feat!: Add KeylessGithubActionsInfo{}

This adds a `github_actions` object that wraps `owner`, `repo` in serialization. Co-authored-by: raulcabello <[email protected]> Co-authored-by: Víctor Cuadrado Juan <[email protected]>
kubewarden · Jul 13, 2022 · 4ae83b1 · 4ae83b1
1 parent edbc71a
commit 4ae83b1
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 12 deletions.
diff --git a/src/host_capabilities/mod.rs b/src/host_capabilities/mod.rs
@@ -1,4 +1,6 @@
-use crate::host_capabilities::verification::{KeylessInfo, KeylessPrefixInfo};
+use crate::host_capabilities::verification::{
+    KeylessGithubActionsInfo, KeylessInfo, KeylessPrefixInfo,
+};
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 
@@ -78,10 +80,8 @@ pub enum SigstoreVerificationInputV2 {
     SigstoreGithubActionsVerify {
         /// String pointing to the object (e.g.: `registry.testing.lan/busybox:1.0.0`)
         image: String,
-        /// owner of the repository. E.g: octocat
-        owner: String,
-        /// Optional - Repo of the GH Action workflow that signed the artifact. E.g: example-repo
-        repo: Option<String>,
+        // GitHub Actions information that must be found in the signature
+        github_actions: KeylessGithubActionsInfo,
         /// Optional - Annotations that must have been provided by all signers when they signed the OCI artifact
         annotations: Option<HashMap<String, String>>,
     },

diff --git a/src/host_capabilities/verification.rs b/src/host_capabilities/verification.rs
@@ -34,6 +34,16 @@ pub struct KeylessPrefixInfo {
     pub url_prefix: String,
 }
 
+/// KeylessGithubActionsInfo holds information about a keyless signature
+/// performed in GitHub Actions
+#[derive(Serialize, Deserialize, Debug, Clone)]
+pub struct KeylessGithubActionsInfo {
+    /// owner of the repository. E.g: octocat
+    pub owner: String,
+    /// Optional - repo of the GH Action workflow that signed the artifact. E.g: example-repo
+    pub repo: Option<String>,
+}
+
 /// verify sigstore signatures of an image using public keys
 /// # Arguments
 /// * `image` -  image to be verified
@@ -103,14 +113,12 @@ pub fn verify_keyless_prefix_match(
 /// * `annotations` - annotations that must have been provided by all signers when they signed the OCI artifact
 pub fn verify_keyless_github_actions(
     image: &str,
-    owner: String,
-    repo: Option<String>,
+    github_actions: KeylessGithubActionsInfo,
     annotations: Option<HashMap<String, String>>,
 ) -> Result<VerificationResponse> {
     let input = SigstoreVerificationInputV2::SigstoreGithubActionsVerify {
         image: image.to_string(),
-        owner,
-        repo,
+        github_actions,
         annotations,
     };
 
@@ -277,7 +285,14 @@ mod tests {
             })
             .unwrap())
         });
-        let res = verify_keyless_github_actions("image", "owner".to_string(), None, None);
+        let res = verify_keyless_github_actions(
+            "image",
+            KeylessGithubActionsInfo {
+                owner: "owner".to_string(),
+                repo: Some("repo".to_string()),
+            },
+            None,
+        );
 
         assert_eq!(res.unwrap().is_trusted, true)
     }
@@ -289,8 +304,14 @@ mod tests {
         ctx.expect()
             .times(1)
             .returning(|_, _, _, _| Err(Box::new(core::fmt::Error {})));
-        let res = verify_keyless_github_actions("image", "owner".to_string(), None, None);
-
+        let res = verify_keyless_github_actions(
+            "image",
+            KeylessGithubActionsInfo {
+                owner: "owner".to_string(),
+                repo: Some("repo".to_string()),
+            },
+            None,
+        );
         assert!(res.is_err())
     }
 }