Skip to content

Commit

Permalink
cosign: change cosignIdentityMatch to oidcMatchIdentity
Browse files Browse the repository at this point in the history
Signed-off-by: Sanskar Jaiswal <[email protected]>
  • Loading branch information
aryan9600 committed Oct 6, 2023
1 parent 9e3cc30 commit 213d780
Show file tree
Hide file tree
Showing 12 changed files with 139 additions and 137 deletions.
17 changes: 9 additions & 8 deletions api/v1beta2/ocirepository_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -191,25 +191,26 @@ type OCIRepositoryVerification struct {
// +optional
SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`

// CosignIdentityMatch specifies the identity matching criteria to use
// OIDCMatchIdentity specifies the identity matching criteria to use
// while verifying an OCI artifact which was signed using Cosign keyless
// signing.
CosignIdentityMatch *CosignIdentityMatch `json:"cosignIdentityMatch,omitempty"`
// +optional
OIDCMatchIdentity *OIDCMatchIdentity `json:"oidcMatchIdentity,omitempty"`
}

// CosignIdentityMatch specifies options for verifying the certificate identity,
// OIDCMatchIdentity specifies options for verifying the certificate identity,
// i.e. the issuer and the subject of the certificate.
type CosignIdentityMatch struct {
// IssuerRegExp specifies the regex pattern to match against to verify
type OIDCMatchIdentity struct {
// Issuer specifies the regex pattern to match against to verify
// the OIDC issuer in the Fulcio certificate. The pattern must be a
// valid Go regular expression.
// +optional
IssuerRegExp string `json:"issuerRegExp,omitempty"`
// SubjectRegExp specifies the regex pattern to match against to verify
Issuer string `json:"issuer,omitempty"`
// Subject specifies the regex pattern to match against to verify
// the identity in the Fulcio certificate. The pattern must be a
// valid Go regular expression.
// +optional
SubjectRegExp string `json:"subjectRegExp,omitempty"`
Subject string `json:"subject,omitempty"`
}

// OCIRepositoryStatus defines the observed state of OCIRepository
Expand Down
36 changes: 18 additions & 18 deletions api/v1beta2/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

18 changes: 9 additions & 9 deletions config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -411,19 +411,19 @@ spec:
Chart dependencies, which are not bundled in the umbrella chart
artifact, are not verified.
properties:
cosignIdentityMatch:
description: CosignIdentityMatch specifies the identity matching
oidcMatchIdentity:
description: OIDCMatchIdentity specifies the identity matching
criteria to use while verifying an OCI artifact which was signed
using Cosign keyless signing.
properties:
issuerRegExp:
description: IssuerRegExp specifies the regex pattern to match
against to verify the OIDC issuer in the Fulcio certificate.
The pattern must be a valid Go regular expression.
issuer:
description: Issuer specifies the regex pattern to match against
to verify the OIDC issuer in the Fulcio certificate. The
pattern must be a valid Go regular expression.
type: string
subjectRegExp:
description: SubjectRegExp specifies the regex pattern to
match against to verify the identity in the Fulcio certificate.
subject:
description: Subject specifies the regex pattern to match
against to verify the identity in the Fulcio certificate.
The pattern must be a valid Go regular expression.
type: string
type: object
Expand Down
18 changes: 9 additions & 9 deletions config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -164,19 +164,19 @@ spec:
public keys used to verify the signature and specifies which provider
to use to check whether OCI image is authentic.
properties:
cosignIdentityMatch:
description: CosignIdentityMatch specifies the identity matching
oidcMatchIdentity:
description: OIDCMatchIdentity specifies the identity matching
criteria to use while verifying an OCI artifact which was signed
using Cosign keyless signing.
properties:
issuerRegExp:
description: IssuerRegExp specifies the regex pattern to match
against to verify the OIDC issuer in the Fulcio certificate.
The pattern must be a valid Go regular expression.
issuer:
description: Issuer specifies the regex pattern to match against
to verify the OIDC issuer in the Fulcio certificate. The
pattern must be a valid Go regular expression.
type: string
subjectRegExp:
description: SubjectRegExp specifies the regex pattern to
match against to verify the identity in the Fulcio certificate.
subject:
description: Subject specifies the regex pattern to match
against to verify the identity in the Fulcio certificate.
The pattern must be a valid Go regular expression.
type: string
type: object
Expand Down
109 changes: 55 additions & 54 deletions docs/api/v1beta2/source.md
Original file line number Diff line number Diff line change
Expand Up @@ -1614,56 +1614,6 @@ github.com/fluxcd/pkg/apis/meta.ReconcileRequestStatus
</table>
</div>
</div>
<h3 id="source.toolkit.fluxcd.io/v1beta2.CosignIdentityMatch">CosignIdentityMatch
</h3>
<p>
(<em>Appears on:</em>
<a href="#source.toolkit.fluxcd.io/v1beta2.OCIRepositoryVerification">OCIRepositoryVerification</a>)
</p>
<p>CosignIdentityMatch specifies options for verifying the certificate identity,
i.e. the issuer and the subject of the certificate.</p>
<div class="md-typeset__scrollwrap">
<div class="md-typeset__table">
<table>
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>issuerRegExp</code><br>
<em>
string
</em>
</td>
<td>
<em>(Optional)</em>
<p>IssuerRegExp specifies the regex pattern to match against to verify
the OIDC issuer in the Fulcio certificate. The pattern must be a
valid Go regular expression.</p>
</td>
</tr>
<tr>
<td>
<code>subjectRegExp</code><br>
<em>
string
</em>
</td>
<td>
<em>(Optional)</em>
<p>SubjectRegExp specifies the regex pattern to match against to verify
the identity in the Fulcio certificate. The pattern must be a
valid Go regular expression.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<h3 id="source.toolkit.fluxcd.io/v1beta2.GitRepositoryInclude">GitRepositoryInclude
</h3>
<p>
Expand Down Expand Up @@ -3347,15 +3297,16 @@ trusted public keys.</p>
</tr>
<tr>
<td>
<code>cosignIdentityMatch</code><br>
<code>oidcMatchIdentity</code><br>
<em>
<a href="#source.toolkit.fluxcd.io/v1beta2.CosignIdentityMatch">
CosignIdentityMatch
<a href="#source.toolkit.fluxcd.io/v1beta2.OIDCMatchIdentity">
OIDCMatchIdentity
</a>
</em>
</td>
<td>
<p>CosignIdentityMatch specifies the identity matching criteria to use
<em>(Optional)</em>
<p>OIDCMatchIdentity specifies the identity matching criteria to use
while verifying an OCI artifact which was signed using Cosign keyless
signing.</p>
</td>
Expand All @@ -3364,6 +3315,56 @@ signing.</p>
</table>
</div>
</div>
<h3 id="source.toolkit.fluxcd.io/v1beta2.OIDCMatchIdentity">OIDCMatchIdentity
</h3>
<p>
(<em>Appears on:</em>
<a href="#source.toolkit.fluxcd.io/v1beta2.OCIRepositoryVerification">OCIRepositoryVerification</a>)
</p>
<p>OIDCMatchIdentity specifies options for verifying the certificate identity,
i.e. the issuer and the subject of the certificate.</p>
<div class="md-typeset__scrollwrap">
<div class="md-typeset__table">
<table>
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>issuer</code><br>
<em>
string
</em>
</td>
<td>
<em>(Optional)</em>
<p>Issuer specifies the regex pattern to match against to verify
the OIDC issuer in the Fulcio certificate. The pattern must be a
valid Go regular expression.</p>
</td>
</tr>
<tr>
<td>
<code>subject</code><br>
<em>
string
</em>
</td>
<td>
<em>(Optional)</em>
<p>Subject specifies the regex pattern to match against to verify
the identity in the Fulcio certificate. The pattern must be a
valid Go regular expression.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<h3 id="source.toolkit.fluxcd.io/v1beta2.Source">Source
</h3>
<p>Source interface must be supported by all API types.
Expand Down
12 changes: 6 additions & 6 deletions docs/spec/v1beta2/helmcharts.md
Original file line number Diff line number Diff line change
Expand Up @@ -308,10 +308,10 @@ For publicly available HelmCharts, which are signed using the
you can enable the verification by omitting the `.verify.secretRef` field.

To verify that the subject and the OIDC issuer present in the Fulcio certificate
you can specify `.spec.verify.cosignIdentityMatch`. It provides two fields:
you can specify `.spec.verify.oidcMatchIdentity`. It provides two fields:

- `.issuerRegExp`, to sepcify a regexp that matches against the OIDC issuer.
- `.subjectRegExp`, to specify a regexp that matches against the identity in
- `.issuer`, to sepcify a regexp that matches against the OIDC issuer.
- `.subject`, to specify a regexp that matches against the identity in
the certificate.
Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).

Expand All @@ -333,9 +333,9 @@ spec:
version: ">=6.1.6"
verify:
provider: cosign
cosignIdentityMatch:
subjectRegExp: "stefanprodan"
issuerRegExp: "^https://token.actions.githubusercontent.com$"
oidcMatchIdentity:
subject: "stefanprodan"
issuer: "^https://token.actions.githubusercontent.com$"
```

```yaml
Expand Down
14 changes: 7 additions & 7 deletions docs/spec/v1beta2/ocirepositories.md
Original file line number Diff line number Diff line change
Expand Up @@ -506,7 +506,7 @@ signatures. The field offers two subfields:
- `.provider`, to specify the verification provider. Only supports `cosign` at present.
- `.secretRef.name`, to specify a reference to a Secret in the same namespace as
the OCIRepository, containing the Cosign public keys of trusted authors.
- `.cosignIdentityMatch`, to specify the identity matching criteria if the
- `.oidcMatchIdentity`, to specify the identity matching criteria if the
artifact was signed using Cosign keyless signing.

```yaml
Expand Down Expand Up @@ -558,10 +558,10 @@ For publicly available OCI artifacts, which are signed using the
you can enable the verification by omitting the `.verify.secretRef` field.

To verify that the subject and the OIDC issuer present in the Fulcio certificate
you can specify `.spec.verify.cosignIdentityMatch`. It provides two fields:
you can specify `.spec.verify.oidcMatchIdentity`. It provides two fields:

- `.issuerRegExp`, to sepcify a regexp that matches against the OIDC issuer.
- `.subjectRegExp`, to specify a regexp that matches against the identity in
- `.issuer`, to sepcify a regexp that matches against the OIDC issuer.
- `.subject`, to specify a regexp that matches against the identity in
the certificate.
Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).

Expand All @@ -578,9 +578,9 @@ spec:
url: oci://ghcr.io/stefanprodan/manifests/podinfo
verify:
provider: cosign
cosignIdentityMatch:
subjectRegExp: "stefanprodan"
issuerRegExp: "^https://token.actions.githubusercontent.com$"
oidcMatchIdentity:
subject: "stefanprodan"
issuer: "^https://token.actions.githubusercontent.com$"
```

The controller verifies the signatures using the Fulcio root CA and the Rekor
Expand Down
10 changes: 5 additions & 5 deletions internal/controller/helmchart_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -1338,13 +1338,13 @@ func (r *HelmChartReconciler) makeVerifiers(ctx context.Context, obj *helmv1.Hel
}

// if no secret is provided, add a keyless verifier
if obj.Spec.Verify.CosignIdentityMatch != nil {
if obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp != "" {
defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp))
if obj.Spec.Verify.OIDCMatchIdentity != nil {
if obj.Spec.Verify.OIDCMatchIdentity.Issuer != "" {
defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.OIDCMatchIdentity.Issuer))
}

if obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp != "" {
defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp))
if obj.Spec.Verify.OIDCMatchIdentity.Subject != "" {
defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.OIDCMatchIdentity.Subject))
}
}
verifier, err := soci.NewCosignVerifier(ctx, defaultCosignOciOpts...)
Expand Down
12 changes: 6 additions & 6 deletions internal/controller/helmchart_controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2560,9 +2560,9 @@ func TestHelmChartRepository_reconcileSource_verifyOCISourceSignature_keyless(t
version: "6.5.1",
want: sreconcile.ResultSuccess,
beforeFunc: func(obj *helmv1.HelmChart) {
obj.Spec.Verify.CosignIdentityMatch = &helmv1.CosignIdentityMatch{
SubjectRegExp: "stefanprodan",
IssuerRegExp: "^https://token.actions.githubusercontent.com$",
obj.Spec.Verify.OIDCMatchIdentity = &helmv1.OIDCMatchIdentity{
Subject: "stefanprodan",
Issuer: "^https://token.actions.githubusercontent.com$",
}
},
assertConditions: []metav1.Condition{
Expand All @@ -2578,9 +2578,9 @@ func TestHelmChartRepository_reconcileSource_verifyOCISourceSignature_keyless(t
wantErr: true,
want: sreconcile.ResultEmpty,
beforeFunc: func(obj *helmv1.HelmChart) {
obj.Spec.Verify.CosignIdentityMatch = &helmv1.CosignIdentityMatch{
SubjectRegExp: "intruder",
IssuerRegExp: "^https://honeypot.com$",
obj.Spec.Verify.OIDCMatchIdentity = &helmv1.OIDCMatchIdentity{
Subject: "intruder",
Issuer: "^https://honeypot.com$",
}
},
assertConditions: []metav1.Condition{
Expand Down
Loading

0 comments on commit 213d780

Please sign in to comment.