From 213d780b1842a69376d73308a79003128fac6e59 Mon Sep 17 00:00:00 2001 From: Sanskar Jaiswal Date: Fri, 6 Oct 2023 17:25:18 +0530 Subject: [PATCH] cosign: change `cosignIdentityMatch` to `oidcMatchIdentity` Signed-off-by: Sanskar Jaiswal --- api/v1beta2/ocirepository_types.go | 17 +-- api/v1beta2/zz_generated.deepcopy.go | 36 +++--- .../source.toolkit.fluxcd.io_helmcharts.yaml | 18 +-- ...rce.toolkit.fluxcd.io_ocirepositories.yaml | 18 +-- docs/api/v1beta2/source.md | 109 +++++++++--------- docs/spec/v1beta2/helmcharts.md | 12 +- docs/spec/v1beta2/ocirepositories.md | 14 +-- internal/controller/helmchart_controller.go | 10 +- .../controller/helmchart_controller_test.go | 12 +- .../controller/ocirepository_controller.go | 10 +- .../ocirepository_controller_test.go | 12 +- internal/oci/verifier.go | 8 +- 12 files changed, 139 insertions(+), 137 deletions(-) diff --git a/api/v1beta2/ocirepository_types.go b/api/v1beta2/ocirepository_types.go index 97593442e..6af2f4730 100644 --- a/api/v1beta2/ocirepository_types.go +++ b/api/v1beta2/ocirepository_types.go @@ -191,25 +191,26 @@ type OCIRepositoryVerification struct { // +optional SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"` - // CosignIdentityMatch specifies the identity matching criteria to use + // OIDCMatchIdentity specifies the identity matching criteria to use // while verifying an OCI artifact which was signed using Cosign keyless // signing. - CosignIdentityMatch *CosignIdentityMatch `json:"cosignIdentityMatch,omitempty"` + // +optional + OIDCMatchIdentity *OIDCMatchIdentity `json:"oidcMatchIdentity,omitempty"` } -// CosignIdentityMatch specifies options for verifying the certificate identity, +// OIDCMatchIdentity specifies options for verifying the certificate identity, // i.e. the issuer and the subject of the certificate. -type CosignIdentityMatch struct { - // IssuerRegExp specifies the regex pattern to match against to verify +type OIDCMatchIdentity struct { + // Issuer specifies the regex pattern to match against to verify // the OIDC issuer in the Fulcio certificate. The pattern must be a // valid Go regular expression. // +optional - IssuerRegExp string `json:"issuerRegExp,omitempty"` - // SubjectRegExp specifies the regex pattern to match against to verify + Issuer string `json:"issuer,omitempty"` + // Subject specifies the regex pattern to match against to verify // the identity in the Fulcio certificate. The pattern must be a // valid Go regular expression. // +optional - SubjectRegExp string `json:"subjectRegExp,omitempty"` + Subject string `json:"subject,omitempty"` } // OCIRepositoryStatus defines the observed state of OCIRepository diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go index 8b2e41dff..19b3dbae3 100644 --- a/api/v1beta2/zz_generated.deepcopy.go +++ b/api/v1beta2/zz_generated.deepcopy.go @@ -185,21 +185,6 @@ func (in *BucketStatus) DeepCopy() *BucketStatus { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *CosignIdentityMatch) DeepCopyInto(out *CosignIdentityMatch) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CosignIdentityMatch. -func (in *CosignIdentityMatch) DeepCopy() *CosignIdentityMatch { - if in == nil { - return nil - } - out := new(CosignIdentityMatch) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GitRepository) DeepCopyInto(out *GitRepository) { *out = *in @@ -849,9 +834,9 @@ func (in *OCIRepositoryVerification) DeepCopyInto(out *OCIRepositoryVerification *out = new(meta.LocalObjectReference) **out = **in } - if in.CosignIdentityMatch != nil { - in, out := &in.CosignIdentityMatch, &out.CosignIdentityMatch - *out = new(CosignIdentityMatch) + if in.OIDCMatchIdentity != nil { + in, out := &in.OIDCMatchIdentity, &out.OIDCMatchIdentity + *out = new(OIDCMatchIdentity) **out = **in } } @@ -865,3 +850,18 @@ func (in *OCIRepositoryVerification) DeepCopy() *OCIRepositoryVerification { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCMatchIdentity) DeepCopyInto(out *OIDCMatchIdentity) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCMatchIdentity. +func (in *OIDCMatchIdentity) DeepCopy() *OIDCMatchIdentity { + if in == nil { + return nil + } + out := new(OIDCMatchIdentity) + in.DeepCopyInto(out) + return out +} diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml index 5e72ca06b..244d2376c 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml @@ -411,19 +411,19 @@ spec: Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified. properties: - cosignIdentityMatch: - description: CosignIdentityMatch specifies the identity matching + oidcMatchIdentity: + description: OIDCMatchIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. properties: - issuerRegExp: - description: IssuerRegExp specifies the regex pattern to match - against to verify the OIDC issuer in the Fulcio certificate. - The pattern must be a valid Go regular expression. + issuer: + description: Issuer specifies the regex pattern to match against + to verify the OIDC issuer in the Fulcio certificate. The + pattern must be a valid Go regular expression. type: string - subjectRegExp: - description: SubjectRegExp specifies the regex pattern to - match against to verify the identity in the Fulcio certificate. + subject: + description: Subject specifies the regex pattern to match + against to verify the identity in the Fulcio certificate. The pattern must be a valid Go regular expression. type: string type: object diff --git a/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml index 00f8f946d..18d434162 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml @@ -164,19 +164,19 @@ spec: public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. properties: - cosignIdentityMatch: - description: CosignIdentityMatch specifies the identity matching + oidcMatchIdentity: + description: OIDCMatchIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. properties: - issuerRegExp: - description: IssuerRegExp specifies the regex pattern to match - against to verify the OIDC issuer in the Fulcio certificate. - The pattern must be a valid Go regular expression. + issuer: + description: Issuer specifies the regex pattern to match against + to verify the OIDC issuer in the Fulcio certificate. The + pattern must be a valid Go regular expression. type: string - subjectRegExp: - description: SubjectRegExp specifies the regex pattern to - match against to verify the identity in the Fulcio certificate. + subject: + description: Subject specifies the regex pattern to match + against to verify the identity in the Fulcio certificate. The pattern must be a valid Go regular expression. type: string type: object diff --git a/docs/api/v1beta2/source.md b/docs/api/v1beta2/source.md index 7085b245c..9fac0409a 100644 --- a/docs/api/v1beta2/source.md +++ b/docs/api/v1beta2/source.md @@ -1614,56 +1614,6 @@ github.com/fluxcd/pkg/apis/meta.ReconcileRequestStatus -

CosignIdentityMatch -

-

-(Appears on: -OCIRepositoryVerification) -

-

CosignIdentityMatch specifies options for verifying the certificate identity, -i.e. the issuer and the subject of the certificate.

-
-
- - - - - - - - - - - - - - - - - -
FieldDescription
-issuerRegExp
- -string - -
-(Optional) -

IssuerRegExp specifies the regex pattern to match against to verify -the OIDC issuer in the Fulcio certificate. The pattern must be a -valid Go regular expression.

-
-subjectRegExp
- -string - -
-(Optional) -

SubjectRegExp specifies the regex pattern to match against to verify -the identity in the Fulcio certificate. The pattern must be a -valid Go regular expression.

-
-
-

GitRepositoryInclude

@@ -3347,15 +3297,16 @@ trusted public keys.

-cosignIdentityMatch
+oidcMatchIdentity
- -CosignIdentityMatch + +OIDCMatchIdentity -

CosignIdentityMatch specifies the identity matching criteria to use +(Optional) +

OIDCMatchIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing.

@@ -3364,6 +3315,56 @@ signing.

+

OIDCMatchIdentity +

+

+(Appears on: +OCIRepositoryVerification) +

+

OIDCMatchIdentity specifies options for verifying the certificate identity, +i.e. the issuer and the subject of the certificate.

+
+
+ + + + + + + + + + + + + + + + + +
FieldDescription
+issuer
+ +string + +
+(Optional) +

Issuer specifies the regex pattern to match against to verify +the OIDC issuer in the Fulcio certificate. The pattern must be a +valid Go regular expression.

+
+subject
+ +string + +
+(Optional) +

Subject specifies the regex pattern to match against to verify +the identity in the Fulcio certificate. The pattern must be a +valid Go regular expression.

+
+
+

Source

Source interface must be supported by all API types. diff --git a/docs/spec/v1beta2/helmcharts.md b/docs/spec/v1beta2/helmcharts.md index c422b185f..532206d1f 100644 --- a/docs/spec/v1beta2/helmcharts.md +++ b/docs/spec/v1beta2/helmcharts.md @@ -308,10 +308,10 @@ For publicly available HelmCharts, which are signed using the you can enable the verification by omitting the `.verify.secretRef` field. To verify that the subject and the OIDC issuer present in the Fulcio certificate -you can specify `.spec.verify.cosignIdentityMatch`. It provides two fields: +you can specify `.spec.verify.oidcMatchIdentity`. It provides two fields: -- `.issuerRegExp`, to sepcify a regexp that matches against the OIDC issuer. -- `.subjectRegExp`, to specify a regexp that matches against the identity in +- `.issuer`, to sepcify a regexp that matches against the OIDC issuer. +- `.subject`, to specify a regexp that matches against the identity in the certificate. Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax). @@ -333,9 +333,9 @@ spec: version: ">=6.1.6" verify: provider: cosign - cosignIdentityMatch: - subjectRegExp: "stefanprodan" - issuerRegExp: "^https://token.actions.githubusercontent.com$" + oidcMatchIdentity: + subject: "stefanprodan" + issuer: "^https://token.actions.githubusercontent.com$" ``` ```yaml diff --git a/docs/spec/v1beta2/ocirepositories.md b/docs/spec/v1beta2/ocirepositories.md index b23895211..56e4c89fc 100644 --- a/docs/spec/v1beta2/ocirepositories.md +++ b/docs/spec/v1beta2/ocirepositories.md @@ -506,7 +506,7 @@ signatures. The field offers two subfields: - `.provider`, to specify the verification provider. Only supports `cosign` at present. - `.secretRef.name`, to specify a reference to a Secret in the same namespace as the OCIRepository, containing the Cosign public keys of trusted authors. -- `.cosignIdentityMatch`, to specify the identity matching criteria if the +- `.oidcMatchIdentity`, to specify the identity matching criteria if the artifact was signed using Cosign keyless signing. ```yaml @@ -558,10 +558,10 @@ For publicly available OCI artifacts, which are signed using the you can enable the verification by omitting the `.verify.secretRef` field. To verify that the subject and the OIDC issuer present in the Fulcio certificate -you can specify `.spec.verify.cosignIdentityMatch`. It provides two fields: +you can specify `.spec.verify.oidcMatchIdentity`. It provides two fields: -- `.issuerRegExp`, to sepcify a regexp that matches against the OIDC issuer. -- `.subjectRegExp`, to specify a regexp that matches against the identity in +- `.issuer`, to sepcify a regexp that matches against the OIDC issuer. +- `.subject`, to specify a regexp that matches against the identity in the certificate. Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax). @@ -578,9 +578,9 @@ spec: url: oci://ghcr.io/stefanprodan/manifests/podinfo verify: provider: cosign - cosignIdentityMatch: - subjectRegExp: "stefanprodan" - issuerRegExp: "^https://token.actions.githubusercontent.com$" + oidcMatchIdentity: + subject: "stefanprodan" + issuer: "^https://token.actions.githubusercontent.com$" ``` The controller verifies the signatures using the Fulcio root CA and the Rekor diff --git a/internal/controller/helmchart_controller.go b/internal/controller/helmchart_controller.go index 4b4207610..9734910bf 100644 --- a/internal/controller/helmchart_controller.go +++ b/internal/controller/helmchart_controller.go @@ -1338,13 +1338,13 @@ func (r *HelmChartReconciler) makeVerifiers(ctx context.Context, obj *helmv1.Hel } // if no secret is provided, add a keyless verifier - if obj.Spec.Verify.CosignIdentityMatch != nil { - if obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp != "" { - defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp)) + if obj.Spec.Verify.OIDCMatchIdentity != nil { + if obj.Spec.Verify.OIDCMatchIdentity.Issuer != "" { + defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.OIDCMatchIdentity.Issuer)) } - if obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp != "" { - defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp)) + if obj.Spec.Verify.OIDCMatchIdentity.Subject != "" { + defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.OIDCMatchIdentity.Subject)) } } verifier, err := soci.NewCosignVerifier(ctx, defaultCosignOciOpts...) diff --git a/internal/controller/helmchart_controller_test.go b/internal/controller/helmchart_controller_test.go index c34099a28..cb261b6e0 100644 --- a/internal/controller/helmchart_controller_test.go +++ b/internal/controller/helmchart_controller_test.go @@ -2560,9 +2560,9 @@ func TestHelmChartRepository_reconcileSource_verifyOCISourceSignature_keyless(t version: "6.5.1", want: sreconcile.ResultSuccess, beforeFunc: func(obj *helmv1.HelmChart) { - obj.Spec.Verify.CosignIdentityMatch = &helmv1.CosignIdentityMatch{ - SubjectRegExp: "stefanprodan", - IssuerRegExp: "^https://token.actions.githubusercontent.com$", + obj.Spec.Verify.OIDCMatchIdentity = &helmv1.OIDCMatchIdentity{ + Subject: "stefanprodan", + Issuer: "^https://token.actions.githubusercontent.com$", } }, assertConditions: []metav1.Condition{ @@ -2578,9 +2578,9 @@ func TestHelmChartRepository_reconcileSource_verifyOCISourceSignature_keyless(t wantErr: true, want: sreconcile.ResultEmpty, beforeFunc: func(obj *helmv1.HelmChart) { - obj.Spec.Verify.CosignIdentityMatch = &helmv1.CosignIdentityMatch{ - SubjectRegExp: "intruder", - IssuerRegExp: "^https://honeypot.com$", + obj.Spec.Verify.OIDCMatchIdentity = &helmv1.OIDCMatchIdentity{ + Subject: "intruder", + Issuer: "^https://honeypot.com$", } }, assertConditions: []metav1.Condition{ diff --git a/internal/controller/ocirepository_controller.go b/internal/controller/ocirepository_controller.go index 3a152218b..08c214ee8 100644 --- a/internal/controller/ocirepository_controller.go +++ b/internal/controller/ocirepository_controller.go @@ -665,13 +665,13 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv // if no secret is provided, try keyless verification ctrl.LoggerFrom(ctx).Info("no secret reference is provided, trying to verify the image using keyless method") - if obj.Spec.Verify.CosignIdentityMatch != nil { - if obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp != "" { - defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp)) + if obj.Spec.Verify.OIDCMatchIdentity != nil { + if obj.Spec.Verify.OIDCMatchIdentity.Issuer != "" { + defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.OIDCMatchIdentity.Issuer)) } - if obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp != "" { - defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp)) + if obj.Spec.Verify.OIDCMatchIdentity.Subject != "" { + defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.OIDCMatchIdentity.Subject)) } } verifier, err := soci.NewCosignVerifier(ctxTimeout, defaultCosignOciOpts...) diff --git a/internal/controller/ocirepository_controller_test.go b/internal/controller/ocirepository_controller_test.go index 69d989852..3dbb98a3d 100644 --- a/internal/controller/ocirepository_controller_test.go +++ b/internal/controller/ocirepository_controller_test.go @@ -1467,9 +1467,9 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignature_keyless(t *testi }, want: sreconcile.ResultSuccess, beforeFunc: func(obj *ociv1.OCIRepository) { - obj.Spec.Verify.CosignIdentityMatch = &ociv1.CosignIdentityMatch{ - SubjectRegExp: "stefanprodan", - IssuerRegExp: "^https://token.actions.githubusercontent.com$", + obj.Spec.Verify.OIDCMatchIdentity = &ociv1.OIDCMatchIdentity{ + Subject: "stefanprodan", + Issuer: "^https://token.actions.githubusercontent.com$", } }, assertConditions: []metav1.Condition{ @@ -1487,9 +1487,9 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignature_keyless(t *testi wantErr: true, want: sreconcile.ResultEmpty, beforeFunc: func(obj *ociv1.OCIRepository) { - obj.Spec.Verify.CosignIdentityMatch = &ociv1.CosignIdentityMatch{ - SubjectRegExp: "intruder", - IssuerRegExp: "^https://honeypot.com$", + obj.Spec.Verify.OIDCMatchIdentity = &ociv1.OIDCMatchIdentity{ + Subject: "intruder", + Issuer: "^https://honeypot.com$", } }, assertConditions: []metav1.Condition{ diff --git a/internal/oci/verifier.go b/internal/oci/verifier.go index 1adbacc8e..770753e73 100644 --- a/internal/oci/verifier.go +++ b/internal/oci/verifier.go @@ -64,15 +64,15 @@ func WithRemoteOptions(opts ...remote.Option) Options { } } -func WithSubjectRegexp(subjectRegExp string) Options { +func WithSubjectRegexp(subject string) Options { return func(opts *options) { - opts.SubjectRegExp = subjectRegExp + opts.SubjectRegExp = subject } } -func WithIssuerRegexp(issuerRegExp string) Options { +func WithIssuerRegexp(issuer string) Options { return func(opts *options) { - opts.IssuerRegExp = issuerRegExp + opts.IssuerRegExp = issuer } }