Class: Google::Apis::BinaryauthorizationV1::VerificationRule
- Inherits:
- Object
- Object
- Google::Apis::BinaryauthorizationV1::VerificationRule
- Includes:
- Core::Hashable, Core::JsonObjectSupport
- Defined in:
- lib/google/apis/binaryauthorization_v1/classes.rb,
lib/google/apis/binaryauthorization_v1/representations.rb
Overview
Specifies verification rules for evaluating the SLSA attestations including: which builders to trust, where to fetch the SLSA attestations generated by those builders, and other builder-specific evaluation rules such as which source repositories are trusted. An image is considered verified by the rule if any of the fetched SLSA attestations is verified.
Instance Attribute Summary
- #attestation_source ⇒ Google::Apis::BinaryauthorizationV1::AttestationSource
  Specifies the locations for fetching the provenance attestations.
- #config_based_build_required ⇒ Boolean (also: #config_based_build_required?)
  If true, require the image to be built from a top-level configuration.
- #custom_constraints ⇒ String
  Optional.
- #trusted_builder ⇒ String
  Each verification rule is used for evaluation against provenances generated by a specific builder (group).
- #trusted_source_repo_patterns ⇒ Array<String>
  List of trusted source code repository URL patterns.
Instance Method Summary
- #initialize(**args) ⇒ VerificationRule (constructor)
  A new instance of VerificationRule.
- #update!(**args) ⇒ Object
  Update properties of this object.
Constructor Details
#initialize(**args) ⇒ VerificationRule
Returns a new instance of VerificationRule.
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1865
def initialize(**args)
  update!(**args)
end
Instance Attribute Details
#attestation_source ⇒ Google::Apis::BinaryauthorizationV1::AttestationSource
Specifies the locations for fetching the provenance attestations.
Corresponds to the JSON property attestationSource
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1819
def attestation_source
  @attestation_source
end
#config_based_build_required ⇒ Boolean Also known as: config_based_build_required?
If true, require the image to be built from a top-level configuration.
trusted_source_repo_patterns specifies the repositories containing this
configuration.
Corresponds to the JSON property configBasedBuildRequired
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1826
def config_based_build_required
  @config_based_build_required
end
#custom_constraints ⇒ String
Optional. A CEL expression for specifying custom constraints on the provenance
payload. This can be used when users want to specify expectations on
provenance fields that are not covered by the general check. For example,
users can use this field to require that certain parameters should never be
used during the build process.
Corresponds to the JSON property customConstraints
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1836
def custom_constraints
  @custom_constraints
end
#trusted_builder ⇒ String
Each verification rule is used for evaluation against provenances generated by
a specific builder (group). For some of the builders, such as the Google Cloud
Build, users don't need to explicitly specify their roots of trust in the
policy since the evaluation service can automatically fetch them based on the
builder (group).
Corresponds to the JSON property trustedBuilder
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1845
def trusted_builder
  @trusted_builder
end
#trusted_source_repo_patterns ⇒ Array<String>
List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
- source.cloud.google.com/my-project/my-repo-name
- git+ssh://source.cloud.google.com/my-project/my-repo-name
- https://source.cloud.google.com/my-project/my-repo-name
A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways:
1. trailing * after hosturi/ to match varying endings;
2. trailing ** after hosturi/ to match / as well.
* and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example:
- github.com/my-project/my-repo is valid to match a single repo
- github.com/my-project/* will match all direct repos in my-project
- github.com/** matches all repos in GitHub
Corresponds to the JSON property trustedSourceRepoPatterns
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1863
def trusted_source_repo_patterns
  @trusted_source_repo_patterns
end
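The pattern rules described for trusted_source_repo_patterns can be checked locally before a policy is submitted. The following is an added example, not code from this library or from the Binary Authorization service; the RepoPatterns module and its method names are hypothetical. It assumes that a trailing wildcard requires a non-empty remainder, which the description above does not state.

```ruby
# Added illustration of the documented matching rules. Module and method
# names are hypothetical; this is not the service's evaluation code.
module RepoPatterns
  SCHEME = %r{\A[a-z][a-z0-9+.-]*://}i

  # Split a pattern into its literal prefix and its wildcard kind.
  def self.parse(pattern)
    return [pattern.delete_suffix('**'), :deep] if pattern.end_with?('/**')
    return [pattern.delete_suffix('*'), :single] if pattern.end_with?('/*')
    [pattern, :exact]
  end

  # Well-formed: no scheme, and no '*' except a trailing '*' or '**' after '/'.
  def self.valid?(pattern)
    return false if pattern.empty? || pattern.match?(SCHEME)
    !parse(pattern).first.include?('*')
  end

  # True for patterns such as github.com/** that trust a whole host.
  def self.host_wide?(pattern)
    prefix, kind = parse(pattern)
    kind == :deep && prefix.count('/') == 1
  end

  def self.match?(pattern, url)
    return false unless valid?(pattern)
    prefix, kind = parse(pattern)
    target = url.sub(SCHEME, '') # patterns are compared without the scheme
    return target == prefix if kind == :exact
    return false unless target.start_with?(prefix)
    rest = target.delete_prefix(prefix)
    return false if rest.empty? # assumption: a wildcard needs a remainder
    kind == :deep || !rest.include?('/')
  end

  def self.trusted?(patterns, url)
    patterns.any? { |pattern| match?(pattern, url) }
  end
end

# Constructed sample policy and URLs.
POLICY = ['source.cloud.google.com/my-project/my-repo-name',
          'github.com/my-project/*'].freeze
puts RepoPatterns.trusted?(POLICY, 'git+ssh://source.cloud.google.com/my-project/my-repo-name')
puts RepoPatterns.trusted?(POLICY, 'https://github.com/my-project/my-repo/fork')
puts POLICY.any? { |p| RepoPatterns.host_wide?(p) }
```

Because the literal prefix keeps its trailing /, a pattern such as github.com/my-project/* does not match a look-alike owner such as github.com/my-project-evil/repo. host_wide? can be used in policy review to flag rules that trust every repository on a host.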
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1870
def update!(**args)
  @attestation_source = args[:attestation_source] if args.key?(:attestation_source)
  @config_based_build_required = args[:config_based_build_required] if args.key?(:config_based_build_required)
  @custom_constraints = args[:custom_constraints] if args.key?(:custom_constraints)
  @trusted_builder = args[:trusted_builder] if args.key?(:trusted_builder)
  @trusted_source_repo_patterns = args[:trusted_source_repo_patterns] if args.key?(:trusted_source_repo_patterns)
end