
Commit b6ebc7f

Merge pull request #737 from fabriziosestito/fix/sigstore-cache-dir-error
fix: sigstore cache dir error
2 parents 30c2cdb + a47ca54 commit b6ebc7f


2 files changed

+65
-59
lines changed


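--- a/src/lib.rs
+++ b/src/lib.rs
@@ -30,7 +30,7 @@ use policy_evaluator::{
 wasmtime,
 };
 use rayon::prelude::*;
-use std::{net::SocketAddr, sync::Arc};
+use std::{fs, net::SocketAddr, sync::Arc};
 use tokio::{
 sync::{oneshot, Semaphore},
 time,
@@ -63,28 +63,42 @@ impl PolicyServer {
 let (callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) =
 oneshot::channel();
 
-let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;
-let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
-.fulcio_certs()
-.expect("Cannot fetch Fulcio certificates from TUF repository")
-.into_iter()
-.map(|c| c.into_owned())
-.collect();
-let manual_root = ManualTrustRoot {
-fulcio_certs: Some(fulcio_certs),
-rekor_keys: Some(
-repo.rekor_keys()
-.expect("Cannot fetch Rekor keys from TUF repository")
-.iter()
-.map(|k| k.to_vec())
-.collect(),
-),
+let manual_root = if config.verification_config.is_some() {
+if !config.sigstore_cache_dir.exists() {
+fs::create_dir_all(&config.sigstore_cache_dir).map_err(|e| {
+anyhow!("Cannot create directory to cache sigstore data: {}", e)
+})?;
+}
+
+let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;
+
+let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
+.fulcio_certs()
+.expect("Cannot fetch Fulcio certificates from TUF repository")
+.into_iter()
+.map(|c| c.into_owned())
+.collect();
+
+let manual_root = ManualTrustRoot {
+fulcio_certs: Some(fulcio_certs),
+rekor_keys: Some(
+repo.rekor_keys()
+.expect("Cannot fetch Rekor keys from TUF repository")
+.iter()
+.map(|k| k.to_vec())
+.collect(),
+),
+};
+
+Some(Arc::new(manual_root))
+} else {
+None
 };
 
 let mut callback_handler_builder =
 CallbackHandlerBuilder::new(callback_handler_shutdown_channel_rx)
 .registry_config(config.sources.clone())
-.trust_root(Some(Arc::new(manual_root)));
+.trust_root(manual_root.clone());
 
 let kube_client: Option<kube::Client> = match kube::Client::try_default().await {
 Ok(client) => Some(client),
@@ -119,12 +133,7 @@ impl PolicyServer {
 let callback_sender_channel = callback_handler.sender_channel();
 
 // Download policies
-let mut downloader = Downloader::new(
-config.sources.clone(),
-config.verification_config.is_some(),
-Some(config.sigstore_cache_dir.clone()),
-)
-.await?;
+let mut downloader = Downloader::new(config.sources.clone(), manual_root.clone()).await?;
 
 let fetched_policies = downloader
 .download_policies(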
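Review bot: The trust root handed to `CallbackHandlerBuilder::trust_root` is now `None` whenever `config.verification_config` is unset (new lines 66-96 and 101), whereas before this change it was always populated. `verification_config` reads as the switch for verifying downloaded policies, so if the callback handler also relies on this trust root for signature checks that policies request at runtime, those would presumably lose their Fulcio/Rekor material on servers started without a verification config; that is worth confirming and recording in the `else` branch, e.g. `// No verification config: the callback handler also runs without a Sigstore trust root`. Separately, the `exists()` test before `fs::create_dir_all` is redundant because `create_dir_all` already succeeds on an existing directory, and the two `.expect(...)` calls panic inside a function that otherwise propagates errors with `?`. The enclosing function starts and ends outside these hunks.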

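--- a/src/policy_downloader.rs
+++ b/src/policy_downloader.rs
@@ -8,10 +8,9 @@ use policy_evaluator::{
 },
 policy_metadata::Metadata,
 };
-use sigstore::trust::{ManualTrustRoot, TrustRoot};
+use sigstore::trust::ManualTrustRoot;
 use std::{
 collections::{HashMap, HashSet},
-fs,
 path::{Path, PathBuf},
 sync::Arc,
 };
@@ -38,12 +37,11 @@ impl<'v> Downloader<'v> {
 /// sigstore.
 pub async fn new(
 sources: Option<Sources>,
-enable_verification: bool,
-sigstore_cache_dir: Option<PathBuf>,
+manual_root: Option<Arc<ManualTrustRoot<'static>>>,
 ) -> Result<Self> {
-let verifier = if enable_verification {
+let verifier = if let Some(manual_root) = manual_root {
 info!("Fetching sigstore data from remote TUF repository");
-Some(create_verifier(sources.clone(), sigstore_cache_dir).await?)
+Some(create_verifier(sources.clone(), manual_root).await?)
 } else {
 None
 };
@@ -222,41 +220,17 @@ impl<'v> Downloader<'v> {
 /// TUF repository of the sigstore project
 async fn create_verifier<'v>(
 sources: Option<Sources>,
-sigstore_cache_dir: Option<PathBuf>,
+manual_root: Arc<ManualTrustRoot<'static>>,
 ) -> Result<Verifier<'v>> {
-if let Some(cache_dir) = sigstore_cache_dir.clone() {
-if !cache_dir.exists() {
-fs::create_dir_all(cache_dir)
-.map_err(|e| anyhow!("Cannot create directory to cache sigstore data: {}", e))?;
-}
-}
-
-let repo =
-sigstore::trust::sigstore::SigstoreTrustRoot::new(sigstore_cache_dir.as_deref()).await?;
-let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
-.fulcio_certs()
-.unwrap()
-.into_iter()
-.map(|c| c.into_owned())
-.collect();
-let manual_root = ManualTrustRoot {
-fulcio_certs: Some(fulcio_certs),
-rekor_keys: Some(
-repo.rekor_keys()
-.unwrap()
-.iter()
-.map(|k| k.to_vec())
-.collect(),
-),
-};
-let verifier = Verifier::new(sources, Some(Arc::new(manual_root))).await?;
+let verifier = Verifier::new(sources, Some(manual_root)).await?;
 
 Ok(verifier)
 }
 
 #[cfg(test)]
 mod tests {
 use super::*;
+use policy_evaluator::policy_fetcher::sigstore::trust::TrustRoot;
 use tempfile::TempDir;
 
 #[tokio::test]
@@ -299,7 +273,7 @@ mod tests {
 
 let policy_download_dir = TempDir::new().expect("Cannot create temp dir");
 
-let mut downloader = Downloader::new(None, true, None).await.unwrap();
+let mut downloader = Downloader::new(None, None).await.unwrap();
 
 let fetched_policies = downloader
 .download_policies(
@@ -340,8 +314,31 @@ mod tests {
 serde_yaml::from_str(policies_cfg).expect("Cannot parse policy cfg");
 
 let policy_download_dir = TempDir::new().expect("Cannot create temp dir");
+let repo = sigstore::trust::sigstore::SigstoreTrustRoot::new(None)
+.await
+.unwrap();
+
+let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
+.fulcio_certs()
+.expect("Cannot fetch Fulcio certificates from TUF repository")
+.into_iter()
+.map(|c| c.into_owned())
+.collect();
+
+let manual_root = ManualTrustRoot {
+fulcio_certs: Some(fulcio_certs),
+rekor_keys: Some(
+repo.rekor_keys()
+.expect("Cannot fetch Rekor keys from TUF repository")
+.iter()
+.map(|k| k.to_vec())
+.collect(),
+),
+};
 
-let mut downloader = Downloader::new(None, true, None).await.unwrap();
+let mut downloader = Downloader::new(None, Some(Arc::new(manual_root)))
+.await
+.unwrap();
 
 let fetched_policies = downloader
 .download_policies(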
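Review bot: The `info!("Fetching sigstore data from remote TUF repository")` message in `Downloader::new` (new line 43) is stale, because the trust root now arrives already built and nothing is fetched at this point, so the log misreports where trust material is loaded. Something like `info!("Creating sigstore verifier from the provided trust root");` fits the new flow, and the doc comment on `create_verifier` that ends with `/// TUF repository of the sigstore project` needs the same update. Passing `None` now silently means "no verifier", so the test at new line 276, which changed from `Downloader::new(None, true, None)` to `Downloader::new(None, None)`, no longer enables verification. If that test is meant to cover a verification path (its body lies outside the hunk), it should build a trust root the way the test at new lines 317-341 does.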
