Skip to content

Commit

Permalink
Remove the dependency on v1alpha1.Identity which brings in (#1790)
Browse files Browse the repository at this point in the history
unnecessary k8s libraries.
Brought up as an issue that was merged in: #1759

Signed-off-by: Ville Aikas <[email protected]>
  • Loading branch information
vaikas authored Apr 22, 2022
1 parent d9b4da1 commit afaf0a3
Show file tree
Hide file tree
Showing 3 changed files with 25 additions and 17 deletions.
6 changes: 5 additions & 1 deletion pkg/cosign/kubernetes/webhook/validation.go
Original file line number Diff line number Diff line change
Expand Up @@ -87,12 +87,16 @@ func validSignatures(ctx context.Context, ref name.Reference, verifier signature
// validSignaturesWithFulcio expects a Fulcio Cert to verify against. An
// optional rekorClient can also be given, if nil passed, default is assumed.
func validSignaturesWithFulcio(ctx context.Context, ref name.Reference, fulcioRoots *x509.CertPool, rekorClient *client.Rekor, identities []v1alpha1.Identity, opts ...ociremote.Option) ([]oci.Signature, error) {
ids := make([]cosign.Identity, len(identities))
for i, id := range identities {
ids[i] = cosign.Identity{Issuer: id.Issuer, Subject: id.Subject}
}
sigs, _, err := cosignVerifySignatures(ctx, ref, &cosign.CheckOpts{
RegistryClientOpts: opts,
RootCerts: fulcioRoots,
RekorClient: rekorClient,
ClaimVerifier: cosign.SimpleClaimVerifier,
Identities: identities,
Identities: ids,
})
return sigs, err
}
Expand Down
11 changes: 8 additions & 3 deletions pkg/cosign/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@ import (
"time"

"github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl"
"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
cbundle "github.com/sigstore/cosign/pkg/cosign/bundle"
"github.com/sigstore/cosign/pkg/cosign/tuf"

Expand All @@ -58,6 +57,13 @@ import (
sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
)

// Identity specifies an issuer/subject to verify a signature against.
// Both Issuer/Subject support regexp.
type Identity struct {
Issuer string
Subject string
}

// CheckOpts are the options for checking signatures.
type CheckOpts struct {
// RegistryClientOpts are the options for interacting with the container registry.
Expand Down Expand Up @@ -94,7 +100,7 @@ type CheckOpts struct {
// Identities is an array of Identity (Subject, Issuer) matchers that have
// to be met for the signature to ve valid.
// Supercedes CertEmail / CertOidcIssuer
Identities []v1alpha1.Identity
Identities []Identity
}

func getSignedEntity(signedImgRef name.Reference, regClientOpts []ociremote.Option) (oci.SignedEntity, v1.Hash, error) {
Expand Down Expand Up @@ -189,7 +195,6 @@ func ValidateAndUnpackCert(cert *x509.Certificate, co *CheckOpts) (signature.Ver
for _, identity := range co.Identities {
issuerMatches := false
// Check the issuer first
fmt.Fprintf(os.Stderr, "Checking identity: %+v", identity)
if identity.Issuer != "" {
issuer := getIssuer(cert)
if regex, err := regexp.Compile(identity.Issuer); err != nil {
Expand Down
25 changes: 12 additions & 13 deletions pkg/cosign/verify_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,6 @@ import (
"github.com/in-toto/in-toto-golang/in_toto"
"github.com/pkg/errors"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
"github.com/sigstore/cosign/pkg/cosign/bundle"
ctuf "github.com/sigstore/cosign/pkg/cosign/tuf"
"github.com/sigstore/cosign/pkg/oci/static"
Expand Down Expand Up @@ -558,56 +557,56 @@ func TestValidateAndUnpackCertWithIdentities(t *testing.T) {
oidcIssuer := "https://accounts.google.com"

tests := []struct {
identities []v1alpha1.Identity
identities []Identity
wantErrSubstring string
dnsNames []string
emailAddresses []string
ipAddresses []net.IP
uris []*url.URL
}{
{identities: nil /* No matches required, checks out */},
{identities: []v1alpha1.Identity{ // Strict match on both
{identities: []Identity{ // Strict match on both
{Subject: emailSubject, Issuer: oidcIssuer}},
emailAddresses: []string{emailSubject},
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // just issuer
{identities: []Identity{ // just issuer
{Issuer: oidcIssuer}},
emailAddresses: []string{emailSubject},
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // just subject
{identities: []Identity{ // just subject
{Subject: emailSubject}},
emailAddresses: []string{emailSubject},
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // mis-match
{identities: []Identity{ // mis-match
{Subject: "wrongsubject", Issuer: oidcIssuer},
{Subject: emailSubject, Issuer: "wrongissuer"}},
emailAddresses: []string{emailSubject},
wantErrSubstring: "none of the expected identities matched"},
{identities: []v1alpha1.Identity{ // one good identity, other does not match
{identities: []Identity{ // one good identity, other does not match
{Subject: "wrongsubject", Issuer: "wrongissuer"},
{Subject: emailSubject, Issuer: oidcIssuer}},
emailAddresses: []string{emailSubject},
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // illegal regex for subject
{identities: []Identity{ // illegal regex for subject
{Subject: "****", Issuer: oidcIssuer}},
emailAddresses: []string{emailSubject},
wantErrSubstring: "malformed subject in identity"},
{identities: []v1alpha1.Identity{ // illegal regex for issuer
{identities: []Identity{ // illegal regex for issuer
{Subject: emailSubject, Issuer: "****"}},
wantErrSubstring: "malformed issuer in identity"},
{identities: []v1alpha1.Identity{ // regex matches
{identities: []Identity{ // regex matches
{Subject: ".*example.com", Issuer: ".*accounts.google.*"}},
emailAddresses: []string{emailSubject},
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // regex matches dnsNames
{identities: []Identity{ // regex matches dnsNames
{Subject: ".*ubject.example.com", Issuer: ".*accounts.google.*"}},
dnsNames: dnsSubjects,
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // regex matches ip
{identities: []Identity{ // regex matches ip
{Subject: "1.2.3.*", Issuer: ".*accounts.google.*"}},
ipAddresses: ipSubjects,
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // regex matches urls
{identities: []Identity{ // regex matches urls
{Subject: ".*url.examp.*", Issuer: ".*accounts.google.*"}},
uris: uriSubjects,
wantErrSubstring: ""},
Expand Down

0 comments on commit afaf0a3

Please sign in to comment.