Merge pull request #1725 from codysoyland/bundle-support-rebased

codysoyland · web-flow · commit c927fd627c9c · 2025-04-23T14:57:37.000-05:00
Add support for Sigstore Bundle Spec
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -56,6 +56,7 @@ import (
 	"github.com/sigstore/sigstore/pkg/tuf"
 
 	"github.com/sigstore/policy-controller/pkg/apis/config"
+	pctuf "github.com/sigstore/policy-controller/pkg/tuf"
 	cwebhook "github.com/sigstore/policy-controller/pkg/webhook"
 )
 
@@ -136,7 +137,7 @@ func main() {
 
 	// Set the policy and trust root resync periods
 	ctx = clusterimagepolicy.ToContext(ctx, *policyResyncPeriod)
-	ctx = trustroot.ToContext(ctx, *trustrootResyncPeriod)
+	ctx = pctuf.ToContext(ctx, *trustrootResyncPeriod)
 
 	// This must match the set of resources we configure in
 	// cmd/webhook/main.go in the "types" map.
diff --git a/config/300-clusterimagepolicy.yaml b/config/300-clusterimagepolicy.yaml
@@ -209,6 +209,9 @@ spec:
                           trustRootRef:
                             description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities
                             type: string
+                      signatureFormat:
+                        description: SignatureFormat specifies the format the authority expects. Supported formats are "legacy" and "bundle". If not specified, the default is "legacy" (cosign's default).
+                        type: string
                       source:
                         description: Sources sets the configuration to specify the sources from where to consume the signatures.
                         type: array
@@ -545,6 +548,9 @@ spec:
                           trustRootRef:
                             description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities
                             type: string
+                      signatureFormat:
+                        description: SignatureFormat specifies the format the authority expects. Supported formats are "legacy" and "bundle". If not specified, the default is "legacy" (cosign's default).
+                        type: string
                       source:
                         description: Sources sets the configuration to specify the sources from where to consume the signatures.
                         type: array
diff --git a/docs/api-types/index-v1alpha1.md b/docs/api-types/index-v1alpha1.md
@@ -172,6 +172,7 @@ Attestation defines the type of attestation to validate and optionally apply a p
 | ctlog | CTLog sets the configuration to verify the authority against a Rekor instance. | [TLog](#tlog) | false |
 | attestations | Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. | [][Attestation](#attestation) | false |
 | rfc3161timestamp | RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. | [RFC3161Timestamp](#rfc3161timestamp) | false |
+| signatureFormat | SignatureFormat specifies the format the authority expects. Supported formats are \"legacy\" and \"bundle\". If not specified, the default is \"legacy\" (cosign's default). | string | false |
 
 [Back to TOC](#table-of-contents)
 
diff --git a/docs/api-types/index.md b/docs/api-types/index.md
@@ -49,6 +49,7 @@ The authorities block defines the rules for discovering and validating signature
 | ctlog | CTLog sets the configuration to verify the authority against a Rekor instance. | [TLog](#tlog) | false |
 | attestations | Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. | [][Attestation](#attestation) | false |
 | rfc3161timestamp | RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. | [RFC3161Timestamp](#rfc3161timestamp) | false |
+| signatureFormat | SignatureFormat specifies the format the authority expects. Supported formats are \"legacy\" and \"bundle\". If not specified, the default is \"legacy\" (cosign's default). | string | false |
 
 [Back to TOC](#table-of-contents)
 
diff --git a/go.mod b/go.mod
@@ -64,6 +64,7 @@ require (
 	github.com/go-jose/go-jose/v4 v4.1.0
 	github.com/sigstore/protobuf-specs v0.4.1
 	github.com/sigstore/scaffolding v0.7.22
+	github.com/sigstore/sigstore-go v0.7.1
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.3
 	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.3
 	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.3
@@ -229,7 +230,6 @@ require (
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/sigstore/sigstore-go v0.7.1 // indirect
 	github.com/sigstore/timestamp-authority v1.2.5 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go
@@ -89,6 +89,7 @@ func (matchResource *MatchResource) ConvertTo(_ context.Context, sink *v1beta1.M
 
 func (authority *Authority) ConvertTo(ctx context.Context, sink *v1beta1.Authority) error {
 	sink.Name = authority.Name
+	sink.SignatureFormat = authority.SignatureFormat
 	if authority.CTLog != nil && authority.CTLog.URL != nil {
 		sink.CTLog = &v1beta1.TLog{
 			URL:          authority.CTLog.URL.DeepCopy(),
@@ -244,6 +245,7 @@ func (spec *ClusterImagePolicySpec) ConvertFrom(ctx context.Context, source *v1b
 
 func (authority *Authority) ConvertFrom(ctx context.Context, source *v1beta1.Authority) error {
 	authority.Name = source.Name
+	authority.SignatureFormat = source.SignatureFormat
 	if source.CTLog != nil && source.CTLog.URL != nil {
 		authority.CTLog = &TLog{
 			URL:          source.CTLog.URL.DeepCopy(),
diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go
@@ -144,6 +144,10 @@ type Authority struct {
 	// RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance.
 	// +optional
 	RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"`
+	// SignatureFormat specifies the format the authority expects. Supported
+	// formats are "legacy" and "bundle". If not specified, the default
+	// is "legacy" (cosign's default).
+	SignatureFormat string `json:"signatureFormat,omitempty"`
 }
 
 // This references a public verification key stored in
diff --git a/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go b/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go
@@ -143,6 +143,10 @@ type Authority struct {
 	// RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance.
 	// +optional
 	RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"`
+	// SignatureFormat specifies the format the authority expects. Supported
+	// formats are "legacy" and "bundle". If not specified, the default
+	// is "legacy" (cosign's default).
+	SignatureFormat string `json:"signatureFormat,omitempty"`
 }
 
 // This references a public verification key stored in
diff --git a/pkg/reconciler/trustroot/controller.go b/pkg/reconciler/trustroot/controller.go
@@ -16,7 +16,6 @@ package trustroot
 
 import (
 	"context"
-	"time"
 
 	"k8s.io/client-go/tools/cache"
 	kubeclient "knative.dev/pkg/client/injection/kube/client"
@@ -30,15 +29,14 @@ import (
 	"github.com/sigstore/policy-controller/pkg/apis/config"
 	trustrootinformer "github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1alpha1/trustroot"
 	trustrootreconciler "github.com/sigstore/policy-controller/pkg/client/injection/reconciler/policy/v1alpha1/trustroot"
+	"github.com/sigstore/policy-controller/pkg/tuf"
 	cminformer "knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/configmap"
 )
 
 // This is what the default finalizer name is, but make it explicit so we can
 // use it in tests as well.
 const FinalizerName = "trustroots.policy.sigstore.dev"
 
-type trustrootResyncPeriodKey struct{}
-
 // NewController creates a Reconciler and returns the result of NewImpl.
 func NewController(
 	ctx context.Context,
@@ -78,22 +76,8 @@ func NewController(
 			pkgreconciler.NamespaceFilterFunc(system.Namespace()),
 			pkgreconciler.NameFilterFunc(config.SigstoreKeysConfigName)),
 		Handler: controller.HandleAll(grCb),
-	}, FromContextOrDefaults(ctx)); err != nil {
+	}, tuf.FromContextOrDefaults(ctx)); err != nil {
 		logging.FromContext(ctx).Warnf("Failed configMapInformer AddEventHandlerWithResyncPeriod() %v", err)
 	}
 	return impl
 }
-
-func ToContext(ctx context.Context, duration time.Duration) context.Context {
-	return context.WithValue(ctx, trustrootResyncPeriodKey{}, duration)
-}
-
-// FromContextOrDefaults returns a stored trustrootResyncPeriod if attached.
-// If not found, it returns a default duration
-func FromContextOrDefaults(ctx context.Context) time.Duration {
-	x, ok := ctx.Value(trustrootResyncPeriodKey{}).(time.Duration)
-	if ok {
-		return x
-	}
-	return controller.DefaultResyncPeriod
-}
diff --git a/pkg/reconciler/trustroot/controller_test.go b/pkg/reconciler/trustroot/controller_test.go
@@ -16,10 +16,8 @@ package trustroot
 
 import (
 	"testing"
-	"time"
 
 	"knative.dev/pkg/configmap"
-	"knative.dev/pkg/controller"
 	rtesting "knative.dev/pkg/reconciler/testing"
 
 	// Fake injection informers
@@ -39,21 +37,3 @@ func TestNew(t *testing.T) {
 		t.Fatal("Expected NewController to return a non-nil value")
 	}
 }
-
-func TestContextDuration(t *testing.T) {
-	ctx, _ := rtesting.SetupFakeContext(t)
-
-	expected := controller.DefaultResyncPeriod
-	actual := FromContextOrDefaults(ctx)
-	if expected != actual {
-		t.Fatal("Expected the context to store the value and be retrievable")
-	}
-
-	expected = time.Hour
-	ctx = ToContext(ctx, expected)
-	actual = FromContextOrDefaults(ctx)
-
-	if expected != actual {
-		t.Fatal("Expected the context to store the value and be retrievable")
-	}
-}
diff --git a/pkg/tuf/context.go b/pkg/tuf/context.go
@@ -0,0 +1,41 @@
+//
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tuf
+
+import (
+	"context"
+	"time"
+
+	"knative.dev/pkg/controller"
+)
+
+type trustrootResyncPeriodKey struct{}
+
+// ToContext returns a context that includes a key trustrootResyncPeriod
+// set to the included duration
+func ToContext(ctx context.Context, duration time.Duration) context.Context {
+	return context.WithValue(ctx, trustrootResyncPeriodKey{}, duration)
+}
+
+// FromContextOrDefaults returns a stored trustrootResyncPeriod if attached.
+// If not found, it returns a default duration
+func FromContextOrDefaults(ctx context.Context) time.Duration {
+	x, ok := ctx.Value(trustrootResyncPeriodKey{}).(time.Duration)
+	if ok {
+		return x
+	}
+	return controller.DefaultResyncPeriod
+}
diff --git a/pkg/tuf/context_test.go b/pkg/tuf/context_test.go
@@ -0,0 +1,42 @@
+//
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tuf
+
+import (
+	"testing"
+	"time"
+
+	"knative.dev/pkg/controller"
+	rtesting "knative.dev/pkg/reconciler/testing"
+)
+
+func TestContextDuration(t *testing.T) {
+	ctx, _ := rtesting.SetupFakeContext(t)
+
+	expected := controller.DefaultResyncPeriod
+	actual := FromContextOrDefaults(ctx)
+	if expected != actual {
+		t.Fatal("Expected the context to store the value and be retrievable")
+	}
+
+	expected = time.Hour
+	ctx = ToContext(ctx, expected)
+	actual = FromContextOrDefaults(ctx)
+
+	if expected != actual {
+		t.Fatal("Expected the context to store the value and be retrievable")
+	}
+}
diff --git a/pkg/tuf/repo.go b/pkg/tuf/repo.go
@@ -28,9 +28,12 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
+	"sync"
 	"testing/fstest"
 	"time"
 
+	"github.com/sigstore/sigstore-go/pkg/root"
+	"github.com/sigstore/sigstore/pkg/tuf"
 	"github.com/theupdateframework/go-tuf/client"
 	"sigs.k8s.io/release-utils/version"
 )
@@ -294,3 +297,44 @@ func ClientFromRemote(_ context.Context, mirror string, rootJSON []byte, targets
 	}
 	return tufClient, nil
 }
+
+var (
+	mu          sync.RWMutex
+	timestamp   time.Time
+	trustedRoot *root.TrustedRoot
+)
+
+// GetTrustedRoot returns the trusted root for the TUF repository.
+func GetTrustedRoot(ctx context.Context) (*root.TrustedRoot, error) {
+	resyncPeriodDuration := FromContextOrDefaults(ctx)
+	now := time.Now().UTC()
+	// check if timestamp has never been set or if the current time
+	// is after the current timestamp value plus the included resync duration
+	if timestamp.IsZero() || now.After(timestamp.Add(resyncPeriodDuration)) {
+		mu.Lock()
+		defer mu.Unlock()
+
+		tufClient, err := tuf.NewFromEnv(context.Background())
+		if err != nil {
+			return nil, fmt.Errorf("initializing tuf: %w", err)
+		}
+		// TODO: add support for custom trusted root path
+		targetBytes, err := tufClient.GetTarget("trusted_root.json")
+		if err != nil {
+			return nil, fmt.Errorf("error getting targets: %w", err)
+		}
+		trustedRoot, err = root.NewTrustedRootFromJSON(targetBytes)
+		if err != nil {
+			return nil, fmt.Errorf("error creating trusted root: %w", err)
+		}
+
+		timestamp = now
+
+		return trustedRoot, nil
+	}
+
+	mu.RLock()
+	defer mu.RUnlock()
+
+	return trustedRoot, nil
+}
diff --git a/pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go b/pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go
@@ -86,6 +86,8 @@ type Authority struct {
 	Attestations []AttestationPolicy `json:"attestations,omitempty"`
 	// +optional
 	RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"`
+	// +optional
+	SignatureFormat string `json:"signatureFormat,omitempty"`
 }
 
 // This references a public verification key stored in
@@ -325,6 +327,7 @@ func convertAuthorityV1Alpha1ToWebhook(in v1alpha1.Authority) *Authority {
 		CTLog:            in.CTLog,
 		RFC3161Timestamp: rfc3161Timestamp,
 		Attestations:     attestations,
+		SignatureFormat:  in.SignatureFormat,
 	}
 }
 
diff --git a/pkg/webhook/validator.go b/pkg/webhook/validator.go
diff --git a/pkg/webhook/validator_test.go b/pkg/webhook/validator_test.go
