package types
import (
"fmt"
awstypes "github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
)
// Policy represents the Santa Rule Policy.
//
// Valid values are the RulePolicy* constants (1 through 6). The zero value is
// not a valid policy: the marshalling methods below return an error for it
// rather than silently emitting an empty or default value.
type Policy int
// Legacy unprefixed aliases for the RulePolicy* constants, kept for callers
// that predate the RulePolicy naming. New code should use the prefixed names.
const (
	// Deprecated: use RulePolicyAllowlist instead.
	Allowlist = RulePolicyAllowlist
	// Deprecated: use RulePolicyBlocklist instead.
	Blocklist = RulePolicyBlocklist
	// Deprecated: use RulePolicySilentBlocklist instead.
	SilentBlocklist = RulePolicySilentBlocklist
	// Deprecated: use RulePolicyRemove instead.
	Remove = RulePolicyRemove
	// Deprecated: use RulePolicyAllowlistCompiler instead.
	AllowlistCompiler = RulePolicyAllowlistCompiler
	// Deprecated: use RulePolicyAllowlistTransitive instead.
	AllowlistTransitive = RulePolicyAllowlistTransitive
)
// The numeric values start at 1 (not 0) and are the same codes written to
// and read from DynamoDB by the *DynamoDBAttributeValue methods below, so the
// order of this block must not change without also updating those mappings.
const (
	// RulePolicyAllowlist allows execution of the matching binary.
	RulePolicyAllowlist Policy = iota + 1
	// RulePolicyBlocklist blocks execution of the matching binary.
	RulePolicyBlocklist
	// RulePolicySilentBlocklist blocks execution without a user notification.
	RulePolicySilentBlocklist
	// RulePolicyRemove is a "special" rule in that, when it is sent by the server, it instructs the sensor
	// to delete any associated rule.
	RulePolicyRemove
	// RulePolicyAllowlistCompiler is a Transitive Allowlist policy which allows binaries created by
	// a specific compiler. EnabledTransitiveRules must be set to true in the Preflight first.
	RulePolicyAllowlistCompiler
	// RulePolicyAllowlistTransitive rules are created by the santa sensor itself; it is never created by the server.
	// Transitive rules are destroyed upon every clean sync.
	RulePolicyAllowlistTransitive
)
// UnmarshalText for JSON marshalling interface
// Use Santa defined constants
// https://github.com/google/santa/blob/main/Source/santactl/Commands/sync/SNTCommandSyncConstants.m#L98-L109
// UnmarshalText implements encoding.TextUnmarshaler so a Policy can be decoded
// from JSON. The accepted spellings are the Santa-defined constant names:
// https://github.com/google/santa/blob/main/Source/santactl/Commands/sync/SNTCommandSyncConstants.m#L98-L109
//
// Matching is an exact, case-sensitive string comparison. An unrecognised
// value returns an error and leaves *p untouched.
func (p *Policy) UnmarshalText(text []byte) error {
	name := string(text)

	var parsed Policy
	switch name {
	case "ALLOWLIST":
		parsed = RulePolicyAllowlist
	case "BLOCKLIST":
		parsed = RulePolicyBlocklist
	case "SILENT_BLOCKLIST":
		parsed = RulePolicySilentBlocklist
	case "REMOVE":
		parsed = RulePolicyRemove
	case "ALLOWLIST_COMPILER":
		parsed = RulePolicyAllowlistCompiler
	case "ALLOWLIST_TRANSITIVE":
		parsed = RulePolicyAllowlistTransitive
	default:
		return fmt.Errorf("unknown policy value %q", name)
	}

	// Only store once the value is known to be valid.
	*p = parsed
	return nil
}
// MarshalText for JSON marshalling interface
// MarshalText implements encoding.TextMarshaler so a Policy is encoded in JSON
// as its Santa constant name (e.g. "ALLOWLIST"), the inverse of UnmarshalText.
//
// A value outside the RulePolicy* range (including the zero value) yields an
// error and a nil slice.
func (p Policy) MarshalText() ([]byte, error) {
	var name string
	switch p {
	case RulePolicyAllowlist:
		name = "ALLOWLIST"
	case RulePolicyBlocklist:
		name = "BLOCKLIST"
	case RulePolicySilentBlocklist:
		name = "SILENT_BLOCKLIST"
	case RulePolicyRemove:
		name = "REMOVE"
	case RulePolicyAllowlistCompiler:
		name = "ALLOWLIST_COMPILER"
	case RulePolicyAllowlistTransitive:
		name = "ALLOWLIST_TRANSITIVE"
	default:
		return nil, fmt.Errorf("unknown policy %d", p)
	}
	return []byte(name), nil
}
// MarshalDynamoDBAttributeValue for ddb
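// MarshalDynamoDBAttributeValue encodes the Policy as a DynamoDB Number
// attribute whose string value is the policy's numeric code ("1" through "6").
//
// Only the RulePolicy* constants are accepted; any other value (including the
// zero value) returns an error so an invalid policy is never persisted.
func (p Policy) MarshalDynamoDBAttributeValue() (awstypes.AttributeValue, error) {
	var s string
	switch p {
	case RulePolicyAllowlist:
		s = "1"
	case RulePolicyBlocklist:
		s = "2"
	case RulePolicySilentBlocklist:
		s = "3"
	case RulePolicyRemove:
		s = "4"
	case RulePolicyAllowlistCompiler:
		s = "5"
	case RulePolicyAllowlistTransitive:
		s = "6"
	default:
		// %d, not %q: %q on an integer formats it as a quoted rune literal,
		// which hides the actual numeric value in the error message. This also
		// matches the wording used by MarshalText.
		return nil, fmt.Errorf("unknown policy value %d", p)
	}
	return &awstypes.AttributeValueMemberN{Value: s}, nil
}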
// UnmarshalDynamoDBAttributeValue implements the Unmarshaler interface
// UnmarshalDynamoDBAttributeValue implements the attributevalue Unmarshaler
// interface, reading back the Number attribute written by
// MarshalDynamoDBAttributeValue.
//
// The attribute must be a Number (AttributeValueMemberN); any other attribute
// type is rejected. The numeric string is compared exactly against "1".."6",
// so forms such as "01" or "1.0" are rejected as well. On any error *p is left
// unchanged.
func (p *Policy) UnmarshalDynamoDBAttributeValue(av awstypes.AttributeValue) error {
	num, isNumber := av.(*awstypes.AttributeValueMemberN)
	if !isNumber {
		return fmt.Errorf("unexpected policy value type %T", av)
	}

	code := num.Value
	var parsed Policy
	switch code {
	case "1":
		parsed = RulePolicyAllowlist
	case "2":
		parsed = RulePolicyBlocklist
	case "3":
		parsed = RulePolicySilentBlocklist
	case "4":
		parsed = RulePolicyRemove
	case "5":
		parsed = RulePolicyAllowlistCompiler
	case "6":
		parsed = RulePolicyAllowlistTransitive
	default:
		return fmt.Errorf("unknown policy value %q", code)
	}

	*p = parsed
	return nil
}