From 68fb237d251217644f72a9b5ce6c05e1900f056e Mon Sep 17 00:00:00 2001
From: shuting <shuting@nirmata.com>
Date: Tue, 10 Jan 2023 17:44:31 +0800
Subject: [PATCH] fix imageRef matching (#5956)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
---
 pkg/engine/imageVerify.go                     | 13 +++++
 .../multiple-attestors/01-assert.yaml         |  9 ++++
 .../multiple-attestors/01-policy.yaml         | 53 +++++++++++++++++++
 .../multiple-attestors/02-assert.yaml         |  8 +++
 .../multiple-attestors/02-pod.yaml            | 10 ++++
 .../multiple-attestors/99-cleanup.yaml        |  4 ++
 .../cornercases/multiple-attestors/README.md  | 11 ++++
 7 files changed, 108 insertions(+)
 create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-assert.yaml
 create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml
 create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-assert.yaml
 create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-pod.yaml
 create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/99-cleanup.yaml
 create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/README.md

diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go
index 07098d943a..61f6bef251 100644
--- a/pkg/engine/imageVerify.go
+++ b/pkg/engine/imageVerify.go
@@ -339,6 +339,10 @@ func (iv *imageVerifier) verifyImage(
 	}
 
 	if len(imageVerify.Attestors) > 0 {
+		if !matchImageReferences(imageVerify.ImageReferences, imageInfo.String()) {
+			return nil, ""
+		}
+
 		ruleResp, cosignResp := iv.verifyAttestors(ctx, imageVerify.Attestors, imageVerify, imageInfo, "")
 		if ruleResp.Status != response.RuleStatusPass {
 			return ruleResp, ""
@@ -722,3 +726,12 @@ func evaluateConditions(
 	pass := variables.EvaluateAnyAllConditions(log, ctx, c)
 	return pass, nil
 }
+
+func matchImageReferences(imageReferences []string, image string) bool {
+	for _, imageRef := range imageReferences {
+		if wildcard.Match(imageRef, image) {
+			return true
+		}
+	}
+	return false
+}
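Review bot: `matchImageReferences` has no doc comment, and its empty-list behaviour — no references means `false`, which in the caller means verification is skipped for that rule — is the edge most worth stating: `// matchImageReferences reports whether image matches at least one wildcard pattern in imageReferences. An empty list matches nothing.` Whether an empty `imageReferences` can reach this code depends on CRD validation that is not visible here. Since the patterns gate whether signature verification runs at all, a small table test pinning how `wildcard.Match` treats `/`, `:` and `@` in patterns like `ghcr.io/kyverno/test-verify-image:*` against tag-only and digest-pinned references would document the matching semantics policy authors rely on and catch a change in the wildcard library.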
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-assert.yaml
new file mode 100644
index 0000000000..a0c2dc8a1b
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-signatures
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml
new file mode 100644
index 0000000000..d0fe3cde24
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml
@@ -0,0 +1,53 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-signatures
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  validationFailureAction: enforce
+  webhookTimeoutSeconds: 30
+  background: false
+  rules:
+    - name: check-1
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - attestors:
+        - count: 1
+          entries:
+          - keys:
+              publicKeys: |-
+                -----BEGIN PUBLIC KEY-----
+                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+                5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+                -----END PUBLIC KEY-----
+        imageReferences:
+        - ghcr.io/kyverno/test-verify-image:*
+        mutateDigest: true
+        required: true
+        verifyDigest: true
+    - name: check-2
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - attestors:
+        - count: 1
+          entries:
+          - keys:
+              publicKeys: |-
+                -----BEGIN PUBLIC KEY-----
+                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOUD2uzRHLnx1oH6XAnF+8haL73BF
+                zh9pMI1x1/c4Nj/w+rsrgMCDyV/S8hmsXEbizhYD3QndVtV1piBDfDIb8w==
+                -----END PUBLIC KEY-----
+        imageReferences:
+        - my.local.repo/*
+        mutateDigest: false
+        required: true
+        verifyDigest: false
\ No newline at end of file
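Review bot: The fixture only exercises the positive path — the pod in `02-pod.yaml` uses an image matching `check-1`, and the only assertion is that it is created — so a regression where the new early return also skips verification for images that do match a rule's `imageReferences` would still pass this test. A companion step that admits a pod whose image matches `my.local.repo/*` (or an unsigned `ghcr.io/kyverno/test-verify-image` tag) and asserts the request is denied under `validationFailureAction: enforce` would pin the behaviour the fix is meant to preserve, not just the one it adds. The same applies to the assertion in `02-assert.yaml`, which checks only that the container named `signed` exists.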
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-assert.yaml
new file mode 100644
index 0000000000..b1cd0a9ce3
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: signed
+  namespace: default
+spec:
+  containers:
+  - name: signed
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-pod.yaml
new file mode 100644
index 0000000000..775c9c20c3
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-pod.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: signed
+  namespace: default
+spec:
+  containers:
+  - image: ghcr.io/kyverno/test-verify-image:signed
+    imagePullPolicy: IfNotPresent
+    name: signed
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/99-cleanup.yaml
new file mode 100644
index 0000000000..893aa6f305
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete -f 01-policy.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/README.md
new file mode 100644
index 0000000000..b3626dfecd
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/README.md
@@ -0,0 +1,11 @@
+## Description
+
+A `VerifyImages` rule specifying multiple attestors should allow pod creation with valid images.
+
+## Expected Behavior
+
+The pod `signed` should be created successfully.
+
+## Reference Issue(s)
+
+Slack discussion - https://kubernetes.slack.com/archives/CLGR9BJU9/p1673303296239259.
\ No newline at end of file