Make public all types required to use ValidatePolicy (sigstore#1727)
Signed-off-by: Josh Dolitsky <josh@dolit.ski>
jdolitsky authored and mlieberman85 committed May 6, 2022
1 parent 79aa03b commit 855aac7
Showing 7 changed files with 33 additions and 33 deletions.
12 changes: 6 additions & 6 deletions pkg/apis/config/image_policies.go
Expand Up @@ -21,7 +21,7 @@ import (
"fmt"
"regexp"

internalcip "github.com/sigstore/cosign/internal/pkg/apis/cosigned"
webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
corev1 "k8s.io/api/core/v1"
"sigs.k8s.io/yaml"
)
Expand All @@ -35,13 +35,13 @@ const (
type ImagePolicyConfig struct {
// This is the list of ImagePolicies that a admission controller uses
// to make policy decisions.
Policies map[string]internalcip.ClusterImagePolicy
Policies map[string]webhookcip.ClusterImagePolicy
}

// NewImagePoliciesConfigFromMap creates an ImagePolicyConfig from the supplied
// Map
func NewImagePoliciesConfigFromMap(data map[string]string) (*ImagePolicyConfig, error) {
ret := &ImagePolicyConfig{Policies: make(map[string]internalcip.ClusterImagePolicy, len(data))}
ret := &ImagePolicyConfig{Policies: make(map[string]webhookcip.ClusterImagePolicy, len(data))}
// Spin through the ConfigMap. Each key will point to resolved
// ImagePatterns.
for k, v := range data {
Expand All @@ -52,7 +52,7 @@ func NewImagePoliciesConfigFromMap(data map[string]string) (*ImagePolicyConfig,
if v == "" {
return nil, fmt.Errorf("configmap has an entry %q but no value", k)
}
clusterImagePolicy := &internalcip.ClusterImagePolicy{}
clusterImagePolicy := &webhookcip.ClusterImagePolicy{}

if err := parseEntry(v, clusterImagePolicy); err != nil {
return nil, fmt.Errorf("failed to parse the entry %q : %q : %w", k, v, err)
Expand All @@ -79,13 +79,13 @@ func parseEntry(entry string, out interface{}) error {
// need to be matched for the given Image.
// Returned map contains the name of the CIP as the key, and an array of
// authorities from that Policy that must be validated against.
func (p *ImagePolicyConfig) GetMatchingPolicies(image string) (map[string][]internalcip.Authority, error) {
func (p *ImagePolicyConfig) GetMatchingPolicies(image string) (map[string][]webhookcip.Authority, error) {
if p == nil {
return nil, errors.New("config is nil")
}

var lastError error
ret := map[string][]internalcip.Authority{}
ret := map[string][]webhookcip.Authority{}

// TODO(vaikas): this is very inefficient, we should have a better
// way to go from image to Authorities, but just seeing if this is even
4 changes: 2 additions & 2 deletions pkg/apis/config/image_policies_test.go
Expand Up @@ -21,7 +21,7 @@ import (
"strings"
"testing"

internalcip "github.com/sigstore/cosign/internal/pkg/apis/cosigned"
webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
. "knative.dev/pkg/configmap/testing"
_ "knative.dev/pkg/system/testing"
)
Expand Down Expand Up @@ -127,7 +127,7 @@ func TestGetAuthorities(t *testing.T) {
}
}

func checkGetMatches(t *testing.T, c map[string][]internalcip.Authority, err error) {
func checkGetMatches(t *testing.T, c map[string][]webhookcip.Authority, err error) {
t.Helper()
if err != nil {
t.Error("GetMatches Failed =", err)
6 changes: 3 additions & 3 deletions pkg/cosign/kubernetes/webhook/validator.go
Expand Up @@ -25,8 +25,8 @@ import (
"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/pkg/errors"
internalcip "github.com/sigstore/cosign/internal/pkg/apis/cosigned"
"github.com/sigstore/cosign/pkg/apis/config"
webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
"github.com/sigstore/cosign/pkg/oci"
ociremote "github.com/sigstore/cosign/pkg/oci/remote"
"github.com/sigstore/fulcio/pkg/api"
Expand Down Expand Up @@ -227,7 +227,7 @@ func (v *Validator) validatePodSpec(ctx context.Context, ps *corev1.PodSpec, opt
// Note that if an image does not match any policies, it's perfectly
// reasonable that the return value is 0, nil since there were no errors, but
// the image was not validated against any matching policy and hence authority.
func validatePolicies(ctx context.Context, ref name.Reference, kc authn.Keychain, policies map[string][]internalcip.Authority, remoteOpts ...ociremote.Option) (map[string][]oci.Signature, map[string][]error) {
func validatePolicies(ctx context.Context, ref name.Reference, kc authn.Keychain, policies map[string][]webhookcip.Authority, remoteOpts ...ociremote.Option) (map[string][]oci.Signature, map[string][]error) {
// Gather all validated signatures here.
signatures := map[string][]oci.Signature{}
// For a policy that does not pass at least one authority, gather errors
Expand Down Expand Up @@ -256,7 +256,7 @@ func validatePolicies(ctx context.Context, ref name.Reference, kc authn.Keychain
// ValidatePolicy will go through all the Authorities for a given image and
// return a success if at least one of the Authorities validated the signatures.
// Returns the validated signatures, or the errors encountered.
func ValidatePolicy(ctx context.Context, ref name.Reference, kc authn.Keychain, authorities []internalcip.Authority, remoteOpts ...ociremote.Option) ([]oci.Signature, []error) {
func ValidatePolicy(ctx context.Context, ref name.Reference, kc authn.Keychain, authorities []webhookcip.Authority, remoteOpts ...ociremote.Option) ([]oci.Signature, []error) {
// If none of the Authorities for a given policy pass the checks, gather
// the errors here. If one passes, do not return the errors.
authorityErrors := []error{}
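Review bot: ValidatePolicy is the entry point this commit opens to callers outside the module (its `authorities` parameter now uses the exported `webhookcip.Authority`), but the doc comment above it does not say what the caller gets when the slice is empty or when no authority passes. From `authorityErrors := []error{}` it looks like an empty `authorities` slice yields no signatures and no errors — the rest of the body is outside the hunk, so please confirm — and an external caller that only checks the error slice would read that as a pass. Suggest extending the comment with `// If authorities is empty, no signatures and no errors are returned; callers must treat an empty signature list as "not validated", never as success.` The same (0, nil) caveat is already spelled out for the unexported validatePolicies earlier in this file and belongs on the exported function too.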
20 changes: 10 additions & 10 deletions pkg/cosign/kubernetes/webhook/validator_test.go
Expand Up @@ -30,10 +30,10 @@ import (
"github.com/google/go-cmp/cmp"
"github.com/google/go-containerregistry/pkg/authn/k8schain"
"github.com/google/go-containerregistry/pkg/name"
internalcip "github.com/sigstore/cosign/internal/pkg/apis/cosigned"
"github.com/sigstore/cosign/pkg/apis/config"
"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
"github.com/sigstore/cosign/pkg/cosign"
webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
"github.com/sigstore/cosign/pkg/oci"
"github.com/sigstore/cosign/pkg/oci/remote"
"github.com/sigstore/cosign/pkg/oci/static"
Expand Down Expand Up @@ -231,14 +231,14 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
customContext: config.ToContext(context.Background(),
&config.Config{
ImagePolicyConfig: &config.ImagePolicyConfig{
Policies: map[string]internalcip.ClusterImagePolicy{
Policies: map[string]webhookcip.ClusterImagePolicy{
"cluster-image-policy": {
Images: []v1alpha1.ImagePattern{{
Regex: ".*",
}},
Authorities: []internalcip.Authority{
Authorities: []webhookcip.Authority{
{
Key: &internalcip.KeyRef{
Key: &webhookcip.KeyRef{
Data: authorityKeyCosignPubString,
PublicKeys: []*ecdsa.PublicKey{authorityKeyCosignPub},
},
Expand All @@ -265,12 +265,12 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
customContext: config.ToContext(context.Background(),
&config.Config{
ImagePolicyConfig: &config.ImagePolicyConfig{
Policies: map[string]internalcip.ClusterImagePolicy{
Policies: map[string]webhookcip.ClusterImagePolicy{
"cluster-image-policy-keyless": {
Images: []v1alpha1.ImagePattern{{
Regex: ".*",
}},
Authorities: []internalcip.Authority{
Authorities: []webhookcip.Authority{
{
Keyless: &v1alpha1.KeylessRef{
URL: badURL,
Expand Down Expand Up @@ -308,12 +308,12 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
customContext: config.ToContext(context.Background(),
&config.Config{
ImagePolicyConfig: &config.ImagePolicyConfig{
Policies: map[string]internalcip.ClusterImagePolicy{
Policies: map[string]webhookcip.ClusterImagePolicy{
"cluster-image-policy-keyless": {
Images: []v1alpha1.ImagePattern{{
Regex: ".*",
}},
Authorities: []internalcip.Authority{
Authorities: []webhookcip.Authority{
{
Keyless: &v1alpha1.KeylessRef{
URL: fulcioURL,
Expand Down Expand Up @@ -351,12 +351,12 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
customContext: config.ToContext(context.Background(),
&config.Config{
ImagePolicyConfig: &config.ImagePolicyConfig{
Policies: map[string]internalcip.ClusterImagePolicy{
Policies: map[string]webhookcip.ClusterImagePolicy{
"cluster-image-policy-keyless": {
Images: []v1alpha1.ImagePattern{{
Regex: ".*",
}},
Authorities: []internalcip.Authority{
Authorities: []webhookcip.Authority{
{
Keyless: &v1alpha1.KeylessRef{
URL: fulcioURL,
16 changes: 8 additions & 8 deletions pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go
Expand Up @@ -24,11 +24,11 @@ import (
"fmt"
"strings"

internalcip "github.com/sigstore/cosign/internal/pkg/apis/cosigned"
"github.com/sigstore/cosign/pkg/apis/config"
"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
"github.com/sigstore/cosign/pkg/apis/utils"
clusterimagepolicyreconciler "github.com/sigstore/cosign/pkg/client/injection/reconciler/cosigned/v1alpha1/clusterimagepolicy"
webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
"github.com/sigstore/cosign/pkg/reconciler/clusterimagepolicy/resources"
corev1 "k8s.io/api/core/v1"
apierrs "k8s.io/apimachinery/pkg/api/errors"
Expand Down Expand Up @@ -79,18 +79,18 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, cip *v1alpha1.ClusterIma
return cipErr
}

// Converting external CIP to internal CIP
// Converting external CIP to webhook CIP
bytes, err := json.Marshal(&cipCopy.Spec)
if err != nil {
return err
}

var internalCIP *internalcip.ClusterImagePolicy
if err := json.Unmarshal(bytes, &internalCIP); err != nil {
var webhookCIP *webhookcip.ClusterImagePolicy
if err := json.Unmarshal(bytes, &webhookCIP); err != nil {
return err
}

internalCIP, cipErr = r.convertKeyData(ctx, internalCIP)
webhookCIP, cipErr = r.convertKeyData(ctx, webhookCIP)
if cipErr != nil {
r.handleCIPError(ctx, cip.Name)
// Note that we return the error about the Invalid cip here to make
Expand All @@ -106,7 +106,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, cip *v1alpha1.ClusterIma
return err
}
// Does not exist, create it.
cm, err := resources.NewConfigMap(system.Namespace(), config.ImagePoliciesConfigName, cip.Name, internalCIP)
cm, err := resources.NewConfigMap(system.Namespace(), config.ImagePoliciesConfigName, cip.Name, webhookCIP)
if err != nil {
logging.FromContext(ctx).Errorf("Failed to construct configmap: %v", err)
return err
Expand All @@ -116,7 +116,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, cip *v1alpha1.ClusterIma
}

// Check if we need to update the configmap or not.
patchBytes, err := resources.CreatePatch(system.Namespace(), config.ImagePoliciesConfigName, cip.Name, existing.DeepCopy(), internalCIP)
patchBytes, err := resources.CreatePatch(system.Namespace(), config.ImagePoliciesConfigName, cip.Name, existing.DeepCopy(), webhookCIP)
if err != nil {
logging.FromContext(ctx).Errorf("Failed to create patch: %v", err)
return err
Expand Down Expand Up @@ -153,7 +153,7 @@ func (r *Reconciler) FinalizeKind(ctx context.Context, cip *v1alpha1.ClusterImag
// to ecdsa.PublicKey and store it in the returned CIP
// When PublicKeys are successfully set, the authority key's data will be
// cleared out
func (r *Reconciler) convertKeyData(ctx context.Context, cip *internalcip.ClusterImagePolicy) (*internalcip.ClusterImagePolicy, error) {
func (r *Reconciler) convertKeyData(ctx context.Context, cip *webhookcip.ClusterImagePolicy) (*webhookcip.ClusterImagePolicy, error) {
for _, authority := range cip.Authorities {
if authority.Key != nil && authority.Key.Data != "" {
keys, err := convertAuthorityKeys(ctx, authority.Key.Data)
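Review bot: The conversion from `cipCopy.Spec` to `webhookCIP` in ReconcileKind goes through json.Marshal followed by json.Unmarshal, and json.Unmarshal silently ignores any field that has no counterpart in the target type. Now that `webhookcip.ClusterImagePolicy` lives in a separate public package, a field added to the v1alpha1 spec but not mirrored there would be dropped without error, and the webhook would enforce a weaker policy than the one the user wrote. If every spec field is meant to round-trip, decoding with unknown fields rejected turns such drift into a reconcile error instead of a silent downgrade: `dec := json.NewDecoder(strings.NewReader(string(bytes)))`, `dec.DisallowUnknownFields()`, `if err := dec.Decode(&webhookCIP); err != nil {` (strings is already imported in this file). If some spec fields are intentionally not carried over, a comment on the `var webhookCIP` line saying so would serve instead. ReconcileKind begins and ends outside this hunk.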
8 changes: 4 additions & 4 deletions pkg/reconciler/clusterimagepolicy/resources/configmap.go
Expand Up @@ -18,15 +18,15 @@ import (
"encoding/json"
"fmt"

internalcip "github.com/sigstore/cosign/internal/pkg/apis/cosigned"
webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"knative.dev/pkg/apis/duck"
)

// NewConfigMap returns a new ConfigMap with an entry for the given
// ClusterImagePolicy
func NewConfigMap(ns, name, cipName string, cip *internalcip.ClusterImagePolicy) (*corev1.ConfigMap, error) {
func NewConfigMap(ns, name, cipName string, cip *webhookcip.ClusterImagePolicy) (*corev1.ConfigMap, error) {
entry, err := marshal(cip)
if err != nil {
return nil, err
Expand All @@ -48,7 +48,7 @@ func NewConfigMap(ns, name, cipName string, cip *internalcip.ClusterImagePolicy)
// CreatePatch updates a particular entry to see if they are differing and
// returning the patch bytes for it that's suitable for calling
// ConfigMap.Patch with.
func CreatePatch(ns, name, cipName string, cm *corev1.ConfigMap, cip *internalcip.ClusterImagePolicy) ([]byte, error) {
func CreatePatch(ns, name, cipName string, cm *corev1.ConfigMap, cip *webhookcip.ClusterImagePolicy) ([]byte, error) {
entry, err := marshal(cip)
if err != nil {
return nil, err
Expand Down Expand Up @@ -85,7 +85,7 @@ func CreateRemovePatch(ns, name string, cm *corev1.ConfigMap, cipName string) ([
return jsonPatch.MarshalJSON()
}

func marshal(spec *internalcip.ClusterImagePolicy) (string, error) {
func marshal(spec *webhookcip.ClusterImagePolicy) (string, error) {
bytes, err := json.Marshal(spec)
if err != nil {
return "", err
