engine

package
v0.0.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 19, 2023 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Overview

Package engine provides an implementation of the policy-engine-related objects, interfaces and functionality.

Index

Constants

View Source 
const (
	// RepositoryEventEntityType is the entity type for repositories
	RepositoryEventEntityType = "repository"
	// VersionedArtifactEventEntityType is the entity type for versioned artifacts
	VersionedArtifactEventEntityType = "versioned_artifact"
	// PullRequestEventEntityType is the entity type for pull requests
	PullRequestEventEntityType = "pull_request"
)
View Source 
const (
	// EntityTypeEventKey is the key for the entity type
	EntityTypeEventKey = "entity_type"
	// ProviderEventKey is the key for the provider
	ProviderEventKey = "provider"
	// GroupIDEventKey is the key for the group ID
	GroupIDEventKey = "group_id"
	// RepositoryIDEventKey is the key for the repository ID
	RepositoryIDEventKey = "repository_id"
	// ArtifactIDEventKey is the key for the artifact ID
	ArtifactIDEventKey = "artifact_id"
	// PullRequestIDEventKey is the key for the pull request ID
	PullRequestIDEventKey = "pull_request_id"
)
View Source 
const (
	// InternalEntityEventTopic is the topic for internal webhook events
	InternalEntityEventTopic = "internal.entity.event"
)

Variables

View Source 
var (
	// ErrInvalidRuleTypeDefinition is returned when a rule type definition is invalid
	ErrInvalidRuleTypeDefinition = errors.New("invalid rule type definition")
)
View Source 
var (
	// ErrValidationFailed is returned when a policy fails validation
	ErrValidationFailed = fmt.Errorf("validation failed")
)

Functions

func GetRulesForEntity 

func GetRulesForEntity(p *pb.Policy, entity pb.Entity) ([]*pb.Policy_Rule, error)

GetRulesForEntity returns the rules for the given entity

func GetRulesFromPolicyOfType 

func GetRulesFromPolicyOfType(p *pb.Policy, rt *pb.RuleType) ([]*pb.Policy_Rule, error)

GetRulesFromPolicyOfType returns the rules from the policy of the given type

func MergeDatabaseGetIntoPolicies 

func MergeDatabaseGetIntoPolicies(ppl []db.GetPolicyByGroupAndIDRow, ectx *EntityContext) map[string]*pb.Policy

MergeDatabaseGetIntoPolicies merges the database get policies into the given policies map. This assumes that the policies belong to the same group.

TODO(jaosorior): This will have to consider the project tree once we migrate to that

func MergeDatabaseListIntoPolicies 

func MergeDatabaseListIntoPolicies(ppl []db.ListPoliciesByGroupIDRow, ectx *EntityContext) map[string]*pb.Policy

MergeDatabaseListIntoPolicies merges the database list policies into the given policies map. This assumes that the policies belong to the same group.

TODO(jaosorior): This will have to consider the project tree once we migrate to that

func ParseJSON 

func ParseJSON(r io.Reader) (*pb.Policy, error)

ParseJSON parses a JSON pipeline policy and validates it

func ParseRuleType 

func ParseRuleType(r io.Reader) (*pb.RuleType, error)

ParseRuleType parses a rule type from a reader

func ParseYAML 

func ParseYAML(r io.Reader) (*pb.Policy, error)

ParseYAML parses a YAML pipeline policy and validates it

func ReadPolicyFromFile 

func ReadPolicyFromFile(fpath string) (*pb.Policy, error)

ReadPolicyFromFile reads a pipeline policy from a file and returns it as a protobuf

func RuleDefFromDB 

func RuleDefFromDB(r *db.RuleType) (*pb.RuleType_Definition, error)

RuleDefFromDB converts a rule type definition from the database to a protobuf rule type definition

func RuleTypePBFromDB 

func RuleTypePBFromDB(rt *db.RuleType, ectx *EntityContext) (*pb.RuleType, error)

RuleTypePBFromDB converts a rule type from the database to a protobuf rule type

func TraverseAllRulesForPipeline 

func TraverseAllRulesForPipeline(p *pb.Policy, fn func(*pb.Policy_Rule) error) error

TraverseAllRulesForPipeline traverses all rules for the given pipeline policy

func TraverseRules 

func TraverseRules(rules []*pb.Policy_Rule, fn func(*pb.Policy_Rule) error) error

TraverseRules traverses the rules and calls the given function for each rule TODO: do we want to collect and return _all_ errors, rather than just the first, to prevent whack-a-mole fixing?

func ValidatePolicy 

func ValidatePolicy(p *pb.Policy) error

ValidatePolicy validates a pipeline policy

func ValidateRuleTypeDefinition 

func ValidateRuleTypeDefinition(def *pb.RuleType_Definition) error

ValidateRuleTypeDefinition validates a rule type definition

func WithEntityContext 

func WithEntityContext(ctx context.Context, c *EntityContext) context.Context

WithEntityContext stores an EntityContext in the current context.

Types

type EntityContext 

type EntityContext struct {
	Group    Group
	Provider string
}

EntityContext is the context of an entity. This is relevant for getting the full information about an entity.

func EntityFromContext 

func EntityFromContext(ctx context.Context) *EntityContext

EntityFromContext extracts the current EntityContext, WHICH MAY BE NIL!

func GetContextFromInput 

func GetContextFromInput(ctx context.Context, in *pb.Context, q db.Querier) (*EntityContext, error)

GetContextFromInput returns the context from the input. The input is the context from the gRPC request which merely holds user-friendly information about an object.

func (*EntityContext) GetGroup 

func (c *EntityContext) GetGroup() Group

GetGroup returns the group of the entity

func (*EntityContext) GetProvider 

func (c *EntityContext) GetProvider() string

GetProvider returns the provider of the entity

type EntityInfoWrapper added in v0.0.3 

type EntityInfoWrapper struct {
	Provider      string
	GroupID       int32
	Entity        protoreflect.ProtoMessage
	Type          pb.Entity
	OwnershipData map[string]int32
}

EntityInfoWrapper is a helper struct to gather information about entities from events. It's able to build message.Message structures from the information it gathers.

It's also able to read the message.Message that contains a payload with a protobuf message that's specific to the entity type.

It also assumes the following metadata keys are present:

- EntityTypeEventKey - entity_type - GroupIDEventKey - group_id - RepositoryIDEventKey - repository_id - ArtifactIDEventKey - artifact_id (only for versioned artifacts)

Entity type is used to determine the type of the protobuf message and the entity type in the database. It may be one of the following:

- RepositoryEventEntityType - repository - VersionedArtifactEventEntityType - versioned_artifact

func NewEntityInfoWrapper added in v0.0.3 

func NewEntityInfoWrapper() *EntityInfoWrapper

NewEntityInfoWrapper creates a new EntityInfoWrapper

func (*EntityInfoWrapper) AsPullRequest added in v0.0.3 

func (eiw *EntityInfoWrapper) AsPullRequest()

AsPullRequest sets the entity type to a pull request

func (*EntityInfoWrapper) AsRepository added in v0.0.3 

func (eiw *EntityInfoWrapper) AsRepository() *EntityInfoWrapper

AsRepository sets the entity type to a repository

func (*EntityInfoWrapper) AsVersionedArtifact added in v0.0.3 

func (eiw *EntityInfoWrapper) AsVersionedArtifact() *EntityInfoWrapper

AsVersionedArtifact sets the entity type to a versioned artifact

func (*EntityInfoWrapper) BuildMessage added in v0.0.3 

func (eiw *EntityInfoWrapper) BuildMessage() (*message.Message, error)

BuildMessage builds a message.Message from the information

func (*EntityInfoWrapper) Publish added in v0.0.3 

func (eiw *EntityInfoWrapper) Publish(evt *events.Eventer) error

Publish builds a message.Message and publishes it to the event bus

func (*EntityInfoWrapper) ToMessage added in v0.0.3 

func (eiw *EntityInfoWrapper) ToMessage(msg *message.Message) error

ToMessage sets the information to a message.Message

func (*EntityInfoWrapper) WithArtifactID added in v0.0.3 

func (eiw *EntityInfoWrapper) WithArtifactID(id int32) *EntityInfoWrapper

WithArtifactID sets the artifact ID

func (*EntityInfoWrapper) WithGroupID added in v0.0.3 

func (eiw *EntityInfoWrapper) WithGroupID(id int32) *EntityInfoWrapper

WithGroupID sets the group ID

func (*EntityInfoWrapper) WithProvider added in v0.0.3 

func (eiw *EntityInfoWrapper) WithProvider(provider string) *EntityInfoWrapper

WithProvider sets the provider

func (*EntityInfoWrapper) WithPullRequest added in v0.0.3 

func (eiw *EntityInfoWrapper) WithPullRequest(p *pb.PullRequest) *EntityInfoWrapper

WithPullRequest sets the entity to a repository

func (*EntityInfoWrapper) WithPullRequestID added in v0.0.3 

func (eiw *EntityInfoWrapper) WithPullRequestID(id int32) *EntityInfoWrapper

WithPullRequestID sets the pull request ID

func (*EntityInfoWrapper) WithRepository added in v0.0.3 

func (eiw *EntityInfoWrapper) WithRepository(r *pb.RepositoryResult) *EntityInfoWrapper

WithRepository sets the entity to a repository

func (*EntityInfoWrapper) WithRepositoryID added in v0.0.3 

func (eiw *EntityInfoWrapper) WithRepositoryID(id int32) *EntityInfoWrapper

WithRepositoryID sets the repository ID

func (*EntityInfoWrapper) WithVersionedArtifact added in v0.0.3 

func (eiw *EntityInfoWrapper) WithVersionedArtifact(va *pb.VersionedArtifact) *EntityInfoWrapper

WithVersionedArtifact sets the entity to a versioned artifact

type Executor 

type Executor struct {
	// contains filtered or unexported fields
}

Executor is the engine that executes the rules for a given event

func NewExecutor 

func NewExecutor(querier db.Store, authCfg *config.AuthConfig) (*Executor, error)

NewExecutor creates a new executor

func (*Executor) HandleEntityEvent added in v0.0.3 

func (e *Executor) HandleEntityEvent(msg *message.Message) error

HandleEntityEvent handles events coming from webhooks/signals as well as the init event.

func (*Executor) Register 

func (e *Executor) Register(r events.Registrar)

Register implements the Consumer interface.

type Group 

type Group struct {
	ID   int32
	Name string
}

Group is a construct relevant to an entity's context. This is relevant for getting the full information about an entity.

func (Group) GetID 

func (g Group) GetID() int32

GetID returns the ID of the group

func (Group) GetName 

func (g Group) GetName() string

GetName returns the name of the group

type RuleMeta 

type RuleMeta struct {
	// Name is the name of the rule
	Name string
	// Provider is the ID of the provider that this rule is for
	Provider string
	// Organization is the ID of the organization that this rule is for
	Organization *string
	// Group is the ID of the group that this rule is for
	Group *string
}

RuleMeta is the metadata for a rule TODO: We probably should care about a version

func (*RuleMeta) String 

func (r *RuleMeta) String() string

String returns a string representation of the rule meta

type RuleTypeEngine 

type RuleTypeEngine struct {
	Meta RuleMeta
	// contains filtered or unexported fields
}

RuleTypeEngine is the engine for a rule type

func NewRuleTypeEngine 

func NewRuleTypeEngine(rt *pb.RuleType, cli ghclient.RestAPI, accessToken string) (*RuleTypeEngine, error)

NewRuleTypeEngine creates a new rule type engine

func (*RuleTypeEngine) Eval 

func (r *RuleTypeEngine) Eval(ctx context.Context, ent protoreflect.ProtoMessage, pol, params map[string]any) error

Eval runs the rule type engine against the given entity

func (*RuleTypeEngine) GetID 

func (r *RuleTypeEngine) GetID() string

GetID returns the ID of the rule type. The ID is meant to be a serializable unique identifier for the rule type.

func (*RuleTypeEngine) GetRuleInstanceValidator 

func (r *RuleTypeEngine) GetRuleInstanceValidator() *RuleValidator

GetRuleInstanceValidator returns the rule instance validator for this rule type. By instance we mean a rule that has been instantiated in a policy from a given rule type.

type RuleValidationError 

type RuleValidationError struct {
	Err string
	// RuleType is a rule name
	RuleType string
}

RuleValidationError is used to report errors from evaluating a rule, including attribution of the particular error encountered.

func (*RuleValidationError) Error 

func (e *RuleValidationError) Error() string

Error implements error.Error

func (*RuleValidationError) String 

func (e *RuleValidationError) String() string

String implements fmt.Stringer

type RuleValidator 

type RuleValidator struct {
	// contains filtered or unexported fields
}

RuleValidator validates a rule against a schema

func NewRuleValidator 

func NewRuleValidator(rt *pb.RuleType) (*RuleValidator, error)

NewRuleValidator creates a new rule validator

func (*RuleValidator) ValidateParamsAgainstSchema 

func (r *RuleValidator) ValidateParamsAgainstSchema(params *structpb.Struct) error

ValidateParamsAgainstSchema validates the given parameters against the schema for this rule type

func (*RuleValidator) ValidateRuleDefAgainstSchema 

func (r *RuleValidator) ValidateRuleDefAgainstSchema(contextualPolicy map[string]any) error

ValidateRuleDefAgainstSchema validates the given contextual policy against the schema for this rule type

Source Files

View all Source files

Directories

Path Synopsis
Package errors provides errors for the evaluator engine
 Package errors provides errors for the evaluator engine
Package eval provides necessary interfaces and implementations for evaluating rules.
 Package eval provides necessary interfaces and implementations for evaluating rules.
jq
Package jq provides the jq policy evaluator
 Package jq provides the jq policy evaluator
rego
Package rego provides the rego rule evaluator
 Package rego provides the rego rule evaluator
vulncheck
Package vulncheck provides the vulnerability check evaluator
 Package vulncheck provides the vulnerability check evaluator
Package ingester provides necessary interfaces and implementations for ingesting data for rules.
 Package ingester provides necessary interfaces and implementations for ingesting data for rules.
artifact
Package artifact provides the artifact ingestion engine
 Package artifact provides the artifact ingestion engine
builtin
Package builtin provides the builtin ingestion engine
 Package builtin provides the builtin ingestion engine
diff
Package diff provides the diff rule data ingest engine
 Package diff provides the diff rule data ingest engine
git
Package git provides the git rule data ingest engine
 Package git provides the git rule data ingest engine
rest
Package rest provides the REST rule data ingest engine
 Package rest provides the REST rule data ingest engine
Package interfaces provides necessary interfaces and implementations for implementing engine plugins
 Package interfaces provides necessary interfaces and implementations for implementing engine plugins

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.