From d6f686fa997253486941053b4b098b1a341b1b6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Fri, 2 Feb 2024 10:17:24 -0300 Subject: [PATCH] feat: update policy-evaluator enabling OCI image capability. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the Cargo files pointing to the policy-evaluator version with the new capability to allow users to fetch OCI image manifest. Signed-off-by: José Guilherme Vanz --- Cargo.lock | 125 +++++++++++++++++++++++++-------------- Cargo.toml | 2 +- src/policy_downloader.rs | 2 +- 3 files changed, 84 insertions(+), 45 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c16474a9..e60b4bbe 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -102,9 +102,9 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.5" +version = "1.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2faccea4cc4ab4a667ce676a30e8ec13922a692c99bb8f5b11f1502c72e04220" +checksum = "8901269c6307e8d93993578286ac0edf7f195079ffff5ebdeea6a59ffb7e36bc" [[package]] name = "anstyle-parse" @@ -237,7 +237,7 @@ dependencies = [ "futures-io", "futures-lite 2.2.0", "parking", - "polling 3.3.2", + "polling 3.4.0", "rustix 0.38.31", "slab", "tracing", @@ -469,7 +469,7 @@ dependencies = [ "hyper 1.1.0", "hyper-util", "pin-project-lite", - "rustls", + "rustls 0.21.10", "rustls-pemfile 2.0.0", "tokio", "tokio-rustls", @@ -599,7 +599,7 @@ checksum = "7f30e7476521f6f8af1a1c4c0b8cc94f0bee37d91763d0ca2665f299b6cd8aec" [[package]] name = "burrego" version = "0.3.4" -source = "git+https://github.com/kubewarden/policy-evaluator?tag=v0.14.2#275e402a2f02655babcb68e4a99ad06bd9891c9c" +source = "git+https://github.com/kubewarden/policy-evaluator?tag=v0.15.0#ac2377018cb3cdb1f6f16ab6c7aa51a3b772f92e" dependencies = [ "base64 0.21.7", "chrono", @@ -1573,9 +1573,9 @@ dependencies = [ [[package]] name = "fiat-crypto" -version = "0.2.5" +version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "27573eac26f4dd11e2b1916c3fe1baa56407c83c71a773a8ba17ec0bca03b6b7" +checksum = "1676f435fc1dadde4d03e43f5d62b259e1ce5f40bd4ffb21db2b42ebe59c1382" [[package]] name = "flagset" @@ -1941,9 +1941,9 @@ checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" [[package]] name = "hermit-abi" -version = "0.3.4" +version = "0.3.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d3d0e0f38255e7fa3cf31335b3a56f05febd18025f4db5ef7a0cfb4f8da651f" +checksum = "d0c62115964e08cb8039170eb33c1d0e2388a256930279edca206fff675f82c3" [[package]] name = "hex" @@ -2123,7 +2123,7 @@ dependencies = [ "http 0.2.11", "hyper 0.14.28", "log", - "rustls", + "rustls 0.21.10", "rustls-native-certs", "tokio", "tokio-rustls", @@ -2471,7 +2471,7 @@ dependencies = [ "kube-core", "pem 3.0.3", "pin-project", - "rustls", + "rustls 0.21.10", "rustls-pemfile 1.0.4", "secrecy", "serde", @@ -2962,6 +2962,31 @@ dependencies = [ "unicase", ] +[[package]] +name = "oci-distribution" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2a635cabf7a6eb4e5f13e9e82bd9503b7c2461bf277132e38638a935ebd684b4" +dependencies = [ + "bytes", + "chrono", + "futures-util", + "http 0.2.11", + "http-auth", + "jwt", + "lazy_static", + "olpc-cjson", + "regex", + "reqwest", + "serde", + "serde_json", + "sha2", + "thiserror", + "tokio", + "tracing", + "unicase", +] + [[package]] name = "oid" version = "0.2.1" @@ -3299,9 +3324,9 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" [[package]] name = "pest" -version = "2.7.6" +version = "2.7.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f200d8d83c44a45b21764d1916299752ca035d15ecd46faca3e9a2a2bf6ad06" +checksum = "219c0dcc30b6a27553f9cc242972b67f75b60eb0db71f0b5462f38b058c41546" dependencies = [ "memchr", "thiserror", @@ -3310,9 +3335,9 @@ dependencies = [ [[package]] name = "pest_derive" -version = "2.7.6" +version = "2.7.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bcd6ab1236bbdb3a49027e920e693192ebfe8913f6d60e294de57463a493cfde" +checksum = "22e1288dbd7786462961e69bfd4df7848c1e37e8b74303dbdab82c3a9cdd2809" dependencies = [ "pest", "pest_generator", @@ -3320,9 +3345,9 @@ dependencies = [ [[package]] name = "pest_generator" -version = "2.7.6" +version = "2.7.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2a31940305ffc96863a735bef7c7994a00b325a7138fdbc5bda0f1a0476d3275" +checksum = "1381c29a877c6d34b8c176e734f35d7f7f5b3adaefe940cb4d1bb7af94678e2e" dependencies = [ "pest", "pest_meta", @@ -3333,9 +3358,9 @@ dependencies = [ [[package]] name = "pest_meta" -version = "2.7.6" +version = "2.7.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7ff62f5259e53b78d1af898941cdcdccfae7385cf7d793a6e55de5d05bb4b7d" +checksum = "d0934d6907f148c22a3acbda520c7eed243ad7487a30f51f6ce52b58b7077a8a" dependencies = [ "once_cell", "pest", @@ -3544,7 +3569,7 @@ checksum = "626dec3cac7cc0e1577a2ec3fc496277ec2baa084bebad95bb6fdbfae235f84c" [[package]] name = "policy-evaluator" version = "0.14.2" -source = "git+https://github.com/kubewarden/policy-evaluator?tag=v0.14.2#275e402a2f02655babcb68e4a99ad06bd9891c9c" +source = "git+https://github.com/kubewarden/policy-evaluator?tag=v0.15.0#ac2377018cb3cdb1f6f16ab6c7aa51a3b772f92e" dependencies = [ "anyhow", "base64 0.21.7", @@ -3577,7 +3602,7 @@ dependencies = [ "wapc", "wasi-cap-std-sync", "wasi-common", - "wasmparser 0.120.0", + "wasmparser 0.121.0", "wasmtime", "wasmtime-provider", "wasmtime-wasi", @@ -3585,10 +3610,9 @@ dependencies = [ [[package]] name = "policy-fetcher" -version = "0.8.1" -source = "git+https://github.com/kubewarden/policy-fetcher?tag=v0.8.1#fb5752de196e58df2da6134cb59212d7f6ebc291" +version = "0.8.2" +source = "git+https://github.com/kubewarden/policy-fetcher?tag=v0.8.2#3954be5dffeb3d6281e75aa5ac6d454aa3dbe832" dependencies = [ - "anyhow", "async-std", "async-stream", "async-trait", @@ -3597,17 +3621,18 @@ dependencies = [ "directories", "docker_credential", "lazy_static", - "oci-distribution", + "oci-distribution 0.10.0", "path-slash", "rayon", "regex", "reqwest", - "rustls", + "rustls 0.22.2", "serde", "serde_json", "serde_yaml", "sha2", "sigstore", + "thiserror", "tokio", "tracing", "url", @@ -3672,9 +3697,9 @@ dependencies = [ [[package]] name = "polling" -version = "3.3.2" +version = "3.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "545c980a3880efd47b2e262f6a4bb6daad6555cf3367aa9c4e52895f69537a41" +checksum = "30054e72317ab98eddd8561db0f6524df3367636884b7b21b703e4b280a84a14" dependencies = [ "cfg-if", "concurrent-queue", @@ -4005,7 +4030,7 @@ dependencies = [ "once_cell", "percent-encoding", "pin-project-lite", - "rustls", + "rustls 0.21.10", "rustls-pemfile 1.0.4", "serde", "serde_json", @@ -4171,10 +4196,24 @@ checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" dependencies = [ "log", "ring 0.17.7", - "rustls-webpki", + "rustls-webpki 0.101.7", "sct", ] +[[package]] +name = "rustls" +version = "0.22.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e87c9956bd9807afa1f77e0f7594af32566e830e088a5576d27c5b6f30f49d41" +dependencies = [ + "log", + "ring 0.17.7", + "rustls-pki-types", + "rustls-webpki 0.102.2", + "subtle", + "zeroize", +] + [[package]] name = "rustls-native-certs" version = "0.6.3" @@ -4222,6 +4261,17 @@ dependencies = [ "untrusted 0.9.0", ] +[[package]] +name = "rustls-webpki" +version = "0.102.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "faaa0a62740bedb9b2ef5afa303da42764c012f743917351dc9a237ea1663610" +dependencies = [ + "ring 0.17.7", + "rustls-pki-types", + "untrusted 0.9.0", +] + [[package]] name = "rustversion" version = "1.0.14" @@ -4557,7 +4607,7 @@ dependencies = [ "elliptic-curve", "getrandom", "lazy_static", - "oci-distribution", + "oci-distribution 0.9.4", "olpc-cjson", "openidconnect", "p256", @@ -4938,7 +4988,7 @@ version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ - "rustls", + "rustls 0.21.10", "tokio", ] @@ -5594,17 +5644,6 @@ dependencies = [ "semver", ] -[[package]] -name = "wasmparser" -version = "0.120.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9148127f39cbffe43efee8d5442b16ecdba21567785268daa1ec9e134389705" -dependencies = [ - "bitflags 2.4.2", - "indexmap 2.2.2", - "semver", -] - [[package]] name = "wasmparser" version = "0.121.0" diff --git a/Cargo.toml b/Cargo.toml index 782df53a..92436f02 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -28,7 +28,7 @@ opentelemetry = { version = "0.21", default-features = false, features = [ ] } opentelemetry_sdk = { version = "0.21", features = ["rt-tokio"] } procfs = "0.16" -policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.14.2" } +policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.15.0" } rayon = "1.8" serde_json = "1.0" serde = { version = "1.0", features = ["derive"] } diff --git a/src/policy_downloader.rs b/src/policy_downloader.rs index 86e35c98..2c2ded00 100644 --- a/src/policy_downloader.rs +++ b/src/policy_downloader.rs @@ -257,7 +257,7 @@ async fn create_verifier( None } }; - Verifier::new(sources, fulcio_and_rekor_data.as_ref()) + Ok(Verifier::new(sources, fulcio_and_rekor_data.as_ref())?) } #[cfg(test)]