policy

package

v0.32.0 Latest Latest Go to latest Published: Mar 3, 2026 License: Apache-2.0 Imports: 52 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/docker/buildx

Links

Documentation ¶

Index ¶

func AddUnknowns(req *gwpb.ResolveSourceMetaRequest, unk []string) error
func AddUnknownsWithLogger(logf func(logrus.Level, string), req *gwpb.ResolveSourceMetaRequest, ...) error
func MultiPolicyCallback(callbacks ...policysession.PolicyCallback) policysession.PolicyCallback
func ResolveInputUnknowns(ctx context.Context, input *Input, rootSource *pb.SourceOp, unknowns []string, ...) (bool, *gwpb.ResolveSourceMetaRequest, error)
type Actor
type AttestationBundle
type AttestationSignature
type Commit
type Decision
type Env
type File
- func LoadTestModules(root fs.StatFS, path string) (map[string]*ast.Module, []File, error)
type Git
type HTTP
type Image
type ImageProvenance
type ImageProvenanceCompleteness
type ImageProvenanceConfigSource
type Input
- func SourceToInput(ctx context.Context, verifier PolicyVerifierProvider, ...) (Input, error)
- func (inp Input) Unknowns() []string
type Local
type Opt
type PGPSignature
type Policy
- func NewPolicy(opt Opt) *Policy
- func (p *Policy) CheckPolicy(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *gwpb.ResolveSourceMetaRequest, error)
- func (p *Policy) IsPolicyError(err error) bool
- func (p *Policy) Print(ctx print.Context, msg string) error
type PolicyVerifier
type PolicyVerifierProvider
- func SignatureVerifier(cfg *confutil.Config) PolicyVerifierProvider
type SSHSignature
type SignatureKind
type SignatureType
type SignerInfo
type SourceMetadataResolver
type Tag
type TestOptions
type TestOptionsProvider
type TestResult
type TestSummary
- func RunPolicyTests(ctx context.Context, path string, opts TestOptions) (TestSummary, error)
type TrustedTimestamp

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func AddUnknowns ¶

func AddUnknowns(req *gwpb.ResolveSourceMetaRequest, unk []string) error

func AddUnknownsWithLogger ¶

func AddUnknownsWithLogger(logf func(logrus.Level, string), req *gwpb.ResolveSourceMetaRequest, unk []string) error

func MultiPolicyCallback ¶

func MultiPolicyCallback(callbacks ...policysession.PolicyCallback) policysession.PolicyCallback

MultiPolicyCallback returns a policy callback that requires all policies to allow.

func ResolveInputUnknowns ¶ added in v0.32.0

func ResolveInputUnknowns(ctx context.Context, input *Input, rootSource *pb.SourceOp, unknowns []string, rootPlatform *pb.Platform, defaultPlatform *ocispecs.Platform, resolver SourceMetadataResolver, verifier PolicyVerifierProvider, logf func(logrus.Level, string)) (bool, *gwpb.ResolveSourceMetaRequest, error)

Types ¶

type Actor ¶

type Actor struct {
	Name  string     `json:"name,omitempty"`
	Email string     `json:"email,omitempty"`
	When  *time.Time `json:"when,omitempty"`
}

type AttestationBundle ¶

type AttestationBundle struct{}

type AttestationSignature ¶

type AttestationSignature struct {
	SignatureKind   SignatureKind                             `json:"kind,omitempty"`
	SignatureType   SignatureType                             `json:"type,omitempty"`
	Timestamps      []policytypes.TimestampVerificationResult `json:"timestamps,omitempty"`
	DockerReference string                                    `json:"dockerReference,omitempty"`
	IsDHI           bool                                      `json:"isDHI,omitempty"`
	Signer          *SignerInfo                               `json:"signer,omitempty"`
	// contains filtered or unexported fields
}

type Commit ¶

type Commit struct {
	Tree      string   `json:"tree,omitempty"`
	Parents   []string `json:"parents,omitempty"`
	Author    Actor    `json:"author,omitzero"`
	Committer Actor    `json:"committer,omitzero"`
	Message   string   `json:"message,omitempty"`

	PGPSignature *PGPSignature `json:"pgpSignature,omitempty"`
	SSHSignature *SSHSignature `json:"sshSignature,omitempty"`
	// contains filtered or unexported fields
}

type Decision ¶

type Decision struct {
	Allow        *bool    `json:"allow,omitempty"`
	DenyMessages []string `json:"deny_msg,omitempty"`
}

type Env ¶

type Env struct {
	Args     map[string]*string `json:"args,omitempty"`
	Labels   map[string]string  `json:"labels,omitempty"`
	Filename string             `json:"filename,omitempty"`
	Target   string             `json:"target,omitempty"`
	Depth    int                `json:"depth"`
}

type File ¶

type File struct {
	Filename string
	Data     []byte
}

func LoadTestModules ¶

func LoadTestModules(root fs.StatFS, path string) (map[string]*ast.Module, []File, error)

type Git ¶

type Git struct {
	Schema      string `json:"schema,omitempty"`
	Host        string `json:"host,omitempty"`
	Remote      string `json:"remote,omitempty"`
	FullURL     string `json:"fullURL,omitempty"`
	TagName     string `json:"tagName,omitempty"`
	Branch      string `json:"branch,omitempty"`
	Ref         string `json:"ref,omitempty"`
	Subdir      string `json:"subDir,omitempty"`
	IsCommitRef bool   `json:"isCommitRef,omitempty"`

	IsSHA256       bool   `json:"isSHA256,omitempty"`
	Checksum       string `json:"checksum,omitempty"`
	CommitChecksum string `json:"commitChecksum,omitempty"`
	IsAnnotatedTag bool   `json:"isAnnotatedTag,omitempty"`

	Tag    *Tag    `json:"tag,omitempty"`
	Commit *Commit `json:"commit,omitempty"`
}

type HTTP ¶

type HTTP struct {
	URL     string              `json:"url,omitempty"`
	Schema  string              `json:"schema,omitempty"`
	Host    string              `json:"host,omitempty"`
	Path    string              `json:"path,omitempty"`
	Query   map[string][]string `json:"query,omitempty"`
	HasAuth bool                `json:"hasAuth,omitempty"`

	Checksum string `json:"checksum,omitempty"`

	Signature         *PGPSignature      `json:"signature,omitempty"`
	AttestationBundle *AttestationBundle `json:"attestationBundle,omitempty"`
}

type Image ¶

type Image struct {
	Ref          string `json:"ref,omitempty"`
	Host         string `json:"host,omitempty"`
	Repo         string `json:"repo,omitempty"`
	FullRepo     string `json:"fullRepo,omitempty"` // domain + repo
	Tag          string `json:"tag,omitempty"`      // unset if canonical ref
	Platform     string `json:"platform,omitempty"`
	OS           string `json:"os,omitempty"`
	Architecture string `json:"arch,omitempty"`
	Variant      string `json:"variant,omitempty"`
	IsCanonical  bool   `json:"isCanonical,omitempty"`

	Checksum string `json:"checksum,omitempty"`

	// Config based
	CreatedTime string            `json:"createdTime,omitempty"`
	Env         []string          `json:"env,omitempty"`
	Labels      map[string]string `json:"labels,omitempty"`
	User        string            `json:"user,omitempty"`
	Volumes     []string          `json:"volumes,omitempty"`
	WorkingDir  string            `json:"workingDir,omitempty"`

	HasProvenance bool                   `json:"hasProvenance,omitempty"`
	Provenance    *ImageProvenance       `json:"provenance,omitempty"`
	Signatures    []AttestationSignature `json:"signatures,omitempty"`
}

type ImageProvenance ¶ added in v0.32.0

type ImageProvenance struct {
	PredicateType string `json:"predicateType,omitempty"`
	BuildType     string `json:"buildType,omitempty"`
	BuilderID     string `json:"builderID,omitempty"`

	InvocationID string `json:"invocationID,omitempty"`
	StartedOn    string `json:"startedOn,omitempty"`
	FinishedOn   string `json:"finishedOn,omitempty"`

	ConfigSource *ImageProvenanceConfigSource `json:"configSource,omitempty"`
	Frontend     string                       `json:"frontend,omitempty"`
	BuildArgs    map[string]string            `json:"buildArgs,omitempty"`
	RawArgs      map[string]string            `json:"rawArgs,omitempty"`
	Reproducible *bool                        `json:"reproducible,omitempty"`
	Hermetic     *bool                        `json:"hermetic,omitempty"`

	Completeness *ImageProvenanceCompleteness `json:"completeness,omitempty"`
	Materials    []Input                      `json:"materials,omitempty"`
	// contains filtered or unexported fields
}

type ImageProvenanceCompleteness ¶ added in v0.32.0

type ImageProvenanceCompleteness struct {
	Parameters  *bool `json:"parameters,omitempty"`
	Environment *bool `json:"environment,omitempty"`
	Materials   *bool `json:"materials,omitempty"`
}

type ImageProvenanceConfigSource ¶ added in v0.32.0

type ImageProvenanceConfigSource struct {
	URI    string            `json:"uri,omitempty"`
	Digest map[string]string `json:"digest,omitempty"`
	Path   string            `json:"path,omitempty"`
}

type Input ¶

type Input struct {
	Env   Env    `json:"env,omitzero"`
	Local *Local `json:"local,omitempty"`
	Image *Image `json:"image,omitempty"`
	HTTP  *HTTP  `json:"http,omitempty"`
	Git   *Git   `json:"git,omitempty"`
	// contains filtered or unexported fields
}

func SourceToInput ¶

func SourceToInput(ctx context.Context, verifier PolicyVerifierProvider, src *gwpb.ResolveSourceMetaResponse, platform *ocispecs.Platform, logf func(logrus.Level, string)) (Input, error)

func (Input) Unknowns ¶ added in v0.32.0

func (inp Input) Unknowns() []string

type Local ¶

type Local struct {
	Name string `json:"name,omitempty"`
}

type Opt ¶

type Opt struct {
	Files            []File
	Env              Env
	Log              func(logrus.Level, string)
	FS               func() (fs.StatFS, func() error, error)
	VerifierProvider PolicyVerifierProvider
	DefaultPlatform  *ocispecs.Platform
	SourceResolver   *sourcemeta.Resolver
}

type PGPSignature ¶

type PGPSignature struct {
	Version int    `json:"version,omitempty"`
	KeyID   string `json:"keyID,omitempty"`
}

type Policy ¶

type Policy struct {
	// contains filtered or unexported fields
}

func NewPolicy ¶

func NewPolicy(opt Opt) *Policy

func (*Policy) CheckPolicy ¶

func (p *Policy) CheckPolicy(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *gwpb.ResolveSourceMetaRequest, error)

func (*Policy) IsPolicyError ¶ added in v0.32.0

func (p *Policy) IsPolicyError(err error) bool

func (*Policy) Print ¶

func (p *Policy) Print(ctx print.Context, msg string) error

type PolicyVerifier ¶ added in v0.32.0

type PolicyVerifier interface {
	VerifyImage(context.Context, policyimage.ReferrersProvider, ocispecs.Descriptor, *ocispecs.Platform) (*policytypes.SignatureInfo, error)
	VerifyArtifact(context.Context, digest.Digest, []byte, ...policyverifier.ArtifactVerifyOpt) (*policytypes.SignatureInfo, error)
}

type PolicyVerifierProvider ¶

type PolicyVerifierProvider func() (PolicyVerifier, error)

func SignatureVerifier ¶

func SignatureVerifier(cfg *confutil.Config) PolicyVerifierProvider

type SSHSignature ¶

type SSHSignature struct {
	Version int    `json:"version,omitempty"`
	PubKey  string `json:"pubKey,omitempty"`
}

type SignatureKind ¶

type SignatureKind string

const (
	SignatureKindDockerGithubBuilder  SignatureKind = "docker-github-builder"
	SignatureKindDockerHardenedImage  SignatureKind = "docker-hardened-image"
	SignatureKindSelfSignedGithubRepo SignatureKind = "self-signed-github-repo"
	SignatureKindSelfSigned           SignatureKind = "self-signed"
	SignatureKindUntrusted            SignatureKind = "untrusted"
)

type SignatureType ¶

type SignatureType string

const (
	SignatureTypeBundleV03       SignatureType = "bundle-v0.3"
	SignatureTypeSimpleSigningV1 SignatureType = "simplesigning-v1"
)

type SignerInfo ¶

type SignerInfo struct {
	// certificate.Summary with deprecated fields removed
	CertificateIssuer                   string `json:"certificateIssuer"`
	SubjectAlternativeName              string `json:"subjectAlternativeName"`
	Issuer                              string `json:"issuer,omitempty"`                              // OID 1.3.6.1.4.1.57264.1.8 and 1.3.6.1.4.1.57264.1.1 (Deprecated)
	BuildSignerURI                      string `json:"buildSignerURI,omitempty"`                      //nolint:tagliatelle // 1.3.6.1.4.1.57264.1.9
	BuildSignerDigest                   string `json:"buildSignerDigest,omitempty"`                   // 1.3.6.1.4.1.57264.1.10
	RunnerEnvironment                   string `json:"runnerEnvironment,omitempty"`                   // 1.3.6.1.4.1.57264.1.11
	SourceRepositoryURI                 string `json:"sourceRepositoryURI,omitempty"`                 //nolint:tagliatelle  // 1.3.6.1.4.1.57264.1.12
	SourceRepositoryDigest              string `json:"sourceRepositoryDigest,omitempty"`              // 1.3.6.1.4.1.57264.1.13
	SourceRepositoryRef                 string `json:"sourceRepositoryRef,omitempty"`                 // 1.3.6.1.4.1.57264.1.14
	SourceRepositoryIdentifier          string `json:"sourceRepositoryIdentifier,omitempty"`          // 1.3.6.1.4.1.57264.1.15
	SourceRepositoryOwnerURI            string `json:"sourceRepositoryOwnerURI,omitempty"`            //nolint:tagliatelle // 1.3.6.1.4.1.57264.1.16
	SourceRepositoryOwnerIdentifier     string `json:"sourceRepositoryOwnerIdentifier,omitempty"`     // 1.3.6.1.4.1.57264.1.17
	BuildConfigURI                      string `json:"buildConfigURI,omitempty"`                      //nolint:tagliatelle // 1.3.6.1.4.1.57264.1.18
	BuildConfigDigest                   string `json:"buildConfigDigest,omitempty"`                   // 1.3.6.1.4.1.57264.1.19
	BuildTrigger                        string `json:"buildTrigger,omitempty"`                        // 1.3.6.1.4.1.57264.1.20
	RunInvocationURI                    string `json:"runInvocationURI,omitempty"`                    //nolint:tagliatelle // 1.3.6.1.4.1.57264.1.21
	SourceRepositoryVisibilityAtSigning string `json:"sourceRepositoryVisibilityAtSigning,omitempty"` // 1.3.6.1.4.1.57264.1.22
}

type SourceMetadataResolver ¶ added in v0.32.0

type SourceMetadataResolver interface {
	ResolveSourceMetadata(context.Context, *pb.SourceOp, sourceresolver.Opt) (*sourceresolver.MetaResponse, error)
}

type Tag ¶

type Tag struct {
	Object  string `json:"object,omitempty"`
	Type    string `json:"type,omitempty"`
	Tag     string `json:"tag,omitempty"`
	Tagger  Actor  `json:"tagger,omitzero"`
	Message string `json:"message,omitempty"`

	PGPSignature *PGPSignature `json:"pgpSignature,omitempty"`
	SSHSignature *SSHSignature `json:"sshSignature,omitempty"`
	// contains filtered or unexported fields
}

type TestOptions ¶

type TestOptions struct {
	Run      string
	Filename string
	Root     fs.StatFS
	Provider *TestOptionsProvider
}

type TestOptionsProvider ¶ added in v0.32.0

type TestOptionsProvider struct {
	Resolve          func(context.Context, *pb.SourceOp, *gwpb.ResolveSourceMetaRequest) (*gwpb.ResolveSourceMetaResponse, error)
	Platform         func(context.Context) (*ocispecs.Platform, error)
	VerifierProvider PolicyVerifierProvider
}

type TestResult ¶

type TestResult struct {
	Name           string
	Package        string
	Passed         bool
	Allow          *bool
	DenyMessages   []string
	Input          *Input
	Decision       *Decision
	MissingInput   []string
	MetadataNeeded []string
}

type TestSummary ¶

type TestSummary struct {
	Results []TestResult
	Failed  int
}

func RunPolicyTests ¶

func RunPolicyTests(ctx context.Context, path string, opts TestOptions) (TestSummary, error)

type TrustedTimestamp ¶

type TrustedTimestamp struct {
	Tlog      bool      `json:"tlog,omitempty"`
	URI       string    `json:"uri,omitempty"`
	Timestamp time.Time `json:"timestamp,omitzero"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL