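// Package api defines the ImagePolicy custom resource: a list of images
// bound to a signature-verification Policy whose fields mirror the
// containers-policy.json(5) settings that get rendered into
// ImagePolicyStatus.PolicyJSON.
package api

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// ImagePolicy binds a set of images/repositories (Spec.Images) to one
// verification policy (Spec.Policy). Status reports the rendered policy.
type ImagePolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   ImagePolicySpec   `json:"spec"`
	Status ImagePolicyStatus `json:"status,omitempty"`
}

// ImagePolicySpec is the desired state of an ImagePolicy.
type ImagePolicySpec struct {
	// Images holds images/repositories to be verified.
	Images []Image `json:"images"`

	// Policy defines the verification policy applied to every entry in
	// Images.
	Policy Policy `json:"policy"`
}

// Image is one entry of ImagePolicySpec.Images: an image or repository
// reference assigned to a policy. For more information about the format,
// see the document about the location field:
// https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker
//
// NOTE(review): whether a repository entry also covers every tag/digest
// below it follows the scope rules in that document — confirm the
// controller applies the same matching before relying on a broad entry.
type Image string

// Policy describes how signatures for the images in ImagePolicySpec.Images
// are verified. Nothing in this type enforces that a consistent set of
// fields is populated (key-based vs. keyless); that validation has to live
// in the controller or the CRD schema — confirm.
type Policy struct {
	// KeyData contains inline base64 data of the public key. Can be empty if
	// the image got signed keyless; presumably OIDCIssuer and SubjectEmail
	// then identify the expected signer instead — confirm.
	KeyData string `json:"keyData,omitempty"`

	// OIDCIssuer contains the expected OIDC issuer.
	// Example: "https://expected.OIDC.issuer/"
	// NOTE(review): an issuer on its own only says which identity provider
	// vouched for the signer; pair it with SubjectEmail, otherwise any
	// identity from that provider would be accepted — confirm the controller
	// requires both for keyless verification.
	OIDCIssuer string `json:"oidcIssuer,omitempty"`

	// SubjectEmail holds the email address of the subject.
	// Example: "expected-signing-user@example.com"
	SubjectEmail string `json:"subjectEmail,omitempty"`

	// SignedIdentity specifies what image identity the signature claims about
	// the image. See Identity for the matching options; what an empty value
	// defaults to is decided by the controller — confirm.
	SignedIdentity Identity `json:"signedIdentity,omitempty"`

	// FulcioCAData contains inline base64 data for the fulcio CA certificate.
	// Defaults to the base64 encoded contents of:
	// https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem
	// NOTE(review): the default should be a reviewed copy pinned at build
	// time, not fetched from that URL at runtime — confirm. Overriding this
	// field redirects trust to a different Fulcio, so whoever may write an
	// ImagePolicy effectively chooses the CA; RBAC on this resource is
	// security-critical.
	FulcioCAData string `json:"fulcioCAData,omitempty"`

	// RekorKeyData contains inline base64 data of the rekor public key.
	// Defaults to the base64 encoded contents of:
	// https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub
	// The same pinning and override caveats as for FulcioCAData apply.
	RekorKeyData string `json:"rekorKeyData,omitempty"`
}

// Identity describes which image identity a signature is expected to claim.
// The field names follow the signedIdentity object of
// containers-policy.json(5) (see the link on Image); the per-field notes
// below are inferred from the names, since this file documents none of
// them — verify against the controller.
type Identity struct {
	// IdentityMatchPolicy selects the matching rule. NOTE(review): a rule
	// that ignores the tag/digest lets any signed image of the repository
	// satisfy the policy, so prefer the strictest rule the workflow allows.
	IdentityMatchPolicy IdentityMatchPolicy `json:"identityMatchPolicy,omitempty"`

	// Prefix is presumably the prefix of the reference being pulled that is
	// rewritten under a remapping match policy — confirm.
	Prefix string `json:"prefix,omitempty"`

	// SignedPrefix is presumably the prefix the signature refers to, which
	// replaces Prefix when matching — confirm.
	SignedPrefix string `json:"signedPrefix,omitempty"`
}

// ImagePolicyStatus is the observed state of an ImagePolicy.
type ImagePolicyStatus struct {
	// TODO: DO we need conditions?
	// Conditions []Condition `json:"conditions,omitempty"`

	// PolicyJSON contains the whole policy applied to the namespace which got
	// written to disk. This includes cluster-wide policies from the
	// `openshift-config` namespace as well.
	// NOTE(review): nothing here records when or on which node the file was
	// written, so treat this as informational rather than as proof of what
	// is currently enforced.
	PolicyJSON string `json:"policyJSON,omitempty"`
}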