
Implement identities, fix bug in webhook validation. #1759

Merged
merged 3 commits into from Apr 14, 2022

Conversation

vaikas (Contributor)

@vaikas vaikas commented Apr 14, 2022

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

Summary

  • Implement ClusterImagePolicy for Keyless for identities, so you can restrict which issuer/subject needs to be matched.
  • Also fixed the webhook validator logic that actually would prevent being able to specify both the URL as well as identities in keyless, even though it's a valid configuration as per the design spec.
  • Add e2e tests for them.

Ticket Link

Fixes

Release Note

Add support for specifying identities (issuer/subject matching) in ClusterImagePolicy
Fix bug that would not allow creation of CIP with identities

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
@vaikas vaikas changed the title Implement identites, fix bug in webhook validation. Implement identities, fix bug in webhook validation. Apr 14, 2022
@codecov-commenter commented:
Codecov Report

Merging #1759 (e43d2d0) into main (72060a1) will increase coverage by 0.37%.
The diff coverage is 98.41%.

@@            Coverage Diff             @@
##             main    #1759      +/-   ##
==========================================
+ Coverage   30.17%   30.54%   +0.37%     
==========================================
  Files         143      143              
  Lines        8607     8655      +48     
==========================================
+ Hits         2597     2644      +47     
- Misses       5710     5711       +1     
  Partials      300      300              
Impacted Files Coverage Δ
pkg/cosign/verify.go 29.56% <98.24%> (+5.86%) ⬆️
...cosigned/v1alpha1/clusterimagepolicy_validation.go 91.42% <100.00%> (+2.43%) ⬆️
pkg/cosign/kubernetes/webhook/validation.go 83.78% <100.00%> (+0.22%) ⬆️
pkg/cosign/kubernetes/webhook/validator.go 82.56% <100.00%> (ø)
pkg/cosign/tuf/client.go 62.69% <0.00%> (-0.95%) ⬇️

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
…e specified.

Fix the actions yaml file typo. missing actual run, doh.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

// Identities is an array of Identity (Subject, Issuer) matchers that have
// to be met for the signature to be valid.
// Supersedes CertEmail / CertOidcIssuer
Member:

Can we change those to pass a []v1alpha1.Identity?

Contributor Author:

Thought about it, but did not want to change them because they would match other things than email and that would be a change in behaviour. So, I'd rather not do that as part of this PR.

Comment on lines +190 to +191
if regex, err := regexp.Compile(identity.Issuer); err != nil {
return nil, fmt.Errorf("malformed issuer in identity: %s : %w", identity.Issuer, err)
Member:

We should check in the webhook that these are valid regex

Contributor Author:

Yeah, I'll do that in a follow up PR and add tests for them, ok?

Comment on lines +203 to +206
regex, err := regexp.Compile(identity.Subject)
if err != nil {
return nil, fmt.Errorf("malformed subject in identity: %s : %w", identity.Subject, err)
}
Member:

same

Contributor Author:

same same :)
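The two review threads above ask for the same thing: compile the issuer and subject patterns in the webhook when the ClusterImagePolicy is admitted, rather than discovering a malformed regex at verification time. The following is an added example, not cosign's own code; it uses illustrative types (Identity, CertIdentity) instead of the project's v1alpha1.Identity and assumes, as the regexp.Compile calls in the PR suggest, that matching is an unanchored regexp.MatchString. It shows the admission-time validation and the matcher, and also the check a practitioner should make when writing such a policy: an unanchored subject pattern is a substring match, so "https://github.com/example/repo" also accepts a workflow from a look-alike repository "example/repo-evil".

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Identity is an (issuer, subject) matcher as described in the PR: both
// fields are regular expressions and an empty field means "any".
// Illustrative type for this example, not cosign's v1alpha1.Identity.
type Identity struct {
	Issuer  string
	Subject string
}

// CertIdentity holds what verification extracts from a Fulcio-issued
// certificate: the OIDC issuer extension and the subject alternative names
// (email or URI). Constructed for this example.
type CertIdentity struct {
	Issuer   string
	Subjects []string
}

type compiledIdentity struct {
	issuer, subject *regexp.Regexp // nil when the corresponding field is empty
}

// compileIdentities compiles every pattern up front and reports all errors,
// so a bad policy is rejected as a whole rather than on first use.
func compileIdentities(ids []Identity) ([]compiledIdentity, error) {
	out := make([]compiledIdentity, 0, len(ids))
	var errs []string
	for i, id := range ids {
		if id.Issuer == "" && id.Subject == "" {
			errs = append(errs, fmt.Sprintf("identities[%d]: issuer or subject must be set", i))
			continue
		}
		var c compiledIdentity
		var err error
		if id.Issuer != "" {
			if c.issuer, err = regexp.Compile(id.Issuer); err != nil {
				errs = append(errs, fmt.Sprintf("identities[%d].issuer: %v", i, err))
			}
		}
		if id.Subject != "" {
			if c.subject, err = regexp.Compile(id.Subject); err != nil {
				errs = append(errs, fmt.Sprintf("identities[%d].subject: %v", i, err))
			}
		}
		out = append(out, c)
	}
	if len(errs) > 0 {
		return nil, fmt.Errorf("invalid identities: %s", strings.Join(errs, "; "))
	}
	return out, nil
}

// ValidateIdentities is the admission-time check the reviewers asked for:
// a webhook would run it on create/update of a ClusterImagePolicy so that
// a malformed regex never reaches verification time.
func ValidateIdentities(ids []Identity) error {
	_, err := compileIdentities(ids)
	return err
}

// MatchIdentity reports whether at least one identity accepts the certificate:
// the issuer pattern (if set) must match the issuer and the subject pattern
// (if set) must match at least one SAN. Unanchored MatchString is assumed.
func MatchIdentity(ids []Identity, cert CertIdentity) (bool, error) {
	compiled, err := compileIdentities(ids)
	if err != nil {
		return false, err
	}
	for _, c := range compiled {
		if c.issuer != nil && !c.issuer.MatchString(cert.Issuer) {
			continue
		}
		if c.subject == nil {
			return true, nil
		}
		for _, s := range cert.Subjects {
			if c.subject.MatchString(s) {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	const issuer = "https://token.actions.githubusercontent.com"
	// Constructed SAN of a GitHub Actions workflow identity from a look-alike repository.
	lookalike := CertIdentity{
		Issuer:   issuer,
		Subjects: []string{"https://github.com/example/repo-evil/.github/workflows/build.yaml@refs/heads/main"},
	}
	// Unanchored: the intended repo path is a substring of the look-alike SAN, so it matches.
	loose := []Identity{{Issuer: regexp.QuoteMeta(issuer), Subject: "https://github.com/example/repo"}}
	// Anchored and escaped: only workflows under example/repo match.
	strict := []Identity{{Issuer: "^" + regexp.QuoteMeta(issuer) + "$", Subject: `^https://github\.com/example/repo/.*$`}}

	for name, ids := range map[string][]Identity{"loose": loose, "strict": strict} {
		ok, err := MatchIdentity(ids, lookalike)
		fmt.Printf("%s policy matches look-alike repo: %v (err=%v)\n", name, ok, err)
	}
	fmt.Println("malformed policy rejected:", ValidateIdentities([]Identity{{Subject: "("}}))
}
```

When writing identities for a real policy, anchor both patterns (^...$) and escape literal dots; the validation above only guarantees the regex compiles, not that it is as narrow as intended.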

@vaikas vaikas enabled auto-merge (squash) April 14, 2022 18:10
@vaikas vaikas merged commit 0c232da into sigstore:main Apr 14, 2022
@github-actions github-actions bot added this to the v1.8.0 milestone Apr 14, 2022
@vaikas vaikas deleted the issuer-subject branch April 14, 2022 18:18
// Identities is an array of Identity (Subject, Issuer) matchers that have
// to be met for the signature to be valid.
// Supersedes CertEmail / CertOidcIssuer
Identities []v1alpha1.Identity
Contributor:

This causes every user of pkg/cosign to depend on k8s; updating to a recent Cosign version thus adds 1.157 million lines of code.

Please consider some other API design.

Contributor Author:

zomg, I'm so sorry about that, didn't realize that:
#1790

@mtrmac

vaikas added a commit to vaikas/cosign that referenced this pull request Apr 22, 2022
unnecessary k8s libraries.
Brought up as an issue that was merged in: sigstore#1759

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
dlorenc pushed a commit that referenced this pull request Apr 22, 2022
unnecessary k8s libraries.
Brought up as an issue that was merged in: #1759

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
* Implement identities, fix bug in webhook validation.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* fix lint.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Fix the invalid test that was incorrectly assuming identities can't be specified.
Fix the actions yaml file typo. missing actual run, doh.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
…1790)

unnecessary k8s libraries.
Brought up as an issue that was merged in: sigstore#1759

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
4 participants