mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-15 17:51:20 +00:00
Merge pull request #2630 from JimBugwadia/handle_cosign_payload_variations
handle Cosign payload variations
This commit is contained in:
Jim Bugwadia
GitHub
commit
675b3608a4
2 changed files with 94 additions and 24 deletions
|
|
@ -261,9 +261,9 @@ func extractDigest(imgRef string, verified []cosign.SignedPayload, log logr.Logg
|
|||
return "", err
|
||||
}
|
||||
|
||||
log.V(4).Info("image verification response", "image", imgRef, "payload", jsonMap)
|
||||
log.V(3).Info("image verification response", "image", imgRef, "payload", jsonMap)
|
||||
|
||||
// The expected response is in the JSON format:
|
||||
// The expected payload is in one of these JSON formats:
|
||||
// {
|
||||
// "critical": {
|
||||
// "identity": {
|
||||
|
|
@ -276,32 +276,52 @@ func extractDigest(imgRef string, verified []cosign.SignedPayload, log logr.Logg
|
|||
// },
|
||||
// "optional": null
|
||||
// }
|
||||
|
||||
// some versions of Cosign seem to return "Critical" instead of "critical".
|
||||
// check for both...
|
||||
var critical map[string]interface{}
|
||||
if jsonMap["critical"] != nil {
|
||||
critical = jsonMap["critical"].(map[string]interface{})
|
||||
} else if jsonMap["Critical"] != nil {
|
||||
critical = jsonMap["Critical"].(map[string]interface{})
|
||||
} else {
|
||||
log.Info("unexpected image verification payload", "image", imgRef, "payload", jsonMap)
|
||||
continue
|
||||
}
|
||||
|
||||
//
|
||||
// {
|
||||
// "Critical": {
|
||||
// "Identity": {
|
||||
// "docker-reference": "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop"
|
||||
// },
|
||||
// "Image": {
|
||||
// "Docker-manifest-digest": "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816"
|
||||
// },
|
||||
// "Type": "Tekton container signature"
|
||||
// },
|
||||
// "Optional": {}
|
||||
// }
|
||||
//
|
||||
critical := getMapValue(jsonMap, "critical", "Critical")
|
||||
if critical != nil {
|
||||
typeStr := critical["type"].(string)
|
||||
if typeStr == "cosign container image signature" {
|
||||
identity := critical["identity"].(map[string]interface{})
|
||||
if identity != nil {
|
||||
image := critical["image"].(map[string]interface{})
|
||||
if image != nil {
|
||||
return image["docker-manifest-digest"].(string), nil
|
||||
}
|
||||
}
|
||||
image := getMapValue(critical, "image", "Image")
|
||||
if image != nil {
|
||||
digest := getStringValue(image, "docker-manifest-digest", "Docker-manifest-digest")
|
||||
return digest, nil
|
||||
}
|
||||
} else {
|
||||
log.Info("failed to extract image digest from verification response", "image", imgRef, "payload", jsonMap)
|
||||
return "", fmt.Errorf("unknown image response for " + imgRef)
|
||||
}
|
||||
}
|
||||
|
||||
return "", fmt.Errorf("digest not found for " + imgRef)
|
||||
}
|
||||
|
||||
func getMapValue(m map[string]interface{}, keys ...string) map[string]interface{} {
|
||||
for _, k := range keys {
|
||||
if m[k] != nil {
|
||||
return m[k].(map[string]interface{})
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func getStringValue(m map[string]interface{}, keys ...string) string {
|
||||
for _, k := range keys {
|
||||
if m[k] != nil {
|
||||
return m[k].(string)
|
||||
}
|
||||
}
|
||||
|
||||
return ""
|
||||
}
|
||||
|
|
|
|||
50
pkg/cosign/cosign_test.go
Normal file
50
pkg/cosign/cosign_test.go
Normal file
|
|
@ -0,0 +1,50 @@
|
|||
package cosign
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/sigstore/cosign/pkg/cosign"
|
||||
"gotest.tools/assert"
|
||||
)
|
||||
|
||||
const cosignPayload = `{
|
||||
"critical": {
|
||||
"identity": {
|
||||
"docker-reference": "registry-v2.nirmata.io/pause"
|
||||
},
|
||||
"image": {
|
||||
"docker-manifest-digest": "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108"
|
||||
},
|
||||
"type": "cosign container image signature"
|
||||
},
|
||||
"optional": null
|
||||
}`
|
||||
|
||||
const tektonPayload = `{
|
||||
"Critical": {
|
||||
"Identity": {
|
||||
"docker-reference": "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop"
|
||||
},
|
||||
"Image": {
|
||||
"Docker-manifest-digest": "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816"
|
||||
},
|
||||
"Type": "Tekton container signature"
|
||||
},
|
||||
"Optional": {}
|
||||
}`
|
||||
|
||||
func TestCosignPayload(t *testing.T) {
|
||||
var log logr.Logger = logr.DiscardLogger{}
|
||||
image := "registry-v2.nirmata.io/pause"
|
||||
signedPayloads := []cosign.SignedPayload{{Payload: []byte(cosignPayload)}}
|
||||
d, err := extractDigest(image, signedPayloads, log)
|
||||
assert.NilError(t, err)
|
||||
assert.Equal(t, d, "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108")
|
||||
|
||||
image2 := "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop"
|
||||
signedPayloads2 := []cosign.SignedPayload{{Payload: []byte(tektonPayload)}}
|
||||
d2, err := extractDigest(image2, signedPayloads2, log)
|
||||
assert.NilError(t, err)
|
||||
assert.Equal(t, d2, "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816")
|
||||
}
|
||||
Loading…
Reference in a new issue