diff --git a/src/lib.rs b/src/lib.rs index 5db5b652..30a178c7 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -30,7 +30,7 @@ use policy_evaluator::{ wasmtime, }; use rayon::prelude::*; -use std::{net::SocketAddr, sync::Arc}; +use std::{fs, net::SocketAddr, sync::Arc}; use tokio::{ sync::{oneshot, Semaphore}, time, @@ -63,28 +63,42 @@ impl PolicyServer { let (callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) = oneshot::channel(); - let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?; - let fulcio_certs: Vec = repo - .fulcio_certs() - .expect("Cannot fetch Fulcio certificates from TUF repository") - .into_iter() - .map(|c| c.into_owned()) - .collect(); - let manual_root = ManualTrustRoot { - fulcio_certs: Some(fulcio_certs), - rekor_keys: Some( - repo.rekor_keys() - .expect("Cannot fetch Rekor keys from TUF repository") - .iter() - .map(|k| k.to_vec()) - .collect(), - ), + let manual_root = if config.verification_config.is_some() { + if !config.sigstore_cache_dir.exists() { + fs::create_dir_all(&config.sigstore_cache_dir).map_err(|e| { + anyhow!("Cannot create directory to cache sigstore data: {}", e) + })?; + } + + let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?; + + let fulcio_certs: Vec = repo + .fulcio_certs() + .expect("Cannot fetch Fulcio certificates from TUF repository") + .into_iter() + .map(|c| c.into_owned()) + .collect(); + + let manual_root = ManualTrustRoot { + fulcio_certs: Some(fulcio_certs), + rekor_keys: Some( + repo.rekor_keys() + .expect("Cannot fetch Rekor keys from TUF repository") + .iter() + .map(|k| k.to_vec()) + .collect(), + ), + }; + + Some(Arc::new(manual_root)) + } else { + None }; let mut callback_handler_builder = CallbackHandlerBuilder::new(callback_handler_shutdown_channel_rx) .registry_config(config.sources.clone()) - .trust_root(Some(Arc::new(manual_root))); + .trust_root(manual_root.clone()); let kube_client: Option = match kube::Client::try_default().await { Ok(client) => Some(client), @@ -119,12 +133,7 @@ impl PolicyServer { let callback_sender_channel = callback_handler.sender_channel(); // Download policies - let mut downloader = Downloader::new( - config.sources.clone(), - config.verification_config.is_some(), - Some(config.sigstore_cache_dir.clone()), - ) - .await?; + let mut downloader = Downloader::new(config.sources.clone(), manual_root.clone()).await?; let fetched_policies = downloader .download_policies( diff --git a/src/policy_downloader.rs b/src/policy_downloader.rs index 09b351e7..a771c090 100644 --- a/src/policy_downloader.rs +++ b/src/policy_downloader.rs @@ -8,10 +8,9 @@ use policy_evaluator::{ }, policy_metadata::Metadata, }; -use sigstore::trust::{ManualTrustRoot, TrustRoot}; +use sigstore::trust::ManualTrustRoot; use std::{ collections::{HashMap, HashSet}, - fs, path::{Path, PathBuf}, sync::Arc, }; @@ -38,12 +37,11 @@ impl<'v> Downloader<'v> { /// sigstore. pub async fn new( sources: Option, - enable_verification: bool, - sigstore_cache_dir: Option, + manual_root: Option>>, ) -> Result { - let verifier = if enable_verification { + let verifier = if let Some(manual_root) = manual_root { info!("Fetching sigstore data from remote TUF repository"); - Some(create_verifier(sources.clone(), sigstore_cache_dir).await?) + Some(create_verifier(sources.clone(), manual_root).await?) } else { None }; @@ -222,34 +220,9 @@ impl<'v> Downloader<'v> { /// TUF repository of the sigstore project async fn create_verifier<'v>( sources: Option, - sigstore_cache_dir: Option, + manual_root: Arc>, ) -> Result> { - if let Some(cache_dir) = sigstore_cache_dir.clone() { - if !cache_dir.exists() { - fs::create_dir_all(cache_dir) - .map_err(|e| anyhow!("Cannot create directory to cache sigstore data: {}", e))?; - } - } - - let repo = - sigstore::trust::sigstore::SigstoreTrustRoot::new(sigstore_cache_dir.as_deref()).await?; - let fulcio_certs: Vec = repo - .fulcio_certs() - .unwrap() - .into_iter() - .map(|c| c.into_owned()) - .collect(); - let manual_root = ManualTrustRoot { - fulcio_certs: Some(fulcio_certs), - rekor_keys: Some( - repo.rekor_keys() - .unwrap() - .iter() - .map(|k| k.to_vec()) - .collect(), - ), - }; - let verifier = Verifier::new(sources, Some(Arc::new(manual_root))).await?; + let verifier = Verifier::new(sources, Some(manual_root)).await?; Ok(verifier) } @@ -257,6 +230,7 @@ async fn create_verifier<'v>( #[cfg(test)] mod tests { use super::*; + use policy_evaluator::policy_fetcher::sigstore::trust::TrustRoot; use tempfile::TempDir; #[tokio::test] @@ -299,7 +273,7 @@ mod tests { let policy_download_dir = TempDir::new().expect("Cannot create temp dir"); - let mut downloader = Downloader::new(None, true, None).await.unwrap(); + let mut downloader = Downloader::new(None, None).await.unwrap(); let fetched_policies = downloader .download_policies( @@ -340,8 +314,31 @@ mod tests { serde_yaml::from_str(policies_cfg).expect("Cannot parse policy cfg"); let policy_download_dir = TempDir::new().expect("Cannot create temp dir"); + let repo = sigstore::trust::sigstore::SigstoreTrustRoot::new(None) + .await + .unwrap(); + + let fulcio_certs: Vec = repo + .fulcio_certs() + .expect("Cannot fetch Fulcio certificates from TUF repository") + .into_iter() + .map(|c| c.into_owned()) + .collect(); + + let manual_root = ManualTrustRoot { + fulcio_certs: Some(fulcio_certs), + rekor_keys: Some( + repo.rekor_keys() + .expect("Cannot fetch Rekor keys from TUF repository") + .iter() + .map(|k| k.to_vec()) + .collect(), + ), + }; - let mut downloader = Downloader::new(None, true, None).await.unwrap(); + let mut downloader = Downloader::new(None, Some(Arc::new(manual_root))) + .await + .unwrap(); let fetched_policies = downloader .download_policies(