Add Github actions and subject prefix verification to sdk

Cargo.toml

@@ -2,7 +2,7 @@
 name = "kubewarden-policy-sdk"
 description = "Kubewarden Policy SDK for the Rust language"
 repository = "https://github.com/kubewarden/policy-sdk-rust"
-version = "0.6.2"
+version = "0.6.3"
 authors = [
   "Flavio Castelli <[email protected]>",
   "Rafael Fernández López <[email protected]>"

src/host_capabilities/mod.rs

@@ -6,17 +6,38 @@ pub mod net;
 pub mod oci;
 pub mod verification;
 
-/// Describes the different kinds of request a waPC guest can make to
-/// our host.
+/// SigstoreVerificationInputV1 is used for the v1/verify callback
 #[derive(Serialize, Deserialize, Debug)]
-pub enum CallbackRequestType {
-    /// Require the computation of the manifest digest of an OCI object (be
+pub enum SigstoreVerificationInputV1 {
+    /// Require the verification of the manifest digest of an OCI object (be
     /// it an image or anything else that can be stored into an OCI registry)
-    OciManifestDigest {
+    /// to be signed by Sigstore, using public keys mode
+    SigstorePubKeyVerify {
         /// String pointing to the object (e.g.: `registry.testing.lan/busybox:1.0.0`)
         image: String,
+        /// List of PEM encoded keys that must have been used to sign the OCI object
+        pub_keys: Vec<String>,
+        /// Optional - Annotations that must have been provided by all signers when they signed the OCI artifact
+        annotations: Option<HashMap<String, String>>,
     },
 
+    // Require the verification of the manifest digest of an OCI object to be
+    // signed by Sigstore, using keyless mode
+    SigstoreKeylessVerify {
+        /// String pointing to the object (e.g.: `registry.testing.lan/busybox:1.0.0`)
+        image: String,
+        /// List of keyless signatures that must be found
+        keyless: Vec<KeylessInfo>,
+        /// Optional - Annotations that must have been provided by all signers when they signed the OCI artifact
+        annotations: Option<HashMap<String, String>>,
+    },
+}
+
+/// SigstoreVerificationInputV2 is used for the v2/verify callback
+/// From now on we use serde internally tagged.
+#[derive(Serialize, Deserialize, Debug)]
+#[serde(tag = "type")]
+pub enum SigstoreVerificationInputV2 {
     /// Require the verification of the manifest digest of an OCI object (be
     /// it an image or anything else that can be stored into an OCI registry)
     /// to be signed by Sigstore, using public keys mode
@@ -64,7 +85,4 @@ pub enum CallbackRequestType {
         /// Optional - Annotations that must have been provided by all signers when they signed the OCI artifact
         annotations: Option<HashMap<String, String>>,
     },
-
-    /// Lookup the addresses for a given hostname via DNS
-    DNSLookupHost { host: String },
 }

src/host_capabilities/verification.rs

@@ -1,11 +1,10 @@
+use crate::host_capabilities::SigstoreVerificationInputV2;
 use anyhow::{anyhow, Result};
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 #[cfg(test)]
 use tests::mock_wapc as wapc_guest;
 
-use crate::host_capabilities::CallbackRequestType;
-
 /// VerificationResponse holds the response of a sigstore signatures verification
 #[derive(Serialize, Deserialize, Clone)]
 pub struct VerificationResponse {
@@ -45,13 +44,13 @@ pub fn verify_pub_keys_image(
     pub_keys: Vec<String>,
     annotations: Option<HashMap<String, String>>,
 ) -> Result<VerificationResponse> {
-    let req = CallbackRequestType::SigstorePubKeyVerify {
+    let input = SigstoreVerificationInputV2::SigstorePubKeyVerify {
         image: image.to_string(),
         pub_keys,
         annotations,
     };
 
-    verify(req)
+    verify(input)
 }
 
 /// verify sigstore signatures of an image using keyless
@@ -64,13 +63,13 @@ pub fn verify_keyless_exact_match(
     keyless: Vec<KeylessInfo>,
     annotations: Option<HashMap<String, String>>,
 ) -> Result<VerificationResponse> {
-    let req = CallbackRequestType::SigstoreKeylessVerify {
+    let input = SigstoreVerificationInputV2::SigstoreKeylessVerify {
         image: image.to_string(),
         keyless,
         annotations,
     };
 
-    verify(req)
+    verify(input)
 }
 
 /// verify sigstore signatures of an image using keyless. Here, the provided
@@ -86,13 +85,13 @@ pub fn verify_keyless_prefix_match(
     keyless_prefix: Vec<KeylessPrefixInfo>,
     annotations: Option<HashMap<String, String>>,
 ) -> Result<VerificationResponse> {
-    let req = CallbackRequestType::SigstoreKeylessPrefixVerify {
+    let input = SigstoreVerificationInputV2::SigstoreKeylessPrefixVerify {
         image: image.to_string(),
         keyless_prefix,
         annotations,
     };
 
-    verify(req)
+    verify(input)
 }
 
 /// verify sigstore signatures of an image using keyless signatures made via
@@ -108,20 +107,20 @@ pub fn verify_keyless_github_actions(
     repo: Option<String>,
     annotations: Option<HashMap<String, String>>,
 ) -> Result<VerificationResponse> {
-    let req = CallbackRequestType::SigstoreGithubActionsVerify {
+    let input = SigstoreVerificationInputV2::SigstoreGithubActionsVerify {
         image: image.to_string(),
         owner,
         repo,
         annotations,
     };
 
-    verify(req)
+    verify(input)
 }
 
-fn verify(req: CallbackRequestType) -> Result<VerificationResponse> {
-    let msg = serde_json::to_vec(&req)
+fn verify(input: SigstoreVerificationInputV2) -> Result<VerificationResponse> {
+    let msg = serde_json::to_vec(&input)
         .map_err(|e| anyhow!("error serializing the validation request: {}", e))?;
-    let response_raw = wapc_guest::host_call("kubewarden", "oci", "v1/verify", &msg)
+    let response_raw = wapc_guest::host_call("kubewarden", "oci", "v2/verify", &msg)
         .map_err(|e| anyhow!("{}", e))?;
 
     let response: VerificationResponse = serde_json::from_slice(&response_raw)?;