From d16be8db673de5fbc7d64063bf4920674378da2b Mon Sep 17 00:00:00 2001
From: Matt Moore
Date: Wed, 10 Jul 2024 13:00:35 -0700
Subject: [PATCH 01/20] Surface the right `Name()` from our principal. (#1726)
The cosign logic for interacting with Fulcio treats identity tokens as *largely* opaque, and most of the logic for how issuers and subjects and whatnot is handled happens server-side. However, for the "proof of possession" `cosign` has some logic (from `sigstore/sigstore`) that fumbles with `email` and `sub` claims in ways that have (until now) been compatible with Fulcio principals. The Chainguard provider is the first provider that optionally includes an `email` claim, but we always want the subject we use to be our opaque identifier string (from `sub`). This creates a tear in the fulcio/cosign continuum, and so we must surface what `cosign` is signing as `Name()` even though that isn't necessarily what we embed in the certificate. The only correct way to implement `Name()` today is to match what this function does, and current implementations happen to align, but unfortunately because of how this abstraction is formulated it is challenging to actually change how we confirm the proof of possession to use this directly in place of the principal itself.
Fixes: https://github.com/sigstore/cosign/issues/3777
Signed-off-by: Matt Moore
---
 pkg/identity/chainguard/principal.go | 14 ++++++++++-
 pkg/identity/chainguard/principal_test.go | 29 +++++++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/pkg/identity/chainguard/principal.go b/pkg/identity/chainguard/principal.go
index d2940c667..194b89924 100644
--- a/pkg/identity/chainguard/principal.go
+++ b/pkg/identity/chainguard/principal.go
@@ -22,11 +22,13 @@ import (
 "github.com/coreos/go-oidc/v3/oidc"
 "github.com/sigstore/fulcio/pkg/certificate"
 "github.com/sigstore/fulcio/pkg/identity"
+ "github.com/sigstore/sigstore/pkg/oauthflow"
 )
 type workflowPrincipal struct {
 issuer string
 subject string
+ name string
 actor map[string]string
 servicePrincipal string
@@ -35,7 +37,7 @@ type workflowPrincipal struct {
 var _ identity.Principal = (*workflowPrincipal)(nil)
 func (w workflowPrincipal) Name(_ context.Context) string {
- return w.subject
+ return w.name
 }
 func PrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (identity.Principal, error) {
@@ -50,9 +52,19 @@ func PrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (identity.Prin
 return nil, err
 }
+ // This is the exact function that cosign uses to extract the "subject"
+ // (misnomer) from the token in order to establish "proof of possession".
+ // We MUST use this to implement Name() or tokens that embed an email claim
+ // will fail to sign because of this divergent logic.
+ name, err := oauthflow.SubjectFromToken(token)
+ if err != nil {
+ return nil, err
+ }
+
 return &workflowPrincipal{
 issuer: token.Issuer,
 subject: token.Subject,
+ name: name,
 actor: claims.Actor,
 servicePrincipal: claims.Internal.ServicePrincipal,
 }, nil
diff --git a/pkg/identity/chainguard/principal_test.go b/pkg/identity/chainguard/principal_test.go
index db995db17..cd666aab0 100644
--- a/pkg/identity/chainguard/principal_test.go
+++ b/pkg/identity/chainguard/principal_test.go
@@ -60,6 +60,7 @@ func TestJobPrincipalFromIDToken(t *testing.T) {
 ExpectPrincipal: workflowPrincipal{
 issuer: "https://issuer.enforce.dev",
 subject: id.String(),
+ name: id.String(),
 actor: map[string]string{
 "iss": "https://iss.example.com/",
 "sub": fmt.Sprintf("catalog-syncer:%s", group.String()),
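Review bot: The new `name` field is declared right under `subject` with no comment, so nothing at the type level says why a principal now carries two identifiers or which of them is the one that ends up in a certificate. Given that `Name()` is what the proof-of-possession check compares against while `subject` is, per the commit message, what gets embedded, I would annotate both: `// subject is the opaque sub claim that is embedded in the certificate.` and `// name is what cosign signs for the proof-of-possession challenge (oauthflow.SubjectFromToken); per the tests it is the email claim when one is present, otherwise sub.` The `Name()` method in the next hunk deserves the same one-line doc so a future reader does not "simplify" it back to `w.subject`.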
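Review bot: What the client must now sign is whatever `oauthflow.SubjectFromToken` returns, and this hunk does not show whether that helper refuses an `email` claim that is not accompanied by `email_verified: true`; if it does not, an unverified email in a Chainguard token silently becomes the challenge value. Either confirm that guarantee and record it in the comment, or decode `email`/`email_verified` here and reject the unverified case before building the principal. The comment block should also name the coupling so it survives a dependency bump: `// NOTE: must stay in sync with sigstore/sigstore oauthflow.SubjectFromToken; if that helper changes how it picks email vs sub, signing breaks for tokens carrying an email claim.` The start of `PrincipalFromIDToken` and the `claims` decode it relies on lie outside this hunk.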
@@ -85,6 +86,34 @@ func TestJobPrincipalFromIDToken(t *testing.T) {
 ExpectPrincipal: workflowPrincipal{
 issuer: "https://issuer.enforce.dev",
 subject: group.String(),
+ name: group.String(),
+ actor: map[string]string{
+ "iss": "https://auth.chainguard.dev/",
+ "sub": "google-oauth2|1234567890",
+ "aud": "fdsaldfkjhasldf",
+ },
+ },
+ WantErr: false,
+ },
+ `Human SSO token (with email)`: {
+ Claims: map[string]interface{}{
+ "iss": "https://issuer.enforce.dev",
+ "sub": group.String(),
+ "email": "jane@doe.dev",
+ "email_verified": true,
+ // Actor claims track the identity that was used to assume the
+ // Chainguard identity. In this case, it is the Catalog Syncer
+ // service principal.
+ "act": map[string]string{
+ "iss": "https://auth.chainguard.dev/",
+ "sub": "google-oauth2|1234567890",
+ "aud": "fdsaldfkjhasldf",
+ },
+ },
+ ExpectPrincipal: workflowPrincipal{
+ issuer: "https://issuer.enforce.dev",
+ subject: group.String(),
+ name: "jane@doe.dev",
 actor: map[string]string{
 "iss": "https://auth.chainguard.dev/",
 "sub": "google-oauth2|1234567890",
From f11344b67252fbfada3774ce17426df9f85b87ae Mon Sep 17 00:00:00 2001
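Review bot: The added `Human SSO token (with email)` case pins only the verified happy path, so the behaviour that matters for safety — an `email` claim with `"email_verified": false`, or with the flag absent — is left untested even though that is exactly where deriving `name` from the email instead of `sub` could go wrong. Add a sibling case with `"email": "jane@doe.dev", "email_verified": false` (and one with no `email_verified` key at all) and state the expected outcome explicitly: `WantErr: true` if `oauthflow.SubjectFromToken` rejects it, or `name: group.String()` if the intended semantics are a fallback to `sub`. The test table and `TestJobPrincipalFromIDToken` begin outside this hunk.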
From: Hayden B
Date: Wed, 10 Jul 2024 15:41:22 -0700
Subject: [PATCH 02/20] Revert "CiProvider as a new OIDCIssuer type (#1679)" (#1727)
This reverts commit 66485b693867adc650aea85777f1899286c3c7ce.
---
 pkg/certificate/extensions.go | 38 +-
 pkg/challenges/challenges.go | 3 -
 pkg/config/config.go | 58 +--
 pkg/config/config_network_test.go | 56 ---
 pkg/config/config_test.go | 3 -
 pkg/identity/ciprovider/issuer.go | 39 --
 pkg/identity/ciprovider/issuer_test.go | 100 -----
 pkg/identity/ciprovider/principal.go | 157 --------
 pkg/identity/ciprovider/principal_test.go | 422 ----------------------
 pkg/server/grpc_server_test.go | 184 +---------
 pkg/server/issuer_pool.go | 3 -
 11 files changed, 22 insertions(+), 1041 deletions(-)
 delete mode 100644 pkg/identity/ciprovider/issuer.go
 delete mode 100644 pkg/identity/ciprovider/issuer_test.go
 delete mode 100644 pkg/identity/ciprovider/principal.go
 delete mode 100644 pkg/identity/ciprovider/principal_test.go
diff --git a/pkg/certificate/extensions.go b/pkg/certificate/extensions.go
index 584aac971..38f80d5ae 100644
--- a/pkg/certificate/extensions.go
+++ b/pkg/certificate/extensions.go
@@ -69,69 +69,69 @@ type Extensions struct {
 // Deprecated
 // Triggering event of the Github Workflow. Matches the `event_name` claim of ID
 // tokens from Github Actions
- GithubWorkflowTrigger string `json:"GithubWorkflowTrigger,omitempty" yaml:"github-workflow-trigger,omitempty"` // OID 1.3.6.1.4.1.57264.1.2
+ GithubWorkflowTrigger string // OID 1.3.6.1.4.1.57264.1.2
 // Deprecated
 // SHA of git commit being built in Github Actions. Matches the `sha` claim of ID
 // tokens from Github Actions
- GithubWorkflowSHA string `json:"GithubWorkflowSHA,omitempty" yaml:"github-workflow-sha,omitempty"` // OID 1.3.6.1.4.1.57264.1.3
+ GithubWorkflowSHA string // OID 1.3.6.1.4.1.57264.1.3
 // Deprecated
 // Name of Github Actions Workflow. Matches the `workflow` claim of the ID
 // tokens from Github Actions
- GithubWorkflowName string `json:"GithubWorkflowName,omitempty" yaml:"github-workflow-name,omitempty"` // OID 1.3.6.1.4.1.57264.1.4
+ GithubWorkflowName string // OID 1.3.6.1.4.1.57264.1.4
 // Deprecated
 // Repository of the Github Actions Workflow. Matches the `repository` claim of the ID
 // tokens from Github Actions
- GithubWorkflowRepository string `json:"GithubWorkflowRepository,omitempty" yaml:"github-workflow-repository,omitempty"` // OID 1.3.6.1.4.1.57264.1.5
+ GithubWorkflowRepository string // OID 1.3.6.1.4.1.57264.1.5
 // Deprecated
 // Git Ref of the Github Actions Workflow. Matches the `ref` claim of the ID tokens
 // from Github Actions
- GithubWorkflowRef string `json:"GithubWorkflowRef,omitempty" yaml:"github-workflow-ref,omitempty"` // 1.3.6.1.4.1.57264.1.6
+ GithubWorkflowRef string // 1.3.6.1.4.1.57264.1.6
 // Reference to specific build instructions that are responsible for signing.
- BuildSignerURI string `json:"BuildSignerURI,omitempty" yaml:"build-signer-uri,omitempty"` // 1.3.6.1.4.1.57264.1.9
+ BuildSignerURI string // 1.3.6.1.4.1.57264.1.9
 // Immutable reference to the specific version of the build instructions that is responsible for signing.
- BuildSignerDigest string `json:"BuildSignerDigest,omitempty" yaml:"build-signer-digest,omitempty"` // 1.3.6.1.4.1.57264.1.10
+ BuildSignerDigest string // 1.3.6.1.4.1.57264.1.10
 // Specifies whether the build took place in platform-hosted cloud infrastructure or customer/self-hosted infrastructure.
- RunnerEnvironment string `json:"RunnerEnvironment,omitempty" yaml:"runner-environment,omitempty"` // 1.3.6.1.4.1.57264.1.11
+ RunnerEnvironment string // 1.3.6.1.4.1.57264.1.11
 // Source repository URL that the build was based on.
- SourceRepositoryURI string `json:"SourceRepositoryURI,omitempty" yaml:"source-repository-uri,omitempty"` // 1.3.6.1.4.1.57264.1.12
+ SourceRepositoryURI string // 1.3.6.1.4.1.57264.1.12
 // Immutable reference to a specific version of the source code that the build was based upon.
- SourceRepositoryDigest string `json:"SourceRepositoryDigest,omitempty" yaml:"source-repository-digest,omitempty"` // 1.3.6.1.4.1.57264.1.13
+ SourceRepositoryDigest string // 1.3.6.1.4.1.57264.1.13
 // Source Repository Ref that the build run was based upon.
- SourceRepositoryRef string `json:"SourceRepositoryRef,omitempty" yaml:"source-repository-ref,omitempty"` // 1.3.6.1.4.1.57264.1.14
+ SourceRepositoryRef string // 1.3.6.1.4.1.57264.1.14
 // Immutable identifier for the source repository the workflow was based upon.
- SourceRepositoryIdentifier string `json:"SourceRepositoryIdentifier,omitempty" yaml:"source-repository-identifier,omitempty"` // 1.3.6.1.4.1.57264.1.15
+ SourceRepositoryIdentifier string // 1.3.6.1.4.1.57264.1.15
 // Source repository owner URL of the owner of the source repository that the build was based on.
- SourceRepositoryOwnerURI string `json:"SourceRepositoryOwnerURI,omitempty" yaml:"source-repository-owner-uri,omitempty"` // 1.3.6.1.4.1.57264.1.16
+ SourceRepositoryOwnerURI string // 1.3.6.1.4.1.57264.1.16
 // Immutable identifier for the owner of the source repository that the workflow was based upon.
- SourceRepositoryOwnerIdentifier string `json:"SourceRepositoryOwnerIdentifier,omitempty" yaml:"source-repository-owner-identifier,omitempty"` // 1.3.6.1.4.1.57264.1.17
+ SourceRepositoryOwnerIdentifier string // 1.3.6.1.4.1.57264.1.17
 // Build Config URL to the top-level/initiating build instructions.
- BuildConfigURI string `json:"BuildConfigURI,omitempty" yaml:"build-config-uri,omitempty"` // 1.3.6.1.4.1.57264.1.18
+ BuildConfigURI string // 1.3.6.1.4.1.57264.1.18
 // Immutable reference to the specific version of the top-level/initiating build instructions.
- BuildConfigDigest string `json:"BuildConfigDigest,omitempty" yaml:"build-config-digest,omitempty"` // 1.3.6.1.4.1.57264.1.19
+ BuildConfigDigest string // 1.3.6.1.4.1.57264.1.19
 // Event or action that initiated the build.
- BuildTrigger string `json:"BuildTrigger,omitempty" yaml:"build-trigger,omitempty"` // 1.3.6.1.4.1.57264.1.20
+ BuildTrigger string // 1.3.6.1.4.1.57264.1.20
 // Run Invocation URL to uniquely identify the build execution.
- RunInvocationURI string `json:"RunInvocationURI,omitempty" yaml:"run-invocation-uri,omitempty"` // 1.3.6.1.4.1.57264.1.21
+ RunInvocationURI string // 1.3.6.1.4.1.57264.1.21
 // Source repository visibility at the time of signing the certificate.
- SourceRepositoryVisibilityAtSigning string `json:"SourceRepositoryVisibilityAtSigning,omitempty" yaml:"source-repository-visibility-at-signing,omitempty"` // 1.3.6.1.4.1.57264.1.22
+ SourceRepositoryVisibilityAtSigning string // 1.3.6.1.4.1.57264.1.22
 }
 func (e Extensions) Render() ([]pkix.Extension, error) {
diff --git a/pkg/challenges/challenges.go b/pkg/challenges/challenges.go
index 143fdaab9..dda3298ff 100644
--- a/pkg/challenges/challenges.go
+++ b/pkg/challenges/challenges.go
@@ -27,7 +27,6 @@ import (
 "github.com/sigstore/fulcio/pkg/config"
 "github.com/sigstore/fulcio/pkg/identity"
 "github.com/sigstore/fulcio/pkg/identity/buildkite"
- "github.com/sigstore/fulcio/pkg/identity/ciprovider"
 "github.com/sigstore/fulcio/pkg/identity/email"
 "github.com/sigstore/fulcio/pkg/identity/github"
 "github.com/sigstore/fulcio/pkg/identity/gitlabcom"
@@ -76,8 +75,6 @@ func PrincipalFromIDToken(ctx context.Context, tok *oidc.IDToken) (identity.Prin
 principal, err = uri.PrincipalFromIDToken(ctx, tok)
 case config.IssuerTypeUsername:
 principal, err = username.PrincipalFromIDToken(ctx, tok)
- case config.IssuerTypeCIProvider:
- principal, err = ciprovider.WorkflowPrincipalFromIDToken(ctx, tok)
 default:
 return nil, fmt.Errorf("unsupported issuer: %s", iss.Type)
 }
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 6b5f01f9a..6a6aca77e 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -21,7 +21,6 @@ import (
 "encoding/json"
 "errors"
 "fmt"
- "html/template"
 "net/http"
 "net/url"
 "os"
@@ -32,7 +31,6 @@ import (
 "github.com/coreos/go-oidc/v3/oidc"
 lru "github.com/hashicorp/golang-lru"
- "github.com/sigstore/fulcio/pkg/certificate"
 fulciogrpc "github.com/sigstore/fulcio/pkg/generated/protobuf"
 "github.com/sigstore/fulcio/pkg/log"
 "github.com/spiffe/go-spiffe/v2/spiffeid"
@@ -62,33 +60,12 @@ type FulcioConfig struct {
 // * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster
 MetaIssuers map[string]OIDCIssuer `json:"MetaIssuers,omitempty" yaml:"meta-issuers,omitempty"`
- // It defines metadata to be used for the CIProvider identity provider principal.
- // The CI provider has a generic logic for ci providers, this metadata is used
- // to define the right behavior for each ci provider that is defined
- // on the configuration file
- CIIssuerMetadata map[string]IssuerMetadata `json:"CIIssuerMetadata,omitempty" yaml:"ci-issuer-metadata,omitempty"`
-
 // verifiers is a fixed mapping from our OIDCIssuers to their OIDC verifiers.
 verifiers map[string][]*verifierWithConfig
 // lru is an LRU cache of recently used verifiers for our meta issuers.
 lru *lru.TwoQueueCache
 }
-type IssuerMetadata struct {
- // Defaults contains key-value pairs that can be used for filling the templates from ExtensionTemplates
- // If a key cannot be found on the token claims, the template will use the defaults
- DefaultTemplateValues map[string]string `json:"DefaultTemplateValues,omitempty" yaml:"default-template-values,omitempty"`
- // ExtensionTemplates contains a mapping between certificate extension and token claim
- // Provide either strings following https://pkg.go.dev/text/template syntax,
- // e.g "{{ .url }}/{{ .repository }}"
- // or non-templated strings with token claim keys to be replaced,
- // e.g "job_workflow_sha"
- ExtensionTemplates certificate.Extensions `json:"ExtensionTemplates,omitempty" yaml:"extension-templates,omitempty"`
- // Template for the Subject Alternative Name extension
- // It's typically the same value as Build Signer URI
- SubjectAlternativeNameTemplate string `json:"SubjectAlternativeNameTemplate,omitempty" yaml:"subject-alternative-name-template,omitempty"`
-}
-
 type OIDCIssuer struct {
 // The expected issuer of an OIDC token
 IssuerURL string `json:"IssuerURL,omitempty" yaml:"issuer-url,omitempty"`
@@ -97,8 +74,6 @@ type OIDCIssuer struct {
 // Used to determine the subject of the certificate and if additional
 // certificate values are needed
 Type IssuerType `json:"Type" yaml:"type,omitempty"`
- // CIProvider is an optional configuration to map token claims to extensions for CI workflows
- CIProvider string `json:"CIProvider,omitempty" yaml:"ci-provider,omitempty"`
 // Optional, if the issuer is in a different claim in the OIDC token
 IssuerClaim string `json:"IssuerClaim,omitempty" yaml:"issuer-claim,omitempty"`
 // The domain that must be present in the subject for 'uri' issuer types
@@ -309,7 +284,6 @@ const (
 IssuerTypeSpiffe = "spiffe"
 IssuerTypeURI = "uri"
 IssuerTypeUsername = "username"
- IssuerTypeCIProvider = "ci-provider"
 )
 func parseConfig(b []byte) (cfg *FulcioConfig, err error) {
@@ -417,7 +391,7 @@ func validateConfig(conf *FulcioConfig) error {
 }
 }
- return validateCIIssuerMetadata(conf)
+ return nil
 }
 var DefaultConfig = &FulcioConfig{
@@ -458,34 +432,6 @@ func FromContext(ctx context.Context) *FulcioConfig {
 return untyped.(*FulcioConfig)
 }
-// It checks that the templates defined are parseable
-// We should check it during the service bootstrap to avoid errors further
-func validateCIIssuerMetadata(fulcioConfig *FulcioConfig) error {
-
- checkParse := func(temp string) error {
- t := template.New("").Option("missingkey=error")
- _, err := t.Parse(temp)
- return err
- }
-
- for _, ciIssuerMetadata := range fulcioConfig.CIIssuerMetadata {
- v := reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates)
- for i := 0; i < v.NumField(); i++ {
- s := v.Field(i).String()
- err := checkParse(s)
- if err != nil {
- return err
- }
- }
-
- err := checkParse(ciIssuerMetadata.SubjectAlternativeNameTemplate)
- if err != nil {
- return err
- }
- }
- return nil
-}
-
 // Load a config from disk, or use defaults
 func Load(configPath string) (*FulcioConfig, error) {
 if _, err := os.Stat(configPath); os.IsNotExist(err) {
@@ -570,8 +516,6 @@ func issuerToChallengeClaim(issType IssuerType, challengeClaim string) string {
 return "email"
 case IssuerTypeGithubWorkflow:
 return "sub"
- case IssuerTypeCIProvider:
- return "sub"
 case IssuerTypeCodefreshWorkflow:
 return "sub"
 case IssuerTypeChainguard:
diff --git a/pkg/config/config_network_test.go b/pkg/config/config_network_test.go
index 4e00720bf..52808181a 100644
--- a/pkg/config/config_network_test.go
+++ b/pkg/config/config_network_test.go
@@ -25,7 +25,6 @@ import (
 "github.com/google/go-cmp/cmp"
 "github.com/google/go-cmp/cmp/cmpopts"
- "github.com/sigstore/fulcio/pkg/certificate"
 )
 func TestLoad(t *testing.T) {
@@ -69,61 +68,6 @@ func TestLoad(t *testing.T) { } } -func TestParseTemplate(t *testing.T) { - - validTemplate := "{{.foobar}}" - invalidTemplate := "{{.foobar}" - ciissuerMetadata := make(map[string]IssuerMetadata) - ciissuerMetadata["github"] = IssuerMetadata{ - ExtensionTemplates: certificate.Extensions{ - BuildTrigger: invalidTemplate, - }, - } - fulcioConfig := &FulcioConfig{ - CIIssuerMetadata: ciissuerMetadata, - } - // BuildTrigger as a invalid template should raise an error - err := validateCIIssuerMetadata(fulcioConfig) - if err == nil { - t.Error("invalid template should raise an error") - } - ciissuerMetadata["github"] = IssuerMetadata{ - ExtensionTemplates: certificate.Extensions{ - BuildTrigger: validTemplate, - }, - } - fulcioConfig = &FulcioConfig{ - CIIssuerMetadata: ciissuerMetadata, - } - // BuildTrigger as a valid template shouldn't raise an error - err = validateCIIssuerMetadata(fulcioConfig) - if err != nil { - t.Error("valid template shouldn't raise an error, error: %w", err) - } - ciissuerMetadata["github"] = IssuerMetadata{ - SubjectAlternativeNameTemplate: invalidTemplate, - } - fulcioConfig = &FulcioConfig{ - CIIssuerMetadata: ciissuerMetadata, - } - // A SAN as a invalid template should raise an error - err = validateCIIssuerMetadata(fulcioConfig) - if err == nil { - t.Error("invalid SAN should raise an error") - } - ciissuerMetadata["github"] = IssuerMetadata{ - SubjectAlternativeNameTemplate: invalidTemplate, - } - fulcioConfig = &FulcioConfig{ - CIIssuerMetadata: ciissuerMetadata, - } - // A SAN as a valid template should raise an error - err = validateCIIssuerMetadata(fulcioConfig) - if err == nil { - t.Error("valid SAN shouldn't raise an error") - } -} - func TestLoadDefaults(t *testing.T) { td := t.TempDir() diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index 390bd6f6b..4c0967660 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go 
@@ -492,9 +492,6 @@ func Test_issuerToChallengeClaim(t *testing.T) {
 if claim := issuerToChallengeClaim(IssuerTypeGithubWorkflow, ""); claim != "sub" {
 t.Fatalf("expected sub subject claim for GitHub issuer, got %s", claim)
 }
- if claim := issuerToChallengeClaim(IssuerTypeCIProvider, ""); claim != "sub" {
- t.Fatalf("expected sub subject claim for CI issuer, got %s", claim)
- }
 if claim := issuerToChallengeClaim(IssuerTypeGitLabPipeline, ""); claim != "sub" {
 t.Fatalf("expected sub subject claim for GitLab issuer, got %s", claim)
 }
diff --git a/pkg/identity/ciprovider/issuer.go b/pkg/identity/ciprovider/issuer.go
deleted file mode 100644
index ce82d3558..000000000
--- a/pkg/identity/ciprovider/issuer.go
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright 2024 The Sigstore Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package ciprovider
-
-import (
- "context"
-
- "github.com/sigstore/fulcio/pkg/config"
- "github.com/sigstore/fulcio/pkg/identity"
- "github.com/sigstore/fulcio/pkg/identity/base"
-)
-
-type ciProviderIssuer struct {
- identity.Issuer
-}
-
-func Issuer(issuerURL string) identity.Issuer {
- return &ciProviderIssuer{base.Issuer(issuerURL)}
-}
-
-func (e *ciProviderIssuer) Authenticate(ctx context.Context, token string, opts ...config.InsecureOIDCConfigOption) (identity.Principal, error) {
- idtoken, err := identity.Authorize(ctx, token, opts...)
- if err != nil {
- return nil, err
- }
- return WorkflowPrincipalFromIDToken(ctx, idtoken)
-}
diff --git a/pkg/identity/ciprovider/issuer_test.go b/pkg/identity/ciprovider/issuer_test.go
deleted file mode 100644
index 1d8e605e3..000000000
--- a/pkg/identity/ciprovider/issuer_test.go
+++ /dev/null
@@ -1,100 +0,0 @@ -// Copyright 2024 The Sigstore Authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package ciprovider - -import ( - "context" - "encoding/json" - "testing" - - "github.com/coreos/go-oidc/v3/oidc" - "github.com/sigstore/fulcio/pkg/config" - "github.com/sigstore/fulcio/pkg/identity" -) - -func TestIssuer(t *testing.T) { - ctx := context.Background() - url := "test-issuer-url" - issuer := Issuer(url) - - // test the Match function - t.Run("match", func(t *testing.T) { - if matches := issuer.Match(ctx, url); !matches { - t.Fatal("expected url to match but it doesn't") - } - if matches := issuer.Match(ctx, "some-other-url"); matches { - t.Fatal("expected match to fail but it didn't") - } - }) - - t.Run("authenticate", func(t *testing.T) { - token := &oidc.IDToken{ - Issuer: "https://iss.example.com", - Subject: "repo:sigstore/fulcio:ref:refs/heads/main", - } - claims, err := json.Marshal(map[string]interface{}{ - "aud": "sigstore", - "event_name": "push", - "exp": 0, - "iss": "https://token.actions.githubusercontent.com", - "job_workflow_ref": "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main", - "job_workflow_sha": "example-sha", - "ref": "refs/heads/main", - "repository": "sigstore/fulcio", - "repository_id": "12345", - "repository_owner": "username", - "repository_owner_id": "345", - "repository_visibility": "public", - "run_attempt": "1", - "run_id": "42", - "runner_environment": "cloud-hosted", - "sha": 
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "sub": "repo:sigstore/fulcio:ref:refs/heads/main", - "workflow": "foo", - "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main", - "workflow_sha": "example-sha-other", - }) - if err != nil { - t.Fatal(err) - } - - withClaims(token, claims) - ctx := context.TODO() - OIDCIssuers := - map[string]config.OIDCIssuer{ - token.Issuer: { - IssuerURL: token.Issuer, - Type: config.IssuerTypeCIProvider, - CIProvider: "github-workflow", - ClientID: "sigstore", - }, - } - cfg := &config.FulcioConfig{ - OIDCIssuers: OIDCIssuers, - } - ctx = config.With(ctx, cfg) - identity.Authorize = func(_ context.Context, _ string, _ ...config.InsecureOIDCConfigOption) (*oidc.IDToken, error) { - return token, nil - } - principal, err := issuer.Authenticate(ctx, "token") - if err != nil { - t.Fatal(err) - } - - if principal.Name(ctx) != "repo:sigstore/fulcio:ref:refs/heads/main" { - t.Fatalf("got unexpected name %s", principal.Name(ctx)) - } - }) -} diff --git a/pkg/identity/ciprovider/principal.go b/pkg/identity/ciprovider/principal.go deleted file mode 100644 index fb94df3bd..000000000 --- a/pkg/identity/ciprovider/principal.go +++ /dev/null 
@@ -1,157 +0,0 @@ -// Copyright 2024 The Sigstore Authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package ciprovider - -import ( - "bytes" - "context" - "crypto/x509" - "fmt" - "html/template" - "net/url" - "reflect" - "strings" - - "github.com/coreos/go-oidc/v3/oidc" - "github.com/sigstore/fulcio/pkg/config" - "github.com/sigstore/fulcio/pkg/identity" -) - -func mapValuesToString(claims map[string]interface{}) map[string]string { - newMap := make(map[string]string) - for k, v := range claims { - newMap[k] = fmt.Sprintf("%s", v) - } - return newMap -} - -func getTokenClaims(token *oidc.IDToken) (map[string]string, error) { - var tokenClaims map[string]interface{} - if err := token.Claims(&tokenClaims); err != nil { - return nil, err - } - return mapValuesToString(tokenClaims), nil -} - -// It makes string interpolation for a given string by using the -// templates syntax https://pkg.go.dev/text/template -func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]string, issuerMetadata map[string]string) (string, error) { - - // Here we merge the data from was claimed by the id token with the - // default data provided by the yaml file. - // The order here matter because we want to override the claimed data - // with the default data. - // The default data will have priority over the claimed data. 
- mergedData := make(map[string]string) - for k, v := range tokenClaims { - mergedData[k] = v - } - for k, v := range issuerMetadata { - mergedData[k] = v - } - - if strings.Contains(extValueTemplate, "{{") { - var doc bytes.Buffer - // This option forces to having the claim that is required - // for the template - t := template.New("").Option("missingkey=error") - // It shouldn't raise error since we already checked all - // templates in validateCIIssuerMetadata functions in config.go - p, err := t.Parse(extValueTemplate) - if err != nil { - return "", err - } - err = p.Execute(&doc, mergedData) - if err != nil { - return "", err - } - return doc.String(), nil - } - claimValue, ok := mergedData[extValueTemplate] - if !ok { - return "", fmt.Errorf("value <%s> not present in either claims or defaults", extValueTemplate) - } - return claimValue, nil -} - -type ciPrincipal struct { - Token *oidc.IDToken - ClaimsMetadata config.IssuerMetadata -} - -func WorkflowPrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (identity.Principal, error) { - cfg := config.FromContext(ctx) - issuerCfg, ok := cfg.GetIssuer(token.Issuer) - if !ok { - return nil, fmt.Errorf("configuration can not be loaded for issuer %v", token.Issuer) - } - return ciPrincipal{ - token, - cfg.CIIssuerMetadata[issuerCfg.CIProvider], - }, nil -} - -func (principal ciPrincipal) Name(_ context.Context) string { - return principal.Token.Subject -} - -func (principal ciPrincipal) Embed(_ context.Context, cert *x509.Certificate) error { - - claimsTemplates := principal.ClaimsMetadata.ExtensionTemplates - defaults := principal.ClaimsMetadata.DefaultTemplateValues - claims, err := getTokenClaims(principal.Token) - if err != nil { - return err - } - subjectAlternativeName, err := applyTemplateOrReplace(principal.ClaimsMetadata.SubjectAlternativeNameTemplate, claims, defaults) - if err != nil { - return err - } - sanURL, err := url.Parse(subjectAlternativeName) - if err != nil { - return err - } - uris 
:= []*url.URL{sanURL} - cert.URIs = uris - // We should use value.Elem() here as we need a - // addressable reference of the templates for applying the SetString(). - v := reflect.ValueOf(&claimsTemplates).Elem() - // Type of the reflect value is needed as it is necessary - // for getting the field name. - vType := v.Type() - for i := 0; i < v.NumField(); i++ { - s := v.Field(i).String() // value of each field, e.g the template string - // We check the field name to avoid to apply the template for the Issuer - // Issuer field should always come from the token issuer - if s == "" || vType.Field(i).Name == "Issuer" { - continue - } - extValue, err := applyTemplateOrReplace(s, claims, defaults) - if err != nil { - return err - } - v.Field(i).SetString(extValue) - } - - // Guarantees to set the extension issuer as the token issuer - // regardless of whether this field has been set before - claimsTemplates.Issuer = principal.Token.Issuer - // Embed additional information into custom extensions - cert.ExtraExtensions, err = claimsTemplates.Render() - if err != nil { - return err - } - return nil -} diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go deleted file mode 100644 index aa387f995..000000000 --- a/pkg/identity/ciprovider/principal_test.go +++ /dev/null 
@@ -1,422 +0,0 @@ -// Copyright 2024 The Sigstore Authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package ciprovider - -import ( - "bytes" - "context" - "crypto/x509" - "encoding/asn1" - "encoding/json" - "errors" - "fmt" - "reflect" - "testing" - "unsafe" - - "github.com/coreos/go-oidc/v3/oidc" - "github.com/sigstore/fulcio/pkg/certificate" - "github.com/sigstore/fulcio/pkg/config" -) - -func TestWorkflowPrincipalFromIDToken(t *testing.T) { - tests := map[string]struct { - ExpectedPrincipal ciPrincipal - }{ - `Github workflow challenge should have all Github workflow extensions and issuer set`: { - ExpectedPrincipal: ciPrincipal{ - ClaimsMetadata: config.IssuerMetadata{ - ExtensionTemplates: certificate.Extensions{ - Issuer: "issuer", - GithubWorkflowTrigger: "event_name", - GithubWorkflowSHA: "sha", - GithubWorkflowName: "workflow", - GithubWorkflowRepository: "repository", - GithubWorkflowRef: "ref", - BuildSignerURI: "{{ .url }}/{{ .job_workflow_ref }}", - BuildSignerDigest: "job_workflow_sha", - RunnerEnvironment: "runner_environment", - SourceRepositoryURI: "{{ .url }}/{{ .repository }}", - SourceRepositoryDigest: "sha", - SourceRepositoryRef: "ref", - SourceRepositoryIdentifier: "repository_id", - SourceRepositoryOwnerURI: "{{ .url }}/{{ .repository_owner }}", - SourceRepositoryOwnerIdentifier: "repository_owner_id", - BuildConfigURI: "{{ .url }}/{{ .workflow_ref }}", - BuildConfigDigest: "workflow_sha", - BuildTrigger: "event_name", - 
RunInvocationURI: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}", - SourceRepositoryVisibilityAtSigning: "repository_visibility", - }, - DefaultTemplateValues: map[string]string{ - "url": "https://github.com", - }, - SubjectAlternativeNameTemplate: "{{.url}}/{{.job_workflow_ref}}", - }, - }, - }, - } - - for name, test := range tests { - t.Run(name, func(t *testing.T) { - claims, err := json.Marshal(map[string]interface{}{ - "issuer": "https://token.actions.githubusercontent.com", - "event_name": "trigger", - "sha": "sha", - "workflow": "workflowname", - "repository": "repository", - "ref": "ref", - "job_workflow_sha": "jobWorkflowSha", - "job_workflow_ref": "jobWorkflowRef", - "runner_environment": "runnerEnv", - "repository_id": "repoID", - "repository_owner": "repoOwner", - "repository_owner_id": "repoOwnerID", - "workflow_ref": "workflowRef", - "workflow_sha": "workflowSHA", - "run_id": "runID", - "run_attempt": "runAttempt", - "repository_visibility": "public", - }) - if err != nil { - t.Fatal(err) - } - token := &oidc.IDToken{} - withClaims(token, claims) - - test.ExpectedPrincipal.Token = token - ctx := context.TODO() - OIDCIssuers := - map[string]config.OIDCIssuer{ - token.Issuer: { - IssuerURL: token.Issuer, - Type: config.IssuerTypeCIProvider, - CIProvider: "github-workflow", - ClientID: "sigstore", - }, - } - meta := make(map[string]config.IssuerMetadata) - meta["github-workflow"] = test.ExpectedPrincipal.ClaimsMetadata - cfg := &config.FulcioConfig{ - OIDCIssuers: OIDCIssuers, - CIIssuerMetadata: meta, - } - ctx = config.With(ctx, cfg) - principal, err := WorkflowPrincipalFromIDToken(ctx, token) - if err != nil { - t.Fatal(err) - } - if !reflect.DeepEqual(principal, test.ExpectedPrincipal) { - t.Error("Principals should be equals") - } - }) - } - -} - -// reflect hack because "claims" field is unexported by oidc IDToken -// https://github.com/coreos/go-oidc/pull/329 -func withClaims(token *oidc.IDToken, data 
[]byte) { - val := reflect.Indirect(reflect.ValueOf(token)) - member := val.FieldByName("claims") - pointer := unsafe.Pointer(member.UnsafeAddr()) - realPointer := (*[]byte)(pointer) - *realPointer = data -} - -func TestName(t *testing.T) { - tests := map[string]struct { - Claims map[string]interface{} - ExpectName string - }{ - `Valid token authenticates with correct claims`: { - Claims: map[string]interface{}{ - "aud": "sigstore", - "event_name": "push", - "exp": "0", - "iss": "https://token.actions.githubusercontent.com", - "job_workflow_ref": "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main", - "job_workflow_sha": "example-sha", - "ref": "refs/heads/main", - "repository": "sigstore/fulcio", - "repository_id": "12345", - "repository_owner": "username", - "repository_owner_id": "345", - "repository_visibility": "public", - "run_attempt": "1", - "run_id": "42", - "runner_environment": "cloud-hosted", - "sha": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "sub": "repo:sigstore/fulcio:ref:refs/heads/main", - "workflow": "foo", - "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main", - "workflow_sha": "example-sha-other", - }, - ExpectName: "repo:sigstore/fulcio:ref:refs/heads/main", - }, - } - - for name, test := range tests { - t.Run(name, func(t *testing.T) { - token := &oidc.IDToken{ - Issuer: test.Claims["iss"].(string), - Subject: test.Claims["sub"].(string), - } - claims, err := json.Marshal(test.Claims) - if err != nil { - t.Fatal(err) - } - withClaims(token, claims) - ctx := context.TODO() - OIDCIssuers := - map[string]config.OIDCIssuer{ - token.Issuer: { - IssuerURL: token.Issuer, - Type: config.IssuerTypeCIProvider, - CIProvider: "ci-provider", - ClientID: "sigstore", - }, - } - cfg := &config.FulcioConfig{ - OIDCIssuers: OIDCIssuers, - } - ctx = config.With(ctx, cfg) - principal, err := WorkflowPrincipalFromIDToken(ctx, token) - if err != nil { - t.Fatal(err) - } - - gotName := principal.Name(context.TODO()) - if gotName 
!= test.ExpectName { - t.Error("name should match sub claim") - } - }) - } -} - -func TestApplyTemplateOrReplace(t *testing.T) { - - tokenClaims := map[string]string{ - "aud": "sigstore", - "event_name": "push", - "exp": "0", - "iss": "https://token.actions.githubusercontent.com", - "job_workflow_ref": "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main", - "job_workflow_sha": "example-sha", - "ref": "refs/heads/main", - "repository": "sigstore/fulcio", - "repository_id": "12345", - "repository_owner": "username", - "repository_owner_id": "345", - "repository_visibility": "public", - "run_attempt": "1", - "run_id": "42", - "runner_environment": "cloud-hosted", - "sha": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "sub": "repo:sigstore/fulcio:ref:refs/heads/main", - "workflow": "foo", - "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main", - "workflow_sha": "example-sha-other", - } - issuerMetadata := map[string]string{ - "url": "https://github.com", - } - - tests := map[string]struct { - Template string - ExpectedResult string - ExpectErr bool - }{ - `Valid template`: { - Template: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}", - ExpectedResult: "https://github.com/sigstore/fulcio/actions/runs/42/attempts/1", - ExpectErr: false, - }, - `Empty template`: { - Template: "{{}}", - ExpectedResult: "", - ExpectErr: true, - }, - `Missing key for template`: { - Template: "{{ .foo }}", - ExpectedResult: "", - ExpectErr: true, - }, - `Empty string`: { - Template: "", - ExpectedResult: "", - ExpectErr: true, - }, - `Replaceable string`: { - Template: "job_workflow_ref", - ExpectedResult: "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main", - ExpectErr: false, - }, - `Missing string`: { - Template: "bar", - ExpectedResult: "", - ExpectErr: true, - }, - } - - for name, test := range tests { - t.Run(name, func(t *testing.T) { - res, err := applyTemplateOrReplace(test.Template, tokenClaims, 
issuerMetadata) - if res != test.ExpectedResult { - t.Errorf("expected result don't matches: Expected %s, received: %s", - test.ExpectedResult, res) - } - if (err != nil) != test.ExpectErr { - t.Errorf("should raise an error don't matches: Expected %v, received: %v", - test.ExpectErr, err != nil) - } - }) - } -} - -func TestEmbed(t *testing.T) { - tests := map[string]struct { - WantFacts map[string]func(x509.Certificate) error - Principal ciPrincipal - }{ - `Github workflow challenge should have all Github workflow extensions and issuer set`: { - WantFacts: map[string]func(x509.Certificate) error{ - `Certifificate should have correct issuer`: factDeprecatedExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}, "https://token.actions.githubusercontent.com"), - `Certificate has correct trigger extension`: factDeprecatedExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 2}, "trigger"), - `Certificate has correct SHA extension`: factDeprecatedExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 3}, "sha"), - `Certificate has correct workflow extension`: factDeprecatedExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4}, "workflowname"), - `Certificate has correct repository extension`: factDeprecatedExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}, "repository"), - `Certificate has correct ref extension`: factDeprecatedExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}, "ref"), - `Certificate has correct issuer (v2) extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}, "https://token.actions.githubusercontent.com"), - `Certificate has correct builder signer URI extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 9}, "https://github.com/jobWorkflowRef"), - `Certificate has correct builder signer digest extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 10}, "jobWorkflowSha"), - `Certificate has correct runner 
environment extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 11}, "runnerEnv"), - `Certificate has correct source repo URI extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 12}, "https://github.com/repository"), - `Certificate has correct source repo digest extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 13}, "sha"), - `Certificate has correct source repo ref extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 14}, "ref"), - `Certificate has correct source repo ID extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 15}, "repoID"), - `Certificate has correct source repo owner URI extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 16}, "https://github.com/repoOwner"), - `Certificate has correct source repo owner ID extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 17}, "repoOwnerID"), - `Certificate has correct build config URI extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 18}, "https://github.com/workflowRef"), - `Certificate has correct build config digest extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 19}, "workflowSHA"), - `Certificate has correct build trigger extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 20}, "trigger"), - `Certificate has correct run invocation ID extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 21}, "https://github.com/repository/actions/runs/runID/attempts/runAttempt"), - `Certificate has correct source repository visibility extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 22}, "public"), - }, - Principal: ciPrincipal{ - ClaimsMetadata: config.IssuerMetadata{ - ExtensionTemplates: certificate.Extensions{ - GithubWorkflowTrigger: "event_name", - GithubWorkflowSHA: "sha", - GithubWorkflowName: 
"workflow", - GithubWorkflowRepository: "repository", - GithubWorkflowRef: "ref", - BuildSignerURI: "{{ .url }}/{{ .job_workflow_ref }}", - BuildSignerDigest: "job_workflow_sha", - RunnerEnvironment: "runner_environment", - SourceRepositoryURI: "{{ .url }}/{{ .repository }}", - SourceRepositoryDigest: "sha", - SourceRepositoryRef: "ref", - SourceRepositoryIdentifier: "repository_id", - SourceRepositoryOwnerURI: "{{ .url }}/{{ .repository_owner }}", - SourceRepositoryOwnerIdentifier: "repository_owner_id", - BuildConfigURI: "{{ .url }}/{{ .workflow_ref }}", - BuildConfigDigest: "workflow_sha", - BuildTrigger: "event_name", - RunInvocationURI: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}", - SourceRepositoryVisibilityAtSigning: "repository_visibility", - }, - DefaultTemplateValues: map[string]string{ - "url": "https://github.com", - }, - SubjectAlternativeNameTemplate: "{{.url}}/{{.job_workflow_ref}}", - }, - }, - }, - } - - for name, test := range tests { - t.Run(name, func(t *testing.T) { - var cert x509.Certificate - claims, err := json.Marshal(map[string]interface{}{ - "event_name": "trigger", - "sha": "sha", - "workflow": "workflowname", - "repository": "repository", - "ref": "ref", - "job_workflow_sha": "jobWorkflowSha", - "job_workflow_ref": "jobWorkflowRef", - "runner_environment": "runnerEnv", - "repository_id": "repoID", - "repository_owner": "repoOwner", - "repository_owner_id": "repoOwnerID", - "workflow_ref": "workflowRef", - "workflow_sha": "workflowSHA", - "run_id": "runID", - "run_attempt": "runAttempt", - "repository_visibility": "public", - }) - if err != nil { - t.Fatal(err) - } - token := &oidc.IDToken{} - token.Issuer = "https://token.actions.githubusercontent.com" - withClaims(token, claims) - - test.Principal.Token = token - err = test.Principal.Embed(context.TODO(), &cert) - if err != nil { - t.Error(err) - } - for factName, fact := range test.WantFacts { - t.Run(factName, func(t *testing.T) { - if err 
:= fact(cert); err != nil { - t.Error(err) - } - }) - } - }) - } -} - -func factExtensionIs(oid asn1.ObjectIdentifier, value string) func(x509.Certificate) error { - return func(cert x509.Certificate) error { - for _, ext := range cert.ExtraExtensions { - if ext.Id.Equal(oid) { - var strVal string - _, _ = asn1.Unmarshal(ext.Value, &strVal) - if value != strVal { - return fmt.Errorf("expected oid %v to be %s, but got %s", oid, value, strVal) - } - return nil - } - } - return errors.New("extension not set") - } -} - -func factDeprecatedExtensionIs(oid asn1.ObjectIdentifier, value string) func(x509.Certificate) error { - return func(cert x509.Certificate) error { - for _, ext := range cert.ExtraExtensions { - if ext.Id.Equal(oid) { - if !bytes.Equal(ext.Value, []byte(value)) { - return fmt.Errorf("expected oid %v to be %s, but got %s", oid, value, ext.Value) - } - return nil - } - } - return errors.New("extension not set") - } -} diff --git a/pkg/server/grpc_server_test.go b/pkg/server/grpc_server_test.go index 56f05b71a..999083160 100644 --- a/pkg/server/grpc_server_test.go +++ b/pkg/server/grpc_server_test.go @@ -53,7 +53,6 @@ import ( "github.com/sigstore/fulcio/pkg/ca" "github.com/sigstore/fulcio/pkg/ca/ephemeralca" - "github.com/sigstore/fulcio/pkg/certificate" "github.com/sigstore/fulcio/pkg/config" "github.com/sigstore/fulcio/pkg/generated/protobuf" "github.com/sigstore/fulcio/pkg/identity" @@ -200,7 +199,6 @@ func TestGetConfiguration(t *testing.T) { _, gitLabIssuer := newOIDCIssuer(t) _, codefreshIssuer := newOIDCIssuer(t) _, chainguardIssuer := newOIDCIssuer(t) - _, ciProviderIssuer := newOIDCIssuer(t) issuerDomain, err := url.Parse(usernameIssuer) if err != nil { @@ -256,11 +254,6 @@ func TestGetConfiguration(t *testing.T) { "IssuerURL": %q, "ClientID": "sigstore", "Type": "chainguard-identity" - }, - %q: { - "IssuerURL": %q, - "ClientID": "sigstore", - "Type": "ci-provider" } }, "MetaIssuers": { 
@@ -278,7 +271,6 @@ func TestGetConfiguration(t *testing.T) { gitLabIssuer, gitLabIssuer, codefreshIssuer, codefreshIssuer, chainguardIssuer, chainguardIssuer, - ciProviderIssuer, ciProviderIssuer, k8sIssuer))) if err != nil { t.Fatalf("config.Read() = %v", err) @@ -299,7 +291,7 @@ func TestGetConfiguration(t *testing.T) { t.Fatal("GetConfiguration failed", err) } - if got, want := len(config.Issuers), 11; got != want { + if got, want := len(config.Issuers), 10; got != want { t.Fatalf("expected %d issuers, got %d", want, got) } @@ -307,7 +299,7 @@ func TestGetConfiguration(t *testing.T) { emailIssuer: true, spiffeIssuer: true, uriIssuer: true, usernameIssuer: true, k8sIssuer: true, gitHubIssuer: true, buildkiteIssuer: true, gitLabIssuer: true, codefreshIssuer: true, - chainguardIssuer: true, ciProviderIssuer: true, + chainguardIssuer: true, } for _, iss := range config.Issuers { var issURL string 
@@ -1131,178 +1123,6 @@ func TestAPIWithGitHub(t *testing.T) { } } -// Tests API for CiProvider subject types -func TestAPIWithCiProvider(t *testing.T) { - ciProviderSigner, ciProviderIssuer := newOIDCIssuer(t) - // Create a FulcioConfig that supports these issuers. - cfg, err := config.Read([]byte(fmt.Sprintf(`{ - "OIDCIssuers": { - %q: { - "IssuerURL": %q, - "ClientID": "sigstore", - "Type": "ci-provider", - "CIProvider": "github-workflow" - } - } - }`, ciProviderIssuer, ciProviderIssuer))) - if err != nil { - t.Fatalf("config.Read() = %v", err) - } - claims := githubClaims{ - JobWorkflowRef: "job/workflow/ref", - Sha: "sha", - EventName: "trigger", - Repository: "sigstore/fulcio", - Workflow: "workflow", - Ref: "refs/heads/main", - JobWorkflowSha: "example-sha", - RunnerEnvironment: "cloud-hosted", - RepositoryID: "12345", - RepositoryOwner: "username", - RepositoryOwnerID: "345", - RepositoryVisibility: "public", - WorkflowRef: "sigstore/other/.github/workflows/foo.yaml@refs/heads/main", - WorkflowSha: "example-sha-other", - RunID: "42", - RunAttempt: "1", - } - githubSubject := fmt.Sprintf("repo:%s:ref:%s", claims.Repository, claims.Ref) - // Create an OIDC token using this issuer's signer. 
- tok, err := jwt.Signed(ciProviderSigner).Claims(jwt.Claims{ - Issuer: ciProviderIssuer, - IssuedAt: jwt.NewNumericDate(time.Now()), - Expiry: jwt.NewNumericDate(time.Now().Add(30 * time.Minute)), - Subject: githubSubject, - Audience: jwt.Audience{"sigstore"}, - }).Claims(&claims).Serialize() - if err != nil { - t.Fatalf("Serialize() = %v", err) - } - - ctClient, eca := createCA(cfg, t) - ctx := context.Background() - cfg.CIIssuerMetadata = make(map[string]config.IssuerMetadata) - cfg.CIIssuerMetadata["github-workflow"] = config.IssuerMetadata{ - ExtensionTemplates: certificate.Extensions{ - Issuer: "issuer", - GithubWorkflowTrigger: "event_name", - GithubWorkflowSHA: "sha", - GithubWorkflowName: "workflow", - GithubWorkflowRepository: "repository", - GithubWorkflowRef: "ref", - BuildSignerURI: "{{ .url }}/{{ .job_workflow_ref }}", - BuildSignerDigest: "job_workflow_sha", - RunnerEnvironment: "runner_environment", - SourceRepositoryURI: "{{ .url }}/{{ .repository }}", - SourceRepositoryDigest: "sha", - SourceRepositoryRef: "ref", - SourceRepositoryIdentifier: "repository_id", - SourceRepositoryOwnerURI: "{{ .url }}/{{ .repository_owner }}", - SourceRepositoryOwnerIdentifier: "repository_owner_id", - BuildConfigURI: "{{ .url }}/{{ .workflow_ref }}", - BuildConfigDigest: "workflow_sha", - BuildTrigger: "event_name", - RunInvocationURI: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}", - SourceRepositoryVisibilityAtSigning: "repository_visibility", - }, - DefaultTemplateValues: map[string]string{ - "url": "https://github.com", - }, - SubjectAlternativeNameTemplate: "{{.url}}/{{.job_workflow_ref}}", - } - - server, conn := setupGRPCForTest(t, cfg, ctClient, eca) - defer func() { - server.Stop() - conn.Close() - }() - client := protobuf.NewCAClient(conn) - pubBytes, proof := generateKeyAndProof(githubSubject, t) - // Hit the API to have it sign our certificate. 
- resp, err := client.CreateSigningCertificate(ctx, &protobuf.CreateSigningCertificateRequest{ - Credentials: &protobuf.Credentials{ - Credentials: &protobuf.Credentials_OidcIdentityToken{ - OidcIdentityToken: tok, - }, - }, - Key: &protobuf.CreateSigningCertificateRequest_PublicKeyRequest{ - PublicKeyRequest: &protobuf.PublicKeyRequest{ - PublicKey: &protobuf.PublicKey{ - Content: pubBytes, - }, - ProofOfPossession: proof, - }, - }, - }) - if err != nil { - t.Fatalf("SigningCert() = %v", err) - } - leafCert := verifyResponse(resp, eca, ciProviderIssuer, t) - // Expect URI values - if len(leafCert.URIs) != 1 { - t.Fatalf("unexpected length of leaf certificate URIs, expected 1, got %d", len(leafCert.URIs)) - } - githubURL := fmt.Sprintf("https://github.com/%s", claims.JobWorkflowRef) - githubURI, err := url.Parse(githubURL) - if err != nil { - t.Fatalf("failed to parse expected url") - } - if *leafCert.URIs[0] != *githubURI { - t.Fatalf("URIs do not match: Expected %v, got %v", githubURI, leafCert.URIs[0]) - } - // Verify custom OID values - deprecatedExpectedExts := map[int]string{ - 2: claims.EventName, - 3: claims.Sha, - 4: claims.Workflow, - 5: claims.Repository, - 6: claims.Ref, - } - for o, value := range deprecatedExpectedExts { - ext, found := findCustomExtension(leafCert, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, o}) - if !found { - t.Fatalf("expected extension in custom OID 1.3.6.1.4.1.57264.1.%d", o) - } - if string(ext.Value) != value { - t.Fatalf("unexpected extension value, expected %s, got %s", value, ext.Value) - } - } - url := "https://github.com/" - expectedExts := map[int]string{ - 9: url + claims.JobWorkflowRef, - 10: claims.JobWorkflowSha, - 11: claims.RunnerEnvironment, - 12: url + claims.Repository, - 13: claims.Sha, - 14: claims.Ref, - 15: claims.RepositoryID, - 16: url + claims.RepositoryOwner, - 17: claims.RepositoryOwnerID, - 18: url + claims.WorkflowRef, - 19: claims.WorkflowSha, - 20: claims.EventName, - 21: url + 
claims.Repository + "/actions/runs/" + claims.RunID + "/attempts/" + claims.RunAttempt, - 22: claims.RepositoryVisibility, - } - for o, value := range expectedExts { - ext, found := findCustomExtension(leafCert, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, o}) - if !found { - t.Fatalf("expected extension in custom OID 1.3.6.1.4.1.57264.1.%d", o) - } - var extValue string - rest, err := asn1.Unmarshal(ext.Value, &extValue) - if err != nil { - t.Fatalf("error unmarshalling extension: :%v", err) - } - if len(rest) != 0 { - t.Fatal("error unmarshalling extension, rest is not 0") - } - if string(extValue) != value { - t.Fatalf("unexpected extension value, expected %s, got %s", value, extValue) - } - } -} - // gitlabClaims holds the additional JWT claims for GitLab OIDC tokens type gitlabClaims struct { ProjectPath string `json:"project_path"` diff --git a/pkg/server/issuer_pool.go b/pkg/server/issuer_pool.go index 61e05fa34..18349f262 100644 --- a/pkg/server/issuer_pool.go +++ b/pkg/server/issuer_pool.go @@ -19,7 +19,6 @@ import ( "github.com/sigstore/fulcio/pkg/identity" "github.com/sigstore/fulcio/pkg/identity/buildkite" "github.com/sigstore/fulcio/pkg/identity/chainguard" - "github.com/sigstore/fulcio/pkg/identity/ciprovider" "github.com/sigstore/fulcio/pkg/identity/codefresh" "github.com/sigstore/fulcio/pkg/identity/email" "github.com/sigstore/fulcio/pkg/identity/github" @@ -58,8 +57,6 @@ func getIssuer(meta string, i config.OIDCIssuer) identity.Issuer { return email.Issuer(issuerURL) case config.IssuerTypeGithubWorkflow: return github.Issuer(issuerURL) - case config.IssuerTypeCIProvider: - return ciprovider.Issuer(issuerURL) case config.IssuerTypeGitLabPipeline: return gitlabcom.Issuer(issuerURL) case config.IssuerTypeBuildkiteJob: From 71c2ea70f9d9581fb614f94a3244d2b2fc90c288 Mon Sep 17 00:00:00 2001 From: Hayden B Date: Wed, 10 Jul 2024 23:31:11 -0700 Subject: [PATCH 03/20] Changelog for v1.5.1 (#1728) 
Signed-off-by: Hayden Blauzvern --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ff1fce503..e76d6dc04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +# v1.5.1 + +## Bug Fixes + +* Surface the right `Name()` from our principal. (#1726) + +## Contributors + +* Matt Moore + # v1.5.0 ## Features From 1a404b1fe7deb4e322326e18ea3a8c4a4574e5ef Mon Sep 17 00:00:00 2001 From: Hayden B Date: Thu, 11 Jul 2024 08:59:51 -0700 Subject: [PATCH 04/20] CiProvider as a new OIDCIssuer type (#1729) This adds a new generic CI provider so that new CI providers can be added via configuration without any code changes. The existing CI providers will be migrated over. Ref: #1111 Add back #1679 Signed-off-by: Javan lacerda javanlacerda@google.com --- pkg/certificate/extensions.go | 38 +- pkg/challenges/challenges.go | 3 + pkg/config/config.go | 58 ++- pkg/config/config_network_test.go | 56 +++ pkg/config/config_test.go | 3 + pkg/identity/ciprovider/issuer.go | 39 ++ pkg/identity/ciprovider/issuer_test.go | 100 +++++ pkg/identity/ciprovider/principal.go | 157 ++++++++ pkg/identity/ciprovider/principal_test.go | 422 ++++++++++++++++++++++ pkg/server/grpc_server_test.go | 184 +++++++++- pkg/server/issuer_pool.go | 3 + 11 files changed, 1041 insertions(+), 22 deletions(-) create mode 100644 pkg/identity/ciprovider/issuer.go create mode 100644 pkg/identity/ciprovider/issuer_test.go create mode 100644 pkg/identity/ciprovider/principal.go create mode 100644 pkg/identity/ciprovider/principal_test.go diff --git a/pkg/certificate/extensions.go b/pkg/certificate/extensions.go index 38f80d5ae..584aac971 100644 --- a/pkg/certificate/extensions.go +++ b/pkg/certificate/extensions.go 
@@ -69,69 +69,69 @@ type Extensions struct { // Deprecated // Triggering event of the Github Workflow. Matches the `event_name` claim of ID // tokens from Github Actions - GithubWorkflowTrigger string // OID 1.3.6.1.4.1.57264.1.2 + GithubWorkflowTrigger string `json:"GithubWorkflowTrigger,omitempty" yaml:"github-workflow-trigger,omitempty"` // OID 1.3.6.1.4.1.57264.1.2 // Deprecated // SHA of git commit being built in Github Actions. Matches the `sha` claim of ID // tokens from Github Actions - GithubWorkflowSHA string // OID 1.3.6.1.4.1.57264.1.3 + GithubWorkflowSHA string `json:"GithubWorkflowSHA,omitempty" yaml:"github-workflow-sha,omitempty"` // OID 1.3.6.1.4.1.57264.1.3 // Deprecated // Name of Github Actions Workflow. Matches the `workflow` claim of the ID // tokens from Github Actions - GithubWorkflowName string // OID 1.3.6.1.4.1.57264.1.4 + GithubWorkflowName string `json:"GithubWorkflowName,omitempty" yaml:"github-workflow-name,omitempty"` // OID 1.3.6.1.4.1.57264.1.4 // Deprecated // Repository of the Github Actions Workflow. Matches the `repository` claim of the ID // tokens from Github Actions - GithubWorkflowRepository string // OID 1.3.6.1.4.1.57264.1.5 + GithubWorkflowRepository string `json:"GithubWorkflowRepository,omitempty" yaml:"github-workflow-repository,omitempty"` // OID 1.3.6.1.4.1.57264.1.5 // Deprecated // Git Ref of the Github Actions Workflow. Matches the `ref` claim of the ID tokens // from Github Actions - GithubWorkflowRef string // 1.3.6.1.4.1.57264.1.6 + GithubWorkflowRef string `json:"GithubWorkflowRef,omitempty" yaml:"github-workflow-ref,omitempty"` // 1.3.6.1.4.1.57264.1.6 // Reference to specific build instructions that are responsible for signing. - BuildSignerURI string // 1.3.6.1.4.1.57264.1.9 + BuildSignerURI string `json:"BuildSignerURI,omitempty" yaml:"build-signer-uri,omitempty"` // 1.3.6.1.4.1.57264.1.9 // Immutable reference to the specific version of the build instructions that is responsible for signing. 
- BuildSignerDigest string // 1.3.6.1.4.1.57264.1.10 + BuildSignerDigest string `json:"BuildSignerDigest,omitempty" yaml:"build-signer-digest,omitempty"` // 1.3.6.1.4.1.57264.1.10 // Specifies whether the build took place in platform-hosted cloud infrastructure or customer/self-hosted infrastructure. - RunnerEnvironment string // 1.3.6.1.4.1.57264.1.11 + RunnerEnvironment string `json:"RunnerEnvironment,omitempty" yaml:"runner-environment,omitempty"` // 1.3.6.1.4.1.57264.1.11 // Source repository URL that the build was based on. - SourceRepositoryURI string // 1.3.6.1.4.1.57264.1.12 + SourceRepositoryURI string `json:"SourceRepositoryURI,omitempty" yaml:"source-repository-uri,omitempty"` // 1.3.6.1.4.1.57264.1.12 // Immutable reference to a specific version of the source code that the build was based upon. - SourceRepositoryDigest string // 1.3.6.1.4.1.57264.1.13 + SourceRepositoryDigest string `json:"SourceRepositoryDigest,omitempty" yaml:"source-repository-digest,omitempty"` // 1.3.6.1.4.1.57264.1.13 // Source Repository Ref that the build run was based upon. - SourceRepositoryRef string // 1.3.6.1.4.1.57264.1.14 + SourceRepositoryRef string `json:"SourceRepositoryRef,omitempty" yaml:"source-repository-ref,omitempty"` // 1.3.6.1.4.1.57264.1.14 // Immutable identifier for the source repository the workflow was based upon. - SourceRepositoryIdentifier string // 1.3.6.1.4.1.57264.1.15 + SourceRepositoryIdentifier string `json:"SourceRepositoryIdentifier,omitempty" yaml:"source-repository-identifier,omitempty"` // 1.3.6.1.4.1.57264.1.15 // Source repository owner URL of the owner of the source repository that the build was based on. - SourceRepositoryOwnerURI string // 1.3.6.1.4.1.57264.1.16 + SourceRepositoryOwnerURI string `json:"SourceRepositoryOwnerURI,omitempty" yaml:"source-repository-owner-uri,omitempty"` // 1.3.6.1.4.1.57264.1.16 // Immutable identifier for the owner of the source repository that the workflow was based upon. 
- SourceRepositoryOwnerIdentifier string // 1.3.6.1.4.1.57264.1.17 + SourceRepositoryOwnerIdentifier string `json:"SourceRepositoryOwnerIdentifier,omitempty" yaml:"source-repository-owner-identifier,omitempty"` // 1.3.6.1.4.1.57264.1.17 // Build Config URL to the top-level/initiating build instructions. - BuildConfigURI string // 1.3.6.1.4.1.57264.1.18 + BuildConfigURI string `json:"BuildConfigURI,omitempty" yaml:"build-config-uri,omitempty"` // 1.3.6.1.4.1.57264.1.18 // Immutable reference to the specific version of the top-level/initiating build instructions. - BuildConfigDigest string // 1.3.6.1.4.1.57264.1.19 + BuildConfigDigest string `json:"BuildConfigDigest,omitempty" yaml:"build-config-digest,omitempty"` // 1.3.6.1.4.1.57264.1.19 // Event or action that initiated the build. - BuildTrigger string // 1.3.6.1.4.1.57264.1.20 + BuildTrigger string `json:"BuildTrigger,omitempty" yaml:"build-trigger,omitempty"` // 1.3.6.1.4.1.57264.1.20 // Run Invocation URL to uniquely identify the build execution. - RunInvocationURI string // 1.3.6.1.4.1.57264.1.21 + RunInvocationURI string `json:"RunInvocationURI,omitempty" yaml:"run-invocation-uri,omitempty"` // 1.3.6.1.4.1.57264.1.21 // Source repository visibility at the time of signing the certificate. - SourceRepositoryVisibilityAtSigning string // 1.3.6.1.4.1.57264.1.22 + SourceRepositoryVisibilityAtSigning string `json:"SourceRepositoryVisibilityAtSigning,omitempty" yaml:"source-repository-visibility-at-signing,omitempty"` // 1.3.6.1.4.1.57264.1.22 } func (e Extensions) Render() ([]pkix.Extension, error) { diff --git a/pkg/challenges/challenges.go b/pkg/challenges/challenges.go index dda3298ff..143fdaab9 100644 --- a/pkg/challenges/challenges.go +++ b/pkg/challenges/challenges.go 
@@ -27,6 +27,7 @@ import (
 "github.com/sigstore/fulcio/pkg/config"
 "github.com/sigstore/fulcio/pkg/identity"
 "github.com/sigstore/fulcio/pkg/identity/buildkite"
+ "github.com/sigstore/fulcio/pkg/identity/ciprovider"
 "github.com/sigstore/fulcio/pkg/identity/email"
 "github.com/sigstore/fulcio/pkg/identity/github"
 "github.com/sigstore/fulcio/pkg/identity/gitlabcom"
@@ -75,6 +76,8 @@ func PrincipalFromIDToken(ctx context.Context, tok *oidc.IDToken) (identity.Prin
 principal, err = uri.PrincipalFromIDToken(ctx, tok)
 case config.IssuerTypeUsername:
 principal, err = username.PrincipalFromIDToken(ctx, tok)
+ case config.IssuerTypeCIProvider:
+ principal, err = ciprovider.WorkflowPrincipalFromIDToken(ctx, tok)
 default:
 return nil, fmt.Errorf("unsupported issuer: %s", iss.Type)
 }
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 6a6aca77e..6b5f01f9a 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -21,6 +21,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "html/template"
 "net/http"
 "net/url"
 "os"
@@ -31,6 +32,7 @@ import (
 "github.com/coreos/go-oidc/v3/oidc"
 lru "github.com/hashicorp/golang-lru"
+ "github.com/sigstore/fulcio/pkg/certificate"
 fulciogrpc "github.com/sigstore/fulcio/pkg/generated/protobuf"
 "github.com/sigstore/fulcio/pkg/log"
 "github.com/spiffe/go-spiffe/v2/spiffeid"
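Review bot: The `html/template` import added to config.go is the wrong package for these templates: the strings in `IssuerMetadata` become certificate extension values and a SAN URI, not HTML, and the `IssuerMetadata` doc comment in this same patch points operators at `text/template` syntax. Because only `Parse` is called here the validation result is the same today, but if the principal executes with `text/template` (the now-deleted `ciprovider/principal.go` hunk earlier in this series used `template.New("").Option("missingkey=error")`; its import is not visible) the validator and the executor should import the same package so the accepted syntax cannot drift; `"text/template"` is the one-token change. In the challenges.go hunk, `ciprovider.WorkflowPrincipalFromIDToken` breaks the `<pkg>.PrincipalFromIDToken` naming that every other case in this switch uses; renaming it would keep the dispatch table uniform.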
@@ -60,12 +62,33 @@ type FulcioConfig struct { // * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster MetaIssuers map[string]OIDCIssuer `json:"MetaIssuers,omitempty" yaml:"meta-issuers,omitempty"` + // It defines metadata to be used for the CIProvider identity provider principal. + // The CI provider has a generic logic for ci providers, this metadata is used + // to define the right behavior for each ci provider that is defined + // on the configuration file + CIIssuerMetadata map[string]IssuerMetadata `json:"CIIssuerMetadata,omitempty" yaml:"ci-issuer-metadata,omitempty"` + // verifiers is a fixed mapping from our OIDCIssuers to their OIDC verifiers. verifiers map[string][]*verifierWithConfig // lru is an LRU cache of recently used verifiers for our meta issuers. lru *lru.TwoQueueCache } +type IssuerMetadata struct { + // Defaults contains key-value pairs that can be used for filling the templates from ExtensionTemplates + // If a key cannot be found on the token claims, the template will use the defaults + DefaultTemplateValues map[string]string `json:"DefaultTemplateValues,omitempty" yaml:"default-template-values,omitempty"` + // ExtensionTemplates contains a mapping between certificate extension and token claim + // Provide either strings following https://pkg.go.dev/text/template syntax, + // e.g "{{ .url }}/{{ .repository }}" + // or non-templated strings with token claim keys to be replaced, + // e.g "job_workflow_sha" + ExtensionTemplates certificate.Extensions `json:"ExtensionTemplates,omitempty" yaml:"extension-templates,omitempty"` + // Template for the Subject Alternative Name extension + // It's typically the same value as Build Signer URI + SubjectAlternativeNameTemplate string `json:"SubjectAlternativeNameTemplate,omitempty" yaml:"subject-alternative-name-template,omitempty"` +} + type OIDCIssuer struct { // The expected issuer of an OIDC token IssuerURL string `json:"IssuerURL,omitempty" 
yaml:"issuer-url,omitempty"` @@ -74,6 +97,8 @@ type OIDCIssuer struct { // Used to determine the subject of the certificate and if additional // certificate values are needed Type IssuerType `json:"Type" yaml:"type,omitempty"` + // CIProvider is an optional configuration to map token claims to extensions for CI workflows + CIProvider string `json:"CIProvider,omitempty" yaml:"ci-provider,omitempty"` // Optional, if the issuer is in a different claim in the OIDC token IssuerClaim string `json:"IssuerClaim,omitempty" yaml:"issuer-claim,omitempty"` // The domain that must be present in the subject for 'uri' issuer types @@ -284,6 +309,7 @@ const ( IssuerTypeSpiffe = "spiffe" IssuerTypeURI = "uri" IssuerTypeUsername = "username" + IssuerTypeCIProvider = "ci-provider" ) func parseConfig(b []byte) (cfg *FulcioConfig, err error) { @@ -391,7 +417,7 @@ func validateConfig(conf *FulcioConfig) error { } } - return nil + return validateCIIssuerMetadata(conf) } var DefaultConfig = &FulcioConfig{ @@ -432,6 +458,34 @@ func FromContext(ctx context.Context) *FulcioConfig { return untyped.(*FulcioConfig) } +// It checks that the templates defined are parseable +// We should check it during the service bootstrap to avoid errors further +func validateCIIssuerMetadata(fulcioConfig *FulcioConfig) error { + + checkParse := func(temp string) error { + t := template.New("").Option("missingkey=error") + _, err := t.Parse(temp) + return err + } + + for _, ciIssuerMetadata := range fulcioConfig.CIIssuerMetadata { + v := reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates) + for i := 0; i < v.NumField(); i++ { + s := v.Field(i).String() + err := checkParse(s) + if err != nil { + return err + } + } + + err := checkParse(ciIssuerMetadata.SubjectAlternativeNameTemplate) + if err != nil { + return err + } + } + return nil +} + // Load a config from disk, or use defaults func Load(configPath string) (*FulcioConfig, error) { if _, err := os.Stat(configPath); os.IsNotExist(err) { 
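Review bot: The comment on `DefaultTemplateValues` says the defaults are used only when a key cannot be found in the token claims, but applyTemplateOrReplace in pkg/identity/ciprovider/principal.go merges the defaults after the claims, so an operator-configured default always wins over a same-named claim. Having operator-pinned values override token-supplied ones is the safer direction for certificate contents (a token cannot redirect `url` to a different host), so the documentation should follow the code: `// If a key is present both in the token claims and here, the value here takes precedence over the claim.` It would also help to state that keys are matched verbatim against claim names.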
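Review bot: validateCIIssuerMetadata only checks that templates parse; it does not verify that every OIDCIssuer of type ci-provider names a `CIProvider` key that exists in `CIIssuerMetadata`, so a typo in the issuer's `CIProvider` yields a zero IssuerMetadata and only fails at signing time (WorkflowPrincipalFromIDToken indexes `cfg.CIIssuerMetadata[issuerCfg.CIProvider]` without the ok form). Adding the cross-check here surfaces the misconfiguration at bootstrap; MetaIssuers of that type would need the same check. The parse check also uses html/template while the IssuerMetadata comment and the consumer refer to text/template semantics; use the same package in both places so what validation accepts is exactly what Embed executes.
```go
func validateCIIssuerMetadata(fulcioConfig *FulcioConfig) error {
	// … unchanged: checkParse helper and the template loop …

	for name, iss := range fulcioConfig.OIDCIssuers {
		if iss.Type != IssuerTypeCIProvider {
			continue
		}
		if _, ok := fulcioConfig.CIIssuerMetadata[iss.CIProvider]; !ok {
			return fmt.Errorf("issuer %q references unknown CIProvider %q", name, iss.CIProvider)
		}
	}
	return nil
}
```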
@@ -516,6 +570,8 @@ func issuerToChallengeClaim(issType IssuerType, challengeClaim string) string {
 return "email"
 case IssuerTypeGithubWorkflow:
 return "sub"
+ case IssuerTypeCIProvider:
+ return "sub"
 case IssuerTypeCodefreshWorkflow:
 return "sub"
 case IssuerTypeChainguard:
diff --git a/pkg/config/config_network_test.go b/pkg/config/config_network_test.go
index 52808181a..4e00720bf
--- a/pkg/config/config_network_test.go
+++ b/pkg/config/config_network_test.go
@@ -25,6 +25,7 @@ import (
 "github.com/google/go-cmp/cmp"
 "github.com/google/go-cmp/cmp/cmpopts"
+ "github.com/sigstore/fulcio/pkg/certificate"
 )
 func TestLoad(t *testing.T) {
@@ -68,6 +69,61 @@ func TestLoad(t *testing.T) {
 }
 }
+func TestParseTemplate(t *testing.T) {
+
+ validTemplate := "{{.foobar}}"
+ invalidTemplate := "{{.foobar}"
+ ciissuerMetadata := make(map[string]IssuerMetadata)
+ ciissuerMetadata["github"] = IssuerMetadata{
+ ExtensionTemplates: certificate.Extensions{
+ BuildTrigger: invalidTemplate,
+ },
+ }
+ fulcioConfig := &FulcioConfig{
+ CIIssuerMetadata: ciissuerMetadata,
+ }
+ // BuildTrigger as a invalid template should raise an error
+ err := validateCIIssuerMetadata(fulcioConfig)
+ if err == nil {
+ t.Error("invalid template should raise an error")
+ }
+ ciissuerMetadata["github"] = IssuerMetadata{
+ ExtensionTemplates: certificate.Extensions{
+ BuildTrigger: validTemplate,
+ },
+ }
+ fulcioConfig = &FulcioConfig{
+ CIIssuerMetadata: ciissuerMetadata,
+ }
+ // BuildTrigger as a valid template shouldn't raise an error
+ err = validateCIIssuerMetadata(fulcioConfig)
+ if err != nil {
+ t.Error("valid template shouldn't raise an error, error: %w", err)
+ }
+ ciissuerMetadata["github"] = IssuerMetadata{
+ SubjectAlternativeNameTemplate: invalidTemplate,
+ }
+ fulcioConfig = &FulcioConfig{
+ CIIssuerMetadata: ciissuerMetadata,
+ }
+ // A SAN as a invalid template should raise an error
+ err = validateCIIssuerMetadata(fulcioConfig)
+ if err == nil {
+ t.Error("invalid SAN should raise an error")
+ }
+ ciissuerMetadata["github"] = IssuerMetadata{
+ SubjectAlternativeNameTemplate: invalidTemplate,
+ }
+ fulcioConfig = &FulcioConfig{
+ CIIssuerMetadata: ciissuerMetadata,
+ }
+ // A SAN as a valid template should raise an error
+ err = validateCIIssuerMetadata(fulcioConfig)
+ if err == nil {
+ t.Error("valid SAN shouldn't raise an error")
+ }
+}
+
 func TestLoadDefaults(t *testing.T) {
 td := t.TempDir()
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 4c0967660..390bd6f6b
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
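Review bot: The last case in TestParseTemplate assigns `invalidTemplate` to SubjectAlternativeNameTemplate and asserts `err == nil`, while its comment says it covers a valid SAN template, so the valid-SAN path is never exercised and the assertion is inverted; it should read `SubjectAlternativeNameTemplate: validTemplate,` with `if err != nil { t.Errorf("valid SAN shouldn't raise an error: %v", err) }`. Separately, `t.Error("valid template shouldn't raise an error, error: %w", err)` is not a formatting call and `%w` is only meaningful in fmt.Errorf; use `t.Errorf` with `%v`. Because validateCIIssuerMetadata iterates a map, a second metadata key carrying a broken template would also confirm the loop rejects every entry, not just the first.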
@@ -492,6 +492,9 @@ func Test_issuerToChallengeClaim(t *testing.T) {
 if claim := issuerToChallengeClaim(IssuerTypeGithubWorkflow, ""); claim != "sub" {
 t.Fatalf("expected sub subject claim for GitHub issuer, got %s", claim)
 }
+ if claim := issuerToChallengeClaim(IssuerTypeCIProvider, ""); claim != "sub" {
+ t.Fatalf("expected sub subject claim for CI issuer, got %s", claim)
+ }
 if claim := issuerToChallengeClaim(IssuerTypeGitLabPipeline, ""); claim != "sub" {
 t.Fatalf("expected sub subject claim for GitLab issuer, got %s", claim)
 }
diff --git a/pkg/identity/ciprovider/issuer.go b/pkg/identity/ciprovider/issuer.go
new file mode 100644
index 000000000..ce82d3558
--- /dev/null
+++ b/pkg/identity/ciprovider/issuer.go
@@ -0,0 +1,39 @@
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ciprovider
+
+import (
+ "context"
+
+ "github.com/sigstore/fulcio/pkg/config"
+ "github.com/sigstore/fulcio/pkg/identity"
+ "github.com/sigstore/fulcio/pkg/identity/base"
+)
+
+type ciProviderIssuer struct {
+ identity.Issuer
+}
+
+func Issuer(issuerURL string) identity.Issuer {
+ return &ciProviderIssuer{base.Issuer(issuerURL)}
+}
+
+func (e *ciProviderIssuer) Authenticate(ctx context.Context, token string, opts ...config.InsecureOIDCConfigOption) (identity.Principal, error) {
+ idtoken, err := identity.Authorize(ctx, token, opts...)
+ if err != nil {
+ return nil, err
+ }
+ return WorkflowPrincipalFromIDToken(ctx, idtoken)
+}
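Review bot: `Issuer` is exported but has no doc comment; something like `// Issuer returns an identity.Issuer that verifies tokens from issuerURL and maps their claims through the CIProvider metadata configured for that issuer.` would make the package's entry point self-describing. The receiver name `e` on Authenticate bears no relation to ciProviderIssuer; `c` or `i` reads better, assuming the sibling providers under pkg/identity use the same one-letter convention.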
diff --git a/pkg/identity/ciprovider/issuer_test.go b/pkg/identity/ciprovider/issuer_test.go
new file mode 100644
index 000000000..1d8e605e3
--- /dev/null
+++ b/pkg/identity/ciprovider/issuer_test.go
@@ -0,0 +1,100 @@ +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ciprovider + +import ( + "context" + "encoding/json" + "testing" + + "github.com/coreos/go-oidc/v3/oidc" + "github.com/sigstore/fulcio/pkg/config" + "github.com/sigstore/fulcio/pkg/identity" +) + +func TestIssuer(t *testing.T) { + ctx := context.Background() + url := "test-issuer-url" + issuer := Issuer(url) + + // test the Match function + t.Run("match", func(t *testing.T) { + if matches := issuer.Match(ctx, url); !matches { + t.Fatal("expected url to match but it doesn't") + } + if matches := issuer.Match(ctx, "some-other-url"); matches { + t.Fatal("expected match to fail but it didn't") + } + }) + + t.Run("authenticate", func(t *testing.T) { + token := &oidc.IDToken{ + Issuer: "https://iss.example.com", + Subject: "repo:sigstore/fulcio:ref:refs/heads/main", + } + claims, err := json.Marshal(map[string]interface{}{ + "aud": "sigstore", + "event_name": "push", + "exp": 0, + "iss": "https://token.actions.githubusercontent.com", + "job_workflow_ref": "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main", + "job_workflow_sha": "example-sha", + "ref": "refs/heads/main", + "repository": "sigstore/fulcio", + "repository_id": "12345", + "repository_owner": "username", + "repository_owner_id": "345", + "repository_visibility": "public", + "run_attempt": "1", + "run_id": "42", + "runner_environment": "cloud-hosted", + "sha": 
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "sub": "repo:sigstore/fulcio:ref:refs/heads/main", + "workflow": "foo", + "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main", + "workflow_sha": "example-sha-other", + }) + if err != nil { + t.Fatal(err) + } + + withClaims(token, claims) + ctx := context.TODO() + OIDCIssuers := + map[string]config.OIDCIssuer{ + token.Issuer: { + IssuerURL: token.Issuer, + Type: config.IssuerTypeCIProvider, + CIProvider: "github-workflow", + ClientID: "sigstore", + }, + } + cfg := &config.FulcioConfig{ + OIDCIssuers: OIDCIssuers, + } + ctx = config.With(ctx, cfg) + identity.Authorize = func(_ context.Context, _ string, _ ...config.InsecureOIDCConfigOption) (*oidc.IDToken, error) { + return token, nil + } + principal, err := issuer.Authenticate(ctx, "token") + if err != nil { + t.Fatal(err) + } + + if principal.Name(ctx) != "repo:sigstore/fulcio:ref:refs/heads/main" { + t.Fatalf("got unexpected name %s", principal.Name(ctx)) + } + }) +} diff --git a/pkg/identity/ciprovider/principal.go b/pkg/identity/ciprovider/principal.go new file mode 100644 index 000000000..fb94df3bd --- /dev/null +++ b/pkg/identity/ciprovider/principal.go 
@@ -0,0 +1,157 @@ +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ciprovider + +import ( + "bytes" + "context" + "crypto/x509" + "fmt" + "html/template" + "net/url" + "reflect" + "strings" + + "github.com/coreos/go-oidc/v3/oidc" + "github.com/sigstore/fulcio/pkg/config" + "github.com/sigstore/fulcio/pkg/identity" +) + +func mapValuesToString(claims map[string]interface{}) map[string]string { + newMap := make(map[string]string) + for k, v := range claims { + newMap[k] = fmt.Sprintf("%s", v) + } + return newMap +} + +func getTokenClaims(token *oidc.IDToken) (map[string]string, error) { + var tokenClaims map[string]interface{} + if err := token.Claims(&tokenClaims); err != nil { + return nil, err + } + return mapValuesToString(tokenClaims), nil +} + +// It makes string interpolation for a given string by using the +// templates syntax https://pkg.go.dev/text/template +func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]string, issuerMetadata map[string]string) (string, error) { + + // Here we merge the data from was claimed by the id token with the + // default data provided by the yaml file. + // The order here matter because we want to override the claimed data + // with the default data. + // The default data will have priority over the claimed data. 
+ mergedData := make(map[string]string) + for k, v := range tokenClaims { + mergedData[k] = v + } + for k, v := range issuerMetadata { + mergedData[k] = v + } + + if strings.Contains(extValueTemplate, "{{") { + var doc bytes.Buffer + // This option forces to having the claim that is required + // for the template + t := template.New("").Option("missingkey=error") + // It shouldn't raise error since we already checked all + // templates in validateCIIssuerMetadata functions in config.go + p, err := t.Parse(extValueTemplate) + if err != nil { + return "", err + } + err = p.Execute(&doc, mergedData) + if err != nil { + return "", err + } + return doc.String(), nil + } + claimValue, ok := mergedData[extValueTemplate] + if !ok { + return "", fmt.Errorf("value <%s> not present in either claims or defaults", extValueTemplate) + } + return claimValue, nil +} + +type ciPrincipal struct { + Token *oidc.IDToken + ClaimsMetadata config.IssuerMetadata +} + +func WorkflowPrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (identity.Principal, error) { + cfg := config.FromContext(ctx) + issuerCfg, ok := cfg.GetIssuer(token.Issuer) + if !ok { + return nil, fmt.Errorf("configuration can not be loaded for issuer %v", token.Issuer) + } + return ciPrincipal{ + token, + cfg.CIIssuerMetadata[issuerCfg.CIProvider], + }, nil +} + +func (principal ciPrincipal) Name(_ context.Context) string { + return principal.Token.Subject +} + +func (principal ciPrincipal) Embed(_ context.Context, cert *x509.Certificate) error { + + claimsTemplates := principal.ClaimsMetadata.ExtensionTemplates + defaults := principal.ClaimsMetadata.DefaultTemplateValues + claims, err := getTokenClaims(principal.Token) + if err != nil { + return err + } + subjectAlternativeName, err := applyTemplateOrReplace(principal.ClaimsMetadata.SubjectAlternativeNameTemplate, claims, defaults) + if err != nil { + return err + } + sanURL, err := url.Parse(subjectAlternativeName) + if err != nil { + return err + } + uris 
:= []*url.URL{sanURL} + cert.URIs = uris + // We should use value.Elem() here as we need a + // addressable reference of the templates for applying the SetString(). + v := reflect.ValueOf(&claimsTemplates).Elem() + // Type of the reflect value is needed as it is necessary + // for getting the field name. + vType := v.Type() + for i := 0; i < v.NumField(); i++ { + s := v.Field(i).String() // value of each field, e.g the template string + // We check the field name to avoid to apply the template for the Issuer + // Issuer field should always come from the token issuer + if s == "" || vType.Field(i).Name == "Issuer" { + continue + } + extValue, err := applyTemplateOrReplace(s, claims, defaults) + if err != nil { + return err + } + v.Field(i).SetString(extValue) + } + + // Guarantees to set the extension issuer as the token issuer + // regardless of whether this field has been set before + claimsTemplates.Issuer = principal.Token.Issuer + // Embed additional information into custom extensions + cert.ExtraExtensions, err = claimsTemplates.Render() + if err != nil { + return err + } + return nil +} diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go new file mode 100644 index 000000000..aa387f995 --- /dev/null +++ b/pkg/identity/ciprovider/principal_test.go 
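Review bot: principal.go renders certificate extension and SAN values with `html/template`, whose contextual escaping rewrites `&`, `<`, `>`, `"`, `'` and `+` in substituted claim values (a ref or repository name containing one of them ends up altered in the issued certificate), and the comment in applyTemplateOrReplace itself cites text/template. Switch the import to `"text/template"` here and in the validateCIIssuerMetadata import in pkg/config/config.go so validation and execution agree. `mapValuesToString` formats every claim with `%s`, which turns a numeric or boolean claim into `%!s(float64=1)`; `fmt.Sprint(v)` preserves the value, and nested object claims still flatten to a Go-syntax string, which should be documented. `WorkflowPrincipalFromIDToken` indexes `cfg.CIIssuerMetadata[issuerCfg.CIProvider]` without the ok form, so an issuer whose CIProvider key is not configured silently gets empty templates and only fails inside Embed; `if _, ok := cfg.CIIssuerMetadata[issuerCfg.CIProvider]; !ok { return nil, fmt.Errorf("no CIIssuerMetadata for CIProvider %q", issuerCfg.CIProvider) }` makes the misconfiguration visible at the first request.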
@@ -0,0 +1,422 @@ +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ciprovider + +import ( + "bytes" + "context" + "crypto/x509" + "encoding/asn1" + "encoding/json" + "errors" + "fmt" + "reflect" + "testing" + "unsafe" + + "github.com/coreos/go-oidc/v3/oidc" + "github.com/sigstore/fulcio/pkg/certificate" + "github.com/sigstore/fulcio/pkg/config" +) + +func TestWorkflowPrincipalFromIDToken(t *testing.T) { + tests := map[string]struct { + ExpectedPrincipal ciPrincipal + }{ + `Github workflow challenge should have all Github workflow extensions and issuer set`: { + ExpectedPrincipal: ciPrincipal{ + ClaimsMetadata: config.IssuerMetadata{ + ExtensionTemplates: certificate.Extensions{ + Issuer: "issuer", + GithubWorkflowTrigger: "event_name", + GithubWorkflowSHA: "sha", + GithubWorkflowName: "workflow", + GithubWorkflowRepository: "repository", + GithubWorkflowRef: "ref", + BuildSignerURI: "{{ .url }}/{{ .job_workflow_ref }}", + BuildSignerDigest: "job_workflow_sha", + RunnerEnvironment: "runner_environment", + SourceRepositoryURI: "{{ .url }}/{{ .repository }}", + SourceRepositoryDigest: "sha", + SourceRepositoryRef: "ref", + SourceRepositoryIdentifier: "repository_id", + SourceRepositoryOwnerURI: "{{ .url }}/{{ .repository_owner }}", + SourceRepositoryOwnerIdentifier: "repository_owner_id", + BuildConfigURI: "{{ .url }}/{{ .workflow_ref }}", + BuildConfigDigest: "workflow_sha", + BuildTrigger: "event_name", + 
RunInvocationURI: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}", + SourceRepositoryVisibilityAtSigning: "repository_visibility", + }, + DefaultTemplateValues: map[string]string{ + "url": "https://github.com", + }, + SubjectAlternativeNameTemplate: "{{.url}}/{{.job_workflow_ref}}", + }, + }, + }, + } + + for name, test := range tests { + t.Run(name, func(t *testing.T) { + claims, err := json.Marshal(map[string]interface{}{ + "issuer": "https://token.actions.githubusercontent.com", + "event_name": "trigger", + "sha": "sha", + "workflow": "workflowname", + "repository": "repository", + "ref": "ref", + "job_workflow_sha": "jobWorkflowSha", + "job_workflow_ref": "jobWorkflowRef", + "runner_environment": "runnerEnv", + "repository_id": "repoID", + "repository_owner": "repoOwner", + "repository_owner_id": "repoOwnerID", + "workflow_ref": "workflowRef", + "workflow_sha": "workflowSHA", + "run_id": "runID", + "run_attempt": "runAttempt", + "repository_visibility": "public", + }) + if err != nil { + t.Fatal(err) + } + token := &oidc.IDToken{} + withClaims(token, claims) + + test.ExpectedPrincipal.Token = token + ctx := context.TODO() + OIDCIssuers := + map[string]config.OIDCIssuer{ + token.Issuer: { + IssuerURL: token.Issuer, + Type: config.IssuerTypeCIProvider, + CIProvider: "github-workflow", + ClientID: "sigstore", + }, + } + meta := make(map[string]config.IssuerMetadata) + meta["github-workflow"] = test.ExpectedPrincipal.ClaimsMetadata + cfg := &config.FulcioConfig{ + OIDCIssuers: OIDCIssuers, + CIIssuerMetadata: meta, + } + ctx = config.With(ctx, cfg) + principal, err := WorkflowPrincipalFromIDToken(ctx, token) + if err != nil { + t.Fatal(err) + } + if !reflect.DeepEqual(principal, test.ExpectedPrincipal) { + t.Error("Principals should be equals") + } + }) + } + +} + +// reflect hack because "claims" field is unexported by oidc IDToken +// https://github.com/coreos/go-oidc/pull/329 +func withClaims(token *oidc.IDToken, data 
[]byte) { + val := reflect.Indirect(reflect.ValueOf(token)) + member := val.FieldByName("claims") + pointer := unsafe.Pointer(member.UnsafeAddr()) + realPointer := (*[]byte)(pointer) + *realPointer = data +} + +func TestName(t *testing.T) { + tests := map[string]struct { + Claims map[string]interface{} + ExpectName string + }{ + `Valid token authenticates with correct claims`: { + Claims: map[string]interface{}{ + "aud": "sigstore", + "event_name": "push", + "exp": "0", + "iss": "https://token.actions.githubusercontent.com", + "job_workflow_ref": "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main", + "job_workflow_sha": "example-sha", + "ref": "refs/heads/main", + "repository": "sigstore/fulcio", + "repository_id": "12345", + "repository_owner": "username", + "repository_owner_id": "345", + "repository_visibility": "public", + "run_attempt": "1", + "run_id": "42", + "runner_environment": "cloud-hosted", + "sha": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "sub": "repo:sigstore/fulcio:ref:refs/heads/main", + "workflow": "foo", + "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main", + "workflow_sha": "example-sha-other", + }, + ExpectName: "repo:sigstore/fulcio:ref:refs/heads/main", + }, + } + + for name, test := range tests { + t.Run(name, func(t *testing.T) { + token := &oidc.IDToken{ + Issuer: test.Claims["iss"].(string), + Subject: test.Claims["sub"].(string), + } + claims, err := json.Marshal(test.Claims) + if err != nil { + t.Fatal(err) + } + withClaims(token, claims) + ctx := context.TODO() + OIDCIssuers := + map[string]config.OIDCIssuer{ + token.Issuer: { + IssuerURL: token.Issuer, + Type: config.IssuerTypeCIProvider, + CIProvider: "ci-provider", + ClientID: "sigstore", + }, + } + cfg := &config.FulcioConfig{ + OIDCIssuers: OIDCIssuers, + } + ctx = config.With(ctx, cfg) + principal, err := WorkflowPrincipalFromIDToken(ctx, token) + if err != nil { + t.Fatal(err) + } + + gotName := principal.Name(context.TODO()) + if gotName 
!= test.ExpectName { + t.Error("name should match sub claim") + } + }) + } +} + +func TestApplyTemplateOrReplace(t *testing.T) { + + tokenClaims := map[string]string{ + "aud": "sigstore", + "event_name": "push", + "exp": "0", + "iss": "https://token.actions.githubusercontent.com", + "job_workflow_ref": "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main", + "job_workflow_sha": "example-sha", + "ref": "refs/heads/main", + "repository": "sigstore/fulcio", + "repository_id": "12345", + "repository_owner": "username", + "repository_owner_id": "345", + "repository_visibility": "public", + "run_attempt": "1", + "run_id": "42", + "runner_environment": "cloud-hosted", + "sha": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "sub": "repo:sigstore/fulcio:ref:refs/heads/main", + "workflow": "foo", + "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main", + "workflow_sha": "example-sha-other", + } + issuerMetadata := map[string]string{ + "url": "https://github.com", + } + + tests := map[string]struct { + Template string + ExpectedResult string + ExpectErr bool + }{ + `Valid template`: { + Template: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}", + ExpectedResult: "https://github.com/sigstore/fulcio/actions/runs/42/attempts/1", + ExpectErr: false, + }, + `Empty template`: { + Template: "{{}}", + ExpectedResult: "", + ExpectErr: true, + }, + `Missing key for template`: { + Template: "{{ .foo }}", + ExpectedResult: "", + ExpectErr: true, + }, + `Empty string`: { + Template: "", + ExpectedResult: "", + ExpectErr: true, + }, + `Replaceable string`: { + Template: "job_workflow_ref", + ExpectedResult: "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main", + ExpectErr: false, + }, + `Missing string`: { + Template: "bar", + ExpectedResult: "", + ExpectErr: true, + }, + } + + for name, test := range tests { + t.Run(name, func(t *testing.T) { + res, err := applyTemplateOrReplace(test.Template, tokenClaims, 
issuerMetadata) + if res != test.ExpectedResult { + t.Errorf("expected result don't matches: Expected %s, received: %s", + test.ExpectedResult, res) + } + if (err != nil) != test.ExpectErr { + t.Errorf("should raise an error don't matches: Expected %v, received: %v", + test.ExpectErr, err != nil) + } + }) + } +} + +func TestEmbed(t *testing.T) { + tests := map[string]struct { + WantFacts map[string]func(x509.Certificate) error + Principal ciPrincipal + }{ + `Github workflow challenge should have all Github workflow extensions and issuer set`: { + WantFacts: map[string]func(x509.Certificate) error{ + `Certifificate should have correct issuer`: factDeprecatedExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}, "https://token.actions.githubusercontent.com"), + `Certificate has correct trigger extension`: factDeprecatedExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 2}, "trigger"), + `Certificate has correct SHA extension`: factDeprecatedExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 3}, "sha"), + `Certificate has correct workflow extension`: factDeprecatedExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4}, "workflowname"), + `Certificate has correct repository extension`: factDeprecatedExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}, "repository"), + `Certificate has correct ref extension`: factDeprecatedExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}, "ref"), + `Certificate has correct issuer (v2) extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}, "https://token.actions.githubusercontent.com"), + `Certificate has correct builder signer URI extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 9}, "https://github.com/jobWorkflowRef"), + `Certificate has correct builder signer digest extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 10}, "jobWorkflowSha"), + `Certificate has correct runner 
environment extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 11}, "runnerEnv"), + `Certificate has correct source repo URI extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 12}, "https://github.com/repository"), + `Certificate has correct source repo digest extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 13}, "sha"), + `Certificate has correct source repo ref extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 14}, "ref"), + `Certificate has correct source repo ID extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 15}, "repoID"), + `Certificate has correct source repo owner URI extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 16}, "https://github.com/repoOwner"), + `Certificate has correct source repo owner ID extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 17}, "repoOwnerID"), + `Certificate has correct build config URI extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 18}, "https://github.com/workflowRef"), + `Certificate has correct build config digest extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 19}, "workflowSHA"), + `Certificate has correct build trigger extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 20}, "trigger"), + `Certificate has correct run invocation ID extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 21}, "https://github.com/repository/actions/runs/runID/attempts/runAttempt"), + `Certificate has correct source repository visibility extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 22}, "public"), + }, + Principal: ciPrincipal{ + ClaimsMetadata: config.IssuerMetadata{ + ExtensionTemplates: certificate.Extensions{ + GithubWorkflowTrigger: "event_name", + GithubWorkflowSHA: "sha", + GithubWorkflowName: 
"workflow", + GithubWorkflowRepository: "repository", + GithubWorkflowRef: "ref", + BuildSignerURI: "{{ .url }}/{{ .job_workflow_ref }}", + BuildSignerDigest: "job_workflow_sha", + RunnerEnvironment: "runner_environment", + SourceRepositoryURI: "{{ .url }}/{{ .repository }}", + SourceRepositoryDigest: "sha", + SourceRepositoryRef: "ref", + SourceRepositoryIdentifier: "repository_id", + SourceRepositoryOwnerURI: "{{ .url }}/{{ .repository_owner }}", + SourceRepositoryOwnerIdentifier: "repository_owner_id", + BuildConfigURI: "{{ .url }}/{{ .workflow_ref }}", + BuildConfigDigest: "workflow_sha", + BuildTrigger: "event_name", + RunInvocationURI: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}", + SourceRepositoryVisibilityAtSigning: "repository_visibility", + }, + DefaultTemplateValues: map[string]string{ + "url": "https://github.com", + }, + SubjectAlternativeNameTemplate: "{{.url}}/{{.job_workflow_ref}}", + }, + }, + }, + } + + for name, test := range tests { + t.Run(name, func(t *testing.T) { + var cert x509.Certificate + claims, err := json.Marshal(map[string]interface{}{ + "event_name": "trigger", + "sha": "sha", + "workflow": "workflowname", + "repository": "repository", + "ref": "ref", + "job_workflow_sha": "jobWorkflowSha", + "job_workflow_ref": "jobWorkflowRef", + "runner_environment": "runnerEnv", + "repository_id": "repoID", + "repository_owner": "repoOwner", + "repository_owner_id": "repoOwnerID", + "workflow_ref": "workflowRef", + "workflow_sha": "workflowSHA", + "run_id": "runID", + "run_attempt": "runAttempt", + "repository_visibility": "public", + }) + if err != nil { + t.Fatal(err) + } + token := &oidc.IDToken{} + token.Issuer = "https://token.actions.githubusercontent.com" + withClaims(token, claims) + + test.Principal.Token = token + err = test.Principal.Embed(context.TODO(), &cert) + if err != nil { + t.Error(err) + } + for factName, fact := range test.WantFacts { + t.Run(factName, func(t *testing.T) { + if err 
:= fact(cert); err != nil { + t.Error(err) + } + }) + } + }) + } +} + +func factExtensionIs(oid asn1.ObjectIdentifier, value string) func(x509.Certificate) error { + return func(cert x509.Certificate) error { + for _, ext := range cert.ExtraExtensions { + if ext.Id.Equal(oid) { + var strVal string + _, _ = asn1.Unmarshal(ext.Value, &strVal) + if value != strVal { + return fmt.Errorf("expected oid %v to be %s, but got %s", oid, value, strVal) + } + return nil + } + } + return errors.New("extension not set") + } +} + +func factDeprecatedExtensionIs(oid asn1.ObjectIdentifier, value string) func(x509.Certificate) error { + return func(cert x509.Certificate) error { + for _, ext := range cert.ExtraExtensions { + if ext.Id.Equal(oid) { + if !bytes.Equal(ext.Value, []byte(value)) { + return fmt.Errorf("expected oid %v to be %s, but got %s", oid, value, ext.Value) + } + return nil + } + } + return errors.New("extension not set") + } +} diff --git a/pkg/server/grpc_server_test.go b/pkg/server/grpc_server_test.go index 999083160..56f05b71a 100644 --- a/pkg/server/grpc_server_test.go +++ b/pkg/server/grpc_server_test.go @@ -53,6 +53,7 @@ import ( "github.com/sigstore/fulcio/pkg/ca" "github.com/sigstore/fulcio/pkg/ca/ephemeralca" + "github.com/sigstore/fulcio/pkg/certificate" "github.com/sigstore/fulcio/pkg/config" "github.com/sigstore/fulcio/pkg/generated/protobuf" "github.com/sigstore/fulcio/pkg/identity" @@ -199,6 +200,7 @@ func TestGetConfiguration(t *testing.T) { _, gitLabIssuer := newOIDCIssuer(t) _, codefreshIssuer := newOIDCIssuer(t) _, chainguardIssuer := newOIDCIssuer(t) + _, ciProviderIssuer := newOIDCIssuer(t) issuerDomain, err := url.Parse(usernameIssuer) if err != nil { @@ -254,6 +256,11 @@ func TestGetConfiguration(t *testing.T) { "IssuerURL": %q, "ClientID": "sigstore", "Type": "chainguard-identity" + }, + %q: { + "IssuerURL": %q, + "ClientID": "sigstore", + "Type": "ci-provider" } }, "MetaIssuers": { 
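Review bot: factExtensionIs discards the error from `asn1.Unmarshal` (`_, _ = asn1.Unmarshal(ext.Value, &strVal)`), so a malformed or wrongly typed extension encoding shows up as a confusing empty-string mismatch instead of a decoding failure; check it with `if _, err := asn1.Unmarshal(ext.Value, &strVal); err != nil { return fmt.Errorf("decoding oid %v: %w", oid, err) }`. TestEmbed also asserts nothing about `cert.URIs`, although Embed derives the SAN from SubjectAlternativeNameTemplate; a fact comparing `cert.URIs[0].String()` with the expected `https://github.com/jobWorkflowRef` would cover the one value relying parties actually match on.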
@@ -271,6 +278,7 @@ func TestGetConfiguration(t *testing.T) { gitLabIssuer, gitLabIssuer, codefreshIssuer, codefreshIssuer, chainguardIssuer, chainguardIssuer, + ciProviderIssuer, ciProviderIssuer, k8sIssuer))) if err != nil { t.Fatalf("config.Read() = %v", err) @@ -291,7 +299,7 @@ func TestGetConfiguration(t *testing.T) { t.Fatal("GetConfiguration failed", err) } - if got, want := len(config.Issuers), 10; got != want { + if got, want := len(config.Issuers), 11; got != want { t.Fatalf("expected %d issuers, got %d", want, got) } @@ -299,7 +307,7 @@ func TestGetConfiguration(t *testing.T) { emailIssuer: true, spiffeIssuer: true, uriIssuer: true, usernameIssuer: true, k8sIssuer: true, gitHubIssuer: true, buildkiteIssuer: true, gitLabIssuer: true, codefreshIssuer: true, - chainguardIssuer: true, + chainguardIssuer: true, ciProviderIssuer: true, } for _, iss := range config.Issuers { var issURL string 
@@ -1123,6 +1131,178 @@ func TestAPIWithGitHub(t *testing.T) { } } +// Tests API for CiProvider subject types +func TestAPIWithCiProvider(t *testing.T) { + ciProviderSigner, ciProviderIssuer := newOIDCIssuer(t) + // Create a FulcioConfig that supports these issuers. + cfg, err := config.Read([]byte(fmt.Sprintf(`{ + "OIDCIssuers": { + %q: { + "IssuerURL": %q, + "ClientID": "sigstore", + "Type": "ci-provider", + "CIProvider": "github-workflow" + } + } + }`, ciProviderIssuer, ciProviderIssuer))) + if err != nil { + t.Fatalf("config.Read() = %v", err) + } + claims := githubClaims{ + JobWorkflowRef: "job/workflow/ref", + Sha: "sha", + EventName: "trigger", + Repository: "sigstore/fulcio", + Workflow: "workflow", + Ref: "refs/heads/main", + JobWorkflowSha: "example-sha", + RunnerEnvironment: "cloud-hosted", + RepositoryID: "12345", + RepositoryOwner: "username", + RepositoryOwnerID: "345", + RepositoryVisibility: "public", + WorkflowRef: "sigstore/other/.github/workflows/foo.yaml@refs/heads/main", + WorkflowSha: "example-sha-other", + RunID: "42", + RunAttempt: "1", + } + githubSubject := fmt.Sprintf("repo:%s:ref:%s", claims.Repository, claims.Ref) + // Create an OIDC token using this issuer's signer. 
+ tok, err := jwt.Signed(ciProviderSigner).Claims(jwt.Claims{ + Issuer: ciProviderIssuer, + IssuedAt: jwt.NewNumericDate(time.Now()), + Expiry: jwt.NewNumericDate(time.Now().Add(30 * time.Minute)), + Subject: githubSubject, + Audience: jwt.Audience{"sigstore"}, + }).Claims(&claims).Serialize() + if err != nil { + t.Fatalf("Serialize() = %v", err) + } + + ctClient, eca := createCA(cfg, t) + ctx := context.Background() + cfg.CIIssuerMetadata = make(map[string]config.IssuerMetadata) + cfg.CIIssuerMetadata["github-workflow"] = config.IssuerMetadata{ + ExtensionTemplates: certificate.Extensions{ + Issuer: "issuer", + GithubWorkflowTrigger: "event_name", + GithubWorkflowSHA: "sha", + GithubWorkflowName: "workflow", + GithubWorkflowRepository: "repository", + GithubWorkflowRef: "ref", + BuildSignerURI: "{{ .url }}/{{ .job_workflow_ref }}", + BuildSignerDigest: "job_workflow_sha", + RunnerEnvironment: "runner_environment", + SourceRepositoryURI: "{{ .url }}/{{ .repository }}", + SourceRepositoryDigest: "sha", + SourceRepositoryRef: "ref", + SourceRepositoryIdentifier: "repository_id", + SourceRepositoryOwnerURI: "{{ .url }}/{{ .repository_owner }}", + SourceRepositoryOwnerIdentifier: "repository_owner_id", + BuildConfigURI: "{{ .url }}/{{ .workflow_ref }}", + BuildConfigDigest: "workflow_sha", + BuildTrigger: "event_name", + RunInvocationURI: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}", + SourceRepositoryVisibilityAtSigning: "repository_visibility", + }, + DefaultTemplateValues: map[string]string{ + "url": "https://github.com", + }, + SubjectAlternativeNameTemplate: "{{.url}}/{{.job_workflow_ref}}", + } + + server, conn := setupGRPCForTest(t, cfg, ctClient, eca) + defer func() { + server.Stop() + conn.Close() + }() + client := protobuf.NewCAClient(conn) + pubBytes, proof := generateKeyAndProof(githubSubject, t) + // Hit the API to have it sign our certificate. 
+ resp, err := client.CreateSigningCertificate(ctx, &protobuf.CreateSigningCertificateRequest{ + Credentials: &protobuf.Credentials{ + Credentials: &protobuf.Credentials_OidcIdentityToken{ + OidcIdentityToken: tok, + }, + }, + Key: &protobuf.CreateSigningCertificateRequest_PublicKeyRequest{ + PublicKeyRequest: &protobuf.PublicKeyRequest{ + PublicKey: &protobuf.PublicKey{ + Content: pubBytes, + }, + ProofOfPossession: proof, + }, + }, + }) + if err != nil { + t.Fatalf("SigningCert() = %v", err) + } + leafCert := verifyResponse(resp, eca, ciProviderIssuer, t) + // Expect URI values + if len(leafCert.URIs) != 1 { + t.Fatalf("unexpected length of leaf certificate URIs, expected 1, got %d", len(leafCert.URIs)) + } + githubURL := fmt.Sprintf("https://github.com/%s", claims.JobWorkflowRef) + githubURI, err := url.Parse(githubURL) + if err != nil { + t.Fatalf("failed to parse expected url") + } + if *leafCert.URIs[0] != *githubURI { + t.Fatalf("URIs do not match: Expected %v, got %v", githubURI, leafCert.URIs[0]) + } + // Verify custom OID values + deprecatedExpectedExts := map[int]string{ + 2: claims.EventName, + 3: claims.Sha, + 4: claims.Workflow, + 5: claims.Repository, + 6: claims.Ref, + } + for o, value := range deprecatedExpectedExts { + ext, found := findCustomExtension(leafCert, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, o}) + if !found { + t.Fatalf("expected extension in custom OID 1.3.6.1.4.1.57264.1.%d", o) + } + if string(ext.Value) != value { + t.Fatalf("unexpected extension value, expected %s, got %s", value, ext.Value) + } + } + url := "https://github.com/" + expectedExts := map[int]string{ + 9: url + claims.JobWorkflowRef, + 10: claims.JobWorkflowSha, + 11: claims.RunnerEnvironment, + 12: url + claims.Repository, + 13: claims.Sha, + 14: claims.Ref, + 15: claims.RepositoryID, + 16: url + claims.RepositoryOwner, + 17: claims.RepositoryOwnerID, + 18: url + claims.WorkflowRef, + 19: claims.WorkflowSha, + 20: claims.EventName, + 21: url + 
claims.Repository + "/actions/runs/" + claims.RunID + "/attempts/" + claims.RunAttempt, + 22: claims.RepositoryVisibility, + } + for o, value := range expectedExts { + ext, found := findCustomExtension(leafCert, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, o}) + if !found { + t.Fatalf("expected extension in custom OID 1.3.6.1.4.1.57264.1.%d", o) + } + var extValue string + rest, err := asn1.Unmarshal(ext.Value, &extValue) + if err != nil { + t.Fatalf("error unmarshalling extension: :%v", err) + } + if len(rest) != 0 { + t.Fatal("error unmarshalling extension, rest is not 0") + } + if string(extValue) != value { + t.Fatalf("unexpected extension value, expected %s, got %s", value, extValue) + } + } +} + // gitlabClaims holds the additional JWT claims for GitLab OIDC tokens type gitlabClaims struct { ProjectPath string `json:"project_path"` diff --git a/pkg/server/issuer_pool.go b/pkg/server/issuer_pool.go index 18349f262..61e05fa34 100644 --- a/pkg/server/issuer_pool.go +++ b/pkg/server/issuer_pool.go @@ -19,6 +19,7 @@ import ( "github.com/sigstore/fulcio/pkg/identity" "github.com/sigstore/fulcio/pkg/identity/buildkite" "github.com/sigstore/fulcio/pkg/identity/chainguard" + "github.com/sigstore/fulcio/pkg/identity/ciprovider" "github.com/sigstore/fulcio/pkg/identity/codefresh" "github.com/sigstore/fulcio/pkg/identity/email" "github.com/sigstore/fulcio/pkg/identity/github" @@ -57,6 +58,8 @@ func getIssuer(meta string, i config.OIDCIssuer) identity.Issuer { return email.Issuer(issuerURL) case config.IssuerTypeGithubWorkflow: return github.Issuer(issuerURL) + case config.IssuerTypeCIProvider: + return ciprovider.Issuer(issuerURL) case config.IssuerTypeGitLabPipeline: return gitlabcom.Issuer(issuerURL) case config.IssuerTypeBuildkiteJob: From f9cc6b60ab0dc7386712277ce4e5ff8d28d0a182 Mon Sep 17 00:00:00 2001 
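Review bot: `url := "https://github.com/"` near the end of TestAPIWithCiProvider shadows the `net/url` package that `url.Parse(githubURL)` uses a few lines earlier, and it is the third copy of that base URL in the function (the others are `DefaultTemplateValues` and `githubURL`), so the expected values and the template default can drift apart without the test noticing. Hoist one `const githubBase = "https://github.com"` at the top of the function, use it in `DefaultTemplateValues`, `githubURL` and the `expectedExts` entries, and drop the shadowing variable. The test also covers only the happy path: a companion case with a claim missing (say `job_workflow_ref`) would pin that the SAN template `{{.url}}/{{.job_workflow_ref}}` leads to a rejected request rather than a certificate whose SAN carries a placeholder; whether the template code already errors on a missing key is not visible here. The whole function is inside the hunk.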
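Review bot: The new `case config.IssuerTypeCIProvider` passes only `issuerURL` to `ciprovider.Issuer`, so the per-issuer `CIProvider` name carried by the `i config.OIDCIssuer` parameter is not handed over at this point; presumably the ciprovider package re-resolves it from the issuer configuration when a token is processed, but that is not visible here. A short comment on the new case, `// The provider name (CIProvider) is resolved from the issuer config at token time, not here.`, would stop the next reader from treating the dropped field as a bug, or, if the package does not re-resolve it, the field needs to be passed. getIssuer starts and ends outside the hunk.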
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Jul 2024 15:15:19 -0700 Subject: [PATCH 05/20] Bump the all group across 1 directory with 8 updates (#1719) * Bump the all group across 1 directory with 8 updates Bumps the all group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go) | `1.17.0` | `1.17.2` | | [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` | | [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` | | [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` | | [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` | | [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` | Updates `cloud.google.com/go/security` from 1.17.0 to 1.17.2 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.17.0...asset/v1.17.2) Updates `github.com/sigstore/sigstore` from 1.8.4 to 1.8.6 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6) Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.8.4 to 1.8.6 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6) Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.8.4 to 1.8.6 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6) Updates 
`github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.8.4 to 1.8.6 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6) Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.8.4 to 1.8.6 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6) Updates `google.golang.org/api` from 0.185.0 to 0.187.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.185.0...v0.187.0) Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20240610135401-a8a62080eff3 to 0.0.0-20240617180043-68d350f18fd4 - [Commits](https://github.com/googleapis/go-genproto/commits) --- updated-dependencies: - dependency-name: cloud.google.com/go/security dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: google.golang.org/api 
dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: google.golang.org/genproto/googleapis/api dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] * update test Signed-off-by: cpanato --------- Signed-off-by: dependabot[bot] Signed-off-by: cpanato Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: cpanato --- go.mod | 61 ++++++++++--------- go.sum | 134 +++++++++++++++++++++--------------------- pkg/ca/common_test.go | 4 +- 3 files changed, 98 insertions(+), 101 deletions(-) diff --git a/go.mod b/go.mod index 1a3039284..117970722 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.22.4 require ( chainguard.dev/go-grpc-kit v0.17.5 chainguard.dev/sdk v0.1.20 - cloud.google.com/go/security v1.17.0 + cloud.google.com/go/security v1.17.2 github.com/PaesslerAG/jsonpath v0.1.1 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d 
@@ -26,19 +26,19 @@ require ( github.com/prometheus/client_model v0.6.1 github.com/prometheus/common v0.55.0 github.com/rs/cors v1.11.0 - github.com/sigstore/sigstore v1.8.4 - github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.4 - github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.4 - github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.4 - github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.4 + github.com/sigstore/sigstore v1.8.6 + github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.6 + github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.6 + github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.6 + github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.6 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 github.com/spf13/viper v1.19.0 github.com/spiffe/go-spiffe/v2 v2.3.0 go.step.sm/crypto v0.47.1 go.uber.org/zap v1.27.0 - google.golang.org/api v0.185.0 - google.golang.org/genproto/googleapis/api v0.0.0-20240610135401-a8a62080eff3 + google.golang.org/api v0.187.0 + google.golang.org/genproto/googleapis/api v0.0.0-20240617180043-68d350f18fd4 google.golang.org/grpc v1.64.1 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 
@@ -47,34 +47,34 @@ require ( require ( cloud.google.com/go v0.115.0 // indirect - cloud.google.com/go/auth v0.5.1 // indirect + cloud.google.com/go/auth v0.6.1 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect cloud.google.com/go/compute/metadata v0.3.0 // indirect cloud.google.com/go/iam v1.1.8 // indirect - cloud.google.com/go/kms v1.17.1 // indirect + cloud.google.com/go/kms v1.18.0 // indirect cloud.google.com/go/longrunning v0.5.7 // indirect filippo.io/edwards25519 v1.1.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0 // indirect - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect github.com/PaesslerAG/gval v1.0.0 // indirect - github.com/aws/aws-sdk-go v1.53.10 // indirect - github.com/aws/aws-sdk-go-v2 v1.27.1 // indirect - github.com/aws/aws-sdk-go-v2/config v1.27.17 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.17 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.8 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.8 // indirect + github.com/aws/aws-sdk-go v1.54.6 // indirect + github.com/aws/aws-sdk-go-v2 v1.30.0 // indirect + github.com/aws/aws-sdk-go-v2/config v1.27.21 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.21 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // 
indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.32.2 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.20.10 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.4 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.28.11 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.34.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.21.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 // indirect github.com/aws/smithy-go v1.20.2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect @@ -88,11 +88,11 @@ require ( github.com/go-logr/stdr v1.2.2 // indirect github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/google/go-containerregistry v0.19.1 // indirect + github.com/google/go-containerregistry v0.19.2 // indirect github.com/google/s2a-go v0.1.7 // indirect github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect - github.com/googleapis/gax-go/v2 v2.12.4 // indirect + github.com/googleapis/gax-go/v2 v2.12.5 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect 
@@ -107,7 +107,7 @@ require ( github.com/jellydator/ttlcache/v3 v3.2.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/kylelemons/godebug v1.1.0 // indirect - github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect + github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect github.com/miekg/pkcs11 v1.1.1 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect @@ -131,7 +131,7 @@ require ( github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect go.opentelemetry.io/otel v1.27.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect @@ -142,7 +142,7 @@ require ( go.uber.org/multierr v1.11.0 // indirect goa.design/goa v2.2.5+incompatible // indirect golang.org/x/crypto v0.24.0 // indirect - golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb // indirect + golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect golang.org/x/net v0.26.0 // indirect golang.org/x/oauth2 v0.21.0 // indirect golang.org/x/sync v0.7.0 // indirect 
@@ -150,9 +150,8 @@ require ( golang.org/x/term v0.21.0 // indirect golang.org/x/text v0.16.0 // indirect golang.org/x/time v0.5.0 // indirect - google.golang.org/genproto v0.0.0-20240617180043-68d350f18fd4 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240617180043-68d350f18fd4 // indirect - gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect + google.golang.org/genproto v0.0.0-20240624140628-dc46fd24d27d // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240624140628-dc46fd24d27d // indirect gopkg.in/ini.v1 v1.67.0 // indirect k8s.io/klog/v2 v2.120.1 // indirect ) diff --git a/go.sum b/go.sum index aa35df7a9..71424846b 100644 --- a/go.sum +++ b/go.sum 
@@ -5,26 +5,26 @@ chainguard.dev/sdk v0.1.20/go.mod h1:UO+3bmvsha1UoXxvgNnMze1kfNLuADe2WWi3AirvvxE cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.115.0 h1:CnFSK6Xo3lDYRoBKEcAtia6VSC837/ZkJuRduSFnr14= cloud.google.com/go v0.115.0/go.mod h1:8jIM5vVgoAEoiVxQ/O4BFTfHqulPZgs/ufEzMcFMdWU= -cloud.google.com/go/auth v0.5.1 h1:0QNO7VThG54LUzKiQxv8C6x1YX7lUrzlAa1nVLF8CIw= -cloud.google.com/go/auth v0.5.1/go.mod h1:vbZT8GjzDf3AVqCcQmqeeM32U9HBFc32vVVAbwDsa6s= +cloud.google.com/go/auth v0.6.1 h1:T0Zw1XM5c1GlpN2HYr2s+m3vr1p2wy+8VN+Z1FKxW38= +cloud.google.com/go/auth v0.6.1/go.mod h1:eFHG7zDzbXHKmjJddFG/rBlcGp6t25SwRUiEQSlO4x4= cloud.google.com/go/auth/oauth2adapt v0.2.2 h1:+TTV8aXpjeChS9M+aTtN/TjdQnzJvmzKFt//oWu7HX4= cloud.google.com/go/auth/oauth2adapt v0.2.2/go.mod h1:wcYjgpZI9+Yu7LyYBg4pqSiaRkfEK3GQcpb7C/uyF1Q= cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc= cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/iam v1.1.8 h1:r7umDwhj+BQyz0ScZMp4QrGXjSTI3ZINnpgU2nlB/K0= cloud.google.com/go/iam v1.1.8/go.mod h1:GvE6lyMmfxXauzNq8NbgJbeVQNspG+tcdL/W8QO1+zE= -cloud.google.com/go/kms v1.17.1 h1:5k0wXqkxL+YcXd4viQzTqCgzzVKKxzgrK+rCZJytEQs= -cloud.google.com/go/kms v1.17.1/go.mod h1:DCMnCF/apA6fZk5Cj4XsD979OyHAqFasPuA5Sd0kGlQ= +cloud.google.com/go/kms v1.18.0 h1:pqNdaVmZJFP+i8OVLocjfpdTWETTYa20FWOegSCdrRo= +cloud.google.com/go/kms v1.18.0/go.mod h1:DyRBeWD/pYBMeyiaXFa/DGNyxMDL3TslIKb8o/JkLkw= cloud.google.com/go/longrunning v0.5.7 h1:WLbHekDbjK1fVFD3ibpFFVoyizlLRl73I7YKuAKilhU= cloud.google.com/go/longrunning v0.5.7/go.mod h1:8GClkudohy1Fxm3owmBGid8W0pSgodEMwEAztp38Xng= -cloud.google.com/go/security v1.17.0 h1:u4RCnEQPvlrrnFRFinU0T3WsjtrsQErkWBfqTM5oUQI= -cloud.google.com/go/security v1.17.0/go.mod h1:eSuFs0SlBv1gWg7gHIoF0hYOvcSwJCek/GFXtgO6aA0= +cloud.google.com/go/security v1.17.2 
h1:pEkUeR1PFNwoFAIXPMa4PBCYb75UT8LmNfjQy1fm/Co= +cloud.google.com/go/security v1.17.2/go.mod h1:6eqX/AgDw56KwguEBfFNiNQ+Vzi+V6+GopklexYuJ0U= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0 h1:1nGuui+4POelzDwI7RG56yfQJHCnKvwfMoU7VsEp+Zg= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0/go.mod h1:99EvauvlcJ1U06amZiksfYz/3aFGyIhWGHVyiZXtBAI= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 h1:H+U3Gk9zY56G3u872L82bk4thcsy2Gghb9ExT4Zvm1o= github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0/go.mod h1:mgrmMSgaLp9hmax62XQTd0N4aAqSE5E0DulSpVYK7vc= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 h1:DRiANoJTiW6obBQe3SqZizkuV1PEgfiiGivmVocDy64= 
@@ -44,34 +44,34 @@ github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ= github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.53.10 h1:3enP5l5WtezT9Ql+XZqs56JBf5YUd/FEzTCg///OIGY= -github.com/aws/aws-sdk-go v1.53.10/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= -github.com/aws/aws-sdk-go-v2 v1.27.1 h1:xypCL2owhog46iFxBKKpBcw+bPTX/RJzwNj8uSilENw= -github.com/aws/aws-sdk-go-v2 v1.27.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= -github.com/aws/aws-sdk-go-v2/config v1.27.17 h1:L0JZN7Gh7pT6u5CJReKsLhGKparqNKui+mcpxMXjDZc= -github.com/aws/aws-sdk-go-v2/config v1.27.17/go.mod h1:MzM3balLZeaafYcPz8IihAmam/aCz6niPQI0FdprxW0= -github.com/aws/aws-sdk-go-v2/credentials v1.17.17 h1:b3Dk9uxQByS9sc6r0sc2jmxsJKO75eOcb9nNEiaUBLM= -github.com/aws/aws-sdk-go-v2/credentials v1.17.17/go.mod h1:e4khg9iY08LnFK/HXQDWMf9GDaiMari7jWPnXvKAuBU= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4 h1:0cSfTYYL9qiRcdi4Dvz+8s3JUgNR2qvbgZkXcwPEEEk= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4/go.mod h1:Wjn5O9eS7uSi7vlPKt/v0MLTncANn9EMmoDvnzJli6o= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.8 h1:RnLB7p6aaFMRfyQkD6ckxR7myCC9SABIqSz4czYUUbU= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.8/go.mod h1:XH7dQJd+56wEbP1I4e4Duo+QhSMxNArE8VP7NuUOTeM= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.8 h1:jzApk2f58L9yW9q1GEab3BMMFWUkkiZhyrRUtbwUbKU= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.8/go.mod h1:WqO+FftfO3tGePUtQxPXM6iODVfqMwsVMgTbG/ZXIdQ= +github.com/aws/aws-sdk-go v1.54.6 h1:HEYUib3yTt8E6vxjMWM3yAq5b+qjj/6aKA62mkgux9g= +github.com/aws/aws-sdk-go v1.54.6/go.mod 
h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/aws-sdk-go-v2 v1.30.0 h1:6qAwtzlfcTtcL8NHtbDQAqgM5s6NDipQTkPxyH/6kAA= +github.com/aws/aws-sdk-go-v2 v1.30.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +github.com/aws/aws-sdk-go-v2/config v1.27.21 h1:yPX3pjGCe2hJsetlmGNB4Mngu7UPmvWPzzWCv1+boeM= +github.com/aws/aws-sdk-go-v2/config v1.27.21/go.mod h1:4XtlEU6DzNai8RMbjSF5MgGZtYvrhBP/aKZcRtZAVdM= +github.com/aws/aws-sdk-go-v2/credentials v1.17.21 h1:pjAqgzfgFhTv5grc7xPHtXCAaMapzmwA7aU+c/SZQGw= +github.com/aws/aws-sdk-go-v2/credentials v1.17.21/go.mod h1:nhK6PtBlfHTUDVmBLr1dg+WHCOCK+1Fu/WQyVHPsgNQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 h1:FR+oWPFb/8qMVYMWN98bUZAGqPvLHiyqg1wqQGfUAXY= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8/go.mod h1:EgSKcHiuuakEIxJcKGzVNWh5srVAQ3jKaSrBGRYvM48= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 h1:SJ04WXGTwnHlWIODtC5kJzKbeuHt+OUNOgKg7nfnUGw= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12/go.mod h1:FkpvXhA92gb3GE9LD6Og0pHHycTxW7xGpnEh5E7Opwo= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 h1:hb5KgeYfObi5MHkSSZMEudnIvX30iB+E21evI4r6BnQ= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12/go.mod h1:CroKe/eWJdyfy9Vx4rljP5wTUjNJfb+fPz1uMYUhEGM= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10 h1:7kZqP7akv0enu6ykJhb9OYlw16oOrSy+Epus8o/VqMY= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10/go.mod h1:gYVF3nM1ApfTRDj9pvdhootBb8WbiIejuqn4w8ruMes= 
-github.com/aws/aws-sdk-go-v2/service/kms v1.32.2 h1:WuwRxTSPc+E4dwDRmxh4TILJsnYoqm41KTb11pRkzBA= -github.com/aws/aws-sdk-go-v2/service/kms v1.32.2/go.mod h1:qEy625xFxrw6hA+eOAD030wmLERPa7LNCArh+gAC+8o= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.10 h1:ItKVmFwbyb/ZnCWf+nu3XBVmUirpO9eGEQd7urnBA0s= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.10/go.mod h1:5XKooCTi9VB/xZmJDvh7uZ+v3uQ7QdX6diOyhvPA+/w= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.4 h1:QMSCYDg3Iyls0KZc/dk3JtS2c1lFfqbmYO10qBPPkJk= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.4/go.mod h1:MZ/PVYU/mRbmSF6WK3ybCYHjA2mig8utVokDEVLDgE0= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.11 h1:HYS0csS7UJxdYRoG+bGgUYrSwVnV3/ece/wHm90TApM= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.11/go.mod h1:QXnthRM35zI92048MMwfFChjFmoufTdhtHmouwNfhhU= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 h1:zSDPny/pVnkqABXYRicYuPf9z2bTqfH13HT3v6UheIk= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14/go.mod h1:3TTcI5JSzda1nw/pkVC9dhgLre0SNBFj2lYS4GctXKI= +github.com/aws/aws-sdk-go-v2/service/kms v1.34.1 h1:VsKBn6WADI3Nn3WjBMzeRww9WHXeVLi7zyuSrqjRCBQ= +github.com/aws/aws-sdk-go-v2/service/kms v1.34.1/go.mod h1:5F6kXrPBxv0l1t8EO44GuG4W82jGJwaRE0B+suEGnNY= +github.com/aws/aws-sdk-go-v2/service/sso v1.21.1 h1:sd0BsnAvLH8gsp2e3cbaIr+9D7T1xugueQ7V/zUAsS4= +github.com/aws/aws-sdk-go-v2/service/sso v1.21.1/go.mod h1:lcQG/MmxydijbeTOp04hIuJwXGWPZGI3bwdFDGRTv14= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1 h1:1uEFNNskK/I1KoZ9Q8wJxMz5V9jyBlsiaNrM7vA3YUQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1/go.mod h1:z0P8K+cBIsFXUr5rzo/psUeJ20XjPN0+Nn8067Nd+E4= +github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 h1:myX5CxqXE0QMZNja6FA1/FSE3Vu1rVmeUmpJMMzeZg0= +github.com/aws/aws-sdk-go-v2/service/sts v1.29.1/go.mod h1:N2mQiucsO0VwK9CYuS4/c2n6Smeh1v47Rz3dWCPFLdE= github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= github.com/aws/smithy-go 
v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= @@ -123,11 +123,11 @@ github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/go-rod/rod v0.116.0 h1:ypRryjTys3EnqHskJ/TdgodFMvXV0EHvmy4bSkKZgHM= -github.com/go-rod/rod v0.116.0/go.mod h1:aiedSEFg5DwG/fnNbUOTPMTTWX3MRj6vIs/a684Mthw= +github.com/go-rod/rod v0.116.1 h1:BDMZY3qm/14SmvHBV7DoFUhXeJ2MbUYgumQ88b+v2WE= +github.com/go-rod/rod v0.116.1/go.mod h1:3Ash9fYwznqz9S1uLQgQRStur4fCXjoxxGW+ym6TYjU= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= -github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= +github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= +github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/goadesign/goa v2.2.5+incompatible h1:SLgzk0V+QfFs7MVz9sbDHelbTDI9B/d4W7Hl5udTynY= github.com/goadesign/goa v2.2.5+incompatible/go.mod h1:d/9lpuZBK7HFi/7O0oXfwvdoIl+nx2bwKqctZe/lQao= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 
@@ -162,8 +162,8 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.19.1 h1:yMQ62Al6/V0Z7CqIrrS1iYoA5/oQCm88DeNujc7C1KY= -github.com/google/go-containerregistry v0.19.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= +github.com/google/go-containerregistry v0.19.2 h1:TannFKE1QSajsP6hPWb5oJNgKe1IKjHukIKDUmvsV6w= +github.com/google/go-containerregistry v0.19.2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= 
@@ -173,8 +173,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= -github.com/googleapis/gax-go/v2 v2.12.4 h1:9gWcmF85Wvq4ryPFvGFaOgPIs1AQX0d0bcbGw4Z96qg= -github.com/googleapis/gax-go/v2 v2.12.4/go.mod h1:KYEYLorsnIGDi/rPC8b5TdlB9kbKoFubselGIoBMCwI= +github.com/googleapis/gax-go/v2 v2.12.5 h1:8gw9KZK8TiVKB6q3zHY3SBzLnrGp6HQjyfYBYGmXdxA= +github.com/googleapis/gax-go/v2 v2.12.5/go.mod h1:BUDKcWo+RaKq5SC9vVYL0wLADa3VcfswbOMMRmB9H3E= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99 h1:JYghRBlGCZyCF2wNUJ8W0cwaQdtpcssJ4CgC406g+WU= 
@@ -230,8 +230,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= -github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e h1:RLTpX495BXToqxpM90Ws4hXEo4Wfh81jr9DX1n/4WOo= -github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e/go.mod h1:EAuqr9VFWxBi9nD5jc/EA2MT1RFty9288TF6zdtYoCU= +github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ= +github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= 
@@ -297,16 +297,16 @@ github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbm github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= -github.com/sigstore/sigstore v1.8.4 h1:g4ICNpiENFnWxjmBzBDWUn62rNFeny/P77HUC8da32w= -github.com/sigstore/sigstore v1.8.4/go.mod h1:1jIKtkTFEeISen7en+ZPWdDHazqhxco/+v9CNjc7oNg= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.4 h1:okxaVlaTrQowE1FA4UQ3rw54f7BUjdnzERIxbZTBZuc= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.4/go.mod h1:jkcPErmnCECuSJajUaUq5pwCMOeBF19VzQo6bv4l1D0= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.4 h1:1G6uLTZaqvu867DbgH7p75L6Y7Tu8LLnYJGZnWsTUu8= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.4/go.mod h1:QtKKb8DChi1mRi9xSNr8ImSQu6m+0MZAV0sYIoPOta0= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.4 h1:fjnDR5Lw9ElfOSRUGKkgwjaynqj93nLu0twAw+QxhHE= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.4/go.mod h1:9KFn5MwelyNoFXu3gNyVzvN/yAhcL6FE053oxih9+vM= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.4 h1:QEXOb+feQmNOyLVT+FrghBqKKK4QDMP5dyic8RZHXdE= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.4/go.mod h1:ohOhV9zclcIpNAWS0kq2ASB3EPPuRce2HjgXXaU3pKQ= +github.com/sigstore/sigstore v1.8.6 h1:g066b/Nw5r5oxhNv4XqJUUzVcyf1b07itUueiQe7rZM= +github.com/sigstore/sigstore v1.8.6/go.mod h1:UOBrJd9JBQ81DrkpGljzsIFXEtfC30raHvLWFWG857U= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.6 h1:uVcT1JT4lLkmBQII25PvgP/nyvi4HvTMNXzoHqQqEHE= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.6/go.mod h1:VJ/745ojKNQKbZ1ykO5Vebtnq9vGt8zcgKemQIibBIE= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.6 h1:TBbzoiUDVYpWw4uXBp3bV0uyA2SJp9uGsOATYnHHbgw= 
+github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.6/go.mod h1:lJtlCNOCXPncwOigWZi15gu3Io/lvAo7gXXm4vpfKuE= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.6 h1:CFtW7RIQ4fOtBzl+1YAnAmcACL4B+Qr/S7PXPdJ+54s= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.6/go.mod h1:rhX2eca5kAqUTwQxQLMnOLmvSxbqF9JZ3rFOoDpQX5w= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.6 h1:5pNfbRsG5GZyJy+cBZ6gjuhedlC6CCaMTVr2lPIfdOo= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.6/go.mod h1:ieWGmXzhPSZ3W8aOBUWNFM6Hh/VFQzZdiyGw1zSBanY= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= @@ -351,8 +351,8 @@ github.com/ysmood/fetchup v0.2.3 h1:ulX+SonA0Vma5zUFXtv52Kzip/xe7aj4vqT5AJwQ+ZQ= github.com/ysmood/fetchup v0.2.3/go.mod h1:xhibcRKziSvol0H1/pj33dnKrYyI2ebIvz5cOOkYGns= github.com/ysmood/goob v0.4.0 h1:HsxXhyLBeGzWXnqVKtmT9qM7EuVs/XOgkX7T6r1o1AQ= github.com/ysmood/goob v0.4.0/go.mod h1:u6yx7ZhS4Exf2MwciFr6nIM8knHQIE22lFpWHnfql18= -github.com/ysmood/got v0.34.1 h1:IrV2uWLs45VXNvZqhJ6g2nIhY+pgIG1CUoOcqfXFl1s= -github.com/ysmood/got v0.34.1/go.mod h1:yddyjq/PmAf08RMLSwDjPyCvHvYed+WjHnQxpH851LM= +github.com/ysmood/got v0.40.0 h1:ZQk1B55zIvS7zflRrkGfPDrPG3d7+JOza1ZkNxcc74Q= +github.com/ysmood/got v0.40.0/go.mod h1:W7DdpuX6skL3NszLmAsC5hT7JAhuLZhByVzHTq874Qg= github.com/ysmood/gson v0.7.3 h1:QFkWbTH8MxyUTKPkVWAENJhxqdBa4lYTQWqZCiLG6kE= github.com/ysmood/gson v0.7.3/go.mod h1:3Kzs5zDl21g5F/BlLTNcuAGAYLKt2lV5G8D1zF3RNmg= github.com/ysmood/leakless v0.8.0 h1:BzLrVoiwxikpgEQR0Lk8NyBN5Cit2b1z+u0mgL4ZJak= 
@@ -364,8 +364,8 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 h1:vS1Ao/R55RNV4O7TA2Qopok8yN+X0LIP6RVWLFkprck= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0/go.mod h1:BMsdeOxN04K0L5FNUBfjFdvwWGNe/rkmSwH4Aelu/X0= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 h1:9l89oX4ba9kHbBol3Xin3leYJ+252h0zszDtBwyKe2A= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0/go.mod h1:XLZfZboOJWHNKUv7eH0inh0E9VV6eWDFB/9yJyTLPp0= go.opentelemetry.io/otel v1.27.0 h1:9BZoF3yMK/O1AafMiQTVu0YDj5Ea4hPhxCs7sGva+cg= go.opentelemetry.io/otel v1.27.0/go.mod h1:DMpAK8fzYRzs+bi3rS5REupisuqTheUlSZJ1WnZaPAQ= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 h1:R9DE4kQ4k+YtfLI2ULwX82VtNQ2J8yZmA7ZIF/D+7Mc= 
@@ -402,8 +402,8 @@ golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDf golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb h1:c0vyKkb6yr3KR7jEfJaOSv4lG7xPkbN6r52aJz1d8a8= -golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI= +golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o= +golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 
@@ -490,20 +490,20 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/api v0.185.0 h1:ENEKk1k4jW8SmmaT6RE+ZasxmxezCrD5Vw4npvr+pAU= -google.golang.org/api v0.185.0/go.mod h1:HNfvIkJGlgrIlrbYkAm9W9IdkmKZjOTVh33YltygGbg= +google.golang.org/api v0.187.0 h1:Mxs7VATVC2v7CY+7Xwm4ndkX71hpElcvx0D1Ji/p1eo= +google.golang.org/api v0.187.0/go.mod h1:KIHlTc4x7N7gKKuVsdmfBXN13yEEWXWFURWY6SBp2gk= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20240617180043-68d350f18fd4 h1:CUiCqkPw1nNrNQzCCG4WA65m0nAmQiwXHpub3dNyruU= -google.golang.org/genproto v0.0.0-20240617180043-68d350f18fd4/go.mod h1:EvuUDCulqGgV80RvP1BHuom+smhX4qtlhnNatHuroGQ= -google.golang.org/genproto/googleapis/api v0.0.0-20240610135401-a8a62080eff3 h1:QW9+G6Fir4VcRXVH8x3LilNAb6cxBGLa6+GM4hRwexE= -google.golang.org/genproto/googleapis/api v0.0.0-20240610135401-a8a62080eff3/go.mod h1:kdrSS/OiLkPrNUpzD4aHgCq2rVuC/YRxok32HXZ4vRE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240617180043-68d350f18fd4 
h1:Di6ANFilr+S60a4S61ZM00vLdw0IrQOSMS2/6mrnOU0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240617180043-68d350f18fd4/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/genproto v0.0.0-20240624140628-dc46fd24d27d h1:PksQg4dV6Sem3/HkBX+Ltq8T0ke0PKIRBNBatoDTVls= +google.golang.org/genproto v0.0.0-20240624140628-dc46fd24d27d/go.mod h1:s7iA721uChleev562UJO2OYB0PPT9CMFjV+Ce7VJH5M= +google.golang.org/genproto/googleapis/api v0.0.0-20240617180043-68d350f18fd4 h1:MuYw1wJzT+ZkybKfaOXKp5hJiZDn2iHaXRw0mRYdHSc= +google.golang.org/genproto/googleapis/api v0.0.0-20240617180043-68d350f18fd4/go.mod h1:px9SlOOZBg1wM1zdnr8jEL4CNGUBZ+ZKYtNPApNQc4c= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240624140628-dc46fd24d27d h1:k3zyW3BYYR30e8v3x0bTDdE9vpYFjZHK+HcyqkrppWk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240624140628-dc46fd24d27d/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= google.golang.org/grpc v1.18.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= 
@@ -528,8 +528,6 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs= -gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/pkg/ca/common_test.go b/pkg/ca/common_test.go index 30723b3ec..4deef68d1 100644 --- a/pkg/ca/common_test.go +++ b/pkg/ca/common_test.go @@ -127,12 +127,12 @@ func TestVerifyCertChain(t *testing.T) { // Failure: Weak key weakSubCert, weakSubKey, _ := test.GenerateWeakSubordinateCA(rootCert, rootKey) err = VerifyCertChain([]*x509.Certificate{weakSubCert, rootCert}, weakSubKey) - if err == nil || !strings.Contains(err.Error(), "unsupported ec curve") { + if err == nil || !strings.Contains(err.Error(), "ECDSA curve P-224 not allowed") { t.Fatalf("expected error verifying weak cert chain: %v", err) } // Failure: Empty chain - err = VerifyCertChain([]*x509.Certificate{}, weakSubKey) + err = VerifyCertChain([]*x509.Certificate{}, subKey) if err == nil || !strings.Contains(err.Error(), "certificate chain must contain at least one certificate") { t.Fatalf("expected error verifying with empty chain: %v", err) } From d2b0739a6bcbfb6a42d80c0f9d2b2675788c61da Mon Sep 17 00:00:00 2001 
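Review bot: The weak-key assertion now pins a dependency-owned error string, `ECDSA curve P-224 not allowed`, so the test will break on the next wording change in the validator rather than on a real regression; if the library exposes a sentinel or typed error, `errors.Is`/`errors.As` would be sturdier, otherwise a comment naming the source of the string would help whoever does the next bump. The change from `weakSubKey` to `subKey` in the empty-chain case presumably means key validation now runs before the chain-length check, so the weak key would otherwise have produced the wrong error; that ordering deserves a one-line comment such as `// use a valid key so the empty-chain check is the one that fails`. TestVerifyCertChain starts and ends outside the hunk.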
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 02:55:02 +0000 Subject: [PATCH 06/20] Bump go.step.sm/crypto from 0.47.1 to 0.50.0 Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.47.1 to 0.50.0. - [Release notes](https://github.com/smallstep/crypto/releases) - [Commits](https://github.com/smallstep/crypto/compare/v0.47.1...v0.50.0) --- updated-dependencies: - dependency-name: go.step.sm/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 42 ++++++++++++++--------------- go.sum | 84 +++++++++++++++++++++++++++++----------------------------- 2 files changed, 63 insertions(+), 63 deletions(-) diff --git a/go.mod b/go.mod index 117970722..6cb570626 100644 --- a/go.mod +++ b/go.mod @@ -35,11 +35,11 @@ require ( github.com/spf13/pflag v1.0.5 github.com/spf13/viper v1.19.0 github.com/spiffe/go-spiffe/v2 v2.3.0 - go.step.sm/crypto v0.47.1 + go.step.sm/crypto v0.50.0 go.uber.org/zap v1.27.0 google.golang.org/api v0.187.0 google.golang.org/genproto/googleapis/api v0.0.0-20240617180043-68d350f18fd4 - google.golang.org/grpc v1.64.1 + google.golang.org/grpc v1.65.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 sigs.k8s.io/release-utils v0.8.2 @@ -51,7 +51,7 @@ require ( cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect cloud.google.com/go/compute/metadata v0.3.0 // indirect cloud.google.com/go/iam v1.1.8 // indirect - cloud.google.com/go/kms v1.18.0 // indirect + cloud.google.com/go/kms v1.18.2 // indirect cloud.google.com/go/longrunning v0.5.7 // indirect filippo.io/edwards25519 v1.1.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0 // indirect 
@@ -62,24 +62,24 @@ require ( github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect github.com/PaesslerAG/gval v1.0.0 // indirect github.com/aws/aws-sdk-go v1.54.6 // indirect - github.com/aws/aws-sdk-go-v2 v1.30.0 // indirect - github.com/aws/aws-sdk-go-v2/config v1.27.21 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.21 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect + github.com/aws/aws-sdk-go-v2 v1.30.1 // indirect + github.com/aws/aws-sdk-go-v2/config v1.27.24 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.24 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.34.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.21.1 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 // indirect - github.com/aws/smithy-go v1.20.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.35.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.22.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.30.1 // indirect + github.com/aws/smithy-go v1.20.3 // indirect 
github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chainguard-dev/slogctx v1.2.2 // indirect github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect github.com/felixge/httpsnoop v1.0.4 // indirect @@ -141,13 +141,13 @@ require ( go.opentelemetry.io/proto/otlp v1.2.0 // indirect go.uber.org/multierr v1.11.0 // indirect goa.design/goa v2.2.5+incompatible // indirect - golang.org/x/crypto v0.24.0 // indirect + golang.org/x/crypto v0.25.0 // indirect golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect - golang.org/x/net v0.26.0 // indirect + golang.org/x/net v0.27.0 // indirect golang.org/x/oauth2 v0.21.0 // indirect golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.21.0 // indirect - golang.org/x/term v0.21.0 // indirect + golang.org/x/sys v0.22.0 // indirect + golang.org/x/term v0.22.0 // indirect golang.org/x/text v0.16.0 // indirect golang.org/x/time v0.5.0 // indirect google.golang.org/genproto v0.0.0-20240624140628-dc46fd24d27d // indirect diff --git a/go.sum b/go.sum index 71424846b..771325014 100644 --- a/go.sum +++ b/go.sum 
@@ -13,8 +13,8 @@ cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2Qx cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/iam v1.1.8 h1:r7umDwhj+BQyz0ScZMp4QrGXjSTI3ZINnpgU2nlB/K0= cloud.google.com/go/iam v1.1.8/go.mod h1:GvE6lyMmfxXauzNq8NbgJbeVQNspG+tcdL/W8QO1+zE= -cloud.google.com/go/kms v1.18.0 h1:pqNdaVmZJFP+i8OVLocjfpdTWETTYa20FWOegSCdrRo= -cloud.google.com/go/kms v1.18.0/go.mod h1:DyRBeWD/pYBMeyiaXFa/DGNyxMDL3TslIKb8o/JkLkw= +cloud.google.com/go/kms v1.18.2 h1:EGgD0B9k9tOOkbPhYW1PHo2W0teamAUYMOUIcDRMfPk= +cloud.google.com/go/kms v1.18.2/go.mod h1:YFz1LYrnGsXARuRePL729oINmN5J/5e7nYijgvfiIeY= cloud.google.com/go/longrunning v0.5.7 h1:WLbHekDbjK1fVFD3ibpFFVoyizlLRl73I7YKuAKilhU= cloud.google.com/go/longrunning v0.5.7/go.mod h1:8GClkudohy1Fxm3owmBGid8W0pSgodEMwEAztp38Xng= cloud.google.com/go/security v1.17.2 h1:pEkUeR1PFNwoFAIXPMa4PBCYb75UT8LmNfjQy1fm/Co= 
@@ -46,34 +46,34 @@ github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.54.6 h1:HEYUib3yTt8E6vxjMWM3yAq5b+qjj/6aKA62mkgux9g= github.com/aws/aws-sdk-go v1.54.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= -github.com/aws/aws-sdk-go-v2 v1.30.0 h1:6qAwtzlfcTtcL8NHtbDQAqgM5s6NDipQTkPxyH/6kAA= -github.com/aws/aws-sdk-go-v2 v1.30.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= -github.com/aws/aws-sdk-go-v2/config v1.27.21 h1:yPX3pjGCe2hJsetlmGNB4Mngu7UPmvWPzzWCv1+boeM= -github.com/aws/aws-sdk-go-v2/config v1.27.21/go.mod h1:4XtlEU6DzNai8RMbjSF5MgGZtYvrhBP/aKZcRtZAVdM= -github.com/aws/aws-sdk-go-v2/credentials v1.17.21 h1:pjAqgzfgFhTv5grc7xPHtXCAaMapzmwA7aU+c/SZQGw= -github.com/aws/aws-sdk-go-v2/credentials v1.17.21/go.mod h1:nhK6PtBlfHTUDVmBLr1dg+WHCOCK+1Fu/WQyVHPsgNQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 h1:FR+oWPFb/8qMVYMWN98bUZAGqPvLHiyqg1wqQGfUAXY= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8/go.mod h1:EgSKcHiuuakEIxJcKGzVNWh5srVAQ3jKaSrBGRYvM48= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 h1:SJ04WXGTwnHlWIODtC5kJzKbeuHt+OUNOgKg7nfnUGw= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12/go.mod h1:FkpvXhA92gb3GE9LD6Og0pHHycTxW7xGpnEh5E7Opwo= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 h1:hb5KgeYfObi5MHkSSZMEudnIvX30iB+E21evI4r6BnQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12/go.mod h1:CroKe/eWJdyfy9Vx4rljP5wTUjNJfb+fPz1uMYUhEGM= +github.com/aws/aws-sdk-go-v2 v1.30.1 h1:4y/5Dvfrhd1MxRDD77SrfsDaj8kUkkljU7XE83NPV+o= +github.com/aws/aws-sdk-go-v2 v1.30.1/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc= +github.com/aws/aws-sdk-go-v2/config v1.27.24 h1:NM9XicZ5o1CBU/MZaHwFtimRpWx9ohAUAqkG6AqSqPo= +github.com/aws/aws-sdk-go-v2/config v1.27.24/go.mod 
h1:aXzi6QJTuQRVVusAO8/NxpdTeTyr/wRcybdDtfUwJSs= +github.com/aws/aws-sdk-go-v2/credentials v1.17.24 h1:YclAsrnb1/GTQNt2nzv+756Iw4mF8AOzcDfweWwwm/M= +github.com/aws/aws-sdk-go-v2/credentials v1.17.24/go.mod h1:Hld7tmnAkoBQdTMNYZGzztzKRdA4fCdn9L83LOoigac= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9 h1:Aznqksmd6Rfv2HQN9cpqIV/lQRMaIpJkLLaJ1ZI76no= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9/go.mod h1:WQr3MY7AxGNxaqAtsDWn+fBxmd4XvLkzeqQ8P1VM0/w= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 h1:5SAoZ4jYpGH4721ZNoS1znQrhOfZinOhc4XuTXx/nVc= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13/go.mod h1:+rdA6ZLpaSeM7tSg/B0IEDinCIBJGmW8rKDFkYpP04g= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 h1:WIijqeaAO7TYFLbhsZmi2rgLEAtWOC1LhxCAVTJlSKw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13/go.mod h1:i+kbfa76PQbWw/ULoWnp51EYVWH4ENln76fLQE3lXT8= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 h1:zSDPny/pVnkqABXYRicYuPf9z2bTqfH13HT3v6UheIk= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14/go.mod h1:3TTcI5JSzda1nw/pkVC9dhgLre0SNBFj2lYS4GctXKI= -github.com/aws/aws-sdk-go-v2/service/kms v1.34.1 h1:VsKBn6WADI3Nn3WjBMzeRww9WHXeVLi7zyuSrqjRCBQ= -github.com/aws/aws-sdk-go-v2/service/kms v1.34.1/go.mod h1:5F6kXrPBxv0l1t8EO44GuG4W82jGJwaRE0B+suEGnNY= -github.com/aws/aws-sdk-go-v2/service/sso v1.21.1 h1:sd0BsnAvLH8gsp2e3cbaIr+9D7T1xugueQ7V/zUAsS4= -github.com/aws/aws-sdk-go-v2/service/sso v1.21.1/go.mod 
h1:lcQG/MmxydijbeTOp04hIuJwXGWPZGI3bwdFDGRTv14= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1 h1:1uEFNNskK/I1KoZ9Q8wJxMz5V9jyBlsiaNrM7vA3YUQ= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1/go.mod h1:z0P8K+cBIsFXUr5rzo/psUeJ20XjPN0+Nn8067Nd+E4= -github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 h1:myX5CxqXE0QMZNja6FA1/FSE3Vu1rVmeUmpJMMzeZg0= -github.com/aws/aws-sdk-go-v2/service/sts v1.29.1/go.mod h1:N2mQiucsO0VwK9CYuS4/c2n6Smeh1v47Rz3dWCPFLdE= -github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= -github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 h1:dT3MqvGhSoaIhRseqw2I0yH81l7wiR2vjs57O51EAm8= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3/go.mod h1:GlAeCkHwugxdHaueRr4nhPuY+WW+gR8UjlcqzPr1SPI= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15 h1:I9zMeF107l0rJrpnHpjEiiTSCKYAIw8mALiXcPsGBiA= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15/go.mod h1:9xWJ3Q/S6Ojusz1UIkfycgD1mGirJfLLKqq3LPT7WN8= +github.com/aws/aws-sdk-go-v2/service/kms v1.35.1 h1:0gP2OJJT6HM2BYltZ9x+A87OE8LJL96DXeAAdLv3t1M= +github.com/aws/aws-sdk-go-v2/service/kms v1.35.1/go.mod h1:hGONorZkQCfR5DW6l2xdy7zC8vfO0r9pJlwyg6gmGeo= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.1 h1:p1GahKIjyMDZtiKoIn0/jAj/TkMzfzndDv5+zi2Mhgc= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.1/go.mod h1:/vWdhoIoYA5hYoPZ6fm7Sv4d8701PiG5VKe8/pPJL60= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2 h1:ORnrOK0C4WmYV/uYt3koHEWBLYsRDwk2Np+eEoyV4Z0= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2/go.mod h1:xyFHA4zGxgYkdD73VeezHt3vSKEG9EmFnGwoKlP00u4= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.1 h1:+woJ607dllHJQtsnJLi52ycuqHMwlW+Wqm2Ppsfp4nQ= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.1/go.mod h1:jiNR3JqT15Dm+QWq2SRgh0x0bCNSRP2L25+CqPNpJlQ= +github.com/aws/smithy-go v1.20.3 
h1:ryHwveWzPV5BIof6fyDvor6V3iUL7nTfiTKXHiW05nE= +github.com/aws/smithy-go v1.20.3/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -84,8 +84,8 @@ github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4r github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chainguard-dev/slogctx v1.2.2 h1:aDfTjasw/ApX0By8Nicl0C02oV/bXzBD8Dh7AG014ZM= github.com/chainguard-dev/slogctx v1.2.2/go.mod h1:+/TwogApSQPC+Umn9LF/T6my0KDml1XDAgpuSN/nwU4= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 
@@ -380,8 +380,8 @@ go.opentelemetry.io/otel/trace v1.27.0 h1:IqYb813p7cmbHk0a5y6pD5JPakbVfftRXABGt5 go.opentelemetry.io/otel/trace v1.27.0/go.mod h1:6RiD1hkAprV4/q+yd2ln1HG9GoPx39SuvvstaLBl+l4= go.opentelemetry.io/proto/otlp v1.2.0 h1:pVeZGk7nXDC9O2hncA6nHldxEjm6LByfA2aN8IOkz94= go.opentelemetry.io/proto/otlp v1.2.0/go.mod h1:gGpR8txAl5M03pDhMC79G6SdqNV26naRm/KDsgaHD8A= -go.step.sm/crypto v0.47.1 h1:XvqgWLA1OTJXkmkmD6QSDZrmGKP4flv3PEoau60htcU= -go.step.sm/crypto v0.47.1/go.mod h1:0fz8+Am8oIwfOJgr9HHf7MwTa7Gffliv35VxDrQqU0Y= +go.step.sm/crypto v0.50.0 h1:BqI9sEgocoHDLLHiZnFqdqXl5FjdMvOWKMm/fKL/lrw= +go.step.sm/crypto v0.50.0/go.mod h1:NCFMhLS6FJXQ9sD9PP282oHtsBWLrI6wXZY0eOkq7t8= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= @@ -399,8 +399,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= -golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o= golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= 
@@ -426,8 +426,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= +golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= 
@@ -455,15 +455,15 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= -golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= +golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= +golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= 
@@ -511,8 +511,8 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.64.1 h1:LKtvyfbX3UGVPFcGqJ9ItpVWW6oN/2XqTxfAnwRRXiA= -google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0= +google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= +google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From 2599f0131995698c0baad04dbf022b2d28db08ce Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 02:25:00 +0000 Subject: [PATCH 07/20] Bump actions/setup-go from 5.0.1 to 5.0.2 in the all group Bumps the all group with 1 update: [actions/setup-go](https://github.com/actions/setup-go). Updates `actions/setup-go` from 5.0.1 to 5.0.2 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/cdcb36043654635271a94b9a6d1392de5bb323a7...0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... 
Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/container-build.yml | 2 +- .github/workflows/main.yml | 2 +- .github/workflows/verify-k8s.yml | 4 ++-- .github/workflows/verify.yml | 6 +++--- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0b2371772..cb6398e21 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -45,7 +45,7 @@ jobs: # - name: Extract version of Go to use # run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV - - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: '1.22' check-latest: true diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml index 4a274b097..8f77d8f88 100644 --- a/.github/workflows/container-build.yml +++ b/.github/workflows/container-build.yml @@ -40,7 +40,7 @@ jobs: # - name: Extract version of Go to use # run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV - - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: '1.22' check-latest: true diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7ac7d0554..8b65fb8b8 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -35,7 +35,7 @@ jobs:
 # - name: Extract version of Go to use
 # run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: '1.22'
 check-latest: true
diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml
index 0e47b993f..a27efbb5c 100644
--- a/.github/workflows/verify-k8s.yml
+++ b/.github/workflows/verify-k8s.yml
@@ -31,7 +31,7 @@ jobs:
 # - name: Extract version of Go to use
 # run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: ${{ env.GOVERSION }}
 check-latest: true
@@ -75,7 +75,7 @@ jobs:
 # - name: Extract version of Go to use
 # run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: '1.22'
 check-latest: true
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index ec2722d9b..b3683b9eb 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -35,7 +35,7 @@ jobs:
 # - name: Extract version of Go to use
 # run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: '1.22'
 check-latest: true
@@ -62,7 +62,7 @@ jobs:
 # - name: Extract version of Go to use
 # run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: '1.22'
 check-latest: true
@@ -83,7 +83,7 @@ jobs:
 # - name: Extract version of Go to use
 # run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: '1.22'
 check-latest: true
From 9913099559afd53af5a6ae9cc123009cc50f9c59 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Jul 2024 02:49:46 +0000
Subject: [PATCH 08/20] Bump golang from `fcae9e0` to `829eff9`
Bumps golang from `fcae9e0` to `829eff9`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Dockerfile | 4 ++-- Dockerfile.ctfe_init | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 114c81034..693dfb897 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang:1.22.5@sha256:fcae9e0e7313c6467a7c6632ebb5e5fab99bd39bd5eb6ee34a211353e647827a AS builder
+FROM golang:1.22.5@sha256:829eff99a4b2abffe68f6a3847337bf6455d69d17e49ec1a97dac78834754bd6 AS builder
 ENV APP_ROOT=/opt/app-root
 ENV GOPATH=$APP_ROOT
@@ -28,7 +28,7 @@ RUN go build -o server main.go
 RUN CGO_ENABLED=1 go build -gcflags "all=-N -l" -o server_debug main.go
 # Multi-Stage production build
-FROM golang:1.22.5@sha256:fcae9e0e7313c6467a7c6632ebb5e5fab99bd39bd5eb6ee34a211353e647827a AS deploy
+FROM golang:1.22.5@sha256:829eff99a4b2abffe68f6a3847337bf6455d69d17e49ec1a97dac78834754bd6 AS deploy
 # Retrieve the binary from the previous stage
 COPY --from=builder /opt/app-root/src/server /usr/local/bin/fulcio-server
diff --git a/Dockerfile.ctfe_init b/Dockerfile.ctfe_init
index 29fba0577..d9b1ede41 100644
--- a/Dockerfile.ctfe_init
+++ b/Dockerfile.ctfe_init
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang:1.22.5@sha256:fcae9e0e7313c6467a7c6632ebb5e5fab99bd39bd5eb6ee34a211353e647827a AS builder
+FROM golang:1.22.5@sha256:829eff99a4b2abffe68f6a3847337bf6455d69d17e49ec1a97dac78834754bd6 AS builder
 WORKDIR /root/
From bdc2230859850b8281705b73cd0523ba8703627b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Jul 2024 02:55:07 +0000
Subject: [PATCH 09/20] Bump github.com/coreos/go-oidc/v3 from 3.10.0 to 3.11.0
Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.10.0 to 3.11.0. - [Release notes](https://github.com/coreos/go-oidc/releases) - [Commits](https://github.com/coreos/go-oidc/compare/v3.10.0...v3.11.0) --- updated-dependencies: - dependency-name: github.com/coreos/go-oidc/v3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 6cb570626..dd6a39d68 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require ( github.com/PaesslerAG/jsonpath v0.1.1 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d - github.com/coreos/go-oidc/v3 v3.10.0 + github.com/coreos/go-oidc/v3 v3.11.0 github.com/fsnotify/fsnotify v1.7.0 github.com/go-jose/go-jose/v4 v4.0.2 github.com/goadesign/goa v2.2.5+incompatible diff --git a/go.sum b/go.sum index 771325014..9dc61e8c0 100644 --- a/go.sum +++ b/go.sum @@ -92,8 +92,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= -github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU= -github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac= +github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI= +github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= From b879601e1aaf48de01f2997ba7be339377b7b93e Mon Sep 17 00:00:00 2001 
From: Javan Lacerda
Date: Mon, 15 Jul 2024 14:35:12 -0300
Subject: [PATCH 10/20] Move configuration to yaml format (#1720)
Migrate the configuration file from json to yaml Also removes the fulcio-config.yaml file that isn't used Concentrate the issuers and meta-issuers in a single file that can be found at config/identity/config.yaml Also removes the https://auth-staging.eclipse.org/realms/sigstore from the list of issuers, as it is unavailable. Removes the federation script as it has not been used, and switches over to a test that's run to check validity of the configuration. Ref #1111 Signed-off-by: Javan lacerda --- .github/workflows/verify-k8s.yml | 16 ++-- .github/workflows/verify.yml | 3 +- cmd/app/serve.go | 2 +- config/config.jsn | 35 -------- config/fulcio-config.yaml | 121 -------------------------- config/identity/config.yaml | 81 +++++++++++++++++ docker-compose.yml | 2 +- docs/oidc.md | 4 +- federation/main.go | 140 ------------------------------ pkg/config/config_network_test.go | 47 +++++++++- pkg/config/config_test.go | 15 +++- pkg/config/fulcio_config_test.go | 73 ++++++++++++++++ tools/loadtest/README.md | 2 +- 13 files changed, 223 insertions(+), 318 deletions(-) delete mode 100644 config/config.jsn delete mode 100644 config/fulcio-config.yaml create mode 100644 config/identity/config.yaml delete mode 100644 federation/main.go create mode 100644 pkg/config/fulcio_config_test.go
diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml
index a27efbb5c..e86859d01 100644
--- a/.github/workflows/verify-k8s.yml
+++ b/.github/workflows/verify-k8s.yml
@@ -52,12 +52,11 @@ jobs: include: - issuer: "OIDC Issuer" - issuer-config: | - "OIDCIssuers": {"https://kubernetes.default.svc": {"IssuerURL": "https://kubernetes.default.svc","ClientID": "sigstore","Type": "kubernetes"}} + issuer-config: + "oidc-issuers:\n https://kubernetes.default.svc:\n issuer-url: \"https://kubernetes.default.svc\"\n client-id: \"sigstore\"\n type: \"kubernetes\"" - issuer: "Meta Issuer" - issuer-config: | - "MetaIssuers": {"https://kubernetes.*.svc": {"ClientID": "sigstore","Type": "kubernetes"}} - + issuer-config: + "meta-issuers:\n https://kubernetes.*.svc: \n client-id: \"sigstore\"\n type: \"kubernetes\"" env: # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for # '*.local' hostnames. This works both for `ko` and our own tag-to-digest resolution logic,
@@ -124,10 +123,8 @@ jobs:
 name: fulcio-config
 namespace: fulcio-system
 data:
- config.json: |-
- {
- ${{ matrix.issuer-config }}
- }
+ config.yaml: |-
+ ${{ matrix.issuer-config }}
 server.yaml: |-
 host: 0.0.0.0
 port: 5555
@@ -139,7 +136,6 @@ jobs:
 ct-log-url: ""
 log_type: prod
 EOF - # Create secret needed to use fileca cat < config/fulcio-secret.yaml apiVersion: v1
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index b3683b9eb..14f6b0a53 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -91,5 +91,4 @@ jobs: - name: check-config
 run: |
 set -e
- go run federation/main.go
- git diff --exit-code
+ go test -timeout 30s -run ^TestLoadFulcioConfig$ github.com/sigstore/fulcio/pkg/config
diff --git a/cmd/app/serve.go b/cmd/app/serve.go
index de0b28194..016e42ba0 100644
--- a/cmd/app/serve.go
+++ b/cmd/app/serve.go
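Review bot: The new `issuer-config` matrix values carry multi-line YAML as `\n` escapes inside a double-quoted scalar, and the second hunk splices that value under `config.yaml: |-` via `${{ matrix.issuer-config }}`; whether the continuation lines (`https://kubernetes.default.svc:`, `issuer-url: …`) land at the indentation the block scalar needs is not visible in the collapsed hunk and is the kind of mistake that only surfaces at runtime. Keeping the value as a block scalar (`issuer-config: |`, as the removed JSON form did) makes the nesting reviewable in the workflow file itself, and the `https://kubernetes.*.svc: ` key in the meta-issuer value has a trailing space before `\n` that can simply be dropped. The first hunk is complete in this line but its enclosing `strategy` block starts outside it.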
@@ -87,7 +87,7 @@ func newServeCmd() *cobra.Command {
 cmd.Flags().String("hsm-caroot-id", "", "HSM ID for Root CA (only used with --ca pkcs11ca)")
 cmd.Flags().String("ct-log-url", "http://localhost:6962/test", "host and path (with log prefix at the end) to the ct log")
 cmd.Flags().String("ct-log-public-key-path", "", "Path to a PEM-encoded public key of the CT log, used to verify SCTs")
- cmd.Flags().String("config-path", "/etc/fulcio-config/config.json", "path to fulcio config json")
+ cmd.Flags().String("config-path", "/etc/fulcio-config/config.yaml", "path to fulcio config yaml")
 cmd.Flags().String("pkcs11-config-path", "config/crypto11.conf", "path to fulcio pkcs11 config file")
 cmd.Flags().String("fileca-cert", "", "Path to CA certificate")
 cmd.Flags().String("fileca-key", "", "Path to CA encrypted private key")
diff --git a/config/config.jsn b/config/config.jsn
deleted file mode 100644
index 27fae5423..000000000
--- a/config/config.jsn
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "OIDCIssuers": {
- "https://accounts.google.com": {
- "IssuerURL": "https://accounts.google.com",
- "ClientID": "sigstore",
- "Type": "email"
- },
- "https://oauth2.sigstore.dev/auth": {
- "IssuerURL": "https://oauth2.sigstore.dev/auth",
- "ClientID": "sigstore",
- "Type": "email"
- },
- "http://dex-idp:8888/auth": {
- "IssuerURL": "http://dex-idp:8888/auth",
- "ClientID": "fulcio",
- "IssuerClaim": "$.federated_claims.connector_id",
- "Type": "email"
- },
- "https://token.actions.githubusercontent.com": {
- "IssuerURL": "https://token.actions.githubusercontent.com",
- "ClientID": "sigstore",
- "Type": "github-workflow"
- },
- "https://oidc.codefresh.io": {
- "IssuerURL": "https://oidc.codefresh.io",
- "ClientID": "sigstore",
- "Type": "codefresh-workflow"
- },
- "https://issuer.enforce.dev": {
- "IssuerURL": "https://issuer.enforce.dev",
- "ClientID": "sigstore",
- "Type": "chainguard-identity"
- }
- }
-}
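Review bot: The help string for `--config-path` now reads "path to fulcio config yaml", but the `TestLoadJsonConfig` hunk in `pkg/config/config_network_test.go` shows `Load` still accepting a JSON file, so `"path to fulcio config (yaml or json)"` would be accurate. The `TestLoadDefaults` hunk also suggests a missing file at the configured path is not an error, which means a deployment that still mounts `config.json` at the old default would start with the built-in defaults rather than fail; a sentence in the flag help or the changelog noting that the default path changed from `config.json` to `config.yaml` would make that visible to operators. The enclosing `newServeCmd` starts and ends outside the hunk.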
diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml
deleted file mode 100644
index 0f7a0aded..000000000
--- a/config/fulcio-config.yaml
+++ /dev/null
@@ -1,121 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: v1 -data: - config.json: |- - { - "OIDCIssuers": { - "https://accounts.google.com": { - "IssuerURL": "https://accounts.google.com", - "ClientID": "sigstore", - "Type": "email" - }, - "https://agent.buildkite.com": { - "IssuerURL": "https://agent.buildkite.com", - "ClientID": "sigstore", - "Type": "buildkite-job" - }, - "https://allow.pub": { - "IssuerURL": "https://allow.pub", - "ClientID": "sigstore", - "Type": "spiffe", - "SPIFFETrustDomain": "allow.pub" - }, - "https://auth-staging.eclipse.org/realms/sigstore": { - "IssuerURL": "https://auth-staging.eclipse.org/realms/sigstore", - "ClientID": "sigstore", - "Type": "email" - }, - "https://auth.eclipse.org/auth/realms/sigstore": { - "IssuerURL": "https://auth.eclipse.org/auth/realms/sigstore", - "ClientID": "sigstore", - "Type": "email" - }, - "https://dev.gitlab.org": { - "IssuerURL": "https://dev.gitlab.org", - "ClientID": "sigstore", - "Type": "gitlab-pipeline" - }, - "https://gitlab.archlinux.org": { - "IssuerURL": "https://gitlab.archlinux.org", - "ClientID": "sigstore", - "Type": "gitlab-pipeline" - }, - "https://gitlab.com": { - "IssuerURL": "https://gitlab.com", - "ClientID": "sigstore", - "Type": "gitlab-pipeline" - }, - "https://issuer.enforce.dev": { - "IssuerURL": "https://issuer.enforce.dev", - "ClientID": "sigstore", - "Type": "chainguard-identity" - }, - 
"https://oauth2.sigstore.dev/auth": { - "IssuerURL": "https://oauth2.sigstore.dev/auth", - "ClientID": "sigstore", - "Type": "email", - "IssuerClaim": "$.federated_claims.connector_id" - }, - "https://oidc.codefresh.io": { - "IssuerURL": "https://oidc.codefresh.io", - "ClientID": "sigstore", - "Type": "codefresh-workflow" - }, - "https://ops.gitlab.net": { - "IssuerURL": "https://ops.gitlab.net", - "ClientID": "sigstore", - "Type": "gitlab-pipeline" - }, - "https://token.actions.githubusercontent.com": { - "IssuerURL": "https://token.actions.githubusercontent.com", - "ClientID": "sigstore", - "Type": "github-workflow" - } - }, - "MetaIssuers": { - "https://*.oic.prod-aks.azure.com/*": { - "ClientID": "sigstore", - "Type": "kubernetes" - }, - "https://container.googleapis.com/v1/projects/*/locations/*/clusters/*": { - "ClientID": "sigstore", - "Type": "kubernetes" - }, - "https://oidc.eks.*.amazonaws.com/id/*": { - "ClientID": "sigstore", - "Type": "kubernetes" - }, - "https://oidc.prod-aks.azure.com/*": { - "ClientID": "sigstore", - "Type": "kubernetes" - }, - "https://token.actions.githubusercontent.com/*": { - "ClientID": "sigstore", - "Type": "github-workflow" - } - } - } - server.yaml: |- - host: 0.0.0.0 - port: 5555 - grpc-port: 5554 - ca: googleca - ct-log-url: http://ct-log/test - log_type: prod -kind: ConfigMap -metadata: - name: fulcio-config - namespace: fulcio-system diff --git a/config/identity/config.yaml b/config/identity/config.yaml new file mode 100644 index 000000000..298d89c20 --- /dev/null +++ b/config/identity/config.yaml 
@@ -0,0 +1,81 @@
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+oidc-issuers:
+ https://accounts.google.com:
+ issuer-url: https://accounts.google.com
+ client-id: sigstore
+ type: email
+ https://agent.buildkite.com:
+ issuer-url: https://agent.buildkite.com
+ client-id: sigstore
+ type: buildkite-job
+ https://allow.pub:
+ issuer-url: https://allow.pub
+ client-id: sigstore
+ type: spiffe
+ spiffe-trust-domain: allow.pub
+ https://auth.eclipse.org/auth/realms/sigstore:
+ issuer-url: https://auth.eclipse.org/auth/realms/sigstore
+ client-id: sigstore
+ type: email
+ https://dev.gitlab.org:
+ issuer-url: https://dev.gitlab.org
+ client-id: sigstore
+ type: gitlab-pipeline
+ https://gitlab.archlinux.org:
+ issuer-url: https://gitlab.archlinux.org
+ client-id: sigstore
+ type: gitlab-pipeline
+ https://gitlab.com:
+ issuer-url: https://gitlab.com
+ client-id: sigstore
+ type: gitlab-pipeline
+ https://issuer.enforce.dev:
+ issuer-url: https://issuer.enforce.dev
+ client-id: sigstore
+ type: chainguard-identity
+ https://oauth2.sigstore.dev/auth:
+ issuer-url: https://oauth2.sigstore.dev/auth
+ client-id: sigstore
+ type: email
+ issuer-claim: $.federated_claims.connector_id
+ https://oidc.codefresh.io:
+ issuer-url: https://oidc.codefresh.io
+ client-id: sigstore
+ type: codefresh-workflow
+ https://ops.gitlab.net:
+ issuer-url: https://ops.gitlab.net
+ client-id: sigstore
+ type: gitlab-pipeline
+
https://token.actions.githubusercontent.com:
+ issuer-url: https://token.actions.githubusercontent.com
+ client-id: sigstore
+ type: github-workflow
+meta-issuers:
+ https://*.oic.prod-aks.azure.com/*:
+ client-id: sigstore
+ type: kubernetes
+ https://container.googleapis.com/v1/projects/*/locations/*/clusters/*:
+ client-id: sigstore
+ type: kubernetes
+ https://oidc.eks.*.amazonaws.com/id/*:
+ client-id: sigstore
+ type: kubernetes
+ https://oidc.prod-aks.azure.com/*:
+ client-id: sigstore
+ type: kubernetes
+ https://token.actions.githubusercontent.com/*:
+ client-id: sigstore
+ type: github-workflow
diff --git a/docker-compose.yml b/docker-compose.yml
index cee2a6410..a720943c9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -37,7 +37,7 @@ services: - "${FULCIO_METRICS_PORT:-2112}:2112" volumes: - ~/.config/gcloud:/root/.config/gcloud/:z # for GCP authentication
- - ${FULCIO_CONFIG:-./config/config.jsn}:/etc/fulcio-config/config.json:z
+ - ${FULCIO_CONFIG:-./config/identity/config.yaml}:/etc/fulcio-config/config.yaml:z
 healthcheck:
 test: ["CMD", "curl", "-f", "http://localhost:5555/healthz"]
 interval: 10s
diff --git a/docs/oidc.md b/docs/oidc.md
index d0907bfc9..a58bc4aad 100644
--- a/docs/oidc.md
+++ b/docs/oidc.md
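Review bot: The new file is now the single place the public-good issuer list is defined (the new `TestLoadFulcioConfig` says it is "reflected directly to the public good instance"), yet no entry records an owner or contact, which the `docs/oidc.md` bullet removed in this same commit says the old `federation` folder kept alongside the URL and type. If the loader tolerates extra keys, a `contact:` field per issuer that the test can assert non-empty is the better option; if it rejects unknown keys, a YAML comment such as `# contact: <owner address>` under each entry keeps the information reviewable without a schema change. Each `meta-issuers` glob is a trust decision of its own and the file gives no hint of what `*` may match, so a one-line comment above `meta-issuers:` pointing at the matcher in `pkg/config` would help the next reviewer. The hunk starts in the previous line.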
@@ -10,9 +10,7 @@ Sigstore runs a federated OIDC identity provider, Dex. Users authenticate to the
 To add a new OIDC issuer:
-* Add a file under the [`federation` folder](https://github.com/sigstore/fulcio/tree/main/federation) with the URL, new issuer type name, and contact ([example](https://github.com/sigstore/fulcio/blob/8975dfd/federation/agent.buildkite.com/config.yaml))
-* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/fulcio-config.yaml) by running `go run federation/main.go`
-* Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
+* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml) and to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
 * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503)
 * Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`.
 * Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62)
diff --git a/federation/main.go b/federation/main.go
deleted file mode 100644
index 7926f772a..000000000
--- a/federation/main.go
+++ /dev/null
@@ -1,140 +0,0 @@ -// Copyright 2021 The Sigstore Authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// - -package main - -import ( - "encoding/json" - "os" - "path/filepath" - - "github.com/sigstore/fulcio/pkg/config" - "gopkg.in/yaml.v3" -) - -var rootPaths = []string{"federation", "federation/external"} -var boilerPlate = `# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -` - -type federationConfig struct { - URL string - Type string - IssuerClaim string - SpiffeTrustDomain string -} - -func main() { - matches := []string{} - for _, rp := range rootPaths { - glob := filepath.Join(rp, "*/config.yaml") - globs, err := filepath.Glob(glob) - if err != nil { - panic(err) - } - matches = append(matches, globs...) 
- } - fulcioConfig := &config.FulcioConfig{ - OIDCIssuers: map[string]config.OIDCIssuer{}, - MetaIssuers: map[string]config.OIDCIssuer{ - // EKS Cluster OIDC issuers - "https://oidc.eks.*.amazonaws.com/id/*": { - ClientID: "sigstore", - Type: "kubernetes", - }, - // GKE Cluster OIDC issuers - "https://container.googleapis.com/v1/projects/*/locations/*/clusters/*": { - ClientID: "sigstore", - Type: "kubernetes", - }, - // AKS Cluster OIDC issuers - "https://oidc.prod-aks.azure.com/*": { - ClientID: "sigstore", - Type: "kubernetes", - }, - "https://*.oic.prod-aks.azure.com/*": { - ClientID: "sigstore", - Type: "kubernetes", - }, - // GitHub Actions OIDC unique enterprise issuers - "https://token.actions.githubusercontent.com/*": { - ClientID: "sigstore", - Type: "github-workflow", - }, - }, - } - for _, m := range matches { - b, err := os.ReadFile(m) - if err != nil { - panic(err) - } - cfg := federationConfig{} - if err := yaml.Unmarshal(b, &cfg); err != nil { - panic(err) - } - - fulcioCfg := config.OIDCIssuer{ - IssuerURL: cfg.URL, - ClientID: "sigstore", - Type: config.IssuerType(cfg.Type), - IssuerClaim: cfg.IssuerClaim, - } - if fulcioCfg.Type == config.IssuerTypeSpiffe { - fulcioCfg.SPIFFETrustDomain = cfg.SpiffeTrustDomain - } - fulcioConfig.OIDCIssuers[cfg.URL] = fulcioCfg - } - - m, err := json.MarshalIndent(fulcioConfig, "", " ") - if err != nil { - panic(err) - } - - // Update the yaml - yb, err := os.ReadFile("config/fulcio-config.yaml") - if err != nil { - panic(err) - } - - cm := map[string]interface{}{} - if err := yaml.Unmarshal(yb, &cm); err != nil { - panic(err) - } - data := cm["data"].(map[string]interface{}) - data["config.json"] = string(m) - - newYaml, err := yaml.Marshal(cm) - if err != nil { - panic(err) - } - - yamlWithBoilerplate := boilerPlate + string(newYaml) - - if err := os.WriteFile("config/fulcio-config.yaml", []byte(yamlWithBoilerplate), 0600); err != nil { - panic(err) - } -} 
diff --git a/pkg/config/config_network_test.go b/pkg/config/config_network_test.go
index 4e00720bf..00f139824 100644
--- a/pkg/config/config_network_test.go
+++ b/pkg/config/config_network_test.go
@@ -28,10 +28,51 @@ import (
 "github.com/sigstore/fulcio/pkg/certificate"
 )
-func TestLoad(t *testing.T) {
+func TestLoadYamlConfig(t *testing.T) {
+ td := t.TempDir()
+ cfgPath := filepath.Join(td, "config.yaml")
+ if err := os.WriteFile(cfgPath, []byte(validYamlCfg), 0644); err != nil {
+ t.Fatal(err)
+ }
+
+ cfg, err := Load(cfgPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+ got, ok := cfg.GetIssuer("https://accounts.google.com")
+ if !ok {
+ t.Error("expected true, got false")
+ }
+ if got.ClientID != "foo" {
+ t.Errorf("expected foo, got %s", got.ClientID)
+ }
+ if got.IssuerURL != "https://accounts.google.com" {
+ t.Errorf("expected https://accounts.google.com, got %s", got.IssuerURL)
+ }
+ if got := len(cfg.OIDCIssuers); got != 1 {
+ t.Errorf("expected 1 issuer, got %d", got)
+ }
+
+ got, ok = cfg.GetIssuer("https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER")
+ if !ok {
+ t.Error("expected true, got false")
+ }
+ if got.ClientID != "bar" {
+ t.Errorf("expected bar, got %s", got.ClientID)
+ }
+ if got.IssuerURL != "https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER" {
+ t.Errorf("expected https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER, got %s", got.IssuerURL)
+ }
+
+ if _, ok := cfg.GetIssuer("not_an_issuer"); ok {
+ t.Error("no error returned from an unconfigured issuer")
+ }
+}
+
+func TestLoadJsonConfig(t *testing.T) {
 td := t.TempDir()
 cfgPath := filepath.Join(td, "config.json")
- if err := os.WriteFile(cfgPath, []byte(validCfg), 0644); err != nil {
+ if err := os.WriteFile(cfgPath, []byte(validJSONCfg), 0644); err != nil {
 t.Fatal(err)
 }
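Review bot: `TestLoadYamlConfig` and `TestLoadJsonConfig` mix initialism styles with the fixtures they load (`validYamlCfg` and `validJSONCfg` in the `config_test.go` hunk); Go keeps initialisms in one case, so `TestLoadYAMLConfig`, `TestLoadJSONConfig` and `validYAMLCfg` would line up with `validJSONCfg`. In the new `TestLoadYamlConfig`, `if !ok { t.Error("expected true, got false") }` after each `cfg.GetIssuer` call lets the test run on into `got.ClientID`; `t.Fatal` is the right call there so a lookup miss is reported once rather than followed by misleading field mismatches (or a nil dereference, if `GetIssuer` returns a pointer, which is not visible here). The same `t.Error`-then-continue pattern appears in the `TestLoadFulcioConfig` hunk in `pkg/config/fulcio_config_test.go`.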
@@ -128,7 +169,7 @@ func TestLoadDefaults(t *testing.T) {
 td := t.TempDir()
 // Don't put anything here!
- cfgPath := filepath.Join(td, "config.json")
+ cfgPath := filepath.Join(td, "config.yaml")
 cfg, err := Load(cfgPath)
 if err != nil {
 t.Fatal(err)
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 390bd6f6b..042fe9b8f 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -27,7 +27,20 @@ import (
 "github.com/sigstore/fulcio/pkg/generated/protobuf"
 )
-var validCfg = `
+var validYamlCfg = `
+oidc-issuers:
+ https://accounts.google.com:
+ issuer-url: https://accounts.google.com
+ client-id: foo
+ type: email
+ challenge-claim: email
+meta-issuers:
+ https://oidc.eks.*.amazonaws.com/id/*:
+ client-id: bar
+ type: kubernetes
+`
+
+var validJSONCfg = `
 {
 "OIDCIssuers": {
 "https://accounts.google.com": {
diff --git a/pkg/config/fulcio_config_test.go b/pkg/config/fulcio_config_test.go
new file mode 100644
index 000000000..c0c464523
--- /dev/null
+++ b/pkg/config/fulcio_config_test.go
@@ -0,0 +1,73 @@
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+//go:build !hermetic
+
+package config
+
+import (
+ "os"
+ "path/filepath"
+ "runtime"
+ "testing"
+)
+
+// The config/identity/config.yaml is a config file that is reflected directly
+// to the public good instance.
+// This test checks that the config.yaml is valid and can be properly used
+// on the public good instance.
+func TestLoadFulcioConfig(t *testing.T) {
+ _, path, _, _ := runtime.Caller(0)
+ basepath := filepath.Dir(path)
+ b, err := os.ReadFile(basepath + "/../../config/identity/config.yaml")
+ if err != nil {
+ t.Errorf("read file: %v", err)
+ }
+
+ fulcioConfig, err := Read(b)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ for issuerURL := range fulcioConfig.OIDCIssuers {
+ got, ok := fulcioConfig.GetIssuer(issuerURL)
+ if !ok {
+ t.Error("expected true, got false")
+ }
+ if got.ClientID != "sigstore" {
+ t.Errorf("expected sigstore, got %s", got.ClientID)
+ }
+ if got.IssuerURL != issuerURL {
+ t.Errorf("expected %s, got %s", issuerURL, got.IssuerURL)
+ }
+ if string(got.Type) == "" {
+ t.Errorf("Issuer Type should not be empty")
+ }
+ if got.Type == IssuerTypeCIProvider {
+ if got.CIProvider == "" {
+ t.Errorf("Issuer CIProvider should not be empty when Type is ci-provider")
+ }
+ }
+ if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok {
+ t.Error("no error returned from an unconfigured issuer")
+ }
+ }
+
+ for _, metaIssuer :=
range fulcioConfig.MetaIssuers {
+ if metaIssuer.ClientID != "sigstore" {
+ t.Errorf("expected sigstore, got %s", metaIssuer.ClientID)
+ }
+ }
+}
diff --git a/tools/loadtest/README.md b/tools/loadtest/README.md
index 0e2af9930..1a5d7f014 100644
--- a/tools/loadtest/README.md
+++ b/tools/loadtest/README.md
@@ -24,7 +24,7 @@ Confirm a successful install with `locust -V`, which should print the version. Y
 ### Fetching identity token
-To fetch a certificate, you will need an OIDC token from one of the [OIDC issuers](https://github.com/sigstore/fulcio/blob/main/config/fulcio-config.yaml). One way is to fetch a token from Google. Note that you will need to install [`gcloud`](https://cloud.google.com/sdk/gcloud) and create a service account. A service account is necessary for the `--include-email` flag, which is needed to get an OIDC token with the correct format for Fulcio.
+To fetch a certificate, you will need an OIDC token from one of the [OIDC issuers](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). One way is to fetch a token from Google. Note that you will need to install [`gcloud`](https://cloud.google.com/sdk/gcloud) and create a service account. A service account is necessary for the `--include-email` flag, which is needed to get an OIDC token with the correct format for Fulcio.
 Run the following command, and record the output:
From 90320297c0f0ddd627dfd283d5fab6a906780172 Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Tue, 2 Jul 2024 20:29:50 +0000
Subject: [PATCH 11/20] move fulcio config from json to yaml
Signed-off-by: Javan lacerda --- config/fulcio-config.yaml | 125 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 config/fulcio-config.yaml
diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml
new file mode 100644
index 000000000..ad3056695
--- /dev/null
+++ b/config/fulcio-config.yaml
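Review bot: `t.Errorf("read file: %v", err)` after `os.ReadFile` does not stop the test, so a missing or unreadable `config/identity/config.yaml` continues into `Read(b)` with a nil slice and the failure is reported as whatever `Read` says instead of the read error; `t.Fatalf("read file: %v", err)` is the right call. The path is built with `basepath + "/../../config/identity/config.yaml"`; `filepath.Join(basepath, "..", "..", "config", "identity", "config.yaml")` is the idiomatic form and matches the `filepath.Join` the sibling tests already use. The `not_an_issuer` probe sits inside the `for issuerURL` loop and is repeated once per issuer; it belongs after the loop. Because the `verify.yml` hunk in this commit runs only this test as the config gate, it would also be worth asserting that `OIDCIssuers` and `MetaIssuers` are non-empty so an empty or mis-indented file cannot pass vacuously. The function starts in the previous line.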
@@ -0,0 +1,125 @@
+#
+# Copyright 2021 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+data:
+ config.yaml: |-
+ oidc-issuers:
+ https://accounts.google.com:
+ issuer-url: https://accounts.google.com
+ client-id: sigstore
+ type: email
+ contact: tac@sigstore.dev
+ description: "Google OIDC auth"
+ https://agent.buildkite.com:
+ issuer-url: https://agent.buildkite.com
+ client-id: sigstore
+ type: buildkite-job
+ contact: support@buildkite.com
+ description: "Buildkite Agent OIDC tokens for job identity"
+ https://allow.pub:
+ issuer-url: https://allow.pub
+ client-id: sigstore
+ type: spiffe
+ spiffe-trust-domain: allow.pub
+ contact: evan@phx.io
+ description: "Server side signing support for the OCI registry vcr.pub"
+ https://auth-staging.eclipse.org/realms/sigstore:
+ issuer-url: https://auth-staging.eclipse.org/realms/sigstore
+ client-id: sigstore
+ type: email
+ contact: security@eclipse-foundation.org
+ description: "Eclipse Foundation Staging OIDC provider"
+ https://auth.eclipse.org/auth/realms/sigstore:
+ issuer-url: https://auth.eclipse.org/auth/realms/sigstore
+ client-id: sigstore
+ type: email
+ contact: security@eclipse-foundation.org
+ description: "Eclipse Foundation Production OIDC provider"
+ https://dev.gitlab.org:
+ issuer-url: https://dev.gitlab.org
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: distribution-be@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
+ 
https://gitlab.archlinux.org:
+ issuer-url: https://gitlab.archlinux.org
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: sigstore@archlinux.org
+ description: "GitLab OIDC tokens for job identity"
+ https://gitlab.com:
+ issuer-url: https://gitlab.com
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: support@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
+ https://issuer.enforce.dev:
+ issuer-url: https://issuer.enforce.dev
+ client-id: sigstore
+ type: chainguard-identity
+ contact: mattmoor@chainguard.dev
+ description: "Chainguard identity tokens"
+ https://oauth2.sigstore.dev/auth:
+ issuer-url: https://oauth2.sigstore.dev/auth
+ client-id: sigstore
+ type: email
+ issuer-claim: $.federated_claims.connector_id
+ contact: tac@sigstore.dev
+ description: "dex address for fulcio"
+ https://oidc.codefresh.io:
+ issuer-url: https://oidc.codefresh.io
+ client-id: sigstore
+ type: codefresh-workflow
+ contact: support@codefresh.io
+ description: "Codefresh OIDC tokens for job identity"
+ https://ops.gitlab.net:
+ issuer-url: https://ops.gitlab.net
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: distribution-be@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
+ https://token.actions.githubusercontent.com:
+ issuer-url: https://token.actions.githubusercontent.com
+ client-id: sigstore
+ type: github-workflow
+ contact: tac@sigstore.dev
+ description: "GitHub Actions OIDC auth"
+ meta-issuers:
+ https://*.oic.prod-aks.azure.com/*:
+ client-id: sigstore
+ type: kubernetes
+ https://container.googleapis.com/v1/projects/*/locations/*/clusters/*:
+ client-id: sigstore
+ type: kubernetes
+ https://oidc.eks.*.amazonaws.com/id/*:
+ client-id: sigstore
+ type: kubernetes
+ https://oidc.prod-aks.azure.com/*:
+ client-id: sigstore
+ type: kubernetes
+ https://token.actions.githubusercontent.com/*:
+ client-id: sigstore
+ type: github-workflow
+ server.yaml: |-
+ host: 0.0.0.0
+ port: 5555
+ grpc-port: 5554
+ ca: googleca
+ 
ct-log-url: http://ct-log/test
+ log_type: prod
+kind: ConfigMap
+metadata:
+ name: fulcio-config
+ namespace: fulcio-system
From 4084cbe7690cb33f2ad225e718177ceb773852c5 Mon Sep 17 00:00:00 2001
From: Javan lacerda Date: Mon, 8 Jul 2024 19:54:35 +0000 Subject: [PATCH 12/20] move fulcio-config to a new file Signed-off-by: Javan lacerda
--- config/config.yaml | 97 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 config/config.yaml
diff --git a/config/config.yaml b/config/config.yaml
new file mode 100644
index 000000000..9226a85ba
--- /dev/null
+++ b/config/config.yaml
@@ -0,0 +1,97 @@
+oidc-issuers:
+ https://accounts.google.com:
+ issuer-url: https://accounts.google.com
+ client-id: sigstore
+ type: email
+ contact: tac@sigstore.dev
+ description: "Google OIDC auth"
+ https://agent.buildkite.com:
+ issuer-url: https://agent.buildkite.com
+ client-id: sigstore
+ type: buildkite-job
+ contact: support@buildkite.com
+ description: "Buildkite Agent OIDC tokens for job identity"
+ https://allow.pub:
+ issuer-url: https://allow.pub
+ client-id: sigstore
+ type: spiffe
+ spiffe-trust-domain: allow.pub
+ contact: evan@phx.io
+ description: "Server side signing support for the OCI registry vcr.pub"
+ https://auth-staging.eclipse.org/realms/sigstore:
+ issuer-url: https://auth-staging.eclipse.org/realms/sigstore
+ client-id: sigstore
+ type: email
+ contact: security@eclipse-foundation.org
+ description: "Eclipse Foundation Staging OIDC provider"
+ https://auth.eclipse.org/auth/realms/sigstore:
+ issuer-url: https://auth.eclipse.org/auth/realms/sigstore
+ client-id: sigstore
+ type: email
+ contact: security@eclipse-foundation.org
+ description: "Eclipse Foundation Production OIDC provider"
+ https://dev.gitlab.org:
+ issuer-url: https://dev.gitlab.org
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: distribution-be@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
+ https://gitlab.archlinux.org:
+ issuer-url: https://gitlab.archlinux.org
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: sigstore@archlinux.org
+ description: "GitLab OIDC tokens for job identity"
+ https://gitlab.com:
+ issuer-url: https://gitlab.com
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: support@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
+ https://issuer.enforce.dev:
+ issuer-url: https://issuer.enforce.dev
+ client-id: sigstore
+ type: chainguard-identity
+ contact: mattmoor@chainguard.dev
+ description: "Chainguard identity tokens"
+ https://oauth2.sigstore.dev/auth:
+ issuer-url: 
https://oauth2.sigstore.dev/auth
+ client-id: sigstore
+ type: email
+ issuer-claim: $.federated_claims.connector_id
+ contact: tac@sigstore.dev
+ description: "dex address for fulcio"
+ https://oidc.codefresh.io:
+ issuer-url: https://oidc.codefresh.io
+ client-id: sigstore
+ type: codefresh-workflow
+ contact: support@codefresh.io
+ description: "Codefresh OIDC tokens for job identity"
+ https://ops.gitlab.net:
+ issuer-url: https://ops.gitlab.net
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: distribution-be@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
+ https://token.actions.githubusercontent.com:
+ issuer-url: https://token.actions.githubusercontent.com
+ client-id: sigstore
+ type: github-workflow
+ contact: tac@sigstore.dev
+ description: "GitHub Actions OIDC auth"
+meta-issuers:
+ https://*.oic.prod-aks.azure.com/*:
+ client-id: sigstore
+ type: kubernetes
+ https://container.googleapis.com/v1/projects/*/locations/*/clusters/*:
+ client-id: sigstore
+ type: kubernetes
+ https://oidc.eks.*.amazonaws.com/id/*:
+ client-id: sigstore
+ type: kubernetes
+ https://oidc.prod-aks.azure.com/*:
+ client-id: sigstore
+ type: kubernetes
+ https://token.actions.githubusercontent.com/*:
+ client-id: sigstore
+ type: github-workflow
\ No newline at end of file
From 8491ca497c916f29c2ded43507f1df9fa7bef84f Mon Sep 17 00:00:00 2001
From: Javan lacerda Date: Mon, 8 Jul 2024 20:08:17 +0000 Subject: [PATCH 13/20] updating test for check-config workflow Signed-off-by: Javan lacerda
--- config/config.yaml | 40 ++++++++++++++-------------------- 1 file changed, 14 insertions(+), 26 deletions(-)
diff --git a/config/config.yaml b/config/config.yaml
index 9226a85ba..189503bd9 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -1,84 +1,72 @@ +# Copyright 2024 The Sigstore Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + oidc-issuers: https://accounts.google.com: issuer-url: https://accounts.google.com client-id: sigstore type: email - contact: tac@sigstore.dev - description: "Google OIDC auth" https://agent.buildkite.com: issuer-url: https://agent.buildkite.com client-id: sigstore type: buildkite-job - contact: support@buildkite.com - description: "Buildkite Agent OIDC tokens for job identity" https://allow.pub: issuer-url: https://allow.pub client-id: sigstore type: spiffe spiffe-trust-domain: allow.pub - contact: evan@phx.io - description: "Server side signing support for the OCI registry vcr.pub" https://auth-staging.eclipse.org/realms/sigstore: issuer-url: https://auth-staging.eclipse.org/realms/sigstore client-id: sigstore type: email - contact: security@eclipse-foundation.org - description: "Eclipse Foundation Staging OIDC provider" https://auth.eclipse.org/auth/realms/sigstore: issuer-url: https://auth.eclipse.org/auth/realms/sigstore client-id: sigstore type: email - contact: security@eclipse-foundation.org - description: "Eclipse Foundation Production OIDC provider" https://dev.gitlab.org: issuer-url: https://dev.gitlab.org client-id: sigstore type: gitlab-pipeline - contact: distribution-be@gitlab.com - description: "GitLab OIDC tokens for job identity" https://gitlab.archlinux.org: issuer-url: https://gitlab.archlinux.org client-id: sigstore type: gitlab-pipeline - 
contact: sigstore@archlinux.org - description: "GitLab OIDC tokens for job identity" https://gitlab.com: issuer-url: https://gitlab.com client-id: sigstore type: gitlab-pipeline - contact: support@gitlab.com - description: "GitLab OIDC tokens for job identity" https://issuer.enforce.dev: issuer-url: https://issuer.enforce.dev client-id: sigstore type: chainguard-identity - contact: mattmoor@chainguard.dev - description: "Chainguard identity tokens" https://oauth2.sigstore.dev/auth: issuer-url: https://oauth2.sigstore.dev/auth client-id: sigstore type: email issuer-claim: $.federated_claims.connector_id - contact: tac@sigstore.dev - description: "dex address for fulcio" https://oidc.codefresh.io: issuer-url: https://oidc.codefresh.io client-id: sigstore type: codefresh-workflow - contact: support@codefresh.io - description: "Codefresh OIDC tokens for job identity" https://ops.gitlab.net: issuer-url: https://ops.gitlab.net client-id: sigstore type: gitlab-pipeline - contact: distribution-be@gitlab.com - description: "GitLab OIDC tokens for job identity" https://token.actions.githubusercontent.com: issuer-url: https://token.actions.githubusercontent.com client-id: sigstore type: github-workflow - contact: tac@sigstore.dev - description: "GitHub Actions OIDC auth" meta-issuers: https://*.oic.prod-aks.azure.com/*: client-id: sigstore From c3b6254cff6d96223a80c20e85e8f79127f4f28a Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Wed, 10 Jul 2024 14:41:09 +0000 Subject: [PATCH 14/20] set verify k8s workflow for get configg directly Signed-off-by: Javan lacerda --- config/config.yaml | 85 -------------------------- config/fulcio-config.yaml | 125 -------------------------------------- 2 files changed, 210 deletions(-) delete mode 100644 config/config.yaml delete mode 100644 config/fulcio-config.yaml diff --git a/config/config.yaml b/config/config.yaml deleted file mode 100644 index 189503bd9..000000000 --- a/config/config.yaml +++ /dev/null 
@@ -1,85 +0,0 @@
-# Copyright 2024 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-oidc-issuers:
- https://accounts.google.com:
- issuer-url: https://accounts.google.com
- client-id: sigstore
- type: email
- https://agent.buildkite.com:
- issuer-url: https://agent.buildkite.com
- client-id: sigstore
- type: buildkite-job
- https://allow.pub:
- issuer-url: https://allow.pub
- client-id: sigstore
- type: spiffe
- spiffe-trust-domain: allow.pub
- https://auth-staging.eclipse.org/realms/sigstore:
- issuer-url: https://auth-staging.eclipse.org/realms/sigstore
- client-id: sigstore
- type: email
- https://auth.eclipse.org/auth/realms/sigstore:
- issuer-url: https://auth.eclipse.org/auth/realms/sigstore
- client-id: sigstore
- type: email
- https://dev.gitlab.org:
- issuer-url: https://dev.gitlab.org
- client-id: sigstore
- type: gitlab-pipeline
- https://gitlab.archlinux.org:
- issuer-url: https://gitlab.archlinux.org
- client-id: sigstore
- type: gitlab-pipeline
- https://gitlab.com:
- issuer-url: https://gitlab.com
- client-id: sigstore
- type: gitlab-pipeline
- https://issuer.enforce.dev:
- issuer-url: https://issuer.enforce.dev
- client-id: sigstore
- type: chainguard-identity
- https://oauth2.sigstore.dev/auth:
- issuer-url: https://oauth2.sigstore.dev/auth
- client-id: sigstore
- type: email
- issuer-claim: $.federated_claims.connector_id
- https://oidc.codefresh.io:
- issuer-url: https://oidc.codefresh.io
- client-id: sigstore
- type: 
codefresh-workflow
- https://ops.gitlab.net:
- issuer-url: https://ops.gitlab.net
- client-id: sigstore
- type: gitlab-pipeline
- https://token.actions.githubusercontent.com:
- issuer-url: https://token.actions.githubusercontent.com
- client-id: sigstore
- type: github-workflow
-meta-issuers:
- https://*.oic.prod-aks.azure.com/*:
- client-id: sigstore
- type: kubernetes
- https://container.googleapis.com/v1/projects/*/locations/*/clusters/*:
- client-id: sigstore
- type: kubernetes
- https://oidc.eks.*.amazonaws.com/id/*:
- client-id: sigstore
- type: kubernetes
- https://oidc.prod-aks.azure.com/*:
- client-id: sigstore
- type: kubernetes
- https://token.actions.githubusercontent.com/*:
- client-id: sigstore
- type: github-workflow
\ No newline at end of file
diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml
deleted file mode 100644
index ad3056695..000000000
--- a/config/fulcio-config.yaml
+++ /dev/null
@@ -1,125 +0,0 @@
-#
-# Copyright 2021 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-apiVersion: v1
-data:
- config.yaml: |-
- oidc-issuers:
- https://accounts.google.com:
- issuer-url: https://accounts.google.com
- client-id: sigstore
- type: email
- contact: tac@sigstore.dev
- description: "Google OIDC auth"
- https://agent.buildkite.com:
- issuer-url: https://agent.buildkite.com
- client-id: sigstore
- type: buildkite-job
- contact: support@buildkite.com
- description: "Buildkite Agent OIDC tokens for job identity"
- https://allow.pub:
- issuer-url: https://allow.pub
- client-id: sigstore
- type: spiffe
- spiffe-trust-domain: allow.pub
- contact: evan@phx.io
- description: "Server side signing support for the OCI registry vcr.pub"
- https://auth-staging.eclipse.org/realms/sigstore:
- issuer-url: https://auth-staging.eclipse.org/realms/sigstore
- client-id: sigstore
- type: email
- contact: security@eclipse-foundation.org
- description: "Eclipse Foundation Staging OIDC provider"
- https://auth.eclipse.org/auth/realms/sigstore:
- issuer-url: https://auth.eclipse.org/auth/realms/sigstore
- client-id: sigstore
- type: email
- contact: security@eclipse-foundation.org
- description: "Eclipse Foundation Production OIDC provider"
- https://dev.gitlab.org:
- issuer-url: https://dev.gitlab.org
- client-id: sigstore
- type: gitlab-pipeline
- contact: distribution-be@gitlab.com
- description: "GitLab OIDC tokens for job identity"
- 
https://gitlab.archlinux.org:
- issuer-url: https://gitlab.archlinux.org
- client-id: sigstore
- type: gitlab-pipeline
- contact: sigstore@archlinux.org
- description: "GitLab OIDC tokens for job identity"
- https://gitlab.com:
- issuer-url: https://gitlab.com
- client-id: sigstore
- type: gitlab-pipeline
- contact: support@gitlab.com
- description: "GitLab OIDC tokens for job identity"
- https://issuer.enforce.dev:
- issuer-url: https://issuer.enforce.dev
- client-id: sigstore
- type: chainguard-identity
- contact: mattmoor@chainguard.dev
- description: "Chainguard identity tokens"
- https://oauth2.sigstore.dev/auth:
- issuer-url: https://oauth2.sigstore.dev/auth
- client-id: sigstore
- type: email
- issuer-claim: $.federated_claims.connector_id
- contact: tac@sigstore.dev
- description: "dex address for fulcio"
- https://oidc.codefresh.io:
- issuer-url: https://oidc.codefresh.io
- client-id: sigstore
- type: codefresh-workflow
- contact: support@codefresh.io
- description: "Codefresh OIDC tokens for job identity"
- https://ops.gitlab.net:
- issuer-url: https://ops.gitlab.net
- client-id: sigstore
- type: gitlab-pipeline
- contact: distribution-be@gitlab.com
- description: "GitLab OIDC tokens for job identity"
- https://token.actions.githubusercontent.com:
- issuer-url: https://token.actions.githubusercontent.com
- client-id: sigstore
- type: github-workflow
- contact: tac@sigstore.dev
- description: "GitHub Actions OIDC auth"
- meta-issuers:
- https://*.oic.prod-aks.azure.com/*:
- client-id: sigstore
- type: kubernetes
- https://container.googleapis.com/v1/projects/*/locations/*/clusters/*:
- client-id: sigstore
- type: kubernetes
- https://oidc.eks.*.amazonaws.com/id/*:
- client-id: sigstore
- type: kubernetes
- https://oidc.prod-aks.azure.com/*:
- client-id: sigstore
- type: kubernetes
- https://token.actions.githubusercontent.com/*:
- client-id: sigstore
- type: github-workflow
- server.yaml: |-
- host: 0.0.0.0
- port: 5555
- grpc-port: 5554
- ca: googleca
- 
ct-log-url: http://ct-log/test
- log_type: prod
-kind: ConfigMap
-metadata:
- name: fulcio-config
- namespace: fulcio-system
From 0e8a7471a3bad1dbaaef1d5dc4f383f5f5dd37d6 Mon Sep 17 00:00:00 2001
From: Javan lacerda Date: Wed, 10 Jul 2024 21:33:34 +0000 Subject: [PATCH 15/20] remove federation, add contact, description
Signed-off-by: Javan lacerda --- config/identity/config.yaml | 25 +++++++++++++++++++ federation/README.md | 23 ----------------- federation/accounts.google.com/config.yaml | 18 ------------- federation/agent.buildkite.com/config.yaml | 18 ------------- .../auth-staging.eclipse.org/config.yaml | 18 ------------- federation/auth.eclipse.org/config.yaml | 18 ------------- federation/dev.gitlab.org/config.yaml | 18 ------------- federation/external/allow.pub/config.yaml | 19 -------------- federation/gitlab.archlinux.org/config.yaml | 18 ------------- federation/gitlab.com/config.yaml | 18 ------------- federation/issuer.enforce.dev/config.yaml | 19 -------------- federation/oauth2.sigstore.dev/config.yaml | 19 -------------- federation/oidc.codefresh.io/config.yaml | 18 ------------- federation/ops.gitlab.net/config.yaml | 18 ------------- .../config.yaml | 18 ------------- pkg/config/config.go | 5 ++++ 16 files changed, 30 insertions(+), 260 deletions(-) delete mode 100644 federation/README.md delete mode 100644 federation/accounts.google.com/config.yaml delete mode 100644 federation/agent.buildkite.com/config.yaml delete mode 100644 federation/auth-staging.eclipse.org/config.yaml delete mode 100644 federation/auth.eclipse.org/config.yaml delete mode 100644 federation/dev.gitlab.org/config.yaml delete mode 100644 federation/external/allow.pub/config.yaml delete mode 100644 federation/gitlab.archlinux.org/config.yaml delete mode 100644 federation/gitlab.com/config.yaml delete mode 100644 federation/issuer.enforce.dev/config.yaml delete mode 100644 federation/oauth2.sigstore.dev/config.yaml delete mode 100644 federation/oidc.codefresh.io/config.yaml delete mode 100644 federation/ops.gitlab.net/config.yaml delete mode 100644 federation/token.actions.githubusercontent.com/config.yaml diff --git a/config/identity/config.yaml b/config/identity/config.yaml index 298d89c20..ecbfd64d6 100644 --- a/config/identity/config.yaml +++ b/config/identity/config.yaml 
@@ -17,52 +17,76 @@ oidc-issuers: issuer-url: https://accounts.google.com client-id: sigstore type: email + contact: tac@sigstore.dev + description: "Google OIDC auth" https://agent.buildkite.com: issuer-url: https://agent.buildkite.com client-id: sigstore type: buildkite-job + contact: support@buildkite.com + description: "Buildkite Agent OIDC tokens for job identity" https://allow.pub: issuer-url: https://allow.pub client-id: sigstore type: spiffe spiffe-trust-domain: allow.pub + contact: evan@phx.io + description: "Server side signing support for the OCI registry vcr.pub" https://auth.eclipse.org/auth/realms/sigstore: issuer-url: https://auth.eclipse.org/auth/realms/sigstore client-id: sigstore type: email + contact: security@eclipse-foundation.org + description: "Eclipse Foundation Production OIDC provider" https://dev.gitlab.org: issuer-url: https://dev.gitlab.org client-id: sigstore type: gitlab-pipeline + contact: distribution-be@gitlab.com + description: "GitLab OIDC tokens for job identity" https://gitlab.archlinux.org: issuer-url: https://gitlab.archlinux.org client-id: sigstore type: gitlab-pipeline + contact: sigstore@archlinux.org + description: "GitLab OIDC tokens for job identity" https://gitlab.com: issuer-url: https://gitlab.com client-id: sigstore type: gitlab-pipeline + contact: support@gitlab.com + description: "GitLab OIDC tokens for job identity" https://issuer.enforce.dev: issuer-url: https://issuer.enforce.dev client-id: sigstore type: chainguard-identity + contact: mattmoor@chainguard.dev + description: "Chainguard identity tokens" https://oauth2.sigstore.dev/auth: issuer-url: https://oauth2.sigstore.dev/auth client-id: sigstore type: email issuer-claim: $.federated_claims.connector_id + contact: tac@sigstore.dev + description: "dex address for fulcio" https://oidc.codefresh.io: issuer-url: https://oidc.codefresh.io client-id: sigstore type: codefresh-workflow + contact: support@codefresh.io + description: "Codefresh OIDC tokens for job 
identity" https://ops.gitlab.net: issuer-url: https://ops.gitlab.net client-id: sigstore type: gitlab-pipeline + contact: distribution-be@gitlab.com + description: "GitLab OIDC tokens for job identity" https://token.actions.githubusercontent.com: issuer-url: https://token.actions.githubusercontent.com client-id: sigstore type: github-workflow + contact: tac@sigstore.dev + description: "GitHub Actions OIDC auth" meta-issuers: https://*.oic.prod-aks.azure.com/*: client-id: sigstore @@ -79,3 +103,4 @@ meta-issuers: https://token.actions.githubusercontent.com/*: client-id: sigstore type: github-workflow + diff --git a/federation/README.md b/federation/README.md deleted file mode 100644 index 3d9e575cd..000000000 --- a/federation/README.md +++ /dev/null @@ -1,23 +0,0 @@ -# OIDC Federation Configs - -This directory contains configurations for individual OIDC endpoints that the public good instance of Fulcio should accept identity tokens from. - -## Usage - -To update the k8s `ConfigMap`, run `go run federation/main.go` from the root directory of this repository. - -## Adding New Entries - -We'll happily accept new entries here in the form of a pull request! -Open one up with your endpoint, filling in a directory and a `config.yaml` with the following structure: - -```yaml -url: -contact: -description: -type: -``` - -You'll then have to regenerate the ConfigMap with `go run federation/main.go`, and then send your PR. - -We'll discuss your use-case with you over the pull request, and merge! diff --git a/federation/accounts.google.com/config.yaml b/federation/accounts.google.com/config.yaml deleted file mode 100644 index b21c89a31..000000000 --- a/federation/accounts.google.com/config.yaml +++ /dev/null 
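Review bot: The consolidation leaves the Eclipse staging issuer with no home: `federation/auth-staging.eclipse.org/config.yaml` is deleted in this commit, yet the `config/identity/config.yaml` hunk runs straight from `https://allow.pub` to `https://auth.eclipse.org/auth/realms/sigstore` on both sides, so `https://auth-staging.eclipse.org/realms/sigstore` and its `security@eclipse-foundation.org` contact are carried nowhere. Because this file is the allowlist the public-good instance trusts, either retiring that issuer should be stated in the commit message, or an `email`-type entry mirroring the deleted file belongs here. The `# TODO(mattmoor): Change to a group.` caveat on the issuer.enforce.dev contact in the deleted federation file is also lost; a YAML comment above `contact: mattmoor@chainguard.dev` would preserve it. The second hunk (`@@ -79,3 +103,4 @@`) only appends a blank line at end of file.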
@@ -1,18 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://accounts.google.com
-contact: tac@sigstore.dev
-description: "Google OIDC auth"
-type: "email"
diff --git a/federation/agent.buildkite.com/config.yaml b/federation/agent.buildkite.com/config.yaml
deleted file mode 100644
index bc1d46425..000000000
--- a/federation/agent.buildkite.com/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://agent.buildkite.com
-contact: support@buildkite.com
-description: "Buildkite Agent OIDC tokens for job identity"
-type: "buildkite-job"
diff --git a/federation/auth-staging.eclipse.org/config.yaml b/federation/auth-staging.eclipse.org/config.yaml
deleted file mode 100644
index 11c0f91cb..000000000
--- a/federation/auth-staging.eclipse.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://auth-staging.eclipse.org/realms/sigstore
-contact: security@eclipse-foundation.org
-description: "Eclipse Foundation Staging OIDC provider"
-type: "email"
diff --git a/federation/auth.eclipse.org/config.yaml b/federation/auth.eclipse.org/config.yaml
deleted file mode 100644
index be7a4b2d5..000000000
--- a/federation/auth.eclipse.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://auth.eclipse.org/auth/realms/sigstore
-contact: security@eclipse-foundation.org
-description: "Eclipse Foundation Production OIDC provider"
-type: "email"
diff --git a/federation/dev.gitlab.org/config.yaml b/federation/dev.gitlab.org/config.yaml
deleted file mode 100644
index 1fe70bccc..000000000
--- a/federation/dev.gitlab.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://dev.gitlab.org
-contact: distribution-be@gitlab.com
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/external/allow.pub/config.yaml b/federation/external/allow.pub/config.yaml
deleted file mode 100644
index 69b164896..000000000
--- a/federation/external/allow.pub/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://allow.pub
-contact: evan@phx.io
-description: "Server side signing support for the OCI registry vcr.pub"
-type: "spiffe"
-spiffetrustdomain: "allow.pub"
diff --git a/federation/gitlab.archlinux.org/config.yaml b/federation/gitlab.archlinux.org/config.yaml
deleted file mode 100644
index e7796b0b0..000000000
--- a/federation/gitlab.archlinux.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://gitlab.archlinux.org
-contact: sigstore@archlinux.org
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/gitlab.com/config.yaml b/federation/gitlab.com/config.yaml
deleted file mode 100644
index 8fb05c85b..000000000
--- a/federation/gitlab.com/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://gitlab.com
-contact: support@gitlab.com
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/issuer.enforce.dev/config.yaml b/federation/issuer.enforce.dev/config.yaml
deleted file mode 100644
index 45e252a88..000000000
--- a/federation/issuer.enforce.dev/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2024 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://issuer.enforce.dev
-# TODO(mattmoor): Change to a group.
-contact: mattmoor@chainguard.dev
-description: "Chainguard identity tokens"
-type: "chainguard-identity"
diff --git a/federation/oauth2.sigstore.dev/config.yaml b/federation/oauth2.sigstore.dev/config.yaml
deleted file mode 100644
index a5782a26c..000000000
--- a/federation/oauth2.sigstore.dev/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://oauth2.sigstore.dev/auth
-issuerclaim: $.federated_claims.connector_id
-contact: tac@sigstore.dev
-description: "dex address for fulcio"
-type: "email"
diff --git a/federation/oidc.codefresh.io/config.yaml b/federation/oidc.codefresh.io/config.yaml
deleted file mode 100644
index 8d51a8adb..000000000
--- a/federation/oidc.codefresh.io/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://oidc.codefresh.io
-contact: support@codefresh.io
-description: "Codefresh OIDC tokens for job identity"
-type: "codefresh-workflow"
diff --git a/federation/ops.gitlab.net/config.yaml b/federation/ops.gitlab.net/config.yaml
deleted file mode 100644
index 7984c576f..000000000
--- a/federation/ops.gitlab.net/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://ops.gitlab.net
-contact: distribution-be@gitlab.com
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/token.actions.githubusercontent.com/config.yaml b/federation/token.actions.githubusercontent.com/config.yaml
deleted file mode 100644
index a8208db01..000000000
--- a/federation/token.actions.githubusercontent.com/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://token.actions.githubusercontent.com
-contact: tac@sigstore.dev
-description: "GitHub Actions OIDC auth"
-type: "github-workflow"
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 6b5f01f9a..a2296147e 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -111,6 +111,11 @@ type OIDCIssuer struct {
 // Optional, the challenge claim expected for the issuer
 // Set if using a custom issuer
 ChallengeClaim string `json:"ChallengeClaim,omitempty" yaml:"challenge-claim,omitempty"`
+ // Optional, the description for the issuer
+ Description string `json:"Description,omitempty" yaml:"description,omitempty"`
+ // Optional, the contact for the issuer team
+ // Usually it is a email
+ Contact string `json:"Contact,omitempty" yaml:"contact,omitempty"`
 }
 
 func metaRegex(issuer string) (*regexp.Regexp, error) {
From c6a61f60a38d216c8fe2d42790ba058922e3033b Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Sat, 13 Jul 2024 13:12:31 +0000
Subject: [PATCH 16/20] update documentation
Signed-off-by: Javan lacerda
---
 docs/oidc.md | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/docs/oidc.md b/docs/oidc.md
index a58bc4aad..fc9619084 100644
--- a/docs/oidc.md
+++ b/docs/oidc.md
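Review bot: The doc comment on the new `Contact` field in the `pkg/config/config.go` hunk, `// Usually it is a email`, is ungrammatical and says too little about what the field is for; suggest `// Optional, a contact for the team operating the issuer (usually an email address)`. Nothing in this hunk reads `Description` or `Contact`, and they carry the same data as the `contact:`/`description:` keys of the per-issuer `federation/*/config.yaml` files deleted in the same patch, so it appears they are informational only; if that is the intent, say so in both comments (e.g. `// Informational only; never used when matching or validating tokens`) so a free-form operator string is not later mistaken for a trust input. The `OIDCIssuer` struct begins before this hunk; only its last fields and closing brace are visible here.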
@@ -10,13 +10,18 @@ Sigstore runs a federated OIDC identity provider, Dex. Users authenticate to the To add a new OIDC issuer: -* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml) and to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. -* Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) -* Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`. -* Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62) -* Update the end-to-end gRPC tests: - * Update the [configuration test](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L175) - * Add a test for the new issuer ([example](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L331)) +* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). + * Atention: If your issuer is a ci, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. 
You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). + * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field have to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. +* If your issuer is not a ci, you need to follow the next steps: + * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. + * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) + * Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`. + * Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62) +* These next steps are required only for non-ci issuers, as it is already tested for generically. Although, you are welcome to add tests for your provider if you want to. 
+ * Update the end-to-end gRPC tests: + * Update the [configuration test](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L175) + * Add a test for the new issuer ([example](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L331)) See [this example](https://github.com/sigstore/fulcio/pull/890), although it is out of date as you'll now need to create an issuer type. From 61471cf7af38435c04794b7c48c6c36d4fabc8b0 Mon Sep 17 00:00:00 2001 From: Javan Lacerda Date: Wed, 17 Jul 2024 14:42:22 -0300 Subject: [PATCH 17/20] Update docs/oidc.md Co-authored-by: Hayden B Signed-off-by: Javan Lacerda --- docs/oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/oidc.md b/docs/oidc.md index fc9619084..138bdaac3 100644 --- a/docs/oidc.md +++ b/docs/oidc.md 
@@ -11,7 +11,7 @@ Sigstore runs a federated OIDC identity provider, Dex. Users authenticate to the To add a new OIDC issuer: * Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). - * Atention: If your issuer is a ci, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). + * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field have to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. * If your issuer is not a ci, you need to follow the next steps: * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. From 0467c9854e20fadf2f7af0041d6c6e7da8c7daf8 Mon Sep 17 00:00:00 2001 From: Javan Lacerda Date: Wed, 17 Jul 2024 14:42:33 -0300 Subject: [PATCH 18/20] Update docs/oidc.md Co-authored-by: Hayden B Signed-off-by: Javan Lacerda --- docs/oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/oidc.md b/docs/oidc.md index 138bdaac3..b3f34690b 100644 --- a/docs/oidc.md +++ b/docs/oidc.md @@ -12,7 +12,7 @@ To add a new OIDC issuer: * Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). - * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field have to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. + * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. * If your issuer is not a ci, you need to follow the next steps: * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) 
From f3bfe8d0746e32208ebad1afd78ee8fb5d32c500 Mon Sep 17 00:00:00 2001
From: Javan Lacerda
Date: Wed, 17 Jul 2024 14:43:01 -0300
Subject: [PATCH 19/20] Update docs/oidc.md
Co-authored-by: Hayden B
Signed-off-by: Javan Lacerda
---
 docs/oidc.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/oidc.md b/docs/oidc.md
index b3f34690b..c87530932 100644
--- a/docs/oidc.md
+++ b/docs/oidc.md
@@ -13,7 +13,7 @@ To add a new OIDC issuer: * Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. -* If your issuer is not a ci, you need to follow the next steps: +* If your issuer is not for a CI provider, you need to follow the next steps: * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) * Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`. From 63188f22de818136e31e3025e7c95515035d4ab3 Mon Sep 17 00:00:00 2001 
From: Javan lacerda
Date: Wed, 17 Jul 2024 21:15:17 +0000
Subject: [PATCH 20/20] update example to a non-ci
Signed-off-by: Javan lacerda
---
 docs/oidc.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/oidc.md b/docs/oidc.md
index c87530932..653644e33 100644
--- a/docs/oidc.md
+++ b/docs/oidc.md
@@ -14,7 +14,7 @@ To add a new OIDC issuer: * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. * If your issuer is not for a CI provider, you need to follow the next steps: - * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. + * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/email)). You will define an `Issuer` type and a way to map the token to the certificate extensions. * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) * Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`. 
* Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62)