Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. #1790

Merged
merged 1 commit into from
Apr 22, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion pkg/cosign/kubernetes/webhook/validation.go
Original file line number Diff line number Diff line change
Expand Up @@ -87,12 +87,16 @@ func validSignatures(ctx context.Context, ref name.Reference, verifier signature
// validSignaturesWithFulcio expects a Fulcio Cert to verify against. An
// optional rekorClient can also be given, if nil passed, default is assumed.
func validSignaturesWithFulcio(ctx context.Context, ref name.Reference, fulcioRoots *x509.CertPool, rekorClient *client.Rekor, identities []v1alpha1.Identity, opts ...ociremote.Option) ([]oci.Signature, error) {
ids := make([]cosign.Identity, len(identities))
for i, id := range identities {
ids[i] = cosign.Identity{Issuer: id.Issuer, Subject: id.Subject}
}
sigs, _, err := cosignVerifySignatures(ctx, ref, &cosign.CheckOpts{
RegistryClientOpts: opts,
RootCerts: fulcioRoots,
RekorClient: rekorClient,
ClaimVerifier: cosign.SimpleClaimVerifier,
Identities: identities,
Identities: ids,
})
return sigs, err
}
Expand Down
11 changes: 8 additions & 3 deletions pkg/cosign/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@ import (
"time"

"github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl"
"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
cbundle "github.com/sigstore/cosign/pkg/cosign/bundle"
"github.com/sigstore/cosign/pkg/cosign/tuf"

Expand All @@ -58,6 +57,13 @@ import (
sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
)

// Identity specifies an issuer/subject to verify a signature against.
// Both Issuer/Subject support regexp.
type Identity struct {
Issuer string
Subject string
}

// CheckOpts are the options for checking signatures.
type CheckOpts struct {
// RegistryClientOpts are the options for interacting with the container registry.
Expand Down Expand Up @@ -94,7 +100,7 @@ type CheckOpts struct {
// Identities is an array of Identity (Subject, Issuer) matchers that have
// to be met for the signature to ve valid.
// Supercedes CertEmail / CertOidcIssuer
Identities []v1alpha1.Identity
Identities []Identity
}

func getSignedEntity(signedImgRef name.Reference, regClientOpts []ociremote.Option) (oci.SignedEntity, v1.Hash, error) {
Expand Down Expand Up @@ -189,7 +195,6 @@ func ValidateAndUnpackCert(cert *x509.Certificate, co *CheckOpts) (signature.Ver
for _, identity := range co.Identities {
issuerMatches := false
// Check the issuer first
fmt.Fprintf(os.Stderr, "Checking identity: %+v", identity)
if identity.Issuer != "" {
issuer := getIssuer(cert)
if regex, err := regexp.Compile(identity.Issuer); err != nil {
Expand Down
25 changes: 12 additions & 13 deletions pkg/cosign/verify_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,6 @@ import (
"github.com/in-toto/in-toto-golang/in_toto"
"github.com/pkg/errors"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
"github.com/sigstore/cosign/pkg/cosign/bundle"
ctuf "github.com/sigstore/cosign/pkg/cosign/tuf"
"github.com/sigstore/cosign/pkg/oci/static"
Expand Down Expand Up @@ -558,56 +557,56 @@ func TestValidateAndUnpackCertWithIdentities(t *testing.T) {
oidcIssuer := "https://accounts.google.com"

tests := []struct {
identities []v1alpha1.Identity
identities []Identity
wantErrSubstring string
dnsNames []string
emailAddresses []string
ipAddresses []net.IP
uris []*url.URL
}{
{identities: nil /* No matches required, checks out */},
{identities: []v1alpha1.Identity{ // Strict match on both
{identities: []Identity{ // Strict match on both
{Subject: emailSubject, Issuer: oidcIssuer}},
emailAddresses: []string{emailSubject},
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // just issuer
{identities: []Identity{ // just issuer
{Issuer: oidcIssuer}},
emailAddresses: []string{emailSubject},
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // just subject
{identities: []Identity{ // just subject
{Subject: emailSubject}},
emailAddresses: []string{emailSubject},
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // mis-match
{identities: []Identity{ // mis-match
{Subject: "wrongsubject", Issuer: oidcIssuer},
{Subject: emailSubject, Issuer: "wrongissuer"}},
emailAddresses: []string{emailSubject},
wantErrSubstring: "none of the expected identities matched"},
{identities: []v1alpha1.Identity{ // one good identity, other does not match
{identities: []Identity{ // one good identity, other does not match
{Subject: "wrongsubject", Issuer: "wrongissuer"},
{Subject: emailSubject, Issuer: oidcIssuer}},
emailAddresses: []string{emailSubject},
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // illegal regex for subject
{identities: []Identity{ // illegal regex for subject
{Subject: "****", Issuer: oidcIssuer}},
emailAddresses: []string{emailSubject},
wantErrSubstring: "malformed subject in identity"},
{identities: []v1alpha1.Identity{ // illegal regex for issuer
{identities: []Identity{ // illegal regex for issuer
{Subject: emailSubject, Issuer: "****"}},
wantErrSubstring: "malformed issuer in identity"},
{identities: []v1alpha1.Identity{ // regex matches
{identities: []Identity{ // regex matches
{Subject: ".*example.com", Issuer: ".*accounts.google.*"}},
emailAddresses: []string{emailSubject},
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // regex matches dnsNames
{identities: []Identity{ // regex matches dnsNames
{Subject: ".*ubject.example.com", Issuer: ".*accounts.google.*"}},
dnsNames: dnsSubjects,
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // regex matches ip
{identities: []Identity{ // regex matches ip
{Subject: "1.2.3.*", Issuer: ".*accounts.google.*"}},
ipAddresses: ipSubjects,
wantErrSubstring: ""},
{identities: []v1alpha1.Identity{ // regex matches urls
{identities: []Identity{ // regex matches urls
{Subject: ".*url.examp.*", Issuer: ".*accounts.google.*"}},
uris: uriSubjects,
wantErrSubstring: ""},
Expand Down