; Allow is its verdict; Signer and SignerName describe
// the signer (GetSignerName resolves the name); MatchedPolicy names the policy
// that matched. Error is nil on success. Signer may be nil — check before use.
type SignatureEvalResult struct {
	Signer        *SignerInfo `json:"signer"`
	SignerName    string      `json:"signerName"`
	Checked       bool        `json:"checked"`
	Allow         bool        `json:"allow"`
	MatchedPolicy string      `json:"matchedPolicy"`
	Error         *CheckError `json:"error"`
}

func (*SignatureEvalResult) GetSignerName

func (self *SignatureEvalResult) GetSignerName() string

type SignerInfo

// SignerInfo describes the identity that produced a signature. The field names
// correspond to X.509 subject attributes (Country through SerialNumber) and to
// the parts of an OpenPGP user ID (Name, Comment, Email, Uid); which of them are
// populated presumably depends on the signature type — confirm against the
// code that fills it. SerialNumber is a pointer and is nil when unset, so
// nil-check before dereferencing (MatchBigInt takes a *big.Int).
type SignerInfo struct {
	Email              string
	Name               string
	Comment            string
	Uid                string
	Country            string
	Organization       string
	OrganizationalUnit string
	Locality           string
	Province           string
	StreetAddress      string
	PostalCode         string
	CommonName         string
	SerialNumber       *big.Int
}

func (*SignerInfo) GetName

func (self *SignerInfo) GetName() string
