mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 17:37:12 +00:00
031c23d906
* fix: add unit tests for cosign keyed image verification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: add unit tests for cosign keyed image verification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
132 lines
4.4 KiB
Go
132 lines
4.4 KiB
Go
package cosign
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"github.com/go-logr/logr"
|
|
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
|
|
"github.com/kyverno/kyverno/pkg/imagedataloader"
|
|
"github.com/kyverno/kyverno/pkg/logging"
|
|
"github.com/pkg/errors"
|
|
"github.com/sigstore/cosign/v2/pkg/cosign"
|
|
"github.com/sigstore/cosign/v2/pkg/policy"
|
|
k8scorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
|
|
)
|
|
|
|
type cosignVerifier struct {
|
|
secretInterface k8scorev1.SecretInterface
|
|
log logr.Logger
|
|
}
|
|
|
|
func NewVerifier(secretInterface k8scorev1.SecretInterface) *cosignVerifier {
|
|
return &cosignVerifier{
|
|
log: logging.WithName("Notary"),
|
|
secretInterface: secretInterface,
|
|
}
|
|
}
|
|
|
|
func (v *cosignVerifier) VerifyImageSignature(ctx context.Context, image *imagedataloader.ImageData, attestor *policiesv1alpha1.Attestor) error {
|
|
if attestor.Cosign == nil {
|
|
return fmt.Errorf("cosign verifier only supports cosign attestor")
|
|
}
|
|
|
|
logger := v.log.WithValues("image", image.Image, "digest", image.Digest, "attestor", attestor.Name)
|
|
logger.V(2).Info("verifying cosign image signature", "image", image.Image)
|
|
|
|
cOpts, err := checkOptions(ctx, attestor.Cosign, image.RemoteOpts, image.NameOpts, v.secretInterface)
|
|
if err != nil {
|
|
err := errors.Wrapf(err, "failed to build cosign verification opts")
|
|
logger.Error(err, "image verification failed")
|
|
return err
|
|
}
|
|
cOpts.ClaimVerifier = cosign.SimpleClaimVerifier
|
|
|
|
sigs, verified, err := cosign.VerifyImageSignatures(ctx, image.NameRef, cOpts)
|
|
if err != nil {
|
|
err := errors.Wrapf(err, "failed to verify cosign signatures")
|
|
logger.Error(err, "image verification failed")
|
|
return err
|
|
} else if !verified {
|
|
if !(attestor.Cosign.CTLog.InsecureIgnoreTlog || attestor.Cosign.CTLog.InsecureIgnoreSCT) {
|
|
err := fmt.Errorf("transparency log or timestamp verification failed")
|
|
logger.Error(err, "image verification failed")
|
|
return err
|
|
}
|
|
} else if len(sigs) == 0 {
|
|
err := fmt.Errorf("signatures not found")
|
|
logger.Error(err, "image verification failed")
|
|
return err
|
|
}
|
|
|
|
if len(attestor.Cosign.Annotations) != 0 {
|
|
for _, sig := range sigs {
|
|
if err := checkSignatureAnnotations(sig, attestor.Cosign.Annotations); err != nil {
|
|
logger.Error(err, "image verification failed")
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (v *cosignVerifier) VerifyAttestationSignature(ctx context.Context, image *imagedataloader.ImageData, attestation *policiesv1alpha1.Attestation, attestor *policiesv1alpha1.Attestor) error {
|
|
if attestation.InToto == nil {
|
|
return fmt.Errorf("cosgin verifier only supports intoto referrers as attestations")
|
|
}
|
|
if attestor.Cosign == nil {
|
|
return fmt.Errorf("cosign verifier only supports cosign attestor")
|
|
}
|
|
|
|
logger := v.log.WithValues("image", image.Image, "digest", image.Digest, "attestation", attestation.Name, "attestor", attestor.Name)
|
|
logger.V(2).Info("verifying cosign attestation signature", "image", image.Image)
|
|
|
|
cOpts, err := checkOptions(ctx, attestor.Cosign, image.RemoteOpts, image.NameOpts, v.secretInterface)
|
|
if err != nil {
|
|
err := errors.Wrapf(err, "failed to build cosign verification opts")
|
|
logger.Error(err, "image verification failed")
|
|
return err
|
|
}
|
|
cOpts.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
|
|
sigs, verified, err := cosign.VerifyImageAttestations(ctx, image.NameRef, cOpts)
|
|
if err != nil {
|
|
err := errors.Wrapf(err, "failed to verify cosign signatures")
|
|
logger.Error(err, "image verification failed")
|
|
return err
|
|
} else if !verified {
|
|
err := fmt.Errorf("cosign bundle verification failed")
|
|
logger.Error(err, "image verification failed")
|
|
return err
|
|
}
|
|
|
|
checkedTypes := []string{}
|
|
found := false
|
|
for _, s := range sigs {
|
|
payload, gotType, err := policy.AttestationToPayloadJSON(ctx, attestation.InToto.Type, s)
|
|
if err != nil {
|
|
return fmt.Errorf("converting to consumable policy validation: %w", err)
|
|
}
|
|
checkedTypes = append(checkedTypes, gotType)
|
|
if len(payload) == 0 {
|
|
// This is not the predicate type we're looking for.
|
|
continue
|
|
}
|
|
|
|
if err := checkSignatureAnnotations(s, attestor.Cosign.Annotations); err != nil {
|
|
logger.Error(err, "image verification failed")
|
|
return err
|
|
}
|
|
|
|
found = true
|
|
image.AddVerifiedIntotoPayloads(gotType, payload)
|
|
}
|
|
|
|
if !found {
|
|
err := fmt.Errorf("required predicate type %s not found, found %v", attestation.InToto.Type, checkedTypes)
|
|
logger.Error(err, "image verification failed")
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|