refactor!: return CertificateVerficationResponse{} in VerifyCert()

pkg/capabilities/VerifyCert() returns a `(bool, err)`. In the case that it returns `(false, err)`, the error is not a runtime error but it may contain the reason for the failed certificate verification. Return a ``(CertificateVerficationResponse{},err)` instead, which contains the bool trusted and a reason, or a runtime error. Signed-off-by: Víctor Cuadrado Juan <[email protected]>
kubewarden · Feb 15, 2024 · 1875ec1 · 1875ec1
1 parent 35f9419
commit 1875ec1
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 9 deletions.
diff --git a/pkg/capabilities/crypto/crypto.go b/pkg/capabilities/crypto/crypto.go
@@ -1,11 +1,10 @@
 package crypto
 
 import (
+	"encoding/json"
 	"fmt"
 
 	cap "github.com/kubewarden/policy-sdk-go/pkg/capabilities"
-
-	"encoding/json"
 )
 
 type CryptoHost struct {
@@ -38,7 +37,7 @@ func (e CertificateEncoding) MarshalJSON() ([]byte, error) {
 //     (intermediates first, root last). If empty, certificate is assumed trusted.
 //   - not_after: string in RFC 3339 time format, to check expiration against.
 //     If None, certificate is assumed never expired.
-func VerifyCert(h *cap.Host, cert Certificate, certChain []Certificate, notAfter string) (bool, error) {
+func VerifyCert(h *cap.Host, cert Certificate, certChain []Certificate, notAfter string) (CertificateVerificationResponse, error) {
 	requestObj := CertificateVerificationRequest{
 		Cert:      cert,
 		CertChain: certChain,
@@ -47,23 +46,28 @@ func VerifyCert(h *cap.Host, cert Certificate, certChain []Certificate, notAfter
 
 	payload, err := json.Marshal(requestObj)
 	if err != nil {
-		return false, fmt.Errorf("cannot serialize request object: %w", err)
+		return CertificateVerificationResponse{}, fmt.Errorf("cannot serialize request object: %w", err)
 	}
 
 	// perform callback
 	responsePayload, err := h.Client.HostCall("kubewarden", "crypto", "v1/is_certificate_trusted", payload)
 	if err != nil {
-		return false, err
+		return CertificateVerificationResponse{}, err
 	}
 
 	responseObj := CertificateVerificationResponse{}
 	if err := json.Unmarshal(responsePayload, &responseObj); err != nil {
-		return false, fmt.Errorf("cannot unmarshall response object: %w", err)
+		return CertificateVerificationResponse{}, fmt.Errorf("cannot unmarshall response object: %w", err)
 	}
 
 	if responseObj.Trusted {
-		return true, nil
+		return CertificateVerificationResponse{
+			Trusted: true,
+		}, nil
 	} else {
-		return false, fmt.Errorf(responseObj.Reason)
+		return CertificateVerificationResponse{
+			Trusted: false,
+			Reason:  responseObj.Reason,
+		}, nil
 	}
 }
diff --git a/pkg/capabilities/crypto/crypto_test.go b/pkg/capabilities/crypto/crypto_test.go
@@ -52,7 +52,7 @@ func TestV1IsCertificateTrusted(t *testing.T) {
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
-	if !res {
+	if !res.Trusted {
 		t.Fatalf("expected trusted image, got untrusted")
 	}
 }