also v1beta1.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go

@@ -133,6 +133,9 @@ func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError {
 		errs = errs.Also(apis.ErrMissingField("identities"))
 	}
 
+	if keyless.CACert != nil {
+		errs = errs.Also(keyless.DeepCopy().CACert.Validate(ctx).ViaField("ca-cert"))
+	}
 	for i, identity := range keyless.Identities {
 		errs = errs.Also(identity.Validate(ctx).ViaFieldIndex("identities", i))
 	}
@@ -213,7 +216,6 @@ func ValidateGlob(glob string) *apis.FieldError {
 }
 
 func ValidateRegex(regex string) *apis.FieldError {
-	// It's a regexp, so pull out the regex
 	_, err := regexp.Compile(regex)
 	if err != nil {
 		return apis.ErrInvalidValue(regex, apis.CurrentField, fmt.Sprintf("regex is invalid: %v", err))

pkg/apis/policy/v1beta1/clusterimagepolicy_validation_test.go

@@ -16,13 +16,16 @@ package v1beta1
 
 import (
 	"context"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	"knative.dev/pkg/apis"
 )
 
+const validPublicKey = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaEOVJCFtduYr3xqTxeRWSW32CY/s\nTBNZj4oIUPl8JvhVPJ1TKDPlNcuT4YphSt6t3yOmMvkdQbCj8broX6vijw==\n-----END PUBLIC KEY-----"
+
 func TestImagePatternValidation(t *testing.T) {
 	tests := []struct {
 		name        string
@@ -169,6 +172,22 @@ func TestKeyValidation(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:        "Should fail with invalid AWS KMS for Keyful",
+			expectErr:   true,
+			errorString: "invalid value: awskms://localhost:8888/arn:butnotvalid: spec.authorities[0].key.kms\nfailed to parse either key or alias arn: arn: not enough sections",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{{Glob: "gcr.io/*"}},
+					Authorities: []Authority{
+						{
+							Key:     &KeyRef{KMS: "awskms://localhost:8888/arn:butnotvalid"},
+							Sources: []Source{{OCI: "registry.example.com"}},
+						},
+					},
+				},
+			},
+		},
 		{
 			name:        "Should pass when key has only one property: %v",
 			errorString: "",
@@ -248,7 +267,7 @@ func TestKeylessValidation(t *testing.T) {
 									Host: "myhost",
 								},
 								CACert: &KeyRef{
-									Data: "---certificate---",
+									Data: validPublicKey,
 								},
 							},
 						},
@@ -278,6 +297,21 @@ func TestKeylessValidation(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:        "Should fail with invalid AWS KMS for Keyless",
+			expectErr:   true,
+			errorString: "invalid value: awskms://localhost:8888/arn:butnotvalid: spec.authorities[0].keyless.ca-cert.kms\nfailed to parse either key or alias arn: arn: not enough sections",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{{Glob: "gcr.io/*"}},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{CACert: &KeyRef{KMS: "awskms://localhost:8888/arn:butnotvalid"}},
+						},
+					},
+				},
+			},
+		},
 	}
 
 	for _, test := range tests {
@@ -678,6 +712,12 @@ func TestIdentitiesValidation(t *testing.T) {
 }
 
 func TestAWSKMSValidation(t *testing.T) {
+	// Note the error messages betweeen the kms / cacert validation is
+	// identical, with the only difference being `kms` or `ca-cert.kms`. Reason
+	// for the ca-cert.kms is because it's embedded within the ca-cert that
+	// we pass in. So we put a KMSORCACERT into the err string that we then
+	// replace based on the tests so we don't have to write identical tests
+	// for both of them.
 	tests := []struct {
 		name        string
 		expectErr   bool
@@ -687,25 +727,25 @@ func TestAWSKMSValidation(t *testing.T) {
 		{
 			name:        "malformed, only 2 slashes ",
 			expectErr:   true,
-			errorString: "invalid value: awskms://1234abcd-12ab-34cd-56ef-1234567890ab: kms\nmalformed AWS KMS format, should be: 'awskms://$ENDPOINT/$KEYID'",
+			errorString: "invalid value: awskms://1234abcd-12ab-34cd-56ef-1234567890ab: KMSORCACERT\nmalformed AWS KMS format, should be: 'awskms://$ENDPOINT/$KEYID'",
 			kms:         "awskms://1234abcd-12ab-34cd-56ef-1234567890ab",
 		},
 		{
 			name:        "fails with invalid host",
 			expectErr:   true,
-			errorString: "invalid value: awskms://localhost:::4566/alias/exampleAlias: kms\nmalformed endpoint: address localhost:::4566: too many colons in address",
+			errorString: "invalid value: awskms://localhost:::4566/alias/exampleAlias: KMSORCACERT\nmalformed endpoint: address localhost:::4566: too many colons in address",
 			kms:         "awskms://localhost:::4566/alias/exampleAlias",
 		},
 		{
 			name:        "fails with non-arn alias",
 			expectErr:   true,
-			errorString: "invalid value: awskms://localhost:4566/alias/exampleAlias: kms\nfailed to parse either key or alias arn: arn: invalid prefix",
+			errorString: "invalid value: awskms://localhost:4566/alias/exampleAlias: KMSORCACERT\nfailed to parse either key or alias arn: arn: invalid prefix",
 			kms:         "awskms://localhost:4566/alias/exampleAlias",
 		},
 		{
 			name:        "Should fail when arn is invalid",
 			expectErr:   true,
-			errorString: "invalid value: awskms://localhost:4566/arn:sonotvalid: kms\nfailed to parse either key or alias arn: arn: not enough sections",
+			errorString: "invalid value: awskms://localhost:4566/arn:sonotvalid: KMSORCACERT\nfailed to parse either key or alias arn: arn: not enough sections",
 			kms:         "awskms://localhost:4566/arn:sonotvalid",
 		},
 		{
@@ -727,11 +767,23 @@ func TestAWSKMSValidation(t *testing.T) {
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
+			// First test with KeyRef
 			keyRef := KeyRef{KMS: test.kms}
 			err := keyRef.Validate(context.TODO())
 			if test.expectErr {
 				require.NotNil(t, err)
-				require.EqualError(t, err, test.errorString)
+				kmsErrString := strings.Replace(test.errorString, "KMSORCACERT", "kms", 1)
+				require.EqualError(t, err, kmsErrString)
+			} else {
+				require.Nil(t, err)
+			}
+			// Then with Keyless with CACert as KeyRef
+			keylessRef := KeylessRef{CACert: &keyRef}
+			err = keylessRef.Validate(context.TODO())
+			if test.expectErr {
+				require.NotNil(t, err)
+				caCertErrString := strings.Replace(test.errorString, "KMSORCACERT", "ca-cert.kms", 1)
+				require.EqualError(t, err, caCertErrString)
 			} else {
 				require.Nil(t, err)
 			}