diff --git a/Cargo.toml b/Cargo.toml
index e7b4f7d..f60b801 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -2,7 +2,7 @@
 name = "kubewarden-policy-sdk"
 description = "Kubewarden Policy SDK for the Rust language"
 repository = "https://github.com/kubewarden/policy-sdk-rust"
-version = "0.6.2"
+version = "0.6.3"
 authors = [
 "Flavio Castelli ",
 "Rafael Fernández López "
diff --git a/src/host_capabilities/mod.rs b/src/host_capabilities/mod.rs
index 581fec9..94348f6 100644
--- a/src/host_capabilities/mod.rs
+++ b/src/host_capabilities/mod.rs
@@ -6,17 +6,38 @@
 pub mod net;
 pub mod oci;
 pub mod verification;
-/// Describes the different kinds of request a waPC guest can make to
-/// our host.
+/// SigstoreVerificationInputV1 is used for the v1/verify callback
 #[derive(Serialize, Deserialize, Debug)]
-pub enum CallbackRequestType {
- /// Require the computation of the manifest digest of an OCI object (be
+pub enum SigstoreVerificationInputV1 {
+ /// Require the verification of the manifest digest of an OCI object (be
 /// it an image or anything else that can be stored into an OCI registry)
- OciManifestDigest {
+ /// to be signed by Sigstore, using public keys mode
+ SigstorePubKeyVerify {
 /// String pointing to the object (e.g.: `registry.testing.lan/busybox:1.0.0`)
 image: String,
+ /// List of PEM encoded keys that must have been used to sign the OCI object
+ pub_keys: Vec,
+ /// Optional - Annotations that must have been provided by all signers when they signed the OCI artifact
+ annotations: Option>,
 },
+ // Require the verification of the manifest digest of an OCI object to be
+ // signed by Sigstore, using keyless mode
+ SigstoreKeylessVerify {
+ /// String pointing to the object (e.g.: `registry.testing.lan/busybox:1.0.0`)
+ image: String,
+ /// List of keyless signatures that must be found
+ keyless: Vec,
+ /// Optional - Annotations that must have been provided by all signers when they signed the OCI artifact
+ annotations: Option>,
+ },
+}
+
+/// SigstoreVerificationInputV2 is used for the v2/verify callback
+/// From now on we use serde internally tagged.
+#[derive(Serialize, Deserialize, Debug)]
+#[serde(tag = "type")]
+pub enum SigstoreVerificationInputV2 {
 /// Require the verification of the manifest digest of an OCI object (be
 /// it an image or anything else that can be stored into an OCI registry)
 /// to be signed by Sigstore, using public keys mode
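Review bot: Dropping `pub enum CallbackRequestType` here (and its `DNSLookupHost` variant in the next hunk) removes a public type from the crate while Cargo.toml only moves 0.6.2 → 0.6.3; under Cargo's 0.x semver convention that is a breaking change and wants 0.7.0, and anything that still names `CallbackRequestType` (the `net` module, if it relied on `DNSLookupHost`) will stop compiling — worth confirming. The new `SigstoreKeylessVerify` variant of `SigstoreVerificationInputV1` is described with `//` instead of `///`, so its text is missing from rustdoc; make it `/// Require the verification of the manifest digest of an OCI object to be` / `/// signed by Sigstore, using keyless mode` like the sibling variants. `#[serde(tag = "type")]` on `SigstoreVerificationInputV2` changes the wire format relative to V1 (an internally tagged `{"type":"SigstorePubKeyVerify","image":...}` instead of the externally tagged `{"SigstorePubKeyVerify":{"image":...}}`), so the V2 doc comment should state that it is only understood by hosts exposing `v2/verify`, and the V1 doc should say whether it is kept for compatibility with older hosts or is now unused by this crate. The `SigstoreVerificationInputV2` enum continues past the end of the hunk.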
@@ -64,7 +85,4 @@ pub enum CallbackRequestType {
 /// Optional - Annotations that must have been provided by all signers when they signed the OCI artifact
 annotations: Option>,
 },
-
- /// Lookup the addresses for a given hostname via DNS
- DNSLookupHost { host: String },
 }
diff --git a/src/host_capabilities/verification.rs b/src/host_capabilities/verification.rs
index 43a6df6..a5f2151 100644
--- a/src/host_capabilities/verification.rs
+++ b/src/host_capabilities/verification.rs
@@ -1,11 +1,10 @@
+use crate::host_capabilities::SigstoreVerificationInputV2;
 use anyhow::{anyhow, Result};
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 #[cfg(test)]
 use tests::mock_wapc as wapc_guest;
-use crate::host_capabilities::CallbackRequestType;
-
 /// VerificationResponse holds the response of a sigstore signatures verification
 #[derive(Serialize, Deserialize, Clone)]
 pub struct VerificationResponse {
@@ -45,13 +44,13 @@ pub fn verify_pub_keys_image(
 pub_keys: Vec,
 annotations: Option>,
 ) -> Result {
- let req = CallbackRequestType::SigstorePubKeyVerify {
+ let input = SigstoreVerificationInputV2::SigstorePubKeyVerify {
 image: image.to_string(),
 pub_keys,
 annotations,
 };
- verify(req)
+ verify(input)
 }
 /// verify sigstore signatures of an image using keyless
@@ -64,13 +63,13 @@ pub fn verify_keyless_exact_match(
 keyless: Vec,
 annotations: Option>,
 ) -> Result {
- let req = CallbackRequestType::SigstoreKeylessVerify {
+ let input = SigstoreVerificationInputV2::SigstoreKeylessVerify {
 image: image.to_string(),
 keyless,
 annotations,
 };
- verify(req)
+ verify(input)
 }
 /// verify sigstore signatures of an image using keyless. Here, the provided
@@ -86,13 +85,13 @@ pub fn verify_keyless_prefix_match(
 keyless_prefix: Vec,
 annotations: Option>,
 ) -> Result {
- let req = CallbackRequestType::SigstoreKeylessPrefixVerify {
+ let input = SigstoreVerificationInputV2::SigstoreKeylessPrefixVerify {
 image: image.to_string(),
 keyless_prefix,
 annotations,
 };
- verify(req)
+ verify(input)
 }
 /// verify sigstore signatures of an image using keyless signatures made via
@@ -108,20 +107,20 @@ pub fn verify_keyless_github_actions(
 repo: Option,
 annotations: Option>,
 ) -> Result {
- let req = CallbackRequestType::SigstoreGithubActionsVerify {
+ let input = SigstoreVerificationInputV2::SigstoreGithubActionsVerify {
 image: image.to_string(),
 owner,
 repo,
 annotations,
 };
- verify(req)
+ verify(input)
 }
-fn verify(req: CallbackRequestType) -> Result {
- let msg = serde_json::to_vec(&req)
+fn verify(input: SigstoreVerificationInputV2) -> Result {
+ let msg = serde_json::to_vec(&input)
 .map_err(|e| anyhow!("error serializing the validation request: {}", e))?;
- let response_raw = wapc_guest::host_call("kubewarden", "oci", "v1/verify", &msg)
+ let response_raw = wapc_guest::host_call("kubewarden", "oci", "v2/verify", &msg)
 .map_err(|e| anyhow!("{}", e))?;
 let response: VerificationResponse = serde_json::from_slice(&response_raw)?;