mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity
kyverno/pkg/cosign/cosign.go
Charles-Edouard Brétéché f87fa52cb7
feat: bump to k8s 1.31 (#10938) 
* feat: bump to k8s 1.31

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* tidy

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* mod

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix otel

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix otel schema

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* update linter

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: fix image verification tests

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* linter issues

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* cel change

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
2024-08-28 17:09:58 +00:00

717 lines
21 KiB
Go
Raw Blame History

package cosign
import (
"bytes"
"context"
"crypto"
"crypto/x509"
"encoding/base64"
"encoding/json"
"fmt"
"regexp"
"strings"
"github.com/google/go-containerregistry/pkg/name"
"github.com/in-toto/in-toto-golang/in_toto"
"github.com/kyverno/kyverno/ext/wildcard"
"github.com/kyverno/kyverno/pkg/images"
"github.com/kyverno/kyverno/pkg/tracing"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
"github.com/sigstore/cosign/v2/pkg/cosign"
"github.com/sigstore/cosign/v2/pkg/cosign/attestation"
"github.com/sigstore/cosign/v2/pkg/oci"
"github.com/sigstore/cosign/v2/pkg/oci/remote"
sigs "github.com/sigstore/cosign/v2/pkg/signature"
rekorclient "github.com/sigstore/rekor/pkg/client"
"github.com/sigstore/sigstore/pkg/cryptoutils"
"github.com/sigstore/sigstore/pkg/fulcioroots"
"github.com/sigstore/sigstore/pkg/signature"
"github.com/sigstore/sigstore/pkg/signature/payload"
"github.com/sigstore/sigstore/pkg/tuf"
"go.opentelemetry.io/otel/trace"
"go.uber.org/multierr"
)
var signatureAlgorithmMap = map[string]crypto.Hash{
"": crypto.SHA256,
"sha224": crypto.SHA224,
"sha256": crypto.SHA256,
"sha384": crypto.SHA384,
"sha512": crypto.SHA512,
}
func NewVerifier() images.ImageVerifier {
return &cosignVerifier{}
}
type cosignVerifier struct{}
func (v *cosignVerifier) VerifySignature(ctx context.Context, opts images.Options) (*images.Response, error) {
if opts.SigstoreBundle {
results, err := verifyBundleAndFetchAttestations(ctx, opts)
if err != nil {
return nil, err
}
if len(results) == 0 {
return nil, fmt.Errorf("sigstore bundle verification failed: no matching signatures found")
}
return &images.Response{Digest: results[0].Desc.Digest.String()}, nil
}
ref, err := name.ParseReference(opts.ImageRef)
if err != nil {
return nil, fmt.Errorf("failed to parse image %s", opts.ImageRef)
}
signatures, bundleVerified, err := tracing.ChildSpan3(
ctx,
"",
"VERIFY IMG SIGS",
func(ctx context.Context, span trace.Span) ([]oci.Signature, bool, error) {
cosignOpts, err := buildCosignOptions(ctx, opts)
if err != nil {
return nil, false, err
}
return client.VerifyImageSignatures(ctx, ref, cosignOpts)
},
)
if err != nil {
logger.Info("image verification failed", "error", err.Error())
return nil, err
}
logger.V(3).Info("verified image", "count", len(signatures), "bundleVerified", bundleVerified)
payload, err := extractPayload(signatures)
if err != nil {
return nil, err
}
if err := matchSignatures(signatures, opts.Subject, opts.SubjectRegExp, opts.Issuer, opts.IssuerRegExp, opts.AdditionalExtensions); err != nil {
return nil, err
}
err = checkAnnotations(payload, opts.Annotations)
if err != nil {
return nil, err
}
var digest string
if opts.Type == "" {
digest, err = extractDigest(opts.ImageRef, payload)
if err != nil {
return nil, err
}
}
return &images.Response{Digest: digest}, nil
}
func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.CheckOpts, error) {
var err error
options, err := opts.Client.Options(ctx)
if err != nil {
return nil, fmt.Errorf("constructing cosign remote options: %w", err)
}
cosignOpts := &cosign.CheckOpts{
Annotations: map[string]interface{}{},
RegistryClientOpts: []remote.Option{remote.WithRemoteOptions(options...)},
}
if opts.FetchAttestations {
cosignOpts.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
} else {
cosignOpts.ClaimVerifier = cosign.SimpleClaimVerifier
}
if opts.Roots != "" {
cp, err := loadCertPool([]byte(opts.Roots))
if err != nil {
return nil, fmt.Errorf("failed to load Root certificates: %w", err)
}
cosignOpts.RootCerts = cp
}
if opts.Key != "" {
if strings.HasPrefix(strings.TrimSpace(opts.Key), "-----BEGIN PUBLIC KEY-----") {
if signatureAlgorithm, ok := signatureAlgorithmMap[opts.SignatureAlgorithm]; ok {
cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), signatureAlgorithm)
if err != nil {
return nil, fmt.Errorf("failed to load public key from PEM: %w", err)
}
} else {
return nil, fmt.Errorf("invalid signature algorithm provided %s", opts.SignatureAlgorithm)
}
} else {
// this supports Kubernetes secrets and KMS
cosignOpts.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, opts.Key)
if err != nil {
return nil, fmt.Errorf("failed to load public key from %s: %w", opts.Key, err)
}
}
} else {
if opts.Cert != "" {
// load cert and optionally a cert chain as a verifier
cert, err := loadCert([]byte(opts.Cert))
if err != nil {
return nil, fmt.Errorf("failed to load certificate from %s: %w", opts.Cert, err)
}
if opts.CertChain == "" {
cosignOpts.SigVerifier, err = signature.LoadVerifier(cert.PublicKey, crypto.SHA256)
if err != nil {
return nil, fmt.Errorf("failed to load signature from certificate: %w", err)
}
} else {
// Verify certificate with chain
chain, err := loadCertChain([]byte(opts.CertChain))
if err != nil {
return nil, fmt.Errorf("failed to load load certificate chain: %w", err)
}
cosignOpts.SigVerifier, err = cosign.ValidateAndUnpackCertWithChain(cert, chain, cosignOpts)
if err != nil {
return nil, fmt.Errorf("failed to load validate certificate chain: %w", err)
}
}
} else if opts.CertChain != "" {
// load cert chain as roots
cp, err := loadCertPool([]byte(opts.CertChain))
if err != nil {
return nil, fmt.Errorf("failed to load certificates: %w", err)
}
cosignOpts.RootCerts = cp
} else {
// if key, cert, and roots are not provided, default to Fulcio roots
if cosignOpts.RootCerts == nil {
roots, err := fulcioroots.Get()
if err != nil {
return nil, fmt.Errorf("failed to get roots from fulcio: %w", err)
}
cosignOpts.RootCerts = roots
if cosignOpts.RootCerts == nil {
return nil, fmt.Errorf("failed to initialize roots")
}
}
}
}
cosignOpts.IgnoreTlog = opts.IgnoreTlog
if !opts.IgnoreTlog {
cosignOpts.RekorClient, err = rekorclient.GetRekorClient(opts.RekorURL)
if err != nil {
return nil, fmt.Errorf("failed to create Rekor client from URL %s: %w", opts.RekorURL, err)
}
cosignOpts.RekorPubKeys, err = getRekorPubs(ctx, opts.RekorPubKey)
if err != nil {
return nil, fmt.Errorf("failed to load Rekor public keys: %w", err)
}
}
cosignOpts.IgnoreSCT = opts.IgnoreSCT
if !opts.IgnoreSCT {
cosignOpts.CTLogPubKeys, err = getCTLogPubs(ctx, opts.CTLogsPubKey)
if err != nil {
return nil, fmt.Errorf("failed to load CTLogs public keys: %w", err)
}
}
if opts.Repository != "" {
signatureRepo, err := name.NewRepository(opts.Repository)
if err != nil {
return nil, fmt.Errorf("failed to parse signature repository %s: %w", opts.Repository, err)
}
cosignOpts.RegistryClientOpts = append(cosignOpts.RegistryClientOpts, remote.WithTargetRepository(signatureRepo))
}
if opts.TSACertChain != "" {
leaves, intermediates, roots, err := splitPEMCertificateChain([]byte(opts.TSACertChain))
if err != nil {
return nil, fmt.Errorf("error splitting tsa certificates: %w", err)
}
if len(leaves) > 1 {
return nil, fmt.Errorf("certificate chain must contain at most one TSA certificate")
}
if len(leaves) == 1 {
cosignOpts.TSACertificate = leaves[0]
}
cosignOpts.TSAIntermediateCertificates = intermediates
cosignOpts.TSARootCertificates = roots
}
cosignOpts.ExperimentalOCI11 = opts.CosignOCI11
return cosignOpts, nil
}
func loadCertPool(roots []byte) (*x509.CertPool, error) {
cp := x509.NewCertPool()
if !cp.AppendCertsFromPEM(roots) {
return nil, fmt.Errorf("error creating root cert pool")
}
return cp, nil
}
func loadCert(pem []byte) (*x509.Certificate, error) {
var out []byte
out, err := base64.StdEncoding.DecodeString(string(pem))
if err != nil {
// not a base64
out = pem
}
certs, err := cryptoutils.UnmarshalCertificatesFromPEM(out)
if err != nil {
return nil, fmt.Errorf("failed to unmarshal certificate from PEM format: %w", err)
}
if len(certs) == 0 {
return nil, fmt.Errorf("no certs found in pem file")
}
return certs[0], nil
}
func loadCertChain(pem []byte) ([]*x509.Certificate, error) {
return cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(pem))
}
func (v *cosignVerifier) FetchAttestations(ctx context.Context, opts images.Options) (*images.Response, error) {
if opts.SigstoreBundle {
results, err := verifyBundleAndFetchAttestations(ctx, opts)
if err != nil {
return nil, err
}
if len(results) == 0 {
return nil, fmt.Errorf("sigstore bundle verification failed: no matching signatures found")
}
statements, err := decodeStatementsFromBundles(results)
if err != nil {
return nil, err
}
return &images.Response{Digest: results[0].Desc.Digest.String(), Statements: statements}, nil
}
cosignOpts, err := buildCosignOptions(ctx, opts)
if err != nil {
return nil, err
}
signatures, bundleVerified, err := tracing.ChildSpan3(
ctx,
"",
"VERIFY IMG ATTESTATIONS",
func(ctx context.Context, span trace.Span) (checkedAttestations []oci.Signature, bundleVerified bool, err error) {
ref, err := name.ParseReference(opts.ImageRef)
if err != nil {
return nil, false, fmt.Errorf("failed to parse image: %w", err)
}
return client.VerifyImageAttestations(ctx, ref, cosignOpts)
},
)
if err != nil {
msg := err.Error()
logger.Info("failed to fetch attestations", "error", msg)
if strings.Contains(msg, "MANIFEST_UNKNOWN: manifest unknown") {
return nil, fmt.Errorf("not found")
}
return nil, err
}
payload, err := extractPayload(signatures)
if err != nil {
return nil, err
}
for _, signature := range signatures {
match, predicateType, err := matchType(signature, opts.Type)
if err != nil {
return nil, err
}
if !match {
logger.V(4).Info("type doesn't match, continue", "expected", opts.Type, "received", predicateType)
continue
}
if err := matchSignatures([]oci.Signature{signature}, opts.Subject, opts.SubjectRegExp, opts.Issuer, opts.IssuerRegExp, opts.AdditionalExtensions); err != nil {
return nil, err
}
}
err = checkAnnotations(payload, opts.Annotations)
if err != nil {
return nil, err
}
logger.V(3).Info("verified images", "signatures", len(signatures), "bundleVerified", bundleVerified)
inTotoStatements, digest, err := decodeStatements(signatures)
if err != nil {
return nil, err
}
return &images.Response{Digest: digest, Statements: inTotoStatements}, nil
}
func matchType(sig oci.Signature, expectedType string) (bool, string, error) {
if expectedType != "" {
statement, _, err := decodeStatement(sig)
if err != nil {
return false, "", fmt.Errorf("failed to decode type: %w", err)
}
if pType, ok := statement["type"]; ok {
if pType.(string) == expectedType {
return true, pType.(string), nil
}
}
}
return false, "", nil
}
func decodeStatements(sigs []oci.Signature) ([]map[string]interface{}, string, error) {
if len(sigs) == 0 {
return []map[string]interface{}{}, "", nil
}
var digest string
var statement map[string]interface{}
decodedStatements := make([]map[string]interface{}, len(sigs))
for i, sig := range sigs {
var err error
statement, digest, err = decodeStatement(sig)
if err != nil {
return nil, "", err
}
decodedStatements[i] = statement
}
return decodedStatements, digest, nil
}
func decodeStatement(sig oci.Signature) (map[string]interface{}, string, error) {
var digest string
pld, err := sig.Payload()
if err != nil {
return nil, "", fmt.Errorf("failed to decode payload: %w", err)
}
sci := payload.SimpleContainerImage{}
if err := json.Unmarshal(pld, &sci); err != nil {
return nil, "", fmt.Errorf("error decoding the payload: %w", err)
}
if d := sci.Critical.Image.DockerManifestDigest; d != "" {
digest = d
}
data := make(map[string]interface{})
if err := json.Unmarshal(pld, &data); err != nil {
return nil, "", fmt.Errorf("failed to unmarshal JSON payload: %v: %w", sig, err)
}
if dataPayload, ok := data["payload"]; !ok {
return nil, "", fmt.Errorf("missing payload in %v", data)
} else {
decodedStatement, err := decodePayload(dataPayload.(string))
if err != nil {
return nil, "", fmt.Errorf("failed to decode statement %s: %w", string(pld), err)
}
decodedStatement["type"] = decodedStatement["predicateType"]
return decodedStatement, digest, nil
}
}
func decodePayload(payloadBase64 string) (map[string]interface{}, error) {
statementRaw, err := base64.StdEncoding.DecodeString(payloadBase64)
if err != nil {
return nil, fmt.Errorf("failed to base64 decode payload for %v: %w", statementRaw, err)
}
var statement in_toto.Statement //nolint:staticcheck
if err := json.Unmarshal(statementRaw, &statement); err != nil {
return nil, err
}
if statement.Type != attestation.CosignCustomProvenanceV01 {
// This assumes that the following statements are JSON objects:
// - in_toto.PredicateSLSAProvenanceV01
// - in_toto.PredicateLinkV1
// - in_toto.PredicateSPDX
// any other custom predicate
return datautils.ToMap(statement)
}
return decodeCosignCustomProvenanceV01(statement)
}
func decodeCosignCustomProvenanceV01(statement in_toto.Statement) (map[string]interface{}, error) { //nolint:staticcheck
if statement.Type != attestation.CosignCustomProvenanceV01 {
return nil, fmt.Errorf("invalid statement type %s", attestation.CosignCustomProvenanceV01)
}
predicate, ok := statement.Predicate.(map[string]interface{})
if !ok {
return nil, fmt.Errorf("failed to decode CosignCustomProvenanceV01")
}
cosignPredicateData := predicate["Data"]
if cosignPredicateData == nil {
return nil, fmt.Errorf("missing predicate in CosignCustomProvenanceV01")
}
// attempt to parse as a JSON object type
data, err := stringToJSONMap(cosignPredicateData)
if err == nil {
predicate["Data"] = data
statement.Predicate = predicate
}
return datautils.ToMap(statement)
}
func stringToJSONMap(i interface{}) (map[string]interface{}, error) {
s, ok := i.(string)
if !ok {
return nil, fmt.Errorf("expected string type")
}
data := map[string]interface{}{}
if err := json.Unmarshal([]byte(s), &data); err != nil {
return nil, fmt.Errorf("failed to marshal JSON: %w", err)
}
return data, nil
}
func decodePEM(raw []byte, signatureAlgorithm crypto.Hash) (signature.Verifier, error) {
// PEM encoded file.
pubKey, err := cryptoutils.UnmarshalPEMToPublicKey(raw)
if err != nil {
return nil, fmt.Errorf("pem to public key: %w", err)
}
return signature.LoadVerifier(pubKey, signatureAlgorithm)
}
func extractPayload(verified []oci.Signature) ([]payload.SimpleContainerImage, error) {
sigPayloads := make([]payload.SimpleContainerImage, 0, len(verified))
for _, sig := range verified {
pld, err := sig.Payload()
if err != nil {
return nil, fmt.Errorf("failed to get payload: %w", err)
}
sci := payload.SimpleContainerImage{}
if err := json.Unmarshal(pld, &sci); err != nil {
return nil, fmt.Errorf("error decoding the payload: %w", err)
}
sigPayloads = append(sigPayloads, sci)
}
return sigPayloads, nil
}
func extractDigest(imgRef string, payload []payload.SimpleContainerImage) (string, error) {
for _, p := range payload {
if digest := p.Critical.Image.DockerManifestDigest; digest != "" {
return digest, nil
} else {
return "", fmt.Errorf("failed to extract image digest from signature payload for %s", imgRef)
}
}
return "", fmt.Errorf("digest not found for %s", imgRef)
}
func matchSignatures(signatures []oci.Signature, subject, subjectRegExp, issuer, issuerRegExp string, extensions map[string]string) error {
if subject == "" && issuer == "" && len(extensions) == 0 {
return nil
}
var errs []error
for _, sig := range signatures {
cert, err := sig.Cert()
if err != nil {
return fmt.Errorf("failed to read certificate: %w", err)
}
if cert == nil {
return fmt.Errorf("certificate not found")
}
if err := matchCertificateData(cert, subject, subjectRegExp, issuer, issuerRegExp, extensions); err != nil {
errs = append(errs, err)
} else {
// only one signature certificate needs to match the required subject, issuer, and extensions
return nil
}
}
if len(errs) > 0 {
err := multierr.Combine(errs...)
return err
}
return fmt.Errorf("invalid signature")
}
func matchCertificateData(cert *x509.Certificate, subject, subjectRegExp, issuer, issuerRegExp string, extensions map[string]string) error {
if subject != "" || subjectRegExp != "" {
if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 {
subjectMatched := false
if subject != "" {
for _, s := range sans {
if wildcard.Match(subject, s) {
subjectMatched = true
break
}
}
}
if subjectRegExp != "" {
regex, err := regexp.Compile(subjectRegExp)
if err != nil {
return fmt.Errorf("invalid regexp for subject: %s : %w", subjectRegExp, err)
}
for _, s := range sans {
if regex.MatchString(s) {
subjectMatched = true
break
}
}
}
if !subjectMatched {
sub := ""
if subject != "" {
sub = subject
} else if subjectRegExp != "" {
sub = subjectRegExp
}
return fmt.Errorf("subject mismatch: expected %s, received %s", sub, strings.Join(sans, ", "))
}
}
}
if err := matchExtensions(cert, issuer, issuerRegExp, extensions); err != nil {
return err
}
return nil
}
func matchExtensions(cert *x509.Certificate, issuer, issuerRegExp string, extensions map[string]string) error {
ce := cosign.CertExtensions{Cert: cert}
if issuer != "" || issuerRegExp != "" {
val := ce.GetIssuer()
if issuer != "" {
if !wildcard.Match(issuer, val) {
return fmt.Errorf("issuer mismatch: expected %s, received %s", issuer, val)
}
}
if issuerRegExp != "" {
if regex, err := regexp.Compile(issuerRegExp); err != nil {
return fmt.Errorf("invalid regexp for issuer: %s : %w", issuerRegExp, err)
} else if !regex.MatchString(val) {
return fmt.Errorf("issuer mismatch: expected %s, received %s", issuerRegExp, val)
}
}
}
for requiredKey, requiredValue := range extensions {
val, err := extractCertExtensionValue(requiredKey, ce)
if err != nil {
return err
}
if !wildcard.Match(requiredValue, val) {
return fmt.Errorf("extension mismatch: expected %s for key %s, received %s", requiredValue, requiredKey, val)
}
}
return nil
}
func extractCertExtensionValue(key string, ce cosign.CertExtensions) (string, error) {
switch key {
case cosign.CertExtensionOIDCIssuer, cosign.CertExtensionMap[cosign.CertExtensionOIDCIssuer]:
return ce.GetIssuer(), nil
case cosign.CertExtensionGithubWorkflowTrigger, cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowTrigger]:
return ce.GetCertExtensionGithubWorkflowTrigger(), nil
case cosign.CertExtensionGithubWorkflowSha, cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowSha]:
return ce.GetExtensionGithubWorkflowSha(), nil
case cosign.CertExtensionGithubWorkflowName, cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowName]:
return ce.GetCertExtensionGithubWorkflowName(), nil
case cosign.CertExtensionGithubWorkflowRepository, cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowRepository]:
return ce.GetCertExtensionGithubWorkflowRepository(), nil
case cosign.CertExtensionGithubWorkflowRef, cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowRef]:
return ce.GetCertExtensionGithubWorkflowRef(), nil
default:
return "", fmt.Errorf("invalid certificate extension %s", key)
}
}
func checkAnnotations(payload []payload.SimpleContainerImage, annotations map[string]string) error {
for _, p := range payload {
for key, val := range annotations {
if val != p.Optional[key] {
return fmt.Errorf("annotations mismatch: %s does not match expected value %s for key %s",
p.Optional[key], val, key)
}
}
}
return nil
}
func getRekorPubs(ctx context.Context, rekorPubKey string) (*cosign.TrustedTransparencyLogPubKeys, error) {
if rekorPubKey == "" {
return cosign.GetRekorPubs(ctx)
}
publicKeys := cosign.NewTrustedTransparencyLogPubKeys()
if err := publicKeys.AddTransparencyLogPubKey([]byte(rekorPubKey), tuf.Active); err != nil {
return nil, fmt.Errorf("failed to get rekor public keys: %w", err)
}
return &publicKeys, nil
}
func getCTLogPubs(ctx context.Context, ctlogPubKey string) (*cosign.TrustedTransparencyLogPubKeys, error) {
if ctlogPubKey == "" {
return cosign.GetCTLogPubs(ctx)
}
publicKeys := cosign.NewTrustedTransparencyLogPubKeys()
if err := publicKeys.AddTransparencyLogPubKey([]byte(ctlogPubKey), tuf.Active); err != nil {
return nil, fmt.Errorf("failed to get transparency log public keys: %w", err)
}
return &publicKeys, nil
}
func splitPEMCertificateChain(pem []byte) (leaves, intermediates, roots []*x509.Certificate, err error) {
certs, err := cryptoutils.UnmarshalCertificatesFromPEM(pem)
if err != nil {
return nil, nil, nil, err
}
for _, cert := range certs {
if !cert.IsCA {
leaves = append(leaves, cert)
} else {
// root certificates are self-signed
if bytes.Equal(cert.RawSubject, cert.RawIssuer) {
roots = append(roots, cert)
} else {
intermediates = append(intermediates, cert)
}
}
}
return leaves, intermediates, roots, nil
}
View git blame Copy permalink