sigstore · vaikas · Jun 7, 2022 · Jun 3, 2022 · Jun 6, 2022 · Jun 6, 2022
diff --git a/.github/workflows/kind-cluster-image-policy-with-attestations.yaml b/.github/workflows/kind-cluster-image-policy-with-attestations.yaml
@@ -90,6 +90,7 @@ jobs:
         kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
 
     - name: Run Cluster Image Policy Tests with attestations
+      timeout-minutes: 15
       run: |
         ./test/e2e_test_cluster_image_policy_with_attestations.sh
 

diff --git a/.github/workflows/kind-cluster-image-policy.yaml b/.github/workflows/kind-cluster-image-policy.yaml
@@ -41,7 +41,7 @@ jobs:
     env:
       KNATIVE_VERSION: "1.1.0"
       KO_DOCKER_REPO: "registry.local:5000/policy-controller"
-      SCAFFOLDING_RELEASE_VERSION: "v0.2.2"
+      SCAFFOLDING_RELEASE_VERSION: "v0.2.8"
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w
       KOCACHE: ~/ko
@@ -90,6 +90,7 @@ jobs:
         kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
 
     - name: Run Cluster Image Policy Tests
+      timeout-minutes: 15
       run: |
         ./test/e2e_test_cluster_image_policy.sh
 

diff --git a/config/300-clusterimagepolicy.yaml b/config/300-clusterimagepolicy.yaml
@@ -125,8 +125,12 @@ spec:
                               properties:
                                 issuer:
                                   type: string
+                                issuerRegExp:
+                                  type: string
                                 subject:
                                   type: string
+                                subjectRegExp:
+                                  type: string
                           url:
                             type: string
                       name:
@@ -272,8 +276,12 @@ spec:
                               properties:
                                 issuer:
                                   type: string
+                                issuerRegExp:
+                                  type: string
                                 subject:
                                   type: string
+                                subjectRegExp:
+                                  type: string
                           url:
                             type: string
                       name:

diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go
@@ -103,7 +103,7 @@ func (authority *Authority) ConvertTo(ctx context.Context, sink *v1beta1.Authori
 			URL: authority.Keyless.URL.DeepCopy(),
 		}
 		for _, id := range authority.Keyless.Identities {
-			sink.Keyless.Identities = append(sink.Keyless.Identities, v1beta1.Identity{Issuer: id.Issuer, Subject: id.Subject})
+			sink.Keyless.Identities = append(sink.Keyless.Identities, v1beta1.Identity{Issuer: id.Issuer, Subject: id.Subject, IssuerRegExp: id.IssuerRegExp, SubjectRegExp: id.SubjectRegExp})
 		}
 		if authority.Keyless.CACert != nil {
 			sink.Keyless.CACert = &v1beta1.KeyRef{}
@@ -175,7 +175,7 @@ func (authority *Authority) ConvertFrom(ctx context.Context, source *v1beta1.Aut
 			URL: source.Keyless.URL.DeepCopy(),
 		}
 		for _, id := range source.Keyless.Identities {
-			authority.Keyless.Identities = append(authority.Keyless.Identities, Identity{Issuer: id.Issuer, Subject: id.Subject})
+			authority.Keyless.Identities = append(authority.Keyless.Identities, Identity{Issuer: id.Issuer, Subject: id.Subject, IssuerRegExp: id.IssuerRegExp, SubjectRegExp: id.SubjectRegExp})
 		}
 		if source.Keyless.CACert != nil {
 			authority.Keyless.CACert = &KeyRef{}

diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion_test.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion_test.go
@@ -47,6 +47,23 @@ func TestConversionRoundTripV1alpha1(t *testing.T) {
 				},
 			},
 		},
+	}, {name: "key and keyless, regexp",
+		in: &ClusterImagePolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "test-cip",
+			},
+			Spec: ClusterImagePolicySpec{
+				Images: []ImagePattern{{Glob: "*"}},
+				Authorities: []Authority{
+					{Key: &KeyRef{
+						SecretRef: &v1.SecretReference{Name: "mysecret"}}},
+					{Keyless: &KeylessRef{
+						Identities: []Identity{{SubjectRegExp: "subjectregexp", IssuerRegExp: "issuerregexp"}},
+						CACert:     &KeyRef{KMS: "kms", Data: "data", SecretRef: &v1.SecretReference{Name: "secret"}},
+					}},
+				},
+			},
+		},
 	}, {name: "source and attestations",
 		in: &ClusterImagePolicy{
 			ObjectMeta: metav1.ObjectMeta{

diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go
@@ -178,13 +178,19 @@ type ConfigMapReference struct {
 	Namespace string `json:"namespace,omitempty"`
 }
 
-// Identity may contain the issuer and/or the subject found in the transparency log.
-// Either field supports a pattern glob.
+// Identity may contain the issuer and/or the subject found in the transparency
+// log.
+// Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
+// apply a regexp for matching.
 type Identity struct {
 	// +optional
 	Issuer string `json:"issuer,omitempty"`
 	// +optional
 	Subject string `json:"subject,omitempty"`
+	// +optional
+	IssuerRegExp string `json:"issuerRegExp,omitempty"`
+	// +optional
+	SubjectRegExp string `json:"subjectRegExp,omitempty"`
 }
 
 // ClusterImagePolicyList is a list of ClusterImagePolicy resources

diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation.go
@@ -193,14 +193,20 @@ func (p *Policy) Validate(ctx context.Context) *apis.FieldError {
 
 func (identity *Identity) Validate(ctx context.Context) *apis.FieldError {
 	var errs *apis.FieldError
-	if identity.Issuer == "" && identity.Subject == "" {
-		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject"))
+	if identity.Issuer == "" && identity.Subject == "" && identity.IssuerRegExp == "" && identity.SubjectRegExp == "" {
+		errs = errs.Also(apis.ErrMissingField("issuer", "subject", "issuerRegExp", "subjectRegExp"))
 	}
-	if identity.Issuer != "" {
-		errs = errs.Also(ValidateRegex(identity.Issuer).ViaField("issuer"))
+	if identity.Issuer != "" && identity.IssuerRegExp != "" {
+		errs = errs.Also(apis.ErrMultipleOneOf("issuer", "issuerRegExp"))
 	}
-	if identity.Subject != "" {
-		errs = errs.Also(ValidateRegex(identity.Subject).ViaField("subject"))
+	if identity.Subject != "" && identity.SubjectRegExp != "" {
+		errs = errs.Also(apis.ErrMultipleOneOf("subject", "subjectRegExp"))
+	}
+	if identity.IssuerRegExp != "" {
+		errs = errs.Also(ValidateRegex(identity.IssuerRegExp).ViaField("issuerRegExp"))
+	}
+	if identity.SubjectRegExp != "" {
+		errs = errs.Also(ValidateRegex(identity.SubjectRegExp).ViaField("subjectRegExp"))
 	}
 	return errs
 }

diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation_test.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation_test.go
@@ -646,10 +646,73 @@ func TestIdentitiesValidation(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:        "Should fail when identities fields are empty",
+			expectErr:   true,
+			errorString: "missing field(s): spec.authorities[0].keyless.identities[0].issuer, spec.authorities[0].keyless.identities[0].issuerRegExp, spec.authorities[0].keyless.identities[0].subject, spec.authorities[0].keyless.identities[0].subjectRegExp",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{
+						{
+							Glob: "globbityglob",
+						},
+					},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{
+								Identities: []Identity{{Issuer: ""}},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:        "Should fail with both issuer and issuerRegExp",
+			expectErr:   true,
+			errorString: "expected exactly one, got both: spec.authorities[0].keyless.identities[0].issuer, spec.authorities[0].keyless.identities[0].issuerRegExp",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{
+						{
+							Glob: "globbityglob",
+						},
+					},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{
+								Identities: []Identity{{Issuer: "issuer", IssuerRegExp: "issuerregexp"}},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:        "Should fail with both subject and subjectRegExp",
+			expectErr:   true,
+			errorString: "expected exactly one, got both: spec.authorities[0].keyless.identities[0].subject, spec.authorities[0].keyless.identities[0].subjectRegExp",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{
+						{
+							Glob: "globbityglob",
+						},
+					},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{
+								Identities: []Identity{{Subject: "subject", SubjectRegExp: "subjectregexp"}},
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name:        "Should fail when issuer has invalid regex",
 			expectErr:   true,
-			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].issuer\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].issuerRegExp\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
 			policy: ClusterImagePolicy{
 				Spec: ClusterImagePolicySpec{
 					Images: []ImagePattern{
@@ -660,7 +723,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Issuer: "****"}},
+								Identities: []Identity{{IssuerRegExp: "****"}},
 							},
 						},
 					},
@@ -670,7 +733,7 @@ func TestIdentitiesValidation(t *testing.T) {
 		{
 			name:        "Should fail when subject has invalid regex",
 			expectErr:   true,
-			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].subject\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].subjectRegExp\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
 			policy: ClusterImagePolicy{
 				Spec: ClusterImagePolicySpec{
 					Images: []ImagePattern{
@@ -681,7 +744,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Subject: "****"}},
+								Identities: []Identity{{SubjectRegExp: "****"}},
 							},
 						},
 					},
@@ -700,7 +763,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Subject: ".*subject.*", Issuer: ".*issuer.*"}},
+								Identities: []Identity{{SubjectRegExp: ".*subject.*", IssuerRegExp: ".*issuer.*"}},
 							},
 						},
 					},

diff --git a/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go b/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go
@@ -178,13 +178,19 @@ type ConfigMapReference struct {
 	Namespace string `json:"namespace,omitempty"`
 }
 
-// Identity may contain the issuer and/or the subject found in the transparency log.
-// Either field supports a pattern glob.
+// Identity may contain the issuer and/or the subject found in the transparency
+// log.
+// Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
+// apply a regexp for matching.
 type Identity struct {
 	// +optional
 	Issuer string `json:"issuer,omitempty"`
 	// +optional
 	Subject string `json:"subject,omitempty"`
+	// +optional
+	IssuerRegExp string `json:"issuerRegExp,omitempty"`
+	// +optional
+	SubjectRegExp string `json:"subjectRegExp,omitempty"`
 }
 
 // ClusterImagePolicyList is a list of ClusterImagePolicy resources

diff --git a/pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go b/pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go
@@ -193,14 +193,20 @@ func (p *Policy) Validate(ctx context.Context) *apis.FieldError {
 
 func (identity *Identity) Validate(ctx context.Context) *apis.FieldError {
 	var errs *apis.FieldError
-	if identity.Issuer == "" && identity.Subject == "" {
-		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject"))
+	if identity.Issuer == "" && identity.Subject == "" && identity.IssuerRegExp == "" && identity.SubjectRegExp == "" {
+		errs = errs.Also(apis.ErrMissingField("issuer", "subject", "issuerRegExp", "subjectRegExp"))
 	}
-	if identity.Issuer != "" {
-		errs = errs.Also(ValidateRegex(identity.Issuer).ViaField("issuer"))
+	if identity.Issuer != "" && identity.IssuerRegExp != "" {
+		errs = errs.Also(apis.ErrMultipleOneOf("issuer", "issuerRegExp"))
 	}
-	if identity.Subject != "" {
-		errs = errs.Also(ValidateRegex(identity.Subject).ViaField("subject"))
+	if identity.Subject != "" && identity.SubjectRegExp != "" {
+		errs = errs.Also(apis.ErrMultipleOneOf("subject", "subjectRegExp"))
+	}
+	if identity.IssuerRegExp != "" {
+		errs = errs.Also(ValidateRegex(identity.IssuerRegExp).ViaField("issuerRegExp"))
+	}
+	if identity.SubjectRegExp != "" {
+		errs = errs.Also(ValidateRegex(identity.SubjectRegExp).ViaField("subjectRegExp"))
 	}
 	return errs
 }