Attestations + policy in cip.

[vaikas]

Summary

• Start of adding support for parity with verify-attestations in cosigned webhook
• Add support for cue in validating a CIP after signatures / attestations have been verified
• Fix a bug where CTLog was not plumbed through for custom verification
• Add 'name' field to authorities (gets defaulted to authority-) for making it easier to write CIP level policies

Missing:

• E2E test for doing cue validation with CIP policy. I can't figure this out, but @hectorj2f has for example rego in chore: add rego function to consume modules and evaluate them #1787 that we could start testing with.
• We should add parallel validation of Policies and then within policies parallel authorities so everything doesn't have to happen sequentially.

I'd like to get this in and start experimenting so we can get real policies implemented and get
experience on what works.

Starts putting scaffolding in place for this:
#1769

Ticket Link

Fixes

Release Note

 * Start of adding support for parity with verify-attestations in cosigned webhook
 * Add support for cue in validating a CIP _after_ signatures / attestations have been verified
 * Fix a bug where CTLog was not plumbed through for custom verification
 * Add 'name' field to authorities (gets defaulted to authority-<index>) for making it easier to write CIP level policies

[codecov-commenter]

Codecov Report

Merging #1772 (1541a0c) into main (8368bad) will increase coverage by 0.53%.
The diff coverage is 56.21%.

@@            Coverage Diff             @@
##             main    #1772      +/-   ##
==========================================
+ Coverage   31.45%   31.98%   +0.53%     
==========================================
  Files         144      145       +1     
  Lines        8896     9161     +265     
==========================================
+ Hits         2798     2930     +132     
- Misses       5761     5888     +127     
- Partials      337      343       +6     

Impacted Files	Coverage Δ
...apis/cosigned/v1alpha1/clusterimagepolicy_types.go	0.00% <0.00%> (ø)
...kg/apis/cosigned/v1alpha1/zz_generated.deepcopy.go	0.00% <0.00%> (ø)
pkg/policy/eval.go	51.85% <51.85%> (ø)
pkg/cosign/kubernetes/webhook/validation.go	74.00% <56.00%> (-6.77%)	⬇️
pkg/cosign/kubernetes/webhook/validator.go	74.44% <63.18%> (-8.13%)	⬇️
pkg/apis/config/image_policies.go	69.38% <100.00%> (ø)
...s/cosigned/v1alpha1/clusterimagepolicy_defaults.go	100.00% <100.00%> (+100.00%)	⬆️
...cosigned/v1alpha1/clusterimagepolicy_validation.go	94.11% <100.00%> (+1.55%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8368bad...1541a0c. Read the comment docs.

[vaikas]

Haha, this was my super hack to raise an error because I don't understand enough of cue yet :) So, we only execute this if if there's a failure and because there's a mismatch the policy will fail. So, all of these 'branches' really should be:
if len(...) < expected {
raiseEvaluationError
}

But, I don't know how to do the raiseEvaluationError, so I just added a statement that will result in an error.

[mattmoor]

Thanks for all the tests and detailed comments 🙏

[mattmoor]

attestation-%d? Why not authority-%d?

[vaikas]

I failed to update comment, I originally had it as attestation, and realized it was not good so I changed it to authority-%d, but forgot to update the comment.

[mattmoor]

Same question... attestation seems weird.

[vaikas]

lol, I originally had it as attestation, thought it seemed wierd, so changed it to authority-%d like here, but it's correct here? Or how do you mean? Above, yes I had neglected to update the comment, but the code is right here, no?

[mattmoor]

seems like a good use of switch?

[mattmoor]

Doesn't cosign attest support taking a full predicate type URL as well? Should we also allow full-blown URLs?

[vaikas]

I'd rather not pollute this with the switch only because I'd rather use the TODO (refactor where the options come from and use that), also attest may take the uri but verify-attest does not. It looks for the short name in the map and pulls the URL from it. Again, I think that should be done as part of a follow on PR to refactor that code a bit to pull the map out of the cli/options so it can be reused here.
https://github.com/sigstore/cosign/blob/main/pkg/policy/attestation.go#L43

[hectorj2f]

I can get this working in a separate PR, this PR one is big enough for now.

[hectorj2f]

As discussed, we have to use a different set of functions here, as cuejson.Validate expects the CUE to be self-contained and applied as a schema to the JSON.

[hectorj2f]

We can improve this function in a different PR.

[hectorj2f]

LGTM from now, let's iterate over it.