Added `x509_decode` JMESPath function #4664

zeborg · 2022-09-21T11:22:58Z

Signed-off-by: Abhinav Sinha abhinav@nirmata.com

Explanation

Added a new JMESPath function to decode X.509 certificates. The certificate may be passed to the function in any of the following ways:

Base64 Encoded (using `base64_decode` JMESPath function)

base64_decode('LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM3VENDQWRXZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFZTVJZd0ZBWURWUVFEREEwcUxtdDUKZG1WeWJtOHVjM1pqTUI0WERUSXlNREV4TVRFek1qWTBNMW9YRFRJek1ERXhNVEUwTWpZME0xb3dHREVXTUJRRwpBMVVFQXd3TktpNXJlWFpsY201dkxuTjJZekNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DCmdnRUJBTXNBejg1K3lpbm8rTW1kS3NWdEh3Tmkzb0FWanVtelhIaUxmVUpLN3hpNUtVOEI3Z29QSEYvVkNlL1YKN1kyYzRhZnlmZ1kyZVB3NEx4U0RrQ1lOZ1l3cWpTd0dJYmNzcXY1WlJhekJkRHhSMDlyaTZQa25OeUJWR0xpNQpSbFBYSXJHUTNwc051ZjU1cXd4SnhMTzMxcUNadXZrdEtZNVl2dUlSNEpQbUJodVNGWE9ubjBaaVF3OHV4TWNRCjBRQTJseitQeFdDVk5rOXErMzFINURIMW9ZWkRMZlUzbWlqSU9BK0FKR1piQmIrWndCbXBWTDArMlRYTHhFNzQKV293ZEtFVitXVHNLb2pOVGQwVndjdVJLUktSLzZ5blhBQWlzMjF5MVg3VWk5RkpFNm1ESXlsVUQ0MFdYT0tHSgoxbFlZNDFrUm5ZaFZodlhZTjlKdE5ZZFkzSHNDQXdFQUFhTkNNRUF3RGdZRFZSMFBBUUgvQkFRREFnS2tNQThHCkExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk9ubEFTVkQ5ZnUzVEFqcHRsVy9nQVhBNHFsK01BMEcKQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNJcHlSaUNoeHA5N2NyS2ZRMjRKdDd6OFArQUdwTGYzc1g0ZUw4N0VTYQo3UVJvVkp0WExtYXV0MXBVRW9ZTFFydUttaC8wWUZ0Wkc5V3hWZ1k2aXVLYldudTdiT2VNQi9JcitWL3lyWDNSCitYdlpPc3VYaUpuRWJKaUJXNmxKekxsZG9XNGYvNzFIK2oxV0Q0dEhwcW1kTXhxL3NMcVhmUEl1YzAvbTB5RkMKbitBREJXR0dCOE5uNjZ2eHR2K2NUNnArUklWb3RYUFFXYk1pbFdwNnBkNXdTdUI2OEZxckR3dFlMTkp0UHdGcwo5TVBWa3VhSmRZWjBlV2Qvck1jS0Q5NEhnZjg5Z3ZBMCtxek1WRmYrM0JlbVhza2pRUll5NkNLc3FveUM2alg0Cm5oWWp1bUFQLzdwc2J6SVRzbnBIdGZDRUVVKzJKWndnTTQwNmFpTWNzZ0xiCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K')

Single-line String (newlines represented by `\n`)

"-----BEGIN CERTIFICATE-----\nMIIC7TCCAdWgAwIBAgIBADANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA0qLmt5\ndmVybm8uc3ZjMB4XDTIyMDExMTEzMjY0M1oXDTIzMDExMTE0MjY0M1owGDEWMBQG\nA1UEAwwNKi5reXZlcm5vLnN2YzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBAMsAz85+yino+MmdKsVtHwNi3oAVjumzXHiLfUJK7xi5KU8B7goPHF/VCe/V\n7Y2c4afyfgY2ePw4LxSDkCYNgYwqjSwGIbcsqv5ZRazBdDxR09ri6PknNyBVGLi5\nRlPXIrGQ3psNuf55qwxJxLO31qCZuvktKY5YvuIR4JPmBhuSFXOnn0ZiQw8uxMcQ\n0QA2lz+PxWCVNk9q+31H5DH1oYZDLfU3mijIOA+AJGZbBb+ZwBmpVL0+2TXLxE74\nWowdKEV+WTsKojNTd0VwcuRKRKR/6ynXAAis21y1X7Ui9FJE6mDIylUD40WXOKGJ\n1lYY41kRnYhVhvXYN9JtNYdY3HsCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMA8G\nA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOnlASVD9fu3TAjptlW/gAXA4ql+MA0G\nCSqGSIb3DQEBCwUAA4IBAQCIpyRiChxp97crKfQ24Jt7z8P+AGpLf3sX4eL87ESa\n7QRoVJtXLmaut1pUEoYLQruKmh/0YFtZG9WxVgY6iuKbWnu7bOeMB/Ir+V/yrX3R\n+XvZOsuXiJnEbJiBW6lJzLldoW4f/71H+j1WD4tHpqmdMxq/sLqXfPIuc0/m0yFC\nn+ADBWGGB8Nn66vxtv+cT6p+RIVotXPQWbMilWp6pd5wSuB68FqrDwtYLNJtPwFs\n9MPVkuaJdYZ0eWd/rMcKD94Hgf89gvA0+qzMVFf+3BemXskjQRYy6CKsqoyC6jX4\nnhYjumAP/7psbzITsnpHtfCEEU+2JZwgM406aiMcsgLb\n-----END CERTIFICATE-----"

Multi-line String

`-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIUWxmj40l+TDVJq98Xy7c6Leo3np8wDQYJKoZIhvcNAQEL
BQAwPTELMAkGA1UEBhMCeHgxCjAIBgNVBAgTAXgxCjAIBgNVBAcTAXgxCjAIBgNV
BAoTAXgxCjAIBgNVBAsTAXgwHhcNMTgwMjAyMTIzODAwWhcNMjMwMjAxMTIzODAw
WjA9MQswCQYDVQQGEwJ4eDEKMAgGA1UECBMBeDEKMAgGA1UEBxMBeDEKMAgGA1UE
ChMBeDEKMAgGA1UECxMBeDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANHkqOmVf23KMXdaZU2eFUx1h4wb09JINBB8x/HL7UE0KFJcnOoVnNQB0gRukUop
iYCzrzMFyGWWmB/pAEKool+ZiI2uMy6mcYBDtOi4pOm7U0TQQMV6L/5Yfi65xRz3
RTMd/tYAoFi4aCZbJAGjxU6UWNYDzTy8E/cP6ZnlNbVHRiA6/wHsoWcXtWTXYP5y
n9cf7EWQi1hOBM4BWmOIyB1f6LEgQipZWMOMPPHO3hsuSBn0rk7jovSt5XTlbgRr
txqAJiNjJUykWzIF+lLnZCioippGv5vkdGvE83JoACXvZTUwzA+MLu49fkw3bweq
kbhrer8kacjfGlw3aJN37eECAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1Ud
EwEB/wQFMAMBAf8wHQYDVR0OBBYEFKXcb52bv6oqnD+D9fTNFHZL8IWxMA0GCSqG
SIb3DQEBCwUAA4IBAQADvKvv3ym0XAYwKxPLLl3Lc6sJYHDbTN0donduG7PXeb1d
huukJ2lfufUYp2IGSAxuLecTYeeByOVp1gaMb5LsIGt2BVDmlMMkiH29LUHsvbyi
85CpJo7A5RJG6AWW2VBCiDjz5v8JFM6pMkBRFfXH+pwIge65CE+MTSQcfb1/aIIo
Q226P7E/3uUGX4k4pDXG/O7GNvykF40v1DB5y7DDBTQ4JWiJfyGkT69TmdOGLFAm
jwxUjWyvEey4qJex/EGEm5RQcMv9iy7tba1wK7sykNGn5uDELGPGIIEAa5rIHm1F
UFOZZVoELaasWS559wy8og39Eq21dDMynb8Bndn/
-----END CERTIFICATE-----
`

Related issue

Closes #4146

Milestone of this PR

What type of PR is this

/kind enhancement

Proposed Changes

Proof Manifests

ClusterPolicy

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test-x509-decode
spec:
  validationFailureAction: enforce
  rules:
  - name: test-x509-decode
    match:
      any:
      - resources:
          kinds:
          - ConfigMap
    validate:
      message: "public key modulus mismatch: \"{{ x509_decode('{{request.object.data.cert}}').PublicKey.N }}\" != \"{{ x509_decode('{{base64_decode('{{request.object.data.certB64}}')}}').PublicKey.N }}\""
      deny:
        conditions:
          any:
            - key: "{{ x509_decode('{{request.object.data.cert}}').PublicKey.N }}"
              operator: NotEquals
              value: "{{ x509_decode('{{base64_decode('{{request.object.data.certB64}}')}}').PublicKey.N }}"

Resource

apiVersion: v1
kind: ConfigMap
metadata:
  name: test-configmap
  namespace: default
data:
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIDSjCCAjKgAwIBAgIUWxmj40l+TDVJq98Xy7c6Leo3np8wDQYJKoZIhvcNAQEL
    BQAwPTELMAkGA1UEBhMCeHgxCjAIBgNVBAgTAXgxCjAIBgNVBAcTAXgxCjAIBgNV
    BAoTAXgxCjAIBgNVBAsTAXgwHhcNMTgwMjAyMTIzODAwWhcNMjMwMjAxMTIzODAw
    WjA9MQswCQYDVQQGEwJ4eDEKMAgGA1UECBMBeDEKMAgGA1UEBxMBeDEKMAgGA1UE
    ChMBeDEKMAgGA1UECxMBeDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    ANHkqOmVf23KMXdaZU2eFUx1h4wb09JINBB8x/HL7UE0KFJcnOoVnNQB0gRukUop
    iYCzrzMFyGWWmB/pAEKool+ZiI2uMy6mcYBDtOi4pOm7U0TQQMV6L/5Yfi65xRz3
    RTMd/tYAoFi4aCZbJAGjxU6UWNYDzTy8E/cP6ZnlNbVHRiA6/wHsoWcXtWTXYP5y
    n9cf7EWQi1hOBM4BWmOIyB1f6LEgQipZWMOMPPHO3hsuSBn0rk7jovSt5XTlbgRr
    txqAJiNjJUykWzIF+lLnZCioippGv5vkdGvE83JoACXvZTUwzA+MLu49fkw3bweq
    kbhrer8kacjfGlw3aJN37eECAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1Ud
    EwEB/wQFMAMBAf8wHQYDVR0OBBYEFKXcb52bv6oqnD+D9fTNFHZL8IWxMA0GCSqG
    SIb3DQEBCwUAA4IBAQADvKvv3ym0XAYwKxPLLl3Lc6sJYHDbTN0donduG7PXeb1d
    huukJ2lfufUYp2IGSAxuLecTYeeByOVp1gaMb5LsIGt2BVDmlMMkiH29LUHsvbyi
    85CpJo7A5RJG6AWW2VBCiDjz5v8JFM6pMkBRFfXH+pwIge65CE+MTSQcfb1/aIIo
    Q226P7E/3uUGX4k4pDXG/O7GNvykF40v1DB5y7DDBTQ4JWiJfyGkT69TmdOGLFAm
    jwxUjWyvEey4qJex/EGEm5RQcMv9iy7tba1wK7sykNGn5uDELGPGIIEAa5rIHm1F
    UFOZZVoELaasWS559wy8og39Eq21dDMynb8Bndn/
    -----END CERTIFICATE-----
  certB64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM3VENDQWRXZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFZTVJZd0ZBWURWUVFEREEwcUxtdDUKZG1WeWJtOHVjM1pqTUI0WERUSXlNREV4TVRFek1qWTBNMW9YRFRJek1ERXhNVEUwTWpZME0xb3dHREVXTUJRRwpBMVVFQXd3TktpNXJlWFpsY201dkxuTjJZekNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DCmdnRUJBTXNBejg1K3lpbm8rTW1kS3NWdEh3Tmkzb0FWanVtelhIaUxmVUpLN3hpNUtVOEI3Z29QSEYvVkNlL1YKN1kyYzRhZnlmZ1kyZVB3NEx4U0RrQ1lOZ1l3cWpTd0dJYmNzcXY1WlJhekJkRHhSMDlyaTZQa25OeUJWR0xpNQpSbFBYSXJHUTNwc051ZjU1cXd4SnhMTzMxcUNadXZrdEtZNVl2dUlSNEpQbUJodVNGWE9ubjBaaVF3OHV4TWNRCjBRQTJseitQeFdDVk5rOXErMzFINURIMW9ZWkRMZlUzbWlqSU9BK0FKR1piQmIrWndCbXBWTDArMlRYTHhFNzQKV293ZEtFVitXVHNLb2pOVGQwVndjdVJLUktSLzZ5blhBQWlzMjF5MVg3VWk5RkpFNm1ESXlsVUQ0MFdYT0tHSgoxbFlZNDFrUm5ZaFZodlhZTjlKdE5ZZFkzSHNDQXdFQUFhTkNNRUF3RGdZRFZSMFBBUUgvQkFRREFnS2tNQThHCkExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk9ubEFTVkQ5ZnUzVEFqcHRsVy9nQVhBNHFsK01BMEcKQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNJcHlSaUNoeHA5N2NyS2ZRMjRKdDd6OFArQUdwTGYzc1g0ZUw4N0VTYQo3UVJvVkp0WExtYXV0MXBVRW9ZTFFydUttaC8wWUZ0Wkc5V3hWZ1k2aXVLYldudTdiT2VNQi9JcitWL3lyWDNSCitYdlpPc3VYaUpuRWJKaUJXNmxKekxsZG9XNGYvNzFIK2oxV0Q0dEhwcW1kTXhxL3NMcVhmUEl1YzAvbTB5RkMKbitBREJXR0dCOE5uNjZ2eHR2K2NUNnArUklWb3RYUFFXYk1pbFdwNnBkNXdTdUI2OEZxckR3dFlMTkp0UHdGcwo5TVBWa3VhSmRZWjBlV2Qvck1jS0Q5NEhnZjg5Z3ZBMCtxek1WRmYrM0JlbVhza2pRUll5NkNLc3FveUM2alg0Cm5oWWp1bUFQLzdwc2J6SVRzbnBIdGZDRUVVKzJKWndnTTQwNmFpTWNzZ0xiCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K

Output

Checklist

I have read the contributing guidelines.
I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
This is a bug fix and I have added unit tests that prove my fix is effective.
This is a feature and I have added CLI tests that are applicable.
My PR needs to be cherry picked to a specific release branch which is .
My PR contains new or altered behavior to Kyverno and
- CLI support should be added and my PR doesn't contain that functionality.
- I have added or changed the documentation myself in an existing PR and the link is:
- I have raised an issue in kyverno/website to track the documentation update and the link is:

Further Comments

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

codecov · 2022-09-21T11:30:28Z

Codecov Report

Merging #4664 (f4890c3) into main (38c2529) will increase coverage by 0.07%.
The diff coverage is 57.89%.

@@            Coverage Diff             @@
##             main    #4664      +/-   ##
==========================================
+ Coverage   33.54%   33.61%   +0.07%     
==========================================
  Files         159      159              
  Lines       18890    18947      +57     
==========================================
+ Hits         6336     6369      +33     
- Misses      11807    11823      +16     
- Partials      747      755       +8

Impacted Files	Coverage Δ
test/e2e/validate/resources.go	`0.00% <ø> (ø)`
pkg/engine/jmespath/functions.go	`72.55% <57.89%> (-1.12%)`	⬇️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

go.mod

chipzoller · 2022-09-21T11:54:57Z

Nice work on this, Abhinav. In your Proof Manifests section, would you please show an example of this filter in context of a policy and/or show the filter working on a PEM-encoded certificate and the output displayed as a JSON document?

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

zeborg · 2022-09-21T12:19:26Z

Thanks @chipzoller! I'll work on adding one to the PR description.

go.mod

pkg/engine/jmespath/functions.go

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

sonatype-lift · 2022-09-21T13:52:34Z

pkg/engine/jmespath/functions.go

+		return res, errors.WithStack(err)
+	}
+
+	json.Unmarshal(buf.Bytes(), &res)


G104: Errors unhandled.

ℹ️ Learn about @sonatype-lift commands

You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.

Command Usage

@sonatype-lift ignore Leave out the above finding from this PR

@sonatype-lift ignoreall Leave out all the existing findings from this PR

@sonatype-lift exclude <file|issue|path|tool> Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file

Note: When talking to LiftBot, you need to refresh the page to see its response.
_{Click here to add LiftBot to another repo.}

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

api/kyverno/v1/utils.go

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

sambhav

@zeborg can we please add some CLI tests for this function? You should be able to move the proof manifests to the CLI test folder and use them directly.

pkg/engine/jmespath/functions_test.go

pkg/engine/jmespath/functions.go

go.mod

sambhav · 2022-09-25T18:17:06Z

@zeborg I'm still unsure about using smallstep/zcrypto and I would prefer kyverno did not depend on it. The library is a fork of zmap/zcrypto and seems to be unmaintained and had its last commit in 2021.

ZCrypto is a research library, designed to be used for data collection and analysis, as well as experimenting and prototyping. It should not be used to provide security for production systems.

Both the libraries have large warnings on their Readme pointing that they are experimental and meant for research purposes and should not be used in production systems. Since cryptography is an essential part of production security, most production systems prefer to depend on the go standard library instead, because of maintenance and bug fix guarantees and also simply because it is battle tested.

As for the issue with number vs float, you can create a type alias for the certificate type and declare a MarshalJSON just for that struct to appropriately serialize it without affecting rest of Kyverno serialization. An example can be found at https://stackoverflow.com/a/52447111/5458985.

pkg/engine/jmespath/functions.go

realshuting · 2022-09-28T09:40:06Z

@zeborg - any updates? We are trying to close 1.8.0, will you be able to address the comments?

zeborg · 2022-09-28T13:34:06Z

@realshuting - Yes, I have implemented a solution for this and will be discussing a few concerns of mine during today's Kyverno office hours.

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

realshuting

Thanks @zeborg !

realshuting · 2022-09-28T18:00:50Z

/cherry-pick release-1.8

* Added `x509_decode` JMESPath function Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Use `crypto/x509` stdlib Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Return result as `map[string]interface{}` Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Made minor fixes Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Fixed error with unmarshalling decoded certificate Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Added e2e test for decoding X.509 certs Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Reverted to using `smallstep/zcrypto` for X.509 Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Minor fix Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Addressed reviews Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Removed redundant dependency on `pkg/errors` Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>

* Added `x509_decode` JMESPath function Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Use `crypto/x509` stdlib Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Return result as `map[string]interface{}` Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Made minor fixes Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Fixed error with unmarshalling decoded certificate Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Added e2e test for decoding X.509 certs Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Reverted to using `smallstep/zcrypto` for X.509 Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Minor fix Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Addressed reviews Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Removed redundant dependency on `pkg/errors` Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Co-authored-by: Abhinav Sinha <37282098+zeborg@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>

* Added `x509_decode` JMESPath function Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Use `crypto/x509` stdlib Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Return result as `map[string]interface{}` Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Made minor fixes Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Fixed error with unmarshalling decoded certificate Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Added e2e test for decoding X.509 certs Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Reverted to using `smallstep/zcrypto` for X.509 Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Minor fix Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Addressed reviews Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Removed redundant dependency on `pkg/errors` Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>

Added x509_decode JMESPath function

0875016

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

zeborg requested a review from prateekpandey14 as a code owner September 21, 2022 11:22

zeborg requested review from sambhav and chipzoller September 21, 2022 11:23

sambhav reviewed Sep 21, 2022

View reviewed changes

go.mod Outdated Show resolved Hide resolved

Use crypto/x509 stdlib

3f6a4ed

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

sambhav reviewed Sep 21, 2022

View reviewed changes

go.mod Outdated Show resolved Hide resolved

pkg/engine/jmespath/functions.go Outdated Show resolved Hide resolved

Return result as map[string]interface{}

7c90327

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

sonatype-lift bot reviewed Sep 21, 2022

View reviewed changes

Made minor fixes

f99186f

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

zeborg requested a review from sambhav September 21, 2022 14:24

realshuting added the milestone 1.8.0 label Sep 21, 2022

abhinav-nirmata added 2 commits September 23, 2022 01:20

Fixed error with unmarshalling decoded certificate

b25fa58

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

Added e2e test for decoding X.509 certs

8c8fd5f

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

zeborg requested review from eddycharly and vyankyGH as code owners September 22, 2022 20:34

zeborg commented Sep 22, 2022

View reviewed changes

api/kyverno/v1/utils.go Outdated Show resolved Hide resolved

abhinav-nirmata added 2 commits September 23, 2022 05:26

Reverted to using smallstep/zcrypto for X.509

268a93f

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

Minor fix

f53c77d

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

zeborg force-pushed the jmespath-x509_decode branch from 3696935 to f53c77d Compare September 23, 2022 00:36

Merge branch 'main' into jmespath-x509_decode

479034e

sambhav reviewed Sep 25, 2022

View reviewed changes

pkg/engine/jmespath/functions_test.go Outdated Show resolved Hide resolved

pkg/engine/jmespath/functions.go Outdated Show resolved Hide resolved

go.mod Outdated Show resolved Hide resolved

sambhav reviewed Sep 25, 2022

View reviewed changes

pkg/engine/jmespath/functions.go Outdated Show resolved Hide resolved

Addressed reviews

a39a8b5

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

zeborg requested a review from sambhav September 28, 2022 16:44

abhinav-nirmata and others added 2 commits September 28, 2022 22:30

Removed redundant dependency on pkg/errors

e065ff4

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

Merge branch 'main' into jmespath-x509_decode

f4890c3

realshuting approved these changes Sep 28, 2022

View reviewed changes

realshuting enabled auto-merge (squash) September 28, 2022 18:00

realshuting merged commit a118285 into kyverno:main Sep 28, 2022

gcp-cherry-pick-bot bot mentioned this pull request Sep 28, 2022

Added x509_decode JMESPath function (cherry-pick #4664) #4737

Merged

zeborg mentioned this pull request Sep 28, 2022

[Enhancement] Add documentation for x509_decode JMESPath function kyverno/website#630

Closed

zeborg mentioned this pull request Sep 29, 2022

[Feature] Allow verifying subject/SAN when using certificates in verifyImage #4689

Closed

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added `x509_decode` JMESPath function #4664

Added `x509_decode` JMESPath function #4664

Command	Usage
`@sonatype-lift ignore`	Leave out the above finding from this PR
`@sonatype-lift ignoreall`	Leave out all the existing findings from this PR
`@sonatype-lift exclude <file\|issue\|path\|tool>`	Exclude specified `file\|issue\|path\|tool` from Lift findings by updating your config.toml file

Added x509_decode JMESPath function #4664

Added x509_decode JMESPath function #4664

Conversation

Explanation

Base64 Encoded (using base64_decode JMESPath function)

Single-line String (newlines represented by \n)

Multi-line String

Related issue

Milestone of this PR

What type of PR is this

Proposed Changes

Proof Manifests

ClusterPolicy

Resource

Output

Checklist

Further Comments

Codecov Report

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Added `x509_decode` JMESPath function #4664

Added `x509_decode` JMESPath function #4664

Base64 Encoded (using `base64_decode` JMESPath function)

Single-line String (newlines represented by `\n`)