-
Notifications
You must be signed in to change notification settings - Fork 139
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This adds support for Chainguard issued tokens, so that users can sign with their Chainguard-issued identity, and so that we can explore signing our own content with our internal service principal construct (see issue). Related: #1702 Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
- Loading branch information
Showing
13 changed files
with
629 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# Copyright 2024 The Sigstore Authors | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
url: https://issuer.enforce.dev | ||
# TODO(mattmoor): Change to a group. | ||
contact: mattmoor@chainguard.dev | ||
description: "Chainguard identity tokens" | ||
type: "chainguard-identity" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
// Copyright 2024 The Sigstore Authors. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package chainguard | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
|
||
"github.com/sigstore/fulcio/pkg/config" | ||
"github.com/sigstore/fulcio/pkg/identity" | ||
"github.com/sigstore/fulcio/pkg/identity/base" | ||
) | ||
|
||
type issuer struct { | ||
identity.Issuer | ||
} | ||
|
||
func Issuer(issuerURL string) identity.Issuer { | ||
return &issuer{base.Issuer(issuerURL)} | ||
} | ||
|
||
func (e *issuer) Authenticate(ctx context.Context, token string, opts ...config.InsecureOIDCConfigOption) (identity.Principal, error) { | ||
idtoken, err := identity.Authorize(ctx, token, opts...) | ||
if err != nil { | ||
return nil, fmt.Errorf("authorizing chainguard issuer: %w", err) | ||
} | ||
return PrincipalFromIDToken(ctx, idtoken) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
// Copyright 2024 The Sigstore Authors. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package chainguard | ||
|
||
import ( | ||
"context" | ||
"encoding/json" | ||
"fmt" | ||
"reflect" | ||
"testing" | ||
"unsafe" | ||
|
||
"chainguard.dev/sdk/uidp" | ||
"github.com/coreos/go-oidc/v3/oidc" | ||
"github.com/sigstore/fulcio/pkg/config" | ||
"github.com/sigstore/fulcio/pkg/identity" | ||
) | ||
|
||
func TestIssuer(t *testing.T) { | ||
ctx := context.Background() | ||
url := "test-issuer-url" | ||
issuer := Issuer(url) | ||
|
||
// test the Match function | ||
t.Run("match", func(t *testing.T) { | ||
if matches := issuer.Match(ctx, url); !matches { | ||
t.Fatal("expected url to match but it doesn't") | ||
} | ||
if matches := issuer.Match(ctx, "some-other-url"); matches { | ||
t.Fatal("expected match to fail but it didn't") | ||
} | ||
}) | ||
|
||
t.Run("authenticate", func(t *testing.T) { | ||
group := uidp.NewUIDP("") | ||
id := group.NewChild() | ||
|
||
token := &oidc.IDToken{ | ||
Issuer: "https://iss.example.com", | ||
Subject: id.String(), | ||
} | ||
claims, err := json.Marshal(map[string]interface{}{ | ||
"iss": "https://iss.example.com", | ||
"sub": id.String(), | ||
|
||
// Actor claims track the identity that was used to assume the | ||
// Chainguard identity. In this case, it is the Catalog Syncer | ||
// service principal. | ||
"act": map[string]string{ | ||
"iss": "https://iss.example.com/", | ||
"sub": fmt.Sprintf("catalog-syncer:%s", group.String()), | ||
"aud": "chainguard", | ||
}, | ||
"internal": map[string]interface{}{ | ||
"service-principal": "CATALOG_SYNCER", | ||
}, | ||
}) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
withClaims(token, claims) | ||
|
||
identity.Authorize = func(_ context.Context, _ string, _ ...config.InsecureOIDCConfigOption) (*oidc.IDToken, error) { | ||
return token, nil | ||
} | ||
principal, err := issuer.Authenticate(ctx, "token") | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
if principal.Name(ctx) != id.String() { | ||
t.Fatalf("got unexpected name %s", principal.Name(ctx)) | ||
} | ||
}) | ||
} | ||
|
||
// reflect hack because "claims" field is unexported by oidc IDToken | ||
// https://github.com/coreos/go-oidc/pull/329 | ||
func withClaims(token *oidc.IDToken, data []byte) { | ||
val := reflect.Indirect(reflect.ValueOf(token)) | ||
member := val.FieldByName("claims") | ||
pointer := unsafe.Pointer(member.UnsafeAddr()) | ||
realPointer := (*[]byte)(pointer) | ||
*realPointer = data | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
// Copyright 2024 The Sigstore Authors. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package chainguard | ||
|
||
import ( | ||
"context" | ||
"crypto/x509" | ||
"net/url" | ||
|
||
"github.com/coreos/go-oidc/v3/oidc" | ||
"github.com/sigstore/fulcio/pkg/certificate" | ||
"github.com/sigstore/fulcio/pkg/identity" | ||
) | ||
|
||
type workflowPrincipal struct { | ||
issuer string | ||
subject string | ||
|
||
actor map[string]string | ||
servicePrincipal string | ||
} | ||
|
||
var _ identity.Principal = (*workflowPrincipal)(nil) | ||
|
||
func (w workflowPrincipal) Name(_ context.Context) string { | ||
return w.subject | ||
} | ||
|
||
func PrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (identity.Principal, error) { | ||
var claims struct { | ||
Actor map[string]string `json:"act"` | ||
Internal struct { | ||
ServicePrincipal string `json:"service-principal,omitempty"` | ||
} `json:"internal"` | ||
} | ||
|
||
if err := token.Claims(&claims); err != nil { | ||
return nil, err | ||
} | ||
|
||
return &workflowPrincipal{ | ||
issuer: token.Issuer, | ||
subject: token.Subject, | ||
actor: claims.Actor, | ||
servicePrincipal: claims.Internal.ServicePrincipal, | ||
}, nil | ||
} | ||
|
||
func (w workflowPrincipal) Embed(_ context.Context, cert *x509.Certificate) error { | ||
baseURL, err := url.Parse(w.issuer) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
// Set SAN to the <issuer>/<subject> | ||
cert.URIs = []*url.URL{baseURL.JoinPath(w.subject)} | ||
|
||
cert.ExtraExtensions, err = certificate.Extensions{ | ||
Issuer: w.issuer, | ||
|
||
// TODO(mattmoor): Embed more of the Chainguard token structure via OIDs. | ||
}.Render() | ||
if err != nil { | ||
return err | ||
} | ||
|
||
return nil | ||
} |
Oops, something went wrong.