move cleanUpTrustpolicy call

Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>

Author: jagpreetstamber

internal/controller/helmchart_controller.go

@@ -1401,8 +1401,9 @@ func (r *HelmChartReconciler) makeVerifiers(ctx context.Context, obj *helmv1.Hel
 			return nil, err
 		}
 
+		trustPolicy := notation.CleanTrustPolicy(&doc, ctrl.LoggerFrom(ctx))
 		defaultNotaryOciOpts := []notation.Options{
-			notation.WithTrustStore(&doc),
+			notation.WithTrustStore(trustPolicy),
 			notation.WithRemoteOptions(verifyOpts...),
 			notation.WithAuth(clientOpts.Authenticator),
 			notation.WithKeychain(clientOpts.Keychain),

internal/controller/ocirepository_controller.go

@@ -729,8 +729,9 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 
 		verifiedResult := soci.VerificationResultFailed
 
+		trustPolicy := notation.CleanTrustPolicy(&doc, ctrl.LoggerFrom(ctx))
 		defaultNotationOciOpts := []notation.Options{
-			notation.WithTrustStore(&doc),
+			notation.WithTrustStore(trustPolicy),
 			notation.WithRemoteOptions(opt...),
 			notation.WithAuth(auth),
 			notation.WithKeychain(keychain),

internal/oci/notation/notation.go

@@ -71,7 +71,7 @@ func WithInsecureRegistry(insecure bool) Options {
 // WithTrustStore sets the trust store configuration.
 func WithTrustStore(trustStore *trustpolicy.Document) Options {
 	return func(opts *options) {
-		opts.trustPolicy = trustStore
+		opts.trustPolicy = cleanTrustPolicy(trustStore, opts.logger)
 	}
 }
 
@@ -165,7 +165,7 @@ func NewNotationVerifier(opts ...Options) (*NotationVerifier, error) {
 		cert: o.rootCertificate,
 	}
 
-	trustpolicy := cleanTrustPolicy(o.trustPolicy, o.logger)
+	trustpolicy := o.trustPolicy
 	if trustpolicy == nil {
 		return nil, fmt.Errorf("trust policy cannot be empty")
 	}
@@ -185,15 +185,15 @@ func NewNotationVerifier(opts ...Options) (*NotationVerifier, error) {
 	}, nil
 }
 
-// cleanTrustPolicy cleans the given trust policy by removing trust stores and trusted identities
+// CleanTrustPolicy cleans the given trust policy by removing trust stores and trusted identities
 // for trust policy statements that are set to skip signature verification but still have configured trust stores and/or trusted identities.
 // It takes a pointer to a trustpolicy.Document and a logger from the logr package as input parameters.
 // If the trustPolicy is nil, it returns nil.
 // Otherwise, it iterates over the trustPolicy.TrustPolicies and checks if each trust policy statement's
 // SignatureVerification.VerificationLevel is set to trustpolicy.LevelSkip.Name.
 // If it is, it logs a warning message and removes the trust stores and trusted identities for that trust policy statement.
 // Finally, it returns the modified trustPolicy.
-func cleanTrustPolicy(trustPolicy *trustpolicy.Document, logger logr.Logger) *trustpolicy.Document {
+func CleanTrustPolicy(trustPolicy *trustpolicy.Document, logger logr.Logger) *trustpolicy.Document {
 	if trustPolicy == nil {
 		return nil
 	}

internal/oci/notation/notation_test.go

@@ -330,7 +330,7 @@ func TestCleanTrustPolicy(t *testing.T) {
 			logger := logr.New(l)
 
 			if tc.want == nil {
-				cleanedPolicy := cleanTrustPolicy(nil, logger)
+				cleanedPolicy := CleanTrustPolicy(nil, logger)
 				if !reflect.DeepEqual(cleanedPolicy, tc.want) {
 					t.Errorf("got %#v, want %#v", cleanedPolicy, tc.want)
 				}
@@ -342,7 +342,7 @@ func TestCleanTrustPolicy(t *testing.T) {
 				TrustPolicies: tc.policy,
 			}
 
-			cleanedPolicy := cleanTrustPolicy(&policy, logger)
+			cleanedPolicy := CleanTrustPolicy(&policy, logger)
 
 			if !reflect.DeepEqual(cleanedPolicy, tc.want) {
 				t.Errorf("got %#v, want %#v", cleanedPolicy, tc.want)