Merge pull request #292 from flavio/allow-fulcio-and-rekor-data-to-be…

…-none Allow fulcio and rekor data to be None
kubewarden · Jul 18, 2022 · f1c651a · f1c651a
2 parents 5671a08 + 99c2f0e
commit f1c651a
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 25 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "policy-server"
-version = "1.1.0"
+version = "1.1.1"
 authors = [
   "Flavio Castelli <[email protected]>",
   "Rafael Fernández López <[email protected]>",
@@ -11,7 +11,7 @@ edition = "2018"
 [dependencies]
 anyhow = "1.0"
 itertools = "0.10.3"
-policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.4.4" }
+policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.4.5" }
 lazy_static = "1.4.0"
 clap = { version = "3.2.10", features = [ "cargo", "env" ] }
 k8s-openapi = { version = "0.15.0", default-features = false, features = ["v1_24"] }

diff --git a/src/cli.rs b/src/cli.rs
@@ -228,6 +228,7 @@ pub(crate) fn setup_tracing(matches: &clap::ArgMatches) -> Result<()> {
         // let's filter them
         .add_directive("cranelift_codegen=off".parse().unwrap())
         .add_directive("cranelift_wasm=off".parse().unwrap())
+        .add_directive("wasmtime_cranelift=off".parse().unwrap())
         .add_directive("regalloc=off".parse().unwrap())
         .add_directive("hyper=off".parse().unwrap())
         .add_directive("h2=off".parse().unwrap())

diff --git a/src/main.rs b/src/main.rs
@@ -82,13 +82,26 @@ fn main() -> Result<()> {
     let (callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) =
         oneshot::channel();
 
-    let repo = sigstore::tuf::SigstoreRepository::fetch(None)?;
-    let fulcio_and_rekor_data = FulcioAndRekorData::FromTufRepository { repo };
+    let fulcio_and_rekor_data = match sigstore::tuf::SigstoreRepository::fetch(None) {
+        Ok(repo) => Some(FulcioAndRekorData::FromTufRepository { repo }),
+        Err(e) => {
+            // We cannot rely on `tracing` yet, because the tracing system has not
+            // been initialized, this has to be done inside of an async block, which
+            // we cannot use yet
+            eprintln!("Cannot fetch TUF repository: {:?}", e);
+            eprintln!("Sigstore Verifier created without Fulcio data: keyless signatures are going to be discarded because they cannot be verified");
+            eprintln!(
+                "Sigstore Verifier created without Rekor data: transparency log data won't be used"
+            );
+            eprintln!("Sigstore capabilities are going to be limited");
+            None
+        }
+    };
 
     let mut callback_handler = CallbackHandlerBuilder::default()
         .registry_config(sources.clone(), docker_config.clone())
         .shutdown_channel(callback_handler_shutdown_channel_rx)
-        .fulcio_and_rekor_data(&fulcio_and_rekor_data)
+        .fulcio_and_rekor_data(fulcio_and_rekor_data.as_ref())
         .build()?;
     let callback_sender_channel = callback_handler.sender_channel();
 

diff --git a/src/policy_downloader.rs b/src/policy_downloader.rs
@@ -225,11 +225,24 @@ async fn create_verifier(
         None => sigstore::tuf::SigstoreRepository::fetch(None),
     })
     .await
-    .map_err(|e| anyhow!("Cannot spawn blocking task: {}", e))?
-    .map_err(|e| anyhow!("Cannot create TUF repository: {}", e))?;
-
-    let fulcio_and_rekor_data = FulcioAndRekorData::FromTufRepository { repo };
-    Verifier::new(sources, &fulcio_and_rekor_data)
+    .map_err(|e| anyhow!("Cannot spawn blocking task: {}", e))?;
+
+    let fulcio_and_rekor_data = match repo {
+        Ok(repo) => Some(FulcioAndRekorData::FromTufRepository { repo }),
+        Err(e) => {
+            // We cannot rely on `tracing` yet, because the tracing system has not
+            // been initialized, this has to be done inside of an async block, which
+            // we cannot use yet
+            eprintln!("Cannot fetch TUF repository: {:?}", e);
+            eprintln!("Sigstore Verifier created without Fulcio data: keyless signatures are going to be discarded because they cannot be verified");
+            eprintln!(
+                "Sigstore Verifier created without Rekor data: transparency log data won't be used"
+            );
+            eprintln!("Sigstore capabilities are going to be limited");
+            None
+        }
+    };
+    Verifier::new(sources, fulcio_and_rekor_data.as_ref())
 }
 
 #[cfg(test)]