can't have issuer/issuerRegExp and subject/subjectRegExp

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
sigstore · Jun 6, 2022 · 6c9ee1a · 6c9ee1a
1 parent 8134505
commit 6c9ee1a
Show file tree

Hide file tree

Showing 4 changed files with 141 additions and 2 deletions.
diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation.go
@@ -194,7 +194,13 @@ func (p *Policy) Validate(ctx context.Context) *apis.FieldError {
 func (identity *Identity) Validate(ctx context.Context) *apis.FieldError {
 	var errs *apis.FieldError
 	if identity.Issuer == "" && identity.Subject == "" && identity.IssuerRegExp == "" && identity.SubjectRegExp == "" {
-		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject", "issuerRegExp", "subjectRegExp"))
+		errs = errs.Also(apis.ErrMissingField("issuer", "subject", "issuerRegExp", "subjectRegExp"))
+	}
+	if identity.Issuer != "" && identity.IssuerRegExp != "" {
+		errs = errs.Also(apis.ErrMultipleOneOf("issuer", "issuerRegExp"))
+	}
+	if identity.Subject != "" && identity.SubjectRegExp != "" {
+		errs = errs.Also(apis.ErrMultipleOneOf("subject", "subjectRegExp"))
 	}
 	if identity.IssuerRegExp != "" {
 		errs = errs.Also(ValidateRegex(identity.IssuerRegExp).ViaField("issuerRegExp"))

diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation_test.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_validation_test.go
@@ -646,6 +646,69 @@ func TestIdentitiesValidation(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:        "Should fail when identities fields are empty",
+			expectErr:   true,
+			errorString: "missing field(s): spec.authorities[0].keyless.identities[0].issuer, spec.authorities[0].keyless.identities[0].issuerRegExp, spec.authorities[0].keyless.identities[0].subject, spec.authorities[0].keyless.identities[0].subjectRegExp",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{
+						{
+							Glob: "globbityglob",
+						},
+					},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{
+								Identities: []Identity{{Issuer: ""}},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:        "Should fail with both issuer and issuerRegExp",
+			expectErr:   true,
+			errorString: "expected exactly one, got both: spec.authorities[0].keyless.identities[0].issuer, spec.authorities[0].keyless.identities[0].issuerRegExp",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{
+						{
+							Glob: "globbityglob",
+						},
+					},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{
+								Identities: []Identity{{Issuer: "issuer", IssuerRegExp: "issuerregexp"}},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:        "Should fail with both subject and subjectRegExp",
+			expectErr:   true,
+			errorString: "expected exactly one, got both: spec.authorities[0].keyless.identities[0].subject, spec.authorities[0].keyless.identities[0].subjectRegExp",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{
+						{
+							Glob: "globbityglob",
+						},
+					},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{
+								Identities: []Identity{{Subject: "subject", SubjectRegExp: "subjectregexp"}},
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name:        "Should fail when issuer has invalid regex",
 			expectErr:   true,

diff --git a/pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go b/pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go
@@ -194,7 +194,13 @@ func (p *Policy) Validate(ctx context.Context) *apis.FieldError {
 func (identity *Identity) Validate(ctx context.Context) *apis.FieldError {
 	var errs *apis.FieldError
 	if identity.Issuer == "" && identity.Subject == "" && identity.IssuerRegExp == "" && identity.SubjectRegExp == "" {
-		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject", "issuerRegExp", "subjectRegExp"))
+		errs = errs.Also(apis.ErrMissingField("issuer", "subject", "issuerRegExp", "subjectRegExp"))
+	}
+	if identity.Issuer != "" && identity.IssuerRegExp != "" {
+		errs = errs.Also(apis.ErrMultipleOneOf("issuer", "issuerRegExp"))
+	}
+	if identity.Subject != "" && identity.SubjectRegExp != "" {
+		errs = errs.Also(apis.ErrMultipleOneOf("subject", "subjectRegExp"))
 	}
 	if identity.IssuerRegExp != "" {
 		errs = errs.Also(ValidateRegex(identity.IssuerRegExp).ViaField("issuerRegExp"))

diff --git a/pkg/apis/policy/v1beta1/clusterimagepolicy_validation_test.go b/pkg/apis/policy/v1beta1/clusterimagepolicy_validation_test.go
@@ -612,6 +612,70 @@ func TestIdentitiesValidation(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:        "Should fail when identities fields are empty",
+			expectErr:   true,
+			errorString: "missing field(s): spec.authorities[0].keyless.identities[0].issuer, spec.authorities[0].keyless.identities[0].issuerRegExp, spec.authorities[0].keyless.identities[0].subject, spec.authorities[0].keyless.identities[0].subjectRegExp",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{
+						{
+							Glob: "globbityglob",
+						},
+					},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{
+								Identities: []Identity{{Issuer: ""}},
+							},
+						},
+					},
+				},
+			},
+		},
+
+		{
+			name:        "Should fail with both issuer and issuerRegExp",
+			expectErr:   true,
+			errorString: "expected exactly one, got both: spec.authorities[0].keyless.identities[0].issuer, spec.authorities[0].keyless.identities[0].issuerRegExp",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{
+						{
+							Glob: "globbityglob",
+						},
+					},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{
+								Identities: []Identity{{Issuer: "issuer", IssuerRegExp: "issuerregexp"}},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:        "Should fail with both subject and subjectRegExp",
+			expectErr:   true,
+			errorString: "expected exactly one, got both: spec.authorities[0].keyless.identities[0].subject, spec.authorities[0].keyless.identities[0].subjectRegExp",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{
+						{
+							Glob: "globbityglob",
+						},
+					},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{
+								Identities: []Identity{{Subject: "subject", SubjectRegExp: "subjectregexp"}},
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name:        "Should fail when issuer has invalid regex",
 			expectErr:   true,