Merge pull request #737 from fabriziosestito/fix/sigstore-cache-dir-e…

…rror fix: sigstore cache dir error
kubewarden · Apr 17, 2024 · b6ebc7f · b6ebc7f
2 parents 30c2cdb + a47ca54
commit b6ebc7f
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 59 deletions.
diff --git a/src/lib.rs b/src/lib.rs
@@ -30,7 +30,7 @@ use policy_evaluator::{
     wasmtime,
 };
 use rayon::prelude::*;
-use std::{net::SocketAddr, sync::Arc};
+use std::{fs, net::SocketAddr, sync::Arc};
 use tokio::{
     sync::{oneshot, Semaphore},
     time,
@@ -63,28 +63,42 @@ impl PolicyServer {
         let (callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) =
             oneshot::channel();
 
-        let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;
-        let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
-            .fulcio_certs()
-            .expect("Cannot fetch Fulcio certificates from TUF repository")
-            .into_iter()
-            .map(|c| c.into_owned())
-            .collect();
-        let manual_root = ManualTrustRoot {
-            fulcio_certs: Some(fulcio_certs),
-            rekor_keys: Some(
-                repo.rekor_keys()
-                    .expect("Cannot fetch Rekor keys from TUF repository")
-                    .iter()
-                    .map(|k| k.to_vec())
-                    .collect(),
-            ),
+        let manual_root = if config.verification_config.is_some() {
+            if !config.sigstore_cache_dir.exists() {
+                fs::create_dir_all(&config.sigstore_cache_dir).map_err(|e| {
+                    anyhow!("Cannot create directory to cache sigstore data: {}", e)
+                })?;
+            }
+
+            let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;
+
+            let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
+                .fulcio_certs()
+                .expect("Cannot fetch Fulcio certificates from TUF repository")
+                .into_iter()
+                .map(|c| c.into_owned())
+                .collect();
+
+            let manual_root = ManualTrustRoot {
+                fulcio_certs: Some(fulcio_certs),
+                rekor_keys: Some(
+                    repo.rekor_keys()
+                        .expect("Cannot fetch Rekor keys from TUF repository")
+                        .iter()
+                        .map(|k| k.to_vec())
+                        .collect(),
+                ),
+            };
+
+            Some(Arc::new(manual_root))
+        } else {
+            None
         };
 
         let mut callback_handler_builder =
             CallbackHandlerBuilder::new(callback_handler_shutdown_channel_rx)
                 .registry_config(config.sources.clone())
-                .trust_root(Some(Arc::new(manual_root)));
+                .trust_root(manual_root.clone());
 
         let kube_client: Option<kube::Client> = match kube::Client::try_default().await {
             Ok(client) => Some(client),
@@ -119,12 +133,7 @@ impl PolicyServer {
         let callback_sender_channel = callback_handler.sender_channel();
 
         // Download policies
-        let mut downloader = Downloader::new(
-            config.sources.clone(),
-            config.verification_config.is_some(),
-            Some(config.sigstore_cache_dir.clone()),
-        )
-        .await?;
+        let mut downloader = Downloader::new(config.sources.clone(), manual_root.clone()).await?;
 
         let fetched_policies = downloader
             .download_policies(

diff --git a/src/policy_downloader.rs b/src/policy_downloader.rs
@@ -8,10 +8,9 @@ use policy_evaluator::{
     },
     policy_metadata::Metadata,
 };
-use sigstore::trust::{ManualTrustRoot, TrustRoot};
+use sigstore::trust::ManualTrustRoot;
 use std::{
     collections::{HashMap, HashSet},
-    fs,
     path::{Path, PathBuf},
     sync::Arc,
 };
@@ -38,12 +37,11 @@ impl<'v> Downloader<'v> {
     /// sigstore.
     pub async fn new(
         sources: Option<Sources>,
-        enable_verification: bool,
-        sigstore_cache_dir: Option<PathBuf>,
+        manual_root: Option<Arc<ManualTrustRoot<'static>>>,
     ) -> Result<Self> {
-        let verifier = if enable_verification {
+        let verifier = if let Some(manual_root) = manual_root {
             info!("Fetching sigstore data from remote TUF repository");
-            Some(create_verifier(sources.clone(), sigstore_cache_dir).await?)
+            Some(create_verifier(sources.clone(), manual_root).await?)
         } else {
             None
         };
@@ -222,41 +220,17 @@ impl<'v> Downloader<'v> {
 /// TUF repository of the sigstore project
 async fn create_verifier<'v>(
     sources: Option<Sources>,
-    sigstore_cache_dir: Option<PathBuf>,
+    manual_root: Arc<ManualTrustRoot<'static>>,
 ) -> Result<Verifier<'v>> {
-    if let Some(cache_dir) = sigstore_cache_dir.clone() {
-        if !cache_dir.exists() {
-            fs::create_dir_all(cache_dir)
-                .map_err(|e| anyhow!("Cannot create directory to cache sigstore data: {}", e))?;
-        }
-    }
-
-    let repo =
-        sigstore::trust::sigstore::SigstoreTrustRoot::new(sigstore_cache_dir.as_deref()).await?;
-    let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
-        .fulcio_certs()
-        .unwrap()
-        .into_iter()
-        .map(|c| c.into_owned())
-        .collect();
-    let manual_root = ManualTrustRoot {
-        fulcio_certs: Some(fulcio_certs),
-        rekor_keys: Some(
-            repo.rekor_keys()
-                .unwrap()
-                .iter()
-                .map(|k| k.to_vec())
-                .collect(),
-        ),
-    };
-    let verifier = Verifier::new(sources, Some(Arc::new(manual_root))).await?;
+    let verifier = Verifier::new(sources, Some(manual_root)).await?;
 
     Ok(verifier)
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
+    use policy_evaluator::policy_fetcher::sigstore::trust::TrustRoot;
     use tempfile::TempDir;
 
     #[tokio::test]
@@ -299,7 +273,7 @@ mod tests {
 
         let policy_download_dir = TempDir::new().expect("Cannot create temp dir");
 
-        let mut downloader = Downloader::new(None, true, None).await.unwrap();
+        let mut downloader = Downloader::new(None, None).await.unwrap();
 
         let fetched_policies = downloader
             .download_policies(
@@ -340,8 +314,31 @@ mod tests {
             serde_yaml::from_str(policies_cfg).expect("Cannot parse policy cfg");
 
         let policy_download_dir = TempDir::new().expect("Cannot create temp dir");
+        let repo = sigstore::trust::sigstore::SigstoreTrustRoot::new(None)
+            .await
+            .unwrap();
+
+        let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
+            .fulcio_certs()
+            .expect("Cannot fetch Fulcio certificates from TUF repository")
+            .into_iter()
+            .map(|c| c.into_owned())
+            .collect();
+
+        let manual_root = ManualTrustRoot {
+            fulcio_certs: Some(fulcio_certs),
+            rekor_keys: Some(
+                repo.rekor_keys()
+                    .expect("Cannot fetch Rekor keys from TUF repository")
+                    .iter()
+                    .map(|k| k.to_vec())
+                    .collect(),
+            ),
+        };
 
-        let mut downloader = Downloader::new(None, true, None).await.unwrap();
+        let mut downloader = Downloader::new(None, Some(Arc::new(manual_root)))
+            .await
+            .unwrap();
 
         let fetched_policies = downloader
             .download_policies(