package
0.13.0-rc.2
Repository: https://github.com/microsoft/hcsshim.git
Documentation: pkg.go.dev

# README

## Rego Policy Interpreter

This module provides a general purpose Rego policy interpreter. It is used both by the `security_policy` package and by the policy engine simulator.

### Metadata

Each rule in a policy can optionally return a series of metadata commands in addition to `allowed`. These are then made available in the `data.metadata` namespace for use by the policy in later rule evaluations. A metadata command has the following format:

```json
{
    "name": "<metadata key>",
    "action": "<add|update|remove>",
    "key": "<key>",
    "value": "<optional value>"
}
```

Metadata values can be any Rego object, i.e. arbitrary JSON. Importantly, the Go code does not need to understand what they are or what they contain; it only places them at the specified point in the hierarchy so that the policy can find them in later rule evaluations. To give a sense of how this works, here is a sequence of rule results and the resulting metadata state:

Initial State

```json
{
    "metadata": {}
}
```

Result 1

```json
{
    "allowed": true,
    "metadata": [{
        "name": "devices",
        "action": "add",
        "key": "/dev/layer0",
        "value": "5c5d1ae1aff5e1f36d5300de46592efe4ccb7889e60a4b82bbaf003c2248f2a7"
    }]
}
```

State 1

```json
{
    "metadata": {
        "devices": {
            "/dev/layer0": "5c5d1ae1aff5e1f36d5300de46592efe4ccb7889e60a4b82bbaf003c2248f2a7"
        }
    }
}
```

Result 2

```json
{
    "allowed": true,
    "metadata": [{
        "name": "matches",
        "action": "add",
        "key": "container1",
        "value": [{<container>}, {<container>}, {<container>}]
    }]
}
```

State 2

```json
{
    "metadata": {
        "devices": {
            "/dev/layer0": "5c5d1ae1aff5e1f36d5300de46592efe4ccb7889e60a4b82bbaf003c2248f2a7"
        },
        "matches": {
            "container1": [{<container>}, {<container>}, {<container>}]
        }
    }
}
```

Result 3

```json
{
    "allowed": true,
    "metadata": [{
        "name": "matches",
        "action": "update",
        "key": "container1",
        "value": [{<container>}]
    }]
}
```

State 3

```json
{
    "metadata": {
        "devices": {
            "/dev/layer0": "5c5d1ae1aff5e1f36d5300de46592efe4ccb7889e60a4b82bbaf003c2248f2a7"
        },
        "matches": {
            "container1": [{<container>}]
        }
    }
}
```

Result 4

```json
{
    "allowed": true,
    "metadata": [{
        "name": "devices",
        "action": "remove",
        "key": "/dev/layer0"
    }]
}
```

State 4

```json
{
    "metadata": {
        "devices": {},
        "matches": {
            "container1": [{<container>}]
        }
    }
}
```
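As an added example (not the project's own code), the following Go snippet implements the add/update/remove command semantics over a `data.metadata`-style state and can be replayed against the Result objects above. The strict rules it enforces (add refuses an existing key, update and remove require one, unknown actions are rejected, an emptied namespace is kept as in State 4) are assumptions made for illustration, not documented behaviour of this package.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// MetadataCommand is the command shape shown in the README above.
type MetadataCommand struct {
	Name   string      `json:"name"`
	Action string      `json:"action"`
	Key    string      `json:"key"`
	Value  interface{} `json:"value,omitempty"`
}
// Metadata is what the policy later reads as data.metadata: namespace -> key -> JSON value.
type Metadata map[string]map[string]interface{}

// Apply folds one rule result's commands into the state. The strictness is assumed for illustration:
// add refuses an existing key, update/remove need one, unknown actions fail, emptied namespaces stay.
func (m Metadata) Apply(cmds []MetadataCommand) error {
	for _, c := range cmds {
		ns := m[c.Name]        // nil until the namespace is first used
		_, exists := ns[c.Key] // reading a nil map is safe in Go
		switch c.Action {
		case "add", "update", "remove":
			if (c.Action == "add") == exists { // add needs an absent key, the others a present one
				return fmt.Errorf("%s: %s[%s] exists=%v", c.Action, c.Name, c.Key, exists)
			}
		default:
			return fmt.Errorf("unknown metadata action %q", c.Action)
		}
		if c.Action == "remove" {
			delete(ns, c.Key) // namespace itself is kept, as in State 4
		} else {
			if ns == nil {
				ns = map[string]interface{}{}
				m[c.Name] = ns
			}
			ns[c.Key] = c.Value
		}
	}
	return nil
}

// ApplyResultJSON parses a rule result as the README prints them and applies its commands.
func ApplyResultJSON(m Metadata, resultJSON string) error {
	var r struct{ Metadata []MetadataCommand }
	if err := json.Unmarshal([]byte(resultJSON), &r); err != nil {
		return err
	}
	return m.Apply(r.Metadata)
}
```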

# Functions

ModuleID computes a unique ID for a Module from its issuer and feed.
NewRegoPolicyInterpreter creates a new RegoPolicyInterpreter, using the code provided.

# Constants

Logs the output of Rego print() statements in the policy.
Logs the full metadata state after each query.
Logs the result objects returned from each query.

# Type aliases

The result from a policy query.