pub enum PluginSource {
LocalDir {
path: PathBuf,
},
LocalArchive {
path: PathBuf,
},
Url {
url: String,
sha256: Option<String>,
allow_unverified: bool,
allow_untrusted_host: bool,
allow_unsigned: bool,
signed_by: Option<String>,
insecure: bool,
},
}Expand description
Where a plugin’s installed bundle came from. Recorded verbatim so
update/reinstall can re-fetch from the same place.
Variants§
LocalDir
Installed from a local directory (copied or referenced in place — the
installer decides which; either way this records the ORIGINAL path the
user pointed at, not necessarily plugin_dir).
LocalArchive
Installed by unpacking a local .tar.gz archive.
Url
Installed by fetching a URL. Three trust layers, all enforced by
bamboo-server’s plugin_source.rs before this record is written:
- Host allowlist (source authorization) — was the URL’s host
fetched from an operator-trusted host (
allow_untrusted_hostopts out). - Signature (publisher authenticity) — did the bundle’s
.sigverify against a trusted ed25519 key (signed_by;allow_unsignedopts out of requiring one). - Checksum (integrity) —
sha256is the user-verified hash of the downloaded BUNDLE (theplugin.json, or the archive containing it) —Somein the normal case, confirmed against a caller-supplied expected hash BEFORE anything was extracted/trusted.
sha256 is None either when the install explicitly opted out of
checksum verification (allow_unverified: true, no hash supplied), OR
when a verified signature (signed_by: Some(_)) already established
integrity+authenticity more strongly than a pasted checksum could —
see plugin_source.rs’s module docs for why a valid signature
supersedes the checksum requirement. An install refuses outright
rather than silently trusting an unpinned/unsigned download from an
untrusted host, so every None/false combination here always means
a deliberate, recorded risk acceptance, never an oversight.
insecure is the convenience AGGREGATE over the three per-layer
opt-outs above: true when this install waived all three at once,
either via a per-install --insecure flag / "insecure": true on the
request, or because plugin_trust.enforcement was off at install
time (see bamboo-server’s plugin_source.rs module docs). Recorded
separately from the three individual allow_* fields so plugin list/audit can tell “an operator deliberately accepted ALL risk for
this source” apart from “these three flags happened to all be set
individually” — functionally identical, but a meaningfully different
signal for review. #[serde(default)] so a pre-existing
installed.json row (written before this field existed) loads as
false rather than failing to deserialize.
Fields
allow_unverified: boolRecorded for audit: true when this install ran with
allow_unverified and no sha256. #[serde(default)] so a
pre-existing installed.json row (written before this field
existed, back when only the per-platform binary artifact was
pinned) loads as false rather than failing to deserialize.
allow_untrusted_host: boolRecorded for audit: true when this install ran with
allow_untrusted_host against a host outside
plugin_trust.trusted_hosts. #[serde(default)] for backward
compat with rows written before this field existed.
allow_unsigned: boolRecorded for audit: true when this install ran with
allow_unsigned (no valid signature from a trusted key).
#[serde(default)] for backward compat.
signed_by: Option<String>The label of the plugin_trust.trusted_keys entry the bundle’s
.sig verified against, or None if the install proceeded
unsigned (allow_unsigned: true). #[serde(default)] for
backward compat with rows written before signing existed.
insecure: boolTrue when this install ran with ALL THREE trust layers waived at
once via the --insecure / "insecure": true aggregate opt-out,
or because plugin_trust.enforcement was off — see this
variant’s doc comment above. #[serde(default)] for backward
compat with rows written before this field existed.
Trait Implementations§
Source§impl Clone for PluginSource
impl Clone for PluginSource
Source§fn clone(&self) -> PluginSource
fn clone(&self) -> PluginSource
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read moreSource§impl Debug for PluginSource
impl Debug for PluginSource
Source§impl<'de> Deserialize<'de> for PluginSource
impl<'de> Deserialize<'de> for PluginSource
Source§fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>where
__D: Deserializer<'de>,
fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>where
__D: Deserializer<'de>,
impl Eq for PluginSource
Source§impl PartialEq for PluginSource
impl PartialEq for PluginSource
Source§impl Serialize for PluginSource
impl Serialize for PluginSource
impl StructuralPartialEq for PluginSource
Auto Trait Implementations§
impl Freeze for PluginSource
impl RefUnwindSafe for PluginSource
impl Send for PluginSource
impl Sync for PluginSource
impl Unpin for PluginSource
impl UnsafeUnpin for PluginSource
impl UnwindSafe for PluginSource
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> DeserializeOwned for Twhere
T: for<'de> Deserialize<'de>,
Source§impl<Q, K> Equivalent<K> for Q
impl<Q, K> Equivalent<K> for Q
Source§impl<Q, K> Equivalent<K> for Q
impl<Q, K> Equivalent<K> for Q
Source§fn equivalent(&self, key: &K) -> bool
fn equivalent(&self, key: &K) -> bool
key and return true if they are equal.