From 95169988771b3b303884bca6fd1a63f54c387721 Mon Sep 17 00:00:00 2001
From: Ville Aikas <11279988+vaikas@users.noreply.github.com>
Date: Thu, 14 Apr 2022 12:29:05 -0700
Subject: [PATCH] Validate issuer/subject regexp in validate webhook. (#1761)

Signed-off-by: Ville Aikas
---
 .../v1alpha1/clusterimagepolicy_validation.go | 6 ++
 .../clusterimagepolicy_validation_test.go | 61 +++++++++++++++++++
 .../keylessref-with-malformed-issuer.yaml | 25 ++++++++
 .../keylessref-with-malformed-subject.yaml | 25 ++++++++
 .../cosigned/valid/valid-policy-regex.yaml | 4 ++
 5 files changed, 121 insertions(+)
 create mode 100644 test/testdata/cosigned/invalid/keylessref-with-malformed-issuer.yaml
 create mode 100644 test/testdata/cosigned/invalid/keylessref-with-malformed-subject.yaml

diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
index edc12b907ac..c16db8736a7 100644
--- a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
+++ b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
@@ -135,6 +135,12 @@ func (identity *Identity) Validate(ctx context.Context) *apis.FieldError {
 if identity.Issuer == "" && identity.Subject == "" {
 errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject"))
 }
+ if identity.Issuer != "" {
+ errs = errs.Also(ValidateRegex(identity.Issuer).ViaField("issuer"))
+ }
+ if identity.Subject != "" {
+ errs = errs.Also(ValidateRegex(identity.Subject).ViaField("subject"))
+ }
 return errs
 }
diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go
index 5d04662e836..b3213cc67a8 100644
--- a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go
+++ b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go
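Review bot: The new checks only establish that `identity.Issuer` and `identity.Subject` compile as regular expressions; nothing in the hunk says how they are matched, and a syntactically valid but unanchored pattern such as the `.*issuer.*` used in the tests accepts any identity that merely contains that text. If the admission-time comparison (not visible here) is an unanchored match, a short comment at this check would help policy authors, e.g. `// Issuer and Subject are Go regular expressions; anchor them (^...$) to match an exact identity rather than a substring.` The two added blocks are identical apart from the field name; iterating over a small `[]struct{ field, value string }` would keep them in step if further identity fields become patterns. `ValidateRegex` is defined outside the hunk, and `Identity.Validate` begins before it.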
@@ -439,6 +439,67 @@ func TestIdentitiesValidation(t *testing.T) {
 },
 },
 },
+ {
+ name: "Should fail when issuer has invalid regex",
+ expectErr: true,
+ errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].issuer\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+ policy: ClusterImagePolicy{
+ Spec: ClusterImagePolicySpec{
+ Images: []ImagePattern{
+ {
+ Glob: "globbityglob",
+ },
+ },
+ Authorities: []Authority{
+ {
+ Keyless: &KeylessRef{
+ Identities: []Identity{{Issuer: "****"}},
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "Should fail when subject has invalid regex",
+ expectErr: true,
+ errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].subject\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+ policy: ClusterImagePolicy{
+ Spec: ClusterImagePolicySpec{
+ Images: []ImagePattern{
+ {
+ Glob: "globbityglob",
+ },
+ },
+ Authorities: []Authority{
+ {
+ Keyless: &KeylessRef{
+ Identities: []Identity{{Subject: "****"}},
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "Should pass when subject and issuer have valid regex",
+ policy: ClusterImagePolicy{
+ Spec: ClusterImagePolicySpec{
+ Images: []ImagePattern{
+ {
+ Glob: "globbityglob",
+ },
+ },
+ Authorities: []Authority{
+ {
+ Keyless: &KeylessRef{
+ Identities: []Identity{{Subject: ".*subject.*", Issuer: ".*issuer.*"}},
+ },
+ },
+ },
+ },
+ },
+ },
 {
 name: "Should pass when identities is valid",
 expectErr: false,
diff --git a/test/testdata/cosigned/invalid/keylessref-with-malformed-issuer.yaml b/test/testdata/cosigned/invalid/keylessref-with-malformed-issuer.yaml
new file mode 100644
index 00000000000..7b04359ee99
--- /dev/null
+++ b/test/testdata/cosigned/invalid/keylessref-with-malformed-issuer.yaml
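Review bot: The two new failure cases appear to pin the full text of Go's regexp parse error (`error parsing regexp: missing argument to repetition operator: ...`) in `errorString`, so the cases break whenever the standard library rewords that message, which has no bearing on the validation under test. Asserting on the field path and the `regex is invalid` prefix that this package controls, for example via `strings.HasPrefix` or `strings.Contains` on the returned error, would keep them stable across Go versions; the table's comparison helper is outside the hunk, so that may need a small change there. The third case omits `expectErr: false` while the neighbouring `Should pass when identities is valid` case sets it explicitly; either works, but one form keeps the table consistent. `TestIdentitiesValidation` begins before the hunk and continues after it.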
@@ -0,0 +1,25 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: cosigned.sigstore.dev/v1alpha1
+kind: ClusterImagePolicy
+metadata:
+ name: image-policy
+spec:
+ images:
+ - glob: image*
+ authorities:
+ - keyless:
+ identities:
+ - issuer: ****
diff --git a/test/testdata/cosigned/invalid/keylessref-with-malformed-subject.yaml b/test/testdata/cosigned/invalid/keylessref-with-malformed-subject.yaml
new file mode 100644
index 00000000000..fbfd5f57288
--- /dev/null
+++ b/test/testdata/cosigned/invalid/keylessref-with-malformed-subject.yaml
@@ -0,0 +1,25 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: cosigned.sigstore.dev/v1alpha1
+kind: ClusterImagePolicy
+metadata:
+ name: image-policy
+spec:
+ images:
+ - glob: image*
+ authorities:
+ - keyless:
+ identities:
+ - subject: ****
diff --git a/test/testdata/cosigned/valid/valid-policy-regex.yaml b/test/testdata/cosigned/valid/valid-policy-regex.yaml
index a82ae479d84..804ff4127ec 100644
--- a/test/testdata/cosigned/valid/valid-policy-regex.yaml
+++ b/test/testdata/cosigned/valid/valid-policy-regex.yaml
@@ -33,6 +33,10 @@ spec:
 - keyless:
 identities:
 - issuer: "issue-details1"
+ subject: ".*subject.*"
+ - keyless:
+ identities:
+ - issuer: "issue.*"
 - key:
 data: |
 -----BEGIN PUBLIC KEY-----