policy

package

v0.6.8 Latest Latest Go to latest Published: Oct 23, 2024 License: Apache-2.0 Imports: 30 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/docker/attest

Links

Open Source Insights

README ¶

policy

This package is for attestation policy mapping and evaluation.

Documentation ¶

Index ¶

Constants
func CreateAttestationResolver(resolver oci.ImageDetailsResolver, policyMapping *mapping.PolicyMapping) (attestation.Resolver, error)
func CreateImageDetailsResolver(imageSource *oci.ImageSpec) (oci.ImageDetailsResolver, error)
func RegoFunctions(regoOpts *RegoFnOpts) []*tester.Builtin
func VerifySubject(ctx context.Context, subject []intoto.Subject, resolver attestation.Resolver) error
type Evaluator
- func GetMockPolicy() Evaluator
- func NewRegoEvaluator(debug bool, attestationVerifier attestation.Verifier) Evaluator
type File
type Input
type MockPolicyEvaluator
- func (pe *MockPolicyEvaluator) Evaluate(ctx context.Context, resolver attestation.Resolver, pctx *Policy, input *Input) (*Result, error)
type Options
type Parameters
type Policy
type RegoFnOpts
- func NewRegoFunctionOptions(resolver attestation.Resolver, verifier attestation.Verifier) *RegoFnOpts
type Resolver
- func NewResolver(tufClient tuf.Downloader, opts *Options) *Resolver
- func (r *Resolver) ResolvePolicy(_ context.Context, imageName string, platform *v1.Platform) (*Policy, error)
type Result
- func AllowedResult() *Result
type Summary
type Violation

Constants ¶

View Source

const (
	DefaultQuery = "result := data.attest.result"
)

Variables ¶

This section is empty.

Functions ¶

func CreateAttestationResolver ¶

func CreateAttestationResolver(resolver oci.ImageDetailsResolver, policyMapping *mapping.PolicyMapping) (attestation.Resolver, error)

func CreateImageDetailsResolver ¶

func CreateImageDetailsResolver(imageSource *oci.ImageSpec) (oci.ImageDetailsResolver, error)

func RegoFunctions ¶

func RegoFunctions(regoOpts *RegoFnOpts) []*tester.Builtin

func VerifySubject ¶

func VerifySubject(ctx context.Context, subject []intoto.Subject, resolver attestation.Resolver) error

VerifySubject verifies if any of the given subject PURLs matches the image name and platform from resolver. Tags are not taken into account when attempting to match because sometimes the user may not have specified a tag, and maybe there isn't a purl subject with that particular tag (because of post build tagging?).

Types ¶

type Evaluator ¶

type Evaluator interface {
	Evaluate(ctx context.Context, resolver attestation.Resolver, pctx *Policy, input *Input) (*Result, error)
}

func GetMockPolicy ¶

func GetMockPolicy() Evaluator

func NewRegoEvaluator ¶

func NewRegoEvaluator(debug bool, attestationVerifier attestation.Verifier) Evaluator

type File ¶

type File struct {
	Path    string
	Content []byte
}

type Input ¶

type Input struct {
	Digest         string     `json:"digest"`
	PURL           string     `json:"purl"`
	Tag            string     `json:"tag,omitempty"`
	Domain         string     `json:"domain"`
	NormalizedName string     `json:"normalized_name"`
	FamiliarName   string     `json:"familiar_name"`
	Platform       string     `json:"platform"`
	Parameters     Parameters `json:"parameters"`
}

type MockPolicyEvaluator ¶

type MockPolicyEvaluator struct {
	EvaluateFunc func(ctx context.Context, resolver attestation.Resolver, pctx *Policy, input *Input) (*Result, error)
}

func (*MockPolicyEvaluator) Evaluate ¶

func (pe *MockPolicyEvaluator) Evaluate(ctx context.Context, resolver attestation.Resolver, pctx *Policy, input *Input) (*Result, error)

type Options ¶

type Options struct {
	TUFClientOptions    *tuf.ClientOptions
	DisableTUF          bool
	LocalTargetsDir     string
	LocalPolicyDir      string
	PolicyID            string
	ReferrersRepo       string
	AttestationStyle    mapping.AttestationStyle
	Debug               bool
	AttestationVerifier attestation.Verifier
	// extra parameters to pass through to rego as policy inputs
	Parameters Parameters
}

type Parameters ¶ added in v0.6.6

type Parameters map[string]string

type Policy ¶

type Policy struct {
	InputFiles   []*File
	Query        string
	Mapping      *mapping.PolicyMapping
	ResolvedName string
	URI          string
	Digest       map[string]string
}

type RegoFnOpts ¶ added in v0.6.0

type RegoFnOpts struct {
	// contains filtered or unexported fields
}

func NewRegoFunctionOptions ¶ added in v0.6.0

func NewRegoFunctionOptions(resolver attestation.Resolver, verifier attestation.Verifier) *RegoFnOpts

this is exported for testing here and in clients of the library.

type Resolver ¶

type Resolver struct {
	// contains filtered or unexported fields
}

func NewResolver ¶

func NewResolver(tufClient tuf.Downloader, opts *Options) *Resolver

func (*Resolver) ResolvePolicy ¶

func (r *Resolver) ResolvePolicy(_ context.Context, imageName string, platform *v1.Platform) (*Policy, error)

type Result ¶

type Result struct {
	Success    bool        `json:"success"`
	Violations []Violation `json:"violations"`
	Summary    Summary     `json:"summary"`
}

func AllowedResult ¶

func AllowedResult() *Result

type Summary ¶

type Summary struct {
	Subjects   []intoto.Subject                 `json:"subjects"`
	Inputs     []attestation.ResourceDescriptor `json:"input_attestations"`
	SLSALevels []string                         `json:"slsa_levels"`
	Verifier   string                           `json:"verifier"`
	PolicyURI  string                           `json:"policy_uri"`
}

type Violation ¶

type Violation struct {
	Type        string            `json:"type"`
	Description string            `json:"description"`
	Attestation *intoto.Statement `json:"attestation"`
	Details     map[string]any    `json:"details"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL