package bundle

import "github.com/open-policy-agent/opa/bundle"

Package bundle implements bundle loading.

Deprecated: This package is intended for older projects transitioning from OPA v0.x and will remain for the lifetime of OPA v1.x, but its use is not recommended. For newer features and behaviours, such as defaulting to the Rego v1 syntax, use the corresponding components in the github.com/open-policy-agent/opa/v1 package instead. See https://www.openpolicyagent.org/docs/latest/v0-compatibility/ for more information.

Package bundle provides helpers that assist in creating the verification and signing key configuration.

Package bundle provides helpers that assist in creating a signed bundle.

Package bundle provides helpers that assist in the bundle signature verification process.

Constants

const (
	RegoExt        = v1.RegoExt
	WasmFile       = v1.WasmFile
	PlanFile       = v1.PlanFile
	ManifestExt    = v1.ManifestExt
	SignaturesFile = v1.SignaturesFile

	DefaultSizeLimitBytes = v1.DefaultSizeLimitBytes
	DeltaBundleType       = v1.DeltaBundleType
	SnapshotBundleType    = v1.SnapshotBundleType
)

Common file extensions and file names.

const (
	Chrooted    = v1.Chrooted
	SlashRooted = v1.SlashRooted
	Passthrough = v1.Passthrough
)
const (
	MD5       = v1.MD5
	SHA1      = v1.SHA1
	SHA224    = v1.SHA224
	SHA256    = v1.SHA256
	SHA384    = v1.SHA384
	SHA512    = v1.SHA512
	SHA512224 = v1.SHA512224
	SHA512256 = v1.SHA512256
)

Supported values for HashingAlgorithm

Variables

var BundlesBasePath = v1.BundlesBasePath

BundlesBasePath is the storage path used for storing bundle metadata

Functions

func Activate

func Activate(opts *ActivateOpts) error

Activate the bundle(s) by loading them into the given Store. This will load policies and data, and record the manifest in storage. The compiler provided will have had the policies compiled on it.

func ActivateLegacy

func ActivateLegacy(opts *ActivateOpts) error

ActivateLegacy calls Activate for the bundles but will also write their manifest to the older unnamed store location. Deprecated: Use Activate with named bundles instead.

func Deactivate

func Deactivate(opts *DeactivateOpts) error

Deactivate the bundle(s). This will erase associated data, policies, and the manifest entry from the store.

func EraseManifestFromStore

func EraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) error

EraseManifestFromStore will remove the manifest from storage. This function is called when the bundle is deactivated.

func EtagStoragePath

func EtagStoragePath(name string) storage.Path

EtagStoragePath is the storage path used for the given named bundle etag.

func GenerateSignedToken

func GenerateSignedToken(files []FileInfo, sc *SigningConfig, keyID string) (string, error)

GenerateSignedToken will retrieve the Signer implementation based on the Plugin specified in SigningConfig, and call its implementation of GenerateSignedToken. The signer generates a signed token given the list of files to be included in the payload and the bundle signing config. The keyID if non-empty, represents the value for the "keyid" claim in the token.

func LegacyEraseManifestFromStore

func LegacyEraseManifestFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) error

LegacyEraseManifestFromStore will erase the bundle manifest from the older single (unnamed) bundle manifest location. Deprecated: Use WriteManifestToStore and named bundles instead.

func LegacyReadRevisionFromStore

func LegacyReadRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) (string, error)

LegacyReadRevisionFromStore will read the bundle manifest revision from the older single (unnamed) bundle manifest location. Deprecated: Use ReadBundleRevisionFromStore and named bundles instead.

func LegacyWriteManifestToStore

func LegacyWriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, manifest Manifest) error

LegacyWriteManifestToStore will write the bundle manifest to the older single (unnamed) bundle manifest location. Deprecated: Use WriteManifestToStore and named bundles instead.

func ManifestStoragePath

func ManifestStoragePath(name string) storage.Path

ManifestStoragePath is the storage path used for the given named bundle manifest.

func NewIterator

func NewIterator(raw []Raw) storage.Iterator

func ReadBundleEtagFromStore

func ReadBundleEtagFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (string, error)

ReadBundleEtagFromStore returns the etag for the specified bundle. If the bundle is not activated, this function returns a storage NotFound error.

func ReadBundleMetadataFromStore

func ReadBundleMetadataFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (map[string]interface{}, error)

ReadBundleMetadataFromStore returns the metadata in the specified bundle. If the bundle is not activated, this function returns a storage NotFound error.

func ReadBundleNamesFromStore

func ReadBundleNamesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction) ([]string, error)

ReadBundleNamesFromStore will return a list of bundle names which have had their metadata stored.

func ReadBundleRevisionFromStore

func ReadBundleRevisionFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (string, error)

ReadBundleRevisionFromStore returns the revision in the specified bundle. If the bundle is not activated, this function returns a storage NotFound error.

func ReadBundleRootsFromStore

func ReadBundleRootsFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) ([]string, error)

ReadBundleRootsFromStore returns the roots in the specified bundle. If the bundle is not activated, this function returns a storage NotFound error.

func ReadWasmModulesFromStore

func ReadWasmModulesFromStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string) (map[string][]byte, error)

ReadWasmModulesFromStore reads the Wasm module resolver metadata for the named bundle from the store.

func RegisterSigner

func RegisterSigner(id string, s Signer) error

RegisterSigner registers a Signer under the given id

func RegisterVerifier

func RegisterVerifier(id string, v Verifier) error

RegisterVerifier registers a Verifier under the given id

func RootPathsContain

func RootPathsContain(roots []string, path string) bool

RootPathsContain takes a set of bundle root paths and returns true if the path is contained.

func RootPathsOverlap

func RootPathsOverlap(pathA string, pathB string) bool

RootPathsOverlap takes in two bundle root paths and returns true if they overlap.
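As an added illustration (not code from the OPA package), the segment-wise root semantics behind RootPathsContain and RootPathsOverlap, re-implemented with the standard library so it runs without the module. Roots are compared on "/" boundaries, so "a/b" contains "a/b/c" but not "a/bc", and the empty root "" is assumed to cover the whole namespace. The helper findRootConflict and the two sample manifests are constructed for the example; Merge rejects overlapping roots with an error, which is what stops one bundle from silently shadowing another bundle's data or policies.

```go
package main

import (
	"fmt"
	"strings"
)

// rootSegments splits a bundle root path into its "/"-separated segments.
// The empty root "" yields a single empty segment, which we treat as owning everything.
func rootSegments(path string) []string {
	return strings.Split(path, "/")
}

// rootContains reports whether root is a segment-wise prefix of other.
func rootContains(root, other []string) bool {
	if len(root) == 1 && root[0] == "" {
		return true // assumption: the empty root covers the entire data/policy namespace
	}
	if len(root) > len(other) {
		return false
	}
	for i := range root {
		if root[i] != other[i] {
			return false
		}
	}
	return true
}

// rootPathsOverlap mirrors the documented contract: two roots overlap when either
// one is a segment-wise prefix of the other.
func rootPathsOverlap(a, b string) bool {
	sa, sb := rootSegments(a), rootSegments(b)
	return rootContains(sa, sb) || rootContains(sb, sa)
}

// rootPathsContain reports whether any of the roots covers the given path.
func rootPathsContain(roots []string, path string) bool {
	segs := rootSegments(path)
	for _, r := range roots {
		if rootContains(rootSegments(r), segs) {
			return true
		}
	}
	return false
}

// findRootConflict (constructed helper) returns the first overlapping pair of roots
// declared by two bundles, the check a merge must perform before combining them.
func findRootConflict(rootsA, rootsB []string) (string, string, bool) {
	for _, a := range rootsA {
		for _, b := range rootsB {
			if rootPathsOverlap(a, b) {
				return a, b, true
			}
		}
	}
	return "", "", false
}

func main() {
	// Constructed sample manifests: the roots two bundles claim ownership of.
	authz := []string{"authz/rbac", "authz/abac"}
	inventory := []string{"inventory", "authz/rbac/overrides"}
	if a, b, ok := findRootConflict(authz, inventory); ok {
		fmt.Printf("refusing to merge: root %q overlaps root %q\n", a, b)
	}
	fmt.Println(rootPathsContain(authz, "authz/rbac/policy")) // true
	fmt.Println(rootPathsContain(authz, "authz/rbacx"))       // false: "rbacx" is not the segment "rbac"
}
```

The segment comparison is the point: a plain string-prefix test would let "authz/rbacx" pass as if it were inside "authz/rbac", so a bundle could claim a path it does not own.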

func VerifyBundleSignature

func VerifyBundleSignature(sc SignaturesConfig, bvc *VerificationConfig) (map[string]FileInfo, error)

VerifyBundleSignature will retrieve the Verifier implementation based on the Plugin specified in SignaturesConfig, and call its implementation of VerifyBundleSignature. The verifier checks the bundle signature using the given public keys or secret. If a signature is verified, it keeps track of the files specified in the JWT payload.
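The sign-then-verify flow described for GenerateSignedToken and VerifyBundleSignature, as an added stand-alone example that is not the package's DefaultSigner or DefaultVerifier and uses only the Go standard library. It signs a file list as an HS256 JWT with a constructed secret and then verifies it; the payload layout (a "files" array of name/hash/algorithm entries plus a "keyid" claim), the "SHA-256" label and the bundle contents are assumptions constructed for the example, modelled on the bundle signature format rather than taken from the package.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// fileInfo and claims mirror the signed payload: one entry per file (name, hex digest,
// algorithm) plus the optional "keyid" claim. Assumed layout, not the package's own types.
type fileInfo struct {
	Name      string `json:"name"`
	Hash      string `json:"hash"`
	Algorithm string `json:"algorithm"`
}
type claims struct {
	Files []fileInfo `json:"files"`
	KeyID string     `json:"keyid,omitempty"`
}

var b64 = base64.RawURLEncoding

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// digestFiles builds one fileInfo per bundle file (path -> content).
func digestFiles(files map[string][]byte) []fileInfo {
	out := make([]fileInfo, 0, len(files))
	for name, content := range files {
		out = append(out, fileInfo{Name: name, Hash: sha256Hex(content), Algorithm: "SHA-256"})
	}
	return out
}

// generateSignedToken signs the file list as an HS256 JWT (header.payload.signature).
func generateSignedToken(files []fileInfo, secret []byte, keyID string) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, err := json.Marshal(claims{Files: files, KeyID: keyID})
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verifyBundleSignature checks the MAC and, only if it holds, returns the files the payload
// vouches for, keyed by name. The algorithm is pinned here, never taken from the token header.
func verifyBundleSignature(token string, secret []byte) (map[string]fileInfo, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or unreadable header")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature verification failed")
	}
	var c claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("unreadable payload")
	}
	signed := make(map[string]fileInfo, len(c.Files))
	for _, f := range c.Files {
		signed[f.Name] = f
	}
	return signed, nil
}

// checkBundleFiles rejects a loaded file that is unsigned, uses an unaccepted algorithm, or has changed.
func checkBundleFiles(signed map[string]fileInfo, files map[string][]byte) error {
	for name, content := range files {
		switch info, ok := signed[name]; {
		case !ok:
			return fmt.Errorf("%s: not covered by the bundle signature", name)
		case info.Algorithm != "SHA-256":
			return fmt.Errorf("%s: unsupported digest algorithm %q", name, info.Algorithm)
		case sha256Hex(content) != info.Hash:
			return fmt.Errorf("%s: digest mismatch", name)
		}
	}
	return nil
}

func main() {
	secret := []byte("constructed-demo-secret") // placeholder key material for the example
	files := map[string][]byte{"/policy.rego": []byte("package authz\n"), "/data.json": []byte(`{"admins":["alice"]}`)}
	token, _ := generateSignedToken(digestFiles(files), secret, "demo-key")
	signed, err := verifyBundleSignature(token, secret)
	fmt.Println(len(signed), err)
	files["/data.json"] = []byte(`{"admins":["alice","mallory"]}`) // tampered after signing
	fmt.Println(checkBundleFiles(signed, files))
}
```

Two details carry the security weight. The verifier fixes the expected algorithm itself instead of honouring whatever "alg" the token header announces, and a valid signature only establishes which files were signed: the digests in the returned map still have to be compared against the files actually loaded, or a file swapped in after signing goes unnoticed.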

func Write

func Write(w io.Writer, bundle Bundle) error

Write is deprecated. Use NewWriter instead.

func WriteEtagToStore

func WriteEtagToStore(ctx context.Context, store storage.Store, txn storage.Transaction, name, etag string) error

WriteEtagToStore will write the bundle etag into the storage. This function is called when the bundle is activated.

func WriteManifestToStore

func WriteManifestToStore(ctx context.Context, store storage.Store, txn storage.Transaction, name string, manifest Manifest) error

WriteManifestToStore will write the manifest into the storage. This function is called when the bundle is activated.

Types

type ActivateOpts

type ActivateOpts = v1.ActivateOpts

ActivateOpts defines options for the Activate API call.

type Bundle

type Bundle = v1.Bundle

Bundle represents a loaded bundle. The bundle can contain data and policies.

func Merge

func Merge(bundles []*Bundle) (*Bundle, error)

Merge accepts a set of bundles and merges them into a single result bundle. If there are any conflicts during the merge (e.g., with roots) an error is returned. The result bundle will have an empty revision except in the special case where a single bundle is provided (and in that case the bundle is just returned unmodified.)

func MergeWithRegoVersion

func MergeWithRegoVersion(bundles []*Bundle, regoVersion ast.RegoVersion, usePath bool) (*Bundle, error)

MergeWithRegoVersion creates a merged bundle from the provided bundles, similar to Merge. If more than one bundle is provided, the rego version of the result bundle is set to the provided regoVersion. Any Rego files in a bundle of conflicting rego version will be marked in the result's manifest with the rego version of its original bundle. If the Rego file already had an overriding rego version, it will be preserved. If a single bundle is provided, it will retain any rego version information it already had. If it has none, the provided regoVersion will be applied to it. If usePath is true, per-file rego-versions will be calculated using the file's ModuleFile.Path; otherwise, the file's ModuleFile.URL will be used.

type DeactivateOpts

type DeactivateOpts = v1.DeactivateOpts

DeactivateOpts defines options for the Deactivate API call

type DecodedSignature

type DecodedSignature = v1.DecodedSignature

DecodedSignature represents the decoded JWT payload.

type DefaultSigner

type DefaultSigner v1.DefaultSigner

DefaultSigner is the default bundle signing implementation. It signs bundles by generating a JWT and signing it using a locally-accessible private key.

type DefaultVerifier

type DefaultVerifier = v1.DefaultVerifier

DefaultVerifier is the default bundle verification implementation. It verifies bundles by checking the JWT signature using a locally-accessible public key.

type Descriptor

type Descriptor = v1.Descriptor

Descriptor contains information about a file and can be used to read the file contents.

func NewDescriptor

func NewDescriptor(url, path string, reader io.Reader) *Descriptor

type DirectoryLoader

type DirectoryLoader = v1.DirectoryLoader

DirectoryLoader defines an interface which can be used to load files from a directory by iterating over each one in the tree.

func NewDirectoryLoader

func NewDirectoryLoader(root string) DirectoryLoader

NewDirectoryLoader returns a basic DirectoryLoader implementation that will load files from a given root directory path.

func NewFSLoader

func NewFSLoader(filesystem fs.FS) (DirectoryLoader, error)

NewFSLoader returns a basic DirectoryLoader implementation that will load files from a fs.FS interface

func NewFSLoaderWithRoot

func NewFSLoaderWithRoot(filesystem fs.FS, root string) DirectoryLoader

NewFSLoaderWithRoot returns a basic DirectoryLoader implementation that will load files from a fs.FS interface at the supplied root

func NewTarballLoader

func NewTarballLoader(r io.Reader) DirectoryLoader

NewTarballLoader is deprecated. Use NewTarballLoaderWithBaseURL instead.

func NewTarballLoaderWithBaseURL

func NewTarballLoaderWithBaseURL(r io.Reader, baseURL string) DirectoryLoader

NewTarballLoaderWithBaseURL returns a new DirectoryLoader that reads files out of a gzipped tar archive. The file URLs will be prefixed with the baseURL.

type FileInfo

type FileInfo = v1.FileInfo

FileInfo contains the hashing algorithm used, resulting digest etc.

func NewFile

func NewFile(name, hash, alg string) FileInfo

NewFile returns a new FileInfo.

type HashingAlgorithm

type HashingAlgorithm = v1.HashingAlgorithm

HashingAlgorithm represents a subset of hashing algorithms implemented in Go

type KeyConfig

type KeyConfig = v1.KeyConfig

KeyConfig holds the keys used to sign or verify bundles and tokens. It has moved to its own package; this alias is kept for backwards compatibility.

type Manifest

type Manifest = v1.Manifest

Manifest represents the manifest from a bundle. The manifest may contain metadata such as the bundle revision.

type ModuleFile

type ModuleFile = v1.ModuleFile

ModuleFile represents a single module contained in a bundle.

type Patch

type Patch = v1.Patch

Patch contains an array of objects wherein each object represents the patch operation to be applied to the bundle data.

type PatchOperation

type PatchOperation = v1.PatchOperation

PatchOperation models a single patch operation against a document.

type PathFormat

type PathFormat = v1.PathFormat

type PlanModuleFile

type PlanModuleFile = v1.PlanModuleFile

PlanModuleFile represents a single plan module contained in a bundle.

NOTE(tsandall): currently the plans are just opaque binary blobs. In the future we could inject the entrypoints so that the plans could be executed inside of OPA proper like we do for Wasm modules.

type Raw

type Raw = v1.Raw

Raw contains raw bytes representing the bundle's content

type Reader

type Reader = v1.Reader

Reader contains the reader to load the bundle from.

func NewCustomReader

func NewCustomReader(loader DirectoryLoader) *Reader

NewCustomReader returns a new Reader configured to use the specified DirectoryLoader.

func NewReader

func NewReader(r io.Reader) *Reader

NewReader is deprecated. Use NewCustomReader instead.

type SignatureHasher

type SignatureHasher = v1.SignatureHasher

SignatureHasher computes a signature digest for a file with (structured or unstructured) data and policy

func NewSignatureHasher

func NewSignatureHasher(alg HashingAlgorithm) (SignatureHasher, error)

NewSignatureHasher returns a signature hasher suitable for a particular hashing algorithm

type SignaturesConfig

type SignaturesConfig = v1.SignaturesConfig

SignaturesConfig represents an array of JWTs that encapsulate the signatures for the bundle.

type Signer

type Signer v1.Signer

Signer is the interface expected for implementations that generate bundle signatures.

func GetSigner

func GetSigner(id string) (Signer, error)

GetSigner returns the Signer registered under the given id

type SigningConfig

type SigningConfig = v1.SigningConfig

SigningConfig represents the key configuration used to generate a signed bundle

func NewSigningConfig

func NewSigningConfig(key, alg, claimsPath string) *SigningConfig

NewSigningConfig returns a new SigningConfig.

type VerificationConfig

type VerificationConfig = v1.VerificationConfig

VerificationConfig represents the key configuration used to verify a signed bundle

func NewVerificationConfig

func NewVerificationConfig(keys map[string]*KeyConfig, id, scope string, exclude []string) *VerificationConfig

NewVerificationConfig returns a new VerificationConfig.

type Verifier

type Verifier v1.Verifier

Verifier is the interface expected for implementations that verify bundle signatures.

func GetVerifier

func GetVerifier(id string) (Verifier, error)

GetVerifier returns the Verifier registered under the given id

type WasmModuleFile

type WasmModuleFile = v1.WasmModuleFile

WasmModuleFile represents a single wasm module contained in a bundle.

type WasmResolver

type WasmResolver = v1.WasmResolver

WasmResolver maps a wasm module to an entrypoint ref.

type Writer

type Writer = v1.Writer

Writer implements bundle serialization.

func NewWriter

func NewWriter(w io.Writer) *Writer

NewWriter returns a bundle writer that writes to w.

Source Files

bundle.go doc.go file.go filefs.go hash.go keys.go sign.go store.go verify.go

Version
v1.4.2 (latest)
Published
May 2, 2025
Platform
linux/amd64
Imports
6 packages