Separate RegExp matching of issuer/subject from strict

.github/workflows/kind-cluster-image-policy-with-attestations.yaml

@@ -90,6 +90,7 @@ jobs:
         kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
 
     - name: Run Cluster Image Policy Tests with attestations
+      timeout-minutes: 15
       run: |
         ./test/e2e_test_cluster_image_policy_with_attestations.sh
 

.github/workflows/kind-cluster-image-policy.yaml

@@ -41,7 +41,7 @@ jobs:
     env:
       KNATIVE_VERSION: "1.1.0"
       KO_DOCKER_REPO: "registry.local:5000/policy-controller"
-      SCAFFOLDING_RELEASE_VERSION: "v0.2.2"
+      SCAFFOLDING_RELEASE_VERSION: "v0.2.8"
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w
       KOCACHE: ~/ko
@@ -90,6 +90,7 @@ jobs:
         kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
 
     - name: Run Cluster Image Policy Tests
+      timeout-minutes: 15
       run: |
         ./test/e2e_test_cluster_image_policy.sh
 

config/300-clusterimagepolicy.yaml

@@ -125,8 +125,12 @@ spec:
                               properties:
                                 issuer:
                                   type: string
+                                issuerRegExp:
+                                  type: string
                                 subject:
                                   type: string
+                                subjectRegExp:
+                                  type: string
                           url:
                             type: string
                       name:

pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go

@@ -178,13 +178,19 @@ type ConfigMapReference struct {
 	Namespace string `json:"namespace,omitempty"`
 }
 
-// Identity may contain the issuer and/or the subject found in the transparency log.
-// Either field supports a pattern glob.
+// Identity may contain the issuer and/or the subject found in the transparency
+// log.
+// Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
+// apply a regexp for matching.
 type Identity struct {
 	// +optional
 	Issuer string `json:"issuer,omitempty"`
 	// +optional
 	Subject string `json:"subject,omitempty"`
+	// +optional
+	IssuerRegExp string `json:"issuerRegExp,omitempty"`
+	// +optional
+	SubjectRegExp string `json:"subjectRegExp,omitempty"`
 }
 
 // ClusterImagePolicyList is a list of ClusterImagePolicy resources

pkg/apis/policy/v1alpha1/clusterimagepolicy_validation.go

@@ -193,14 +193,14 @@ func (p *Policy) Validate(ctx context.Context) *apis.FieldError {
 
 func (identity *Identity) Validate(ctx context.Context) *apis.FieldError {
 	var errs *apis.FieldError
-	if identity.Issuer == "" && identity.Subject == "" {
-		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject"))
+	if identity.Issuer == "" && identity.Subject == "" && identity.IssuerRegExp == "" && identity.SubjectRegExp == "" {
+		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject", "issuerRegExp", "subjectRegExp"))
 	}
-	if identity.Issuer != "" {
-		errs = errs.Also(ValidateRegex(identity.Issuer).ViaField("issuer"))
+	if identity.IssuerRegExp != "" {
+		errs = errs.Also(ValidateRegex(identity.IssuerRegExp).ViaField("issuerRegExp"))
 	}
-	if identity.Subject != "" {
-		errs = errs.Also(ValidateRegex(identity.Subject).ViaField("subject"))
+	if identity.SubjectRegExp != "" {
+		errs = errs.Also(ValidateRegex(identity.SubjectRegExp).ViaField("subjectRegExp"))
 	}
 	return errs
 }

pkg/apis/policy/v1alpha1/clusterimagepolicy_validation_test.go

@@ -649,7 +649,7 @@ func TestIdentitiesValidation(t *testing.T) {
 		{
 			name:        "Should fail when issuer has invalid regex",
 			expectErr:   true,
-			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].issuer\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].issuerRegExp\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
 			policy: ClusterImagePolicy{
 				Spec: ClusterImagePolicySpec{
 					Images: []ImagePattern{
@@ -660,7 +660,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Issuer: "****"}},
+								Identities: []Identity{{IssuerRegExp: "****"}},
 							},
 						},
 					},
@@ -670,7 +670,7 @@ func TestIdentitiesValidation(t *testing.T) {
 		{
 			name:        "Should fail when subject has invalid regex",
 			expectErr:   true,
-			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].subject\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].subjectRegExp\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
 			policy: ClusterImagePolicy{
 				Spec: ClusterImagePolicySpec{
 					Images: []ImagePattern{
@@ -681,7 +681,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Subject: "****"}},
+								Identities: []Identity{{SubjectRegExp: "****"}},
 							},
 						},
 					},

pkg/apis/policy/v1beta1/clusterimagepolicy_types.go

@@ -178,13 +178,19 @@ type ConfigMapReference struct {
 	Namespace string `json:"namespace,omitempty"`
 }
 
-// Identity may contain the issuer and/or the subject found in the transparency log.
-// Either field supports a pattern glob.
+// Identity may contain the issuer and/or the subject found in the transparency
+// log.
+// Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
+// apply a regexp for matching.
 type Identity struct {
 	// +optional
 	Issuer string `json:"issuer,omitempty"`
 	// +optional
 	Subject string `json:"subject,omitempty"`
+	// +optional
+	IssuerRegExp string `json:"issuerRegExp,omitempty"`
+	// +optional
+	SubjectRegExp string `json:"subjectRegExp,omitempty"`
 }
 
 // ClusterImagePolicyList is a list of ClusterImagePolicy resources

pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go

@@ -193,14 +193,14 @@ func (p *Policy) Validate(ctx context.Context) *apis.FieldError {
 
 func (identity *Identity) Validate(ctx context.Context) *apis.FieldError {
 	var errs *apis.FieldError
-	if identity.Issuer == "" && identity.Subject == "" {
-		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject"))
+	if identity.Issuer == "" && identity.Subject == "" && identity.IssuerRegExp == "" && identity.SubjectRegExp == "" {
+		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject", "issuerRegExp", "subjectRegExp"))
 	}
-	if identity.Issuer != "" {
-		errs = errs.Also(ValidateRegex(identity.Issuer).ViaField("issuer"))
+	if identity.IssuerRegExp != "" {
+		errs = errs.Also(ValidateRegex(identity.IssuerRegExp).ViaField("issuerRegExp"))
 	}
-	if identity.Subject != "" {
-		errs = errs.Also(ValidateRegex(identity.Subject).ViaField("subject"))
+	if identity.SubjectRegExp != "" {
+		errs = errs.Also(ValidateRegex(identity.SubjectRegExp).ViaField("subjectRegExp"))
 	}
 	return errs
 }

pkg/apis/policy/v1beta1/clusterimagepolicy_validation_test.go

@@ -615,7 +615,7 @@ func TestIdentitiesValidation(t *testing.T) {
 		{
 			name:        "Should fail when issuer has invalid regex",
 			expectErr:   true,
-			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].issuer\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].issuerRegExp\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
 			policy: ClusterImagePolicy{
 				Spec: ClusterImagePolicySpec{
 					Images: []ImagePattern{
@@ -626,7 +626,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Issuer: "****"}},
+								Identities: []Identity{{IssuerRegExp: "****"}},
 							},
 						},
 					},
@@ -636,7 +636,7 @@ func TestIdentitiesValidation(t *testing.T) {
 		{
 			name:        "Should fail when subject has invalid regex",
 			expectErr:   true,
-			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].subject\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].subjectRegExp\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
 			policy: ClusterImagePolicy{
 				Spec: ClusterImagePolicySpec{
 					Images: []ImagePattern{
@@ -647,7 +647,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Subject: "****"}},
+								Identities: []Identity{{SubjectRegExp: "****"}},
 							},
 						},
 					},
@@ -666,7 +666,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Subject: ".*subject.*", Issuer: ".*issuer.*"}},
+								Identities: []Identity{{SubjectRegExp: ".*subject.*", IssuerRegExp: ".*issuer.*"}},
 							},
 						},
 					},

pkg/cosign/kubernetes/webhook/validation.go

@@ -91,7 +91,7 @@ func validSignatures(ctx context.Context, ref name.Reference, verifier signature
 func validSignaturesWithFulcio(ctx context.Context, ref name.Reference, fulcioRoots *x509.CertPool, rekorClient *client.Rekor, identities []v1alpha1.Identity, opts ...ociremote.Option) ([]oci.Signature, error) {
 	ids := make([]cosign.Identity, len(identities))
 	for i, id := range identities {
-		ids[i] = cosign.Identity{Issuer: id.Issuer, Subject: id.Subject}
+		ids[i] = cosign.Identity{Issuer: id.Issuer, Subject: id.Subject, IssuerRegExp: id.IssuerRegExp, SubjectRegExp: id.SubjectRegExp}
 	}
 	sigs, _, err := cosignVerifySignatures(ctx, ref, &cosign.CheckOpts{
 		RegistryClientOpts: opts,
@@ -118,7 +118,7 @@ func validAttestations(ctx context.Context, ref name.Reference, verifier signatu
 func validAttestationsWithFulcio(ctx context.Context, ref name.Reference, fulcioRoots *x509.CertPool, rekorClient *client.Rekor, identities []v1alpha1.Identity, opts ...ociremote.Option) ([]oci.Signature, error) {
 	ids := make([]cosign.Identity, len(identities))
 	for i, id := range identities {
-		ids[i] = cosign.Identity{Issuer: id.Issuer, Subject: id.Subject}
+		ids[i] = cosign.Identity{Issuer: id.Issuer, Subject: id.Subject, IssuerRegExp: id.IssuerRegExp, SubjectRegExp: id.SubjectRegExp}
 	}
 
 	attestations, _, err := cosignVerifyAttestations(ctx, ref, &cosign.CheckOpts{

pkg/cosign/verify.go

@@ -58,10 +58,13 @@ import (
 )
 
 // Identity specifies an issuer/subject to verify a signature against.
-// Both Issuer/Subject support regexp.
+// Both IssuerRegExp/SubjectRegExp support regexp while Issuer/Subject are for
+// strict matching.
 type Identity struct {
-	Issuer  string
-	Subject string
+	Issuer        string
+	Subject       string
+	IssuerRegExp  string
+	SubjectRegExp string
 }
 
 // CheckOpts are the options for checking signatures.
@@ -223,33 +226,46 @@ func CheckCertificatePolicy(cert *x509.Certificate, co *CheckOpts) error {
 	if len(co.Identities) > 0 {
 		for _, identity := range co.Identities {
 			issuerMatches := false
+			switch {
 			// Check the issuer first
-			if identity.Issuer != "" {
+			case identity.IssuerRegExp != "":
 				issuer := getIssuer(cert)
-				if regex, err := regexp.Compile(identity.Issuer); err != nil {
-					return fmt.Errorf("malformed issuer in identity: %s : %w", identity.Issuer, err)
+				if regex, err := regexp.Compile(identity.IssuerRegExp); err != nil {
+					return fmt.Errorf("malformed issuer in identity: %s : %w", identity.IssuerRegExp, err)
 				} else if regex.MatchString(issuer) {
 					issuerMatches = true
 				}
-			} else {
+			case identity.Issuer != "":
+				if identity.Issuer == getIssuer(cert) {
+					issuerMatches = true
+				}
+			default:
 				// No issuer constraint on this identity, so checks out
 				issuerMatches = true
 			}
 
 			// Then the subject
 			subjectMatches := false
-			if identity.Subject != "" {
-				regex, err := regexp.Compile(identity.Subject)
+			switch {
+			case identity.SubjectRegExp != "":
+				regex, err := regexp.Compile(identity.SubjectRegExp)
 				if err != nil {
-					return fmt.Errorf("malformed subject in identity: %s : %w", identity.Subject, err)
+					return fmt.Errorf("malformed subject in identity: %s : %w", identity.SubjectRegExp, err)
 				}
 				for _, san := range getSubjectAlternateNames(cert) {
 					if regex.MatchString(san) {
 						subjectMatches = true
 						break
 					}
 				}
-			} else {
+			case identity.Subject != "":
+				for _, san := range getSubjectAlternateNames(cert) {
+					if san == identity.Subject {
+						subjectMatches = true
+						break
+					}
+				}
+			default:
 				// No subject constraint on this identity, so checks out
 				subjectMatches = true
 			}

pkg/cosign/verify_test.go

@@ -652,16 +652,13 @@ func TestValidateAndUnpackCertWithIdentities(t *testing.T) {
 		{identities: nil /* No matches required, checks out */},
 		{identities: []Identity{ // Strict match on both
 			{Subject: emailSubject, Issuer: oidcIssuer}},
-			emailAddresses:   []string{emailSubject},
-			wantErrSubstring: ""},
+			emailAddresses: []string{emailSubject}},
 		{identities: []Identity{ // just issuer
 			{Issuer: oidcIssuer}},
-			emailAddresses:   []string{emailSubject},
-			wantErrSubstring: ""},
+			emailAddresses: []string{emailSubject}},
 		{identities: []Identity{ // just subject
 			{Subject: emailSubject}},
-			emailAddresses:   []string{emailSubject},
-			wantErrSubstring: ""},
+			emailAddresses: []string{emailSubject}},
 		{identities: []Identity{ // mis-match
 			{Subject: "wrongsubject", Issuer: oidcIssuer},
 			{Subject: emailSubject, Issuer: "wrongissuer"}},
@@ -670,29 +667,28 @@ func TestValidateAndUnpackCertWithIdentities(t *testing.T) {
 		{identities: []Identity{ // one good identity, other does not match
 			{Subject: "wrongsubject", Issuer: "wrongissuer"},
 			{Subject: emailSubject, Issuer: oidcIssuer}},
-			emailAddresses:   []string{emailSubject},
-			wantErrSubstring: ""},
+			emailAddresses: []string{emailSubject}},
 		{identities: []Identity{ // illegal regex for subject
-			{Subject: "****", Issuer: oidcIssuer}},
+			{SubjectRegExp: "****", Issuer: oidcIssuer}},
 			emailAddresses:   []string{emailSubject},
 			wantErrSubstring: "malformed subject in identity"},
 		{identities: []Identity{ // illegal regex for issuer
-			{Subject: emailSubject, Issuer: "****"}},
+			{Subject: emailSubject, IssuerRegExp: "****"}},
 			wantErrSubstring: "malformed issuer in identity"},
 		{identities: []Identity{ // regex matches
-			{Subject: ".*example.com", Issuer: ".*accounts.google.*"}},
+			{SubjectRegExp: ".*example.com", IssuerRegExp: ".*accounts.google.*"}},
 			emailAddresses:   []string{emailSubject},
 			wantErrSubstring: ""},
 		{identities: []Identity{ // regex matches dnsNames
-			{Subject: ".*ubject.example.com", Issuer: ".*accounts.google.*"}},
+			{SubjectRegExp: ".*ubject.example.com", IssuerRegExp: ".*accounts.google.*"}},
 			dnsNames:         dnsSubjects,
 			wantErrSubstring: ""},
 		{identities: []Identity{ // regex matches ip
-			{Subject: "1.2.3.*", Issuer: ".*accounts.google.*"}},
+			{SubjectRegExp: "1.2.3.*", IssuerRegExp: ".*accounts.google.*"}},
 			ipAddresses:      ipSubjects,
 			wantErrSubstring: ""},
 		{identities: []Identity{ // regex matches urls
-			{Subject: ".*url.examp.*", Issuer: ".*accounts.google.*"}},
+			{SubjectRegExp: ".*url.examp.*", IssuerRegExp: ".*accounts.google.*"}},
 			uris:             uriSubjects,
 			wantErrSubstring: ""},
 	}

test/testdata/policy-controller/e2e/cip-keyless-with-identities-mismatch.yaml

@@ -23,7 +23,7 @@ spec:
   - keyless:
       url: http://fulcio.fulcio-system.svc
       identities:
-      - issuer: .*kubernetes.securenamespace.*
-        subject: .*kubernetes.io/namespaces/securenamespace/serviceaccounts/default
+      - issuerRegExp: .*kubernetes.securenamespace.*
+        subjectRegExp: .*kubernetes.io/namespaces/securenamespace/serviceaccounts/default
     ctlog:
       url: http://rekor.rekor-system.svc

test/testdata/policy-controller/e2e/cip-keyless-with-identities.yaml

@@ -23,7 +23,7 @@ spec:
   - keyless:
       url: http://fulcio.fulcio-system.svc
       identities:
-      - issuer: .*kubernetes.default.*
-        subject: .*kubernetes.io/namespaces/default/serviceaccounts/default
+      - issuerRegExp: .*kubernetes.default.*
+        subjectRegExp: .*kubernetes.io/namespaces/default/serviceaccounts/default
     ctlog:
       url: http://rekor.rekor-system.svc