From 2ccb1a20734edf04f097afeafc316af4c45a010c Mon Sep 17 00:00:00 2001 From: Ville Aikas <11279988+vaikas@users.noreply.github.com> Date: Thu, 2 Jun 2022 18:28:39 +0300 Subject: [PATCH] fix: fix #1930 for AWS KMS formats (#1946) * fix: fix #1930 for AWS KMS formats Signed-off-by: Ville Aikas * use v2 of aws go-sdk, didn't realize there was one. Signed-off-by: Ville Aikas * Fix the lint + add missing authorities section to test crds. doh. Signed-off-by: Ville Aikas * can't even Signed-off-by: Ville Aikas * Actually validate keyless ca-cert as keyref. Yikes. Signed-off-by: Ville Aikas * also v1beta1. Signed-off-by: Ville Aikas --- config/300-clusterimagepolicy.yaml | 4 +- go.mod | 2 +- .../v1alpha1/clusterimagepolicy_types.go | 1 + .../v1alpha1/clusterimagepolicy_validation.go | 47 +++++++ .../clusterimagepolicy_validation_test.go | 116 +++++++++++++++++- .../v1beta1/clusterimagepolicy_types.go | 1 + .../v1beta1/clusterimagepolicy_validation.go | 47 ++++++- .../clusterimagepolicy_validation_test.go | 116 +++++++++++++++++- .../invalid/invalid-keyref-awskms.yaml | 34 +++++ .../valid/valid-keylessref-awskms.yaml | 34 +++++ .../valid/valid-keyref-awskms.yaml | 30 +++++ 11 files changed, 426 insertions(+), 6 deletions(-) create mode 100644 test/testdata/policy-controller/invalid/invalid-keyref-awskms.yaml create mode 100644 test/testdata/policy-controller/valid/valid-keylessref-awskms.yaml create mode 100644 test/testdata/policy-controller/valid/valid-keyref-awskms.yaml
diff --git a/config/300-clusterimagepolicy.yaml b/config/300-clusterimagepolicy.yaml
index e8d5d8ce4a3..8942909101e 100644
--- a/config/300-clusterimagepolicy.yaml
+++ b/config/300-clusterimagepolicy.yaml
@@ -86,7 +86,7 @@ spec:
 description: Data contains the inline public key
 type: string
 kms:
- description: KMS contains the KMS url of the public key
+ description: KMS contains the KMS url of the public key Supported formats differ based on the KMS system used.
 type: string
 secretRef:
 type: object
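Review bot: The new `kms` description reads as one run-on sentence, `...url of the public key Supported formats differ...`, because the first sentence has no terminating period; the same text is added in the `-107` hunk below and to the `KMS` field comments in both `clusterimagepolicy_types.go` files. Suggest `description: KMS contains the KMS url of the public key. Supported formats differ based on the KMS system used.` and a period after `public key` in the Go comments. Since this change now rejects some values at admission time, the description could also name the one format that is actually checked, `awskms://[$ENDPOINT]/$KEYID with a key or alias ARN`, so CRD users can see what will be refused.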
@@ -107,7 +107,7 @@ spec:
 description: Data contains the inline public key
 type: string
 kms:
- description: KMS contains the KMS url of the public key
+ description: KMS contains the KMS url of the public key Supported formats differ based on the KMS system used.
 type: string
 secretRef:
 type: object
diff --git a/go.mod b/go.mod
index d3276ad6a94..7e257c4d7f8 100644
--- a/go.mod
+++ b/go.mod
@@ -8,6 +8,7 @@ require (
 github.com/ThalesIgnite/crypto11 v1.2.5
 github.com/armon/go-metrics v0.4.0
 github.com/armon/go-radix v1.0.0
+ github.com/aws/aws-sdk-go-v2 v1.14.0
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795
 github.com/cenkalti/backoff/v3 v3.2.2
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21
@@ -122,7 +123,6 @@ require (
 github.com/ReneKroon/ttlcache/v2 v2.11.0 // indirect
 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 github.com/aws/aws-sdk-go v1.43.45 // indirect
- github.com/aws/aws-sdk-go-v2 v1.14.0 // indirect
 github.com/aws/aws-sdk-go-v2/config v1.14.0 // indirect
 github.com/aws/aws-sdk-go-v2/credentials v1.9.0 // indirect
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.11.0 // indirect
diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go
index 682f368512f..e382d39ae14 100644
--- a/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go
+++ b/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go
@@ -104,6 +104,7 @@ type KeyRef struct {
 // +optional
 Data string `json:"data,omitempty"`
 // KMS contains the KMS url of the public key
+ // Supported formats differ based on the KMS system used.
 // +optional
 KMS string `json:"kms,omitempty"`
 }
diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation.go
index 7881a9c816d..e47b79bbf19 100644
--- a/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation.go
+++ b/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation.go
@@ -17,13 +17,18 @@ package v1alpha1
 import (
 "context"
 "fmt"
+ "net"
 "path/filepath"
 "regexp"
+ "strings"
+ "github.com/aws/aws-sdk-go-v2/aws/arn"
 "github.com/sigstore/cosign/pkg/apis/utils"
 "knative.dev/pkg/apis"
 )
+const awsKMSPrefix = "awskms://"
+
 // Validate implements apis.Validatable
 func (c *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError {
 return c.Spec.Validate(ctx).ViaField("spec")
@@ -54,6 +59,7 @@ func (image *ImagePattern) Validate(ctx context.Context) *apis.FieldError {
 }
 errs = errs.Also(ValidateGlob(image.Glob).ViaField("glob"))
+
 return errs
 }
@@ -104,6 +110,11 @@ func (key *KeyRef) Validate(ctx context.Context) *apis.FieldError {
 } else if key.KMS != "" && key.SecretRef != nil {
 errs = errs.Also(apis.ErrMultipleOneOf("data", "kms", "secretref"))
 }
+ if key.KMS != "" {
+ if strings.HasPrefix(key.KMS, awsKMSPrefix) {
+ errs = errs.Also(validateAWSKMS(key.KMS).ViaField("kms"))
+ }
+ }
 return errs
 }
@@ -122,6 +133,9 @@ func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError {
 errs = errs.Also(apis.ErrMissingField("identities"))
 }
+ if keyless.CACert != nil {
+ errs = errs.Also(keyless.DeepCopy().CACert.Validate(ctx).ViaField("ca-cert"))
+ }
 for i, identity := range keyless.Identities {
 errs = errs.Also(identity.Validate(ctx).ViaFieldIndex("identities", i))
 }
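Review bot: The outer `if key.KMS != ""` in the new KeyRef.Validate block is redundant, since `strings.HasPrefix("", awsKMSPrefix)` is already false, so the two nested conditions can collapse to `if strings.HasPrefix(key.KMS, awsKMSPrefix) {`. It is also worth stating in a comment that only the AWS scheme is format-checked, e.g. `// Only awskms:// references are format-checked here; other KMS schemes are passed through unchanged.`, because the CRD description now promises format rules "based on the KMS system used". The v1beta1 copy at `-105,6 +110,11` has the same shape; KeyRef.Validate begins outside the hunk.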
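Review bot: Validating `ca-cert` by reusing KeyRef.Validate applies KeyRef's rules to a CA certificate, and the accompanying test change that replaces `Data: "---certificate---"` with a PEM public key suggests the `data` branch (outside this hunk) accepts public keys rather than certificates; if so, a genuine CA certificate placed in `ca-cert.data` would now be rejected by the admission webhook. Please confirm what KeyRef.Validate does with `Data` and either relax that path for ca-cert or document the constraint on the field. Separately, `keyless.DeepCopy().CACert.Validate(ctx)` copies the whole KeylessRef, identities included, just to validate one pointer; unless Validate mutates its receiver, `keyless.CACert.Validate(ctx).ViaField("ca-cert")` is equivalent. The v1beta1 hunk at `-123,6 +133,9` has the same two points; KeylessRef.Validate begins outside the hunk.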
@@ -209,3 +223,36 @@ func ValidateRegex(regex string) *apis.FieldError {
 return nil
 }
+
+// validateAWSKMS validates that the KMS conforms to AWS
+// KMS format:
+// awskms://$ENDPOINT/$KEYID
+// Where:
+// $ENDPOINT is optional
+// $KEYID is either the key ARN or an alias ARN
+// Reasoning for only supporting these formats is that other
+// formats require additional configuration via ENV variables.
+func validateAWSKMS(kms string) *apis.FieldError {
+ parts := strings.Split(kms, "/")
+ if len(parts) < 4 {
+ return apis.ErrInvalidValue(kms, apis.CurrentField, "malformed AWS KMS format, should be: 'awskms://$ENDPOINT/$KEYID'")
+ }
+ endpoint := parts[2]
+ // missing endpoint is fine, only validate if not empty
+ if endpoint != "" {
+ _, _, err := net.SplitHostPort(endpoint)
+ if err != nil {
+ return apis.ErrInvalidValue(kms, apis.CurrentField, fmt.Sprintf("malformed endpoint: %s", err))
+ }
+ }
+ keyID := parts[3]
+ arn, err := arn.Parse(keyID)
+ if err != nil {
+ return apis.ErrInvalidValue(kms, apis.CurrentField, fmt.Sprintf("failed to parse either key or alias arn: %s", err))
+ }
+ // Only support key or alias ARN.
+ if arn.Resource != "key" && arn.Resource != "alias" {
+ return apis.ErrInvalidValue(kms, apis.CurrentField, fmt.Sprintf("Got ARN: %+v Resource: %s", arn, arn.Resource))
+ }
+ return nil
+}
diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation_test.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation_test.go
index 679f835b534..2384ace9244 100644
--- a/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation_test.go
+++ b/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation_test.go
@@ -16,6 +16,7 @@ package v1alpha1
 import (
 "context"
+ "strings"
 "testing"
 "github.com/stretchr/testify/require"
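Review bot: `keyID := parts[3]` hands `arn.Parse` only the ARN up to the resource type, because a key or alias ARN itself contains a `/` that `strings.Split(kms, "/")` has already cut on; that is why the check below compares against bare `"key"`/`"alias"`. The key id or alias name in `parts[4:]` is never examined, so `awskms:///arn:aws:kms:us-east-2:111122223333:key` (four parts, no id) and any trailing `/garbage` after a valid id both pass validation. Rejoining `parts[3:]` before parsing and requiring a non-empty id after `key/` or `alias/` closes that gap, and naming the parsed value something other than `arn` stops it shadowing the imported package; the table tests only exercise the parse-failure messages, so changing the final error text should not break them, and the v1beta1 copy at `-211,3 +223,36` needs the same fix. Separately, `net.SplitHostPort` rejects an endpoint with no port (`awskms://localhost/...` fails with "missing port in address"), which the doc comment's `$ENDPOINT is optional` does not convey — either document `$ENDPOINT is host:port` or accept a bare host if that is intended.
```go
	// … unchanged: parts split, length check and endpoint validation …
	keyID := strings.Join(parts[3:], "/") // the ARN contains "/", so re-join everything after the endpoint
	a, err := arn.Parse(keyID)            // not named arn, to avoid shadowing the package
	if err != nil {
		return apis.ErrInvalidValue(kms, apis.CurrentField, fmt.Sprintf("failed to parse either key or alias arn: %s", err))
	}
	// Only key/<id> and alias/<name> resources are supported, and the id must be present.
	res := strings.SplitN(a.Resource, "/", 2)
	if len(res) != 2 || res[1] == "" || (res[0] != "key" && res[0] != "alias") {
		return apis.ErrInvalidValue(kms, apis.CurrentField, fmt.Sprintf("unsupported ARN resource %q, want key/<id> or alias/<name>", a.Resource))
	}
	return nil
```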
@@ -23,6 +24,8 @@ import (
 "knative.dev/pkg/apis"
 )
+const validPublicKey = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaEOVJCFtduYr3xqTxeRWSW32CY/s\nTBNZj4oIUPl8JvhVPJ1TKDPlNcuT4YphSt6t3yOmMvkdQbCj8broX6vijw==\n-----END PUBLIC KEY-----"
+
 func TestImagePatternValidation(t *testing.T) {
 tests := []struct {
 name string
@@ -282,7 +285,7 @@ func TestKeylessValidation(t *testing.T) {
 Host: "myhost",
 },
 CACert: &KeyRef{
- Data: "---certificate---",
+ Data: validPublicKey,
 },
 },
 },
@@ -384,6 +387,37 @@ func TestAuthoritiesValidation(t *testing.T) {
 },
 },
 },
+ {
+ name: "Should fail with invalid AWS KMS for Keyful",
+ expectErr: true,
+ errorString: "invalid value: awskms://localhost:8888/arn:butnotvalid: spec.authorities[0].key.kms\nfailed to parse either key or alias arn: arn: not enough sections",
+ policy: ClusterImagePolicy{
+ Spec: ClusterImagePolicySpec{
+ Images: []ImagePattern{{Glob: "gcr.io/*"}},
+ Authorities: []Authority{
+ {
+ Key: &KeyRef{KMS: "awskms://localhost:8888/arn:butnotvalid"},
+ Sources: []Source{{OCI: "registry.example.com"}},
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "Should fail with invalid AWS KMS for Keyless",
+ expectErr: true,
+ errorString: "invalid value: awskms://localhost:8888/arn:butnotvalid: spec.authorities[0].keyless.ca-cert.kms\nfailed to parse either key or alias arn: arn: not enough sections",
+ policy: ClusterImagePolicy{
+ Spec: ClusterImagePolicySpec{
+ Images: []ImagePattern{{Glob: "gcr.io/*"}},
+ Authorities: []Authority{
+ {
+ Keyless: &KeylessRef{CACert: &KeyRef{KMS: "awskms://localhost:8888/arn:butnotvalid"}},
+ },
+ },
+ },
+ },
+ },
 {
 name: "Should fail when source oci is empty",
 expectErr: true,
@@ -710,3 +744,83 @@ func TestIdentitiesValidation(t *testing.T) {
 })
 }
 }
+
+func TestAWSKMSValidation(t *testing.T) {
+ // Note the error messages betweeen the kms / cacert validation is
+ // identical, with the only difference being `kms` or `ca-cert.kms`. Reason
+ // for the ca-cert.kms is because it's embedded within the ca-cert that
+ // we pass in. So we put a KMSORCACERT into the err string that we then
+ // replace based on the tests so we don't have to write identical tests
+ // for both of them.
+ tests := []struct {
+ name string
+ expectErr bool
+ errorString string
+ kms string
+ }{
+ {
+ name: "malformed, only 2 slashes ",
+ expectErr: true,
+ errorString: "invalid value: awskms://1234abcd-12ab-34cd-56ef-1234567890ab: KMSORCACERT\nmalformed AWS KMS format, should be: 'awskms://$ENDPOINT/$KEYID'",
+ kms: "awskms://1234abcd-12ab-34cd-56ef-1234567890ab",
+ },
+ {
+ name: "fails with invalid host",
+ expectErr: true,
+ errorString: "invalid value: awskms://localhost:::4566/alias/exampleAlias: KMSORCACERT\nmalformed endpoint: address localhost:::4566: too many colons in address",
+ kms: "awskms://localhost:::4566/alias/exampleAlias",
+ },
+ {
+ name: "fails with non-arn alias",
+ expectErr: true,
+ errorString: "invalid value: awskms://localhost:4566/alias/exampleAlias: KMSORCACERT\nfailed to parse either key or alias arn: arn: invalid prefix",
+ kms: "awskms://localhost:4566/alias/exampleAlias",
+ },
+ {
+ name: "Should fail when arn is invalid",
+ expectErr: true,
+ errorString: "invalid value: awskms://localhost:4566/arn:sonotvalid: KMSORCACERT\nfailed to parse either key or alias arn: arn: not enough sections",
+ kms: "awskms://localhost:4566/arn:sonotvalid",
+ },
+ {
+ name: "works with valid arn key and endpoint",
+ kms: "awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ },
+ {
+ name: "works with valid arn key and no endpoint",
+ kms: "awskms:///arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ },
+ {
+ name: "works with valid arn alias and endpoint",
+ kms: "awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias",
+ },
+ {
+ name: "works with valid arn alias and no endpoint",
+ kms: "awskms:///arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias",
+ },
+ }
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ // First test with KeyRef
+ keyRef := KeyRef{KMS: test.kms}
+ err := keyRef.Validate(context.TODO())
+ if test.expectErr {
+ require.NotNil(t, err)
+ kmsErrString := strings.Replace(test.errorString, "KMSORCACERT", "kms", 1)
+ require.EqualError(t, err, kmsErrString)
+ } else {
+ require.Nil(t, err)
+ }
+ // Then with Keyless with CACert as KeyRef
+ keylessRef := KeylessRef{CACert: &keyRef}
+ err = keylessRef.Validate(context.TODO())
+ if test.expectErr {
+ require.NotNil(t, err)
+ caCertErrString := strings.Replace(test.errorString, "KMSORCACERT", "ca-cert.kms", 1)
+ require.EqualError(t, err, caCertErrString)
+ } else {
+ require.Nil(t, err)
+ }
+ })
+ }
+}
diff --git a/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go b/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go
index 3840189755d..2f1210c38a9 100644
--- a/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go
+++ b/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go
@@ -104,6 +104,7 @@ type KeyRef struct {
 // +optional
 Data string `json:"data,omitempty"`
 // KMS contains the KMS url of the public key
+ // Supported formats differ based on the KMS system used.
 // +optional
 KMS string `json:"kms,omitempty"`
 }
diff --git a/pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go b/pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go
index 86a05e664ea..8976570d715 100644
--- a/pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go
+++ b/pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go
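Review bot: The table has no negative case where the ARN is well-formed but carries no key id or alias name, e.g. `kms: "awskms:///arn:aws:kms:us-east-2:111122223333:key"`, nor one with an extra `/segment` after a valid id; both currently pass `validateAWSKMS` because only `parts[3]` of the split URL is parsed, so a row with `expectErr: true` for each would pin the intended behaviour and catch the gap. A case with a host-only endpoint (`awskms://localhost/arn:...`) would also document whether the `host:port` requirement imposed by `net.SplitHostPort` is intended. Minor: `betweeen` in the leading comment is a typo, and the comment could say in one line what the `KMSORCACERT` placeholder is for, e.g. `// KMSORCACERT is replaced with "kms" or "ca-cert.kms" so one table covers both KeyRef and KeylessRef.CACert.` The v1beta1 copy of this test at `-676,3 +710,83` has the same gaps.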
@@ -17,13 +17,18 @@ package v1beta1
 import (
 "context"
 "fmt"
+ "net"
 "path/filepath"
 "regexp"
+ "strings"
+ "github.com/aws/aws-sdk-go-v2/aws/arn"
 "github.com/sigstore/cosign/pkg/apis/utils"
 "knative.dev/pkg/apis"
 )
+const awsKMSPrefix = "awskms://"
+
 // Validate implements apis.Validatable
 func (c *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError {
 return c.Spec.Validate(ctx).ViaField("spec")
@@ -105,6 +110,11 @@ func (key *KeyRef) Validate(ctx context.Context) *apis.FieldError {
 } else if key.KMS != "" && key.SecretRef != nil {
 errs = errs.Also(apis.ErrMultipleOneOf("data", "kms", "secretref"))
 }
+ if key.KMS != "" {
+ if strings.HasPrefix(key.KMS, awsKMSPrefix) {
+ errs = errs.Also(validateAWSKMS(key.KMS).ViaField("kms"))
+ }
+ }
 return errs
 }
@@ -123,6 +133,9 @@ func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError {
 errs = errs.Also(apis.ErrMissingField("identities"))
 }
+ if keyless.CACert != nil {
+ errs = errs.Also(keyless.DeepCopy().CACert.Validate(ctx).ViaField("ca-cert"))
+ }
 for i, identity := range keyless.Identities {
 errs = errs.Also(identity.Validate(ctx).ViaFieldIndex("identities", i))
 }
@@ -203,7 +216,6 @@ func ValidateGlob(glob string) *apis.FieldError {
 }
 func ValidateRegex(regex string) *apis.FieldError {
- // It's a regexp, so pull out the regex
 _, err := regexp.Compile(regex)
 if err != nil {
 return apis.ErrInvalidValue(regex, apis.CurrentField, fmt.Sprintf("regex is invalid: %v", err))
@@ -211,3 +223,36 @@ func ValidateRegex(regex string) *apis.FieldError {
 return nil
 }
+
+// validateAWSKMS validates that the KMS conforms to AWS
+// KMS format:
+// awskms://$ENDPOINT/$KEYID
+// Where:
+// $ENDPOINT is optional
+// $KEYID is either the key ARN or an alias ARN
+// Reasoning for only supporting these formats is that other
+// formats require additional configuration via ENV variables.
+func validateAWSKMS(kms string) *apis.FieldError {
+ parts := strings.Split(kms, "/")
+ if len(parts) < 4 {
+ return apis.ErrInvalidValue(kms, apis.CurrentField, "malformed AWS KMS format, should be: 'awskms://$ENDPOINT/$KEYID'")
+ }
+ endpoint := parts[2]
+ // missing endpoint is fine, only validate if not empty
+ if endpoint != "" {
+ _, _, err := net.SplitHostPort(endpoint)
+ if err != nil {
+ return apis.ErrInvalidValue(kms, apis.CurrentField, fmt.Sprintf("malformed endpoint: %s", err))
+ }
+ }
+ keyID := parts[3]
+ arn, err := arn.Parse(keyID)
+ if err != nil {
+ return apis.ErrInvalidValue(kms, apis.CurrentField, fmt.Sprintf("failed to parse either key or alias arn: %s", err))
+ }
+ // Only support key or alias ARN.
+ if arn.Resource != "key" && arn.Resource != "alias" {
+ return apis.ErrInvalidValue(kms, apis.CurrentField, fmt.Sprintf("Got ARN: %+v Resource: %s", arn, arn.Resource))
+ }
+ return nil
+}
diff --git a/pkg/apis/policy/v1beta1/clusterimagepolicy_validation_test.go b/pkg/apis/policy/v1beta1/clusterimagepolicy_validation_test.go
index 3dad6b9b51d..65cfe223f90 100644
--- a/pkg/apis/policy/v1beta1/clusterimagepolicy_validation_test.go
+++ b/pkg/apis/policy/v1beta1/clusterimagepolicy_validation_test.go
@@ -16,6 +16,7 @@ package v1beta1
 import (
 "context"
+ "strings"
 "testing"
 "github.com/stretchr/testify/require"
@@ -23,6 +24,8 @@ import (
 "knative.dev/pkg/apis"
 )
+const validPublicKey = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaEOVJCFtduYr3xqTxeRWSW32CY/s\nTBNZj4oIUPl8JvhVPJ1TKDPlNcuT4YphSt6t3yOmMvkdQbCj8broX6vijw==\n-----END PUBLIC KEY-----"
+
 func TestImagePatternValidation(t *testing.T) {
 tests := []struct {
 name string
@@ -169,6 +172,22 @@ func TestKeyValidation(t *testing.T) {
 },
 },
 },
+ {
+ name: "Should fail with invalid AWS KMS for Keyful",
+ expectErr: true,
+ errorString: "invalid value: awskms://localhost:8888/arn:butnotvalid: spec.authorities[0].key.kms\nfailed to parse either key or alias arn: arn: not enough sections",
+ policy: ClusterImagePolicy{
+ Spec: ClusterImagePolicySpec{
+ Images: []ImagePattern{{Glob: "gcr.io/*"}},
+ Authorities: []Authority{
+ {
+ Key: &KeyRef{KMS: "awskms://localhost:8888/arn:butnotvalid"},
+ Sources: []Source{{OCI: "registry.example.com"}},
+ },
+ },
+ },
+ },
+ },
 {
 name: "Should pass when key has only one property: %v",
 errorString: "",
@@ -248,7 +267,7 @@ func TestKeylessValidation(t *testing.T) {
 Host: "myhost",
 },
 CACert: &KeyRef{
- Data: "---certificate---",
+ Data: validPublicKey,
 },
 },
 },
@@ -278,6 +297,21 @@ func TestKeylessValidation(t *testing.T) {
 },
 },
 },
+ {
+ name: "Should fail with invalid AWS KMS for Keyless",
+ expectErr: true,
+ errorString: "invalid value: awskms://localhost:8888/arn:butnotvalid: spec.authorities[0].keyless.ca-cert.kms\nfailed to parse either key or alias arn: arn: not enough sections",
+ policy: ClusterImagePolicy{
+ Spec: ClusterImagePolicySpec{
+ Images: []ImagePattern{{Glob: "gcr.io/*"}},
+ Authorities: []Authority{
+ {
+ Keyless: &KeylessRef{CACert: &KeyRef{KMS: "awskms://localhost:8888/arn:butnotvalid"}},
+ },
+ },
+ },
+ },
+ },
 }
 for _, test := range tests {
@@ -676,3 +710,83 @@ func TestIdentitiesValidation(t *testing.T) {
 })
 }
 }
+
+func TestAWSKMSValidation(t *testing.T) {
+ // Note the error messages betweeen the kms / cacert validation is
+ // identical, with the only difference being `kms` or `ca-cert.kms`. Reason
+ // for the ca-cert.kms is because it's embedded within the ca-cert that
+ // we pass in. So we put a KMSORCACERT into the err string that we then
+ // replace based on the tests so we don't have to write identical tests
+ // for both of them.
+ tests := []struct {
+ name string
+ expectErr bool
+ errorString string
+ kms string
+ }{
+ {
+ name: "malformed, only 2 slashes ",
+ expectErr: true,
+ errorString: "invalid value: awskms://1234abcd-12ab-34cd-56ef-1234567890ab: KMSORCACERT\nmalformed AWS KMS format, should be: 'awskms://$ENDPOINT/$KEYID'",
+ kms: "awskms://1234abcd-12ab-34cd-56ef-1234567890ab",
+ },
+ {
+ name: "fails with invalid host",
+ expectErr: true,
+ errorString: "invalid value: awskms://localhost:::4566/alias/exampleAlias: KMSORCACERT\nmalformed endpoint: address localhost:::4566: too many colons in address",
+ kms: "awskms://localhost:::4566/alias/exampleAlias",
+ },
+ {
+ name: "fails with non-arn alias",
+ expectErr: true,
+ errorString: "invalid value: awskms://localhost:4566/alias/exampleAlias: KMSORCACERT\nfailed to parse either key or alias arn: arn: invalid prefix",
+ kms: "awskms://localhost:4566/alias/exampleAlias",
+ },
+ {
+ name: "Should fail when arn is invalid",
+ expectErr: true,
+ errorString: "invalid value: awskms://localhost:4566/arn:sonotvalid: KMSORCACERT\nfailed to parse either key or alias arn: arn: not enough sections",
+ kms: "awskms://localhost:4566/arn:sonotvalid",
+ },
+ {
+ name: "works with valid arn key and endpoint",
+ kms: "awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ },
+ {
+ name: "works with valid arn key and no endpoint",
+ kms: "awskms:///arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ },
+ {
+ name: "works with valid arn alias and endpoint",
+ kms: "awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias",
+ },
+ {
+ name: "works with valid arn alias and no endpoint",
+ kms: "awskms:///arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias",
+ },
+ }
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ // First test with KeyRef
+ keyRef := KeyRef{KMS: test.kms}
+ err := keyRef.Validate(context.TODO())
+ if test.expectErr {
+ require.NotNil(t, err)
+ kmsErrString := strings.Replace(test.errorString, "KMSORCACERT", "kms", 1)
+ require.EqualError(t, err, kmsErrString)
+ } else {
+ require.Nil(t, err)
+ }
+ // Then with Keyless with CACert as KeyRef
+ keylessRef := KeylessRef{CACert: &keyRef}
+ err = keylessRef.Validate(context.TODO())
+ if test.expectErr {
+ require.NotNil(t, err)
+ caCertErrString := strings.Replace(test.errorString, "KMSORCACERT", "ca-cert.kms", 1)
+ require.EqualError(t, err, caCertErrString)
+ } else {
+ require.Nil(t, err)
+ }
+ })
+ }
+}
diff --git a/test/testdata/policy-controller/invalid/invalid-keyref-awskms.yaml b/test/testdata/policy-controller/invalid/invalid-keyref-awskms.yaml
new file mode 100644
index 00000000000..2b5bfcc6b20
--- /dev/null
+++ b/test/testdata/policy-controller/invalid/invalid-keyref-awskms.yaml
@@ -0,0 +1,34 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: policy.sigstore.dev/v1alpha1
+kind: ClusterImagePolicy
+metadata:
+ name: image-policy
+spec:
+ images:
+ - glob: images.*
+ authorities:
+ - key:
+ # keyid is not supported
+ kms: "awskms:///1234abcd-12ab-34cd-56ef-1234567890ab"
+ - key:
+ # keyid with hostname is still not supported
+ kms: "awskms://localhost:4566/1234abcd-12ab-34cd-56ef-1234567890ab"
+ - key:
+ # alias is not supported
+ kms: "awskms:///alias/ExampleAlias"
+ = key:
+ # alias is not supported, even if you give a hostname
+ kms: "awskms://localhost:4566/alias/exampleAlias"
diff --git a/test/testdata/policy-controller/valid/valid-keylessref-awskms.yaml b/test/testdata/policy-controller/valid/valid-keylessref-awskms.yaml
new file mode 100644
index 00000000000..a141b61e596
--- /dev/null
+++ b/test/testdata/policy-controller/valid/valid-keylessref-awskms.yaml
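Review bot: The fourth authority entry begins with `= key:` instead of `- key:`, which makes the whole document fail YAML parsing rather than fail `validateAWSKMS`; a fixture under `invalid/` then passes the negative test for the wrong reason, and the `awskms://localhost:4566/alias/exampleAlias` case it was meant to cover is never exercised. Change it to `- key:`. Since every entry in one policy is rejected together, it may also be worth splitting the four cases into separate fixtures, or at least noting in a comment which single authority is expected to produce the rejection, so a regression in one format is not masked by the others.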
@@ -0,0 +1,34 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: policy.sigstore.dev/v1alpha1
+kind: ClusterImagePolicy
+metadata:
+ name: image-policy
+spec:
+ images:
+ - glob: images.*
+ authorities:
+ - keyless:
+ ca-cert:
+ kms: "awskms:///arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+ - keyless:
+ ca-cert:
+ kms: "awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+ - keyless:
+ ca-cert:
+ kms: "awskms:///arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias"
+ - keyless:
+ ca-cert:
+ kms: "awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias"
diff --git a/test/testdata/policy-controller/valid/valid-keyref-awskms.yaml b/test/testdata/policy-controller/valid/valid-keyref-awskms.yaml
new file mode 100644
index 00000000000..97030cb66d6
--- /dev/null
+++ b/test/testdata/policy-controller/valid/valid-keyref-awskms.yaml
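Review bot: Both new valid fixtures, this one and `valid-keyref-awskms.yaml` below, declare only `apiVersion: policy.sigstore.dev/v1alpha1`, while the commit adds the same `validateAWSKMS` logic to the v1beta1 package as well; a v1beta1 copy of each fixture would make the policy-controller test data exercise that version's validator too, rather than relying solely on the Go unit tests. A one-line comment at the top of each fixture stating what it proves, e.g. `# All four awskms:// forms accepted by validateAWSKMS: key/alias ARN, with and without host:port.`, would also help the next person extending the set.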
@@ -0,0 +1,30 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: policy.sigstore.dev/v1alpha1
+kind: ClusterImagePolicy
+metadata:
+ name: image-policy
+spec:
+ images:
+ - glob: images.*
+ authorities:
+ - key:
+ kms: "awskms:///arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+ - key:
+ kms: "awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+ - key:
+ kms: "awskms:///arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias"
+ - key:
+ kms: "awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias"