services

package
v0.4.5-alpha Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 29, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package services contains domain services for the Reglet domain model. These are stateless services that encapsulate business logic.

Package services contains domain services that encapsulate business logic spanning multiple entities.

Package services contains domain services for the Reglet domain model.

Package services contains domain services that encapsulate business logic spanning multiple entities. These services are stateless and can be called from engine, executor, or future workers.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CopyConfig 

func CopyConfig(src map[string]interface{}) map[string]interface{}

CopyConfig creates a shallow copy of a config map. Note: Values are interface{} and cannot be deep copied generically.

func CopyControls 

func CopyControls(src []entities.Control) []entities.Control

CopyControls creates a deep copy of a controls slice.

func CopyDefaults 

func CopyDefaults(src *entities.ControlDefaults) *entities.ControlDefaults

CopyDefaults creates a deep copy of control defaults.

func CopyLoopConfig 

func CopyLoopConfig(src *entities.LoopConfig) *entities.LoopConfig

CopyLoopConfig creates a deep copy of a loop configuration.

func CopyObservations 

func CopyObservations(src []entities.ObservationDefinition) []entities.ObservationDefinition

CopyObservations creates a deep copy of observation definitions.

func CopyStringSlice 

func CopyStringSlice(src []string) []string

CopyStringSlice creates a deep copy of a string slice.

func CopyVars 

func CopyVars(src map[string]interface{}) map[string]interface{}

CopyVars creates a shallow copy of a vars map. Note: Values are interface{} and cannot be deep copied generically. For most use cases (strings, numbers, bools), this is sufficient.

func DeepCopyProfile 

func DeepCopyProfile(original *entities.Profile) *entities.Profile

DeepCopyProfile creates a complete deep copy of a profile. This ensures the original profile remains unchanged during compilation or merging.

Types

type AndSpecification 

type AndSpecification struct {
	// contains filtered or unexported fields
}

AndSpecification combines multiple specifications with logical AND.

func NewAndSpecification 

func NewAndSpecification(specs ...ControlSpecification) *AndSpecification

NewAndSpecification creates a new AndSpecification.

func (*AndSpecification) IsSatisfiedBy 

func (s *AndSpecification) IsSatisfiedBy(ctrl entities.Control) (bool, string)

IsSatisfiedBy checks if all specifications are satisfied.

type BaseResolver 

type BaseResolver struct {
	// contains filtered or unexported fields
}

BaseResolver provides common chain-of-responsibility logic.

func (*BaseResolver) ResolveNext 

func (b *BaseResolver) ResolveNext(ctx context.Context, ref values.PluginReference) (*entities.Plugin, error)

ResolveNext delegates to next resolver in chain.

func (*BaseResolver) SetNext 

func (b *BaseResolver) SetNext(next PluginResolutionStrategy)

SetNext sets the next resolver in chain.

type CapabilityAnalyzer 

type CapabilityAnalyzer struct {
	// contains filtered or unexported fields
}

CapabilityAnalyzer extracts specific capability requirements from profiles. This is a pure domain service with no infrastructure dependencies.

func NewCapabilityAnalyzer 

func NewCapabilityAnalyzer(registry *capabilities.Registry) *CapabilityAnalyzer

NewCapabilityAnalyzer creates a new capability analyzer.

func (*CapabilityAnalyzer) ExtractCapabilities 

func (a *CapabilityAnalyzer) ExtractCapabilities(profile entities.ProfileReader) map[string]*sdkEntities.GrantSet

ExtractCapabilities analyzes profile observations to extract specific capability requirements. This enables principle of least privilege by requesting only the resources actually used, rather than the plugin's full declared capabilities.

Returns a map of plugin name to required GrantSet.

func (*CapabilityAnalyzer) ExtractCapabilitiesWithVars 

func (a *CapabilityAnalyzer) ExtractCapabilitiesWithVars(profile entities.ProfileReader, vars map[string]interface{}) map[string]*sdkEntities.GrantSet

ExtractCapabilitiesWithVars analyzes profile observations to extract specific capability requirements, expanding loop observations using the provided vars to extract specific paths.

This is the security-first implementation that ensures loop observations request only the specific resources they will access, rather than falling back to broad wildcards.

type ControlEnv 

type ControlEnv struct {
	ID       string   `expr:"id"`
	Name     string   `expr:"name"`
	Severity string   `expr:"severity"`
	Owner    string   `expr:"owner"`
	Tags     []string `expr:"tags"`
}

ControlEnv defines the variables available during filter expression evaluation.

type ControlFilter 

type ControlFilter struct {
	// contains filtered or unexported fields
}

ControlFilter implements policy selection logic based on tags, severity, and IDs.

func NewControlFilter 

func NewControlFilter() *ControlFilter

NewControlFilter initializes a new empty filter.

func (*ControlFilter) ShouldRun 

func (f *ControlFilter) ShouldRun(ctrl entities.Control) (bool, string)

ShouldRun evaluates whether a control matches the filter criteria. It returns true if the control should execute, along with a reason if skipped.

func (*ControlFilter) WithExcludedControls 

func (f *ControlFilter) WithExcludedControls(controlIDs []string) *ControlFilter

WithExcludedControls excludes specific control IDs.

func (*ControlFilter) WithExcludedTags 

func (f *ControlFilter) WithExcludedTags(tags []string) *ControlFilter

WithExcludedTags excludes controls with any of these tags.

func (*ControlFilter) WithExclusiveControls 

func (f *ControlFilter) WithExclusiveControls(controlIDs []string) *ControlFilter

WithExclusiveControls restricts execution to ONLY the specified control IDs. If set, all other filters are ignored.

func (*ControlFilter) WithFilterExpression 

func (f *ControlFilter) WithFilterExpression(program *vm.Program) *ControlFilter

WithFilterExpression applies a compiled Expr program for advanced filtering.

func (*ControlFilter) WithIncludedSeverities 

func (f *ControlFilter) WithIncludedSeverities(severities []string) *ControlFilter

WithIncludedSeverities includes only controls with these severities.

func (*ControlFilter) WithIncludedTags 

func (f *ControlFilter) WithIncludedTags(tags []string) *ControlFilter

WithIncludedTags includes only controls with any of these tags.

type ControlLevel 

type ControlLevel struct {
	Controls []entities.Control
	Level    int
}

ControlLevel represents controls at a specific dependency level

type ControlSpecification 

type ControlSpecification interface {
	// IsSatisfiedBy checks if the control meets the specification.
	// Returns true if satisfied, along with a reason if not (or empty if satisfied).
	IsSatisfiedBy(ctrl entities.Control) (bool, string)
}

ControlSpecification defines a condition that a control must meet.

type DependencyResolver 

type DependencyResolver struct{}

DependencyResolver handles control dependency graph operations

func NewDependencyResolver 

func NewDependencyResolver() *DependencyResolver

NewDependencyResolver creates a new dependency resolver service

func (*DependencyResolver) BuildControlDAG 

func (r *DependencyResolver) BuildControlDAG(controls []entities.Control) ([]ControlLevel, error)

BuildControlDAG builds a dependency graph using Kahn's algorithm. Returns controls grouped by level for parallel execution within levels.

Algorithm: Standard topological sort (Kahn's algorithm).

func (*DependencyResolver) ResolveDependencies 

func (r *DependencyResolver) ResolveDependencies(controls []entities.Control) (map[string]map[string]bool, error)

ResolveDependencies calculates transitive dependencies for each control. Returns map of controlID → set of all dependencies (direct + transitive).

Used by --include-dependencies flag to include all controls in dependency chain.

type ExcludedControlsSpecification 

type ExcludedControlsSpecification struct {
	// contains filtered or unexported fields
}

ExcludedControlsSpecification excludes specified control IDs.

func NewExcludedControlsSpecification 

func NewExcludedControlsSpecification(ids map[string]bool) *ExcludedControlsSpecification

NewExcludedControlsSpecification creates a new ExcludedControlsSpecification.

func (*ExcludedControlsSpecification) IsSatisfiedBy 

func (s *ExcludedControlsSpecification) IsSatisfiedBy(ctrl entities.Control) (bool, string)

IsSatisfiedBy checks if the control ID is NOT in the excluded list.

type ExcludedTagsSpecification 

type ExcludedTagsSpecification struct {
	// contains filtered or unexported fields
}

ExcludedTagsSpecification excludes controls with any of the specified tags.

func NewExcludedTagsSpecification 

func NewExcludedTagsSpecification(tags map[string]bool) *ExcludedTagsSpecification

NewExcludedTagsSpecification creates a new ExcludedTagsSpecification.

func (*ExcludedTagsSpecification) IsSatisfiedBy 

func (s *ExcludedTagsSpecification) IsSatisfiedBy(ctrl entities.Control) (bool, string)

IsSatisfiedBy checks if the control has NONE of the excluded tags.

type ExclusiveControlsSpecification 

type ExclusiveControlsSpecification struct {
	// contains filtered or unexported fields
}

ExclusiveControlsSpecification includes only specified control IDs.

func NewExclusiveControlsSpecification 

func NewExclusiveControlsSpecification(ids map[string]bool) *ExclusiveControlsSpecification

NewExclusiveControlsSpecification creates a new ExclusiveControlsSpecification.

func (*ExclusiveControlsSpecification) IsSatisfiedBy 

func (s *ExclusiveControlsSpecification) IsSatisfiedBy(ctrl entities.Control) (bool, string)

IsSatisfiedBy checks if the control ID is in the exclusive list.

type ExpectValidationError 

type ExpectValidationError struct {
	Expression string
	Message    string
}

ExpectValidationError represents a validation failure for an expect expression.

func (ExpectValidationError) Error 

func (e ExpectValidationError) Error() string

Error implements the error interface.

type ExpectValidator 

type ExpectValidator struct {
	// contains filtered or unexported fields
}

ExpectValidator validates expr-lang expect expressions without execution. This enables pre-flight validation during profile validation, catching syntax errors before attempting to run controls.

func NewExpectValidator 

func NewExpectValidator(opts ...ExpectValidatorOption) *ExpectValidator

NewExpectValidator creates a new expect validator with configurable limits.

func (*ExpectValidator) ValidateExpression 

func (v *ExpectValidator) ValidateExpression(expression string) error

ValidateExpression validates a single expect expression. Returns nil if valid, error describing syntax issue if invalid.

Note: This validates syntax only. Since expect expressions reference evidence data (e.g., "data.exists == true"), we cannot validate against a real environment. We use a permissive environment that accepts any field access.

func (*ExpectValidator) ValidateObservationExpects 

func (v *ExpectValidator) ValidateObservationExpects(expects []string) []ExpectValidationError

ValidateObservationExpects validates all expect expressions in an observation. Returns a slice of validation errors (empty if all expressions are valid).

func (*ExpectValidator) ValidateProfileExpects 

func (v *ExpectValidator) ValidateProfileExpects(
	controls []struct {
		ID           string
		Observations []struct {
			Expects []string
		}
	},
) map[string]map[int][]ExpectValidationError

ValidateProfileExpects validates all expect expressions across all controls in a profile. Returns a map of control ID -> observation index -> errors. This provides comprehensive validation results for display purposes.

type ExpectValidatorOption 

type ExpectValidatorOption func(*ExpectValidator)

ExpectValidatorOption defines functional options for ExpectValidator.

func WithExpectLimits 

func WithExpectLimits(maxLength, maxNodes int) ExpectValidatorOption

WithExpectLimits sets custom expression limits.

type ExpressionSpecification 

type ExpressionSpecification struct {
	// contains filtered or unexported fields
}

ExpressionSpecification filters controls using an expr program.

func NewExpressionSpecification 

func NewExpressionSpecification(program *vm.Program) *ExpressionSpecification

NewExpressionSpecification creates a new ExpressionSpecification.

func (*ExpressionSpecification) IsSatisfiedBy 

func (s *ExpressionSpecification) IsSatisfiedBy(ctrl entities.Control) (bool, string)

IsSatisfiedBy evaluates the expr program against the control.

type IncludedSeveritiesSpecification 

type IncludedSeveritiesSpecification struct {
	// contains filtered or unexported fields
}

IncludedSeveritiesSpecification includes only controls with specified severities.

func NewIncludedSeveritiesSpecification 

func NewIncludedSeveritiesSpecification(severities map[string]bool) *IncludedSeveritiesSpecification

NewIncludedSeveritiesSpecification creates a new IncludedSeveritiesSpecification.

func (*IncludedSeveritiesSpecification) IsSatisfiedBy 

func (s *IncludedSeveritiesSpecification) IsSatisfiedBy(ctrl entities.Control) (bool, string)

IsSatisfiedBy checks if the control severity is in the included list.

type IncludedTagsSpecification 

type IncludedTagsSpecification struct {
	// contains filtered or unexported fields
}

IncludedTagsSpecification includes only controls with any of the specified tags.

func NewIncludedTagsSpecification 

func NewIncludedTagsSpecification(tags map[string]bool) *IncludedTagsSpecification

NewIncludedTagsSpecification creates a new IncludedTagsSpecification.

func (*IncludedTagsSpecification) IsSatisfiedBy 

func (s *IncludedTagsSpecification) IsSatisfiedBy(ctrl entities.Control) (bool, string)

IsSatisfiedBy checks if the control has ANY of the included tags.

type IntegrityService 

type IntegrityService struct {
	// contains filtered or unexported fields
}

IntegrityService provides domain logic for plugin integrity verification.

func NewIntegrityService 

func NewIntegrityService(requireSigning bool) *IntegrityService

NewIntegrityService creates an integrity service.

func (*IntegrityService) ShouldVerifySignature 

func (s *IntegrityService) ShouldVerifySignature() bool

ShouldVerifySignature returns true if signature verification is required.

func (*IntegrityService) ValidatePlugin 

func (s *IntegrityService) ValidatePlugin(
	ctx context.Context,
	plugin *entities.Plugin,
	expectedDigest values.Digest,
) error

ValidatePlugin performs complete integrity check.

func (*IntegrityService) VerifyDigest 

func (s *IntegrityService) VerifyDigest(plugin *entities.Plugin, expected values.Digest) error

VerifyDigest checks if plugin digest matches expected value.

type PluginResolutionStrategy 

type PluginResolutionStrategy interface {
	// Resolve attempts to locate a plugin matching the reference.
	Resolve(ctx context.Context, ref values.PluginReference) (*entities.Plugin, error)

	// SetNext sets the next resolver in the chain.
	SetNext(next PluginResolutionStrategy)
}

PluginResolutionStrategy defines the interface for plugin resolution. Implements Chain of Responsibility pattern.

type ProfileCompiler 

type ProfileCompiler struct{}

ProfileCompiler transforms raw profiles into validated, immutable profiles. This is a domain service that encapsulates the compilation process.

Compilation steps: 1. Deep copy the raw profile (prevent mutation) 2. Apply default values to controls 3. Validate invariants 4. Return immutable ValidatedProfile

func NewProfileCompiler 

func NewProfileCompiler() *ProfileCompiler

NewProfileCompiler creates a new profile compiler service.

func (*ProfileCompiler) Compile 

func (c *ProfileCompiler) Compile(raw *entities.Profile) (*entities.ValidatedProfile, error)

Compile transforms a raw profile into a validated, immutable profile. The input profile is NOT modified (immutability guarantee).

Returns an error if the profile fails validation.

type ProfileMerger 

type ProfileMerger struct{}

ProfileMerger merges multiple profiles according to inheritance semantics. This is a DOMAIN SERVICE because merge semantics are business rules.

Merge Semantics:

  • Metadata: overlay wins, fallback to base if empty
  • Vars: deep merge, overlay wins on conflict
  • Plugins: concatenate and deduplicate (preserving order)
  • Controls.Defaults: deep merge, overlay wins (tags concatenate)
  • Controls.Items: merge by ID (same ID = replace, new ID = append)
  • Extends: NOT propagated (already resolved)

func NewProfileMerger 

func NewProfileMerger() *ProfileMerger

NewProfileMerger creates a new profile merger service.

func (*ProfileMerger) Merge 

func (m *ProfileMerger) Merge(
	base *entities.Profile,
	overlay *entities.Profile,
) *entities.Profile

Merge combines two profiles with overlay winning on conflicts. Returns a NEW profile (does not mutate inputs).

func (*ProfileMerger) MergeAll 

func (m *ProfileMerger) MergeAll(
	parents []*entities.Profile,
	current *entities.Profile,
) *entities.Profile

MergeAll merges multiple parents then applies the current profile. Parents are merged left-to-right (later parents win on conflict). Returns a NEW profile (does not mutate inputs).

type StatusAggregator 

type StatusAggregator struct {
	// contains filtered or unexported fields
}

StatusAggregator determines status at different levels of the execution hierarchy. It caches compiled expressions to avoid redundant compilation overhead.

func NewStatusAggregator 

func NewStatusAggregator(opts ...StatusAggregatorOption) *StatusAggregator

NewStatusAggregator creates a new status aggregator service with initialized cache. Defaults to standard limits; use WithExpressionLimits to customize.

func (*StatusAggregator) AggregateControlStatus 

func (s *StatusAggregator) AggregateControlStatus(observationStatuses []values.Status) values.Status

AggregateControlStatus determines control status from observation statuses.

Business Rule: Failure precedence for compliance reporting - If ANY observation is StatusFail → Control is StatusFail (proven non-compliance) - If ANY observation is StatusError (but no failures) → Control is StatusError (inconclusive) - If ALL observations are StatusPass → Control is StatusPass

Rationale: If 9 observations FAIL and 1 errors, the control FAILED (not errored). A proven compliance violation is more important than a technical error. Auditors need to see definitive failures, not have them masked by errors.

func (*StatusAggregator) DetermineObservationStatus 

func (s *StatusAggregator) DetermineObservationStatus(
	_ context.Context,
	evidence *execution.Evidence,
	expects []string,
) (values.Status, []execution.ExpectationResult)

DetermineObservationStatus evaluates expect expressions against evidence data.

Evaluation Rules: - ALL expect expressions must evaluate to true for observation to PASS - ANY false expression → observation FAILS - Non-boolean result or compilation error → observation ERRORS

Security: - Expression length limited to 1000 chars (DoS prevention) - Only explicitly provided variables accessible (no probing) - expr-lang prevents code execution, filesystem, network access

Performance: - Compiled expressions are cached to avoid redundant compilation - Thread-safe caching with read/write locks for concurrent execution

Returns: Status and list of expectation results

func (*StatusAggregator) StatusFromEvidenceStatus 

func (s *StatusAggregator) StatusFromEvidenceStatus(evidenceStatus bool) values.Status

StatusFromEvidenceStatus converts evidence boolean status to observation status

type StatusAggregatorOption 

type StatusAggregatorOption func(*StatusAggregator)

StatusAggregatorOption defines functional options for StatusAggregator.

func WithExpressionLimits 

func WithExpressionLimits(maxLength, maxNodes int) StatusAggregatorOption

WithExpressionLimits sets custom expression evaluation limits.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.