From 90320297c0f0ddd627dfd283d5fab6a906780172 Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Tue, 2 Jul 2024 20:29:50 +0000
Subject: [PATCH 01/15] move fulcio config from json to yaml
Signed-off-by: Javan lacerda
---
 config/fulcio-config.yaml | 125 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 125 insertions(+)
 create mode 100644 config/fulcio-config.yaml
diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml
new file mode 100644
index 000000000..ad3056695
--- /dev/null
+++ b/config/fulcio-config.yaml
@@ -0,0 +1,125 @@
+#
+# Copyright 2021 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+data:
+ config.yaml: |-
+ oidc-issuers:
+ https://accounts.google.com:
+ issuer-url: https://accounts.google.com
+ client-id: sigstore
+ type: email
+ contact: tac@sigstore.dev
+ description: "Google OIDC auth"
+ https://agent.buildkite.com:
+ issuer-url: https://agent.buildkite.com
+ client-id: sigstore
+ type: buildkite-job
+ contact: support@buildkite.com
+ description: "Buildkite Agent OIDC tokens for job identity"
+ https://allow.pub:
+ issuer-url: https://allow.pub
+ client-id: sigstore
+ type: spiffe
+ spiffe-trust-domain: allow.pub
+ contact: evan@phx.io
+ description: "Server side signing support for the OCI registry vcr.pub"
+ https://auth-staging.eclipse.org/realms/sigstore:
+ issuer-url: https://auth-staging.eclipse.org/realms/sigstore
+ client-id: sigstore
+ type: email
+ contact: security@eclipse-foundation.org
+ description: "Eclipse Foundation Staging OIDC provider"
+ https://auth.eclipse.org/auth/realms/sigstore:
+ issuer-url: https://auth.eclipse.org/auth/realms/sigstore
+ client-id: sigstore
+ type: email
+ contact: security@eclipse-foundation.org
+ description: "Eclipse Foundation Production OIDC provider"
+ https://dev.gitlab.org:
+ issuer-url: https://dev.gitlab.org
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: distribution-be@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
+ https://gitlab.archlinux.org:
+ issuer-url: https://gitlab.archlinux.org
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: sigstore@archlinux.org
+ description: "GitLab OIDC tokens for job identity"
+ https://gitlab.com:
+ issuer-url: https://gitlab.com
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: support@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
+ https://issuer.enforce.dev:
+ issuer-url: https://issuer.enforce.dev
+ client-id: sigstore
+ type: chainguard-identity
+ contact: mattmoor@chainguard.dev
+ description: "Chainguard identity tokens"
+ https://oauth2.sigstore.dev/auth:
+ issuer-url: https://oauth2.sigstore.dev/auth
+ client-id: sigstore
+ type: email
+ issuer-claim: $.federated_claims.connector_id
+ contact: tac@sigstore.dev
+ description: "dex address for fulcio"
+ https://oidc.codefresh.io:
+ issuer-url: https://oidc.codefresh.io
+ client-id: sigstore
+ type: codefresh-workflow
+ contact: support@codefresh.io
+ description: "Codefresh OIDC tokens for job identity"
+ https://ops.gitlab.net:
+ issuer-url: https://ops.gitlab.net
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: distribution-be@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
+ https://token.actions.githubusercontent.com:
+ issuer-url: https://token.actions.githubusercontent.com
+ client-id: sigstore
+ type: github-workflow
+ contact: tac@sigstore.dev
+ description: "GitHub Actions OIDC auth"
+ meta-issuers:
+ https://*.oic.prod-aks.azure.com/*:
+ client-id: sigstore
+ type: kubernetes
+ https://container.googleapis.com/v1/projects/*/locations/*/clusters/*:
+ client-id: sigstore
+ type: kubernetes
+ https://oidc.eks.*.amazonaws.com/id/*:
+ client-id: sigstore
+ type: kubernetes
+ https://oidc.prod-aks.azure.com/*:
+ client-id: sigstore
+ type: kubernetes
+ https://token.actions.githubusercontent.com/*:
+ client-id: sigstore
+ type: github-workflow
+ server.yaml: |-
+ host: 0.0.0.0
+ port: 5555
+ grpc-port: 5554
+ ca: googleca
+ ct-log-url: http://ct-log/test
+ log_type: prod
+kind: ConfigMap
+metadata:
+ name: fulcio-config
+ namespace: fulcio-system
From 4084cbe7690cb33f2ad225e718177ceb773852c5 Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Mon, 8 Jul 2024 19:54:35 +0000
Subject: [PATCH 02/15] move fulcio-config to a new file
Signed-off-by: Javan lacerda
---
 config/config.yaml | 97 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 config/config.yaml
diff --git a/config/config.yaml b/config/config.yaml
new file mode 100644
index 000000000..9226a85ba
--- /dev/null
+++ b/config/config.yaml
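Review bot: In patch 01's `config/fulcio-config.yaml`, the embedded `server.yaml` sets `ct-log-url: http://ct-log/test` next to `log_type: prod`, so the CT log that issues SCTs for every certificate is reached over plaintext HTTP; if `ct-log` is a cluster-internal service that may be acceptable, but the ConfigMap should record that assumption, e.g. `# ct-log is an in-cluster service reached over plain HTTP; use https for any off-cluster log`. The `test` path segment paired with `log_type: prod` also looks inconsistent and should be confirmed. The issuer allow-list under `config.yaml:` duplicates `config/identity/config.yaml` (edited separately in patch 05), and patch 02's `config/config.yaml` adds a third copy, so there is no single authoritative list of trusted OIDC issuers; a comment naming the source of truth and how the copies are derived would prevent the lists drifting apart.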
@@ -0,0 +1,97 @@
+oidc-issuers:
+ https://accounts.google.com:
+ issuer-url: https://accounts.google.com
+ client-id: sigstore
+ type: email
+ contact: tac@sigstore.dev
+ description: "Google OIDC auth"
+ https://agent.buildkite.com:
+ issuer-url: https://agent.buildkite.com
+ client-id: sigstore
+ type: buildkite-job
+ contact: support@buildkite.com
+ description: "Buildkite Agent OIDC tokens for job identity"
+ https://allow.pub:
+ issuer-url: https://allow.pub
+ client-id: sigstore
+ type: spiffe
+ spiffe-trust-domain: allow.pub
+ contact: evan@phx.io
+ description: "Server side signing support for the OCI registry vcr.pub"
+ https://auth-staging.eclipse.org/realms/sigstore:
+ issuer-url: https://auth-staging.eclipse.org/realms/sigstore
+ client-id: sigstore
+ type: email
+ contact: security@eclipse-foundation.org
+ description: "Eclipse Foundation Staging OIDC provider"
+ https://auth.eclipse.org/auth/realms/sigstore:
+ issuer-url: https://auth.eclipse.org/auth/realms/sigstore
+ client-id: sigstore
+ type: email
+ contact: security@eclipse-foundation.org
+ description: "Eclipse Foundation Production OIDC provider"
+ https://dev.gitlab.org:
+ issuer-url: https://dev.gitlab.org
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: distribution-be@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
+ https://gitlab.archlinux.org:
+ issuer-url: https://gitlab.archlinux.org
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: sigstore@archlinux.org
+ description: "GitLab OIDC tokens for job identity"
+ https://gitlab.com:
+ issuer-url: https://gitlab.com
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: support@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
+ https://issuer.enforce.dev:
+ issuer-url: https://issuer.enforce.dev
+ client-id: sigstore
+ type: chainguard-identity
+ contact: mattmoor@chainguard.dev
+ description: "Chainguard identity tokens"
+ https://oauth2.sigstore.dev/auth:
+ issuer-url: https://oauth2.sigstore.dev/auth
+ client-id: sigstore
+ type: email
+ issuer-claim: $.federated_claims.connector_id
+ contact: tac@sigstore.dev
+ description: "dex address for fulcio"
+ https://oidc.codefresh.io:
+ issuer-url: https://oidc.codefresh.io
+ client-id: sigstore
+ type: codefresh-workflow
+ contact: support@codefresh.io
+ description: "Codefresh OIDC tokens for job identity"
+ https://ops.gitlab.net:
+ issuer-url: https://ops.gitlab.net
+ client-id: sigstore
+ type: gitlab-pipeline
+ contact: distribution-be@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
+ https://token.actions.githubusercontent.com:
+ issuer-url: https://token.actions.githubusercontent.com
+ client-id: sigstore
+ type: github-workflow
+ contact: tac@sigstore.dev
+ description: "GitHub Actions OIDC auth"
+meta-issuers:
+ https://*.oic.prod-aks.azure.com/*:
+ client-id: sigstore
+ type: kubernetes
+ https://container.googleapis.com/v1/projects/*/locations/*/clusters/*:
+ client-id: sigstore
+ type: kubernetes
+ https://oidc.eks.*.amazonaws.com/id/*:
+ client-id: sigstore
+ type: kubernetes
+ https://oidc.prod-aks.azure.com/*:
+ client-id: sigstore
+ type: kubernetes
+ https://token.actions.githubusercontent.com/*:
+ client-id: sigstore
+ type: github-workflow
\ No newline at end of file
From 8491ca497c916f29c2ded43507f1df9fa7bef84f Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Mon, 8 Jul 2024 20:08:17 +0000
Subject: [PATCH 03/15] updating test for check-config workflow
Signed-off-by: Javan lacerda
---
 config/config.yaml | 40 ++++++++++++++--------------------
 1 file changed, 14 insertions(+), 26 deletions(-)
diff --git a/config/config.yaml b/config/config.yaml
index 9226a85ba..189503bd9 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -1,84 +1,72 @@
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 oidc-issuers:
 https://accounts.google.com:
 issuer-url: https://accounts.google.com
 client-id: sigstore
 type: email
- contact: tac@sigstore.dev
- description: "Google OIDC auth"
 https://agent.buildkite.com:
 issuer-url: https://agent.buildkite.com
 client-id: sigstore
 type: buildkite-job
- contact: support@buildkite.com
- description: "Buildkite Agent OIDC tokens for job identity"
 https://allow.pub:
 issuer-url: https://allow.pub
 client-id: sigstore
 type: spiffe
 spiffe-trust-domain: allow.pub
- contact: evan@phx.io
- description: "Server side signing support for the OCI registry vcr.pub"
 https://auth-staging.eclipse.org/realms/sigstore:
 issuer-url: https://auth-staging.eclipse.org/realms/sigstore
 client-id: sigstore
 type: email
- contact: security@eclipse-foundation.org
- description: "Eclipse Foundation Staging OIDC provider"
 https://auth.eclipse.org/auth/realms/sigstore:
 issuer-url: https://auth.eclipse.org/auth/realms/sigstore
 client-id: sigstore
 type: email
- contact: security@eclipse-foundation.org
- description: "Eclipse Foundation Production OIDC provider"
 https://dev.gitlab.org:
 issuer-url: https://dev.gitlab.org
 client-id: sigstore
 type: gitlab-pipeline
- contact: distribution-be@gitlab.com
- description: "GitLab OIDC tokens for job identity"
 https://gitlab.archlinux.org:
 issuer-url: https://gitlab.archlinux.org
 client-id: sigstore
 type: gitlab-pipeline
- contact: sigstore@archlinux.org
- description: "GitLab OIDC tokens for job identity"
 https://gitlab.com:
 issuer-url: https://gitlab.com
 client-id: sigstore
 type: gitlab-pipeline
- contact: support@gitlab.com
- description: "GitLab OIDC tokens for job identity"
 https://issuer.enforce.dev:
 issuer-url: https://issuer.enforce.dev
 client-id: sigstore
 type: chainguard-identity
- contact: mattmoor@chainguard.dev
- description: "Chainguard identity tokens"
 https://oauth2.sigstore.dev/auth:
 issuer-url: https://oauth2.sigstore.dev/auth
 client-id: sigstore
 type: email
 issuer-claim: $.federated_claims.connector_id
- contact: tac@sigstore.dev
- description: "dex address for fulcio"
 https://oidc.codefresh.io:
 issuer-url: https://oidc.codefresh.io
 client-id: sigstore
 type: codefresh-workflow
- contact: support@codefresh.io
- description: "Codefresh OIDC tokens for job identity"
 https://ops.gitlab.net:
 issuer-url: https://ops.gitlab.net
 client-id: sigstore
 type: gitlab-pipeline
- contact: distribution-be@gitlab.com
- description: "GitLab OIDC tokens for job identity"
 https://token.actions.githubusercontent.com:
 issuer-url: https://token.actions.githubusercontent.com
 client-id: sigstore
 type: github-workflow
- contact: tac@sigstore.dev
- description: "GitHub Actions OIDC auth"
 meta-issuers:
 https://*.oic.prod-aks.azure.com/*:
 client-id: sigstore
From c3b6254cff6d96223a80c20e85e8f79127f4f28a Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Wed, 10 Jul 2024 14:41:09 +0000
Subject: [PATCH 04/15] set verify k8s workflow for get configg directly
Signed-off-by: Javan lacerda
---
 config/config.yaml | 85 --------------------------
 config/fulcio-config.yaml | 125 --------------------------------------
 2 files changed, 210 deletions(-)
 delete mode 100644 config/config.yaml
 delete mode 100644 config/fulcio-config.yaml
diff --git a/config/config.yaml b/config/config.yaml
deleted file mode 100644
index 189503bd9..000000000
--- a/config/config.yaml
+++ /dev/null
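Review bot: Patch 03's hunk in `config/config.yaml` deletes the `contact` and `description` entries of all thirteen issuers, which removes the per-issuer ownership record that the `federation/*/config.yaml` files carry, while the commit title only speaks of updating a test for the check-config workflow. If that workflow rejects the two keys, the schema or loader it validates against should be taught to accept them rather than the metadata being dropped; if the keys are genuinely unsupported by the check, say so at the top of the file, e.g. `# contact/description are not read by fulcio; issuer ownership is tracked in <authoritative file>`. The file also still ends without a trailing newline (patch 02 created it with `\ No newline at end of file`), which is worth fixing while the file is being touched.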
@@ -1,85 +0,0 @@
-# Copyright 2024 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-oidc-issuers:
- https://accounts.google.com:
- issuer-url: https://accounts.google.com
- client-id: sigstore
- type: email
- https://agent.buildkite.com:
- issuer-url: https://agent.buildkite.com
- client-id: sigstore
- type: buildkite-job
- https://allow.pub:
- issuer-url: https://allow.pub
- client-id: sigstore
- type: spiffe
- spiffe-trust-domain: allow.pub
- https://auth-staging.eclipse.org/realms/sigstore:
- issuer-url: https://auth-staging.eclipse.org/realms/sigstore
- client-id: sigstore
- type: email
- https://auth.eclipse.org/auth/realms/sigstore:
- issuer-url: https://auth.eclipse.org/auth/realms/sigstore
- client-id: sigstore
- type: email
- https://dev.gitlab.org:
- issuer-url: https://dev.gitlab.org
- client-id: sigstore
- type: gitlab-pipeline
- https://gitlab.archlinux.org:
- issuer-url: https://gitlab.archlinux.org
- client-id: sigstore
- type: gitlab-pipeline
- https://gitlab.com:
- issuer-url: https://gitlab.com
- client-id: sigstore
- type: gitlab-pipeline
- https://issuer.enforce.dev:
- issuer-url: https://issuer.enforce.dev
- client-id: sigstore
- type: chainguard-identity
- https://oauth2.sigstore.dev/auth:
- issuer-url: https://oauth2.sigstore.dev/auth
- client-id: sigstore
- type: email
- issuer-claim: $.federated_claims.connector_id
- https://oidc.codefresh.io:
- issuer-url: https://oidc.codefresh.io
- client-id: sigstore
- type: codefresh-workflow
- https://ops.gitlab.net:
- issuer-url: https://ops.gitlab.net
- client-id: sigstore
- type: gitlab-pipeline
- https://token.actions.githubusercontent.com:
- issuer-url: https://token.actions.githubusercontent.com
- client-id: sigstore
- type: github-workflow
-meta-issuers:
- https://*.oic.prod-aks.azure.com/*:
- client-id: sigstore
- type: kubernetes
- https://container.googleapis.com/v1/projects/*/locations/*/clusters/*:
- client-id: sigstore
- type: kubernetes
- https://oidc.eks.*.amazonaws.com/id/*:
- client-id: sigstore
- type: kubernetes
- https://oidc.prod-aks.azure.com/*:
- client-id: sigstore
- type: kubernetes
- https://token.actions.githubusercontent.com/*:
- client-id: sigstore
- type: github-workflow
\ No newline at end of file
diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml
deleted file mode 100644
index ad3056695..000000000
--- a/config/fulcio-config.yaml
+++ /dev/null
@@ -1,125 +0,0 @@
-#
-# Copyright 2021 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-apiVersion: v1
-data:
- config.yaml: |-
- oidc-issuers:
- https://accounts.google.com:
- issuer-url: https://accounts.google.com
- client-id: sigstore
- type: email
- contact: tac@sigstore.dev
- description: "Google OIDC auth"
- https://agent.buildkite.com:
- issuer-url: https://agent.buildkite.com
- client-id: sigstore
- type: buildkite-job
- contact: support@buildkite.com
- description: "Buildkite Agent OIDC tokens for job identity"
- https://allow.pub:
- issuer-url: https://allow.pub
- client-id: sigstore
- type: spiffe
- spiffe-trust-domain: allow.pub
- contact: evan@phx.io
- description: "Server side signing support for the OCI registry vcr.pub"
- https://auth-staging.eclipse.org/realms/sigstore:
- issuer-url: https://auth-staging.eclipse.org/realms/sigstore
- client-id: sigstore
- type: email
- contact: security@eclipse-foundation.org
- description: "Eclipse Foundation Staging OIDC provider"
- https://auth.eclipse.org/auth/realms/sigstore:
- issuer-url: https://auth.eclipse.org/auth/realms/sigstore
- client-id: sigstore
- type: email
- contact: security@eclipse-foundation.org
- description: "Eclipse Foundation Production OIDC provider"
- https://dev.gitlab.org:
- issuer-url: https://dev.gitlab.org
- client-id: sigstore
- type: gitlab-pipeline
- contact: distribution-be@gitlab.com
- description: "GitLab OIDC tokens for job identity"
- https://gitlab.archlinux.org:
- issuer-url: https://gitlab.archlinux.org
- client-id: sigstore
- type: gitlab-pipeline
- contact: sigstore@archlinux.org
- description: "GitLab OIDC tokens for job identity"
- https://gitlab.com:
- issuer-url: https://gitlab.com
- client-id: sigstore
- type: gitlab-pipeline
- contact: support@gitlab.com
- description: "GitLab OIDC tokens for job identity"
- https://issuer.enforce.dev:
- issuer-url: https://issuer.enforce.dev
- client-id: sigstore
- type: chainguard-identity
- contact: mattmoor@chainguard.dev
- description: "Chainguard identity tokens"
- https://oauth2.sigstore.dev/auth:
- issuer-url: https://oauth2.sigstore.dev/auth
- client-id: sigstore
- type: email
- issuer-claim: $.federated_claims.connector_id
- contact: tac@sigstore.dev
- description: "dex address for fulcio"
- https://oidc.codefresh.io:
- issuer-url: https://oidc.codefresh.io
- client-id: sigstore
- type: codefresh-workflow
- contact: support@codefresh.io
- description: "Codefresh OIDC tokens for job identity"
- https://ops.gitlab.net:
- issuer-url: https://ops.gitlab.net
- client-id: sigstore
- type: gitlab-pipeline
- contact: distribution-be@gitlab.com
- description: "GitLab OIDC tokens for job identity"
- https://token.actions.githubusercontent.com:
- issuer-url: https://token.actions.githubusercontent.com
- client-id: sigstore
- type: github-workflow
- contact: tac@sigstore.dev
- description: "GitHub Actions OIDC auth"
- meta-issuers:
- https://*.oic.prod-aks.azure.com/*:
- client-id: sigstore
- type: kubernetes
- https://container.googleapis.com/v1/projects/*/locations/*/clusters/*:
- client-id: sigstore
- type: kubernetes
- https://oidc.eks.*.amazonaws.com/id/*:
- client-id: sigstore
- type: kubernetes
- https://oidc.prod-aks.azure.com/*:
- client-id: sigstore
- type: kubernetes
- https://token.actions.githubusercontent.com/*:
- client-id: sigstore
- type: github-workflow
- server.yaml: |-
- host: 0.0.0.0
- port: 5555
- grpc-port: 5554
- ca: googleca
- ct-log-url: http://ct-log/test
- log_type: prod
-kind: ConfigMap
-metadata:
- name: fulcio-config
- namespace: fulcio-system
From 0e8a7471a3bad1dbaaef1d5dc4f383f5f5dd37d6 Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Wed, 10 Jul 2024 21:33:34 +0000
Subject: [PATCH 05/15] remove federation, add contact, description
Signed-off-by: Javan lacerda
---
 config/identity/config.yaml | 25 +++++++++++++++++++
 federation/README.md | 23 -----------------
 federation/accounts.google.com/config.yaml | 18 -------------
 federation/agent.buildkite.com/config.yaml | 18 -------------
 .../auth-staging.eclipse.org/config.yaml | 18 -------------
 federation/auth.eclipse.org/config.yaml | 18 -------------
 federation/dev.gitlab.org/config.yaml | 18 -------------
 federation/external/allow.pub/config.yaml | 19 --------------
 federation/gitlab.archlinux.org/config.yaml | 18 -------------
 federation/gitlab.com/config.yaml | 18 -------------
 federation/issuer.enforce.dev/config.yaml | 19 --------------
 federation/oauth2.sigstore.dev/config.yaml | 19 --------------
 federation/oidc.codefresh.io/config.yaml | 18 -------------
 federation/ops.gitlab.net/config.yaml | 18 -------------
 .../config.yaml | 18 -------------
 pkg/config/config.go | 5 ++++
 16 files changed, 30 insertions(+), 260 deletions(-)
 delete mode 100644 federation/README.md
 delete mode 100644 federation/accounts.google.com/config.yaml
 delete mode 100644 federation/agent.buildkite.com/config.yaml
 delete mode 100644 federation/auth-staging.eclipse.org/config.yaml
 delete mode 100644 federation/auth.eclipse.org/config.yaml
 delete mode 100644 federation/dev.gitlab.org/config.yaml
 delete mode 100644 federation/external/allow.pub/config.yaml
 delete mode 100644 federation/gitlab.archlinux.org/config.yaml
 delete mode 100644 federation/gitlab.com/config.yaml
 delete mode 100644 federation/issuer.enforce.dev/config.yaml
 delete mode 100644 federation/oauth2.sigstore.dev/config.yaml
 delete mode 100644 federation/oidc.codefresh.io/config.yaml
 delete mode 100644 federation/ops.gitlab.net/config.yaml
 delete mode 100644 federation/token.actions.githubusercontent.com/config.yaml
diff --git a/config/identity/config.yaml b/config/identity/config.yaml
index 298d89c20..ecbfd64d6 100644
--- a/config/identity/config.yaml
+++ b/config/identity/config.yaml
@@ -17,52 +17,76 @@ oidc-issuers:
 issuer-url: https://accounts.google.com
 client-id: sigstore
 type: email
+ contact: tac@sigstore.dev
+ description: "Google OIDC auth"
 https://agent.buildkite.com:
 issuer-url: https://agent.buildkite.com
 client-id: sigstore
 type: buildkite-job
+ contact: support@buildkite.com
+ description: "Buildkite Agent OIDC tokens for job identity"
 https://allow.pub:
 issuer-url: https://allow.pub
 client-id: sigstore
 type: spiffe
 spiffe-trust-domain: allow.pub
+ contact: evan@phx.io
+ description: "Server side signing support for the OCI registry vcr.pub"
 https://auth.eclipse.org/auth/realms/sigstore:
 issuer-url: https://auth.eclipse.org/auth/realms/sigstore
 client-id: sigstore
 type: email
+ contact: security@eclipse-foundation.org
+ description: "Eclipse Foundation Production OIDC provider"
 https://dev.gitlab.org:
 issuer-url: https://dev.gitlab.org
 client-id: sigstore
 type: gitlab-pipeline
+ contact: distribution-be@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
 https://gitlab.archlinux.org:
 issuer-url: https://gitlab.archlinux.org
 client-id: sigstore
 type: gitlab-pipeline
+ contact: sigstore@archlinux.org
+ description: "GitLab OIDC tokens for job identity"
 https://gitlab.com:
 issuer-url: https://gitlab.com
 client-id: sigstore
 type: gitlab-pipeline
+ contact: support@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
 https://issuer.enforce.dev:
 issuer-url: https://issuer.enforce.dev
 client-id: sigstore
 type: chainguard-identity
+ contact: mattmoor@chainguard.dev
+ description: "Chainguard identity tokens"
 https://oauth2.sigstore.dev/auth:
 issuer-url: https://oauth2.sigstore.dev/auth
 client-id: sigstore
 type: email
 issuer-claim: $.federated_claims.connector_id
+ contact: tac@sigstore.dev
+ description: "dex address for fulcio"
 https://oidc.codefresh.io:
 issuer-url: https://oidc.codefresh.io
 client-id: sigstore
 type: codefresh-workflow
+ contact: support@codefresh.io
+ description: "Codefresh OIDC tokens for job identity"
 https://ops.gitlab.net:
 issuer-url: https://ops.gitlab.net
 client-id: sigstore
 type: gitlab-pipeline
+ contact: distribution-be@gitlab.com
+ description: "GitLab OIDC tokens for job identity"
 https://token.actions.githubusercontent.com:
 issuer-url: https://token.actions.githubusercontent.com
 client-id: sigstore
 type: github-workflow
+ contact: tac@sigstore.dev
+ description: "GitHub Actions OIDC auth"
 meta-issuers:
 https://*.oic.prod-aks.azure.com/*:
 client-id: sigstore
@@ -79,3 +103,4 @@ meta-issuers:
 https://token.actions.githubusercontent.com/*:
 client-id: sigstore
 type: github-workflow
+
diff --git a/federation/README.md b/federation/README.md
deleted file mode 100644
index 3d9e575cd..000000000
--- a/federation/README.md
+++ /dev/null
@@ -1,23 +0,0 @@
-# OIDC Federation Configs
-
-This directory contains configurations for individual OIDC endpoints that the public good instance of Fulcio should accept identity tokens from.
-
-## Usage
-
-To update the k8s `ConfigMap`, run `go run federation/main.go` from the root directory of this repository.
-
-## Adding New Entries
-
-We'll happily accept new entries here in the form of a pull request!
-Open one up with your endpoint, filling in a directory and a `config.yaml` with the following structure:
-
-```yaml
-url:
-contact:
-description:
-type:
-```
-
-You'll then have to regenerate the ConfigMap with `go run federation/main.go`, and then send your PR.
-
-We'll discuss your use-case with you over the pull request, and merge!
diff --git a/federation/accounts.google.com/config.yaml b/federation/accounts.google.com/config.yaml
deleted file mode 100644
index b21c89a31..000000000
--- a/federation/accounts.google.com/config.yaml
+++ /dev/null
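Review bot: In patch 05's first hunk of `config/identity/config.yaml`, the context goes straight from `https://allow.pub` to `https://auth.eclipse.org/auth/realms/sigstore`, so no entry exists for `https://auth-staging.eclipse.org/realms/sigstore` even though the same commit deletes `federation/auth-staging.eclipse.org/config.yaml`; after this change the staging issuer and its contact `security@eclipse-foundation.org` are recorded nowhere, which is fine if the public instance deliberately does not trust it, but that decision should be written down in the file, e.g. `# auth-staging.eclipse.org is intentionally not trusted by the public instance`. The `# TODO(mattmoor): Change to a group.` note attached to the enforce.dev contact in the deleted federation file is lost in the move; carry it over as `# TODO(mattmoor): change contact to a group alias` above `contact: mattmoor@chainguard.dev`. The new `contact`/`description` keys also depend on the loader in `pkg/config/config.go` accepting them (the diffstat lists +5 there but the hunk is not visible here); confirm it adds fields rather than relying on unknown keys being silently ignored, since a strict unmarshal error would block loading of the entire issuer allow-list. The second hunk (`@@ -79,3 +103,4 @@`) adds only a trailing empty line and can be dropped.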
@@ -1,18 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://accounts.google.com
-contact: tac@sigstore.dev
-description: "Google OIDC auth"
-type: "email"
diff --git a/federation/agent.buildkite.com/config.yaml b/federation/agent.buildkite.com/config.yaml
deleted file mode 100644
index bc1d46425..000000000
--- a/federation/agent.buildkite.com/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://agent.buildkite.com
-contact: support@buildkite.com
-description: "Buildkite Agent OIDC tokens for job identity"
-type: "buildkite-job"
diff --git a/federation/auth-staging.eclipse.org/config.yaml b/federation/auth-staging.eclipse.org/config.yaml
deleted file mode 100644
index 11c0f91cb..000000000
--- a/federation/auth-staging.eclipse.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://auth-staging.eclipse.org/realms/sigstore
-contact: security@eclipse-foundation.org
-description: "Eclipse Foundation Staging OIDC provider"
-type: "email"
diff --git a/federation/auth.eclipse.org/config.yaml b/federation/auth.eclipse.org/config.yaml
deleted file mode 100644
index be7a4b2d5..000000000
--- a/federation/auth.eclipse.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://auth.eclipse.org/auth/realms/sigstore
-contact: security@eclipse-foundation.org
-description: "Eclipse Foundation Production OIDC provider"
-type: "email"
diff --git a/federation/dev.gitlab.org/config.yaml b/federation/dev.gitlab.org/config.yaml
deleted file mode 100644
index 1fe70bccc..000000000
--- a/federation/dev.gitlab.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://dev.gitlab.org
-contact: distribution-be@gitlab.com
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/external/allow.pub/config.yaml b/federation/external/allow.pub/config.yaml
deleted file mode 100644
index 69b164896..000000000
--- a/federation/external/allow.pub/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://allow.pub
-contact: evan@phx.io
-description: "Server side signing support for the OCI registry vcr.pub"
-type: "spiffe"
-spiffetrustdomain: "allow.pub"
diff --git a/federation/gitlab.archlinux.org/config.yaml b/federation/gitlab.archlinux.org/config.yaml
deleted file mode 100644
index e7796b0b0..000000000
--- a/federation/gitlab.archlinux.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://gitlab.archlinux.org
-contact: sigstore@archlinux.org
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/gitlab.com/config.yaml b/federation/gitlab.com/config.yaml
deleted file mode 100644
index 8fb05c85b..000000000
--- a/federation/gitlab.com/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://gitlab.com
-contact: support@gitlab.com
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/issuer.enforce.dev/config.yaml b/federation/issuer.enforce.dev/config.yaml
deleted file mode 100644
index 45e252a88..000000000
--- a/federation/issuer.enforce.dev/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@ -# Copyright 2024 The Sigstore Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -url: https://issuer.enforce.dev -# TODO(mattmoor): Change to a group. -contact: mattmoor@chainguard.dev -description: "Chainguard identity tokens" -type: "chainguard-identity" diff --git a/federation/oauth2.sigstore.dev/config.yaml b/federation/oauth2.sigstore.dev/config.yaml deleted file mode 100644 index a5782a26c..000000000 --- a/federation/oauth2.sigstore.dev/config.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# Copyright 2021 The Sigstore Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -url: https://oauth2.sigstore.dev/auth -issuerclaim: $.federated_claims.connector_id -contact: tac@sigstore.dev -description: "dex address for fulcio" -type: "email" diff --git a/federation/oidc.codefresh.io/config.yaml b/federation/oidc.codefresh.io/config.yaml deleted file mode 100644 index 8d51a8adb..000000000 --- a/federation/oidc.codefresh.io/config.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -# Copyright 2023 The Sigstore Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -url: https://oidc.codefresh.io -contact: support@codefresh.io -description: "Codefresh OIDC tokens for job identity" -type: "codefresh-workflow" diff --git a/federation/ops.gitlab.net/config.yaml b/federation/ops.gitlab.net/config.yaml deleted file mode 100644 index 7984c576f..000000000 --- a/federation/ops.gitlab.net/config.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright 2023 The Sigstore Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -url: https://ops.gitlab.net -contact: distribution-be@gitlab.com -description: "GitLab OIDC tokens for job identity" -type: "gitlab-pipeline" diff --git a/federation/token.actions.githubusercontent.com/config.yaml b/federation/token.actions.githubusercontent.com/config.yaml deleted file mode 100644 index a8208db01..000000000 --- a/federation/token.actions.githubusercontent.com/config.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -# Copyright 2021 The Sigstore Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -url: https://token.actions.githubusercontent.com -contact: tac@sigstore.dev -description: "GitHub Actions OIDC auth" -type: "github-workflow" diff --git a/pkg/config/config.go b/pkg/config/config.go index 6b5f01f9a..a2296147e 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -111,6 +111,11 @@ type OIDCIssuer struct { // Optional, the challenge claim expected for the issuer // Set if using a custom issuer ChallengeClaim string `json:"ChallengeClaim,omitempty" yaml:"challenge-claim,omitempty"` + // Optional, the description for the issuer + Description string `json:"Description,omitempty" yaml:"description,omitempty"` + // Optional, the contact for the issuer team + // Usually it is a email + Contact string `json:"Contact,omitempty" yaml:"contact,omitempty"` } func metaRegex(issuer string) (*regexp.Regexp, error) { From c6a61f60a38d216c8fe2d42790ba058922e3033b Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Sat, 13 Jul 2024 13:12:31 +0000 Subject: [PATCH 06/15] update documentation Signed-off-by: Javan lacerda --- docs/oidc.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/docs/oidc.md b/docs/oidc.md index a58bc4aad..fc9619084 100644 --- a/docs/oidc.md +++ b/docs/oidc.md 
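Review bot: The comment on the new `Contact` field, `// Usually it is a email`, is ungrammatical and will be read as the field's documentation; I'd write `// Optional, the contact for the issuer team (usually an email address).`. The `Description` comment could also say what the value is used for — if, as the surrounding config suggests, it is informational only and never enters validation or certificate content, `// Optional, a human-readable description of the issuer; informational only.` would settle that for the next reader.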
@@ -10,13 +10,18 @@ Sigstore runs a federated OIDC identity provider, Dex. Users authenticate to the To add a new OIDC issuer: -* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml) and to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. -* Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) -* Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`. -* Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62) -* Update the end-to-end gRPC tests: - * Update the [configuration test](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L175) - * Add a test for the new issuer ([example](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L331)) +* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). + * Atention: If your issuer is a ci, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. 
You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). + * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field have to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. +* If your issuer is not a ci, you need to follow the next steps: + * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. + * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) + * Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`. + * Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62) +* These next steps are required only for non-ci issuers, as it is already tested for generically. Although, you are welcome to add tests for your provider if you want to. 
+ * Update the end-to-end gRPC tests: + * Update the [configuration test](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L175) + * Add a test for the new issuer ([example](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L331)) See [this example](https://github.com/sigstore/fulcio/pull/890), although it is out of date as you'll now need to create an issuer type. From 61471cf7af38435c04794b7c48c6c36d4fabc8b0 Mon Sep 17 00:00:00 2001 From: Javan Lacerda Date: Wed, 17 Jul 2024 14:42:22 -0300 Subject: [PATCH 07/15] Update docs/oidc.md Co-authored-by: Hayden B Signed-off-by: Javan Lacerda --- docs/oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/oidc.md b/docs/oidc.md index fc9619084..138bdaac3 100644 --- a/docs/oidc.md +++ b/docs/oidc.md 
@@ -11,7 +11,7 @@ Sigstore runs a federated OIDC identity provider, Dex. Users authenticate to the To add a new OIDC issuer: * Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). - * Atention: If your issuer is a ci, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). + * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field have to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. * If your issuer is not a ci, you need to follow the next steps: * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. From 0467c9854e20fadf2f7af0041d6c6e7da8c7daf8 Mon Sep 17 00:00:00 2001 From: Javan Lacerda Date: Wed, 17 Jul 2024 14:42:33 -0300 Subject: [PATCH 08/15] Update docs/oidc.md Co-authored-by: Hayden B Signed-off-by: Javan Lacerda --- docs/oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/oidc.md b/docs/oidc.md index 138bdaac3..b3f34690b 100644 --- a/docs/oidc.md +++ b/docs/oidc.md @@ -12,7 +12,7 @@ To add a new OIDC issuer: * Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). - * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field have to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. + * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. * If your issuer is not a ci, you need to follow the next steps: * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) 
From f3bfe8d0746e32208ebad1afd78ee8fb5d32c500 Mon Sep 17 00:00:00 2001 From: Javan Lacerda Date: Wed, 17 Jul 2024 14:43:01 -0300 Subject: [PATCH 09/15] Update docs/oidc.md Co-authored-by: Hayden B Signed-off-by: Javan Lacerda --- docs/oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/oidc.md b/docs/oidc.md index b3f34690b..c87530932 100644 --- a/docs/oidc.md +++ b/docs/oidc.md 
@@ -13,7 +13,7 @@ To add a new OIDC issuer: * Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. -* If your issuer is not a ci, you need to follow the next steps: +* If your issuer is not for a CI provider, you need to follow the next steps: * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) * Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`. From 63188f22de818136e31e3025e7c95515035d4ab3 Mon Sep 17 00:00:00 2001 
From: Javan lacerda Date: Wed, 17 Jul 2024 21:15:17 +0000 Subject: [PATCH 10/15] update example to a non-ci Signed-off-by: Javan lacerda --- docs/oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/oidc.md b/docs/oidc.md index c87530932..653644e33 100644 --- a/docs/oidc.md +++ b/docs/oidc.md 
@@ -14,7 +14,7 @@ To add a new OIDC issuer: * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. * If your issuer is not for a CI provider, you need to follow the next steps: - * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. + * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/email)). You will define an `Issuer` type and a way to map the token to the certificate extensions. * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) * Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`. 
* Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62) From b7e77174c780a5a344f1d1278fe0b0593cd5d182 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Mon, 15 Jul 2024 21:22:07 +0000 Subject: [PATCH 11/15] migrate github to ci-provider Signed-off-by: Javan lacerda --- config/identity/config.yaml | 34 +++++++++++++++++++++++++++++--- pkg/config/fulcio_config_test.go | 7 +++++-- 2 files changed, 36 insertions(+), 5 deletions(-) diff --git a/config/identity/config.yaml b/config/identity/config.yaml index ecbfd64d6..82003927e 100644 --- a/config/identity/config.yaml +++ b/config/identity/config.yaml @@ -12,6 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +define: &github-type "github-workflow" + oidc-issuers: https://accounts.google.com: issuer-url: https://accounts.google.com @@ -84,7 +86,8 @@ oidc-issuers: https://token.actions.githubusercontent.com: issuer-url: https://token.actions.githubusercontent.com client-id: sigstore - type: github-workflow + type: ci-provider + ci-provider: *github-type contact: tac@sigstore.dev description: "GitHub Actions OIDC auth" meta-issuers: 
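Review bot: The new top-level `define:` key exists only to host the `&github-type` anchor, and whether the config loader accepts an unknown top-level key is not visible here; confirm it is either declared in the config struct or decoded non-strictly, otherwise the file will not load. A short comment above it would save the next reader the same question, e.g. `# define: holds YAML anchors only; each value is reused below as the ci-provider value and as the ci-issuer-metadata key, so the two stay in sync.`. That coupling is what makes the alias approach safe, so it is worth stating in the file itself rather than only in docs/oidc.md.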
@@ -102,5 +105,30 @@ meta-issuers: type: kubernetes https://token.actions.githubusercontent.com/*: client-id: sigstore - type: github-workflow - + type: ci-provider + ci-provider: *github-type +ci-issuer-metadata: + *github-type: + default-template-values: + url: "https://github.com" + extension-templates: + github-workflow-trigger: "event_name" + github-workflow-sha: "sha" + github-workflow-name: "workflow" + github-workflow-repository: "repository" + github-workflow-ref: "ref" + build-signer-uri: "{{ .url }}/{{ .job_workflow_ref }}" + build-signer-digest: "job_workflow_sha" + runner-environment: "runner_environment" + source-repository-uri: "{{ .url }}/{{ .repository }}" + source-repository-digest: "sha" + source-repository-ref: "ref" + source-repository-identifier: "repository_id" + source-repository-owner-uri: "{{ .url }}/{{ .repository_owner }}" + source-repository-owner-identifier: "repository_owner_id" + build-config-uri: "{{ .url }}/{{ .workflow_ref }}" + build-config-digest: "workflow_sha" + build-trigger: "event_name" + run-invocation-uri: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}" + source-repository-visibility-at-signing: "repository_visibility" + subject-alternative-name-template: "{{ .url }}/{{ .job_workflow_ref }}" diff --git a/pkg/config/fulcio_config_test.go b/pkg/config/fulcio_config_test.go index c0c464523..f5a6fd3b2 100644 --- a/pkg/config/fulcio_config_test.go +++ b/pkg/config/fulcio_config_test.go 
@@ -53,11 +53,14 @@ func TestLoadFulcioConfig(t *testing.T) { t.Errorf("expected %s, got %s", issuerURL, got.IssuerURL) } if string(got.Type) == "" { - t.Errorf("Issuer Type should not be empty") + t.Errorf("issuer Type should not be empty") } if got.Type == IssuerTypeCIProvider { if got.CIProvider == "" { - t.Errorf("Issuer CIProvider should not be empty when Type is ci-provider") + t.Errorf("issuer that is CIProvider field shouldn't be empty when Type is ci-provider") + } + if _, ok := fulcioConfig.CIIssuerMetadata[got.CIProvider]; !ok { + t.Error("isseuer with type ci provider should has the same ci provider name as key for CIIssuerMetadata") } } if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok { From 39f109a2c8e5cd09de20a871bf4d12b5c85cad3d Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Mon, 15 Jul 2024 22:36:55 +0000 Subject: [PATCH 12/15] migrate gitlab to ci provider Signed-off-by: Javan lacerda --- config/identity/config.yaml | 38 ++++++++++++++++++++++++++++++------- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/config/identity/config.yaml b/config/identity/config.yaml index 82003927e..2e74cbd2d 100644 --- a/config/identity/config.yaml +++ b/config/identity/config.yaml @@ -12,8 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -define: &github-type "github-workflow" - +define: + - &github-type "github-workflow" + - &gitlab-type "gitlab-pipeline" oidc-issuers: https://accounts.google.com: issuer-url: https://accounts.google.com 
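Review bot: The two new failure messages are garbled (`issuer that is CIProvider field shouldn't be empty…` and `isseuer with type ci provider should has…`), and the second one omits which issuer and provider name failed, so a failure on the real config does not say which entry is wrong. `issuerURL` and `got.CIProvider` are in scope in this loop, so I'd write `t.Errorf("issuer %s: CIProvider must not be empty when Type is ci-provider", issuerURL)` and `t.Errorf("issuer %s: CIProvider %q has no entry in CIIssuerMetadata", issuerURL, got.CIProvider)`. The loop these checks sit in starts outside the hunk.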
@@ -43,19 +44,22 @@ oidc-issuers: https://dev.gitlab.org: issuer-url: https://dev.gitlab.org client-id: sigstore - type: gitlab-pipeline + type: ci-provider + ci-provider: *gitlab-type contact: distribution-be@gitlab.com description: "GitLab OIDC tokens for job identity" https://gitlab.archlinux.org: issuer-url: https://gitlab.archlinux.org client-id: sigstore - type: gitlab-pipeline + type: ci-provider + ci-provider: *gitlab-type contact: sigstore@archlinux.org description: "GitLab OIDC tokens for job identity" https://gitlab.com: issuer-url: https://gitlab.com client-id: sigstore - type: gitlab-pipeline + type: ci-provider + ci-provider: *gitlab-type contact: support@gitlab.com description: "GitLab OIDC tokens for job identity" https://issuer.enforce.dev: @@ -80,7 +84,8 @@ oidc-issuers: https://ops.gitlab.net: issuer-url: https://ops.gitlab.net client-id: sigstore - type: gitlab-pipeline + type: ci-provider + ci-provider: *gitlab-type contact: distribution-be@gitlab.com description: "GitLab OIDC tokens for job identity" https://token.actions.githubusercontent.com: @@ -111,7 +116,7 @@ ci-issuer-metadata: *github-type: default-template-values: url: "https://github.com" - extension-templates: + extension-templates: github-workflow-trigger: "event_name" github-workflow-sha: "sha" github-workflow-name: "workflow" 
@@ -132,3 +137,22 @@ ci-issuer-metadata: run-invocation-uri: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}" source-repository-visibility-at-signing: "repository_visibility" subject-alternative-name-template: "{{ .url }}/{{ .job_workflow_ref }}" + *gitlab-type: + default-template-values: + url: "https://gitlab.com" + extension-templates: + build-signer-uri: "https://{{ .ci_config_ref_uri }}" + build-signer-digest: "ci_config_sha" + runner-environment: "runner_environment" + source-repository-uri: "{{ .url }}/{{ .repository }}" + source-repository-digest: "sha" + source-repository-ref: "ref" + source-repository-identifier: "project_id" + source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}" + source-repository-owner-identifier: "namespace_id" + build-config-uri: "https://{{ .ci_config_ref_uri }}" + build-config-digest: "ci_config_sha" + build-trigger: "pipeline_source" + run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}" + source-repository-visibility-at-signing: "repository_visibility" + subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}" From c81ba1749530f7ffe8cdd5d485c71e960669daf0 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Wed, 17 Jul 2024 20:49:36 +0000 Subject: [PATCH 13/15] start migrating codefresh to ci provider Signed-off-by: Javan lacerda --- config/identity/config.yaml | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/config/identity/config.yaml b/config/identity/config.yaml index 2e74cbd2d..76d529112 100644 --- a/config/identity/config.yaml +++ b/config/identity/config.yaml @@ -15,6 +15,7 @@ define: - &github-type "github-workflow" - &gitlab-type "gitlab-pipeline" + - &codefresh-type "codefresh-workflow" oidc-issuers: https://accounts.google.com: issuer-url: https://accounts.google.com 
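Review bot: In the `*gitlab-type` block, `source-repository-uri` is built from `.repository` while `run-invocation-uri` and `source-repository-owner-uri` use `.project_path` and `.namespace_path` for the same provider; if GitLab tokens carry `project_path` but no `repository` claim, the `missingkey=error` template option still in force at this commit (see pkg/identity/ciprovider/principal.go later on this page) makes every GitLab signing request fail on that extension. Confirm the claim name against the GitLab OIDC claim set, and give `source-repository-digest: "sha"`, `source-repository-ref: "ref"` and `source-repository-visibility-at-signing: "repository_visibility"` the same check, since they look copied from the GitHub block above. A comment naming the token claims this block was validated against would make later edits safer.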
@@ -78,7 +79,8 @@ oidc-issuers: https://oidc.codefresh.io: issuer-url: https://oidc.codefresh.io client-id: sigstore - type: codefresh-workflow + type: ci-provider + ci-provider: *codefresh-type contact: support@codefresh.io description: "Codefresh OIDC tokens for job identity" https://ops.gitlab.net: @@ -156,3 +158,22 @@ ci-issuer-metadata: run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}" source-repository-visibility-at-signing: "repository_visibility" subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}" + *codefresh-type: + default-template-values: + url: "https://g.codefresh.io" + extension-templates: + build-signer-uri: "https://{{ .ci_config_ref_uri }}" + build-signer-digest: "ci_config_sha" + runner-environment: "runner_environment" + source-repository-uri: "{{ .url }}/{{ .repository }}" + source-repository-digest: "sha" + source-repository-ref: "ref" + source-repository-identifier: "project_id" + source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}" + source-repository-owner-identifier: "namespace_id" + build-config-uri: "https://{{ .ci_config_ref_uri }}" + build-config-digest: "ci_config_sha" + build-trigger: "pipeline_source" + run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}" + source-repository-visibility-at-signing: "repository_visibility" + subject-alternative-name-template: "{{ .url }}/{{ .account_name }}/{{ .pipeline_name }}:{{ .account_id }}/{{ .pipeline_id }}" From 629149a9c7fe0af15456ce082baa4c2b0b4ffa06 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Wed, 17 Jul 2024 23:28:14 +0000 Subject: [PATCH 14/15] add tests for using if else on templates, missing key set zero value --- config/identity/config.yaml | 20 ++++++------------- docs/oidc.md | 2 +- pkg/identity/ciprovider/principal.go | 4 ++-- pkg/identity/ciprovider/principal_test.go | 24 +++++++++++++++++------ 4 files changed, 27 insertions(+), 23 deletions(-) 
diff --git a/config/identity/config.yaml b/config/identity/config.yaml index 76d529112..150bda644 100644 --- a/config/identity/config.yaml +++ b/config/identity/config.yaml @@ -162,18 +162,10 @@ ci-issuer-metadata: default-template-values: url: "https://g.codefresh.io" extension-templates: - build-signer-uri: "https://{{ .ci_config_ref_uri }}" - build-signer-digest: "ci_config_sha" + build-signer-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}" runner-environment: "runner_environment" - source-repository-uri: "{{ .url }}/{{ .repository }}" - source-repository-digest: "sha" - source-repository-ref: "ref" - source-repository-identifier: "project_id" - source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}" - source-repository-owner-identifier: "namespace_id" - build-config-uri: "https://{{ .ci_config_ref_uri }}" - build-config-digest: "ci_config_sha" - build-trigger: "pipeline_source" - run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}" - source-repository-visibility-at-signing: "repository_visibility" - subject-alternative-name-template: "{{ .url }}/{{ .account_name }}/{{ .pipeline_name }}:{{ .account_id }}/{{ .pipeline_id }}" + source-repository-uri: "scm_repo_url" + source-repository-ref: "scm_ref" + build-config-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/api/pipelines/{{ .pipeline_id }}" + run-invocation-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}" + subject-alternative-name-template: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}" diff --git a/docs/oidc.md b/docs/oidc.md index 653644e33..798a6f119 100644 --- a/docs/oidc.md +++ b/docs/oidc.md 
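Review bot: The four Codefresh templates test `{{if .platform_url}}` but then expand `{{.platform_ur}}` (missing `l`); together with the `missingkey=zero` option introduced in this same commit, a token that carries `platform_url` renders an empty host and yields URIs and a SAN of the form `/build/<id>` instead of `https://<host>/build/<id>`, with no error raised. The fix is the same in each line: `{{if .platform_url}}{{.platform_url}}{{else}}{{.url}}{{end}}` in `build-signer-uri`, `build-config-uri`, `run-invocation-uri` and `subject-alternative-name-template`. The test data added to principal_test.go in this commit seeds `default_platform_url` rather than `platform_url`, which is presumably why the branch was never exercised; a case with `platform_url` set would pin it.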
@@ -12,7 +12,7 @@ To add a new OIDC issuer: * Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). - * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. + * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. If you set a `default-template-value` with the same name of a claim key, the default value will have priority over the claimed one. * If your issuer is not for a CI provider, you need to follow the next steps: * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/email)). You will define an `Issuer` type and a way to map the token to the certificate extensions. * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) 
diff --git a/pkg/identity/ciprovider/principal.go b/pkg/identity/ciprovider/principal.go
index fb94df3bd..8bb57c965 100644
--- a/pkg/identity/ciprovider/principal.go
+++ b/pkg/identity/ciprovider/principal.go
@@ -66,7 +66,7 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
 var doc bytes.Buffer
 // This option forces to having the claim that is required
 // for the template
- t := template.New("").Option("missingkey=error")
+ t := template.New("").Option("missingkey=zero")
 // It shouldn't raise error since we already checked all
 // templates in validateCIIssuerMetadata functions in config.go
 p, err := t.Parse(extValueTemplate)
@@ -81,7 +81,7 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
 }
 claimValue, ok := mergedData[extValueTemplate]
 if !ok {
- return "", fmt.Errorf("value <%s> not present in either claims or defaults", extValueTemplate)
+ return "", nil
 }
 return claimValue, nil
 }
diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
index aa387f995..776cde4dd 100644
--- a/pkg/identity/ciprovider/principal_test.go
+++ b/pkg/identity/ciprovider/principal_test.go
@@ -229,9 +229,11 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 "workflow": "foo",
 "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
 "workflow_sha": "example-sha-other",
+ "workflow_id": "1",
 }
 issuerMetadata := map[string]string{
- "url": "https://github.com",
+ "url": "https://github.com",
+ "default_platform_url": "https://g.codefresh.io",
 }
 tests := map[string]struct {
@@ -252,12 +254,12 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 `Missing key for template`: {
 Template: "{{ .foo }}",
 ExpectedResult: "",
- ExpectErr: true,
+ ExpectErr: false,
 },
 `Empty string`: {
 Template: "",
 ExpectedResult: "",
- ExpectErr: true,
+ ExpectErr: false,
 },
 `Replaceable string`: {
 Template: "job_workflow_ref",
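Review bot: The comment kept above `t := template.New("").Option("missingkey=zero")` still says the option forces the claim to be present, which described `missingkey=error` and is now the opposite; replace it with `// missingkey=zero: a key absent from mergedData renders as "" instead of failing, so templates must guard optional keys with {{if}}`. The second hunk in this file compounds this by returning `"", nil` where a plain key matches neither a claim nor a default, so a misnamed template value (including a typo such as `.platform_ur`) now yields an empty extension or subject-alternative-name instead of refusing issuance. Unless the caller rejects an empty rendered SAN — the rest of applyTemplateOrReplace and its callers are outside the hunk — a certificate with a degenerate SAN could be issued; consider keeping the error path for the `subject-alternative-name-template`, or checking that the rendered SAN is non-empty before the certificate is built.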
@@ -267,7 +269,17 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 `Missing string`: {
 Template: "bar",
 ExpectedResult: "",
- ExpectErr: true,
+ ExpectErr: false,
+ },
+ `If else template`: {
+ Template: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.default_platform_url}}{{end}}/build/{{ .workflow_id }}",
+ ExpectedResult: "https://g.codefresh.io/build/1",
+ ExpectErr: false,
+ },
+ `If else template using else condition`: {
+ Template: "{{if .iss}}{{.iss}}{{ else }}{{.default_platform_url}}{{end}}/build/{{ .workflow_id }}",
+ ExpectedResult: "https://token.actions.githubusercontent.com/build/1",
+ ExpectErr: false,
 },
 }
@@ -279,8 +291,8 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 test.ExpectedResult, res)
 }
 if (err != nil) != test.ExpectErr {
- t.Errorf("should raise an error don't matches: Expected %v, received: %v",
- test.ExpectErr, err != nil)
+ t.Errorf("should raise an error don't matches: Expected %v, received: %v, %v",
+ test.ExpectErr, err != nil, name)
 }
 })
 }
From 2711ac332585c810408e422427e44a7d7f40f721 Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Thu, 18 Jul 2024 18:21:31 +0000
Subject: [PATCH 15/15] migrating buildkite to ci provider
Signed-off-by: Javan lacerda
---
 config/identity/config.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/config/identity/config.yaml b/config/identity/config.yaml
index 150bda644..6132ce3bb 100644
--- a/config/identity/config.yaml
+++ b/config/identity/config.yaml
@@ -16,6 +16,7 @@ define:
 - &github-type "github-workflow"
 - &gitlab-type "gitlab-pipeline"
 - &codefresh-type "codefresh-workflow"
+ - &buildkite-type "buildkite-job"
 oidc-issuers:
 https://accounts.google.com:
 issuer-url: https://accounts.google.com
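Review bot: The two added cases are named for the branch they do not take: `If else template` has no `platform_url` claim, so it exercises the else branch, while `If else template using else condition` has `iss` set and exercises the if branch. Neither case puts `platform_url` in the claims, so the `{{.platform_ur}}` typo in the first template is never rendered and the suite cannot catch it; add a claim such as `"platform_url": "https://platform.example"` (constructed value) and a case expecting `https://platform.example/build/1` from `{{if .platform_url}}{{.platform_url}}{{ else }}{{.default_platform_url}}{{end}}/build/{{ .workflow_id }}`. Appending `name` to the `t.Errorf` message is redundant if the closing `})` belongs to a `t.Run(name, ...)`, which already labels subtest output; the loop head is outside the hunk, so this is inferred.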
@@ -26,7 +27,8 @@ oidc-issuers:
 https://agent.buildkite.com:
 issuer-url: https://agent.buildkite.com
 client-id: sigstore
- type: buildkite-job
+ type: ci-provider
+ ci-provider: *buildkite-type
 contact: support@buildkite.com
 description: "Buildkite Agent OIDC tokens for job identity"
 https://allow.pub:
@@ -169,3 +171,7 @@ ci-issuer-metadata:
 build-config-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/api/pipelines/{{ .pipeline_id }}"
 run-invocation-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
 subject-alternative-name-template: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}"
+ *buildkite-type:
+ default-template-values:
+ url: "https://buildkite.com"
+ subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}"
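Review bot: The new `*buildkite-type` entry defines `default-template-values` and a `subject-alternative-name-template` but no `extension-templates`, unlike the `*codefresh-type` entry it follows, so the migrated issuer emits a SAN and no CI-provider extensions; if that is intended, a comment such as `# no extension-templates: Buildkite tokens are mapped to the SAN only` would save the next reader a check, and if the loader requires the key this entry will fail validation (not visible from the hunk). With `missingkey=zero` in effect, a token missing `organization_slug` or `pipeline_slug` renders the SAN as `https://buildkite.com//<pipeline_slug>` or `https://buildkite.com/<organization_slug>/` rather than being rejected, so the claims this template depends on should be treated as required by whatever validates the rendered SAN.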